From d5d7cb49a602b65c1b1b0de22499f007615fec55 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 30 2021 10:38:09 +0000
Subject: import tpm2-tools-4.1.1-2.el8
---
diff --git a/SOURCES/0001-Fix-ESYS_TR-hierarchy-transition.patch b/SOURCES/0001-Fix-ESYS_TR-hierarchy-transition.patch
new file mode 100644
index 0000000..ff6b2cb
--- /dev/null
+++ b/SOURCES/0001-Fix-ESYS_TR-hierarchy-transition.patch
@@ -0,0 +1,80 @@ +From e607f78a054acfdbe119499c3608bdb2a44423d9 Mon Sep 17 00:00:00 2001 +From: Andreas Fuchs +Date: Thu, 7 May 2020 11:51:17 +0200 +Subject: [PATCH] Fix ESYS_TR hierarchy transition + +Fix those cases of TPM2_RH_ to ESYS_TR_RH_ translations that were missed in +780800c0be69a49b9097f8eae653cdb0623d2100 + +Signed-off-by: Andreas Fuchs +--- + lib/tpm2.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/lib/tpm2.c b/lib/tpm2.c +index e7ff77047bef..909a4422339d 100644 +--- a/lib/tpm2.c ++++ b/lib/tpm2.c +@@ -656,6 +656,12 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy) + { + #if defined(ESYS_3_0) + switch (hierarchy) { ++ case ESYS_TR_RH_NULL: ++ case ESYS_TR_RH_OWNER: ++ case ESYS_TR_RH_ENDORSEMENT: ++ case ESYS_TR_RH_PLATFORM: ++ case ESYS_TR_RH_PLATFORM_NV: ++ return hierarchy; + case TPM2_RH_NULL: + return ESYS_TR_RH_NULL; + case TPM2_RH_OWNER: +@@ -664,14 +670,16 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy) + return ESYS_TR_RH_ENDORSEMENT; + case TPM2_RH_PLATFORM: + return ESYS_TR_RH_PLATFORM; ++ case TPM2_RH_PLATFORM_NV: ++ return ESYS_TR_RH_PLATFORM_NV; + default: +- return TSS2_ESYS_RC_BAD_VALUE; ++ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy); ++ return 0xffffffff; + } + #elif defined(ESYS_2_3) + return hierarchy; + #else +- UNUSED(hierarchy); +- return TSS2_ESYS_RC_BAD_VALUE; ++#error "Need to define either ESYS_3_0 or ESYS_2_3" + #endif + } + +@@ -1154,7 +1162,7 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context, + } + + TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle, +- shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state); ++ shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state); + if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) { + LOG_PERR(Esys_HierarchyControl, rval); + return tool_rc_from_tpm(rval); +@@ -1251,7 +1259,7 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT 
*esys_context, + + TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle, + hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer, +- TPM2_RH_NULL, result, validation); ++ fix_esys_hierarchy(TPM2_RH_NULL), result, validation); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_HMAC, rval); + return tool_rc_from_tpm(rval); +@@ -1907,7 +1915,7 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private, + + TSS2_RC rval = Esys_LoadExternal(ectx, + ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, +- private, public, hierarchy, ++ private, public, fix_esys_hierarchy(hierarchy), + object_handle); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_LoadExternal, rval); +-- +2.27.0 + diff --git a/SOURCES/0001-Refactor-fix_esys_hierarchies.patch b/SOURCES/0001-Refactor-fix_esys_hierarchies.patch new file mode 100644 index 0000000..9e76674 --- /dev/null +++ b/SOURCES/0001-Refactor-fix_esys_hierarchies.patch 
@@ -0,0 +1,211 @@ +From 2e7839b905f7a493f739d36e3e550e0cee30049e Mon Sep 17 00:00:00 2001 +From: Andreas Fuchs +Date: Thu, 7 May 2020 19:12:36 +0200 +Subject: [PATCH] Refactor fix_esys_hierarchies() + +Refactor fix_esys_hierarchies() to return an actual TSS2_RC return code +and have an output parameter. + +Signed-off-by: Andreas Fuchs +--- + lib/tpm2.c | 88 +++++++++++++++++++++++++++++---------- + lib/tpm2.h | 2 +- + tools/tpm2_loadexternal.c | 9 +++- + 3 files changed, 75 insertions(+), 24 deletions(-) + +diff --git a/lib/tpm2.c b/lib/tpm2.c +index 909a4422339d..744fed8c529f 100644 +--- a/lib/tpm2.c ++++ b/lib/tpm2.c +@@ -645,39 +645,51 @@ tool_rc tpm2_evictcontrol(ESYS_CONTEXT *esys_context, + } + + /* This function addresses ESAPI change that changes parameter type from +- * Esys_TR to TPMI_RH_HIERARCHY and breaks backwards compatibility. ++ * Esys_TR to TPMI_RH_HIERARCHY or TPMI_RH_ENABLES and breaks backwards ++ * compatibility. + * To keep the tools parameters consistent after v4.0 release we need to + * map the values to appropriate type based on the version of the ESYS API. + * Note: the mapping is based on the ESYS version recognized at compile time. 
+ * The TSS change can be found here: + * https://github.com/tpm2-software/tpm2-tss/pull/1531 + */ +-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy) ++TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out) + { + #if defined(ESYS_3_0) +- switch (hierarchy) { ++ switch (in) { + case ESYS_TR_RH_NULL: ++ /* FALLTHRU */ + case ESYS_TR_RH_OWNER: ++ /* FALLTHRU */ + case ESYS_TR_RH_ENDORSEMENT: ++ /* FALLTHRU */ + case ESYS_TR_RH_PLATFORM: ++ /* FALLTHRU */ + case ESYS_TR_RH_PLATFORM_NV: +- return hierarchy; ++ *out = in; ++ return TSS2_RC_SUCCESS; + case TPM2_RH_NULL: +- return ESYS_TR_RH_NULL; ++ *out = ESYS_TR_RH_NULL; ++ return TSS2_RC_SUCCESS; + case TPM2_RH_OWNER: +- return ESYS_TR_RH_OWNER; ++ *out = ESYS_TR_RH_OWNER; ++ return TSS2_RC_SUCCESS; + case TPM2_RH_ENDORSEMENT: +- return ESYS_TR_RH_ENDORSEMENT; ++ *out = ESYS_TR_RH_ENDORSEMENT; ++ return TSS2_RC_SUCCESS; + case TPM2_RH_PLATFORM: +- return ESYS_TR_RH_PLATFORM; ++ *out = ESYS_TR_RH_PLATFORM; ++ return TSS2_RC_SUCCESS; + case TPM2_RH_PLATFORM_NV: +- return ESYS_TR_RH_PLATFORM_NV; ++ *out = ESYS_TR_RH_PLATFORM_NV; ++ return TSS2_RC_SUCCESS; + default: +- LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy); +- return 0xffffffff; ++ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", in); ++ return TSS2_ESYS_RC_BAD_VALUE; + } + #elif defined(ESYS_2_3) +- return hierarchy; ++ *out = in; ++ return TSS2_RC_SUCCESS; + #else + #error "Need to define either ESYS_3_0 or ESYS_2_3" + #endif +@@ -688,8 +700,14 @@ tool_rc tpm2_hash(ESYS_CONTEXT *esys_context, ESYS_TR shandle1, ESYS_TR shandle2 + TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **out_hash, + TPMT_TK_HASHCHECK **validation) { + +- TSS2_RC rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data, +- hash_alg, fix_esys_hierarchy(hierarchy), out_hash, validation); ++ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return tool_rc_from_tpm(rval); ++ 
} ++ ++ rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data, ++ hash_alg, hierarchy, out_hash, validation); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_Hash, rval); + return tool_rc_from_tpm(rval); +@@ -729,9 +747,15 @@ tool_rc tpm2_sequence_complete(ESYS_CONTEXT *esys_context, + TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **result, + TPMT_TK_HASHCHECK **validation) { + +- TSS2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle, ++ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return tool_rc_from_tpm(rval); ++ } ++ ++ rval = Esys_SequenceComplete(esys_context, sequence_handle, + ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, buffer, +- fix_esys_hierarchy(hierarchy), result, validation); ++ hierarchy, result, validation); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_SequenceComplete, rval); + return tool_rc_from_tpm(rval); +@@ -1161,8 +1185,14 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context, + return rc; + } + +- TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle, +- shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state); ++ TSS2_RC rval = fix_esys_hierarchy(enable, &enable); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return tool_rc_from_tpm(rval); ++ } ++ ++ rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle, ++ shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state); + if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) { + LOG_PERR(Esys_HierarchyControl, rval); + return tool_rc_from_tpm(rval); +@@ -1257,9 +1287,17 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context, + return rc; + } + +- TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle, ++ uint32_t hierarchy; ++ ++ TSS2_RC rval = fix_esys_hierarchy(TPM2_RH_NULL, &hierarchy); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return 
tool_rc_from_tpm(rval); ++ } ++ ++ rval = Esys_SequenceComplete(esys_context, sequence_handle, + hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer, +- fix_esys_hierarchy(TPM2_RH_NULL), result, validation); ++ hierarchy, result, validation); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_HMAC, rval); + return tool_rc_from_tpm(rval); +@@ -1913,9 +1951,15 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private, + const TPM2B_PUBLIC *public, TPMI_RH_HIERARCHY hierarchy, + ESYS_TR *object_handle) { + +- TSS2_RC rval = Esys_LoadExternal(ectx, ++ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return tool_rc_from_tpm(rval); ++ } ++ ++ rval = Esys_LoadExternal(ectx, + ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, +- private, public, fix_esys_hierarchy(hierarchy), ++ private, public, hierarchy, + object_handle); + if (rval != TSS2_RC_SUCCESS) { + LOG_PERR(Esys_LoadExternal, rval); +diff --git a/lib/tpm2.h b/lib/tpm2.h +index a37e05606c7a..2e4ae5e7dddc 100644 +--- a/lib/tpm2.h ++++ b/lib/tpm2.h +@@ -389,7 +389,7 @@ tool_rc tpm2_policy_nv_written(ESYS_CONTEXT *esys_context, + ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2, + ESYS_TR shandle3, TPMI_YES_NO written_set); + +-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy); ++TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out); + + tool_rc tpm2_certifycreation(ESYS_CONTEXT *esys_context, + tpm2_loaded_object *signingkey_obj, tpm2_loaded_object *certifiedkey_obj, +diff --git a/tools/tpm2_loadexternal.c b/tools/tpm2_loadexternal.c +index 70fb72877aae..4127ca1b524b 100644 +--- a/tools/tpm2_loadexternal.c ++++ b/tools/tpm2_loadexternal.c +@@ -48,9 +48,16 @@ static tpm_loadexternal_ctx ctx = { + static tool_rc load_external(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *pub, + TPM2B_SENSITIVE *priv, bool has_priv, TPM2B_NAME **name) { + ++ uint32_t hierarchy; ++ TSS2_RC rval = 
fix_esys_hierarchy(ctx.hierarchy_value, &hierarchy); ++ if (rval != TSS2_RC_SUCCESS) { ++ LOG_ERR("Unknown hierarchy"); ++ return tool_rc_from_tpm(rval); ++ } ++ + tool_rc rc = tpm2_loadexternal(ectx, + has_priv ? priv : NULL, pub, +- fix_esys_hierarchy(ctx.hierarchy_value), &ctx.handle); ++ hierarchy, &ctx.handle); + if (rc != tool_rc_success) { + return rc; + } +-- +2.27.0 + diff --git a/SOURCES/0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch b/SOURCES/0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch new file mode 100644 index 0000000..2869652 --- /dev/null +++ b/SOURCES/0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch @@ -0,0 +1,28 @@ +From c28932caef2036039901a91cf55eb7ff093c70f5 Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Fri, 24 Jan 2020 15:53:39 -0700 +Subject: [PATCH] tpm2_alg_util.c: fix a bug where the string rsa3072 wasnt + being parsed + +Signed-off-by: Imran Desai +--- + lib/tpm2_alg_util.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c +index b83c387a05bd..fcad480e0c3d 100644 +--- a/lib/tpm2_alg_util.c ++++ b/lib/tpm2_alg_util.c +@@ -301,6 +301,9 @@ static alg_parser_rc handle_rsa(const char *ext, TPM2B_PUBLIC *public) { + } else if (!strncmp(ext, "4096", 4)) { + r->keyBits = 4096; + ext += 4; ++ } else if (!strncmp(ext, "3072", 4)) { ++ r->keyBits = 3072; ++ ext += 4; + } else { + r->keyBits = 2048; + } +-- +2.27.0 + diff --git a/SOURCES/0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch b/SOURCES/0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch new file mode 100644 index 0000000..fbc402e --- /dev/null +++ b/SOURCES/0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch 
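Review bot: tools/tpm2_loadexternal.c now runs `fix_esys_hierarchy(ctx.hierarchy_value, &hierarchy)` and hands the result to tpm2_loadexternal, which in the same patch runs `fix_esys_hierarchy(hierarchy, &hierarchy)` a second time; this is harmless under ESYS_3_0 because the ESYS_TR_RH_* cases return their input unchanged, but the mapping now lives in two places. The tool-level call and its local `hierarchy` can be dropped so the library function stays the single conversion point, `tool_rc rc = tpm2_loadexternal(ectx, has_priv ? priv : NULL, pub, ctx.hierarchy_value, &ctx.handle);`. Each caller also emits `LOG_ERR("Unknown hierarchy")` right after fix_esys_hierarchy has already logged the offending value, so one bad handle produces two error lines; keeping only the one that prints the value is enough. The new prototype in lib/tpm2.h carries no comment — a `/** ... */` block stating that `in` accepts either a TPM2_RH_* or an ESYS_TR_RH_* constant, that `*out` is written only on success, and that an unknown handle returns TSS2_ESYS_RC_BAD_VALUE would tell callers what to check. The retained `0x%08x` format receives a uint32_t; `PRIx32` from inttypes.h is the portable specifier.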
@@ -0,0 +1,186 @@ +From 696a17861c38b38fb2acf888119d918eb9c12329 Mon Sep 17 00:00:00 2001 +From: Imran Desai +Date: Thu, 21 May 2020 11:31:43 -0700 +Subject: [PATCH] tpm2_create.c: Fix an issue where userwithauth attr cleared + if policy specified + +Fixes #2037 + +Signed-off-by: Imran Desai +--- + man/tpm2_create.1.md | 9 +++- + test/integration/tests/import_tpm.sh | 78 +++++++++++++++++----------- + tools/tpm2_create.c | 10 ++-- + 3 files changed, 60 insertions(+), 37 deletions(-) + +diff --git a/man/tpm2_create.1.md b/man/tpm2_create.1.md +index e8e5eaac49c3..9a7ba33e6017 100644 +--- a/man/tpm2_create.1.md ++++ b/man/tpm2_create.1.md +@@ -13,7 +13,7 @@ + **tpm2_create**(1) - Create a child object. The object can either be a key or + a sealing object. A sealing object allows to seal user data to the TPM, with a + maximum size of 256 bytes. Additionally it will load the created object if the +-**-o** is specified. ++**-c** is specified. + + # OPTIONS + +@@ -55,6 +55,13 @@ These options for creating the TPM entity: + and unsealing. I.e. one cannot use an object for sealing and cryptography + operations. + ++ When **-L** is specified for adding policy based authorization information ++ AND no string password is specified, the attribute `TPMA_OBJECT_USERWITHAUTH` ++ is cleared unless an explicit choice is made by setting of the attribute ++ with **-a** option. This prevents creation of objects with inadvertant auth ++ model where in user intended to enforce a policy but inadvertantly created ++ an object with empty auth which can be used instead of policy authorization. ++ + * **-i**, **\--sealing-input**=_FILE_ or _STDIN_: + + The data file to be sealed, optional. If file is -, read from stdin. 
+diff --git a/test/integration/tests/import_tpm.sh b/test/integration/tests/import_tpm.sh +index ff48185aba70..3d1e10820844 100755 +--- a/test/integration/tests/import_tpm.sh ++++ b/test/integration/tests/import_tpm.sh +@@ -54,8 +54,13 @@ load_new_parent() { + create_load_duplicatee() { + # Create the key we want to duplicate + create_policy dpolicy.dat TPM2_CC_Duplicate +- tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p foo -r key.prv -u key.pub \ +- -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth" ++ if [ -z "$2" ];then ++ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -r key.prv \ ++ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth" ++ else ++ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p "$2" -r key.prv \ ++ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth" ++ fi + # Load the key + tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx + # Extract the public part for import later +@@ -113,34 +118,45 @@ for dup_key_type in aes rsa ecc; do + done + done + +-# Part 2 : +-# Create a rsa key (Kd) +-# Encrypt a message using Kd +-# Duplicate Kd +-# Import & Load Kd +-# Decrypt the message and verify +-tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx +-# New parent ... +-create_load_new_parent +-# Key to be duplicated +-create_load_duplicatee rsa +-# Encrypt a secret message +-echo "Mary had a little lamb ..." > plain.txt +-tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt +-# Duplicate the key +-do_duplication null +-# Remove, we're done with it +-rm new_parent.ctx +-# Load the full thing this time +-load_new_parent +-# Import & load the duplicate +-do_import_load null +-# Decrypt the secret message using duplicated key +-tpm2_rsadecrypt -Q -p foo -c dup.ctx -o recovered.txt cipher.txt +-# Check we got it right ... 
+-diff recovered.txt plain.txt +-# Cleanup +-rm plain.txt recovered.txt cipher.txt +-cleanup "no-shut-down" ++test_key_usage() { ++ # Part 2 : ++ # Create a rsa key (Kd) ++ # Encrypt a message using Kd ++ # Duplicate Kd ++ # Import & Load Kd ++ # Decrypt the message and verify ++ tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx ++ # New parent ... ++ create_load_new_parent ++ # Key to be duplicated ++ create_load_duplicatee rsa "$1" ++ # Encrypt a secret message ++ echo "Mary had a little lamb ..." > plain.txt ++ tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt ++ # Duplicate the key ++ do_duplication null ++ # Remove, we're done with it ++ rm new_parent.ctx ++ # Load the full thing this time ++ load_new_parent ++ # Import & load the duplicate ++ do_import_load null ++ # Decrypt the secret message using duplicated key ++ if [ -z "$1" ];then ++ tpm2_rsadecrypt -Q -c dup.ctx -o recovered.txt cipher.txt ++ else ++ tpm2_rsadecrypt -Q -p "$1" -c dup.ctx -o recovered.txt cipher.txt ++ fi ++ # Check we got it right ... ++ diff recovered.txt plain.txt ++ # Cleanup ++ rm plain.txt recovered.txt cipher.txt ++ cleanup "no-shut-down" ++} ++ ++#Test key with password ++test_key_usage foo ++#Test key without password ++test_key_usage + + exit 0 +diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c +index 941b77655f55..8e92cc747e17 100644 +--- a/tools/tpm2_create.c ++++ b/tools/tpm2_create.c +@@ -47,7 +47,7 @@ struct tpm_create_ctx { + TPML_PCR_SELECTION creation_pcr; + + struct { +- UINT8 b :1; ++ UINT8 a :1; + UINT8 i :1; + UINT8 L :1; + UINT8 u :1; +@@ -224,7 +224,7 @@ static bool on_option(char key, char *value) { + break; + case 'a': + ctx.object.attrs = value; +- ctx.flags.b = 1; ++ ctx.flags.a = 1; + break; + case 'i': + ctx.object.sealed_data = strcmp("-", value) ? 
value : NULL; +@@ -346,12 +346,12 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { + + ctx.object.alg = "keyedhash"; + +- if (!ctx.flags.b) { ++ if (!ctx.flags.a) { + attrs &= ~TPMA_OBJECT_SIGN_ENCRYPT; + attrs &= ~TPMA_OBJECT_DECRYPT; + attrs &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN; + } +- } else if (!ctx.flags.b && !strncmp("hmac", ctx.object.alg, 4)) { ++ } else if (!ctx.flags.a && !strncmp("hmac", ctx.object.alg, 4)) { + attrs &= ~TPMA_OBJECT_DECRYPT; + } + +@@ -362,7 +362,7 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { + return tool_rc_general_error; + } + +- if (ctx.flags.L && !ctx.object.auth_str) { ++ if (!ctx.flags.a && ctx.flags.L && !ctx.object.auth_str) { + ctx.object.public.publicArea.objectAttributes &= + ~TPMA_OBJECT_USERWITHAUTH; + } +-- +2.27.0 + diff --git a/SOURCES/0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch b/SOURCES/0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch new file mode 100644 index 0000000..0d4b89b --- /dev/null +++ b/SOURCES/0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch 
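Review bot: The new shell test only exercises the path the fix targets — every `tpm2_create` call in create_load_duplicatee still passes `-a "sensitivedataorigin|decrypt|userwithauth"`, so the other half of the new condition in tpm2_tool_onrun (`-L` given without `-a` and without a password clears TPMA_OBJECT_USERWITHAUTH) has no coverage; a case that creates with `-L` and neither `-a` nor `-p` and then checks the object's public attributes would pin that behaviour. The if/else branches in create_load_duplicatee and test_key_usage differ only by the `-p "$2"` / `-p "$1"` argument and can be collapsed with the `${2:+-p "$2"}` expansion. The paragraph added to tpm2_create.1.md has "inadvertant" and "inadvertantly" (should be "inadvertent"/"inadvertently") and "where in" (should be "wherein"). The `b`→`a` bitfield rename is applied consistently across the three tpm2_create.c hunks.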
@@ -0,0 +1,37 @@
+From 334b4c739fa575fb4ea58f92df6de87c38e59e15 Mon Sep 17 00:00:00 2001
+From: Imran Desai
+Date: Thu, 23 Jan 2020 08:06:56 -0700
+Subject: [PATCH] tpm2_hierarchycontrol: Fixed bug where hierarchycontrol
+ operation failed silently
+
+Fixes #1841
+
+Signed-off-by: Imran Desai
+---
+ tools/tpm2_hierarchycontrol.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tpm2_hierarchycontrol.c b/tools/tpm2_hierarchycontrol.c
+index 0baf2ca487d3..7e9e2c657544 100644
+--- a/tools/tpm2_hierarchycontrol.c
++++ b/tools/tpm2_hierarchycontrol.c
+@@ -32,8 +32,14 @@ static tool_rc hierarchycontrol(ESYS_CONTEXT *ectx) {
+ ctx.enable == TPM2_RH_ENDORSEMENT ? "ehEnable" : "phEnableNV",
+ ctx.state ? "SET" : "CLEAR");
+
+- return tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object, ctx.enable,
+- ctx.state);
++ tool_rc rc = tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object,
++ ctx.enable, ctx.state);
++
++ if (rc != tool_rc_success) {
++ LOG_ERR("Failed hierarchycontrol operation.");
++ }
++
++ return rc;
+ }
+
+ bool on_arg(int argc, char **argv) {
+--
+2.27.0
+
diff --git a/SOURCES/0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch b/SOURCES/0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch
new file mode 100644
index 0000000..da77107
--- /dev/null
+++ b/SOURCES/0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch
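Review bot: The added `LOG_ERR("Failed hierarchycontrol operation.")` does not say which enable/state pair failed, although the call whose tail opens the hunk already formats exactly that (`"ehEnable"`/`"phEnableNV"`, `"SET"`/`"CLEAR"`); repeating those two values in the error keeps the failure diagnosable from the log alone. tpm2_hierarchycontrol in lib/tpm2.c already emits LOG_PERR on a TPM error (visible in the Fix-ESYS_TR patch on this page), so on that path this becomes a second error line; if a tool-level summary is the intent, a one-line comment saying so would stop the next reader from removing one of them. hierarchycontrol's body starts before the hunk.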
@@ -0,0 +1,31 @@
+From 652322f7278ec8c384fde9ec2204b06d084a24e4 Mon Sep 17 00:00:00 2001
+From: Imran Desai
+Date: Thu, 23 Jan 2020 07:54:58 -0700
+Subject: [PATCH] tpm2_nvdefine.c: Fixed error reporting message
+
+Fixes #1861
+
+NV define failure error message had the wording to suggest NV index
+was successfully defined.
+
+Signed-off-by: Imran Desai
+---
+ tools/tpm2_nvdefine.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_nvdefine.c b/tools/tpm2_nvdefine.c
+index cb2949c4dddc..71203cb6c80d 100644
+--- a/tools/tpm2_nvdefine.c
++++ b/tools/tpm2_nvdefine.c
+@@ -65,7 +65,7 @@ static tool_rc nv_space_define(ESYS_CONTEXT *ectx) {
+ tool_rc rc = tpm2_nv_definespace(ectx, &ctx.auth_hierarchy.object,
+ &ctx.nv_auth, &public_info);
+ if (rc != tool_rc_success) {
+- LOG_INFO("Success to define NV area at index 0x%x.", ctx.nv_index);
++ LOG_ERR("Failed to create NV index 0x%x.", ctx.nv_index);
+ return rc;
+ }
+
+--
+2.27.0
+
diff --git a/SOURCES/0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch b/SOURCES/0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch
new file mode 100644
index 0000000..c6a5e86
--- /dev/null
+++ b/SOURCES/0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch
@@ -0,0 +1,26 @@
+From 44d0d2d17dc693e029e0557ec985c9b68c3efeb5 Mon Sep 17 00:00:00 2001
+From: Imran Desai
+Date: Wed, 22 Jan 2020 14:15:48 -0700
+Subject: [PATCH] tpm2_policyor: Silent failure bug fix for invalid/unspecified
+ policy digest alg
+
+Signed-off-by: Imran Desai
+---
+ lib/tpm2_policy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c
+index 3d9b5491f9ce..8460bd1d9ae9 100644
+--- a/lib/tpm2_policy.c
++++ b/lib/tpm2_policy.c
+@@ -588,6 +588,7 @@ bool tpm2_policy_parse_policy_list(char *str, TPML_DIGEST *policy_list) {
+ hash = tpm2_alg_util_from_optarg(subtoken,
+ tpm2_alg_util_flags_hash);
+ if (hash == TPM2_ALG_ERROR) {
++ LOG_ERR("Invalid/ Unspecified policy digest algorithm.");
+ return false;
+ }
+ }
+--
+2.27.0
+
diff --git a/SPECS/tpm2-tools.spec b/SPECS/tpm2-tools.spec
index f25149e..8a9b583 100644
--- a/SPECS/tpm2-tools.spec
+++ b/SPECS/tpm2-tools.spec
@@ -1,11 +1,18 @@
 Name: tpm2-tools
 Version: 4.1.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A TPM2.0 testing tool build upon TPM2.0-TSS
 License: BSD
 URL: https://github.com/tpm2-software/tpm2-tools
 Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0: 0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch
+Patch1: 0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch
+Patch2: 0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch
+Patch3: 0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch
+Patch4: 0001-Fix-ESYS_TR-hierarchy-transition.patch
+Patch5: 0001-Refactor-fix_esys_hierarchies.patch
+Patch6: 0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch
 BuildRequires: gcc-c++
 BuildRequires: libtool
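Review bot: Patch0 through Patch6 are declared in this hunk, but the %prep section that applies them is outside the diff; unless it already uses `%autosetup -p1` (or gains seven matching `%patchN -p1` lines), the declarations alone change nothing in the built package and none of the seven fixes listed in the changelog would actually ship. This is worth confirming against %prep before merging, since the changelog and the Release bump both claim the fixes are present. The Patch4-before-Patch5 ordering is right: the Refactor patch's index line (909a4422339d..744fed8c529f) starts from the blob the Fix-ESYS_TR patch produces, so applying them in the declared order is required.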
@@ -46,6 +53,16 @@ tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
 %{_mandir}/man1/tpm2_*.1.gz
 %changelog
+* Mon Nov 16 2020 Jerry Snitselaar - 4.1.1-2
+- Fix ESYS_TR hierarchy transition.
+- Refactor fix_esys_hierarchies to return actual TSS2_RC return code.
+- tpm2_alg_util.c: fix a bug where the string rsa3072 wasn't being parsed.
+- tpm2_create.c: Fix an issue where userwithauth attr cleared if policy specified.
+- tpm2_hierarchycontrol: Fix bug where hierarchycontrol operation failed silently.
+- tpm2_nvdefine.c: Fix error reporting message.
+- tpm2_policyor: Fix silent failure for invalid/unspecified policy digest alg.
+resolves: rhbz#1854774
+
 * Wed Apr 29 2020 Jerry Snitselaar - 4.1.1-1
 - Update to 4.1.1 release
 resolves: rhbz#1789682