Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
security
swtpm
swtpm.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File swtpm.changes of Package swtpm
------------------------------------------------------------------- Thu Oct 19 00:43:29 UTC 2023 - William Brown <william.brown@suse.com> - Add missing requires for certtool ------------------------------------------------------------------- Sat Sep 16 10:10:45 UTC 2023 - Marcus Meissner <meissner@suse.com> - Update to version 0.8.1: - swtpm: - Restore logging to stderr on log open failure - swtpm_setup: - Exit with '0' upon --version rather than '1'. - Initialized @argv in get_swtpm_capabilities() - swtpm_localca: - Add missing NULL option to end of array - SELinux: - Add rules for user_tpm_t:sockfile to allow unlink - Add rules for sock_file on user_tmp_t ------------------------------------------------------------------- Fri Jun 16 11:32:11 UTC 2023 - Manfred Hollstein <manfred.h@gmx.net> - Make selinux optional to allow building this package for Leap, too. ------------------------------------------------------------------- Tue May 2 09:55:28 UTC 2023 - Marcus Meissner <meissner@suse.com> - remove python3 dependency, no longer needed after rewrite (bsc#1211010) ------------------------------------------------------------------- Tue Mar 21 12:45:54 UTC 2023 - Marcus Meissner <meissner@suse.com> - swtpm-fix-build.patch: disable -Wstack-protector, it fails on s390x bsc#1209117 ------------------------------------------------------------------- Mon Mar 6 20:21:50 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com> - Drop trousers requirement ------------------------------------------------------------------- Mon Mar 6 16:34:33 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com> - Update to version 0.8.0: * swtpm: + Implement release-lock-outgoing parameter for --migration option + Introduce --migration option and 'incoming' parameter + Implement terminate parameter for ctrl channel loss + Add a chroot option + Introduce disable-auto-shutdown flag for --flags option + If necessary send TPM2_Shutdown() before TPMLIB_Terminate() + Add some more recent syscalls to seccomp profile + Disable OpenSSL FIPS mode to avoid libtpms failures + Avoid locking directory multiple times + Remove support for pre-v0.1 state files without header + Use uint64_t in tlv_data_append() to avoid integer overflows + Use uint64_t to avoid integer wrap-around when adding a uint32_t + Do not chdir(/) when using --daemon + Check header size indicator against expected size (CVE-2022-23645 bsc#1196240) + Fixes for gcc 12.2.1 -fanalyzer * build-sys: + Fix configure script to support _FORTIFY_SOURCE=3 + Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin) * swtpm-localca: + Re-implement variable resolution for swtpm-localca.conf + Test for available issuercert before creating CA * swtpm_setup: + Configure swtpm to log to stdout/err if needed (glib >=2.74) * tests: + Use ${WORKDIR} in config files to test env. var replacement + Patch IBM TSS2 test suite for OpenSSL 3.x * build-sys: + Add probing for -fstack-protector ------------------------------------------------------------------- Fri Apr 29 07:41:51 UTC 2022 - Marcus Meissner <meissner@suse.com> - Updated to version 0.7.3: - swtpm: - Use uint64_t in tlv_data_append() to avoid integer overflows - Use uint64_t to avoid integer wrap-around when adding a uint32_t - removed allow-FORTIFY_SOURCE=3.patch (upstreamed) ------------------------------------------------------------------- Wed Apr 6 07:55:48 UTC 2022 - Martin Liška <mliska@suse.cz> - Cheery-pick upstream patch allow-FORTIFY_SOURCE=3.patch. ------------------------------------------------------------------- Wed Mar 9 14:07:03 UTC 2022 - Wolfgang Frisch <wolfgang.frisch@suse.com> - Update to version 0.7.2: - swtpm: - Do not chdir(/) when using --daemon - swtpm-localca: - Re-implement variable resolution for swtpm-localca.conf - tests: - Use ${WORKDIR} in config files to test env. var replacement - man pages: - Add missing .config directory to path description when using ${HOME} - build-sys: - Add probing for -fstack-protector ------------------------------------------------------------------- Mon Feb 21 12:04:56 UTC 2022 - Marcus Meissner <meissner@suse.com> - Update to version 0.7.1: - swtpm: - Check header size indicator against expected size (CVE-2022-23645 bsc#1196240) - swtpm_localca: - Test for available issuercert before creating CA ------------------------------------------------------------------- Wed Nov 10 08:49:00 UTC 2021 - Marcus Meissner <meissner@suse.com> - Update to version 0.7.0: - swtpm: - Support for linear file storage backend (file://) - Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending what libtpms supports - Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs - Wipe keys from stack and heap - Many other small changes - Make --daemon not racy - swtpm_setup: - Only activate SHA256 PCR bank, not SHA1 bank anymore by default - Support for linear file storage backend (file://) - Implement option --create-config-files to create config files - Use non-deprecated APIs to contruct RSA key (OSSL 3) - Report stderr as returned by external tool (swtpm-localcal) - Replace '+' and ',' characters in VMId's to make work with common name in X509 subject - Add support for --reconfigure flag to change active PCR banks - swtpm_localca: - Created certificates for CAs and TPM that do not expire - swtpm_cert: - Allow passing -1 for days to get a non-expiring certificate - test: - ASAN-related test changes and skipping of tests if ASAN is used - Fix tests using tpm2-abrmd by preventing concurrency - Skip chardev related tests after checking for chardev support - exit with error code if mktemp fails - OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test - build-sys: - Introduce --enable-sanitizers to configure - Remove check for pip3 that was used by python swtpm_setup - Allow passing of aditional CFLAGS during build ------------------------------------------------------------------- Wed Sep 22 09:33:29 UTC 2021 - Marcus Meissner <meissner@suse.com> - Update to version 0.6.1: - swtpm: - Clear keys from stack and heap - swtpm-localca: - Add missing else branch for pkcs11 and PIN - swtpm_setup: - Initialize Gerror and free it - Replace '\\s' in regex with [[:space:]] to fix cygwin - tests: - Kill tpm2-abrmd with SIGKILL rather SIGTERM - build-sys: - Use -DOPENSSL_SUPPRESS_DEPRECATED to suppress deprecation warnings (OSSL 3) - Enable configuring with CFLAGS and passing additional CFLAGS on build ------------------------------------------------------------------- Sat Aug 7 15:02:40 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Update to version 0.6.0: - Addressed potential symlink attack issue (CVE-2020-28407) - Rewritten in 'C'; needs json-glib - Use timeouts for communicating with swtpm (Unix socket) - Fix --print-capabilities for 'swtpm chardev' - Various cleanups and fixes (coverity) - Enable selinux support - Removed swtpm-rename_deprecated_libtasn1_types.patch: upstream - Fix rpmlint errors ------------------------------------------------------------------- Thu May 20 06:56:39 UTC 2021 - Pedro Monreal <pmonreal@suse.com> - swtpm_cert: rename deprecated libtasn1 types. * https://github.com/stefanberger/swtpm/pull/443 * Add swtpm-rename_deprecated_libtasn1_types.patch ------------------------------------------------------------------- Sun Dec 27 11:42:50 UTC 2020 - Marcus Meissner <meissner@suse.com> - Update to version 0.5.2 - swtpm: - Fix potential buffer overflow related to largely unused data hashing function in control channel - swtpm: Unconditionally close fd if writing of pidfile fails (coverity) - swtpm_setup: - Increase timeout from 10s to 30s for slower machines - Travis: - Not building on OS X anymore due to additional costs ------------------------------------------------------------------- Tue Dec 22 07:53:04 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com> - Use "Requires user(tss)" for the "tss" user and group ------------------------------------------------------------------- Tue Dec 22 04:06:10 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com> - Create /var/lib/swtpm-localca to store the keys created by swtpm-localca (bsc#1179811) - Replace net-tools-deprecated with iproute2 since the scripts in swtpm now can use 'ss' instead of 'netstat' ------------------------------------------------------------------- Sun Nov 22 03:16:13 UTC 2020 - Kai Liu <kai.liu@suse.com> - Update to version 0.5.1 * swtpm & swtpm_setup: - Addressed potential symlink attack issue (CVE-2020-28407) * build-sys: - Fix configure python cryptography error message - Misc. spec file changes. ------------------------------------------------------------------- Tue Oct 13 14:57:25 UTC 2020 - Kai Liu <kai.liu@suse.com> - Update Requires and BuildRequires for changes since 0.4.0. - Remove patch files that are no longer needed: * swtpm-adjust-seccomp-path.patch * swtpm-setup-tcsd-path.patch * swtpm-tpm-tools-path.patch - Update to version 0.5.0 * swtpm: - Write files atomically using a temp file and then renaming * swtpm_setup: - Removed remaining 'c' wrapper program - Do not truncate logfile when testing write-access (regression) - Remove TPM state file in case error occurred * swtpm-localca: - Rewrite in python - Allow passing pkcs11 PIN using signingkey_password - Allow passing environment variables needed for pkcs11 modules using swtpm-localca.conf and format 'env:VARNAME=VALUE'. * build-sys: - Add python-install and python-uninstall targets - Add configure option to disable installation of Python module - Use -Wl,-z,relro and -Wl,-z,now only when linking (clang) - Use AC_LINK_IFELSE to check whether support for hardening flags - Changes from version 0.4.1 * swtpm_setup: - Do not hardcode '/etc' but use SYSCONFDIR - Fix support for -h and -? options - Add missing .config path when using ${HOME} * swtpm-localca: - Apply password for signing key when creating platform cert - Properly apply passwords for localca signing key - Changes from version 0.4.0 * swtpm: - Invoke print capabilities after choosing TPM version - Add some recent syscalls to seccomp blacklist * swtpm_cert: - Support --ecc-curveid option to pass curve id * swtpm_setup & related scripts: - Rewrite swtpm_setup.sh in python with TPM 1.2 not requiring tcsd and TPM tools anymore; new dependencies: - python3: pip, cryptography, setuptools dropped dependencies for swtpm_setup: - tcsd, expect, tpm-tools (some still needed for pkcs11 tests) - Added support for RSA 3072 keys (for libtpms-0.8.0) and moved to ECC NIST P384 curve; default RSA key size is still 2048 - Added support for --rsa-keysize option - Extend script to create a CA using a TPM 2 for signing * tests: - Use the IBM TSS2 v1.5.0's test suite - Add test case for loading of an NVRAM completely full with keys - Have softhsm_setup use temporary directory for softhsm config & state - various other improvements * man pages: - Improvements * build-sys: - clang: properly test for linker flag 'now' and 'relro' - Gentoo: explicitly link libswtpm_libtpms with -lcrypto - Ownership of /var/lib/swtpm-localca is now tss:root and mode flags 0750. ------------------------------------------------------------------- Thu Aug 13 01:37:06 UTC 2020 - Kai Liu <kai.liu@suse.com> - Update to version 0.3.4: * swtpm: - Fix compilation for cygwin * swtpm_setup & swtpm-localca: - Get rid of bash's eval when invoking external tools to avoid abuse. Only use eval for 'resolving' variables. * tests: - Various fixes of minor issues ------------------------------------------------------------------- Thu Jul 30 14:14:22 UTC 2020 - Kai Liu <kai.liu@suse.com> - Update to version 0.3.3: * swtpm_setup: - openSUSE: Support tcsd configuration where tss user != tss group, such as root/tss; Fedora & Ubuntu for example use tss/tss * build-sys: - Check whether tss user and group are available - Add tss user & group build flags per upstream instruction. This together with v0.3.3 fixed the bug with TPM 1.2 emulation. Related upstream bug: https://github.com/stefanberger/swtpm/issues/284 ------------------------------------------------------------------- Sat Jul 11 08:31:54 UTC 2020 - Kai Liu <kai.liu@suse.com> - Update to 0.3.2: + swtpm: + Remove unnecessary #include <seccomp.h> (fixes SuSE build) + Make coverity happy by handling default case in case statement + swtpm_setup: + bugfix: Create ECC storage primary key in owner hierarchy + bugfix: remove tpm2_stirrandom and tpm2_changeeps + tests: + Adjusted pcrUpdateCounter in tests to succeed with PCR TCB group fixes in libtpms TPM 2 code ------------------------------------------------------------------- Wed Apr 22 03:25:36 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com> - Update to 0.3.1 + swtpm: Fix vtpm proxy case without startup flags + swtpm: Only call memcpy if tocopy != 0 (coverity) + man: Document new startup options and capabilities advertisement + swtpm: Enable sending startup commands before processing commands + swtpm_cert: Accept serial numbers that use up to 64bits + swtpm_cert: Use getopt_long_only to parse options + swtpm_cert: Add support for --print-capabilities option + swtpm_cert: Allow passing signing key and parent key via new option + swtpm_setup: Enable spaces in paths and other variables + swtpm_ioctl: Calculate strlen(input) only once + swtpm_ioctl: Block SIGPIPE so we can get EPIPE on write() + swtpm_bios: Block SIGPIPE so we can get EPIPE on write() + swtpm: Only accept() new client ctrl connection if we have none + swtpm_setup: Do not fail on future PCR banks' hashes + swtpm_setup: Use 1st part of SWTPM_EXE/SWTPM_IOCTL to determine executable + swtpm_setup: Keep reserved range of file descriptors for swtpm_setup.sh + swtpm_setup: Log about encryption and fix c&p error in err msg + swtpm: Add --print-capabilities to help screen of 'swtpm chardev' + swtpm_ioctl: Fix uninitialized variable 'pgi' + swtpm_cert: Use gnutls_x509_crt_get_subject_key_id API call for subj keyId + swtpm_cert: Fix OIDs for TPM 2 platforms data + swtpm: Fix typo in error report: HMAC instead of hash + swtpm: Use writev_full rather than writev; fixes --vtpm-proxy EIO error - Refresh swtpm-setup-tcsd-path.patch ------------------------------------------------------------------- Fri Jan 3 01:52:45 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com> - Amend swtpm-adjust-seccomp-path.patch to add the missing seccomp paths - Adjust the conditional check of net-tools-deprecated for SLE15 and SLE15-SP1 ------------------------------------------------------------------- Thu Sep 5 08:00:27 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com> - Update to 0.2.0 +Linux: swtpm now runs with a seccomp profile (blacklist) if compiled with libseccomp support + Added subpport for passing key and passphrase via file descriptor + TPM 2 commands can now be prefixed by 'the TCG header' and responses will have a 4-byte prefix and 4-byte suffix. + Added --print-capabilities command line option + Proper handling on EINTR on read, poll, and write - Patches to adjust the pathes + swtpm-tpm-tools-path.patch + swtpm-setup-tcsd-path.patch + swtpm-adjust-seccomp-path.patch ------------------------------------------------------------------- Tue May 15 08:37:16 UTC 2018 - glin@suse.com - Initial import: 0.1.0-dev2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor