Hello community, here is the log from the commit of package ima-evm-utils for openSUSE:Factory checked in at 2020-11-02 09:39:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ima-evm-utils (Old) and /work/SRC/openSUSE:Factory/.ima-evm-utils.new.3463 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ima-evm-utils" Mon Nov 2 09:39:48 2020 rev:19 rq:844713 version:1.3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/ima-evm-utils/ima-evm-utils.changes 2020-10-02 17:17:31.146111718 +0200 +++ /work/SRC/openSUSE:Factory/.ima-evm-utils.new.3463/ima-evm-utils.changes 2020-11-02 09:39:53.969581489 +0100 @@ -1,0 +2,13 @@ +Thu Oct 29 06:12:46 UTC 2020 - Petr Vorel <pvo...@suse.cz> + +- Update to version 1.3.2 + * Bugfixes: importing keys + * NEW: Docker based travis distro testing + * Travis bugfixes, code cleanup, software version update, + and script removal + * Initial travis testing +- Remove 0001-help-Add-missing-new-line-for-ignore-violations.patch + (patch from this release) +- Add make check + dependencies (getfattr => attr, xxd => vim) + +------------------------------------------------------------------- Old: ---- 0001-help-Add-missing-new-line-for-ignore-violations.patch ima-evm-utils-1.3.1.tar.gz New: ---- ima-evm-utils-1.3.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ima-evm-utils.spec ++++++ --- /var/tmp/diff_new_pack.8saiuV/_old 2020-11-02 09:39:54.425581927 +0100 +++ /var/tmp/diff_new_pack.8saiuV/_new 2020-11-02 09:39:54.429581931 +0100 @@ -19,15 +19,15 @@ %define sover 2 %define libname libimaevm%{sover} Name: ima-evm-utils -Version: 1.3.1 +Version: 1.3.2 Release: 0 Summary: IMA/EVM control utility License: LGPL-2.1-or-later Group: System/Base URL: http://sourceforge.net/projects/linux-ima/ Source0: http://downloads.sourceforge.net/project/linux-ima/ima-evm-utils/%{name}-%{version}.tar.gz -Patch1: 0001-help-Add-missing-new-line-for-ignore-violations.patch BuildRequires: asciidoc +BuildRequires: attr BuildRequires: autoconf BuildRequires: automake BuildRequires: docbook-xsl-stylesheets 
@@ -38,6 +38,7 @@ BuildRequires: openssl-devel BuildRequires: pkgconfig BuildRequires: tpm2-0-tss-devel +BuildRequires: vim %description This package provides the control utility for IMA/EVM (Integrity @@ -86,6 +87,9 @@ rm -rf %{buildroot}%{_datadir}/doc find %{buildroot} -type f -name "*.la" -delete -print +%check +make %{?_smp_mflags} check + %post -n %{libname} -p /sbin/ldconfig %postun -n %{libname} -p /sbin/ldconfig ++++++ ima-evm-utils-1.3.1.tar.gz -> ima-evm-utils-1.3.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/.travis.yml new/ima-evm-utils-1.3.2/.travis.yml --- old/ima-evm-utils-1.3.1/.travis.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/.travis.yml 2020-10-28 18:18:08.000000000 +0100 
@@ -0,0 +1,78 @@ +dist: bionic +language: C +services: + - docker + +matrix: + include: + # 32 bit build + - os: linux + env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss + compiler: gcc + + # cross compilation builds + - os: linux + env: DISTRO=debian:stable VARIANT=cross-compile ARCH=ppc64el TSS=ibmtss + compiler: powerpc64le-linux-gnu-gcc + + - os: linux + env: DISTRO=debian:stable VARIANT=cross-compile ARCH=arm64 TSS=tpm2-tss + compiler: aarch64-linux-gnu-gcc + + - os: linux + env: DISTRO=debian:stable VARIANT=cross-compile ARCH=s390x TSS=ibmtss + compiler: s390x-linux-gnu-gcc + + # musl + - os: linux + env: DISTRO=alpine:latest TSS=tpm2-tss + compiler: gcc + + # glibc (gcc/clang) + - os: linux + env: DISTRO=opensuse/tumbleweed TSS=ibmtss + compiler: clang + + - os: linux + env: DISTRO=opensuse/leap TSS=tpm2-tss + compiler: gcc + + - os: linux + env: DISTRO=ubuntu:eoan TSS=ibmtss + compiler: gcc + + - os: linux + env: DISTRO=ubuntu:xenial TSS=tpm2-tss + compiler: clang + + - os: linux + env: DISTRO=fedora:latest TSS=ibmtss + compiler: clang + + - os: linux + env: DISTRO=centos:7 TSS=tpm2-tss + compiler: gcc + + - os: linux + env: DISTRO=centos:latest TSS=tpm2-tss + compiler: clang + + - os: linux + env: DISTRO=debian:testing TSS=tpm2-tss + compiler: clang + + - os: linux + env: DISTRO=debian:stable TSS=ibmtss + compiler: gcc + +before_install: + - df -hT + - DIR="/usr/src/ima-evm-utils" + - printf "FROM $DISTRO\nRUN mkdir -p $DIR\nWORKDIR $DIR\nCOPY . $DIR\n" > Dockerfile + - cat Dockerfile + - docker build -t ima-evm-utils . + +script: + - INSTALL="${DISTRO%%:*}" + - INSTALL="${INSTALL%%/*}" + - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ ! 
\"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/Makefile.am new/ima-evm-utils-1.3.2/Makefile.am --- old/ima-evm-utils-1.3.1/Makefile.am 2020-08-11 13:19:04.000000000 +0200 +++ new/ima-evm-utils-1.3.2/Makefile.am 2020-10-28 18:18:08.000000000 +0100 @@ -1,5 +1,7 @@ SUBDIRS = src tests +if MANPAGE_DOCBOOK_XSL dist_man_MANS = evmctl.1 +endif doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh EXTRA_DIST = autogen.sh $(doc_DATA) @@ -23,6 +25,7 @@ cp $(tarname) $(SRCS)/ rpmbuild -ba --nodeps $(SPEC) +if MANPAGE_DOCBOOK_XSL evmctl.1.html: README @asciidoc -o $@ $< @@ -35,5 +38,6 @@ rm -f evmctl.1 doc: evmctl.1.html rmman evmctl.1 +endif .PHONY: $(tarname) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/NEWS new/ima-evm-utils-1.3.2/NEWS --- old/ima-evm-utils-1.3.1/NEWS 2020-08-11 13:19:04.000000000 +0200 +++ new/ima-evm-utils-1.3.2/NEWS 2020-10-28 18:18:08.000000000 +0100 @@ -1,3 +1,12 @@ +2020-10-28 Mimi Zohar <zo...@linux.ibm.com> + + version 1.3.2: + * Bugfixes: importing keys + * NEW: Docker based travis distro testing + * Travis bugfixes, code cleanup, software version update, + and script removal + * Initial travis testing + 2020-08-11 Mimi Zohar <zo...@linux.ibm.com> version 1.3.1: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/README new/ima-evm-utils-1.3.2/README --- old/ima-evm-utils-1.3.1/README 2020-08-11 13:19:04.000000000 +0200 +++ new/ima-evm-utils-1.3.2/README 2020-10-28 18:18:08.000000000 +0100 
@@ -28,6 +28,7 @@ import [--rsa] pubkey keyring sign [-r] [--imahash | --imasig ] [--portable] [--key key] [--pass password] file verify file + ima_boot_aggregate [--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log] ima_sign [--sigfile] [--key key] [--pass password] file ima_verify file ima_hash file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/autogen.sh new/ima-evm-utils-1.3.2/autogen.sh --- old/ima-evm-utils-1.3.1/autogen.sh 2020-08-11 13:19:04.000000000 +0200 +++ new/ima-evm-utils-1.3.2/autogen.sh 2020-10-28 18:18:08.000000000 +0100 @@ -1,16 +1,4 @@ #! /bin/sh - set -e -# new way -# strange, but need this for Makefile.am, because it has -I m4 -test -d m4 || mkdir m4 -autoreconf -f -i - -# old way -#libtoolize --automake --copy --force -#aclocal -#autoconf --force -#autoheader --force -#automake --add-missing --copy --force-missing --gnu - +autoreconf -i diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/build.sh new/ima-evm-utils-1.3.2/build.sh --- old/ima-evm-utils-1.3.1/build.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/build.sh 2020-10-28 18:18:08.000000000 +0100 
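Review bot: Replacing `autoreconf -f -i` with `autoreconf -i` (autogen.sh hunk) drops `--force`, so auxiliary files already present in a checkout are no longer refreshed when the installed autotools differ from the ones that produced them. That is presumably deliberate for the fresh travis containers, but a developer switching toolchain versions on an existing tree may now need `autoreconf -fi` by hand; a one-line comment such as `# use 'autoreconf -fi' to regenerate stale auxiliary files` would record that.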
@@ -0,0 +1,97 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel <pvo...@suse.cz> + +set -e + +CC="${CC:-gcc}" +CFLAGS="${CFLAGS:--Wformat -Werror=format-security -Werror=implicit-function-declaration -Werror=return-type -fno-common}" +PREFIX="${PREFIX:-$HOME/ima-evm-utils-install}" + +export LD_LIBRARY_PATH="$PREFIX/lib64:$PREFIX/lib:/usr/local/lib64:/usr/local/lib" +export PATH="$PREFIX/bin:/usr/local/bin:$PATH" + +title() +{ + echo "===== $1 =====" +} + +log_exit() +{ + local ret="${3:-$?}" + local log="$1" + local msg="$2" + local prefix + + echo "=== $log ===" + [ $ret -eq 0 ] || prefix="FAIL: " + cat $log + echo + echo "$prefix$msg, see output of $log above" + exit $ret +} + +cd `dirname $0` + +case "$VARIANT" in + i386) + echo "32-bit compilation" + export CFLAGS="-m32 $CFLAGS" LDFLAGS="-m32 $LDFLAGS" + export PKG_CONFIG_LIBDIR=/usr/lib/i386-linux-gnu/pkgconfig + ;; + cross-compile) + host="${CC%-gcc}" + export CROSS_COMPILE="${host}-" + host="--host=$host" + echo "cross compilation: $host" + echo "CROSS_COMPILE: '$CROSS_COMPILE'" + ;; + *) + if [ "$VARIANT" ]; then + echo "Wrong VARIANT: '$VARIANT'" >&2 + exit 1 + fi + echo "native build" + ;; +esac + +title "compiler version" +$CC --version +echo "CFLAGS: '$CFLAGS'" +echo "LDFLAGS: '$LDFLAGS'" +echo "PREFIX: '$PREFIX'" + +title "configure" +./autogen.sh +./configure --prefix=$PREFIX $host || log_exit config.log "configure failed" + +title "make" +make -j$(nproc) +make install + +title "test" +if [ "$VARIANT" = "cross-compile" ]; then + echo "skip make check on cross compilation" + exit 0 +fi + +ret=0 +VERBOSE=1 make check || ret=$? 
+ +title "logs" +if [ $ret -eq 0 ]; then + tail -3 tests/ima_hash.log + tail -3 tests/sign_verify.log + tail -20 tests/boot_aggregate.log + exit 0 +fi + +cat tests/test-suite.log + +if [ $ret -eq 77 ]; then + msg="WARN: some tests skipped" + ret=0 +else + msg="FAIL: tests exited: $ret" +fi + +log_exit tests/test-suite.log "$msg" $ret diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/configure.ac new/ima-evm-utils-1.3.2/configure.ac --- old/ima-evm-utils-1.3.1/configure.ac 2020-08-11 13:19:04.000000000 +0200 +++ new/ima-evm-utils-1.3.2/configure.ac 2020-10-28 18:18:08.000000000 +0100 @@ -1,7 +1,7 @@ # autoconf script AC_PREREQ([2.65]) -AC_INIT(ima-evm-utils, 1.3.1, zo...@linux.ibm.com) +AC_INIT(ima-evm-utils, 1.3.2, zo...@linux.ibm.com) AM_INIT_AUTOMAKE([foreign]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) @@ -30,9 +30,9 @@ AC_CHECK_HEADER(unistd.h) AC_CHECK_HEADERS(openssl/conf.h) -AC_CHECK_LIB([tss2-esys], [Esys_PCR_Read]) +AC_CHECK_LIB([tss2-esys], [Esys_Free]) AC_CHECK_LIB([tss2-rc], [Tss2_RC_Decode]) -AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_PCR_Read" = "xyes"]) +AM_CONDITIONAL([USE_PCRTSS], [test "x$ac_cv_lib_tss2_esys_Esys_Free" = "xyes"]) AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])]) AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])]) 
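Review bot: `cd \`dirname $0\`` in the middle of the hunk and `cat $log` inside `log_exit` leave their paths unquoted, so a checkout path containing whitespace breaks the script; sign_verify.test in this same series already uses the quoted form, and `cd "$(dirname "$0")"` together with `cat "$log"` would match it. The `[ $ret -eq 77 ]` branch at the end assumes `make check` propagates a skip status; automake's test harness reports SKIP results but exits 0 for them, so this branch may be unreachable unless the check target is custom — worth confirming against tests/Makefile.am, which is outside the hunk. `local` in `log_exit` is not POSIX sh, though dash and busybox accept it.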
@@ -77,6 +77,7 @@ echo "Configuration:" echo " debug: $pkg_cv_enable_debug" echo " openssl-conf: $enable_openssl_conf" -echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_PCR_Read" +echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free" echo " tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode" +echo " doc: $have_doc" echo diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/m4/manpage-docbook-xsl.m4 new/ima-evm-utils-1.3.2/m4/manpage-docbook-xsl.m4 --- old/ima-evm-utils-1.3.1/m4/manpage-docbook-xsl.m4 2020-08-11 13:19:04.000000000 +0200 +++ new/ima-evm-utils-1.3.2/m4/manpage-docbook-xsl.m4 2020-10-28 18:18:08.000000000 +0100 @@ -1,7 +1,10 @@ -dnl Copyright (c) 2018 Petr Vorel <pvo...@suse.cz> +dnl Copyright (c) 2018-2020 Petr Vorel <pvo...@suse.cz> dnl Find docbook manpage stylesheet AC_DEFUN([EVMCTL_MANPAGE_DOCBOOK_XSL], [ + DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current" + DOCBOOK_XSL_PATH="manpages/docbook.xsl" + AC_PATH_PROGS(XMLCATALOG, xmlcatalog) AC_ARG_WITH([xml-catalog], AC_HELP_STRING([--with-xml-catalog=CATALOG], 
@@ -9,20 +12,37 @@ [with_xml_catalog=/etc/xml/catalog]) XML_CATALOG_FILE="$with_xml_catalog" AC_SUBST([XML_CATALOG_FILE]) - AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)]) - if test -f "$XML_CATALOG_FILE"; then - have_xmlcatalog_file=yes - AC_MSG_RESULT([found]) + + if test "x${XMLCATALOG}" = "x"; then + AC_MSG_WARN([xmlcatalog not found, cannot search for $DOCBOOK_XSL_PATH]) else - AC_MSG_RESULT([not found]) + AC_MSG_CHECKING([for XML catalog ($XML_CATALOG_FILE)]) + if test -f "$XML_CATALOG_FILE"; then + have_xmlcatalog_file=yes + AC_MSG_RESULT([found]) + else + AC_MSG_RESULT([not found, cannot search for $DOCBOOK_XSL_PATH]) + fi fi + if test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"; then - DOCBOOK_XSL_URI="http://docbook.sourceforge.net/release/xsl/current" - DOCBOOK_XSL_PATH="manpages/docbook.xsl" - MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed -n 's|^file:/\+|/|p;q') + MANPAGE_DOCBOOK_XSL=$(${XMLCATALOG} ${XML_CATALOG_FILE} ${DOCBOOK_XSL_URI}/${DOCBOOK_XSL_PATH} | sed 's|^file:/\+|/|') fi + if test "x${MANPAGE_DOCBOOK_XSL}" = "x"; then MANPAGE_DOCBOOK_XSL="/usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl" + AC_MSG_WARN([trying a default path for $DOCBOOK_XSL_PATH]) fi + + if test -f "$MANPAGE_DOCBOOK_XSL"; then + have_doc=yes + AC_MSG_NOTICE([using $MANPAGE_DOCBOOK_XSL for generating doc]) + else + AC_MSG_WARN([$DOCBOOK_XSL_PATH not found, generating doc will be skipped]) + MANPAGE_DOCBOOK_XSL= + have_doc=no + fi + AM_CONDITIONAL(MANPAGE_DOCBOOK_XSL, test "x$have_doc" = xyes) + AC_SUBST(MANPAGE_DOCBOOK_XSL) ]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/packaging/ima-evm-utils.spec new/ima-evm-utils-1.3.2/packaging/ima-evm-utils.spec --- old/ima-evm-utils-1.3.1/packaging/ima-evm-utils.spec 2020-08-11 13:19:04.000000000 +0200 +++ new/ima-evm-utils-1.3.2/packaging/ima-evm-utils.spec 2020-10-28 
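Review bot: The new `MANPAGE_DOCBOOK_XSL=$(... | sed 's|^file:/\+|/|')` drops the `-n '…p;q'` of the old expression, so the variable now receives every line xmlcatalog writes rather than a single path; if the catalog resolves the URI to more than one line, or prints a non-`file:` line first, the later `test -f "$MANPAGE_DOCBOOK_XSL"` fails and configure silently falls back to the default path. If the change was made because xmlcatalog can return a plain path without the `file:` prefix, `sed 's|^file:/\+|/|;q'` keeps that behaviour and still yields exactly one line. Separately, `test "x${XMLCATALOG}" != "x" -a "x$have_xmlcatalog_file" = "xyes"` uses the obsolescent `-a`; `test "x${XMLCATALOG}" != "x" && test "x$have_xmlcatalog_file" = "xyes"` is the portable spelling.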
18:18:08.000000000 +0100 @@ -1,5 +1,5 @@ Name: ima-evm-utils -Version: 1.3.1 +Version: 1.3.2 Release: 1%{?dist} Summary: ima-evm-utils - IMA/EVM control utility Group: System/Libraries diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/src/evmctl.c new/ima-evm-utils-1.3.2/src/evmctl.c --- old/ima-evm-utils-1.3.1/src/evmctl.c 2020-08-11 13:19:04.000000000 +0200 +++ new/ima-evm-utils-1.3.2/src/evmctl.c 2020-10-28 18:18:08.000000000 +0100 @@ -221,7 +221,7 @@ fclose(fp); return NULL; } - if (fread(data, len, 1, fp) != len) { + if (fread(data, len, 1, fp) != 1) { log_err("Failed to fread %zu bytes: %s\n", len, name); fclose(fp); free(data); @@ -2467,7 +2467,7 @@ " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n" " --verify-sig verify measurement list signatures\n" " --engine e preload OpenSSL engine e (such as: gost)\n" - " --ignore-violations ignore ToMToU measurement violations" + " --ignore-violations ignore ToMToU measurement violations\n" " -v increase verbosity level\n" " -h, --help display this help and exit\n" "\n"); 
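Review bot: The corrected `fread(data, len, 1, fp) != 1` in the first evmctl.c hunk now treats `len == 0` as a failure, because fread with a zero-sized element returns 0, whereas the old `!= len` comparison accepted an empty file at that point. If empty inputs are not meaningful for this reader that is the right outcome; otherwise `if (len && fread(data, len, 1, fp) != 1)` keeps them readable. Whether len can be zero depends on how it is computed above the hunk, and the enclosing function starts outside it, so this needs confirming against the full function.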
@@ -2485,7 +2485,7 @@ {"ima_setxattr", cmd_setxattr_ima, 0, "[--sigfile file]", "Set IMA signature from sigfile\n"}, {"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"}, {"ima_measurement", cmd_ima_measurement, 0, "[--ignore-violations] [--verify-sig [--key key1, key2, ...]] [--pcrs [hash-algorithm,]file [--pcrs hash-algorithm,file] ...] file", "Verify measurement list (experimental).\n"}, - {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[file]", "Calculate per TPM bank boot_aggregate digests\n"}, + {"ima_boot_aggregate", cmd_ima_bootaggr, 0, "[--pcrs hash-algorithm,file] [TPM 1.2 BIOS event log]", "Calculate per TPM bank boot_aggregate digests\n"}, {"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"}, {"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"}, {"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"}, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/tests/boot_aggregate.test new/ima-evm-utils-1.3.2/tests/boot_aggregate.test --- old/ima-evm-utils-1.3.1/tests/boot_aggregate.test 2020-08-11 13:19:04.000000000 +0200 +++ new/ima-evm-utils-1.3.2/tests/boot_aggregate.test 2020-10-28 18:18:08.000000000 +0100 
@@ -26,44 +26,49 @@ PCRFILE="/sys/class/tpm/tpm0/device/pcrs" MISC_PCRFILE="/sys/class/misc/tpm0/device/pcrs" -if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then - ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements" -else - BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9" - ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9" - export TPM_INTERFACE_TYPE="socsim" - export TPM_COMMAND_PORT=2321 -fi - -# Only stop this test's software TPM. Preferred method: "tsstpmcmd -stop" +# Only stop this test's software TPM cleanup() { - if [ ! -z "${SWTPM_PPID}" ]; then - if [ -f "${TSSDIR}/tsstpmcmd" ]; then - "${TSSDIR}/tsstpmcmd" -stop - else - pkill -P "${SWTPM_PPID}" - fi + if [ -n "${SWTPM_PID}" ]; then + kill -SIGTERM "${SWTPM_PID}" + elif [ -n "${TPMSERVER_PID}" ]; then + "${TSSDIR}/tsstpmcmd" -stop fi } # Try to start a software TPM if needed. swtpm_start() { - local swtpm + local tpm_server swtpm - swtpm="$(which tpm_server)" - if [ -z "${swtpm}" ]; then - echo "${CYAN}SKIP: Softare TPM (tpm_server) not found${NORM}" + tpm_server="$(which tpm_server)" + swtpm="$(which swtpm)" + if [ -z "${tpm_server}" ] && [ -z "${swtpm}" ]; then + echo "${CYAN}SKIP: Software TPM (tpm_server and swtpm) not found${NORM}" return "$SKIP" fi - pgrep tpm_server - if [ $? -eq 0 ]; then - echo "INFO: Software TPM (tpm_server) already running" - return 114 - else - echo "INFO: Starting software TPM: ${swtpm}" - ${swtpm} > /dev/null 2>&1 & - SWTPM_PPID=$! + if [ -n "${swtpm}" ]; then + pgrep swtpm + if [ $? -eq 0 ]; then + echo "INFO: Software TPM (swtpm) already running" + return 114 + else + echo "INFO: Starting software TPM: ${swtpm}" + mkdir -p ./myvtpm + ${swtpm} socket --tpmstate dir=./myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init > /dev/null 2>&1 & + SWTPM_PID=$! 
+ fi + elif [ -n "${tpm_server}" ]; then + # tpm_server uses the Microsoft simulator encapsulated packet format + export TPM_SERVER_TYPE="mssim" + pgrep tpm_server + if [ $? -eq 0 ]; then + echo "INFO: Software TPM (tpm_server) already running" + return 114 + else + echo "INFO: Starting software TPM: ${tpm_server}" + ${tpm_server} > /dev/null 2>&1 & + TPMSERVER_PID=$! + fi fi return 0 } @@ -75,8 +80,20 @@ return "$SKIP" fi - echo "INFO: Walking ${BINARY_BIOS_MEASUREMENTS} initializing the software TPM" + echo "INFO: Sending software TPM startup" "${TSSDIR}/tssstartup" + if [ $? -ne 0 ]; then + echo "INFO: Retry sending software TPM startup" + sleep 1 + "${TSSDIR}/tssstartup" + fi + + if [ $? -ne 0 ]; then + echo "INFO: Software TPM startup failed" + return "$SKIP" + fi + + echo "INFO: Walking ${BINARY_BIOS_MEASUREMENTS} initializing the software TPM" # $(${TSSDIR}/tsseventextend -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v) 2>&1 > /dev/null "${TSSDIR}/tsseventextend" -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v > /dev/null 2>&1 } @@ -101,7 +118,7 @@ done } -# The first entry in the IMA measuremnet list is the "boot_aggregate". +# The first entry in the IMA measurement list is the "boot_aggregate". # For each kexec, an additional "boot_aggregate" will appear in the # measurement list, assuming the previous measurement list is carried # across the kexec. 
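Review bot: The `swtpm socket ... --ctrl type=tcp,port=2322 --server type=tcp,port=2321` start in swtpm_start listens on fixed TCP ports with no `bindaddr=`, and the preceding `pgrep swtpm` treats any process whose name contains swtpm as "already running", so the test talks to whichever TPM answers on 2321 rather than necessarily its own instance. Passing `bindaddr=127.0.0.1` explicitly on both sockets (if swtpm's default is not loopback-only — worth confirming) and narrowing the match to `pgrep -x swtpm >/dev/null` would tighten that, and the redirect also keeps the PID list out of the test log. The `./myvtpm` state directory created with `mkdir -p` is never removed by cleanup(), so NV state persists between runs and remains in the source tree; `rm -rf ./myvtpm` in cleanup() or a `mktemp -d` directory avoids both.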
@@ -133,6 +150,24 @@ return "$FAIL" } +if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then + ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements" + if [ ! -d "/sys/kernel/security/ima" ]; then + echo "${CYAN}SKIP: CONFIG_IMA not enabled${NORM}" + exit "$SKIP" + fi +else + BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9" + ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9" + export TPM_INTERFACE_TYPE="socsim" + export TPM_COMMAND_PORT=2321 + export TPM_PLATFORM_PORT=2322 + export TPM_SERVER_NAME="localhost" + + # swtpm uses the raw, unencapsulated packet format + export TPM_SERVER_TYPE="raw" +fi + # Start and initialize a software TPM as needed if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then if [ -f "$PCRFILE" ] || [ -f "$MISC_PCRFILE" ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/tests/install-swtpm.sh new/ima-evm-utils-1.3.2/tests/install-swtpm.sh --- old/ima-evm-utils-1.3.1/tests/install-swtpm.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/tests/install-swtpm.sh 2020-10-28 18:18:08.000000000 +0100 @@ -0,0 +1,13 @@ +#!/bin/sh +set -ex + +version=1637 + +wget --no-check-certificate https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${version}.tar.gz/download +mkdir ibmtpm$version +cd ibmtpm$version +tar -xvzf ../download +cd src +make -j$(nproc) +sudo cp tpm_server /usr/local/bin/ +cd ../.. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/tests/install-tss.sh new/ima-evm-utils-1.3.2/tests/install-tss.sh --- old/ima-evm-utils-1.3.1/tests/install-tss.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/tests/install-tss.sh 2020-10-28 18:18:08.000000000 +0100 
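Review bot: The `SKIP: CONFIG_IMA not enabled` message in the added root branch is keyed on `/sys/kernel/security/ima` being absent, but that directory is also missing when securityfs is simply not mounted. A message such as `SKIP: /sys/kernel/security/ima not present (CONFIG_IMA disabled or securityfs not mounted)` avoids sending a user to the wrong diagnosis.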
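Review bot: `wget --no-check-certificate https://sourceforge.net/...` in tests/install-swtpm.sh disables TLS certificate verification for a download that is then compiled and copied into `/usr/local/bin` with `sudo`, and nothing checks the archive's integrity afterwards, so the tpm_server binary the suite tests against is whatever answered that request. Since `version=1637` already pins the release, drop the flag and verify the tarball against a known digest: `wget -O "ibmtpm${version}.tar.gz" https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${version}.tar.gz/download`, then `echo "<SHA256_OF_ibmtpm1637_TARBALL>  ibmtpm${version}.tar.gz" | sha256sum -c -`, and extract with `tar -xvzf "../ibmtpm${version}.tar.gz"`. If the flag was added because a CI image lacks CA certificates, installing `ca-certificates` in the per-distro travis scripts fixes that without weakening the check.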
@@ -0,0 +1,8 @@ +#!/bin/sh + +set -ex +git clone https://git.code.sf.net/p/ibmtpm20tss/tss +cd tss +autoreconf -i && ./configure --disable-tpm-1.2 --disable-hwtpm && make -j$(nproc) && sudo make install +cd .. +rm -rf tss diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/tests/sign_verify.test new/ima-evm-utils-1.3.2/tests/sign_verify.test --- old/ima-evm-utils-1.3.1/tests/sign_verify.test 2020-08-11 13:19:04.000000000 +0200 +++ new/ima-evm-utils-1.3.2/tests/sign_verify.test 2020-10-28 18:18:08.000000000 +0100 @@ -18,7 +18,14 @@ cd "$(dirname "$0")" || exit 1 PATH=../src:$PATH source ./functions.sh -_require evmctl openssl xxd getfattr + +_require cmp evmctl getfattr openssl xxd + +if cmp -b 2>&1 | grep -q "invalid option"; then + echo "cmp does not support -b (cmp from busybox?) Use cmp from diffutils" + exit "$HARDFAIL" +fi + ./gen-keys.sh >/dev/null 2>&1 trap _report_exit EXIT @@ -93,7 +100,8 @@ return "$FAIL" fi - rm "$file_sig" "$file_sig2" + # Leave '$file_sig' for ima_verify --sigfile test. + rm "$file_sig2" } # Run single sign command @@ -254,9 +262,12 @@ # Normal verify with proper key should pass expect_pass check_verify + expect_pass check_verify OPTS="--sigfile" # Multiple files and some don't verify expect_fail check_verify FILE="/dev/null $file" + + rm "$FILE.sig" fi TYPE=evm diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/travis/alpine.sh new/ima-evm-utils-1.3.2/travis/alpine.sh --- old/ima-evm-utils-1.3.1/travis/alpine.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/travis/alpine.sh 2020-10-28 18:18:08.000000000 +0100 
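Review bot: `git clone https://git.code.sf.net/p/ibmtpm20tss/tss` in tests/install-tss.sh builds and `sudo make install`s whatever the branch head is at run time, so the TSS the CI links against is unpinned and an upstream regression — or a compromised upstream commit — changes the result with no change in this repository. Pinning with `git clone --branch <TSS_TAG> --depth 1 https://git.code.sf.net/p/ibmtpm20tss/tss` (or a `git checkout <TSS_COMMIT>` after the clone) makes the job reproducible and puts the chosen revision under review; the `version=1637` pin in tests/install-swtpm.sh is the pattern to mirror.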
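Review bot: The busybox detection `cmp -b 2>&1 | grep -q "invalid option"` in the first sign_verify.test hunk depends on the exact wording of one implementation's usage error; GNU cmp reports a missing operand for that invocation so it passes there, but another non-GNU cmp may word its rejection differently and slip through to a confusing failure later. A direct probe such as `cmp --version 2>/dev/null | grep -q GNU` would express the stated requirement ("cmp from diffutils") — hedged, because the hunk does not show which cmp variants the suite means to support. In the last hunk, `rm "$FILE.sig"` relies on `FILE` being bound in that scope; if `FILE` is only set per command by `expect_fail check_verify FILE=...`, this removes `.sig` instead of the signature file, so it is worth confirming against the rest of the file, which is outside the hunk.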
@@ -0,0 +1,50 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel <pvo...@suse.cz> +set -ex + +if [ -z "$CC" ]; then + echo "missing \$CC!" >&2 + exit 1 +fi + +case "$TSS" in +ibmtss) echo "No IBM TSS package, will be installed from git" >&2; TSS=;; +tpm2-tss) TSS="tpm2-tss-dev";; +'') echo "Missing TSS!" >&2; exit 1;; +*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;; +esac + +# ibmswtpm2 requires gcc +[ "$CC" = "gcc" ] || CC="gcc $CC" + +apk update + +apk add \ + $CC $TSS \ + asciidoc \ + attr \ + attr-dev \ + autoconf \ + automake \ + diffutils \ + docbook-xml \ + docbook-xsl \ + keyutils-dev \ + libtool \ + libxslt \ + linux-headers \ + make \ + musl-dev \ + openssl \ + openssl-dev \ + pkgconfig \ + procps \ + sudo \ + wget \ + which \ + xxd + +if [ ! "$TSS" ]; then + apk add git + ../tests/install-tss.sh +fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/travis/centos.sh new/ima-evm-utils-1.3.2/travis/centos.sh --- old/ima-evm-utils-1.3.1/travis/centos.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/travis/centos.sh 2020-11-02 09:39:54.493581992 +0100 @@ -0,0 +1 @@ +symbolic link to fedora.sh diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/travis/debian.cross-compile.sh new/ima-evm-utils-1.3.2/travis/debian.cross-compile.sh --- old/ima-evm-utils-1.3.1/travis/debian.cross-compile.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/travis/debian.cross-compile.sh 2020-10-28 18:18:08.000000000 +0100 
@@ -0,0 +1,23 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel <pvo...@suse.cz> +set -ex + +if [ -z "$ARCH" ]; then + echo "missing \$ARCH!" >&2 + exit 1 +fi + +case "$ARCH" in +arm64) gcc_arch="aarch64";; +ppc64el) gcc_arch="powerpc64le";; +s390x) gcc_arch="$ARCH";; +*) echo "unsupported arch: '$ARCH'!" >&2; exit 1;; +esac + +dpkg --add-architecture $ARCH +apt update + +apt install -y --no-install-recommends \ + dpkg-dev \ + gcc-${gcc_arch}-linux-gnu \ + libc6-dev-${ARCH}-cross diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/travis/debian.i386.sh new/ima-evm-utils-1.3.2/travis/debian.i386.sh --- old/ima-evm-utils-1.3.1/travis/debian.i386.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/travis/debian.i386.sh 2020-10-28 18:18:08.000000000 +0100 @@ -0,0 +1,11 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel <pvo...@suse.cz> +set -ex + +dpkg --add-architecture i386 +apt update + +apt install -y --no-install-recommends \ + linux-libc-dev:i386 \ + gcc-multilib \ + pkg-config:i386 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/travis/debian.sh new/ima-evm-utils-1.3.2/travis/debian.sh --- old/ima-evm-utils-1.3.1/travis/debian.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/travis/debian.sh 2020-10-28 18:18:08.000000000 +0100 
@@ -0,0 +1,54 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel <pvo...@suse.cz> +set -ex + +if [ -z "$CC" ]; then + echo "missing \$CC!" >&2 + exit 1 +fi + +# debian.*.sh must be run first +if [ "$ARCH" ]; then + ARCH=":$ARCH" + unset CC +else + apt update +fi + +# ibmswtpm2 requires gcc +[ "$CC" = "gcc" ] || CC="gcc $CC" + +case "$TSS" in +ibmtss) TSS="libtss-dev";; +tpm2-tss) TSS="libtss2-dev";; +'') echo "Missing TSS!" >&2; exit 1;; +*) [ "$TSS" ] && echo "Unsupported TSS: '$TSS'!" >&2; exit 1;; +esac + +apt="apt install -y --no-install-recommends" + +$apt \ + $CC $TSS \ + asciidoc \ + attr \ + autoconf \ + automake \ + diffutils \ + debianutils \ + docbook-xml \ + docbook-xsl \ + gzip \ + libattr1-dev$ARCH \ + libkeyutils-dev$ARCH \ + libssl-dev$ARCH \ + libtool \ + make \ + openssl \ + pkg-config \ + procps \ + sudo \ + wget \ + xsltproc \ + +$apt xxd || $apt vim-common +$apt libengine-gost-openssl1.1$ARCH || true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/travis/fedora.sh new/ima-evm-utils-1.3.2/travis/fedora.sh --- old/ima-evm-utils-1.3.1/travis/fedora.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/travis/fedora.sh 2020-10-28 18:18:08.000000000 +0100 
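Review bot: The package list in travis/debian.sh ends with `xsltproc \` followed by an empty line, so the final continuation joins the blank line and ends the command only by that accident; if the blank line is ever removed, `$apt xxd || $apt vim-common` becomes part of the same `apt install` invocation. Drop the trailing backslash on `xsltproc`. Also the catch-all `*) [ "$TSS" ] && echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;` guards the echo with a test that is always true once the `''` case has been handled; `*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;;` as in alpine.sh and fedora.sh is simpler and consistent.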
@@ -0,0 +1,44 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel <pvo...@suse.cz> +set -e + +if [ -z "$CC" ]; then + echo "missing \$CC!" >&2 + exit 1 +fi + +case "$TSS" in +ibmtss) TSS="tss2-devel";; +tpm2-tss) TSS="tpm2-tss-devel";; +'') echo "Missing TSS!" >&2; exit 1;; +*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;; +esac + +# ibmswtpm2 requires gcc +[ "$CC" = "gcc" ] || CC="gcc $CC" + +yum -y install \ + $CC $TSS \ + asciidoc \ + attr \ + autoconf \ + automake \ + diffutils \ + docbook-xsl \ + gzip \ + keyutils-libs-devel \ + libattr-devel \ + libtool \ + libxslt \ + make \ + openssl \ + openssl-devel \ + pkg-config \ + procps \ + sudo \ + vim-common \ + wget \ + which + +yum -y install docbook5-style-xsl || true +yum -y install swtpm || true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/travis/opensuse.sh new/ima-evm-utils-1.3.2/travis/opensuse.sh --- old/ima-evm-utils-1.3.1/travis/opensuse.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/travis/opensuse.sh 2020-11-02 09:39:54.489581989 +0100 @@ -0,0 +1 @@ +symbolic link to tumbleweed.sh diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/travis/tumbleweed.sh new/ima-evm-utils-1.3.2/travis/tumbleweed.sh --- old/ima-evm-utils-1.3.1/travis/tumbleweed.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/travis/tumbleweed.sh 2020-10-28 18:18:08.000000000 +0100 
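Review bot: travis/fedora.sh uses `set -e` while the sibling scripts (alpine.sh, debian.sh, tumbleweed.sh) use `set -ex`; with tracing off, a failing install in the CI log shows only yum's output and not which of the three install commands ran. `set -ex` keeps the scripts consistent. Hedged: `fedora:latest` and `centos:latest` ship dnf, where `yum` works as a compatibility alias, so `dnf -y install` is the native spelling if the alias is ever dropped.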
@@ -0,0 +1,47 @@ +#!/bin/sh +# Copyright (c) 2020 Petr Vorel <pvo...@suse.cz> +set -ex + +if [ -z "$CC" ]; then + echo "missing \$CC!" >&2 + exit 1 +fi + +case "$TSS" in +ibmtss) TSS="ibmtss-devel";; +tpm2-tss) TSS="tpm2-0-tss-devel";; +'') echo "Missing TSS!" >&2; exit 1;; +*) echo "Unsupported TSS: '$TSS'!" >&2; exit 1;; +esac + +# clang has some gcc dependency +[ "$CC" = "gcc" ] || CC="gcc $CC" + +zypper --non-interactive install --force-resolution --no-recommends \ + $CC $TSS \ + asciidoc \ + attr \ + autoconf \ + automake \ + diffutils \ + docbook_5 \ + docbook5-xsl-stylesheets \ + gzip \ + ibmswtpm2 \ + keyutils-devel \ + libattr-devel \ + libopenssl-devel \ + libtool \ + make \ + openssl \ + pkg-config \ + procps \ + sudo \ + vim \ + wget \ + which \ + xsltproc + +if [ -f /usr/lib/ibmtss/tpm_server ]; then + ln -s /usr/lib/ibmtss/tpm_server /usr/local/bin +fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ima-evm-utils-1.3.1/travis/ubuntu.sh new/ima-evm-utils-1.3.2/travis/ubuntu.sh --- old/ima-evm-utils-1.3.1/travis/ubuntu.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/ima-evm-utils-1.3.2/travis/ubuntu.sh 2020-11-02 09:39:54.481581981 +0100 @@ -0,0 +1 @@ +symbolic link to debian.sh