./sysutils/swtpm, Software TPM (Trusted Platform Module) emulator

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 0.10.0, Package name: swtpm-0.10.0, Maintainer: ryoon

The SWTPM package provides TPM emulators with different front-end interfaces
to libtpms. TPM emulators provide socket interfaces (TCP/IP and Unix) and
the Linux CUSE interface for the creation of multiple native /dev/vtpm* devices.

The SWTPM package also provides several tools for using the TPM emulator,
creating certificates for a TPM, and simulating the manufacturing of
a TPM by creating a TPM's EK and platform certificates etc.


Master sites:

Filesize: 404.979 KB

Version history: (Expand)


CVS history: (Expand)


   2024-12-09 14:48:40 by Ryo ONODERA | Files touched by this commit (4)
Log message:
sysutils/swtpm: Update to 0.10.0

Changelog:
version 0.10.0:
   - swtpm:
     - Requires libtpms v0.10.0
     - Display tpmstate-opt-lock as a new capability
     - Add support for lock option parameter to tpmstate option
     - nvstore_linear: Add support for file-backend locking
     - Remove broken logic to check for neither dir nor file backend
     - Use ptm_cap_n to build PTM_GET_CAPABILITY response
     - Define a structure to return PTM_GET_CAPABILITY result
     - Implement --print-info to run TPMLIB_GetInfo with flags
     - Support --profile fd=<fd> to read profile from file descriptor
     - Support --profile file=<filename> to read profile from file
     - Ignore remove-disabled parameter on non-'custom' profile
     - Check for good entropy source in chroot environment
     - Implement a check for HMAC+sha1 for testing future restriction
     - Implement function to check whether a crypto algorithm is disabled
     - Print cmdarg-print-profiles as part of capabilities
     - Check whether SHA1 signature support is disabled in profile
     - Use TPMLIB_WasManufactured to check whether profile was applied
     - Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature)
     - Add support for --print-profiles option
     - Print profile names as part of capabilities JSON
     - Display new capability to allow setting a profile
     - Add support for --profile option to set a profile on TPM 2
   - swtpm_setup:
     - Comment flags for storage primary key and deprecate --create-spk
     - Implement --print-profiles to display all profile
     - Add profile entries to swtpm_setup.conf written by swtpm_setup
     - Add support for --profile-name option
     - Accept profiles with name starting with 'custom:'
     - Support default profile from file in swtpm_setup.conf
     - Support --profile-file-fd to read profile from file descriptor
     - Support --profile-file <file> to read profile from file
     - Always log the active profile
     - Implement --profile-remove-fips-disabled option
     - Read default profile from swtpm_setup.conf
     - Print profile names as part of capabilities JSON
     - Add support for --profile parameter
     - Get default rsa keysize from setup_setup.conf if not given
   - swtpm_ioctl:
     - Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
   - selinux:
     - Change write to append for appending to log
     - Add rule for logging to svirt_image_t labeled files from swtpm_t
   - tests:
     - Update IBMTSS2 test suite to v2.4.0
     - Test activation of PCR banks when not all are available
     - Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
     - Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
     - Consolidate custom profile test cases and check for StateFormatLevel
     - Convert test_samples_create_tpmca to run installed
     - Mention test_tpm2_libtpms_versions_profiles requiring env. variables
     - allow running ibmtss2 tests against installed version
     - Derive support for CUSE from SWTPM_EXE help screen
     - Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
     - Extend test case testing across libtpms versions
     - Add test case for testing profiles across libtpms versions
     - Test the --profile option of swtpm_setup and swtpm
     - teach them to run installed
     - add installed-runner.sh
     - install tests on the system
     - lookup system binaries if INSTALLED is set
   - build-sys:
     - enable 64-bit file API on 32-bit systems
     - Add -Wshadow to the CFLAGS
     - Require that libtpms v0.10 is available for TPMLIB_SetProfile
   - debian:
     - Add rule to allow usage of /var/tmp directory (QEMU)
     - Add rules for reading profiles from distro and local dirs
     - Allow non-owner file write access in /var/lib/libvirt/swtpm/
     - Add sys_admin capability to apparmor profile

version 0.9.0:
  Note: The SElinux policy for swtpm was completely redone. For systems
        with an SELinux policy the same policy (>= 40.17) as used in
        Fedora >= 40 is required due to changes in labels related to libvirt
        that made the re-development of the SELinux policy necessary.
  - swtpm:
    - Use umask() to create/truncated state file rather than fchmod()
    - Use fchmod to set mode bits provided by user
    - Replace mkstemp with g_mkstemp_full (Coverity)
    - fix typo in help message
    - cuse: Fix Coverity complaints regarding locks
    - Fix double free in error path
    - Close fd after main loop
    - Restore logging to stderr on log open failure
  - swtpm_setup:
    - Fail --pcr-banks without --tpm2
    - Fail --decryption or --allow-signing without --tpm2
    - Initialized @argv in get_swtpm_capabilities()
    - Flush spk after persisting to create room for another key
    - Refactor duplicate code into swtpm_tpm2_write_cert_nvram
    - Move persisting of certificate into tpm2_persist_certificate
    - Pass key_type to function creating filename for key
    - Add scheme parameter before curveid to createprimary_ecc
    - Rename is_ek to preserve for future extension
    - Mask-out EK and plaform certificate flags and set cert_flags
    - Move common code into new function read_certificate_file()
    - Exit with '0' upon --version rather than '1'
    - Close file descriptors passed to swtpm process on parent side
    - Make stdout unbuffered
    - Use medium duration on TSC_PhysicalPresence to avoid timeouts
    - Add poll() after write() and before read() to detect errors
  - swtpm_localca:
    - Add support for up to 20 bytes serial numbers
    - Introduce --key as more generic alias for --ek
    - Add missing NULL option to end of array
    - Make stdout unbuffered
  - swtpm_cert:
    - Add support for serial numbers up to 20 bytes long
  - swtpm_ioctl:
    - Separate return code from flags
    - Repeatedly call PTM_GET_INFO for long responses
  - selinux:
    - Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
    - New SELinux policy that requires Fedora 40 or later
  - tests:
    - Fixed occurrences of stray '\' before '-'
    - Rearrange order of test cases to run some also as 'root'
    - Add tests for command line options and combinations of options
    - Add softhsm_setup to shellcheck'ed files and fix issues
    - Add missing 'exit 1' on unexpected file size on --reconfigure
    - Add test cases for swtpm_cert with max serial number
    - Fix spelling mistakes
    - reformat regexs for easier readability and extension
    - ibmtss2: Add patch to disable x509 test with older libtpms
    - Upgrade to ibmtss2 v2.0.1
    - Fixed several issues detected by shellcheck
  - build-sys:
    - Add support for --disable-tests to disable tests
    - Display GMP_LIBS and GMP_CFLAGS
    - Only display warning if pkg-config for gmp fails
    - Add gmp library and devel package as dependency
    - use PKG_CHECK_MODULES to check libtpms version
  - rpm:
    - Add gmp library and devel package as dependency
    - Split off SELinux files to build an selinux package
  - debian:
    - Sync AppArmor profile with what is used by Ubuntu
    - Add gmp library and devel package as dependency
    - Allow apparmor access to qemu session bus swtpm files

version 0.8.0:
  - swtpm:
    - Implement release-lock-outgoing parameter for --migration option
    - Introduce --migration option and 'incoming' parameter
    - Implement terminate parameter for ctrl channel loss
    - Add a chroot option
    - Introduce disable-auto-shutdown flag for --flags option
    - If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
    - Add some more recent syscalls to seccomp profile
    - Disable OpenSSL FIPS mode to avoid libtpms failures
    - Avoid locking directory multiple times
    - Remove support for pre-v0.1 state files without header
    - Use uint64_t in tlv_data_append() to avoid integer overflows
    - Use uint64_t to avoid integer wrap-around when adding a uint32_t
    - Do not chdir(/) when using --daemon
    - Check header size indicator against expected size (CVE-2022-23645)
    - Fixes for gcc 12.2.1 -fanalyzer
  - build-sys:
    - Fix configure script to support _FORTIFY_SOURCE=3
    - Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
  - swtpm-localca:
    - Re-implement variable resolution for swtpm-localca.conf
    - Test for available issuercert before creating CA
  - swtpm_setup:
    - Configure swtpm to log to stdout/err if needed (glib >=2.74)
  - tests:
    - Use ${WORKDIR} in config files to test env. var replacement
    - Patch IBM TSS2 test suite for OpenSSL 3.x
  - build-sys:
    - Add probing for -fstack-protector
   2024-11-14 23:22:33 by Thomas Klausner | Files touched by this commit (2429)
Log message:
*: recursive bump for icu 76 shlib major version bump
   2024-11-01 13:55:19 by Thomas Klausner | Files touched by this commit (2426)
Log message:
*: revbump for icu downgrade
   2024-11-01 01:54:33 by Thomas Klausner | Files touched by this commit (2427)
Log message:
*: recursive bump for icu 76.1 shlib bump
   2024-05-29 18:35:19 by Adam Ciarcinski | Files touched by this commit (1929) | Package updated
Log message:
revbump after icu and protobuf updates
   2024-05-16 08:15:47 by Thomas Klausner | Files touched by this commit (692)
Log message:
*: recursive bump for gnutls p11-kit option

(existing installations need the bl3.mk included, but it's now only
optionally included)
   2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1
   2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3