Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: swtpm | Distribution: SUSE Linux Framework One |
Version: 0.9.0 | Vendor: SUSE LLC <https://www.suse.com/> |
Release: slfo.1.2.12 | Build date: Thu Sep 19 12:55:54 2024 |
Group: System/Base | Build host: reproducible |
Size: 484333 | Source RPM: swtpm-0.9.0-slfo.1.2.12.src.rpm |
Packager: https://www.suse.com/ | |
Url: https://github.com/stefanberger/swtpm | |
Summary: Software TPM emulator |
The SWTPM package provides TPM emulators with different front-end interfaces to libtpms. TPM emulators provide socket interfaces (TCP/IP) and the Linux CUSE interface for the creation of multiple native /dev/vtpm* devices. Those can be the targets of multiple QEMU cuse-tpm instances.
BSD-3-Clause
* Thu Sep 19 2024 [email protected] - Fix swtpm custom module (bsc#1229131) - Add patch: 1229131-fix-swtpm-selinux-policy-mismatch.patch - this can be removed once swtpm upstream sorts out their custom selinux module. see: https://github.com/stefanberger/swtpm/issues/885 there were a couple changes in the selinux-policy libvirt handling which causes the logfile in /var/log/swtpm/libvirt/qemu/*.log to be labeled virt_log_t instead of var_log_t. this patch allows swtpm_t to open the virt_log_t * Thu Aug 01 2024 [email protected] - update to 0.9.0: - fixes: boo#1226398 - swtpm: - Use umask() to create/truncated state file rather than fchmod() - Use fchmod to set mode bits provided by user - Replace mkstemp with g_mkstemp_full (Coverity) - fix typo in help message - cuse: Fix Coverity complaints regarding locks - Fix double free in error path - Close fd after main loop - Restore logging to stderr on log open failure - swtpm_setup: - Fail --pcr-banks without --tpm2 - Fail --decryption or --allow-signing without --tpm2 - Initialized argv in get_swtpm_capabilities() - Flush spk after persisting to create room for another key - Refactor duplicate code into swtpm_tpm2_write_cert_nvram - Move persisting of certificate into tpm2_persist_certificate - Pass key_type to function creating filename for key - Add scheme parameter before curveid to createprimary_ecc - Rename is_ek to preserve for future extension - Mask-out EK and plaform certificate flags and set cert_flags - Move common code into new function read_certificate_file() - Exit with '0' upon --version rather than '1' - Close file descriptors passed to swtpm process on parent side - Make stdout unbuffered - Use medium duration on TSC_PhysicalPresence to avoid timeouts - Add poll() after write() and before read() to detect errors - swtpm_localca: - Add support for up to 20 bytes serial numbers - Introduce --key as more generic alias for --ek - Add missing NULL option to end of array - Make stdout unbuffered - swtpm_cert: - Add support for serial numbers up to 20 bytes long - swtpm_ioctl: - Separate return code from flags - Repeatedly call PTM_GET_INFO for long responses - selinux: - Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install) - New SELinux policy that requires Fedora 40 or later - tests: - Fixed occurrences of stray '' before '-' - Rearrange order of test cases to run some also as 'root' - Add tests for command line options and combinations of options - Add softhsm_setup to shellcheck'ed files and fix issues - Add missing 'exit 1' on unexpected file size on --reconfigure - Add test cases for swtpm_cert with max serial number - Fix spelling mistakes - reformat regexs for easier readability and extension - ibmtss2: Add patch to disable x509 test with older libtpms - Upgrade to ibmtss2 v2.0.1 - Fixed several issues detected by shellcheck - build-sys: - Add support for --disable-tests to disable tests - Display GMP_LIBS and GMP_CFLAGS - Only display warning if pkg-config for gmp fails - Add gmp library and devel package as dependency - use PKG_CHECK_MODULES to check libtpms version * Thu Oct 19 2023 [email protected] - Add missing requires for certtool * Sat Sep 16 2023 [email protected] - Update to version 0.8.1: - swtpm: - Restore logging to stderr on log open failure - swtpm_setup: - Exit with '0' upon --version rather than '1'. - Initialized @argv in get_swtpm_capabilities() - swtpm_localca: - Add missing NULL option to end of array - SELinux: - Add rules for user_tpm_t:sockfile to allow unlink - Add rules for sock_file on user_tmp_t * Fri Jun 16 2023 [email protected] - Make selinux optional to allow building this package for Leap, too. * Tue May 02 2023 [email protected] - remove python3 dependency, no longer needed after rewrite (bsc#1211010) * Tue Mar 21 2023 [email protected] - swtpm-fix-build.patch: disable -Wstack-protector, it fails on s390x bsc#1209117 * Mon Mar 06 2023 [email protected] - Drop trousers requirement * Mon Mar 06 2023 [email protected] - Update to version 0.8.0: * swtpm: + Implement release-lock-outgoing parameter for --migration option + Introduce --migration option and 'incoming' parameter + Implement terminate parameter for ctrl channel loss + Add a chroot option + Introduce disable-auto-shutdown flag for --flags option + If necessary send TPM2_Shutdown() before TPMLIB_Terminate() + Add some more recent syscalls to seccomp profile + Disable OpenSSL FIPS mode to avoid libtpms failures + Avoid locking directory multiple times + Remove support for pre-v0.1 state files without header + Use uint64_t in tlv_data_append() to avoid integer overflows + Use uint64_t to avoid integer wrap-around when adding a uint32_t + Do not chdir(/) when using --daemon + Check header size indicator against expected size (CVE-2022-23645 bsc#1196240) + Fixes for gcc 12.2.1 -fanalyzer * build-sys: + Fix configure script to support _FORTIFY_SOURCE=3 + Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin) * swtpm-localca: + Re-implement variable resolution for swtpm-localca.conf + Test for available issuercert before creating CA * swtpm_setup: + Configure swtpm to log to stdout/err if needed (glib >=2.74) * tests: + Use ${WORKDIR} in config files to test env. var replacement + Patch IBM TSS2 test suite for OpenSSL 3.x * build-sys: + Add probing for -fstack-protector * Fri Apr 29 2022 [email protected] - Updated to version 0.7.3: - swtpm: - Use uint64_t in tlv_data_append() to avoid integer overflows - Use uint64_t to avoid integer wrap-around when adding a uint32_t - removed allow-FORTIFY_SOURCE=3.patch (upstreamed) * Wed Apr 06 2022 [email protected] - Cheery-pick upstream patch allow-FORTIFY_SOURCE=3.patch. * Wed Mar 09 2022 [email protected] - Update to version 0.7.2: - swtpm: - Do not chdir(/) when using --daemon - swtpm-localca: - Re-implement variable resolution for swtpm-localca.conf - tests: - Use ${WORKDIR} in config files to test env. var replacement - man pages: - Add missing .config directory to path description when using ${HOME} - build-sys: - Add probing for -fstack-protector * Mon Feb 21 2022 [email protected] - Update to version 0.7.1: - swtpm: - Check header size indicator against expected size (CVE-2022-23645 bsc#1196240) - swtpm_localca: - Test for available issuercert before creating CA * Wed Nov 10 2021 [email protected] - Update to version 0.7.0: - swtpm: - Support for linear file storage backend (file://) - Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending what libtpms supports - Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs - Wipe keys from stack and heap - Many other small changes - Make --daemon not racy - swtpm_setup: - Only activate SHA256 PCR bank, not SHA1 bank anymore by default - Support for linear file storage backend (file://) - Implement option --create-config-files to create config files - Use non-deprecated APIs to contruct RSA key (OSSL 3) - Report stderr as returned by external tool (swtpm-localcal) - Replace '+' and ',' characters in VMId's to make work with common name in X509 subject - Add support for --reconfigure flag to change active PCR banks - swtpm_localca: - Created certificates for CAs and TPM that do not expire - swtpm_cert: - Allow passing -1 for days to get a non-expiring certificate - test: - ASAN-related test changes and skipping of tests if ASAN is used - Fix tests using tpm2-abrmd by preventing concurrency - Skip chardev related tests after checking for chardev support - exit with error code if mktemp fails - OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test - build-sys: - Introduce --enable-sanitizers to configure - Remove check for pip3 that was used by python swtpm_setup - Allow passing of aditional CFLAGS during build * Wed Sep 22 2021 [email protected] - Update to version 0.6.1: - swtpm: - Clear keys from stack and heap - swtpm-localca: - Add missing else branch for pkcs11 and PIN - swtpm_setup: - Initialize Gerror and free it - Replace '\\s' in regex with [[:space:]] to fix cygwin - tests: - Kill tpm2-abrmd with SIGKILL rather SIGTERM - build-sys: - Use -DOPENSSL_SUPPRESS_DEPRECATED to suppress deprecation warnings (OSSL 3) - Enable configuring with CFLAGS and passing additional CFLAGS on build * Sat Aug 07 2021 [email protected] - Update to version 0.6.0: - Addressed potential symlink attack issue (CVE-2020-28407) - Rewritten in 'C'; needs json-glib - Use timeouts for communicating with swtpm (Unix socket) - Fix --print-capabilities for 'swtpm chardev' - Various cleanups and fixes (coverity) - Enable selinux support - Removed swtpm-rename_deprecated_libtasn1_types.patch: upstream - Fix rpmlint errors * Thu May 20 2021 [email protected] - swtpm_cert: rename deprecated libtasn1 types. * https://github.com/stefanberger/swtpm/pull/443 * Add swtpm-rename_deprecated_libtasn1_types.patch * Sun Dec 27 2020 [email protected] - Update to version 0.5.2 - swtpm: - Fix potential buffer overflow related to largely unused data hashing function in control channel - swtpm: Unconditionally close fd if writing of pidfile fails (coverity) - swtpm_setup: - Increase timeout from 10s to 30s for slower machines - Travis: - Not building on OS X anymore due to additional costs * Tue Dec 22 2020 [email protected] - Use "Requires user(tss)" for the "tss" user and group * Tue Dec 22 2020 [email protected] - Create /var/lib/swtpm-localca to store the keys created by swtpm-localca (bsc#1179811) - Replace net-tools-deprecated with iproute2 since the scripts in swtpm now can use 'ss' instead of 'netstat' * Sun Nov 22 2020 [email protected] - Update to version 0.5.1 * swtpm & swtpm_setup: - Addressed potential symlink attack issue (CVE-2020-28407) * build-sys: - Fix configure python cryptography error message - Misc. spec file changes. * Tue Oct 13 2020 [email protected] - Update Requires and BuildRequires for changes since 0.4.0. - Remove patch files that are no longer needed: * swtpm-adjust-seccomp-path.patch * swtpm-setup-tcsd-path.patch * swtpm-tpm-tools-path.patch - Update to version 0.5.0 * swtpm: - Write files atomically using a temp file and then renaming * swtpm_setup: - Removed remaining 'c' wrapper program - Do not truncate logfile when testing write-access (regression) - Remove TPM state file in case error occurred * swtpm-localca: - Rewrite in python - Allow passing pkcs11 PIN using signingkey_password - Allow passing environment variables needed for pkcs11 modules using swtpm-localca.conf and format 'env:VARNAME=VALUE'. * build-sys: - Add python-install and python-uninstall targets - Add configure option to disable installation of Python module - Use -Wl,-z,relro and -Wl,-z,now only when linking (clang) - Use AC_LINK_IFELSE to check whether support for hardening flags - Changes from version 0.4.1 * swtpm_setup: - Do not hardcode '/etc' but use SYSCONFDIR - Fix support for -h and -? options - Add missing .config path when using ${HOME} * swtpm-localca: - Apply password for signing key when creating platform cert - Properly apply passwords for localca signing key - Changes from version 0.4.0 * swtpm: - Invoke print capabilities after choosing TPM version - Add some recent syscalls to seccomp blacklist * swtpm_cert: - Support --ecc-curveid option to pass curve id * swtpm_setup & related scripts: - Rewrite swtpm_setup.sh in python with TPM 1.2 not requiring tcsd and TPM tools anymore; new dependencies: - python3: pip, cryptography, setuptools dropped dependencies for swtpm_setup: - tcsd, expect, tpm-tools (some still needed for pkcs11 tests) - Added support for RSA 3072 keys (for libtpms-0.8.0) and moved to ECC NIST P384 curve; default RSA key size is still 2048 - Added support for --rsa-keysize option - Extend script to create a CA using a TPM 2 for signing * tests: - Use the IBM TSS2 v1.5.0's test suite - Add test case for loading of an NVRAM completely full with keys - Have softhsm_setup use temporary directory for softhsm config & state - various other improvements * man pages: - Improvements * build-sys: - clang: properly test for linker flag 'now' and 'relro' - Gentoo: explicitly link libswtpm_libtpms with -lcrypto - Ownership of /var/lib/swtpm-localca is now tss:root and mode flags 0750. * Thu Aug 13 2020 [email protected] - Update to version 0.3.4: * swtpm: - Fix compilation for cygwin * swtpm_setup & swtpm-localca: - Get rid of bash's eval when invoking external tools to avoid abuse. Only use eval for 'resolving' variables. * tests: - Various fixes of minor issues * Thu Jul 30 2020 [email protected] - Update to version 0.3.3: * swtpm_setup: - openSUSE: Support tcsd configuration where tss user != tss group, such as root/tss; Fedora & Ubuntu for example use tss/tss * build-sys: - Check whether tss user and group are available - Add tss user & group build flags per upstream instruction. This together with v0.3.3 fixed the bug with TPM 1.2 emulation. Related upstream bug: https://github.com/stefanberger/swtpm/issues/284 * Sat Jul 11 2020 [email protected] - Update to 0.3.2: + swtpm: + Remove unnecessary #include <seccomp.h> (fixes SuSE build) + Make coverity happy by handling default case in case statement + swtpm_setup: + bugfix: Create ECC storage primary key in owner hierarchy + bugfix: remove tpm2_stirrandom and tpm2_changeeps + tests: + Adjusted pcrUpdateCounter in tests to succeed with PCR TCB group fixes in libtpms TPM 2 code * Wed Apr 22 2020 [email protected] - Update to 0.3.1 + swtpm: Fix vtpm proxy case without startup flags + swtpm: Only call memcpy if tocopy != 0 (coverity) + man: Document new startup options and capabilities advertisement + swtpm: Enable sending startup commands before processing commands + swtpm_cert: Accept serial numbers that use up to 64bits + swtpm_cert: Use getopt_long_only to parse options + swtpm_cert: Add support for --print-capabilities option + swtpm_cert: Allow passing signing key and parent key via new option + swtpm_setup: Enable spaces in paths and other variables + swtpm_ioctl: Calculate strlen(input) only once + swtpm_ioctl: Block SIGPIPE so we can get EPIPE on write() + swtpm_bios: Block SIGPIPE so we can get EPIPE on write() + swtpm: Only accept() new client ctrl connection if we have none + swtpm_setup: Do not fail on future PCR banks' hashes + swtpm_setup: Use 1st part of SWTPM_EXE/SWTPM_IOCTL to determine executable + swtpm_setup: Keep reserved range of file descriptors for swtpm_setup.sh + swtpm_setup: Log about encryption and fix c&p error in err msg + swtpm: Add --print-capabilities to help screen of 'swtpm chardev' + swtpm_ioctl: Fix uninitialized variable 'pgi' + swtpm_cert: Use gnutls_x509_crt_get_subject_key_id API call for subj keyId + swtpm_cert: Fix OIDs for TPM 2 platforms data + swtpm: Fix typo in error report: HMAC instead of hash + swtpm: Use writev_full rather than writev; fixes --vtpm-proxy EIO error - Refresh swtpm-setup-tcsd-path.patch * Fri Jan 03 2020 [email protected] - Amend swtpm-adjust-seccomp-path.patch to add the missing seccomp paths - Adjust the conditional check of net-tools-deprecated for SLE15 and SLE15-SP1 * Thu Sep 05 2019 [email protected] - Update to 0.2.0 +Linux: swtpm now runs with a seccomp profile (blacklist) if compiled with libseccomp support + Added subpport for passing key and passphrase via file descriptor + TPM 2 commands can now be prefixed by 'the TCG header' and responses will have a 4-byte prefix and 4-byte suffix. + Added --print-capabilities command line option + Proper handling on EINTR on read, poll, and write - Patches to adjust the pathes + swtpm-tpm-tools-path.patch + swtpm-setup-tcsd-path.patch + swtpm-adjust-seccomp-path.patch * Tue May 15 2018 [email protected] - Initial import: 0.1.0-dev2
/etc/swtpm-localca.conf /etc/swtpm-localca.options /etc/swtpm_setup.conf /usr/bin/swtpm /usr/bin/swtpm_bios /usr/bin/swtpm_cert /usr/bin/swtpm_cuse /usr/bin/swtpm_ioctl /usr/bin/swtpm_localca /usr/bin/swtpm_setup /usr/lib64/swtpm /usr/lib64/swtpm/libswtpm_libtpms.so.0 /usr/lib64/swtpm/libswtpm_libtpms.so.0.0.0 /usr/share/doc/packages/swtpm /usr/share/doc/packages/swtpm/CHANGES /usr/share/doc/packages/swtpm/README /usr/share/doc/packages/swtpm/TODO /usr/share/licenses/swtpm /usr/share/licenses/swtpm/LICENSE /usr/share/man/man5/swtpm-localca.conf.5.gz /usr/share/man/man5/swtpm-localca.options.5.gz /usr/share/man/man5/swtpm_setup.conf.5.gz /usr/share/man/man8/swtpm-create-tpmca.8.gz /usr/share/man/man8/swtpm-localca.8.gz /usr/share/man/man8/swtpm.8.gz /usr/share/man/man8/swtpm_bios.8.gz /usr/share/man/man8/swtpm_cert.8.gz /usr/share/man/man8/swtpm_cuse.8.gz /usr/share/man/man8/swtpm_ioctl.8.gz /usr/share/man/man8/swtpm_localca.8.gz /usr/share/man/man8/swtpm_setup.8.gz /usr/share/swtpm /usr/share/swtpm/swtpm-create-tpmca /usr/share/swtpm/swtpm-create-user-config-files /usr/share/swtpm/swtpm-localca /var/lib/swtpm-localca
Generated by rpm2html 1.8.1
Fabrice Bellet, Wed Dec 11 23:37:55 2024