Compare commits

...

No commits in common. 'i8c' and 'c9' have entirely different histories.
i8c ... c9

2
.gitignore vendored

@ -1 +1 @@
SOURCES/tboot-1.10.5.tar.gz SOURCES/tboot-1.11.3.tar.gz

@ -1 +1 @@
687bb5c0453b0256d64c8b1aa538a49703f9737a SOURCES/tboot-1.10.5.tar.gz ea8af2a58cc0a1a5339478aef0f89fda100f7d1c SOURCES/tboot-1.11.3.tar.gz

@ -1,20 +0,0 @@
# HG changeset patch
# User Pawel Randzio <pawel.randzio@intel.com>
# Date 1646837604 -3600
# Wed Mar 09 15:53:24 2022 +0100
# Node ID 9cda8c127b0a7bb11561befbaa9ecf1130763fcf
# Parent 5941842afb661f0e78085cb1317781d362583a38
Fixed a typo in man page for lcp2_crtpollist
diff -r 5941842afb66 -r 9cda8c127b0a docs/man/lcp2_crtpollist.8
--- a/docs/man/lcp2_crtpollist.8 Fri Mar 04 11:14:35 2022 +0100
+++ b/docs/man/lcp2_crtpollist.8 Wed Mar 09 15:53:24 2022 +0100
@@ -36,7 +36,7 @@
support rsapss and ecdsa.
.TP \w'\fB--hashalg\ \fI<sha1|sha256|sha384|sha512|sm2>\fP'u+1n
\fB--hashalg\ \fI<sha1|sha256|sha384|sha512|sm2>\fP
-Hash algorightm used for signing a list. Lists version 0x100 only support SHA1.
+Hash algorithm used for signing a list. Lists version 0x100 only support SHA1.
.TP
\fB--pub\ \fIfile\fP
Public key to use, must be in PEM format.

@ -1,133 +0,0 @@
# HG changeset patch
# User Timo Lindfors <timo.lindfors@iki.fi>
# Date 1646900891 -7200
# Thu Mar 10 10:28:11 2022 +0200
# Node ID 9c625ab2035bae1fc38787025f74d2937600223b
# Parent 9cda8c127b0a7bb11561befbaa9ecf1130763fcf
txt-acminfo: Map TXT heap using mmap
Without this patch
txt-acminfo 5th_gen_i5_i7_SINIT_79.BIN
segfaults. This issue was introduced in
o changeset: 627:d8a8e17f6d41
| user: Lukasz Hawrylko <lukas...@in...>
| date: Thu May 13 16:04:27 2021 +0200
| summary: Check for client/server match when selecting SINIT
Signed-off-by: Timo Lindfors <timo.lindfors@iki.fi>
diff -r 9cda8c127b0a -r 9c625ab2035b tboot/common/loader.c
--- a/tboot/common/loader.c Wed Mar 09 15:53:24 2022 +0100
+++ b/tboot/common/loader.c Thu Mar 10 10:28:11 2022 +0200
@@ -1792,7 +1792,7 @@
void *base2 = (void *)m->mod_start;
uint32_t size2 = m->mod_end - (unsigned long)(base2);
if ( is_racm_acmod(base2, size2, false) &&
- does_acmod_match_platform((acm_hdr_t *)base2) ) {
+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) {
if ( base != NULL )
*base = base2;
if ( size != NULL )
@@ -1837,7 +1837,7 @@
void *base2 = (void *)m->mod_start;
uint32_t size2 = m->mod_end - (unsigned long)(base2);
if ( is_sinit_acmod(base2, size2, false) &&
- does_acmod_match_platform((acm_hdr_t *)base2) ) {
+ does_acmod_match_platform((acm_hdr_t *)base2, NULL) ) {
if ( base != NULL )
*base = base2;
if ( size != NULL )
diff -r 9cda8c127b0a -r 9c625ab2035b tboot/include/txt/acmod.h
--- a/tboot/include/txt/acmod.h Wed Mar 09 15:53:24 2022 +0100
+++ b/tboot/include/txt/acmod.h Thu Mar 10 10:28:11 2022 +0200
@@ -37,6 +37,8 @@
#ifndef __TXT_ACMOD_H__
#define __TXT_ACMOD_H__
+typedef void txt_heap_t;
+
/*
* authenticated code (AC) module header (ver 0.0)
*/
@@ -179,7 +181,7 @@
extern acm_hdr_t *copy_racm(const acm_hdr_t *racm);
extern bool verify_racm(const acm_hdr_t *acm_hdr);
extern bool is_sinit_acmod(const void *acmod_base, uint32_t acmod_size, bool quiet);
-extern bool does_acmod_match_platform(const acm_hdr_t* hdr);
+extern bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t* txt_heap);
extern acm_hdr_t *copy_sinit(const acm_hdr_t *sinit);
extern bool verify_acmod(const acm_hdr_t *acm_hdr);
extern uint32_t get_supported_os_sinit_data_ver(const acm_hdr_t* hdr);
diff -r 9cda8c127b0a -r 9c625ab2035b tboot/txt/acmod.c
--- a/tboot/txt/acmod.c Wed Mar 09 15:53:24 2022 +0100
+++ b/tboot/txt/acmod.c Thu Mar 10 10:28:11 2022 +0200
@@ -576,7 +576,7 @@
return true;
}
-bool does_acmod_match_platform(const acm_hdr_t* hdr)
+bool does_acmod_match_platform(const acm_hdr_t* hdr, const txt_heap_t *txt_heap)
{
/* used to ensure we don't print chipset/proc info for each module */
static bool printed_host_info;
@@ -587,7 +587,8 @@
return false;
/* verify client/server platform match */
- txt_heap_t *txt_heap = get_txt_heap();
+ if (txt_heap == NULL)
+ txt_heap = get_txt_heap();
bios_data_t *bios_data = get_bios_data_start(txt_heap);
if (info_table->version >= 5 && bios_data->version >= 6) {
uint32_t bios_type = bios_data->flags.bits.mle.platform_type;
@@ -713,7 +714,7 @@
/* is it a valid SINIT module? */
if ( !is_sinit_acmod(sinit_region_base, bios_data->bios_sinit_size, false) ||
- !does_acmod_match_platform((acm_hdr_t *)sinit_region_base) )
+ !does_acmod_match_platform((acm_hdr_t *)sinit_region_base, NULL) )
return NULL;
return (acm_hdr_t *)sinit_region_base;
diff -r 9cda8c127b0a -r 9c625ab2035b utils/txt-acminfo.c
--- a/utils/txt-acminfo.c Wed Mar 09 15:53:24 2022 +0100
+++ b/utils/txt-acminfo.c Thu Mar 10 10:28:11 2022 +0200
@@ -203,15 +203,31 @@
close(fd_mem);
return false;
}
- else {
- if ( does_acmod_match_platform(hdr) )
- printf("ACM matches platform\n");
- else
- printf("ACM does not match platform\n");
+ uint64_t txt_heap_size = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_SIZE);
+ if (txt_heap_size == 0) {
+ printf("ERROR: No TXT heap is available\n");
munmap(pub_config_base, TXT_CONFIG_REGS_SIZE);
+ close(fd_mem);
+ return false;
}
+ uint64_t txt_heap_base = *(volatile uint64_t *)(pub_config_base + TXTCR_HEAP_BASE);
+ txt_heap_t *txt_heap = mmap(NULL, txt_heap_size, PROT_READ, MAP_PRIVATE,
+ fd_mem, txt_heap_base);
+ if ( txt_heap == MAP_FAILED ) {
+ printf("ERROR: cannot map TXT heap by mmap()\n");
+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE);
+ close(fd_mem);
+ return false;
+ }
+ if ( does_acmod_match_platform(hdr, txt_heap) )
+ printf("ACM matches platform\n");
+ else
+ printf("ACM does not match platform\n");
+
+ munmap(txt_heap, txt_heap_size);
+ munmap(pub_config_base, TXT_CONFIG_REGS_SIZE);
close(fd_mem);
return true;
}

@ -1,74 +1,71 @@
Summary: Performs a verified launch using Intel TXT Summary: Performs a verified launch using Intel TXT
Name: tboot Name: tboot
Version: 1.10.5 Version: 1.11.3
Release: 2%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
Group: System Environment/Base
License: BSD License: BSD
URL: http://sourceforge.net/projects/tboot/ URL: http://sourceforge.net/projects/tboot/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
BuildRequires: make
BuildRequires: gcc
BuildRequires: perl
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: perl BuildRequires: zlib-devel
ExclusiveArch: %{ix86} x86_64 ExclusiveArch: %{ix86} x86_64
Requires: grub2-efi-x64-modules Requires: grub2-efi-x64-modules
Patch01: 0001-fix-typo-in-lcp2_crtpollist-manpage.patch
Patch02: 0002-check-for-client-server-match.patch
%description %description
Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses Trusted Boot (tboot) is an open source, pre-kernel/VMM module that uses
Intel Trusted Execution Technology (Intel TXT) to perform a measured Intel Trusted Execution Technology (Intel TXT) to perform a measured
and verified launch of an OS kernel/VMM. and verified launch of an OS kernel/VMM.
%prep %prep
%autosetup -S git %autosetup -p1 -n %{name}-%{version}
# do not override OPTFLAGS
sed -i -e 's/-march=i686//' Config.mk
%build %build
CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS CFLAGS="%{optflags}"; export CFLAGS
LDFLAGS="$RPM_LD_FLAGS"; export LDFLAGS LDFLAGS="%{build_ldflags}"; export LDFLAGS
make debug=y %{?_smp_mflags} make debug=y %{?_smp_mflags}
%post %post
# create the tboot entry and copy the modules to the grubenvdir # Rmove the grub efi modules if they had been placed in the wrong directory by
grublib='/usr/lib/grub/x86_64-efi/' # a previous install.
[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi
# create the tboot grub entry
grub2-mkconfig -o /boot/grub2/grub.cfg
# For EFI based machines ...
if [ -d /sys/firmware/efi ]; then if [ -d /sys/firmware/efi ]; then
echo "EFI detected .." echo "EFI detected .."
grubenvdir='/boot/efi/EFI/redhat' [ -d /boot/grub2/x86_64-efi ] || mkdir -pv /boot/grub2/x86_64-efi
else cp -vf /usr/lib/grub/x86_64-efi/relocator.mod /boot/grub2/x86_64-efi/
echo "Legacy BIOS detected .." cp -vf /usr/lib/grub/x86_64-efi/multiboot2.mod /boot/grub2/x86_64-efi/
grubenvdir='/boot/grub2'
# If previous install put the modules in the wrong dir # If there were a previous install of tboot that overwrote the
[ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi # originally installed /boot/efi/EFI/redhat/grub.cfg stub, then
# recreate it.
if grep -q -m1 tboot /boot/efi/EFI/redhat/grub.cfg; then
cat << EOF > /boot/efi/EFI/redhat/grub.cfg
search --no-floppy --fs-uuid --set=dev \
$(lsblk -no UUID $(df -P /boot/grub2 | awk 'END{print $1}'))
set prefix=(\$dev)/grub2
export \$prefix
configfile \$prefix/grub.cfg
EOF
chown root:root /boot/efi/EFI/redhat/grub.cfg
chmod u=rwx,go= /boot/efi/EFI/redhat/grub.cfg
fi
fi fi
grub2-mkconfig -o $grubenvdir/grub.cfg
[ -d $grubenvdir/x86_64-efi ] || mkdir -pv $grubenvdir/x86_64-efi
cp -vf $grublib/relocator.mod $grubenvdir/x86_64-efi/
cp -vf $grublib/multiboot2.mod $grubenvdir/x86_64-efi/
%postun %postun
# Cleanup all tboot files
# Remove residual grub efi modules. # Remove residual grub efi modules.
if [ -d /sys/firmware/efi ]; then [ -d /boot/grub2/x86_64-efi ] && rm -rf /boot/grub2/x86_64-efi
echo "EFI detected .." [ -d /boot/efi/EFI/redhat/x86_64-efi ] && rm -rf /boot/efi/EFI/redhat/x86_64-efi
grubenvdir='/boot/efi/EFI/redhat' grub2-mkconfig -o /etc/grub2.cfg
else
echo "Legacy BIOS detected .."
grubenvdir='/boot/grub2'
fi
[ -d $grubenvdir/x86_64-efi ] && rm -rf $grubenvdir/x86_64-efi
grub2-mkconfig -o $grubenvdir/grub.cfg
%install %install
echo "installing tboot"
make debug=y DISTDIR=$RPM_BUILD_ROOT install make debug=y DISTDIR=$RPM_BUILD_ROOT install
%files %files
@ -95,87 +92,134 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install
/boot/tboot-syms /boot/tboot-syms
%changelog %changelog
* Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1:1.10.5-2 * Thu Apr 25 2024 Tony Camuso <tcamuso@redhat.com> - 1:1.11.3-1
- Rebuilt for MSVSphere 8.8 Rebase to upstream 1.11.3 and bump the NVR.
Resolves: RHEL-34941
* Fri Aug 26 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-2
- The install scriptlet in %post was not choosing the correct * Wed Nov 08 2023 Tony Camuso <tcamuso@redhat.com> - 1:1.11.1-2
grubenv directory. In RHEL8, the efi and legacy bios grubenv - Rebase to upstream 1.11.2 and bump the NVR.
directories are different. This change assures that the Resolves: RHEL-16022
correct directory is used for grub.cfg and related modules.
* Wed Apr 12 2023 Tony Camuso <tcamuso@redhat.com> - 1:1.11.1-1
- Backport upstream fixes and updates.
Resolves: rhbz#2186308
* Thu Aug 18 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-2
- The install scriptlet in %post was choosing the first grub.cfg
file it encountered, which was /boot/efi/EFI/redhat/grub.cfg.
This is a stub that defines grub boot disk UUID necessary for
proper grubenv setup, and it must not be overwritten or changed.
Modify the scriptlet to target /boot/grub2/grub.cfg
Additionally, remove any wrongly created /boot/grub2/x86_64-efi
directory and recreate the correct /boot/efi/EFI/redhat/grub.cfg
stub file.
Added a %postun section to cleanup when removing tboot with Added a %postun section to cleanup when removing tboot with
dnf erase. dnf erase.
Resolves: rhbz#2121836 Thanks to Lenny Szubowicz for the bash code to recreate the
/boot/efi/EFI/redhat/grub.cfg stub file.
* Wed Apr 20 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-1 Resolves: rhbz#2112236
Upgrade to tboot-1.10.5-1 for fixes and updates.
Added a scriptlet to the tboot.spec file to automatically install * Wed May 04 2022 Tony Camuso <tcamuso@redhat.com> - 1:1.10.5-1
- Upgrade to tboot-1.10.5-1 for fixes and updates.
- Added a Requires line to install grub2-efi-x64-modules
- Added a scriptlet to the tboot.spec file to automatically install
grub2-efi-x64-modules and move them to the correct directory. grub2-efi-x64-modules and move them to the correct directory.
Resolves: rhbz#2040082 - Removed three patches that are no longer needed.
Resolves: rhbz#2041759 - Added two patches from upstream, one for a fix, the other cosemetic.
- Resolves: rhbz#2041766
* Thu Jun 10 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.1-1 Resolves: rhbz#2040083
Upgrade to tboot-1.10.2-1 provides some bug fixes and updates.
Remove 0001-Do-not-install-man-pages-for-deprecated-tools.patch * Thu Sep 30 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-6
from the git repo, since it is no longer needed. - Use sha256 as default hashing algorithm
Resolves: rhbz#1857068 Resolves: rhbz#1935448
Resolves: rhbz#1873296
Resolves: rhbz#1920386 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.10.2-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
* Mon Feb 22 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.0-1 Related: rhbz#1991688
Need to add BuildRequires: perl, since it has beem moved
from BuildRoot. * Wed Jul 28 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-4
See: https://fedoraproject.org/wiki/Packaging:Perl#Build_Dependencies - From Miroslave Vadkerti:
Resolves: rhbz#1857068 Onboarding tests to RHEL9 in BaseOS CI requires action, adding
test configuration in our "dispatcher" configuration for RHEL9:
* Mon Feb 22 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.0-1 https://gitlab.cee.redhat.com/baseos-qe/citool-config/blob/production/brew-dispatcher-rhel9.yaml
Build problem creating directory for grub modules. We can't Test config was added for tboot in the following MR.
know if the modules are there, so it's up to the end user to https://gitlab.cee.redhat.com/baseos-qe/citool-config/-/merge_requests/2686
find the modules and copy them to the correct location. Resolves: rhbz#1922002
Specifically, for systems booting from EFI, the
/boot/efi/EFI/redhat/x86_64-efi/multiboot2.mod file, if it * Tue Jul 27 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-3
exists, must be copied to the /boot/efi/EFI/redhat/x86_64-efi/ - Add the %{optflags} and %{build_ldflags} macros to assure the
directory. If that file does not exist, then the system has build meets RHEL security requirements.
the wrong version of grub for using tboot in an EFI system. Resolves: rhbz#1922002
Resolves: rhbz#1857068
* Thu Jul 22 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-2
* Fri Dec 11 2020 Tony Camuso <tcamuso@redhat.com> - 1:1.10.0-0 - Bump the NVR as a result of including the gating.yaml file in
Upgrade to latest upstream version the git repo.
Added upstream patch to remove deprecated man pages Resolves: rhbz#1922002
Resolves: rhbz#1857068
* Mon Jun 21 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.10.2-1
* Tue Jun 23 2020 Tony Camuso <tcamuso@redhat.com> - 1:1.9.12-2 - The patches are for SSL3 compatibility. These can probably be
- Fix build issues with one upstream patch. removed when upstream tboot fully implements SSL3.
This patch also reverts the previous patch concerning the - Upgrade to latest upstream.
-Wno-address-of-packed-member cflag. - Remove trousers dependency.
Resolves: rhbz#1847938 Resolves: rhbz#1922002
Resolves: rhbz#1870520
* Fri Jun 12 2020 Tony Camuso <tcamuso@redhat.com> - 1:1.9.12-1 Resolves: rhbz#1927374
- Add patch to revert "Disable GCC9 address-of-packed-member warning"
While it was able to build locally with 'rhpkg local', the brew * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.9.11-9
build failed, because the compiler on the brew systems did not - Rebuilt for RHEL 9 BETA for openssl 3.0
recognized the new GCC9 command line flag: Related: rhbz#1971065
-Wno-address-of-packed-member
* Thu May 27 2021 Tony Camuso <tcamuso@redhat.com> - 1:1.9.11-8
* Fri May 29 2020 Tony Camuso <tcamuso@redhat.com> - 1:1.9.12-1 - Add -Wno-error=deprecated-declarations to the Config.mk patch
- Upgrade to latest upstream version Resolves: rhbz#1958031
Resolves: rhbz#1790169
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.9.11-7
* Fri Nov 15 2019 Tony Camuso <tcamuso@redhat.com> - 1:1.9.10-1 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
- Rebase to the lastest upstream version.
Resolves: rhbz#1725661 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.11-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Sep 7 2018 Tony Camuso <tcamuso@redhat.com> - 1:1.9.7-1
- Rebase to the latest upstream version. * Fri Oct 30 2020 Jeff Law <law@redhat.com> - 1:1.9.11-5
Resolves: rhbz#1511799 - Re-enable -Wstringop-overflow and instead make the problematical
- Do not override OPTFLAGS in the make pointer volatile to avoid the false positive diagnostic
Resolves: rhbz#1620070
* Thu Oct 29 2020 Jeff Law <law@redhat.com> - 1:1.9.11-4
* Fri Jul 20 2018 Tony Camuso <tcamuso@redhat.com> - 1:1.9.6-3 - Fix buglet exposed by gcc-11 -Warray-parameter
- Incorporate latest upstream patches, including a newer version - Temporarily disable -Wstringop-overflow due to false positive in gcc-11
of the OpenSSL patch in 1.9.6-2
Resolves: rhbz#1492771 * Wed Jul 29 2020 Jeff Law <law@redhat.com> - 1:1.9.11-3
Resolves: rhbz#1499435 - Explicitly allow uninitialized variables in a few places that do it
- on purpose
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun Apr 19 2020 Filipe Rosset <rosset.filipe@gmail.com> - 1:1.9.11-1
- Update to 1.9.11
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue May 14 2019 Yunying Sun <yunying.sun@intel.com> - 1:1.9.10-1
- Add patch to fix package build error
- Add build dependency to zlib-devel
- Update to latest release 1.9.10
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Oct 31 2018 Yunying Sun <yunying.sun@intel.com> - 1:1.9.8-1
- Updated to upstream 1.9.8 release
* Tue Sep 4 2018 Yunying Sun <yunying.sun@intel.com> - 1:1.9.7-1
- Updated to upstream 1.9.7 release
- Removed the patch for openssl 1.1 as it is included in 1.9.7 already
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.9.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Feb 06 2018 Tomáš Mráz <tmraz@redhat.com> - 1:1.9.6-2 * Tue Feb 06 2018 Tomáš Mráz <tmraz@redhat.com> - 1:1.9.6-2
- Patch to build with OpenSSL-1.1.x - Patch to build with OpenSSL-1.1.x

Loading…
Cancel
Save