<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-security.git/meta-tpm, branch walnascar</title>
<subtitle>Mirror of git.yoctoproject.org/meta-security.git</subtitle>
<id>https://git.enea.com/cgit/linux/meta-security.git/atom?h=walnascar</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-security.git/atom?h=walnascar'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/'/>
<updated>2025-04-13T18:07:57+00:00</updated>
<entry>
<title>tpm2-pkcs11: Add tools python runtime dependencies</title>
<updated>2025-04-13T18:07:57+00:00</updated>
<author>
<name>Omri Sarig</name>
<email>omri.sarig13@gmail.com</email>
</author>
<published>2025-03-11T10:33:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=784ca4b6584101e971b2d5d76ec7b716ad1301b5'/>
<id>urn:sha1:784ca4b6584101e971b2d5d76ec7b716ad1301b5</id>
<content type='text'>
The tpm2-pkcs11-tools python module is importing several modules which
are not currently included in it's dependencies. This causes the script
invocation to fail. The current commit adds the relevant dependencies,
to ensure that the python module is always able to run.

The relevant dependencies are:
* python3-fcntl: To add the fcntl module, imported in db.py.
* python3-sqlite3: To add the sqlite3 module, imported in db.py.
* python3-tpm2-pytss: To add the tpm2_pytss module, imported in
  utils.py.
* python3-compression: To add the zipfile module, imported through
  "importlib.metadata import distribution" in tpm2_ptool.

Signed-off-by: Omri Sarig &lt;omri.sarig13@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>tpm2-pytss: Add python3-asn1crypto runtime dependency</title>
<updated>2025-04-13T18:07:57+00:00</updated>
<author>
<name>Omri Sarig</name>
<email>omri.sarig13@gmail.com</email>
</author>
<published>2025-03-11T10:33:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=75a6ea387b1f48d875ae23ed92a8346c93720f0f'/>
<id>urn:sha1:75a6ea387b1f48d875ae23ed92a8346c93720f0f</id>
<content type='text'>
The tpm2-pytss module is importing the module asn1crypto in tsskey.py,
however, the current bitbake recipe is not including this python package
as runtime dependency. This causes the module invocation to fail at the
moment.

The commit adds this dependency to the bitbake recipe, to make the
recipe self contained.

Signed-off-by: Omri Sarig &lt;omri.sarig13@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>pcr-extend: fix config error</title>
<updated>2025-04-13T18:07:57+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2025-04-05T18:38:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=11c031554b67fe9c267f008daaeb92b4ba25fce1'/>
<id>urn:sha1:11c031554b67fe9c267f008daaeb92b4ba25fce1</id>
<content type='text'>
Skip configure step to fix this error:
pcr-extend-0.1+git-r0 do_configure: no configure script found at ../git/configure

There is no configure for this package.

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>tpm2-tss-engine: add .so symmlink to engines package</title>
<updated>2025-04-13T18:07:57+00:00</updated>
<author>
<name>Adrian Freihofer</name>
<email>adrian.freihofer@siemens.com</email>
</author>
<published>2025-03-20T20:20:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=36840b49c8a9082ded705f46224cd3c74656a353'/>
<id>urn:sha1:36840b49c8a9082ded705f46224cd3c74656a353</id>
<content type='text'>
Without the symlink, the engine is not found by openssl:

openssl engine -t -c tpm2tss
20F0C5BDFFFF0000:error:12800067:DSO support routines:dlfcn_load:could
    not load the shared library:/usr/src/debug/openssl/3.2.4/crypto/dso/dso_dlfcn.c:118:
    filename(/usr/lib/engines-3/tpm2tss.so): /usr/lib/engines-3/tpm2tss.so:
    cannot open shared object file: No such file or directory
...

With sym-link it works (also without extra configuration for openssl)

cd /usr/lib/engines-3/
ln -s libtpm2tss.so tpm2tss.so
openssl engine -t -c tpm2tss
(tpm2tss) TPM2-TSS engine for OpenSSL
    [RSA, RAND]
        [ available ]

For exmample also the Fedora package has the symlink.

Signed-off-by: Adrian Freihofer &lt;adrian.freihofer@siemens.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>tpm2-openssl: update to 1.3.0</title>
<updated>2025-04-13T18:07:37+00:00</updated>
<author>
<name>Michael Haener</name>
<email>michael.haener@siemens.com</email>
</author>
<published>2025-03-14T12:08:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=7badda60cdbbda55a52bbbb9fa61bfe8ff165383'/>
<id>urn:sha1:7badda60cdbbda55a52bbbb9fa61bfe8ff165383</id>
<content type='text'>
Signed-off-by: Michael Haener &lt;michael.haener@siemens.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>swtpm: update from 0.8.2 to 0.10.0</title>
<updated>2024-12-27T16:28:23+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@linaro.org</email>
</author>
<published>2024-12-20T14:04:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=746cb59c5f592374f10854d66062c9674dae9da6'/>
<id>urn:sha1:746cb59c5f592374f10854d66062c9674dae9da6</id>
<content type='text'>
Improves error reporting among other things. Changes:

https://github.com/stefanberger/swtpm/releases/tag/v0.10.0

version 0.10.0:

    swtpm:
        Requires libtpms v0.10.0
        Display tpmstate-opt-lock as a new capability
        Add support for lock option parameter to tpmstate option
        nvstore_linear: Add support for file-backend locking
        Remove broken logic to check for neither dir nor file backend
        Use ptm_cap_n to build PTM_GET_CAPABILITY response
        Define a structure to return PTM_GET_CAPABILITY result
        Implement --print-info to run TPMLIB_GetInfo with flags
        Support --profile fd= to read profile from file descriptor
        Support --profile file= to read profile from file
        Ignore remove-disabled parameter on non-'custom' profile
        Check for good entropy source in chroot environment
        Implement a check for HMAC+sha1 for testing future restriction
        Implement function to check whether a crypto algorithm is disabled
        Print cmdarg-print-profiles as part of capabilities
        Check whether SHA1 signature support is disabled in profile
        Use TPMLIB_WasManufactured to check whether profile was applied
        Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature)
        Add support for --print-profiles option
        Print profile names as part of capabilities JSON
        Display new capability to allow setting a profile
        Add support for --profile option to set a profile on TPM 2
    swtpm_setup:
        Comment flags for storage primary key and deprecate --create-spk
        Implement --print-profiles to display all profile
        Add profile entries to swtpm_setup.conf written by swtpm_setup
        Add support for --profile-name option
        Accept profiles with name starting with 'custom:'
        Support default profile from file in swtpm_setup.conf
        Support --profile-file-fd to read profile from file descriptor
        Support --profile-file to read profile from file
        Always log the active profile
        Implement --profile-remove-fips-disabled option
        Read default profile from swtpm_setup.conf
        Print profile names as part of capabilities JSON
        Add support for --profile parameter
        Get default rsa keysize from setup_setup.conf if not given
    swtpm_ioctl:
        Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
    selinux:
        Change write to append for appending to log
        Add rule for logging to svirt_image_t labeled files from swtpm_t
    tests:
        Update IBMTSS2 test suite to v2.4.0
        Test activation of PCR banks when not all are available
        Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
        Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
        Consolidate custom profile test cases and check for StateFormatLevel
        Convert test_samples_create_tpmca to run installed
        Mention test_tpm2_libtpms_versions_profiles requiring env. variables
        allow running ibmtss2 tests against installed version
        Derive support for CUSE from SWTPM_EXE help screen
        Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
        Extend test case testing across libtpms versions
        Add test case for testing profiles across libtpms versions
        Test the --profile option of swtpm_setup and swtpm
        teach them to run installed
        add installed-runner.sh
        install tests on the system
        lookup system binaries if INSTALLED is set
    build-sys:
        enable 64-bit file API on 32-bit systems
        Add -Wshadow to the CFLAGS
        Require that libtpms v0.10 is available for TPMLIB_SetProfile
    debian:
        Add rule to allow usage of /var/tmp directory (QEMU)
        Add rules for reading profiles from distro and local dirs
        Allow non-owner file write access in /var/lib/libvirt/swtpm/
        Add sys_admin capability to apparmor profile

https://github.com/stefanberger/swtpm/releases/tag/v0.9.0

version 0.9.0:
Note: The SElinux policy for swtpm was completely redone. For systems
with an SELinux policy the same policy (&gt;= 40.17) as used in
Fedora &gt;= 40 is required due to changes in labels related to libvirt
that made the re-development of the SELinux policy necessary.

    swtpm:
        Use umask() to create/truncated state file rather than fchmod()
        Use fchmod to set mode bits provided by user
        Replace mkstemp with g_mkstemp_full (Coverity)
        fix typo in help message
        cuse: Fix Coverity complaints regarding locks
        Fix double free in error path
        Close fd after main loop
        Restore logging to stderr on log open failure
    swtpm_setup:
        Fail --pcr-banks without --tpm2
        Fail --decryption or --allow-signing without --tpm2
        Initialized argv in get_swtpm_capabilities()
        Flush spk after persisting to create room for another key
        Refactor duplicate code into swtpm_tpm2_write_cert_nvram
        Move persisting of certificate into tpm2_persist_certificate
        Pass key_type to function creating filename for key
        Add scheme parameter before curveid to createprimary_ecc
        Rename is_ek to preserve for future extension
        Mask-out EK and plaform certificate flags and set cert_flags
        Move common code into new function read_certificate_file()
        Exit with '0' upon --version rather than '1'
        Close file descriptors passed to swtpm process on parent side
        Make stdout unbuffered
        Use medium duration on TSC_PhysicalPresence to avoid timeouts
        Add poll() after write() and before read() to detect errors
    swtpm_localca:
        Add support for up to 20 bytes serial numbers
        Introduce --key as more generic alias for --ek
        Add missing NULL option to end of array
        Make stdout unbuffered
    swtpm_cert:
        Add support for serial numbers up to 20 bytes long
    swtpm_ioctl:
        Separate return code from flags
        Repeatedly call PTM_GET_INFO for long responses
    selinux:
        Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
        New SELinux policy that requires Fedora 40 or later
    tests:
        Fixed occurrences of stray '' before '-'
        Rearrange order of test cases to run some also as 'root'
        Add tests for command line options and combinations of options
        Add softhsm_setup to shellcheck'ed files and fix issues
        Add missing 'exit 1' on unexpected file size on --reconfigure
        Add test cases for swtpm_cert with max serial number
        Fix spelling mistakes
        reformat regexs for easier readability and extension
        ibmtss2: Add patch to disable x509 test with older libtpms
        Upgrade to ibmtss2 v2.0.1
        Fixed several issues detected by shellcheck
    build-sys:
        Add support for --disable-tests to disable tests
        Display GMP_LIBS and GMP_CFLAGS
        Only display warning if pkg-config for gmp fails
        Add gmp library and devel package as dependency
        use PKG_CHECK_MODULES to check libtpms version
    rpm:
        Add gmp library and devel package as dependency
        Split off SELinux files to build an selinux package
    debian:
        Sync AppArmor profile with what is used by Ubuntu
        Add gmp library and devel package as dependency
        Allow apparmor access to qemu session bus swtpm files

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@linaro.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>libtpms: set CVE_PRODUCT</title>
<updated>2024-12-27T16:28:23+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@linaro.org</email>
</author>
<published>2024-12-20T14:04:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=0b4a2afb985afaa6ff19db8ae7a7a0bc2f4c0b53'/>
<id>urn:sha1:0b4a2afb985afaa6ff19db8ae7a7a0bc2f4c0b53</id>
<content type='text'>
Using vendor "libtpms_project" and product "libtpms"
as in https://nvd.nist.gov/vuln/detail/CVE-2021-3446

Matches CVEs better when analyzing with cve_check.bbclass.

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@linaro.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>libtpm: rename to libtpms</title>
<updated>2024-12-27T16:28:23+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@linaro.org</email>
</author>
<published>2024-12-20T14:04:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=68f959b95d24a6f61aff9bc2e2bbfbadf2820736'/>
<id>urn:sha1:68f959b95d24a6f61aff9bc2e2bbfbadf2820736</id>
<content type='text'>
Upstream and other distros like Debian use package name
libtpms so use this name for recipe too to match CVEs etc.

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@linaro.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>libtpm: update from 0.9.6 to 0.10.0</title>
<updated>2024-12-27T16:28:23+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@linaro.org</email>
</author>
<published>2024-12-20T14:04:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=eac5796a07d104d83fa8203032d773f7f7c854ed'/>
<id>urn:sha1:eac5796a07d104d83fa8203032d773f7f7c854ed</id>
<content type='text'>
Needed by newer swtpm. Improves error messages etc.

Changes:

https://github.com/stefanberger/libtpms/releases/tag/v0.10.0

version 0.10.0:

    tpm2: Support for profiles: default-v1 &amp; custom
    tpm2: Add new API call TPMLIB_SetProfile to enable user to set a profile
    tpm2: Extende TPMLIB_GetInfo to return profiles-related info
    tpm2: Implemented crypto tests and restrictions on crypto related to
    FIPS-140-3; can be enabled with profiles
    tpm2: Enable Camellia-192 and AES-192
    tpm2: Implement TPMLIB_WasManufactured API call
    tpm2: Fixes for issues detected by static analyzers
    tpm2: Use OpenSSL-based KDFe implementation if possible
    tpm2: Update to TPM 2 spec rev 183 (many changes)
    tpm2: Better support for OpenSSL 3.x
    tpm2: Use Carmichael function for RSA priv. exponent D (&gt;= 2048 bits)
    tpm2: Fixes for CVE-2023-1017 and CVE-2023-1018
    tpm2: Fix of SignedCompareB().
    NOTE: This fix may result in backwards compatibility issues with
    PCR policies used by TPM2_PolicyCounterTimer and TPM2_PolicyNV
    when upgrading from v0.9 to v0.10.

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@linaro.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>systemd-boot: enable TPM support via "tpm2" in DISTRO_FEATURES</title>
<updated>2024-12-27T16:28:23+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@linaro.org</email>
</author>
<published>2024-12-20T14:04:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=a4f343b686d53d8a0db28a557263e4ef98fc1568'/>
<id>urn:sha1:a4f343b686d53d8a0db28a557263e4ef98fc1568</id>
<content type='text'>
systemd-boot will then measure boot components to TPM device.

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@linaro.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
</feed>
