diff --git a/0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch b/0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch deleted file mode 100644 index 31f5562..0000000 --- a/0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch +++ /dev/null @@ -1,23 +0,0 @@ -From a10fd03a8d62226e798b8338c6caf73195e64557 Mon Sep 17 00:00:00 2001 -From: Alberto Planas -Date: Fri, 8 Jul 2022 10:09:24 +0200 -Subject: [PATCH 1/1] tests/getekcertificate.sh: Skip the test if curl is not - present - -Signed-off-by: Alberto Planas ---- - test/integration/tests/getekcertificate.sh | 1 + - 1 file changed, 1 insertion(+) - -Index: tpm2-tools-5.2/test/integration/tests/getekcertificate.sh -=================================================================== ---- tpm2-tools-5.2.orig/test/integration/tests/getekcertificate.sh -+++ tpm2-tools-5.2/test/integration/tests/getekcertificate.sh -@@ -19,6 +19,7 @@ start_up - # Check connectivity - if [ -z "$(curl -V 2>/dev/null)" ]; then - echo "curl is not not installed. Skipping connection check." -+ exit 077 - else - if [ "$(curl --silent --output /dev/null --write-out %{http_code} \ - 'https://ekop.intel.com/')" != '200' ]; then diff --git a/add_missing_shut_down_call_on_cleanup.patch b/add_missing_shut_down_call_on_cleanup.patch deleted file mode 100644 index f3368af..0000000 --- a/add_missing_shut_down_call_on_cleanup.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From db6aa7ac5094a04168e60256e154786c0c7e7c1c Mon Sep 17 00:00:00 2001 -From: Alberto Planas -Date: Wed, 13 Jul 2022 13:35:19 +0200 -Subject: [PATCH] test: add missing shut_down call on cleanup - -The tests "gettime", "readclock" and "symlink" are not calling -"shut_down" during the "cleanup" stage, making the TPM simulator to keep -their process during the "make check". Somehow this produces problems -when the tests are executed in parallel under certain conditions, with -the effect of "make" not ending and waiting to those process to die. - -This commit and the mising call in the "cleanup" stage. - -Fix #3042 - -Signed-off-by: Alberto Planas ---- - test/integration/tests/gettime.sh | 5 ++++- - test/integration/tests/readclock.sh | 5 ++++- - test/integration/tests/symlink.sh | 5 ++++- - 3 files changed, 12 insertions(+), 3 deletions(-) - -diff --git a/test/integration/tests/gettime.sh b/test/integration/tests/gettime.sh -index 5a91210a7..054bef864 100644 ---- a/test/integration/tests/gettime.sh -+++ b/test/integration/tests/gettime.sh -@@ -3,7 +3,10 @@ - source helpers.sh - - cleanup() { -- rm -f attest.sig attest.data -+ rm -f attest.sig attest.data -+ if [ "$1" != "no-shut-down" ]; then -+ shut_down -+ fi - } - trap cleanup EXIT - -diff --git a/test/integration/tests/readclock.sh b/test/integration/tests/readclock.sh -index 56a4c8622..2c59dad09 100644 ---- a/test/integration/tests/readclock.sh -+++ b/test/integration/tests/readclock.sh -@@ -3,7 +3,10 @@ - source helpers.sh - - cleanup() { -- rm -f clock.yaml -+ rm -f clock.yaml -+ if [ "$1" != "no-shut-down" ]; then -+ shut_down -+ fi - } - trap cleanup EXIT - -diff --git a/test/integration/tests/symlink.sh b/test/integration/tests/symlink.sh -index d1c800ad0..b61349eef 100644 ---- a/test/integration/tests/symlink.sh -+++ b/test/integration/tests/symlink.sh -@@ -4,7 +4,10 @@ source helpers.sh - - TMP="$(mktemp -d)" - cleanup() { -- rm -rf "$TMP" -+ rm -rf "$TMP" -+ if [ "$1" != "no-shut-down" 
]; then -+ shut_down -+ fi - } - trap cleanup EXIT - diff --git a/echo_tcti_call_python3_binary.patch b/echo_tcti_call_python3_binary.patch new file mode 100644 index 0000000..1cd1595 --- /dev/null +++ b/echo_tcti_call_python3_binary.patch @@ -0,0 +1,23 @@ +From d191b1f3cd66e9334d000c622bc6cc4bdc63304e Mon Sep 17 00:00:00 2001 +From: Alberto Planas +Date: Thu, 8 Dec 2022 15:23:50 +0100 +Subject: [PATCH] echo_tcti: call python3 binary + +Most distributions are now in Python3. The binary for Python3 is still +called `python3`. + +Signed-off-by: Alberto Planas +--- + test/scripts/echo_tcti.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/scripts/echo_tcti.py b/test/scripts/echo_tcti.py +index 3e4c1f462..325e35315 100755 +--- a/test/scripts/echo_tcti.py ++++ b/test/scripts/echo_tcti.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + + # + # This TCTI is designed to use with the subprocess TCTI and echo the contents diff --git a/fix_check_of_qualifying_data.patch b/fix_check_of_qualifying_data.patch deleted file mode 100644 index 670555c..0000000 --- a/fix_check_of_qualifying_data.patch +++ /dev/null 
@@ -1,167 +0,0 @@ -From 3b1f00301350848e9454c7adf0487c1a14738236 Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Sat, 8 Jan 2022 13:43:00 +0100 -Subject: [PATCH] test/fapi/fapi-quote-verify.sh Fix check of qualifying data. - -Because of a bug in Fapi_VerifyQuote the qualifying data was not checked correctly. -Errors that were not recognized before occur now. -The order of the tests was cleaned up and for every quote and verify quote now -the correct combination of the qualifying data and quote info containing the nonce -is used. - -Signed-off-by: Juergen Repp ---- - test/integration/fapi/fapi-quote-verify.sh | 38 ++++++++++++---------- - 1 file changed, 20 insertions(+), 18 deletions(-) - -diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify.sh -index ad4ade3a1..497d4337f 100644 ---- a/test/integration/fapi/fapi-quote-verify.sh -+++ b/test/integration/fapi/fapi-quote-verify.sh -@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey - NONCE_FILE=$TEMP_DIR/nonce.file - PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key - QUOTE_INFO=$TEMP_DIR/quote.info -+QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info - SIGNATURE_FILE=$TEMP_DIR/signature.file - CERTIFICATE_FILE=$TEMP_DIR/certificate.file - PCR_LOG=$TEMP_DIR/pcr.log -@@ -35,14 +36,32 @@ tss2 provision - - tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue="" - -+tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force -+tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY -+ -+ - tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \ - --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \ - --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force - -+tss2 verifyquote --publicKeyPath="ext/myNewParent" \ -+ --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \ -+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG -+ - echo "tss2 quote with EMPTY_FILE" # Expected to succeed - tss2 quote 
--keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \ - --qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \ -- --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force -+ --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force -+ -+echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed -+tss2 verifyquote --publicKeyPath="ext/myNewParent" \ -+ --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \ -+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG -+ -+# Try with missing qualifyingData -+tss2 verifyquote --publicKeyPath="ext/myNewParent" \ -+ --quoteInfo=$QUOTE_EMPTY_INFO \ -+ --signature=$SIGNATURE_FILE - - echo "tss2 quote with BIG_FILE" # Expected to fail - expect < + +- Update to version 5.4 + + Added: + * tpm2_policyrestart: Added option --cphash to output the cpHash + for the command PM2_CC_PolicyRestart. + * tpm2_policynvwritten: Added option --cphash to output the cpHash + for the command TPM2_CC_PolicyNvWritten. + * tpm2_policylocality: Added option --cphash to output the cpHash + for the command TPM2_CC_PolicyLocality. + * tpm2_policycountertimer: Added option --cphash to output the + cpHash for the command TPM2_CC_PolicyCounterTimer. + * tpm2_policycommandcode: Added option --cphash to output the + cpHash for the command TPM2_CC_PolicyCommandCode. + * tpm2_policypassword: Added option --cphash to output the cpHash + for the command TPM2_CC_PolicyPassword. + * tpm2_policyauthvalue: Added option --cphash to output the cpHash + for the command TPM2_CC_PolicyAuthValue. + * tpm2_policyauthorize: Added option --cphash to output the cpHash + for the command TPM2_CC_PolicyAuthorize. + * tpm2_print: Support printing serialized ESYS_TR's + * tpm2_create: Add a clarifying message to usage of -c when + TPM2_CreateLoaded is not supported. + * tpm2_getcap: Add support for vendor agnostic + capabilites. Requires tpm2-tss version 4.0 and higher to enable. 
+ * Add a script, check_endorsement_cert.sh, to validate the + endorsement certificate chain. It takes two inputs - A + TPM2B_PUBLIC format EKpublic and a PEM format EKcertificate + specified in that order as arguments. + +- Update to version 5.3 + + Features: + * lib/tpm2_tool.c: add --help=no-man for tpm2 option. Prior to + this change the tool parsed no-man as an unrecognized option and + errored out. Now it lists all the available tool options. + * tpm2_encodeobject: New tool to encode TPM2 object. It takes + public and private portions of an object and encode them in a + combined PEM form called tssprivkey used by tpm2-tss-engine and + other applications. + * Support alternative ECC curves for which default EK templates + exist (NIST_P256, NIST_P384, NIST_P521, and SM2_P256). + * tools/misc/tpm2_checkquote: add sm2 verification of signature. + * crypto: support the TPM2_ECC_SM2_P256 curveID. + * fapi: add new command to enable the use of fapi objects for tpm2 + tools. The new command tss2_gettpm2object was added. With this + command context files which can be used for tpm2 tool commands + can be created. + * Support for sign and verify with sm2 algorithms. + * tools/tpm2_startauthsession: add sym-algorithm argument for + supported symmetric algorithm. + * Attestation (certify, command audit, sessionaudit and quote): + add scheme argument for supported signature schemes. This also + enable support for SM signing. + * tpm2_flushcontext: support all options at a time. Support the + -t/-l/-s options all at once so folks don't have to call it + multiple times. + * tools/tpm2_nvread: add human readable output for NV content + Enable parsing and YAML-style output for the different NV index + types. 
+ * New event types in tpm2_eventlog: + EV_EFI_PLATFORM_FIRMWARE_BLOB2, EV_EFI_HANDOFF_TABLES2, + EV_EFI_VARIABLE_BOOT2 + * VERSION: add version file - Generate the version file with + bootstrap and include in the DIST tarball so endusers can call + autoreconf on a dist tarball which doesn't have git. This + alleviates git describe errors on release tarballs in the + autoreconf case. + * import: support restricted parents - Support a restricted parent + with an aes128cfb symmetric parameter. + * tpm2_load - Added capability to load pem files in + TSS2-Private-Key format for interoperability with + tpm2-tss-engine, tpm2-openssl provider tpm2-pkcs11, and + tpm2-pytss. + * tpm2_print - Added capability to parse out and print the public + portion of a TSS Private Key in the PEM format with the arg + option TSSPRIVKEY_OBJ. + * tpm2_loadexternal: Added support to tpm2_loadexternal for + parsing and loading the public portion of a TSS2 Privkey PEM + file. The path to the PEM file must be specified using the -r + option while skipping the -G option for key type. + * Support added for calculating cpHash, rpHash, sessions for + parameter encryption and auditing in: tpm2_nvwrite, + tpm2_nvcertify, tpm2_nvincrement, tpm2_nvwritelock, + tpm2_nvreadlock, tpm2_nvundefine and tpm2_nvreadpublic. + * Support added for calculating cpHash in: tpm2_clear, + tpm2_dictionarylockout, tpm2_clearcontrol, tpm2_sign, + tpm2_setprimarypolicy, tpm2_setclock, tpm2_rsadecrypt, + tpm2_duplicate, tpm2_clockrateadjust, tpm2_createprimary, + tpm2_quote, tpm2_policysecret, tpm2_policynv, + tpm2_policyauthorizenv, tpm2_import, tpm2_hmac, + tpm2_hierarchycontrol, tpm2_load, tpm2_gettime, + tpm2_evictcontrol, tpm2_encryptdecrypt, tpm2_getpolicydigest, + tpm2_loadexternal, tpm2_commit, tpm2_ecdhkeygen, tpm2_ecdhzgen, + tpm2_ecephemeral, tpm2_geteccparameters, tpm2_flushcontext, + tpm2_pcrallocate, tpm2_pcrevent, tpm2_pcrreset, tpm2_pcrread. 
+ * Support for using tcti=none for cpHash calculations to avoid + invoking checks for active TPM in: tpm2_nvreadpublic, + tpm2_nvundefine, tpm2_nvreadlock, tpm2_nvwritelock, + tpm2_nvincrement, tpm2_nvcertify, tpm2_nvdefine, tpm2_nvwrite. + + Known issue: + * FAPI tools will not work on 32bit user-static qemu on 64bit host + because readdir returns NULL. Follow the issue on + https://gitlab.com/qemu-project/qemu/-/issues/263 + + Bug fixes: + * tools/tpm2_pcrreset.c: fix build errors in 32bit systems. + * Fix tssprivkey formatted PEM generation and load errors on 32 + bit systems. + * CI: Add testing of 32bit systems with multiarch/qemu-user-static + containers. + * tools/tpm2_evictcontrol: fix for calls to Esys_TR_Close on bad + handles. + * tools/tpm2_nvextend: fix for ESYS_TR handle not being used in + calculating the object name. + * tools/tpm2_nvwrite, tools/tpm2_nvread: Policy authorization must + be re-instantiated on each iteration of the read/ write when + size exceeds the allowed operating size + (TPM2_PT_NV_BUFFER_MAX). However, information on the compounded + policies cannot be retrieved from the only policy digest read + from the session and hence the session cannot be + re-instantiated. To avoid this scenario only a single iteration + is allowed when policy authorization is in use. + * Fix argument parsing in tpm2_policylocality to fix an issue + causing almost always to generate PolicyLocality(0). There was a + logical inversion that caused almost any argument (including + invalid ones) to be interpreted as zero, except “zero" would be + interpreted as one. + * test/fapi/fapi-quote-verify.sh Fix check of qualifying + data. Because of a bug in Fapi_VerifyQuote the qualifying data + was not checked correctly. Errors that were not recognized + before occur now. The order of the tests was cleaned up and for + every quote and verify quote now the correct combination of the + qualifying data and quote info containing the nonce is used. 
+ * tpm2_nvdefine: set TPMA_NV_PLATFORMCREATE when authenticating + with the platform hierarchy. + * tools/tpm2_getekcertificate: fixed the url link to + ekop.intel.com. There were two places where the fix was needed: + o In the tool source code where a forward slash was always + appended irrespective of it already being part of the link + specified by the user and + o In the integration test where curl tests the link to the + ekop.intel.com backend. It now requires the full link to + include the base64 encoded ek pub hash. + * tools/tpm2_tool.c: Fix an issue where LOG_WARN is always + displayed Despite setting the 'quiet' flag with -Q. + * fapi: fix usage of parameter pcrLog for tss2_quote. pcrLog is an + optional parameter. If pcrLog is not used as parameter currently + the pcr log is still calculated in Fapi_Quote. To avoid this + calculation a NULL pointer will be passed to Fapi_Quote if the + parameter pcrLog is not passed. So tss2_quote can be executed + for a user which has no access rights to the files with the + system measurements. + * import: fix bug on using scheme wherein if scheme is specified + in the template, the openssl load functions clobber the scheme + value and set it to TPM2_ALG_NULL. + * tools/tpm2_sign and tpm2_verifysignature: fix sm2 sign and + verifysignature bugs : (1.) sm2 sign could not get output + signature. (2.) sm2 verify tss format signature failed. + * lib/tpm2.c: added workaround for a system api bug where in the + flush handle is erroneously placed in the handle area instead of + the parameter area. + * nvreadpublic: drop ntoh on attributes The attributes get + marshalled to correct endianess by libmu and don’t need to be + changed again. + * Removing unused '-i' option from tpm2_print + * tpm2_policyor: fix unallocated policy list The TPML_DIGEST + policy list was calloc'd for some reason, however it could just + be statically allocated in the context. 
The side effect is that + when no options or arguments were given a NPD occured when + checking the count of the policy list. + * tools/tpm2_certify: fix man page for short options and add tests + The short options for the signing-key-auth and + certified-key-auth were swapped. The case fix in the man page + makes it less intuitive but have to go through with the change + so that we don't break any existing scripts. This change does + not affect the long options. Tests have been added to ensure the + functionality. + + CI: + * ci: add ubuntu-22.04. This also requires the min tpm2-tss + version to be at 3.2.0 to support the openSSL major version 3. + * cirrus.yml: update freebsd version to 13.1 + * .ci/download-deps.sh: update tpm2-abrmd dependency version to + 2.4.1 +- Drop 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch + (merged) +- Drop add_missing_shut_down_call_on_cleanup.patch (merged) +- Drop fix_check_of_qualifying_data.patch (merged) +- Add echo_tcti_call_python3_binary.patch (upstreamed) + ------------------------------------------------------------------- Thu Jul 14 09:49:39 UTC 2022 - Alberto Planas Dominguez diff --git a/tpm2.0-tools.spec b/tpm2.0-tools.spec index 567ae10..62605dd 100644 --- a/tpm2.0-tools.spec +++ b/tpm2.0-tools.spec @@ -17,14 +17,9 @@ %define _lto_cflags %{nil} -%ifarch %{ix86} x86_64 aarch64 %{arm} ppc64le %bcond_without test -%else -# ppc ppc64 s390x -%bcond_with test -%endif Name: tpm2.0-tools -Version: 5.2 +Version: 5.4 Release: 0 Summary: Trusted Platform Module (TPM) 2.0 administration tools License: BSD-3-Clause 
@@ -35,12 +30,8 @@ Source1: https://github.com/tpm2-software/tpm2-tools/releases/download/%{ # git show william-roberts-pub javier-martinez-pub joshua-lock-pub idesai-pub > tpm2-tools.keyring Source2: tpm2-tools.keyring Patch0: fix_bogus_warning.patch -# PATCH-FIX-UPSTREAM 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch -- based on PR#3041 -Patch1: 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch -# PATCH-FIX-UPSTREAM add_missing_shut_down_call_on_cleanup.patch -- based on PR#3047 -Patch2: add_missing_shut_down_call_on_cleanup.patch -# PATCH-FIX-UPSTREAM fix_check_of_qualifying_data.patch -- already merged -Patch3: fix_check_of_qualifying_data.patch +# PATCH-FIX-UPSTREAM add_missing_shut_down_call_on_cleanup.patch -- based on PR#3176 +Patch1: echo_tcti_call_python3_binary.patch BuildRequires: gcc-c++ BuildRequires: libcurl-devel BuildRequires: libopenssl-devel @@ -97,8 +88,8 @@ export PATH=$PATH:/usr/sbin:/usr/libexec/ibmtss find %{buildroot} -type f -name "*.la" -delete -print %files -%doc doc/README.md doc/CHANGELOG.md -%license doc/LICENSE +%doc docs/README.md docs/CHANGELOG.md +%license docs/LICENSE %{_bindir}/tpm2* %{_bindir}/tss2* %{_mandir}/man1/tpm2*
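Review bot: Dropping the `%ifarch %{ix86} x86_64 aarch64 %{arm} ppc64le` guard around `%bcond_without test` turns the integration test suite on by default for the targets the removed `# ppc ppc64 s390x` branch deliberately excluded, and neither the hunk nor the changelog says why that exclusion is no longer needed. If it was there because the TPM simulator or the `ibmtss` helpers used by `%check` are unavailable or flaky on those arches (not verifiable from this hunk), those builds will now fail or hang in `make check` instead of skipping it — the just-dropped `add_missing_shut_down_call_on_cleanup.patch` was working around exactly such a hang. Either keep the arch conditional or put the justification next to the bcond, e.g. `# tests enabled on all arches: simulator verified on ppc64/s390x with 5.4`, once that has actually been checked. The bump to `Version: 5.4` also means the `Source1` signature must still validate against the bundled `tpm2-tools.keyring`; confirm the 5.4 release was signed by one of the keys named in the keyring comment and refresh the keyring otherwise.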
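Review bot: The comment above the new `Patch1` line still names `add_missing_shut_down_call_on_cleanup.patch`, the patch this commit deletes, while the file actually declared is `echo_tcti_call_python3_binary.patch`, so the `# PATCH-FIX-UPSTREAM` line now documents the wrong patch. The changelog calls the new patch "upstreamed" while the comment says "based on PR#3176"; the patch header itself carries upstream commit d191b1f3cd66, so record that and keep the two descriptions consistent. Suggested line: `# PATCH-FIX-UPSTREAM echo_tcti_call_python3_binary.patch -- upstream commit d191b1f3cd66 (PR#3176), test helper shebang python -> python3`. Renumbering the surviving patch from Patch3/Patch2 down to Patch1 is only safe if `%prep` uses `%autosetup`/`%autopatch` or its `%patch` lines were updated accordingly; `%prep` is outside this hunk.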