From b9a82547f8fc868fcbfe1aee04e2de875ab3fca0 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Sat, 30 Oct 2021 17:03:40 +0300 Subject: [PATCH 01/21] Initial Qubes OS support This allows to build qubes-safeboot package using qubes-builder and use it to generate and setup UEFI Secure Boot keys and configuration, generate and sign unified EFI executable bundle with xen, xen config, kernel and ramdisk. --- .gitignore | 1 + Makefile | 2 +- Makefile.builder | 3 + qubes-hooks/kernel-safeboot.install | 5 ++ qubes-safeboot.spec.in | 48 ++++++++++++++++ sbin/safeboot | 85 +++++++++++++++++++++++++++-- version | 1 + 7 files changed, 139 insertions(+), 6 deletions(-) create mode 100644 Makefile.builder create mode 100644 qubes-hooks/kernel-safeboot.install create mode 100644 qubes-safeboot.spec.in create mode 100644 version diff --git a/.gitignore b/.gitignore index 42411272..a63cb323 100644 --- a/.gitignore +++ b/.gitignore @@ -47,3 +47,4 @@ build linux-* initramfs/response/transport.* initramfs/response/*.hash +pkgs/* diff --git a/Makefile b/Makefile index 886af57d..494aef37 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -VERSION ?= 0.8 +VERSION ?= $(file /dev/null ; then echo dirty ; else echo clean ; fi) GIT_HASH := $(shell git rev-parse HEAD) diff --git a/Makefile.builder b/Makefile.builder new file mode 100644 index 00000000..ed2e1adf --- /dev/null +++ b/Makefile.builder @@ -0,0 +1,3 @@ +ifeq ($(PACKAGE_SET),dom0) +RPM_SPEC_FILES := qubes-safeboot.spec +endif diff --git a/qubes-hooks/kernel-safeboot.install b/qubes-hooks/kernel-safeboot.install new file mode 100644 index 00000000..c00c4bf5 --- /dev/null +++ b/qubes-hooks/kernel-safeboot.install @@ -0,0 +1,5 @@ +#!/bin/bash + +if [ -f /boot/efi/EFI/qubes/qubes.efi.signed ]; then + safeboot qubes-sign +fi diff --git a/qubes-safeboot.spec.in b/qubes-safeboot.spec.in new file mode 100644 index 00000000..60fc776b --- /dev/null +++ b/qubes-safeboot.spec.in @@ -0,0 +1,48 @@ +Name: qubes-safeboot +Version: @VERSION@ +Release: 1%{?dist} +Summary: Boot Qubes OS more safely +License: GPLv2 and LGPLv2 and BSD + +URL: https://github.com/osresearch/safeboot +#Source0: %{url}/archive/refs/tags/release-{version}.tar.gz +Source0: %{name}-%{version}.tar.gz + +Requires: efitools%{_isa} +Requires: sbsigntools%{_isa} +Requires: binutils%{_isa} + +%description + Makes the Qubes OS boot process slightly safer by enabling UEFI Secure Boot, with packing xen, config, kernel and initrd to unified EFI binary and signing it with personal key + +%prep +%setup + +%install +install -m 0755 -D %{_builddir}/%{name}-%{version}/sbin/safeboot -t %{buildroot}%{_sbindir} +install -m 0644 -D %{_builddir}/%{name}-%{version}/safeboot.conf -t %{buildroot}%{_sysconfdir}/safeboot/ +install -m 0644 -D %{_builddir}/%{name}-%{version}/functions.sh -t %{buildroot}/usr/lib/safeboot/ +install -m 0755 -D %{_builddir}/%{name}-%{version}/qubes-hooks/kernel-safeboot.install %{buildroot}/usr/lib/kernel/install.d/99-qubes-safeboot.install + +# symlink since we doesn't build this tools to Qubes OS +mkdir -p %{buildroot}%{_bindir} +ln -s sbsign %{buildroot}%{_bindir}/sbsign.safeboot +ln -s sign-efi-sig-list %{buildroot}%{_bindir}/sign-efi-sig-list.safeboot + + +%triggerin -- xen-hypervisor +if [ -f /boot/efi/EFI/qubes/qubes.efi.signed ]; then + /usr/sbin/safeboot qubes-sign +fi + +%files +%config %{_sysconfdir}/safeboot/safeboot.conf +%{_sbindir}/safeboot +/usr/lib/safeboot/functions.sh +/usr/lib/kernel/install.d/99-qubes-safeboot.install + +%{_bindir}/sbsign.safeboot +%{_bindir}/sign-efi-sig-list.safeboot + +%changelog +@CHANGELOG@ diff --git a/sbin/safeboot b/sbin/safeboot index bbf64ed1..bee797d6 100755 --- a/sbin/safeboot +++ b/sbin/safeboot @@ -217,7 +217,10 @@ key-init() { mv "$CERT" "$CERT.orig" \ || die "$CERT: unable to backup" fi - + # Do not encrypt key with Qubes OS to allow unattended updates + if [ -f /etc/qubes-release ]; then + openssl_param+="-nodes" + fi openssl req \ -new \ -x509 \ @@ -228,6 +231,7 @@ key-init() { -out "$CERT" \ -days "3650" \ -sha256 \ + $openssl_param \ || die "$KEY: unable to create" # Create a certificate and public key file from the PEM @@ -501,7 +505,7 @@ pcrs-sign() { target="${2-linux}" linux="$EFIDIR/$target/linux.efi" - yubikey_daemon + [ -f /etc/qubes-release ] || yubikey_daemon if [ "$prevent_rollback" = "prevent-rollback" ]; then warn "$linux: Incrementing TPM version to prevent rollback" @@ -636,7 +640,7 @@ luks-seal() { shift fi - yubikey_daemon + [ -f /etc/qubes-release ] || yubikey_daemon KEYSLOT=1 @@ -844,7 +848,7 @@ sign() { OUT="$IN.signed" fi - yubikey_daemon + [ -f /etc/qubes-release ] || yubikey_daemon sbsign.safeboot \ $KEY_ENGINE \ @@ -1158,6 +1162,77 @@ linux-sign() ######################################## +qubes_sign_usage=' +## qubes-sign +Usage: +``` +safeboot qubes-sign +``` + +Generate a unified EFI executable bundle with xen, xen config, kernel and initrd, + sign it with safeboot keys and create EFI boot record "Safeboot Qubes OS". + +It requires Qubes OS R4.1+ with configured boot with xen EFI loader (xen.efi). +' + +usage+=$qubes_sign_usage +commands+="|qubes-sign" + +qubes-sign() +{ + xen_config='/boot/efi/EFI/qubes/xen.cfg' + [ -f "$xen_config" ] \ + && qubes_kver=$(awk -F= '/default=/ {print $2}' "$xen_config") \ + || die "No xen.cfg found!" + + xen_efi='/boot/efi/EFI/qubes/xen.efi' + [ -f "$xen_efi" ] \ + || die "No xen.efi found!" + + qubes_kernel="/boot/efi/EFI/qubes/vmlinuz-$qubes_kver" + [ -f "$qubes_kernel" ] \ + || die "No default kernel found!" + + qubes_ramdisk="/boot/efi/EFI/qubes/initramfs-$qubes_kver.img" + [ -f "$qubes_ramdisk" ] \ + || die "No default initramfs found!" + + qubes_efi='/boot/efi/EFI/qubes/qubes.efi' + objcopy \ + --add-section .config="$xen_config" \ + --change-section-vma .config=0xffff82d041000000 \ + --add-section .kernel="$qubes_kernel" \ + --change-section-vma .kernel=0xffff82d041100000 \ + --add-section .ramdisk="$qubes_ramdisk" \ + --change-section-vma .ramdisk=0xffff82d042000000 \ + $xen_efi \ + $qubes_efi \ + || die "Objcopy failed!" + + safeboot sign \ + $qubes_efi $qubes_efi.signed \ + || die "Signing failed!" + + qubes_label="Safeboot Qubes OS" + if ! efibootmgr | grep "^Boot.* $qubes_label\$" ; then + # determine the device the EFI system partition is on + DEV="$(df "$qubes_efi" | tail -1 | cut -d' ' -f1)" + part=$(cat /sys/class/block/$(basename $DEV)/partition) + + warn "efibootmgr: Creating boot menu item on $DEV, partition $part" + efibootmgr \ + --quiet \ + --create \ + --disk "$DEV" \ + --part $part \ + --label "$qubes_label" \ + --loader "\\EFI\\qubes\\qubes.efi.signed" \ + || die "efibootmgr: failed to create $qubes_label entry" + fi +} + +######################################## + recovery_sign_usage=' ## recovery-sign Usage: @@ -1641,7 +1716,7 @@ case "$command" in exit 0 ;; #$commands) - yubikey-init|yubikey-pubkey|key-init|uefi-sign-keys|uefi-set-keys|luks-seal|pcrs-sign|sign|unify-kernel|sign-kernel|install-kernel|linux-sign|recovery-sign|reboot|recovery-reboot|remount|tpm2_trial_extend|sip-init|bootnext|unlock|mount-all) + yubikey-init|yubikey-pubkey|key-init|uefi-sign-keys|uefi-set-keys|luks-seal|pcrs-sign|sign|unify-kernel|sign-kernel|install-kernel|linux-sign|qubes-sign|recovery-sign|reboot|recovery-reboot|remount|tpm2_trial_extend|sip-init|bootnext|unlock|mount-all) $command "$@" ;; *) diff --git a/version b/version new file mode 100644 index 00000000..aec258df --- /dev/null +++ b/version @@ -0,0 +1 @@ +0.8 From 57ecf2315da087325f24a2a5d590d28a6d79c4ee Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Tue, 2 Nov 2021 15:29:06 +0300 Subject: [PATCH 02/21] Add xen.cfg generation for Qubes OS support --- qubes-safeboot.spec.in | 2 +- sbin/safeboot | 65 +++++++++++++++++++++++++++++++++++++----- 2 files changed, 59 insertions(+), 8 deletions(-) diff --git a/qubes-safeboot.spec.in b/qubes-safeboot.spec.in index 60fc776b..663626a7 100644 --- a/qubes-safeboot.spec.in +++ b/qubes-safeboot.spec.in @@ -24,7 +24,7 @@ install -m 0644 -D %{_builddir}/%{name}-%{version}/safeboot.conf -t %{buildroot} install -m 0644 -D %{_builddir}/%{name}-%{version}/functions.sh -t %{buildroot}/usr/lib/safeboot/ install -m 0755 -D %{_builddir}/%{name}-%{version}/qubes-hooks/kernel-safeboot.install %{buildroot}/usr/lib/kernel/install.d/99-qubes-safeboot.install -# symlink since we doesn't build this tools to Qubes OS +# symlink since we don't build this tools to Qubes OS mkdir -p %{buildroot}%{_bindir} ln -s sbsign %{buildroot}%{_bindir}/sbsign.safeboot ln -s sign-efi-sig-list %{buildroot}%{_bindir}/sign-efi-sig-list.safeboot diff --git a/sbin/safeboot b/sbin/safeboot index bee797d6..a314367d 100755 --- a/sbin/safeboot +++ b/sbin/safeboot @@ -1162,6 +1162,55 @@ linux-sign() ######################################## +qubes_xen_config_usage=' +## qubes-xen-config +Usage: +``` +safeboot qubes-xen-config +``` +Generate Xen EFI loader configuration (xen.cfg) based on default grub2 variables. +' +usage+=$qubes_xen_config_usage +commands+="|qubes-xen-config" + +qubes-xen-config(){ + show_help "$1" "$qubes_xen_config_usage" + rootdev-check - + + QUBES_EFIDIR="/boot/efi/EFI/qubes" + xen_config="$QUBES_EFIDIR/xen.cfg" + if [ -f "$xen_config" ]; then + warn "Xen config exists" + return + fi + + QUBES_KVER=$(uname -r) + kernel="vmlinuz-$QUBES_KVER" + [ -f /boot/$kernel ] \ + && cp /boot/$kernel $QUBES_EFIDIR \ + || die "Kernel image not found!" + + ramdisk=initramfs-$QUBES_KVER.img + [ -f /boot/$ramdisk ] \ + && cp /boot/$ramdisk $QUBES_EFIDIR \ + || die "Initrd image not found!" + + . /etc/default/grub + [ -n "$GRUB_CMDLINE_LINUX" ] \ + && [ -n "$GRUB_CMDLINE_XEN_DEFAULT" ] \ + || die "Failed read grub defaults" + + ( \ + echo "[global]" ; \ + echo "default=$QUBES_KVER" ; \ + echo "[$QUBES_KVER]" ; \ + echo "kernel=$kernel root=$ROOTDEV ro $GRUB_CMDLINE_LINUX" ; \ + echo "ramdisk=$ramdisk" ; \ + echo "options=$GRUB_CMDLINE_XEN_DEFAULT" + ) >> $xen_config \ + || die "Unable create xen.cfg" +} + qubes_sign_usage=' ## qubes-sign Usage: @@ -1172,7 +1221,7 @@ safeboot qubes-sign Generate a unified EFI executable bundle with xen, xen config, kernel and initrd, sign it with safeboot keys and create EFI boot record "Safeboot Qubes OS". -It requires Qubes OS R4.1+ with configured boot with xen EFI loader (xen.efi). +It requires Qubes OS R4.1+ with xen >= 4.14 ' usage+=$qubes_sign_usage @@ -1180,20 +1229,22 @@ commands+="|qubes-sign" qubes-sign() { + show_help "$1" "$qubes_sign_usage" + xen_config='/boot/efi/EFI/qubes/xen.cfg' [ -f "$xen_config" ] \ - && qubes_kver=$(awk -F= '/default=/ {print $2}' "$xen_config") \ - || die "No xen.cfg found!" + && QUBES_KVER=$(awk -F= '/default=/ {print $2}' "$xen_config") \ + || qubes-xen-config xen_efi='/boot/efi/EFI/qubes/xen.efi' [ -f "$xen_efi" ] \ || die "No xen.efi found!" - qubes_kernel="/boot/efi/EFI/qubes/vmlinuz-$qubes_kver" + qubes_kernel="/boot/efi/EFI/qubes/vmlinuz-$QUBES_KVER" [ -f "$qubes_kernel" ] \ || die "No default kernel found!" - qubes_ramdisk="/boot/efi/EFI/qubes/initramfs-$qubes_kver.img" + qubes_ramdisk="/boot/efi/EFI/qubes/initramfs-$QUBES_KVER.img" [ -f "$qubes_ramdisk" ] \ || die "No default initramfs found!" @@ -1209,7 +1260,7 @@ qubes-sign() $qubes_efi \ || die "Objcopy failed!" - safeboot sign \ + sign \ $qubes_efi $qubes_efi.signed \ || die "Signing failed!" @@ -1716,7 +1767,7 @@ case "$command" in exit 0 ;; #$commands) - yubikey-init|yubikey-pubkey|key-init|uefi-sign-keys|uefi-set-keys|luks-seal|pcrs-sign|sign|unify-kernel|sign-kernel|install-kernel|linux-sign|qubes-sign|recovery-sign|reboot|recovery-reboot|remount|tpm2_trial_extend|sip-init|bootnext|unlock|mount-all) + yubikey-init|yubikey-pubkey|key-init|uefi-sign-keys|uefi-set-keys|luks-seal|pcrs-sign|sign|unify-kernel|sign-kernel|install-kernel|linux-sign|qubes-xen-config|qubes-sign|recovery-sign|reboot|recovery-reboot|remount|tpm2_trial_extend|sip-init|bootnext|unlock|mount-all) $command "$@" ;; *) From c66d4c7089e7aff49e3a8431d3f344fb6e321007 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Tue, 9 Nov 2021 15:44:21 +0300 Subject: [PATCH 03/21] check partition uuid with efibootmgr --- sbin/safeboot | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/sbin/safeboot b/sbin/safeboot index a314367d..8a9a25ae 100755 --- a/sbin/safeboot +++ b/sbin/safeboot @@ -1265,21 +1265,21 @@ qubes-sign() || die "Signing failed!" qubes_label="Safeboot Qubes OS" - if ! efibootmgr | grep "^Boot.* $qubes_label\$" ; then - # determine the device the EFI system partition is on - DEV="$(df "$qubes_efi" | tail -1 | cut -d' ' -f1)" - part=$(cat /sys/class/block/$(basename $DEV)/partition) - - warn "efibootmgr: Creating boot menu item on $DEV, partition $part" - efibootmgr \ - --quiet \ - --create \ - --disk "$DEV" \ - --part $part \ - --label "$qubes_label" \ - --loader "\\EFI\\qubes\\qubes.efi.signed" \ - || die "efibootmgr: failed to create $qubes_label entry" - fi + # determine the device the EFI system partition is on + DEV="$(df "$qubes_efi" | tail -1 | cut -d' ' -f1)" + part=$(cat /sys/class/block/$(basename $DEV)/partition) + partuuid=$(blkid --output value --match-tag PARTUUID $DEV) + if ! efibootmgr -v | grep "^Boot.* $qubes_label.*$partuuid.*\$" >/dev/null ; then + warn "efibootmgr: Creating boot menu item on $DEV, partition $part" + efibootmgr \ + --quiet \ + --create \ + --disk "$DEV" \ + --part $part \ + --label "$qubes_label" \ + --loader "\\EFI\\qubes\\qubes.efi.signed" \ + || die "efibootmgr: failed to create $qubes_label entry" + fi } ######################################## From ddc59df42cfa8123f06b6fee865ab011bae6ea6f Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Tue, 14 Jun 2022 19:24:16 +0300 Subject: [PATCH 04/21] Build efitools for dom0 fc32 --- Makefile.builder | 23 +++++ efitools.spec.in | 89 +++++++++++++++++++ qubes-safeboot.spec.in | 4 +- qubes/functions.sh | 1 + .../qubes-hooks}/kernel-safeboot.install | 0 qubes/safeboot | 1 + qubes/safeboot.conf | 1 + 7 files changed, 117 insertions(+), 2 deletions(-) create mode 100644 efitools.spec.in create mode 120000 qubes/functions.sh rename {qubes-hooks => qubes/qubes-hooks}/kernel-safeboot.install (100%) create mode 120000 qubes/safeboot create mode 120000 qubes/safeboot.conf diff --git a/Makefile.builder b/Makefile.builder index ed2e1adf..ecbb78fd 100644 --- a/Makefile.builder +++ b/Makefile.builder @@ -1,3 +1,26 @@ ifeq ($(PACKAGE_SET),dom0) RPM_SPEC_FILES := qubes-safeboot.spec +ifeq ($(DIST_DOM0), fc32) +RPM_SPEC_FILES += efitools.spec endif +endif + +NO_ARCHIVE := 1 + +VERSION ?= $(file <$(ORIG_SRC)/version) +EFITOOLS_VERSION = 1.9.2 + +EFITOOLS = efitools-$(EFITOOLS_VERSION).tar.gz + +SOURCES = qubes-safeboot-$(VERSION).tar.gz \ + $(EFITOOLS) + +SOURCE_COPY_IN := $(SOURCES) + +qubes-safeboot-$(VERSION).tar.gz: + tar --xform='s:$(ORIG_SRC)/qubes:qubes-safeboot-$(VERSION):' -czhf $(CHROOT_DIR)$(DIST_SRC)/qubes-safeboot-$(VERSION).tar.gz $(ORIG_SRC)/qubes + +$(EFITOOLS): + tar --xform='s:$(ORIG_SRC)/efitools:efitools-$(EFITOOLS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(EFITOOLS) $(ORIG_SRC)/efitools + +# vim: set ft=make: diff --git a/efitools.spec.in b/efitools.spec.in new file mode 100644 index 00000000..81667f45 --- /dev/null +++ b/efitools.spec.in @@ -0,0 +1,89 @@ +Name: efitools +Version: 1.9.2 +Release: 7%{?dist} +Summary: Tools to manipulate EFI secure boot keys and signatures +License: GPLv2 and LGPLv2 and BSD + +# call-to-mktemp: +# https://github.com/vathpela/efitools/issues/2 +#URL: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git +#Source0: %{url}/snapshot/%{name}-%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz + +# same as gnu-efi +ExclusiveArch: %{efi} + +BuildRequires: pkgconfig(openssl) + +BuildRequires: gcc +BuildRequires: gnu-efi-devel +BuildRequires: help2man +BuildRequires: openssl +BuildRequires: perl-File-Slurp +BuildRequires: sbsigntools + +Requires: coreutils%{_isa} +Requires: mtools%{_isa} +Requires: parted%{_isa} +Requires: util-linux%{_isa} +Recommends: sbsigntools%{_isa} + +%description +This package installs a variety of tools for manipulating keys and binary +signatures on UEFI secure boot platforms. +The tools provide access to the keys and certificates stored in the +secure variables of the UEFI firmware, usually in the NVRAM area. + +%prep +%autosetup + +%build +%set_build_flags +%make_build + +%install +%make_install DOCDIR=%{buildroot}%{_docdir}/%{name}/ CFLAGS="%{optflags}" + +rm -v %{buildroot}%{_docdir}/%{name}/COPYING + +%files +%doc README +%license COPYING + +%{_datadir}/%{name}/ +%{_mandir}/man1/*.1.* + +%{_bindir}/cert-to-efi-hash-list +%{_bindir}/cert-to-efi-sig-list +%{_bindir}/efi-readvar +%{_bindir}/efi-updatevar +%{_bindir}/efitool-mkusb +%{_bindir}/flash-var +%{_bindir}/hash-to-efi-sig-list +%{_bindir}/sig-list-to-certs +%{_bindir}/sign-efi-sig-list + +%changelog +* Thu Jan 20 2022 Fedora Release Engineering - 1.9.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Sep 14 2021 Sahana Prasad - 1.9.2-6 +- Rebuilt with OpenSSL 3.0.0 + +* Wed Jul 21 2021 Fedora Release Engineering - 1.9.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Sun Mar 07 2021 Vladislav Kazakov - 1.9.2-4 +- Fix incorrect build. + +* Sat Feb 06 2021 Vladislav Kazakov - 1.9.2-3 +- Add system flags to CFLAGS. +- Remove i686 support. + +* Sun Jan 31 2021 Vladislav Kazakov - 1.9.2-2 +- Add BSD license. +- Rename LGPLv2.1 to LGPLv2. +- Add reference to issue about mktemp usage. + +* Sun Jan 17 2021 Vladislav Kazakov - 1.9.2-1 +- Initial SPEC release. diff --git a/qubes-safeboot.spec.in b/qubes-safeboot.spec.in index 663626a7..bb3ac7f7 100644 --- a/qubes-safeboot.spec.in +++ b/qubes-safeboot.spec.in @@ -16,10 +16,10 @@ Requires: binutils%{_isa} Makes the Qubes OS boot process slightly safer by enabling UEFI Secure Boot, with packing xen, config, kernel and initrd to unified EFI binary and signing it with personal key %prep -%setup +%setup %install -install -m 0755 -D %{_builddir}/%{name}-%{version}/sbin/safeboot -t %{buildroot}%{_sbindir} +install -m 0755 -D %{_builddir}/%{name}-%{version}/safeboot -t %{buildroot}%{_sbindir} install -m 0644 -D %{_builddir}/%{name}-%{version}/safeboot.conf -t %{buildroot}%{_sysconfdir}/safeboot/ install -m 0644 -D %{_builddir}/%{name}-%{version}/functions.sh -t %{buildroot}/usr/lib/safeboot/ install -m 0755 -D %{_builddir}/%{name}-%{version}/qubes-hooks/kernel-safeboot.install %{buildroot}/usr/lib/kernel/install.d/99-qubes-safeboot.install diff --git a/qubes/functions.sh b/qubes/functions.sh new file mode 120000 index 00000000..162f53f7 --- /dev/null +++ b/qubes/functions.sh @@ -0,0 +1 @@ +../functions.sh \ No newline at end of file diff --git a/qubes-hooks/kernel-safeboot.install b/qubes/qubes-hooks/kernel-safeboot.install similarity index 100% rename from qubes-hooks/kernel-safeboot.install rename to qubes/qubes-hooks/kernel-safeboot.install diff --git a/qubes/safeboot b/qubes/safeboot new file mode 120000 index 00000000..c161d8ce --- /dev/null +++ b/qubes/safeboot @@ -0,0 +1 @@ +../sbin/safeboot \ No newline at end of file diff --git a/qubes/safeboot.conf b/qubes/safeboot.conf new file mode 120000 index 00000000..0d5eae63 --- /dev/null +++ b/qubes/safeboot.conf @@ -0,0 +1 @@ +../safeboot.conf \ No newline at end of file From 24f4ee928b7816e590902db754ab17ddb5f18baf Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Tue, 21 Jun 2022 11:32:42 +0300 Subject: [PATCH 05/21] qubes-builder: get efitools sources --- Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Makefile b/Makefile index 494aef37..564641fe 100644 --- a/Makefile +++ b/Makefile @@ -627,4 +627,8 @@ qemu-server: \ -kill `cat $(TPM_PID)` @-$(RM) "$(TPM_PID)" "$(TPMSOCK)" +get-sources: + git submodule update --init --recursive efitools +verify-sources: + @true From 192f1918d666aa8fb5c26e9a1d6848453d4cfbc4 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Tue, 19 Jul 2022 16:43:51 +0300 Subject: [PATCH 06/21] qubes-sign: efi entry check w/ local function --- sbin/safeboot | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/sbin/safeboot b/sbin/safeboot index 8a9a25ae..29318133 100755 --- a/sbin/safeboot +++ b/sbin/safeboot @@ -1265,11 +1265,12 @@ qubes-sign() || die "Signing failed!" qubes_label="Safeboot Qubes OS" - # determine the device the EFI system partition is on - DEV="$(df "$qubes_efi" | tail -1 | cut -d' ' -f1)" - part=$(cat /sys/class/block/$(basename $DEV)/partition) - partuuid=$(blkid --output value --match-tag PARTUUID $DEV) - if ! efibootmgr -v | grep "^Boot.* $qubes_label.*$partuuid.*\$" >/dev/null ; then + qubes_entry=$(efiboot_entry "$qubes_label") + if [ -z "$qubes_entry" ]; then + # determine the device the EFI system partition is on + DEV="$(df "$qubes_efi" | tail -1 | cut -d' ' -f1)" + part=$(cat /sys/class/block/$(basename $DEV)/partition) + partuuid=$(blkid --output value --match-tag PARTUUID $DEV) warn "efibootmgr: Creating boot menu item on $DEV, partition $part" efibootmgr \ --quiet \ From c3313d9b6348d23f659d466629188edbad03ec53 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Tue, 19 Jul 2022 18:05:28 +0300 Subject: [PATCH 07/21] qubes-builder: efitools: disable concurrent build This should prevents from such errors: > DEBUG: ./cert-to-efi-sig-list PK.crt PK-blacklist.esl > DEBUG: make: ./cert-to-efi-sig-list: Command not found > DEBUG: make: *** [Make.rules:75: PK-blacklist.esl] Error 127 --- efitools.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/efitools.spec.in b/efitools.spec.in index 81667f45..1666d238 100644 --- a/efitools.spec.in +++ b/efitools.spec.in @@ -39,7 +39,7 @@ secure variables of the UEFI firmware, usually in the NVRAM area. %build %set_build_flags -%make_build +%make_build -j1 %install %make_install DOCDIR=%{buildroot}%{_docdir}/%{name}/ CFLAGS="%{optflags}" From 1ed38470e10d6811975aeecafe46dc103c10b95f Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Thu, 21 Jul 2022 11:41:08 +0300 Subject: [PATCH 08/21] qubes-builder: build sbsigntools package --- Makefile | 1 + Makefile.builder | 7 +- sbsigntools-dont-ignore-errors.patch | 59 ++++++++++++ sbsigntools-gnuefi.patch | 69 +++++++++++++ sbsigntools.spec.in | 139 +++++++++++++++++++++++++++ 5 files changed, 274 insertions(+), 1 deletion(-) create mode 100644 sbsigntools-dont-ignore-errors.patch create mode 100644 sbsigntools-gnuefi.patch create mode 100644 sbsigntools.spec.in diff --git a/Makefile b/Makefile index 564641fe..beeac6d4 100644 --- a/Makefile +++ b/Makefile @@ -629,6 +629,7 @@ qemu-server: \ get-sources: git submodule update --init --recursive efitools + git submodule update --init --recursive --recommend-shallow sbsigntools verify-sources: @true diff --git a/Makefile.builder b/Makefile.builder index ecbb78fd..b7649c11 100644 --- a/Makefile.builder +++ b/Makefile.builder @@ -1,7 +1,7 @@ ifeq ($(PACKAGE_SET),dom0) RPM_SPEC_FILES := qubes-safeboot.spec ifeq ($(DIST_DOM0), fc32) -RPM_SPEC_FILES += efitools.spec +RPM_SPEC_FILES += sbsigntools.spec efitools.spec endif endif @@ -9,10 +9,13 @@ NO_ARCHIVE := 1 VERSION ?= $(file <$(ORIG_SRC)/version) EFITOOLS_VERSION = 1.9.2 +SBSIGNTOOLS_VERSION = 0.9.4 EFITOOLS = efitools-$(EFITOOLS_VERSION).tar.gz +SBSIGNTOOLS = sbsigntools-$(SBSIGNTOOLS_VERSION).tar.gz SOURCES = qubes-safeboot-$(VERSION).tar.gz \ + $(SBSIGNTOOLS) \ $(EFITOOLS) SOURCE_COPY_IN := $(SOURCES) @@ -23,4 +26,6 @@ qubes-safeboot-$(VERSION).tar.gz: $(EFITOOLS): tar --xform='s:$(ORIG_SRC)/efitools:efitools-$(EFITOOLS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(EFITOOLS) $(ORIG_SRC)/efitools +$(SBSIGNTOOLS): + tar --xform='s:$(ORIG_SRC)/sbsigntools:sbsigntools-$(SBSIGNTOOLS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(SBSIGNTOOLS) $(ORIG_SRC)/sbsigntools # vim: set ft=make: diff --git a/sbsigntools-dont-ignore-errors.patch b/sbsigntools-dont-ignore-errors.patch new file mode 100644 index 00000000..11bed89c --- /dev/null +++ b/sbsigntools-dont-ignore-errors.patch @@ -0,0 +1,59 @@ +From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001 +From: dann frazier +Date: Wed, 12 Aug 2020 15:27:08 -0600 +Subject: sbkeysync: Don't ignore errors from insert_new_keys() + +If insert_new_keys() fails, say due to a full variable store, we currently +still exit(0). This can make it difficult to know something is wrong. +For example, Debian and Ubuntu implement a secureboot-db systemd service +to update the DB and DBX, which calls: + + ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose + +But although this seemed to succeed on my system, looking at the logs shows +a different story: + +Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx +Error writing key update: Invalid argument +Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin + +Signed-off-by: dann frazier +Signed-off-by: James Bottomley +--- + src/sbkeysync.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/sbkeysync.c b/src/sbkeysync.c +index e51f177..7748990 100644 +--- a/src/sbkeysync.c ++++ b/src/sbkeysync.c +@@ -889,10 +889,12 @@ int main(int argc, char **argv) + { + bool use_default_keystore_dirs; + struct sync_context *ctx; ++ int rc; + + use_default_keystore_dirs = true; + ctx = talloc_zero(NULL, struct sync_context); + list_head_init(&ctx->new_keys); ++ rc = EXIT_SUCCESS; + + for (;;) { + int idx, c; +@@ -985,10 +987,10 @@ int main(int argc, char **argv) + if (ctx->verbose) + print_new_keys(ctx); + +- if (!ctx->dry_run) +- insert_new_keys(ctx); ++ if (!ctx->dry_run && insert_new_keys(ctx)) ++ rc = EXIT_FAILURE; + + talloc_free(ctx); + +- return EXIT_SUCCESS; ++ return rc; + } +-- +cgit 1.2.3-1.el7 + diff --git a/sbsigntools-gnuefi.patch b/sbsigntools-gnuefi.patch new file mode 100644 index 00000000..2e288835 --- /dev/null +++ b/sbsigntools-gnuefi.patch @@ -0,0 +1,69 @@ +diff -up sbsigntools-0.9.3/configure.ac.gnu-efi sbsigntools-0.9.3/configure.ac +--- sbsigntools-0.9.3/configure.ac.gnu-efi 2020-02-03 09:38:56.000000000 +0100 ++++ sbsigntools-0.9.3/configure.ac 2020-02-04 09:48:53.011259075 +0100 +@@ -64,19 +64,30 @@ PKG_CHECK_MODULES(uuid, uuid, + AC_MSG_ERROR([libuuid (from the uuid package) is required])) + + dnl gnu-efi headers require extra include dirs +-EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/') +-AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ]) ++EFI_ARCH=$(uname -m | sed -e 's/i.86/ia32/;s/arm.*/arm/' -e 's/x86_64/x64/' -e 's/aarch64/aa64/') ++AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aa64" ]) + + ## + # no consistent view of where gnu-efi should dump the efi stuff, so find it + ## +-for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do +- if test -e $path/crt0-efi-$EFI_ARCH.o; then ++AC_MSG_CHECKING([gnu-efi crt path]) ++for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi /usr/lib/gnuefi/$EFI_ARCH ; do ++ if test -e $path/crt0.o; then + CRTPATH=$path ++ CRT=crt0.o ++ LDS=efi.lds ++ EFI_PATH=$path ++ elif test -e $path/crt0-efi-$EFI_ARCH.o; then ++ CRTPATH=$path ++ CRT=crt0-efi-${EFI_ARCH}.o ++ LDS=elf_${EFI_ARCH}_efi.lds ++ EFI_PATH=$libdir + fi + done + if test -z "$CRTPATH"; then + AC_MSG_ERROR([cannot find the gnu-efi crt path]) ++else ++ AC_MSG_RESULT($CRTPATH) + fi + + EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \ +@@ -88,6 +99,9 @@ CPPFLAGS="$CPPFLAGS_save" + AC_SUBST(EFI_CPPFLAGS, $EFI_CPPFLAGS) + AC_SUBST(EFI_ARCH, $EFI_ARCH) + AC_SUBST(CRTPATH, $CRTPATH) ++AC_SUBST(CRT, $CRT) ++AC_SUBST(LDS, $LDS) ++AC_SUBST(EFI_PATH, $EFI_PATH) + + AC_CONFIG_FILES([Makefile src/Makefile lib/ccan/Makefile] + [docs/Makefile tests/Makefile]) +diff -up sbsigntools-0.9.3/tests/Makefile.am.gnu-efi sbsigntools-0.9.3/tests/Makefile.am +--- sbsigntools-0.9.3/tests/Makefile.am.gnu-efi 2020-02-03 09:38:56.000000000 +0100 ++++ sbsigntools-0.9.3/tests/Makefile.am 2020-02-04 09:47:44.786665340 +0100 +@@ -14,7 +14,7 @@ if TEST_BINARY_FORMAT + EFILDFLAGS = --defsym=EFI_SUBSYSTEM=0x0a + FORMAT = -O binary + else +-FORMAT = --target=efi-app-$(EFI_ARCH) ++FORMAT = --target=efi-app-$(EFI_ARCH:x64=x86_64) + endif + check_DATA = $(test_key) $(test_cert) + check_SCRIPTS = test-wrapper.sh +@@ -27,7 +27,7 @@ check_SCRIPTS = test-wrapper.sh + $(FORMAT) $^ $@ + + .$(OBJEXT).elf: +- $(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/crt0-efi-$(EFI_ARCH).o -T elf_$(EFI_ARCH)_efi.lds $< -o $@ -lefi -lgnuefi ++ $(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/$(CRT) -T $(LDS) $< -o $@ $(EFI_PATH)/libefi.a $(EFI_PATH)/libgnuefi.a + + AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH) + diff --git a/sbsigntools.spec.in b/sbsigntools.spec.in new file mode 100644 index 00000000..f645fa8e --- /dev/null +++ b/sbsigntools.spec.in @@ -0,0 +1,139 @@ +%bcond_without check +%define _warning_options -Wall -Werror=format-security -Wno-deprecated-declarations + +Name: sbsigntools +Version: 0.9.4 +Release: 8%{?dist} +Summary: Signing utility for UEFI secure boot +License: GPLv3+ +URL: https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools +Source0: %{name}-%{version}.tar.gz + +# add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a +Patch1: %{name}-gnuefi.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1955828 +Patch2: %{name}-dont-ignore-errors.patch +# https://groups.io/g/sbsigntools/message/54 +#Patch3: %{name}-openssl3.patch + +# same as gnu-efi +ExclusiveArch: x86_64 aarch64 %{arm} %{ix86} +BuildRequires: make +BuildRequires: automake +BuildRequires: binutils-devel +BuildRequires: gcc +BuildRequires: gnu-efi-devel >= 1:3.0.8-3 +BuildRequires: help2man +BuildRequires: libuuid-devel +%if %{with check} +BuildRequires: openssl +%endif +BuildRequires: openssl-devel +Provides: bundled(ccan-array_size) +Provides: bundled(ccan-build_assert) +Provides: bundled(ccan-check_type) +Provides: bundled(ccan-compiler) +Provides: bundled(ccan-container_of) +Provides: bundled(ccan-endian) +Provides: bundled(ccan-failtest) +Provides: bundled(ccan-hash) +Provides: bundled(ccan-htable) +Provides: bundled(ccan-list) +Provides: bundled(ccan-read_write_all) +Provides: bundled(ccan-str) +Provides: bundled(ccan-talloc) +Provides: bundled(ccan-tcon) +Provides: bundled(ccan-time) +Provides: bundled(ccan-tlist) +Provides: bundled(ccan-typesafe_cb) + +%description +Tools to add signatures to EFI binaries and Drivers. + +%prep +%autosetup -p1 + +%build +./autogen.sh +%configure +%make_build + +%install +%make_install + +%if %{with check} +%check +make check +%endif + +%files +%license COPYING LICENSE.GPLv3 lib/ccan/licenses/* +%doc AUTHORS ChangeLog +%{_bindir}/sbattach +%{_bindir}/sbkeysync +%{_bindir}/sbsiglist +%{_bindir}/sbsign +%{_bindir}/sbvarsign +%{_bindir}/sbverify +%{_mandir}/man1/sbattach.1.* +%{_mandir}/man1/sbkeysync.1.* +%{_mandir}/man1/sbsiglist.1.* +%{_mandir}/man1/sbsign.1.* +%{_mandir}/man1/sbvarsign.1.* +%{_mandir}/man1/sbverify.1.* + +%changelog +* Sat Jan 22 2022 Fedora Release Engineering - 0.9.4-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Fri Nov 19 2021 Dominik Mierzejewski - 0.9.4-7 +- fix build with OpenSSL 3.0.0 (fixes rhbz#2021909) + +* Tue Sep 14 2021 Sahana Prasad - 0.9.4-6 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Jul 23 2021 Fedora Release Engineering - 0.9.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Mon May 17 2021 Dominik Mierzejewski - 0.9.4-4 +- don't ignore errors from sbkeysync (fixes rhbz#1955828) + +* Wed Jan 27 2021 Fedora Release Engineering - 0.9.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jul 29 2020 Fedora Release Engineering - 0.9.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Fri Jul 03 2020 Dominik Mierzejewski - 0.9.4-1 +- update to 0.9.4 (#1846578) + +* Mon Feb 03 2020 Dominik Mierzejewski - 0.9.3-1 +- update to 0.9.3 +- update bundled CCAN components list +- support building with gnu-efi 3.0.11 + +* Thu Jan 30 2020 Fedora Release Engineering - 0.9.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jul 26 2019 Fedora Release Engineering - 0.9.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Feb 28 2019 Dominik Mierzejewski - 0.9.2-1 +- update to 0.9.2 + +* Sat Feb 02 2019 Fedora Release Engineering - 0.9.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jul 25 2018 Dominik Mierzejewski - 0.9.1-3 +- fix paths to gnu-efi (work around #1608293) + +* Sat Jul 14 2018 Fedora Release Engineering - 0.9.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Feb 22 2018 Dominik Mierzejewski - 0.9.1-1 +- update to 0.9.1 +- add Fedora gnu-efi libs location to search path +- link tests statically against gnu-efi libs, there are no shared versions + +* Mon Sep 4 2017 Dominik Mierzejewski - 0.8-1 +- initial build From 85e9e9ae34d99016425a80deaddf5a6a3d77d072 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Thu, 21 Jul 2022 17:09:03 +0300 Subject: [PATCH 09/21] qubes-builder: build tpm2-tss and tpm2-tools --- Makefile | 2 + Makefile.builder | 16 +- tpm2-tools.spec.in | 264 ++++++++++++++++++++++++++++++++ tpm2-tss-3.0.0-doxygen.patch | 15 ++ tpm2-tss.spec.in | 281 +++++++++++++++++++++++++++++++++++ 5 files changed, 577 insertions(+), 1 deletion(-) create mode 100644 tpm2-tools.spec.in create mode 100644 tpm2-tss-3.0.0-doxygen.patch create mode 100644 tpm2-tss.spec.in diff --git a/Makefile b/Makefile index beeac6d4..da1f91c4 100644 --- a/Makefile +++ b/Makefile @@ -630,6 +630,8 @@ qemu-server: \ get-sources: git submodule update --init --recursive efitools git submodule update --init --recursive --recommend-shallow sbsigntools + git submodule update --init --recursive --recommend-shallow tpm2-tss + git submodule update --init --recursive --recommend-shallow tpm2-tools verify-sources: @true diff --git a/Makefile.builder b/Makefile.builder index b7649c11..18d45fe3 100644 --- a/Makefile.builder +++ b/Makefile.builder @@ -1,21 +1,28 @@ ifeq ($(PACKAGE_SET),dom0) RPM_SPEC_FILES := qubes-safeboot.spec ifeq ($(DIST_DOM0), fc32) -RPM_SPEC_FILES += sbsigntools.spec efitools.spec +RPM_SPEC_FILES += sbsigntools.spec efitools.spec tpm2-tss.spec tpm2-tools.spec endif endif NO_ARCHIVE := 1 VERSION ?= $(file <$(ORIG_SRC)/version) + EFITOOLS_VERSION = 1.9.2 SBSIGNTOOLS_VERSION = 0.9.4 +TPM2_TSS_VERSION = 3.1.0 +TPM2_TOOLS_VERSION = 5.1.1 EFITOOLS = efitools-$(EFITOOLS_VERSION).tar.gz SBSIGNTOOLS = sbsigntools-$(SBSIGNTOOLS_VERSION).tar.gz +TPM2_TSS = tpm2-tss-$(TPM2_TSS_VERSION).tar.gz +TPM2_TOOLS = tpm2-tools-$(TPM2_TOOLS_VERSION).tar.gz SOURCES = qubes-safeboot-$(VERSION).tar.gz \ $(SBSIGNTOOLS) \ + $(TPM2_TSS) \ + $(TPM2_TOOLS) \ $(EFITOOLS) SOURCE_COPY_IN := $(SOURCES) @@ -28,4 +35,11 @@ $(EFITOOLS): $(SBSIGNTOOLS): tar --xform='s:$(ORIG_SRC)/sbsigntools:sbsigntools-$(SBSIGNTOOLS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(SBSIGNTOOLS) $(ORIG_SRC)/sbsigntools + +$(TPM2_TSS): + tar --xform='s:$(ORIG_SRC)/tpm2-tss:tpm2-tss-$(TPM2_TSS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(TPM2_TSS) $(ORIG_SRC)/tpm2-tss + +$(TPM2_TOOLS): + tar --xform='s:$(ORIG_SRC)/tpm2-tools:tpm2-tools-$(TPM2_TOOLS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(TPM2_TOOLS) $(ORIG_SRC)/tpm2-tools + # vim: set ft=make: diff --git a/tpm2-tools.spec.in b/tpm2-tools.spec.in new file mode 100644 index 00000000..3f4f49cd --- /dev/null +++ b/tpm2-tools.spec.in @@ -0,0 +1,264 @@ +#global candidate rc2 + +Name: tpm2-tools +Version: 5.1.0 +Release: 1%{?candidate:.%{candidate}}%{?dist} +Summary: A bunch of TPM testing toolS build upon tpm2-tss + +License: BSD +URL: https://github.com/tpm2-software/tpm2-tools +Source0: %{name}-%{version}%{?candidate:-%{candidate}}.tar.gz + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: make +BuildRequires: git +BuildRequires: gcc-c++ +BuildRequires: libtool +BuildRequires: autoconf-archive +BuildRequires: pandoc +BuildRequires: pkgconfig(cmocka) +BuildRequires: pkgconfig(libcurl) +BuildRequires: pkgconfig(openssl) +# tpm2-tss-devel provides tss2-mu/sys/esys package config +BuildRequires: pkgconfig(tss2-mu) >= 3.1.0 +BuildRequires: pkgconfig(tss2-sys) >= 3.1.0 +BuildRequires: pkgconfig(tss2-esys) >= 3.1.0 +BuildRequires: pkgconfig(uuid) + +# tpm2-tools is heavily depending on TPM2.0-TSS project, matched tss is required +Requires: tpm2-tss%{?_isa} >= 3.1.0 + +%description +tpm2-tools is a batch of tools for tpm2.0. It is based on tpm2-tss. + +%prep +%autosetup -p1 -n %{name}-%{version}%{?candidate:-%{candidate}} + +%build +# There is no git info because of submodule +sed -i "s/m4_esyscmd_s(\[git describe --tags --always --dirty\])/%{version}/" configure.ac +./bootstrap + +# LTO exposes a latent uninitialized variable "value" in the function # "nt". +# This has been reported to the maintainer (Yunying), but they have not +# responded and I am not comfortable enough with the code to know if a trivial +# initialization to zero is appropriate/safe. So LTO is disabled for now. +%define _lto_cflags %{nil} +%configure --prefix=/usr --disable-static --disable-silent-rules +%make_build + +%install +%make_install + +%files +%license doc/LICENSE +%doc README.md doc/CHANGELOG.md +%{_bindir}/tpm2 +%{_bindir}/tpm2_* +%{_bindir}/tss2 +%{_bindir}/tss2_* +%{_datadir}/bash-completion/completions/tpm2* +%{_datadir}/bash-completion/completions/tss2* +%{_mandir}/man1/tpm2_*.1.gz +%{_mandir}/man1/tpm2.1.gz +%{_mandir}/man1/tss2_*.1.gz + +%changelog +* Mon Jun 21 2021 Peter Robinson - 5.1.1-1 +- Update to 5.1.1 +- Fixes CVE-2021-3565 (rhbz 1964428) + +* Tue May 25 2021 Peter Robinson - 5.1-1 +- Update to 5.1 + +* Wed Jan 27 2021 Fedora Release Engineering - 5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Nov 23 2020 Peter Robinson - 5.0-1 +- Update tp tpm2-tools 5.0 + +* Sat Aug 29 2020 Peter Robinson - 4.3.0-1 +- Update to 4.3.0 + +* Mon Aug 10 2020 Peter Robinson - 4.2.1-4 +- Rebuild for tpm2-tss 3.0 + +* Wed Jul 29 2020 Fedora Release Engineering - 4.2.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jun 30 2020 Jeff Law - 4.2.1-2 +- Disable LTO due to latent uninitialized variable exposed by LTO + +* Wed May 27 2020 Peter Robinson - 4.2.1-1 +- Update to 4.2.1 + +* Tue Apr 14 2020 Peter Robinson - 4.2-1 +- Update to 4.2 + +* Fri Jan 31 2020 Fedora Release Engineering - 4.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Nov 28 2019 Yunying Sun - 4.1-1 +- Update to 4.1 release + +* Tue Oct 29 2019 Yunying Sun - 4.0.1-1 +- Update to 4.0.1 release + +* Tue Sep 10 2019 Peter Robinson 4.0-1 +- Update to 4.0 + +* Fri Sep 6 2019 Javier Martinez Canillas 4.0-0.4-rc2 +- Use a release tarball instead of a source code tarball + +* Fri Sep 6 2019 Peter Robinson 4.0-0.3-rc2 +- Update to 4.0 RC2 + +* Tue Aug 27 2019 Peter Robinson 4.0-0.2-rc1 +- Update to 4.0 RC1 + +* Tue Aug 20 2019 Peter Robinson 4.0-0.1-rc0 +- Update to 4.0 RC0 + +* Thu Aug 1 2019 Peter Robinson 3.2.0-3 +- Fix for crash for max PCRs available + +* Sat Jul 27 2019 Fedora Release Engineering - 3.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jun 21 2019 Yunying Sun - 3.2.0-1 +- Update to 3.2.0 release +- Removed patches since all have been included in 3.2.0 release + +* Fri May 10 2019 Javier Martinez Canillas - 3.1.4-2 +- Allow tpm2_makecredential to run without a TPM (jetwhiz) +- Add tpm2_pcrreset and tpm2_checkquote tools (jetwhiz) + +* Fri Mar 15 2019 Yunying Sun - 3.1.4-1 +- Update to 3.1.4 release +- Removed the 4 patches since all have been included in 3.1.4 release + +* Sun Feb 03 2019 Fedora Release Engineering - 3.1.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 7 2019 Javier Martinez Canillas - 3.1.3-3 +- Fix broken -T option when passing additional arguments + +* Mon Jan 7 2019 Javier Martinez Canillas - 3.1.3-2 +- Fix broken -T option and a couple of minor fixes +- Add pandoc BuildRequires + +* Wed Nov 7 2018 Yunying Sun - 3.1.3-1 +- Update to 3.1.3 release + +* Wed Sep 12 2018 Javier Martinez Canillas - 3.1.2-1 +- Update to 3.1.2 release +- Restore TCTI configuration environment for tools +- Restore tpm2_getcap tool properties output + Resolves: rhbz#1625647 + +* Sat Jul 14 2018 Javier Martinez Canillas - 3.1.1-3 +- Revert backward incompatible change that removes default object attributes + +* Sat Jul 14 2018 Fedora Release Engineering - 3.1.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jul 12 2018 Yunying Sun - 3.1.1-1 +- Update to 3.1.1 release + +* Thu Jul 5 2018 Yunying Sun - 3.1.0-1 +- Update Requires version of tpm2-tss to 2.0.0 +- Remove BuildRequires for tcti-abrmd since it is optional +- Remove BuildRequires for tcti-{device,mssim} as it is now dynamically loaded +- Update to 3.1.0 release + +* Mon Apr 30 2018 Javier Martinez Canillas - 3.0.4-1 +- Update URLs to point to the new project location +- Update to 3.0.4 release + +* Wed Feb 21 2018 Javier Martinez Canillas - 3.0.3-3 +- Remove ExclusiveArch: x86_64 directive + +* Fri Feb 09 2018 Fedora Release Engineering - 3.0.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Jan 16 2018 Javier Martinez Canillas - 3.0.3-1 +- Update to 3.0.3 release + +* Mon Dec 18 2017 Javier Martinez Canillas - 3.0.2-1 +- Update to 3.0.2 release + +* Tue Dec 12 2017 Javier Martinez Canillas - 3.0.1-1 +- Update to 3.0.1 release (RHBZ#1512743) +- Download the generated tarball provided instead of the source code tarball + +* Fri Dec 08 2017 Javier Martinez Canillas - 3.0-1 +- Update to 3.0 release + +* Wed Nov 29 2017 Javier Martinez Canillas - 3.0-0.1.rc1 +- Update to 3.0 release candidate 1 +- Update URLs to point to the new project location +- Make the package to obsolete version 2.1.1 + +* Wed Nov 01 2017 Javier Martinez Canillas - 2.1.1-1 +- Rename remaining tpm2.0-tools prefixes to tpm2-tools +- Remove global pkg_prefix since now the upstream repo and package names match +- Remove downstream patches since now these are in the latest upstream release +- Update to 2.1.1 release (RHBZ#1504438) + +* Thu Oct 19 2017 Jerry Snitselaar - 2.1.0-7 +- Clean up potential memleak (RHBZ#1503959) + +* Thu Oct 05 2017 Javier Martinez Canillas - 2.1.0-6 +- Add tpm2-abrmd-devel BuildRequires so tools have abrmd support (RHBZ#1498909) + +* Fri Aug 18 2017 Javier Martinez Canillas - 2.1.0-5 +- Remove unneeded source tarballs (RHBZ#1482830) + +* Tue Aug 15 2017 Sun Yunying - 2.1.0-4 +- Add patch to fix build error when openssl-devel is installed(RHBZ#1481236) + +* Thu Aug 03 2017 Fedora Release Engineering - 2.1.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Mon Jul 31 2017 Sun Yunying - 2.1.0-2 +- Add patch to fix gcc7 complaining about implicit-fallthrough cases + +* Fri Jul 28 2017 Sun Yunying - 2.1.0-1 +- Update to latest upstream release 2.1.0 + +* Fri Jul 28 2017 Sun Yunying - 1.1.0-9 +- Update Requires dependency so that tpm2-tss update won't break tpm2-tools + +* Thu Jul 27 2017 Fedora Release Engineering - 1.1.0-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed May 10 2017 Sun Yunying - 1.1.0-7 +- Only update release version to make fedpkg build works for f26 + +* Wed Mar 1 2017 Sun Yunying - 1.1.0-6 +- Update tpm2-tss version to 1.0-3 to fix broken dependency on f26 + +* Sat Feb 11 2017 Fedora Release Engineering - 1.1.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 20 2017 Sun Yunying - 1.1.0-4 +- Dependency check failed for Requires again, here to fix this +- Update release version and changelog + +* Thu Jan 19 2017 Sun Yunying - 1.1.0-3 +- Change spec file permission to 644 to avoid rpmlint complain +- Update Requires to fix dependency check error reported in Bodhi +- Remove tpm2-tss-devel version in BuildRequires comment +- Update release version and changelog + +* Wed Dec 21 2016 Sun Yunying - 1.1.0-2 +- Remove pkg_version to avoid dupliate use of version +- Remove redundant BuildRequires for autoconf/automake/pkgconfig +- Add comments for BuildRequires of sapi/tcti-device/tcti-socket +- Use ExclusiveArch instead of ExcludeArch +- Requires tpm2-tss version updated to 1.0-2 +- Updated release version and changelog + +* Fri Dec 2 2016 Sun Yunying - 1.1.0-1 +- Initial version of the package diff --git a/tpm2-tss-3.0.0-doxygen.patch b/tpm2-tss-3.0.0-doxygen.patch new file mode 100644 index 00000000..2f824729 --- /dev/null +++ b/tpm2-tss-3.0.0-doxygen.patch @@ -0,0 +1,15 @@ +diff -up tpm2-tss-3.0.0/Doxyfile.in.me tpm2-tss-3.0.0/Doxyfile.in +--- tpm2-tss-3.0.0/Doxyfile.in.me 2020-09-15 20:24:26.463314644 +0200 ++++ tpm2-tss-3.0.0/Doxyfile.in 2020-09-15 20:26:29.010866650 +0200 +@@ -947,7 +947,10 @@ EXCLUDE_PATTERNS = + # Note that the wildcards are matched against the file with absolute path, so to + # exclude all test directories use the pattern */test/* + +-EXCLUDE_SYMBOLS = *_IN IESYS_CMD_IN_PARAM ++EXCLUDE_SYMBOLS = StartAuthSession_IN CreatePrimary_IN ContextSave_IN ContextLoad_IN \ ++ Load_IN LoadExternal_IN CreateLoaded_IN EvictControl_IN HMAC_Start_IN \ ++ HierarchyChangeAuth_IN SequenceComplete_IN Policy_IN NV_IN FlushContext_IN \ ++ IESYS_CMD_IN_PARAM + + # The EXAMPLE_PATH tag can be used to specify one or more files or directories + # that contain example code fragments that are included (see the \include diff --git a/tpm2-tss.spec.in b/tpm2-tss.spec.in new file mode 100644 index 00000000..6002ee27 --- /dev/null +++ b/tpm2-tss.spec.in @@ -0,0 +1,281 @@ +Name: tpm2-tss +Version: 3.1.0 +Release: 1%{?dist} +Summary: TPM2.0 Software Stack + +# The entire source code is under BSD except implementation.h and tpmb.h which +# is under TCGL(Trusted Computing Group License). +License: BSD and TCGL +URL: https://github.com/tpm2-software/tpm2-tss +Source0: %{name}-%{version}.tar.gz +# doxygen crash +Patch0: tpm2-tss-3.0.0-doxygen.patch + +%global udevrules_prefix 60- + +BuildRequires: autoconf +BuildRequires: autoconf-archive +BuildRequires: automake +BuildRequires: libtool +BuildRequires: make +BuildRequires: git +BuildRequires: doxygen +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: json-c-devel +BuildRequires: libcurl-devel +BuildRequires: libgcrypt-devel +BuildRequires: openssl-devel +BuildRequires: pkgconfig +BuildRequires: systemd +Requires(pre): shadow-utils + +%description +tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system +APIs. It sits between TPM driver and applications, providing TPM2.0 specified +APIs for applications to access TPM module through kernel TPM drivers. + +%prep +%autosetup -n %{name}-%{version} -p1 + +%build +# There is no git info because of submodule +sed -i "s/m4_esyscmd_s(\[git describe --tags --always --dirty\])/%{version}/" configure.ac +./bootstrap + +# Use built-in tpm-udev.rules, with specified installation path and prefix. +%configure --disable-static --disable-silent-rules \ + --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \ + --with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir} + +# This is to fix Rpath errors. Taken from https://fedoraproject.org/wiki/Packaging:Guidelines#Removing_Rpath +sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool +sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool + +%make_build + +%install +%make_install +find %{buildroot}%{_libdir} -type f -name \*.la -delete + +%pre +getent group tss >/dev/null || groupadd -f -g 59 -r tss +if ! getent passwd tss >/dev/null ; then + if ! getent passwd 59 >/dev/null ; then + useradd -r -u 59 -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss + else + useradd -r -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss + fi +fi +exit 0 + +%ldconfig_scriptlets + +%files +%doc README.md CHANGELOG.md +%license LICENSE +%{_sysconfdir}/tpm2-tss/ +%{_libdir}/libtss2-mu.so.0* +%{_libdir}/libtss2-sys.so.1* +%{_libdir}/libtss2-esys.so.0* +%{_libdir}/libtss2-fapi.so.1* +%{_libdir}/libtss2-rc.so.0* +%{_libdir}/libtss2-tctildr.so.0* +%{_libdir}/libtss2-tcti-cmd.so.0* +%{_libdir}/libtss2-tcti-device.so.0* +%{_libdir}/libtss2-tcti-mssim.so.0* +%{_libdir}/libtss2-tcti-pcap.so.0* +%{_libdir}/libtss2-tcti-swtpm.so.0* +%{_sysusersdir}/tpm2-tss.conf +%{_tmpfilesdir}/tpm2-tss-fapi.conf +%{_udevrulesdir}/%{udevrules_prefix}tpm-udev.rules + +%package devel +Summary: Headers and libraries for building apps that use tpm2-tss +Requires: %{name}%{_isa} = %{version}-%{release} + +%description devel +This package contains headers and libraries required to build applications that +use tpm2-tss. + +%files devel +%{_includedir}/tss2/ +%{_libdir}/libtss2-mu.so +%{_libdir}/libtss2-sys.so +%{_libdir}/libtss2-esys.so +%{_libdir}/libtss2-fapi.so +%{_libdir}/libtss2-rc.so +%{_libdir}/libtss2-tctildr.so +%{_libdir}/libtss2-tcti-cmd.so +%{_libdir}/libtss2-tcti-device.so +%{_libdir}/libtss2-tcti-mssim.so +%{_libdir}/libtss2-tcti-pcap.so +%{_libdir}/libtss2-tcti-swtpm.so +%{_libdir}/pkgconfig/tss2-mu.pc +%{_libdir}/pkgconfig/tss2-sys.pc +%{_libdir}/pkgconfig/tss2-esys.pc +%{_libdir}/pkgconfig/tss2-fapi.pc +%{_libdir}/pkgconfig/tss2-rc.pc +%{_libdir}/pkgconfig/tss2-tctildr.pc +%{_libdir}/pkgconfig/tss2-tcti-cmd.pc +%{_libdir}/pkgconfig/tss2-tcti-device.pc +%{_libdir}/pkgconfig/tss2-tcti-mssim.pc +%{_libdir}/pkgconfig/tss2-tcti-pcap.pc +%{_libdir}/pkgconfig/tss2-tcti-swtpm.pc +%{_mandir}/man3/*.3.gz +%{_mandir}/man5/*.5.gz +%{_mandir}/man7/tss2*.7.gz + + +%changelog +* Mon May 17 2021 Peter Robinson - 3.1.0-1 +- Update to 3.1.0 + +* Wed Jan 27 2021 Fedora Release Engineering - 3.0.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Nov 26 2020 Peter Robinson - 3.0.3-1 +- Update to 3.0.2 + +* Sun Nov 22 2020 Peter Robinson - 3.0.2-1 +- Update to 3.0.2 + +* Wed Sep 23 2020 Peter Robinson - 3.0.1-1 +- Update to 3.0.1 + +* Tue Sep 15 2020 Than Ngo - 3.0.0-4 +- Fix doxygen crash + +* Tue Sep 15 2020 Peter Robinson - 3.0.0-3 +- Create tss user, if it doesn't exist, for userspace TPM access + +* Fri Aug 07 2020 Peter Robinson - 3.0.0-2 +- Install sysusers config in sysusersdir (rhbz #1834519) + +* Wed Aug 05 2020 Peter Robinson - 3.0.0-1 +- Update to 3.0.0 + +* Wed Aug 05 2020 Peter Robinson - 2.4.2-1 +- Update to 2.4.2 + +* Wed Jul 29 2020 Fedora Release Engineering - 2.4.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu May 14 2020 Peter Robinson - 2.4.1-1 +- Update to 2.4.1 + +* Fri May 08 2020 Paul Wouters - 2.4.0-3 +- Use proper rundir and tmpfiles macros so proper directories are used + +* Tue Apr 21 2020 Björn Esser - 2.4.0-2 +- Rebuild (json-c) + +* Thu Mar 12 2020 Peter Robinson - 2.4.0-1 +- Update to 2.4.0 release + +* Mon Feb 24 2020 Peter Robinson - 2.3.3-1 +- Update to 2.3.3 release + +* Fri Jan 31 2020 Fedora Release Engineering - 2.3.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Dec 13 2019 Yunying Sun - 2.3.2-1 +- Update to 2.3.2 release + +* Fri Sep 6 2019 Yunying Sun - 2.3.1-1 +- Update to 2.3.1 release + +* Thu Aug 15 2019 Yunying Sun - 2.3.0-1 +- Update to 2.3.0 release + +* Sat Jul 27 2019 Fedora Release Engineering - 2.2.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed May 29 2019 Yunying Sun - 2.2.3-1 +- Update to 2.2.3 release + +* Fri Mar 29 2019 Yunying Sun - 2.2.2-1 +- Update to 2.2.2 release + +* Mon Mar 4 2019 Peter Robinson 2.2.1-1 +- Update to 2.2.1 release + +* Wed Feb 06 2019 Javier Martinez Canillas - 2.2.0-1 +- Update to 2.2.0 release + +* Sun Feb 03 2019 Fedora Release Engineering - 2.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Oct 10 2018 Yunying Sun - 2.1.0-1 +- Update to 2.1.0 release + +* Thu Aug 30 2018 Yunying Sun - 2.0.1-1 +- Update to 2.0.1 release + +* Sat Jul 14 2018 Fedora Release Engineering - 2.0.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jul 4 2018 Yunying Sun - 2.0.0-2 +- Re-enable ESAPI since gcrypt dependency is not an issue for Fedora +- Bump release version to 2.0.0-2 + +* Mon Jul 2 2018 Yunying Sun - 2.0.0-1 +- Update to 2.0.0 release (RHBZ#1508870) +- Remove patch file 60-tpm-udev.rules, use upstream tpm-udev.rules instead +- Disable ESAPI to fix build errors caused by dependency to libgcrypt 1.6.0 +- Add scriptlet to fix Rpath errors +- Update file installation paths and names accordingly + +* Sun Mar 04 2018 Javier Martinez Canillas - 1.4.0-1 +- Update URLs to point to the new project location +- Add README.md CHANGELOG.md to %%files directive +- Update to 1.4.0 release (RHBZ#1508870) + +* Fri Feb 23 2018 Javier Martinez Canillas - 1.3.0-4 +- Install udev rule for TPM character devices + +* Wed Feb 21 2018 Javier Martinez Canillas - 1.3.0-3 +- Remove ExclusiveArch: %%{ix86} x86_64 directive + +* Fri Feb 09 2018 Igor Gnatenko - 1.3.0-2 +- Escape macros in %%changelog + +* Fri Dec 08 2017 Javier Martinez Canillas - 1.3.0-1 +- Update to 1.3.0 release + +* Wed Nov 29 2017 Javier Martinez Canillas - 1.3.0-0.1.rc2 +- Update to 1.3.0 release candidate 2 (RHBZ#1508870) +- Remove global pkg_prefix since now the upstream repo and package names match +- Update URLs to point to the new project location +- Remove -Wno-int-in-bool-context compiler flag since now upstream takes care +- Remove %%doc directive since README.md and CHANGELOG.md are not in the tarball +- Add patch to include a LICENSE since the generated tarball does not have it + +* Mon Aug 28 2017 Javier Martinez Canillas - 1.2.0-1 +- Update to 1.2.0 release +- Use tpm2-tss instead of TPM2.0-TSS as prefix since project name changed +- Fix SPEC file access mode +- Include new man pages in %%files directive + +* Fri Aug 18 2017 Javier Martinez Canillas - 1.1.0-3 +- Remove unneeded source tarballs (RHBZ#1482828) + +* Thu Aug 03 2017 Fedora Release Engineering - 1.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Sun Yunying - 1.1.0-1 +- Update to 1.1.0 release + +* Sat Feb 11 2017 Fedora Release Engineering - 1.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Dec 12 2016 Sun Yunying - 1.0-2 +- Remove global macro pkg_version to avoid duplicate of version +- Use ExclusiveArch instead of ExcludeArch +- Use less wildcard in %%files section to be more specific +- Add trailing slash at end of added directory in %%file section +- Remove autoconf/automake/pkgconfig(cmocka) from BuildRequires +- Increase release version to 2 + +* Fri Dec 2 2016 Sun Yunying - 1.0-1 +- Initial version of the package From 600cccae8bfbda6179e65b15bbbca005e94ad786 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Fri, 29 Jul 2022 18:01:56 +0300 Subject: [PATCH 10/21] qubes-builder: set versions from builder Makefile --- Makefile.builder | 4 ++++ efitools.spec.in | 2 +- sbsigntools.spec.in | 2 +- tpm2-tools.spec.in | 2 +- tpm2-tss.spec.in | 2 +- 5 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Makefile.builder b/Makefile.builder index 18d45fe3..3685445a 100644 --- a/Makefile.builder +++ b/Makefile.builder @@ -32,14 +32,18 @@ qubes-safeboot-$(VERSION).tar.gz: $(EFITOOLS): tar --xform='s:$(ORIG_SRC)/efitools:efitools-$(EFITOOLS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(EFITOOLS) $(ORIG_SRC)/efitools + sed -i "s:#VERSION#:$(EFITOOLS_VERSION):" $(CHROOT_DIR)$(DIST_SRC)/efitools.spec.in $(SBSIGNTOOLS): tar --xform='s:$(ORIG_SRC)/sbsigntools:sbsigntools-$(SBSIGNTOOLS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(SBSIGNTOOLS) $(ORIG_SRC)/sbsigntools + sed -i "s:#VERSION#:$(SBSIGNTOOLS_VERSION):" $(CHROOT_DIR)$(DIST_SRC)/sbsigntools.spec.in $(TPM2_TSS): tar --xform='s:$(ORIG_SRC)/tpm2-tss:tpm2-tss-$(TPM2_TSS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(TPM2_TSS) $(ORIG_SRC)/tpm2-tss + sed -i "s:#VERSION#:$(TPM2_TSS_VERSION):" $(CHROOT_DIR)$(DIST_SRC)/tpm2-tss.spec.in $(TPM2_TOOLS): tar --xform='s:$(ORIG_SRC)/tpm2-tools:tpm2-tools-$(TPM2_TOOLS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(TPM2_TOOLS) $(ORIG_SRC)/tpm2-tools + sed -i "s:#VERSION#:$(TPM2_TOOLS_VERSION):" $(CHROOT_DIR)$(DIST_SRC)/tpm2-tools.spec.in # vim: set ft=make: diff --git a/efitools.spec.in b/efitools.spec.in index 1666d238..18e49715 100644 --- a/efitools.spec.in +++ b/efitools.spec.in @@ -1,5 +1,5 @@ Name: efitools -Version: 1.9.2 +Version: #VERSION# Release: 7%{?dist} Summary: Tools to manipulate EFI secure boot keys and signatures License: GPLv2 and LGPLv2 and BSD diff --git a/sbsigntools.spec.in b/sbsigntools.spec.in index f645fa8e..7ed8f4b4 100644 --- a/sbsigntools.spec.in +++ b/sbsigntools.spec.in @@ -2,7 +2,7 @@ %define _warning_options -Wall -Werror=format-security -Wno-deprecated-declarations Name: sbsigntools -Version: 0.9.4 +Version: #VERSION# Release: 8%{?dist} Summary: Signing utility for UEFI secure boot License: GPLv3+ diff --git a/tpm2-tools.spec.in b/tpm2-tools.spec.in index 3f4f49cd..aa0dd5d3 100644 --- a/tpm2-tools.spec.in +++ b/tpm2-tools.spec.in @@ -1,7 +1,7 @@ #global candidate rc2 Name: tpm2-tools -Version: 5.1.0 +Version: #VERSION# Release: 1%{?candidate:.%{candidate}}%{?dist} Summary: A bunch of TPM testing toolS build upon tpm2-tss diff --git a/tpm2-tss.spec.in b/tpm2-tss.spec.in index 6002ee27..8c8ca68f 100644 --- a/tpm2-tss.spec.in +++ b/tpm2-tss.spec.in @@ -1,5 +1,5 @@ Name: tpm2-tss -Version: 3.1.0 +Version: #VERSION# Release: 1%{?dist} Summary: TPM2.0 Software Stack From 664790f0a3f33e3239b30a86de7a4c9e090d95b9 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Tue, 19 Jul 2022 16:46:22 +0300 Subject: [PATCH 11/21] yubikey_daemon condition with KEY_ENGINE --- sbin/safeboot | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sbin/safeboot b/sbin/safeboot index 29318133..3c8312b5 100755 --- a/sbin/safeboot +++ b/sbin/safeboot @@ -505,7 +505,7 @@ pcrs-sign() { target="${2-linux}" linux="$EFIDIR/$target/linux.efi" - [ -f /etc/qubes-release ] || yubikey_daemon + [ -z "$KEY_ENGINE" ] || yubikey_daemon if [ "$prevent_rollback" = "prevent-rollback" ]; then warn "$linux: Incrementing TPM version to prevent rollback" @@ -640,7 +640,7 @@ luks-seal() { shift fi - [ -f /etc/qubes-release ] || yubikey_daemon + [ -z "$KEY_ENGINE" ] || yubikey_daemon KEYSLOT=1 @@ -848,7 +848,7 @@ sign() { OUT="$IN.signed" fi - [ -f /etc/qubes-release ] || yubikey_daemon + [ -z "$KEY_ENGINE" ] || yubikey_daemon sbsign.safeboot \ $KEY_ENGINE \ From d69aec1d687ad0d8138ece4ae8c6f7db488d7f4f Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Tue, 19 Jul 2022 16:56:54 +0300 Subject: [PATCH 12/21] key-init: add nopassword option This could be useful to support unattended updates in a secure environment, such as Qubes OS. --- sbin/safeboot | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/sbin/safeboot b/sbin/safeboot index 3c8312b5..0d521a89 100755 --- a/sbin/safeboot +++ b/sbin/safeboot @@ -163,7 +163,7 @@ key_init_usage=' ## key-init Usage: ``` -safeboot key-init "subject" +safeboot key-init "subject" [nopassword] ``` Generate a new x509 signing key with openssl, writing storing @@ -174,6 +174,10 @@ although if the key is moved to an external device and the `$KEY` variable in `/etc/safeboot/local.conf` updated to point to it, then it will prevent a software-only attack. +Optionally available to disable password protection, which +can be useful to support unattended updates in a secure +environment, such as Qubes OS. + The subject must be written as a "distinguished name": ``` /CN=host.example.com/OU=test/O=example.com/ @@ -188,6 +192,7 @@ key-init() { fi subject="$1" + nopassword="$2" if [ "$KEY" == "pkcs11:" ]; then warn "\$KEY=pkcs11:; updating in local.conf" @@ -217,9 +222,8 @@ key-init() { mv "$CERT" "$CERT.orig" \ || die "$CERT: unable to backup" fi - # Do not encrypt key with Qubes OS to allow unattended updates - if [ -f /etc/qubes-release ]; then - openssl_param+="-nodes" + if [ "$nopassword" == "nopassword" ]; then + openssl_nodes_param="-nodes" fi openssl req \ -new \ @@ -231,7 +235,7 @@ key-init() { -out "$CERT" \ -days "3650" \ -sha256 \ - $openssl_param \ + $openssl_nodes_param \ || die "$KEY: unable to create" # Create a certificate and public key file from the PEM From 72c326aa75f5353bbddf8a3d301d7edd04eac9d8 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Tue, 19 Jul 2022 17:06:07 +0300 Subject: [PATCH 13/21] qubes-safeboot: add linux-firmware update trigger Update qubes.efi after linux-firmware upgrading. --- qubes-safeboot.spec.in | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/qubes-safeboot.spec.in b/qubes-safeboot.spec.in index bb3ac7f7..87338670 100644 --- a/qubes-safeboot.spec.in +++ b/qubes-safeboot.spec.in @@ -35,6 +35,11 @@ if [ -f /boot/efi/EFI/qubes/qubes.efi.signed ]; then /usr/sbin/safeboot qubes-sign fi +%triggerin -- linux-firmware +if [ -f /boot/efi/EFI/qubes/qubes.efi.signed ]; then + /usr/sbin/safeboot qubes-sign +fi + %files %config %{_sysconfdir}/safeboot/safeboot.conf %{_sbindir}/safeboot From 23c8292e44154ecd820db941b4bac2474da06ff9 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Tue, 26 Jul 2022 11:39:25 +0300 Subject: [PATCH 14/21] function.sh: fix efivar_read error with fedora This fixes error: > tail: 'standard input': cannot seek to relative offset 4: Illegal seek --- functions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/functions.sh b/functions.sh index daac0031..944dffb7 100755 --- a/functions.sh +++ b/functions.sh @@ -296,7 +296,7 @@ efivar_write() { efivar_read() { efivar_setup "${1:-}" - tail -c +5 < "$var" + cat "$var" | tail -c +5 } efiboot_entry() { From 84a25a340588f18b6b94aadb136f763cd892b86b Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Wed, 27 Jul 2022 15:13:04 +0300 Subject: [PATCH 15/21] qubes-sign: refactor variables --- sbin/safeboot | 52 +++++++++++++++++++++++++-------------------------- 1 file changed, 25 insertions(+), 27 deletions(-) diff --git a/sbin/safeboot b/sbin/safeboot index 0d521a89..801b25c3 100755 --- a/sbin/safeboot +++ b/sbin/safeboot @@ -82,6 +82,7 @@ fi : "${LINUX_COMMANDLINE:=}" : "${RECOVERY_COMMANDLINE:=${LINUX_COMMANDLINE}}" : "${SEAL_PIN:=1}" +: "${XEN_CONFIG:=$EFIDIR/qubes/xen.cfg}" # # Ensure that there is a valid root device @@ -1181,22 +1182,20 @@ qubes-xen-config(){ show_help "$1" "$qubes_xen_config_usage" rootdev-check - - QUBES_EFIDIR="/boot/efi/EFI/qubes" - xen_config="$QUBES_EFIDIR/xen.cfg" - if [ -f "$xen_config" ]; then + if [ -f "$XEN_CONFIG" ]; then warn "Xen config exists" return fi - QUBES_KVER=$(uname -r) - kernel="vmlinuz-$QUBES_KVER" - [ -f /boot/$kernel ] \ - && cp /boot/$kernel $QUBES_EFIDIR \ + qubes_kver=$(uname -r) + qubes_kernel="$KERNEL-$qubes_kver" + [ -f $kernel ] \ + && cp $qubes_kernel $EFIDIR/qubes \ || die "Kernel image not found!" - ramdisk=initramfs-$QUBES_KVER.img - [ -f /boot/$ramdisk ] \ - && cp /boot/$ramdisk $QUBES_EFIDIR \ + qubes_ramdisk=initramfs-$qubes_kver.img + [ -f /boot/$qubes_ramdisk ] \ + && cp /boot/$qubes_ramdisk $EFIDIR/qubes \ || die "Initrd image not found!" . /etc/default/grub @@ -1206,12 +1205,12 @@ qubes-xen-config(){ ( \ echo "[global]" ; \ - echo "default=$QUBES_KVER" ; \ - echo "[$QUBES_KVER]" ; \ - echo "kernel=$kernel root=$ROOTDEV ro $GRUB_CMDLINE_LINUX" ; \ - echo "ramdisk=$ramdisk" ; \ + echo "default=$qubes_kver" ; \ + echo "[$qubes_kver]" ; \ + echo "kernel=$qubes_kernel root=$ROOTDEV ro $GRUB_CMDLINE_LINUX" ; \ + echo "ramdisk=$qubes_ramdisk" ; \ echo "options=$GRUB_CMDLINE_XEN_DEFAULT" - ) >> $xen_config \ + ) >> $XEN_CONFIG \ || die "Unable create xen.cfg" } @@ -1235,40 +1234,39 @@ qubes-sign() { show_help "$1" "$qubes_sign_usage" - xen_config='/boot/efi/EFI/qubes/xen.cfg' - [ -f "$xen_config" ] \ - && QUBES_KVER=$(awk -F= '/default=/ {print $2}' "$xen_config") \ + [ -f "$XEN_CONFIG" ] \ + && qubes_kver=$(awk -F= '/default=/ {print $2}' "$XEN_CONFIG") \ || qubes-xen-config - xen_efi='/boot/efi/EFI/qubes/xen.efi' + xen_efi="$EFIDIR/qubes/xen.efi" [ -f "$xen_efi" ] \ || die "No xen.efi found!" - qubes_kernel="/boot/efi/EFI/qubes/vmlinuz-$QUBES_KVER" + qubes_kernel="$EFIDIR/qubes/vmlinuz-$qubes_kver" [ -f "$qubes_kernel" ] \ || die "No default kernel found!" - qubes_ramdisk="/boot/efi/EFI/qubes/initramfs-$QUBES_KVER.img" + qubes_ramdisk="$EFIDIR/qubes/initramfs-$qubes_kver.img" [ -f "$qubes_ramdisk" ] \ || die "No default initramfs found!" - qubes_efi='/boot/efi/EFI/qubes/qubes.efi' + qubes_efi="$EFIDIR/qubes/qubes.efi" objcopy \ - --add-section .config="$xen_config" \ + --add-section .config="$XEN_CONFIG" \ --change-section-vma .config=0xffff82d041000000 \ --add-section .kernel="$qubes_kernel" \ --change-section-vma .kernel=0xffff82d041100000 \ --add-section .ramdisk="$qubes_ramdisk" \ --change-section-vma .ramdisk=0xffff82d042000000 \ $xen_efi \ - $qubes_efi \ + $TMP/qubes.efi \ || die "Objcopy failed!" sign \ - $qubes_efi $qubes_efi.signed \ + $TMP/qubes.efi $qubes_efi \ || die "Signing failed!" - qubes_label="Safeboot Qubes OS" + qubes_label="Safeboot Qubes" qubes_entry=$(efiboot_entry "$qubes_label") if [ -z "$qubes_entry" ]; then # determine the device the EFI system partition is on @@ -1282,7 +1280,7 @@ qubes-sign() --disk "$DEV" \ --part $part \ --label "$qubes_label" \ - --loader "\\EFI\\qubes\\qubes.efi.signed" \ + --loader "\\EFI\\qubes\\qubes.efi" \ || die "efibootmgr: failed to create $qubes_label entry" fi } From 4c232cf57a9f9391dd4255ac8f9286c59334d689 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Wed, 27 Jul 2022 17:02:06 +0300 Subject: [PATCH 16/21] luks-seal: add Qubes OS support --- qubes-safeboot.spec.in | 24 +++- qubes/90safeboot/module-setup.sh | 46 +++++++ qubes/90safeboot/qubes-safeboot-unseal | 115 ++++++++++++++++++ .../qubes-safeboot-unseal.service | 1 + .../system/qubes-safeboot-unseal.service | 16 +++ sbin/safeboot | 78 ++++++++---- 6 files changed, 255 insertions(+), 25 deletions(-) create mode 100644 qubes/90safeboot/module-setup.sh create mode 100755 qubes/90safeboot/qubes-safeboot-unseal create mode 120000 qubes/systemd/system/initrd.target.wants/qubes-safeboot-unseal.service create mode 100644 qubes/systemd/system/qubes-safeboot-unseal.service diff --git a/qubes-safeboot.spec.in b/qubes-safeboot.spec.in index 87338670..42e089bc 100644 --- a/qubes-safeboot.spec.in +++ b/qubes-safeboot.spec.in @@ -8,8 +8,12 @@ URL: https://github.com/osresearch/safeboot #Source0: %{url}/archive/refs/tags/release-{version}.tar.gz Source0: %{name}-%{version}.tar.gz +BuildRequires: systemd-rpm-macros + Requires: efitools%{_isa} Requires: sbsigntools%{_isa} +Requires: tpm2-tss%{_isa} +Requires: tpm2-tools%{_isa} Requires: binutils%{_isa} %description @@ -23,21 +27,32 @@ install -m 0755 -D %{_builddir}/%{name}-%{version}/safeboot -t %{buildroot}%{_sb install -m 0644 -D %{_builddir}/%{name}-%{version}/safeboot.conf -t %{buildroot}%{_sysconfdir}/safeboot/ install -m 0644 -D %{_builddir}/%{name}-%{version}/functions.sh -t %{buildroot}/usr/lib/safeboot/ install -m 0755 -D %{_builddir}/%{name}-%{version}/qubes-hooks/kernel-safeboot.install %{buildroot}/usr/lib/kernel/install.d/99-qubes-safeboot.install +install -m 0755 -D 90safeboot/* -t %{buildroot}/usr/lib/dracut/modules.d/90safeboot/ + +install -m 0644 -D systemd/system/qubes-safeboot-unseal.service -t %{buildroot}%{_unitdir}/ +install -m 0755 -d %{buildroot}%{_unitdir}/initrd.target.wants +ln -s ../qubes-safeboot-unseal.service %{buildroot}%{_unitdir}/initrd.target.wants/qubes-safeboot-unseal.service -# symlink since we don't build this tools to Qubes OS +# symlink since we build these packages mkdir -p %{buildroot}%{_bindir} ln -s sbsign %{buildroot}%{_bindir}/sbsign.safeboot ln -s sign-efi-sig-list %{buildroot}%{_bindir}/sign-efi-sig-list.safeboot %triggerin -- xen-hypervisor -if [ -f /boot/efi/EFI/qubes/qubes.efi.signed ]; then +if [ -f /boot/efi/EFI/qubes/qubes.efi ]; then /usr/sbin/safeboot qubes-sign + if grep -q LINUX_TARGET=qubes /etc/safeboot/local.conf; then + /usr/sbin/safeboot pcrs-sign + fi fi %triggerin -- linux-firmware -if [ -f /boot/efi/EFI/qubes/qubes.efi.signed ]; then +if [ -f /boot/efi/EFI/qubes/qubes.efi ]; then /usr/sbin/safeboot qubes-sign + if grep -q LINUX_TARGET=qubes /etc/safeboot/local.conf; then + /usr/sbin/safeboot pcrs-sign + fi fi %files @@ -45,7 +60,8 @@ fi %{_sbindir}/safeboot /usr/lib/safeboot/functions.sh /usr/lib/kernel/install.d/99-qubes-safeboot.install - +/usr/lib/dracut/modules.d/90safeboot/ +%{_unitdir} %{_bindir}/sbsign.safeboot %{_bindir}/sign-efi-sig-list.safeboot diff --git a/qubes/90safeboot/module-setup.sh b/qubes/90safeboot/module-setup.sh new file mode 100644 index 00000000..361a64ae --- /dev/null +++ b/qubes/90safeboot/module-setup.sh @@ -0,0 +1,46 @@ +#!/bin/bash + +check() { + which tpm2 >/dev/null 2>&1 || return 1 +} + + +#depends() { +#} + + +install() { + # Get Safeboot variables + local DIR=/etc/safeboot + [ -f "$dracutsysrootdir"$DIR/safeboot.conf ] && . "$dracutsysrootdir"$DIR/safeboot.conf || : + [ -f "$dracutsysrootdir"$DIR/local.conf ] && . "$dracutsysrootdir"$DIR/local.conf || : + + inst_script "$moddir"/qubes-safeboot-unseal /sbin/qubes-safeboot-unseal + inst_simple "$dracutsysrootdir"$DIR/safeboot.conf $DIR/safeboot.conf + inst_simple "$dracutsysrootdir"$DIR/local.conf $DIR/local.conf + inst_simple "$dracutsysrootdir"${CERT/.pem/.pub} ${CERT/.pem/.pub} + inst_simple "$dracutsysrootdir"/usr/lib/safeboot/functions.sh $DIR/functions.sh + + inst $systemdsystemunitdir/cryptsetup-pre.target + + dracut_install \ + cat \ + cut \ + chmod \ + chattr \ + mount \ + pidof \ + sha256sum \ + tail \ + time \ + touch \ + tpm2 \ + umount \ + xxd + + inst_libdir_file "libtss2-tcti-device.so*" + + dracut_install \ + $systemdsystemunitdir/qubes-safeboot-unseal.service \ + $systemdsystemunitdir/initrd.target.wants/qubes-safeboot-unseal.service +} diff --git a/qubes/90safeboot/qubes-safeboot-unseal b/qubes/90safeboot/qubes-safeboot-unseal new file mode 100755 index 00000000..c0c28ffd --- /dev/null +++ b/qubes/90safeboot/qubes-safeboot-unseal @@ -0,0 +1,115 @@ +#!/bin/bash +# This is run in the initramfs context, not in the normal user space. +# The boot mode should have been extended in the start of the initramfs. +# +# It attempts to unseal the key from the TPM based on the PCRS passed +# on the command line using direct access since there is no resource +# manager. +# +# If successful, PCR14 will be extended to prevent later stages from +# retrieving the decryption key. The key is stored in a kernel key +# ring, so it should not be accessible to even a root user. +# +# If the unsealing fails, fall back to asking for the user's recovery key. +# +# turn off "echo flags are undefined" and external shell scripts +# shellcheck disable=SC2039 disable=SC1091 + +PCRS=0 +BOOTMODE_PCR=14 +TPM_UNSEALED_SECRET="$TMP/safeboot-keyfile" +MODE=qubes +if [ -z "$DIR" ]; then + DIR="/etc/safeboot" +fi + +for script in \ + safeboot.conf \ + local.conf \ + functions.sh \ +; do + if [ -r "$DIR/$script" ]; then + . "$DIR/$script" || warn "$DIR/$script: failed to source" + fi +done + +# Override die to extend the boot mode PCR to indicate the failure +die() { + echo >&2 "$@" + echo -n bootfail | tpm2_extend "$BOOTMODE_PCR" + touch "/tmp/unseal-failed" + exit 1 +} + +# shellcheck disable=SC2013 +echo -n $MODE | tpm2_extend "$BOOTMODE_PCR" +warn "TPM mode=$MODE pcrs=$PCRS $BOOTMODE_PCR" + +tpm2 pcrread >&2 \ + 'sha256:0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16' + +# +# Try to unseal the secret using the TPM, +# the current NV version and optional user PIN. +# +# Extract the signature from the UEFI variable, skipping +# the four-byte UEFI variable header. + +VERSION="$(tpm2 nvread "$TPM_NV_VERSION" | bin2hex)" +TPM_SESSION_TYPE=policy +TPM_POLICY_SIG="$TMP/pcr.policy.sig" + +efivar_read "$PCR_SIGNATURE" > "$TPM_POLICY_SIG" + +tpm2_create_policy "" "$VERSION" + +tpm2 flushcontext --transient-object + +# +# Attempt and unseal, and if successful, write the key +# to stdout as well as extending the boot mode PCR +# +tpm2_unseal() +{ + PIN="$1" + tpm2 unseal \ + --auth "session:$TMP/session.ctx$PIN" \ + --object-context "$TPM_SEALED_HANDLE" \ + --output "$TPM_UNSEALED_SECRET" \ + || return $? + + # Successfully unsealed, extend the bootmode PCR + warn "TPM disk key unsealed" + echo -n postboot | tpm2_extend "$BOOTMODE_PCR" + exit 0 +} + +if [ "$SEAL_PIN" != "1" ]; then + tpm2_unseal "" +else + for tries in 1 2 3; do + while true; do + # Use the askpass program to try to get a pin + # retrieve a tpmtotp attestation so that the user knows + # that the firmware is unmodified and that it is safe to + # enter their credentials. + #totp="$(/usr/sbin/tpm2-totp --time calculate || echo TPM TOTP FAILED)" + msg="Enter Safeboot Password (Try $tries) + +Enter unseal PIN for $CRYPTTAB_SOURCE ($CRYPTTAB_NAME): " + + PIN=$(systemd-ask-password --timeout=0 "$msg" ) + + if [ "$PIN" != "" ]; then + break + fi + done + + # try to unseal with the provided PIN + tpm2_unseal "+$PIN" + done +fi + +# if we ended up here, things are bad. +# The system will re-run the script to try to use the recovery key +die "UNSEALING FAILED" diff --git a/qubes/systemd/system/initrd.target.wants/qubes-safeboot-unseal.service b/qubes/systemd/system/initrd.target.wants/qubes-safeboot-unseal.service new file mode 120000 index 00000000..c75c3d30 --- /dev/null +++ b/qubes/systemd/system/initrd.target.wants/qubes-safeboot-unseal.service @@ -0,0 +1 @@ +../qubes-safeboot-unseal.service \ No newline at end of file diff --git a/qubes/systemd/system/qubes-safeboot-unseal.service b/qubes/systemd/system/qubes-safeboot-unseal.service new file mode 100644 index 00000000..5d71c918 --- /dev/null +++ b/qubes/systemd/system/qubes-safeboot-unseal.service @@ -0,0 +1,16 @@ +[Unit] +Description=Qubes Safeboot unsealing +DefaultDependencies=no +Wants=cryptsetup-pre.target +Before=cryptsetup-pre.target +After=plymouth-start.service +ConditionKernelCommandLine=rd.luks.key=/safeboot-keyfile + +[Service] +Type=oneshot +RemainAfterExit=no +ExecStart=/sbin/qubes-safeboot-unseal +StandardInput=null +StandardOutput=tty +StandardError=journal+console +TimeoutStartSec=300 diff --git a/sbin/safeboot b/sbin/safeboot index 801b25c3..04f65ca4 100755 --- a/sbin/safeboot +++ b/sbin/safeboot @@ -508,7 +508,11 @@ pcrs-sign() { prevent_rollback="${1}" target="${2-linux}" - linux="$EFIDIR/$target/linux.efi" + if [ "$LINUX_TARGET" = "qubes" ]; then + linux="$EFIDIR/qubes/qubes.efi" + else + linux="$EFIDIR/$target/linux.efi" + fi [ -z "$KEY_ENGINE" ] || yubikey_daemon @@ -649,11 +653,21 @@ luks-seal() { KEYSLOT=1 - # check to see if the initramfs hook is installed - if [ ! -x "$PREFIX/etc/initramfs-tools/hooks/safeboot-hooks" ]; then - warn "!!! $PREFIX/etc/initramfs-tools/hooks/safeboot-hooks is not installed; this will probably not work" + if [ -f /etc/qubes-release ]; then + LINUX_TARGET="qubes" + if ! grep -q "LINUX_TARGET=qubes" $PREFIX$DIR/local.conf; then + echo "LINUX_TARGET=qubes" >> $PREFIX$DIR/local.conf + fi + # enable dracut module + if [ ! -r /etc/dracut.conf.d/safeboot.conf ]; then + echo "add_dracutmodules+=\" safeboot \""> safeboot.conf + fi + else + # check to see if the initramfs hook is installed + if [ ! -x "$PREFIX/etc/initramfs-tools/hooks/safeboot-hooks" ]; then + warn "!!! $PREFIX/etc/initramfs-tools/hooks/safeboot-hooks is not installed; this will probably not work" + fi fi - # and make sure that the unlock script is installed as expected if [ ! -x "$PREFIX/usr/sbin/safeboot" ]; then warn "!!! $PREFIX/usr/sbin/safeboot is not installed; this will probably not work" @@ -766,16 +780,28 @@ luks-seal() { "$TPM_SEALED_HANDLE" \ || die "Unable to persist sealed data into the TPM" - # make sure the crypttab has the unlock script referenced - if ! grep keyscript "$PREFIX/etc/crypttab" > /dev/null ; then - warn "adding crypttab unseal script" - sed \ - -i.orig \ - 's: luks: keyscript=/usr/sbin/safeboot-tpm-unseal,luks:' \ - $PREFIX/etc/crypttab \ - || die "$PREFIX/etc/crypttab: unable to add keyscript" - - need_update_initramfs=1 + if [ -f /etc/qubes-release ]; then + if ! grep -q keyfile "$XEN_CONFIG"; then + warn "adding keyfile kernel cmdline parameter" + sed -r \ + -i.orig \ + 's:^kernel=(.*)$:kernel=\1 rd.luks.crypttab=no rd.luks.key=/safeboot-keyfile:' \ + $XEN_CONFIG \ + || die "$XEN_CONFIG: unable add keyfile option" + need_update_initramfs=1 + fi + else + # make sure the crypttab has the unlock script referenced + if ! grep keyscript "$PREFIX/etc/crypttab" > /dev/null ; then + warn "adding crypttab unseal script" + sed \ + -i.orig \ + 's: luks: keyscript=/usr/sbin/safeboot-tpm-unseal,luks:' \ + $PREFIX/etc/crypttab \ + || die "$PREFIX/etc/crypttab: unable to add keyscript" + + need_update_initramfs=1 + fi fi # ask for the disk encryption key @@ -809,13 +835,23 @@ luks-seal() { warn "$dev: sealed with PCR $PCRS,$BOOTMODE_PCR" if [ -n "$need_update_initramfs" ]; then - warn "-------- Need to update initramfs --------" - update-initramfs -u \ - || die "Unable to update initramfs" + if [ -f /etc/qubes-release ]; then + warn "-------- Need to update initramfs --------" + dracut -f --kver $(uname -r) "$EFIDIR"/qubes/initramfs-$(uname -r).img \ + || die "Unable to update initramfs" + + warn "-------- Need to sign new boot module --------" + qubes-sign \ + || die "Unable to sign qubes.efi" + else + warn "-------- Need to update initramfs --------" + update-initramfs -u \ + || die "Unable to update initramfs" - warn "-------- Need to sign new kernel --------" - linux-sign "$LINUX_TARGET" \ - || die "Unable to sign kernel" + warn "-------- Need to sign new kernel --------" + linux-sign "$LINUX_TARGET" \ + || die "Unable to sign kernel" + fi fi warn "-------- Need to sign PCR and counter values --------" From edd216a302accd720195c66c7878571eedb238d8 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Sat, 30 Jul 2022 21:00:02 +0300 Subject: [PATCH 17/21] luks-seal: fix dracut config setup --- sbin/safeboot | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sbin/safeboot b/sbin/safeboot index 04f65ca4..58c945de 100755 --- a/sbin/safeboot +++ b/sbin/safeboot @@ -660,7 +660,7 @@ luks-seal() { fi # enable dracut module if [ ! -r /etc/dracut.conf.d/safeboot.conf ]; then - echo "add_dracutmodules+=\" safeboot \""> safeboot.conf + echo "add_dracutmodules+=\" safeboot \""> /etc/dracut.conf.d/safeboot.conf fi else # check to see if the initramfs hook is installed From 070cb73d5c95927667058ab42aa3fe1ebccae7bf Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Sun, 31 Jul 2022 10:11:04 +0300 Subject: [PATCH 18/21] qubes-hooks: add pcrs-sign after kernel update --- qubes/qubes-hooks/kernel-safeboot.install | 3 +++ 1 file changed, 3 insertions(+) diff --git a/qubes/qubes-hooks/kernel-safeboot.install b/qubes/qubes-hooks/kernel-safeboot.install index c00c4bf5..60d02074 100644 --- a/qubes/qubes-hooks/kernel-safeboot.install +++ b/qubes/qubes-hooks/kernel-safeboot.install @@ -2,4 +2,7 @@ if [ -f /boot/efi/EFI/qubes/qubes.efi.signed ]; then safeboot qubes-sign + if grep -q LINUX_TARGET=qubes /etc/safeboot/local.conf; then + /usr/sbin/safeboot pcrs-sign + fi fi From 8c22c8e1973d3059c4656e2b6b5fda7a8e8e5874 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Sun, 31 Jul 2022 10:25:54 +0300 Subject: [PATCH 19/21] qubes-builder: remove additional builds Backported packages are available in Qubes OS repos. --- Makefile | 8 - Makefile.builder | 35 +--- efitools.spec.in | 89 --------- sbsigntools-dont-ignore-errors.patch | 59 ------ sbsigntools-gnuefi.patch | 69 ------- sbsigntools.spec.in | 139 ------------- tpm2-tools.spec.in | 264 ------------------------- tpm2-tss-3.0.0-doxygen.patch | 15 -- tpm2-tss.spec.in | 281 --------------------------- 9 files changed, 1 insertion(+), 958 deletions(-) delete mode 100644 efitools.spec.in delete mode 100644 sbsigntools-dont-ignore-errors.patch delete mode 100644 sbsigntools-gnuefi.patch delete mode 100644 sbsigntools.spec.in delete mode 100644 tpm2-tools.spec.in delete mode 100644 tpm2-tss-3.0.0-doxygen.patch delete mode 100644 tpm2-tss.spec.in diff --git a/Makefile b/Makefile index da1f91c4..190f4ec5 100644 --- a/Makefile +++ b/Makefile @@ -627,11 +627,3 @@ qemu-server: \ -kill `cat $(TPM_PID)` @-$(RM) "$(TPM_PID)" "$(TPMSOCK)" -get-sources: - git submodule update --init --recursive efitools - git submodule update --init --recursive --recommend-shallow sbsigntools - git submodule update --init --recursive --recommend-shallow tpm2-tss - git submodule update --init --recursive --recommend-shallow tpm2-tools - -verify-sources: - @true diff --git a/Makefile.builder b/Makefile.builder index 3685445a..66cb3144 100644 --- a/Makefile.builder +++ b/Makefile.builder @@ -1,49 +1,16 @@ ifeq ($(PACKAGE_SET),dom0) RPM_SPEC_FILES := qubes-safeboot.spec -ifeq ($(DIST_DOM0), fc32) -RPM_SPEC_FILES += sbsigntools.spec efitools.spec tpm2-tss.spec tpm2-tools.spec -endif endif NO_ARCHIVE := 1 VERSION ?= $(file <$(ORIG_SRC)/version) -EFITOOLS_VERSION = 1.9.2 -SBSIGNTOOLS_VERSION = 0.9.4 -TPM2_TSS_VERSION = 3.1.0 -TPM2_TOOLS_VERSION = 5.1.1 - -EFITOOLS = efitools-$(EFITOOLS_VERSION).tar.gz -SBSIGNTOOLS = sbsigntools-$(SBSIGNTOOLS_VERSION).tar.gz -TPM2_TSS = tpm2-tss-$(TPM2_TSS_VERSION).tar.gz -TPM2_TOOLS = tpm2-tools-$(TPM2_TOOLS_VERSION).tar.gz - -SOURCES = qubes-safeboot-$(VERSION).tar.gz \ - $(SBSIGNTOOLS) \ - $(TPM2_TSS) \ - $(TPM2_TOOLS) \ - $(EFITOOLS) +SOURCES = qubes-safeboot-$(VERSION).tar.gz SOURCE_COPY_IN := $(SOURCES) qubes-safeboot-$(VERSION).tar.gz: tar --xform='s:$(ORIG_SRC)/qubes:qubes-safeboot-$(VERSION):' -czhf $(CHROOT_DIR)$(DIST_SRC)/qubes-safeboot-$(VERSION).tar.gz $(ORIG_SRC)/qubes -$(EFITOOLS): - tar --xform='s:$(ORIG_SRC)/efitools:efitools-$(EFITOOLS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(EFITOOLS) $(ORIG_SRC)/efitools - sed -i "s:#VERSION#:$(EFITOOLS_VERSION):" $(CHROOT_DIR)$(DIST_SRC)/efitools.spec.in - -$(SBSIGNTOOLS): - tar --xform='s:$(ORIG_SRC)/sbsigntools:sbsigntools-$(SBSIGNTOOLS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(SBSIGNTOOLS) $(ORIG_SRC)/sbsigntools - sed -i "s:#VERSION#:$(SBSIGNTOOLS_VERSION):" $(CHROOT_DIR)$(DIST_SRC)/sbsigntools.spec.in - -$(TPM2_TSS): - tar --xform='s:$(ORIG_SRC)/tpm2-tss:tpm2-tss-$(TPM2_TSS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(TPM2_TSS) $(ORIG_SRC)/tpm2-tss - sed -i "s:#VERSION#:$(TPM2_TSS_VERSION):" $(CHROOT_DIR)$(DIST_SRC)/tpm2-tss.spec.in - -$(TPM2_TOOLS): - tar --xform='s:$(ORIG_SRC)/tpm2-tools:tpm2-tools-$(TPM2_TOOLS_VERSION):' -czf $(CHROOT_DIR)$(DIST_SRC)/$(TPM2_TOOLS) $(ORIG_SRC)/tpm2-tools - sed -i "s:#VERSION#:$(TPM2_TOOLS_VERSION):" $(CHROOT_DIR)$(DIST_SRC)/tpm2-tools.spec.in - # vim: set ft=make: diff --git a/efitools.spec.in b/efitools.spec.in deleted file mode 100644 index 18e49715..00000000 --- a/efitools.spec.in +++ /dev/null @@ -1,89 +0,0 @@ -Name: efitools -Version: #VERSION# -Release: 7%{?dist} -Summary: Tools to manipulate EFI secure boot keys and signatures -License: GPLv2 and LGPLv2 and BSD - -# call-to-mktemp: -# https://github.com/vathpela/efitools/issues/2 -#URL: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git -#Source0: %{url}/snapshot/%{name}-%{version}.tar.gz -Source0: %{name}-%{version}.tar.gz - -# same as gnu-efi -ExclusiveArch: %{efi} - -BuildRequires: pkgconfig(openssl) - -BuildRequires: gcc -BuildRequires: gnu-efi-devel -BuildRequires: help2man -BuildRequires: openssl -BuildRequires: perl-File-Slurp -BuildRequires: sbsigntools - -Requires: coreutils%{_isa} -Requires: mtools%{_isa} -Requires: parted%{_isa} -Requires: util-linux%{_isa} -Recommends: sbsigntools%{_isa} - -%description -This package installs a variety of tools for manipulating keys and binary -signatures on UEFI secure boot platforms. -The tools provide access to the keys and certificates stored in the -secure variables of the UEFI firmware, usually in the NVRAM area. - -%prep -%autosetup - -%build -%set_build_flags -%make_build -j1 - -%install -%make_install DOCDIR=%{buildroot}%{_docdir}/%{name}/ CFLAGS="%{optflags}" - -rm -v %{buildroot}%{_docdir}/%{name}/COPYING - -%files -%doc README -%license COPYING - -%{_datadir}/%{name}/ -%{_mandir}/man1/*.1.* - -%{_bindir}/cert-to-efi-hash-list -%{_bindir}/cert-to-efi-sig-list -%{_bindir}/efi-readvar -%{_bindir}/efi-updatevar -%{_bindir}/efitool-mkusb -%{_bindir}/flash-var -%{_bindir}/hash-to-efi-sig-list -%{_bindir}/sig-list-to-certs -%{_bindir}/sign-efi-sig-list - -%changelog -* Thu Jan 20 2022 Fedora Release Engineering - 1.9.2-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Tue Sep 14 2021 Sahana Prasad - 1.9.2-6 -- Rebuilt with OpenSSL 3.0.0 - -* Wed Jul 21 2021 Fedora Release Engineering - 1.9.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Sun Mar 07 2021 Vladislav Kazakov - 1.9.2-4 -- Fix incorrect build. - -* Sat Feb 06 2021 Vladislav Kazakov - 1.9.2-3 -- Add system flags to CFLAGS. -- Remove i686 support. - -* Sun Jan 31 2021 Vladislav Kazakov - 1.9.2-2 -- Add BSD license. -- Rename LGPLv2.1 to LGPLv2. -- Add reference to issue about mktemp usage. - -* Sun Jan 17 2021 Vladislav Kazakov - 1.9.2-1 -- Initial SPEC release. diff --git a/sbsigntools-dont-ignore-errors.patch b/sbsigntools-dont-ignore-errors.patch deleted file mode 100644 index 11bed89c..00000000 --- a/sbsigntools-dont-ignore-errors.patch +++ /dev/null @@ -1,59 +0,0 @@ -From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001 -From: dann frazier -Date: Wed, 12 Aug 2020 15:27:08 -0600 -Subject: sbkeysync: Don't ignore errors from insert_new_keys() - -If insert_new_keys() fails, say due to a full variable store, we currently -still exit(0). This can make it difficult to know something is wrong. -For example, Debian and Ubuntu implement a secureboot-db systemd service -to update the DB and DBX, which calls: - - ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose - -But although this seemed to succeed on my system, looking at the logs shows -a different story: - -Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx -Error writing key update: Invalid argument -Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin - -Signed-off-by: dann frazier -Signed-off-by: James Bottomley ---- - src/sbkeysync.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/sbkeysync.c b/src/sbkeysync.c -index e51f177..7748990 100644 ---- a/src/sbkeysync.c -+++ b/src/sbkeysync.c -@@ -889,10 +889,12 @@ int main(int argc, char **argv) - { - bool use_default_keystore_dirs; - struct sync_context *ctx; -+ int rc; - - use_default_keystore_dirs = true; - ctx = talloc_zero(NULL, struct sync_context); - list_head_init(&ctx->new_keys); -+ rc = EXIT_SUCCESS; - - for (;;) { - int idx, c; -@@ -985,10 +987,10 @@ int main(int argc, char **argv) - if (ctx->verbose) - print_new_keys(ctx); - -- if (!ctx->dry_run) -- insert_new_keys(ctx); -+ if (!ctx->dry_run && insert_new_keys(ctx)) -+ rc = EXIT_FAILURE; - - talloc_free(ctx); - -- return EXIT_SUCCESS; -+ return rc; - } --- -cgit 1.2.3-1.el7 - diff --git a/sbsigntools-gnuefi.patch b/sbsigntools-gnuefi.patch deleted file mode 100644 index 2e288835..00000000 --- a/sbsigntools-gnuefi.patch +++ /dev/null @@ -1,69 +0,0 @@ -diff -up sbsigntools-0.9.3/configure.ac.gnu-efi sbsigntools-0.9.3/configure.ac ---- sbsigntools-0.9.3/configure.ac.gnu-efi 2020-02-03 09:38:56.000000000 +0100 -+++ sbsigntools-0.9.3/configure.ac 2020-02-04 09:48:53.011259075 +0100 -@@ -64,19 +64,30 @@ PKG_CHECK_MODULES(uuid, uuid, - AC_MSG_ERROR([libuuid (from the uuid package) is required])) - - dnl gnu-efi headers require extra include dirs --EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/') --AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ]) -+EFI_ARCH=$(uname -m | sed -e 's/i.86/ia32/;s/arm.*/arm/' -e 's/x86_64/x64/' -e 's/aarch64/aa64/') -+AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aa64" ]) - - ## - # no consistent view of where gnu-efi should dump the efi stuff, so find it - ## --for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do -- if test -e $path/crt0-efi-$EFI_ARCH.o; then -+AC_MSG_CHECKING([gnu-efi crt path]) -+for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi /usr/lib/gnuefi/$EFI_ARCH ; do -+ if test -e $path/crt0.o; then - CRTPATH=$path -+ CRT=crt0.o -+ LDS=efi.lds -+ EFI_PATH=$path -+ elif test -e $path/crt0-efi-$EFI_ARCH.o; then -+ CRTPATH=$path -+ CRT=crt0-efi-${EFI_ARCH}.o -+ LDS=elf_${EFI_ARCH}_efi.lds -+ EFI_PATH=$libdir - fi - done - if test -z "$CRTPATH"; then - AC_MSG_ERROR([cannot find the gnu-efi crt path]) -+else -+ AC_MSG_RESULT($CRTPATH) - fi - - EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \ -@@ -88,6 +99,9 @@ CPPFLAGS="$CPPFLAGS_save" - AC_SUBST(EFI_CPPFLAGS, $EFI_CPPFLAGS) - AC_SUBST(EFI_ARCH, $EFI_ARCH) - AC_SUBST(CRTPATH, $CRTPATH) -+AC_SUBST(CRT, $CRT) -+AC_SUBST(LDS, $LDS) -+AC_SUBST(EFI_PATH, $EFI_PATH) - - AC_CONFIG_FILES([Makefile src/Makefile lib/ccan/Makefile] - [docs/Makefile tests/Makefile]) -diff -up sbsigntools-0.9.3/tests/Makefile.am.gnu-efi sbsigntools-0.9.3/tests/Makefile.am ---- sbsigntools-0.9.3/tests/Makefile.am.gnu-efi 2020-02-03 09:38:56.000000000 +0100 -+++ sbsigntools-0.9.3/tests/Makefile.am 2020-02-04 09:47:44.786665340 +0100 -@@ -14,7 +14,7 @@ if TEST_BINARY_FORMAT - EFILDFLAGS = --defsym=EFI_SUBSYSTEM=0x0a - FORMAT = -O binary - else --FORMAT = --target=efi-app-$(EFI_ARCH) -+FORMAT = --target=efi-app-$(EFI_ARCH:x64=x86_64) - endif - check_DATA = $(test_key) $(test_cert) - check_SCRIPTS = test-wrapper.sh -@@ -27,7 +27,7 @@ check_SCRIPTS = test-wrapper.sh - $(FORMAT) $^ $@ - - .$(OBJEXT).elf: -- $(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/crt0-efi-$(EFI_ARCH).o -T elf_$(EFI_ARCH)_efi.lds $< -o $@ -lefi -lgnuefi -+ $(LD) $(EFILDFLAGS) -nostdlib -L /usr/lib -L /usr/lib64 -L $(CRTPATH) -shared -Bsymbolic $(CRTPATH)/$(CRT) -T $(LDS) $< -o $@ $(EFI_PATH)/libefi.a $(EFI_PATH)/libgnuefi.a - - AM_CFLAGS=-fpic -I/usr/include/efi -I/usr/include/efi/$(EFI_ARCH) - diff --git a/sbsigntools.spec.in b/sbsigntools.spec.in deleted file mode 100644 index 7ed8f4b4..00000000 --- a/sbsigntools.spec.in +++ /dev/null @@ -1,139 +0,0 @@ -%bcond_without check -%define _warning_options -Wall -Werror=format-security -Wno-deprecated-declarations - -Name: sbsigntools -Version: #VERSION# -Release: 8%{?dist} -Summary: Signing utility for UEFI secure boot -License: GPLv3+ -URL: https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools -Source0: %{name}-%{version}.tar.gz - -# add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a -Patch1: %{name}-gnuefi.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1955828 -Patch2: %{name}-dont-ignore-errors.patch -# https://groups.io/g/sbsigntools/message/54 -#Patch3: %{name}-openssl3.patch - -# same as gnu-efi -ExclusiveArch: x86_64 aarch64 %{arm} %{ix86} -BuildRequires: make -BuildRequires: automake -BuildRequires: binutils-devel -BuildRequires: gcc -BuildRequires: gnu-efi-devel >= 1:3.0.8-3 -BuildRequires: help2man -BuildRequires: libuuid-devel -%if %{with check} -BuildRequires: openssl -%endif -BuildRequires: openssl-devel -Provides: bundled(ccan-array_size) -Provides: bundled(ccan-build_assert) -Provides: bundled(ccan-check_type) -Provides: bundled(ccan-compiler) -Provides: bundled(ccan-container_of) -Provides: bundled(ccan-endian) -Provides: bundled(ccan-failtest) -Provides: bundled(ccan-hash) -Provides: bundled(ccan-htable) -Provides: bundled(ccan-list) -Provides: bundled(ccan-read_write_all) -Provides: bundled(ccan-str) -Provides: bundled(ccan-talloc) -Provides: bundled(ccan-tcon) -Provides: bundled(ccan-time) -Provides: bundled(ccan-tlist) -Provides: bundled(ccan-typesafe_cb) - -%description -Tools to add signatures to EFI binaries and Drivers. - -%prep -%autosetup -p1 - -%build -./autogen.sh -%configure -%make_build - -%install -%make_install - -%if %{with check} -%check -make check -%endif - -%files -%license COPYING LICENSE.GPLv3 lib/ccan/licenses/* -%doc AUTHORS ChangeLog -%{_bindir}/sbattach -%{_bindir}/sbkeysync -%{_bindir}/sbsiglist -%{_bindir}/sbsign -%{_bindir}/sbvarsign -%{_bindir}/sbverify -%{_mandir}/man1/sbattach.1.* -%{_mandir}/man1/sbkeysync.1.* -%{_mandir}/man1/sbsiglist.1.* -%{_mandir}/man1/sbsign.1.* -%{_mandir}/man1/sbvarsign.1.* -%{_mandir}/man1/sbverify.1.* - -%changelog -* Sat Jan 22 2022 Fedora Release Engineering - 0.9.4-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Fri Nov 19 2021 Dominik Mierzejewski - 0.9.4-7 -- fix build with OpenSSL 3.0.0 (fixes rhbz#2021909) - -* Tue Sep 14 2021 Sahana Prasad - 0.9.4-6 -- Rebuilt with OpenSSL 3.0.0 - -* Fri Jul 23 2021 Fedora Release Engineering - 0.9.4-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Mon May 17 2021 Dominik Mierzejewski - 0.9.4-4 -- don't ignore errors from sbkeysync (fixes rhbz#1955828) - -* Wed Jan 27 2021 Fedora Release Engineering - 0.9.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Wed Jul 29 2020 Fedora Release Engineering - 0.9.4-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Fri Jul 03 2020 Dominik Mierzejewski - 0.9.4-1 -- update to 0.9.4 (#1846578) - -* Mon Feb 03 2020 Dominik Mierzejewski - 0.9.3-1 -- update to 0.9.3 -- update bundled CCAN components list -- support building with gnu-efi 3.0.11 - -* Thu Jan 30 2020 Fedora Release Engineering - 0.9.2-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Fri Jul 26 2019 Fedora Release Engineering - 0.9.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Thu Feb 28 2019 Dominik Mierzejewski - 0.9.2-1 -- update to 0.9.2 - -* Sat Feb 02 2019 Fedora Release Engineering - 0.9.1-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Wed Jul 25 2018 Dominik Mierzejewski - 0.9.1-3 -- fix paths to gnu-efi (work around #1608293) - -* Sat Jul 14 2018 Fedora Release Engineering - 0.9.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Thu Feb 22 2018 Dominik Mierzejewski - 0.9.1-1 -- update to 0.9.1 -- add Fedora gnu-efi libs location to search path -- link tests statically against gnu-efi libs, there are no shared versions - -* Mon Sep 4 2017 Dominik Mierzejewski - 0.8-1 -- initial build diff --git a/tpm2-tools.spec.in b/tpm2-tools.spec.in deleted file mode 100644 index aa0dd5d3..00000000 --- a/tpm2-tools.spec.in +++ /dev/null @@ -1,264 +0,0 @@ -#global candidate rc2 - -Name: tpm2-tools -Version: #VERSION# -Release: 1%{?candidate:.%{candidate}}%{?dist} -Summary: A bunch of TPM testing toolS build upon tpm2-tss - -License: BSD -URL: https://github.com/tpm2-software/tpm2-tools -Source0: %{name}-%{version}%{?candidate:-%{candidate}}.tar.gz - -BuildRequires: autoconf -BuildRequires: automake -BuildRequires: make -BuildRequires: git -BuildRequires: gcc-c++ -BuildRequires: libtool -BuildRequires: autoconf-archive -BuildRequires: pandoc -BuildRequires: pkgconfig(cmocka) -BuildRequires: pkgconfig(libcurl) -BuildRequires: pkgconfig(openssl) -# tpm2-tss-devel provides tss2-mu/sys/esys package config -BuildRequires: pkgconfig(tss2-mu) >= 3.1.0 -BuildRequires: pkgconfig(tss2-sys) >= 3.1.0 -BuildRequires: pkgconfig(tss2-esys) >= 3.1.0 -BuildRequires: pkgconfig(uuid) - -# tpm2-tools is heavily depending on TPM2.0-TSS project, matched tss is required -Requires: tpm2-tss%{?_isa} >= 3.1.0 - -%description -tpm2-tools is a batch of tools for tpm2.0. It is based on tpm2-tss. - -%prep -%autosetup -p1 -n %{name}-%{version}%{?candidate:-%{candidate}} - -%build -# There is no git info because of submodule -sed -i "s/m4_esyscmd_s(\[git describe --tags --always --dirty\])/%{version}/" configure.ac -./bootstrap - -# LTO exposes a latent uninitialized variable "value" in the function # "nt". -# This has been reported to the maintainer (Yunying), but they have not -# responded and I am not comfortable enough with the code to know if a trivial -# initialization to zero is appropriate/safe. So LTO is disabled for now. -%define _lto_cflags %{nil} -%configure --prefix=/usr --disable-static --disable-silent-rules -%make_build - -%install -%make_install - -%files -%license doc/LICENSE -%doc README.md doc/CHANGELOG.md -%{_bindir}/tpm2 -%{_bindir}/tpm2_* -%{_bindir}/tss2 -%{_bindir}/tss2_* -%{_datadir}/bash-completion/completions/tpm2* -%{_datadir}/bash-completion/completions/tss2* -%{_mandir}/man1/tpm2_*.1.gz -%{_mandir}/man1/tpm2.1.gz -%{_mandir}/man1/tss2_*.1.gz - -%changelog -* Mon Jun 21 2021 Peter Robinson - 5.1.1-1 -- Update to 5.1.1 -- Fixes CVE-2021-3565 (rhbz 1964428) - -* Tue May 25 2021 Peter Robinson - 5.1-1 -- Update to 5.1 - -* Wed Jan 27 2021 Fedora Release Engineering - 5.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Mon Nov 23 2020 Peter Robinson - 5.0-1 -- Update tp tpm2-tools 5.0 - -* Sat Aug 29 2020 Peter Robinson - 4.3.0-1 -- Update to 4.3.0 - -* Mon Aug 10 2020 Peter Robinson - 4.2.1-4 -- Rebuild for tpm2-tss 3.0 - -* Wed Jul 29 2020 Fedora Release Engineering - 4.2.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jun 30 2020 Jeff Law - 4.2.1-2 -- Disable LTO due to latent uninitialized variable exposed by LTO - -* Wed May 27 2020 Peter Robinson - 4.2.1-1 -- Update to 4.2.1 - -* Tue Apr 14 2020 Peter Robinson - 4.2-1 -- Update to 4.2 - -* Fri Jan 31 2020 Fedora Release Engineering - 4.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Thu Nov 28 2019 Yunying Sun - 4.1-1 -- Update to 4.1 release - -* Tue Oct 29 2019 Yunying Sun - 4.0.1-1 -- Update to 4.0.1 release - -* Tue Sep 10 2019 Peter Robinson 4.0-1 -- Update to 4.0 - -* Fri Sep 6 2019 Javier Martinez Canillas 4.0-0.4-rc2 -- Use a release tarball instead of a source code tarball - -* Fri Sep 6 2019 Peter Robinson 4.0-0.3-rc2 -- Update to 4.0 RC2 - -* Tue Aug 27 2019 Peter Robinson 4.0-0.2-rc1 -- Update to 4.0 RC1 - -* Tue Aug 20 2019 Peter Robinson 4.0-0.1-rc0 -- Update to 4.0 RC0 - -* Thu Aug 1 2019 Peter Robinson 3.2.0-3 -- Fix for crash for max PCRs available - -* Sat Jul 27 2019 Fedora Release Engineering - 3.2.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Fri Jun 21 2019 Yunying Sun - 3.2.0-1 -- Update to 3.2.0 release -- Removed patches since all have been included in 3.2.0 release - -* Fri May 10 2019 Javier Martinez Canillas - 3.1.4-2 -- Allow tpm2_makecredential to run without a TPM (jetwhiz) -- Add tpm2_pcrreset and tpm2_checkquote tools (jetwhiz) - -* Fri Mar 15 2019 Yunying Sun - 3.1.4-1 -- Update to 3.1.4 release -- Removed the 4 patches since all have been included in 3.1.4 release - -* Sun Feb 03 2019 Fedora Release Engineering - 3.1.3-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Jan 7 2019 Javier Martinez Canillas - 3.1.3-3 -- Fix broken -T option when passing additional arguments - -* Mon Jan 7 2019 Javier Martinez Canillas - 3.1.3-2 -- Fix broken -T option and a couple of minor fixes -- Add pandoc BuildRequires - -* Wed Nov 7 2018 Yunying Sun - 3.1.3-1 -- Update to 3.1.3 release - -* Wed Sep 12 2018 Javier Martinez Canillas - 3.1.2-1 -- Update to 3.1.2 release -- Restore TCTI configuration environment for tools -- Restore tpm2_getcap tool properties output - Resolves: rhbz#1625647 - -* Sat Jul 14 2018 Javier Martinez Canillas - 3.1.1-3 -- Revert backward incompatible change that removes default object attributes - -* Sat Jul 14 2018 Fedora Release Engineering - 3.1.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Thu Jul 12 2018 Yunying Sun - 3.1.1-1 -- Update to 3.1.1 release - -* Thu Jul 5 2018 Yunying Sun - 3.1.0-1 -- Update Requires version of tpm2-tss to 2.0.0 -- Remove BuildRequires for tcti-abrmd since it is optional -- Remove BuildRequires for tcti-{device,mssim} as it is now dynamically loaded -- Update to 3.1.0 release - -* Mon Apr 30 2018 Javier Martinez Canillas - 3.0.4-1 -- Update URLs to point to the new project location -- Update to 3.0.4 release - -* Wed Feb 21 2018 Javier Martinez Canillas - 3.0.3-3 -- Remove ExclusiveArch: x86_64 directive - -* Fri Feb 09 2018 Fedora Release Engineering - 3.0.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Tue Jan 16 2018 Javier Martinez Canillas - 3.0.3-1 -- Update to 3.0.3 release - -* Mon Dec 18 2017 Javier Martinez Canillas - 3.0.2-1 -- Update to 3.0.2 release - -* Tue Dec 12 2017 Javier Martinez Canillas - 3.0.1-1 -- Update to 3.0.1 release (RHBZ#1512743) -- Download the generated tarball provided instead of the source code tarball - -* Fri Dec 08 2017 Javier Martinez Canillas - 3.0-1 -- Update to 3.0 release - -* Wed Nov 29 2017 Javier Martinez Canillas - 3.0-0.1.rc1 -- Update to 3.0 release candidate 1 -- Update URLs to point to the new project location -- Make the package to obsolete version 2.1.1 - -* Wed Nov 01 2017 Javier Martinez Canillas - 2.1.1-1 -- Rename remaining tpm2.0-tools prefixes to tpm2-tools -- Remove global pkg_prefix since now the upstream repo and package names match -- Remove downstream patches since now these are in the latest upstream release -- Update to 2.1.1 release (RHBZ#1504438) - -* Thu Oct 19 2017 Jerry Snitselaar - 2.1.0-7 -- Clean up potential memleak (RHBZ#1503959) - -* Thu Oct 05 2017 Javier Martinez Canillas - 2.1.0-6 -- Add tpm2-abrmd-devel BuildRequires so tools have abrmd support (RHBZ#1498909) - -* Fri Aug 18 2017 Javier Martinez Canillas - 2.1.0-5 -- Remove unneeded source tarballs (RHBZ#1482830) - -* Tue Aug 15 2017 Sun Yunying - 2.1.0-4 -- Add patch to fix build error when openssl-devel is installed(RHBZ#1481236) - -* Thu Aug 03 2017 Fedora Release Engineering - 2.1.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Mon Jul 31 2017 Sun Yunying - 2.1.0-2 -- Add patch to fix gcc7 complaining about implicit-fallthrough cases - -* Fri Jul 28 2017 Sun Yunying - 2.1.0-1 -- Update to latest upstream release 2.1.0 - -* Fri Jul 28 2017 Sun Yunying - 1.1.0-9 -- Update Requires dependency so that tpm2-tss update won't break tpm2-tools - -* Thu Jul 27 2017 Fedora Release Engineering - 1.1.0-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Wed May 10 2017 Sun Yunying - 1.1.0-7 -- Only update release version to make fedpkg build works for f26 - -* Wed Mar 1 2017 Sun Yunying - 1.1.0-6 -- Update tpm2-tss version to 1.0-3 to fix broken dependency on f26 - -* Sat Feb 11 2017 Fedora Release Engineering - 1.1.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Fri Jan 20 2017 Sun Yunying - 1.1.0-4 -- Dependency check failed for Requires again, here to fix this -- Update release version and changelog - -* Thu Jan 19 2017 Sun Yunying - 1.1.0-3 -- Change spec file permission to 644 to avoid rpmlint complain -- Update Requires to fix dependency check error reported in Bodhi -- Remove tpm2-tss-devel version in BuildRequires comment -- Update release version and changelog - -* Wed Dec 21 2016 Sun Yunying - 1.1.0-2 -- Remove pkg_version to avoid dupliate use of version -- Remove redundant BuildRequires for autoconf/automake/pkgconfig -- Add comments for BuildRequires of sapi/tcti-device/tcti-socket -- Use ExclusiveArch instead of ExcludeArch -- Requires tpm2-tss version updated to 1.0-2 -- Updated release version and changelog - -* Fri Dec 2 2016 Sun Yunying - 1.1.0-1 -- Initial version of the package diff --git a/tpm2-tss-3.0.0-doxygen.patch b/tpm2-tss-3.0.0-doxygen.patch deleted file mode 100644 index 2f824729..00000000 --- a/tpm2-tss-3.0.0-doxygen.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up tpm2-tss-3.0.0/Doxyfile.in.me tpm2-tss-3.0.0/Doxyfile.in ---- tpm2-tss-3.0.0/Doxyfile.in.me 2020-09-15 20:24:26.463314644 +0200 -+++ tpm2-tss-3.0.0/Doxyfile.in 2020-09-15 20:26:29.010866650 +0200 -@@ -947,7 +947,10 @@ EXCLUDE_PATTERNS = - # Note that the wildcards are matched against the file with absolute path, so to - # exclude all test directories use the pattern */test/* - --EXCLUDE_SYMBOLS = *_IN IESYS_CMD_IN_PARAM -+EXCLUDE_SYMBOLS = StartAuthSession_IN CreatePrimary_IN ContextSave_IN ContextLoad_IN \ -+ Load_IN LoadExternal_IN CreateLoaded_IN EvictControl_IN HMAC_Start_IN \ -+ HierarchyChangeAuth_IN SequenceComplete_IN Policy_IN NV_IN FlushContext_IN \ -+ IESYS_CMD_IN_PARAM - - # The EXAMPLE_PATH tag can be used to specify one or more files or directories - # that contain example code fragments that are included (see the \include diff --git a/tpm2-tss.spec.in b/tpm2-tss.spec.in deleted file mode 100644 index 8c8ca68f..00000000 --- a/tpm2-tss.spec.in +++ /dev/null @@ -1,281 +0,0 @@ -Name: tpm2-tss -Version: #VERSION# -Release: 1%{?dist} -Summary: TPM2.0 Software Stack - -# The entire source code is under BSD except implementation.h and tpmb.h which -# is under TCGL(Trusted Computing Group License). -License: BSD and TCGL -URL: https://github.com/tpm2-software/tpm2-tss -Source0: %{name}-%{version}.tar.gz -# doxygen crash -Patch0: tpm2-tss-3.0.0-doxygen.patch - -%global udevrules_prefix 60- - -BuildRequires: autoconf -BuildRequires: autoconf-archive -BuildRequires: automake -BuildRequires: libtool -BuildRequires: make -BuildRequires: git -BuildRequires: doxygen -BuildRequires: gcc -BuildRequires: gcc-c++ -BuildRequires: json-c-devel -BuildRequires: libcurl-devel -BuildRequires: libgcrypt-devel -BuildRequires: openssl-devel -BuildRequires: pkgconfig -BuildRequires: systemd -Requires(pre): shadow-utils - -%description -tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system -APIs. It sits between TPM driver and applications, providing TPM2.0 specified -APIs for applications to access TPM module through kernel TPM drivers. - -%prep -%autosetup -n %{name}-%{version} -p1 - -%build -# There is no git info because of submodule -sed -i "s/m4_esyscmd_s(\[git describe --tags --always --dirty\])/%{version}/" configure.ac -./bootstrap - -# Use built-in tpm-udev.rules, with specified installation path and prefix. -%configure --disable-static --disable-silent-rules \ - --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=%{udevrules_prefix} \ - --with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir} - -# This is to fix Rpath errors. Taken from https://fedoraproject.org/wiki/Packaging:Guidelines#Removing_Rpath -sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool -sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool - -%make_build - -%install -%make_install -find %{buildroot}%{_libdir} -type f -name \*.la -delete - -%pre -getent group tss >/dev/null || groupadd -f -g 59 -r tss -if ! getent passwd tss >/dev/null ; then - if ! getent passwd 59 >/dev/null ; then - useradd -r -u 59 -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss - else - useradd -r -g tss -d /dev/null -s /sbin/nologin -c "Account used for TPM access" tss - fi -fi -exit 0 - -%ldconfig_scriptlets - -%files -%doc README.md CHANGELOG.md -%license LICENSE -%{_sysconfdir}/tpm2-tss/ -%{_libdir}/libtss2-mu.so.0* -%{_libdir}/libtss2-sys.so.1* -%{_libdir}/libtss2-esys.so.0* -%{_libdir}/libtss2-fapi.so.1* -%{_libdir}/libtss2-rc.so.0* -%{_libdir}/libtss2-tctildr.so.0* -%{_libdir}/libtss2-tcti-cmd.so.0* -%{_libdir}/libtss2-tcti-device.so.0* -%{_libdir}/libtss2-tcti-mssim.so.0* -%{_libdir}/libtss2-tcti-pcap.so.0* -%{_libdir}/libtss2-tcti-swtpm.so.0* -%{_sysusersdir}/tpm2-tss.conf -%{_tmpfilesdir}/tpm2-tss-fapi.conf -%{_udevrulesdir}/%{udevrules_prefix}tpm-udev.rules - -%package devel -Summary: Headers and libraries for building apps that use tpm2-tss -Requires: %{name}%{_isa} = %{version}-%{release} - -%description devel -This package contains headers and libraries required to build applications that -use tpm2-tss. - -%files devel -%{_includedir}/tss2/ -%{_libdir}/libtss2-mu.so -%{_libdir}/libtss2-sys.so -%{_libdir}/libtss2-esys.so -%{_libdir}/libtss2-fapi.so -%{_libdir}/libtss2-rc.so -%{_libdir}/libtss2-tctildr.so -%{_libdir}/libtss2-tcti-cmd.so -%{_libdir}/libtss2-tcti-device.so -%{_libdir}/libtss2-tcti-mssim.so -%{_libdir}/libtss2-tcti-pcap.so -%{_libdir}/libtss2-tcti-swtpm.so -%{_libdir}/pkgconfig/tss2-mu.pc -%{_libdir}/pkgconfig/tss2-sys.pc -%{_libdir}/pkgconfig/tss2-esys.pc -%{_libdir}/pkgconfig/tss2-fapi.pc -%{_libdir}/pkgconfig/tss2-rc.pc -%{_libdir}/pkgconfig/tss2-tctildr.pc -%{_libdir}/pkgconfig/tss2-tcti-cmd.pc -%{_libdir}/pkgconfig/tss2-tcti-device.pc -%{_libdir}/pkgconfig/tss2-tcti-mssim.pc -%{_libdir}/pkgconfig/tss2-tcti-pcap.pc -%{_libdir}/pkgconfig/tss2-tcti-swtpm.pc -%{_mandir}/man3/*.3.gz -%{_mandir}/man5/*.5.gz -%{_mandir}/man7/tss2*.7.gz - - -%changelog -* Mon May 17 2021 Peter Robinson - 3.1.0-1 -- Update to 3.1.0 - -* Wed Jan 27 2021 Fedora Release Engineering - 3.0.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Nov 26 2020 Peter Robinson - 3.0.3-1 -- Update to 3.0.2 - -* Sun Nov 22 2020 Peter Robinson - 3.0.2-1 -- Update to 3.0.2 - -* Wed Sep 23 2020 Peter Robinson - 3.0.1-1 -- Update to 3.0.1 - -* Tue Sep 15 2020 Than Ngo - 3.0.0-4 -- Fix doxygen crash - -* Tue Sep 15 2020 Peter Robinson - 3.0.0-3 -- Create tss user, if it doesn't exist, for userspace TPM access - -* Fri Aug 07 2020 Peter Robinson - 3.0.0-2 -- Install sysusers config in sysusersdir (rhbz #1834519) - -* Wed Aug 05 2020 Peter Robinson - 3.0.0-1 -- Update to 3.0.0 - -* Wed Aug 05 2020 Peter Robinson - 2.4.2-1 -- Update to 2.4.2 - -* Wed Jul 29 2020 Fedora Release Engineering - 2.4.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Thu May 14 2020 Peter Robinson - 2.4.1-1 -- Update to 2.4.1 - -* Fri May 08 2020 Paul Wouters - 2.4.0-3 -- Use proper rundir and tmpfiles macros so proper directories are used - -* Tue Apr 21 2020 Björn Esser - 2.4.0-2 -- Rebuild (json-c) - -* Thu Mar 12 2020 Peter Robinson - 2.4.0-1 -- Update to 2.4.0 release - -* Mon Feb 24 2020 Peter Robinson - 2.3.3-1 -- Update to 2.3.3 release - -* Fri Jan 31 2020 Fedora Release Engineering - 2.3.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Fri Dec 13 2019 Yunying Sun - 2.3.2-1 -- Update to 2.3.2 release - -* Fri Sep 6 2019 Yunying Sun - 2.3.1-1 -- Update to 2.3.1 release - -* Thu Aug 15 2019 Yunying Sun - 2.3.0-1 -- Update to 2.3.0 release - -* Sat Jul 27 2019 Fedora Release Engineering - 2.2.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Wed May 29 2019 Yunying Sun - 2.2.3-1 -- Update to 2.2.3 release - -* Fri Mar 29 2019 Yunying Sun - 2.2.2-1 -- Update to 2.2.2 release - -* Mon Mar 4 2019 Peter Robinson 2.2.1-1 -- Update to 2.2.1 release - -* Wed Feb 06 2019 Javier Martinez Canillas - 2.2.0-1 -- Update to 2.2.0 release - -* Sun Feb 03 2019 Fedora Release Engineering - 2.1.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Wed Oct 10 2018 Yunying Sun - 2.1.0-1 -- Update to 2.1.0 release - -* Thu Aug 30 2018 Yunying Sun - 2.0.1-1 -- Update to 2.0.1 release - -* Sat Jul 14 2018 Fedora Release Engineering - 2.0.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Wed Jul 4 2018 Yunying Sun - 2.0.0-2 -- Re-enable ESAPI since gcrypt dependency is not an issue for Fedora -- Bump release version to 2.0.0-2 - -* Mon Jul 2 2018 Yunying Sun - 2.0.0-1 -- Update to 2.0.0 release (RHBZ#1508870) -- Remove patch file 60-tpm-udev.rules, use upstream tpm-udev.rules instead -- Disable ESAPI to fix build errors caused by dependency to libgcrypt 1.6.0 -- Add scriptlet to fix Rpath errors -- Update file installation paths and names accordingly - -* Sun Mar 04 2018 Javier Martinez Canillas - 1.4.0-1 -- Update URLs to point to the new project location -- Add README.md CHANGELOG.md to %%files directive -- Update to 1.4.0 release (RHBZ#1508870) - -* Fri Feb 23 2018 Javier Martinez Canillas - 1.3.0-4 -- Install udev rule for TPM character devices - -* Wed Feb 21 2018 Javier Martinez Canillas - 1.3.0-3 -- Remove ExclusiveArch: %%{ix86} x86_64 directive - -* Fri Feb 09 2018 Igor Gnatenko - 1.3.0-2 -- Escape macros in %%changelog - -* Fri Dec 08 2017 Javier Martinez Canillas - 1.3.0-1 -- Update to 1.3.0 release - -* Wed Nov 29 2017 Javier Martinez Canillas - 1.3.0-0.1.rc2 -- Update to 1.3.0 release candidate 2 (RHBZ#1508870) -- Remove global pkg_prefix since now the upstream repo and package names match -- Update URLs to point to the new project location -- Remove -Wno-int-in-bool-context compiler flag since now upstream takes care -- Remove %%doc directive since README.md and CHANGELOG.md are not in the tarball -- Add patch to include a LICENSE since the generated tarball does not have it - -* Mon Aug 28 2017 Javier Martinez Canillas - 1.2.0-1 -- Update to 1.2.0 release -- Use tpm2-tss instead of TPM2.0-TSS as prefix since project name changed -- Fix SPEC file access mode -- Include new man pages in %%files directive - -* Fri Aug 18 2017 Javier Martinez Canillas - 1.1.0-3 -- Remove unneeded source tarballs (RHBZ#1482828) - -* Thu Aug 03 2017 Fedora Release Engineering - 1.1.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Sun Yunying - 1.1.0-1 -- Update to 1.1.0 release - -* Sat Feb 11 2017 Fedora Release Engineering - 1.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Mon Dec 12 2016 Sun Yunying - 1.0-2 -- Remove global macro pkg_version to avoid duplicate of version -- Use ExclusiveArch instead of ExcludeArch -- Use less wildcard in %%files section to be more specific -- Add trailing slash at end of added directory in %%file section -- Remove autoconf/automake/pkgconfig(cmocka) from BuildRequires -- Increase release version to 2 - -* Fri Dec 2 2016 Sun Yunying - 1.0-1 -- Initial version of the package From 39bc614b4682a58736df82016a428c2888783fd6 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Sun, 31 Jul 2022 21:00:41 +0300 Subject: [PATCH 20/21] qubes-hooks: fix qubes.efi path --- qubes/qubes-hooks/kernel-safeboot.install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qubes/qubes-hooks/kernel-safeboot.install b/qubes/qubes-hooks/kernel-safeboot.install index 60d02074..29674b68 100644 --- a/qubes/qubes-hooks/kernel-safeboot.install +++ b/qubes/qubes-hooks/kernel-safeboot.install @@ -1,6 +1,6 @@ #!/bin/bash -if [ -f /boot/efi/EFI/qubes/qubes.efi.signed ]; then +if [ -f /boot/efi/EFI/qubes/qubes.efi ]; then safeboot qubes-sign if grep -q LINUX_TARGET=qubes /etc/safeboot/local.conf; then /usr/sbin/safeboot pcrs-sign From 24091df6e02ddf9a290e8fbb8feb4723d6e10e92 Mon Sep 17 00:00:00 2001 From: Ivan Kardykov Date: Tue, 2 Aug 2022 15:16:16 +0300 Subject: [PATCH 21/21] Support EV_EFI_ACTION event This fixes PCR computing on Lenovo X1C7+ and others. --- sbin/safeboot | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/sbin/safeboot b/sbin/safeboot index 58c945de..be08d528 100755 --- a/sbin/safeboot +++ b/sbin/safeboot @@ -541,13 +541,19 @@ pcrs-sign() { # This works on the Thinkpad X1, which extends PCR4 # with EFI_EV_SEPARATOR and then the PE hash of the EFI_BOOT_APPLICATION linux_hash="$(sbsign.safeboot --hash-only "$linux" || die "unable to hash")" - ev_sep="$(echo "00000000" | hex2bin | tpm2_trial_extend 0)" + if [ -n "$TPM_EFI_ACTION" ]; then + ev_act="$(echo -n "Calling EFI Application from Boot Option" | tpm2_trial_extend 0)" + else + ev_act=0 + fi + ev_sep="$(echo "00000000" | hex2bin | tpm2_trial_extend $ev_act)" pcr4_computed="$(echo -n "${ev_sep}${linux_hash}" | hex2bin | sha256)" pcr2_read="$(tpm2 pcrread sha256:2 | tail -1 | cut -c9- | tr '[:upper:]' '[:lower:]')" pcr4_read="$(tpm2 pcrread sha256:4 | tail -1 | cut -c9- | tr '[:upper:]' '[:lower:]')" # HACK: this assumes PCR2 is the second in the list + ev_sep="$(echo "00000000" | hex2bin | tpm2_trial_extend 0)" if [ "$pcr2_read" != "$ev_sep" ]; then warn "PCR2: ignoring BootMenu entries" echo -n "$ev_sep" | hex2bin \