SHA256
1
0
forked from pool/tpm2.0-tools

- add 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch: no longer use a

fixed AES key in the context of the tpm2_import command. Fixes CVE-2021-3565
  (bsc#1186490).
- drop fix_pie_linking.patch: now contained in upstream tarball
- drop fix_warnings.patch: now contained in upstream tarball
- update to upstream version 5.1:
  - Minimum tpm2-tss version dependency bumped to 3.1.0
  - Minimum tpm2-abrmd version dependency bumped to 2.4.0
  - tss2:
    - Support in tools for PolicyRef inclusion in policy search per latest TSS.
    - Support to use TPM objects protected by a policy with PolicySigned.
    - Enable backward compatibility to old Fapi callback API.
    - Fix PCR selection for tss2 quote.
    - Support policy signed policies by implementing Fapi_SetSignCB.
  - Command/ response parameter support for auditing and pHash policies:
    - lib/tpm2_util.c: Add method to determine hashing alg for cp/rphash
    - Add support to calculate rphash for tpm2_create, tpm2_activatecredential,
      tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps,
      tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal
    - Add support to calculate cphash for tpm2_changeeps, tpm2_changepps.
  - Session-support:
    - tpm2_sessionconfig: Add tool to display and configure session attributes.
    - tpm2_getrandom: Fix— session input was hardcoded for audit-only
    - tpm2_startauthsession: Add option to specify the bind object  and its
      authorization value.
    - tpm2_startauthsession: support for bounded-only session.
    - tpm2_startauthsession: support for salted-only session.
    - tpm2_startauthsession: add option to specify an hmac session type.
    - Add support for specifying non-authorization sessions for audit and
      parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend,

OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=70
This commit is contained in:
Matthias Gerstner 2021-05-28 10:32:05 +00:00 committed by Git OBS Bridge
parent d836ba0360
commit b000df49d3
7 changed files with 178 additions and 48 deletions

View File

@ -0,0 +1,46 @@
From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 21 May 2021 12:22:31 -0500
Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
tpm2_import used a fixed AES key for the inner wrapper, which means that
a MITM attack would be able to unwrap the imported key. Even the
use of an encrypted session will not prevent this. The TPM only
encrypts the first parameter which is the fixed symmetric key.
To fix this, ensure the key size is 16 bytes or bigger and use
OpenSSL to generate a secure random AES key.
Fixes: #2738
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
tools/tpm2_import.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
index cfb6f207..f44326c8 100644
--- a/tools/tpm2_import.c
+++ b/tools/tpm2_import.c
@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
TPM2B_DATA enc_sensitive_key = {
.size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
};
- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
+
+ if(enc_sensitive_key.size < 16) {
+ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
+ return tool_rc_general_error;
+ }
+
+ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
+ if (ossl_rc != 1) {
+ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
+ return tool_rc_general_error;
+ }
/*
* Calculate the object name.
--
2.26.3

View File

@ -1,13 +0,0 @@
Index: tpm2-tools-5.0/Makefile.am
===================================================================
--- tpm2-tools-5.0.orig/Makefile.am
+++ tpm2-tools-5.0/Makefile.am
@@ -45,7 +45,7 @@ lib_libcommon_a_SOURCES = $(LIB_SRC)
lib_libcommon_a_CFLAGS = -fPIC $(AM_CFLAGS)
tools_fapi_tss2_CFLAGS = $(FAPI_CFLAGS) -DTSS2_TOOLS_MAX="$(words $(tss2_tools))"
-tools_fapi_tss2_LDFLAGS = $(TSS2_FAPI_LIBS)
+tools_fapi_tss2_LDFLAGS = $(EXTRA_LDFLAGS) $(TSS2_FAPI_LIBS)
tools_fapi_tss2_SOURCES = \
tools/fapi/tss2_template.c \
tools/fapi/tss2_template.h \

View File

@ -1,28 +0,0 @@
Index: tpm2-tools-5.0/tools/tpm2_getekcertificate.c
===================================================================
--- tpm2-tools-5.0.orig/tools/tpm2_getekcertificate.c
+++ tpm2-tools-5.0/tools/tpm2_getekcertificate.c
@@ -190,8 +190,8 @@ static char *base64_encode(const unsigne
return final_string;
}
-static size_t writecallback(void *contents, size_t size, size_t nitems,
- char *CERT_BUFFER) {
+static size_t writecallback(char *contents, size_t size, size_t nitems,
+ void *CERT_BUFFER) {
strncpy(CERT_BUFFER, (const char *)contents, nitems * size);
ctx.rsa_cert_buffer_size = nitems * size;
Index: tpm2-tools-5.0/lib/tpm2_util.c
===================================================================
--- tpm2-tools-5.0.orig/lib/tpm2_util.c
+++ tpm2-tools-5.0/lib/tpm2_util.c
@@ -49,7 +49,7 @@ bool tpm2_util_concat_buffer(TPM2B_MAX_B
return false;
}
- if ((result->size + append->size) > TPM2_MAX_DIGEST_BUFFER) {
+ if (((size_t)result->size + append->size) > TPM2_MAX_DIGEST_BUFFER) {
return false;
}

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e1b907fe29877628052e08ad84eebc6c3f7646d29505ed4862e96162a8c91ba1
size 990855

3
tpm2-tools-5.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e2d37b4376f968d6ce480e71b9b26a56a1960c844f4816335570c141c03642cd
size 1042653

View File

@ -1,3 +1,130 @@
-------------------------------------------------------------------
Fri May 28 10:24:21 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
- add 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch: no longer use a
fixed AES key in the context of the tpm2_import command. Fixes CVE-2021-3565
(bsc#1186490).
- drop fix_pie_linking.patch: now contained in upstream tarball
- drop fix_warnings.patch: now contained in upstream tarball
- update to upstream version 5.1:
- Minimum tpm2-tss version dependency bumped to 3.1.0
- Minimum tpm2-abrmd version dependency bumped to 2.4.0
- tss2:
- Support in tools for PolicyRef inclusion in policy search per latest TSS.
- Support to use TPM objects protected by a policy with PolicySigned.
- Enable backward compatibility to old Fapi callback API.
- Fix PCR selection for tss2 quote.
- Support policy signed policies by implementing Fapi_SetSignCB.
- Command/ response parameter support for auditing and pHash policies:
- lib/tpm2_util.c: Add method to determine hashing alg for cp/rphash
- Add support to calculate rphash for tpm2_create, tpm2_activatecredential,
tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps,
tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal
- Add support to calculate cphash for tpm2_changeeps, tpm2_changepps.
- Session-support:
- tpm2_sessionconfig: Add tool to display and configure session attributes.
- tpm2_getrandom: Fix— session input was hardcoded for audit-only
- tpm2_startauthsession: Add option to specify the bind object and its
authorization value.
- tpm2_startauthsession: support for bounded-only session.
- tpm2_startauthsession: support for salted-only session.
- tpm2_startauthsession: add option to specify an hmac session type.
- Add support for specifying non-authorization sessions for audit and
parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend,
tpm2_nvdefine, tpm2_unseal, tpm2_activatecredential, tpm2_certify,
tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps.
- tpm2_eventlog:
- Support for event type: EV_IPL extensively used by the Shim and Grub.
- Support for event type: EV_EFI_GPT_EVENT to parse.
UEFI_PARTITION_TABLE_HEADER and UEFI_PARTITION_ENTRY.
- Support for event type: EFI_SIGNATURE_LIST, which contains one or more
EFI_SIGNATURE_DATA.
- Support for event type EV_EFI_VARIABLE_AUTHORITY.
- Parse UEFI_PLATFORM_FIRMWARE_BLOB structure that the CRTM MUST put into
the Event Log entry TCG_PCR_EVENT2.event field for event types
EV_POST_CODE, EV_S_CRTM_CONTENTS, and EV_EFI_PLATFORM_FIRMWARE_BLOB.
- Parse secureboot variable to indicate enable as 'Yes'.
- Parse BootOrder variable to a more readable format.
- Parse Boot variables per EFI_LOAD_OPTION described in more details in
UEFI Spec Section 3.1.3
- Parse Device-path in a readable format using the efivar library.
- Support for logs longer than 64 kilobytes.
- Perform verification for event types where digest can be verified from
their event payload.
- Better support for multiline strings.
- Fix handling of event log EV_POST_CODE data where field is empty and len
is specified.
- scripts/utils: Add a utility to read the cert chain of embedded CA.
- tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP
404.
- tpm2_nvdefine: allow setting hash algorithm by command line parameter for NV
indices set in extend mode.
- tpm2_duplicate, tpm2_import: support duplicating non-TPM keys to a remote
TPM without first requiring them to be loaded to a local TPM.
- tpm2_dictionarylockout: Fix issue where setting value for one parameter
caused to reset the others.
- tpm2_getpolicydigest: Add new tool to enable TPM2_CC_PolicyGetDigest.
- Fix segfault where optind > argc.
- tools/tpm2_checkquote: fix missing initializer
- tpm2_convert: fix EVP_EncodeUpdate usage for OSSL < 1.1.0
- openssl: fix EVP_ENCODE_CTX_(new|free)
- test: Add support for swTPM simulator to the testing framework and make it
the default if mssim isn't available.
- tpm2_unseal:
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
- tpm2_nvextend:
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
- tpm2_nvdefine:
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
- tpm2_changepps:
- Added option **\--cphash**=_FILE_ to specify ile path to record the hash
of the command parameters. This is commonly termed as cpHash.
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
- Added option **-S**, **\--session** to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
- tpm2_changeeps:
- Added option **\--cphash**=_FILE_ to specify ile path to record the hash
of the command parameters. This is commonly termed as cpHash.
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
- Added option **-S**, **\--session** to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
- tpm2_changeauth:
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
- Added option **-S**, **\--session** to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
- tpm2_certifycreation:
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
- Added option **-S**, **\--session** to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
- tpm2_certify:
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
- Added option **-S**, **\--session** to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
- tpm2_activatecredential:
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
- Added option **-S**, **\--session** to specify to specify an auxiliary
session for auditing and or encryption/decryption of the parameters.
- tpm2_create:
- Added option **\--rphash**=_FILE_ to specify ile path to record the hash
of the response parameters. This is commonly termed as rpHash.
- tpm2_unseal:
- Added option **-S**, **--session** to specify auxiliary sessions for
audit and encryption.
- tpm2_nvdefine:
- Added option **-S**, **--session** to specify auxiliary sessions for
audit and encryption.
- tpm2_nvextend:
- Added option **-S**, **--session** to specify auxilary sessions for
audit and encryption.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue May 4 08:55:06 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com> Tue May 4 08:55:06 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>

View File

@ -17,7 +17,7 @@
Name: tpm2.0-tools Name: tpm2.0-tools
Version: 5.0 Version: 5.1
Release: 0 Release: 0
Summary: Trusted Platform Module (TPM) 2.0 administration tools Summary: Trusted Platform Module (TPM) 2.0 administration tools
License: BSD-3-Clause License: BSD-3-Clause
@ -25,8 +25,7 @@ Group: Productivity/Security
URL: https://github.com/tpm2-software/tpm2-tools/releases URL: https://github.com/tpm2-software/tpm2-tools/releases
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz
Patch0: fix_bogus_warning.patch Patch0: fix_bogus_warning.patch
Patch1: fix_warnings.patch Patch1: 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
Patch2: fix_pie_linking.patch
BuildRequires: autoconf-archive BuildRequires: autoconf-archive
BuildRequires: automake BuildRequires: automake
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -67,7 +66,6 @@ associated interfaces.
%setup -q -n tpm2-tools-%{version} %setup -q -n tpm2-tools-%{version}
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1
%build %build
# TODO: remove autoreconf once fix_pie_linking patch is no longer needed # TODO: remove autoreconf once fix_pie_linking patch is no longer needed