| Commit message | Author | Age | Files | Lines |
Remove or update S definitions as required to work with oe-core
S/UNPACKDIR changes.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Since OE bitbake commit 24772dd2ae6c ("parse/ConfHandler: Add warning for
deprecated whitespace usage"), the current build generates the following
warning (as example):
| WARNING: ...meta-security/meta-tpm/recipes-core/systemd/systemd-boot_%.bbappend:7
| has a lack of whitespace around the assignment:
| 'EXTRA_OEMESON:append= " ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', '-Dtpm2=true', '', d)} "'
Fix all the warnings.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Improves error reporting among other things. Changes:
https://github.com/stefanberger/swtpm/releases/tag/v0.10.0

version 0.10.0:
- swtpm:
  - Requires libtpms v0.10.0
  - Display tpmstate-opt-lock as a new capability
  - Add support for lock option parameter to tpmstate option
  - nvstore_linear: Add support for file-backend locking
  - Remove broken logic to check for neither dir nor file backend
  - Use ptm_cap_n to build PTM_GET_CAPABILITY response
  - Define a structure to return PTM_GET_CAPABILITY result
  - Implement --print-info to run TPMLIB_GetInfo with flags
  - Support --profile fd= to read profile from file descriptor
  - Support --profile file= to read profile from file
  - Ignore remove-disabled parameter on non-'custom' profile
  - Check for good entropy source in chroot environment
  - Implement a check for HMAC+sha1 for testing future restriction
  - Implement function to check whether a crypto algorithm is disabled
  - Print cmdarg-print-profiles as part of capabilities
  - Check whether SHA1 signature support is disabled in profile
  - Use TPMLIB_WasManufactured to check whether profile was applied
  - Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature)
  - Add support for --print-profiles option
  - Print profile names as part of capabilities JSON
  - Display new capability to allow setting a profile
  - Add support for --profile option to set a profile on TPM 2
- swtpm_setup:
  - Comment flags for storage primary key and deprecate --create-spk
  - Implement --print-profiles to display all profile
  - Add profile entries to swtpm_setup.conf written by swtpm_setup
  - Add support for --profile-name option
  - Accept profiles with name starting with 'custom:'
  - Support default profile from file in swtpm_setup.conf
  - Support --profile-file-fd to read profile from file descriptor
  - Support --profile-file to read profile from file
  - Always log the active profile
  - Implement --profile-remove-fips-disabled option
  - Read default profile from swtpm_setup.conf
  - Print profile names as part of capabilities JSON
  - Add support for --profile parameter
  - Get default rsa keysize from setup_setup.conf if not given
- swtpm_ioctl:
  - Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
- selinux:
  - Change write to append for appending to log
  - Add rule for logging to svirt_image_t labeled files from swtpm_t
- tests:
  - Update IBMTSS2 test suite to v2.4.0
  - Test activation of PCR banks when not all are available
  - Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
  - Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
  - Consolidate custom profile test cases and check for StateFormatLevel
  - Convert test_samples_create_tpmca to run installed
  - Mention test_tpm2_libtpms_versions_profiles requiring env. variables
  - allow running ibmtss2 tests against installed version
  - Derive support for CUSE from SWTPM_EXE help screen
  - Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
  - Extend test case testing across libtpms versions
  - Add test case for testing profiles across libtpms versions
  - Test the --profile option of swtpm_setup and swtpm
  - teach them to run installed
  - add installed-runner.sh
  - install tests on the system
  - lookup system binaries if INSTALLED is set
- build-sys:
  - enable 64-bit file API on 32-bit systems
  - Add -Wshadow to the CFLAGS
  - Require that libtpms v0.10 is available for TPMLIB_SetProfile
- debian:
  - Add rule to allow usage of /var/tmp directory (QEMU)
  - Add rules for reading profiles from distro and local dirs
  - Allow non-owner file write access in /var/lib/libvirt/swtpm/
  - Add sys_admin capability to apparmor profile

https://github.com/stefanberger/swtpm/releases/tag/v0.9.0

version 0.9.0:
Note: The SELinux policy for swtpm was completely redone. For systems
with an SELinux policy the same policy (>= 40.17) as used in
Fedora >= 40 is required due to changes in labels related to libvirt
that made the re-development of the SELinux policy necessary.
- swtpm:
  - Use umask() to create/truncated state file rather than fchmod()
  - Use fchmod to set mode bits provided by user
  - Replace mkstemp with g_mkstemp_full (Coverity)
  - fix typo in help message
  - cuse: Fix Coverity complaints regarding locks
  - Fix double free in error path
  - Close fd after main loop
  - Restore logging to stderr on log open failure
- swtpm_setup:
  - Fail --pcr-banks without --tpm2
  - Fail --decryption or --allow-signing without --tpm2
  - Initialized argv in get_swtpm_capabilities()
  - Flush spk after persisting to create room for another key
  - Refactor duplicate code into swtpm_tpm2_write_cert_nvram
  - Move persisting of certificate into tpm2_persist_certificate
  - Pass key_type to function creating filename for key
  - Add scheme parameter before curveid to createprimary_ecc
  - Rename is_ek to preserve for future extension
  - Mask-out EK and platform certificate flags and set cert_flags
  - Move common code into new function read_certificate_file()
  - Exit with '0' upon --version rather than '1'
  - Close file descriptors passed to swtpm process on parent side
  - Make stdout unbuffered
  - Use medium duration on TSC_PhysicalPresence to avoid timeouts
  - Add poll() after write() and before read() to detect errors
- swtpm_localca:
  - Add support for up to 20 bytes serial numbers
  - Introduce --key as more generic alias for --ek
  - Add missing NULL option to end of array
  - Make stdout unbuffered
- swtpm_cert:
  - Add support for serial numbers up to 20 bytes long
- swtpm_ioctl:
  - Separate return code from flags
  - Repeatedly call PTM_GET_INFO for long responses
- selinux:
  - Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
  - New SELinux policy that requires Fedora 40 or later
- tests:
  - Fixed occurrences of stray '' before '-'
  - Rearrange order of test cases to run some also as 'root'
  - Add tests for command line options and combinations of options
  - Add softhsm_setup to shellcheck'ed files and fix issues
  - Add missing 'exit 1' on unexpected file size on --reconfigure
  - Add test cases for swtpm_cert with max serial number
  - Fix spelling mistakes
  - reformat regexs for easier readability and extension
  - ibmtss2: Add patch to disable x509 test with older libtpms
  - Upgrade to ibmtss2 v2.0.1
  - Fixed several issues detected by shellcheck
- build-sys:
  - Add support for --disable-tests to disable tests
  - Display GMP_LIBS and GMP_CFLAGS
  - Only display warning if pkg-config for gmp fails
  - Add gmp library and devel package as dependency
  - use PKG_CHECK_MODULES to check libtpms version
- rpm:
  - Add gmp library and devel package as dependency
  - Split off SELinux files to build an selinux package
- debian:
  - Sync AppArmor profile with what is used by Ubuntu
  - Add gmp library and devel package as dependency
  - Allow apparmor access to qemu session bus swtpm files
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
version 0.8.2:
- swtpm:
  - cuse: Lock file_ops_lock before reading tpm_running
- build-sys:
  - Add support for --disable-tests to disable tests

https://github.com/stefanberger/swtpm/compare/v0.8.1...v0.8.2
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
There could be some false positives (the script is far from perfect), so please
test it on your QA, I've only double checked with "git grep" (the script looks
only in parent directory).
@ ~/layers/meta-security $ /OE/extra-layers/meta-ros/scripts/check-patch-files.sh .
./recipes-ids/tripwire/files/add_armeb_arch.patch: not used in any recipe
./dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch: not used in any recipe
./recipes-scanners/clamav/files/fix2_libcurl_check.patch: not used in any recipe
./recipes-scanners/arpwatch/files/postfix_workaround.patch: not used in any recipe
./meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch: not used in any recipe
./meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch: not used in any recipe
./meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch: not used in any recipe
./meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch: not used in any recipe
./meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch: not used in any recipe
./recipes-mac/AppArmor/files/disable_perl_h_check.patch: not used in any recipe
@ ~/layers/meta-security $ git grep add_armeb_arch.patch
@ ~/layers/meta-security $ git grep 0001-To-fix-build-error-of-xrang.patch
@ ~/layers/meta-security $ git grep fix2_libcurl_check.patch
@ ~/layers/meta-security $ git grep postfix_workaround.patch
@ ~/layers/meta-security $ git grep Use-format-s-for-call-to-dprintf.patch
@ ~/layers/meta-security $ git grep fix_signed_issue.patch
@ ~/layers/meta-security $ git grep Convert-another-vdprintf-to-dprintf.patch
@ ~/layers/meta-security $ git grep fix_lib_search_path.patch
@ ~/layers/meta-security $ git grep fix_fcntl_h.patch
@ ~/layers/meta-security $ git grep disable_perl_h_check.patch
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
pass the required argument to --home-dir
fixes: Bugzilla-15034
Signed-off-by: Ahmed Abdelfattah <a.abfattah@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
includes CVE-2022-23645
Signed-off-by: Armin Kuster <akuster808@gmail.com>
a bit of re-org
Signed-off-by: Armin Kuster <akuster808@gmail.com>
a bit of re-org.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
drop musl patch. Fix another way
Signed-off-by: Armin Kuster <akuster808@gmail.com>
needed for cert support
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
fixes: CVE-2022-23645.
Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
swtpm no longer depends on Python[1] so the dependencies have been
removed.
"inherit perlnative" has been added due to (in oe-core):
deda455b3c ("bitbake.conf: drop pod2man from hosttools")
Some leftover dependencies have also been removed, ex: tpm-tools
required in the past by swtpm_setup.sh (<0.4.0)[2].
[1] https://github.com/stefanberger/swtpm/issues/437
[2] https://github.com/stefanberger/swtpm/commit/eee8cb5dfb13f87140dddda38f65bf61aff19508
Signed-off-by: Kristian Klausen <kristian@klausen.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Found a few places that tscd check was trying to run the hosts.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
need native pip3, was using host's
Signed-off-by: Armin Kuster <akuster808@gmail.com>
--
V2]
add python3-cryptography-native to DEPENDS
forgot to add changes.
Add python package
Signed-off-by: Armin Kuster <akuster808@gmail.com>
checking for whether to build with seccomp profile... configure: error: "Is libseccomp-devel installed? -- could not get cflags for libseccomp"
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
added PE
split cuse into its own package
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This allows dropping some patches for issues that were addressed
upstream. It also brings in support for connecting swtpm to qemu
without relying on CUSE.
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
if cuse is enabled, depend on fuse which is in meta-filesystems
throw error if layer is missing.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>