Changelog for
swtpm-selinux-0.8.0-1.1.noarch.rpm :
* Mon Mar 06 2023 Alberto Planas Dominguez
- Drop trousers requirement
* Mon Mar 06 2023 Alberto Planas Dominguez - Update to version 0.8.0:
* swtpm: + Implement release-lock-outgoing parameter for --migration option + Introduce --migration option and \'incoming\' parameter + Implement terminate parameter for ctrl channel loss + Add a chroot option + Introduce disable-auto-shutdown flag for --flags option + If necessary send TPM2_Shutdown() before TPMLIB_Terminate() + Add some more recent syscalls to seccomp profile + Disable OpenSSL FIPS mode to avoid libtpms failures + Avoid locking directory multiple times + Remove support for pre-v0.1 state files without header + Use uint64_t in tlv_data_append() to avoid integer overflows + Use uint64_t to avoid integer wrap-around when adding a uint32_t + Do not chdir(/) when using --daemon + Check header size indicator against expected size (CVE-2022-23645 bsc#1196240) + Fixes for gcc 12.2.1 -fanalyzer
* build-sys: + Fix configure script to support _FORTIFY_SOURCE=3 + Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
* swtpm-localca: + Re-implement variable resolution for swtpm-localca.conf + Test for available issuercert before creating CA
* swtpm_setup: + Configure swtpm to log to stdout/err if needed (glib >=2.74)
* tests: + Use ${WORKDIR} in config files to test env. var replacement + Patch IBM TSS2 test suite for OpenSSL 3.x
* build-sys: + Add probing for -fstack-protector
* Fri Apr 29 2022 Marcus Meissner - Updated to version 0.7.3: - swtpm: - Use uint64_t in tlv_data_append() to avoid integer overflows - Use uint64_t to avoid integer wrap-around when adding a uint32_t- removed allow-FORTIFY_SOURCE=3.patch (upstreamed)
* Wed Apr 06 2022 Martin Liška - Cheery-pick upstream patch allow-FORTIFY_SOURCE=3.patch.
* Wed Mar 09 2022 Wolfgang Frisch - Update to version 0.7.2: - swtpm: - Do not chdir(/) when using --daemon - swtpm-localca: - Re-implement variable resolution for swtpm-localca.conf - tests: - Use ${WORKDIR} in config files to test env. var replacement - man pages: - Add missing .config directory to path description when using ${HOME} - build-sys: - Add probing for -fstack-protector
* Mon Feb 21 2022 Marcus Meissner - Update to version 0.7.1: - swtpm: - Check header size indicator against expected size (CVE-2022-23645 bsc#1196240) - swtpm_localca: - Test for available issuercert before creating CA
* Wed Nov 10 2021 Marcus Meissner - Update to version 0.7.0: - swtpm: - Support for linear file storage backend (file://) - Report \'tpm-1.2\' & \'tpm-2.0\' in --print-capabilities depending what libtpms supports - Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs - Wipe keys from stack and heap - Many other small changes - Make --daemon not racy - swtpm_setup: - Only activate SHA256 PCR bank, not SHA1 bank anymore by default - Support for linear file storage backend (file://) - Implement option --create-config-files to create config files - Use non-deprecated APIs to contruct RSA key (OSSL 3) - Report stderr as returned by external tool (swtpm-localcal) - Replace \'+\' and \',\' characters in VMId\'s to make work with common name in X509 subject - Add support for --reconfigure flag to change active PCR banks - swtpm_localca: - Created certificates for CAs and TPM that do not expire - swtpm_cert: - Allow passing -1 for days to get a non-expiring certificate - test: - ASAN-related test changes and skipping of tests if ASAN is used - Fix tests using tpm2-abrmd by preventing concurrency - Skip chardev related tests after checking for chardev support - exit with error code if mktemp fails - OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test - build-sys: - Introduce --enable-sanitizers to configure - Remove check for pip3 that was used by python swtpm_setup - Allow passing of aditional CFLAGS during build
* Wed Sep 22 2021 Marcus Meissner - Update to version 0.6.1: - swtpm: - Clear keys from stack and heap - swtpm-localca: - Add missing else branch for pkcs11 and PIN - swtpm_setup: - Initialize Gerror and free it - Replace \'\\\\s\' in regex with [[:space:]] to fix cygwin - tests: - Kill tpm2-abrmd with SIGKILL rather SIGTERM - build-sys: - Use -DOPENSSL_SUPPRESS_DEPRECATED to suppress deprecation warnings (OSSL 3) - Enable configuring with CFLAGS and passing additional CFLAGS on build
* Sat Aug 07 2021 Callum Farmer - Update to version 0.6.0: - Addressed potential symlink attack issue (CVE-2020-28407) - Rewritten in \'C\'; needs json-glib - Use timeouts for communicating with swtpm (Unix socket) - Fix --print-capabilities for \'swtpm chardev\' - Various cleanups and fixes (coverity)- Enable selinux support- Removed swtpm-rename_deprecated_libtasn1_types.patch: upstream- Fix rpmlint errors
* Thu May 20 2021 Pedro Monreal - swtpm_cert: rename deprecated libtasn1 types.
* https://github.com/stefanberger/swtpm/pull/443
* Add swtpm-rename_deprecated_libtasn1_types.patch
* Sun Dec 27 2020 Marcus Meissner - Update to version 0.5.2 - swtpm: - Fix potential buffer overflow related to largely unused data hashing function in control channel - swtpm: Unconditionally close fd if writing of pidfile fails (coverity) - swtpm_setup: - Increase timeout from 10s to 30s for slower machines - Travis: - Not building on OS X anymore due to additional costs
* Tue Dec 22 2020 Gary Ching-Pang Lin - Use \"Requires user(tss)\" for the \"tss\" user and group
* Tue Dec 22 2020 Gary Ching-Pang Lin - Create /var/lib/swtpm-localca to store the keys created by swtpm-localca (bsc#1179811)- Replace net-tools-deprecated with iproute2 since the scripts in swtpm now can use \'ss\' instead of \'netstat\'
* Sun Nov 22 2020 Kai Liu - Update to version 0.5.1
* swtpm & swtpm_setup: - Addressed potential symlink attack issue (CVE-2020-28407)
* build-sys: - Fix configure python cryptography error message- Misc. spec file changes.
* Tue Oct 13 2020 Kai Liu - Update Requires and BuildRequires for changes since 0.4.0.- Remove patch files that are no longer needed:
* swtpm-adjust-seccomp-path.patch
* swtpm-setup-tcsd-path.patch
* swtpm-tpm-tools-path.patch- Update to version 0.5.0
* swtpm: - Write files atomically using a temp file and then renaming
* swtpm_setup: - Removed remaining \'c\' wrapper program - Do not truncate logfile when testing write-access (regression) - Remove TPM state file in case error occurred
* swtpm-localca: - Rewrite in python - Allow passing pkcs11 PIN using signingkey_password - Allow passing environment variables needed for pkcs11 modules using swtpm-localca.conf and format \'env:VARNAME=VALUE\'.
* build-sys: - Add python-install and python-uninstall targets - Add configure option to disable installation of Python module - Use -Wl,-z,relro and -Wl,-z,now only when linking (clang) - Use AC_LINK_IFELSE to check whether support for hardening flags- Changes from version 0.4.1
* swtpm_setup: - Do not hardcode \'/etc\' but use SYSCONFDIR - Fix support for -h and -? options - Add missing .config path when using ${HOME}
* swtpm-localca: - Apply password for signing key when creating platform cert - Properly apply passwords for localca signing key- Changes from version 0.4.0
* swtpm: - Invoke print capabilities after choosing TPM version - Add some recent syscalls to seccomp blacklist
* swtpm_cert: - Support --ecc-curveid option to pass curve id
* swtpm_setup & related scripts: - Rewrite swtpm_setup.sh in python with TPM 1.2 not requiring tcsd and TPM tools anymore; new dependencies: - python3: pip, cryptography, setuptools dropped dependencies for swtpm_setup: - tcsd, expect, tpm-tools (some still needed for pkcs11 tests) - Added support for RSA 3072 keys (for libtpms-0.8.0) and moved to ECC NIST P384 curve; default RSA key size is still 2048 - Added support for --rsa-keysize option - Extend script to create a CA using a TPM 2 for signing
* tests: - Use the IBM TSS2 v1.5.0\'s test suite - Add test case for loading of an NVRAM completely full with keys - Have softhsm_setup use temporary directory for softhsm config & state - various other improvements
* man pages: - Improvements
* build-sys: - clang: properly test for linker flag \'now\' and \'relro\' - Gentoo: explicitly link libswtpm_libtpms with -lcrypto - Ownership of /var/lib/swtpm-localca is now tss:root and mode flags 0750.
* Thu Aug 13 2020 Kai Liu - Update to version 0.3.4:
* swtpm: - Fix compilation for cygwin
* swtpm_setup & swtpm-localca: - Get rid of bash\'s eval when invoking external tools to avoid abuse. Only use eval for \'resolving\' variables.
* tests: - Various fixes of minor issues
* Thu Jul 30 2020 Kai Liu - Update to version 0.3.3:
* swtpm_setup: - openSUSE: Support tcsd configuration where tss user != tss group, such as root/tss; Fedora & Ubuntu for example use tss/tss
* build-sys: - Check whether tss user and group are available- Add tss user & group build flags per upstream instruction. This together with v0.3.3 fixed the bug with TPM 1.2 emulation. Related upstream bug: https://github.com/stefanberger/swtpm/issues/284
* Sat Jul 11 2020 Kai Liu - Update to 0.3.2: + swtpm: + Remove unnecessary #include (fixes SuSE build) + Make coverity happy by handling default case in case statement + swtpm_setup: + bugfix: Create ECC storage primary key in owner hierarchy + bugfix: remove tpm2_stirrandom and tpm2_changeeps + tests: + Adjusted pcrUpdateCounter in tests to succeed with PCR TCB group fixes in libtpms TPM 2 code
* Wed Apr 22 2020 Gary Ching-Pang Lin - Update to 0.3.1 + swtpm: Fix vtpm proxy case without startup flags + swtpm: Only call memcpy if tocopy != 0 (coverity) + man: Document new startup options and capabilities advertisement + swtpm: Enable sending startup commands before processing commands + swtpm_cert: Accept serial numbers that use up to 64bits + swtpm_cert: Use getopt_long_only to parse options + swtpm_cert: Add support for --print-capabilities option + swtpm_cert: Allow passing signing key and parent key via new option + swtpm_setup: Enable spaces in paths and other variables + swtpm_ioctl: Calculate strlen(input) only once + swtpm_ioctl: Block SIGPIPE so we can get EPIPE on write() + swtpm_bios: Block SIGPIPE so we can get EPIPE on write() + swtpm: Only accept() new client ctrl connection if we have none + swtpm_setup: Do not fail on future PCR banks\' hashes + swtpm_setup: Use 1st part of SWTPM_EXE/SWTPM_IOCTL to determine executable + swtpm_setup: Keep reserved range of file descriptors for swtpm_setup.sh + swtpm_setup: Log about encryption and fix c&p error in err msg + swtpm: Add --print-capabilities to help screen of \'swtpm chardev\' + swtpm_ioctl: Fix uninitialized variable \'pgi\' + swtpm_cert: Use gnutls_x509_crt_get_subject_key_id API call for subj keyId + swtpm_cert: Fix OIDs for TPM 2 platforms data + swtpm: Fix typo in error report: HMAC instead of hash + swtpm: Use writev_full rather than writev; fixes --vtpm-proxy EIO error- Refresh swtpm-setup-tcsd-path.patch
* Fri Jan 03 2020 Gary Ching-Pang Lin - Amend swtpm-adjust-seccomp-path.patch to add the missing seccomp paths- Adjust the conditional check of net-tools-deprecated for SLE15 and SLE15-SP1