From 6ea6a4982cb75b0dde96abeba520f305663b95c0 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Fri, 4 Mar 2022 16:12:30 -0800 Subject: swtpm: update to 0.7.1 fixes: CVE-2022-23645. Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs Signed-off-by: Armin Kuster --- .../recipes-tpm/swtpm/files/oe_configure.patch | 65 ---------------------- meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb | 51 ----------------- meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb | 50 +++++++++++++++++ 3 files changed, 50 insertions(+), 116 deletions(-) delete mode 100644 meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch delete mode 100644 meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb create mode 100644 meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb diff --git a/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch b/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch deleted file mode 100644 index 5aee933..0000000 --- a/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -Don't check for tscd deamon on host. - -Upstream-Status: OE Specific - -Signed-off-by: Armin Kuster - -Index: git/configure.ac -=================================================================== ---- git.orig/configure.ac -+++ git/configure.ac -@@ -179,15 +179,6 @@ AC_SUBST([LIBTPMS_LIBS]) - AC_CHECK_LIB(c, clock_gettime, LIBRT_LIBS="", LIBRT_LIBS="-lrt") - AC_SUBST([LIBRT_LIBS]) - --AC_PATH_PROG([TCSD], tcsd) --if test "x$TCSD" = "x"; then -- have_tcsd=no -- AC_MSG_WARN([tcsd could not be found; typically need it for tss user account and tests]) --else -- have_tcsd=yes --fi --AM_CONDITIONAL([HAVE_TCSD], test "$have_tcsd" != "no") -- - dnl We either need netstat (more common across systems) or 'ss' for test cases - AC_PATH_PROG([NETSTAT], [netstat]) - if test "x$NETSTAT" = "x"; then -@@ -440,23 +431,6 @@ AC_ARG_WITH([tss-group], - [TSS_GROUP="tss"] - ) - --case $have_tcsd in --yes) -- AC_MSG_CHECKING([whether TSS_USER $TSS_USER is available]) -- if ! test $(id -u $TSS_USER); then -- AC_MSG_ERROR(["$TSS_USER is not available"]) -- else -- AC_MSG_RESULT([yes]) -- fi -- AC_MSG_CHECKING([whether TSS_GROUP $TSS_GROUP is available]) -- if ! test $(id -g $TSS_GROUP); then -- AC_MSG_ERROR(["$TSS_GROUP is not available"]) -- else -- AC_MSG_RESULT([yes]) -- fi -- ;; --esac -- - AC_SUBST([TSS_USER]) - AC_SUBST([TSS_GROUP]) - -Index: git/tests/Makefile.am -=================================================================== ---- git.orig/tests/Makefile.am -+++ git/tests/Makefile.am -@@ -83,10 +83,6 @@ TESTS += \ - test_tpm2_swtpm_cert \ - test_tpm2_swtpm_cert_ecc \ - test_tpm2_swtpm_setup_create_cert --if HAVE_TCSD --TESTS += \ -- test_tpm2_samples_create_tpmca --endif - endif - - EXTRA_DIST=$(TESTS) \ diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb b/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb deleted file mode 100644 index 63734b9..0000000 --- a/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb +++ /dev/null 
@@ -1,51 +0,0 @@ -SUMMARY = "SWTPM - Software TPM Emulator" -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8" -SECTION = "apps" - -# expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests -DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib" - -SRCREV = "98187d24fe14851653a7c46eb16e9c5f0b9beaa1" -SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.6;protocol=https \ - file://ioctl_h.patch \ - file://oe_configure.patch \ - " -PE = "1" - -S = "${WORKDIR}/git" - -PARALLEL_MAKE = "" -inherit autotools pkgconfig perlnative - -TSS_USER="tss" -TSS_GROUP="tss" - -PACKAGECONFIG ?= "openssl" -PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" -PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}" -PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl" -# expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is -# used by swtpm-create-tpmca (the last two is provided by gnutls) -# gnutls is required by: swtpm-create-tpmca, swtpm-localca and swtpm_cert -PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls, gnutls, expect bash tpm2-pkcs11-tools" -PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux" -PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse" -PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp" - -EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}" - -USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM:${PN} = "--system ${TSS_USER}" -USERADD_PARAM:${PN} = "--system -g ${TSS_GROUP} --home-dir \ - --no-create-home --shell /bin/false ${BPN}" - - -PACKAGE_BEFORE_PN = "${PN}-cuse" -FILES:${PN}-cuse = "${bindir}/swtpm_cuse" - -INSANE_SKIP:${PN} += "dev-so" - -RDEPENDS:${PN} = "libtpm" - -BBCLASSEXTEND = "native nativesdk" 
diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb b/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb new file mode 100644 index 0000000..85e4c5d --- /dev/null +++ b/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb 
@@ -0,0 +1,50 @@ +SUMMARY = "SWTPM - Software TPM Emulator" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8" +SECTION = "apps" + +# expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests +DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib" + +SRCREV = "92a7035f45d9b08aa7c6b8bd6fa4c6916ef07a9e" +SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.7-next;protocol=https \ + file://ioctl_h.patch \ + " +PE = "1" + +S = "${WORKDIR}/git" + +PARALLEL_MAKE = "" +inherit autotools pkgconfig perlnative + +TSS_USER="tss" +TSS_GROUP="tss" + +PACKAGECONFIG ?= "openssl" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}" +PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl" +# expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is +# used by swtpm-create-tpmca (the last two is provided by gnutls) +# gnutls is required by: swtpm-create-tpmca, swtpm-localca and swtpm_cert +PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls, gnutls, expect bash tpm2-pkcs11-tools" +PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux" +PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse" +PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp" + +EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}" + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM:${PN} = "--system ${TSS_USER}" +USERADD_PARAM:${PN} = "--system -g ${TSS_GROUP} --home-dir \ + --no-create-home --shell /bin/false ${BPN}" + + +PACKAGE_BEFORE_PN = "${PN}-cuse" +FILES:${PN}-cuse = "${bindir}/swtpm_cuse" + +INSANE_SKIP:${PN} += "dev-so" + +RDEPENDS:${PN} = "libtpm" + +BBCLASSEXTEND = "native nativesdk" -- cgit v1.2.3-54-g00ecf
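Review bot: In the new recipe's `USERADD_PARAM:${PN}`, `--home-dir` is given no path before the backslash continuation, so the next token `--no-create-home` is what useradd will most likely consume as the home-directory argument, leaving the service account with a bogus home entry and the no-create-home flag not actually applied. The same block creates the account as `${BPN}` (swtpm) while configure is passed `--with-tss-user=${TSS_USER}` (tss), and `GROUPADD_PARAM:${PN}` names the group with `${TSS_USER}` rather than `${TSS_GROUP}`; these only line up today because both variables default to "tss", and an override of either would silently break the other. I would write `GROUPADD_PARAM:${PN} = "--system ${TSS_GROUP}"` and `USERADD_PARAM:${PN} = "--system -g ${TSS_GROUP} --no-create-home --shell /bin/false ${TSS_USER}"` (or give `--home-dir` an explicit path), unless the swtpm account name is relied on elsewhere in the layer. This is carried over verbatim from the deleted 0.6.1 recipe rather than introduced by the bump, but the freshly created file is the natural place to correct it.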