diff --git a/.gitignore b/.gitignore
index fc61607..59eae9a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/tboot-1.10.5.tar.gz
+SOURCES/tboot-1.11.3.tar.gz
diff --git a/.tboot.metadata b/.tboot.metadata
index 7a9d72e..44acd2a 100644
--- a/.tboot.metadata
+++ b/.tboot.metadata
@@ -1 +1 @@
-687bb5c0453b0256d64c8b1aa538a49703f9737a SOURCES/tboot-1.10.5.tar.gz
+ea8af2a58cc0a1a5339478aef0f89fda100f7d1c SOURCES/tboot-1.11.3.tar.gz
diff --git a/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch b/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch
deleted file mode 100644
index 1f8a20b..0000000
--- a/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-# HG changeset patch
-# User Pawel Randzio
-# Date 1646837604 -3600
-# Wed Mar 09 15:53:24 2022 +0100
-# Node ID 9cda8c127b0a7bb11561befbaa9ecf1130763fcf
-# Parent 5941842afb661f0e78085cb1317781d362583a38
-Fixed a typo in man page for lcp2_crtpollist
-
-diff -r 5941842afb66 -r 9cda8c127b0a docs/man/lcp2_crtpollist.8
---- a/docs/man/lcp2_crtpollist.8 Fri Mar 04 11:14:35 2022 +0100
-+++ b/docs/man/lcp2_crtpollist.8 Wed Mar 09 15:53:24 2022 +0100
-@@ -36,7 +36,7 @@
- support rsapss and ecdsa.
- .TP \w'\fB--hashalg\ \fI\fP'u+1n
- \fB--hashalg\ \fI\fP
--Hash algorightm used for signing a list. Lists version 0x100 only support SHA1.
-+Hash algorithm used for signing a list. Lists version 0x100 only support SHA1.
- .TP
- \fB--pub\ \fIfile\fP
- Public key to use, must be in PEM format.
diff --git a/SOURCES/0002-check-for-client-server-match.patch b/SOURCES/0002-check-for-client-server-match.patch
deleted file mode 100644
index db71d65..0000000
--- a/SOURCES/0002-check-for-client-server-match.patch
+++ /dev/null
@@ -1,133 +0,0 @@ -# HG changeset patch -# User Timo Lindfors -# Date 1646900891 -7200 -# Thu Mar 10 10:28:11 2022 +0200 -# Node ID 9c625ab2035bae1fc38787025f74d2937600223b -# Parent 9cda8c127b0a7bb11561befbaa9ecf1130763fcf -txt-acminfo: Map TXT heap using mmap -Without this patch - -txt-acminfo 5th_gen_i5_i7_SINIT_79.BIN - -segfaults. This issue was introduced in - -o changeset: 627:d8a8e17f6d41 -| user: Lukasz Hawrylko -| date: Thu May 13 16:04:27 2021 +0200 -| summary: Check for client/server match when selecting SINIT - -Signed-off-by: Timo Lindfors - -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/common/loader.c ---- a/tboot/common/loader.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/common/loader.c Thu Mar 10 10:28:11 2022 +0200 -@@ -1792,7 +1792,7 @@ - void *base2 = (void *)m->mod_start; - uint32_t size2 = m->mod_end - (unsigned long)(base2); - if ( is_racm_acmod(base2, size2, false) && -- does_acmod_match_platform((acm_hdr_t *)base2) ) { -+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { - if ( base != NULL ) - *base = base2; - if ( size != NULL ) -@@ -1837,7 +1837,7 @@ - void *base2 = (void *)m->mod_start; - uint32_t size2 = m->mod_end - (unsigned long)(base2); - if ( is_sinit_acmod(base2, size2, false) && -- does_acmod_match_platform((acm_hdr_t *)base2) ) { -+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { - if ( base != NULL ) - *base = base2; - if ( size != NULL ) -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/include/txt/acmod.h ---- a/tboot/include/txt/acmod.h Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/include/txt/acmod.h Thu Mar 10 10:28:11 2022 +0200 -@@ -37,6 +37,8 @@ - #ifndef __TXT_ACMOD_H__ - #define __TXT_ACMOD_H__ - -+typedef void txt_heap_t; -+ - /* - * authenticated code (AC) module header (ver 0.0) - */ -@@ -179,7 +181,7 @@ - extern acm_hdr_t *copy_racm(const acm_hdr_t *racm); - extern bool verify_racm(const acm_hdr_t *acm_hdr); - extern bool is_sinit_acmod(const void *acmod_base, uint32_t acmod_size, bool quiet); --extern bool 
does_acmod_match_platform(const acm_hdr_t* hdr); -+extern bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t* txt_heap); - extern acm_hdr_t *copy_sinit(const acm_hdr_t *sinit); - extern bool verify_acmod(const acm_hdr_t *acm_hdr); - extern uint32_t get_supported_os_sinit_data_ver(const acm_hdr_t* hdr); -diff -r 9cda8c127b0a -r 9c625ab2035b tboot/txt/acmod.c ---- a/tboot/txt/acmod.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/tboot/txt/acmod.c Thu Mar 10 10:28:11 2022 +0200 -@@ -576,7 +576,7 @@ - return true; - } - --bool does_acmod_match_platform(const acm_hdr_t* hdr) -+bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t *txt_heap) - { - /* used to ensure we don't print chipset/proc info for each module */ - static bool printed_host_info; -@@ -587,7 +587,8 @@ - return false; - - /* verify client/server platform match */ -- txt_heap_t *txt_heap = get_txt_heap(); -+ if (txt_heap == NULL) -+ txt_heap = get_txt_heap(); - bios_data_t *bios_data = get_bios_data_start(txt_heap); - if (info_table->version >= 5 && bios_data->version >= 6) { - uint32_t bios_type = bios_data->flags.bits.mle.platform_type; -@@ -713,7 +714,7 @@ - - /* is it a valid SINIT module? 
*/ - if ( !is_sinit_acmod(sinit_region_base, bios_data->bios_sinit_size, false) || -- !does_acmod_match_platform((acm_hdr_t *)sinit_region_base) ) -+ !does_acmod_match_platform((acm_hdr_t *)sinit_region_base, NULL) ) - return NULL; - - return (acm_hdr_t *)sinit_region_base; -diff -r 9cda8c127b0a -r 9c625ab2035b utils/txt-acminfo.c ---- a/utils/txt-acminfo.c Wed Mar 09 15:53:24 2022 +0100 -+++ b/utils/txt-acminfo.c Thu Mar 10 10:28:11 2022 +0200 -@@ -203,15 +203,31 @@ - close(fd_mem); - return false; - } -- else { -- if ( does_acmod_match_platform(hdr) ) -- printf("ACM matches platform\n"); -- else -- printf("ACM does not match platform\n"); - -+ uint64_t txt_heap_size = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_SIZE); -+ if (txt_heap_size == 0) { -+ printf("ERROR: No TXT heap is available\n"); - munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); -+ close(fd_mem); -+ return false; - } - -+ uint64_t txt_heap_base = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_BASE); -+ txt_heap_t *txt_heap = mmap(NULL, txt_heap_size, PROT_READ, MAP_PRIVATE, -+ fd_mem, txt_heap_base); -+ if ( txt_heap == MAP_FAILED ) { -+ printf("ERROR: cannot map TXT heap by mmap()\n"); -+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); -+ close(fd_mem); -+ return false; -+ } -+ if ( does_acmod_match_platform(hdr, txt_heap) ) -+ printf("ACM matches platform\n"); -+ else -+ printf("ACM does not match platform\n"); -+ -+ munmap(txt_heap, txt_heap_size); -+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); - close(fd_mem); - return true; - } diff --git a/SOURCES/tboot-gcc14.patch b/SOURCES/tboot-gcc14.patch new file mode 100644 index 0000000..9b6ff83 --- /dev/null +++ b/SOURCES/tboot-gcc14.patch 
@@ -0,0 +1,17 @@
+Suppress GCC 14 allocation size warning in lcptools-v2/pconf_legacy.c
+
+Submitted upstream:
+
+diff --git a/lcptools-v2/pconf_legacy.c b/lcptools-v2/pconf_legacy.c
+index 443b5cd5525b9fe1..5ebc6c451f7008b1 100644
+--- a/lcptools-v2/pconf_legacy.c
++++ b/lcptools-v2/pconf_legacy.c
+@@ -324,7 +324,7 @@ static lcp_policy_element_t *create(void)
+ ERROR("Error: no pcrs were selected.\n");
+ return NULL;
+ }
+- digest = malloc(SHA1_DIGEST_SIZE);
++ digest = malloc(sizeof(*digest));
+ if (digest == NULL) {
+ ERROR("Error: failed to allocate memory for digest buffer.\n");
+ return NULL;
diff --git a/SOURCES/tboot-no-engine.patch b/SOURCES/tboot-no-engine.patch
new file mode 100644
index 0000000..747657d
--- /dev/null
+++ b/SOURCES/tboot-no-engine.patch
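Review bot: The replacement `digest = malloc(sizeof(*digest));` silently changes how much memory is allocated: the size is now whatever `digest`'s pointee type happens to be, which is declared outside this hunk, and a GCC 14 `-Walloc-size` warning on the old line indicates that type is larger than `SHA1_DIGEST_SIZE`. Growing the object cannot overflow, but if the remainder of `create()` (which continues past the hunk) still fills only `SHA1_DIGEST_SIZE` bytes, the rest of the object is uninitialized heap that later hashing or serialisation could read; `digest = calloc(1, sizeof(*digest));` makes the larger object deterministic at no cost. The patch header's `Submitted upstream:` line carries no reference; add the mailing-list or tracker URL so the downstream patch can be retired once it lands.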
@@ -0,0 +1,57 @@
+diff -up tboot-1.11.3/lcptools-v2/crtpol.c.no-engine tboot-1.11.3/lcptools-v2/crtpol.c
+--- tboot-1.11.3/lcptools-v2/crtpol.c.no-engine 2024-08-13 18:03:43.003697657 +0200
++++ tboot-1.11.3/lcptools-v2/crtpol.c 2024-08-13 18:04:49.315001612 +0200
+@@ -43,7 +43,10 @@
+ #include
+ #include
+ #include
++#include
++#ifndef OPENSSL_NO_ENGINE
+ #include
++#endif
+ #include
+ #include
+ #include
+diff -up tboot-1.11.3/lcptools-v2/crtpollist.c.no-engine tboot-1.11.3/lcptools-v2/crtpollist.c
+--- tboot-1.11.3/lcptools-v2/crtpollist.c.no-engine 2024-08-13 18:03:43.005697697 +0200
++++ tboot-1.11.3/lcptools-v2/crtpollist.c 2024-08-13 18:04:58.324178771 +0200
+@@ -44,7 +44,10 @@
+ #include
+ #include
+ #include
++#include
++#ifndef OPENSSL_NO_ENGINE
+ #include
++#endif
+ #include
+ #include
+ #include
+diff -up tboot-1.11.3/lcptools-v2/lcputils.c.no-engine tboot-1.11.3/lcptools-v2/lcputils.c
+--- tboot-1.11.3/lcptools-v2/lcputils.c.no-engine 2024-08-13 18:03:43.004697677 +0200
++++ tboot-1.11.3/lcptools-v2/lcputils.c 2024-08-13 18:04:53.293079838 +0200
+@@ -43,7 +43,10 @@
+ #include
+ #include
+ #include
++#include
++#ifndef OPENSSL_NO_ENGINE
+ #include
++#endif
+ #include
+ #include
+ #include
+diff -up tboot-1.11.3/lcptools-v2/pollist2.c.no-engine tboot-1.11.3/lcptools-v2/pollist2.c
+--- tboot-1.11.3/lcptools-v2/pollist2.c.no-engine 2024-08-13 18:03:43.002697637 +0200
++++ tboot-1.11.3/lcptools-v2/pollist2.c 2024-08-13 18:04:45.813932767 +0200
+@@ -41,7 +41,10 @@
+ #include
+ #include
+ #include
++#include
++#ifndef OPENSSL_NO_ENGINE
+ #include
++#endif
+ #include
+ #include
+ #include
+
diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
index 81989ff..a258b70 100644
--- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec
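Review bot: Wrapping only the engine header in `#ifndef OPENSSL_NO_ENGINE` does not stop the ENGINE API being used: if any of these four files still call `ENGINE_*` functions (their bodies are outside the hunk), an OpenSSL built with `OPENSSL_NO_ENGINE` still fails to compile them, and an OpenSSL with engines still takes the deprecated engine loading path, so the changelog line `Stop using OpenSSL ENGINE API in tboot` promises more than this patch delivers. The `#ifndef` test is only meaningful if the header added immediately before it defines that macro; its target was lost in this rendering, but it must be `<openssl/opensslconf.h>` or a header that includes it, otherwise the guard is always taken. Either wrap the ENGINE call sites in the same guard or move them to the provider API, and give the patch a one-line header comment stating what it does and whether it was sent upstream.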
@@ -1,23 +1,22 @@ -Summary: Performs a verified launch using Intel TXT -Name: tboot -Version: 1.10.5 -Release: 2%{?dist} -Epoch: 1 - -License: BSD -URL: http://sourceforge.net/projects/tboot/ -Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz - -Patch01: 0001-fix-typo-in-lcp2_crtpollist-manpage.patch -Patch02: 0002-check-for-client-server-match.patch - -BuildRequires: make -BuildRequires: gcc -BuildRequires: perl -BuildRequires: openssl-devel -BuildRequires: zlib-devel -ExclusiveArch: %{ix86} x86_64 -Requires: grub2-efi-x64-modules +Summary: Performs a verified launch using Intel TXT +Name: tboot +Version: 1.11.3 +Release: 3%{?dist} +Epoch: 1 + +License: BSD-3-Clause +URL: http://sourceforge.net/projects/tboot/ +Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz +Patch0: tboot-gcc14.patch +Patch1: tboot-no-engine.patch + +BuildRequires: make +BuildRequires: gcc +BuildRequires: perl +BuildRequires: openssl-devel +BuildRequires: zlib-devel +Requires: grub2-efi-x64-modules +ExclusiveArch: %{ix86} x86_64 %description Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses @@ -28,11 +27,16 @@ and verified launch of an OS kernel/VMM. %autosetup -p1 -n %{name}-%{version} %build -CFLAGS="%{optflags}"; export CFLAGS -LDFLAGS="%{build_ldflags}"; export LDFLAGS -make debug=y %{?_smp_mflags} +%make_build debug=y + +%install +%make_install debug=y %post +# create the tboot grub entry +grub2-mkconfig -o /boot/grub2/grub.cfg + +# For EFI based machines ... # Rmove the grub efi modules if they had been placed in the wrong directory by # a previous install. [ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi 
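Review bot: `Source0` still fetches the upstream tarball over plain `http://downloads.sourceforge.net/...`, so a refresh of the source (e.g. `spectool -g`) can be substituted in transit before its digest is recorded in `.tboot.metadata`; change it to `Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz`. The rest of the hunk is a version bump, the SPDX license tag and the new patch list, which with `%autosetup -p1` is consistent.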
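Review bot: Dropping `CFLAGS="%{optflags}"; export CFLAGS` and `LDFLAGS="%{build_ldflags}"; export LDFLAGS` from `%build` removes the only explicit route by which the distribution hardening flags (PIE, stack protector, `-D_FORTIFY_SOURCE`, RELRO) reached tboot's make; `%make_build` does not export them itself, so the build now relies on the rpm macros exporting `%{build_cflags}` into the environment and on tboot's Config.mk not overriding `CFLAGS`, neither of which this hunk can show. Verify with `annocheck` or `hardening-check` on the built `lcp2_*` and `txt-*` tools (they parse externally supplied policy files and ACM images), or keep the two export lines directly above `%make_build debug=y`. Likewise `%make_install` passes `DESTDIR=%{buildroot}` where the removed line passed `DISTDIR=$RPM_BUILD_ROOT`; confirm tboot's install target honours `DESTDIR`, otherwise the install writes into the build host's own `/boot`. The `%post` body continues outside the hunk.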
@@ -68,107 +72,109 @@ fi [ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi grub2-mkconfig -o /etc/grub2.cfg -%install -make debug=y DISTDIR=$RPM_BUILD_ROOT install - %files -%doc README.md COPYING docs/* lcptools-v2/lcptools.txt +%license COPYING +%doc docs/* %config %{_sysconfdir}/grub.d/20_linux_tboot %config %{_sysconfdir}/grub.d/20_linux_xen_tboot -%{_sbindir}/txt-acminfo %{_sbindir}/lcp2_crtpol %{_sbindir}/lcp2_crtpolelt %{_sbindir}/lcp2_crtpollist %{_sbindir}/lcp2_mlehash -%{_sbindir}/txt-parse_err %{_sbindir}/tb_polgen +%{_sbindir}/txt-acminfo +%{_sbindir}/txt-parse_err %{_sbindir}/txt-stat -%{_mandir}/man8/txt-acminfo.8.gz -%{_mandir}/man8/tb_polgen.8.gz -%{_mandir}/man8/txt-stat.8.gz %{_mandir}/man8/lcp2_crtpol.8.gz %{_mandir}/man8/lcp2_crtpolelt.8.gz %{_mandir}/man8/lcp2_crtpollist.8.gz %{_mandir}/man8/lcp2_mlehash.8.gz +%{_mandir}/man8/tb_polgen.8.gz +%{_mandir}/man8/txt-acminfo.8.gz %{_mandir}/man8/txt-parse_err.8.gz +%{_mandir}/man8/txt-stat.8.gz /boot/tboot.gz /boot/tboot-syms %changelog -* Fri Apr 14 2023 MSVSphere Packaging Team - 1.10.5-2 -- Rebuilt for MSVSphere 9.2 beta - -* Thu Aug 18 2022 Tony Camuso - 1:1.10.5-2 -- The install scriptlet in %post was choosing the first grub.cfg - file it encountered, which was /boot/efi/EFI/redhat/grub.cfg. - This is a stub that defines grub boot disk UUID necessary for - proper grubenv setup, and it must not be overwritten or changed. - Modify the scriptlet to target /boot/grub2/grub.cfg - Additionally, remove any wrongly created /boot/grub2/x86_64-efi - directory and recreate the correct /boot/efi/EFI/redhat/grub.cfg - stub file. - Added a %postun section to cleanup when removing tboot with - dnf erase. - Thanks to Lenny Szubowicz for the bash code to recreate the - /boot/efi/EFI/redhat/grub.cfg stub file. - Resolves: rhbz#2112236 - -* Wed May 04 2022 Tony Camuso - 1:1.10.5-1 -- Upgrade to tboot-1.10.5-1 for fixes and updates. 
-- Added a Requires line to install grub2-efi-x64-modules -- Added a scriptlet to the tboot.spec file to automatically install - grub2-efi-x64-modules and move them to the correct directory. -- Removed three patches that are no longer needed. -- Added two patches from upstream, one for a fix, the other cosemetic. -- Resolves: rhbz#2041766 - Resolves: rhbz#2040083 - -* Thu Sep 30 2021 Tony Camuso - 1:1.10.2-6 -- Use sha256 as default hashing algorithm - Resolves: rhbz#1935448 - -* Tue Aug 10 2021 Mohan Boddu - 1:1.10.2-5 -- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Related: rhbz#1991688 - -* Wed Jul 28 2021 Tony Camuso - 1:1.10.2-4 -- From Miroslave Vadkerti: - Onboarding tests to RHEL9 in BaseOS CI requires action, adding - test configuration in our "dispatcher" configuration for RHEL9: - https://gitlab.cee.redhat.com/baseos-qe/citool-config/blob/production/brew-dispatcher-rhel9.yaml - Test config was added for tboot in the following MR. - https://gitlab.cee.redhat.com/baseos-qe/citool-config/-/merge_requests/2686 - Resolves: rhbz#1922002 - -* Tue Jul 27 2021 Tony Camuso - 1:1.10.2-3 -- Add the %{optflags} and %{build_ldflags} macros to assure the - build meets RHEL security requirements. - Resolves: rhbz#1922002 - -* Thu Jul 22 2021 Tony Camuso - 1:1.10.2-2 -- Bump the NVR as a result of including the gating.yaml file in - the git repo. - Resolves: rhbz#1922002 - -* Mon Jun 21 2021 Tony Camuso - 1:1.10.2-1 -- The patches are for SSL3 compatibility. These can probably be - removed when upstream tboot fully implements SSL3. -- Upgrade to latest upstream. -- Remove trousers dependency. 
- Resolves: rhbz#1922002 - Resolves: rhbz#1870520 - Resolves: rhbz#1927374 - -* Wed Jun 16 2021 Mohan Boddu - 1:1.9.11-9 -- Rebuilt for RHEL 9 BETA for openssl 3.0 - Related: rhbz#1971065 - -* Thu May 27 2021 Tony Camuso - 1:1.9.11-8 -- Add -Wno-error=deprecated-declarations to the Config.mk patch - Resolves: rhbz#1958031 - -* Fri Apr 16 2021 Mohan Boddu - 1:1.9.11-7 -- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 +* Sat Oct 12 2024 Arkady L. Shane - 1:1.11.3-3 +- Rebuilt for MSVSphere 9.5 + +* Thu Aug 15 2024 Tony Camuso - 1:1.11.3-3 +- Add gating.yaml + Resolves: RHEL-54412 + +* Tue Aug 13 2024 Tony Camuso - 1:1.11.3-2 +- Stop using OpenSSL ENGINE API in tboot + Resolves: RHEL-54172 + +* Tue Jun 25 2024 Tony Camuso - 1:1.11.3-1 +- Latest version of tboot. + Resolves: RHEL-34500 + +* Mon Jun 24 2024 Troy Dawson - 1:1.11.1-7 +- Bump release for June 2024 mass rebuild + +* Mon Jan 29 2024 Florian Weimer - 1:1.11.1-6 +- Suppress GCC 14 allocation size warning + +* Sat Jan 27 2024 Fedora Release Engineering - 1:1.11.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Nov 01 2023 Yaakov Selkowitz - 1:1.11.1-4 +- Add grub2-efi-x64-modules dependency and scriplet + +* Fri Sep 22 2023 David Cantrell - 1:1.11.1-3 +- Use %%license for the COPYING file in the %%files section +- Convert the License tag to an SPDX expression + +* Sat Jul 22 2023 Fedora Release Engineering - 1:1.11.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Sun May 07 2023 Jun Miao - 1:1.11.1-1 +- Update to v1.11.1 release + +* Sun Apr 23 2023 Jun Miao - 1:1.11.0-2 +- Update code sources with the v1.11.0 + +* Mon Feb 27 2023 Jun Miao - 1:1.11.0-1 +- Update to v1.11.0 release + +* Sat Jan 21 2023 Fedora Release Engineering - 1:1.10.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Sat Jul 23 2022 Fedora Release Engineering - 1:1.10.5-2 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Wed Apr 20 2022 Jun Miao - 1:1.10.5-1 +- Update to v1.10.5 release + +* Fri Feb 25 2022 Jun Miao jun.miao@intel.com - 1:1.10.4-2 +- Update the tboot-1.10.4.tar.gz source + +* Fri Feb 25 2022 Jun Miao - 1:1.10.4-1 +- Updated to upstream 1.10.4 release +- Fix the GCC12 build error + +* Thu Dec 23 2021 Yunying Sun - 1:1.10.3-1 +- Updated to 1.10.3 which added OpenSSL 3.0.0 support +- Bugzilla 2021901 is fixed with this updated release +- Removed obsolete patch files + +* Fri Dec 3 2021 Yunying Sun - 1:1.10.2-4 +- Rebuilt again with OpenSSL 3.0.0 fix patch + +* Tue Sep 14 2021 Sahana Prasad - 1:1.10.2-3 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Jul 23 2021 Fedora Release Engineering - 1:1.10.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jun 15 2021 Yunying Sun - 1:1.10.2-1 +- Updated to upstream 1.10.2 release +- Removed standalone patches as both are fixed in 1.10.2 +- Adjusted dependencies, removed trousers and added perl +- Updated packaged file list * Wed Jan 27 2021 Fedora Release Engineering - 1:1.9.11-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
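Review bot: `%postun` regenerates `grub2-mkconfig -o /etc/grub2.cfg` while `%post` in the same spec writes `/boot/grub2/grub.cfg`; the two coincide only when `/etc/grub2.cfg` is the usual symlink into `/boot/grub2`, and if it is missing the scriptlet leaves a regular file GRUB never reads while the real configuration keeps the stale tboot entry (the changelog entry deleted in this hunk records exactly this class of wrong-target mistake on EFI hosts). Use `grub2-mkconfig -o /boot/grub2/grub.cfg` in both scriptlets, and since `%postun` also runs on upgrade (`$1 = 1`), consider guarding the unconditional `rm -rf` and regeneration after the `fi` (whose `if` lies outside the hunk) with `if [ $1 -eq 0 ]; then … fi`. The two newest changelog entries both claim `1:1.11.3-3`; the MSVSphere rebuild should carry a distinct release so the EVR is unique.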