author | Mikko Rapeli <mikko.rapeli@linaro.org> | 2024-12-20 16:04:32 +0200 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2024-12-27 11:28:23 -0500 |
commit | 746cb59c5f592374f10854d66062c9674dae9da6 (patch) | |
tree | 70063f2fa0e9a4f3e42e548ddf645cd3baea2d98 | |
parent | 0b4a2afb985afaa6ff19db8ae7a7a0bc2f4c0b53 (diff) | |
download | meta-security-746cb59c5f592374f10854d66062c9674dae9da6.tar.gz |
swtpm: update from 0.8.2 to 0.10.0
Improves error reporting among other things. Changes:
https://github.com/stefanberger/swtpm/releases/tag/v0.10.0
version 0.10.0:
swtpm:
Requires libtpms v0.10.0
Display tpmstate-opt-lock as a new capability
Add support for lock option parameter to tpmstate option
nvstore_linear: Add support for file-backend locking
Remove broken logic to check for neither dir nor file backend
Use ptm_cap_n to build PTM_GET_CAPABILITY response
Define a structure to return PTM_GET_CAPABILITY result
Implement --print-info to run TPMLIB_GetInfo with flags
Support --profile fd= to read profile from file descriptor
Support --profile file= to read profile from file
Ignore remove-disabled parameter on non-'custom' profile
Check for good entropy source in chroot environment
Implement a check for HMAC+sha1 for testing future restriction
Implement function to check whether a crypto algorithm is disabled
Print cmdarg-print-profiles as part of capabilities
Check whether SHA1 signature support is disabled in profile
Use TPMLIB_WasManufactured to check whether profile was applied
Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature)
Add support for --print-profiles option
Print profile names as part of capabilities JSON
Display new capability to allow setting a profile
Add support for --profile option to set a profile on TPM 2
swtpm_setup:
Comment flags for storage primary key and deprecate --create-spk
Implement --print-profiles to display all profiles
Add profile entries to swtpm_setup.conf written by swtpm_setup
Add support for --profile-name option
Accept profiles with name starting with 'custom:'
Support default profile from file in swtpm_setup.conf
Support --profile-file-fd to read profile from file descriptor
Support --profile-file to read profile from file
Always log the active profile
Implement --profile-remove-fips-disabled option
Read default profile from swtpm_setup.conf
Print profile names as part of capabilities JSON
Add support for --profile parameter
Get default rsa keysize from setup_setup.conf if not given
swtpm_ioctl:
Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
selinux:
Change write to append for appending to log
Add rule for logging to svirt_image_t labeled files from swtpm_t
tests:
Update IBMTSS2 test suite to v2.4.0
Test activation of PCR banks when not all are available
Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
Consolidate custom profile test cases and check for StateFormatLevel
Convert test_samples_create_tpmca to run installed
Mention test_tpm2_libtpms_versions_profiles requiring env. variables
allow running ibmtss2 tests against installed version
Derive support for CUSE from SWTPM_EXE help screen
Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
Extend test case testing across libtpms versions
Add test case for testing profiles across libtpms versions
Test the --profile option of swtpm_setup and swtpm
teach them to run installed
add installed-runner.sh
install tests on the system
lookup system binaries if INSTALLED is set
build-sys:
enable 64-bit file API on 32-bit systems
Add -Wshadow to the CFLAGS
Require that libtpms v0.10 is available for TPMLIB_SetProfile
debian:
Add rule to allow usage of /var/tmp directory (QEMU)
Add rules for reading profiles from distro and local dirs
Allow non-owner file write access in /var/lib/libvirt/swtpm/
Add sys_admin capability to apparmor profile
https://github.com/stefanberger/swtpm/releases/tag/v0.9.0
version 0.9.0:
Note: The SELinux policy for swtpm was completely redone. For systems
with an SELinux policy the same policy (>= 40.17) as used in
Fedora >= 40 is required due to changes in labels related to libvirt
that made the re-development of the SELinux policy necessary.
swtpm:
Use umask() to create/truncate state file rather than fchmod()
Use fchmod to set mode bits provided by user
Replace mkstemp with g_mkstemp_full (Coverity)
fix typo in help message
cuse: Fix Coverity complaints regarding locks
Fix double free in error path
Close fd after main loop
Restore logging to stderr on log open failure
swtpm_setup:
Fail --pcr-banks without --tpm2
Fail --decryption or --allow-signing without --tpm2
Initialized argv in get_swtpm_capabilities()
Flush spk after persisting to create room for another key
Refactor duplicate code into swtpm_tpm2_write_cert_nvram
Move persisting of certificate into tpm2_persist_certificate
Pass key_type to function creating filename for key
Add scheme parameter before curveid to createprimary_ecc
Rename is_ek to preserve for future extension
Mask-out EK and platform certificate flags and set cert_flags
Move common code into new function read_certificate_file()
Exit with '0' upon --version rather than '1'
Close file descriptors passed to swtpm process on parent side
Make stdout unbuffered
Use medium duration on TSC_PhysicalPresence to avoid timeouts
Add poll() after write() and before read() to detect errors
swtpm_localca:
Add support for up to 20 bytes serial numbers
Introduce --key as more generic alias for --ek
Add missing NULL option to end of array
Make stdout unbuffered
swtpm_cert:
Add support for serial numbers up to 20 bytes long
swtpm_ioctl:
Separate return code from flags
Repeatedly call PTM_GET_INFO for long responses
selinux:
Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
New SELinux policy that requires Fedora 40 or later
tests:
Fixed occurrences of stray '' before '-'
Rearrange order of test cases to run some also as 'root'
Add tests for command line options and combinations of options
Add softhsm_setup to shellcheck'ed files and fix issues
Add missing 'exit 1' on unexpected file size on --reconfigure
Add test cases for swtpm_cert with max serial number
Fix spelling mistakes
reformat regexes for easier readability and extension
ibmtss2: Add patch to disable x509 test with older libtpms
Upgrade to ibmtss2 v2.0.1
Fixed several issues detected by shellcheck
build-sys:
Add support for --disable-tests to disable tests
Display GMP_LIBS and GMP_CFLAGS
Only display warning if pkg-config for gmp fails
Add gmp library and devel package as dependency
use PKG_CHECK_MODULES to check libtpms version
rpm:
Add gmp library and devel package as dependency
Split off SELinux files to build an selinux package
debian:
Sync AppArmor profile with what is used by Ubuntu
Add gmp library and devel package as dependency
Allow apparmor access to qemu session bus swtpm files
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-tpm/recipes-tpm/swtpm/swtpm_0.10.0.bb (renamed from meta-tpm/recipes-tpm/swtpm/swtpm_0.8.2.bb) | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.2.bb b/meta-tpm/recipes-tpm/swtpm/swtpm_0.10.0.bb index b987f59..3e58c33 100644 --- a/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.2.bb +++ b/meta-tpm/recipes-tpm/swtpm/swtpm_0.10.0.bb | |||
@@ -4,11 +4,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8" | |||
4 | SECTION = "apps" | 4 | SECTION = "apps" |
5 | 5 | ||
6 | # expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests | 6 | # expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests |
7 | DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib" | 7 | DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpms json-glib" |
8 | 8 | ||
9 | SRCREV = "507d14219dde88eb3eb2d10d15872d4044aa9d3e" | 9 | SRCREV = "54f4bb1e702a8b80d990ca00b6f72d5031dd131a" |
10 | SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.8;protocol=https" | 10 | SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.10;protocol=https" |
11 | PE = "1" | 11 | PE = "2" |
12 | 12 | ||
13 | S = "${WORKDIR}/git" | 13 | S = "${WORKDIR}/git" |
14 | 14 | ||
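Review bot: the DEPENDS line in this hunk silently corrects the build dependency name from "libtpm" to "libtpms" and the PE line bumps the epoch from "1" to "2", but neither change is mentioned in the commit message, which only describes the version update; please state both in the message (the dependency fix in particular is a bug fix independent of the upgrade, and the reason for the epoch bump should be recorded since PE can never be lowered again). The changelog quoted above says swtpm 0.10.0 "Requires libtpms v0.10.0", yet this patch touches only the swtpm recipe; confirm the layer's libtpms recipe already provides 0.10.0, otherwise configure will fail on the TPMLIB_SetProfile check listed under build-sys. It would also help to note that the new SRCREV corresponds to the v0.10.0 tag on the stable-0.10 branch selected in SRC_URI.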
@@ -44,6 +44,6 @@ FILES:${PN}-cuse = "${bindir}/swtpm_cuse" | |||
44 | 44 | ||
45 | INSANE_SKIP:${PN} += "dev-so" | 45 | INSANE_SKIP:${PN} += "dev-so" |
46 | 46 | ||
47 | RDEPENDS:${PN} = "libtpm" | 47 | RDEPENDS:${PN} = "libtpms" |
48 | 48 | ||
49 | BBCLASSEXTEND = "native nativesdk" | 49 | BBCLASSEXTEND = "native nativesdk" |
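Review bot: the RDEPENDS change from "libtpm" to "libtpms" fixes a misspelled runtime package name rather than being part of the version bump, and deserves its own sentence in the commit message so the fix is discoverable in history. Since the libtpms shared-library dependency is normally picked up automatically by the shlibs machinery, it is also worth a short comment in the recipe explaining why the explicit RDEPENDS is kept.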