commit d8fab4f02c842e19b5a0cfa4321ce325a13902c5
Author: MSVSphere Packaging Team
Date: Tue Nov 26 19:23:52 2024 +0300
import swtpm-0.9.0-2.el10
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3f00fd1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/swtpm-0.9.0.tar.gz
diff --git a/.swtpm.metadata b/.swtpm.metadata
new file mode 100644
index 0000000..80d7cf1
--- /dev/null
+++ b/.swtpm.metadata
@@ -0,0 +1 @@
+5488a09e1a93da4d6535fc5654894259c7a794d5 SOURCES/swtpm-0.9.0.tar.gz
diff --git a/SOURCES/openssl-swtpm.cnf b/SOURCES/openssl-swtpm.cnf
new file mode 100644
index 0000000..6195ecb
--- /dev/null
+++ b/SOURCES/openssl-swtpm.cnf
@@ -0,0 +1,4 @@
+.include /etc/ssl/openssl.cnf
+
+[evp_properties]
+rh-allow-sha1-signatures = yes
diff --git a/SOURCES/selinux.patch b/SOURCES/selinux.patch
new file mode 100644
index 0000000..7fc0d4b
--- /dev/null
+++ b/SOURCES/selinux.patch
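Review bot: The `rh-allow-sha1-signatures = yes` override under `[evp_properties]` has no comment saying that it deliberately relaxes the system crypto policy for any process that loads this file, so nothing in the file itself justifies it or keeps it scoped. Add a header comment such as `# Loaded by swtpm through OPENSSL_CONF; re-enables SHA-1 signatures because swtpm advertises SHA-1 unconditionally (see swtpm-custom-openssl.patch and swtpm.spec)`. The `.include /etc/ssl/openssl.cnf` line is what keeps the system-wide settings in force before the override; if that path is absent on a target, whether the base configuration is silently skipped is decided by OpenSSL's handling of a missing include, which is worth confirming rather than assuming.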
@@ -0,0 +1,34 @@
+From 1eab90cc323509eda1b43ef81fccb4bcf28056f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Sat, 13 Jul 2024 13:37:29 +0400
+Subject: [PATCH] selinux
+
+---
+ src/selinux/swtpm_svirt.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
+index f7b886c..424efa7 100644
+--- a/src/selinux/swtpm_svirt.te
++++ b/src/selinux/swtpm_svirt.te
+@@ -13,6 +13,7 @@ require {
+ type user_tmp_t;
+ type virtd_t;
+ type virtqemud_t;
++ type virt_var_run_t;
+ }
+
+ swtpm_domtrans(svirt_t)
+@@ -27,6 +28,9 @@ allow svirt_t user_tmp_t:sock_file { create setattr unlink };
+ allow svirt_t virtd_t:dir search;
+ allow svirt_t virtd_t:fifo_file write;
+ allow svirt_t virtqemud_t:fifo_file write;
++allow svirt_t virt_var_run_t:dir { write add_name remove_name };
++allow svirt_t virt_var_run_t:file { create write setattr unlink };
++allow svirt_t virt_var_run_t:sock_file { create write setattr unlink };
+
+ # For virt-install (see https://bugzilla.redhat.com/show_bug.cgi?id=2283878 )
+ allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink };
+--
+2.41.0.28.gd7d8841f67
+
diff --git a/SOURCES/swtpm-custom-openssl.patch b/SOURCES/swtpm-custom-openssl.patch
new file mode 100644
index 0000000..6bd1b40
--- /dev/null
+++ b/SOURCES/swtpm-custom-openssl.patch
@@ -0,0 +1,12 @@
+Binary files swtpm-0.9.0/.git/index and swtpm-0.9.0.new/.git/index differ
+diff -rup swtpm-0.9.0/src/swtpm/main.c swtpm-0.9.0.new/src/swtpm/main.c
+--- swtpm-0.9.0/src/swtpm/main.c 2024-07-08 09:34:00.488080859 +0100
++++ swtpm-0.9.0.new/src/swtpm/main.c 2024-07-08 09:33:40.057884795 +0100
+@@ -70,6 +70,7 @@ int main(int argc, char **argv)
+ fprintf(stderr, "Missing TPM interface type.\n");
+ return 1;
+ }
++ setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1);
+ if (!strcmp(argv[1], "socket")) {
+ return swtpm_main(argc-1, &argv[1], argv[0], "socket");
+ #ifdef WITH_CHARDEV
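Review bot: The three new `allow svirt_t virt_var_run_t:...` rules are the only rules in this file without a rationale comment, while the neighbouring virt-install rule cites its bug; they let every confined VM domain create, write and unlink any file or socket under virt_var_run_t, not only what swtpm needs. Add a comment above them that quotes the tracker from the spec changelog, e.g. `# swtpm access to the libvirt run dir (RHEL-47273)`, so the width of the grant stays reviewable. If the policy already defines a swtpm-specific file type, a file transition to that type would narrow the grant to swtpm's own objects; that cannot be seen from this patch and would need checking against the rest of the module.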
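Review bot: `setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1)` passes overwrite=1, so an OPENSSL_CONF already exported by the operator or the launching service is silently discarded and the relaxed SHA-1 configuration wins in every interface mode; passing `0` would keep the packaged file as the default while honouring an explicit environment, and the unchecked return value should at least be noted. The path is compiled in, yet the spec in this same commit ships that file in the swtpm-selinux subpackage which the main package requires only conditionally, so at runtime the file may not exist. A comment on the line would make the intent visible where it matters: `/* Relax the crypto policy for SHA-1: swtpm advertises SHA-1 unconditionally, see SOURCES/openssl-swtpm.cnf. */`. main() starts and ends outside this hunk.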
diff --git a/SPECS/swtpm.spec b/SPECS/swtpm.spec
new file mode 100644
index 0000000..053e6df
--- /dev/null
+++ b/SPECS/swtpm.spec
@@ -0,0 +1,387 @@
+%bcond_without gnutls
+
+# Macros needed by SELinux
+%global selinuxtype targeted
+%global moduletype contrib
+%global modulename swtpm
+
+Summary: TPM Emulator
+Name: swtpm
+Version: 0.9.0
+Release: 2%{?dist}
+License: BSD-3-Clause
+Url: https://github.com/stefanberger/swtpm
+Source0: https://github.com/stefanberger/swtpm/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1: openssl-swtpm.cnf
+# Prevent crypto policies disabling SHA-1.
+# swtpm algorithm list is unconditional. Since it advertizes
+# SHA-1, we MUST always provide a working SHA-1 impl
+Patch0002: swtpm-custom-openssl.patch
+Patch0003: selinux.patch
+
+BuildRequires: make
+BuildRequires: git-core
+BuildRequires: automake
+BuildRequires: autoconf
+BuildRequires: libtool
+BuildRequires: libtpms-devel >= 0.6.0
+BuildRequires: expect
+BuildRequires: net-tools
+BuildRequires: openssl-devel
+BuildRequires: socat
+BuildRequires: tpm2-tss
+BuildRequires: softhsm
+BuildRequires: json-glib-devel
+%if %{with gnutls}
+BuildRequires: gnutls >= 3.4.0
+BuildRequires: gnutls-devel
+BuildRequires: gnutls-utils
+BuildRequires: libtasn1-devel
+BuildRequires: libtasn1
+%endif
+BuildRequires: selinux-policy-devel
+BuildRequires: gcc
+BuildRequires: libseccomp-devel
+BuildRequires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
+BuildRequires: python3-devel
+
+Requires: %{name}-libs = %{version}-%{release}
+Requires: libtpms >= 0.6.0
+Requires: (%{name}-selinux if selinux-policy-targeted)
+
+%description
+TPM emulator built on libtpms providing TPM functionality for QEMU VMs
+
+%package libs
+Summary: Private libraries for swtpm TPM emulators
+License: BSD-3-Clause
+
+%description libs
+A private library with callback functions for libtpms based swtpm TPM emulator
+
+%package devel
+Summary: Include files for the TPM emulator's CUSE interface for usage by clients
+License: BSD-3-Clause
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description devel
+Include files for the TPM emulator's CUSE interface.
+
+%package tools
+Summary: Tools for the TPM emulator
+License: BSD-3-Clause
+Requires: swtpm = %{version}-%{release}
+# tpm2-tss for tss account
+Requires: tpm2-tss bash gnutls-utils
+
+%description tools
+Tools for the TPM emulator from the swtpm package
+
+%package tools-pkcs11
+Summary: Tools for creating a local CA based on a TPM pkcs11 device
+License: BSD-3-Clause
+Requires: swtpm-tools = %{version}-%{release}
+Requires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd
+Requires: expect gnutls-utils
+
+%description tools-pkcs11
+Tools for creating a local CA based on a pkcs11 device
+
+%package selinux
+Summary: SELinux security policy for swtpm
+Requires(post): swtpm = %{version}-%{release}
+BuildArch: noarch
+%if ! 0%{?flatpak}
+%{?selinux_requires}
+%endif
+
+%description selinux
+SELinux security policy for swtpm.
+
+%prep
+%autosetup -S git -n %{name}-%{version} -p1
+
+%build
+
+NOCONFIGURE=1 ./autogen.sh
+%configure \
+%if %{with gnutls}
+ --with-gnutls \
+%endif
+ --without-cuse
+
+%make_build
+
+%check
+make %{?_smp_mflags} check VERBOSE=1
+
+%install
+
+%make_install
+rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so}
+
+%__install -d %{buildroot}%{_sysconfdir}/ssl
+cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/ssl/
+
+%post selinux
+for pp in /usr/share/selinux/packages/swtpm.pp \
+ /usr/share/selinux/packages/swtpm_svirt.pp \
+ /usr/share/selinux/packages/swtpm_libvirt.pp; do
+ %selinux_modules_install -s %{selinuxtype} ${pp}
+done
+restorecon %{_bindir}/swtpm
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ for p in swtpm_libvirt swtpm swtpm_svirt; do
+ %selinux_modules_uninstall -s %{selinuxtype} $p
+ done
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%ldconfig_post libs
+%ldconfig_postun libs
+
+%files
+%license LICENSE
+%doc README
+%{_bindir}/swtpm
+%{_mandir}/man8/swtpm.8*
+
+%files selinux
+%{_datadir}/selinux/packages/swtpm.pp
+%{_datadir}/selinux/packages/swtpm_libvirt.pp
+%{_datadir}/selinux/packages/swtpm_svirt.pp
+%{_sysconfdir}/ssl/openssl-swtpm.cnf
+
+%files libs
+%license LICENSE
+%doc README
+
+%dir %{_libdir}/%{name}
+%{_libdir}/%{name}/libswtpm_libtpms.so.0
+%{_libdir}/%{name}/libswtpm_libtpms.so.0.0.0
+
+%files devel
+%dir %{_includedir}/%{name}
+%{_includedir}/%{name}/*.h
+%{_mandir}/man3/swtpm_ioctls.3*
+
+%files tools
+%doc README
+%{_bindir}/swtpm_bios
+%if %{with gnutls}
+%{_bindir}/swtpm_cert
+%endif
+%{_bindir}/swtpm_setup
+%{_bindir}/swtpm_ioctl
+%{_bindir}/swtpm_localca
+%{_mandir}/man5/swtpm-localca.conf.5*
+%{_mandir}/man5/swtpm-localca.options.5*
+%{_mandir}/man5/swtpm_setup.conf.5*
+%{_mandir}/man8/swtpm_bios.8*
+%{_mandir}/man8/swtpm_cert.8*
+%{_mandir}/man8/swtpm_ioctl.8*
+%{_mandir}/man8/swtpm-localca.8*
+%{_mandir}/man8/swtpm_localca.8*
+%{_mandir}/man8/swtpm_setup.8*
+%exclude %{_mandir}/man8/swtpm_cuse.8.gz
+%config(noreplace) %{_sysconfdir}/swtpm_setup.conf
+%config(noreplace) %{_sysconfdir}/swtpm-localca.options
+%config(noreplace) %{_sysconfdir}/swtpm-localca.conf
+%dir %{_datadir}/swtpm
+%{_datadir}/swtpm/swtpm-localca
+%{_datadir}/swtpm/swtpm-create-user-config-files
+%attr( 750, tss, root) %{_localstatedir}/lib/swtpm-localca
+
+%files tools-pkcs11
+%{_mandir}/man8/swtpm-create-tpmca.8*
+%{_datadir}/swtpm/swtpm-create-tpmca
+
+%changelog
+* Wed Jul 17 2024 Marc-André Lureau - 0.9.0-2
+- Add extra SELinux policies.
+ Resolves: RHEL-47273
+
+* Tue Jul 09 2024 Marc-André Lureau - 0.9.0-1
+- Update to v0.9.0 release
+ Resolves: RHEL-42590
+- Fix SHA-1 algorithm availability
+ Resolves: RHEL-46754
+
+* Mon Jun 24 2024 Troy Dawson - 0.8.1-6
+- Bump release for June 2024 mass rebuild
+
+* Sun Jan 28 2024 Peter Robinson - 0.8.1-5
+- Use tpm2-tss to provide tss account
+
+* Sat Jan 27 2024 Fedora Release Engineering - 0.8.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Aug 16 2023 Stefan Berger - 0.8.1-3
+- Build for i686 again since dependency issue resolved
+
+* Tue Aug 15 2023 Stefan Berger - 0.8.1-2
+- Don't build tools-pkcs11 for i686 since python-tpm2-pytss is not built for it
+- Set license to BSD-3-Clause for all packages
+
+* Tue Aug 15 2023 Stefan Berger - 0.8.1-1
+- Update to v0.8.1 release
+
+* Sat Jul 22 2023 Adam Williamson - 0.8.0-7
+- Make swtpm-selinux Requires(post) swtpm (#2223276)
+
+* Thu Jul 20 2023 Stefan Berger - 0.8.0-6
+- Added a 'Requires' on swtpm for swtpm-selinux package
+
+* Wed Jul 19 2023 Stefan Berger - 0.8.0-4
+- Split off SELinux policy into swtpm-selinux
+
+* Mon May 15 2023 Yaakov Selkowitz - 0.8.0-4
+- Remove trousers dependency from RHEL builds
+
+* Sat Jan 21 2023 Fedora Release Engineering - 0.8.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Nov 10 2022 Stefan Berger - 0.8.0-2
+- Adding patch needed on Rawhide build servers only
+
+* Thu Nov 10 2022 Stefan Berger - 0.8.0-1
+- Update to v0.8.0 release
+
+* Sat Jul 23 2022 Fedora Release Engineering - 0.7.3-2.20220427gitf2268ee
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Apr 27 2022 Stefan Berger - 0.7.3-1.20220427gitf2268ee
+- Update to v0.7.3 release
+
+* Mon Mar 07 2022 Stefan Berger - 0.7.2-1.20220307git21c90c1
+- Update to v0.7.2 release
+
+* Fri Feb 18 2022 Stefan Berger - 0.7.1-1.20220218git92a7035
+- Update to v0.7.1 release
+
+* Sat Jan 22 2022 Fedora Release Engineering - 0.7.0-2.20211109gitb79fd91
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Nov 09 2021 Stefan Berger - 0.7.0-1.20211109gitb79fd91
+- Update to v0.7.0 release
+
+* Tue Sep 21 2021 Stefan Berger - 0.6.1-1.20210921git98187d2
+- Update to v0.6.1 release
+
+* Thu Sep 16 2021 Stefan Berger - 0.6.1-0.20210916gita0ca7c3
+- Build upcoming v0.6.1 that has patch to build with OpenSSL 3.0.0
+
+* Thu Sep 16 2021 Stefan Berger - 0.6.0-5.20210607gitea627b3
+- Applied patch with -Wno-deprecated-declarations for build with OpenSSL 3.0.0
+
+* Tue Sep 14 2021 Sahana Prasad - 0.6.0-4.20210607gitea627b3
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering - 0.6.0-3.20210607gitea627b3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jul 13 2021 Davide Cavalca - 0.6.0-2.20210706gitea627b
+- Add an explicit BuildRequires for python3-devel
+
+* Mon Jun 07 2021 Stefan Berger - 0.6.0-1.20210706gitea627b
+- Update to v0.6.0 release
+
+* Fri Jun 04 2021 Python Maint - 0.5.2-4.20201226gite59c0c1
+- Rebuilt for Python 3.10
+
+* Wed Apr 07 2021 Marc-André Lureau - 0.5.2-3.20201226gite59c0c1
+- Remove unnecessary python3-twisted dependency
+
+* Wed Jan 27 2021 Fedora Release Engineering - 0.5.2-2.20201226gite59c0c1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Dec 26 2020 Stefan Berger - 0.5.2-1.20201226gite59c0c1a
+- Bugfixes for stable release
+
+* Mon Dec 07 2020 Jeff Law - 0.5.1-3.20201117git96f5a04c
+- Avoid diagnostic from gcc-11
+
+* Fri Nov 13 2020 Stefan Berger - 0.5.1-2.20201117git96f5a04c
+- Another build of v0.5.1 after more fixes
+
+* Fri Nov 13 2020 Stefan Berger - 0.5.1-1.20201007git390f5bd4
+- Update to v0.5.1 addressing potential symlink attack issue (CVE-2020-28407)
+
+* Wed Oct 7 2020 Stefan Berger - 0.5.0-1.20201007gitb931e109
+- Update to v0.5.0 release
+
+* Fri Aug 28 2020 Stefan Berger - 0.4.0-1.20200828git0c238a2
+- Update to v0.4.0 release
+
+* Thu Aug 27 2020 Stefan Berger - 0.3.4-2.20200711git80f0418
+- Disable pkcs11 related test case running into GnuTLS locking bug
+
+* Tue Aug 11 2020 Stefan Berger - 0.3.4-1.20200711git80f0418
+- Update to v0.3.4 release
+
+* Sat Aug 01 2020 Fedora Release Engineering - 0.3.0-3.20200218git74ae43b
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 0.3.0-2.20200218git74ae43b
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Feb 24 2020 Marc-André Lureau - 0.3.0-1.20200218git74ae43b
+- Update to v0.3.0 release
+
+* Fri Jan 31 2020 Fedora Release Engineering - 0.2.0-7.20191115git8dae4b3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Nov 15 2019 Stefan Berger - 0.2.0-6.20191018git8dae4b3
+- follow stable-0.2.0 branch with fix of GnuTLS API call to get subject key ID
+
+* Fri Oct 18 2019 Stefan Berger - 0.2.0-5.20191018git9227cf4
+- follow stable-0.2.0 branch with swtpm_cert OID bugfix for TPM 2
+
+* Tue Aug 13 2019 Stefan Berger - 0.2.0-4.20190801git13536aa
+- run 'restorecon' on swtpm in post to get SELinux label on first install
+
+* Thu Aug 01 2019 Stefan Berger - 0.2.0-3.20190801git13536aa
+- follow stable-0.2.0 branch with some bug fixes
+
+* Sat Jul 27 2019 Fedora Release Engineering - 0.2.0-2.20190723gitf0b4137
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 23 2019 Stefan Berger - 0.2.0-1.20190723gitf0b4137
+- follow stable-0.2.0 branch with some bug fixes
+
+* Tue Jul 16 2019 Stefan Berger - 0.2.0-0.20190716git374b669
+- (tentative) v0.2.0 release of swtpm
+
+* Thu Apr 25 2019 Stefan Berger - 0.1.0-0.20190425gitca85606
+- pick up bug fixes
+
+* Mon Feb 04 2019 Stefan Berger - 0.1.0-0.20190204git2c25d13.1
+- v0.1.0 release of swtpm
+
+* Sun Feb 03 2019 Fedora Release Engineering - 0.1.0-0.20181212git8b9484a.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Dec 12 2018 Stefan Berger - 0.1.0-0.20181212git8b9484a
+- Follow improvements in swtpm repo primarily related to fixes for 'ubsan'
+
+* Tue Nov 06 2018 Stefan Berger - 0.1.0-0.20181106git05d8160
+- Follow improvements in swtpm repo
+- Remove ownership change of swtpm_setup.sh; have root own the file as required
+
+* Wed Oct 31 2018 Stefan Berger - 0.1.0-0.20181031gitc782a85
+- Follow improvements and fixes in swtpm
+
+* Tue Oct 02 2018 Stefan Berger - 0.1.0-0.20181002git0143c41
+- Fixes to SELinux policy
+- Improvements on various other parts
+* Tue Sep 25 2018 Stefan Berger - 0.1.0-0.20180924gitce13edf
+- Initial Fedora build
+* Mon Sep 17 2018 Stefan Berger - 0.1.0-0.20180918git67d7ea3
+- Created initial version of rpm spec files
+- Version is now 0.1.0
+- Bugzilla for this spec: https://bugzilla.redhat.com/show_bug.cgi?id=1611829
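Review bot: `%{_sysconfdir}/ssl/openssl-swtpm.cnf` is listed under `%files selinux`, but that path is hard-wired into the swtpm binary by swtpm-custom-openssl.patch and the main package pulls swtpm-selinux in only through `Requires: (%{name}-selinux if selinux-policy-targeted)`, so on a host without that policy package swtpm points OPENSSL_CONF at a file that was never installed, and what OpenSSL then loads is left to its missing-file handling. Move the entry to the main `%files` section next to `%{_bindir}/swtpm` and, since it lives under /etc, mark it `%config(noreplace) %{_sysconfdir}/ssl/openssl-swtpm.cnf`. The install line `cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/ssl/` also carries a doubled slash; `%{buildroot}%{_sysconfdir}/ssl/` matches the `%__install -d` line above it.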