CentOS 8: Upgrade tboot to version 1.9.7

(1) Release version upgrade
(2) Adjust the code changes to match the move from el7 to el8

Story: 2006729
Task: 37667
Change-Id: I5875bff0a222260e2630133d38cd0f4c9855cbb5
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
chendongqi 2019-11-18 19:25:48 +08:00 committed by Dongqi Chen
parent 9035cd1be8
commit 80c20a281b
5 changed files with 45 additions and 50 deletions


@ -1,32 +1,26 @@
From f7ac0c586ee46b67c7b5a541ee823f459e19c5c6 Mon Sep 17 00:00:00 2001 From f7ac0c586ee46b67c7b5a541ee823f459e19c5c6 Mon Sep 17 00:00:00 2001
From: Bin Qian <bin.qian@windriver.com> From: Bin Qian <bin.qian@windriver.com>
Date: Mon, 27 Nov 2017 08:35:10 -0500 Date: Mon, 27 Nov 2017 08:35:10 -0500
Subject: [PATCH 1/1] WRS: 8000-TiS-tboot.patch Subject: [PATCH 1/1] 8000-TiS-tboot.patch
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
--- ---
SPECS/tboot.spec | 3 ++- SPECS/tboot.spec | 2 +-
1 file changed, 2 insertions(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
index 2f6f0a8..c2d5eb7 100644 index 2f6f0a8..c2d5eb7 100644
--- a/SPECS/tboot.spec --- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec +++ b/SPECS/tboot.spec
@@ -1,13 +1,14 @@ @@ -1,7 +1,7 @@
Summary: Performs a verified launch using Intel TXT Summary: Performs a verified launch using Intel TXT
Name: tboot Name: tboot
Version: 1.9.6 Version: 1.9.7
-Release: 3%{?dist} -Release: 2%{?dist}
+Release: 3.el7%{?_tis_dist}.%{tis_patch_ver} +Release: 2.el8%{?_tis_dist}.%{tis_patch_ver}
Epoch: 1 Epoch: 1
Group: System Environment/Base Group: System Environment/Base
License: BSD
URL: http://sourceforge.net/projects/tboot/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch01: ../patches/0001-Fix-a-logical-error-in-function-bool-evtlog_append.patch
-- --
2.7.4 1.8.3.1


@ -3,30 +3,33 @@ From: Bin Qian <bin.qian@windriver.com>
Date: Wed, 6 Dec 2017 08:47:12 -0500 Date: Wed, 6 Dec 2017 08:47:12 -0500
Subject: [PATCH 1/1] TiS tboot Subject: [PATCH 1/1] TiS tboot
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
--- ---
SPECS/tboot.spec | 2 ++ SPECS/tboot.spec | 4 ++++
1 file changed, 2 insertions(+) 1 file changed, 4 insertions(+)
diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
index c2d5eb7..f04dd17 100644 index c2d5eb7..f04dd17 100644
--- a/SPECS/tboot.spec --- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec +++ b/SPECS/tboot.spec
@@ -27,6 +27,7 @@ Patch13: ../patches/0013-Add-centos7-instructions-for-Use-in-EFI-boot-mode.patch @@ -9,6 +9,8 @@ License: BSD
Patch14: ../patches/0014-Ensure-tboot-log-is-available-even-when-measured-lau.patch URL: http://sourceforge.net/projects/tboot/
Patch15: ../patches/0015-Add-support-for-appending-to-a-TPM2-TCG-style-event-.patch Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
Patch16: ../patches/0016-Add-an-option-in-tboot-to-force-SINIT-to-use-the-leg.patch
+Patch999: ../patches/1000-tboot-for-tis.patch
+Patch999: ../patches/1000-tboot-for-tis.patch
+
BuildRequires: trousers-devel BuildRequires: trousers-devel
BuildRequires: openssl-devel BuildRequires: openssl-devel
@@ -56,6 +57,7 @@ and verified launch of an OS kernel/VMM. ExclusiveArch: %{ix86} x86_64
%patch14 -p1 -b .0014 @@ -21,6 +23,8 @@ and verified launch of an OS kernel/VMM.
%patch15 -p1 -b .0015 %prep
%patch16 -p1 -b .0016 %setup -q
+%patch999 -p1 +%patch999 -p1
+
# do not override OPTFLAGS
sed -i -e 's/-march=i686//' Config.mk
%build
CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
-- --
2.7.4 1.8.3.1
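Review bot: The `Patch999:` tag and its `%patch999 -p1` line do not match the number in the file they apply, `../patches/1000-tboot-for-tis.patch`, and that patch's own Subject line elsewhere in this commit calls it `9000-tboot-for-tis.patch`. Three different numbers for one patch make it harder to audit which local changes are carried on top of upstream tboot. Consider settling on one number, for example `Patch1000: ../patches/1000-tboot-for-tis.patch` with `%patch1000 -p1`, and aligning the Subject with it.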


@ -3,6 +3,7 @@ From: Kam Nasim <kam.nasim@windriver.com>
Date: Tue, 6 Feb 2018 15:25:00 -0500 Date: Tue, 6 Feb 2018 15:25:00 -0500
Subject: [PATCH] CGTS-8849: Security: Set immutable attribute and permissions Subject: [PATCH] CGTS-8849: Security: Set immutable attribute and permissions
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
--- ---
SPECS/tboot.spec | 16 ++++++++++++++-- SPECS/tboot.spec | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-) 1 file changed, 14 insertions(+), 2 deletions(-)
@ -11,9 +12,9 @@ diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
index f04dd17..1673095 100644 index f04dd17..1673095 100644
--- a/SPECS/tboot.spec --- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec +++ b/SPECS/tboot.spec
@@ -75,6 +75,13 @@ if [ -e "/sys/firmware/efi" ]; then @@ -33,9 +33,21 @@ CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
exit 0; LDFLAGS="$RPM_LD_FLAGS"; export LDFLAGS
fi make debug=y %{?_smp_mflags}
+# On updating this package, we want to clear the immutable +# On updating this package, we want to clear the immutable
+# attribute so that the module files can get overwritten +# attribute so that the module files can get overwritten
@ -23,11 +24,7 @@ index f04dd17..1673095 100644
+exit 0 +exit 0
+ +
%install %install
rm -rf $RPM_BUILD_ROOT
make debug=y DISTDIR=$RPM_BUILD_ROOT install make debug=y DISTDIR=$RPM_BUILD_ROOT install
@@ -82,6 +89,11 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install
%clean
rm -rf $RPM_BUILD_ROOT
+%post +%post
+# Set immutable attribute on tboot modules +# Set immutable attribute on tboot modules
@ -35,9 +32,9 @@ index f04dd17..1673095 100644
+exit 0 +exit 0
+ +
%files %files
%defattr(-,root,root,-)
%doc README COPYING docs/* lcptools/lcptools2.txt lcptools/Linux_LCP_Tools_User_Manual.pdf %doc README COPYING docs/* lcptools/lcptools2.txt lcptools/Linux_LCP_Tools_User_Manual.pdf
@@ -118,8 +130,8 @@ rm -rf $RPM_BUILD_ROOT %config %{_sysconfdir}/grub.d/20_linux_tboot
@@ -71,8 +83,8 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install
%{_mandir}/man8/lcp_writepol.8.gz %{_mandir}/man8/lcp_writepol.8.gz
%{_mandir}/man8/tb_polgen.8.gz %{_mandir}/man8/tb_polgen.8.gz
%{_mandir}/man8/txt-stat.8.gz %{_mandir}/man8/txt-stat.8.gz
@ -47,7 +44,7 @@ index f04dd17..1673095 100644
+%attr(0400,root,root) /boot/tboot-syms +%attr(0400,root,root) /boot/tboot-syms
%changelog %changelog
* Mon Jul 16 2018 Tony Camuso <tcamuso@redhat.com> - 1:1.9.6-3 * Fri Sep 7 2018 Tony Camuso <tcamuso@redhat.com> - 1:1.9.7-1
-- --
2.7.4 1.8.3.1
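Review bot: Both added scriptlet blocks end in an unconditional `exit 0` (after the "clear the immutable attribute" comment and after `%post`), so a failure to set the immutable attribute on the tboot modules would go unreported and the package would install without the hardening this patch is named for. The commands themselves fall in lines this view elides, so this is inferred from the comments and the `exit 0` lines. If a hard failure during install is not wanted, consider at least emitting a warning, for example `chattr +i <module path> || echo "tboot: could not set immutable attribute" >&2`. A comment noting that the attribute only guards against accidental overwrite, since root can clear it again, would also help the next maintainer.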


@ -1,8 +1,9 @@
From c2edea1ff347242a70075808652fa1ad4c86037a Mon Sep 17 00:00:00 2001 From c2edea1ff347242a70075808652fa1ad4c86037a Mon Sep 17 00:00:00 2001
From: Bin Qian <bin.qian@windriver.com> From: Bin Qian <bin.qian@windriver.com>
Date: Mon, 27 Nov 2017 08:35:11 -0500 Date: Mon, 27 Nov 2017 08:35:11 -0500
Subject: [PATCH 1/1] WRS: Patch1: 9000-tboot-for-tis.patch Subject: [PATCH 1/1] Patch1: 9000-tboot-for-tis.patch
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
--- ---
tboot/20_linux_tboot | 21 ++++++++++++--------- tboot/20_linux_tboot | 21 ++++++++++++---------
tboot/20_linux_xen_tboot | 2 +- tboot/20_linux_xen_tboot | 2 +-
@ -19,11 +20,11 @@ index 816d50a..eed512d 100644
libdir=${exec_prefix}/lib libdir=${exec_prefix}/lib
sysconfdir=/etc sysconfdir=/etc
+ +
+
+tboot=`cat /proc/cmdline | xargs -n1 | grep '^tboot=true$'` || true +tboot=`cat /proc/cmdline | xargs -n1 | grep '^tboot=true$'` || true
+if [ -z "$tboot" ]; then +if [ -z "$tboot" ]; then
+ exit 0 + exit 0
+fi +fi
+
+ +
if test -e /usr/share/grub/grub-mkconfig_lib; then if test -e /usr/share/grub/grub-mkconfig_lib; then
. /usr/share/grub/grub-mkconfig_lib . /usr/share/grub/grub-mkconfig_lib
@ -65,7 +66,7 @@ index 816d50a..eed512d 100644
@@ -202,7 +207,6 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do @@ -202,7 +207,6 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do
rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
# tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"` # tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"`
tboot_version="1.9.6" tboot_version="1.9.7"
- echo "submenu \"tboot ${tboot_version}\" {" - echo "submenu \"tboot ${tboot_version}\" {"
while [ "x$list" != "x" ] ; do while [ "x$list" != "x" ] ; do
linux=`version_find_latest $list` linux=`version_find_latest $list`
@ -140,7 +141,7 @@ index 9678b7c..5a16d81 100644
return false; return false;
break; break;
@@ -643,7 +647,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry, @@ -644,7 +648,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
} }
hash_list_t hl; hash_list_t hl;
@ -149,7 +150,7 @@ index 9678b7c..5a16d81 100644
printk(TBOOT_ERR"\t hash cannot be generated.\n"); printk(TBOOT_ERR"\t hash cannot be generated.\n");
return TB_ERR_MODULE_VERIFICATION_FAILED; return TB_ERR_MODULE_VERIFICATION_FAILED;
} }
@@ -667,6 +671,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry, @@ -668,6 +672,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
if ( pol_entry != NULL && if ( pol_entry != NULL &&
!is_hash_in_policy_entry(pol_entry, &hl.entries[0].hash, hash_alg) ) { !is_hash_in_policy_entry(pol_entry, &hl.entries[0].hash, hash_alg) ) {
printk(TBOOT_ERR"\t verification failed\n"); printk(TBOOT_ERR"\t verification failed\n");
@ -162,7 +163,7 @@ diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c
index b9b67c9..b7c5d62 100644 index b9b67c9..b7c5d62 100644
--- a/tboot/common/tpm_20.c --- a/tboot/common/tpm_20.c
+++ b/tboot/common/tpm_20.c +++ b/tboot/common/tpm_20.c
@@ -2096,7 +2096,7 @@ static bool tpm20_nv_read(struct tpm_if *ti, uint32_t locality, @@ -2299,7 +2299,7 @@ static bool tpm20_nv_read(struct tpm_if *ti, uint32_t locality,
ret = _tpm20_nv_read(locality, &read_in, &read_out); ret = _tpm20_nv_read(locality, &read_in, &read_out);
if ( ret != TPM_RC_SUCCESS ) { if ( ret != TPM_RC_SUCCESS ) {
@ -171,7 +172,7 @@ index b9b67c9..b7c5d62 100644
index, offset, ret); index, offset, ret);
ti->error = ret; ti->error = ret;
return false; return false;
@@ -2504,8 +2504,9 @@ static bool tpm20_init(struct tpm_if *ti) @@ -2712,8 +2712,9 @@ static bool tpm20_init(struct tpm_if *ti)
get_tboot_extpol(); get_tboot_extpol();
if (info_list->capabilities.tpm_nv_index_set == 0){ if (info_list->capabilities.tpm_nv_index_set == 0){
/* init NV index */ /* init NV index */
@ -184,5 +185,5 @@ index b9b67c9..b7c5d62 100644
ti->sgx_svn_index = 0x01800004; ti->sgx_svn_index = 0x01800004;
} }
-- --
2.7.4 1.8.3.1
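Review bot: The gate added to `tboot/20_linux_tboot` fails open: `cat /proc/cmdline | xargs -n1 | grep '^tboot=true$'` followed by `|| true` treats any error in the pipeline the same as "tboot not requested", and the script then exits 0 without emitting tboot menu entries. `xargs` parses quotes and backslashes, so a kernel command line with an unbalanced quote would presumably take that path. A split that does no quote parsing avoids it, for example `tboot=$(tr ' ' '\n' < /proc/cmdline | grep -x 'tboot=true') || true`. A comment stating that the generated grub.cfg depends on the command line of the kernel running when the config is generated would also help; the rest of the script lies outside the lines shown.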


@ -1 +1 @@
mirror:Source/tboot-1.9.6-3.el7.src.rpm mirror:Source/tboot-1.9.7-2.el8.src.rpm