diff --git a/backport-CVE-2024-29038.patch b/backport-CVE-2024-29038.patch deleted file mode 100644 index aed3acae39583e30b2a7faf64d38d7b44985992e..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-29038.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 66d922d6547b7b4fe4f274fb2ec10b376e0e259 Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Thu, 2 May 2024 09:00:17 +0800 -Subject: [PATCH] tpm2_checkquote: Fix check of magic number. -It was not checked whether the magic number in the -attest is equal to TPM2_GENERATED_VALUE. -So an malicious attacker could generate arbitrary quote data -which was not detected by tpm2 checkquote. - -Fixes: CVE-2024-29038 - -Signed-off-by: Juergen Repp ---- - tools/misc/tpm2_checkquote.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c -index fe8ef11..b3947e7 100644 ---- a/tools/misc/tpm2_checkquote.c -+++ b/tools/misc/tpm2_checkquote.c -@@ -128,6 +128,13 @@ static bool verify(void) { - goto err; - } - -+ // check magic -+ if (ctx.attest.magic != TPM2_GENERATED_VALUE) { -+ LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x", -+ ctx.attest.magic, TPM2_GENERATED_VALUE); -+ return false; -+ } -+ - // Also ensure digest from quote matches PCR digest - if (ctx.flags.pcr) { - if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest, --- -2.23.0 - diff --git a/backport-CVE-2024-29039.patch b/backport-CVE-2024-29039.patch deleted file mode 100644 index 8b37b7d8cd073fb04230a727a6d2a0f76f219c45..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-29039.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 98599df9392a346216c5a059b8d35271286100bb Mon Sep 17 00:00:00 2001 -From: Juergen Repp -Date: Thu, 2 May 2024 09:10:01 +0800 -Subject: [PATCH] tpm2_checkquote: Add comparison of pcr selection. -The pcr selection which is passed with the --pcr parameter it not -compared with the attest. So it's possible to fake a valid -attestation. - -Fixes: CVE-2024-29039 - -Signed-off-by: Juergen Repp -Signed-off-by: Andreas Fuchs ---- - tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++- - 1 file changed, 40 insertions(+), 1 deletion(-) - -diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c -index b3947e7..81de000 100644 ---- a/tools/misc/tpm2_checkquote.c -+++ b/tools/misc/tpm2_checkquote.c -@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = { - .pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer), - }; - -+static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) { -+ if (attest_sel->count != pcr_sel->count) { -+ LOG_ERR("Selection sizes do not match."); -+ return false; -+ } -+ for (uint32_t i = 0; i < attest_sel->count; i++) { -+ for (uint32_t j = 0; j < pcr_sel->count; j++) { -+ if (attest_sel->pcrSelections[i].hash == -+ pcr_sel->pcrSelections[j].hash) { -+ if (attest_sel->pcrSelections[i].sizeofSelect != -+ pcr_sel->pcrSelections[j].sizeofSelect) { -+ LOG_ERR("Bitmask size does not match"); -+ return false; -+ } -+ if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0], -+ &pcr_sel->pcrSelections[j].pcrSelect[0], -+ attest_sel->pcrSelections[i].sizeofSelect) != 0) { -+ LOG_ERR("Selection bitmasks do not match"); -+ return false; -+ } -+ break; -+ } -+ if (j == pcr_sel->count - 1) { -+ LOG_ERR("Hash selections to not match."); -+ return false; -+ } -+ } -+ } -+ return true; -+} -+ - static bool verify(void) { - - bool result = false; -@@ -394,7 +425,7 @@ static tool_rc init(void) { - } - - TPM2B_ATTEST *msg = NULL; -- TPML_PCR_SELECTION pcr_select; -+ TPML_PCR_SELECTION 
pcr_select = { 0 }; - tpm2_pcrs *pcrs; - tpm2_pcrs temp_pcrs = {}; - tool_rc return_value = tool_rc_general_error; -@@ -557,6 +588,14 @@ static tool_rc init(void) { - goto err; - } - -+ if (ctx.flags.pcr) { -+ if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect, -+ &pcr_select)) { -+ LOG_ERR("PCR selection does not match PCR slection from attest!"); -+ goto err; -+ } -+ } -+ - // Figure out the digest for this message - res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData, - msg->size, &ctx.msg_hash); --- -2.23.0 - diff --git a/revert-sm2-sign-and-verifysignature.patch b/revert-sm2-sign-and-verifysignature.patch deleted file mode 100644 index 66726662ee6852da3200853964ed03c8d2465e9b..0000000000000000000000000000000000000000 --- a/revert-sm2-sign-and-verifysignature.patch +++ /dev/null 
@@ -1,406 +0,0 @@ -From 7acc98aec8925b938212bdd0aabc1b6d176c24c1 Mon Sep 17 00:00:00 2001 -From: mayuanchen <94815698+mayuanchenma@users.noreply.github.com> -Date: Thu, 5 Jan 2023 21:46:55 +0800 -Subject: [PATCH] revert: sm2 sign and verifysignature. - -Although tpm2 tools sm2 sign and verifysignature conform to sm2 standard, -sm2 only sign and verifysignature the digest in the tpm2. so keep pace -with tpm2 and remove the code. - -Signed-off-by: mayuanchen <94815698+mayuanchenma@users.noreply.github.com> ---- - lib/tpm2_alg_util.c | 93 ------------------------- - lib/tpm2_alg_util.h | 27 -------- - lib/tpm2_hash.c | 127 ----------------------------------- - lib/tpm2_hash.h | 49 -------------- - tools/tpm2_sign.c | 16 +---- - tools/tpm2_verifysignature.c | 16 +---- - 6 files changed, 4 insertions(+), 324 deletions(-) - -diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c -index 9b7f3d73..65739fc7 100644 ---- a/lib/tpm2_alg_util.c -+++ b/lib/tpm2_alg_util.c -@@ -1145,96 +1145,3 @@ TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle) { - Esys_Free(name); - return name_alg; - } -- --tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle, const char *id, size_t idlen, TPM2B_DIGEST *result) { -- -- TPMS_ALGORITHM_DETAIL_ECC *parameters = NULL; -- TPM2B_PUBLIC *public = NULL; -- TPM2B *id_input = NULL; -- TPM2B_DIGEST *tmp_digest = NULL; -- -- if (!id || !result) { -- return tool_rc_general_error; -- } -- -- /* 2-byte id length in bits */ -- if (strlen(id) != idlen) { -- LOG_ERR("invalid sm2 id!"); -- return tool_rc_general_error; -- } -- -- if (idlen > SM2_MAX_ID_LENGTH || idlen <= 0) { -- LOG_ERR("invalid id length!"); -- return tool_rc_general_error; -- } -- -- tool_rc rc = tpm2_geteccparameters(ectx, TPM2_ECC_SM2_P256, ¶meters, -- NULL, TPM2_ALG_NULL); -- if (rc != tool_rc_success) { -- LOG_ERR("Could not get ecc parameters!"); -- goto out; -- } -- -- rc = tpm2_readpublic(ectx, handle, &public, NULL, NULL); -- if (rc != 
tool_rc_success) { -- LOG_ERR("Could not read public!"); -- goto out; -- } -- -- UINT16 key_nbytes = parameters->keySize/8; -- if (public->publicArea.type != TPM2_ALG_ECC || -- public->publicArea.parameters.eccDetail.curveID != TPM2_ECC_SM2_P256 || -- public->publicArea.unique.ecc.x.size != key_nbytes || -- public->publicArea.unique.ecc.y.size != key_nbytes) { -- LOG_ERR("invalid sm2 public key!"); -- rc = tool_rc_general_error; -- goto out; -- } -- -- BYTE idbits[2]; -- idbits[0] = ((idlen * 8) >> 8) % 256; -- idbits[1] = (idlen * 8) % 256; -- -- UINT16 total_size = sizeof(idbits) + idlen + 6 * key_nbytes; -- -- id_input = (TPM2B *) calloc(1, sizeof(TPM2B) + total_size); -- if (id_input == NULL) { -- LOG_ERR("Could not calloc memory!"); -- rc = tool_rc_general_error; -- goto out; -- } -- -- id_input->size = total_size; -- -- UINT16 pos = 0; -- memcpy(id_input->buffer + pos, idbits, sizeof(idbits)); -- pos += sizeof(idbits); -- memcpy(id_input->buffer + pos, id, idlen); -- pos += idlen; -- memcpy(id_input->buffer + pos, parameters->a.buffer, key_nbytes); -- pos += key_nbytes; -- memcpy(id_input->buffer + pos, parameters->b.buffer, key_nbytes); -- pos += key_nbytes; -- memcpy(id_input->buffer + pos, parameters->gX.buffer, key_nbytes); -- pos += key_nbytes; -- memcpy(id_input->buffer + pos, parameters->gY.buffer, key_nbytes); -- pos += key_nbytes; -- memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.x.buffer, key_nbytes); -- pos += key_nbytes; -- memcpy(id_input->buffer + pos, public->publicArea.unique.ecc.y.buffer, key_nbytes); -- -- rc = tpm2_hash_compute_data(ectx, TPM2_ALG_SM3_256, TPM2_RH_OWNER, -- id_input->buffer, id_input->size, &tmp_digest, NULL); -- if (rc != tool_rc_success) { -- goto out; -- } -- -- *result = *tmp_digest; -- --out: -- free(id_input); -- Esys_Free(public); -- Esys_Free(tmp_digest); -- Esys_Free(parameters); -- return rc; --} -diff --git a/lib/tpm2_alg_util.h b/lib/tpm2_alg_util.h -index 83cecb17..ae5e3fbb 100644 ---- 
a/lib/tpm2_alg_util.h -+++ b/lib/tpm2_alg_util.h -@@ -239,31 +239,4 @@ bool tpm2_alg_util_is_sm4_size_valid(UINT16 size_in_bytes); - */ - TPM2_ALG_ID tpm2_alg_util_get_name_alg(ESYS_CONTEXT *ectx, ESYS_TR handle); - --#define SM2_MAX_ID_BITS 65535 --#define SM2_MAX_ID_LENGTH (SM2_MAX_ID_BITS/8) --#define SM2_DEFAULT_ID_GMT09 "1234567812345678" --#define SM2_DEFAULT_ID SM2_DEFAULT_ID_GMT09 --#define SM2_DEFAULT_ID_LENGTH (sizeof(SM2_DEFAULT_ID) - 1) -- --/** -- * Given an ESYS_TR handle to an object, retrieves ecc sm2 parameters -- * with making a geteccparameters call, retrieves the public key with -- * making a readpublic call, and compute id digest. -- * -- * @param ectx -- * The ESAPI context. -- * @param handle -- * The handle of the object to query. -- * @param id -- * sm2 id. -- * @param idlen -- * sm2 id length. -- * @param result -- * sm2 id digest output. -- * @return -- * tool_rc indicating status. -- */ --tool_rc tpm2_alg_util_sm2_compute_id_digest(ESYS_CONTEXT *ectx, ESYS_TR handle, -- const char *id, size_t idlen, TPM2B_DIGEST *result); -- - #endif /* LIB_TPM2_ALG_UTIL_H_ */ -diff --git a/lib/tpm2_hash.c b/lib/tpm2_hash.c -index c0ad2bc5..a3c0dd7d 100644 ---- a/lib/tpm2_hash.c -+++ b/lib/tpm2_hash.c -@@ -134,130 +134,3 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, - return tpm2_hash_common(ectx, halg, hierarchy, input, NULL, 0, result, - validation); - } -- --static tool_rc tpm2_sm2_compute_msg_digest(ESYS_CONTEXT *ectx, -- TPMI_ALG_HASH halg, TPMI_RH_HIERARCHY hierarchy, FILE *infilep, -- BYTE *inbuffer, UINT16 inbuffer_len, TPM2B_DIGEST *z_digest, -- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { -- -- /* if we're using infilep, get file size */ -- bool use_left = true; -- unsigned long left = inbuffer_len; -- if (!!infilep) { -- /* Suppress error reporting with NULL path */ -- use_left = files_get_file_size(infilep, &left, NULL); -- } -- -- TPM2B_MAX_BUFFER buffer = {0}; -- if (z_digest->size <= 
BUFFER_SIZE(typeof(*z_digest), buffer)) { -- buffer.size = z_digest->size; -- memcpy(buffer.buffer, z_digest->buffer, z_digest->size); -- } else { -- return tool_rc_general_error; -- } -- -- /* -- * length is either unknown because the FILE * is a fifo, or it's too -- * big to do in a single hash call. Based on the size figure out the -- * chunks to loop over, if possible. This way we can call Complete with -- * data. -- */ -- TPMI_DH_OBJECT sequence_handle; -- TPM2B_AUTH null_auth = TPM2B_EMPTY_INIT; -- tool_rc rc = tpm2_hash_sequence_start(ectx, &null_auth, halg, &sequence_handle); -- if (rc != tool_rc_success) { -- return rc; -- } -- -- rc = tpm2_sequence_update(ectx, sequence_handle, &buffer); -- if (rc != tool_rc_success) { -- return rc; -- } -- /* If we know the file size, we decrement the amount read and terminate -- * the loop when 1 block is left, else we go till feof. -- */ -- bool done = false; -- if (use_left && left <= TPM2_MAX_DIGEST_BUFFER) { -- done = true; -- } else { -- done = false; -- } -- -- size_t bytes_read; -- while (!done) { -- /* if we're using infilep, read the file. Otherwise, directly -- copy into our local buffer. 
*/ -- buffer.size = BUFFER_SIZE(typeof(buffer), buffer); -- if (!!infilep) { -- bytes_read = fread(buffer.buffer, 1, buffer.size, infilep); -- if (ferror(infilep)) { -- LOG_ERR("Error reading from input file"); -- return tool_rc_general_error; -- } else { -- buffer.size = bytes_read; -- } -- } else { -- memcpy(buffer.buffer, inbuffer, buffer.size); -- inbuffer = inbuffer + buffer.size; -- } -- -- rc = tpm2_sequence_update(ectx, sequence_handle, &buffer); -- if (rc != tool_rc_success) { -- return rc; -- } -- -- if (use_left) { -- left -= buffer.size; -- if (left <= TPM2_MAX_DIGEST_BUFFER) { -- done = true; -- continue; -- } -- } else if (!!infilep && feof(infilep)) { -- done = true; -- } -- } /* end file read/hash update loop */ -- -- /* if there is data left, get the last bit of data from the file or -- buffer or set the size to zero */ -- if (use_left) { -- buffer.size = left; -- if (!!infilep) { -- bool res = files_read_bytes(infilep, buffer.buffer, buffer.size); -- if (!res) { -- LOG_ERR("Error reading from input file."); -- return tool_rc_general_error; -- } -- } else { -- memcpy(buffer.buffer, inbuffer, buffer.size); -- } -- } else { -- buffer.size = 0; -- } -- -- return tpm2_sequence_complete(ectx, sequence_handle, -- &buffer, hierarchy, result, validation); --} -- --tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, -- TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length, -- TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { -- -- if (!buffer || !z) { -- return tool_rc_general_error; -- } -- -- return tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, NULL, buffer, length, -- z, result, validation); --} -- --tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, -- TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z, -- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation) { -- -- if (!input || !z) { -- return tool_rc_general_error; -- } -- -- return 
tpm2_sm2_compute_msg_digest(ectx, halg, hierarchy, input, NULL, 0, z, -- result, validation); --} -diff --git a/lib/tpm2_hash.h b/lib/tpm2_hash.h -index ac4729ba..12e8e0bd 100644 ---- a/lib/tpm2_hash.h -+++ b/lib/tpm2_hash.h -@@ -53,53 +53,4 @@ tool_rc tpm2_hash_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, - TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST **result, - TPMT_TK_HASHCHECK **validation); - --/** -- * Hashes a BYTE array via the tpm. -- * @param context -- * The esapi context. -- * @param hash_alg -- * The hashing algorithm to use. -- * @param hierarchy -- * The hierarchy. -- * @param buffer -- * The data to hash. -- * @param length -- * The length of the data. -- * @param input -- * The sm2 id digest. -- * @param result -- * The digest result. -- * @param validation -- * The validation ticket. Note that some hierarchies don't produce a -- * validation ticket and thus size will be 0. -- * @return -- * A tool_rc indicating status. -- */ --tool_rc tpm2_sm2_compute_msg_digest_data(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, -- TPMI_RH_HIERARCHY hierarchy, BYTE *buffer, UINT16 length, -- TPM2B_DIGEST *z, TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation); -- --/** -- * Hashes a FILE * object via the tpm. -- * @param context -- * The esapi context. -- * @param hash_alg -- * The hashing algorithm to use. -- * @param hierarchy -- * The hierarchy. -- * @param input -- * The FILE object to hash. -- * @param input -- * The sm2 id digest. -- * @param result -- * The digest result. -- * @param validation -- * The validation ticket. Note that some hierarchies don't produce a -- * validation ticket and thus size will be 0. -- * @return -- * A tool_rc indicating status. 
-- */ --tool_rc tpm2_sm2_compute_msg_digest_file(ESYS_CONTEXT *ectx, TPMI_ALG_HASH halg, -- TPMI_RH_HIERARCHY hierarchy, FILE *input, TPM2B_DIGEST *z, -- TPM2B_DIGEST **result, TPMT_TK_HASHCHECK **validation); - #endif /* SRC_TPM_HASH_H_ */ -diff --git a/tools/tpm2_sign.c b/tools/tpm2_sign.c -index 7c7b3ce7..77d7c2a8 100644 ---- a/tools/tpm2_sign.c -+++ b/tools/tpm2_sign.c -@@ -140,20 +140,8 @@ static tool_rc process_inputs(ESYS_CONTEXT *ectx) { - return tool_rc_general_error; - } - -- if (ctx.in_scheme.scheme == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) { -- TPM2B_DIGEST z_digest; -- rc = tpm2_alg_util_sm2_compute_id_digest(ectx, ctx.signing_key.object.tr_handle, -- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest); -- if (rc != tool_rc_success) { -- LOG_ERR("Sign could not compute id digest"); -- } else { -- rc = tpm2_sm2_compute_msg_digest_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &z_digest, -- &ctx.digest, &temp_validation_ticket); -- } -- } else { -- rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest, -- &temp_validation_ticket); -- } -+ rc = tpm2_hash_file(ectx, ctx.halg, TPM2_RH_OWNER, input, &ctx.digest, -+ &temp_validation_ticket); - if (input != stdin) { - fclose(input); - } -diff --git a/tools/tpm2_verifysignature.c b/tools/tpm2_verifysignature.c -index a0f76077..240165d6 100644 ---- a/tools/tpm2_verifysignature.c -+++ b/tools/tpm2_verifysignature.c -@@ -158,20 +158,8 @@ static tool_rc init(ESYS_CONTEXT *context) { - goto err; - } - -- if (ctx.signature.sigAlg == TPM2_ALG_SM2 && ctx.halg == TPM2_ALG_SM3_256) { -- TPM2B_DIGEST z_digest; -- tmp_rc = tpm2_alg_util_sm2_compute_id_digest(context, ctx.key_context_object.tr_handle, -- SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &z_digest); -- if (tmp_rc != tool_rc_success) { -- LOG_ERR("Verify could not compute id digest"); -- } else { -- tmp_rc = tpm2_sm2_compute_msg_digest_data(context, ctx.halg, TPM2_RH_NULL, -- msg->buffer, msg->size, &z_digest, &ctx.msg_hash, NULL); -- } -- } else { -- 
tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL, -- msg->buffer, msg->size, &ctx.msg_hash, NULL); -- } -+ tmp_rc = tpm2_hash_compute_data(context, ctx.halg, TPM2_RH_NULL, -+ msg->buffer, msg->size, &ctx.msg_hash, NULL); - if (tmp_rc != tool_rc_success) { - rc = tmp_rc; - LOG_ERR("Compute message hash failed!"); --- -2.27.0 - diff --git a/tpm2-tools-5.5.tar.gz b/tpm2-tools-5.5.tar.gz deleted file mode 100644 index 127cb3e84f1566940f0b0377181abb6dd86820be..0000000000000000000000000000000000000000 Binary files a/tpm2-tools-5.5.tar.gz and /dev/null differ diff --git a/tpm2-tools-5.7-do-not-exit-when-missing-pandoc.patch b/tpm2-tools-5.7-do-not-exit-when-missing-pandoc.patch new file mode 100644 index 0000000000000000000000000000000000000000..20d730d57b111a5284ba30f6df48fe2818103481 --- /dev/null +++ b/tpm2-tools-5.7-do-not-exit-when-missing-pandoc.patch @@ -0,0 +1,18 @@ +--- tpm2-tools-5.7/Makefile.am.orig 2024-10-03 00:23:16.260275300 +0800 ++++ tpm2-tools-5.7/Makefile.am 2024-10-03 00:23:23.526223900 +0800 +@@ -664,5 +664,4 @@ + # If pandoc is not enabled, we want to complain that you need pandoc for make dist, + # so hook the target and complain. + @(>&2 echo "You do not have pandoc, a requirement for the distribution of manpages") +- @exit 1 + endif +--- tpm2-tools-5.7/Makefile.in.orig 2024-10-03 00:23:31.203893900 +0800 ++++ tpm2-tools-5.7/Makefile.in 2024-10-03 00:23:40.973683600 +0800 +@@ -6587,7 +6587,6 @@ + # If pandoc is not enabled, we want to complain that you need pandoc for make dist, + # so hook the target and complain. + @HAVE_PANDOC_FALSE@ @(>&2 echo "You do not have pandoc, a requirement for the distribution of manpages") +-@HAVE_PANDOC_FALSE@ @exit 1 + + # Tell versions [3.59,3.63) of GNU make to not export all variables. + # Otherwise a system limit (for SysV at least) may be exceeded. 
diff --git a/tpm2-tools-5.7.tar.gz b/tpm2-tools-5.7.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..8883c10d9dca5ad997d575463cbf387ba5439f9b Binary files /dev/null and b/tpm2-tools-5.7.tar.gz differ diff --git a/tpm2-tools.spec b/tpm2-tools.spec index eba24150c37dcd1fc8410cfdc092fc8e8e037736..69e1f41037b756b5aff4f405e84eb6c232246fd3 100644 --- a/tpm2-tools.spec +++ b/tpm2-tools.spec @@ -1,21 +1,26 @@ Name: tpm2-tools -Version: 5.5 -Release: 3 +Version: 5.7 +Release: 1 Summary: A TPM2.0 testing tool based on TPM2.0-TSS -License: BSD +License: BSD-3-Clause URL: https://github.com/tpm2-software/tpm2-tools Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz - -Patch0: backport-CVE-2024-29038.patch -Patch1: backport-CVE-2024-29039.patch -Patch2: revert-sm2-sign-and-verifysignature.patch - -BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl) -BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) libgcrypt -BuildRequires: libgcrypt-devel -Requires: tpm2-tss >= 2.3.1 -Requires: tpm2-tools-help = %{version}-%{release} -Obsoletes: tpm2-tools <= 2.1.1-2 +Patch0: tpm2-tools-5.7-do-not-exit-when-missing-pandoc.patch + +BuildRequires: gcc-c++ +BuildRequires: pkgconfig(bash-completion) +BuildRequires: pkgconfig(cmocka) +BuildRequires: pkgconfig(efivar) +BuildRequires: pkgconfig(libcrypto) >= 1.1.0 +BuildRequires: pkgconfig(libcurl) +BuildRequires: pkgconfig(tss2-esys) >= 2.4.0 +BuildRequires: pkgconfig(tss2-fapi) +BuildRequires: pkgconfig(tss2-mu) +BuildRequires: pkgconfig(tss2-rc) +BuildRequires: pkgconfig(tss2-sys) +BuildRequires: pkgconfig(tss2-tctildr) +Requires: tpm2-tss >= 2.4.0 +Obsoletes: tpm2-tools-help < %{version}-%{release} %description The package contains the code for the TPM (Trusted Platform Module) 2.0 
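Review bot: Dropping `Patch0: backport-CVE-2024-29038.patch` and `Patch1: backport-CVE-2024-29039.patch` is only safe if the 5.7 tarball already carries both fixes, and nothing in this diff shows that it does. Before merging, confirm that `tools/misc/tpm2_checkquote.c` in the new source contains the `ctx.attest.magic != TPM2_GENERATED_VALUE` check and the `compare_pcr_selection()` call guarded by `ctx.flags.pcr`. The same check applies to the SM2 code that `revert-sm2-sign-and-verifysignature.patch` used to remove. The `%changelog` entry in the next hunk says only `- update to 5.7`; a line such as `- drop backport-CVE-2024-29038.patch and backport-CVE-2024-29039.patch, fixed upstream` would keep the CVE status traceable for anyone auditing the package.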
@@ -24,42 +29,31 @@ tools based on tpm2-tss. The tpm2-tools projects aims to deliver both low-level and aggregate command line tools that provide access to a tpm2.0 compatible device. -%package_help - %prep %autosetup -n %{name}-%{version} -p1 %build -%configure --prefix=/usr --disable-static --disable-silent-rules -make %{?_smp_mflags} V=1 +%configure --disable-static --disable-silent-rules +%make_build %install -rm -rf %{buildroot} %make_install %check -make check - -%pre - -%preun - -%post - -%postun +%make_build check %files -%defattr(-,root,root) %license docs/LICENSE +%doc docs/README.md docs/CHANGELOG.md %{_bindir}/* %{_datadir}/bash-completion/completions/tpm2* %{_datadir}/bash-completion/completions/tss2* - -%files help -%doc docs/README.md docs/CHANGELOG.md %{_mandir}/*/* %changelog +* Wed Oct 02 2024 Funda Wang - 5.7-1 +- update to 5.7 + * Fri Jun 21 2024 bianxiuning - 5.5-3 - revert sm2 sign and verifysignature diff --git a/tpm2-tools.yaml b/tpm2-tools.yaml index d7d2b55ccec56648cee8cc5adc2fcd2a9643d658..6f95ad2a0c82080457f684cdd09d401199e9d770 100644 --- a/tpm2-tools.yaml +++ b/tpm2-tools.yaml @@ -1,4 +1,4 @@ version_control: github src_repo: "tpm2-software/tpm2-tools" tag_prefix: -seperator: +separator:
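Review bot: The help subpackage is folded into the main package in this hunk (`%package_help` and `%files help` are removed, and the man pages and docs move to `%files`), but the earlier hunk adds only `Obsoletes: tpm2-tools-help < %{version}-%{release}`. Any package or kickstart that still requires `tpm2-tools-help` by name would be left without a provider after the upgrade. Adding `Provides: tpm2-tools-help = %{version}-%{release}` next to the Obsoletes line would cover that case.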