From 49a7dff047adeb85d8424043ec8e7fb343958826b839df2ea01e145146d59bc1 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner
Date: Fri, 29 Jun 2018 14:14:45 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=42
---
 install-man.patch | 20 ------
 tpm2-tools-3.0.4.tar.gz | 3 -
 tpm2-tools-3.1.0.tar.gz | 3 +
 tpm2.0-tools-fix-hardening.patch | 15 -----
 tpm2.0-tools.changes | 107 +++++++++++++++++++++++++++++++
 tpm2.0-tools.spec | 19 +++---
 6 files changed, 121 insertions(+), 46 deletions(-)
 delete mode 100644 install-man.patch
 delete mode 100644 tpm2-tools-3.0.4.tar.gz
 create mode 100644 tpm2-tools-3.1.0.tar.gz
 delete mode 100644 tpm2.0-tools-fix-hardening.patch
diff --git a/install-man.patch b/install-man.patch
deleted file mode 100644
index 874a942..0000000
--- a/install-man.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Index: tpm2-tools-3.0.4/Makefile.am
-===================================================================
---- tpm2-tools-3.0.4.orig/Makefile.am
-+++ tpm2-tools-3.0.4/Makefile.am
-@@ -273,7 +273,6 @@ EXTRA_DIST = $(top_srcdir)/man \
- RELEASE.md \
- test/system
-
--if HAVE_PANDOC
- man1_MANS := \
- man/man1/tpm2_activatecredential.1 \
- man/man1/tpm2_certify.1 \
-@@ -315,6 +314,7 @@ if HAVE_PANDOC
- man/man1/tpm2_unseal.1 \
- man/man1/tpm2_verifysignature.1
-
-+if HAVE_PANDOC
- # If pandoc is enabled, we want to generate the manpages for the dist tarball
- EXTRA_DIST += $(man1_MANS)
- else
diff --git a/tpm2-tools-3.0.4.tar.gz b/tpm2-tools-3.0.4.tar.gz
deleted file mode 100644
index 382fcdb..0000000
--- a/tpm2-tools-3.0.4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ac05028347a9fa1da79b5d53b998193de0c3a76000badb961c3feb8b8a0e8e8e
-size 560648
diff --git a/tpm2-tools-3.1.0.tar.gz b/tpm2-tools-3.1.0.tar.gz
new file mode 100644
index 0000000..e185aa1
--- /dev/null
+++ b/tpm2-tools-3.1.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:287c83718cd1910667615b0d4a73400da7ebf93a2fba247461435560269f1375
+size 553400
diff --git a/tpm2.0-tools-fix-hardening.patch b/tpm2.0-tools-fix-hardening.patch
deleted file mode 100644
index 484896a..0000000
--- a/tpm2.0-tools-fix-hardening.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: tpm2-tools-3.0.3/configure.ac
-===================================================================
---- tpm2-tools-3.0.3.orig/configure.ac
-+++ tpm2-tools-3.0.3/configure.ac
-@@ -130,10 +130,8 @@ AS_IF([test x"$hardening" != x"no"], [
-
- add_hardened_c_flag([-Wformat])
- add_hardened_c_flag([-Wformat-security])
-- add_hardened_c_flag([-Wstack-protector])
- add_hardened_c_flag([-fstack-protector-all])
-
-- add_hardened_define_flag([-U_FORTIFY_SOURCE])
- add_hardened_define_flag([-D_FORTIFY_SOURCE=2])
-
- add_hardened_c_flag([-fPIC])
diff --git a/tpm2.0-tools.changes b/tpm2.0-tools.changes
index 0628998..f06a95e 100644
--- a/tpm2.0-tools.changes
+++ b/tpm2.0-tools.changes
@@ -1,3 +1,110 @@
+-------------------------------------------------------------------
+Fri Jun 29 12:03:48 UTC 2018 - matthias.gerstner@suse.com
+
+- update to major version 3.1.0:
+ - the tpm2 stack introduces an incompatible ABI to the previous version with
+ this update. There is no compatibility layer, libraries have new names
+ - install-man.patch: dropped, because we don't really need it
+ - tpm2.0-tools-fix-hardening.patch: contained in upstream tarball now
+s etc.
+ - upstream changelog:
+ * tpm2_unseal: -P becomes -p
+ * tpm2_sign: -P becomes -p
+ * tpm2_nvreadlock: long form for -P is now --auth-hierarchy
+ * tpm2_rsadecrypt: -P becomes -p
+ * tpm2_nvrelease: long-form of -P becomes --auth-hierarchy
+ * tpm2_nvdefine: -I becomes -p
+ * tpm2_encryptdecrypt: -P becomes -p
+ * tpm2_dictionarylockout: -P becomes -p
+ * tpm2_createprimary: -K becomes -p
+ * tpm2_createak: -E becomes -e
+ * tpm2_certify: -k becomes -p
+ * tpm2_hash: -g changes to -G
+ * tpm2_encryptdecrypt: Support IVs via -i and algorithm modes via -G.
+ * tpm2_hmac: drop -g, just use the algorithm associated with the object.
+ * tpm2_getmanufec: -g changes to -G
+ * tpm2_createek: -g changes to -G
+ * tpm2_createak: -g changes to -G
+ * tpm2_verifysignature: -g becomes -G
+ * tpm2_sign: -g becomes -G
+ * tpm2_import: support specifying parent key with a context file,
+ --parent-key-handle/-H becomes --parent-key/-C
+ * tpm2_nvwrite and tpm2_nvread: when -P is "index" -a is optional and defaults to
+ the NV_INDEX value passed to -x.
+ * Load TCTI's by SONAME, not raw .so file
+ * tpm2_activatecredential: -e becomes -E
+ * tpm2_activatecredential: -e becomes -E
+ * tpm2_certify: -c and -C are swapped, -k becomes -K
+ * tpm2_createprimary: -K becomes -k
+ * tpm2_encryptdecrypt: supports input and output to stdin and stdout respectively.
+ * tpm2_create: -g/-G become optional options.
+ * tpm2_createprimary: -g/-G become optional options.
+ * tpm2_verifysignature - Option `-r` changes to `-f` and supports signature format "rsa".
+ * tpm2_import - Parent public data option, `-K` is optional.
+ * tpm2_import - Supports importing external RSA 2048 keys via pem files.
+ * tpm2_pcrlist: Option `--algorithm` changes to `--halg`, which is in line with other tools.
+ * tpm2_verifysignature: Option `-r` and `--raw` have been removed. This were unused within the tool.
+ * tpm2_hmac: Option `--algorithm` changes to `--halg`, which is in line with the manpage.
+ * tpm2_makecredential: Option `--sec` changes to `--secret`.
+ * tpm2_activatecredential: Option `--Password` changes to `--auth-key`.
+ * system tests are now run with make check when --enable-unit is used in configure.
+ * tpm2_unseal: Option `--pwdk` changes to `--auth-key`.
+ * tpm2_sign: Option `--pwdk` changes to `--auth-key`.
+ * tpm2_rsadecrypt: Option `--pwdk` changes to `--auth-key`.
+ * tpm2_quote: Option `--ak-passwd` changes to `--auth-ak`
+ * tpm2_pcrevent: Option `--passwd` changes to `--auth-pcr`
+ * tpm2_nvwrite: Options `--authhandle` and `--handle-passwd`
+ changes to `--hierarchy` and `--auth-hierarchy` respectively.
+ * tpm2_nvread: Options `--authhandle` and `--handle-passwd`
+ changes to `--hierarchy` and `--auth-hierarchy` respectively.
+ * tpm2_nvdefine: Options `--authhandle`, `--handle-passwd` and `--index-passwd`
+ changes to `--hierarchy`, `--auth-hierarchy` and `--auth-index`
+ respectively.
+ * tpm2_loadexternal: `-H` changes to `-a` for specifying hierarchy.
+ * tpm2_load: Option `--pwdp` changes to `--auth-parent`.
+ * tpm2_hmac: Option `--pwdk` changes to `--auth-key`.
+ * tpm2_hash: `-H` changes to `-a` for specifying hierarchy.
+ * tpm2_getmanufec: Options `--owner-passwd`, `--endorse-passwd`
+ * and `--ek-passwd`change to `--auth-owner`, `--auth-endorse`
+ and `--auth-ek` respectively.
+ * tpm2_evictcontrol: Option group `-A` and `--auth` changes to `-a` and `--hierarchy`
+ Option `--pwda` changes to `--auth-hierarchy`
+ * tpm2_encryptdecrypt: Option `--pwdk` changes to `--auth-key`.
+ * tpm2_dictionarylockout: Option `--lockout-passwd` changes to `--auth-lockout`
+ * tpm2_createprimary: Options `--pwdp` and `--pwdk` change to
+ `--auth-hierarchy` and `--auth-object` respectively.
+ * tpm2_createek: Options `--owner-passwd`, `--endorse-passwd`
+ * and `--ek-passwd`change to `--auth-owner`, `--auth-endorse`
+ and `--auth-ek` respectively.
+ * tpm2_createak: Options `--owner-passwd`, `--endorse-passwd`
+ * and `--ak-passwd`change to `--auth-owner`, `--auth-endorse`
+ and `--auth-ak` respectively.
+ * tpm2_create: Options `--pwdo` and `--pwdk` change to `--auth-object` and
+ `--auth-key` respectively.
+ * tpm2_clearlock: Option `--lockout-passwd` changes to `--auth-lockout`
+ * tpm2_clear: Option `--lockout-passwd` changes to `--auth-lockout`
+ * tpm2_changeauth: Options, `--old-owner-passwd`, `--old-endorse-passwd`,
+ and `--old-lockout-passwd` go to `--old-auth-owner`, `--old-auth-endorse`,
+ and `--old-auth-lockout` respectively.
+ * tpm2_certify: Options `--pwdo` and `--pwdk` change to `--auth-object` and
+ `--auth-key` respectively.
+ * tpm2_createprimary: `-H` changes to `-a` for specifying hierarchy.
+ * tpm2_createak: support for non-persistent AK generation.
+ * tpm2_createek: support for non-persistent EK generation.
+ * tpm2_getpubak renamed to tpm2_createak, -f becomes -p and -f is used for format of public key
+ output.
+ * tpm2_getpubek renamed to tpm2_createek, -f becomes -p and -f is used for format of public key
+ output.
+ * Libre SSL builds fixed.
+ * Dynamic TCTIS. Support for pluggable TCTI modules via the -T or --tcti options.
+ * tpm2_sign: supports signing a pre-computed hash via -D
+ * tpm2_clearlock: tool added
+ * test: system testing scripts moved into subordinate test directory.
+ * fix a buffer overflow in nvread/write tools. + * configure: enable code coverage option. + * tpm2_takeownership: split into tpm2_clear and tpm2_changeauth + * env: add TPM2TOOLS_ENABLE_ERRATA to control the -Z or errata option. + ------------------------------------------------------------------- Tue Jun 5 09:55:43 UTC 2018 - matthias.gerstner@suse.com diff --git a/tpm2.0-tools.spec b/tpm2.0-tools.spec index 8f06e6b..2f62609 100644 --- a/tpm2.0-tools.spec +++ b/tpm2.0-tools.spec @@ -17,15 +17,13 @@ Name: tpm2.0-tools -Version: 3.0.4 +Version: 3.1.0 Release: 0 Summary: Trusted Platform Module (TPM) 2.0 administration tools License: BSD-3-Clause Group: Productivity/Security Url: https://github.com/tpm2-software/tpm2-tools/releases Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz -Patch0: tpm2.0-tools-fix-hardening.patch -Patch1: install-man.patch BuildRequires: autoconf-archive BuildRequires: automake BuildRequires: gcc-c++ @@ -41,6 +39,10 @@ BuildRequires: libtool # don't need to generate them any more. On openSUSE we can still keep this # dependency for having fresh builds of the man pages (if that helps # anything?). +# +# Update: In the 3.1.0 a required patch is still missing and the man pages +# won't be installed. they're shipped, though. so if pandoc isn't installed we +# need to install them explicitly. BuildRequires: pandoc %endif BuildRequires: pkgconfig @@ -59,13 +61,8 @@ associated interfaces. %prep %setup -q -n tpm2-tools-%{version} -%patch0 -p1 -%patch1 -p1 %build -# patch1 (install-man) requires to run autoreconf ATM, because it modifies -# Makefile.am. This can be dropped with the next release containing the fix. -autoreconf %configure --disable-static make %{?_smp_mflags} 
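Review bot: No `Source1` signature line is visible next to `Source0` in the first spec hunk, so the new 3.1.0 tarball appears to be trusted only through the sha256 recorded in the committed LFS pointer. If upstream publishes a detached signature for this release (not verifiable from this page), add `Source1: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz.asc` and `Source2: %{name}.keyring` so the signature is checked on every version bump. The preamble continues outside the hunk, so such lines may already exist further down.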
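Review bot: With `autoreconf` removed from `%build` in the third spec hunk, the `BuildRequires: autoconf-archive`, `BuildRequires: automake` and `BuildRequires: libtool` lines that remain as context in the first two hunks look unused, because `%configure` now runs the configure script shipped in the tarball. Drop them unless something outside these hunks still regenerates the build system. Since `%patch0` goes away in the same hunk, it is also worth confirming once in the build log that the compile lines still carry `-D_FORTIFY_SOURCE=2` and `-fstack-protector-all`, the flags the deleted hardening patch was adjusting around.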
@@ -75,6 +72,12 @@ make %{?_smp_mflags} check %install make DESTDIR=%{buildroot} install %{?_smp_mflags} find %{buildroot} -type f -name "*.la" -delete -print +%if ! 0%{?is_opensuse} +# install man pages explicitly, until upstream fixes their installation +# setup in autotools, see commit 72a28f36151db9bfa59a460ae0114dcece218862 +mkdir -p %{buildroot}/%{_mandir}/man1/ +cp %{_builddir}/tpm2-tools-%{version}/man/man1/* %{buildroot}/%{_mandir}/man1/ +%endif %files %defattr(-,root,root)
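Review bot: The added `cp %{_builddir}/tpm2-tools-%{version}/man/man1/* %{buildroot}/%{_mandir}/man1/` copies every file in `man/man1` with whatever mode the tarball gives it, so any non-manpage file in that directory would land in the package as well. Prefer `install -m 0644 man/man1/*.1 %{buildroot}%{_mandir}/man1/`, which limits the copy to section-1 pages and pins the mode. `%install` already runs inside the unpacked source directory (the `make DESTDIR=... install` line above relies on that), so the `%{_builddir}` prefix is not needed. The `%files` list continues outside the hunk, so whether the man pages are listed there for the non-openSUSE case cannot be checked from here.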