starlingx/integ
Code Issues Proposed changes

Merge "rebase tboot patch to CentOS 7.6 version" into f/centos76

Browse Source
This commit is contained in:
Zuul 2019-01-22 16:22:53 +00:00 committed by Gerrit Code Review
commit aed7ec8741
6 changed files with 36 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
security/tboot/centos/build_srpm.data
View File

@ -1 +1 @@
TIS_PATCH_VER=2 TIS_PATCH_VER=1

6
security/tboot/centos/meta_patches/0001-tboot-Update-package-versioning-for-TIS-format.patch
View File

@ -15,8 +15,8 @@ index 2f6f0a8..c2d5eb7 100644
Summary: Performs a verified launch using Intel TXT Summary: Performs a verified launch using Intel TXT
Name: tboot Name: tboot
Version: 1.9.6 Version: 1.9.6
-Release: 2%{?dist} -Release: 3%{?dist}
+Release: 2.e17%{?_tis_dist}.%{tis_patch_ver} +Release: 3.e17%{?_tis_dist}.%{tis_patch_ver}
Epoch: 1 Epoch: 1
Group: System Environment/Base Group: System Environment/Base
@ -26,7 +26,7 @@ index 2f6f0a8..c2d5eb7 100644
+ +
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch01: 0001-MANPATH-should-not-be-used-as-install-dir.patch Patch01: ../patches/0001-Fix-a-logical-error-in-function-bool-evtlog_append.patch
-- --
2.7.4 2.7.4

37
security/tboot/centos/meta_patches/0002-TiS-tboot.patch
View File

@ -4,37 +4,26 @@ Date: Wed, 6 Dec 2017 08:47:12 -0500
Subject: [PATCH 1/1] TiS tboot Subject: [PATCH 1/1] TiS tboot
--- ---
SPECS/tboot.spec | 11 +++++++++-- SPECS/tboot.spec | 2 ++
1 file changed, 9 insertions(+), 2 deletions(-) 1 file changed, 2 insertions(+)
diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
index c2d5eb7..f04dd17 100644 index c2d5eb7..f04dd17 100644
--- a/SPECS/tboot.spec --- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec +++ b/SPECS/tboot.spec
@@ -12,9 +12,10 @@ Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar. @@ -27,6 +27,7 @@ Patch13: ../patches/0013-Add-centos7-instructions-for-Use-in-EFI-boot-mode.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch14: ../patches/0014-Ensure-tboot-log-is-available-even-when-measured-lau.patch
Patch15: ../patches/0015-Add-support-for-appending-to-a-TPM2-TCG-style-event-.patch
Patch01: 0001-MANPATH-should-not-be-used-as-install-dir.patch Patch16: ../patches/0016-Add-an-option-in-tboot-to-force-SINIT-to-use-the-leg.patch
+Patch999: 1000-tboot-for-tis.patch +Patch999: ../patches/1000-tboot-for-tis.patch
BuildRequires: trousers-devel BuildRequires: trousers-devel
-BuildRequires: openssl-devel BuildRequires: openssl-devel
+BuildRequires: openssl-devel git @@ -56,6 +57,7 @@ and verified launch of an OS kernel/VMM.
ExclusiveArch: x86_64 %patch14 -p1 -b .0014
%patch15 -p1 -b .0015
%description %patch16 -p1 -b .0016
@@ -24,7 +25,13 @@ and verified launch of an OS kernel/VMM. +%patch999 -p1
%prep
%setup -q
-%patch01 -p1 -b .0001
+
+git init
+git config user.email "example@example.com"
+git config user.name "RHEL example"
+git add .
+git commit -a -q -m "baseline."
+git am %{patches}
%build %build
CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS

8
security/tboot/centos/meta_patches/0003-security-set-immutable-attribute.patch
View File

@ -11,7 +11,7 @@ diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
index f04dd17..1673095 100644 index f04dd17..1673095 100644
--- a/SPECS/tboot.spec --- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec +++ b/SPECS/tboot.spec
@@ -49,6 +49,13 @@ if [ -e "/sys/firmware/efi" ]; then @@ -75,6 +75,13 @@ if [ -e "/sys/firmware/efi" ]; then
exit 0; exit 0;
fi fi
@ -25,7 +25,7 @@ index f04dd17..1673095 100644
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
make debug=y DISTDIR=$RPM_BUILD_ROOT install make debug=y DISTDIR=$RPM_BUILD_ROOT install
@@ -56,6 +63,11 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install @@ -82,6 +89,11 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -37,7 +37,7 @@ index f04dd17..1673095 100644
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc README COPYING docs/* lcptools/lcptools2.txt lcptools/Linux_LCP_Tools_User_Manual.pdf %doc README COPYING docs/* lcptools/lcptools2.txt lcptools/Linux_LCP_Tools_User_Manual.pdf
@@ -92,8 +104,8 @@ rm -rf $RPM_BUILD_ROOT @@ -118,8 +130,8 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/lcp_writepol.8.gz %{_mandir}/man8/lcp_writepol.8.gz
%{_mandir}/man8/tb_polgen.8.gz %{_mandir}/man8/tb_polgen.8.gz
%{_mandir}/man8/txt-stat.8.gz %{_mandir}/man8/txt-stat.8.gz
@ -47,7 +47,7 @@ index f04dd17..1673095 100644
+%attr(0400,root,root) /boot/tboot-syms +%attr(0400,root,root) /boot/tboot-syms
%changelog %changelog
* Thu Jan 25 2018 Tony Camuso <tcamuso@redhat.com> - 1:1.9.6-2 * Mon Jul 16 2018 Tony Camuso <tcamuso@redhat.com> - 1:1.9.6-3
-- --
2.7.4 2.7.4

28
security/tboot/centos/patches/1000-tboot-for-tis.patch
View File

@ -94,15 +94,15 @@ diff --git a/tboot/common/policy.c b/tboot/common/policy.c
index 9678b7c..5a16d81 100644 index 9678b7c..5a16d81 100644
--- a/tboot/common/policy.c --- a/tboot/common/policy.c
+++ b/tboot/common/policy.c +++ b/tboot/common/policy.c
@@ -349,6 +349,7 @@ tb_error_t set_policy(void) @@ -353,6 +353,7 @@ tb_error_t set_policy(void)
* type is LCP_POLTYPE_LIST (since we could have been give a policy data * type is LCP_POLTYPE_LIST (since we could have been give a policy data
* file even though the policy was not a LIST */ * file even though the policy was not a LIST */
printk(TBOOT_INFO"reading Launch Control Policy from TPM NV...\n"); printk(TBOOT_INFO"reading Launch Control Policy from TPM NV...\n");
+ +
if ( read_policy_from_tpm(g_tpm->lcp_own_index, if ( read_policy_from_tpm(tpm->lcp_own_index,
_policy_index_buf, &policy_index_size) ) { _policy_index_buf, &policy_index_size) ) {
printk(TBOOT_DETA"\t:%lu bytes read\n", policy_index_size); printk(TBOOT_DETA"\t:%lu bytes read\n", policy_index_size);
@@ -408,6 +409,7 @@ bool hash_policy(tb_hash_t *hash, uint16_t hash_alg) @@ -412,6 +413,7 @@ bool hash_policy(tb_hash_t *hash, uint16_t hash_alg)
/* generate hash by hashing cmdline and module image */ /* generate hash by hashing cmdline and module image */
static bool hash_module(hash_list_t *hl, static bool hash_module(hash_list_t *hl,
@ -110,7 +110,7 @@ index 9678b7c..5a16d81 100644
const char* cmdline, void *base, const char* cmdline, void *base,
size_t size) size_t size)
{ {
@@ -416,6 +418,7 @@ static bool hash_module(hash_list_t *hl, @@ -423,6 +425,7 @@ static bool hash_module(hash_list_t *hl,
return false; return false;
} }
@ -118,29 +118,29 @@ index 9678b7c..5a16d81 100644
/* final hash is SHA-1( SHA-1(cmdline) | SHA-1(image) ) */ /* final hash is SHA-1( SHA-1(cmdline) | SHA-1(image) ) */
/* where cmdline is first stripped of leading spaces, file name, then */ /* where cmdline is first stripped of leading spaces, file name, then */
/* any spaces until the next non-space char */ /* any spaces until the next non-space char */
@@ -430,16 +433,17 @@ static bool hash_module(hash_list_t *hl, @@ -437,16 +440,17 @@ static bool hash_module(hash_list_t *hl,
switch (g_tpm->extpol) { switch (tpm->extpol) {
case TB_EXTPOL_FIXED: case TB_EXTPOL_FIXED:
hl->count = 1; hl->count = 1;
- hl->entries[0].alg = g_tpm->cur_alg; - hl->entries[0].alg = tpm->cur_alg;
+ // hl->entries[0].alg = g_tpm->cur_alg; + // hl->entries[0].alg = tpm->cur_alg;
+ hl->entries[0].alg = cur_alg; + hl->entries[0].alg = cur_alg;
if ( !hash_buffer((const unsigned char *)cmdline, strlen(cmdline), if ( !hash_buffer((const unsigned char *)cmdline, strlen(cmdline),
- &hl->entries[0].hash, g_tpm->cur_alg) ) - &hl->entries[0].hash, tpm->cur_alg) )
+ &hl->entries[0].hash, cur_alg) ) + &hl->entries[0].hash, cur_alg) )
return false; return false;
/* hash image and extend into cmdline hash */ /* hash image and extend into cmdline hash */
tb_hash_t img_hash; tb_hash_t img_hash;
- if ( !hash_buffer(base, size, &img_hash, g_tpm->cur_alg) ) - if ( !hash_buffer(base, size, &img_hash, tpm->cur_alg) )
+ if ( !hash_buffer(base, size, &img_hash, cur_alg) ) + if ( !hash_buffer(base, size, &img_hash, cur_alg) )
return false; return false;
- if ( !extend_hash(&hl->entries[0].hash, &img_hash, g_tpm->cur_alg) ) - if ( !extend_hash(&hl->entries[0].hash, &img_hash, tpm->cur_alg) )
+ if ( !extend_hash(&hl->entries[0].hash, &img_hash, cur_alg) ) + if ( !extend_hash(&hl->entries[0].hash, &img_hash, cur_alg) )
return false; return false;
break; break;
@@ -635,7 +639,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry, @@ -643,7 +647,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
} }
hash_list_t hl; hash_list_t hl;
@ -149,7 +149,7 @@ index 9678b7c..5a16d81 100644
printk(TBOOT_ERR"\t hash cannot be generated.\n"); printk(TBOOT_ERR"\t hash cannot be generated.\n");
return TB_ERR_MODULE_VERIFICATION_FAILED; return TB_ERR_MODULE_VERIFICATION_FAILED;
} }
@@ -659,6 +663,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry, @@ -667,6 +671,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
if ( pol_entry != NULL && if ( pol_entry != NULL &&
!is_hash_in_policy_entry(pol_entry, &hl.entries[0].hash, hash_alg) ) { !is_hash_in_policy_entry(pol_entry, &hl.entries[0].hash, hash_alg) ) {
printk(TBOOT_ERR"\t verification failed\n"); printk(TBOOT_ERR"\t verification failed\n");
@ -171,7 +171,7 @@ index b9b67c9..b7c5d62 100644
index, offset, ret); index, offset, ret);
ti->error = ret; ti->error = ret;
return false; return false;
@@ -2505,8 +2505,9 @@ static bool tpm20_init(struct tpm_if *ti) @@ -2504,8 +2504,9 @@ static bool tpm20_init(struct tpm_if *ti)
get_tboot_extpol(); get_tboot_extpol();
if (info_list->capabilities.tpm_nv_index_set == 0){ if (info_list->capabilities.tpm_nv_index_set == 0){
/* init NV index */ /* init NV index */

2
security/tboot/centos/srpm_path
View File

@ -1 +1 @@
mirror:Source/tboot-1.9.6-2.el7.src.rpm mirror:Source/tboot-1.9.6-3.el7.src.rpm