SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for tboot-20210614_1.11.4-150400.140.1.x86_64.rpm :

* Tue Jun 25 2024 matthias.gerstnerAATTsuse.com- add tboot-bsc#1207833-copy-mbi.patch: correctly move MBI from a lower address above tboot (bsc#1207833). This fixes a broken boot situation in some configurations stopping with log line \"TBOOT: loader context was moved from 0x
to 0x
\". this patch syncs the Factory package with the SLE package. For some reason I forgot to add the patch to Factory first. Also upstream did not react to the patch, that I posted to their mailing list, so it\'s not contained in the upstream tarball.
* Mon Jun 17 2024 matthias.gerstnerAATTsuse.com- add tboot.rpmlintrc: suppress warning about missing %check section. There\'s no testsuite for tboot.- mark grub.d snippets as %config (noreplace) to satisfy rpmlint warning (the grub2 package itself marks its snippets this way, so it seems to be common standard to do so).- update to v1.11.4:
* v1.11.4 Increase the TBOOT log size from 32 KB to 64 KB. For some Intel server platforms, it was noticed that TBOOT_SERIAL_LOG memory section was too small to hold all of the print logs, produced by TBOOT. Due to this reason TBOOT log section memory size had to be increase to 64KB.
* v1.11.3 Fix the hanging TBOOT issue, which appeared during the RLPs wakeup process on the Intel\'s multisocket platform. This problem appeared during the AP stacks allocations for these RLPs. TBOOT allocated memory for them depending on the woken-up CPUs X2 APIC values. When some of them exceeded the NR_CPUS (1024), then the RLP wakeup process execution halted. For the current moment, the maximal X2 APID value was increased from 1024 to 8192. This kind of solution fixed the given problem.
* v1.11.2 Fix the RAM memory allocation algorithm for the initrd.
* Mon Feb 06 2023 matthias.gerstnerAATTsuse.com- required update due to openSSL 3.0 deprecation errors in current version- updated to v1.11.1 / 20230125: 20230125: v1.11.1 - Revert log memory range extension (caused memory overlaps and boot failures) 20221223: v1.11.0 - Fixed TPM handling to flush objects after integrity measurement (Intel PTT limitations) - Exteded low memory range for logs (HCC CPUs had issue with not enough memory) - \"agile\" removed from PCR Extend policy options (requested deprecation) - Added handling for flexible ACM Info Table format - lcptools: CPPFLAGS use by environment in build - lcptools: removed __DATE__ refs to make build reproducible - Only platform-matchin SINIT modules can be selected - txt-acminfo: Map TXT heap using mmap - Typo fix in man page 20220304: v1.10.5 - Fixed mlehash.c to bring back functionality and make it GCC12 compliant - Reverted change for replacing EFI memory to bring back Tboot in-memory logs 20220224: v1.10.4 - Fix hash printing for SHA384, SHA512 and SM3 - Touch ups for GCC12 - Set GDT to map CS and DS to 4GB before jumping to Linux - make efi_memmap_reserve handle gaps like e820_protect_region - Ensure that growth of Multiboot tags does not go beyond original area - Replace EFI memory map in Multiboot2 info - Fix endianness of pcr_info->pcr_selection.size_of_select - Don\'t ignore locality in PCR file - Fix composite hashing algorithm for PCONF elements to match lcptools-1 20211210: v1.10.3 - Add UNI-VGA license information - Remove poly1305 object files on clean - Support higher resolution monitors - Use SHA256 as default hashing algorithm in lcp2_mlehash and tb_polgen - Add OpenSSL 3.0.0 support in lcptools-v2 - Increase number of supported CPUs to 1024 to accomodate for larger units- tboot-grub2-fix-menu-in-xen-host-server.patch: refreshed to match new upstream version.- tboot-grub2-fix-xen-submenu-name.patch: refreshed to match new upstream version.
* Fri Jun 11 2021 meissnerAATTsuse.com- updated to v1.10.2 / 20210614 Fix ACM chipset/processor list validation Check for client/server match when selecting SINIT Fix issues when building with GCC11 Default to D/A mapping when TPM1.2 and CBnT platform- updated to 1.10.1 / 20210330 - Indicate to SINIT that CBnT is supported by TBOOT - lcptools: Fix issues from static code analysis
* Tue Jan 19 2021 matthias.gerstnerAATTsuse.com- release 1.10.0 ramifications: - README is now README.md - acminfo and parse_err now are called txt-acminfo and txt-parse_err - lcptools are deprecated (tpm 1.2, TrouSerS dependency) and are no longer packaged. - no longer needs TrouSerS dependency due to deprecation
* Tue Jan 19 2021 matthias.gerstnerAATTsuse.com- tboot-grub2-fix-menu-in-xen-host-server.patch: refreshed to match new upstream version.- tboot-grub2-fix-xen-submenu-name.patch: refreshed to match new upstream version.
* Tue Jan 19 2021 matthias.gerstnerAATTsuse.com- update to new upstream release 1.10.0: - Rename TXT related tools to have \'txt-\' prefix - Clarify license issues - Fix issues reported by Coverity Scan - Ensure txt-acminfo does not print false information if msr is not loaded - Fix issue with multiboot(1) booting - infinite loop during boot - Fix issue with TPM1.2 - invalid default policy - Unmask NMI# after returning from SINIT - Update GRUB scripts to use multiboot2 only - Enable VGA logging for EFI platforms - Add warning when using SHA1 as hashing algorithm - Add Doxygen documentation - Replace VMAC with Poly1305 - Validate TPM NV index attributes - Move old lcptool to deprecated folder and exclude from build - TrouSerS is not longer required to build - lcptools-v2: meet requirements from MLE DG rev16 - lcptools-v2: Implement SM2 signing and SM2 signature verification - lcptools-v2: Set aux_hash_alg_mask to 0 when policy version != 0x300- dropped tboot-Unmask-NMI-after-returning-from-SINIT.patch (upstream)
* Thu Nov 12 2020 matthias.gerstnerAATTsuse.com- add tboot-grub2-refuse-secure-boot.patch: don\'t generate tboot menu entries in grub when the system is running with UEFI Secure Boot (bsc#1175114). This prevents hard to understand error messages when trying to boot tboot in this context.
* Mon Sep 28 2020 matthias.gerstnerAATTsuse.com- update to new upstream release 1.9.12: - changes from 1.9.12: - Release localities in S3 flow for CRB interface - Config.mk, safestringlib/makefile : allow tool overrides - safestringlib: fix warnings with GCC 6.4.0 - Strip executable file before generating tboot.gz - Add support for EFI memory map parse/modification - Add SHA384 and SHA512 digest algorithms - lcptools-v2: add pconf2 policy element support - tb_polgen: Add SHA384 and SHA512 support - Disable GCC9 address-of-packed-member warning - Fix warnings after \"Avoid unsafe functions\" scan - Use SHA256 as default hashing algorithm - changes from 1.9.11: - tb_polgen: Add support for SHA256 - Configure IOMMU before executing GETSEC[SENTER] - SINIT ACM can have padding, handle that when checking size - disable-address-of-packed-member-warning.patch: now contained upstream - tboot-grub2-fix-xen-submenu-name.patch: refreshed- dropped tboot-Release-localities-in-S3-flow-for-CRB-interface.patch (upstream)- dropped tboot-Configure-IOMMU-before-executing-GETSEC-SENTER.patch (upstream)- dropped tboot-Do-not-try-to-read-EFI-mem-map-when-booted-with-mult.patch (upstream)- dropped tboot-Release-localities-in-S3-flow-for-CRB-interface.patch (upstream)- dropped tboot-support-sinit-padding.patch (upstream)- dropped tboot-Add-support-for-EFI-memory-map-parse-modification.patch- dropped tboot-fix-memmap1-boot-issues.patch- dropped tboot-Add-more-mbi-validation.patch
* Fri Jul 12 2019 mliskaAATTsuse.cz- Disable LTO in more elegant way (boo#1141323).
* Thu Jul 11 2019 matthias.gerstnerAATTsuse.com- explicitly disable gcc9 link time optimization to fix the build and avoid trouble in low level tboot code.
* Tue May 28 2019 matthias.gerstnerAATTsuse.com- add disable-address-of-packed-member-warning.patch: taken over patch found in the Fedora package to disable a new gcc-9 warning that breaks the build.
* Mon May 20 2019 matthias.gerstnerAATTsuse.com- update to new upstream release 1.9.10: - changes from 1.9.10: - lcp-gen2: update with latest version (wxWidgets wildcard bugfix) - print latest tag in logs - add support for 64bit framebuffer address - changes from 1.9.9: - tools: fix some dereference-NULL issues reported by klocwork - tools: replace banned mem/str fns with corresponding ones in safestringlib - Add safestringlib code to support replacement of banned mem/str fns - lcptools: remove tools supporting platforms before 2008 - tboot: update string/memory fn name to differentiate from c lib - Fix a harmless overflow caused by wrong loop limits- rebased patches to match new upstream version
* Wed Oct 24 2018 matthias.gerstnerAATTsuse.com- update to new upstream release 1.9.8 (FATE#324359): - Skip tboot launch error index read/write when ignore prev err option is true - s3-fix: fix a stack overflow caused by enlarged tb_hash_t union - S3 fix: revert the mis-changed type casting in changeset 522:8e881a07c059 - S3-fix: Adding option save_vtd=true to opt-in the vtd table restore- rebased patches to match new upstream version
* Fri Sep 07 2018 jengelhAATTinai.de- Use noun phrase in summary.
* Mon Sep 03 2018 matthias.gerstnerAATTsuse.com- package new upstream tarball for 1.9.7. It seems the tarball was replaced upstream without notice, because some version numbers have not been incremented.- tboot-grub2-fix-menu-in-xen-host-server.patch: rebased- tboot-grub2-fix-xen-submenu-name.patch: rebased
* Fri Aug 31 2018 matthias.gerstnerAATTsuse.com- update to upstream version 1.9.7. This in mainly a bugfix release: Fix a lot of issues in tools reported by klocwork scan. Fix a lot of issues in tboot module reported by klocwork scan. Remove a redundant tboot option Fix indent in heap.c Fix 4 issues along with extpol=agile option Mitigations for tpm interposer attacks Add an option in tboot to force SINIT to use the legacy TPM2 log format. Add support for appending to a TPM2 TCG style event log. Ensure tboot log is available even when measured launch is skipped. Add centos7 instructions for Use in EFI boot mode. Fix memory leak and invalid reads and writes issues. Fix TPM 1.2 locality selection issue. Fix a null pointer dereference bug when Intel TXT is disabled. Optimize tboot docs installation. Fix security vulnerabilities rooted in tpm_if structure and g_tpm variable. The size field of the MB2 tag is the size of the tag header + the size Fix openssl-1.0.2 double frees Make policy element stm_elt use unique type name lcptools-v2 utilities fixes port to openssl-1.1.0 Reset debug PCR16 to zero. Fix a logical error in function bool evtlog_append(...).- removed tboot-CVE-2017-16837.patch: now contained in tarball- removed tboot-openssl-1-1-0.patch: now contained in tarball- removed tboot-signature-segfault.patch: now contained in tarball- removed tboot-ssl-broken.patch: now contained in tarball
* Thu Mar 15 2018 matthias.gerstnerAATTsuse.com- tboot-signature-segfault.patch: Intermediate patch necessary for tboot-ssl-broken.patch. Upstream tried to fix OpenSSL issues here, but failed to do so.- tboot-ssl-broken.patch: Fixed memory corruption when using OpenSSL functionality like in lcp2_crtpollist (bnc#1083693). Fix has not yet been commented on by upstream (posted on tboot-devel mailing list).
* Wed Feb 21 2018 matthias.gerstnerAATTsuse.com- Also cover cleanup of bootloader configuration after package removal. (bnc#1078262)
* Mon Feb 12 2018 matthias.gerstnerAATTsuse.com- tboot-distributor.patch: don\'t add GNU/Linux to grub menu entries. SUSE\'s grub2 itself doesn\'t do it as well. (bnc#1078262)- perform update of bootloader configuration after installation via %posttrans. (bnc#1078262)
* Thu Nov 16 2017 matthias.gerstnerAATTsuse.com- tboot-CVE-2017-16837.patch: fix a major security issue in tboot. tboot failed to validate a number of immutable function pointers, which could allow an attacker to bypass the chain of trust and execute arbitrary code (bnc#1068390, CVE-2017-16837).
* Thu Nov 09 2017 matthias.gerstnerAATTsuse.com- tboot-openssl-1-1-0.patch: make package compatible with OpenSSL 1.1.0. There\'s no upstream release containing this patch yet. The patch builds against OpenSSL 1.0.x as well. This is for SLE-15 support (bnc#1067229).
* Tue Jul 18 2017 matthias.gerstnerAATTsuse.comupdate to new upstream version 1.9.6:- removed following patches, because they\'re now included upstream:
* reproducible.patch
* tboot-grub2-suse.patch
* tboot-gcc7.patch- Changes in this version:
* GCC7 fix, adds generic FALLTHROUGH notations to avoid warnings appearing on GCC7
* Ensure Tboot never overwrites modules in the process of moving them.
* Add support to x2APIC, which uses 32 bit APIC ID.
* Fix S3 secrets sealing/unsealing failures
* Support OpenSSL 1.1.0+ for ECDSA signature verification.
* Support OpenSSL 1.1.0+ for RSA key manipulation.
* Adds additional checks to prevent the kernel image from being overwritten.
* Added TCG TPM event log support.
* Pass through the EFI memory map that\'s provided by grub2.
* Fix a null pointer dereference bug when Intel TXT is disabled in BIOS.
* Adjust KERNEL_CMDLINE_OFFSET from 0x9000 to 0x8D00.
* Bounds checking on the kernel_cmdline string.
* Sun Jun 04 2017 meissnerAATTsuse.com- tboot-gcc7.patch: fix some gcc7 warnings that lead to errors. (bsc#1041264)
* Sun Apr 30 2017 bwiedemannAATTsuse.com- Add reproducible.patch to call gzip -n to make build fully reproducible
* Fri Feb 10 2017 jengelhAATTinai.de- Trim filler words from description; use modern macros over shell vars.
* Wed Feb 08 2017 meissnerAATTsuse.com- Updated to 20161216: v1.9.5 (FATE#321510) + Add 2nd generation of LCP creation tool source codes for TPM 2.0 platforms. + Add user guide for 2nd generation LCP creation tool + Provide workaround for Intel PTT(Platform Trust Technology) & Linux PTT driver. + Add new fields in Linux kernel header struct to accommodate Linux kernel new capabilities. + Fix a pointer dereference regression in the tboot native Linux loader which manifests itself as a system reset. + Fix the issue of overwriting tboot when the loaded elf kernel is located below tboot. + Add support to release TPM localities when tboot exits to linux kernel. + Fix the evtlog dump function for tpm2 case. + Initiaize kernel header comdline buffer before copying kernel cmdline arguments to the buffer to avoid random + data at end of the original cmdline contents. + Move tpm_detect() to an earlier stage so as to get tpm interface initialized before checking TXT platform capabilities.
* Wed Jun 22 2016 mchangAATTsuse.com- Fix wrong pvops kernel config matching (bsc#981948)
* modified tboot-grub2-fix-menu-in-xen-host-server.patch
* Wed Jun 01 2016 meissnerAATTsuse.com- tboot-grub2-suse.patch: fixed bad if/elif
* Thu May 19 2016 meissnerAATTsuse.com- Updated to 1.9.4/20160518 (FATE#320665) Added TPM 2.0 CRB support Increased BSP and AP stacks to avoid stack overflow Added an ACPI_RSDP structure g_rsdp in tboot to avoid potential memory overwritten issue on TPM 2.0 UEFI platforms Added support to both Intel TPM nv index set and TCG TPM nv index set grub2: tboot doesn\'t skip first argument any more grub2: sanitize whitespace in command lines grub2: Allow addition of policy data in grub.cfg grub2 support: allow the user to customize the command line Mitigated S3 resume delay by adjusting LZ_MAX_OFFSET to 5000 in lz.c. Added SGX TPM nv index support Add 64 bit ELF object support Gentoo Hardened, which uses the GRSecurity and PaX patch sets Disable -fstack-check in CFLAG for compatibility with Gentoo Linux. Enhanced tboot compatiblity running on non-Intel TXT platform with a fix of is_launched() LCP documentation improvements- tboot-grub2-suse.patch: refreshed- tboot-grub2-fix-xen-submenu-name.patch: refreshed- tboot-fix-stackoverflow.patch: upstream in 1.9.4
* Wed Apr 06 2016 meissnerAATTsuse.com- tboot-fix-stackoverflow.patch: fix a excessive stack usage pattern that could lead to resets/crashes (bsc#967441)
* Fri May 08 2015 meissnerAATTsuse.com- Updated to 1.8.3/20140728 FATE#318542
* Added verified launch control policy user guide
* Fixed a bug about var MTRR settings to follow the rule that each VAR MTRR base must be a multiple of that MTRR\'s size.
* Access tpm sts reg with 3-byte width in v1.2 case and 4-byte width in v2.0 case
* Bugfix: lcp2_mlehash get wrong hash if the cmdline string length > 7
* Optimized tboot log processing flow to avoid log buffer overflow by adopting lz Compress/Uncompress algorithms
* Added SGX support for Skylake platform
* tpm2: use the primary object in NULL Hierarchy instead of Platform Hierarchy for seal/unseal usage
* Fixed a bug for lcp2_mlehash tool
* Fixed system hang issue caused by TXT disable, TPM disable or SINIT ACM not correctly provided in EFI booting mode
* Fixed bug for wrong assumption on the way how GRUB2 load modules
* Fixed MB2 tags mess issue caused by moving shorter module cmdline to head
* Fixed compile issue when debug=y- fixes a boot issue on Skylake (bsc#964408)- refreshed tboot-grub2-fix-xen-submenu-name.patch
  
ICM