commit e2bff8997b5f5784930fdf1a4e4463d6f48b838c Author: CentOS Sources Date: Tue May 16 06:23:33 2023 +0000 import tboot-1.10.5-2.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..fc61607 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/tboot-1.10.5.tar.gz diff --git a/.tboot.metadata b/.tboot.metadata new file mode 100644 index 0000000..7a9d72e --- /dev/null +++ b/.tboot.metadata @@ -0,0 +1 @@ +687bb5c0453b0256d64c8b1aa538a49703f9737a SOURCES/tboot-1.10.5.tar.gz diff --git a/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch b/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch new file mode 100644 index 0000000..1f8a20b --- /dev/null +++ b/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch @@ -0,0 +1,20 @@ +# HG changeset patch +# User Pawel Randzio +# Date 1646837604 -3600 +# Wed Mar 09 15:53:24 2022 +0100 +# Node ID 9cda8c127b0a7bb11561befbaa9ecf1130763fcf +# Parent 5941842afb661f0e78085cb1317781d362583a38 +Fixed a typo in man page for lcp2_crtpollist + +diff -r 5941842afb66 -r 9cda8c127b0a docs/man/lcp2_crtpollist.8 +--- a/docs/man/lcp2_crtpollist.8 Fri Mar 04 11:14:35 2022 +0100 ++++ b/docs/man/lcp2_crtpollist.8 Wed Mar 09 15:53:24 2022 +0100 +@@ -36,7 +36,7 @@ + support rsapss and ecdsa. + .TP \w'\fB--hashalg\ \fI\fP'u+1n + \fB--hashalg\ \fI\fP +-Hash algorightm used for signing a list. Lists version 0x100 only support SHA1. ++Hash algorithm used for signing a list. Lists version 0x100 only support SHA1. + .TP + \fB--pub\ \fIfile\fP + Public key to use, must be in PEM format. diff --git a/SOURCES/0002-check-for-client-server-match.patch b/SOURCES/0002-check-for-client-server-match.patch new file mode 100644 index 0000000..db71d65 --- /dev/null +++ b/SOURCES/0002-check-for-client-server-match.patch @@ -0,0 +1,133 @@ +# HG changeset patch +# User Timo Lindfors +# Date 1646900891 -7200 +# Thu Mar 10 10:28:11 2022 +0200 +# Node ID 9c625ab2035bae1fc38787025f74d2937600223b +# Parent 9cda8c127b0a7bb11561befbaa9ecf1130763fcf +txt-acminfo: Map TXT heap using mmap +Without this patch + +txt-acminfo 5th_gen_i5_i7_SINIT_79.BIN + +segfaults. This issue was introduced in + +o changeset: 627:d8a8e17f6d41 +| user: Lukasz Hawrylko +| date: Thu May 13 16:04:27 2021 +0200 +| summary: Check for client/server match when selecting SINIT + +Signed-off-by: Timo Lindfors + +diff -r 9cda8c127b0a -r 9c625ab2035b tboot/common/loader.c +--- a/tboot/common/loader.c Wed Mar 09 15:53:24 2022 +0100 ++++ b/tboot/common/loader.c Thu Mar 10 10:28:11 2022 +0200 +@@ -1792,7 +1792,7 @@ + void *base2 = (void *)m->mod_start; + uint32_t size2 = m->mod_end - (unsigned long)(base2); + if ( is_racm_acmod(base2, size2, false) && +- does_acmod_match_platform((acm_hdr_t *)base2) ) { ++ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { + if ( base != NULL ) + *base = base2; + if ( size != NULL ) +@@ -1837,7 +1837,7 @@ + void *base2 = (void *)m->mod_start; + uint32_t size2 = m->mod_end - (unsigned long)(base2); + if ( is_sinit_acmod(base2, size2, false) && +- does_acmod_match_platform((acm_hdr_t *)base2) ) { ++ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { + if ( base != NULL ) + *base = base2; + if ( size != NULL ) +diff -r 9cda8c127b0a -r 9c625ab2035b tboot/include/txt/acmod.h +--- a/tboot/include/txt/acmod.h Wed Mar 09 15:53:24 2022 +0100 ++++ b/tboot/include/txt/acmod.h Thu Mar 10 10:28:11 2022 +0200 +@@ -37,6 +37,8 @@ + #ifndef __TXT_ACMOD_H__ + #define __TXT_ACMOD_H__ + ++typedef void txt_heap_t; ++ + /* + * authenticated code (AC) module header (ver 0.0) + */ +@@ -179,7 +181,7 @@ + extern acm_hdr_t *copy_racm(const acm_hdr_t *racm); + extern bool verify_racm(const acm_hdr_t *acm_hdr); + extern bool is_sinit_acmod(const void *acmod_base, uint32_t acmod_size, bool quiet); +-extern bool does_acmod_match_platform(const acm_hdr_t* hdr); ++extern bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t* txt_heap); + extern acm_hdr_t *copy_sinit(const acm_hdr_t *sinit); + extern bool verify_acmod(const acm_hdr_t *acm_hdr); + extern uint32_t get_supported_os_sinit_data_ver(const acm_hdr_t* hdr); +diff -r 9cda8c127b0a -r 9c625ab2035b tboot/txt/acmod.c +--- a/tboot/txt/acmod.c Wed Mar 09 15:53:24 2022 +0100 ++++ b/tboot/txt/acmod.c Thu Mar 10 10:28:11 2022 +0200 +@@ -576,7 +576,7 @@ + return true; + } + +-bool does_acmod_match_platform(const acm_hdr_t* hdr) ++bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t *txt_heap) + { + /* used to ensure we don't print chipset/proc info for each module */ + static bool printed_host_info; +@@ -587,7 +587,8 @@ + return false; + + /* verify client/server platform match */ +- txt_heap_t *txt_heap = get_txt_heap(); ++ if (txt_heap == NULL) ++ txt_heap = get_txt_heap(); + bios_data_t *bios_data = get_bios_data_start(txt_heap); + if (info_table->version >= 5 && bios_data->version >= 6) { + uint32_t bios_type = bios_data->flags.bits.mle.platform_type; +@@ -713,7 +714,7 @@ + + /* is it a valid SINIT module? */ + if ( !is_sinit_acmod(sinit_region_base, bios_data->bios_sinit_size, false) || +- !does_acmod_match_platform((acm_hdr_t *)sinit_region_base) ) ++ !does_acmod_match_platform((acm_hdr_t *)sinit_region_base, NULL) ) + return NULL; + + return (acm_hdr_t *)sinit_region_base; +diff -r 9cda8c127b0a -r 9c625ab2035b utils/txt-acminfo.c +--- a/utils/txt-acminfo.c Wed Mar 09 15:53:24 2022 +0100 ++++ b/utils/txt-acminfo.c Thu Mar 10 10:28:11 2022 +0200 +@@ -203,15 +203,31 @@ + close(fd_mem); + return false; + } +- else { +- if ( does_acmod_match_platform(hdr) ) +- printf("ACM matches platform\n"); +- else +- printf("ACM does not match platform\n"); + ++ uint64_t txt_heap_size = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_SIZE); ++ if (txt_heap_size == 0) { ++ printf("ERROR: No TXT heap is available\n"); + munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); ++ close(fd_mem); ++ return false; + } + ++ uint64_t txt_heap_base = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_BASE); ++ txt_heap_t *txt_heap = mmap(NULL, txt_heap_size, PROT_READ, MAP_PRIVATE, ++ fd_mem, txt_heap_base); ++ if ( txt_heap == MAP_FAILED ) { ++ printf("ERROR: cannot map TXT heap by mmap()\n"); ++ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); ++ close(fd_mem); ++ return false; ++ } ++ if ( does_acmod_match_platform(hdr, txt_heap) ) ++ printf("ACM matches platform\n"); ++ else ++ printf("ACM does not match platform\n"); ++ ++ munmap(txt_heap, txt_heap_size); ++ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); + close(fd_mem); + return true; + } diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec new file mode 100644 index 0000000..a9200d3 --- /dev/null +++ b/SPECS/tboot.spec @@ -0,0 +1,242 @@ +Summary: Performs a verified launch using Intel TXT +Name: tboot +Version: 1.10.5 +Release: 2%{?dist} +Epoch: 1 + +Group: System Environment/Base +License: BSD +URL: http://sourceforge.net/projects/tboot/ +Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz + +BuildRequires: openssl-devel +BuildRequires: perl +ExclusiveArch: %{ix86} x86_64 +Requires: grub2-efi-x64-modules + +Patch01: 0001-fix-typo-in-lcp2_crtpollist-manpage.patch +Patch02: 0002-check-for-client-server-match.patch + +%description +Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses +Intel Trusted Execution Technology (Intel TXT) to perform a measured +and verified launch of an OS kernel/VMM. + +%prep +%autosetup -S git + +# do not override OPTFLAGS +sed -i -e 's/-march=i686//' Config.mk + +%build +CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS +LDFLAGS="$RPM_LD_FLAGS"; export LDFLAGS +make debug=y %{?_smp_mflags} + +%post +# create the tboot entry and copy the modules to the grubenvdir +grublib='/usr/lib/grub/x86_64-efi/' + +if [ -d /sys/firmware/efi ]; then + echo "EFI detected .." + grubenvdir='/boot/efi/EFI/redhat' +else + echo "Legacy BIOS detected .." + grubenvdir='/boot/grub2' + # If previous install put the modules in the wrong dir + [ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi +fi + +grub2-mkconfig -o $grubenvdir/grub.cfg +[ -d $grubenvdir/x86_64-efi ] || mkdir -pv $grubenvdir/x86_64-efi +cp -vf $grublib/relocator.mod $grubenvdir/x86_64-efi/ +cp -vf $grublib/multiboot2.mod $grubenvdir/x86_64-efi/ + +%postun +# Cleanup all tboot files + +# Remove residual grub efi modules. +if [ -d /sys/firmware/efi ]; then + echo "EFI detected .." + grubenvdir='/boot/efi/EFI/redhat' +else + echo "Legacy BIOS detected .." + grubenvdir='/boot/grub2' +fi + +[ -d $grubenvdir/x86_64-efi ] && rm -rf $grubenvdir/x86_64-efi +grub2-mkconfig -o $grubenvdir/grub.cfg + +%install +echo "installing tboot" +make debug=y DISTDIR=$RPM_BUILD_ROOT install + +%files +%doc README.md COPYING docs/* lcptools-v2/lcptools.txt +%config %{_sysconfdir}/grub.d/20_linux_tboot +%config %{_sysconfdir}/grub.d/20_linux_xen_tboot +%{_sbindir}/txt-acminfo +%{_sbindir}/lcp2_crtpol +%{_sbindir}/lcp2_crtpolelt +%{_sbindir}/lcp2_crtpollist +%{_sbindir}/lcp2_mlehash +%{_sbindir}/txt-parse_err +%{_sbindir}/tb_polgen +%{_sbindir}/txt-stat +%{_mandir}/man8/txt-acminfo.8.gz +%{_mandir}/man8/tb_polgen.8.gz +%{_mandir}/man8/txt-stat.8.gz +%{_mandir}/man8/lcp2_crtpol.8.gz +%{_mandir}/man8/lcp2_crtpolelt.8.gz +%{_mandir}/man8/lcp2_crtpollist.8.gz +%{_mandir}/man8/lcp2_mlehash.8.gz +%{_mandir}/man8/txt-parse_err.8.gz +/boot/tboot.gz +/boot/tboot-syms + +%changelog +* Fri Aug 26 2022 Tony Camuso - 1:1.10.5-2 +- The install scriptlet in %post was not choosing the correct + grubenv directory. In RHEL8, the efi and legacy bios grubenv + directories are different. This change assures that the + correct directory is used for grub.cfg and related modules. + Added a %postun section to cleanup when removing tboot with + dnf erase. + Resolves: rhbz#2121836 + +* Wed Apr 20 2022 Tony Camuso - 1:1.10.5-1 + Upgrade to tboot-1.10.5-1 for fixes and updates. + Added a scriptlet to the tboot.spec file to automatically install + grub2-efi-x64-modules and move them to the correct directory. + Resolves: rhbz#2040082 + Resolves: rhbz#2041759 + +* Thu Jun 10 2021 Tony Camuso - 1:1.10.1-1 + Upgrade to tboot-1.10.2-1 provides some bug fixes and updates. + Remove 0001-Do-not-install-man-pages-for-deprecated-tools.patch + from the git repo, since it is no longer needed. + Resolves: rhbz#1857068 + Resolves: rhbz#1873296 + Resolves: rhbz#1920386 + +* Mon Feb 22 2021 Tony Camuso - 1:1.10.0-1 + Need to add BuildRequires: perl, since it has beem moved + from BuildRoot. + See: https://fedoraproject.org/wiki/Packaging:Perl#Build_Dependencies + Resolves: rhbz#1857068 + +* Mon Feb 22 2021 Tony Camuso - 1:1.10.0-1 + Build problem creating directory for grub modules. We can't + know if the modules are there, so it's up to the end user to + find the modules and copy them to the correct location. + Specifically, for systems booting from EFI, the + /boot/efi/EFI/redhat/x86_64-efi/multiboot2.mod file, if it + exists, must be copied to the /boot/efi/EFI/redhat/x86_64-efi/ + directory. If that file does not exist, then the system has + the wrong version of grub for using tboot in an EFI system. + Resolves: rhbz#1857068 + +* Fri Dec 11 2020 Tony Camuso - 1:1.10.0-0 + Upgrade to latest upstream version + Added upstream patch to remove deprecated man pages + Resolves: rhbz#1857068 + +* Tue Jun 23 2020 Tony Camuso - 1:1.9.12-2 +- Fix build issues with one upstream patch. + This patch also reverts the previous patch concerning the + -Wno-address-of-packed-member cflag. + Resolves: rhbz#1847938 + +* Fri Jun 12 2020 Tony Camuso - 1:1.9.12-1 +- Add patch to revert "Disable GCC9 address-of-packed-member warning" + While it was able to build locally with 'rhpkg local', the brew + build failed, because the compiler on the brew systems did not + recognized the new GCC9 command line flag: + -Wno-address-of-packed-member + +* Fri May 29 2020 Tony Camuso - 1:1.9.12-1 +- Upgrade to latest upstream version + Resolves: rhbz#1790169 + +* Fri Nov 15 2019 Tony Camuso - 1:1.9.10-1 +- Rebase to the lastest upstream version. + Resolves: rhbz#1725661 + +* Fri Sep 7 2018 Tony Camuso - 1:1.9.7-1 +- Rebase to the latest upstream version. + Resolves: rhbz#1511799 +- Do not override OPTFLAGS in the make + Resolves: rhbz#1620070 + +* Fri Jul 20 2018 Tony Camuso - 1:1.9.6-3 +- Incorporate latest upstream patches, including a newer version + of the OpenSSL patch in 1.9.6-2 + Resolves: rhbz#1492771 + Resolves: rhbz#1499435 + +* Tue Feb 06 2018 Tomáš Mráz - 1:1.9.6-2 +- Patch to build with OpenSSL-1.1.x + +* Sun Feb 04 2018 Filipe Rosset - 1:1.9.6-1 +- Upgrade to latest upstream version + +* Thu Aug 03 2017 Fedora Release Engineering - 1:1.8.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1:1.8.2-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 1:1.8.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Feb 05 2016 Fedora Release Engineering - 1:1.8.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jun 19 2015 Fedora Release Engineering - 1:1.8.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Aug 18 2014 Fedora Release Engineering - 1:1.8.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jul 30 2014 Gang Wei - 1:1.8.2-1 +- Upgrade to latest upstream version which provided security fix for: + tboot:argument measurement vulnerablity for GRUB2+ELF kernels + +* Wed Jun 18 2014 Gang Wei - 1:1.8.1-1 +- Upgrade to latest upstream version + +* Sun Jun 08 2014 Fedora Release Engineering - 1:1.7.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun Aug 04 2013 Fedora Release Engineering - 1:1.7.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Apr 02 2013 Gang Wei - 1:1.7.3-3 +- Fix for breaking grub2-mkconfig operation in 32bit case(#929384) + +* Wed Feb 20 2013 Gang Wei - 1:1.7.3-2 +- Fix version string in log + +* Wed Jan 30 2013 David Cantrell - 1:1.7.3-1 +- Upgrade to latest upstream version (#902653) + +* Wed Aug 22 2012 Gang Wei - 1:1.7.0-2 +- Fix build error with zlib 1.2.7 + +* Sat Jul 21 2012 Fedora Release Engineering - 1:1.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sun Jan 15 2012 Gang Wei - 1:1.7.0 +- 1.7.0 release + +* Sat Jan 14 2012 Fedora Release Engineering - 20110429-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Apr 29 2011 Gang Wei - 20110429-1 +- Pull upstream changeset 255, rebuilt in F15 + +* Wed Feb 09 2011 Fedora Release Engineering - 20101005-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Dec 1 2010 Joseph Cihula - 20101005-1.fc13 +- Initial import