| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: swtpm-devel | Distribution: SUSE Linux Framework One |
| Version: 0.9.0 | Vendor: SUSE LLC <https://www.suse.com/> |
| Release: slfo.1.1.1 | Build date: Thu Aug 1 09:23:27 2024 |
| Group: Development/Libraries/C and C++ | Build host: reproducible |
| Size: 15342 | Source RPM: swtpm-0.9.0-slfo.1.1.1.src.rpm |
| Packager: https://www.suse.com/ | |
| Url: https://github.com/stefanberger/swtpm | |
| Summary: Development files for swtpm | |
The development files for SWTPM
BSD-3-Clause
* Thu Aug 01 2024 rrahl0@opensuse.org
- update to 0.9.0:
- fixes: boo#1226398
- swtpm:
- Use umask() to create/truncated state file rather than fchmod()
- Use fchmod to set mode bits provided by user
- Replace mkstemp with g_mkstemp_full (Coverity)
- fix typo in help message
- cuse: Fix Coverity complaints regarding locks
- Fix double free in error path
- Close fd after main loop
- Restore logging to stderr on log open failure
- swtpm_setup:
- Fail --pcr-banks without --tpm2
- Fail --decryption or --allow-signing without --tpm2
- Initialized argv in get_swtpm_capabilities()
- Flush spk after persisting to create room for another key
- Refactor duplicate code into swtpm_tpm2_write_cert_nvram
- Move persisting of certificate into tpm2_persist_certificate
- Pass key_type to function creating filename for key
- Add scheme parameter before curveid to createprimary_ecc
- Rename is_ek to preserve for future extension
- Mask-out EK and plaform certificate flags and set cert_flags
- Move common code into new function read_certificate_file()
- Exit with '0' upon --version rather than '1'
- Close file descriptors passed to swtpm process on parent side
- Make stdout unbuffered
- Use medium duration on TSC_PhysicalPresence to avoid timeouts
- Add poll() after write() and before read() to detect errors
- swtpm_localca:
- Add support for up to 20 bytes serial numbers
- Introduce --key as more generic alias for --ek
- Add missing NULL option to end of array
- Make stdout unbuffered
- swtpm_cert:
- Add support for serial numbers up to 20 bytes long
- swtpm_ioctl:
- Separate return code from flags
- Repeatedly call PTM_GET_INFO for long responses
- selinux:
- Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
- New SELinux policy that requires Fedora 40 or later
- tests:
- Fixed occurrences of stray '' before '-'
- Rearrange order of test cases to run some also as 'root'
- Add tests for command line options and combinations of options
- Add softhsm_setup to shellcheck'ed files and fix issues
- Add missing 'exit 1' on unexpected file size on --reconfigure
- Add test cases for swtpm_cert with max serial number
- Fix spelling mistakes
- reformat regexs for easier readability and extension
- ibmtss2: Add patch to disable x509 test with older libtpms
- Upgrade to ibmtss2 v2.0.1
- Fixed several issues detected by shellcheck
- build-sys:
- Add support for --disable-tests to disable tests
- Display GMP_LIBS and GMP_CFLAGS
- Only display warning if pkg-config for gmp fails
- Add gmp library and devel package as dependency
- use PKG_CHECK_MODULES to check libtpms version
* Thu Oct 19 2023 william.brown@suse.com
- Add missing requires for certtool
* Sat Sep 16 2023 meissner@suse.com
- Update to version 0.8.1:
- swtpm:
- Restore logging to stderr on log open failure
- swtpm_setup:
- Exit with '0' upon --version rather than '1'.
- Initialized @argv in get_swtpm_capabilities()
- swtpm_localca:
- Add missing NULL option to end of array
- SELinux:
- Add rules for user_tpm_t:sockfile to allow unlink
- Add rules for sock_file on user_tmp_t
* Fri Jun 16 2023 manfred.h@gmx.net
- Make selinux optional to allow building this package for Leap, too.
* Tue May 02 2023 meissner@suse.com
- remove python3 dependency, no longer needed after rewrite (bsc#1211010)
* Tue Mar 21 2023 meissner@suse.com
- swtpm-fix-build.patch: disable -Wstack-protector, it fails on s390x
bsc#1209117
* Mon Mar 06 2023 aplanas@suse.com
- Drop trousers requirement
* Mon Mar 06 2023 aplanas@suse.com
- Update to version 0.8.0:
* swtpm:
+ Implement release-lock-outgoing parameter for --migration option
+ Introduce --migration option and 'incoming' parameter
+ Implement terminate parameter for ctrl channel loss
+ Add a chroot option
+ Introduce disable-auto-shutdown flag for --flags option
+ If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
+ Add some more recent syscalls to seccomp profile
+ Disable OpenSSL FIPS mode to avoid libtpms failures
+ Avoid locking directory multiple times
+ Remove support for pre-v0.1 state files without header
+ Use uint64_t in tlv_data_append() to avoid integer overflows
+ Use uint64_t to avoid integer wrap-around when adding a uint32_t
+ Do not chdir(/) when using --daemon
+ Check header size indicator against expected size (CVE-2022-23645 bsc#1196240)
+ Fixes for gcc 12.2.1 -fanalyzer
* build-sys:
+ Fix configure script to support _FORTIFY_SOURCE=3
+ Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
* swtpm-localca:
+ Re-implement variable resolution for swtpm-localca.conf
+ Test for available issuercert before creating CA
* swtpm_setup:
+ Configure swtpm to log to stdout/err if needed (glib >=2.74)
* tests:
+ Use ${WORKDIR} in config files to test env. var replacement
+ Patch IBM TSS2 test suite for OpenSSL 3.x
* build-sys:
+ Add probing for -fstack-protector
* Fri Apr 29 2022 meissner@suse.com
- Updated to version 0.7.3:
- swtpm:
- Use uint64_t in tlv_data_append() to avoid integer overflows
- Use uint64_t to avoid integer wrap-around when adding a uint32_t
- removed allow-FORTIFY_SOURCE=3.patch (upstreamed)
* Wed Apr 06 2022 mliska@suse.cz
- Cheery-pick upstream patch allow-FORTIFY_SOURCE=3.patch.
* Wed Mar 09 2022 wolfgang.frisch@suse.com
- Update to version 0.7.2:
- swtpm:
- Do not chdir(/) when using --daemon
- swtpm-localca:
- Re-implement variable resolution for swtpm-localca.conf
- tests:
- Use ${WORKDIR} in config files to test env. var replacement
- man pages:
- Add missing .config directory to path description when using ${HOME}
- build-sys:
- Add probing for -fstack-protector
* Mon Feb 21 2022 meissner@suse.com
- Update to version 0.7.1:
- swtpm:
- Check header size indicator against expected size (CVE-2022-23645 bsc#1196240)
- swtpm_localca:
- Test for available issuercert before creating CA
* Wed Nov 10 2021 meissner@suse.com
- Update to version 0.7.0:
- swtpm:
- Support for linear file storage backend (file://)
- Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending what
libtpms supports
- Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs
- Wipe keys from stack and heap
- Many other small changes
- Make --daemon not racy
- swtpm_setup:
- Only activate SHA256 PCR bank, not SHA1 bank anymore by default
- Support for linear file storage backend (file://)
- Implement option --create-config-files to create config files
- Use non-deprecated APIs to contruct RSA key (OSSL 3)
- Report stderr as returned by external tool (swtpm-localcal)
- Replace '+' and ',' characters in VMId's to make work with
common name in X509 subject
- Add support for --reconfigure flag to change active PCR banks
- swtpm_localca:
- Created certificates for CAs and TPM that do not expire
- swtpm_cert:
- Allow passing -1 for days to get a non-expiring certificate
- test:
- ASAN-related test changes and skipping of tests if ASAN is used
- Fix tests using tpm2-abrmd by preventing concurrency
- Skip chardev related tests after checking for chardev support
- exit with error code if mktemp fails
- OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test
- build-sys:
- Introduce --enable-sanitizers to configure
- Remove check for pip3 that was used by python swtpm_setup
- Allow passing of aditional CFLAGS during build
* Wed Sep 22 2021 meissner@suse.com
- Update to version 0.6.1:
- swtpm:
- Clear keys from stack and heap
- swtpm-localca:
- Add missing else branch for pkcs11 and PIN
- swtpm_setup:
- Initialize Gerror and free it
- Replace '\\s' in regex with [[:space:]] to fix cygwin
- tests:
- Kill tpm2-abrmd with SIGKILL rather SIGTERM
- build-sys:
- Use -DOPENSSL_SUPPRESS_DEPRECATED to suppress deprecation warnings (OSSL 3)
- Enable configuring with CFLAGS and passing additional CFLAGS on build
* Sat Aug 07 2021 gmbr3@opensuse.org
- Update to version 0.6.0:
- Addressed potential symlink attack issue (CVE-2020-28407)
- Rewritten in 'C'; needs json-glib
- Use timeouts for communicating with swtpm (Unix socket)
- Fix --print-capabilities for 'swtpm chardev'
- Various cleanups and fixes (coverity)
- Enable selinux support
- Removed swtpm-rename_deprecated_libtasn1_types.patch: upstream
- Fix rpmlint errors
* Thu May 20 2021 pmonreal@suse.com
- swtpm_cert: rename deprecated libtasn1 types.
* https://github.com/stefanberger/swtpm/pull/443
* Add swtpm-rename_deprecated_libtasn1_types.patch
* Sun Dec 27 2020 meissner@suse.com
- Update to version 0.5.2
- swtpm:
- Fix potential buffer overflow related to largely unused data hashing
function in control channel
- swtpm: Unconditionally close fd if writing of pidfile fails (coverity)
- swtpm_setup:
- Increase timeout from 10s to 30s for slower machines
- Travis:
- Not building on OS X anymore due to additional costs
* Tue Dec 22 2020 glin@suse.com
- Use "Requires user(tss)" for the "tss" user and group
* Tue Dec 22 2020 glin@suse.com
- Create /var/lib/swtpm-localca to store the keys created by
swtpm-localca (bsc#1179811)
- Replace net-tools-deprecated with iproute2 since the scripts in
swtpm now can use 'ss' instead of 'netstat'
* Sun Nov 22 2020 kai.liu@suse.com
- Update to version 0.5.1
* swtpm & swtpm_setup:
- Addressed potential symlink attack issue (CVE-2020-28407)
* build-sys:
- Fix configure python cryptography error message
- Misc. spec file changes.
* Tue Oct 13 2020 kai.liu@suse.com
- Update Requires and BuildRequires for changes since 0.4.0.
- Remove patch files that are no longer needed:
* swtpm-adjust-seccomp-path.patch
* swtpm-setup-tcsd-path.patch
* swtpm-tpm-tools-path.patch
- Update to version 0.5.0
* swtpm:
- Write files atomically using a temp file and then renaming
* swtpm_setup:
- Removed remaining 'c' wrapper program
- Do not truncate logfile when testing write-access (regression)
- Remove TPM state file in case error occurred
* swtpm-localca:
- Rewrite in python
- Allow passing pkcs11 PIN using signingkey_password
- Allow passing environment variables needed for pkcs11 modules using
swtpm-localca.conf and format 'env:VARNAME=VALUE'.
* build-sys:
- Add python-install and python-uninstall targets
- Add configure option to disable installation of Python module
- Use -Wl,-z,relro and -Wl,-z,now only when linking (clang)
- Use AC_LINK_IFELSE to check whether support for hardening flags
- Changes from version 0.4.1
* swtpm_setup:
- Do not hardcode '/etc' but use SYSCONFDIR
- Fix support for -h and -? options
- Add missing .config path when using ${HOME}
* swtpm-localca:
- Apply password for signing key when creating platform cert
- Properly apply passwords for localca signing key
- Changes from version 0.4.0
* swtpm:
- Invoke print capabilities after choosing TPM version
- Add some recent syscalls to seccomp blacklist
* swtpm_cert:
- Support --ecc-curveid option to pass curve id
* swtpm_setup & related scripts:
- Rewrite swtpm_setup.sh in python with TPM 1.2 not requiring tcsd
and TPM tools anymore; new dependencies:
- python3: pip, cryptography, setuptools
dropped dependencies for swtpm_setup:
- tcsd, expect, tpm-tools (some still needed for pkcs11 tests)
- Added support for RSA 3072 keys (for libtpms-0.8.0) and moved to
ECC NIST P384 curve; default RSA key size is still 2048
- Added support for --rsa-keysize option
- Extend script to create a CA using a TPM 2 for signing
* tests:
- Use the IBM TSS2 v1.5.0's test suite
- Add test case for loading of an NVRAM completely full with keys
- Have softhsm_setup use temporary directory for softhsm config & state
- various other improvements
* man pages:
- Improvements
* build-sys:
- clang: properly test for linker flag 'now' and 'relro'
- Gentoo: explicitly link libswtpm_libtpms with -lcrypto
- Ownership of /var/lib/swtpm-localca is now tss:root and
mode flags 0750.
* Thu Aug 13 2020 kai.liu@suse.com
- Update to version 0.3.4:
* swtpm:
- Fix compilation for cygwin
* swtpm_setup & swtpm-localca:
- Get rid of bash's eval when invoking external tools to avoid abuse.
Only use eval for 'resolving' variables.
* tests:
- Various fixes of minor issues
* Thu Jul 30 2020 kai.liu@suse.com
- Update to version 0.3.3:
* swtpm_setup:
- openSUSE: Support tcsd configuration where tss user != tss group,
such as root/tss; Fedora & Ubuntu for example use tss/tss
* build-sys:
- Check whether tss user and group are available
- Add tss user & group build flags per upstream instruction. This
together with v0.3.3 fixed the bug with TPM 1.2 emulation.
Related upstream bug:
https://github.com/stefanberger/swtpm/issues/284
* Sat Jul 11 2020 kai.liu@suse.com
- Update to 0.3.2:
+ swtpm:
+ Remove unnecessary #include <seccomp.h> (fixes SuSE build)
+ Make coverity happy by handling default case in case
statement
+ swtpm_setup:
+ bugfix: Create ECC storage primary key in owner hierarchy
+ bugfix: remove tpm2_stirrandom and tpm2_changeeps
+ tests:
+ Adjusted pcrUpdateCounter in tests to succeed with PCR TCB
group fixes in libtpms TPM 2 code
* Wed Apr 22 2020 glin@suse.com
- Update to 0.3.1
+ swtpm: Fix vtpm proxy case without startup flags
+ swtpm: Only call memcpy if tocopy != 0 (coverity)
+ man: Document new startup options and capabilities
advertisement
+ swtpm: Enable sending startup commands before processing
commands
+ swtpm_cert: Accept serial numbers that use up to 64bits
+ swtpm_cert: Use getopt_long_only to parse options
+ swtpm_cert: Add support for --print-capabilities option
+ swtpm_cert: Allow passing signing key and parent key via new
option
+ swtpm_setup: Enable spaces in paths and other variables
+ swtpm_ioctl: Calculate strlen(input) only once
+ swtpm_ioctl: Block SIGPIPE so we can get EPIPE on write()
+ swtpm_bios: Block SIGPIPE so we can get EPIPE on write()
+ swtpm: Only accept() new client ctrl connection if we have none
+ swtpm_setup: Do not fail on future PCR banks' hashes
+ swtpm_setup: Use 1st part of SWTPM_EXE/SWTPM_IOCTL to determine
executable
+ swtpm_setup: Keep reserved range of file descriptors for
swtpm_setup.sh
+ swtpm_setup: Log about encryption and fix c&p error in err msg
+ swtpm: Add --print-capabilities to help screen of
'swtpm chardev'
+ swtpm_ioctl: Fix uninitialized variable 'pgi'
+ swtpm_cert: Use gnutls_x509_crt_get_subject_key_id API call for
subj keyId
+ swtpm_cert: Fix OIDs for TPM 2 platforms data
+ swtpm: Fix typo in error report: HMAC instead of hash
+ swtpm: Use writev_full rather than writev; fixes --vtpm-proxy
EIO error
- Refresh swtpm-setup-tcsd-path.patch
* Fri Jan 03 2020 glin@suse.com
- Amend swtpm-adjust-seccomp-path.patch to add the missing seccomp
paths
- Adjust the conditional check of net-tools-deprecated for SLE15
and SLE15-SP1
* Thu Sep 05 2019 glin@suse.com
- Update to 0.2.0
+Linux: swtpm now runs with a seccomp profile (blacklist) if
compiled with libseccomp support
+ Added subpport for passing key and passphrase via file
descriptor
+ TPM 2 commands can now be prefixed by 'the TCG header' and
responses will have a 4-byte prefix and 4-byte suffix.
+ Added --print-capabilities command line option
+ Proper handling on EINTR on read, poll, and write
- Patches to adjust the pathes
+ swtpm-tpm-tools-path.patch
+ swtpm-setup-tcsd-path.patch
+ swtpm-adjust-seccomp-path.patch
* Tue May 15 2018 glin@suse.com
- Initial import: 0.1.0-dev2
/usr/include/swtpm /usr/include/swtpm/tpm_ioctl.h /usr/lib64/swtpm/libswtpm_libtpms.so /usr/share/man/man3/swtpm_ioctls.3.gz
Generated by rpm2html 1.8.1
Fabrice Bellet, Mon Sep 16 00:17:41 2024