| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enabling ptest will significantly increase build time. Additionally,
since the ptest distro_feature is enabled by default in poky distro,
build time can be very long, which is annoying.
On my build host:
Enable ptest:
$ time build scap-security-guide
real 219m54.529s
user 0m49.040s
sys 0m1.304s
Disable ptest:
$ time build scap-security-guide
real 1m25.222s
user 0m3.306s
sys 0m0.166s
Since no one cares about this ptest and no one fixes the test failures.
Let's disable it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
| |
Update to latest version to pick up fixes required for building with
CMake 4.0.
ChangeLog:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.77
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
| |
Log kas commands to files and export them as artefacts
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Update for Ubuntu 24.04 runners:
- use venv for installing kas
- add missing directories
Assume that python3 and pip are installed.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
| |
Add a patch to fix building chkrootkit with gcc 15.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
| |
Use the Debian mirror as the Ubuntu one is failing frequently.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Update libhoth SRCREV to its latest commit, and add patches to fix
gcc 15 and build dependency issues. Since the last update was
so long ago, the changelog is longer than seems reasonable to
include here, please refer to:
https://github.com/google/libhoth/commits/main/?since=2024-01-16&until=2025-07-03
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
| |
This picks up required gcc 15 fixes.
Changelog: https://bitbucket.org/sshguard/sshguard/src/master/CHANGELOG.rst
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The project does not use release branches; their release model currently
rebases the stable branch each release and relies on the release tags to
keep the commits referenced. Until their release model changes, just
use the release commit with nobranch.
See upstream issue [1] for details.
[1] https://github.com/ComplianceAsCode/content/issues/13543
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
[tweaked commit message]
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
After commit 7a2b9acef2 "cargo: pass PACKAGECONFIG_CONFARGS to cargo build"
we don't need to include Parsec cargo build features into CARGO_BUILD_FLAGS.
Let's update PACKAGECONFIG options as lists of features.
A small fix in readme.md as well.
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
| |
Remove or update S definitions as required to work with oe-core
S/UNPACKDIR changes.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
| |
Update LAYERSERIES_COMPAT in all layer.conf files with the exception
of meta-parsec to whinlatter. For meta-parsec, whinlatter has been
added, and the EOL releases removed, as an initial update.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
| |
Fix "CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS"
https://docs.yoctoproject.org/dev/ref-manual/variables.html#term-CVE_STATUS
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
| |
v2 : also fix some typos while we are here.
v3 : add fixes for isic and checksecurity
Signed-off-by: Jason Schonberg <schonm@gmail.com>
[removed already applied change]
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add Marta and myself as maintainers for meta-security and the other
embedded layers that Armin had been maintaining. To avoid Armin
getting bugged about individual recipes, set the RECIPE_MAINTAINER
variables to myself for now as a starting point that can be adjusted
as things get more settled.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
/var/log/suricata initialization is handled by
systemd-tmpfiles-setup.service, which occurs before services like
suricata
Work towards resolving:
ERROR: [...] do_rootfs: The following packages could not be configured
offline and rootfs is read-only: ['100-suricata']
Added in commit 36d656fe7244 ("suricata: add tmpfiles.d config")
systemd testing:
root@beaglebone-yocto:~# ls -d /var/log/suricata
/var/log/suricata
root@beaglebone-yocto:~# systemctl enable suricata
Created symlink '/etc/systemd/system/multi-user.target.wants/suricata.service' -> '/usr/lib/systemd/system/suricata.service'.
root@beaglebone-yocto:~# rmdir /var/log/suricata
root@beaglebone-yocto:~# reboot now
root@beaglebone-yocto:~# ls -d /var/log/suricata
/var/log/suricata
root@beaglebone-yocto:~# journalctl -o short-iso-precise -u systemd-tmpfiles-setup -u suricata
2025-05-20T00:45:46.450027+00:00 beaglebone-yocto systemd[1]: Starting Create System Files and Directories...
[...]
2025-05-20T00:45:47.041049+00:00 beaglebone-yocto systemd[1]: Finished Create System Files and Directories.
2025-05-20T00:45:47.542976+00:00 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon.
[...]
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File /usr/bin/suricata
in package suricata contains reference to TMPDIR [buildpaths]
ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File
/usr/src/debug/suricata/7.0.0/src/build-info.h in package suricata-src
contains reference to TMPDIR [buildpaths]
Address references when src/build-info.h is being written
This is similar to Debian's approach:
https://sources.debian.org/patches/suricata/1:7.0.10-1~bpo12%2B1/reproducible.patch/
Restore the "already-stripped" check and CFLAGS info
Original resolution in commit c0e3fecc3bea ("suricata: fix QA warnings")
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
If measured-uki support is not enabled or build is continuing
from previous stages, then the matching file list can be empty.
Fixes build failure where sed says no input files.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since OE bitbake commit 24772dd2ae6c ("parse/ConfHandler: Add warning for
deprecated whitespace usage"), the current build generates the following
warning (as example):
| WARNING: ...meta-security/meta-tpm/recipes-core/systemd/systemd-boot_%.bbappend:7
| has a lack of whitespace around the assignment:
| 'EXTRA_OEMESON:append= " ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', '-Dtpm2=true', '', d)} "'
Fix all the warnings.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
* Some sources like merger/merger.py import json, so add
python3-json to RDEPENDS
* Fix following warning
has a lack of whitespace around the assignment: 'DESCRIPTION=xxx'
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The tpm2-pkcs11-tools python module is importing several modules which
are not currently included in it's dependencies. This causes the script
invocation to fail. The current commit adds the relevant dependencies,
to ensure that the python module is always able to run.
The relevant dependencies are:
* python3-fcntl: To add the fcntl module, imported in db.py.
* python3-sqlite3: To add the sqlite3 module, imported in db.py.
* python3-tpm2-pytss: To add the tpm2_pytss module, imported in
utils.py.
* python3-compression: To add the zipfile module, imported through
"importlib.metadata import distribution" in tpm2_ptool.
Signed-off-by: Omri Sarig <omri.sarig13@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The tpm2-pytss module is importing the module asn1crypto in tsskey.py,
however, the current bitbake recipe is not including this python package
as runtime dependency. This causes the module invocation to fail at the
moment.
The commit adds this dependency to the bitbake recipe, to make the
recipe self contained.
Signed-off-by: Omri Sarig <omri.sarig13@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Skip configure step to fix this error:
pcr-extend-0.1+git-r0 do_configure: no configure script found at ../git/configure
There is no configure for this package.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
7a2b9acef2 cargo: pass PACKAGECONFIG_CONFARGS to cargo build
error: unexpected argument '--with-libcap_ng-includes' found
|
| Usage: cargo build --verbose... --target [<TRIPLE>] --release --manifest-path <PATH> --offline
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The unprivileged service user feature has been improved in 2.10 to allow
running the sssd service as an unprivileged user [1]. So enable this
feature, and then we can run the service as the unprivileged user sssd.
[1] https://github.com/SSSD/sssd/releases/tag/2.10.0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ChangeLog:
https://github.com/SSSD/sssd/releases/tag/2.10.2
* Drop backport patches.
* Update sssd.conf and volatile files.
* Drop PACKAGECONFIG[infopipe] as it has been removed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ptest result:
ptest-runner libgssglue
START: ptest-runner
2025-03-27T13:15
BEGIN: /usr/lib64/libgssglue/ptest
PASS: gss_create_empty_oid_set
PASS: gss_test_oid_set_member
PASS: gss_test_oid_set_member n==0
PASS: gss_add_oid_set_member() OK
PASS: gss_test_oid_set_member() OK
OID present in set with the OID added to it => 1
PASS: gss_test_oid_set_member() OK
PASS: gss_test_oid_set_member() OK
Another OID present in set without the OID => 0
PASS: gss_test_oid_set_member() OK
PASS: gss_add_oid_set_member() OK
PASS: gss_test_oid_set_member() OK
Another OID present in set with it added => 1
PASS: gss_test_oid_set_member() OK
PASS: gss_test_oid_set_member() OK
First OID present in set => 1
PASS: gss_test_oid_set_member() OK
PASS: gss_release_oid_set() OK
PASS: gss_indicate_mechs() OK
PASS: gss_release_oid_set() OK
PASS: gss_import_name() OK
PASS: gss_display_name() OK
display_name() => 27: imap@server.example.org@FOO
PASS: gss_release_buffer() OK
PASS: gss_release_name() OK
Basic self tests done with 0 errors
DURATION: 0
END: /usr/lib64/libgssglue/ptest
2025-03-27T13:15
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
| |
* Drop useless patch libgssglue-canon-name.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
ChangeLog:
https://fossies.org/linux/samhain/docs/Changelog
* Refresh patches
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Release note:
Enhancements:
The MergerConfig class now accepts overrides for config values as "keys" and
"rules" keyword arguments to the constructor.
Credit and my thanks go to https://github.com/leviem1!
BREAKING CHANGES:
Support for Python 3.6 has been dropped. This is forced by incompatibilities
discovered with the latest version of pytest and because dependencies like
dateutil and ruamel-yaml-clib no longer support Python 3.6. Support for
Python 3.7 is tepid. While pytest is still working with Python 3.7, other
dependencies are no longer supporting Python 3.7; however, the extensive
tests for yamlpath show no issues with them, so far. For now, Python 3.12
support is pending, waiting for the dateutil library to resolve a
DeprecationWarning regarding its use of datetime.datetime.utcfromtimestamp().
Refer:
https://pypi.org/project/yamlpath/3.8.2/
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
2.7.0 (2024-05-13)
* Changed the comparison to make accurate and standard more accurate, although fast gets less accurate as a result.
* Changed usage of deprecated pkg_resources package to importlib.metadata.
* A use_replace flag was added to the XMLFormatter by Thomas Pfitzinger. It changes text replacement from delete and insert tags to a replace tag. It’s not currently accessaible thtough the CLI, the question is it is better to add a new formatter name, or an option to pass in formatter flags.
- Added option to XMLFormatter to use replace tags
- in _make_diff_tags after diffing, neighboring delete/insert diffs are joined to a replace tag
- the deleted text is added as an attribute (“old-text”)
- the inserted text is the element’s text
Refer:
https://pypi.org/project/xmldiff/2.7.0/
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
drop CVE-2024-45797.patch now included
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
ChangeLog:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.76
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Without the symlink, the engine is not found by openssl:
openssl engine -t -c tpm2tss
20F0C5BDFFFF0000:error:12800067:DSO support routines:dlfcn_load:could
not load the shared library:/usr/src/debug/openssl/3.2.4/crypto/dso/dso_dlfcn.c:118:
filename(/usr/lib/engines-3/tpm2tss.so): /usr/lib/engines-3/tpm2tss.so:
cannot open shared object file: No such file or directory
...
With sym-link it works (also without extra configuration for openssl)
cd /usr/lib/engines-3/
ln -s libtpm2tss.so tpm2tss.so
openssl engine -t -c tpm2tss
(tpm2tss) TPM2-TSS engine for OpenSSL
[RSA, RAND]
[ available ]
For exmample also the Fedora package has the symlink.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
ChangeLog:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.75
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ChangeLog:
https://github.com/OpenSCAP/openscap/releases/tag/1.4.1
* Introduce "oscap-im" - script that can be used in Containerfiles to
build hardened bootable container images to run as Image Mode
Operating System
* Add support for containers with no entrypoint/cmd in "oscap-docker"
* Stop printing useless component reference information in "oscap info"
* Fix missing declaration of PATH_MAX on Solaris
* Fix RPM database path in RPM probes (RHEL-55251, #2151)
* Fix issues reported by OpenScanHub after 1.4.0 release
* Fix failing test probes/filehash58/test_probes_filehash58.sh on s390x
architecture
* Ensure xlink namespace exists (RHEL-34104)
* Minor fixes in test suite and CI
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
This is needed when a verity image is used in conjunction with tools
like a WIC and a bmap file, as avoiding writing "sparse" sectors
can result in errors in the signature verification.
Signed-off-by: Lorenzo Arena <arena.lor@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When IMA and EVM are used for file appraisal then EVM verifies the
signature stored in security.evm. This signature covers file metadata
(uid, gid, mode bits, etc.) as well as the security.ima xattr.
Therefore, it is sufficient that only files' hashes are stored in
security.ima. This also leads to slight performance improvements
since IMA appraisal will then only verify that a file's hash matches
the expected hash stored in security.ima. EVM will ensure that the
signature over all the file metadata and security.ima xattr is
correct. Therefore, give the user control over whether to store file
signatures (--imasig) in ima.security or hashes (--imahash) by
setting the option in IMA_EVM_IMA_XATTR_OPT.
Only test-verify an IMA signature if --imasig is used as the option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
| |
appears to be a known issue:
https://bugs.gentoo.org/937374
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
build parsec image not the larger generic security image
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Fixes:
| error: unnecessary qualification
| --> src/front/domain_socket.rs:247:30
| |
| 247 | let ucred_size = mem::size_of::<ucred>();
| | ^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
| |
drop ptest from base builds.
Enable ptest in test image only
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Improves error reporting among other things. Changes:
https://github.com/stefanberger/swtpm/releases/tag/v0.10.0
version 0.10.0:
swtpm:
Requires libtpms v0.10.0
Display tpmstate-opt-lock as a new capability
Add support for lock option parameter to tpmstate option
nvstore_linear: Add support for file-backend locking
Remove broken logic to check for neither dir nor file backend
Use ptm_cap_n to build PTM_GET_CAPABILITY response
Define a structure to return PTM_GET_CAPABILITY result
Implement --print-info to run TPMLIB_GetInfo with flags
Support --profile fd= to read profile from file descriptor
Support --profile file= to read profile from file
Ignore remove-disabled parameter on non-'custom' profile
Check for good entropy source in chroot environment
Implement a check for HMAC+sha1 for testing future restriction
Implement function to check whether a crypto algorithm is disabled
Print cmdarg-print-profiles as part of capabilities
Check whether SHA1 signature support is disabled in profile
Use TPMLIB_WasManufactured to check whether profile was applied
Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature)
Add support for --print-profiles option
Print profile names as part of capabilities JSON
Display new capability to allow setting a profile
Add support for --profile option to set a profile on TPM 2
swtpm_setup:
Comment flags for storage primary key and deprecate --create-spk
Implement --print-profiles to display all profile
Add profile entries to swtpm_setup.conf written by swtpm_setup
Add support for --profile-name option
Accept profiles with name starting with 'custom:'
Support default profile from file in swtpm_setup.conf
Support --profile-file-fd to read profile from file descriptor
Support --profile-file to read profile from file
Always log the active profile
Implement --profile-remove-fips-disabled option
Read default profile from swtpm_setup.conf
Print profile names as part of capabilities JSON
Add support for --profile parameter
Get default rsa keysize from setup_setup.conf if not given
swtpm_ioctl:
Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
selinux:
Change write to append for appending to log
Add rule for logging to svirt_image_t labeled files from swtpm_t
tests:
Update IBMTSS2 test suite to v2.4.0
Test activation of PCR banks when not all are available
Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
Consolidate custom profile test cases and check for StateFormatLevel
Convert test_samples_create_tpmca to run installed
Mention test_tpm2_libtpms_versions_profiles requiring env. variables
allow running ibmtss2 tests against installed version
Derive support for CUSE from SWTPM_EXE help screen
Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
Extend test case testing across libtpms versions
Add test case for testing profiles across libtpms versions
Test the --profile option of swtpm_setup and swtpm
teach them to run installed
add installed-runner.sh
install tests on the system
lookup system binaries if INSTALLED is set
build-sys:
enable 64-bit file API on 32-bit systems
Add -Wshadow to the CFLAGS
Require that libtpms v0.10 is available for TPMLIB_SetProfile
debian:
Add rule to allow usage of /var/tmp directory (QEMU)
Add rules for reading profiles from distro and local dirs
Allow non-owner file write access in /var/lib/libvirt/swtpm/
Add sys_admin capability to apparmor profile
https://github.com/stefanberger/swtpm/releases/tag/v0.9.0
version 0.9.0:
Note: The SElinux policy for swtpm was completely redone. For systems
with an SELinux policy the same policy (>= 40.17) as used in
Fedora >= 40 is required due to changes in labels related to libvirt
that made the re-development of the SELinux policy necessary.
swtpm:
Use umask() to create/truncated state file rather than fchmod()
Use fchmod to set mode bits provided by user
Replace mkstemp with g_mkstemp_full (Coverity)
fix typo in help message
cuse: Fix Coverity complaints regarding locks
Fix double free in error path
Close fd after main loop
Restore logging to stderr on log open failure
swtpm_setup:
Fail --pcr-banks without --tpm2
Fail --decryption or --allow-signing without --tpm2
Initialized argv in get_swtpm_capabilities()
Flush spk after persisting to create room for another key
Refactor duplicate code into swtpm_tpm2_write_cert_nvram
Move persisting of certificate into tpm2_persist_certificate
Pass key_type to function creating filename for key
Add scheme parameter before curveid to createprimary_ecc
Rename is_ek to preserve for future extension
Mask-out EK and plaform certificate flags and set cert_flags
Move common code into new function read_certificate_file()
Exit with '0' upon --version rather than '1'
Close file descriptors passed to swtpm process on parent side
Make stdout unbuffered
Use medium duration on TSC_PhysicalPresence to avoid timeouts
Add poll() after write() and before read() to detect errors
swtpm_localca:
Add support for up to 20 bytes serial numbers
Introduce --key as more generic alias for --ek
Add missing NULL option to end of array
Make stdout unbuffered
swtpm_cert:
Add support for serial numbers up to 20 bytes long
swtpm_ioctl:
Separate return code from flags
Repeatedly call PTM_GET_INFO for long responses
selinux:
Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
New SELinux policy that requires Fedora 40 or later
tests:
Fixed occurrences of stray '' before '-'
Rearrange order of test cases to run some also as 'root'
Add tests for command line options and combinations of options
Add softhsm_setup to shellcheck'ed files and fix issues
Add missing 'exit 1' on unexpected file size on --reconfigure
Add test cases for swtpm_cert with max serial number
Fix spelling mistakes
reformat regexs for easier readability and extension
ibmtss2: Add patch to disable x509 test with older libtpms
Upgrade to ibmtss2 v2.0.1
Fixed several issues detected by shellcheck
build-sys:
Add support for --disable-tests to disable tests
Display GMP_LIBS and GMP_CFLAGS
Only display warning if pkg-config for gmp fails
Add gmp library and devel package as dependency
use PKG_CHECK_MODULES to check libtpms version
rpm:
Add gmp library and devel package as dependency
Split off SELinux files to build an selinux package
debian:
Sync AppArmor profile with what is used by Ubuntu
Add gmp library and devel package as dependency
Allow apparmor access to qemu session bus swtpm files
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
