commit fab11511f30172dc7cf9020a7f7304de8c77fceb Author: CentOS Sources Date: Tue Mar 28 09:36:57 2023 +0000 import tboot-1.10.5-2.el9 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..fc61607 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/tboot-1.10.5.tar.gz diff --git a/.tboot.metadata b/.tboot.metadata new file mode 100644 index 0000000..7a9d72e --- /dev/null +++ b/.tboot.metadata @@ -0,0 +1 @@ +687bb5c0453b0256d64c8b1aa538a49703f9737a SOURCES/tboot-1.10.5.tar.gz diff --git a/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch b/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch new file mode 100644 index 0000000..1f8a20b --- /dev/null +++ b/SOURCES/0001-fix-typo-in-lcp2_crtpollist-manpage.patch @@ -0,0 +1,20 @@ +# HG changeset patch +# User Pawel Randzio +# Date 1646837604 -3600 +# Wed Mar 09 15:53:24 2022 +0100 +# Node ID 9cda8c127b0a7bb11561befbaa9ecf1130763fcf +# Parent 5941842afb661f0e78085cb1317781d362583a38 +Fixed a typo in man page for lcp2_crtpollist + +diff -r 5941842afb66 -r 9cda8c127b0a docs/man/lcp2_crtpollist.8 +--- a/docs/man/lcp2_crtpollist.8 Fri Mar 04 11:14:35 2022 +0100 ++++ b/docs/man/lcp2_crtpollist.8 Wed Mar 09 15:53:24 2022 +0100 +@@ -36,7 +36,7 @@ + support rsapss and ecdsa. + .TP \w'\fB--hashalg\ \fI\fP'u+1n + \fB--hashalg\ \fI\fP +-Hash algorightm used for signing a list. Lists version 0x100 only support SHA1. ++Hash algorithm used for signing a list. Lists version 0x100 only support SHA1. + .TP + \fB--pub\ \fIfile\fP + Public key to use, must be in PEM format. diff --git a/SOURCES/0002-check-for-client-server-match.patch b/SOURCES/0002-check-for-client-server-match.patch new file mode 100644 index 0000000..db71d65 --- /dev/null +++ b/SOURCES/0002-check-for-client-server-match.patch @@ -0,0 +1,133 @@ +# HG changeset patch +# User Timo Lindfors +# Date 1646900891 -7200 +# Thu Mar 10 10:28:11 2022 +0200 +# Node ID 9c625ab2035bae1fc38787025f74d2937600223b +# Parent 9cda8c127b0a7bb11561befbaa9ecf1130763fcf +txt-acminfo: Map TXT heap using mmap +Without this patch + +txt-acminfo 5th_gen_i5_i7_SINIT_79.BIN + +segfaults. This issue was introduced in + +o changeset: 627:d8a8e17f6d41 +| user: Lukasz Hawrylko +| date: Thu May 13 16:04:27 2021 +0200 +| summary: Check for client/server match when selecting SINIT + +Signed-off-by: Timo Lindfors + +diff -r 9cda8c127b0a -r 9c625ab2035b tboot/common/loader.c +--- a/tboot/common/loader.c Wed Mar 09 15:53:24 2022 +0100 ++++ b/tboot/common/loader.c Thu Mar 10 10:28:11 2022 +0200 +@@ -1792,7 +1792,7 @@ + void *base2 = (void *)m->mod_start; + uint32_t size2 = m->mod_end - (unsigned long)(base2); + if ( is_racm_acmod(base2, size2, false) && +- does_acmod_match_platform((acm_hdr_t *)base2) ) { ++ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { + if ( base != NULL ) + *base = base2; + if ( size != NULL ) +@@ -1837,7 +1837,7 @@ + void *base2 = (void *)m->mod_start; + uint32_t size2 = m->mod_end - (unsigned long)(base2); + if ( is_sinit_acmod(base2, size2, false) && +- does_acmod_match_platform((acm_hdr_t *)base2) ) { ++ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) { + if ( base != NULL ) + *base = base2; + if ( size != NULL ) +diff -r 9cda8c127b0a -r 9c625ab2035b tboot/include/txt/acmod.h +--- a/tboot/include/txt/acmod.h Wed Mar 09 15:53:24 2022 +0100 ++++ b/tboot/include/txt/acmod.h Thu Mar 10 10:28:11 2022 +0200 +@@ -37,6 +37,8 @@ + #ifndef __TXT_ACMOD_H__ + #define __TXT_ACMOD_H__ + ++typedef void txt_heap_t; ++ + /* + * authenticated code (AC) module header (ver 0.0) + */ +@@ -179,7 +181,7 @@ + extern acm_hdr_t *copy_racm(const acm_hdr_t *racm); + extern bool verify_racm(const acm_hdr_t *acm_hdr); + extern bool is_sinit_acmod(const void *acmod_base, uint32_t acmod_size, bool quiet); +-extern bool does_acmod_match_platform(const acm_hdr_t* hdr); ++extern bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t* txt_heap); + extern acm_hdr_t *copy_sinit(const acm_hdr_t *sinit); + extern bool verify_acmod(const acm_hdr_t *acm_hdr); + extern uint32_t get_supported_os_sinit_data_ver(const acm_hdr_t* hdr); +diff -r 9cda8c127b0a -r 9c625ab2035b tboot/txt/acmod.c +--- a/tboot/txt/acmod.c Wed Mar 09 15:53:24 2022 +0100 ++++ b/tboot/txt/acmod.c Thu Mar 10 10:28:11 2022 +0200 +@@ -576,7 +576,7 @@ + return true; + } + +-bool does_acmod_match_platform(const acm_hdr_t* hdr) ++bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t *txt_heap) + { + /* used to ensure we don't print chipset/proc info for each module */ + static bool printed_host_info; +@@ -587,7 +587,8 @@ + return false; + + /* verify client/server platform match */ +- txt_heap_t *txt_heap = get_txt_heap(); ++ if (txt_heap == NULL) ++ txt_heap = get_txt_heap(); + bios_data_t *bios_data = get_bios_data_start(txt_heap); + if (info_table->version >= 5 && bios_data->version >= 6) { + uint32_t bios_type = bios_data->flags.bits.mle.platform_type; +@@ -713,7 +714,7 @@ + + /* is it a valid SINIT module? */ + if ( !is_sinit_acmod(sinit_region_base, bios_data->bios_sinit_size, false) || +- !does_acmod_match_platform((acm_hdr_t *)sinit_region_base) ) ++ !does_acmod_match_platform((acm_hdr_t *)sinit_region_base, NULL) ) + return NULL; + + return (acm_hdr_t *)sinit_region_base; +diff -r 9cda8c127b0a -r 9c625ab2035b utils/txt-acminfo.c +--- a/utils/txt-acminfo.c Wed Mar 09 15:53:24 2022 +0100 ++++ b/utils/txt-acminfo.c Thu Mar 10 10:28:11 2022 +0200 +@@ -203,15 +203,31 @@ + close(fd_mem); + return false; + } +- else { +- if ( does_acmod_match_platform(hdr) ) +- printf("ACM matches platform\n"); +- else +- printf("ACM does not match platform\n"); + ++ uint64_t txt_heap_size = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_SIZE); ++ if (txt_heap_size == 0) { ++ printf("ERROR: No TXT heap is available\n"); + munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); ++ close(fd_mem); ++ return false; + } + ++ uint64_t txt_heap_base = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_BASE); ++ txt_heap_t *txt_heap = mmap(NULL, txt_heap_size, PROT_READ, MAP_PRIVATE, ++ fd_mem, txt_heap_base); ++ if ( txt_heap == MAP_FAILED ) { ++ printf("ERROR: cannot map TXT heap by mmap()\n"); ++ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); ++ close(fd_mem); ++ return false; ++ } ++ if ( does_acmod_match_platform(hdr, txt_heap) ) ++ printf("ACM matches platform\n"); ++ else ++ printf("ACM does not match platform\n"); ++ ++ munmap(txt_heap, txt_heap_size); ++ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE); + close(fd_mem); + return true; + } diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec new file mode 100644 index 0000000..cdaa802 --- /dev/null +++ b/SPECS/tboot.spec @@ -0,0 +1,280 @@ +Summary: Performs a verified launch using Intel TXT +Name: tboot +Version: 1.10.5 +Release: 2%{?dist} +Epoch: 1 + +License: BSD +URL: http://sourceforge.net/projects/tboot/ +Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz + +Patch01: 0001-fix-typo-in-lcp2_crtpollist-manpage.patch +Patch02: 0002-check-for-client-server-match.patch + +BuildRequires: make +BuildRequires: gcc +BuildRequires: perl +BuildRequires: openssl-devel +BuildRequires: zlib-devel +ExclusiveArch: %{ix86} x86_64 +Requires: grub2-efi-x64-modules + +%description +Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses +Intel Trusted Execution Technology (Intel TXT) to perform a measured +and verified launch of an OS kernel/VMM. + +%prep +%autosetup -p1 -n %{name}-%{version} + +%build +CFLAGS="%{optflags}"; export CFLAGS +LDFLAGS="%{build_ldflags}"; export LDFLAGS +make debug=y %{?_smp_mflags} + +%post +# Rmove the grub efi modules if they had been placed in the wrong directory by +# a previous install. +[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi +# create the tboot grub entry +grub2-mkconfig -o /boot/grub2/grub.cfg + +# For EFI based machines ... +if [ -d /sys/firmware/efi ]; then + echo "EFI detected .." + [ -d /boot/grub2/x86_64-efi ] || mkdir -pv /boot/grub2/x86_64-efi + cp -vf /usr/lib/grub/x86_64-efi/relocator.mod /boot/grub2/x86_64-efi/ + cp -vf /usr/lib/grub/x86_64-efi/multiboot2.mod /boot/grub2/x86_64-efi/ + + # If there were a previous install of tboot that overwrote the + # originally installed /boot/efi/EFI/redhat/grub.cfg stub, then + # recreate it. + if grep -q -m1 tboot /boot/efi/EFI/redhat/grub.cfg; then +cat << EOF > /boot/efi/EFI/redhat/grub.cfg +search --no-floppy --fs-uuid --set=dev \ + $(lsblk -no UUID $(df -P /boot/grub2 | awk 'END{print $1}')) +set prefix=(\$dev)/grub2 +export \$prefix +configfile \$prefix/grub.cfg +EOF + chown root:root /boot/efi/EFI/redhat/grub.cfg + chmod u=rwx,go= /boot/efi/EFI/redhat/grub.cfg + fi +fi + +%postun +# Remove residual grub efi modules. +[ -d /boot/grub2/x86_64-efi ] && rm -rf /boot/grub2/x86_64-efi +[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi +grub2-mkconfig -o /etc/grub2.cfg + +%install +make debug=y DISTDIR=$RPM_BUILD_ROOT install + +%files +%doc README.md COPYING docs/* lcptools-v2/lcptools.txt +%config %{_sysconfdir}/grub.d/20_linux_tboot +%config %{_sysconfdir}/grub.d/20_linux_xen_tboot +%{_sbindir}/txt-acminfo +%{_sbindir}/lcp2_crtpol +%{_sbindir}/lcp2_crtpolelt +%{_sbindir}/lcp2_crtpollist +%{_sbindir}/lcp2_mlehash +%{_sbindir}/txt-parse_err +%{_sbindir}/tb_polgen +%{_sbindir}/txt-stat +%{_mandir}/man8/txt-acminfo.8.gz +%{_mandir}/man8/tb_polgen.8.gz +%{_mandir}/man8/txt-stat.8.gz +%{_mandir}/man8/lcp2_crtpol.8.gz +%{_mandir}/man8/lcp2_crtpolelt.8.gz +%{_mandir}/man8/lcp2_crtpollist.8.gz +%{_mandir}/man8/lcp2_mlehash.8.gz +%{_mandir}/man8/txt-parse_err.8.gz +/boot/tboot.gz +/boot/tboot-syms + +%changelog +* Thu Aug 18 2022 Tony Camuso - 1:1.10.5-2 +- The install scriptlet in %post was choosing the first grub.cfg + file it encountered, which was /boot/efi/EFI/redhat/grub.cfg. + This is a stub that defines grub boot disk UUID necessary for + proper grubenv setup, and it must not be overwritten or changed. + Modify the scriptlet to target /boot/grub2/grub.cfg + Additionally, remove any wrongly created /boot/grub2/x86_64-efi + directory and recreate the correct /boot/efi/EFI/redhat/grub.cfg + stub file. + Added a %postun section to cleanup when removing tboot with + dnf erase. + Thanks to Lenny Szubowicz for the bash code to recreate the + /boot/efi/EFI/redhat/grub.cfg stub file. + Resolves: rhbz#2112236 + +* Wed May 04 2022 Tony Camuso - 1:1.10.5-1 +- Upgrade to tboot-1.10.5-1 for fixes and updates. +- Added a Requires line to install grub2-efi-x64-modules +- Added a scriptlet to the tboot.spec file to automatically install + grub2-efi-x64-modules and move them to the correct directory. +- Removed three patches that are no longer needed. +- Added two patches from upstream, one for a fix, the other cosemetic. +- Resolves: rhbz#2041766 + Resolves: rhbz#2040083 + +* Thu Sep 30 2021 Tony Camuso - 1:1.10.2-6 +- Use sha256 as default hashing algorithm + Resolves: rhbz#1935448 + +* Tue Aug 10 2021 Mohan Boddu - 1:1.10.2-5 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jul 28 2021 Tony Camuso - 1:1.10.2-4 +- From Miroslave Vadkerti: + Onboarding tests to RHEL9 in BaseOS CI requires action, adding + test configuration in our "dispatcher" configuration for RHEL9: + https://gitlab.cee.redhat.com/baseos-qe/citool-config/blob/production/brew-dispatcher-rhel9.yaml + Test config was added for tboot in the following MR. + https://gitlab.cee.redhat.com/baseos-qe/citool-config/-/merge_requests/2686 + Resolves: rhbz#1922002 + +* Tue Jul 27 2021 Tony Camuso - 1:1.10.2-3 +- Add the %{optflags} and %{build_ldflags} macros to assure the + build meets RHEL security requirements. + Resolves: rhbz#1922002 + +* Thu Jul 22 2021 Tony Camuso - 1:1.10.2-2 +- Bump the NVR as a result of including the gating.yaml file in + the git repo. + Resolves: rhbz#1922002 + +* Mon Jun 21 2021 Tony Camuso - 1:1.10.2-1 +- The patches are for SSL3 compatibility. These can probably be + removed when upstream tboot fully implements SSL3. +- Upgrade to latest upstream. +- Remove trousers dependency. + Resolves: rhbz#1922002 + Resolves: rhbz#1870520 + Resolves: rhbz#1927374 + +* Wed Jun 16 2021 Mohan Boddu - 1:1.9.11-9 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Thu May 27 2021 Tony Camuso - 1:1.9.11-8 +- Add -Wno-error=deprecated-declarations to the Config.mk patch + Resolves: rhbz#1958031 + +* Fri Apr 16 2021 Mohan Boddu - 1:1.9.11-7 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Wed Jan 27 2021 Fedora Release Engineering - 1:1.9.11-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Oct 30 2020 Jeff Law - 1:1.9.11-5 +- Re-enable -Wstringop-overflow and instead make the problematical + pointer volatile to avoid the false positive diagnostic + +* Thu Oct 29 2020 Jeff Law - 1:1.9.11-4 +- Fix buglet exposed by gcc-11 -Warray-parameter +- Temporarily disable -Wstringop-overflow due to false positive in gcc-11 + +* Wed Jul 29 2020 Jeff Law - 1:1.9.11-3 +- Explicitly allow uninitialized variables in a few places that do it +- on purpose + +* Wed Jul 29 2020 Fedora Release Engineering - 1:1.9.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sun Apr 19 2020 Filipe Rosset - 1:1.9.11-1 +- Update to 1.9.11 + +* Fri Jan 31 2020 Fedora Release Engineering - 1:1.9.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sat Jul 27 2019 Fedora Release Engineering - 1:1.9.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue May 14 2019 Yunying Sun - 1:1.9.10-1 +- Add patch to fix package build error +- Add build dependency to zlib-devel +- Update to latest release 1.9.10 + +* Sun Feb 03 2019 Fedora Release Engineering - 1:1.9.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Oct 31 2018 Yunying Sun - 1:1.9.8-1 +- Updated to upstream 1.9.8 release + +* Tue Sep 4 2018 Yunying Sun - 1:1.9.7-1 +- Updated to upstream 1.9.7 release +- Removed the patch for openssl 1.1 as it is included in 1.9.7 already + +* Sat Jul 14 2018 Fedora Release Engineering - 1:1.9.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Feb 06 2018 Tomáš Mráz - 1:1.9.6-2 +- Patch to build with OpenSSL-1.1.x + +* Sun Feb 04 2018 Filipe Rosset - 1:1.9.6-1 +- Upgrade to latest upstream version + +* Thu Aug 03 2017 Fedora Release Engineering - 1:1.8.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1:1.8.2-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 1:1.8.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Feb 05 2016 Fedora Release Engineering - 1:1.8.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jun 19 2015 Fedora Release Engineering - 1:1.8.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Aug 18 2014 Fedora Release Engineering - 1:1.8.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jul 30 2014 Gang Wei - 1:1.8.2-1 +- Upgrade to latest upstream version which provided security fix for: + tboot:argument measurement vulnerablity for GRUB2+ELF kernels + +* Wed Jun 18 2014 Gang Wei - 1:1.8.1-1 +- Upgrade to latest upstream version + +* Sun Jun 08 2014 Fedora Release Engineering - 1:1.7.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun Aug 04 2013 Fedora Release Engineering - 1:1.7.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Apr 02 2013 Gang Wei - 1:1.7.3-3 +- Fix for breaking grub2-mkconfig operation in 32bit case(#929384) + +* Wed Feb 20 2013 Gang Wei - 1:1.7.3-2 +- Fix version string in log + +* Wed Jan 30 2013 David Cantrell - 1:1.7.3-1 +- Upgrade to latest upstream version (#902653) + +* Wed Aug 22 2012 Gang Wei - 1:1.7.0-2 +- Fix build error with zlib 1.2.7 + +* Sat Jul 21 2012 Fedora Release Engineering - 1:1.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sun Jan 15 2012 Gang Wei - 1:1.7.0 +- 1.7.0 release + +* Sat Jan 14 2012 Fedora Release Engineering - 20110429-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Apr 29 2011 Gang Wei - 20110429-1 +- Pull upstream changeset 255, rebuilt in F15 + +* Wed Feb 09 2011 Fedora Release Engineering - 20101005-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Dec 1 2010 Joseph Cihula - 20101005-1.fc13 +- Initial import