commit 6c3483b76dcc01ea90c4adfb6de5c0cc4b3e93ca Author: MSVSphere Packaging Team Date: Fri Sep 22 20:40:32 2023 +0300 import tpm2-tss-3.2.2-2.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e2bb401
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tpm2-tss-3.2.2.tar.gz
diff --git a/.tpm2-tss.metadata b/.tpm2-tss.metadata
new file mode 100644
index 0000000..8e53ba5
--- /dev/null
+++ b/.tpm2-tss.metadata
@@ -0,0 +1 @@
+6ebd166443d782e270b3f408e1489284e30dd608 SOURCES/tpm2-tss-3.2.2.tar.gz
diff --git a/SOURCES/0001-esys_iutil-fix-possible-NPD.patch b/SOURCES/0001-esys_iutil-fix-possible-NPD.patch
new file mode 100644
index 0000000..20e6eb3
--- /dev/null
+++ b/SOURCES/0001-esys_iutil-fix-possible-NPD.patch
@@ -0,0 +1,41 @@
+From f5907e96363729e16475172ef1056532d9404482 Mon Sep 17 00:00:00 2001
+From: William Roberts
+Date: Fri, 3 Jun 2022 11:51:02 -0500
+Subject: [PATCH 1/2] esys_iutil: fix possible NPD
+
+Clang-10 scan-build reports:
+src/tss2-esys/esys_iutil.c:1366:56: warning: Dereference of null pointer
+ auths->auths[auths->count].sessionHandle = session->rsrc.handle;
+ ^~~~~~~~~~~~~~~~~~~~
+1 warning generated.
+
+The code above the report checks that session might be NULL:
+RSRC_NODE_T *session = esys_context->session_tab[session_idx];
+ if (session != NULL) {
+ IESYS_SESSION *rsrc_session = &session->rsrc.misc.rsrc_session;
+ if (rsrc_session->type_policy_session == POLICY_PASSWORD) {
+
+Thus suggesting/indicating session may be NULL in subsequent code where
+session is dereferenced.
+
+Signed-off-by: William Roberts
+---
+ src/tss2-esys/esys_iutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tss2-esys/esys_iutil.c b/src/tss2-esys/esys_iutil.c
+index 4d31cef8..b364dd73 100644
+--- a/src/tss2-esys/esys_iutil.c
++++ b/src/tss2-esys/esys_iutil.c
+@@ -1352,7 +1352,7 @@ iesys_gen_auths(ESYS_CONTEXT * esys_context,
+ && encryptNonceIdx > 0) ? encryptNonce : NULL,
+ &auths->auths[session_idx]);
+ return_if_error(r, "Error while computing hmacs");
+- if (esys_context->session_tab[session_idx] != NULL) {
++ if (esys_context->session_tab[session_idx] != NULL && session != NULL) {
+ auths->auths[auths->count].sessionHandle = session->rsrc.handle;
+ auths->count++;
+ }
+--
+2.39.2
+
diff --git a/SOURCES/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch b/SOURCES/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
new file mode 100644
index 0000000..0c7930d
--- /dev/null
+++ b/SOURCES/0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
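Review bot: The added condition in iesys_gen_auths tests two names for what appears to be the same pointer: per the patch description, `session` is loaded from `esys_context->session_tab[session_idx]`, so `session_tab[session_idx] != NULL && session != NULL` repeats one check. If that assignment is still in effect at this point (it sits outside the hunk), `if (session != NULL) {` alone says the same thing and puts the guard directly on the pointer that `session->rsrc.handle` dereferences. If the two can differ here, a short comment saying when is needed instead.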
@@ -0,0 +1,65 @@
+From eb2fd8b436688377a20d24a467fd03e62d3e6c06 Mon Sep 17 00:00:00 2001
+From: William Roberts
+Date: Tue, 24 Jan 2023 10:01:23 -0600
+Subject: [PATCH 01/10] tss2-rc: fix unknown layer handler dropping bits
+
+The commit (on 4.0.1 and master):
+ - 49107d65d5c7 tss2_rc: ensure layer number is in bounds
+
+Introduces a bug where the right shift by 8 drops the lower byte going
+into the unknown_layer handler function. This will effectively drop rc
+error bits for unknown layers. The largest impact will be on windows
+where their resource manager is not a registered handler.
+
+Fix this by just dumping all the bytes and not get fancy with masking
+things out.
+
+Fixes: #2550
+
+Signed-off-by: William Roberts
+---
+ src/tss2-rc/tss2_rc.c | 4 ++--
+ test/unit/test_tss2_rc.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
+index 7e668a46..6de7d6f3 100644
+--- a/src/tss2-rc/tss2_rc.c
++++ b/src/tss2-rc/tss2_rc.c
+@@ -985,9 +985,9 @@ Tss2_RC_Decode(TSS2_RC rc)
+ } else {
+ /*
+ * we don't want to drop any bits if we don't know what to do with it
+- * so drop the layer byte since we we already have that.
++ * so just send the whole thing.
+ */
+- const char *e = unknown_layer_handler(rc >> 8);
++ const char *e = unknown_layer_handler(rc);
+ assert(e);
+ catbuf(buf, "%s", e);
+ }
+diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
+index 0b0f57c6..e5051c85 100644
+--- a/test/unit/test_tss2_rc.c
++++ b/test/unit/test_tss2_rc.c
+@@ -199,7 +199,7 @@ test_custom_handler(void **state)
+ * Test an unknown layer
+ */
+ e = Tss2_RC_Decode(rc);
+- assert_string_equal(e, "1:0x100");
++ assert_string_equal(e, "1:0x1002A");
+ }
+
+ static void
+@@ -288,7 +288,7 @@ test_all_FFs(void **state)
+ (void) state;
+
+ const char *e = Tss2_RC_Decode(0xFFFFFFFF);
+- assert_string_equal(e, "255:0xFFFFFF");
++ assert_string_equal(e, "255:0xFFFFFFFF");
+ }
+
+ static void
+--
+2.41.0
+
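Review bot: The rewritten comment in Tss2_RC_Decode does not say that the layer now appears twice in the decoded string: with the full `rc` passed to `unknown_layer_handler`, the updated tests expect `255:0xFFFFFFFF` and `1:0x1002A`, i.e. the layer prefix followed by a value that still contains the layer byte. Log parsers or monitoring rules that match on the previous format will see different values for the same return code, so the comment should spell this out, e.g. `* so pass the whole rc; the layer byte is repeated in the hex value.` The enclosing function starts and ends outside the hunk.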
diff --git a/SOURCES/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch b/SOURCES/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch
new file mode 100644
index 0000000..f6b7d65
--- /dev/null
+++ b/SOURCES/0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch
@@ -0,0 +1,65 @@
+From 6e4f8823ca6f7f062df3cd4ee88e397fac9adc37 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Thu, 9 Feb 2023 15:22:08 +0100
+Subject: [PATCH 02/10] MU: Fix unneeded size check in TPM2B unmarshaling
+
+There is a size check for the destination object whether the size is zero.
+If the memory of the destination object is no cleared this might cause
+a race conditions.
+Unneeded tests from the integration test tpmclient were removed.
+Fixes: #2564
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-mu/tpm2b-types.c | 6 +-----
+ test/tpmclient/tpmclient.int.c | 9 ---------
+ 2 files changed, 1 insertion(+), 14 deletions(-)
+
+diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c
+index 2e10f487..6e8915f6 100644
+--- a/src/tss2-mu/tpm2b-types.c
++++ b/src/tss2-mu/tpm2b-types.c
+@@ -248,11 +248,7 @@ TSS2_RC Tss2_MU_##type##_Unmarshal(uint8_t const buffer[], size_t buffer_size, \
+ sizeof(size)); \
+ return TSS2_MU_RC_INSUFFICIENT_BUFFER; \
+ } \
+- if (dest && dest->size != 0) { \
+- LOG_WARNING("Size not zero"); \
+- return TSS2_SYS_RC_BAD_VALUE; \
+- } \
+-\
++ \
+ rc = Tss2_MU_UINT16_Unmarshal(buffer, buffer_size, &local_offset, &size); \
+ if (rc) \
+ return rc; \
+diff --git a/test/tpmclient/tpmclient.int.c b/test/tpmclient/tpmclient.int.c
+index deedcfb7..16443955 100644
+--- a/test/tpmclient/tpmclient.int.c
++++ b/test/tpmclient/tpmclient.int.c
+@@ -847,12 +847,6 @@ static void TestHierarchyControl()
+ rval = Tss2_Sys_NV_DefineSpace( sysContext, TPM2_RH_PLATFORM, &sessionsData, &nvAuth, &publicInfo, 0 );
+ CheckPassed( rval );
+
+- /* Test SYS for case where nvPublic.size != 0 */
+- nvPublic.size = 0xff;
+- INIT_SIMPLE_TPM2B_SIZE( nvName );
+- rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
+- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
+-
+ nvPublic.size = 0;
+ INIT_SIMPLE_TPM2B_SIZE( nvName );
+ rval = Tss2_Sys_NV_ReadPublic( sysContext, TPM20_INDEX_TEST1, 0, &nvPublic, &nvName, 0 );
+@@ -2135,10 +2129,7 @@ static void EcEphemeralTest()
+
+ LOG_INFO("EC Ephemeral TESTS:" );
+
+- /* Test SYS for case of Q size field not being set to 0. */
+ INIT_SIMPLE_TPM2B_SIZE( Q );
+- rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
+- CheckFailed( rval, TSS2_SYS_RC_BAD_VALUE );
+
+ Q.size = 0;
+ rval = Tss2_Sys_EC_Ephemeral( sysContext, 0, TPM2_ECC_BN_P256, &Q, &counter, 0 );
+--
+2.41.0
+
diff --git a/SOURCES/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch b/SOURCES/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch
new file mode 100644
index 0000000..955acd1
--- /dev/null
+++ b/SOURCES/0003-FAPI-Fix-parameter-encryption-for-provisioning.patch
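Review bot: The two negative tests in tpmclient.int.c are deleted without a replacement, so the new contract of the unmarshal macro (a destination whose `size` field holds stale data is accepted and overwritten) is not covered by any test. Keeping the NV_ReadPublic case with `nvPublic.size = 0xff;` and changing its expectation to `CheckPassed( rval );` would pin that behaviour, assuming the Sys call now succeeds. With the `dest->size != 0` guard gone, the only protection against an oversized TPM2B is whatever bound the macro applies to the unmarshaled `size` further down; that code is outside this hunk and should be confirmed.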
@@ -0,0 +1,78 @@
+From d486edf730d652c8ab2fc50eb00e45223b43628f Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Tue, 14 Feb 2023 19:52:28 +0100
+Subject: [PATCH 03/10] FAPI: Fix parameter encryption for provisioning
+
+Currently no parameter encryption was made during provisioning.
+Now the EK es used as tpmkey for the create primary session of
+the SRK and the SRK is used for parameter encryption of the
+other command executed during provisioning.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/api/Fapi_Provision.c | 6 ++++--
+ src/tss2-fapi/fapi_int.h | 7 ++++---
+ src/tss2-fapi/fapi_util.c | 5 ++++-
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/tss2-fapi/api/Fapi_Provision.c b/src/tss2-fapi/api/Fapi_Provision.c
+index 97c25828..48f2fd3b 100644
+--- a/src/tss2-fapi/api/Fapi_Provision.c
++++ b/src/tss2-fapi/api/Fapi_Provision.c
+@@ -884,7 +884,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
+ statecase(context->state, PROVISION_INIT_SRK);
+ /* Create session which will be used for SRK generation. */
+ context->srk_handle = context->ek_handle;
+- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
++ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
++ TPMA_SESSION_DECRYPT, 0);
+ goto_if_error_reset_state(r, "Create sessions", error_cleanup);
+
+ fallthrough;
+@@ -1084,7 +1085,8 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
+ try_again_or_error_goto(r, "Cleanup", error_cleanup);
+
+ /* Create session which will be used for parameter encryption. */
+- r = ifapi_get_sessions_async(context, IFAPI_SESSION1, 0, 0);
++ r = ifapi_get_sessions_async(context, IFAPI_SESSION_USE_SRK | IFAPI_SESSION1,
++ TPMA_SESSION_DECRYPT, 0);
+ goto_if_error_reset_state(r, "Create sessions", error_cleanup);
+
+ fallthrough;
+diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h
+index 5f666a75..8533112a 100644
+--- a/src/tss2-fapi/fapi_int.h
++++ b/src/tss2-fapi/fapi_int.h
+@@ -55,9 +55,10 @@ typedef UINT32 TSS2_KEY_TYPE;
+ #define MAX_PLATFORM_CERT_HANDLE 0x01C0FFFF
+
+ typedef UINT8 IFAPI_SESSION_TYPE;
+-#define IFAPI_SESSION_GENEK 0x01
+-#define IFAPI_SESSION1 0x02
+-#define IFAPI_SESSION2 0x04
++#define IFAPI_SESSION_GENEK 0x01
++#define IFAPI_SESSION1 0x02
++#define IFAPI_SESSION2 0x04
++#define IFAPI_SESSION_USE_SRK 0x08
+
+ #define IFAPI_POLICY_PATH "policy"
+ #define IFAPI_NV_PATH "nv"
+diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
+index 44dd4168..ded0d247 100644
+--- a/src/tss2-fapi/fapi_util.c
++++ b/src/tss2-fapi/fapi_util.c
+@@ -1327,7 +1327,10 @@ ifapi_get_sessions_async(FAPI_CONTEXT *context,
+ context->session2_attribute_flags = attribute_flags2;
+ char *file = NULL;
+
+- if (!(session_flags & IFAPI_SESSION_GENEK)) {
++ if (session_flags & IFAPI_SESSION_USE_SRK) {
++ context->session_state = SESSION_CREATE_SESSION;
++ return TSS2_RC_SUCCESS;
++ } else if (!(session_flags & IFAPI_SESSION_GENEK)) {
+ context->srk_handle = ESYS_TR_NONE;
+ context->session_state = SESSION_CREATE_SESSION;
+ return TSS2_RC_SUCCESS;
+--
+2.41.0
+
diff --git a/SOURCES/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch b/SOURCES/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
new file mode 100644
index 0000000..28b2a3d
--- /dev/null
+++ b/SOURCES/0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
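Review bot: The new `IFAPI_SESSION_USE_SRK` branch in ifapi_get_sessions_async returns without touching `context->srk_handle`, so the key used for the session is whatever the caller left there, and that contract is documented nowhere. The first call site sets `context->srk_handle = context->ek_handle;` just before the call; the second one (around line 1085) shows no assignment inside the hunk and relies on state set earlier in Fapi_Provision_Finish. If the handle were still `ESYS_TR_NONE` the session would presumably be created without a salt key and the `TPMA_SESSION_DECRYPT` attribute would give little protection. A comment on the define such as `/* use the key already stored in context->srk_handle as tpmKey; caller must set it */` plus a guard `if (context->srk_handle == ESYS_TR_NONE)` that returns an error in the new branch would make the requirement explicit.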
@@ -0,0 +1,101 @@
+From 6bb79f17b89592909830f872dc47d09c0e5dadda Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Fri, 3 Mar 2023 11:17:43 +0100
+Subject: [PATCH 04/10] FAPI: Fix missing parameter encryption for policy
+ sessions.
+
+The parameter encryption for policy sessions was not enabled.
+Now the parameter encryption is enabled and the auth value of
+objects is added to the session key.
+One exception is the cp hash policy. In this case the
+the cp hash check forced by this policy would fail with an
+encrypted parameter.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/fapi_util.c | 28 ++++++++++++------------
+ src/tss2-fapi/ifapi_policy_execute.c | 5 +++++
+ src/tss2-fapi/ifapi_policyutil_execute.c | 4 ++++
+ 3 files changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
+index ded0d247..55ce3327 100644
+--- a/src/tss2-fapi/fapi_util.c
++++ b/src/tss2-fapi/fapi_util.c
+@@ -2110,21 +2110,20 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
+ statecase(object->authorization_state, AUTH_INIT)
+ LOG_TRACE("**STATE** AUTH_INIT");
+
+- if (!policy_digest_size(object)) {
+- /* No policy used authorization callbacks have to be called if necessary. */
+- if (object_with_auth(object)) {
+- /* Check whether hierarchy was already authorized. */
+- if (object->objectType != IFAPI_HIERARCHY_OBJ ||
+- !object->misc.hierarchy.authorized) {
+- char *description = NULL;
+- r = ifapi_get_description(object, &description);
+- return_if_error(r, "Get description");
+-
+- r = ifapi_set_auth(context, object, description);
+- SAFE_FREE(description);
+- return_if_error(r, "Set auth value");
+- }
++ if (object_with_auth(object)) {
++ /* Check whether hierarchy was already authorized. */
++ if (object->objectType != IFAPI_HIERARCHY_OBJ ||
++ !object->misc.hierarchy.authorized) {
++ char *description = NULL;
++ r = ifapi_get_description(object, &description);
++ return_if_error(r, "Get description");
++
++ r = ifapi_set_auth(context, object, description);
++ SAFE_FREE(description);
++ return_if_error(r, "Set auth value");
+ }
++ }
++ if (!policy_digest_size(object)) {
+ /* No policy session needed current fapi session can be used */
+ if (context->session1 && context->session1 != ESYS_TR_NONE)
+ *session = context->session1;
+@@ -2133,6 +2132,7 @@ ifapi_authorize_object(FAPI_CONTEXT *context, IFAPI_OBJECT *object, ESYS_TR *ses
+ *session = ESYS_TR_PASSWORD;
+ break;
+ }
++
+ /* Save current object to be authorized in context. */
+ context->current_auth_object = object;
+ r = ifapi_policyutil_execute_prepare(context, get_name_alg(context, object),
+diff --git a/src/tss2-fapi/ifapi_policy_execute.c b/src/tss2-fapi/ifapi_policy_execute.c
+index c2ce3301..0e7de316 100644
+--- a/src/tss2-fapi/ifapi_policy_execute.c
++++ b/src/tss2-fapi/ifapi_policy_execute.c
+@@ -1245,6 +1245,11 @@ execute_policy_cp_hash(
+ r = Esys_PolicyCpHash_Finish(esys_ctx);
+ try_again_or_error(r, "Execute PolicyCpHash_Finish.");
+
++ /* Disable encryption to enable check of cp hash defined in
++ policy cp. */
++ r = Esys_TRSess_SetAttributes(esys_ctx, current_policy->session,
++ 0, 0xff);
++
+ current_policy->state = POLICY_EXECUTE_INIT;
+ return r;
+
+diff --git a/src/tss2-fapi/ifapi_policyutil_execute.c b/src/tss2-fapi/ifapi_policyutil_execute.c
+index 997fb504..0e2823cb 100644
+--- a/src/tss2-fapi/ifapi_policyutil_execute.c
++++ b/src/tss2-fapi/ifapi_policyutil_execute.c
+@@ -119,6 +119,10 @@ create_session(
+ r = Esys_StartAuthSession_Finish(context->esys, session);
+ if (r != TSS2_RC_SUCCESS)
+ return r;
++
++ r = Esys_TRSess_SetAttributes(context->esys, *session,
++ TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT,
++ 0xff);
+ context->policy.create_session_state = CREATE_SESSION_INIT;
+ break;
+
+--
+2.41.0
+
diff --git a/SOURCES/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch b/SOURCES/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch
new file mode 100644
index 0000000..fd385af
--- /dev/null
+++ b/SOURCES/0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch
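Review bot: Neither new `Esys_TRSess_SetAttributes` call has its result checked at the point where it is made. In create_session, `r` is assigned, the state is reset to `CREATE_SESSION_INIT` and the case ends with `break;`, so unless the code after the switch (outside the hunk) tests `r`, a failure leaves a policy session without parameter encryption and nothing is logged. In execute_policy_cp_hash the value is returned, but only after `current_policy->state` has been reset and without a message. Adding `return_if_error(r, "Set session attributes.");` directly after each call would close that gap. Both calls also pass mask `0xff`, which rewrites every session attribute rather than only the two encryption bits; using `TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT` as the mask would leave the others untouched, if that is the intent.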
@@ -0,0 +1,59 @@
+From c7cd976e7152e3f5aaa813aaebf4ab1e5d9b1f3e Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Sun, 5 Mar 2023 19:19:22 +0100
+Subject: [PATCH 05/10] FAPI: Fix missing parameter encryption for some HMAC
+ sessions.
+
+* For Fapi_CreateNv and Fap_NvSetBits the parameter encryption was not enabled.
+* For Fapi_Unseal the response description was not enabled.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/api/Fapi_CreateNv.c | 2 +-
+ src/tss2-fapi/api/Fapi_NvSetBits.c | 2 +-
+ src/tss2-fapi/fapi_util.c | 3 ++-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/tss2-fapi/api/Fapi_CreateNv.c b/src/tss2-fapi/api/Fapi_CreateNv.c
+index 45e72e33..8160b99d 100644
+--- a/src/tss2-fapi/api/Fapi_CreateNv.c
++++ b/src/tss2-fapi/api/Fapi_CreateNv.c
+@@ -399,7 +399,7 @@ Fapi_CreateNv_Finish(
+ context->primary_state = PRIMARY_INIT;
+ r = ifapi_get_sessions_async(context,
+ IFAPI_SESSION_GENEK | IFAPI_SESSION1,
+- 0, 0);
++ TPMA_SESSION_DECRYPT, 0);
+ goto_if_error_reset_state(r, "Create sessions", error_cleanup);
+ fallthrough;
+
+diff --git a/src/tss2-fapi/api/Fapi_NvSetBits.c b/src/tss2-fapi/api/Fapi_NvSetBits.c
+index 0615aa12..adf332e0 100644
+--- a/src/tss2-fapi/api/Fapi_NvSetBits.c
++++ b/src/tss2-fapi/api/Fapi_NvSetBits.c
+@@ -282,7 +282,7 @@ Fapi_NvSetBits_Finish(
+ /* Prepare session for authorization */
+ r = ifapi_get_sessions_async(context,
+ IFAPI_SESSION_GENEK | IFAPI_SESSION1,
+- 0, 0);
++ TPMA_SESSION_DECRYPT, 0);
+ goto_if_error_reset_state(r, "Create sessions", error_cleanup);
+
+ fallthrough;
+diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
+index 55ce3327..ef4a92d0 100644
+--- a/src/tss2-fapi/fapi_util.c
++++ b/src/tss2-fapi/fapi_util.c
+@@ -2743,7 +2743,8 @@ ifapi_load_key(
+ /* Prepare the session creation. */
+ r = ifapi_get_sessions_async(context,
+ IFAPI_SESSION_GENEK | IFAPI_SESSION1,
+- TPMA_SESSION_DECRYPT, 0);
++ TPMA_SESSION_DECRYPT | TPMA_SESSION_ENCRYPT,
++ 0);
+ goto_if_error_reset_state(r, "Create sessions", error_cleanup);
+ fallthrough;
+
+--
+2.41.0
+
diff --git a/SOURCES/0006-FAPI-Fix-usage-of-persistent-handles.patch b/SOURCES/0006-FAPI-Fix-usage-of-persistent-handles.patch
new file mode 100644
index 0000000..b1b2df0
--- /dev/null
+++ b/SOURCES/0006-FAPI-Fix-usage-of-persistent-handles.patch
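Review bot: The `TPMA_SESSION_ENCRYPT` bit is added in the shared helper ifapi_load_key rather than in the unseal path, so response encryption is requested for every caller that loads a key through it, while the patch description mentions only Fapi_Unseal. That is probably the safer default, but it is a wider change than described and deserves a comment at the call, e.g. `/* ENCRYPT: protect response parameters of commands that reuse this session, e.g. Unseal */`. The CreateNv and NvSetBits hunks request only `TPMA_SESSION_DECRYPT`; whether those sessions are later reused for commands that return sensitive data is not visible here and is worth confirming.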
@@ -0,0 +1,61 @@
+From db8ccb1df778dc92d1be88a88ddcd9d6c92c3e63 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Mon, 3 Apr 2023 21:21:55 +0200
+Subject: [PATCH 06/10] FAPI: Fix usage of persistent handles.
+
+* Evict control for persistent keys created with Fapi_CreateKey was
+ called with the wrong handle.
+* If Fapi_Quote was executed with a primary key for this key flush
+ context was called.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/api/Fapi_Quote.c | 14 +++++++++-----
+ src/tss2-fapi/fapi_util.c | 1 +
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/tss2-fapi/api/Fapi_Quote.c b/src/tss2-fapi/api/Fapi_Quote.c
+index b71267a7..61e4e3db 100644
+--- a/src/tss2-fapi/api/Fapi_Quote.c
++++ b/src/tss2-fapi/api/Fapi_Quote.c
+@@ -392,16 +392,20 @@ Fapi_Quote_Finish(
+ goto_if_error(r, "Error: PCR_Quote", error_cleanup);
+
+ /* Flush the key used for the quote. */
+- r = Esys_FlushContext_Async(context->esys, command->handle);
+- goto_if_error(r, "Error: FlushContext", error_cleanup);
++ if (!command->key_object->misc.key.persistent_handle) {
++ r = Esys_FlushContext_Async(context->esys, command->handle);
++ goto_if_error(r, "Error: FlushContext", error_cleanup);
++ }
+ command->handle = ESYS_TR_NONE;
+
+ fallthrough;
+
+ statecase(context->state, PCR_QUOTE_WAIT_FOR_FLUSH);
+- r = Esys_FlushContext_Finish(context->esys);
+- return_try_again(r);
+- goto_if_error(r, "Error: Sign", error_cleanup);
++ if (!command->key_object->misc.key.persistent_handle) {
++ r = Esys_FlushContext_Finish(context->esys);
++ return_try_again(r);
++ goto_if_error(r, "Error: Sign", error_cleanup);
++ }
+
+ sig_key_object = command->key_object;
+ /* Convert the TPM-encoded signature into something useful for the caller. */
+diff --git a/src/tss2-fapi/fapi_util.c b/src/tss2-fapi/fapi_util.c
+index ef4a92d0..49f7dd07 100644
+--- a/src/tss2-fapi/fapi_util.c
++++ b/src/tss2-fapi/fapi_util.c
+@@ -4746,6 +4746,7 @@ ifapi_create_primary(
+
+ statecase(context->cmd.Key_Create.state, KEY_CREATE_PRIMARY_WAIT_FOR_AUTHORIZE2);
+ if (template->persistent_handle) {
++ object->misc.key.persistent_handle = template->persistent_handle;
+ r = ifapi_authorize_object(context, hierarchy, &auth_session);
+ FAPI_SYNC(r, "Authorize hierarchy.", error_cleanup);
+
+--
+2.41.0
+
diff --git a/SOURCES/0007-build-Fix-failed-build-with-disable-vendor.patch b/SOURCES/0007-build-Fix-failed-build-with-disable-vendor.patch
new file mode 100644
index 0000000..5ff29c9
--- /dev/null
+++ b/SOURCES/0007-build-Fix-failed-build-with-disable-vendor.patch
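Review bot: In the `PCR_QUOTE_WAIT_FOR_FLUSH` state the re-indented line `goto_if_error(r, "Error: Sign", error_cleanup);` reports a failed `Esys_FlushContext_Finish` as a signing error; since the line is rewritten anyway it should read `goto_if_error(r, "Error: FlushContext", error_cleanup);`, matching the async call above it. The test `!command->key_object->misc.key.persistent_handle` is repeated in two states without explanation, so a comment at the first use such as `/* persistent keys stay in the TPM; only transient handles are flushed */` would help. In ifapi_create_primary the handle is recorded on `object` before `ifapi_authorize_object` and the following steps have succeeded; if a later step fails and the object is still used, a transient key would be treated as persistent and never flushed, which should be confirmed against the error path outside the hunk.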
@@ -0,0 +1,62 @@
+From e46840f3ec5932f3f9206f3eab903d82b7a977db Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Mon, 27 Feb 2023 18:00:54 +0100
+Subject: [PATCH 07/10] build: Fix failed build with --disable-vendor
+
+The compilation of the marshaling functions for TPML_INTEL_PTT_PROPERTY
+is now disabled for builds with --disable-vendor.
+Fixes: #2571
+
+Signed-off-by: Juergen Repp
+---
+ include/tss2/tss2_tpm2_types.h | 2 ++
+ src/tss2-mu/tpml-types.c | 2 ++
+ tss2-dlopen/tss2-dlopen-mu.c | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/include/tss2/tss2_tpm2_types.h b/include/tss2/tss2_tpm2_types.h
+index 96286fb7..39a6978c 100644
+--- a/include/tss2/tss2_tpm2_types.h
++++ b/include/tss2/tss2_tpm2_types.h
+@@ -63,7 +63,9 @@
+ #define TPM2_PRIVATE_VENDOR_SPECIFIC_BYTES ((TPM2_MAX_RSA_KEY_BYTES / 2) * (3 + 2))
+
+ /* Vendor Specific Defines */
++#ifndef DISABLE_VENDOR
+ #define TPM2_MAX_PTT_PROPERTIES (TPM2_MAX_CAP_BUFFER / sizeof(UINT32))
++#endif
+
+ /* Attached Component Capabilities */
+ #define TPM2_MAX_AC_CAPABILITIES (TPM2_MAX_CAP_BUFFER / sizeof(TPMS_AC_OUTPUT))
+diff --git a/src/tss2-mu/tpml-types.c b/src/tss2-mu/tpml-types.c
+index 60f85a8c..1df9bbb8 100644
+--- a/src/tss2-mu/tpml-types.c
++++ b/src/tss2-mu/tpml-types.c
+@@ -175,8 +175,10 @@ TPML_MARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Marshal, pcrSelectio
+ TPML_UNMARSHAL(TPML_PCR_SELECTION, Tss2_MU_TPMS_PCR_SELECTION_Unmarshal, pcrSelections)
+ TPML_MARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Marshal, digests, ADDR)
+ TPML_UNMARSHAL(TPML_DIGEST_VALUES, Tss2_MU_TPMT_HA_Unmarshal, digests)
++#ifndef DISABLE_VENDOR
+ TPML_MARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Marshal, property, VAL)
+ TPML_UNMARSHAL(TPML_INTEL_PTT_PROPERTY, Tss2_MU_UINT32_Unmarshal, property)
++#endif
+ TPML_MARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Marshal, acCapabilities, ADDR)
+ TPML_UNMARSHAL(TPML_AC_CAPABILITIES, Tss2_MU_TPMS_AC_OUTPUT_Unmarshal, acCapabilities)
+ TPML_MARSHAL(TPML_TAGGED_POLICY, Tss2_MU_TPMS_TAGGED_POLICY_Marshal, policies, ADDR)
+diff --git a/tss2-dlopen/tss2-dlopen-mu.c b/tss2-dlopen/tss2-dlopen-mu.c
+index 2297818b..21cd1123 100644
+--- a/tss2-dlopen/tss2-dlopen-mu.c
++++ b/tss2-dlopen/tss2-dlopen-mu.c
+@@ -254,7 +254,9 @@ MAKE_MU_STRUCT(TPML_ALG_PROPERTY);
+ MAKE_MU_STRUCT(TPML_ECC_CURVE);
+ MAKE_MU_STRUCT(TPML_TAGGED_PCR_PROPERTY);
+ MAKE_MU_STRUCT(TPML_TAGGED_TPM_PROPERTY);
++#ifndef DISABLE_VENDOR
+ MAKE_MU_STRUCT(TPML_INTEL_PTT_PROPERTY);
++#endif
+ MAKE_MU_STRUCT(TPML_AC_CAPABILITIES);
+ MAKE_MU_STRUCT(TPML_TAGGED_POLICY);
+ MAKE_MU_STRUCT(TPML_ACT_DATA);
+--
+2.41.0
+
diff --git a/SOURCES/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch b/SOURCES/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch
new file mode 100644
index 0000000..14aa2b5
--- /dev/null
+++ b/SOURCES/0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch
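Review bot: The guard added to include/tss2/tss2_tpm2_types.h depends on `DISABLE_VENDOR`, which looks like a build-time macro of the library rather than something an application defines. An installed public header is compiled by consumers without the library's configuration, so they would still see `TPM2_MAX_PTT_PROPERTIES` (and presumably the `TPML_INTEL_PTT_PROPERTY` prototypes, which are not part of this hunk) while a library built with --disable-vendor no longer provides the marshal functions; the mismatch then surfaces as a link error or a failed symbol lookup in tss2-dlopen instead of at compile time. Either leave the constant in the public header unguarded and guard only the .c files, or add a comment next to the `#ifndef` stating that consumers must define the macro to match the library build.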
@@ -0,0 +1,35 @@
+From acb274ee0c59d6159b66e2df08aaf410e179f5f9 Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Mon, 10 Apr 2023 20:20:24 +0200
+Subject: [PATCH 08/10] FAPI: Fapi_GetInfo display warning for SHA3 hash algs.
+
+Currenlty FAPI_GetInfo did produce errors if the TPM implements
+SHA3 hash algs. Now a warning is displayed.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/tpm_json_serialize.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/tss2-fapi/tpm_json_serialize.c b/src/tss2-fapi/tpm_json_serialize.c
+index 1eaa4eb2..65320da6 100644
+--- a/src/tss2-fapi/tpm_json_serialize.c
++++ b/src/tss2-fapi/tpm_json_serialize.c
+@@ -1558,6 +1558,14 @@ ifapi_json_TPMS_ALG_PROPERTY_serialize(const TPMS_ALG_PROPERTY *in, json_object
+ return_if_null(in, "Bad reference.", TSS2_FAPI_RC_BAD_REFERENCE);
+
+ TSS2_RC r;
++
++ if ((in->alg == TPM2_ALG_SHA3_256 ||
++ in->alg == TPM2_ALG_SHA3_384 ||
++ in->alg == TPM2_ALG_SHA3_512)) {
++ LOG_WARNING("SHA3 hash algs are not supported by TSS");
++ return TSS2_RC_SUCCESS;
++ }
++
+ json_object *jso2;
+ if (*jso == NULL)
+ *jso = json_object_new_object ();
+--
+2.41.0
+
diff --git a/SOURCES/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch b/SOURCES/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch
new file mode 100644
index 0000000..4fe97d2
--- /dev/null
+++ b/SOURCES/0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch
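Review bot: The early `return TSS2_RC_SUCCESS;` in ifapi_json_TPMS_ALG_PROPERTY_serialize sits before `*jso` is created, so for a SHA3 algorithm the caller gets success with `*jso` unchanged. If the caller passed a NULL object and then adds the result to a JSON array (the caller is outside the hunk), the capability list would gain a null entry or the caller would use a NULL pointer. Creating an empty object before returning, or letting the caller skip the entry on a distinct return value, would avoid that. The warning would also be more useful with the algorithm id, e.g. `LOG_WARNING("SHA3 hash alg 0x%x is not supported by TSS", in->alg);`, and the condition carries a redundant second pair of parentheses.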
@@ -0,0 +1,39 @@
+From e43323dd5c089ed6af0a6a77b30f97350e1fbb6a Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Sun, 9 Apr 2023 08:38:56 +0200
+Subject: [PATCH 09/10] FAPI: Skip provisioning test for nv ext and profile
+ paths.
+
+The provisioning test in ifapi_check_provisioned will be skipped
+for ext nv and profile paths. The test did produce inappropriate
+error messages if the corresponding paths did not exist in keystore.
+The test is only needed for pathnames starting with the profile.
+Fixes: #2596
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/ifapi_keystore.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/tss2-fapi/ifapi_keystore.c b/src/tss2-fapi/ifapi_keystore.c
+index 7e50ee1e..38c2f7fd 100644
+--- a/src/tss2-fapi/ifapi_keystore.c
++++ b/src/tss2-fapi/ifapi_keystore.c
+@@ -1772,6 +1772,14 @@ ifapi_check_provisioned(
+
+ *ok = false;
+
++ /* No profile in path, test can be skipped. */
++ if (ifapi_path_type_p(rel_path, IFAPI_NV_PATH) ||
++ ifapi_path_type_p(rel_path, IFAPI_POLICY_PATH) ||
++ ifapi_path_type_p(rel_path, IFAPI_EXT_PATH)) {
++ *ok = true;
++ return TSS2_RC_SUCCESS;
++ }
++
+ /* First expand path in user directory */
+ r = expand_path(keystore, rel_path, &directory);
+ goto_if_error(r, "Expand path", cleanup);
+--
+2.41.0
+
diff --git a/SOURCES/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch b/SOURCES/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
new file mode 100644
index 0000000..2e83a61
--- /dev/null
+++ b/SOURCES/0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
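Review bot: The new early exit in ifapi_check_provisioned does not match its own description: the subject and body speak of "nv ext and profile paths" and the comment says `/* No profile in path, test can be skipped. */`, but the code tests `IFAPI_NV_PATH`, `IFAPI_POLICY_PATH` and `IFAPI_EXT_PATH`. The code is probably what was meant, so the comment should name the three path types, e.g. `/* nv, policy and ext paths carry no profile; nothing to check */`. For these paths `*ok = true` is now returned without consulting the keystore at all, so any caller that treated this function as evidence that provisioning has happened no longer gets that for NV, policy and external objects; the function's documentation, which is outside the hunk, should say so.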
@@ -0,0 +1,30 @@
+From 12519626a221f0e4c20e66ec101429fc0f321c6f Mon Sep 17 00:00:00 2001
+From: Juergen Repp
+Date: Fri, 12 May 2023 09:30:53 +0200
+Subject: [PATCH 10/10] FAPI: Fix wrong allocation of pcr policy.
+
+The list of pcr registers was was allocated with the wrong size in the
+function copy_policy_element which caused a segfault if more than one
+pcr was used.
+
+Signed-off-by: Juergen Repp
+---
+ src/tss2-fapi/ifapi_helpers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tss2-fapi/ifapi_helpers.c b/src/tss2-fapi/ifapi_helpers.c
+index e1c4220b..5c574717 100644
+--- a/src/tss2-fapi/ifapi_helpers.c
++++ b/src/tss2-fapi/ifapi_helpers.c
+@@ -1343,7 +1343,7 @@ copy_policy_element(const TPMT_POLICYELEMENT *from_policy, TPMT_POLICYELEMENT *t
+ case POLICYPCR:
+ to_policy->element.PolicyPCR.pcrs =
+ calloc(1, sizeof(TPML_PCRVALUES) +
+- from_policy->element.PolicyPCR.pcrs->count + sizeof(TPMS_PCRVALUE));
++ from_policy->element.PolicyPCR.pcrs->count * sizeof(TPMS_PCRVALUE));
+ goto_if_null2(to_policy->element.PolicyPCR.pcrs, "Out of memory.",
+ r, TSS2_FAPI_RC_MEMORY, error);
+ to_policy->element.PolicyPCR.pcrs->count
+--
+2.41.0
+
diff --git a/SOURCES/tpm2-tss-3.0.0-doxygen.patch b/SOURCES/tpm2-tss-3.0.0-doxygen.patch
new file mode 100644
index 0000000..2f82472
--- /dev/null
+++ b/SOURCES/tpm2-tss-3.0.0-doxygen.patch
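Review bot: The corrected size expression in copy_policy_element, `sizeof(TPML_PCRVALUES) + count * sizeof(TPMS_PCRVALUE)`, is still computed without a bound on `count` and without a NULL check on `from_policy->element.PolicyPCR.pcrs`. The count comes from the policy being copied, which may originate from a policy file, and on targets with a 32-bit `size_t` the multiplication can wrap and produce a buffer shorter than the element list written into it. A guard before the `calloc`, e.g. `if (count > (SIZE_MAX - sizeof(TPML_PCRVALUES)) / sizeof(TPMS_PCRVALUE))` that sets `r` and jumps to `error`, would rule that out. The copy that follows is outside the hunk, so how `count` elements are written should be checked as well.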
@@ -0,0 +1,15 @@
+diff -up tpm2-tss-3.0.0/Doxyfile.in.me tpm2-tss-3.0.0/Doxyfile.in
+--- tpm2-tss-3.0.0/Doxyfile.in.me 2020-09-15 20:24:26.463314644 +0200
++++ tpm2-tss-3.0.0/Doxyfile.in 2020-09-15 20:26:29.010866650 +0200
+@@ -947,7 +947,10 @@ EXCLUDE_PATTERNS =
+ # Note that the wildcards are matched against the file with absolute path, so to
+ # exclude all test directories use the pattern */test/*
+
+-EXCLUDE_SYMBOLS = *_IN IESYS_CMD_IN_PARAM
++EXCLUDE_SYMBOLS = StartAuthSession_IN CreatePrimary_IN ContextSave_IN ContextLoad_IN \
++ Load_IN LoadExternal_IN CreateLoaded_IN EvictControl_IN HMAC_Start_IN \
++ HierarchyChangeAuth_IN SequenceComplete_IN Policy_IN NV_IN FlushContext_IN \
++ IESYS_CMD_IN_PARAM
+
+ # The EXAMPLE_PATH tag can be used to specify one or more files or directories
+ # that contain example code fragments that are included (see the \include
diff --git a/SOURCES/tpm2-tss-systemd-sysusers.conf b/SOURCES/tpm2-tss-systemd-sysusers.conf
new file mode 100644
index 0000000..bf66465
--- /dev/null
+++ b/SOURCES/tpm2-tss-systemd-sysusers.conf
@@ -0,0 +1,2 @@
+#Type Name ID GECOS Home directory Shell
+u tss 59 "Account used for TPM access" - -
diff --git a/SPECS/tpm2-tss.spec b/SPECS/tpm2-tss.spec
new file mode 100644
index 0000000..09f7c07
--- /dev/null
+++ b/SPECS/tpm2-tss.spec
@@ -0,0 +1,310 @@
+Name: tpm2-tss
+Version: 3.2.2
+Release: 2%{?dist}
+Summary: TPM2.0 Software Stack
+
+License: BSD
+URL: https://github.com/tpm2-software/tpm2-tss
+Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1: tpm2-tss-systemd-sysusers.conf
+# doxygen patch
+Patch0: tpm2-tss-3.0.0-doxygen.patch
+Patch2: 0001-esys_iutil-fix-possible-NPD.patch
+Patch3: 0001-tss2-rc-fix-unknown-layer-handler-dropping-bits.patch
+Patch4: 0002-MU-Fix-unneeded-size-check-in-TPM2B-unmarshaling.patch
+Patch5: 0003-FAPI-Fix-parameter-encryption-for-provisioning.patch
+Patch6: 0004-FAPI-Fix-missing-parameter-encryption-for-policy-ses.patch
+Patch7: 0005-FAPI-Fix-missing-parameter-encryption-for-some-HMAC-.patch
+Patch8: 0006-FAPI-Fix-usage-of-persistent-handles.patch
+Patch11: 0007-build-Fix-failed-build-with-disable-vendor.patch
+Patch12: 0008-FAPI-Fapi_GetInfo-display-warning-for-SHA3-hash-algs.patch
+Patch13: 0009-FAPI-Skip-provisioning-test-for-nv-ext-and-profile-p.patch
+Patch14: 0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch
+
+%global udevrules_prefix 60-
+
+BuildRequires: make
+BuildRequires: autoconf-archive
+BuildRequires: doxygen
+BuildRequires: gcc
+BuildRequires: gcc-c++
+BuildRequires: json-c-devel
+BuildRequires: libcurl-devel
+BuildRequires: libgcrypt-devel
+BuildRequires: libtool
+BuildRequires: openssl-devel
+BuildRequires: pkgconfig
+BuildRequires: systemd
+BuildRequires: systemd-rpm-macros
+Requires(pre): shadow-utils
+
+%description
+tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system
+APIs. It sits between TPM driver and applications, providing TPM2.0 specified
+APIs for applications to access TPM module through kernel TPM drivers.
+
+%prep
+%autosetup -p1 -n %{name}-%{version}
+
+%build
+# Use built-in tpm-udev.rules, with specified installation path and prefix.
+%configure --disable-static --disable-silent-rules \
+ --disable-tcti-pcap --disable-tcti-libtpms \
+ --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \
+ --with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir}
+
+# This is to fix Rpath errors. Taken from https://fedoraproject.org/wiki/Packaging:Guidelines#Removing_Rpath
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+
+%make_build
+
+%install
+%make_install
+find %{buildroot}%{_libdir} -type f -name \*.la -delete
+rm %{buildroot}%{_sysusersdir}/tpm2-tss.conf
+install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/tpm2-tss.conf
+
+%pre
+%sysusers_create_compat %{SOURCE1}
+exit 0
+
+%ldconfig_scriptlets
+
+%files
+%doc README.md CHANGELOG.md
+%license LICENSE
+%{_sysconfdir}/tpm2-tss/
+%{_libdir}/libtss2-mu.so.0*
+%{_libdir}/libtss2-sys.so.1*
+%{_libdir}/libtss2-esys.so.0*
+%{_libdir}/libtss2-fapi.so.1*
+%{_libdir}/libtss2-rc.so.0*
+%{_libdir}/libtss2-tctildr.so.0*
+%{_libdir}/libtss2-tcti-cmd.so.0*
+%{_libdir}/libtss2-tcti-device.so.0*
+%{_libdir}/libtss2-tcti-mssim.so.0*
+%{_libdir}/libtss2-tcti-swtpm.so.0*
+%{_sysusersdir}/tpm2-tss.conf
+%{_tmpfilesdir}/tpm2-tss-fapi.conf
+%{_udevrulesdir}/%{udevrules_prefix}tpm-udev.rules
+
+%package devel
+Summary: Headers and libraries for building apps that use tpm2-tss
+Requires: %{name}%{_isa} = %{version}-%{release}
+
+%description devel
+This package contains headers and libraries required to build applications that
+use tpm2-tss.
+
+%files devel
+%{_includedir}/tss2/
+%{_libdir}/libtss2-mu.so
+%{_libdir}/libtss2-sys.so
+%{_libdir}/libtss2-esys.so
+%{_libdir}/libtss2-fapi.so
+%{_libdir}/libtss2-rc.so
+%{_libdir}/libtss2-tctildr.so
+%{_libdir}/libtss2-tcti-cmd.so
+%{_libdir}/libtss2-tcti-device.so
+%{_libdir}/libtss2-tcti-mssim.so
+%{_libdir}/libtss2-tcti-swtpm.so
+%{_libdir}/pkgconfig/tss2-mu.pc
+%{_libdir}/pkgconfig/tss2-sys.pc
+%{_libdir}/pkgconfig/tss2-esys.pc
+%{_libdir}/pkgconfig/tss2-fapi.pc
+%{_libdir}/pkgconfig/tss2-rc.pc
+%{_libdir}/pkgconfig/tss2-tctildr.pc
+%{_libdir}/pkgconfig/tss2-tcti-cmd.pc
+%{_libdir}/pkgconfig/tss2-tcti-device.pc
+%{_libdir}/pkgconfig/tss2-tcti-mssim.pc
+%{_libdir}/pkgconfig/tss2-tcti-swtpm.pc
+%{_mandir}/man3/*.3.gz
+%{_mandir}/man5/*.5.gz
+%{_mandir}/man7/tss2*.7.gz
+
+
+%changelog
+* Mon Jul 3 2023 Štěpán Horáček - 3.2.2-2
+- Remove misapplied license
+ Resolves: rhbz#2160307
+
+* Fri Jun 23 2023 Štěpán Horáček - 3.2.2-1
+- Rebase to 3.2.2
+- Use systemd-sysusers to create user
+ Resolves: CVE-2023-22745
+ Resolves: rhbz#2095479
+ Resolves: rhbz#2160307
+ Resolves: rhbz#2162613
+
+* Wed Aug 10 2022 Štěpán Horáček - 3.0.3-8
+- Fix memory leaks, potential crashes, upgrade to OpenSSL 3
+ Resolves: rhbz#2041919
+
+* Thu Feb 17 2022 Štěpán Horáček - 3.0.3-7
+- Rebuild with latest json-c library
+ Related: rhbz#2023328
+
+* Wed Aug 18 2021 Štěpán Horáček - 3.0.3-6
+- Fix failures while using OpenSSL 3
+ Resolves: rhbz#1984634
+
+* Tue Aug 10 2021 Mohan Boddu - 3.0.3-5
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu - 3.0.3-4
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
+
+* Fri Apr 16 2021 Mohan Boddu - 3.0.3-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering - 3.0.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Nov 26 2020 Peter Robinson - 3.0.3-1
+- Update to 3.0.2
+
+* Sun Nov 22 2020 Peter Robinson - 3.0.2-1
+- Update to 3.0.2
+
+* Wed Sep 23 2020 Peter Robinson - 3.0.1-1
+- Update to 3.0.1
+
+* Tue Sep 15 2020 Than Ngo - 3.0.0-4
+- Fix doxygen crash
+
+* Tue Sep 15 2020 Peter Robinson - 3.0.0-3
+- Create tss user, if it doesn't exist, for userspace TPM access
+
+* Fri Aug 07 2020 Peter Robinson - 3.0.0-2
+- Install sysusers config in sysusersdir (rhbz #1834519)
+
+* Wed Aug 05 2020 Peter Robinson - 3.0.0-1
+- Update to 3.0.0
+
+* Wed Aug 05 2020 Peter Robinson - 2.4.2-1
+- Update to 2.4.2
+
+* Wed Jul 29 2020 Fedora Release Engineering - 2.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu May 14 2020 Peter Robinson - 2.4.1-1
+- Update to 2.4.1
+
+* Fri May 08 2020 Paul Wouters - 2.4.0-3
+- Use proper rundir and tmpfiles macros so proper directories are used
+
+* Tue Apr 21 2020 Björn Esser - 2.4.0-2
+- Rebuild (json-c)
+
+* Thu Mar 12 2020 Peter Robinson - 2.4.0-1
+- Update to 2.4.0 release
+
+* Mon Feb 24 2020 Peter Robinson - 2.3.3-1
+- Update to 2.3.3 release
+
+* Fri Jan 31 2020 Fedora Release Engineering - 2.3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Dec 13 2019 Yunying Sun - 2.3.2-1
+- Update to 2.3.2 release
+
+* Fri Sep 6 2019 Yunying Sun - 2.3.1-1
+- Update to 2.3.1 release
+
+* Thu Aug 15 2019 Yunying Sun - 2.3.0-1
+- Update to 2.3.0 release
+
+* Sat Jul 27 2019 Fedora Release Engineering - 2.2.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed May 29 2019 Yunying Sun - 2.2.3-1
+- Update to 2.2.3 release
+
+* Fri Mar 29 2019 Yunying Sun - 2.2.2-1
+- Update to 2.2.2 release
+
+* Mon Mar 4 2019 Peter Robinson 2.2.1-1
+- Update to 2.2.1 release
+
+* Wed Feb 06 2019 Javier Martinez Canillas - 2.2.0-1
+- Update to 2.2.0 release
+
+* Sun Feb 03 2019 Fedora Release Engineering - 2.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Oct 10 2018 Yunying Sun - 2.1.0-1
+- Update to 2.1.0 release
+
+* Thu Aug 30 2018 Yunying Sun - 2.0.1-1
+- Update to 2.0.1 release
+
+* Sat Jul 14 2018 Fedora Release Engineering - 2.0.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul 4 2018 Yunying Sun - 2.0.0-2
+- Re-enable ESAPI since gcrypt dependency is not an issue for Fedora
+- Bump release version to 2.0.0-2
+
+* Mon Jul 2 2018 Yunying Sun - 2.0.0-1
+- Update to 2.0.0 release (RHBZ#1508870)
+- Remove patch file 60-tpm-udev.rules, use upstream tpm-udev.rules instead
+- Disable ESAPI to fix build errors caused by dependency to libgcrypt 1.6.0
+- Add scriptlet to fix Rpath errors
+- Update file installation paths and names accordingly
+
+* Sun Mar 04 2018 Javier Martinez Canillas - 1.4.0-1
+- Update URLs to point to the new project location
+- Add README.md CHANGELOG.md to %%files directive
+- Update to 1.4.0 release (RHBZ#1508870)
+
+* Fri Feb 23 2018 Javier Martinez Canillas - 1.3.0-4
+- Install udev rule for TPM character devices
+
+* Wed Feb 21 2018 Javier Martinez Canillas - 1.3.0-3
+- Remove ExclusiveArch: %%{ix86} x86_64 directive
+
+* Fri Feb 09 2018 Igor Gnatenko - 1.3.0-2
+- Escape macros in %%changelog
+
+* Fri Dec 08 2017 Javier Martinez Canillas - 1.3.0-1
+- Update to 1.3.0 release
+
+* Wed Nov 29 2017 Javier Martinez Canillas - 1.3.0-0.1.rc2
+- Update to 1.3.0 release candidate 2 (RHBZ#1508870)
+- Remove global pkg_prefix since now the upstream repo and package names match
+- Update URLs to point to the new project location
+- Remove -Wno-int-in-bool-context compiler flag since now upstream takes care
+- Remove %%doc directive since README.md and CHANGELOG.md are not in the tarball
+- Add patch to include a LICENSE since the generated tarball does not have it
+
+* Mon Aug 28 2017 Javier Martinez Canillas - 1.2.0-1
+- Update to 1.2.0 release
+- Use tpm2-tss instead of TPM2.0-TSS as prefix since project name changed
+- Fix SPEC file access mode
+- Include new man pages in %%files directive
+
+* Fri Aug 18 2017 Javier Martinez Canillas - 1.1.0-3
+- Remove unneeded source tarballs (RHBZ#1482828)
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Sun Yunying - 1.1.0-1
+- Update to 1.1.0 release
+
+* Sat Feb 11 2017 Fedora Release Engineering - 1.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Dec 12 2016 Sun Yunying - 1.0-2
+- Remove global macro pkg_version to avoid duplicate of version
+- Use ExclusiveArch instead of ExcludeArch
+- Use less wildcard in %%files section to be more specific
+- Add trailing slash at end of added directory in %%file section
+- Remove autoconf/automake/pkgconfig(cmocka) from BuildRequires
+- Increase release version to 2
+
+* Fri Dec 2 2016 Sun Yunying - 1.0-1
+- Initial version of the package
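Review bot: `%prep` unpacks `Source0` with `%autosetup -p1 -n %{name}-%{version}` without any signature check in the spec, so authenticity of the upstream tarball rests entirely on whatever the build system pins outside this file. For a TPM software stack I would verify it in the build: if upstream publishes a detached signature and signing key for this release, add them as extra `Source` entries, add `BuildRequires: gnupg2`, and make `%{gpgverify} --keyring='%{SOURCE3}' --signature='%{SOURCE2}' --data='%{SOURCE0}'` the first line of `%prep` (the source numbers are illustrative). Separately, Patch2 through Patch14 include memory-safety backports such as `0001-esys_iutil-fix-possible-NPD.patch` and `0010-FAPI-Fix-wrong-allocation-of-pcr-policy.patch`, yet neither 3.2.2 `%changelog` entry mentions them. One changelog line naming the backported fixes would let administrators audit which fixes a given build carries.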