Hello community, here is the log from the commit of package tboot for openSUSE:Factory checked in at 2018-10-25 09:11:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tboot (Old) and /work/SRC/openSUSE:Factory/.tboot.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tboot" Thu Oct 25 09:11:30 2018 rev:36 rq:644201 version:20170711_1.9.8 Changes: --------
--- /work/SRC/openSUSE:Factory/tboot/tboot.changes 2018-09-15 15:41:21.192784743 +0200
+++ /work/SRC/openSUSE:Factory/.tboot.new/tboot.changes 2018-10-25 09:11:30.730319613 +0200
@@ -1,0 +2,10 @@
+Wed Oct 24 08:44:04 UTC 2018 - matthias.gerst...@suse.com
+
+- update to new upstream release 1.9.8:
+ - Skip tboot launch error index read/write when ignore prev err option is true
+ - s3-fix: fix a stack overflow caused by enlarged tb_hash_t union
+ - S3 fix: revert the mis-changed type casting in changeset 522:8e881a07c059
+ - S3-fix: Adding option save_vtd=true to opt-in the vtd table restore
+- rebased patches to match new upstream version
+
+-------------------------------------------------------------------
Old: ---- tboot-1.9.7.tar.gz New: ---- tboot-1.9.8.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tboot.spec ++++++
--- /var/tmp/diff_new_pack.rKPaqF/_old 2018-10-25 09:11:31.150319362 +0200
+++ /var/tmp/diff_new_pack.rKPaqF/_new 2018-10-25 09:11:31.154319359 +0200
@@ -17,7 +17,7 @@
 Name: tboot
-%define ver 1.9.7
+%define ver 1.9.8
 Version: 20170711_%{ver}
 Release: 0
 Summary: Program for performing a verified launch using Intel TXT
++++++ tboot-1.9.7.tar.gz -> tboot-1.9.8.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/.hg_archival.txt new/tboot-1.9.8/.hg_archival.txt
--- old/tboot-1.9.7/.hg_archival.txt 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/.hg_archival.txt 2018-10-18 06:55:47.000000000 +0200
@@ -1,4 +1,5 @@
 repo: cedd93279188334eb41d248d5eb70a41a2bc70ca
-node: fa126d410df0916f0bab32a882349eb401597d5f
+node: bde570f28820ea6cfc4a12fecec9f51e867e28ca
 branch: default
-tag: v1.9.7
+latesttag: v1.9.8
+latesttagdistance: 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/.hgtags new/tboot-1.9.8/.hgtags
--- old/tboot-1.9.7/.hgtags 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/.hgtags 2018-10-18 06:55:47.000000000 +0200
@@ -17,3 +17,6 @@
 698548a9b9fe6201361d19099100f8eb59fad4f6 v1.9.5
 61c17659bb8670e466c3bac8913459848f5f36d5 v1.9.6
 11613463d703e203785b2e4dc9447d76530266c4 v1.9.7
+11613463d703e203785b2e4dc9447d76530266c4 v1.9.7
+fa126d410df0916f0bab32a882349eb401597d5f v1.9.7
+dbc7b1d289f848c3d88a9d4694d67fd409f48039 v1.9.8
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/CHANGELOG new/tboot-1.9.8/CHANGELOG
--- old/tboot-1.9.7/CHANGELOG 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/CHANGELOG 2018-10-18 06:55:47.000000000 +0200
@@ -1,3 +1,8 @@
+20181011: v1.9.8
+ Skip tboot launch error index read/write when ignore prev err option is true
+ s3-fix: fix a stack overflow caused by enlarged tb_hash_t union
+ S3 fix: revert the mis-changed type casting in changeset 522:8e881a07c059
+ S3-fix: Adding option save_vtd=true to opt-in the vtd table restore
 20180830: v1.9.7
 Fix a lot of issues in tools reported by klocwork scan.
 Fix a lot of issues in tboot module reported by klocwork scan.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/README new/tboot-1.9.8/README
--- old/tboot-1.9.7/README 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/README 2018-10-18 06:55:47.000000000 +0200
@@ -315,6 +315,16 @@
 setting provides a way to force use of the legacy log format for TPM 2 systems: force_tpm2_legacy_log=false|true // defaults to false
+o Opt-in the vtd dmar table save/restore process
+ With recent kernel (4.16.3 in fedora28), the acpi table seems changed by
+ kernel. So function restore_vtd_dmar_table() will not work as expected to
+ find the vtd dmar table and restore it in S3 resume, instead, the system will
+ run into a hang or a reset.
+
+ To solve the S3 issue but still keep vtd dmar table save/restore process for
+ specific case, add below option:
+ save_vtd=false|true // defaults to false
+
 PCR Usage:
 ---------
 o Legacy PCR mapping
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/tboot/20_linux_tboot new/tboot-1.9.8/tboot/20_linux_tboot
--- old/tboot-1.9.7/tboot/20_linux_tboot 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/tboot/20_linux_tboot 2018-10-18 06:55:47.000000000 +0200
@@ -201,7 +201,7 @@
 tboot_dirname=`dirname ${current_tboot}`
 rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
 # tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"`
- tboot_version="1.9.7"
+ tboot_version="1.9.8"
 echo "submenu \"tboot ${tboot_version}\" {"
 while [ "x$list" != "x" ] ; do
 linux=`version_find_latest $list`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/tboot/20_linux_xen_tboot new/tboot-1.9.8/tboot/20_linux_xen_tboot
--- old/tboot-1.9.7/tboot/20_linux_xen_tboot 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/tboot/20_linux_xen_tboot 2018-10-18 06:55:47.000000000 +0200
@@ -216,7 +216,7 @@
 tboot_basename=`basename ${current_tboot}`
 tboot_dirname=`dirname ${current_tboot}`
 rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
- tboot_version="1.9.7"
+ tboot_version="1.9.8"
 list="${linux_list}"
 echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{"
 while [ "x$list" != "x" ] ; do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/tboot/Config.mk new/tboot-1.9.8/tboot/Config.mk
--- old/tboot-1.9.7/tboot/Config.mk 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/tboot/Config.mk 2018-10-18 06:55:47.000000000 +0200
@@ -33,7 +33,7 @@
 CFLAGS += $(call cc-option,$(CC),-fno-stack-check,)
 # changeset variable for banner
-CFLAGS += -DTBOOT_CHANGESET=\""$(shell ((hg parents --template "{isodate|isodate} {rev}:{node|short}" >/dev/null && hg parents --template "{isodate|isodate} {rev}:{node|short}") || echo "2018-08-30 18:00 +0800 1.9.7") 2>/dev/null)"\"
+CFLAGS += -DTBOOT_CHANGESET=\""$(shell ((hg parents --template "{isodate|isodate} {rev}:{node|short}" >/dev/null && hg parents --template "{isodate|isodate} {rev}:{node|short}") || echo "2018-10-18 13:00 +0800 1.9.8") 2>/dev/null)"\"
 AFLAGS += -D__ASSEMBLY__
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/tboot/common/cmdline.c new/tboot-1.9.8/tboot/common/cmdline.c
--- old/tboot-1.9.7/tboot/common/cmdline.c 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/tboot/common/cmdline.c 2018-10-18 06:55:47.000000000 +0200
@@ -86,6 +86,7 @@
 { "extpol", "sha1" }, /*agile|embedded|sha1|sha256|sm3|... */
 { "ignore_prev_err", "true"}, /* true|false */
 { "force_tpm2_legacy_log", "false"}, /* true|false */
+ { "save_vtd", "false"}, /* true|false */
 { NULL, NULL }
 };
 static char g_tboot_param_values[ARRAY_SIZE(g_tboot_cmdline_options)][MAX_VALUE_LEN];
@@ -552,6 +553,17 @@
 return false;
 }
+bool get_tboot_save_vtd(void)
+{
+ const char *save_vtd =
+ get_option_val(g_tboot_cmdline_options,
+ g_tboot_param_values,
+ "save_vtd");
+ if ( save_vtd != NULL && strcmp(save_vtd, "true") == 0 )
+ return true;
+ return false;
+}
+
 /*
 * linux kernel command line parsing
 */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/tboot/common/integrity.c new/tboot-1.9.8/tboot/common/integrity.c
--- old/tboot-1.9.7/tboot/common/integrity.c 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/tboot/common/integrity.c 2018-10-18 06:55:47.000000000 +0200
@@ -141,7 +141,7 @@
 {
 /* TPM_Seal can only seal small data (like key or hash), so hash data */
 struct __packed {
- tb_hash_t data_hash;
+ sha256_hash_t data_hash;
 uint8_t secrets[secrets_size];
 } blob;
 uint32_t err;
@@ -149,7 +149,7 @@
 const struct tpm_if_fp *tpm_fp = get_tpm_fp();
 memset(&blob, 0, sizeof(blob));
- if ( !hash_buffer(data, data_size, &blob.data_hash, tpm->cur_alg) ) {
+ if ( !hash_buffer(data, data_size, (tb_hash_t *)&blob.data_hash, TB_HALG_SHA256) ) {
 printk(TBOOT_ERR"failed to hash data\n");
 return false;
 }
@@ -169,7 +169,7 @@
 {
 /* sealed data is hash of state data and optional secret */
 struct __packed {
- tb_hash_t data_hash;
+ sha256_hash_t data_hash;
 uint8_t secrets[secrets_size];
 } blob;
 bool err = true;
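Review bot: get_tboot_save_vtd() carries no comment saying what the option gates or what it defaults to, and the default ("false" in the g_tboot_cmdline_options entry added in the previous hunk) is exactly what an operator chasing the S3 hang described in the README needs to know. Suggest a one-line header above the function: `/* save_vtd=true opts in to saving/restoring the VT-d DMAR table across S3 (see tboot.c); the table default is "false" */`. The body is the same lookup-and-strcmp shape the neighbouring get_tboot_*() getters appear to use (only this one is in the hunk), so if the pattern recurs a small `static bool get_bool_option(const char *name)` helper would keep the truth test in one place; that is a follow-up, not a blocker.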
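Review bot: The cast `(tb_hash_t *)&blob.data_hash` hands hash_buffer() a pointer to a sha256_hash_t while declaring it as the larger tb_hash_t union, so the change is only sound if hash_buffer() touches no more than the SHA-256 member when given TB_HALG_SHA256; a whole-union memset or copy inside it would overrun into `secrets`, the same class of overflow the changelog says this release fixes. That contract is not visible in the hunk and should be recorded at the struct, e.g. `/* fixed SHA-256, independent of tpm->cur_alg: keeps the sealed blob small; hash_buffer() must write only the SHA-256 digest through the cast below */`. Pinning TB_HALG_SHA256 instead of tpm->cur_alg also makes the blob layout independent of the TPM's active bank, which is worth stating so nobody restores cur_alg later and reintroduces the stack overflow. The enclosing seal function begins before the first of these hunks.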
@@ -186,14 +186,14 @@
 goto done;
 }
- /* verify that (hash of) current data maches sealed hash */
+ /* verify that (hash of) current data matches sealed hash */
 tb_hash_t curr_data_hash;
 memset(&curr_data_hash, 0, sizeof(curr_data_hash));
- if ( !hash_buffer(curr_data, curr_data_size, &curr_data_hash, tpm->cur_alg) ) {
+ if ( !hash_buffer(curr_data, curr_data_size, &curr_data_hash, TB_HALG_SHA256) ) {
 printk(TBOOT_WARN"failed to hash state data\n");
 goto done;
 }
- if ( !are_hashes_equal(&blob.data_hash, &curr_data_hash, tpm->cur_alg) ) {
+ if ( !are_hashes_equal((tb_hash_t *)&blob.data_hash, &curr_data_hash, TB_HALG_SHA256) ) {
 printk(TBOOT_WARN"sealed hash does not match current hash\n");
 goto done;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/tboot/common/paging.c new/tboot-1.9.8/tboot/common/paging.c
--- old/tboot-1.9.7/tboot/common/paging.c 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/tboot/common/paging.c 2018-10-18 06:55:47.000000000 +0200
@@ -178,8 +178,8 @@
 for ( i = 0; i < sizeof(pd_table)/TB_L1_PAGETABLE_ENTRIES; i++ ) {
 ppdptre = &pdptr_table[i];
- *ppdptre = MAKE_TB_PDPTE((unsigned long)
- pd_table + i * TB_L1_PAGETABLE_ENTRIES);
+ *ppdptre = MAKE_TB_PDPTE((unsigned long)(
+ pd_table + i * TB_L1_PAGETABLE_ENTRIES));
 }
 /* map serial log address ~ kernel command address */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/tboot/common/tb_error.c new/tboot-1.9.8/tboot/common/tb_error.c
--- old/tboot-1.9.7/tboot/common/tb_error.c 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/tboot/common/tb_error.c 2018-10-18 06:55:47.000000000 +0200
@@ -49,6 +49,7 @@
 #include <tpm.h>
 #include <tboot.h>
 #include <txt/config_regs.h>
+#include <cmdline.h>
 #define TB_LAUNCH_ERR_IDX 0x20000002 /* launch error index */
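Review bot: `are_hashes_equal((tb_hash_t *)&blob.data_hash, &curr_data_hash, TB_HALG_SHA256)` reads through the same narrowing cast as the seal side, so it depends on are_hashes_equal() comparing only the SHA-256 digest length for TB_HALG_SHA256; if it ever compared sizeof(tb_hash_t) bytes it would read past data_hash into `secrets`. Suggest a comment on that line, `/* blob.data_hash is sha256_hash_t: compare exactly the SHA-256 digest */`, plus a compile-time check that sizeof(sha256_hash_t) equals the digest length hash_buffer() writes for TB_HALG_SHA256 (COMPILE_TIME_ASSERT is already used by the tpm_20.c hunk in this same update). The verify algorithm also moves from tpm->cur_alg to SHA-256, so a blob sealed under the old layout will no longer match; that is harmless if this state is re-sealed on every launch but should be noted if anything keeps sealed blobs across an upgrade. The enclosing verify function starts and ends outside the hunk.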
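Review bot: Nothing in the hunk says why the parentheses matter: with the cast outside the addition the offset is `i * TB_L1_PAGETABLE_ENTRIES` elements of pd_table rather than that many bytes, and the changelog calls the old form a mis-changed cast, so this is exactly the line a future cleanup would "simplify" back. Suggest a comment above the assignment: `/* keep the cast outside the parentheses: the offset is in pd_table entries, not bytes */`. The enclosing function starts and ends outside the hunk.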
@@ -145,6 +146,9 @@
 memset(error, 0, size);
+ if ( get_tboot_ignore_prev_err() )
+ return true;
+
 /* read! */
 if ( !tpm_fp->nv_read(tpm, 0, tpm->tb_err_index, 0, (uint8_t *)error, &size) ) {
@@ -168,6 +172,9 @@
 struct tpm_if *tpm = get_tpm();
 const struct tpm_if_fp *tpm_fp = get_tpm_fp();
+ if ( get_tboot_ignore_prev_err() )
+ return true;
+
 if ( !tpm || !tpm_fp || no_err_idx )
 return false;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/tboot/common/tboot.c new/tboot-1.9.8/tboot/common/tboot.c
--- old/tboot-1.9.7/tboot/common/tboot.c 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/tboot/common/tboot.c 2018-10-18 06:55:47.000000000 +0200
@@ -169,7 +169,8 @@
 txt_post_launch();
 /* backup DMAR table */
- save_vtd_dmar_table();
+ if ( get_tboot_save_vtd() )
+ save_vtd_dmar_table();
 if ( s3_flag )
 s3_launch();
@@ -473,7 +474,8 @@
 }
 /* remove DMAR table if necessary */
- remove_vtd_dmar_table();
+ if ( get_tboot_save_vtd() )
+ remove_vtd_dmar_table();
 if ( !is_launched() )
 apply_policy(TB_ERR_S3_INTEGRITY);
@@ -591,7 +593,8 @@
 if ( _tboot_shared.shutdown_type == TB_SHUTDOWN_S3 ) {
 /* restore DMAR table if needed */
- restore_vtd_dmar_table();
+ if ( get_tboot_save_vtd() )
+ restore_vtd_dmar_table();
 if ( tpm->major == TPM20_VER_MAJOR ) {
 tpm_fp->context_flush(tpm, tpm->cur_loc, handle2048);
 tpm_fp->context_load(tpm, tpm->cur_loc, &tpm2_context_saved, &handle2048);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/tboot/common/tpm_20.c new/tboot-1.9.8/tboot/common/tpm_20.c
--- old/tboot-1.9.7/tboot/common/tpm_20.c 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/tboot/common/tpm_20.c 2018-10-18 06:55:47.000000000 +0200
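Review bot: The early `return true` in the read path hands the caller a zeroed, "successful" error record without the TPM NV index ever being consulted, and the matching early return in the write hunk means a failed launch is no longer recorded either; because the g_tboot_cmdline_options entry for ignore_prev_err (context in the cmdline.c hunk of this update) defaults to "true", that is now the behaviour for every installation that does not pass ignore_prev_err=false. That is a real change in what the launch error index is for and deserves a comment at both checks, e.g. `/* ignore_prev_err (default true) skips both reading and recording the launch error index */`, plus a sentence in the README next to the option. Consider also whether the write side should still clear the index when the option is on, otherwise an error recorded earlier could reappear as soon as an operator turns the option off. Both enclosing functions start before their hunks.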
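Review bot: The three `if ( get_tboot_save_vtd() )` guards re-read the option at launch, at the S3 re-launch and at the S3 shutdown, so the remove and restore calls are coupled to the save only by the option string; nothing in the hunk shows that remove_vtd_dmar_table()/restore_vtd_dmar_table() tolerate running without a prior save, so a single `static bool g_vtd_saved` set beside `save_vtd_dmar_table()` and tested at the other two sites would tie them to what actually happened. At minimum the first guard should carry the rationale the README gives, `/* save_vtd defaults to false: the README reports newer kernels change the ACPI tables and restoring the saved DMAR copy on S3 resume hangs or resets */`, since with the default the DMAR table is now neither saved nor restored. All three enclosing functions start outside their hunks.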
@@ -1430,7 +1430,7 @@
 cmd_size = (u8 *)other - cmd_buf;
 reverse_copy(cmd_buf + CMD_SIZE_OFFSET, &cmd_size, sizeof(cmd_size));
- rsp_size = sizeof(*out);
+ rsp_size = sizeof(rsp_buf);
 if (g_tpm_family == TPM_IF_20_FIFO) {
 if (!tpm_submit_cmd(locality, cmd_buf, cmd_size, rsp_buf, &rsp_size))
@@ -1799,8 +1799,8 @@
 cmd_size = (u8 *)other - cmd_buf;
 reverse_copy(cmd_buf + CMD_SIZE_OFFSET, &cmd_size, sizeof(cmd_size));
- rsp_size = sizeof(*out);
-
+ rsp_size = sizeof(rsp_buf);
+
 if (g_tpm_family == TPM_IF_20_FIFO) {
 if (!tpm_submit_cmd(locality, cmd_buf, cmd_size, rsp_buf, &rsp_size))
 return TPM_RC_FAILURE;
@@ -2412,9 +2412,19 @@
 create_in.public.t.public_area.param.keyed_hash.scheme.scheme = TPM_ALG_NULL;
 create_in.public.t.public_area.unique.keyed_hash.t.size = 0;
+ COMPILE_TIME_ASSERT( sizeof(auth_str) - 1 <=
+ sizeof(create_in.sensitive.t.sensitive.user_auth.t.buffer) );
 create_in.sensitive.t.sensitive.user_auth.t.size = sizeof(auth_str) - 1;
 memcpy(&(create_in.sensitive.t.sensitive.user_auth.t.buffer[0]), auth_str, sizeof(auth_str)-1);
+ if ( in_data_size >
+ sizeof(create_in.sensitive.t.sensitive.data.t.buffer) ) {
+ printk(TBOOT_WARN"TPM: input data size to seal is too large:"
+ " %08X(%08x)\n",
+ in_data_size,
+ sizeof(create_in.sensitive.t.sensitive.data.t.buffer));
+ return false;
+ }
 create_in.sensitive.t.sensitive.data.t.size = in_data_size;
 memcpy(&(create_in.sensitive.t.sensitive.data.t.buffer[0]), in_data, in_data_size);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tboot-1.9.7/tboot/include/cmdline.h new/tboot-1.9.8/tboot/include/cmdline.h
--- old/tboot-1.9.7/tboot/include/cmdline.h 2018-09-03 10:43:39.000000000 +0200
+++ new/tboot-1.9.8/tboot/include/cmdline.h 2018-10-18 06:55:47.000000000 +0200
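Review bot: Whatever unpacks the reply into `*out` after the submit (outside the hunk) must now bound itself by sizeof(*out), because `rsp_size = sizeof(rsp_buf)` lets tpm_submit_cmd() accept a reply larger than the output structure where the old sizeof(*out) limit would have failed the call. If the reply is decoded field by field with per-field size checks against `*out` this is fine, but the hunk does not show that, so a comment at the assignment is warranted: `/* allow the full response buffer: the reply can exceed sizeof(*out); the decoder below must bound each field against *out */`. The same change is made in the 1799 hunk and the same note applies there. Both enclosing functions start and end outside the hunks.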
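Review bot: The new bound on `in_data_size` is the right guard, but its warning passes `sizeof(create_in.sensitive.t.sensitive.data.t.buffer)` (a size_t) to a `%08x` conversion; on a 32-bit build this is harmless, yet it is a type mismatch that compiler format checks will flag, so cast it: `(uint32_t)sizeof(create_in.sensitive.t.sensitive.data.t.buffer)`. A short comment above the check, `/* TPM2B sensitive data is a fixed-size buffer: refuse rather than truncate */`, would also say why it returns false instead of clamping. The enclosing function starts and ends outside the hunk.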
@@ -56,6 +56,7 @@
 extern bool get_tboot_measure_nv(void);
 extern void get_tboot_extpol(void);
 extern bool get_tboot_force_tpm2_legacy_log(void);
+extern bool get_tboot_save_vtd(void);
 /* for parse cmdline of linux kernel, say vga and mem */
 extern void linux_parse_cmdline(const char *cmdline);
++++++ tboot-distributor.patch ++++++
--- /var/tmp/diff_new_pack.rKPaqF/_old 2018-10-25 09:11:31.266319292 +0200
+++ /var/tmp/diff_new_pack.rKPaqF/_new 2018-10-25 09:11:31.266319292 +0200
@@ -1,7 +1,7 @@
-Index: tboot-1.9.6/tboot/20_linux_tboot
+Index: tboot-1.9.8/tboot/20_linux_tboot
 ===================================================================
---- tboot-1.9.6.orig/tboot/20_linux_tboot
-+++ tboot-1.9.6/tboot/20_linux_tboot
+--- tboot-1.9.8.orig/tboot/20_linux_tboot
++++ tboot-1.9.8/tboot/20_linux_tboot
 @@ -72,7 +72,7 @@ CLASS="--class gnu-linux --class gnu --c
 if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
 OS=GNU/Linux
@@ -11,10 +11,10 @@ CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
 fi
-Index: tboot-1.9.6/tboot/20_linux_xen_tboot
+Index: tboot-1.9.8/tboot/20_linux_xen_tboot
 ===================================================================
---- tboot-1.9.6.orig/tboot/20_linux_xen_tboot
-+++ tboot-1.9.6/tboot/20_linux_xen_tboot
+--- tboot-1.9.8.orig/tboot/20_linux_xen_tboot
++++ tboot-1.9.8/tboot/20_linux_xen_tboot
 @@ -63,7 +63,7 @@ CLASS="--class gnu-linux --class gnu --c
 if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
 OS=GNU/Linux
++++++ tboot-grub2-fix-menu-in-xen-host-server.patch ++++++
--- /var/tmp/diff_new_pack.rKPaqF/_old 2018-10-25 09:11:31.274319288 +0200
+++ /var/tmp/diff_new_pack.rKPaqF/_new 2018-10-25 09:11:31.278319285 +0200
@@ -23,10 +23,10 @@ References: bnc#865815 Porting to tboot in order to fix duplicated xen entries
-Index: tboot-1.9.7/tboot/20_linux_tboot
+Index: tboot-1.9.8/tboot/20_linux_tboot
 ===================================================================
---- tboot-1.9.7.orig/tboot/20_linux_tboot
-+++ tboot-1.9.7/tboot/20_linux_tboot
+--- tboot-1.9.8.orig/tboot/20_linux_tboot
++++ tboot-1.9.8/tboot/20_linux_tboot
 @@ -225,6 +225,49 @@ while [ "x${tboot_list}" != "x" ] && [ "
 break
 fi
@@ -77,10 +77,10 @@ if test -n "${initrd}" ; then
 echo "Found initrd image: ${dirname}/${initrd}" >&2
 else
-Index: tboot-1.9.7/tboot/20_linux_xen_tboot
+Index: tboot-1.9.8/tboot/20_linux_xen_tboot
 ===================================================================
---- tboot-1.9.7.orig/tboot/20_linux_xen_tboot
-+++ tboot-1.9.7/tboot/20_linux_xen_tboot
+--- tboot-1.9.8.orig/tboot/20_linux_xen_tboot
++++ tboot-1.9.8/tboot/20_linux_xen_tboot
 @@ -52,6 +52,12 @@ fi
 export TEXTDOMAIN=grub
 export TEXTDOMAINDIR=${prefix}/share/locale
++++++ tboot-grub2-fix-xen-submenu-name.patch ++++++
--- /var/tmp/diff_new_pack.rKPaqF/_old 2018-10-25 09:11:31.286319281 +0200
+++ /var/tmp/diff_new_pack.rKPaqF/_new 2018-10-25 09:11:31.286319281 +0200
@@ -4,13 +4,13 @@ References: bnc#865815 Patch-Mainline: no
-Index: tboot-1.9.7/tboot/20_linux_xen_tboot
+Index: tboot-1.9.8/tboot/20_linux_xen_tboot
 ===================================================================
---- tboot-1.9.7.orig/tboot/20_linux_xen_tboot
-+++ tboot-1.9.7/tboot/20_linux_xen_tboot
+--- tboot-1.9.8.orig/tboot/20_linux_xen_tboot
++++ tboot-1.9.8/tboot/20_linux_xen_tboot
 @@ -232,7 +232,7 @@ while [ "x${xen_list}" != "x" ] ; do
 rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
- tboot_version="1.9.7"
+ tboot_version="1.9.8"
 list="${linux_list}"
- echo "submenu \"Xen ${xen_version}\" \"Tboot ${tboot_version}\"{"
+ echo "submenu \"Xen ${xen_version} with Tboot ${tboot_version}\"{"