no testsuite for tboot.
- mark grub.d snippets as %config (noreplace) to satisfy rpmlint warning
(the grub2 package itself marks its snippets this way, so it seems to be
common standard to do so).
- update to v1.11.4:
* v1.11.4
Increase the TBOOT log size from 32 KB to 64 KB. For some Intel server
platforms, it was noticed that TBOOT_SERIAL_LOG memory section was too
small to hold all of the print logs, produced by TBOOT. Due to this
reason TBOOT log section memory size had to be increase to 64KB.
* v1.11.3
Fix the hanging TBOOT issue, which appeared during the RLPs wakeup process
on the Intel's multisocket platform. This problem appeared during the AP
stacks allocations for these RLPs. TBOOT allocated memory for them depending
on the woken-up CPUs X2 APIC values. When some of them exceeded the NR_CPUS (1024),
then the RLP wakeup process execution halted. For the current moment,
the maximal X2 APID value was increased from 1024 to 8192. This kind of
solution fixed the given problem.
* v1.11.2
Fix the RAM memory allocation algorithm for the initrd.
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=115
- updated to v1.11.1 / 20230125:
20230125: v1.11.1
- Revert log memory range extension (caused memory overlaps and boot failures)
20221223: v1.11.0
- Fixed TPM handling to flush objects after integrity measurement (Intel PTT limitations)
- Exteded low memory range for logs (HCC CPUs had issue with not enough memory)
- "agile" removed from PCR Extend policy options (requested deprecation)
- Added handling for flexible ACM Info Table format
- lcptools: CPPFLAGS use by environment in build
- lcptools: removed __DATE__ refs to make build reproducible
- Only platform-matchin SINIT modules can be selected
- txt-acminfo: Map TXT heap using mmap
- Typo fix in man page
20220304: v1.10.5
- Fixed mlehash.c to bring back functionality and make it GCC12 compliant
- Reverted change for replacing EFI memory to bring back Tboot in-memory logs
20220224: v1.10.4
- Fix hash printing for SHA384, SHA512 and SM3
- Touch ups for GCC12
- Set GDT to map CS and DS to 4GB before jumping to Linux
- make efi_memmap_reserve handle gaps like e820_protect_region
- Ensure that growth of Multiboot tags does not go beyond original area
- Replace EFI memory map in Multiboot2 info
- Fix endianness of pcr_info->pcr_selection.size_of_select
- Don't ignore locality in PCR file
- Fix composite hashing algorithm for PCONF elements to match lcptools-1
20211210: v1.10.3
- Add UNI-VGA license information
- Remove poly1305 object files on clean
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=112
- updated to v1.10.2 / 20210614
Fix ACM chipset/processor list validation
Check for client/server match when selecting SINIT
Fix issues when building with GCC11
Default to D/A mapping when TPM1.2 and CBnT platform
- updated to 1.10.1 / 20210330
- Indicate to SINIT that CBnT is supported by TBOOT
- lcptools: Fix issues from static code analysis
OBS-URL: https://build.opensuse.org/request/show/900328
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=107
- changes from 1.9.12:
- Release localities in S3 flow for CRB interface
- Config.mk, safestringlib/makefile : allow tool overrides
- safestringlib: fix warnings with GCC 6.4.0
- Strip executable file before generating tboot.gz
- Add support for EFI memory map parse/modification
- Add SHA384 and SHA512 digest algorithms
- lcptools-v2: add pconf2 policy element support
- tb_polgen: Add SHA384 and SHA512 support
- Disable GCC9 address-of-packed-member warning
- Fix warnings after "Avoid unsafe functions" scan
- Use SHA256 as default hashing algorithm
- changes from 1.9.11:
- tb_polgen: Add support for SHA256
- Configure IOMMU before executing GETSEC[SENTER]
- SINIT ACM can have padding, handle that when checking size
- disable-address-of-packed-member-warning.patch: now contained upstream
- tboot-grub2-fix-xen-submenu-name.patch: refreshed
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=97
- changes from 1.9.10:
- lcp-gen2: update with latest version (wxWidgets wildcard bugfix)
- print latest tag in logs
- add support for 64bit framebuffer address
- changes from 1.9.9:
- tools: fix some dereference-NULL issues reported by klocwork
- tools: replace banned mem/str fns with corresponding ones in safestringlib
- Add safestringlib code to support replacement of banned mem/str fns
- lcptools: remove tools supporting platforms before 2008
- tboot: update string/memory fn name to differentiate from c lib
- Fix a harmless overflow caused by wrong loop limits
- rebased patches to match new upstream version
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=89
- Skip tboot launch error index read/write when ignore prev err option is true
- s3-fix: fix a stack overflow caused by enlarged tb_hash_t union
- S3 fix: revert the mis-changed type casting in changeset 522:8e881a07c059
- S3-fix: Adding option save_vtd=true to opt-in the vtd table restore
- rebased patches to match new upstream version
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=85
- removed following patches, because they're now included upstream:
* tboot-grub2-fix-menu-in-xen-host-server.patch
* tboot-grub2-fix-xen-submenu-name.patch
* tboot-grub2-suse.patch
- Changes in this version:
* GCC7 fix, adds generic FALLTHROUGH notations to avoid warnings appearing on GCC7
* Ensure Tboot never overwrites modules in the process of moving them.
* Add support to x2APIC, which uses 32 bit APIC ID.
* Fix S3 secrets sealing/unsealing failures
* Support OpenSSL 1.1.0+ for ECDSA signature verification.
* Support OpenSSL 1.1.0+ for RSA key manipulation.
* Adds additional checks to prevent the kernel image from being overwritten.
* Added TCG TPM event log support.
* Pass through the EFI memory map that's provided by grub2.
* Fix a null pointer dereference bug when Intel TXT is disabled in BIOS.
* Adjust KERNEL_CMDLINE_OFFSET from 0x9000 to 0x8D00.
* Bounds checking on the kernel_cmdline string.
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=64
Added TPM 2.0 CRB support
Increased BSP and AP stacks to avoid stack overflow
Added an ACPI_RSDP structure g_rsdp in tboot to avoid potential memory overwritten issue on TPM 2.0 UEFI platforms
Added support to both Intel TPM nv index set and TCG TPM nv index set
grub2: tboot doesn't skip first argument any more
grub2: sanitize whitespace in command lines
grub2: Allow addition of policy data in grub.cfg
grub2 support: allow the user to customize the command line
Mitigated S3 resume delay by adjusting LZ_MAX_OFFSET to 5000 in lz.c.
Added SGX TPM nv index support
Add 64 bit ELF object support
Gentoo Hardened, which uses the GRSecurity and PaX patch sets
Disable -fstack-check in CFLAG for compatibility with Gentoo Linux.
Enhanced tboot compatiblity running on non-Intel TXT platform with a fix of is_launched()
LCP documentation improvements
- tboot-grub2-suse.patch: refreshed
- tboot-grub2-fix-xen-submenu-name.patch: refreshed
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=46
Fix build error "may be used uninitialized"
Reset eventlog when S3
Update tboot version to 1.8.1 in grub title
Fix grub cfg file generation scripts for SLES12
Fix seal failure issue
tpm2 lcptools
Restore local apic base for AP
Fix typo in hash_alg_to_string()
Change to create primary object only once
Add prepare_tpm call in S3 path to ensure locality 0 was released before senter
Fix possible dead loop in print_bios_data when bios_data version 4
Fix possible null pointer dereference in loader.c
Fix possible null pointer dereference in tpm_12.c and tpm_20.c
Avoid buffer overrun when append tpm12 eventlog
Fix possible NULL pointer dereference
Fix one event log issue caused by wrong append and print operation
Fix error "unsupported hash alg" for agile extend policy
Fix warning "ACM info_table version mismatch"
Update the tpm family detection with a general way
Fix a lcp tools issue caused by redefining TB_HALG_SHA1 from 0 to 4
Assign g_tpm a value for no tpm case to avoid NULL checks
Fix crash when TPM is missing
Fix infinite loop in determine_multiboot_type()
Fix typo in tpm20_init() and remove unused variable
Allow the to-be-measured nv to be protected by AUTHWRITE
Check cpu vendor id to avoid unexpected behavior in non-intel cpu
Change to detect TPM family only once
Fix some typos caused by copy-paste
- removed tboot-cs381.patch: upstream
OBS-URL: https://build.opensuse.org/package/show/security/tboot?expand=0&rev=36
