From ba6e63314dfb1c18f337db36d17a6694e7b022d9 Mon Sep 17 00:00:00 2001
From: zyppe <210hcl@gmail.com>
Date: Thu, 29 Feb 2024 15:56:00 +0800
Subject: [PATCH] Initialize for tpm2-0-tss
---
 .gitignore | 1 +
 .tpm2-0-tss.metadata | 1 +
 ..._rc-ensure-layer-number-is-in-bounds.patch | 90 +++++
 baselibs.conf | 10 +
 tpm2-0-tss.changes | 364 ++++++++++++++++++
 tpm2-0-tss.spec | 291 ++++++++++++++
 6 files changed, 757 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .tpm2-0-tss.metadata
 create mode 100644 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
 create mode 100644 baselibs.conf
 create mode 100644 tpm2-0-tss.changes
 create mode 100644 tpm2-0-tss.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..dfbb084
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+tpm2-tss-3.1.0.tar.gz
diff --git a/.tpm2-0-tss.metadata b/.tpm2-0-tss.metadata
new file mode 100644
index 0000000..7995977
--- /dev/null
+++ b/.tpm2-0-tss.metadata
@@ -0,0 +1 @@
+53825fa88d437d7e433493510181af5df86e3f8adaae7b951bb5850ed4b69f49 tpm2-tss-3.1.0.tar.gz
diff --git a/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch b/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
new file mode 100644
index 0000000..6c08d88
--- /dev/null
+++ b/0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
@@ -0,0 +1,90 @@
+From 306490c8d848c367faa2d9df81f5e69dab46ffb5 Mon Sep 17 00:00:00 2001
+From: William Roberts
+Date: Thu, 19 Jan 2023 11:53:06 -0600
+Subject: [PATCH] tss2_rc: ensure layer number is in bounds
+
+The layer handler array was defined as 255, the max number of uint8,
+which is the size of the layer field, however valid values are 0-255
+allowing for 256 possibilities and thus the array was off by one and
+needed to be sized to 256 entries. Update the size and add tests.
+
+Note: previous implementations incorrectly dropped bits on unknown error
+output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
+but earlier implementations returned 255:0xFFFF, dropping the middle
+bits, this patch fixes that.
+
+Fixes: CVE-2023-22745
+
+Signed-off-by: William Roberts
+---
+ src/tss2-rc/tss2_rc.c | 31 +++++++++++++++++++++----------
+ test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
+ 2 files changed, 41 insertions(+), 11 deletions(-)
+
+Index: tpm2-tss-3.1.0/src/tss2-rc/tss2_rc.c
+===================================================================
+--- tpm2-tss-3.1.0.orig/src/tss2-rc/tss2_rc.c
++++ tpm2-tss-3.1.0/src/tss2-rc/tss2_rc.c
+@@ -1,5 +1,8 @@
+ /* SPDX-License-Identifier: BSD-2-Clause */
+-
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++#include
+ #include
+ #include
+ #include
+@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc)
+ static struct {
+ char name[TSS2_ERR_LAYER_NAME_MAX];
+ TSS2_RC_HANDLER handler;
+-} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
++} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
+ ADD_HANDLER("tpm" , tpm2_ehandler),
+ ADD_NULL_HANDLER, /* layer 1 is unused */
+ ADD_NULL_HANDLER, /* layer 2 is unused */
+@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc)
+ static __thread char buf[32];
+ 
+ clearbuf(buf);
+- catbuf(buf, "0x%X", tpm2_error_get(rc));
++ catbuf(buf, "0x%X", rc);
+ 
+ return buf;
+ }
+@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc)
+ catbuf(buf, "%u:", layer);
+ }
+ 
+- handler = !handler ? unknown_layer_handler : handler;
+-
+ /*
+ * Handlers only need the error bits. This way they don't
+ * need to concern themselves with masking off the layer
+ * bits or anything else.
+ */
+- UINT16 err_bits = tpm2_error_get(rc);
+- const char *e = err_bits ? handler(err_bits) : "success";
+- if (e) {
+- catbuf(buf, "%s", e);
++ if (handler) {
++ UINT16 err_bits = tpm2_error_get(rc);
++ const char *e = err_bits ? handler(err_bits) : "success";
++ if (e) {
++ catbuf(buf, "%s", e);
++ } else {
++ catbuf(buf, "0x%X", err_bits);
++ }
+ } else {
+- catbuf(buf, "0x%X", err_bits);
++ /*
++ * we don't want to drop any bits if we don't know what to do with it
++ * so drop the layer byte since we we already have that.
++ */
++ const char *e = unknown_layer_handler(rc >> 8);
++ assert(e);
++ catbuf(buf, "%s", e);
+ }
+ 
+ return buf;
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..1f35d94
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,10 @@
+libtss2-esys0
+libtss2-fapi1
+libtss2-mu0
+libtss2-rc0
+libtss2-sys1
+libtss2-tcti-cmd0
+libtss2-tcti-device0
+libtss2-tctildr0
+libtss2-tcti-mssim0
+libtss2-tcti-swtpm0
diff --git a/tpm2-0-tss.changes b/tpm2-0-tss.changes
new file mode 100644
index 0000000..6c8a9ff
--- /dev/null
+++ b/tpm2-0-tss.changes
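Review bot: The embedded patch's own diffstat lists `test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-` and its description says "add tests", but the rebased body carries only the `Index: tpm2-tss-3.1.0/src/tss2-rc/tss2_rc.c` section, so the regression test for the layer-255 case that justifies the `layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1]` sizing has been dropped; either carry the test hunk as well or trim the stale diffstat so a reader is not told a test ships with the fix. The lookup that indexes `layer_handler[]` with `layer` sits above the `@@ -966` context (`Tss2_RC_Decode` begins outside the hunk), so that `layer` is still obtained by masking the RC to eight bits should be confirmed against the 3.1.0 source rather than assumed from this excerpt. The added `++#include` line shows no header name in this rendering while the new `assert(e)` needs `<assert.h>`; presumably an extraction artifact, but worth checking that the patch file in the repository names it, since the build would fail otherwise.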
@@ -0,0 +1,364 @@ +* Fri Jan 20 2023 matthias.gerstner@suse.com +- add 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch: fixes + CVE-2023-22745 (bsc#1207325): Buffer Overlow in TSS2_RC_Decode. Overly large + RC values passed to the TSS2 function could lead to memory overread or + memory overread. +* Wed Dec 8 2021 aplanas@suse.com +- Version 3.1.0 includes: + + cover update to 2.4.5 (jsc#SLE-17366) + + cover update to 2.3.0 (jsc#SLE-9515) + + fix policy session for TPM2_PolicyAuthValue (bsc#1160736) +- Add version the configuration file tpm2-tss-fapi.conf +* Thu Jul 15 2021 gmbr3@opensuse.org +- Remove conflicting sysusers.d file +* Wed Jul 14 2021 gmbr3@opensuse.org +- Clean spec file +- Add new library libtss2-tcti-pcap0 +- Update to 3.1.0: + * Fix FAPI PolicyPCR not instatiating correctly (CVE-2020-24455) + * Fixed possible access outside the array in ifapi_calculate_tree + * Added pcap TCTI + * Added GlobalSign TPM Root CA certs to FAPI cert store + * Changed EncryptDecrypt mode type to align with TPM2.0 spec 1.59 + * Added two new TPM commands TPM2_CC_CertifyX509, + and TPM2_CC_ACT_SetTimeout +* Mon Jun 28 2021 meissner@suse.com +- small services fixes and comments +* Thu Jan 28 2021 matthias.gerstner@suse.com +- update to 3.0.3: + - changes in 3.0.3: + * Fix Regression in Fapi_List + * Fix memory leak in policy calculation + - changes in 3.0.2: + * FAPI: Fix setting of the system flag of NV objects + * This will let NV object metadata be created system-wide always instead of + * locally in the user. Existing metadata will remain in the user directory. + * It can be moved to the corresponding systemstore manually if needed. 
+ * FAPI: Fix policy searching, when a policyRef was provided + * FAPI: Accept EK-Certs without CRL dist point + * FAPI: Fix return codes of Fapi_List + * FAPI: Fix memleak in policy execution + * FAPI: Fix coverity NULL-pointer check + * FAPI: Set the written flag of NV objects in FAPI PolicyNV commands + * FAPI: Fix deleting of policy files. + * FAPI: Fix wrong file loading during object search. + * Fapi: Fix memory leak + * Fapi: Fix potential NULL-Dereference + * Fapi: Remove superfluous NULL check + * Fix a memory leak in async keystore load. +* Thu Oct 22 2020 matthias.gerstner@suse.com +- move the tcti-fapi tmpfiles.d config file into the libtss2-fapi1 sub-package. +- improve the descriptions of new libraries (fapi1, cmd0, swtpm0) +- adjust baselibs.conf to match new library versions and added libraries +* Mon Oct 19 2020 guillaume.gardet@opensuse.org +- Update to 3.0.1, changelog at: + https://github.com/tpm2-software/tpm2-tss/blob/3.0.x/CHANGELOG.md +- Update libtss2-sys0 to libtss2-sys1 +- Add new libs: + * libtss2-fapi1 + * libtss2-tcti-cmd0 + * libtss2-tcti-swtpm0 +* Wed Feb 19 2020 mardnh@gmx.de +- Update to version 2.3.3 + * Fixed mixing salted and unsalted sessions in the same ESAPI + context + * Removed use of VLAs from TPML marshal code + * Added check for object node before calling compute_session_value + function + * Fixed auth calculation in Esys_StartAuthSession called with + optional parameters + * Fixed compute_encrypted_salt error handling in + Esys_StartAuthSession + * Fixed exported symbols map for libtss2-mu +* Fri Jan 31 2020 msuchanek@suse.com +- Use system-users for tss user creation (boo#1162360). +* Fri Jan 24 2020 dimstar@opensuse.org +- BuildRequire pkgconfig(udev) instead of udev: allow OBS to + shortcut through the -mini flavor. 
+* Sun Dec 29 2019 mardnh@gmx.de +- update to upstream version 2.3.2: + - changes since version 2.3.0: + - Fix unit tests on S390 architectures + - Fixed HMAC generation for policy sessions +* Wed Dec 11 2019 matthias.gerstner@suse.com +- update to upstream version 2.3.0: + - changes in version 2.3.0: + - tss2-tctildr: A new library that helps with tcti initialization + Recommend to use this in place of custom tcti loading code now ! + - tss2-rc: A new library that provides textual representations for return + codes + - Option to disable NIST-deprecated crypto (--disable-weak-crypto) + - Support Esys_TR_FromTPMPublic on sessions (for use in Esys_FlushContext) + - map-files with correct symbol lists for tss2-sys and tss2-esys + This may lead to unresolved symbols in linked applications + - Support to call Tss2_Sys_Execute repeatedly on certain errors + - Reduced RAM consumption in Esys due to Tss2_Sys_Execute change + - Automated session attribution clearing for esys (decrypt and encrypt) + per cmd + - Removed libtss2-mu from "Requires" field of libtss2-esys.pc + Needs to be added explicitely now + - All fixes from 2.2.1, 2.2.2 and 2.2.3 + - Fixed SPDX License Identifiers + - Fixed Null-pointer problems in tcti-tbs + - Fixed Default locality for tcti-mssim set to LOC_0 + - Fixed coverity and valgrind leaks detected in test programs (not library + code) +* Fri Aug 23 2019 matthias.gerstner@suse.com +- update to upstream version 2.2.3: + - changes in version 2.2.3: + * Fix computation of session name + * Fixed PolicyPassword handling of session Attributes + * Fixed windows build from dist ball + * Fixed default tcti configure option + * Fixed nonce size calculation in ESYS sessions + - changes in version 2.2.2: + * Fixed wrong encryption flag in EncryptDecrypt + * Fixing openssl engine invocation +* Fri Apr 26 2019 mvetter@suse.com +- bsc#1130588: Require shadow instead of old pwdutils +* Wed Mar 6 2019 matthias.gerstner@suse.com +- update to upstream version 2.2.1: + 
- changes from version 2.2.0: + - Fixed leak of hkey on success in iesys_cryptossl_hmac_start + - Fixed NULL ptr issues in Esys_HMAC_Start, Esys_HierarchyChangeAuth and Esys_NV_ChangeAuth + - Fixed NULL ptr issue in sequenceHandleNode + - Fixed NULL ptr auth handling in Esys_TR_SetAuth + - Fixed NULL auth handling in iesys_compute_session_value + - Fixed marshaling of TPM2Bs with sub types. + - Fixed NULL ptr session handling in Esys_TRSess_SetAttributes + - Fixed the way size of the hmac value of a session without authorization + - Added missing MU functions for TPM2_NT type + - Added missing MU functions for TPMA_ID_OBJECT type + - Added missing type TPM2_NT into tss2_tpm2_types.h + - Fixed wrong typename _ID_OBJECT in tss2_tpm2_types.h + - Fixed build breakage when --with-maxloglevel is not 'trace' + - Fixed build breakage in generated configure script when CFLAGS is set + - Fixed configure scritp ERROR_IF_NO_PROG macro + - Changed TPM2B type unmarshal to use sizeof of the dest buffer instead of dest + - Fixed unmarshaling of the TPM2B type with invalid size + - Removed dead code defect detected by coverity from Esys_TRSess_GetNonceTPM + - Added support for QNX build + - Added support for partial reads in device TCTI + - changes from version 2.1.1: + - Fixed leak of hkey on success in iesys_cryptossl_hmac_start + - Fixed NULL ptr issues in Esys_HMAC_Start, Esys_HierarchyChangeAuth and Esys_NV_ChangeAuth + - Fixed NULL ptr issue in sequenceHandleNode + - Fixed NULL ptr auth handling in Esys_TR_SetAuth + - Fixed NULL auth handling in iesys_compute_session_value + - Fixed marshaling of TPM2Bs with sub types. 
+ - Fixed NULL ptr session handling in Esys_TRSess_SetAttributes + - Fixed the way size of the hmac value of a session without authorization + - Added missing MU functions for TPM2_NT type + - Added missing MU functions for TPMA_ID_OBJECT type + - Added missing type TPM2_NT into tss2_tpm2_types.h + - Fixed wrong typename _ID_OBJECT in tss2_tpm2_types.h + - Fixed build breakage when --with-maxloglevel is not 'trace' + - Fixed build breakage in generated configure script when CFLAGS is set + - Fixed configure scritp ERROR_IF_NO_PROG macro + - Changed TPM2B type unmarshal to use sizeof of the dest buffer instead of dest + - Fixed unmarshaling of the TPM2B type with invalid size + - Removed dead code defect detected by coverity from Esys_TRSess_GetNonceTPM + - changes from version 2.1.0: + - Fixed handling of the default TCTI + - Changed logging to be ISO-C99 compatible + - Fixed leak of dlopen handle + - Fixed logging of a response header tag in Tss2_Sys_Execute + - Fixed marshaling of TPM2B parameters in SAPI commands + - Fixed unnecessary warning in Esys_Startup + - Fixed warnings in doxygen documentation + - Added Esys_Free wrapper function for systems using different C runtime libraries + - Added Windows TBS TCTI + - Added non-blocking mode of operation in tcti-device + - Added tests for Esys_HMAC and Esys_Hash + - Enabled integration tests on physical TPM device + - Added openssl libcrypto backend + - Added Doxygen documentation to integration tests + - Refactored SetDecryptParam + - Enabled OpenSSL crypto backend by default + - changes from 2.0.2: + - Fixed NULL ptr issues in Esys_HMAC_Start, Esys_HierarchyChangeAuth and Esys_NV_ChangeAuth + - Fixed NULL ptr issue in sequenceHandleNode + - Fixed NULL ptr auth handling in Esys_TR_SetAuth + - Fixed NULL auth handling in iesys_compute_session_value + - Fixed marshaling of TPM2Bs with sub types. 
+ - Fixed NULL ptr session handling in Esys_TRSess_SetAttributes + - Fixed the way size of the hmac value of a session without authorization + - Added missing MU functions for TPM2_NT type + - Added missing MU functions for TPMA_ID_OBJECT type + - Added missing type TPM2_NT into tss2_tpm2_types.h + - Fixed wrong typename _ID_OBJECT in tss2_tpm2_types.h + - Fixed build breakage when --with-maxloglevel is not 'trace' + - Fixed build breakage in generated configure script when CFLAGS is set + - Fixed configure scritp ERROR_IF_NO_PROG macro + - Changed TPM2B type unmarshal to use sizeof of the dest buffer instead of dest + - Fixed unmarshaling of the TPM2B type with invalid size + - Removed dead code defect detected by coverity from Esys_TRSess_GetNonceTPM +- introduce _service file for syncing with upstream tags +* Wed Sep 26 2018 matthias.gerstner@suse.com +- update to upstream version 2.0.1 (FATE#324477): + - Fixed problems with doxygan failing make distcheck + - Fixed conversion of gcrypt mpi numbers to binary data + - Fixed an error in parsing socket address in MSSIM TCTI + - Fixed compilation error with --disable-tcti-mssim + - Added initialization function for gcrypt to suppress warning + - Fixed invalid type base type while marshaling TPMI_ECC_CURVE in Tss2_Sys_ECC_Parameters + - Fixed invalid RSA encryption with exponent equal to 0 + - Fixed checking of return codes in ESAPI commands + - Added checks for programs required by the test harness @ configure time + - Fixed warning on TPM2_RC_INITIALIZE rc after a Startup in Esys_Startup + - Checked for 1.2 TPM type response + - Changed constants values in esys header file to unsigned +* Tue Sep 18 2018 matthias.gerstner@suse.com +- also process udev triggers for tpmrm subsystem, otherwise /dev/tpmrm0 isn't + properly updated (at least on SLES-12-SP4) +* Thu Jul 5 2018 matthias.gerstner@suse.com +- added all librares to baselibs.conf to satisfy 32-bit dependencies of esys0 + and sys0 +* Tue Jul 3 2018 
matthias.gerstner@suse.com +- Explicitly require udev to fix missing ownership for /usr/lib/udev. +* Fri Jun 29 2018 matthias.gerstner@suse.com +- update to new major version 2.0.0: + - version_fix.patch: removed, we're now using the distribution tarballs + where this problem shouldn't happen + - this update introduces an incompatible ABI to the previous version. + all libraries have been renamed so there is not really a relation to + the old version any more. + - upstream changelog: + [#]# [2.0.0] - 2018-06-20 + [#]## Added + - Implementation of the Marshal/Unmarshal library (libtss2-mu) + - Implementation of the Enhanced System API (libtss2-esys aka ESAPI) + - New implemetation of the TPM Command Transmission Interface (TCTI) for: + - communication with Linux TPM2 device driver: libtss2-tcti-device + - communication with Microsoft software simulator: libtss2-tcti-mssim + - New directory layout (API break) + - Updated documentation with new doxygen and updated man pages + - Support for Windows build with Visual Studio and clang, currently limited + to libtss2-mu and libtss2-sys + - Implementation of the new Attached Component (AC) commands + - Implementation of the new TPM2_PolicyAuthorizeNV command + - Implementation of the new TPM2_CreateLoaded command + - Implementation of the new TPM2_PolicyTemplate command + - Addition of _Complete functions to all TPM commands + - New logging framework + - Added const qualifiers to API input pointers (API break) + - Cleaned up headers and remove implementation.h and tpm2.h (API break) + [#]## Changed + - Converted all cpp files to c, removed dependency on C++ compiler. + - Cleaned out a number of marshaling functions from the SAPI code. + - Update Linux / Unix OS detection to use non-obsolete macros. 
+ - Changed TCTI macros to CamelCase (API break) + - Changed TPMA_types to unsigned int with defines instead of bitfield structs (API/ABI break) + - Changed Get/SetCmd/RspAuths to new parameter types (API/ABI break) + - Fixed order of parameters in AC commands: Input command authorizations + now come after the input handles, but still before the command parameters. + [#]## Removed + - Removed all sysapi/sysapi_utils/*arshal_TPM*.c files + [#]## Fixed + - Updated invalid number of handles in TPM2_PolicyNvWritten and TPM2_TestParms + - Updated PlatformCommand function from libtss2-tcti-mssim to no longer send + CANCEL_OFF before every command. + - Expanded TPM2B macros and removed TPM2B_TYPE1 and TPM2B_TYPE2 macros + - Fixed wrong return type for Tss2_Sys_Finalize (API break). + [#]# [1.4.0] - 2018-03-02 + [#]## Added + - Attached Component commands from the last public review spec. + [#]## Fixed + - Essential files missing from release tarballs are now included. + - Version string generation has been moved from configure.ac to the + bootstrap script. It is now stored in a file named `VERSION` that is + shipped in the release tarball. + - We've stopped shipping the built man page for InitSocketTcti.3 and now + ship the source. +* Wed Mar 7 2018 matthias.gerstner@suse.com +- removed leftover comment from dropped reproducable.patch +* Thu Feb 22 2018 matthias.gerstner@suse.com +- update to upstream version 1.3.0: + - support for reproducable builds + - improved documentation / manual pages + - various stability bugfixes + - EncryptDecrypt2 command is now implemented +- removed reproducible.patch. This is now included upstream. +- added version_fix.patch to fix package config version numbers. +* Fri Sep 1 2017 matthias.gerstner@suse.com +- fix the "fix", turns out only the unversioned symlink's supposed to go into + - devel. +* Thu Jul 20 2017 matthias.gerstner@suse.com +- no longer install the udev rule, it's now part of the new tpm2.0-abrmd + package. 
+- fixed a warning regarding a missing dependency of the devel package to the + main package +- correctly package library symlinks only in the devel package, the library + itself only in the library package. Was mixed up before. +* Wed Jul 19 2017 matthias.gerstner@suse.com +- removed tpm2-0-tss-configure.patch, it was just a hack, fixed by requiring + autoconf-archive, see https://github.com/01org/TPM2.0-TSS/issues/227. +* Wed Jul 19 2017 matthias.gerstner@suse.com +- Updated to upstream version 1.1.0 + - With this version the resourcemgr daemon is dropped from this package. It + is replaced by a completely new implementation found in a new package + tpm2.0-abrmd. this package will only consist of the libraries any more. + - Changed + - tpmclient, disabled all tests that rely on the old resourcemgr. + - Fixed + - Fixed definition of PCR_LAST AND TRANSIENT_LAST macros. + - Removed + - tpmtest + - resourcemgr, replacement is in new repo: https://github.com/01org/tpm2-abrmd +* Sat May 27 2017 bwiedemann@suse.com +- Add reproducible.patch to sort input files to make build reproducible + (boo#1041090) +* Thu May 11 2017 matthias.gerstner@suse.com +- create tss user account and install udev rule to fix startup of resourcemgr + (bnc#1038586) +* Wed May 10 2017 mgerstner@suse.com +- remove unnecessary dependency of libsapi0 to trousers. trousers has nothing + to do with tpm2-tss. +* Tue Apr 11 2017 meissner@suse.com +- fixed typo in resourcemgr.service (bsc#1031004) +* Thu Feb 16 2017 jengelh@inai.de +- Remove --with-pic which is only for static libs. +- Fix an improper Requires line. +- Split libtcti* from libsapi0; these are independentlty + developable units. +* Wed Feb 8 2017 meissner@suse.com +- Updated to 1.0 (FATE#321508) + - Added + - Travis-CI integration with GitHub + - Unit tests for primitive (un)?marshal functions. + - Example systemd unit for resourcemgr. + - Allow for unit tests to be enabled selectively. 
+ - added pkg-config files for libraries + - Changed + - move simulator initialization code to socket TCTI init function. + - socket TCTI finalize no longer frees context + - rename libtss2 to libsapi + - rename libtcti_device to libtcti-device + - rename libtcti_socket to libtcti-socket + - move $(includedir)/tss to $(includedir)/sapi + - Move default compiler flags to config.site file. + - Fixed + - Fix run away resourcemgr threads by closing client sockets when resourcemgr recv() call returns 0. + - Set MSG_NOSIGNAL for client connections to avoid SIGPIPE killing resourcemgr. + - Fixes to handling of persistent objects by resourcemgr. + - Removed + - Semicolon from TPMA_* macros definitions. + - Windows build files. + - SAPI_CLIENT macro tests. + - Security + - Fix buffer overflow in resourcemgr. +- use sample resourcemanager.service +- tpm2-0-tss-configure.patch: fix weird error. +* Thu Aug 25 2016 meissner@suse.com +- Remove type=forking from service file (bsc#995554) +* Sat Aug 6 2016 meissner@suse.com +- added a systemd unit service file (FATE#315631) +* Fri May 6 2016 jengelh@inai.de +- Correct package naming to be in line with shared library guideline +- Remove unused systemd build and runtime dependencies + (FATE#315631) +* Fri Apr 8 2016 dimstar@opensuse.org +- Fix rpm group of library package: libs belong, per definition, to + the group "System/Libraries". (FATE#315631) +* Wed Feb 24 2016 meissner@suse.com +- initial import of the tpm 2.0 tss stack (FATE#315631) diff --git a/tpm2-0-tss.spec b/tpm2-0-tss.spec new file mode 100644 index 0000000..3dba563 --- /dev/null +++ b/tpm2-0-tss.spec 
@@ -0,0 +1,291 @@
+#
+# spec file for package tpm2-0-tss
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+Name: tpm2-0-tss
+Version: 3.1.0
+Release: 150400.3.3.1
+Summary: Intel's TCG Software Stack access libraries for TPM 2.0 chips
+License: BSD-2-Clause
+Group: Productivity/Security
+URL: https://github.com/tpm2-software/tpm2-tss
+Source0: https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/tpm2-tss-%{version}.tar.gz
+Source2: baselibs.conf
+Patch0: 0001-tss2_rc-ensure-layer-number-is-in-bounds.patch
+BuildRequires: /usr/sbin/groupadd
+BuildRequires: acl
+BuildRequires: doxygen
+BuildRequires: gcc-c++
+BuildRequires: libgcrypt-devel
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(json-c)
+BuildRequires: pkgconfig(libcurl)
+BuildRequires: pkgconfig(libopenssl)
+BuildRequires: pkgconfig(udev)
+# The same user is employed by trousers (and was employed by the old
+# resourcemgr shipped with the tpm2-0-tss package):
+#
+# trousers just needs those accounts for dropping privileges to. The service
+# starts as root and uses set*id to drop to tss, after the tpm device has been
+# opened.
+#
+# tpm2-abrmd has no set*id handling and thus requires /dev/tpm to be owned
+# by the tss user. Therefore we also need to install a udev rule file.
+#
+# trousers was here first and created the user like this, also giving it a
+# home in /var/lib/tpm. I don't think the home directory is used by either of
+# the packages ATM. Trousers is keeping state there, but the directory is
+# owned by root and files are opened before dropping privileges. The passwd
+# entry seems not to be evaluated.
+Requires(pre): user(tss)
+
+%description
+The tpm2-0-tss package provides a TPM 2.0 TSS implementation. This
+implementation is developed by INTEL. This package contains the libraries,
+see the tpm2.0-abrmd package for the resource manager daemon, tpm2.0-tools for
+utilities.
+
+%package devel
+Summary: Development headers for the Intel TSS library for TPM 2.0 chips
+Group: Development/Libraries/C and C++
+Requires: glibc-devel
+Requires: libtss2-esys0 = %{version}
+Requires: libtss2-fapi1 = %{version}
+Requires: libtss2-mu0 = %{version}
+Requires: libtss2-rc0 = %{version}
+Requires: libtss2-sys1 = %{version}
+Requires: libtss2-tcti-cmd0 = %{version}
+Requires: libtss2-tcti-device0 = %{version}
+Requires: libtss2-tcti-mssim0 = %{version}
+Requires: libtss2-tcti-pcap0 = %{version}
+Requires: libtss2-tcti-swtpm0 = %{version}
+Requires: libtss2-tctildr0 = %{version}
+Requires: tpm2-0-tss = %{version}
+
+%description devel
+This package provides the development files for the tpm2 stack's libraries for
+accessing TPM 2.0 chips.
+
+%package -n libtss2-esys0
+Summary: TPM2 Enhanced System API (ESAPI)
+Group: System/Libraries
+
+%description -n libtss2-esys0
+This API is a 1-to-1 mapping of the TPM2 commands documented in Part 3 of the
+TPM2 specification. Additionally there are asynchronous versions of each
+command. In addition to SAPI, the ESAPI performs tracking of meta data for
+TPM object and automatic calculation of session based authorization and
+encryption values. Both the synchronous and asynchronous API are exposed
+through this library.
+
+%package -n libtss2-sys1
+Summary: TPM2 System API (SAPI)
+Group: System/Libraries
+
+%description -n libtss2-sys1
+System API (SAPI) as described in the system level API and TPM command
+transmission interface specification. This API is a 1-to-1 mapping of the TPM2
+commands documented in Part 3 of the TPM2 specification. Additionally there
+are asynchronous versions of each command. These asynchronous variants may be
+useful for integration into event-driven programming environments. Both the
+synchronous and asynchronous API are exposed through this library.
+
+%package -n libtss2-mu0
+Summary: TPM2 marshaling/unmarshaling library
+Group: System/Libraries
+
+%description -n libtss2-mu0
+Marshaling/Unmarshaling (MU) as described in the TCG TSS 2.0
+Marshaling/Unmarshaling API Specification. This API provides a set of
+marshaling and unmarshaling functions for all data types defined by the TPM
+library specification.
+
+%package -n libtss2-rc0
+Summary: TPM2 error code translation library
+Group: System/Libraries
+
+%description -n libtss2-rc0
+This library can translate TPM error codes into human readable strings.
+
+%package -n libtss2-tctildr0
+Summary: TCTI interface loading library
+Group: System/Libraries
+
+%description -n libtss2-tctildr0
+This is a helper library that simplifies loading other tcti libraries. It is
+recommended over custom tcti loading code in applications.
+
+%package -n libtss2-tcti-device0
+Summary: TCTI interface library for using a native TPM device node
+Group: System/Libraries
+
+%description -n libtss2-tcti-device0
+TPM Command Transmission Interface library for communicating with a
+TPM device node. This provides direct access to the TPM through the Linux
+kernel driver.
+
+%package -n libtss2-tcti-mssim0
+Summary: TCTI interface library for Microsoft software TPM2 simulator
+Group: System/Libraries
+
+%description -n libtss2-tcti-mssim0
+TPM Command Transmission Interface library for communicating using the
+protocol exposed by the Microsoft software TPM2 simulator.
+
+%package -n libtss2-fapi1
+Summary: FAPI interface library
+Group: System/Libraries
+
+%description -n libtss2-fapi1
+This is the tpm2 Feature API (FAPI) library. This API is designed to be very
+high-level API, intended to make programming with the TPM as simple as
+possible.
+
+%package -n libtss2-tcti-cmd0
+Summary: TCTI cmd interface library
+Group: System/Libraries
+
+%description -n libtss2-tcti-cmd0
+A TCTI for interaction with a subprocess. It abstracts the details of direct
+communication with the interface and protocol exposed by a subprocess that can
+receive and transmit raw TPM2 command and response buffers.
+
+%package -n libtss2-tcti-swtpm0
+Summary: TCTI swtpm interface library
+Group: System/Libraries
+
+%description -n libtss2-tcti-swtpm0
+A TCTI for interaction with the TPM2 software simulator. It abstracts the
+details of direct communication with the interface and protocol exposed by the
+daemon hosting the TPM2 reference implementation.
+
+%package -n libtss2-tcti-pcap0
+Summary: TCTI pcap interface library
+Group: System/Libraries
+
+%description -n libtss2-tcti-pcap0
+A TCTI which prints TPM commands and responses to a file in pcap-ng format. It abstracts the
+details of direct communication with the interface and protocol exposed by the
+daemon hosting the TPM2 reference implementation.
+
+%prep
+%autosetup -p1 -n tpm2-tss-%{version}
+
+%build
+# configure looks for groupadd on PATH
+export PATH="$PATH:%{_sbindir}"
+%configure --disable-static \
+ --with-udevrulesdir=%{_udevrulesdir} \
+ --with-runstatedir=%{_rundir} \
+ --with-tmpfilesdir=%{_tmpfilesdir} \
+ --with-sysusersdir=%{_sysusersdir}
+%make_build PTHREAD_LDFLAGS=-pthread
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+# rename the rules file to have a numbered prefix as all others have, too
+%define udev_rule_file 90-tpm.rules
+mv %{buildroot}%{_udevrulesdir}/tpm-udev.rules %{buildroot}%{_udevrulesdir}/%{udev_rule_file}
+# Conflicts with system-users
+rm %{buildroot}%{_sysusersdir}/tpm2-tss.conf
+# Add version into the configuration tmpfiles.d configuration file
+mv %{buildroot}%{_tmpfilesdir}/tpm2-tss-fapi.conf %{buildroot}%{_tmpfilesdir}/tpm2-tss-fapi-%{version}.conf
+
+%post
+%{_bindir}/udevadm trigger -s tpm -s tpmrm || :
+
+%post -n libtss2-esys0 -p /sbin/ldconfig
+%postun -n libtss2-esys0 -p /sbin/ldconfig
+%post -n libtss2-sys1 -p /sbin/ldconfig
+%postun -n libtss2-sys1 -p /sbin/ldconfig
+%post -n libtss2-tctildr0 -p /sbin/ldconfig
+%postun -n libtss2-tctildr0 -p /sbin/ldconfig
+%post -n libtss2-tcti-device0 -p /sbin/ldconfig
+%postun -n libtss2-tcti-device0 -p /sbin/ldconfig
+%post -n libtss2-tcti-mssim0 -p /sbin/ldconfig
+%postun -n libtss2-tcti-mssim0 -p /sbin/ldconfig
+%post -n libtss2-mu0 -p /sbin/ldconfig
+%postun -n libtss2-mu0 -p /sbin/ldconfig
+%post -n libtss2-rc0 -p /sbin/ldconfig
+%postun -n libtss2-rc0 -p /sbin/ldconfig
+
+%post -n libtss2-fapi1
+/sbin/ldconfig
+%tmpfiles_create %{_tmpfilesdir}/tpm2-tss-fapi-%{version}.conf
+
+%postun -n libtss2-fapi1 -p /sbin/ldconfig
+%post -n libtss2-tcti-cmd0 -p /sbin/ldconfig
+%postun -n libtss2-tcti-cmd0 -p /sbin/ldconfig
+%post -n libtss2-tcti-swtpm0 -p /sbin/ldconfig
+%postun -n libtss2-tcti-swtpm0 -p /sbin/ldconfig
+%post -n libtss2-tcti-pcap0 -p /sbin/ldconfig
+%postun -n libtss2-tcti-pcap0 -p /sbin/ldconfig
+
+%files
+%doc *.md
+%license LICENSE
+%{_mandir}/man3/*
+%{_mandir}/man5/*
+%{_mandir}/man7/tss2-*
+%{_udevrulesdir}/%{udev_rule_file}
+%dir %{_sysconfdir}/tpm2-tss/
+%config %{_sysconfdir}/tpm2-tss/fapi-config.json
+%dir %{_sysconfdir}/tpm2-tss/fapi-profiles
+%config %{_sysconfdir}/tpm2-tss/fapi-profiles/*.json
+
+%files devel
+%{_includedir}/tss2
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+
+%files -n libtss2-esys0
+%{_libdir}/libtss2-esys.so.*
+
+%files -n libtss2-sys1
+%{_libdir}/libtss2-sys.so.*
+
+%files -n libtss2-mu0
+%{_libdir}/libtss2-mu.so.*
+
+%files -n libtss2-rc0
+%{_libdir}/libtss2-rc.so.*
+
+%files -n libtss2-tctildr0
+%{_libdir}/libtss2-tctildr.so.*
+
+%files -n libtss2-tcti-device0
+%{_libdir}/libtss2-tcti-device.so.*
+
+%files -n libtss2-tcti-mssim0
+%{_libdir}/libtss2-tcti-mssim.so.*
+
+%files -n libtss2-fapi1
+%{_libdir}/libtss2-fapi.so.*
+%{_tmpfilesdir}/tpm2-tss-fapi-%{version}.conf
+# this would fix "tmpfile-not-in-filelist" warnings but when adding these
+# entries then it complains about "directories not owned by a package:" for
+# /run/tpm2-0-tss & friends. When adding them as %%ghost, too, then Leap15.1
+# complains about "found conflict of libtss2-fapi1-3.0.1-lp152.103.1.x86_64
+# with libtss2-fapi1-3.0.1-lp152.103.1.x86_64". Thus leave it be for the
+# moment, some insane circle of errors is involved here.
+#
+# it seems the problem is that during `make install` the package runs
+# systemd-tmpfiles --create, and the directories are created outside the
+# package's install tree. It seems this is not expected by RPM.
+# %%ghost %%{_sharedstatedir}/%%{name}/system/keystore
+# %%ghost %%{_rundir}/%%{name}/eventlog
+
+%files -n libtss2-tcti-cmd0
+%{_libdir}/libtss2-tcti-cmd.so.*
+
+%files -n libtss2-tcti-swtpm0
+%{_libdir}/libtss2-tcti-swtpm.so.*
+
+%files -n libtss2-tcti-pcap0
+%{_libdir}/libtss2-tcti-pcap.so.*
+
+%changelog
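Review bot: `%config %{_sysconfdir}/tpm2-tss/fapi-config.json` and `%config %{_sysconfdir}/tpm2-tss/fapi-profiles/*.json` in the main `%files` section are plain `%config`, so any local edits an administrator makes to the FAPI configuration or profiles are overwritten on every package update (the edited copy survives only as `.rpmsave`); mark both `%config(noreplace)` so local changes persist across upgrades. The source list jumps from `Source0` to `Source2: baselibs.conf`, which suggests a detached-signature or keyring source was dropped, leaving the tarball pinned only by the sha256 in `.tpm2-0-tss.metadata`; if upstream publishes signed release artifacts, restoring a `Source1` `.asc` with a `%{name}.keyring` gives the build a check that a re-hosted tarball was not replaced together with its hash. The `%post` line `%{_bindir}/udevadm trigger -s tpm -s tpmrm || :` has no explanation near it and the reason (the renamed `90-tpm.rules` and the tss ownership described far above in the header comment) is easy to lose, so a comment such as `# re-run udev for existing tpm/tpmrm nodes so the installed rule takes effect without reboot` would help the next packager.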