-
Notifications
You must be signed in to change notification settings - Fork 143
/
CHANGES
313 lines (303 loc) · 14.1 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
CHANGES - changes for swtpm
version 0.10.0:
- swtpm:
- Requires libtpms v0.10.0
- Display tpmstate-opt-lock as a new capability
- Add support for lock option parameter to tpmstate option
- nvstore_linear: Add support for file-backend locking
- Remove broken logic to check for neither dir nor file backend
- Use ptm_cap_n to build PTM_GET_CAPABILITY response
- Define a structure to return PTM_GET_CAPABILITY result
- Implement --print-info to run TPMLIB_GetInfo with flags
- Support --profile fd=<fd> to read profile from file descriptor
- Support --profile file=<filename> to read profile from file
- Ignore remove-disabled parameter on non-'custom' profile
- Check for good entropy source in chroot environment
- Implement a check for HMAC+sha1 for testing future restriction
- Implement function to check whether a crypto algorithm is disabled
- Print cmdarg-print-profiles as part of capabilities
- Check whether SHA1 signature support is disabled in profile
- Use TPMLIB_WasManufactured to check whether profile was applied
- Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature)
- Add support for --print-profiles option
- Print profile names as part of capabilities JSON
- Display new capability to allow setting a profile
- Add support for --profile option to set a profile on TPM 2
- swtpm_setup:
- Comment flags for storage primary key and deprecate --create-spk
- Implement --print-profiles to display all profile
- Add profile entries to swtpm_setup.conf written by swtpm_setup
- Add support for --profile-name option
- Accept profiles with name starting with 'custom:'
- Support default profile from file in swtpm_setup.conf
- Support --profile-file-fd to read profile from file descriptor
- Support --profile-file <file> to read profile from file
- Always log the active profile
- Implement --profile-remove-fips-disabled option
- Read default profile from swtpm_setup.conf
- Print profile names as part of capabilities JSON
- Add support for --profile parameter
- Get default rsa keysize from setup_setup.conf if not given
- swtpm_ioctl:
- Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
- selinux:
- Change write to append for appending to log
- Add rule for logging to svirt_image_t labeled files from swtpm_t
- tests:
- Update IBMTSS2 test suite to v2.4.0
- Test activation of PCR banks when not all are available
- Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
- Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
- Consolidate custom profile test cases and check for StateFormatLevel
- Convert test_samples_create_tpmca to run installed
- Mention test_tpm2_libtpms_versions_profiles requiring env. variables
- allow running ibmtss2 tests against installed version
- Derive support for CUSE from SWTPM_EXE help screen
- Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
- Extend test case testing across libtpms versions
- Add test case for testing profiles across libtpms versions
- Test the --profile option of swtpm_setup and swtpm
- teach them to run installed
- add installed-runner.sh
- install tests on the system
- lookup system binaries if INSTALLED is set
- build-sys:
- enable 64-bit file API on 32-bit systems
- Add -Wshadow to the CFLAGS
- Require that libtpms v0.10 is available for TPMLIB_SetProfile
- debian:
- Add rule to allow usage of /var/tmp directory (QEMU)
- Add rules for reading profiles from distro and local dirs
- Allow non-owner file write access in /var/lib/libvirt/swtpm/
- Add sys_admin capability to apparmor profile
version 0.9.0:
Note: The SElinux policy for swtpm was completely redone. For systems
with an SELinux policy the same policy (>= 40.17) as used in
Fedora >= 40 is required due to changes in labels related to libvirt
that made the re-development of the SELinux policy necessary.
- swtpm:
- Use umask() to create/truncated state file rather than fchmod()
- Use fchmod to set mode bits provided by user
- Replace mkstemp with g_mkstemp_full (Coverity)
- fix typo in help message
- cuse: Fix Coverity complaints regarding locks
- Fix double free in error path
- Close fd after main loop
- Restore logging to stderr on log open failure
- swtpm_setup:
- Fail --pcr-banks without --tpm2
- Fail --decryption or --allow-signing without --tpm2
- Initialized @argv in get_swtpm_capabilities()
- Flush spk after persisting to create room for another key
- Refactor duplicate code into swtpm_tpm2_write_cert_nvram
- Move persisting of certificate into tpm2_persist_certificate
- Pass key_type to function creating filename for key
- Add scheme parameter before curveid to createprimary_ecc
- Rename is_ek to preserve for future extension
- Mask-out EK and plaform certificate flags and set cert_flags
- Move common code into new function read_certificate_file()
- Exit with '0' upon --version rather than '1'
- Close file descriptors passed to swtpm process on parent side
- Make stdout unbuffered
- Use medium duration on TSC_PhysicalPresence to avoid timeouts
- Add poll() after write() and before read() to detect errors
- swtpm_localca:
- Add support for up to 20 bytes serial numbers
- Introduce --key as more generic alias for --ek
- Add missing NULL option to end of array
- Make stdout unbuffered
- swtpm_cert:
- Add support for serial numbers up to 20 bytes long
- swtpm_ioctl:
- Separate return code from flags
- Repeatedly call PTM_GET_INFO for long responses
- selinux:
- Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
- New SELinux policy that requires Fedora 40 or later
- tests:
- Fixed occurrences of stray '\' before '-'
- Rearrange order of test cases to run some also as 'root'
- Add tests for command line options and combinations of options
- Add softhsm_setup to shellcheck'ed files and fix issues
- Add missing 'exit 1' on unexpected file size on --reconfigure
- Add test cases for swtpm_cert with max serial number
- Fix spelling mistakes
- reformat regexs for easier readability and extension
- ibmtss2: Add patch to disable x509 test with older libtpms
- Upgrade to ibmtss2 v2.0.1
- Fixed several issues detected by shellcheck
- build-sys:
- Add support for --disable-tests to disable tests
- Display GMP_LIBS and GMP_CFLAGS
- Only display warning if pkg-config for gmp fails
- Add gmp library and devel package as dependency
- use PKG_CHECK_MODULES to check libtpms version
- rpm:
- Add gmp library and devel package as dependency
- Split off SELinux files to build an selinux package
- debian:
- Sync AppArmor profile with what is used by Ubuntu
- Add gmp library and devel package as dependency
- Allow apparmor access to qemu session bus swtpm files
version 0.8.0:
- swtpm:
- Implement release-lock-outgoing parameter for --migration option
- Introduce --migration option and 'incoming' parameter
- Implement terminate parameter for ctrl channel loss
- Add a chroot option
- Introduce disable-auto-shutdown flag for --flags option
- If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
- Add some more recent syscalls to seccomp profile
- Disable OpenSSL FIPS mode to avoid libtpms failures
- Avoid locking directory multiple times
- Remove support for pre-v0.1 state files without header
- Use uint64_t in tlv_data_append() to avoid integer overflows
- Use uint64_t to avoid integer wrap-around when adding a uint32_t
- Do not chdir(/) when using --daemon
- Check header size indicator against expected size (CVE-2022-23645)
- Fixes for gcc 12.2.1 -fanalyzer
- build-sys:
- Fix configure script to support _FORTIFY_SOURCE=3
- Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
- swtpm-localca:
- Re-implement variable resolution for swtpm-localca.conf
- Test for available issuercert before creating CA
- swtpm_setup:
- Configure swtpm to log to stdout/err if needed (glib >=2.74)
- tests:
- Use ${WORKDIR} in config files to test env. var replacement
- Patch IBM TSS2 test suite for OpenSSL 3.x
- build-sys:
- Add probing for -fstack-protector
version 0.7.0:
- swtpm:
- Support for linear file storage backend (file://)
- Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending what
libtpms supports
- Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs
- Wipe keys from stack and heap
- Many other small changes
- Make --daemon not racy
- swtpm_setup:
- Only activate SHA256 PCR bank, not SHA1 bank anymore by default
- Support for linear file storage backend (file://)
- Implement option --create-config-files to create config files
- Use non-deprecated APIs to contruct RSA key (OSSL 3)
- Report stderr as returned by external tool (swtpm-localcal)
- Replace '+' and ',' characters in VMId's to make work with
common name in X509 subject
- Add support for --reconfigure flag to change active PCR banks
- swtpm_localca:
- Created certificates for CAs and TPM that do not expire
- swtpm_cert:
- Allow passing -1 for days to get a non-expiring certificate
- test:
- ASAN-related test changes and skipping of tests if ASAN is used
- Fix tests using tpm2-abrmd by preventing concurrency
- Skip chardev related tests after checking for chardev support
- exit with error code if mktemp fails
- OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test
- build-sys:
- Introduce --enable-sanitizers to configure
- Remove check for pip3 that was used by python swtpm_setup
- Allow passing of aditional CFLAGS during build
version 0.6.0:
- swtpm:
- Fix --print-capabilities for 'swtpm chardev'
- Various cleanups and fixes (coverity)
- Addressed potential symlink attack issue (CVE-2020-28407)
- swtpm_setup:
- Rewritten in 'C'; needs json-glib
- Addressed potential symlink attack issue (CVE-2020-28407)
- swtpm_ioctl:
- Use timeouts for communicating with swtpm (Unix socket)
- swtpm-localca:
- Rewritten in 'C'
- tests:
- Use the IBM TSS2 v1.6.0's test suite
- Store and also restore the volatile state at every step when running
IBM TSS2 test suite
- Various cleanup
- build-sys:
- Add HARDENING_CFLAGS and _LDFLAGS to all C programs
version 0.5.0:
- swtpm:
- Write files atomically using a temp file and then renaming
- swtpm_setup:
- Removed remaining 'c' wrapper program
- Do not truncate logfile when testing write-access (regression)
- Remove TPM state file in case error occurred
- swtpm-localca:
- Rewrite in python
- Allow passing pkcs11 PIN using signingkey_password
- Allow passing environment variables needed for pkcs11 modules using
swtpm-localca.conf and format 'env:VARNAME=VALUE'.
- build-sys:
- Add python-install and python-uninstall targets
- Add configure option to disable installation of Python module
- Use -Wl,-z,relro and -Wl,-z,now only when linking (clang)
- Use AC_LINK_IFELSE to check whether support for hardening flags
version 0.4.0:
- swtpm:
- Invoke print capabilities after choosing TPM version
- Add some recent syscalls to seccomp blacklist
- swtpm_cert:
- Support --ecc-curveid option to pass curve id
- swtpm_setup & related scripts:
- Rewrite swtpm_setup.sh in python with TPM 1.2 not requiring tcsd
and TPM tools anymore; new dependencies:
- python3: pip, cryptography, setuptools
dropped dependencies for swtpm_setup:
- tcsd, expect, tpm-tools (some still needed for pkcs11 tests)
- Added support for RSA 3072 keys (for libtpms-0.8.0) and moved to
ECC NIST P384 curve; default RSA key size is still 2048
- Added support for --rsa-keysize option
- Extend script to create a CA using a TPM 2 for signing
- tests:
- Use the IBM TSS2 v1.5.0's test suite
- Add test case for loading of an NVRAM completely full with keys
- Have softhsm_setup use temporary directory for softhsm config & state
- various other improvements
- man pages:
- Improvements
- build-sys:
- clang: properly test for linker flag 'now' and 'relro'
- Gentoo: explicitly link libswtpm_libtpms with -lcrypto
- Ownership of /var/lib/swtpm-localca is now tss:root and
mode flags 0750.
version 0.3.0:
- swtpm:
- Support for applying 'TPM Startup' command during initialization
- Use writev_full rather than writev; fixes --vtpm-proxy EIO error
- Only accept() new client ctrl connection if we have none (bugfix)
- swtpm_setup & related scripts:
- Support whitespaces in filenames and paths
- Do not fail on future PCR banks' hashes
- swtpm_cert:
- Fix OIDs for TPM 2 platforms data
- Option parsing cleanup
- Support for passing password in various forms
- Use gnutls_x509_crt_get_subject_key_id API call for subj keyId
- Support 64bit serial numbers read from command line
- swtpm_ioctl:
- Block SIGPIPE so we can get EPIPE on write()
- swtpm_bios:
- Block SIGPIPE so we can get EPIPE on write()
- tests:
- Increased timeouts and better support for running tests with
executables run by valgrind
- Allow running tests with choice of seccomp profile option
(SWTPM_TEST_SECCOMP_OPT) to enable building for Ubuntu
- Various cleanups & fixes
- SELinux:
- More rules added for support on F30
version 0.2.0:
- Linux: swtpm now runs with a seccomp profile (blacklist) if compiled with
libseccomp support
- Added subpport for passing key and passphrase via file descriptor
- TPM 2 commands can now be prefixed by 'the TCG header' and responses will
have a 4-byte prefix and 4-byte suffix.
- Added --print-capabilities command line option
- Proper handling on EINTR on read, poll, and write
version 0.1.0:
first public release