diff --git a/SOURCES/0001-Fix-ESYS_TR-hierarchy-transition.patch b/SOURCES/0001-Fix-ESYS_TR-hierarchy-transition.patch
new file mode 100644
index 0000000..ff6b2cb
--- /dev/null
+++ b/SOURCES/0001-Fix-ESYS_TR-hierarchy-transition.patch
@@ -0,0 +1,80 @@
+From e607f78a054acfdbe119499c3608bdb2a44423d9 Mon Sep 17 00:00:00 2001
+From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
+Date: Thu, 7 May 2020 11:51:17 +0200
+Subject: [PATCH] Fix ESYS_TR hierarchy transition
+
+Fix those cases of TPM2_RH_ to ESYS_TR_RH_ translations that were missed in
+780800c0be69a49b9097f8eae653cdb0623d2100
+
+Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
+---
+ lib/tpm2.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/lib/tpm2.c b/lib/tpm2.c
+index e7ff77047bef..909a4422339d 100644
+--- a/lib/tpm2.c
++++ b/lib/tpm2.c
+@@ -656,6 +656,12 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
+ {
+ #if defined(ESYS_3_0)
+ switch (hierarchy) {
++ case ESYS_TR_RH_NULL:
++ case ESYS_TR_RH_OWNER:
++ case ESYS_TR_RH_ENDORSEMENT:
++ case ESYS_TR_RH_PLATFORM:
++ case ESYS_TR_RH_PLATFORM_NV:
++ return hierarchy;
+ case TPM2_RH_NULL:
+ return ESYS_TR_RH_NULL;
+ case TPM2_RH_OWNER:
+@@ -664,14 +670,16 @@ uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
+ return ESYS_TR_RH_ENDORSEMENT;
+ case TPM2_RH_PLATFORM:
+ return ESYS_TR_RH_PLATFORM;
++ case TPM2_RH_PLATFORM_NV:
++ return ESYS_TR_RH_PLATFORM_NV;
+ default:
+- return TSS2_ESYS_RC_BAD_VALUE;
++ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy);
++ return 0xffffffff;
+ }
+ #elif defined(ESYS_2_3)
+ return hierarchy;
+ #else
+- UNUSED(hierarchy);
+- return TSS2_ESYS_RC_BAD_VALUE;
++#error "Need to define either ESYS_3_0 or ESYS_2_3"
+ #endif
+ }
+
+@@ -1154,7 +1162,7 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context,
+ }
+
+ TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
+- shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state);
++ shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state);
+ if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) {
+ LOG_PERR(Esys_HierarchyControl, rval);
+ return tool_rc_from_tpm(rval);
+@@ -1251,7 +1259,7 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context,
+
+ TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
+ hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer,
+- TPM2_RH_NULL, result, validation);
++ fix_esys_hierarchy(TPM2_RH_NULL), result, validation);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_PERR(Esys_HMAC, rval);
+ return tool_rc_from_tpm(rval);
+@@ -1907,7 +1915,7 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private,
+
+ TSS2_RC rval = Esys_LoadExternal(ectx,
+ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+- private, public, hierarchy,
++ private, public, fix_esys_hierarchy(hierarchy),
+ object_handle);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_PERR(Esys_LoadExternal, rval);
+--
+2.27.0
+
diff --git a/SOURCES/0001-Refactor-fix_esys_hierarchies.patch b/SOURCES/0001-Refactor-fix_esys_hierarchies.patch
new file mode 100644
index 0000000..9e76674
--- /dev/null
+++ b/SOURCES/0001-Refactor-fix_esys_hierarchies.patch
@@ -0,0 +1,211 @@
+From 2e7839b905f7a493f739d36e3e550e0cee30049e Mon Sep 17 00:00:00 2001
+From: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
+Date: Thu, 7 May 2020 19:12:36 +0200
+Subject: [PATCH] Refactor fix_esys_hierarchies()
+
+Refactor fix_esys_hierarchies() to return an actual TSS2_RC return code
+and have an output parameter.
+
+Signed-off-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de>
+---
+ lib/tpm2.c | 88 +++++++++++++++++++++++++++++----------
+ lib/tpm2.h | 2 +-
+ tools/tpm2_loadexternal.c | 9 +++-
+ 3 files changed, 75 insertions(+), 24 deletions(-)
+
+diff --git a/lib/tpm2.c b/lib/tpm2.c
+index 909a4422339d..744fed8c529f 100644
+--- a/lib/tpm2.c
++++ b/lib/tpm2.c
+@@ -645,39 +645,51 @@ tool_rc tpm2_evictcontrol(ESYS_CONTEXT *esys_context,
+ }
+
+ /* This function addresses ESAPI change that changes parameter type from
+- * Esys_TR to TPMI_RH_HIERARCHY and breaks backwards compatibility.
++ * Esys_TR to TPMI_RH_HIERARCHY or TPMI_RH_ENABLES and breaks backwards
++ * compatibility.
+ * To keep the tools parameters consistent after v4.0 release we need to
+ * map the values to appropriate type based on the version of the ESYS API.
+ * Note: the mapping is based on the ESYS version recognized at compile time.
+ * The TSS change can be found here:
+ * https://github.com/tpm2-software/tpm2-tss/pull/1531
+ */
+-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy)
++TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out)
+ {
+ #if defined(ESYS_3_0)
+- switch (hierarchy) {
++ switch (in) {
+ case ESYS_TR_RH_NULL:
++ /* FALLTHRU */
+ case ESYS_TR_RH_OWNER:
++ /* FALLTHRU */
+ case ESYS_TR_RH_ENDORSEMENT:
++ /* FALLTHRU */
+ case ESYS_TR_RH_PLATFORM:
++ /* FALLTHRU */
+ case ESYS_TR_RH_PLATFORM_NV:
+- return hierarchy;
++ *out = in;
++ return TSS2_RC_SUCCESS;
+ case TPM2_RH_NULL:
+- return ESYS_TR_RH_NULL;
++ *out = ESYS_TR_RH_NULL;
++ return TSS2_RC_SUCCESS;
+ case TPM2_RH_OWNER:
+- return ESYS_TR_RH_OWNER;
++ *out = ESYS_TR_RH_OWNER;
++ return TSS2_RC_SUCCESS;
+ case TPM2_RH_ENDORSEMENT:
+- return ESYS_TR_RH_ENDORSEMENT;
++ *out = ESYS_TR_RH_ENDORSEMENT;
++ return TSS2_RC_SUCCESS;
+ case TPM2_RH_PLATFORM:
+- return ESYS_TR_RH_PLATFORM;
++ *out = ESYS_TR_RH_PLATFORM;
++ return TSS2_RC_SUCCESS;
+ case TPM2_RH_PLATFORM_NV:
+- return ESYS_TR_RH_PLATFORM_NV;
++ *out = ESYS_TR_RH_PLATFORM_NV;
++ return TSS2_RC_SUCCESS;
+ default:
+- LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", hierarchy);
+- return 0xffffffff;
++ LOG_ERR("An unknown hierarchy handle was passed: 0x%08x", in);
++ return TSS2_ESYS_RC_BAD_VALUE;
+ }
+ #elif defined(ESYS_2_3)
+- return hierarchy;
++ *out = in;
++ return TSS2_RC_SUCCESS;
+ #else
+ #error "Need to define either ESYS_3_0 or ESYS_2_3"
+ #endif
+@@ -688,8 +700,14 @@ tool_rc tpm2_hash(ESYS_CONTEXT *esys_context, ESYS_TR shandle1, ESYS_TR shandle2
+ TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **out_hash,
+ TPMT_TK_HASHCHECK **validation) {
+
+- TSS2_RC rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data,
+- hash_alg, fix_esys_hierarchy(hierarchy), out_hash, validation);
++ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
++ if (rval != TSS2_RC_SUCCESS) {
++ LOG_ERR("Unknown hierarchy");
++ return tool_rc_from_tpm(rval);
++ }
++
++ rval = Esys_Hash(esys_context, shandle1, shandle2, shandle3, data,
++ hash_alg, hierarchy, out_hash, validation);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_PERR(Esys_Hash, rval);
+ return tool_rc_from_tpm(rval);
+@@ -729,9 +747,15 @@ tool_rc tpm2_sequence_complete(ESYS_CONTEXT *esys_context,
+ TPMI_RH_HIERARCHY hierarchy, TPM2B_DIGEST **result,
+ TPMT_TK_HASHCHECK **validation) {
+
+- TSS2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
++ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
++ if (rval != TSS2_RC_SUCCESS) {
++ LOG_ERR("Unknown hierarchy");
++ return tool_rc_from_tpm(rval);
++ }
++
++ rval = Esys_SequenceComplete(esys_context, sequence_handle,
+ ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE, buffer,
+- fix_esys_hierarchy(hierarchy), result, validation);
++ hierarchy, result, validation);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_PERR(Esys_SequenceComplete, rval);
+ return tool_rc_from_tpm(rval);
+@@ -1161,8 +1185,14 @@ tool_rc tpm2_hierarchycontrol(ESYS_CONTEXT *esys_context,
+ return rc;
+ }
+
+- TSS2_RC rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
+- shandle, ESYS_TR_NONE, ESYS_TR_NONE, fix_esys_hierarchy(enable), state);
++ TSS2_RC rval = fix_esys_hierarchy(enable, &enable);
++ if (rval != TSS2_RC_SUCCESS) {
++ LOG_ERR("Unknown hierarchy");
++ return tool_rc_from_tpm(rval);
++ }
++
++ rval = Esys_HierarchyControl(esys_context, auth_hierarchy->tr_handle,
++ shandle, ESYS_TR_NONE, ESYS_TR_NONE, enable, state);
+ if (rval != TPM2_RC_SUCCESS && rval != TPM2_RC_INITIALIZE) {
+ LOG_PERR(Esys_HierarchyControl, rval);
+ return tool_rc_from_tpm(rval);
+@@ -1257,9 +1287,17 @@ tool_rc tpm2_hmac_sequencecomplete(ESYS_CONTEXT *esys_context,
+ return rc;
+ }
+
+- TPM2_RC rval = Esys_SequenceComplete(esys_context, sequence_handle,
++ uint32_t hierarchy;
++
++ TSS2_RC rval = fix_esys_hierarchy(TPM2_RH_NULL, &hierarchy);
++ if (rval != TSS2_RC_SUCCESS) {
++ LOG_ERR("Unknown hierarchy");
++ return tool_rc_from_tpm(rval);
++ }
++
++ rval = Esys_SequenceComplete(esys_context, sequence_handle,
+ hmac_key_obj_shandle, ESYS_TR_NONE, ESYS_TR_NONE, input_buffer,
+- fix_esys_hierarchy(TPM2_RH_NULL), result, validation);
++ hierarchy, result, validation);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_PERR(Esys_HMAC, rval);
+ return tool_rc_from_tpm(rval);
+@@ -1913,9 +1951,15 @@ tool_rc tpm2_loadexternal(ESYS_CONTEXT *ectx, const TPM2B_SENSITIVE *private,
+ const TPM2B_PUBLIC *public, TPMI_RH_HIERARCHY hierarchy,
+ ESYS_TR *object_handle) {
+
+- TSS2_RC rval = Esys_LoadExternal(ectx,
++ TSS2_RC rval = fix_esys_hierarchy(hierarchy, &hierarchy);
++ if (rval != TSS2_RC_SUCCESS) {
++ LOG_ERR("Unknown hierarchy");
++ return tool_rc_from_tpm(rval);
++ }
++
++ rval = Esys_LoadExternal(ectx,
+ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+- private, public, fix_esys_hierarchy(hierarchy),
++ private, public, hierarchy,
+ object_handle);
+ if (rval != TSS2_RC_SUCCESS) {
+ LOG_PERR(Esys_LoadExternal, rval);
+diff --git a/lib/tpm2.h b/lib/tpm2.h
+index a37e05606c7a..2e4ae5e7dddc 100644
+--- a/lib/tpm2.h
++++ b/lib/tpm2.h
+@@ -389,7 +389,7 @@ tool_rc tpm2_policy_nv_written(ESYS_CONTEXT *esys_context,
+ ESYS_TR policy_session, ESYS_TR shandle1, ESYS_TR shandle2,
+ ESYS_TR shandle3, TPMI_YES_NO written_set);
+
+-uint32_t fix_esys_hierarchy(TPMI_RH_HIERARCHY hierarchy);
++TSS2_RC fix_esys_hierarchy(uint32_t in, uint32_t *out);
+
+ tool_rc tpm2_certifycreation(ESYS_CONTEXT *esys_context,
+ tpm2_loaded_object *signingkey_obj, tpm2_loaded_object *certifiedkey_obj,
+diff --git a/tools/tpm2_loadexternal.c b/tools/tpm2_loadexternal.c
+index 70fb72877aae..4127ca1b524b 100644
+--- a/tools/tpm2_loadexternal.c
++++ b/tools/tpm2_loadexternal.c
+@@ -48,9 +48,16 @@ static tpm_loadexternal_ctx ctx = {
+ static tool_rc load_external(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *pub,
+ TPM2B_SENSITIVE *priv, bool has_priv, TPM2B_NAME **name) {
+
++ uint32_t hierarchy;
++ TSS2_RC rval = fix_esys_hierarchy(ctx.hierarchy_value, &hierarchy);
++ if (rval != TSS2_RC_SUCCESS) {
++ LOG_ERR("Unknown hierarchy");
++ return tool_rc_from_tpm(rval);
++ }
++
+ tool_rc rc = tpm2_loadexternal(ectx,
+ has_priv ? priv : NULL, pub,
+- fix_esys_hierarchy(ctx.hierarchy_value), &ctx.handle);
++ hierarchy, &ctx.handle);
+ if (rc != tool_rc_success) {
+ return rc;
+ }
+--
+2.27.0
+
diff --git a/SOURCES/0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch b/SOURCES/0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch
new file mode 100644
index 0000000..2869652
--- /dev/null
+++ b/SOURCES/0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch
@@ -0,0 +1,28 @@
+From c28932caef2036039901a91cf55eb7ff093c70f5 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Fri, 24 Jan 2020 15:53:39 -0700
+Subject: [PATCH] tpm2_alg_util.c: fix a bug where the string rsa3072 wasnt
+ being parsed
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ lib/tpm2_alg_util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c
+index b83c387a05bd..fcad480e0c3d 100644
+--- a/lib/tpm2_alg_util.c
++++ b/lib/tpm2_alg_util.c
+@@ -301,6 +301,9 @@ static alg_parser_rc handle_rsa(const char *ext, TPM2B_PUBLIC *public) {
+ } else if (!strncmp(ext, "4096", 4)) {
+ r->keyBits = 4096;
+ ext += 4;
++ } else if (!strncmp(ext, "3072", 4)) {
++ r->keyBits = 3072;
++ ext += 4;
+ } else {
+ r->keyBits = 2048;
+ }
+--
+2.27.0
+
diff --git a/SOURCES/0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch b/SOURCES/0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch
new file mode 100644
index 0000000..fbc402e
--- /dev/null
+++ b/SOURCES/0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch
@@ -0,0 +1,186 @@
+From 696a17861c38b38fb2acf888119d918eb9c12329 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Thu, 21 May 2020 11:31:43 -0700
+Subject: [PATCH] tpm2_create.c: Fix an issue where userwithauth attr cleared
+ if policy specified
+
+Fixes #2037
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ man/tpm2_create.1.md | 9 +++-
+ test/integration/tests/import_tpm.sh | 78 +++++++++++++++++-----------
+ tools/tpm2_create.c | 10 ++--
+ 3 files changed, 60 insertions(+), 37 deletions(-)
+
+diff --git a/man/tpm2_create.1.md b/man/tpm2_create.1.md
+index e8e5eaac49c3..9a7ba33e6017 100644
+--- a/man/tpm2_create.1.md
++++ b/man/tpm2_create.1.md
+@@ -13,7 +13,7 @@
+ **tpm2_create**(1) - Create a child object. The object can either be a key or
+ a sealing object. A sealing object allows to seal user data to the TPM, with a
+ maximum size of 256 bytes. Additionally it will load the created object if the
+-**-o** is specified.
++**-c** is specified.
+
+ # OPTIONS
+
+@@ -55,6 +55,13 @@ These options for creating the TPM entity:
+ and unsealing. I.e. one cannot use an object for sealing and cryptography
+ operations.
+
++ When **-L** is specified for adding policy based authorization information
++ AND no string password is specified, the attribute `TPMA_OBJECT_USERWITHAUTH`
++ is cleared unless an explicit choice is made by setting of the attribute
++ with **-a** option. This prevents creation of objects with inadvertant auth
++ model where in user intended to enforce a policy but inadvertantly created
++ an object with empty auth which can be used instead of policy authorization.
++
+ * **-i**, **\--sealing-input**=_FILE_ or _STDIN_:
+
+ The data file to be sealed, optional. If file is -, read from stdin.
+diff --git a/test/integration/tests/import_tpm.sh b/test/integration/tests/import_tpm.sh
+index ff48185aba70..3d1e10820844 100755
+--- a/test/integration/tests/import_tpm.sh
++++ b/test/integration/tests/import_tpm.sh
+@@ -54,8 +54,13 @@ load_new_parent() {
+ create_load_duplicatee() {
+ # Create the key we want to duplicate
+ create_policy dpolicy.dat TPM2_CC_Duplicate
+- tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p foo -r key.prv -u key.pub \
+- -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
++ if [ -z "$2" ];then
++ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -r key.prv \
++ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
++ else
++ tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p "$2" -r key.prv \
++ -u key.pub -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth"
++ fi
+ # Load the key
+ tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx
+ # Extract the public part for import later
+@@ -113,34 +118,45 @@ for dup_key_type in aes rsa ecc; do
+ done
+ done
+
+-# Part 2 :
+-# Create a rsa key (Kd)
+-# Encrypt a message using Kd
+-# Duplicate Kd
+-# Import & Load Kd
+-# Decrypt the message and verify
+-tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
+-# New parent ...
+-create_load_new_parent
+-# Key to be duplicated
+-create_load_duplicatee rsa
+-# Encrypt a secret message
+-echo "Mary had a little lamb ..." > plain.txt
+-tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
+-# Duplicate the key
+-do_duplication null
+-# Remove, we're done with it
+-rm new_parent.ctx
+-# Load the full thing this time
+-load_new_parent
+-# Import & load the duplicate
+-do_import_load null
+-# Decrypt the secret message using duplicated key
+-tpm2_rsadecrypt -Q -p foo -c dup.ctx -o recovered.txt cipher.txt
+-# Check we got it right ...
+-diff recovered.txt plain.txt
+-# Cleanup
+-rm plain.txt recovered.txt cipher.txt
+-cleanup "no-shut-down"
++test_key_usage() {
++ # Part 2 :
++ # Create a rsa key (Kd)
++ # Encrypt a message using Kd
++ # Duplicate Kd
++ # Import & Load Kd
++ # Decrypt the message and verify
++ tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx
++ # New parent ...
++ create_load_new_parent
++ # Key to be duplicated
++ create_load_duplicatee rsa "$1"
++ # Encrypt a secret message
++ echo "Mary had a little lamb ..." > plain.txt
++ tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt
++ # Duplicate the key
++ do_duplication null
++ # Remove, we're done with it
++ rm new_parent.ctx
++ # Load the full thing this time
++ load_new_parent
++ # Import & load the duplicate
++ do_import_load null
++ # Decrypt the secret message using duplicated key
++ if [ -z "$1" ];then
++ tpm2_rsadecrypt -Q -c dup.ctx -o recovered.txt cipher.txt
++ else
++ tpm2_rsadecrypt -Q -p "$1" -c dup.ctx -o recovered.txt cipher.txt
++ fi
++ # Check we got it right ...
++ diff recovered.txt plain.txt
++ # Cleanup
++ rm plain.txt recovered.txt cipher.txt
++ cleanup "no-shut-down"
++}
++
++#Test key with password
++test_key_usage foo
++#Test key without password
++test_key_usage
+
+ exit 0
+diff --git a/tools/tpm2_create.c b/tools/tpm2_create.c
+index 941b77655f55..8e92cc747e17 100644
+--- a/tools/tpm2_create.c
++++ b/tools/tpm2_create.c
+@@ -47,7 +47,7 @@ struct tpm_create_ctx {
+ TPML_PCR_SELECTION creation_pcr;
+
+ struct {
+- UINT8 b :1;
++ UINT8 a :1;
+ UINT8 i :1;
+ UINT8 L :1;
+ UINT8 u :1;
+@@ -224,7 +224,7 @@ static bool on_option(char key, char *value) {
+ break;
+ case 'a':
+ ctx.object.attrs = value;
+- ctx.flags.b = 1;
++ ctx.flags.a = 1;
+ break;
+ case 'i':
+ ctx.object.sealed_data = strcmp("-", value) ? value : NULL;
+@@ -346,12 +346,12 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+
+ ctx.object.alg = "keyedhash";
+
+- if (!ctx.flags.b) {
++ if (!ctx.flags.a) {
+ attrs &= ~TPMA_OBJECT_SIGN_ENCRYPT;
+ attrs &= ~TPMA_OBJECT_DECRYPT;
+ attrs &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN;
+ }
+- } else if (!ctx.flags.b && !strncmp("hmac", ctx.object.alg, 4)) {
++ } else if (!ctx.flags.a && !strncmp("hmac", ctx.object.alg, 4)) {
+ attrs &= ~TPMA_OBJECT_DECRYPT;
+ }
+
+@@ -362,7 +362,7 @@ tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) {
+ return tool_rc_general_error;
+ }
+
+- if (ctx.flags.L && !ctx.object.auth_str) {
++ if (!ctx.flags.a && ctx.flags.L && !ctx.object.auth_str) {
+ ctx.object.public.publicArea.objectAttributes &=
+ ~TPMA_OBJECT_USERWITHAUTH;
+ }
+--
+2.27.0
+
diff --git a/SOURCES/0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch b/SOURCES/0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch
new file mode 100644
index 0000000..0d4b89b
--- /dev/null
+++ b/SOURCES/0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch
@@ -0,0 +1,37 @@
+From 334b4c739fa575fb4ea58f92df6de87c38e59e15 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Thu, 23 Jan 2020 08:06:56 -0700
+Subject: [PATCH] tpm2_hierarchycontrol: Fixed bug where hierarchycontrol
+ operation failed silently
+
+Fixes #1841
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ tools/tpm2_hierarchycontrol.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tpm2_hierarchycontrol.c b/tools/tpm2_hierarchycontrol.c
+index 0baf2ca487d3..7e9e2c657544 100644
+--- a/tools/tpm2_hierarchycontrol.c
++++ b/tools/tpm2_hierarchycontrol.c
+@@ -32,8 +32,14 @@ static tool_rc hierarchycontrol(ESYS_CONTEXT *ectx) {
+ ctx.enable == TPM2_RH_ENDORSEMENT ? "ehEnable" : "phEnableNV",
+ ctx.state ? "SET" : "CLEAR");
+
+- return tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object, ctx.enable,
+- ctx.state);
++ tool_rc rc = tpm2_hierarchycontrol(ectx, &ctx.auth_hierarchy.object,
++ ctx.enable, ctx.state);
++
++ if (rc != tool_rc_success) {
++ LOG_ERR("Failed hierarchycontrol operation.");
++ }
++
++ return rc;
+ }
+
+ bool on_arg(int argc, char **argv) {
+--
+2.27.0
+
diff --git a/SOURCES/0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch b/SOURCES/0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch
new file mode 100644
index 0000000..da77107
--- /dev/null
+++ b/SOURCES/0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch
@@ -0,0 +1,31 @@
+From 652322f7278ec8c384fde9ec2204b06d084a24e4 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Thu, 23 Jan 2020 07:54:58 -0700
+Subject: [PATCH] tpm2_nvdefine.c: Fixed error reporting message
+
+Fixes #1861
+
+NV define failure error message had the wording to suggest NV index
+was successfully defined.
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ tools/tpm2_nvdefine.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_nvdefine.c b/tools/tpm2_nvdefine.c
+index cb2949c4dddc..71203cb6c80d 100644
+--- a/tools/tpm2_nvdefine.c
++++ b/tools/tpm2_nvdefine.c
+@@ -65,7 +65,7 @@ static tool_rc nv_space_define(ESYS_CONTEXT *ectx) {
+ tool_rc rc = tpm2_nv_definespace(ectx, &ctx.auth_hierarchy.object,
+ &ctx.nv_auth, &public_info);
+ if (rc != tool_rc_success) {
+- LOG_INFO("Success to define NV area at index 0x%x.", ctx.nv_index);
++ LOG_ERR("Failed to create NV index 0x%x.", ctx.nv_index);
+ return rc;
+ }
+
+--
+2.27.0
+
diff --git a/SOURCES/0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch b/SOURCES/0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch
new file mode 100644
index 0000000..c6a5e86
--- /dev/null
+++ b/SOURCES/0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch
@@ -0,0 +1,26 @@
+From 44d0d2d17dc693e029e0557ec985c9b68c3efeb5 Mon Sep 17 00:00:00 2001
+From: Imran Desai <imran.desai@intel.com>
+Date: Wed, 22 Jan 2020 14:15:48 -0700
+Subject: [PATCH] tpm2_policyor: Silent failure bug fix for invalid/unspecified
+ policy digest alg
+
+Signed-off-by: Imran Desai <imran.desai@intel.com>
+---
+ lib/tpm2_policy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/tpm2_policy.c b/lib/tpm2_policy.c
+index 3d9b5491f9ce..8460bd1d9ae9 100644
+--- a/lib/tpm2_policy.c
++++ b/lib/tpm2_policy.c
+@@ -588,6 +588,7 @@ bool tpm2_policy_parse_policy_list(char *str, TPML_DIGEST *policy_list) {
+ hash = tpm2_alg_util_from_optarg(subtoken,
+ tpm2_alg_util_flags_hash);
+ if (hash == TPM2_ALG_ERROR) {
++ LOG_ERR("Invalid/ Unspecified policy digest algorithm.");
+ return false;
+ }
+ }
+--
+2.27.0
+
diff --git a/SPECS/tpm2-tools.spec b/SPECS/tpm2-tools.spec
index f25149e..8a9b583 100644
--- a/SPECS/tpm2-tools.spec
+++ b/SPECS/tpm2-tools.spec
@@ -1,11 +1,18 @@
Name: tpm2-tools
Version: 4.1.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: A TPM2.0 testing tool build upon TPM2.0-TSS
License: BSD
URL: https://github.com/tpm2-software/tpm2-tools
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0: 0001-tpm2_hierarchycontrol-Fixed-bug-where-hierarchycontr.patch
+Patch1: 0001-tpm2_nvdefine.c-Fixed-error-reporting-message.patch
+Patch2: 0001-tpm2_policyor-Silent-failure-bug-fix-for-invalid-uns.patch
+Patch3: 0001-tpm2_alg_util.c-fix-a-bug-where-the-string-rsa3072-w.patch
+Patch4: 0001-Fix-ESYS_TR-hierarchy-transition.patch
+Patch5: 0001-Refactor-fix_esys_hierarchies.patch
+Patch6: 0001-tpm2_create.c-Fix-an-issue-where-userwithauth-attr-c.patch
BuildRequires: gcc-c++
BuildRequires: libtool
@@ -46,6 +53,16 @@ tpm2-tools is a batch of testing tools for tpm2.0. It is based on tpm2-tss.
%{_mandir}/man1/tpm2_*.1.gz
%changelog
+* Mon Nov 16 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-2
+- Fix ESYS_TR hierarchy transition.
+- Refactor fix_esys_hierarchies to return actual TSS2_RC return code.
+- tpm2_alg_util.c: fix a bug where the string rsa3072 wasn't being parsed.
+- tpm2_create.c: Fix an issue where userwithauth attr cleared if policy specified.
+- tpm2_hierarchycontrol: Fix bug where hierarchycontrol operation failed silently.
+- tpm2_nvdefine.c: Fix error reporting message.
+- tpm2_policyor: Fix silent failure for invalid/unspecified policy digest alg.
+resolves: rhbz#1854774
+
* Wed Apr 29 2020 Jerry Snitselaar <jsnitsel@redhat.com> - 4.1.1-1
- Update to 4.1.1 release
resolves: rhbz#1789682