diff --git a/_service b/_service
index 716288d..d513e4e 100644
--- a/_service
+++ b/_service
@@ -2,7 +2,7 @@
https://github.com/intel/tpm2-tools.git
git
- 4.3.0
+ 5.0
@PARENT_TAG@
disable
diff --git a/fix_bogus_warning.patch b/fix_bogus_warning.patch
index c75ab17..568d8b6 100644
--- a/fix_bogus_warning.patch
+++ b/fix_bogus_warning.patch
@@ -1,7 +1,7 @@
-Index: tpm2-tools-4.1/lib/tpm2_attr_util.c
+Index: tpm2-tools-5.0/lib/tpm2_attr_util.c
===================================================================
---- tpm2-tools-4.1.orig/lib/tpm2_attr_util.c
-+++ tpm2-tools-4.1/lib/tpm2_attr_util.c
+--- tpm2-tools-5.0.orig/lib/tpm2_attr_util.c
++++ tpm2-tools-5.0/lib/tpm2_attr_util.c
@@ -202,7 +202,7 @@ static bool lookup_nt_friendly_name(cons
static bool nt(TPMA_NV *nv, char *arg) {
diff --git a/fix_pie_linking.patch b/fix_pie_linking.patch
new file mode 100644
index 0000000..f0d1ebc
--- /dev/null
+++ b/fix_pie_linking.patch
@@ -0,0 +1,13 @@
+Index: tpm2-tools-5.0/Makefile.am
+===================================================================
+--- tpm2-tools-5.0.orig/Makefile.am
++++ tpm2-tools-5.0/Makefile.am
+@@ -45,7 +45,7 @@ lib_libcommon_a_SOURCES = $(LIB_SRC)
+ lib_libcommon_a_CFLAGS = -fPIC $(AM_CFLAGS)
+
+ tools_fapi_tss2_CFLAGS = $(FAPI_CFLAGS) -DTSS2_TOOLS_MAX="$(words $(tss2_tools))"
+-tools_fapi_tss2_LDFLAGS = $(TSS2_FAPI_LIBS)
++tools_fapi_tss2_LDFLAGS = $(EXTRA_LDFLAGS) $(TSS2_FAPI_LIBS)
+ tools_fapi_tss2_SOURCES = \
+ tools/fapi/tss2_template.c \
+ tools/fapi/tss2_template.h \
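Review bot: The new patch file has no header saying why it exists or whether it has been submitted upstream, yet the spec's `# TODO: remove autoreconf once fix_pie_linking patch is no longer needed` depends on someone being able to tell when that is. I would add a short description above the `Index:` line, for example `Pass EXTRA_LDFLAGS to the tss2 link so that -pie is applied; upstream reference: <upstream issue or commit, not shown on this page>`. The same applies to fix_warnings.patch. Because the failure mode is a binary that silently loses position independence, a post-build check that the installed tss2 is PIE would catch the case where the patch is dropped too early.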
diff --git a/fix_warnings.patch b/fix_warnings.patch
new file mode 100644
index 0000000..d491ed4
--- /dev/null
+++ b/fix_warnings.patch
@@ -0,0 +1,28 @@
+Index: tpm2-tools-5.0/tools/tpm2_getekcertificate.c
+===================================================================
+--- tpm2-tools-5.0.orig/tools/tpm2_getekcertificate.c
++++ tpm2-tools-5.0/tools/tpm2_getekcertificate.c
+@@ -190,8 +190,8 @@ static char *base64_encode(const unsigne
+ return final_string;
+ }
+
+-static size_t writecallback(void *contents, size_t size, size_t nitems,
+- char *CERT_BUFFER) {
++static size_t writecallback(char *contents, size_t size, size_t nitems,
++ void *CERT_BUFFER) {
+
+ strncpy(CERT_BUFFER, (const char *)contents, nitems * size);
+ ctx.rsa_cert_buffer_size = nitems * size;
+Index: tpm2-tools-5.0/lib/tpm2_util.c
+===================================================================
+--- tpm2-tools-5.0.orig/lib/tpm2_util.c
++++ tpm2-tools-5.0/lib/tpm2_util.c
+@@ -49,7 +49,7 @@ bool tpm2_util_concat_buffer(TPM2B_MAX_B
+ return false;
+ }
+
+- if ((result->size + append->size) > TPM2_MAX_DIGEST_BUFFER) {
++ if (((size_t)result->size + append->size) > TPM2_MAX_DIGEST_BUFFER) {
+ return false;
+ }
+
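Review bot: The `writecallback` change only swaps the parameter types. The context line `strncpy(CERT_BUFFER, (const char *)contents, nitems * size);` still bounds the copy by the length of the incoming data rather than by the size of the destination, and it leaves the result unterminated when the data has no NUL within that length. This looks like a libcurl write callback (confirm), in which case the remote side controls the length, and a response delivered in several chunks would overwrite the buffer from its start each time while `ctx.rsa_cert_buffer_size` keeps only the last chunk's length. The destination's capacity is not visible in the hunk. If it is fixed, the callback should reject oversized data before copying, e.g. `if (nitems * size > cap) return 0;` with `cap` standing in for that capacity, and then copy with `memcpy` at an explicit length. The function body continues past the hunk, so its return value and any later termination cannot be checked from here.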
diff --git a/tpm2-tools-4.3.0.tar.gz b/tpm2-tools-4.3.0.tar.gz
deleted file mode 100644
index 1e3f277..0000000
--- a/tpm2-tools-4.3.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ae009b3495b44a16faa3d94d41ac9c9d99c71723482efad53c5eea17eeed80fc
-size 881544
diff --git a/tpm2-tools-5.0.tar.gz b/tpm2-tools-5.0.tar.gz
new file mode 100644
index 0000000..cef1ed3
--- /dev/null
+++ b/tpm2-tools-5.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e1b907fe29877628052e08ad84eebc6c3f7646d29505ed4862e96162a8c91ba1
+size 990855
diff --git a/tpm2.0-tools.changes b/tpm2.0-tools.changes
index 3cc64fa..362d529 100644
--- a/tpm2.0-tools.changes
+++ b/tpm2.0-tools.changes
@@ -1,3 +1,195 @@
+-------------------------------------------------------------------
+Thu Jan 28 09:49:06 UTC 2021 - Matthias Gerstner
+
+- add fix_warnings.patch: fixes a couple of build errors resulting from LTO
+ linking and -Werror.
+- add fix_pie_linking.patch: fixes an error in the build system that causes
+ the tss2 binary to be linked without passed LDFLAGS (like -pie), which
+ causes the binary not to be position independent.
+- update to major version 5.0:
+ - Non Backwards Compatible Changes
+ * Default hash algorithm is now sha256. Prior versions claimed sha1, but were
+ inconsistent in choice. Best practice is to specify the hash algorithm to
+ avoid surprises.
+
+ * tpm2_tools and tss2_tools are now a busybox style commandlet. Ie
+ tpm2_getrandom becomes tpm2 getrandom. make install will install symlinks
+ to the old tool names and the tpm2 commandlet will interrogate argv[0] for
+ the command to run. This will provide backwards compatibility if they are
+ installed. If you wish to use the old names not installed system wide, set
+ DESTDIR during install to a separate path and set the proper directory on
+ PATH.
+
+ * tpm2_eventlog's output changed to be YAML compliant. The output before
+ was intended to be YAML compliant but was never properly checked and
+ tested.
+
+ * umask set to 0117 for all tools.
+
+ * tpm2_getekcertificate now outputs the INTC EK certificates in PEM format
+ by default. In order to output the URL safe variant of base64 encoded
+ output of the INTC EK certificate use the added option --raw.
+
+ - Dependency update
+ * Update tpm2-tss dependency version to 3.0.1
+
+ * Update tpm2-abrmd dependency version to 2.3.3
+
+ - New tools and features
+ * tpm2_zgen2phase: Add new tool to support command TPM2_CC_ZGen_2Phase.
+ * tpm2_ecdhzgen: Add new tool to support command TPM2_CC_ECDH_ZGen.
+ * tpm2_ecdhkeygen: Add new tool to support command TPM2_CC_ECDH_KeyGen.
+ * tpm2_commit: Add new tool to support command TPM2_CC_Commit.
+ * tpm2_ecephemeral: Add new tool to support command TPM2_CC_EC_Ephemeral.
+ * tpm2_geteccparameters: Add new tool to support command TPM2_CC_ECC_Parameters.
+ * tpm2_setcommandauditstatus: Added new tool to support command TPM2_CC_SetCommandCodeAuditStatus.
+ * tpm2_getcommandauditstatus: Added new tool to support command TPM2_CC_GetCommandAuditDigest.
+ * tpm2_getsessionauditdigest: Added new tool to support command TPM2_CC_GetSessionAuditDigest.
+ * tpm2_certifyX509certutil: Added new tool for creating partial x509 certificates required to support
+ the TPM2_CC_CertifyX509 command.
+ * tpm2_policysigned:
+ Added option --cphash-input to specify the command parameter hash
+ (cpHashA), enforcing the TPM command to be authorized as well as its
+ handle and parameter values.
+ * tpm2_createprimary:
+ Added option to specify the unique data from the stdin by adding
+ provision for specifying the option value for unique file as -.
+ * tpm2_startauthsession:
+ Added new feature/option --audit-session to start an HMAC session to
+ be used as an audit session.
+ * tpm2_getrandom:
+ - Added new feature/option -S, --session to specify a HMAC session
+ to be used as an audit session. This adds support for auditing the
+ command using an audit session.
+ - Added new feature/option --rphash to specify file path to record the
+ hash of the response parameters. This is commonly termed as rpHash.
+ - Added new feature/option --cphash to specify a file path to record
+ the hash of the command parameters. This is commonly termed as cpHash.
+ NOTE: In absence of --rphash option, when this option is selected,
+ The tool will not actually execute the command, it simply returns a
+ cpHash.
+ * tpm2_getcap: tpm2_getcap was missing raw on a property TPM2_PT_REVISION,
+ and it should always be specified.
+ * tpm2_sign:
+ - Add option --commit-index to specify the commit index to use when
+ performing an ECDAA signature.
+ - Add support for ECDAA signature.
+ * tpm2_getekcertificate:
+ - Add option --raw to output EK certificate in URL safe variant base64
+ encoded format. By default it outputs a PEM formatted certificate.
+ - The tool can now output INTC and non INTC EK certificates from NV
+ indices specified by the TCG EK profile specification.
+ * tpm2_activatecredential:
+ - The secret data input can now be specified as stdin with -s option.
+ - The public key used for encryption can be specified as -u to make it
+ similar to rest of the tools specifying a public key. The old -e
+ option is retained for backwards compatibility.
+ - Add option to specify the key algorithm when the input public key is in
+ PEM format using the new option -G, --key-algorithm. Can specify
+ either RSA/ECC. When this option is used, input public key is expected
+ to be in PEM format and the default TCG EK template is used for the key
+ properties.
+ * tpm2_checkqoute:
+ - Add EC support.
+ - Support loading tss signatures.
+ - Support loading tpm2 pcrread PCR values by specifying the PCR
+ selection using the new option -l, --pcr-list.
+ - Added support for automatically detecting the signature format. With
+ this -F, --format option is retained for backwards compatibility but
+ it is deprecated.
+ * tpm2_createak: add option to output qualified name with new option
+ -q, --ak-qualified-name.
+ * tpm2_policypcr: Add option for specifying cumulative hash of PCR's as an argument.
+ * tpm2_readpublic: Add option to output qualified name using the new option
+ -q, --qualified-name.
+ * tpm2_print:
+ - Support printing TPM2B_PUBLIC data structures.
+ - Support printing TPMT_PUBLIC data structures.
+ * tpm2_send: Add support for handling sending and receiving command and
+ response buffer for multiple commands.
+ * tpm2_verifysignature: Added support for verifying RSA-PSS signatures.
+ * tpm2_eventlog:
+ - Add handling of sha1 log format.
+ - Add fixes for eventlog output to be proper YAML.
+ - Add support for sha384, sha512, sm3_256 PCR hash algorithms.
+ - Add support for computing PCR values based on the events.
+ * tpm2_tools (all):
+ - Set stdin/stdout to non-buffering.
+ - Added changes for FreeBSD portability.
+
+ - Bug fixes
+
+ * Fix printing short options when no ascii character is used.
+
+ * OpenSSL: Fix deprecated OpenSSL functions. ECC Functions with suffix
+ GFp will become deprecated (DEPRECATED_1_2_0).
+
+ * tpm2_eventlog: output EV_POST_CODE as string not firmware blob to be
+ compliant with TCG PC Client FPF section 2.3.4.1 and 9.4.12.3.4.1
+
+ * Fix missing handle maps for ESY3 handle breaks. See #1994.
+
+ * tpm2_rsaencrypt: fix OAEP RSA encryption failing to invalid hash selection.
+
+ * tpm2_rsadecrypt: fix OAEP RSA decryption failing to invalid hash selection.
+
+ * tpm2_sign: fix for signing failures with restricted signing keys when
+ input data to sign is not a digest, rather the full message. The
+ validation ticket creation process defaults to the owner hierarchy and
+ so in order to choose other hierarchies the tpm2_hash tool should be
+ used instead.
+
+ * tpm2_print: fix segfault when -t option is omitted by appropriately
+ warning of the required option.
+
+ * tpm2_nvdefine: fix for default size when size is not specified by
+ invoking TPM2_CC_GetCapability.
+
+ * Fix for an issue where the return code for unsupported algorithms was
+ tool_rc_general instead of tool_rc_unsupported in tpm2_create and
+ tpm2_createprimary tools.
+
+ * Fix for an issue where RSA_PSS signature verification caused failures.
+
+ * tpm2_nvreadpublic, tpm2_kdfa, tpm2_checkquote, tpm2_quote:
+ Fixes for issues with interoperability of the attestation tools between
+ big and little endian platforms.
+
+ * tss2_*:
+ - Fix bash-completion for tss2_pcrextend and tss2_verifysignature
+ - Add force option to tss2_list
+ - Make force option consistent in all fapi tools
+ - Do not decode non-TPM errors
+ - Enhance integration tests to test changes of optional/mandatory parameters
+ - Add --hex parameter to tss2_getrandom
+ - Fix autocompletion issue
+ - Switch tss2_* to with-"="-style
+ - Add size parameter to tss2_createseal
+ - References to the cryptographic profile (fapi-profile(5)) and config file
+ - (fapi-config(5)) man pages from all relevant tss2_* man pages.
+ - Fix policy branch selection menu item from 1 to 0.
+ - Documentation
+ * wiki pages have been removed and data has been migrated to
+ tpm2-software.github.io portal's tutorial section.
+
+ * Fix the problem with man and no-man help output for tools were not
+ correctly displayed.
+
+ * man:
+
+ - tpm2_create: Correct max seal data size from 256 bytes to 128 bytes.
+
+ - tpm2_nvread: Fix manpage example.
+
+ - tpm2_nvwrite: Added missing information on how to specify the NV index as
+ an argument.
+
+ - tpm2_unseal: Add end-to-end example.
+
+ - tpm2_nvincrement: Fix incorrect commands in example section.
+
+ - tpm2_hmac: Fix the example section.
+
-------------------------------------------------------------------
Thu Oct 22 11:58:16 UTC 2020 - Matthias Gerstner
diff --git a/tpm2.0-tools.spec b/tpm2.0-tools.spec
index e7d1361..f34d7d6 100644
--- a/tpm2.0-tools.spec
+++ b/tpm2.0-tools.spec
@@ -1,7 +1,7 @@
#
# spec file for package tpm2.0-tools
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: tpm2.0-tools
-Version: 4.3.0
+Version: 5.0
Release: 0
Summary: Trusted Platform Module (TPM) 2.0 administration tools
License: BSD-3-Clause
@@ -25,6 +25,8 @@ Group: Productivity/Security
URL: https://github.com/tpm2-software/tpm2-tools/releases
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz
Patch0: fix_bogus_warning.patch
+Patch1: fix_warnings.patch
+Patch2: fix_pie_linking.patch
BuildRequires: autoconf-archive
BuildRequires: automake
BuildRequires: gcc-c++
@@ -64,8 +66,12 @@ associated interfaces.
%prep
%setup -q -n tpm2-tools-%{version}
%patch0 -p1
+%patch1 -p1
+%patch2 -p1
%build
+# TODO: remove autoreconf once fix_pie_linking patch is no longer needed
+autoreconf -fvi
%configure --disable-static
make %{?_smp_mflags}
@@ -79,10 +85,10 @@ find %{buildroot} -type f -name "*.la" -delete -print
%files
%defattr(-,root,root)
%doc README.md doc/LICENSE doc/CHANGELOG.md
-/usr/bin/tpm2_*
-/usr/bin/tss2_*
-%{_mandir}/man1/tpm2_*
-%{_mandir}/man1/tss2_*
+/usr/bin/tpm2*
+/usr/bin/tss2*
+%{_mandir}/man1/tpm2*
+%{_mandir}/man1/tss2*
%dir %{_datadir}/bash-completion
%dir %{_datadir}/bash-completion/completions
%{_datadir}/bash-completion/completions/*
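Review bot: The widened globs `/usr/bin/tpm2*` and `/usr/bin/tss2*` match any installed file whose name merely starts with those prefixes, so the `%files` list no longer fails the build when an unexpected binary appears under that prefix. The change is presumably needed only to pick up the new `tpm2` and `tss2` multi-call binaries, so I would name them explicitly and keep the old patterns: `%{_bindir}/tpm2`, `%{_bindir}/tpm2_*`, and likewise for `tss2`. The `%{_mandir}/man1` entries can be handled the same way if pages for the bare commands are installed. Using `%{_bindir}` instead of the hard-coded `/usr/bin` would also match the macros on the neighbouring lines.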