- add tboot-fix-alloc-size-warning.patch: newest GCC spits out this error:
```
pconf_legacy.c: In function ‘create’:
pconf_legacy.c:327:16: error: allocation of insufficient size ‘20’ for type ‘tb_hash_t’ with size ‘64’ [-Werror=alloc-size]
327 | digest = malloc(SHA1_DIGEST_SIZE);
| ^
```
There's a union data type behind this. It's not an actual error. To get rid
of the warning, the patch allocates the full union size, thereby wasting a
bit of memory.
OBS-URL: https://build.opensuse.org/request/show/1196424
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tboot?expand=0&rev=50
```
pconf_legacy.c: In function ‘create’:
pconf_legacy.c:327:16: error: allocation of insufficient size ‘20’ for type ‘tb_hash_t’ with size ‘64’ [-Werror=alloc-size]
327 | digest = malloc(SHA1_DIGEST_SIZE);
| ^
```
There's a union data type behind this. It's not an actual error. To get rid
of the warning, the patch allocates the full union size, thereby wasting a
bit of memory.
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=120
- add tboot-bsc#1207833-copy-mbi.patch: correctly move MBI from a lower
address above tboot (bsc#1207833). This fixes a broken boot situation in
some configurations stopping with log line "TBOOT: loader context was moved
from 0x<address> to 0x<address>".
this patch syncs the Factory package with the SLE package. For some reason I
forgot to add the patch to Factory first. Also upstream did not react to the
patch, that I posted to their mailing list, so it's not contained in the
upstream tarball.
OBS-URL: https://build.opensuse.org/request/show/1183112
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tboot?expand=0&rev=49
address above tboot (bsc#1207833). This fixes a broken boot situation in
some configurations stopping with log line "TBOOT: loader context was moved
from 0x<address> to 0x<address>".
this patch syncs the Factory package with the SLE package. For some reason I
forgot to add the patch to Factory first. Also upstream did not react to the
patch, that I posted to their mailing list, so it's not contained in the
upstream tarball.
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=118
- add tboot.rpmlintrc: suppress warning about missing %check section. There's
no testsuite for tboot.
- mark grub.d snippets as %config (noreplace) to satisfy rpmlint warning
(the grub2 package itself marks its snippets this way, so it seems to be
common standard to do so).
- update to v1.11.4:
* v1.11.4
Increase the TBOOT log size from 32 KB to 64 KB. For some Intel server
platforms, it was noticed that TBOOT_SERIAL_LOG memory section was too
small to hold all of the print logs, produced by TBOOT. Due to this
reason TBOOT log section memory size had to be increase to 64KB.
* v1.11.3
Fix the hanging TBOOT issue, which appeared during the RLPs wakeup process
on the Intel's multisocket platform. This problem appeared during the AP
stacks allocations for these RLPs. TBOOT allocated memory for them depending
on the woken-up CPUs X2 APIC values. When some of them exceeded the NR_CPUS (1024),
then the RLP wakeup process execution halted. For the current moment,
the maximal X2 APID value was increased from 1024 to 8192. This kind of
solution fixed the given problem.
* v1.11.2
Fix the RAM memory allocation algorithm for the initrd.
OBS-URL: https://build.opensuse.org/request/show/1181402
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tboot?expand=0&rev=48
no testsuite for tboot.
- mark grub.d snippets as %config (noreplace) to satisfy rpmlint warning
(the grub2 package itself marks its snippets this way, so it seems to be
common standard to do so).
- update to v1.11.4:
* v1.11.4
Increase the TBOOT log size from 32 KB to 64 KB. For some Intel server
platforms, it was noticed that TBOOT_SERIAL_LOG memory section was too
small to hold all of the print logs, produced by TBOOT. Due to this
reason TBOOT log section memory size had to be increase to 64KB.
* v1.11.3
Fix the hanging TBOOT issue, which appeared during the RLPs wakeup process
on the Intel's multisocket platform. This problem appeared during the AP
stacks allocations for these RLPs. TBOOT allocated memory for them depending
on the woken-up CPUs X2 APIC values. When some of them exceeded the NR_CPUS (1024),
then the RLP wakeup process execution halted. For the current moment,
the maximal X2 APID value was increased from 1024 to 8192. This kind of
solution fixed the given problem.
* v1.11.2
Fix the RAM memory allocation algorithm for the initrd.
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=115
- required update due to openSSL 3.0 deprecation errors in current version
- updated to v1.11.1 / 20230125:
20230125: v1.11.1
- Revert log memory range extension (caused memory overlaps and boot failures)
20221223: v1.11.0
- Fixed TPM handling to flush objects after integrity measurement (Intel PTT limitations)
- Exteded low memory range for logs (HCC CPUs had issue with not enough memory)
- "agile" removed from PCR Extend policy options (requested deprecation)
- Added handling for flexible ACM Info Table format
- lcptools: CPPFLAGS use by environment in build
- lcptools: removed __DATE__ refs to make build reproducible
- Only platform-matchin SINIT modules can be selected
- txt-acminfo: Map TXT heap using mmap
- Typo fix in man page
20220304: v1.10.5
- Fixed mlehash.c to bring back functionality and make it GCC12 compliant
- Reverted change for replacing EFI memory to bring back Tboot in-memory logs
20220224: v1.10.4
- Fix hash printing for SHA384, SHA512 and SM3
- Touch ups for GCC12
- Set GDT to map CS and DS to 4GB before jumping to Linux
- make efi_memmap_reserve handle gaps like e820_protect_region
- Ensure that growth of Multiboot tags does not go beyond original area
- Replace EFI memory map in Multiboot2 info
- Fix endianness of pcr_info->pcr_selection.size_of_select
- Don't ignore locality in PCR file
- Fix composite hashing algorithm for PCONF elements to match lcptools-1
20211210: v1.10.3
- Add UNI-VGA license information
- Remove poly1305 object files on clean
OBS-URL: https://build.opensuse.org/request/show/1063392
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tboot?expand=0&rev=47
- updated to v1.11.1 / 20230125:
20230125: v1.11.1
- Revert log memory range extension (caused memory overlaps and boot failures)
20221223: v1.11.0
- Fixed TPM handling to flush objects after integrity measurement (Intel PTT limitations)
- Exteded low memory range for logs (HCC CPUs had issue with not enough memory)
- "agile" removed from PCR Extend policy options (requested deprecation)
- Added handling for flexible ACM Info Table format
- lcptools: CPPFLAGS use by environment in build
- lcptools: removed __DATE__ refs to make build reproducible
- Only platform-matchin SINIT modules can be selected
- txt-acminfo: Map TXT heap using mmap
- Typo fix in man page
20220304: v1.10.5
- Fixed mlehash.c to bring back functionality and make it GCC12 compliant
- Reverted change for replacing EFI memory to bring back Tboot in-memory logs
20220224: v1.10.4
- Fix hash printing for SHA384, SHA512 and SM3
- Touch ups for GCC12
- Set GDT to map CS and DS to 4GB before jumping to Linux
- make efi_memmap_reserve handle gaps like e820_protect_region
- Ensure that growth of Multiboot tags does not go beyond original area
- Replace EFI memory map in Multiboot2 info
- Fix endianness of pcr_info->pcr_selection.size_of_select
- Don't ignore locality in PCR file
- Fix composite hashing algorithm for PCONF elements to match lcptools-1
20211210: v1.10.3
- Add UNI-VGA license information
- Remove poly1305 object files on clean
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=112
- updated to v1.10.2 / 20210614
Fix ACM chipset/processor list validation
Check for client/server match when selecting SINIT
Fix issues when building with GCC11
Default to D/A mapping when TPM1.2 and CBnT platform
- updated to 1.10.1 / 20210330
- Indicate to SINIT that CBnT is supported by TBOOT
- lcptools: Fix issues from static code analysis (forwarded request 900328 from msmeissn)
OBS-URL: https://build.opensuse.org/request/show/900884
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tboot?expand=0&rev=45
- updated to v1.10.2 / 20210614
Fix ACM chipset/processor list validation
Check for client/server match when selecting SINIT
Fix issues when building with GCC11
Default to D/A mapping when TPM1.2 and CBnT platform
- updated to 1.10.1 / 20210330
- Indicate to SINIT that CBnT is supported by TBOOT
- lcptools: Fix issues from static code analysis
OBS-URL: https://build.opensuse.org/request/show/900328
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=107
- release 1.10.0 ramifications:
- README is now README.md
- acminfo and parse_err now are called txt-acminfo and txt-parse_err
- lcptools are deprecated (tpm 1.2, TrouSerS dependency) and are no longer
packaged.
- no longer needs TrouSerS dependency due to deprecation
- tboot-grub2-fix-menu-in-xen-host-server.patch: refreshed to match new
upstream version.
- tboot-grub2-fix-xen-submenu-name.patch: refreshed to match new upstream
version.
- update to new upstream release 1.10.0:
- Rename TXT related tools to have 'txt-' prefix
- Clarify license issues
- Fix issues reported by Coverity Scan
- Ensure txt-acminfo does not print false information if msr is not loaded
- Fix issue with multiboot(1) booting - infinite loop during boot
- Fix issue with TPM1.2 - invalid default policy
- Unmask NMI# after returning from SINIT
- Update GRUB scripts to use multiboot2 only
- Enable VGA logging for EFI platforms
- Add warning when using SHA1 as hashing algorithm
- Add Doxygen documentation
- Replace VMAC with Poly1305
- Validate TPM NV index attributes
- Move old lcptool to deprecated folder and exclude from build
- TrouSerS is not longer required to build
- lcptools-v2: meet requirements from MLE DG rev16
- lcptools-v2: Implement SM2 signing and SM2 signature verification
OBS-URL: https://build.opensuse.org/request/show/864334
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tboot?expand=0&rev=44
- README is now README.md
- acminfo and parse_err now are called txt-acminfo and txt-parse_err
- lcptools are deprecated (tpm 1.2, TrouSerS dependency) and are no longer
packaged.
- update to new upstream release 1.10.0:
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=104
- Rename TXT related tools to have 'txt-' prefix
- Clarify license issues
- Fix issues reported by Coverity Scan
- Ensure txt-acminfo does not print false information if msr is not loaded
- Fix issue with multiboot(1) booting - infinite loop during boot
- Fix issue with TPM1.2 - invalid default policy
- Unmask NMI# after returning from SINIT
- Update GRUB scripts to use multiboot2 only
- Enable VGA logging for EFI platforms
- Add warning when using SHA1 as hashing algorithm
- Add Doxygen documentation
- Replace VMAC with Poly1305
- Validate TPM NV index attributes
- Move old lcptool to deprecated folder and exclude from build
- TrouSerS is not longer required to build
- lcptools-v2: meet requirements from MLE DG rev16
- lcptools-v2: Implement SM2 signing and SM2 signature verification
- lcptools-v2: Set aux_hash_alg_mask to 0 when policy version != 0x300
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=102
- update to new upstream release 1.9.12:
- changes from 1.9.12:
- Release localities in S3 flow for CRB interface
- Config.mk, safestringlib/makefile : allow tool overrides
- safestringlib: fix warnings with GCC 6.4.0
- Strip executable file before generating tboot.gz
- Add support for EFI memory map parse/modification
- Add SHA384 and SHA512 digest algorithms
- lcptools-v2: add pconf2 policy element support
- tb_polgen: Add SHA384 and SHA512 support
- Disable GCC9 address-of-packed-member warning
- Fix warnings after "Avoid unsafe functions" scan
- Use SHA256 as default hashing algorithm
- changes from 1.9.11:
- tb_polgen: Add support for SHA256
- Configure IOMMU before executing GETSEC[SENTER]
- SINIT ACM can have padding, handle that when checking size
- disable-address-of-packed-member-warning.patch: now contained upstream
- tboot-grub2-fix-xen-submenu-name.patch: refreshed
OBS-URL: https://build.opensuse.org/request/show/838277
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tboot?expand=0&rev=42
- changes from 1.9.12:
- Release localities in S3 flow for CRB interface
- Config.mk, safestringlib/makefile : allow tool overrides
- safestringlib: fix warnings with GCC 6.4.0
- Strip executable file before generating tboot.gz
- Add support for EFI memory map parse/modification
- Add SHA384 and SHA512 digest algorithms
- lcptools-v2: add pconf2 policy element support
- tb_polgen: Add SHA384 and SHA512 support
- Disable GCC9 address-of-packed-member warning
- Fix warnings after "Avoid unsafe functions" scan
- Use SHA256 as default hashing algorithm
- changes from 1.9.11:
- tb_polgen: Add support for SHA256
- Configure IOMMU before executing GETSEC[SENTER]
- SINIT ACM can have padding, handle that when checking size
- disable-address-of-packed-member-warning.patch: now contained upstream
- tboot-grub2-fix-xen-submenu-name.patch: refreshed
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=97
- update to new upstream release 1.9.10:
- changes from 1.9.10:
- lcp-gen2: update with latest version (wxWidgets wildcard bugfix)
- print latest tag in logs
- add support for 64bit framebuffer address
- changes from 1.9.9:
- tools: fix some dereference-NULL issues reported by klocwork
- tools: replace banned mem/str fns with corresponding ones in safestringlib
- Add safestringlib code to support replacement of banned mem/str fns
- lcptools: remove tools supporting platforms before 2008
- tboot: update string/memory fn name to differentiate from c lib
- Fix a harmless overflow caused by wrong loop limits
- rebased patches to match new upstream version
OBS-URL: https://build.opensuse.org/request/show/704217
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tboot?expand=0&rev=38
- changes from 1.9.10:
- lcp-gen2: update with latest version (wxWidgets wildcard bugfix)
- print latest tag in logs
- add support for 64bit framebuffer address
- changes from 1.9.9:
- tools: fix some dereference-NULL issues reported by klocwork
- tools: replace banned mem/str fns with corresponding ones in safestringlib
- Add safestringlib code to support replacement of banned mem/str fns
- lcptools: remove tools supporting platforms before 2008
- tboot: update string/memory fn name to differentiate from c lib
- Fix a harmless overflow caused by wrong loop limits
- rebased patches to match new upstream version
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=89
- update to new upstream release 1.9.8:
- Skip tboot launch error index read/write when ignore prev err option is true
- s3-fix: fix a stack overflow caused by enlarged tb_hash_t union
- S3 fix: revert the mis-changed type casting in changeset 522:8e881a07c059
- S3-fix: Adding option save_vtd=true to opt-in the vtd table restore
- rebased patches to match new upstream version
OBS-URL: https://build.opensuse.org/request/show/644201
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tboot?expand=0&rev=36
- Skip tboot launch error index read/write when ignore prev err option is true
- s3-fix: fix a stack overflow caused by enlarged tb_hash_t union
- S3 fix: revert the mis-changed type casting in changeset 522:8e881a07c059
- S3-fix: Adding option save_vtd=true to opt-in the vtd table restore
- rebased patches to match new upstream version
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=85
- update to upstream version 1.9.7. This in mainly a bugfix release:
Fix a lot of issues in tools reported by klocwork scan.
Fix a lot of issues in tboot module reported by klocwork scan.
Remove a redundant tboot option
Fix indent in heap.c
Fix 4 issues along with extpol=agile option
Mitigations for tpm interposer attacks
Add an option in tboot to force SINIT to use the legacy TPM2 log format.
Add support for appending to a TPM2 TCG style event log.
Ensure tboot log is available even when measured launch is skipped.
Add centos7 instructions for Use in EFI boot mode.
Fix memory leak and invalid reads and writes issues.
Fix TPM 1.2 locality selection issue.
Fix a null pointer dereference bug when Intel TXT is disabled.
Optimize tboot docs installation.
Fix security vulnerabilities rooted in tpm_if structure and g_tpm variable.
The size field of the MB2 tag is the size of the tag header + the size
Fix openssl-1.0.2 double frees
Make policy element stm_elt use unique type name
lcptools-v2 utilities fixes
port to openssl-1.1.0
Reset debug PCR16 to zero.
Fix a logical error in function bool evtlog_append(...).
- removed tboot-CVE-2017-16837.patch: now contained in tarball
- removed tboot-openssl-1-1-0.patch: now contained in tarball
- removed tboot-signature-segfault.patch: now contained in tarball
- removed tboot-ssl-broken.patch: now contained in tarball
OBS-URL: https://build.opensuse.org/request/show/632523
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tboot?expand=0&rev=33
Fix a lot of issues in tools reported by klocwork scan.
Fix a lot of issues in tboot module reported by klocwork scan.
Remove a redundant tboot option
Fix indent in heap.c
Fix 4 issues along with extpol=agile option
Mitigations for tpm interposer attacks
Add an option in tboot to force SINIT to use the legacy TPM2 log format.
Add support for appending to a TPM2 TCG style event log.
Ensure tboot log is available even when measured launch is skipped.
Add centos7 instructions for Use in EFI boot mode.
Fix memory leak and invalid reads and writes issues.
Fix TPM 1.2 locality selection issue.
Fix a null pointer dereference bug when Intel TXT is disabled.
Optimize tboot docs installation.
Fix security vulnerabilities rooted in tpm_if structure and g_tpm variable.
The size field of the MB2 tag is the size of the tag header + the size
Fix openssl-1.0.2 double frees
Make policy element stm_elt use unique type name
lcptools-v2 utilities fixes
port to openssl-1.1.0
Reset debug PCR16 to zero.
Fix a logical error in function bool evtlog_append(...).
- removed tboot-CVE-2017-16837.patch: now contained in tarball
- removed tboot-openssl-1-1-0.patch: now contained in tarball
- removed tboot-signature-segfault.patch: now contained in tarball
- removed tboot-ssl-broken.patch: now contained in tarball
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=78
- tboot-signature-segfault.patch: Intermediate patch necessary for
tboot-ssl-broken.patch. Upstream tried to fix OpenSSL issues here, but
failed to do so.
- tboot-ssl-broken.patch: Fixed memory corruption when using OpenSSL
functionality like in lcp2_crtpollist (bnc#1083693). Fix has not yet been
commented on by upstream (posted on tboot-devel mailing list).
OBS-URL: https://build.opensuse.org/request/show/587462
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tboot?expand=0&rev=32
