forked from pool/tpm2.0-tools
- add 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch: no longer use a
fixed AES key in the context of the tpm2_import command. Fixes CVE-2021-3565 (bsc#1186490). - drop fix_pie_linking.patch: now contained in upstream tarball - drop fix_warnings.patch: now contained in upstream tarball - update to upstream version 5.1: - Minimum tpm2-tss version dependency bumped to 3.1.0 - Minimum tpm2-abrmd version dependency bumped to 2.4.0 - tss2: - Support in tools for PolicyRef inclusion in policy search per latest TSS. - Support to use TPM objects protected by a policy with PolicySigned. - Enable backward compatibility to old Fapi callback API. - Fix PCR selection for tss2 quote. - Support policy signed policies by implementing Fapi_SetSignCB. - Command/ response parameter support for auditing and pHash policies: - lib/tpm2_util.c: Add method to determine hashing alg for cp/rphash - Add support to calculate rphash for tpm2_create, tpm2_activatecredential, tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal - Add support to calculate cphash for tpm2_changeeps, tpm2_changepps. - Session-support: - tpm2_sessionconfig: Add tool to display and configure session attributes. - tpm2_getrandom: Fix— session input was hardcoded for audit-only - tpm2_startauthsession: Add option to specify the bind object and its authorization value. - tpm2_startauthsession: support for bounded-only session. - tpm2_startauthsession: support for salted-only session. - tpm2_startauthsession: add option to specify an hmac session type. - Add support for specifying non-authorization sessions for audit and parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend, OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=70
This commit is contained in:
parent
d836ba0360
commit
b000df49d3
46
0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
Normal file
46
0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
|
||||||
|
From: William Roberts <william.c.roberts@intel.com>
|
||||||
|
Date: Fri, 21 May 2021 12:22:31 -0500
|
||||||
|
Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
|
||||||
|
|
||||||
|
tpm2_import used a fixed AES key for the inner wrapper, which means that
|
||||||
|
a MITM attack would be able to unwrap the imported key. Even the
|
||||||
|
use of an encrypted session will not prevent this. The TPM only
|
||||||
|
encrypts the first parameter which is the fixed symmetric key.
|
||||||
|
|
||||||
|
To fix this, ensure the key size is 16 bytes or bigger and use
|
||||||
|
OpenSSL to generate a secure random AES key.
|
||||||
|
|
||||||
|
Fixes: #2738
|
||||||
|
|
||||||
|
Signed-off-by: William Roberts <william.c.roberts@intel.com>
|
||||||
|
---
|
||||||
|
tools/tpm2_import.c | 12 +++++++++++-
|
||||||
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
|
||||||
|
index cfb6f207..f44326c8 100644
|
||||||
|
--- a/tools/tpm2_import.c
|
||||||
|
+++ b/tools/tpm2_import.c
|
||||||
|
@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
|
||||||
|
TPM2B_DATA enc_sensitive_key = {
|
||||||
|
.size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
|
||||||
|
};
|
||||||
|
- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
|
||||||
|
+
|
||||||
|
+ if(enc_sensitive_key.size < 16) {
|
||||||
|
+ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
|
||||||
|
+ return tool_rc_general_error;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
|
||||||
|
+ if (ossl_rc != 1) {
|
||||||
|
+ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
|
||||||
|
+ return tool_rc_general_error;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Calculate the object name.
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -1,13 +0,0 @@
|
|||||||
Index: tpm2-tools-5.0/Makefile.am
|
|
||||||
===================================================================
|
|
||||||
--- tpm2-tools-5.0.orig/Makefile.am
|
|
||||||
+++ tpm2-tools-5.0/Makefile.am
|
|
||||||
@@ -45,7 +45,7 @@ lib_libcommon_a_SOURCES = $(LIB_SRC)
|
|
||||||
lib_libcommon_a_CFLAGS = -fPIC $(AM_CFLAGS)
|
|
||||||
|
|
||||||
tools_fapi_tss2_CFLAGS = $(FAPI_CFLAGS) -DTSS2_TOOLS_MAX="$(words $(tss2_tools))"
|
|
||||||
-tools_fapi_tss2_LDFLAGS = $(TSS2_FAPI_LIBS)
|
|
||||||
+tools_fapi_tss2_LDFLAGS = $(EXTRA_LDFLAGS) $(TSS2_FAPI_LIBS)
|
|
||||||
tools_fapi_tss2_SOURCES = \
|
|
||||||
tools/fapi/tss2_template.c \
|
|
||||||
tools/fapi/tss2_template.h \
|
|
@ -1,28 +0,0 @@
|
|||||||
Index: tpm2-tools-5.0/tools/tpm2_getekcertificate.c
|
|
||||||
===================================================================
|
|
||||||
--- tpm2-tools-5.0.orig/tools/tpm2_getekcertificate.c
|
|
||||||
+++ tpm2-tools-5.0/tools/tpm2_getekcertificate.c
|
|
||||||
@@ -190,8 +190,8 @@ static char *base64_encode(const unsigne
|
|
||||||
return final_string;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static size_t writecallback(void *contents, size_t size, size_t nitems,
|
|
||||||
- char *CERT_BUFFER) {
|
|
||||||
+static size_t writecallback(char *contents, size_t size, size_t nitems,
|
|
||||||
+ void *CERT_BUFFER) {
|
|
||||||
|
|
||||||
strncpy(CERT_BUFFER, (const char *)contents, nitems * size);
|
|
||||||
ctx.rsa_cert_buffer_size = nitems * size;
|
|
||||||
Index: tpm2-tools-5.0/lib/tpm2_util.c
|
|
||||||
===================================================================
|
|
||||||
--- tpm2-tools-5.0.orig/lib/tpm2_util.c
|
|
||||||
+++ tpm2-tools-5.0/lib/tpm2_util.c
|
|
||||||
@@ -49,7 +49,7 @@ bool tpm2_util_concat_buffer(TPM2B_MAX_B
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ((result->size + append->size) > TPM2_MAX_DIGEST_BUFFER) {
|
|
||||||
+ if (((size_t)result->size + append->size) > TPM2_MAX_DIGEST_BUFFER) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:e1b907fe29877628052e08ad84eebc6c3f7646d29505ed4862e96162a8c91ba1
|
|
||||||
size 990855
|
|
3
tpm2-tools-5.1.tar.gz
Normal file
3
tpm2-tools-5.1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:e2d37b4376f968d6ce480e71b9b26a56a1960c844f4816335570c141c03642cd
|
||||||
|
size 1042653
|
@ -1,3 +1,130 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 28 10:24:21 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
- add 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch: no longer use a
|
||||||
|
fixed AES key in the context of the tpm2_import command. Fixes CVE-2021-3565
|
||||||
|
(bsc#1186490).
|
||||||
|
- drop fix_pie_linking.patch: now contained in upstream tarball
|
||||||
|
- drop fix_warnings.patch: now contained in upstream tarball
|
||||||
|
- update to upstream version 5.1:
|
||||||
|
- Minimum tpm2-tss version dependency bumped to 3.1.0
|
||||||
|
- Minimum tpm2-abrmd version dependency bumped to 2.4.0
|
||||||
|
- tss2:
|
||||||
|
- Support in tools for PolicyRef inclusion in policy search per latest TSS.
|
||||||
|
- Support to use TPM objects protected by a policy with PolicySigned.
|
||||||
|
- Enable backward compatibility to old Fapi callback API.
|
||||||
|
- Fix PCR selection for tss2 quote.
|
||||||
|
- Support policy signed policies by implementing Fapi_SetSignCB.
|
||||||
|
- Command/ response parameter support for auditing and pHash policies:
|
||||||
|
- lib/tpm2_util.c: Add method to determine hashing alg for cp/rphash
|
||||||
|
- Add support to calculate rphash for tpm2_create, tpm2_activatecredential,
|
||||||
|
tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps,
|
||||||
|
tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal
|
||||||
|
- Add support to calculate cphash for tpm2_changeeps, tpm2_changepps.
|
||||||
|
- Session-support:
|
||||||
|
- tpm2_sessionconfig: Add tool to display and configure session attributes.
|
||||||
|
- tpm2_getrandom: Fix— session input was hardcoded for audit-only
|
||||||
|
- tpm2_startauthsession: Add option to specify the bind object and its
|
||||||
|
authorization value.
|
||||||
|
- tpm2_startauthsession: support for bounded-only session.
|
||||||
|
- tpm2_startauthsession: support for salted-only session.
|
||||||
|
- tpm2_startauthsession: add option to specify an hmac session type.
|
||||||
|
- Add support for specifying non-authorization sessions for audit and
|
||||||
|
parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend,
|
||||||
|
tpm2_nvdefine, tpm2_unseal, tpm2_activatecredential, tpm2_certify,
|
||||||
|
tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps.
|
||||||
|
- tpm2_eventlog:
|
||||||
|
- Support for event type: EV_IPL extensively used by the Shim and Grub.
|
||||||
|
- Support for event type: EV_EFI_GPT_EVENT to parse.
|
||||||
|
UEFI_PARTITION_TABLE_HEADER and UEFI_PARTITION_ENTRY.
|
||||||
|
- Support for event type: EFI_SIGNATURE_LIST, which contains one or more
|
||||||
|
EFI_SIGNATURE_DATA.
|
||||||
|
- Support for event type EV_EFI_VARIABLE_AUTHORITY.
|
||||||
|
- Parse UEFI_PLATFORM_FIRMWARE_BLOB structure that the CRTM MUST put into
|
||||||
|
the Event Log entry TCG_PCR_EVENT2.event field for event types
|
||||||
|
EV_POST_CODE, EV_S_CRTM_CONTENTS, and EV_EFI_PLATFORM_FIRMWARE_BLOB.
|
||||||
|
- Parse secureboot variable to indicate enable as 'Yes'.
|
||||||
|
- Parse BootOrder variable to a more readable format.
|
||||||
|
- Parse Boot variables per EFI_LOAD_OPTION described in more details in
|
||||||
|
UEFI Spec Section 3.1.3
|
||||||
|
- Parse Device-path in a readable format using the efivar library.
|
||||||
|
- Support for logs longer than 64 kilobytes.
|
||||||
|
- Perform verification for event types where digest can be verified from
|
||||||
|
their event payload.
|
||||||
|
- Better support for multiline strings.
|
||||||
|
- Fix handling of event log EV_POST_CODE data where field is empty and len
|
||||||
|
is specified.
|
||||||
|
- scripts/utils: Add a utility to read the cert chain of embedded CA.
|
||||||
|
- tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP
|
||||||
|
404.
|
||||||
|
- tpm2_nvdefine: allow setting hash algorithm by command line parameter for NV
|
||||||
|
indices set in extend mode.
|
||||||
|
- tpm2_duplicate, tpm2_import: support duplicating non-TPM keys to a remote
|
||||||
|
TPM without first requiring them to be loaded to a local TPM.
|
||||||
|
- tpm2_dictionarylockout: Fix issue where setting value for one parameter
|
||||||
|
caused to reset the others.
|
||||||
|
- tpm2_getpolicydigest: Add new tool to enable TPM2_CC_PolicyGetDigest.
|
||||||
|
- Fix segfault where optind > argc.
|
||||||
|
- tools/tpm2_checkquote: fix missing initializer
|
||||||
|
- tpm2_convert: fix EVP_EncodeUpdate usage for OSSL < 1.1.0
|
||||||
|
- openssl: fix EVP_ENCODE_CTX_(new|free)
|
||||||
|
- test: Add support for swTPM simulator to the testing framework and make it
|
||||||
|
the default if mssim isn't available.
|
||||||
|
- tpm2_unseal:
|
||||||
|
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
of the response parameters. This is commonly termed as rpHash.
|
||||||
|
- tpm2_nvextend:
|
||||||
|
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
of the response parameters. This is commonly termed as rpHash.
|
||||||
|
- tpm2_nvdefine:
|
||||||
|
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
of the response parameters. This is commonly termed as rpHash.
|
||||||
|
- tpm2_changepps:
|
||||||
|
- Added option **\--cphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
of the command parameters. This is commonly termed as cpHash.
|
||||||
|
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||||||
|
session for auditing and or encryption/decryption of the parameters.
|
||||||
|
- tpm2_changeeps:
|
||||||
|
- Added option **\--cphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
of the command parameters. This is commonly termed as cpHash.
|
||||||
|
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
of the response parameters. This is commonly termed as rpHash.
|
||||||
|
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||||||
|
session for auditing and or encryption/decryption of the parameters.
|
||||||
|
- tpm2_changeauth:
|
||||||
|
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
of the response parameters. This is commonly termed as rpHash.
|
||||||
|
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||||||
|
session for auditing and or encryption/decryption of the parameters.
|
||||||
|
- tpm2_certifycreation:
|
||||||
|
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
of the response parameters. This is commonly termed as rpHash.
|
||||||
|
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||||||
|
session for auditing and or encryption/decryption of the parameters.
|
||||||
|
- tpm2_certify:
|
||||||
|
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
of the response parameters. This is commonly termed as rpHash.
|
||||||
|
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||||||
|
session for auditing and or encryption/decryption of the parameters.
|
||||||
|
- tpm2_activatecredential:
|
||||||
|
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
of the response parameters. This is commonly termed as rpHash.
|
||||||
|
- Added option **-S**, **\--session** to specify to specify an auxiliary
|
||||||
|
session for auditing and or encryption/decryption of the parameters.
|
||||||
|
- tpm2_create:
|
||||||
|
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
|
||||||
|
of the response parameters. This is commonly termed as rpHash.
|
||||||
|
- tpm2_unseal:
|
||||||
|
- Added option **-S**, **--session** to specify auxiliary sessions for
|
||||||
|
audit and encryption.
|
||||||
|
- tpm2_nvdefine:
|
||||||
|
- Added option **-S**, **--session** to specify auxiliary sessions for
|
||||||
|
audit and encryption.
|
||||||
|
- tpm2_nvextend:
|
||||||
|
- Added option **-S**, **--session** to specify auxilary sessions for
|
||||||
|
audit and encryption.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue May 4 08:55:06 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
|
Tue May 4 08:55:06 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
Name: tpm2.0-tools
|
Name: tpm2.0-tools
|
||||||
Version: 5.0
|
Version: 5.1
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Trusted Platform Module (TPM) 2.0 administration tools
|
Summary: Trusted Platform Module (TPM) 2.0 administration tools
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
@ -25,8 +25,7 @@ Group: Productivity/Security
|
|||||||
URL: https://github.com/tpm2-software/tpm2-tools/releases
|
URL: https://github.com/tpm2-software/tpm2-tools/releases
|
||||||
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz
|
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz
|
||||||
Patch0: fix_bogus_warning.patch
|
Patch0: fix_bogus_warning.patch
|
||||||
Patch1: fix_warnings.patch
|
Patch1: 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
|
||||||
Patch2: fix_pie_linking.patch
|
|
||||||
BuildRequires: autoconf-archive
|
BuildRequires: autoconf-archive
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -67,7 +66,6 @@ associated interfaces.
|
|||||||
%setup -q -n tpm2-tools-%{version}
|
%setup -q -n tpm2-tools-%{version}
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# TODO: remove autoreconf once fix_pie_linking patch is no longer needed
|
# TODO: remove autoreconf once fix_pie_linking patch is no longer needed
|
||||||
|
Loading…
Reference in New Issue
Block a user