rpms
/
tpm2-tools
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i10c-beta
rpms:c10-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i9c
rpms:c9
rpms:i8c
rpms:c8
...
pull from: rpms:i10cs
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i10c-beta
rpms:c10-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i9c
rpms:c9
rpms:i8c
rpms:c8

No commits in common. 'c9' and 'i10cs' have entirely different histories.
c9 ... i10cs

33 changed files with 82 additions and 9976 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/tpm2-tools-5.2.tar.gz
SOURCES/tpm2-tools-5.7.tar.gz

2
.tpm2-tools.metadata
Unescape View File

@ -1 +1 @@
00dc3b052d3b4ea44aeda95a9b3a6809ee471358 SOURCES/tpm2-tools-5.2.tar.gz
5a3462dc3f1ad234ac487ec4e996a37c99f86bce SOURCES/tpm2-tools-5.7.tar.gz

62
SOURCES/0001-Fix-nv_readpublic.patch
Unescape View File

@ -1,62 +0,0 @@
From 4dffb4295392f69f00003b2879f60bd36076f22d Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Tue, 7 Dec 2021 13:21:58 -0700
Subject: [PATCH 01/17] Fix nv_readpublic
Based on 4af3e6b4 tpm2_nvreadpublic: Add option to output cpHash
---
lib/tpm2.c | 11 +++++++++--
lib/tpm2_nv_util.h | 14 +-------------
2 files changed, 10 insertions(+), 15 deletions(-)
diff --git a/lib/tpm2.c b/lib/tpm2.c
index 4ee27c8c..d91072ae 100644
--- a/lib/tpm2.c
+++ b/lib/tpm2.c
@@ -101,9 +101,16 @@ tool_rc tpm2_close(ESYS_CONTEXT *esys_context, ESYS_TR *rsrc_handle) {
tool_rc tpm2_nv_readpublic(ESYS_CONTEXT *esys_context, ESYS_TR nv_index,
TPM2B_NV_PUBLIC **nv_public, TPM2B_NAME **nv_name) {
- TSS2_RC rval = Esys_NV_ReadPublic(esys_context, nv_index,
- ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, nv_public, nv_name);
+ ESYS_TR esys_tr_nv_index;
+ TSS2_RC rval = Esys_TR_FromTPMPublic(esys_context, nv_index, ESYS_TR_NONE,
+ ESYS_TR_NONE, ESYS_TR_NONE, &esys_tr_nv_index);
+ if (rval != TPM2_RC_SUCCESS) {
+ LOG_PERR(Esys_TR_FromTPMPublic, rval);
+ return tool_rc_from_tpm(rval);
+ }
+ rval = Esys_NV_ReadPublic(esys_context, esys_tr_nv_index,
+ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, nv_public, nv_name);
if (rval != TSS2_RC_SUCCESS) {
LOG_PERR(Esys_NV_ReadPublic, rval);
return tool_rc_from_tpm(rval);
diff --git a/lib/tpm2_nv_util.h b/lib/tpm2_nv_util.h
index 99843156..daf8b624 100644
--- a/lib/tpm2_nv_util.h
+++ b/lib/tpm2_nv_util.h
@@ -28,19 +28,7 @@
static inline tool_rc tpm2_util_nv_read_public(ESYS_CONTEXT *context,
TPMI_RH_NV_INDEX nv_index, TPM2B_NV_PUBLIC **nv_public) {
- ESYS_TR tr_object;
- tool_rc rc = tpm2_from_tpm_public(context, nv_index, ESYS_TR_NONE,
- ESYS_TR_NONE, ESYS_TR_NONE, &tr_object);
- if (rc != tool_rc_success) {
- return rc;
- }
-
- rc = tpm2_nv_readpublic(context, tr_object, nv_public, NULL);
- tool_rc tmp_rc = tpm2_close(context, &tr_object);
- if (tmp_rc != tool_rc_success) {
- rc = tmp_rc;
- }
- return rc;
+ return tpm2_nv_readpublic(context, nv_index, nv_public, 0);
}
/**
--
2.40.1

26
SOURCES/0001-lib-tpm2_eventlog_yaml-use-char16_t-for-UEFI-charact.patch
Unescape View File

@ -1,26 +0,0 @@
From 4351d850bb664941f88463229758171c2603080a Mon Sep 17 00:00:00 2001
From: Erik Larsson <who+github@cnackers.org>
Date: Mon, 4 Oct 2021 10:21:49 +0200
Subject: [PATCH 1/9] lib/tpm2_eventlog_yaml: use char16_t for UEFI characters
Signed-off-by: Erik Larsson <who+github@cnackers.org>
---
lib/tpm2_eventlog_yaml.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
index 6e6923e5..9b048db1 100644
--- a/lib/tpm2_eventlog_yaml.c
+++ b/lib/tpm2_eventlog_yaml.c
@@ -475,7 +475,7 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
tpm2_tool_output(" Description: \"");
int i;
for (i = 0; (wchar_t)loadopt->Description[i] != 0; i++) {
- wchar_t c = (wchar_t)loadopt->Description[i];
+ char16_t c = (char16_t)loadopt->Description[i];
tpm2_tool_output("%lc", c);
}
tpm2_tool_output("\"\n");
--
2.37.3

34
SOURCES/0001-testparms-fix-condition-for-negative-test.patch
Unescape View File

@ -1,34 +0,0 @@
From 0789bf264a108c4718875a050d00b1fdee4478b7 Mon Sep 17 00:00:00 2001
From: Jonas Witschel <git@diabonas.de>
Date: Wed, 29 Sep 2021 17:08:07 +0200
Subject: [PATCH] testparms: fix condition for negative test
Content-type: text/plain
Commit e858dec76686bb4c42e74e0984b433231e530f93 ("testparms: ensure curve not
supported before negative test") is supposed to ensure that the negative test
is run only if ecc521 is *not* supported, but instead it runs the negative test
if ecc521 is *available*. This worked anyway for libtpms < 0.9.0 because camellia
was not supported, but since libtpms 0.9.0 added support for this algorithm, the
test suite fails now with swtpm.
Signed-off-by: Jonas Witschel <git@diabonas.de>
---
test/integration/tests/testparms.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/integration/tests/testparms.sh b/test/integration/tests/testparms.sh
index 8c3548e58f39..a587a60a34cf 100644
--- a/test/integration/tests/testparms.sh
+++ b/test/integration/tests/testparms.sh
@@ -63,7 +63,7 @@ else
fi
# Attempt to specify a suite that is not supported (error from TPM)
-if tpm2 getcap ecc-curves | grep -q TPM2_ECC_NIST_P521; then
+if ! tpm2 getcap ecc-curves | grep -q TPM2_ECC_NIST_P521; then
if tpm2 testparms "ecc521:ecdsa:camellia" &>/dev/null; then
echo "tpm2 testparms succeeded while it shouldn't or TPM failed"
exit 1
--
2.35.3

151
SOURCES/0002-Patch-set-for-handling-of-new-event-types-in-tpm2_ev.patch
Unescape View File

@ -1,151 +0,0 @@
From 2558005814e4a64f8941216b9dc3d3c3a9b35c51 Mon Sep 17 00:00:00 2001
From: George Almasi <gheorghe@us.ibm.com>
Date: Fri, 8 Apr 2022 15:27:05 +0000
Subject: [PATCH 2/9] Patch set for handling of new event types in
tpm2_eventlog: EV_EFI_PLATFORM_FIRMWARE_BLOB2, EV_EFI_HANDOFF_TABLES2,
EV_EFI_VARIABLE_BOOT2
Signed-off-by: George Almasi <gheorghe@us.ibm.com>
---
lib/efi_event.h | 11 ++++++++
lib/tpm2_eventlog_yaml.c | 42 ++++++++++++++++++++++++++++-
test/unit/test_tpm2_eventlog_yaml.c | 6 +++++
3 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/lib/efi_event.h b/lib/efi_event.h
index 0136e32b..cc2ffc98 100644
--- a/lib/efi_event.h
+++ b/lib/efi_event.h
@@ -41,6 +41,10 @@
#define EV_EFI_ACTION EV_EFI_EVENT_BASE + 0x7
#define EV_EFI_PLATFORM_FIRMWARE_BLOB EV_EFI_EVENT_BASE + 0x8
#define EV_EFI_HANDOFF_TABLES EV_EFI_EVENT_BASE + 0x9
+#define EV_EFI_PLATFORM_FIRMWARE_BLOB2 EV_EFI_EVENT_BASE + 0xa
+#define EV_EFI_HANDOFF_TABLES2 EV_EFI_EVENT_BASE + 0xb
+#define EV_EFI_VARIABLE_BOOT2 EV_EFI_EVENT_BASE + 0xc
+
#define EV_EFI_VARIABLE_AUTHORITY EV_EFI_EVENT_BASE + 0xe0
#ifndef PACKED
@@ -96,6 +100,13 @@ typedef struct {
UINT64 BlobLength;
} PACKED UEFI_PLATFORM_FIRMWARE_BLOB;
+
+typedef struct {
+ UINT8 BlobDescriptionSize;
+ BYTE BlobDescription[];
+ /* UEFI_PLATFORM_FIRMWARE_BLOB comes next */
+} PACKED UEFI_PLATFORM_FIRMWARE_BLOB2;
+
typedef struct {
UINT32 pcrIndex;
UINT32 eventType;
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
index 9b048db1..d2d4aefe 100644
--- a/lib/tpm2_eventlog_yaml.c
+++ b/lib/tpm2_eventlog_yaml.c
@@ -90,6 +90,12 @@ char const *eventtype_to_string (UINT32 event_type) {
return "EV_EFI_PLATFORM_FIRMWARE_BLOB";
case EV_EFI_HANDOFF_TABLES:
return "EV_EFI_HANDOFF_TABLES";
+ case EV_EFI_PLATFORM_FIRMWARE_BLOB2:
+ return "EV_EFI_PLATFORM_FIRMWARE_BLOB2";
+ case EV_EFI_HANDOFF_TABLES2:
+ return "EV_EFI_HANDOFF_TABLES2";
+ case EV_EFI_VARIABLE_BOOT2:
+ return "EV_EFI_VARIABLE_BOOT2";
case EV_EFI_VARIABLE_AUTHORITY:
return "EV_EFI_VARIABLE_AUTHORITY";
default:
@@ -433,7 +439,7 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
uuidstr, sdata);
free(sdata);
return true;
- } else if (type == EV_EFI_VARIABLE_BOOT) {
+ } else if (type == EV_EFI_VARIABLE_BOOT || type == EV_EFI_VARIABLE_BOOT2) {
if ((strlen(ret) == 9 && strncmp(ret, "BootOrder", 9) == 0)) {
free(ret);
tpm2_tool_output(" VariableData:\n");
@@ -526,6 +532,37 @@ bool yaml_uefi_platfwblob(UEFI_PLATFORM_FIRMWARE_BLOB *data) {
data->BlobLength);
return true;
}
+
+/* TCG PC Client PFP (02 dec 2020) section 10.2.5 */
+bool yaml_uefi_platfwblob2(UEFI_PLATFORM_FIRMWARE_BLOB2 *data) {
+ UINT8 blobdescsize = data->BlobDescriptionSize;
+ UEFI_PLATFORM_FIRMWARE_BLOB * data2 = (UEFI_PLATFORM_FIRMWARE_BLOB *)((UINT8 *)data + sizeof(UINT8) + blobdescsize);
+
+ char * eventdesc = (char *)calloc (1, 2*blobdescsize+1);
+ if (!eventdesc) {
+ LOG_ERR("failed to allocate memory: %s\n", strerror(errno));
+ return false;
+ }
+
+ bytes_to_str (data->BlobDescription, blobdescsize, eventdesc, 2*blobdescsize);
+
+ tpm2_tool_output(" Event:\n"
+ " BlobDescriptionSize: %d\n"
+ " BlobDescription: \"%.*s\"\n"
+ " BlobBase: 0x%" PRIx64 "\n"
+ " BlobLength: 0x%" PRIx64 "\n",
+ blobdescsize,
+ 2*blobdescsize,
+ eventdesc,
+ data2->BlobBase,
+ data2->BlobLength);
+
+ free(eventdesc);
+ return true;
+}
+
+
+
/* TCG PC Client PFP section 9.4.4 */
bool yaml_uefi_action(UINT8 const *action, size_t size) {
@@ -713,6 +750,7 @@ bool yaml_event2data(TCG_EVENT2 const *event, UINT32 type, uint32_t eventlog_ver
switch (type) {
case EV_EFI_VARIABLE_DRIVER_CONFIG:
case EV_EFI_VARIABLE_BOOT:
+ case EV_EFI_VARIABLE_BOOT2:
case EV_EFI_VARIABLE_AUTHORITY:
return yaml_uefi_var((UEFI_VARIABLE_DATA*)event->Event,
event->EventSize, type, eventlog_version);
@@ -721,6 +759,8 @@ bool yaml_event2data(TCG_EVENT2 const *event, UINT32 type, uint32_t eventlog_ver
case EV_S_CRTM_CONTENTS:
case EV_EFI_PLATFORM_FIRMWARE_BLOB:
return yaml_uefi_platfwblob((UEFI_PLATFORM_FIRMWARE_BLOB*)event->Event);
+ case EV_EFI_PLATFORM_FIRMWARE_BLOB2:
+ return yaml_uefi_platfwblob2((UEFI_PLATFORM_FIRMWARE_BLOB2*)event->Event);
case EV_EFI_ACTION:
return yaml_uefi_action(event->Event, event->EventSize);
case EV_IPL:
diff --git a/test/unit/test_tpm2_eventlog_yaml.c b/test/unit/test_tpm2_eventlog_yaml.c
index d4e30b0e..6881703b 100644
--- a/test/unit/test_tpm2_eventlog_yaml.c
+++ b/test/unit/test_tpm2_eventlog_yaml.c
@@ -47,6 +47,9 @@ def_eventtype_to_string(EV_EFI_GPT_EVENT)
def_eventtype_to_string(EV_EFI_ACTION)
def_eventtype_to_string(EV_EFI_PLATFORM_FIRMWARE_BLOB)
def_eventtype_to_string(EV_EFI_HANDOFF_TABLES)
+def_eventtype_to_string(EV_EFI_PLATFORM_FIRMWARE_BLOB2)
+def_eventtype_to_string(EV_EFI_HANDOFF_TABLES2)
+def_eventtype_to_string(EV_EFI_VARIABLE_BOOT2)
def_eventtype_to_string(EV_EFI_VARIABLE_AUTHORITY)
static void eventtype_to_string_default(void **state) {
@@ -141,6 +144,9 @@ int main(void) {
cmocka_unit_test(eventtype_to_string_EV_EFI_ACTION),
cmocka_unit_test(eventtype_to_string_EV_EFI_PLATFORM_FIRMWARE_BLOB),
cmocka_unit_test(eventtype_to_string_EV_EFI_HANDOFF_TABLES),
+ cmocka_unit_test(eventtype_to_string_EV_EFI_PLATFORM_FIRMWARE_BLOB2),
+ cmocka_unit_test(eventtype_to_string_EV_EFI_HANDOFF_TABLES2),
+ cmocka_unit_test(eventtype_to_string_EV_EFI_VARIABLE_BOOT2),
cmocka_unit_test(eventtype_to_string_EV_EFI_VARIABLE_AUTHORITY),
cmocka_unit_test(eventtype_to_string_default),
cmocka_unit_test(test_yaml_event2hdr_callback),
--
2.37.3

385
SOURCES/0002-tpm2_encodeobject-New-tool-to-encode-TPM2-object.patch
Unescape View File

@ -1,385 +0,0 @@
From ba7682dc511f4ef6bbb8a15ca3bb0edf67ec39ce Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 17 Sep 2021 07:14:20 +0200
Subject: [PATCH 02/17] tpm2_encodeobject: New tool to encode TPM2 object
This adds a new tool tpm2_encodeobject in tools/misc. It takes
public and private portions of an object and encode them in a combined
PEM form used by tpm2-tss-engine and other applications.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
Makefile.am | 2 +
man/tpm2_encodeobject.1.md | 92 +++++++++++++
tools/misc/tpm2_encodeobject.c | 240 +++++++++++++++++++++++++++++++++
3 files changed, 334 insertions(+)
create mode 100644 man/tpm2_encodeobject.1.md
create mode 100644 tools/misc/tpm2_encodeobject.c
diff --git a/Makefile.am b/Makefile.am
index 71322159..e1a51ebf 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -103,6 +103,7 @@ tools_tpm2_SOURCES = \
tpm2_tools = \
tools/misc/tpm2_certifyX509certutil.c \
tools/misc/tpm2_checkquote.c \
+ tools/misc/tpm2_encodeobject.c \
tools/misc/tpm2_eventlog.c \
tools/misc/tpm2_print.c \
tools/misc/tpm2_rc_decode.c \
@@ -376,6 +377,7 @@ if HAVE_MAN_PAGES
man/man1/tpm2_createprimary.1 \
man/man1/tpm2_dictionarylockout.1 \
man/man1/tpm2_duplicate.1 \
+ man/man1/tpm2_encodeobject.1 \
man/man1/tpm2_getcap.1 \
man/man1/tpm2_encryptdecrypt.1 \
man/man1/tpm2_eventlog.1 \
diff --git a/man/tpm2_encodeobject.1.md b/man/tpm2_encodeobject.1.md
new file mode 100644
index 00000000..791eafbd
--- /dev/null
+++ b/man/tpm2_encodeobject.1.md
@@ -0,0 +1,92 @@
+% tpm2_encodeobject(1) tpm2-tools | General Commands Manual
+
+# NAME
+
+**tpm2_encodeobject**(1) - Encode an object into a combined PEM format.
+
+# SYNOPSIS
+
+**tpm2_encodeobject** [*OPTIONS*]
+
+# DESCRIPTION
+
+**tpm2_encodeobject**(1) - Encode both the private and public portions of an
+object into a combined PEM format used by tpm2-tss-engine.
+
+The tool reads private and public portions of an object and encodes it
+into a combined PEM format used by tpm2-tss-engine and other
+applications.
+
+**NOTE**: Both private and public portions of the tpm key must be specified.
+
+# OPTIONS
+
+ * **-C**, **\--parent-context**=_OBJECT_:
+
+ The parent object.
+
+ * **-P**, **\--auth**=_AUTH_:
+
+ The authorization value of the parent object specified by **-C**.
+
+ * **-u**, **\--public**=_FILE_:
+
+ A file containing the public portion of the object.
+
+ * **-r**, **\--private**=_FILE_:
+
+ A file containing the sensitive portion of the object.
+
+ * **-o**, **\--output**=_FILE_:
+
+ The output file path, recording the public portion of the object.
+
+## References
+
+[context object format](common/ctxobj.md) details the methods for specifying
+_OBJECT_.
+
+[authorization formatting](common/authorizations.md) details the methods for
+specifying _AUTH_.
+
+[common options](common/options.md) collection of common options that provide
+information many users may expect.
+
+[common tcti options](common/tcti.md) collection of options used to configure
+the various known TCTI modules.
+
+# EXAMPLES
+
+## Setup
+To load an object you first must create an object under a primary object. So the
+first step is to create the primary object.
+
+```bash
+tpm2_createprimary -c primary.ctx
+```
+
+Step 2 is to create an object under the primary object.
+
+```bash
+tpm2_create -C primary.ctx -u key.pub -r key.priv -f pem -o pub.pem
+```
+
+This creates the private and public portions of the TPM object. With these
+object portions, it is now possible to load that object into the TPM for
+subsequent use.
+
+## Encoding an Object into a combined PEM format
+
+The final step, is encoding the public and private portions of the object into a
+PEM format.
+
+```bash
+tpm2_encodeobject -C primary.ctx -u key.pub -r key.priv -c priv.pem
+```
+
+The generated `priv.pem` can be used together with `pub.pem` created in the
+step 2 of Setup section.
+
+[returns](common/returns.md)
+
+[footer](common/footer.md)
diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
new file mode 100644
index 00000000..2341c3a1
--- /dev/null
+++ b/tools/misc/tpm2_encodeobject.c
@@ -0,0 +1,240 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
+
+/*
+ * Part of this file is copied from tpm2-tss-engine.
+ *
+ * Copyright 2017-2018, Fraunhofer SIT sponsored by Infineon Technologies AG
+ * All rights reserved.
+ * Copyright (c) 2019, Wind River Systems.
+ * All rights reserved.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/pem.h>
+#include <tss2/tss2_mu.h>
+
+#include "files.h"
+#include "log.h"
+#include "tpm2.h"
+#include "tpm2_options.h"
+#include "tpm2_tool.h"
+
+#define OID_loadableKey "2.23.133.10.1.3"
+
+typedef struct {
+ ASN1_OBJECT *type;
+ ASN1_BOOLEAN emptyAuth;
+ ASN1_INTEGER *parent;
+ ASN1_OCTET_STRING *pubkey;
+ ASN1_OCTET_STRING *privkey;
+} TSSPRIVKEY;
+
+DECLARE_ASN1_FUNCTIONS(TSSPRIVKEY);
+DECLARE_PEM_write_bio(TSSPRIVKEY, TSSPRIVKEY);
+
+ASN1_SEQUENCE(TSSPRIVKEY) = {
+ ASN1_SIMPLE(TSSPRIVKEY, type, ASN1_OBJECT),
+ ASN1_EXP_OPT(TSSPRIVKEY, emptyAuth, ASN1_BOOLEAN, 0),
+ ASN1_SIMPLE(TSSPRIVKEY, parent, ASN1_INTEGER),
+ ASN1_SIMPLE(TSSPRIVKEY, pubkey, ASN1_OCTET_STRING),
+ ASN1_SIMPLE(TSSPRIVKEY, privkey, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(TSSPRIVKEY)
+
+#define TSSPRIVKEY_PEM_STRING "TSS2 PRIVATE KEY"
+
+IMPLEMENT_ASN1_FUNCTIONS(TSSPRIVKEY);
+IMPLEMENT_PEM_write_bio(TSSPRIVKEY, TSSPRIVKEY, TSSPRIVKEY_PEM_STRING, TSSPRIVKEY);
+IMPLEMENT_PEM_read_bio(TSSPRIVKEY, TSSPRIVKEY, TSSPRIVKEY_PEM_STRING, TSSPRIVKEY);
+
+typedef struct tpm_encodeobject_ctx tpm_encodeobject_ctx;
+struct tpm_encodeobject_ctx {
+ struct {
+ const char *ctx_path;
+ const char *auth_str;
+ tpm2_loaded_object object;
+ } parent;
+
+ struct {
+ const char *pubpath;
+ TPM2B_PUBLIC public;
+ const char *privpath;
+ TPM2B_PRIVATE private;
+ ESYS_TR handle;
+ } object;
+
+ char *output_path;
+};
+
+static tpm_encodeobject_ctx ctx;
+
+static bool on_option(char key, char *value) {
+ switch (key) {
+ case 'P':
+ ctx.parent.auth_str = value;
+ break;
+ case 'u':
+ ctx.object.pubpath = value;
+ break;
+ case 'r':
+ ctx.object.privpath = value;
+ break;
+ case 'C':
+ ctx.parent.ctx_path = value;
+ break;
+ case 'o':
+ ctx.output_path = value;
+ break;
+ }
+
+ return true;
+}
+
+static bool tpm2_tool_onstart(tpm2_options **opts) {
+ const struct option topts[] = {
+ { "auth", required_argument, NULL, 'P' },
+ { "public", required_argument, NULL, 'u' },
+ { "private", required_argument, NULL, 'r' },
+ { "parent-context", required_argument, NULL, 'C' },
+ { "output", required_argument, NULL, 'o' },
+ };
+
+ *opts = tpm2_options_new("P:u:r:C:o:", ARRAY_LEN(topts), topts, on_option,
+ NULL, 0);
+
+ return *opts != NULL;
+}
+
+static tool_rc check_opts(void) {
+ tool_rc rc = tool_rc_success;
+ if (!ctx.parent.ctx_path) {
+ LOG_ERR("Expected parent object via -C");
+ rc = tool_rc_option_error;
+ }
+
+ if (!ctx.object.pubpath) {
+ LOG_ERR("Expected public object portion via -u");
+ rc = tool_rc_option_error;
+ }
+
+ if (!ctx.object.privpath) {
+ LOG_ERR("Expected private object portion via -r");
+ rc = tool_rc_option_error;
+ }
+
+ if (!ctx.output_path) {
+ LOG_ERR("Expected output file path via -o");
+ rc = tool_rc_option_error;
+ }
+
+ return rc;
+}
+
+static tool_rc init(ESYS_CONTEXT *ectx) {
+ bool res = files_load_public(ctx.object.pubpath, &ctx.object.public);
+ if (!res) {
+ return tool_rc_general_error;
+ }
+
+ res = files_load_private(ctx.object.privpath, &ctx.object.private);
+ if (!res) {
+ return tool_rc_general_error;
+ }
+
+ return tpm2_util_object_load_auth(ectx, ctx.parent.ctx_path,
+ ctx.parent.auth_str, &ctx.parent.object, false,
+ TPM2_HANDLE_ALL_W_NV);
+}
+
+static int
+encode(void)
+{
+ TSS2_RC rc;
+ BIO *bio = NULL;
+ TSSPRIVKEY *tpk = NULL;
+
+ uint8_t private_buf[sizeof(ctx.object.private)];
+ uint8_t public_buf[sizeof(ctx.object.public)];
+ size_t private_len = 0, public_len = 0;
+
+ rc = Tss2_MU_TPM2B_PRIVATE_Marshal(&ctx.object.private, private_buf,
+ sizeof(private_buf), &private_len);
+ if (rc) {
+ LOG_ERR("Error serializing private portion of object");
+ goto error;
+ }
+
+ rc = Tss2_MU_TPM2B_PUBLIC_Marshal(&ctx.object.public, public_buf,
+ sizeof(public_buf), &public_len);
+ if (rc) {
+ LOG_ERR("Error serializing public portion of object");
+ goto error;
+ }
+
+ tpk = TSSPRIVKEY_new();
+ if (!tpk) {
+ LOG_ERR("oom");
+ goto error;
+ }
+
+ tpk->type = OBJ_txt2obj(OID_loadableKey, 1);
+ tpk->parent = ASN1_INTEGER_new();
+ tpk->privkey = ASN1_OCTET_STRING_new();
+ tpk->pubkey = ASN1_OCTET_STRING_new();
+ if (!tpk->type || !tpk->privkey || !tpk->pubkey || !tpk->parent) {
+ LOG_ERR("oom");
+ goto error;
+ }
+
+ tpk->emptyAuth = ctx.parent.auth_str == NULL ? 0xFF : 0;
+
+ if ((ctx.parent.object.handle >> TPM2_HR_SHIFT) == TPM2_HT_PERSISTENT) {
+ ASN1_INTEGER_set(tpk->parent, ctx.parent.object.handle);
+ } else {
+ /* Indicate that the parent is a primary object generated on the fly. */
+ ASN1_INTEGER_set(tpk->parent, TPM2_RH_OWNER);
+ }
+
+ ASN1_STRING_set(tpk->privkey, private_buf, private_len);
+ ASN1_STRING_set(tpk->pubkey, public_buf, public_len);
+
+ if ((bio = BIO_new_file(ctx.output_path, "w")) == NULL) {
+ LOG_ERR("Could not open file: \"%s\"", ctx.output_path);
+ goto error;
+ }
+
+ PEM_write_bio_TSSPRIVKEY(bio, tpk);
+ TSSPRIVKEY_free(tpk);
+ BIO_free(bio);
+
+ return tool_rc_success;
+ error:
+ if (bio)
+ BIO_free(bio);
+ if (tpk)
+ TSSPRIVKEY_free(tpk);
+ return tool_rc_general_error;
+}
+
+static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+ UNUSED(flags);
+
+ tool_rc rc = check_opts();
+ if (rc != tool_rc_success) {
+ return rc;
+ }
+
+ rc = init(ectx);
+ if (rc != tool_rc_success) {
+ return rc;
+ }
+
+ return encode();
+}
+
+// Register this tool with tpm2_tool.c
+TPM2_TOOL_REGISTER("encodeobject", tpm2_tool_onstart, tpm2_tool_onrun, NULL, NULL)
--
2.40.1

27
SOURCES/0003-Code-clarity-fix-for-calculation-of-data-member-addr.patch
Unescape View File

@ -1,27 +0,0 @@
From 18f211c7f28d204e5676a30480b681519316d87f Mon Sep 17 00:00:00 2001
From: George Almasi <gheorghe@us.ibm.com>
Date: Mon, 11 Apr 2022 12:12:45 +0000
Subject: [PATCH 3/9] Code clarity fix for calculation of data member addresses
when printing out UEFI_PLATFORM_FIRMWARE_BLOB2 structures.
Signed-off-by: George Almasi <gheorghe@us.ibm.com>
---
lib/tpm2_eventlog_yaml.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
index d2d4aefe..647a2225 100644
--- a/lib/tpm2_eventlog_yaml.c
+++ b/lib/tpm2_eventlog_yaml.c
@@ -536,7 +536,7 @@ bool yaml_uefi_platfwblob(UEFI_PLATFORM_FIRMWARE_BLOB *data) {
/* TCG PC Client PFP (02 dec 2020) section 10.2.5 */
bool yaml_uefi_platfwblob2(UEFI_PLATFORM_FIRMWARE_BLOB2 *data) {
UINT8 blobdescsize = data->BlobDescriptionSize;
- UEFI_PLATFORM_FIRMWARE_BLOB * data2 = (UEFI_PLATFORM_FIRMWARE_BLOB *)((UINT8 *)data + sizeof(UINT8) + blobdescsize);
+ UEFI_PLATFORM_FIRMWARE_BLOB * data2 = (UEFI_PLATFORM_FIRMWARE_BLOB *)((UINT8 *)data + sizeof(data->BlobDescriptionSize) + blobdescsize);
char * eventdesc = (char *)calloc (1, 2*blobdescsize+1);
if (!eventdesc) {
--
2.37.3

104
SOURCES/0003-tools-tpm2_evictconrol-fix-for-call-to-Esys_TR_Close.patch
Unescape View File

@ -1,104 +0,0 @@
From be8b4cb178332f24fb06f30d3211a24ea3c9e632 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Fri, 3 Sep 2021 11:24:31 -0700
Subject: [PATCH 03/17] tools/tpm2_evictconrol: fix for call to Esys_TR_Close
on bad handle
Fixes #2254
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
tools/tpm2_evictcontrol.c | 36 +++++++++++++++---------------------
1 file changed, 15 insertions(+), 21 deletions(-)
diff --git a/tools/tpm2_evictcontrol.c b/tools/tpm2_evictcontrol.c
index 0ae4edc6..8199be39 100644
--- a/tools/tpm2_evictcontrol.c
+++ b/tools/tpm2_evictcontrol.c
@@ -106,20 +106,18 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
bool evicted = false;
/* load up the object/handle to work on */
- tool_rc tmp_rc = tpm2_util_object_load(ectx, ctx.to_persist_key.ctx_path,
- &ctx.to_persist_key.object, TPM2_HANDLE_ALL_W_NV);
- if (tmp_rc != tool_rc_success) {
- rc = tmp_rc;
- goto out;
+ rc = tpm2_util_object_load(ectx, ctx.to_persist_key.ctx_path,
+ &ctx.to_persist_key.object, TPM2_HANDLE_ALL_W_NV);
+ if (rc != tool_rc_success) {
+ return rc;
}
/* load up the auth hierarchy */
- tmp_rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
+ rc = tpm2_util_object_load_auth(ectx, ctx.auth_hierarchy.ctx_path,
ctx.auth_hierarchy.auth_str, &ctx.auth_hierarchy.object, false,
TPM2_HANDLE_FLAGS_O | TPM2_HANDLE_FLAGS_P);
- if (tmp_rc != tool_rc_success) {
- rc = tmp_rc;
- goto out;
+ if (rc != tool_rc_success) {
+ return rc;
}
if (ctx.to_persist_key.object.handle >> TPM2_HR_SHIFT
@@ -136,11 +134,10 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
*/
if (ctx.flags.c && !ctx.flags.p) {
bool is_platform = ctx.auth_hierarchy.object.handle == TPM2_RH_PLATFORM;
- tmp_rc = tpm2_capability_find_vacant_persistent_handle(ectx,
+ rc = tpm2_capability_find_vacant_persistent_handle(ectx,
is_platform, &ctx.persist_handle);
- if (tmp_rc != tool_rc_success) {
- rc = tmp_rc;
- goto out;
+ if (rc != tool_rc_success) {
+ return rc;
}
/* we searched and found a persistent handle, so mark that peristent handle valid */
ctx.flags.p = 1;
@@ -148,7 +145,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
if (ctx.flags.o && !ctx.flags.p) {
LOG_ERR("Cannot specify -o without using a persistent handle");
- goto out;
+ return tool_rc_option_error;
}
ESYS_TR out_tr;
@@ -175,7 +172,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
rc = tpm2_evictcontrol(ectx, &ctx.auth_hierarchy.object,
&ctx.to_persist_key.object, ctx.persist_handle, &out_tr, NULL);
if (rc != tool_rc_success) {
- goto out;
+ return rc;
}
/*
@@ -191,19 +188,16 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
evicted = out_tr == ESYS_TR_NONE;
tpm2_tool_output("persistent-handle: 0x%x\n", ctx.persist_handle);
tpm2_tool_output("action: %s\n", evicted ? "evicted" : "persisted");
-
+ tool_rc tmp_rc = tool_rc_success;
if (ctx.output_arg) {
- rc = files_save_ESYS_TR(ectx, out_tr, ctx.output_arg);
- } else {
- rc = tool_rc_success;
+ tmp_rc = files_save_ESYS_TR(ectx, out_tr, ctx.output_arg);
}
-out:
if (!evicted) {
rc = tpm2_close(ectx, &out_tr);
}
- return rc;
+ return (tmp_rc == tool_rc_success) ? rc : tmp_rc;
}
static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) {
--
2.40.1

45
SOURCES/0004-Fix-argument-parsing-in-tpm2_policylocality.patch
Unescape View File

@ -1,45 +0,0 @@
From f365a0adca8379ce89ff86fdf740082cf6a56f1b Mon Sep 17 00:00:00 2001
From: Tien-Ren Chen <trchen1033@gmail.com>
Date: Thu, 25 Nov 2021 12:41:52 -0500
Subject: [PATCH 04/17] Fix argument parsing in tpm2_policylocality
This patch fixes a bug that caused tpm2_policylocality to almost
always generate PolicyLocality(0).
There was a logical inversion that caused almost any argument
(including invalid ones) to be interpreted as zero, except "zero"
would be interpreted as one.
Signed-off-by: Tien-Ren Chen <trchen1033@gmail.com>
---
tools/tpm2_policylocality.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/tpm2_policylocality.c b/tools/tpm2_policylocality.c
index 81edbe65..b1d43d02 100644
--- a/tools/tpm2_policylocality.c
+++ b/tools/tpm2_policylocality.c
@@ -54,15 +54,15 @@ static bool on_arg(int argc, char **argv) {
return false;
}
- if (strcmp(argv[0], "zero")) {
+ if (strcmp(argv[0], "zero") == 0) {
ctx.locality = TPMA_LOCALITY_TPM2_LOC_ZERO;
- } else if (strcmp(argv[0], "one")) {
+ } else if (strcmp(argv[0], "one") == 0) {
ctx.locality = TPMA_LOCALITY_TPM2_LOC_ONE;
- } else if (strcmp(argv[0], "two")) {
+ } else if (strcmp(argv[0], "two") == 0) {
ctx.locality = TPMA_LOCALITY_TPM2_LOC_TWO;
- } else if (strcmp(argv[0], "three")) {
+ } else if (strcmp(argv[0], "three") == 0) {
ctx.locality = TPMA_LOCALITY_TPM2_LOC_THREE;
- } else if (strcmp(argv[0], "four")) {
+ } else if (strcmp(argv[0], "four") == 0) {
ctx.locality = TPMA_LOCALITY_TPM2_LOC_FOUR;
} else {
bool result = tpm2_util_string_to_uint8(argv[0], &ctx.locality);
--
2.40.1

55
SOURCES/0004-tpm2_eventlog-clean-up-some-magic-numbers.patch
Unescape View File

@ -1,55 +0,0 @@
From 2781de8cb60d0e8efb72d57eb1178f2f6df9415c Mon Sep 17 00:00:00 2001
From: Jerry Snitselaar <jsnitsel@redhat.com>
Date: Tue, 2 Aug 2022 11:59:06 -0700
Subject: [PATCH 4/9] tpm2_eventlog: clean up some magic numbers
Make the code a bit clearer by making it clear
we are subtracting the size of the EFI_GUID member
from the EFI_SIGNATURE_DATA size.
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
---
lib/tpm2_eventlog_yaml.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
index 647a2225..fee78027 100644
--- a/lib/tpm2_eventlog_yaml.c
+++ b/lib/tpm2_eventlog_yaml.c
@@ -374,13 +374,13 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
for (i = 0; i < signatures; i++) {
EFI_SIGNATURE_DATA *s = (EFI_SIGNATURE_DATA *)signature;
char *sdata = calloc (1,
- BYTES_TO_HEX_STRING_SIZE(slist->SignatureSize-16));
+ BYTES_TO_HEX_STRING_SIZE(slist->SignatureSize - sizeof(EFI_GUID)));
if (sdata == NULL) {
LOG_ERR("Failled to allocate data: %s\n", strerror(errno));
return false;
}
- bytes_to_str(s->SignatureData, slist->SignatureSize-16,
- sdata, BYTES_TO_HEX_STRING_SIZE(slist->SignatureSize-16));
+ bytes_to_str(s->SignatureData, slist->SignatureSize - sizeof(EFI_GUID),
+ sdata, BYTES_TO_HEX_STRING_SIZE(slist->SignatureSize - sizeof(EFI_GUID)));
guid_unparse_lower(s->SignatureOwner, uuidstr);
tpm2_tool_output(" - SignatureOwner: %s\n"
" SignatureData: %s\n",
@@ -426,13 +426,13 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
EFI_SIGNATURE_DATA *s= (EFI_SIGNATURE_DATA *)&data->UnicodeName[
data->UnicodeNameLength];
char *sdata = calloc (1,
- BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - 16));
+ BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
if (sdata == NULL) {
LOG_ERR("Failled to allocate data: %s\n", strerror(errno));
return false;
}
- bytes_to_str(s->SignatureData, data->VariableDataLength - 16,
- sdata, BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - 16));
+ bytes_to_str(s->SignatureData, data->VariableDataLength - sizeof(EFI_GUID),
+ sdata, BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
guid_unparse_lower(s->SignatureOwner, uuidstr);
tpm2_tool_output(" - SignatureOwner: %s\n"
" SignatureData: %s\n",
--
2.37.3

82
SOURCES/0005-tools-tpm2_tool.c-Fix-an-issue-where-LOG_WARN-is-alw.patch
Unescape View File

@ -1,82 +0,0 @@
From 221d8e557ab5a00246f7b09746377819cfbaec5e Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Wed, 9 Mar 2022 10:24:45 -0700
Subject: [PATCH 05/17] tools/tpm2_tool.c: Fix an issue where LOG_WARN is
always displayed
Despite setting the 'quiet' flag with -Q the warning messages were
always displayed.
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
lib/tpm2_options.c | 12 +++++++++---
tools/tpm2_makecredential.c | 9 ++++++---
2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/lib/tpm2_options.c b/lib/tpm2_options.c
index 8c8af2af..1238e440 100644
--- a/lib/tpm2_options.c
+++ b/lib/tpm2_options.c
@@ -456,12 +456,16 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
/* tool doesn't request a sapi, don't initialize one */
if (flags->tcti_none && is_optional_sapi) {
- LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=none");
+ if (!flags->quiet) {
+ LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=none");
+ }
goto none;
}
if (flags->tcti_none && is_no_sapi) {
- LOG_WARN("Tool does not use SAPI. Continuing with tcti=none");
+ if (!flags->quiet) {
+ LOG_WARN("Tool does not use SAPI. Continuing with tcti=none");
+ }
goto none;
}
@@ -481,7 +485,9 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
bool is_optional_fake_tcti = (flags->tcti_none && tool_opts &&
tool_opts->flags & TPM2_OPTIONS_OPTIONAL_SAPI_AND_FAKE_TCTI);
if (is_optional_fake_tcti) {
- LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=fake");
+ if (!flags->quiet) {
+ LOG_WARN("Tool optionally uses SAPI. Continuing with tcti=fake");
+ }
*tcti = (TSS2_TCTI_CONTEXT *)&fake_tcti;
goto none;
}
diff --git a/tools/tpm2_makecredential.c b/tools/tpm2_makecredential.c
index 0b0fa123..5bd5b484 100644
--- a/tools/tpm2_makecredential.c
+++ b/tools/tpm2_makecredential.c
@@ -310,11 +310,14 @@ static void set_default_TCG_EK_template(TPMI_ALG_PUBLIC alg) {
ctx.public.publicArea.nameAlg = TPM2_ALG_SHA256;
}
-static tool_rc process_input(void) {
+static tool_rc process_input(tpm2_option_flags flags) {
TPMI_ALG_PUBLIC alg = TPM2_ALG_NULL;
if (ctx.key_type) {
- LOG_WARN("Because **-G** is specified, assuming input encryption public key is in PEM format.");
+ if (!flags.quiet) {
+ LOG_WARN("Because **-G** is specified, assuming input encryption "
+ "public key is in PEM format.");
+ }
alg = tpm2_alg_util_from_optarg(ctx.key_type,
tpm2_alg_util_flags_asymmetric);
if (alg == TPM2_ALG_ERROR ||
@@ -379,7 +382,7 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
UNUSED(flags);
- tool_rc rc = process_input();
+ tool_rc rc = process_input(flags);
if (rc != tool_rc_success) {
return rc;
}
--
2.40.1

209
SOURCES/0005-tpm2_eventlog_yaml-fix-malformed-YAML-for-EV_IPL-dat.patch
Unescape View File

@ -1,209 +0,0 @@
From cef0317b83e06fdca25ef52a8bfd59b74d318e5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 29 Sep 2022 10:48:36 -0400
Subject: [PATCH 5/9] tpm2_eventlog_yaml: fix malformed YAML for EV_IPL data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The code for printing EV_IPL data was fairly crude and often
did not generate valid YAML syntax. Some problems
* Data starting with a space would result in invalid
indentation, a leading space requires a quoted string
* Non-printable cahracters must generally be escaped,
using a quoted string
* Embedded NUL bytes were turned into newlines, which
mangled any UTF16 encoded data.
This change attempts to make the YAML output much safer. It
is not pefect as it just processes the data bytewise and
thus could potentially emit invalid UTF-8 bytes. In practice
this won't be a problem for known bootloader emitting EV_IPL
events.
This changes the formatting slightly
- All strings are now surrounded with double quotes
- All NUL bytes, including the final trailing NUL
are displayed in escaped format.
- Non-printable ASCII chars are escaped, including
the tab character, per YAML recommendations
A much better long term solution would be to switch to
using libyaml for generating the output which would give
a strong guarantee of correct formatting.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
lib/tpm2_eventlog_yaml.c | 141 ++++++++++++++++++++++++++++++++++++---
1 file changed, 130 insertions(+), 11 deletions(-)
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
index fee78027..66a20701 100644
--- a/lib/tpm2_eventlog_yaml.c
+++ b/lib/tpm2_eventlog_yaml.c
@@ -571,6 +571,125 @@ bool yaml_uefi_action(UINT8 const *action, size_t size) {
return true;
}
+
+
+/*
+ * The yaml_ipl description is received as raw bytes, but the
+ * data will represent a printable string. Unfortunately we
+ * are not told its encoding, and this can vary. For example,
+ * grub will use UTF8, while sd-boot will UTF16LE.
+ *
+ * We need to emit YAML with some rules:
+ *
+ * - No leading ' ' without quoting it
+ * - Escape non-printable ascii chars
+ * - Double quotes if using escape sequences
+ * - Valid UTF8 string
+ *
+ * This method will ignore the question of original data
+ * encoding and apply a few simple rules to make the data
+ * mostly YAML compliant. Where it falls down is not
+ * guaranteeing valid UTF8, if the input was not already
+ * valid UTF8. In practice this limitation shouldn't be
+ * a problem given expected measured data.
+ *
+ * Note: one consequence of this approach is that most
+ * UTF16LE data will be rendered with lots of \0 bytes
+ * escaped.
+ *
+ * For ease of output reading, the data is also split on newlines
+ */
+char **yaml_split_escape_string(UINT8 const *description, size_t size)
+{
+ char **lines = NULL, **tmp;
+ size_t nlines = 0;
+ size_t i, j, k;
+ size_t len;
+ UINT8 *nl;
+
+ i = 0;
+ do {
+ nl = memchr(description + i, '\n', size - i);
+ len = nl ? (size_t)(nl - (description + i)) : size - i;
+
+ tmp = realloc(lines, sizeof(char *) * (nlines + 2));
+ if (!tmp) {
+ LOG_ERR("failed to allocate memory for description lines: %s\n",
+ strerror(errno));
+ goto error;
+ }
+ lines = tmp;
+ lines[nlines + 1] = NULL;
+ k = 0;
+
+ /* Worst case: every byte needs escaping, plus start/end quotes, plus nul */
+ lines[nlines] = calloc(1, (len * 2) + 2 + 1);
+ if (!lines[nlines]) {
+ LOG_ERR("failed to allocate memory for escaped string: %s\n",
+ strerror(errno));
+ goto error;
+ }
+
+ lines[nlines][k++] = '"';
+ for (j = i; j < (i + len); j++) {
+ char escape = '\0';
+
+ switch (description[j]) {
+ case '\0':
+ escape = '0';
+ break;
+ case '\a':
+ escape = 'a';
+ break;
+ case '\b':
+ escape = 'b';
+ break;
+ case '\t':
+ escape = 't';
+ break;
+ case '\v':
+ escape = 'v';
+ break;
+ case '\f':
+ escape = 'f';
+ break;
+ case '\r':
+ escape = 'r';
+ break;
+ case '\e':
+ escape = 'e';
+ break;
+ case '\'':
+ escape = '\'';
+ break;
+ case '\\':
+ escape = '\\';
+ break;
+ }
+
+ if (escape == '\0') {
+ lines[nlines][k++] = description[j];
+ } else {
+ lines[nlines][k++] = '\\';
+ lines[nlines][k++] = escape;
+ }
+ }
+ lines[nlines][k++] = '"';
+
+ nlines++;
+ i += len + 1;
+ } while (i < size);
+
+ return lines;
+
+ error:
+ for (i = 0; lines != NULL && lines[i] != NULL; i++) {
+ free(lines[i]);
+ }
+ free(lines);
+ return NULL;
+}
+
/*
* TCG PC Client PFP section 9.4.1
* This event type is extensively used by the Shim and Grub on a wide varities
@@ -578,21 +697,21 @@ bool yaml_uefi_action(UINT8 const *action, size_t size) {
* the loading of grub, kernel, and initrd images.
*/
bool yaml_ipl(UINT8 const *description, size_t size) {
-
+ char **lines = NULL;
+ size_t i;
tpm2_tool_output(" Event:\n"
" String: |-\n");
- /* We need to handle when description contains multiple lines. */
- size_t i, j;
- for (i = 0; i < size; i++) {
- for (j = i; j < size; j++) {
- if (description[j] == '\n' || description[j] == '\0') {
- break;
- }
- }
- tpm2_tool_output(" %.*s\n", (int)(j - i), description+i);
- i = j;
+ lines = yaml_split_escape_string(description, size);
+ if (!lines) {
+ return false;
+ }
+
+ for (i = 0; lines[i] != NULL; i++) {
+ tpm2_tool_output(" %s\n", lines[i]);
+ free(lines[i]);
}
+ free(lines);
return true;
}
--
2.37.3

100
SOURCES/0006-import-fix-bug-on-using-scheme.patch
Unescape View File

@ -1,100 +0,0 @@
From acc82191f519f8bcdfcc0827faf024dcd2f56f78 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 20 May 2022 10:49:04 -0500
Subject: [PATCH 06/17] import: fix bug on using scheme
When scheme is specified in the template, the openssl load functions
clobber the scheme value and set it to TPM2_ALG_NULL. Only set the
algorithm to NULL if zero value is specified.
Fixes: #2997
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
lib/tpm2_openssl.c | 24 ++++++++++++++++++------
test/integration/tests/import.sh | 13 +++++++++----
2 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/lib/tpm2_openssl.c b/lib/tpm2_openssl.c
index 01bfc9ef..ad43c8e1 100644
--- a/lib/tpm2_openssl.c
+++ b/lib/tpm2_openssl.c
@@ -534,9 +534,15 @@ static bool load_public_RSA_from_key(EVP_PKEY *key, TPM2B_PUBLIC *pub) {
pt->type = TPM2_ALG_RSA;
TPMS_RSA_PARMS *rdetail = &pub->publicArea.parameters.rsaDetail;
- rdetail->scheme.scheme = TPM2_ALG_NULL;
- rdetail->symmetric.algorithm = TPM2_ALG_NULL;
- rdetail->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
+ /*
+ * If the scheme is not TPM2_ALG_ERROR (0),
+ * its a valid scheme so don't set it to NULL scheme
+ */
+ if (rdetail->scheme.scheme == TPM2_ALG_ERROR) {
+ rdetail->scheme.scheme = TPM2_ALG_NULL;
+ rdetail->symmetric.algorithm = TPM2_ALG_NULL;
+ rdetail->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
+ }
/* NULL out sym details */
TPMT_SYM_DEF_OBJECT *sym = &rdetail->symmetric;
@@ -809,9 +815,15 @@ static bool load_public_ECC_from_key(EVP_PKEY *key, TPM2B_PUBLIC *pub) {
* no kdf - not sure what this should be
*/
pp->kdf.scheme = TPM2_ALG_NULL;
- pp->scheme.scheme = TPM2_ALG_NULL;
- pp->symmetric.algorithm = TPM2_ALG_NULL;
- pp->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
+
+ /*
+ * If the scheme is not TPM2_ALG_ERROR (0),
+ * its a valid scheme so don't set it to NULL scheme
+ */
+ if (pp->scheme.scheme == TPM2_ALG_ERROR) {
+ pp->scheme.scheme = TPM2_ALG_NULL;
+ pp->scheme.details.anySig.hashAlg = TPM2_ALG_NULL;
+ }
/* NULL out sym details */
TPMT_SYM_DEF_OBJECT *sym = &pp->symmetric;
diff --git a/test/integration/tests/import.sh b/test/integration/tests/import.sh
index 9f6a474e..9cb6096f 100644
--- a/test/integration/tests/import.sh
+++ b/test/integration/tests/import.sh
@@ -4,8 +4,8 @@ source helpers.sh
cleanup() {
rm -f import_key.ctx import_key.name import_key.priv import_key.pub \
- parent.ctx plain.dec.ssl plain.enc plain.txt sym.key import_rsa_key.pub \
- import_rsa_key.priv import_rsa_key.ctx import_rsa_key.name private.pem \
+ parent.ctx plain.dec.ssl plain.enc plain.txt sym.key import_rsa_key*.pub \
+ import_rsa_key*.priv import_rsa_key.ctx import_rsa_key.name private.pem \
public.pem plain.rsa.enc plain.rsa.dec public.pem data.in.raw \
data.in.digest data.out.signed ticket.out ecc.pub ecc.priv ecc.name \
ecc.ctx private.ecc.pem public.ecc.pem passfile aes.key policy.dat \
@@ -67,6 +67,10 @@ run_rsa_import_test() {
tpm2 import -Q -G rsa -g "$name_alg" -i private.pem -C $1 \
-u import_rsa_key.pub -r import_rsa_key.priv
+ # test in import with scheme and discard
+ tpm2 import -G rsa:rsassa-sha256 -g "$name_alg" -i private.pem -C $1 \
+ -u import_rsa_key2.pub -r import_rsa_key2.priv | grep -q 'rsassa'
+
tpm2 load -Q -C $1 -u import_rsa_key.pub -r import_rsa_key.priv \
-n import_rsa_key.name -c import_rsa_key.ctx
@@ -118,8 +122,9 @@ run_ecc_import_test() {
shasum -a 256 data.in.raw | awk '{ print "000000 " $1 }' | xxd -r -c 32 > \
data.in.digest
- tpm2 import -Q -G ecc -g "$name_alg" -i private.ecc.pem -C $1 -u ecc.pub \
- -r ecc.priv
+ # test import with scheme
+ tpm2 import -G ecc:ecdsa-sha256 -g "$name_alg" -i private.ecc.pem -C $1 -u ecc.pub \
+ -r ecc.priv | grep -q 'ecdsa'
tpm2 load -Q -C $1 -u ecc.pub -r ecc.priv -n ecc.name -c ecc.ctx
--
2.40.1

5678
SOURCES/0006-test-track-expected-YAML-output-for-eventlog.patch
View File

File diff suppressed because one or more lines are too long

92
SOURCES/0007-tpm2_eventlog_yaml-fix-parsing-for-MokListTrusted.patch
Unescape View File

@ -1,92 +0,0 @@
From c26464eb59b71b40bea11b4829b2a848343081f2 Mon Sep 17 00:00:00 2001
From: Thore Sommer <mail@thson.de>
Date: Sat, 8 Oct 2022 21:29:18 +0300
Subject: [PATCH 7/9] tpm2_eventlog_yaml: fix parsing for MokListTrusted
Not all data in events of the EV_EFI_VARIABLE_AUTHORITY are
EFI_SIGNATURE_DATA. The entry for MokListTrusted is a boolean
encoded as an integer similar to SecureBoot variable.
Fixes #3050
Signed-off-by: Thore Sommer <mail@thson.de>
---
lib/tpm2_eventlog_yaml.c | 60 +++++++++++++++++++++++++++-------------
1 file changed, 41 insertions(+), 19 deletions(-)
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
index 66a20701..0b1d0318 100644
--- a/lib/tpm2_eventlog_yaml.c
+++ b/lib/tpm2_eventlog_yaml.c
@@ -418,27 +418,49 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
}
return true;
}
- /* Other variables will be printed as a hex string */
} else if (type == EV_EFI_VARIABLE_AUTHORITY) {
- free(ret);
- tpm2_tool_output(" VariableData:\n");
-
- EFI_SIGNATURE_DATA *s= (EFI_SIGNATURE_DATA *)&data->UnicodeName[
- data->UnicodeNameLength];
- char *sdata = calloc (1,
- BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
- if (sdata == NULL) {
- LOG_ERR("Failled to allocate data: %s\n", strerror(errno));
- return false;
+ /* The MokListTrusted is boolean option, not a EFI_SIGNATURE_DATA*/
+ if ((strlen(ret) == 14 && strncmp(ret, "MokListTrusted", 14) == 0)) {
+ free(ret);
+ tpm2_tool_output(" VariableData:\n"
+ " Enabled: ");
+ if (data->VariableDataLength == 0) {
+ tpm2_tool_output("'No'\n");
+ } else if (data->VariableDataLength > 1) {
+ LOG_ERR("MokListTrusted value length %" PRIu64 " is unexpectedly > 1\n",
+ data->VariableDataLength);
+ return false;
+ } else {
+ uint8_t *variable_data = (uint8_t *)&data->UnicodeName[
+ data->UnicodeNameLength];
+ if (*variable_data == 0) {
+ tpm2_tool_output("'No'\n");
+ } else {
+ tpm2_tool_output("'Yes'\n");
+ }
+ }
+ return true;
+ } else {
+ /* Other variables will be printed as a hex string */
+ free(ret);
+ tpm2_tool_output(" VariableData:\n");
+ EFI_SIGNATURE_DATA *s= (EFI_SIGNATURE_DATA *)&data->UnicodeName[
+ data->UnicodeNameLength];
+ char *sdata = calloc (1,
+ BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
+ if (sdata == NULL) {
+ LOG_ERR("Failled to allocate data: %s\n", strerror(errno));
+ return false;
+ }
+ bytes_to_str(s->SignatureData, data->VariableDataLength - sizeof(EFI_GUID),
+ sdata, BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
+ guid_unparse_lower(s->SignatureOwner, uuidstr);
+ tpm2_tool_output(" - SignatureOwner: %s\n"
+ " SignatureData: %s\n",
+ uuidstr, sdata);
+ free(sdata);
+ return true;
}
- bytes_to_str(s->SignatureData, data->VariableDataLength - sizeof(EFI_GUID),
- sdata, BYTES_TO_HEX_STRING_SIZE(data->VariableDataLength - sizeof(EFI_GUID)));
- guid_unparse_lower(s->SignatureOwner, uuidstr);
- tpm2_tool_output(" - SignatureOwner: %s\n"
- " SignatureData: %s\n",
- uuidstr, sdata);
- free(sdata);
- return true;
} else if (type == EV_EFI_VARIABLE_BOOT || type == EV_EFI_VARIABLE_BOOT2) {
if ((strlen(ret) == 9 && strncmp(ret, "BootOrder", 9) == 0)) {
free(ret);
--
2.37.3

85
SOURCES/0007-tpm2_policyor-fix-unallocated-policy-list.patch
Unescape View File

@ -1,85 +0,0 @@
From d35bff8cf06cec386afd24bdbed9828caf063a2f Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Mon, 18 Jul 2022 11:31:51 -0500
Subject: [PATCH 07/17] tpm2_policyor: fix unallocated policy list
The TPML_DIGEST policy list was calloc'd for some reason, however it
could just be statically allocated in the context. The side effect is
that when no options or arguments were given a NPD occured when checking
the count of the policy list. TO fix this, just statically allocate it.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
tools/tpm2_policyor.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/tools/tpm2_policyor.c b/tools/tpm2_policyor.c
index e4f6541b..d27fff8b 100644
--- a/tools/tpm2_policyor.c
+++ b/tools/tpm2_policyor.c
@@ -14,7 +14,7 @@ struct tpm2_policyor_ctx {
//File path for the session context data
const char *session_path;
//List of policy digests that will be compounded
- TPML_DIGEST *policy_list;
+ TPML_DIGEST policy_list;
//File path for storing the policy digest output
const char *out_policy_dgst_path;
@@ -36,8 +36,7 @@ static bool on_option(char key, char *value) {
ctx.session_path = value;
break;
case 'l':
- ctx.policy_list = calloc(1, sizeof(TPML_DIGEST));
- result = tpm2_policy_parse_policy_list(value, ctx.policy_list);
+ result = tpm2_policy_parse_policy_list(value, &ctx.policy_list);
if (!result) {
return false;
}
@@ -54,8 +53,7 @@ static bool on_arg(int argc, char **argv) {
return false;
}
- ctx.policy_list = calloc(1, sizeof(TPML_DIGEST));
- bool result = tpm2_policy_parse_policy_list(argv[0], ctx.policy_list);
+ bool result = tpm2_policy_parse_policy_list(argv[0], &ctx.policy_list);
if (!result) {
return false;
}
@@ -85,7 +83,7 @@ static bool is_input_option_args_valid(void) {
}
//Minimum two policies needed to be specified for compounding
- if (ctx.policy_list->count < 1) {
+ if (ctx.policy_list.count < 1) {
LOG_ERR("Must specify at least 2 policy digests for compounding.");
return false;
}
@@ -109,14 +107,14 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
}
/* Policy digest hash alg should match that of the session */
- if (ctx.policy_list->digests[0].size
+ if (ctx.policy_list.digests[0].size
!= tpm2_alg_util_get_hash_size(
tpm2_session_get_authhash(ctx.session))) {
LOG_ERR("Policy digest hash alg should match that of the session.");
return tool_rc_general_error;
}
- rc = tpm2_policy_build_policyor(ectx, ctx.session, ctx.policy_list);
+ rc = tpm2_policy_build_policyor(ectx, ctx.session, &ctx.policy_list);
if (rc != tool_rc_success) {
LOG_ERR("Could not build policyor TPM");
return rc;
@@ -127,7 +125,6 @@ static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) {
UNUSED(ectx);
- free(ctx.policy_list);
free(ctx.policy_digest);
return tpm2_session_close(&ctx.session);
}
--
2.40.1

35
SOURCES/0008-lib-tpm2_alg_util.c-Fix-potential-null-pointer-deref.patch
Unescape View File

@ -1,35 +0,0 @@
From cfb18410e8f706646adce2bd9f6cffecbd363d2b Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Thu, 21 Jul 2022 15:19:36 -0700
Subject: [PATCH 08/17] lib/tpm2_alg_util.c: Fix potential null pointer
dereference
Must test ext_alg_str before dereferencing in
tpm2_alg_util_handle_rsa_ext_alg
char *ext_alg_str = calloc(1, strlen(alg_spec) + strlen("rsa") +
RSA_KEYBITS_STRLEN)
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
lib/tpm2_alg_util.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c
index 1e984d74..580f41cb 100644
--- a/lib/tpm2_alg_util.c
+++ b/lib/tpm2_alg_util.c
@@ -601,6 +601,10 @@ tool_rc tpm2_alg_util_handle_rsa_ext_alg(const char *alg_spec,
#define RSA_KEYBITS_STRLEN 6
char *ext_alg_str = calloc(1, strlen(alg_spec) + strlen("rsa") +
RSA_KEYBITS_STRLEN);
+ if (ext_alg_str == NULL) {
+ LOG_ERR("oom");
+ return tool_rc_general_error;
+ }
strcat(ext_alg_str, "rsa");
switch(public->publicArea.parameters.rsaDetail.keyBits) {
--
2.40.1

1462
SOURCES/0008-tests-add-eventlog-for-parsing-MokListTrusted.patch
View File

File diff suppressed because it is too large Load Diff

87
SOURCES/0009-tpm2_eventlog_yaml-use-defines-for-Unicode-variables.patch
Unescape View File

@ -1,87 +0,0 @@
From e05d4ac57960b9aa81943254f5757405a5217616 Mon Sep 17 00:00:00 2001
From: Thore Sommer <mail@thson.de>
Date: Tue, 11 Oct 2022 08:44:44 +0300
Subject: [PATCH 9/9] tpm2_eventlog_yaml: use defines for Unicode variables
The used variables and their length are defined as the following:
- Name: NAME_{VARIABLE_NAME}
- Length: NAME_{VARIABLE_NAME}_LEN
Signed-off-by: Thore Sommer <mail@thson.de>
---
lib/tpm2_eventlog_yaml.c | 30 +++++++++++++++++++++++-------
1 file changed, 23 insertions(+), 7 deletions(-)
diff --git a/lib/tpm2_eventlog_yaml.c b/lib/tpm2_eventlog_yaml.c
index 0b1d0318..59a5d8fc 100644
--- a/lib/tpm2_eventlog_yaml.c
+++ b/lib/tpm2_eventlog_yaml.c
@@ -23,6 +23,22 @@
#include <efivar/efivar.h>
#endif
+/* Valid variable unicode names and their length */
+#define NAME_DB "db"
+#define NAME_DB_LEN 2
+#define NAME_DBX "dbx"
+#define NAME_DBX_LEN 3
+#define NAME_KEK "KEK"
+#define NAME_KEK_LEN 3
+#define NAME_PK "PK"
+#define NAME_PK_LEN 2
+#define NAME_MOKLISTTRUSTED "MokListTrusted"
+#define NAME_MOKLISTTRUSTED_LEN 14
+#define NAME_SECUREBOOT "SecureBoot"
+#define NAME_SECUREBOOT_LEN 10
+#define NAME_BOOTORDER "BootOrder"
+#define NAME_BOOTORDER_LEN 9
+
static void guid_unparse_lower(EFI_GUID guid, char guid_buf[37]) {
snprintf(guid_buf, 37, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
@@ -321,10 +337,10 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
* respectively.
*/
if (type == EV_EFI_VARIABLE_DRIVER_CONFIG) {
- if ((strlen(ret) == 2 && strncmp(ret, "PK", 2) == 0) ||
- (strlen(ret) == 3 && strncmp(ret, "KEK", 3) == 0) ||
- (strlen(ret) == 2 && strncmp(ret, "db", 2) == 0) ||
- (strlen(ret) == 3 && strncmp(ret, "dbx", 3) == 0)) {
+ if ((strlen(ret) == NAME_PK_LEN && strncmp(ret, NAME_PK, NAME_PK_LEN) == 0) ||
+ (strlen(ret) == NAME_KEK_LEN && strncmp(ret, NAME_KEK, NAME_KEK_LEN) == 0) ||
+ (strlen(ret) == NAME_DB_LEN && strncmp(ret, NAME_DB, NAME_DB_LEN) == 0) ||
+ (strlen(ret) == NAME_DBX_LEN && strncmp(ret, NAME_DBX, NAME_DBX_LEN) == 0)) {
free(ret);
tpm2_tool_output(" VariableData:\n");
@@ -397,7 +413,7 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
variable_data += slist->SignatureListSize;
}
return true;
- } else if ((strlen(ret) == 10 && strncmp(ret, "SecureBoot", 10) == 0)) {
+ } else if ((strlen(ret) == NAME_SECUREBOOT_LEN && strncmp(ret, NAME_SECUREBOOT, NAME_SECUREBOOT_LEN) == 0)) {
free(ret);
tpm2_tool_output(" VariableData:\n"
" Enabled: ");
@@ -420,7 +436,7 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
}
} else if (type == EV_EFI_VARIABLE_AUTHORITY) {
/* The MokListTrusted is boolean option, not a EFI_SIGNATURE_DATA*/
- if ((strlen(ret) == 14 && strncmp(ret, "MokListTrusted", 14) == 0)) {
+ if ((strlen(ret) == NAME_MOKLISTTRUSTED_LEN && strncmp(ret, NAME_MOKLISTTRUSTED, NAME_MOKLISTTRUSTED_LEN) == 0)) {
free(ret);
tpm2_tool_output(" VariableData:\n"
" Enabled: ");
@@ -462,7 +478,7 @@ static bool yaml_uefi_var(UEFI_VARIABLE_DATA *data, size_t size, UINT32 type,
return true;
}
} else if (type == EV_EFI_VARIABLE_BOOT || type == EV_EFI_VARIABLE_BOOT2) {
- if ((strlen(ret) == 9 && strncmp(ret, "BootOrder", 9) == 0)) {
+ if ((strlen(ret) == NAME_BOOTORDER_LEN && strncmp(ret, NAME_BOOTORDER, NAME_BOOTORDER_LEN) == 0)) {
free(ret);
tpm2_tool_output(" VariableData:\n");
--
2.37.3

30
SOURCES/0009-tss2_provision-fix-usage-of-L-parameter.patch
Unescape View File

@ -1,30 +0,0 @@
From d783e7962e268b45c13ad800fca636bb922005fa Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Tue, 18 Oct 2022 10:32:43 +0200
Subject: [PATCH 09/17] tss2_provision: fix usage of -L parameter.
The -L short parameter was not marked as parameter with required
arg in the short opt list.
Fixes #3147.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
tools/fapi/tss2_provision.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/fapi/tss2_provision.c b/tools/fapi/tss2_provision.c
index 5be7b4dc..7edf2dd3 100644
--- a/tools/fapi/tss2_provision.c
+++ b/tools/fapi/tss2_provision.c
@@ -33,7 +33,7 @@ static bool tss2_tool_onstart(tpm2_options **opts) {
{"authValueSh", required_argument, NULL, 'S'},
{"authValueLockout", required_argument, NULL, 'L'},
};
- return (*opts = tpm2_options_new ("E:S:L",
+ return (*opts = tpm2_options_new ("E:S:L:",
ARRAY_LEN(topts), topts, on_option, NULL, 0)) != NULL;
}
--
2.40.1

26
SOURCES/0010-tpm2_encodeobject-fix-formatting.patch
Unescape View File

@ -1,26 +0,0 @@
From 0582b619c3a2c407bf5eace8d83d832688781789 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Mon, 24 Oct 2022 10:31:05 -0500
Subject: [PATCH 10/17] tpm2_encodeobject: fix formatting
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
tools/misc/tpm2_encodeobject.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
index 2341c3a1..ccbd0e01 100644
--- a/tools/misc/tpm2_encodeobject.c
+++ b/tools/misc/tpm2_encodeobject.c
@@ -87,7 +87,7 @@ static bool on_option(char key, char *value) {
ctx.parent.ctx_path = value;
break;
case 'o':
- ctx.output_path = value;
+ ctx.output_path = value;
break;
}
--
2.40.1

99
SOURCES/0011-tpm2_encodeobject-fix-auth-boolean-flag.patch
Unescape View File

@ -1,99 +0,0 @@
From 579bb674b5bdf2a0d50e8d3a3d6f5391d233bdff Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Mon, 24 Oct 2022 10:48:18 -0500
Subject: [PATCH 11/17] tpm2_encodeobject: fix auth boolean flag
The flag for wether or not a key needs a password was being set based on
if the parent needed a password or not when it should be set based on if
the child object needs a password or not.
Correct this by adding a -p/--key-auth option to indicate the value of
this boolean.
$ tpm2 encodeobject -C 0x81000000 -u key.pub -r key.priv -o key.pem
$ openssl asn1parse -dump -inform PEM -in key.pem
<snip>
14:d=2 hl=2 l= 1 prim: BOOLEAN :0
</snip>
$ tpm2 encodeobject -C 0x81000000 -u key.pub -r key.priv -o key.pem -p
$ openssl asn1parse -dump -inform PEM -in key.pem
<snip>
14:d=2 hl=2 l= 1 prim: BOOLEAN :1
</snip>
A workaround would be manually modifying the ASN1 PEM file boolean flag
OR creating the same parent key but with a password and specifying the
password via `-P`. Note that a primary key is the same given the same
inputs and password doesn't change the generated key.
Fixes: #3152
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
man/tpm2_encodeobject.1.md | 5 +++++
tools/misc/tpm2_encodeobject.c | 9 +++++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/man/tpm2_encodeobject.1.md b/man/tpm2_encodeobject.1.md
index 791eafbd..2e83fa7d 100644
--- a/man/tpm2_encodeobject.1.md
+++ b/man/tpm2_encodeobject.1.md
@@ -37,6 +37,11 @@ applications.
A file containing the sensitive portion of the object.
+ * **-p**, **\--key-auth**:
+
+ Indicates if an authorization value is needed for the object specified by
+ **-r** and **-u**.
+
* **-o**, **\--output**=_FILE_:
The output file path, recording the public portion of the object.
diff --git a/tools/misc/tpm2_encodeobject.c b/tools/misc/tpm2_encodeobject.c
index ccbd0e01..80de14f5 100644
--- a/tools/misc/tpm2_encodeobject.c
+++ b/tools/misc/tpm2_encodeobject.c
@@ -65,6 +65,7 @@ struct tpm_encodeobject_ctx {
const char *privpath;
TPM2B_PRIVATE private;
ESYS_TR handle;
+ bool needs_auth;
} object;
char *output_path;
@@ -89,6 +90,9 @@ static bool on_option(char key, char *value) {
case 'o':
ctx.output_path = value;
break;
+ case 'p':
+ ctx.object.needs_auth = true;
+ break;
}
return true;
@@ -101,9 +105,10 @@ static bool tpm2_tool_onstart(tpm2_options **opts) {
{ "private", required_argument, NULL, 'r' },
{ "parent-context", required_argument, NULL, 'C' },
{ "output", required_argument, NULL, 'o' },
+ { "key-auth", no_argument, NULL, 'p' },
};
- *opts = tpm2_options_new("P:u:r:C:o:", ARRAY_LEN(topts), topts, on_option,
+ *opts = tpm2_options_new("P:u:r:C:o:p", ARRAY_LEN(topts), topts, on_option,
NULL, 0);
return *opts != NULL;
@@ -190,7 +195,7 @@ encode(void)
goto error;
}
- tpk->emptyAuth = ctx.parent.auth_str == NULL ? 0xFF : 0;
+ tpk->emptyAuth = ctx.object.needs_auth;
if ((ctx.parent.object.handle >> TPM2_HR_SHIFT) == TPM2_HT_PERSISTENT) {
ASN1_INTEGER_set(tpk->parent, ctx.parent.object.handle);
--
2.40.1

30
SOURCES/0012-bugfix-fix-convert-sm2-public-key-in-openssl3.patch
Unescape View File

@ -1,30 +0,0 @@
From 3848000b934b9e2546a506ab0922c028491d2284 Mon Sep 17 00:00:00 2001
From: mayuanchen <94815698+mayuanchenma@users.noreply.github.com>
Date: Thu, 1 Dec 2022 21:44:22 +0800
Subject: [PATCH 12/17] bugfix: fix convert sm2 public key in openssl3.
Signed-off-by: mayuanchen <94815698+mayuanchenma@users.noreply.github.com>
---
lib/tpm2_convert.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/tpm2_convert.c b/lib/tpm2_convert.c
index 1bba370f..edb9bed0 100644
--- a/lib/tpm2_convert.c
+++ b/lib/tpm2_convert.c
@@ -335,7 +335,11 @@ EVP_PKEY *convert_pubkey_ECC(TPMT_PUBLIC *public) {
goto out;
}
- ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
+ if (nid == NID_sm2) {
+ ctx = EVP_PKEY_CTX_new_from_name(NULL, "SM2", NULL);
+ } else {
+ ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
+ }
if (!ctx) {
print_ssl_error("Failed to allocate EC key context");
goto out;
--
2.40.1

46
SOURCES/0013-readpublic-fix-reading-and-writing-serialized-trs.patch
Unescape View File

@ -1,46 +0,0 @@
From 62f6cdaa36e1c9e8f39e1ca60d8e3049de6860bf Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Mon, 27 Feb 2023 15:32:55 -0600
Subject: [PATCH 13/17] readpublic: fix reading and writing serialized trs
Fix reading and writing a serialized persistent ESYS_TR handles. This
occurs becuase the TPM2_HANDLE is never set after loading and decisions
are made on it.
Fixes:
tpm2_readpublic -t handle2.tr -c handle.tr
ERROR: Can only output a serialized handle for persistent object handles
ERROR: Unable to run tpm2_readpublic
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
lib/object.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/lib/object.c b/lib/object.c
index c186a820..1279a8e5 100644
--- a/lib/object.c
+++ b/lib/object.c
@@ -15,7 +15,18 @@ static tool_rc do_ctx_file(ESYS_CONTEXT *ctx, const char *objectstr, FILE *f,
/* assign a dummy transient handle */
outobject->handle = TPM2_TRANSIENT_FIRST;
outobject->path = objectstr;
- return files_load_tpm_context_from_file(ctx, &outobject->tr_handle, f);
+ tool_rc rc = files_load_tpm_context_from_file(ctx, &outobject->tr_handle, f);
+ if (rc != tool_rc_success) {
+ return rc;
+ }
+
+ TSS2_RC rval = Esys_TR_GetTpmHandle(ctx, outobject->tr_handle, &outobject->handle);
+ if (rval != TPM2_RC_SUCCESS) {
+ LOG_ERR("Failed to acquire SAPI handle");
+ return tool_rc_general_error;
+ }
+
+ return tool_rc_success;
}
static tool_rc tpm2_util_object_load2(ESYS_CONTEXT *ctx, const char *objectstr,
--
2.40.1

29
SOURCES/0014-fix-wrong-function-name-of-Esys_Load.patch
Unescape View File

@ -1,29 +0,0 @@
From f1515918ebba36a540432425f7cd01ca3c44aaac Mon Sep 17 00:00:00 2001
From: yuxiaojun <yuxiaojun@uniontech.com>
Date: Wed, 1 Feb 2023 11:47:40 +0800
Subject: [PATCH 14/17] fix:wrong function name of "Esys_Load"
LOG_PERR(Eys_Load, rval);
The first parameter in the function should be Esys_Load.
Signed-off-by: yuxiaojun <yuxiaojun@uniontech.com>
---
lib/tpm2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/tpm2.c b/lib/tpm2.c
index d91072ae..27f101e9 100644
--- a/lib/tpm2.c
+++ b/lib/tpm2.c
@@ -1921,7 +1921,7 @@ tpm2_load_free_name1:
parent_object_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, in_private,
in_public, object_handle);
if (rval != TPM2_RC_SUCCESS) {
- LOG_PERR(Eys_Load, rval);
+ LOG_PERR(Esys_Load, rval);
return tool_rc_from_tpm(rval);
}
--
2.40.1

224
SOURCES/0015-tpm-errata-switch-to-twos-complement.patch
Unescape View File

@ -1,224 +0,0 @@
From 510d570d9c4f34d4768af3453dcfcc4f74006e32 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Fri, 7 Apr 2023 14:02:33 +0200
Subject: [PATCH 15/17] tpm errata: switch to twos-complement.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Errata TCG Trusted Platform Module Library Revision 1.59 Version 1.4,
Section 2.5 TPM_EO twos complement states:
"The signed arithmetic operations are performed using twos-complement."
The tests policynv and policycountertimer were adapted to work with the
complement representation of signed numbers. If the tests return the error 0x126
the test will be skipped.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
.../tests/abrmd_policycountertimer.sh | 35 +++++++--
test/integration/tests/abrmd_policynv.sh | 75 +++++++++++++------
2 files changed, 78 insertions(+), 32 deletions(-)
diff --git a/test/integration/tests/abrmd_policycountertimer.sh b/test/integration/tests/abrmd_policycountertimer.sh
index 58fcf1b9..80afc541 100644
--- a/test/integration/tests/abrmd_policycountertimer.sh
+++ b/test/integration/tests/abrmd_policycountertimer.sh
@@ -11,6 +11,27 @@ cleanup() {
fi
}
+call_policy_countertimer () {
+ trap - ERR
+ output=$(tpm2 policycountertimer $@ 2>&1)
+ result=$?
+
+ if [ $result != 0 ] && echo $output | grep "ErrorCode.*0126" > /dev/null
+ then
+ echo "This test failed due to a TPM bug regarding signed comparison as described"
+ echo "in TCG's Errata for TCG Trusted Platform Module Library Revision 1.59 Version 1.4,"
+ echo "Section 2.5 TPM_EO twos complement"
+ tpm2 flushcontext session.ctx
+ skip_test
+ else
+ if [ $result != 0 ]; then
+ tpm2 flushcontext session.ctx
+ exit 1
+ fi
+ fi
+ trap onerror ERR
+}
+
trap cleanup EXIT
start_up
@@ -25,8 +46,7 @@ tpm2 clear
#
tpm2 startauthsession -S session.ctx
-tpm2 policycountertimer -S session.ctx -L policy.countertimer.minute --ult \
-60000
+call_policy_countertimer -S session.ctx -L policy.countertimer.minute --ult 60000
tpm2 flushcontext session.ctx
@@ -42,8 +62,7 @@ tpm2 create -Q -u key.pub -r key.priv -i- -C prim.ctx \
#
tpm2 startauthsession -S session.ctx --policy-session
-tpm2 policycountertimer -S session.ctx -L policy.countertimer.minute --ult \
-60000
+call_policy_countertimer -S session.ctx -L policy.countertimer.minute --ult 60000
tpm2 unseal -c key.ctx -p session:session.ctx
@@ -54,7 +73,7 @@ tpm2 flushcontext session.ctx
#
tpm2 clear
tpm2 startauthsession -S session.ctx --policy-session
-tpm2 policycountertimer -S session.ctx --ult clock=60000
+call_policy_countertimer -S session.ctx --ult clock=60000
tpm2 flushcontext session.ctx
#
@@ -63,7 +82,7 @@ tpm2 flushcontext session.ctx
#
tpm2 clear
tpm2 startauthsession -S session.ctx --policy-session
-tpm2 policycountertimer -S session.ctx safe
+call_policy_countertimer -S session.ctx safe
tpm2 flushcontext session.ctx
#
@@ -72,7 +91,7 @@ tpm2 flushcontext session.ctx
#
tpm2 clear
tpm2 startauthsession -S session.ctx --policy-session
-tpm2 policycountertimer -S session.ctx resets=0
+call_policy_countertimer -S session.ctx resets=0
tpm2 flushcontext session.ctx
#
@@ -81,7 +100,7 @@ tpm2 flushcontext session.ctx
#
tpm2 clear
tpm2 startauthsession -S session.ctx --policy-session
-tpm2 policycountertimer -S session.ctx restarts=0
+call_policy_countertimer -S session.ctx restarts=0
tpm2 flushcontext session.ctx
exit 0
diff --git a/test/integration/tests/abrmd_policynv.sh b/test/integration/tests/abrmd_policynv.sh
index b75cabb8..220edec0 100644
--- a/test/integration/tests/abrmd_policynv.sh
+++ b/test/integration/tests/abrmd_policynv.sh
@@ -36,10 +36,34 @@ evaluate_failing_test_case() {
}
evaluate_passing_test_case() {
- tpm2 startauthsession -S session.ctx --policy-session
- echo $operandB | xxd -r -p | \
- tpm2 policynv -S session.ctx -i- -P nvpass $nv_test_index $1
- tpm2 flushcontext session.ctx
+ tpm2 startauthsession -S session.ctx --policy-session
+ if [[ ${1:0:1} == "s" ]]; then
+ echo "Test sign: $1 $operandA $operandB"
+ # check whether sign compare fails with 0x126
+ trap - ERR
+ output=$(echo $operandB | xxd -r -p | \
+ tpm2 policynv -S session.ctx -i- -P nvpass $nv_test_index $1 2>&1)
+ result=$?
+ if [ $result != 0 ] && echo $output | grep "ErrorCode.*0126" > /dev/null
+ then
+ echo "This test failed due to a TPM bug regarding signed comparison as described"
+ echo "in TCG's Errata for TCG Trusted Platform Module Library Revision 1.59 Version 1.4,"
+ echo "Section 2.5 TPM_EO twos complement"
+ tpm2 flushcontext session.ctx
+ skip_test
+ else
+ if [ $result != 0 ]; then
+ tpm2 flushcontext session.ctx
+ exit 1
+ fi
+ fi
+ tpm2 flushcontext session.ctx
+ trap onerror ERR
+ else
+ echo $operandB | xxd -r -p | \
+ tpm2 policynv -S session.ctx -i- -P nvpass $nv_test_index $1
+ tpm2 flushcontext session.ctx
+ fi
}
trap cleanup EXIT
@@ -70,40 +94,20 @@ evaluate_passing_test_case eq
operandB=0x80
evaluate_passing_test_case neq
-# Perform comparison operation "sgt"
-operandB=0x82
-evaluate_passing_test_case sgt
-
# Perform comparison operation "ugt"
operandB=0x80
evaluate_passing_test_case ugt
-# Perform comparison operation "slt"
-operandB=0x80
-evaluate_passing_test_case slt
-
# Perform comparison operation "ult"
operandB=0x82
evaluate_passing_test_case ult
-# Perform comparison operation "sge"
-operandB=0x82
-evaluate_passing_test_case sge
-operandB=0x81
-evaluate_passing_test_case sge
-
# Perform comparison operation "uge"
operandB=0x80
evaluate_passing_test_case uge
operandB=0x81
evaluate_passing_test_case uge
-# Perform comparison operation "sle"
-operandB=0x80
-evaluate_passing_test_case sle
-operandB=0x81
-evaluate_passing_test_case sle
-
# Perform comparison operation "ule"
operandB=0x82
evaluate_passing_test_case ule
@@ -118,4 +122,27 @@ evaluate_passing_test_case bs
operandB=0x7E
evaluate_passing_test_case bc
+operandA=0xfe # -1
+echo $operandA | xxd -r -p | tpm2 nvwrite -P nvpass -i- $nv_test_index
+
+# Perform comparison operation "sgt"
+operandB=0xfd # -2
+evaluate_passing_test_case sgt
+
+# Perform comparison operation "slt"
+operandB=0xff # 0
+evaluate_passing_test_case slt
+
+# Perform comparison operation "sle"
+operandB=0xff #0
+evaluate_passing_test_case sle
+operandB=0xfe # -1
+evaluate_passing_test_case sle
+
+# Perform comparison operation "sge"
+operandB=0xfd # -2
+evaluate_passing_test_case sge
+operandB=0xfe # -1
+evaluate_passing_test_case sge
+
exit 0
--
2.40.1

159
SOURCES/0016-tpm2_eventlog.c-Fix-pcr-extension-for-EV_NO_ACTION.patch
Unescape View File

@ -1,159 +0,0 @@
From 2f6a737efddce480803c02a5e3b65ce739c6acf2 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Tue, 28 Mar 2023 17:29:36 +0200
Subject: [PATCH 16/17] tpm2_eventlog.c Fix pcr extension for EV_NO_ACTION
EV_NO_ACTION events should not be extended to PCR registers.
Fixes: #3224
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
lib/tpm2_eventlog.c | 14 +++++++++-----
lib/tpm2_eventlog.h | 2 +-
test/unit/test_tpm2_eventlog.c | 15 ++++++++-------
3 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/lib/tpm2_eventlog.c b/lib/tpm2_eventlog.c
index 1b59eeeb..e2e27f02 100644
--- a/lib/tpm2_eventlog.c
+++ b/lib/tpm2_eventlog.c
@@ -30,7 +30,8 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size,
* hold the digest. The size of the digest is passed to the callback in the
* 'size' parameter.
*/
-bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index, TCG_DIGEST2 const *digest, size_t count, size_t size) {
+bool foreach_digest2(tpm2_eventlog_context *ctx, UINT32 eventType, unsigned pcr_index,
+ TCG_DIGEST2 const *digest, size_t count, size_t size) {
if (digest == NULL) {
LOG_ERR("digest cannot be NULL");
@@ -80,7 +81,8 @@ bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index, TCG_DIGEST2
LOG_WARN("PCR%d algorithm %d unsupported", pcr_index, alg);
}
- if (pcr && !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) {
+ if (eventType != EV_NO_ACTION && pcr &&
+ !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) {
LOG_ERR("PCR%d extend failed", pcr_index);
return false;
}
@@ -179,7 +181,8 @@ bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size,
.data = digests_size,
.digest2_cb = digest2_accumulator_callback,
};
- ret = foreach_digest2(&ctx, eventhdr->PCRIndex,
+ ret = foreach_digest2(&ctx, eventhdr->EventType,
+ eventhdr->PCRIndex,
eventhdr->Digests, eventhdr->DigestCount,
buf_size - sizeof(*eventhdr));
if (ret != true) {
@@ -216,7 +219,7 @@ bool parse_sha1_log_event(tpm2_eventlog_context *ctx, TCG_EVENT const *event, si
*event_size = sizeof(*event);
pcr = ctx->sha1_pcrs[ event->pcrIndex];
- if (pcr) {
+ if (event->eventType != EV_NO_ACTION && pcr) {
tpm2_openssl_pcr_extend(TPM2_ALG_SHA1, pcr, &event->digest[0], 20);
ctx->sha1_used |= (1 << event->pcrIndex);
}
@@ -451,7 +454,8 @@ bool foreach_event2(tpm2_eventlog_context *ctx, TCG_EVENT_HEADER2 const *eventhd
}
/* digest callback foreach digest */
- ret = foreach_digest2(ctx, eventhdr->PCRIndex, eventhdr->Digests, eventhdr->DigestCount, digests_size);
+ ret = foreach_digest2(ctx, eventhdr->EventType, eventhdr->PCRIndex,
+ eventhdr->Digests, eventhdr->DigestCount, digests_size);
if (ret != true) {
return false;
}
diff --git a/lib/tpm2_eventlog.h b/lib/tpm2_eventlog.h
index 2a91ed60..f141e806 100644
--- a/lib/tpm2_eventlog.h
+++ b/lib/tpm2_eventlog.h
@@ -44,7 +44,7 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size,
void *data);
bool parse_event2body(TCG_EVENT2 const *event, UINT32 type);
-bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index,
+bool foreach_digest2(tpm2_eventlog_context *ctx, UINT32 eventType, unsigned pcr_index,
TCG_DIGEST2 const *event_hdr, size_t count, size_t size);
bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size,
size_t *event_size, size_t *digests_size);
diff --git a/test/unit/test_tpm2_eventlog.c b/test/unit/test_tpm2_eventlog.c
index ebf50e80..e48404d8 100644
--- a/test/unit/test_tpm2_eventlog.c
+++ b/test/unit/test_tpm2_eventlog.c
@@ -27,7 +27,7 @@ static void test_foreach_digest2_null(void **state){
(void)state;
tpm2_eventlog_context ctx = {0};
- assert_false(foreach_digest2(&ctx, 0, NULL, 0, sizeof(TCG_DIGEST2)));
+ assert_false(foreach_digest2(&ctx, 0, 0, NULL, 0, sizeof(TCG_DIGEST2)));
}
static void test_foreach_digest2_size(void **state) {
@@ -36,7 +36,7 @@ static void test_foreach_digest2_size(void **state) {
TCG_DIGEST2 *digest = (TCG_DIGEST2*)buf;
tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
- assert_false(foreach_digest2(&ctx, 0, digest, 1, sizeof(TCG_DIGEST2) - 1));
+ assert_false(foreach_digest2(&ctx, 0, 0, digest, 1, sizeof(TCG_DIGEST2) - 1));
}
static void test_foreach_digest2(void **state) {
@@ -47,7 +47,7 @@ static void test_foreach_digest2(void **state) {
will_return(foreach_digest2_test_callback, true);
tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
- assert_true(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
+ assert_true(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
}
static void test_foreach_digest2_cbnull(void **state){
@@ -56,7 +56,7 @@ static void test_foreach_digest2_cbnull(void **state){
TCG_DIGEST2* digest = (TCG_DIGEST2*)buf;
tpm2_eventlog_context ctx = {0};
- assert_true(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
+ assert_true(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
}
static void test_sha1(void **state){
@@ -73,7 +73,7 @@ static void test_sha1(void **state){
memcpy(digest->Digest, "the magic words are:", TPM2_SHA1_DIGEST_SIZE);
tpm2_eventlog_context ctx = {0};
- assert_true(foreach_digest2(&ctx, pcr_index, digest, 1, TCG_DIGEST2_SHA1_SIZE));
+ assert_true(foreach_digest2(&ctx, 0, pcr_index, digest, 1, TCG_DIGEST2_SHA1_SIZE));
assert_memory_equal(ctx.sha1_pcrs[pcr_index], sha1sum, sizeof(sha1sum));
}
static void test_sha256(void **state){
@@ -93,7 +93,7 @@ static void test_sha256(void **state){
memcpy(digest->Digest, "The Magic Words are Squeamish Ossifrage, for RSA-129 (from 1977)", TPM2_SHA256_DIGEST_SIZE);
tpm2_eventlog_context ctx = {0};
- assert_true(foreach_digest2(&ctx, pcr_index, digest, 1, TCG_DIGEST2_SHA256_SIZE));
+ assert_true(foreach_digest2(&ctx, 0, pcr_index, digest, 1, TCG_DIGEST2_SHA256_SIZE));
assert_memory_equal(ctx.sha256_pcrs[pcr_index], sha256sum, sizeof(sha256sum));
}
static void test_foreach_digest2_cbfail(void **state){
@@ -105,7 +105,7 @@ static void test_foreach_digest2_cbfail(void **state){
will_return(foreach_digest2_test_callback, false);
tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
- assert_false(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
+ assert_false(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
}
static void test_digest2_accumulator_callback(void **state) {
@@ -292,6 +292,7 @@ static void test_foreach_event2_parse_event2body_fail(void **state){
eventhdr->DigestCount = 1;
eventhdr->EventType = EV_EFI_VARIABLE_BOOT;
+ eventhdr->PCRIndex = 0;
digest->AlgorithmId = TPM2_ALG_SHA1;
event->EventSize = 1;
--
2.40.1

52
SOURCES/0017-kdfa.c-Fix-problem-with-FORTIFY_SOURCE-on-Fedora.patch
Unescape View File

@ -1,52 +0,0 @@
From 72b6a5497df8757987dfedd6263346154adb921e Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Mon, 6 Mar 2023 12:16:05 +0100
Subject: [PATCH 17/17] kdfa.c Fix problem with FORTIFY_SOURCE on Fedora
The original kdfa implementation did produce an error caused by the flags
-flto -_FORTIFY_SOURCE=3 on Fedora rawhide.
This error can be avoided by switching off the optimization with pragma.
Fixes: #3210.
Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
lib/tpm2_kdfa.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/lib/tpm2_kdfa.c b/lib/tpm2_kdfa.c
index 5eb8d558..e97c06f6 100644
--- a/lib/tpm2_kdfa.c
+++ b/lib/tpm2_kdfa.c
@@ -13,6 +13,15 @@
#include "tpm2_kdfa.h"
#include "tpm2_openssl.h"
+/*
+ * Disable optimization because of an error in FORTIFY_SOURCE
+ */
+
+#ifdef _FORTIFY_SOURCE
+#pragma GCC push_options
+#pragma GCC optimize ("O0")
+#endif
+
TSS2_RC tpm2_kdfa(TPMI_ALG_HASH hash_alg, TPM2B *key, char *label,
TPM2B *context_u, TPM2B *context_v, UINT16 bits,
TPM2B_MAX_BUFFER *result_key) {
@@ -139,3 +148,13 @@ err:
return rval;
}
+#ifdef _FORTIFY_SOURCE
+
+#endif
+
+#ifdef _FORTIFY_SOURCE
+#pragma GCC pop_options
+#endif
+
+
+
--
2.40.1

32
SOURCES/0019-build-Use-hardcoded-version-variable.patch
Unescape View File

@ -1,32 +0,0 @@
From 395651f059ceb21d56c44cddda05e055caa0fd19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
<shoracek@redhat.com>
Date: Mon, 18 Oct 2021 19:04:54 +0200
Subject: [PATCH] build: Use hardcoded version variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Before this commit the version was generated from git tag/commit hash.
This caused problems with having empty version variable while building
outside of git. Fix this by hardcoding the variable.
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
---
configure.ac | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 9561fa86..2bf3a790 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,4 @@
-AC_INIT([tpm2-tools],
- [m4_esyscmd_s([git describe --tags --always --dirty])])
+AC_INIT([tpm2-tools], [5.2])
AC_CONFIG_MACRO_DIR([m4])
AX_IS_RELEASE([dash-version])
--
2.31.1

434
SOURCES/add_pregenerated_doc.patch
Unescape View File

@ -1,434 +0,0 @@
diff --git a/man/man1/tpm2_encodeobject.1 b/man/man1/tpm2_encodeobject.1
new file mode 100644
index 00000000..9b616bb0
--- /dev/null
+++ b/man/man1/tpm2_encodeobject.1
@@ -0,0 +1,428 @@
+.\" Automatically generated by Pandoc 2.5
+.\"
+.TH "tpm2_encodeobject" "1" "" "tpm2\-tools" "General Commands Manual"
+.hy
+.SH NAME
+.PP
+\f[B]tpm2_encodeobject\f[R](1) \- Encode an object into a combined PEM
+format.
+.SH SYNOPSIS
+.PP
+\f[B]tpm2_encodeobject\f[R] [\f[I]OPTIONS\f[R]]
+.SH DESCRIPTION
+.PP
+\f[B]tpm2_encodeobject\f[R](1) \- Encode both the private and public
+portions of an object into a combined PEM format used by
+tpm2\-tss\-engine.
+.PP
+The tool reads private and public portions of an object and encodes it
+into a combined PEM format used by tpm2\-tss\-engine and other
+applications.
+.PP
+\f[B]NOTE\f[R]: Both private and public portions of the tpm key must be
+specified.
+.SH OPTIONS
+.IP \[bu] 2
+\f[B]\-C\f[R], \f[B]\-\-parent\-context\f[R]=\f[I]OBJECT\f[R]:
+.RS 2
+.PP
+The parent object.
+.RE
+.IP \[bu] 2
+\f[B]\-P\f[R], \f[B]\-\-auth\f[R]=\f[I]AUTH\f[R]:
+.RS 2
+.PP
+The authorization value of the parent object specified by \f[B]\-C\f[R].
+.RE
+.IP \[bu] 2
+\f[B]\-u\f[R], \f[B]\-\-public\f[R]=\f[I]FILE\f[R]:
+.RS 2
+.PP
+A file containing the public portion of the object.
+.RE
+.IP \[bu] 2
+\f[B]\-r\f[R], \f[B]\-\-private\f[R]=\f[I]FILE\f[R]:
+.RS 2
+.PP
+A file containing the sensitive portion of the object.
+.RE
+.IP \[bu] 2
+\f[B]\-p\f[R], \f[B]\-\-key\-auth\f[R]:
+.RS 2
+.PP
+Indicates if an authorization value is needed for the object specified
+by \f[B]\-r\f[R] and \f[B]\-u\f[R].
+.RE
+.IP \[bu] 2
+\f[B]\-o\f[R], \f[B]\-\-output\f[R]=\f[I]FILE\f[R]:
+.RS 2
+.PP
+The output file path, recording the public portion of the object.
+.RE
+.SS References
+.SH Context Object Format
+.PP
+The type of a context object, whether it is a handle or file name, is
+determined according to the following logic \f[I]in\-order\f[R]:
+.IP \[bu] 2
+If the argument is a file path, then the file is loaded as a restored
+TPM transient object.
+.IP \[bu] 2
+If the argument is a \f[I]prefix\f[R] match on one of:
+.RS 2
+.IP \[bu] 2
+owner: the owner hierarchy
+.IP \[bu] 2
+platform: the platform hierarchy
+.IP \[bu] 2
+endorsement: the endorsement hierarchy
+.IP \[bu] 2
+lockout: the lockout control persistent object
+.RE
+.IP \[bu] 2
+If the argument argument can be loaded as a number it will be treat as a
+handle, e.g.\ 0x81010013 and used directly._OBJECT_.
+.SH Authorization Formatting
+.PP
+Authorization for use of an object in TPM2.0 can come in 3 different
+forms: 1.
+Password 2.
+HMAC 3.
+Sessions
+.PP
+\f[B]NOTE:\f[R] \[lq]Authorizations default to the \f[B]EMPTY
+PASSWORD\f[R] when not specified\[rq].
+.SS Passwords
+.PP
+Passwords are interpreted in the following forms below using prefix
+identifiers.
+.PP
+\f[B]Note\f[R]: By default passwords are assumed to be in the string
+form when they do not have a prefix.
+.SS String
+.PP
+A string password, specified by prefix \[lq]str:\[rq] or it\[cq]s
+absence (raw string without prefix) is not interpreted, and is directly
+used for authorization.
+.SS Examples
+.IP
+.nf
+\f[C]
+foobar
+str:foobar
+\f[R]
+.fi
+.SS Hex\-string
+.PP
+A hex\-string password, specified by prefix \[lq]hex:\[rq] is converted
+from a hexidecimal form into a byte array form, thus allowing passwords
+with non\-printable and/or terminal un\-friendly characters.
+.SS Example
+.IP
+.nf
+\f[C]
+hex:1122334455667788
+\f[R]
+.fi
+.SS File
+.PP
+A file based password, specified be prefix \[lq]file:\[rq] should be the
+path of a file containing the password to be read by the tool or a
+\[lq]\-\[rq] to use stdin.
+Storing passwords in files prevents information leakage, passwords
+passed as options can be read from the process list or common shell
+history features.
+.SS Examples
+.IP
+.nf
+\f[C]
+# to use stdin and be prompted
+file:\-
+
+# to use a file from a path
+file:path/to/password/file
+
+# to echo a password via stdin:
+echo foobar | tpm2_tool \-p file:\-
+
+# to use a bash here\-string via stdin:
+
+tpm2_tool \-p file:\- <<< foobar
+\f[R]
+.fi
+.SS Sessions
+.PP
+When using a policy session to authorize the use of an object, prefix
+the option argument with the \f[I]session\f[R] keyword.
+Then indicate a path to a session file that was created with
+tpm2_startauthsession(1).
+Optionally, if the session requires an auth value to be sent with the
+session handle (eg policy password), then append a + and a string as
+described in the \f[B]Passwords\f[R] section.
+.SS Examples
+.PP
+To use a session context file called \f[I]session.ctx\f[R].
+.IP
+.nf
+\f[C]
+session:session.ctx
+\f[R]
+.fi
+.PP
+To use a session context file called \f[I]session.ctx\f[R] \f[B]AND\f[R]
+send the authvalue mypassword.
+.IP
+.nf
+\f[C]
+session:session.ctx+mypassword
+\f[R]
+.fi
+.PP
+To use a session context file called \f[I]session.ctx\f[R] \f[B]AND\f[R]
+send the \f[I]HEX\f[R] authvalue 0x11223344.
+.IP
+.nf
+\f[C]
+session:session.ctx+hex:11223344
+\f[R]
+.fi
+.SS PCR Authorizations
+.PP
+You can satisfy a PCR policy using the \[lq]pcr:\[rq] prefix and the PCR
+minilanguage.
+The PCR minilanguage is as follows:
+\f[C]<pcr\-spec>=<raw\-pcr\-file>\f[R]
+.PP
+The PCR spec is documented in in the section \[lq]PCR bank
+specifiers\[rq].
+.PP
+The \f[C]raw\-pcr\-file\f[R] is an \f[B]optional\f[R] argument that
+contains the output of the raw PCR contents as returned by
+\f[I]tpm2_pcrread(1)\f[R].
+.PP
+PCR bank specifiers (pcr.md)
+.SS Examples
+.PP
+To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifier
+of:
+.IP
+.nf
+\f[C]
+pcr:sha256:0,1,2,3
+\f[R]
+.fi
+.PP
+specifying \f[I]AUTH\f[R].
+.SH COMMON OPTIONS
+.PP
+This collection of options are common to many programs and provide
+information that many users may expect.
+.IP \[bu] 2
+\f[B]\-h\f[R], \f[B]\-\-help=[man|no\-man]\f[R]: Display the tools
+manpage.
+By default, it attempts to invoke the manpager for the tool, however, on
+failure will output a short tool summary.
+This is the same behavior if the \[lq]man\[rq] option argument is
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
+provide errors from man on stderr.
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
+short options will be output to stdout.
+.RS 2
+.PP
+To successfully use the manpages feature requires the manpages to be
+installed or on \f[I]MANPATH\f[R], See man(1) for more details.
+.RE
+.IP \[bu] 2
+\f[B]\-v\f[R], \f[B]\-\-version\f[R]: Display version information for
+this tool, supported tctis and exit.
+.IP \[bu] 2
+\f[B]\-V\f[R], \f[B]\-\-verbose\f[R]: Increase the information that the
+tool prints to the console during its execution.
+When using this option the file and line number are printed.
+.IP \[bu] 2
+\f[B]\-Q\f[R], \f[B]\-\-quiet\f[R]: Silence normal tool output to
+stdout.
+.IP \[bu] 2
+\f[B]\-Z\f[R], \f[B]\-\-enable\-errata\f[R]: Enable the application of
+errata fixups.
+Useful if an errata fixup needs to be applied to commands sent to the
+TPM.
+Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.
+information many users may expect.
+.SH TCTI Configuration
+.PP
+The TCTI or \[lq]Transmission Interface\[rq] is the communication
+mechanism with the TPM.
+TCTIs can be changed for communication with TPMs across different
+mediums.
+.PP
+To control the TCTI, the tools respect:
+.IP "1." 3
+The command line option \f[B]\-T\f[R] or \f[B]\-\-tcti\f[R]
+.IP "2." 3
+The environment variable: \f[I]TPM2TOOLS_TCTI\f[R].
+.PP
+\f[B]Note:\f[R] The command line option always overrides the environment
+variable.
+.PP
+The current known TCTIs are:
+.IP \[bu] 2
+tabrmd \- The resource manager, called
+tabrmd (https://github.com/tpm2-software/tpm2-abrmd).
+Note that tabrmd and abrmd as a tcti name are synonymous.
+.IP \[bu] 2
+mssim \- Typically used for communicating to the TPM software simulator.
+.IP \[bu] 2
+device \- Used when talking directly to a TPM device file.
+.IP \[bu] 2
+none \- Do not initalize a connection with the TPM.
+Some tools allow for off\-tpm options and thus support not using a TCTI.
+Tools that do not support it will error when attempted to be used
+without a TCTI connection.
+Does not support \f[I]ANY\f[R] options and \f[I]MUST BE\f[R] presented
+as the exact text of \[lq]none\[rq].
+.PP
+The arguments to either the command line option or the environment
+variable are in the form:
+.PP
+\f[C]<tcti\-name>:<tcti\-option\-config>\f[R]
+.PP
+Specifying an empty string for either the \f[C]<tcti\-name>\f[R] or
+\f[C]<tcti\-option\-config>\f[R] results in the default being used for
+that portion respectively.
+.SS TCTI Defaults
+.PP
+When a TCTI is not specified, the default TCTI is searched for using
+\f[I]dlopen(3)\f[R] semantics.
+The tools will search for \f[I]tabrmd\f[R], \f[I]device\f[R] and
+\f[I]mssim\f[R] TCTIs \f[B]IN THAT ORDER\f[R] and \f[B]USE THE FIRST ONE
+FOUND\f[R].
+You can query what TCTI will be chosen as the default by using the
+\f[B]\-v\f[R] option to print the version information.
+The \[lq]default\-tcti\[rq] key\-value pair will indicate which of the
+aforementioned TCTIs is the default.
+.SS Custom TCTIs
+.PP
+Any TCTI that implements the dynamic TCTI interface can be loaded.
+The tools internally use \f[I]dlopen(3)\f[R], and the raw
+\f[I]tcti\-name\f[R] value is used for the lookup.
+Thus, this could be a path to the shared library, or a library name as
+understood by \f[I]dlopen(3)\f[R] semantics.
+.SH TCTI OPTIONS
+.PP
+This collection of options are used to configure the various known TCTI
+modules available:
+.IP \[bu] 2
+\f[B]device\f[R]: For the device TCTI, the TPM character device file for
+use by the device TCTI can be specified.
+The default is \f[I]/dev/tpm0\f[R].
+.RS 2
+.PP
+Example: \f[B]\-T device:/dev/tpm0\f[R] or \f[B]export
+\f[BI]TPM2TOOLS_TCTI\f[B]=\[lq]device:/dev/tpm0\[rq]\f[R]
+.RE
+.IP \[bu] 2
+\f[B]mssim\f[R]: For the mssim TCTI, the domain name or IP address and
+port number used by the simulator can be specified.
+The default are 127.0.0.1 and 2321.
+.RS 2
+.PP
+Example: \f[B]\-T mssim:host=localhost,port=2321\f[R] or \f[B]export
+\f[BI]TPM2TOOLS_TCTI\f[B]=\[lq]mssim:host=localhost,port=2321\[rq]\f[R]
+.RE
+.IP \[bu] 2
+\f[B]abrmd\f[R]: For the abrmd TCTI, the configuration string format is
+a series of simple key value pairs separated by a `,' character.
+Each key and value string are separated by a `=' character.
+.RS 2
+.IP \[bu] 2
+TCTI abrmd supports two keys:
+.RS 2
+.IP "1." 3
+`bus_name' : The name of the tabrmd service on the bus (a string).
+.IP "2." 3
+`bus_type' : The type of the dbus instance (a string) limited to
+`session' and `system'.
+.RE
+.PP
+Specify the tabrmd tcti name and a config string of
+\f[C]bus_name=com.example.FooBar\f[R]:
+.IP
+.nf
+\f[C]
+\[rs]\-\-tcti=tabrmd:bus_name=com.example.FooBar
+\f[R]
+.fi
+.PP
+Specify the default (abrmd) tcti and a config string of
+\f[C]bus_type=session\f[R]:
+.IP
+.nf
+\f[C]
+\[rs]\-\-tcti:bus_type=session
+\f[R]
+.fi
+.PP
+\f[B]NOTE\f[R]: abrmd and tabrmd are synonymous.
+the various known TCTI modules.
+.RE
+.SH EXAMPLES
+.SS Setup
+.PP
+To load an object you first must create an object under a primary
+object.
+So the first step is to create the primary object.
+.IP
+.nf
+\f[C]
+tpm2_createprimary \-c primary.ctx
+\f[R]
+.fi
+.PP
+Step 2 is to create an object under the primary object.
+.IP
+.nf
+\f[C]
+tpm2_create \-C primary.ctx \-u key.pub \-r key.priv \-f pem \-o pub.pem
+\f[R]
+.fi
+.PP
+This creates the private and public portions of the TPM object.
+With these object portions, it is now possible to load that object into
+the TPM for subsequent use.
+.SS Encoding an Object into a combined PEM format
+.PP
+The final step, is encoding the public and private portions of the
+object into a PEM format.
+.IP
+.nf
+\f[C]
+tpm2_encodeobject \-C primary.ctx \-u key.pub \-r key.priv \-o priv.pem
+\f[R]
+.fi
+.PP
+The generated \f[C]priv.pem\f[R] can be used together with
+\f[C]pub.pem\f[R] created in the step 2 of Setup section.
+.SH Returns
+.PP
+Tools can return any of the following codes:
+.IP \[bu] 2
+0 \- Success.
+.IP \[bu] 2
+1 \- General non\-specific error.
+.IP \[bu] 2
+2 \- Options handling error.
+.IP \[bu] 2
+3 \- Authentication error.
+.IP \[bu] 2
+4 \- TCTI related error.
+.IP \[bu] 2
+5 \- Non supported scheme.
+Applicable to tpm2_testparams.
+.SH BUGS
+.PP
+Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
+.SH HELP
+.PP
+See the Mailing
+List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)

12
SOURCES/test-fixup.patch
Unescape View File

@ -1,12 +0,0 @@
diff -ur tpm2-tools-5.2/test/integration/helpers.sh tpm2-tools-5.2-new/test/integration/helpers.sh
--- tpm2-tools-5.2/test/integration/helpers.sh 2021-08-23 09:47:20.000000000 -0700
+++ tpm2-tools-5.2-new/test/integration/helpers.sh 2022-05-31 16:06:07.939025537 -0700
@@ -409,7 +409,7 @@
echo "Starting tpm2-abrmd"
# Start tpm2-abrmd
start_abrmd || exit 1
- run_startup=false
+ # run_startup=false
else
echo "not starting abrmd"
fi

162
SPECS/tpm2-tools.spec
Unescape View File

@ -1,83 +1,49 @@
#global candidate rc2
#global candidate rc1
Name: tpm2-tools
Version: 5.2
Release: 3%{?candidate:.%{candidate}}%{?dist}
Version: 5.7
Release: 4%{?candidate:.%{candidate}}%{?dist}
Summary: A bunch of TPM testing toolS build upon tpm2-tss
License: BSD
License: BSD-3-Clause
URL: https://github.com/tpm2-software/tpm2-tools
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}%{?candidate:-%{candidate}}/%{name}-%{version}%{?candidate:-%{candidate}}.tar.gz
Patch0: 0019-build-Use-hardcoded-version-variable.patch
Patch1: test-fixup.patch
Patch2: 0001-testparms-fix-condition-for-negative-test.patch
Patch3: 0001-lib-tpm2_eventlog_yaml-use-char16_t-for-UEFI-charact.patch
Patch4: 0002-Patch-set-for-handling-of-new-event-types-in-tpm2_ev.patch
Patch5: 0003-Code-clarity-fix-for-calculation-of-data-member-addr.patch
Patch6: 0004-tpm2_eventlog-clean-up-some-magic-numbers.patch
Patch7: 0005-tpm2_eventlog_yaml-fix-malformed-YAML-for-EV_IPL-dat.patch
Patch8: 0006-test-track-expected-YAML-output-for-eventlog.patch
Patch9: 0007-tpm2_eventlog_yaml-fix-parsing-for-MokListTrusted.patch
Patch10: 0008-tests-add-eventlog-for-parsing-MokListTrusted.patch
Patch11: 0009-tpm2_eventlog_yaml-use-defines-for-Unicode-variables.patch
Patch101: 0001-Fix-nv_readpublic.patch
Patch102: 0002-tpm2_encodeobject-New-tool-to-encode-TPM2-object.patch
Patch103: 0003-tools-tpm2_evictconrol-fix-for-call-to-Esys_TR_Close.patch
Patch104: 0004-Fix-argument-parsing-in-tpm2_policylocality.patch
Patch105: 0005-tools-tpm2_tool.c-Fix-an-issue-where-LOG_WARN-is-alw.patch
Patch106: 0006-import-fix-bug-on-using-scheme.patch
Patch107: 0007-tpm2_policyor-fix-unallocated-policy-list.patch
Patch108: 0008-lib-tpm2_alg_util.c-Fix-potential-null-pointer-deref.patch
Patch109: 0009-tss2_provision-fix-usage-of-L-parameter.patch
Patch110: 0010-tpm2_encodeobject-fix-formatting.patch
Patch111: 0011-tpm2_encodeobject-fix-auth-boolean-flag.patch
Patch112: 0012-bugfix-fix-convert-sm2-public-key-in-openssl3.patch
Patch113: 0013-readpublic-fix-reading-and-writing-serialized-trs.patch
Patch114: 0014-fix-wrong-function-name-of-Esys_Load.patch
Patch115: 0015-tpm-errata-switch-to-twos-complement.patch
Patch116: 0016-tpm2_eventlog.c-Fix-pcr-extension-for-EV_NO_ACTION.patch
Patch117: 0017-kdfa.c-Fix-problem-with-FORTIFY_SOURCE-on-Fedora.patch
Patch118: add_pregenerated_doc.patch
BuildRequires: git
BuildRequires: make
BuildRequires: gcc-c++
BuildRequires: libtool
BuildRequires: autoconf-archive
%if ! 0%{?rhel}
BuildRequires: pandoc
%endif
BuildRequires: pkgconfig(cmocka)
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(openssl)
# tpm2-tss-devel provides tss2-mu/sys/esys package config
BuildRequires: pkgconfig(tss2-mu)
BuildRequires: pkgconfig(tss2-sys)
BuildRequires: pkgconfig(tss2-esys)
BuildRequires: pkgconfig(tss2-mu) >= 3.1.0
BuildRequires: pkgconfig(tss2-sys) >= 3.1.0
BuildRequires: pkgconfig(tss2-esys) >= 3.1.0
BuildRequires: pkgconfig(uuid)
# tpm2-tools is heavily depending on TPM2.0-TSS project, matched tss is required
Requires: tpm2-tss%{?_isa} >= 2.3.1
Requires: tpm2-tss%{?_isa} >= 3.1.0
%description
tpm2-tools is a batch of tools for tpm2.0. It is based on tpm2-tss.
%prep
%autosetup -S git -p1 -n %{name}-%{version}%{?candidate:-%{candidate}}
%autosetup -p1 -n %{name}-%{version}%{?candidate:-%{candidate}}
%build
autoreconf -i
# LTO exposes a latent uninitialized variable "value" in the function # "nt".
# This has been reported to the maintainer (Yunying), but they have not
# responded and I am not comfortable enough with the code to know if a trivial
# initialization to zero is appropriate/safe. So LTO is disabled for now.
%define _lto_cflags %{nil}
%configure --prefix=/usr --disable-static --disable-silent-rules CFLAGS="%{optflags} -Wno-error=deprecated-declarations"
%configure --prefix=/usr --disable-static --disable-silent-rules
%make_build
%install
%make_install
%files
%license doc/LICENSE
%doc doc/README.md doc/CHANGELOG.md
%license docs/LICENSE
%doc docs/README.md docs/CHANGELOG.md
%{_bindir}/tpm2
%{_bindir}/tpm2_*
%{_bindir}/tss2
@ -89,48 +55,80 @@ autoreconf -i
%{_mandir}/man1/tss2_*.1.gz
%changelog
* Wed May 24 2023 Štěpán Horáček <shoracek@redhat.com> - 5.2-3
- Backport fixes.
- Add tpm2_encodeobject tool.
Resolves: rhbz#2160304
Resolves: rhbz#2047342
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 5.7-4
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 5.7-3
- Rebuilt for MSVSphere 10
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 5.7-3
- Bump release for June 2024 mass rebuild
* Wed May 22 2024 Štěpán Horáček <shoracek@redhat.com> - 5.7-2
- Rebuild for gating
Resolves: RHEL-23199
* Tue May 14 2024 Štěpán Horáček <shoracek@redhat.com> - 5.7-1
- Update to 5.7
Resolves: RHEL-23199
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Nov 12 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.6-1
- Update to 5.6
* Tue Sep 26 2023 Štěpán Horáček <shoracek@redhat.com> - 5.5-5
- Migrate license to SPDX
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Mon Apr 17 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 5.5-3
- Disable compiler optimization to fix LTO + FORTIFY_SOURCE=3 issue
Resolves rhbz#2171376
* Tue Feb 21 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 5.5-2
- Disable manpage regeneration in RHEL/ELN builds
* Thu Feb 16 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 5.5-1
- Update to 5.5
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.5-0.2.rc1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Oct 19 2022 Štěpán Horáček <shoracek@redhat.com> - 5.2-2
- Fix eventlog output.
Resolves: rhbz#2136215
* Mon Dec 19 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 5.5-0.1.rc1
- Update to 5.5-RC1
- Enable LTO (RHBZ#1986628)
* Tue May 31 2022 Jerry Snitselaar <jsnitsel@redhat.com> - 5.2-1
- Rebase to 5.2 release.
Resolves: rhbz#2090748
* Thu Dec 08 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 5.4-1
- Update to 5.4
* Mon Oct 25 2021 Štěpán Horáček <shoracek@redhat.com> - 5.0-10
- Fix the version not being reported
Resolves: rhbz#2015941
* Wed Sep 28 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 5.3-1
- Update to 5.3
* Fri Oct 1 2021 Štěpán Horáček <shoracek@redhat.com> - 5.0-9
- Fix a segfault on ppc64le and add support for OpenSSL 3
Resolves: rhbz#1989617
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 5.0-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Jun 28 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 5.0-7
- Fix for CVE-2021-3565
Resolves: rhbz#1965982
* Sat Oct 02 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.2-1
- Update to 5.2
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.0-6
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.1.1-3
- Rebuilt with OpenSSL 3.0.0
* Mon May 24 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 5.0-5
- Remove pandoc dependency. Related: rhbz#1943528
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed May 19 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 5.0-4
- Work around for openssl 3.0 update. Related: rhbz#1958029
* Mon Jun 21 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.1.1-1
- Update to 5.1.1
- Fixes CVE-2021-3565 (rhbz 1964428)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 5.0-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue May 25 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 5.1-1
- Update to 5.1
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

Write Preview
Loading…
Cancel
Save