rpm/tboot
SHA256
1
0
Fork 0
forked from pool/tboot
Code Pull Requests Activity

update to new upstream version 1.9.6:

Browse Source 
- removed following patches, because they're now included upstream:
	* tboot-grub2-fix-menu-in-xen-host-server.patch
	* tboot-grub2-fix-xen-submenu-name.patch
	* tboot-grub2-suse.patch
- Changes in this version:
	* GCC7 fix, adds generic FALLTHROUGH notations to avoid warnings appearing on GCC7
        * Ensure Tboot never overwrites modules in the process of moving them.
        * Add support to x2APIC, which uses 32 bit APIC ID.
        * Fix S3 secrets sealing/unsealing failures
        * Support OpenSSL 1.1.0+ for ECDSA signature verification.
        * Support OpenSSL 1.1.0+ for RSA key manipulation.
        * Adds additional checks to prevent the kernel image from being overwritten.
        * Added TCG TPM event log support.
        * Pass through the EFI memory map that's provided by grub2.
        * Fix a null pointer dereference bug when Intel TXT is disabled in BIOS.
        * Adjust KERNEL_CMDLINE_OFFSET from 0x9000 to 0x8D00.
        * Bounds checking on the kernel_cmdline string.

OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=64
This commit is contained in:
Matthias Gerstner 2017-07-18 11:15:11 +00:00 committed by Git OBS Bridge
parent b3b59d9789
commit b9b173fea3
9 changed files with 39 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
reproducible.patch
View File

@ -1,13 +0,0 @@
Index: tboot-1.9.5/tboot/Makefile
===================================================================
--- tboot-1.9.5.orig/tboot/Makefile
+++ tboot-1.9.5/tboot/Makefile
@@ -32,7 +32,7 @@ OBJS := $(obj-y)
TARGET_LDS := $(CURDIR)/common/tboot.lds
$(TARGET).gz : $(TARGET)
- gzip -f -9 < $< > $@
+ gzip -n -f -9 < $< > $@
$(TARGET) : $(OBJS) $(TARGET_LDS)
$(LD) $(LDFLAGS) -T $(TARGET_LDS) -N $(OBJS) -o $(@D)/.$(@F).0

3
tboot-1.9.5.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c7032e367ac0129493c9bb1fcd1437f400ff5533c970119ddce281ff4d58a13f
size 685460

3
tboot-1.9.6.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1b55eed6ca8196b2a003936594248a242888ac34ff970eda651e7660c4772a39
size 693564

86
tboot-gcc7.patch
View File

@ -1,86 +0,0 @@
Index: tboot-1.9.5/tboot/common/tboot.c
===================================================================
--- tboot-1.9.5.orig/tboot/common/tboot.c
+++ tboot-1.9.5/tboot/common/tboot.c
@@ -501,11 +501,13 @@ static void shutdown_system(uint32_t shu
/* write our S3 resume vector to ACPI resume addr */
set_s3_resume_vector(&_tboot_shared.acpi_sinfo, TBOOT_S3_WAKEUP_ADDR);
/* fall through for rest of Sx handling */
+ /* FALLTHROUGH */
case TB_SHUTDOWN_S4:
case TB_SHUTDOWN_S5:
machine_sleep(&_tboot_shared.acpi_sinfo);
/* if machine_sleep() fails, fall through to reset */
+ /* FALLTHROUGH */
case TB_SHUTDOWN_REBOOT:
if ( txt_is_powercycle_required() ) {
/* powercycle by writing 0x0a+0x0e to port 0xcf9 */
@@ -524,6 +526,7 @@ static void shutdown_system(uint32_t shu
outb(0xcf9, 0x06);
}
+ /* FALLTHROUGH */
case TB_SHUTDOWN_HALT:
default:
while ( true )
Index: tboot-1.9.5/tboot/common/vsprintf.c
===================================================================
--- tboot-1.9.5.orig/tboot/common/vsprintf.c
+++ tboot-1.9.5/tboot/common/vsprintf.c
@@ -404,6 +404,7 @@ handle_width:
case 'p':
mods.flag |= PREFIX; /* print prefix 0x for %p */
mods.flag_long = LONG;
+ /* FALLTHROUGH */
case 'x':
mods.base = 16;
buf_pos = write_number_to_buffer(buf, size, buf_pos, mods);
Index: tboot-1.9.5/tboot/common/tpm.c
===================================================================
--- tboot-1.9.5.orig/tboot/common/tpm.c
+++ tboot-1.9.5/tboot/common/tpm.c
@@ -117,14 +117,14 @@ static bool tpm_send_cmd_ready_status_cr
#endif
if ( reg_ctrl_sts.tpmidle== 1) {
- reg_ctrl_request._raw[0] = 0;
+ memset(&reg_ctrl_request,0,sizeof(reg_ctrl_request));
reg_ctrl_request.cmdReady = 1;
write_tpm_reg(locality, TPM_CRB_CTRL_REQ, &reg_ctrl_request);
return true;
}
- reg_ctrl_request._raw[0] = 0;
+ memset(&reg_ctrl_request,0,sizeof(reg_ctrl_request));
reg_ctrl_request.goIdle = 1;
write_tpm_reg(locality, TPM_CRB_CTRL_REQ, &reg_ctrl_request);
@@ -158,7 +158,7 @@ static bool tpm_send_cmd_ready_status_cr
printk(TBOOT_INFO"2. reg_ctrl_sts.tpmsts: 0x%x\n", reg_ctrl_sts.tpmsts);
#endif
- reg_ctrl_request._raw[0] = 0;
+ memset(&reg_ctrl_request,0,sizeof(reg_ctrl_request));
reg_ctrl_request.cmdReady = 1;
write_tpm_reg(locality, TPM_CRB_CTRL_REQ, &reg_ctrl_request);
@@ -724,7 +724,7 @@ bool tpm_relinquish_locality_crb(uint32_
if ( reg_loc_state.loc_assigned == 0 ) return true;
/* make inactive by writing a 1 */
- reg_loc_ctrl._raw[0] = 0;
+ memset(&reg_loc_ctrl,0,sizeof(reg_loc_ctrl));
reg_loc_ctrl.relinquish = 1;
write_tpm_reg(locality, TPM_REG_LOC_CTRL, &reg_loc_ctrl);
@@ -778,7 +778,7 @@ bool tpm_request_locality_crb(uint32_t l
tpm_reg_loc_state_t reg_loc_state;
tpm_reg_loc_ctrl_t reg_loc_ctrl;
/* request access to the TPM from locality N */
- reg_loc_ctrl._raw[0] = 0;
+ memset(&reg_loc_ctrl,0,sizeof(reg_loc_ctrl));
reg_loc_ctrl.requestAccess = 1;
write_tpm_reg(locality, TPM_REG_LOC_CTRL, &reg_loc_ctrl);

12
tboot-grub2-fix-menu-in-xen-host-server.patch
View File

@ -23,10 +23,10 @@ v3:
References: bnc#865815 References: bnc#865815
Porting to tboot in order to fix duplicated xen entries Porting to tboot in order to fix duplicated xen entries
Index: tboot-1.9.4/tboot/20_linux_tboot Index: tboot-1.9.6/tboot/20_linux_tboot
=================================================================== ===================================================================
--- tboot-1.9.4.orig/tboot/20_linux_tboot --- tboot-1.9.6.orig/tboot/20_linux_tboot
+++ tboot-1.9.4/tboot/20_linux_tboot +++ tboot-1.9.6/tboot/20_linux_tboot
@@ -225,6 +225,49 @@ while [ "x${tboot_list}" != "x" ] && [ " @@ -225,6 +225,49 @@ while [ "x${tboot_list}" != "x" ] && [ "
break break
fi fi
@ -77,10 +77,10 @@ Index: tboot-1.9.4/tboot/20_linux_tboot
if test -n "${initrd}" ; then if test -n "${initrd}" ; then
echo "Found initrd image: ${dirname}/${initrd}" >&2 echo "Found initrd image: ${dirname}/${initrd}" >&2
else else
Index: tboot-1.9.4/tboot/20_linux_xen_tboot Index: tboot-1.9.6/tboot/20_linux_xen_tboot
=================================================================== ===================================================================
--- tboot-1.9.4.orig/tboot/20_linux_xen_tboot --- tboot-1.9.6.orig/tboot/20_linux_xen_tboot
+++ tboot-1.9.4/tboot/20_linux_xen_tboot +++ tboot-1.9.6/tboot/20_linux_xen_tboot
@@ -52,6 +52,12 @@ fi @@ -52,6 +52,12 @@ fi
export TEXTDOMAIN=grub export TEXTDOMAIN=grub
export TEXTDOMAINDIR=${prefix}/share/locale export TEXTDOMAINDIR=${prefix}/share/locale

8
tboot-grub2-fix-xen-submenu-name.patch
View File

@ -4,13 +4,13 @@ Subject: fix xen submenu name to show tboot version
References: bnc#865815 References: bnc#865815
Patch-Mainline: no Patch-Mainline: no
Index: tboot-1.9.5/tboot/20_linux_xen_tboot Index: tboot-1.9.6/tboot/20_linux_xen_tboot
=================================================================== ===================================================================
--- tboot-1.9.5.orig/tboot/20_linux_xen_tboot --- tboot-1.9.6.orig/tboot/20_linux_xen_tboot
+++ tboot-1.9.5/tboot/20_linux_xen_tboot +++ tboot-1.9.6/tboot/20_linux_xen_tboot
@@ -232,7 +232,7 @@ while [ "x${xen_list}" != "x" ] ; do @@ -232,7 +232,7 @@ while [ "x${xen_list}" != "x" ] ; do
rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
tboot_version="1.9.5" tboot_version="1.9.6"
list="${linux_list}" list="${linux_list}"
- echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{" - echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{"
+ echo "submenu \"Xen ${xen_version} with Tboot ${tboot_version}\"{" + echo "submenu \"Xen ${xen_version} with Tboot ${tboot_version}\"{"

26
tboot-grub2-suse.patch
View File

@ -1,26 +0,0 @@
Index: tboot-1.9.4/tboot/20_linux_tboot
===================================================================
--- tboot-1.9.4.orig/tboot/20_linux_tboot
+++ tboot-1.9.4/tboot/20_linux_tboot
@@ -24,6 +24,8 @@ libdir=${exec_prefix}/lib
sysconfdir=/etc
if test -e /usr/share/grub/grub-mkconfig_lib; then
. /usr/share/grub/grub-mkconfig_lib
+elif test -e /usr/share/grub2/grub-mkconfig_lib; then
+ . /usr/share/grub2/grub-mkconfig_lib
elif test -e ${libdir}/grub/grub-mkconfig_lib; then
. ${libdir}/grub/grub-mkconfig_lib
fi
Index: tboot-1.9.4/tboot/20_linux_xen_tboot
===================================================================
--- tboot-1.9.4.orig/tboot/20_linux_xen_tboot
+++ tboot-1.9.4/tboot/20_linux_xen_tboot
@@ -24,6 +24,8 @@ libdir=${exec_prefix}/lib
sysconfdir=/etc
if test -e /usr/share/grub/grub-mkconfig_lib; then
. /usr/share/grub/grub-mkconfig_lib
+elif test -e /usr/share/grub2/grub-mkconfig_lib; then
+ . /usr/share/grub2/grub-mkconfig_lib
elif test -e ${libdir}/grub/grub-mkconfig_lib; then
. ${libdir}/grub/grub-mkconfig_lib
fi

24
tboot.changes
View File

@ -1,3 +1,27 @@
-------------------------------------------------------------------
Tue Jul 18 11:10:29 UTC 2017 - matthias.gerstner@suse.com
update to new upstream version 1.9.6:
- removed following patches, because they're now included upstream:
* tboot-grub2-fix-menu-in-xen-host-server.patch
* tboot-grub2-fix-xen-submenu-name.patch
* tboot-grub2-suse.patch
- Changes in this version:
* GCC7 fix, adds generic FALLTHROUGH notations to avoid warnings appearing on GCC7
* Ensure Tboot never overwrites modules in the process of moving them.
* Add support to x2APIC, which uses 32 bit APIC ID.
* Fix S3 secrets sealing/unsealing failures
* Support OpenSSL 1.1.0+ for ECDSA signature verification.
* Support OpenSSL 1.1.0+ for RSA key manipulation.
* Adds additional checks to prevent the kernel image from being overwritten.
* Added TCG TPM event log support.
* Pass through the EFI memory map that's provided by grub2.
* Fix a null pointer dereference bug when Intel TXT is disabled in BIOS.
* Adjust KERNEL_CMDLINE_OFFSET from 0x9000 to 0x8D00.
* Bounds checking on the kernel_cmdline string.
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Jun 4 08:43:14 UTC 2017 - meissner@suse.com Sun Jun 4 08:43:14 UTC 2017 - meissner@suse.com

10
tboot.spec
View File

@ -17,20 +17,17 @@
Name: tboot Name: tboot
%define ver 1.9.5 %define ver 1.9.6
Version: 20160518_1.9.4 Version: 20170711_1.9.6
Release: 0 Release: 0
Summary: Performs a verified launch using Intel(R) TXT Summary: Performs a verified launch using Intel(R) TXT
License: BSD-3-Clause License: BSD-3-Clause
Group: Productivity/Security Group: Productivity/Security
Url: http://sourceforge.net/projects/tboot/ Url: http://sourceforge.net/projects/tboot/
Source0: http://downloads.sourceforge.net/project/tboot/tboot/tboot-%{ver}.tar.gz Source0: http://downloads.sourceforge.net/project/tboot/tboot/tboot-%{ver}.tar.gz
Patch1: tboot-grub2-suse.patch
Patch3: tboot-grub2-fix-menu-in-xen-host-server.patch Patch3: tboot-grub2-fix-menu-in-xen-host-server.patch
Patch4: tboot-grub2-fix-xen-submenu-name.patch Patch4: tboot-grub2-fix-xen-submenu-name.patch
# PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/tboot/code/merge-requests/1/ # PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/tboot/code/merge-requests/1/
Patch5: reproducible.patch
Patch6: tboot-gcc7.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: trousers-devel BuildRequires: trousers-devel
@ -43,11 +40,8 @@ verified launch of an OS kernel/VMM.
%prep %prep
%setup -q -n %name-%ver %setup -q -n %name-%ver
%patch1 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%patch6 -p1
%build %build
export CFLAGS="%{optflags}" export CFLAGS="%{optflags}"