Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pcr-oracle for openSUSE:Factory checked in at 2025-05-20 09:30:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pcr-oracle (Old) and /work/SRC/openSUSE:Factory/.pcr-oracle.new.30101 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pcr-oracle" Tue May 20 09:30:59 2025 rev:20 rq:1277028 version:0.5.6 Changes: -------- --- /work/SRC/openSUSE:Factory/pcr-oracle/pcr-oracle.changes 2025-04-03 18:43:56.182113201 +0200 +++ /work/SRC/openSUSE:Factory/.pcr-oracle.new.30101/pcr-oracle.changes 2025-05-20 09:31:00.979518421 +0200 @@ -1,0 +2,10 @@ +Tue May 13 02:53:41 UTC 2025 - Gary Ching-Pang Lin <g...@suse.com> + +- Update to 0.5.6 + + rsa: adopt OpenSSL 3.0 API to generate RSA key + + Drop the code for openSSL < 3.0.0 + + Look for signing authority in alternative database + (bsc#1241957) +- Bump the requirement of libopenssl-devel to 3.0.0 + +------------------------------------------------------------------- Old: ---- pcr-oracle-0.5.5.tar.xz New: ---- pcr-oracle-0.5.6.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pcr-oracle.spec ++++++ --- /var/tmp/diff_new_pack.rIPOOs/_old 2025-05-20 09:31:01.699548424 +0200 +++ /var/tmp/diff_new_pack.rIPOOs/_new 2025-05-20 09:31:01.707548757 +0200 @@ -18,14 +18,14 @@ Name: pcr-oracle -Version: 0.5.5 +Version: 0.5.6 Release: 0 Summary: Predict TPM PCR values License: GPL-2.0-or-later Group: System/Boot URL: https://github.com/openSUSE/pcr-oracle Source: %{name}-%{version}.tar.xz -BuildRequires: libopenssl-devel >= 0.9.8 +BuildRequires: libopenssl-devel >= 3.0.0 BuildRequires: tpm2-0-tss-devel >= 2.4.0 Requires: libtss2-tcti-device0 ExclusiveArch: x86_64 aarch64 ppc64le riscv64 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.rIPOOs/_old 2025-05-20 09:31:02.015561591 +0200 +++ /var/tmp/diff_new_pack.rIPOOs/_new 2025-05-20 09:31:02.055563258 +0200 
@@ -7,7 +7,7 @@
 <param name="url">https://github.com/openSUSE/pcr-oracle.git</param>
 <param name="filename">pcr-oracle</param>
 <param name="versionformat">@PARENT_TAG@</param>
- <param name="revision">refs/tags/0.5.5</param>
+ <param name="revision">refs/tags/0.5.6</param>
 </service>
 <service name="recompress" mode="disabled">
 <param name="file">pcr-oracle*.tar</param>
++++++ pcr-oracle-0.5.5.tar.xz -> pcr-oracle-0.5.6.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.5/configure new/pcr-oracle-0.5.6/configure
--- old/pcr-oracle-0.5.5/configure 2025-04-01 17:09:14.000000000 +0200
+++ new/pcr-oracle-0.5.6/configure 2025-05-13 08:48:20.000000000 +0200
@@ -12,7 +12,7 @@
 # Invoke with --help for a description of options
 #
 # microconf:begin
-# version 0.5.5
+# version 0.5.6
 # require libtss2
 # require json
 # disable debug-authenticode
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.5/microconf/stage1/04-libcrypto new/pcr-oracle-0.5.6/microconf/stage1/04-libcrypto
--- old/pcr-oracle-0.5.5/microconf/stage1/04-libcrypto 1970-01-01 01:00:00.000000000 +0100
+++ new/pcr-oracle-0.5.6/microconf/stage1/04-libcrypto 2025-05-13 08:48:20.000000000 +0200
@@ -0,0 +1,10 @@
+uc_add_option_with libcrypto
+uc_with_libcrypto=detect
+
+uc_add_help <<EOH
+
+ Override libcrypto detection
+ --with-libcrypto=VERSION
+ --without-libcrypto
+
+EOH
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.5/microconf/stage3/06-libcrypto new/pcr-oracle-0.5.6/microconf/stage3/06-libcrypto
--- old/pcr-oracle-0.5.5/microconf/stage3/06-libcrypto 1970-01-01 01:00:00.000000000 +0100
+++ new/pcr-oracle-0.5.6/microconf/stage3/06-libcrypto 2025-05-13 08:48:20.000000000 +0200
@@ -0,0 +1,13 @@
+##################################################################
+# libcrypto version
+##################################################################
+if [ -z "$uc_with_libcrypto" -o "$uc_with_libcrypto" = "detect" ]; then
+ uc_pkg_config_check_package libcrypto
+
+ min_ver="3.0.0"
+
+ if [ ! -z "$uc_with_libcrypto" ] && [[ "$uc_with_libcrypto" < "$min_ver" ]]; then
+ echo "Error: Requires openSSL >= $min_ver"
+ exit 1
+ fi
+fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.5/microconf/version new/pcr-oracle-0.5.6/microconf/version
--- old/pcr-oracle-0.5.5/microconf/version 2025-04-01 17:09:14.000000000 +0200
+++ new/pcr-oracle-0.5.6/microconf/version 2025-05-13 08:48:20.000000000 +0200
@@ -1 +1 @@
-uc_version=0.5.5
+uc_version=0.5.6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.5/src/efi-variable.c new/pcr-oracle-0.5.6/src/efi-variable.c
--- old/pcr-oracle-0.5.5/src/efi-variable.c 2025-04-01 17:09:14.000000000 +0200
+++ new/pcr-oracle-0.5.6/src/efi-variable.c 2025-05-13 08:48:20.000000000 +0200
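Review bot: The version gate on the `[[ "$uc_with_libcrypto" < "$min_ver" ]]` line is a lexicographic string comparison, so a libcrypto reporting a version such as 10.0.0 would be rejected while 2.9.9 is rejected only because the strings happen to sort that way; `[[` is also a bash extension that fails if microconf runs under plain sh. Since the script already depends on pkg-config for detection, compare numerically, e.g. `if ! pkg-config --atleast-version="$min_ver" libcrypto; then`, or pipe the two versions through `sort -V`. Note also that the whole check sits inside the `-z`/`detect` branch, so an explicit `--with-libcrypto=VERSION` below 3.0.0 bypasses the minimum entirely, and the rsa.c hunks further down call OpenSSL 3.0-only APIs unconditionally, so such a build would only fail at compile time. This presumes uc_pkg_config_check_package stores the detected version in uc_with_libcrypto, which is not visible here.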
@@ -347,6 +347,56 @@
 return HASH_STRATEGY_DATA; /* no idea what would be right */
 }
 
+static const unsigned char uefi_global_guid[16] =
+ {0xcb, 0xb2, 0x19, 0xd7,
+ 0x3a, 0x3d,
+ 0x96, 0x45,
+ 0xa3, 0xbc,
+ 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f};
+static const unsigned char shim_variable_guid[16] =
+ {0x50, 0xab, 0x5d, 0x60,
+ 0x46, 0xe0,
+ 0x00, 0x43,
+ 0xab, 0xb6,
+ 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23};
+
+static tpm_parsed_event_t *
+efi_variable_get_parsed_alt (const tpm_parsed_event_t *parsed)
+{
+ tpm_parsed_event_t *parsed_alt = NULL;
+ const char *var_short_name;
+
+ if (parsed->event_type != TPM2_EFI_VARIABLE_AUTHORITY)
+ return NULL;
+
+ var_short_name = parsed->efi_variable_event.variable_name;
+
+ if (!strcmp(var_short_name, "db") || !strcmp(var_short_name, "MokListRT"))
+ return NULL;
+
+ parsed_alt = malloc(sizeof(tpm_parsed_event_t));
+ if (parsed_alt == NULL)
+ return NULL;
+
+ memcpy(parsed_alt, parsed, sizeof(tpm_parsed_event_t));
+
+ /* Set the alternative database: "MokListRT" <==> "db" */
+ if (!strcmp(var_short_name, "db")) {
+ memcpy(parsed_alt->efi_variable_event.variable_guid, shim_variable_guid, 16);
+ parsed_alt->efi_variable_event.variable_name = "MokListRT";
+ } else
+ if (!strcmp(var_short_name, "MokListRT")) {
+ memcpy(parsed_alt->efi_variable_event.variable_guid, uefi_global_guid, 16);
+ parsed_alt->efi_variable_event.variable_name = "db";
+ }
+
+ /* No event data for this synthesized parsed event */
+ parsed_alt->efi_variable_event.len = 0;
+ parsed_alt->efi_variable_event.data = NULL;
+
+ return parsed_alt;
+}
+
 static const tpm_evdigest_t *
 __tpm_event_efi_variable_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *parsed, tpm_event_log_rehash_ctx_t *ctx)
 {
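Review bot: The guard in efi_variable_get_parsed_alt is inverted: `!strcmp(var_short_name, "db") || !strcmp(var_short_name, "MokListRT")` is true exactly when the variable is db or MokListRT, so the function returns NULL for the two names it is meant to handle, the two name-specific branches below it can never run, and for any other variable name the caller (see the `(parsed_alt = efi_variable_get_parsed_alt(parsed))` condition in the next hunk) receives a verbatim copy with only len/data cleared and treats it as an alternative database. It should read `if (strcmp(var_short_name, "db") && strcmp(var_short_name, "MokListRT")) return NULL;`. Separately, the name uefi_global_guid is misleading: the bytes decode to d719b2cb-3d3a-4596-a3bc-dad00e67656f, which is EFI_IMAGE_SECURITY_DATABASE_GUID (the namespace db lives in), not EFI_GLOBAL_VARIABLE; renaming it `image_security_database_guid` with the comment `/* EFI_IMAGE_SECURITY_DATABASE_GUID in on-disk (mixed-endian) byte order */` would stop a future copy from pairing it with the wrong variable. The memcpy of the whole struct is a shallow copy, so variable_name and the data pointer are shared with parsed; a one-line comment stating that the caller must free only the outer struct would make that contract explicit.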
@@ -357,6 +407,8 @@
 buffer_t *file_data = NULL, *event_data = NULL, *data_to_hash = NULL;
 const tpm_evdigest_t *md = NULL;
 int hash_strategy;
+ char *var_name_alt = NULL;
+ tpm_parsed_event_t *parsed_alt = NULL;
 
 if (!(var_name = tpm_efi_variable_event_extract_full_varname(parsed)))
 fatal("Unable to extract EFI variable name from EFI_VARIABLE event\n");
@@ -381,6 +433,34 @@
 */
 md = tpm_event_get_digest(ev, algo);
 goto out;
+ } else
+ if (file_data == NULL && (parsed_alt = efi_variable_get_parsed_alt(parsed))) {
+ /* If the signer of the next application is not available in the
+ * specified EFI variable of the EFI_VARIABLE_AUTHORITY event,
+ * we may need to look for the signer in another database.
+ *
+ * For example, a testing GRUB2 may be signed with a testing key
+ * enrolled in UEFI db while the original GRUB2 is verified by
+ * the certificate in MokListRT. After installing the testing GRUB2,
+ * the corresponding EFI_VARIABLE_AUTHORITY event will change
+ * in the next boot with signing authority from UEFI db instead of
+ * MokListRT. To predict the EFI_VARIABLE_AUTHORITY event,
+ * 'parsed_alt' is created to contain the path to the alternative
+ * database so we can look for signing authority in the alternative
+ * database. */
+ var_name_alt = (char *)tpm_efi_variable_event_extract_full_varname(parsed_alt);
+ if (var_name_alt == NULL)
+ fatal("Unable to extract EFI variable name from EFI_VARIABLE event(alt)\n");
+ debug("Looking for signing authority in alternative database\n");
+ file_data = efi_variable_authority_get_record(parsed_alt, var_name_alt, ctx);
+ if (file_data == NULL) {
+ warning("Failed to find authority record\n");
+ var_name_alt = NULL;
+ free(parsed_alt);
+ parsed_alt = NULL;
+ } else {
+ warning("Signing authority from different database!\n");
+ }
 }
 } else {
 file_data = runtime_read_efi_variable(var_name);
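Review bot: `var_name_alt = (char *)tpm_efi_variable_event_extract_full_varname(parsed_alt);` casts away the const-ness that the same call's result carries for var_name a few lines up, and nothing in the hunk writes through var_name_alt; declare it `const char *var_name_alt = NULL;` in the preceding declarations hunk and drop the cast. If tpm_efi_variable_event_extract_full_varname returns heap memory (not visible here; the var_name result is not freed in this excerpt either), `var_name_alt = NULL;` on the not-found path drops the only reference, so either free it there or document that the function returns borrowed storage. The fallback also changes what is predicted: when the record turns up in the other database the code continues with a synthesized event after only a warning, and the resulting PCR prediction presumably binds a sealed secret to a signer from a database the firmware did not log; making the message name both variables, e.g. `warning("Signing authority for %s found in %s instead\n", var_name, var_name_alt);`, lets operators audit that decision from the log. The enclosing __tpm_event_efi_variable_rehash body starts and ends outside this hunk.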
@@ -402,14 +482,16 @@ buffers_to_free[num_buffers_to_free++] = file_data; if (hash_strategy == HASH_STRATEGY_EVENT) { - event_data = __tpm_event_efi_variable_build_event(parsed, + event_data = __tpm_event_efi_variable_build_event( + parsed_alt ? parsed_alt : parsed, buffer_read_pointer(file_data), buffer_available(file_data)); if (event_data == NULL) fatal("Unable to re-marshal EFI variable for hashing\n"); if (opt_debug > 1) { - debug(" Remarshaled event for EFI variable %s:\n", var_name); + debug(" Remarshaled event for EFI variable %s:\n", + var_name_alt ? var_name_alt : var_name); hexdump(buffer_read_pointer(event_data), buffer_available(event_data), debug, 8); @@ -428,6 +510,8 @@ out: while (num_buffers_to_free) buffer_free(buffers_to_free[--num_buffers_to_free]); + if (parsed_alt) + free(parsed_alt); return md; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.5/src/rsa.c new/pcr-oracle-0.5.6/src/rsa.c --- old/pcr-oracle-0.5.5/src/rsa.c 2025-04-01 17:09:14.000000000 +0200 +++ new/pcr-oracle-0.5.6/src/rsa.c 2025-05-13 08:48:20.000000000 +0200 @@ -26,9 +26,7 @@ #include <openssl/pem.h> #include <tss2_esys.h> -#if OPENSSL_VERSION_NUMBER >= 0x30000000L #include <openssl/core_names.h> -#endif #include "util.h" #include "rsa.h" @@ -197,23 +195,10 @@ tpm_rsa_key_t * tpm_rsa_generate(unsigned int bits) { - BIGNUM *exp = NULL; - RSA *rsa = NULL; EVP_PKEY *pkey = NULL; - exp = BN_new(); - if (!BN_set_word(exp, RSA_F4)) - goto failed; - - rsa = RSA_new(); - if (!RSA_generate_key_ex(rsa, bits, exp, NULL)) - goto failed; - - BN_free(exp); - exp = NULL; - - pkey = EVP_PKEY_new(); - if (!EVP_PKEY_set1_RSA(pkey, rsa)) + pkey = EVP_RSA_gen(bits); + if (!pkey) goto failed; return tpm_rsa_key_alloc("<generated>", pkey, true); @@ -222,10 +207,6 @@ error("Failed to generate %u bit RSA key\n", bits); if (pkey) EVP_PKEY_free(pkey); - else if (rsa) - RSA_free(rsa); - if (exp) - BN_free(exp); return NULL; } 
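Review bot: The `if (parsed_alt) free(parsed_alt);` added at the `out:` label guards a call that is already a no-op on NULL; `free(parsed_alt);` alone matches the unconditional buffer_free loop above it and reads as the normal cleanup it is. Since parsed_alt is also freed and reset on the not-found path in the earlier hunk, a short comment at `out:` such as `/* parsed_alt is a shallow copy; free only the outer struct */` would record why its members are not released here. The function's body continues outside these hunks.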
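Review bot: With EVP_RSA_gen the only route to `failed:` is pkey == NULL, so the `if (pkey) EVP_PKEY_free(pkey);` that the second rsa.c hunk leaves in place is dead code; reduce the error path to `failed: error("Failed to generate %u bit RSA key\n", bits); return NULL;` or drop the label and return directly. The replacement silently preserves the key parameters the removed code set explicitly, which deserves a comment like `/* EVP_RSA_gen uses the default public exponent F4 (65537), as RSA_generate_key_ex did here */` so the switch is visibly shape-preserving. Because the include hunk removes the last OPENSSL_VERSION_NUMBER guard, adding `#if OPENSSL_VERSION_NUMBER < 0x30000000L` / `#error "pcr-oracle requires OpenSSL >= 3.0"` next to the core_names.h include would turn a misjudged configure check into a clear message rather than an implicit-declaration error for EVP_RSA_gen. There is still no lower bound on bits; rejecting sizes below 2048 here, or documenting where callers enforce it, is cheap insurance for a key that ends up wrapped by the TPM. tpm_rsa_generate spans both rsa.c hunks with some of its lines outside the diff.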
@@ -330,17 +311,6 @@ TPM2B_PUBLIC * tpm_rsa_key_to_tss2(const tpm_rsa_key_t *key) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L - RSA *rsa; - const BIGNUM *n, *e; - - if (!(rsa = EVP_PKEY_get0_RSA(key->pkey))) { - error("%s: cannot extract RSA modulus and exponent - EVP_PKEY_get0_RSA failed\n", key->path); - return NULL; - } - - RSA_get0_key(rsa, &n, &e, NULL); -#else BIGNUM *n = NULL, *e = NULL; if (!EVP_PKEY_get_bn_param(key->pkey, OSSL_PKEY_PARAM_RSA_N, &n)) { @@ -351,7 +321,6 @@ error("%s: cannot extract RSA exponent\n", key->path); return NULL; } -#endif return rsa_pubkey_alloc(n, e, key->path); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.5/src/tpm2key-asn.h new/pcr-oracle-0.5.6/src/tpm2key-asn.h --- old/pcr-oracle-0.5.5/src/tpm2key-asn.h 2025-04-01 17:09:14.000000000 +0200 +++ new/pcr-oracle-0.5.6/src/tpm2key-asn.h 2025-05-13 08:48:20.000000000 +0200 @@ -26,17 +26,7 @@ ASN1_OCTET_STRING *CommandPolicy; } TSSOPTPOLICY; -#if OPENSSL_VERSION_NUMBER < 0x10100000 -DECLARE_STACK_OF(TSSOPTPOLICY); -#define sk_TSSOPTPOLICY_new_null() SKM_sk_new_null(TSSOPTPOLICY) -#define sk_TSSOPTPOLICY_push(sk, policy) SKM_sk_push(TSSOPTPOLICY, sk, policy) -#define sk_TSSOPTPOLICY_pop(sk) SKM_sk_pop(TSSOPTPOLICY, sk) -#define sk_TSSOPTPOLICY_free(sk) SKM_sk_free(TSSOPTPOLICY, sk) -#define sk_TSSOPTPOLICY_num(policy) SKM_sk_num(TSSOPTPOLICY, policy) -#define sk_TSSOPTPOLICY_value(policy, i) SKM_sk_value(TSSOPTPOLICY, policy, i) -#else DEFINE_STACK_OF(TSSOPTPOLICY); -#endif /* * Define the format of optional authorization policy. The policy for 
@@ -56,17 +46,7 @@ STACK_OF(TSSOPTPOLICY) *policy; } TSSAUTHPOLICY; -#if OPENSSL_VERSION_NUMBER < 0x10100000 -DECLARE_STACK_OF(TSSAUTHPOLICY); -#define sk_TSSAUTHPOLICY_new_null() SKM_sk_new_null(TSSAUTHPOLICY) -#define sk_TSSAUTHPOLICY_push(sk, policy) SKM_sk_push(TSSAUTHPOLICY, sk, policy) -#define sk_TSSAUTHPOLICY_pop(sk) SKM_sk_pop(TSSAUTHPOLICY, sk) -#define sk_TSSAUTHPOLICY_free(sk) SKM_sk_free(TSSAUTHPOLICY, sk) -#define sk_TSSAUTHPOLICY_num(policy) SKM_sk_num(TSSAUTHPOLICY, policy) -#define sk_TSSAUTHPOLICY_value(policy, i) SKM_sk_value(TSSAUTHPOLICY, policy, i) -#else DEFINE_STACK_OF(TSSAUTHPOLICY); -#endif /* * Define the format of a TPM key file.