Revisions of tpm2.0-tools
Ana Guerrero (anag+factory)
accepted
request 1172162
from
Matthias Gerstner (mgerstner)
(revision 42)
also document bug numbers
- Fixed CVE-2024-29038 (bsc#1223687)
- Fixed CVE-2024-29039 (bsc#1223689)
Ana Guerrero (anag+factory)
accepted
request 1171752
from
Matthias Gerstner (mgerstner)
(revision 41)
Update to version 5.7:
+ Security
  - Fixed CVE-2024-29038
  - Fixed CVE-2024-29039
+ Fixed
  - Fix eventlog test
  - Fix issues with reading NV indexes
  - Fix context save error on tpm2_create
  - tpm2_sessionconfig: fix handling of --disable-continue session so that the subsequent command will not fail when attempting to context save a flushed session.
  - detection of functions within libcrypto when CRYPTO_LIBS is set and system has installed libcrypto.
  - tpm2_send: fix EOF detection on input stream.
  - tpm2_policy.c: fix compilation error caused by format directive for size_t on 32 bit systems.
  - tpm2_nvread: fix input handling with no nv index.
  - Auth file: Ensure 0-termination when reading auths from a file.
  - configure.ac: fix bashisms. configure scripts need to be runnable with a POSIX-compliant /bin/sh.
  - cirrus.yml: fix tss compilation with libtpms for FreeBSD.
  - tpm2_tool.c: Fix missing include for basename to enable compilation on netbsd.
  - options: fix TCTI handling to avoid failures for commands that should work with no options.
  - tpm2_getekcertificate.c: Fix leak. ek_uri was not freed if get_ek_server_address failed.
+ Added
  - Add the possibility for autoflush (environment variable "TPM2TOOLS_AUTOFLUSH", or -R option)
+ Removed
  - Testing on Ubuntu 18.04 as it's near EOL (May 2023).
- tpm2-tools.keyring: added Andreas Fuchs 0x8F4F9A45D7FFEE74 key, documented in upstream repo, which was used for signing this new release tarball.
Ana Guerrero (anag+factory)
accepted
request 1135462
from
Factory Maintainer (factory-maintainer)
(revision 40)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 1087676
from
Alberto Planas Dominguez (aplanas)
(revision 39)
Dominique Leuenberger (dimstar_suse)
accepted
request 1066202
from
Alberto Planas Dominguez (aplanas)
(revision 38)
Dominique Leuenberger (dimstar_suse)
accepted
request 1055808
from
Alberto Planas Dominguez (aplanas)
(revision 37)
Dominique Leuenberger (dimstar_suse)
accepted
request 1041885
from
Alberto Planas Dominguez (aplanas)
(revision 36)
Dominique Leuenberger (dimstar_suse)
accepted
request 989125
from
Alberto Planas Dominguez (aplanas)
(revision 35)
Dominique Leuenberger (dimstar_suse)
accepted
request 987921
from
Alberto Planas Dominguez (aplanas)
(revision 34)
Dominique Leuenberger (dimstar_suse)
accepted
request 936758
from
Alberto Planas Dominguez (aplanas)
(revision 33)
Dominique Leuenberger (dimstar_suse)
accepted
request 926522
from
Matthias Gerstner (mgerstner)
(revision 32)
- Update to version 5.2:
  + tpm2_nvextend:
    * Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_Extend command to the TPM.
  + tpm2_nvread:
    * Added option --rphash=FILE to specify file path to record the hash of the response parameters. This is commonly termed as rpHash.
    * Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NVRead command to the TPM.
    * Added option -S, --session to specify an auxiliary session for auditing and or encryption/decryption of the parameters.
  + tpm2_nvsetbits:
    * Added option --rphash=FILE to specify file path to record the hash of the response parameters. This is commonly termed as rpHash.
    * Added option -S, --session to specify an auxiliary session for auditing and or encryption/decryption of the parameters.
    * Added option -n, --name to specify the name of the nvindex in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_SetBits command to the TPM.
  + tpm2_createprimary:
    * Support public-key output at creation time in various public-key formats.
  + tpm2_create:
    * Support public-key output at creation time in various public-key formats.
  + tpm2_print:
    * Support outputting public key in various public key formats over the default YAML output. Supports taking -u output from tpm2_create and converting it to a PEM or DER file format.
  + tpm2_import:
    * Add support for importing keys with sealed-data-blobs.
  + tpm2_rsaencrypt, tpm2_rsadecrypt:
    * Add support for specifying the hash algorithm with oaep.
  + tpm2_pcrread, tpm2_quote:
    * Add option -F, --pcrs_format to specify PCR format selection for the binary blob in the PCR output file. 'values' will output a binary blob of the PCR values. 'serialized' will output a binary blob of the PCR values in the form of serialized data structure in little endian format.
  + tpm2_eventlog:
    * Add support for decoding StartupLocality.
    * Add support for printing the partition information.
    * Add support for reading eventlogs longer than 64kb including from /sys/kernel/security/tpm0/binary_bios_measurements.
  + tpm2_duplicate:
    * Add option -L, --policy to specify an authorization policy to be associated with the duplicated object.
    * Added support for external key duplication without needing the TCTI.
  + tools:
    * Enhance error message on invalid passwords when sessions cannot be used.
  + lib/tpm2_options:
    * Add option to specify fake tcti which is required in cases where sapi ctx is required to be initialized for retrieving command parameters without invoking the tcti to talk to the TPM.
  + openssl:
    * Dropped support for OpenSSL < 1.1.0
    * Add support for OpenSSL 3.0.0
  + Support added to make the repository documentation and man pages available live on readthedocs.
  + Bug-fixes:
    * tpm2_import: Don't allow setting passwords for imported object with -p option as the tool doesn't modify the TPM2B_SENSITIVE structure. Added appropriate logging to indicate using tpm2_changeauth after import.
    * lib/tpm2_util.c: The function to calculate pHash algorithm returned error when input session is a password session and the only session in the command.
    * lib/tpm2_alg_util.c: Fix an error where oaep was parsed under ECC.
    * tpm2_sign: Fix segfaults when tool does not find TPM resources (TPM or RM).
    * tpm2_makecredential: Fix an issue where reading input from stdin could result in unsupported data size larger than the largest digest size.
    * tpm2_loadexternal: Fix an issue where restricted attribute could not be set.
    * lib/tpm2_nv_util.h: The NV index size is dependent on different data sets read from the GetCapability structures because there is a dependency on the NV operation type: Define vs Read vs Write vs Extend. Fix a sane default in the case where GetCapability fails or fails to report the specific property/data set. This is especially true because some properties are TPM implementation dependent.
    * tpm2_createpolicy: Fix an issue where tool exited silently without reporting an error if wrong pcr string is specified.
    * lib/tpm2_alg_util: add error message on public init to prevent tools from dying silently.
    * tpm2_import: fix an issue where an imported hmac object scheme was NULL. While allowed, it was inconsistent with other tools like tpm2_create which set the scheme as hmac->sha256 when generating a keyedhash object.
- Drop patches already in upstream:
  + 0001-tpm2_checkquote-fix-uninitialized-variable.patch
  + 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch
  + 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch
(forwarded request 926512 from aplanas)
Dominique Leuenberger (dimstar_suse)
accepted
request 909338
from
Matthias Gerstner (mgerstner)
(revision 31)
- Add 0001-tpm2_eventlog-fix-buffer-offset-when-reading-the-eve.patch to fix the offset of the read buffer (forwarded request 909201 from aplanas)
Dominique Leuenberger (dimstar_suse)
accepted
request 906620
from
Factory Maintainer (factory-maintainer)
(revision 30)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 902783
from
Matthias Gerstner (mgerstner)
(revision 29)
- update to version 5.1.1:
  - tpm2_import: fix fixed AES key CVE-2021-3565. tpm2_import used a fixed AES key for the inner wrapper, which means that a MITM attack would be able to unwrap the imported key. To fix this, ensure the key size is 16 bytes or bigger and use OpenSSL to generate a secure random AES key.
  - Avoid pandoc build dependency, use prebuilt man pages everywhere
- Drop 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch, now upstream
- Drop _service, unused
- Drop unused unzip build dependency
- Drop autoreconfigure call, no longer necessary
- Use %autosetup
- Verify tarball signature
- Build against efivar
- Drop %check section, tests weren't built, so that was a noop
(forwarded request 902778 from favogt)
Dominique Leuenberger (dimstar_suse)
accepted
request 900775
from
Marcus Meissner (msmeissn)
(revision 28)
- Add 0001-tpm2_eventlog-read-eventlog-file-in-chunks.patch to fix the tpm2_eventlog command (boo#1187360) (forwarded request 900773 from aplanas)
Dominique Leuenberger (dimstar_suse)
accepted
request 900549
from
Marcus Meissner (msmeissn)
(revision 27)
- Add 0001-tpm2_checkquote-fix-uninitialized-variable.patch for a better fix of boo#1187316
- Re-enable lto
(forwarded request 900548 from aplanas)
Dominique Leuenberger (dimstar_suse)
accepted
request 900121
from
Marcus Meissner (msmeissn)
(revision 26)
- Disable lto to fix tpm2_checkquote error (boo#1187316)
- Update service file to point to the correct revision
(forwarded request 900118 from aplanas)
Dominique Leuenberger (dimstar_suse)
accepted
request 899908
from
Marcus Meissner (msmeissn)
(revision 25)
Dominique Leuenberger (dimstar_suse)
accepted
request 895955
from
Matthias Gerstner (mgerstner)
(revision 24)
- add 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch: no longer use a fixed AES key in the context of the tpm2_import command. Fixes CVE-2021-3565 (bsc#1186490).
- drop fix_pie_linking.patch: now contained in upstream tarball
- drop fix_warnings.patch: now contained in upstream tarball
- update to upstream version 5.1:
  - Minimum tpm2-tss version dependency bumped to 3.1.0
  - Minimum tpm2-abrmd version dependency bumped to 2.4.0
  - tss2:
    - Support in tools for PolicyRef inclusion in policy search per latest TSS.
    - Support to use TPM objects protected by a policy with PolicySigned.
    - Enable backward compatibility to old Fapi callback API.
    - Fix PCR selection for tss2 quote.
    - Support policy signed policies by implementing Fapi_SetSignCB.
  - Command/response parameter support for auditing and pHash policies:
    - lib/tpm2_util.c: Add method to determine hashing alg for cp/rphash
    - Add support to calculate rphash for tpm2_create, tpm2_activatecredential, tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal
    - Add support to calculate cphash for tpm2_changeeps, tpm2_changepps.
  - Session-support:
    - tpm2_sessionconfig: Add tool to display and configure session attributes.
    - tpm2_getrandom: Fix: session input was hardcoded for audit-only
    - tpm2_startauthsession: Add option to specify the bind object and its authorization value.
    - tpm2_startauthsession: support for bounded-only session.
    - tpm2_startauthsession: support for salted-only session.
    - tpm2_startauthsession: add option to specify an hmac session type.
    - Add support for specifying non-authorization sessions for audit and parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend,
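The cp/rpHash support listed in this 5.1 entry, and the --name / --rphash options of the 5.2 entry earlier on this page (where tpm2_nvextend, tpm2_nvread and tpm2_nvsetbits take the NV index name in hex so cpHash can be computed without dispatching the command), both rest on two digests defined by the TPM 2.0 Library Specification: cpHash = H(commandCode || Name_1 || ... || Name_n || command parameters) and rpHash = H(responseCode || commandCode || response parameters). The following is an added worked example in Python and is not tpm2-tools' own code: it computes both digests for TPM2_NV_Extend and TPM2_NV_Read. The command codes (TPM_CC_NV_Extend = 0x136, TPM_CC_NV_Read = 0x14E), the rule that the Name of an NV index is nameAlg || H_nameAlg(TPMS_NV_PUBLIC) and that a permanent handle such as TPM_RH_OWNER is its own Name, come from the specification; the NV public area bytes and the extend data are constructed sample input, and the byte string held in nv_name is what the --name option receives as hex.

```python
import hashlib
import struct

# Constants from the TPM 2.0 Library Specification, Part 2 (not taken from the page).
TPM_CC_NV_SETBITS = 0x00000135
TPM_CC_NV_EXTEND = 0x00000136
TPM_CC_NV_READ = 0x0000014E
TPM_RC_SUCCESS = 0x00000000
TPM_RH_OWNER = 0x40000001
TPM_ALG_SHA256 = 0x000B


def handle_name(handle):
    """Name of a handle with no public area (e.g. TPM_RH_OWNER): the 4-byte handle itself."""
    return struct.pack(">I", handle)


def tpm2b(buf):
    """Marshal a TPM2B_*: big-endian 16-bit size followed by the buffer bytes."""
    return struct.pack(">H", len(buf)) + buf


def nv_name_from_public(nv_public_marshaled, name_alg_id=TPM_ALG_SHA256, alg="sha256"):
    """Name of an NV index = nameAlg || H_nameAlg(marshaled TPMS_NV_PUBLIC)."""
    return struct.pack(">H", name_alg_id) + hashlib.new(alg, nv_public_marshaled).digest()


def cphash(command_code, names, parameters, alg="sha256"):
    """cpHash = H(commandCode || Name_1 || ... || Name_n || parameters)."""
    h = hashlib.new(alg)
    h.update(struct.pack(">I", command_code))
    for name in names:
        h.update(name)
    h.update(parameters)
    return h.digest()


def rphash(response_code, command_code, response_parameters=b"", alg="sha256"):
    """rpHash = H(responseCode || commandCode || responseParameters)."""
    h = hashlib.new(alg)
    h.update(struct.pack(">I", response_code))
    h.update(struct.pack(">I", command_code))
    h.update(response_parameters)
    return h.digest()


def nv_extend_cphash(nv_name, data, auth_name=None, alg="sha256"):
    """cpHash of TPM2_NV_Extend(authHandle, nvIndex, data).

    Handle order is authHandle then nvIndex, so the NV name appears twice when the
    index authorizes itself (pass auth_name=handle_name(TPM_RH_OWNER) for owner auth).
    The only parameter is a TPM2B_MAX_NV_BUFFER.
    """
    auth_name = nv_name if auth_name is None else auth_name
    return cphash(TPM_CC_NV_EXTEND, [auth_name, nv_name], tpm2b(data), alg)


def nv_read_cphash(nv_name, size, offset, auth_name=None, alg="sha256"):
    """cpHash of TPM2_NV_Read(authHandle, nvIndex, size, offset); size and offset are UINT16."""
    auth_name = nv_name if auth_name is None else auth_name
    return cphash(TPM_CC_NV_READ, [auth_name, nv_name], struct.pack(">HH", size, offset), alg)


def nv_read_rphash(data, alg="sha256"):
    """rpHash of a successful TPM2_NV_Read; the response parameter is a TPM2B_MAX_NV_BUFFER."""
    return rphash(TPM_RC_SUCCESS, TPM_CC_NV_READ, tpm2b(data), alg)


# Constructed sample input (not a real index): a stand-in for the marshaled TPMS_NV_PUBLIC.
SAMPLE_NV_NAME = nv_name_from_public(b"constructed TPMS_NV_PUBLIC bytes")
SAMPLE_DATA = b"measure-me"

if __name__ == "__main__":
    print("NV name (hex, as passed to --name):", SAMPLE_NV_NAME.hex())
    print("cpHash NV_Extend, index self-auth:", nv_extend_cphash(SAMPLE_NV_NAME, SAMPLE_DATA).hex())
    print("cpHash NV_Extend, owner auth:     ",
          nv_extend_cphash(SAMPLE_NV_NAME, SAMPLE_DATA, auth_name=handle_name(TPM_RH_OWNER)).hex())
    print("cpHash NV_Read(8, 0):", nv_read_cphash(SAMPLE_NV_NAME, 8, 0).hex())
    print("rpHash NV_Read:      ", nv_read_rphash(b"\x00" * 8).hex())
```

The hash algorithm is a parameter because cpHash is computed with the session's hash algorithm, not the index's nameAlg; the two only coincide by convention. Note that the owner-authorized and index-authorized variants of the same extend produce different digests, which is why a policy or audit that pins a cpHash also pins which handle does the authorizing.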
Dominique Leuenberger (dimstar_suse)
accepted
request 890270
from
Matthias Gerstner (mgerstner)
(revision 23)
- fix `--version` output of tools. Since now autoreconf is called and configure.ac attempts to fetch the version from git (which we don't have during building), the version was empty. Fix this by replacing the git invocation in configure.ac.
Displaying revisions 1 - 20 of 42