From 5d26f76e31e3bb6511e50cf6b31b59b6e6e7611c Mon Sep 17 00:00:00 2001 From: chenyan Date: Tue, 21 Aug 2018 16:07:34 +0800 Subject: [PATCH] CentOS 7.5 upgrade for tboot package. Story: 2003389 Task: 24506 Change-Id: I111deaddf2df85ff2762c4ea0191c2cd39b5b4ab Signed-off-by: chenyan --- ...te-package-versioning-for-TIS-format.patch | 12 +++--- .../centos/meta_patches/0002-TiS-tboot.patch | 22 +++++----- ...003-security-set-immutable-attribute.patch | 25 +++++------- .../centos/patches/1000-tboot-for-tis.patch | 40 +++++++++---------- security/tboot/centos/srpm_path | 2 +- 5 files changed, 49 insertions(+), 52 deletions(-) diff --git a/security/tboot/centos/meta_patches/0001-tboot-Update-package-versioning-for-TIS-format.patch b/security/tboot/centos/meta_patches/0001-tboot-Update-package-versioning-for-TIS-format.patch index 3c686a96b..7e51ef7f3 100644 --- a/security/tboot/centos/meta_patches/0001-tboot-Update-package-versioning-for-TIS-format.patch +++ b/security/tboot/centos/meta_patches/0001-tboot-Update-package-versioning-for-TIS-format.patch @@ -8,15 +8,15 @@ Subject: [PATCH 1/1] WRS: 8000-TiS-tboot.patch 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec -index 5827214..9ae8f9b 100644 +index 2f6f0a8..c2d5eb7 100644 --- a/SPECS/tboot.spec +++ b/SPECS/tboot.spec @@ -1,13 +1,14 @@ Summary: Performs a verified launch using Intel TXT Name: tboot - Version: 1.9.5 --Release: 1%{?dist} -+Release: 1.e17%{?_tis_dist}.%{tis_patch_ver} + Version: 1.9.6 +-Release: 2%{?dist} ++Release: 2.e17%{?_tis_dist}.%{tis_patch_ver} Epoch: 1 Group: System Environment/Base @@ -26,7 +26,7 @@ index 5827214..9ae8f9b 100644 + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - BuildRequires: trousers-devel + Patch01: 0001-MANPATH-should-not-be-used-as-install-dir.patch -- -1.8.3.1 +2.7.4 
diff --git a/security/tboot/centos/meta_patches/0002-TiS-tboot.patch b/security/tboot/centos/meta_patches/0002-TiS-tboot.patch index b7b52858b..fdf2df5c3 100644 --- a/security/tboot/centos/meta_patches/0002-TiS-tboot.patch +++ b/security/tboot/centos/meta_patches/0002-TiS-tboot.patch @@ -4,31 +4,31 @@ Date: Wed, 6 Dec 2017 08:47:12 -0500 Subject: [PATCH 1/1] TiS tboot --- - SPECS/tboot.spec | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) + SPECS/tboot.spec | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec -index 9ae8f9b..4c479ad 100644 +index c2d5eb7..f04dd17 100644 --- a/SPECS/tboot.spec +++ b/SPECS/tboot.spec -@@ -8,11 +8,12 @@ Group: System Environment/Base - License: BSD - URL: http://sourceforge.net/projects/tboot/ - Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz -+Patch999: 1000-tboot-for-tis.patch - +@@ -12,9 +12,10 @@ Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar. BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + Patch01: 0001-MANPATH-should-not-be-used-as-install-dir.patch ++Patch999: 1000-tboot-for-tis.patch + BuildRequires: trousers-devel -BuildRequires: openssl-devel +BuildRequires: openssl-devel git ExclusiveArch: x86_64 %description -@@ -22,6 +23,12 @@ and verified launch of an OS kernel/VMM. +@@ -24,7 +25,13 @@ and verified launch of an OS kernel/VMM. %prep %setup -q +-%patch01 -p1 -b .0001 ++ +git init +git config user.email "example@example.com" +git config user.name "RHEL example" @@ -39,5 +39,5 @@ index 9ae8f9b..4c479ad 100644 %build CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS -- -1.8.3.1 +2.7.4 diff --git a/security/tboot/centos/meta_patches/0003-security-set-immutable-attribute.patch b/security/tboot/centos/meta_patches/0003-security-set-immutable-attribute.patch index 20a4cbd5e..b9be1ae8e 100644 --- a/security/tboot/centos/meta_patches/0003-security-set-immutable-attribute.patch 
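Review bot: The new version of this meta patch removes `%patch01 -p1 -b .0001` from `%prep` without a visible replacement inside the hunk, so Patch01 (`0001-MANPATH-should-not-be-used-as-install-dir.patch`) is no longer applied via `%patch`. The added `git init` / `git config` lines and the new `BuildRequires: openssl-devel git` suggest the patches are now applied through git, but that step lies past the end of the hunk; confirm that it applies both Patch01 and the new Patch999 (`1000-tboot-for-tis.patch`), otherwise the upstream MANPATH fix is silently dropped from the CentOS 7.5 build. The `%prep` section continues outside the hunk.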
+++ b/security/tboot/centos/meta_patches/0003-security-set-immutable-attribute.patch @@ -4,19 +4,17 @@ Date: Tue, 6 Feb 2018 15:25:00 -0500 Subject: [PATCH] CGTS-8849: Security: Set immutable attribute and permissions --- - SPECS/tboot.spec | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) + SPECS/tboot.spec | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec -index 4c479ad..d0039d4 100644 +index f04dd17..1673095 100644 --- a/SPECS/tboot.spec +++ b/SPECS/tboot.spec -@@ -43,8 +43,14 @@ if [ -e "/sys/firmware/efi" ]; then - putk "WARNING: tboot is not supported on UEFI-based systems." - putk " Please see https://access.redhat.com/articles/2217041." - putk " and https://access.redhat.com/articles/2464721" -- exit 0; +@@ -49,6 +49,13 @@ if [ -e "/sys/firmware/efi" ]; then + exit 0; fi + +# On updating this package, we want to clear the immutable +# attribute so that the module files can get overwritten +if [ $1 -gt 1 ]; then @@ -24,10 +22,10 @@ index 4c479ad..d0039d4 100644 +fi +exit 0 + - %install rm -rf $RPM_BUILD_ROOT -@@ -53,6 +59,12 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install + make debug=y DISTDIR=$RPM_BUILD_ROOT install +@@ -56,6 +63,11 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install %clean rm -rf $RPM_BUILD_ROOT @@ -35,12 +33,11 @@ index 4c479ad..d0039d4 100644 +# Set immutable attribute on tboot modules +chattr +i /boot/tboot.gz /boot/tboot-syms +exit 0 -+ + %files %defattr(-,root,root,-) %doc README COPYING docs/* lcptools/lcptools2.txt lcptools/Linux_LCP_Tools_User_Manual.pdf -@@ -89,8 +101,8 @@ rm -rf $RPM_BUILD_ROOT +@@ -92,8 +104,8 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/lcp_writepol.8.gz %{_mandir}/man8/tb_polgen.8.gz %{_mandir}/man8/txt-stat.8.gz @@ -50,7 +47,7 @@ index 4c479ad..d0039d4 100644 +%attr(0400,root,root) /boot/tboot-syms %changelog - * Fri Jan 27 2017 Tony Camuso - 1:1.9.5-1 + * Thu Jan 25 2018 Tony Camuso - 1:1.9.6-2 -- -1.8.3.1 +2.7.4 
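Review bot: The rebased hunk now keeps `exit 0;` in the `/sys/firmware/efi` branch as a context line, whereas the previous version of this meta patch removed that line so that the immutable-attribute clearing block below it (`if [ $1 -gt 1 ]; then ... fi`) also ran on UEFI hosts. With the exit restored, an upgrade on a UEFI system appears to leave `/boot/tboot.gz` and `/boot/tboot-syms` immutable while the `chattr +i` added later in this file is still unconditional, so rpm's replacement of those files would be expected to fail with a permission error. If dropping the exit was intentional in CGTS-8849, the inner patch line should stay a removal (`-` marker on `exit 0;`) rather than a context line; if the 1.9.6 spec genuinely needs to exit there, the clearing block has to move ahead of the UEFI check. Which scriptlet (`%pre` or other) this code belongs to is not visible in the hunk.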
diff --git a/security/tboot/centos/patches/1000-tboot-for-tis.patch b/security/tboot/centos/patches/1000-tboot-for-tis.patch index 104211d62..ddb8b0f8c 100644 --- a/security/tboot/centos/patches/1000-tboot-for-tis.patch +++ b/security/tboot/centos/patches/1000-tboot-for-tis.patch @@ -11,7 +11,7 @@ Subject: [PATCH 1/1] WRS: Patch1: 9000-tboot-for-tis.patch 4 files changed, 28 insertions(+), 18 deletions(-) diff --git a/tboot/20_linux_tboot b/tboot/20_linux_tboot -index 7c25181..e4fd557 100644 +index 816d50a..eed512d 100644 --- a/tboot/20_linux_tboot +++ b/tboot/20_linux_tboot @@ -22,6 +22,13 @@ exec_prefix=${prefix} @@ -28,7 +28,7 @@ index 7c25181..e4fd557 100644 if test -e /usr/share/grub/grub-mkconfig_lib; then . /usr/share/grub/grub-mkconfig_lib elif test -e ${libdir}/grub/grub-mkconfig_lib; then -@@ -38,7 +45,7 @@ fi +@@ -40,7 +47,7 @@ fi [ -z "${GRUB_CMDLINE_LINUX_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_TBOOT [ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA # Command line for tboot itself @@ -37,7 +37,7 @@ index 7c25181..e4fd557 100644 # Linux kernel parameters to append for tboot : ${GRUB_CMDLINE_LINUX_TBOOT='intel_iommu=on'} # Base name of LCP policy data file for list policy -@@ -67,10 +74,8 @@ export TEXTDOMAINDIR=${prefix}/share/locale +@@ -69,10 +76,8 @@ export TEXTDOMAINDIR=${prefix}/share/locale CLASS="--class gnu-linux --class gnu --class os --class tboot" @@ -50,7 +50,7 @@ index 7c25181..e4fd557 100644 CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}" fi -@@ -107,9 +112,9 @@ linux_entry () +@@ -109,9 +114,9 @@ linux_entry () iommu_args="$7" if ${recovery} ; then 
@@ -62,15 +62,15 @@ index 7c25181..e4fd557 100644 fi if [ -d /sys/firmware/efi ] ; then -@@ -200,7 +205,6 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do +@@ -202,7 +207,6 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` # tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"` - tboot_version="1.9.5" + tboot_version="1.9.6" - echo "submenu \"tboot ${tboot_version}\" {" while [ "x$list" != "x" ] ; do linux=`version_find_latest $list` echo "Found linux image: $linux" >&2 -@@ -241,6 +245,5 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do +@@ -243,6 +247,5 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '` done @@ -78,10 +78,10 @@ index 7c25181..e4fd557 100644 tboot_list=`echo $tboot_list | tr ' ' '\n' | grep -vx $current_tboot | tr '\n' ' '` done diff --git a/tboot/20_linux_xen_tboot b/tboot/20_linux_xen_tboot -index b674834..4dc8d68 100644 +index a113a3c..b1e4b09 100644 --- a/tboot/20_linux_xen_tboot +++ b/tboot/20_linux_xen_tboot -@@ -39,7 +39,7 @@ fi +@@ -41,7 +41,7 @@ fi [ -z "${GRUB_CMDLINE_LINUX_XEN_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_XEN_TBOOT [ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA # Command line for tboot itself @@ -91,10 +91,10 @@ index b674834..4dc8d68 100644 : ${GRUB_CMDLINE_XEN_TBOOT=''} # Linux kernel parameters to append for tboot + Xen diff --git a/tboot/common/policy.c b/tboot/common/policy.c -index b30d299..9ec02be 100644 +index 9678b7c..5a16d81 100644 --- a/tboot/common/policy.c 
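Review bot: `tboot_version="1.9.6"` in `tboot/20_linux_tboot` is a hard-coded copy of the package version, which this commit has to keep in step with `Version:` in the spec and with `srpm_path`; the commented-out `sed` derivation just above it is presumably there because the version cannot be recovered from the `tboot.gz` file name. Substituting the value at build time from the spec's `%prep` would remove one of the three places to bump on the next upgrade, e.g. `sed -i 's/^tboot_version=.*/tboot_version="%{version}"/' tboot/20_linux_tboot`. The `while` loop this assignment sits in starts and ends outside the hunk.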
+++ b/tboot/common/policy.c -@@ -347,6 +347,7 @@ tb_error_t set_policy(void) +@@ -349,6 +349,7 @@ tb_error_t set_policy(void) * type is LCP_POLTYPE_LIST (since we could have been give a policy data * file even though the policy was not a LIST */ printk(TBOOT_INFO"reading Launch Control Policy from TPM NV...\n"); @@ -102,7 +102,7 @@ index b30d299..9ec02be 100644 if ( read_policy_from_tpm(g_tpm->lcp_own_index, _policy_index_buf, &policy_index_size) ) { printk(TBOOT_DETA"\t:%lu bytes read\n", policy_index_size); -@@ -406,6 +407,7 @@ bool hash_policy(tb_hash_t *hash, uint16_t hash_alg) +@@ -408,6 +409,7 @@ bool hash_policy(tb_hash_t *hash, uint16_t hash_alg) /* generate hash by hashing cmdline and module image */ static bool hash_module(hash_list_t *hl, @@ -110,7 +110,7 @@ index b30d299..9ec02be 100644 const char* cmdline, void *base, size_t size) { -@@ -414,6 +416,7 @@ static bool hash_module(hash_list_t *hl, +@@ -416,6 +418,7 @@ static bool hash_module(hash_list_t *hl, return false; } @@ -118,7 +118,7 @@ index b30d299..9ec02be 100644 /* final hash is SHA-1( SHA-1(cmdline) | SHA-1(image) ) */ /* where cmdline is first stripped of leading spaces, file name, then */ /* any spaces until the next non-space char */ -@@ -428,16 +431,17 @@ static bool hash_module(hash_list_t *hl, +@@ -430,16 +433,17 @@ static bool hash_module(hash_list_t *hl, switch (g_tpm->extpol) { case TB_EXTPOL_FIXED: hl->count = 1; @@ -140,7 +140,7 @@ index b30d299..9ec02be 100644 return false; break; -@@ -633,7 +637,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry, +@@ -635,7 +639,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry, } hash_list_t hl; 
@@ -149,7 +149,7 @@ index b30d299..9ec02be 100644 printk(TBOOT_ERR"\t hash cannot be generated.\n"); return TB_ERR_MODULE_VERIFICATION_FAILED; } -@@ -657,6 +661,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry, +@@ -659,6 +663,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry, if ( pol_entry != NULL && !is_hash_in_policy_entry(pol_entry, &hl.entries[0].hash, hash_alg) ) { printk(TBOOT_ERR"\t verification failed\n"); @@ -159,10 +159,10 @@ index b30d299..9ec02be 100644 } diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c -index 678a3d2..63ca9dd 100644 +index b9b67c9..b7c5d62 100644 --- a/tboot/common/tpm_20.c +++ b/tboot/common/tpm_20.c -@@ -1933,7 +1933,7 @@ static bool tpm20_nv_read(struct tpm_if *ti, uint32_t locality, +@@ -2096,7 +2096,7 @@ static bool tpm20_nv_read(struct tpm_if *ti, uint32_t locality, ret = _tpm20_nv_read(locality, &read_in, &read_out); if ( ret != TPM_RC_SUCCESS ) { @@ -171,7 +171,7 @@ index 678a3d2..63ca9dd 100644 index, offset, ret); ti->error = ret; return false; -@@ -2273,8 +2273,9 @@ static bool tpm20_init(struct tpm_if *ti) +@@ -2505,8 +2505,9 @@ static bool tpm20_init(struct tpm_if *ti) get_tboot_extpol(); if (info_list->capabilities.tpm_nv_index_set == 0){ /* init NV index */ @@ -184,5 +184,5 @@ index 678a3d2..63ca9dd 100644 ti->sgx_svn_index = 0x01800004; } -- -1.8.3.1 +2.7.4 diff --git a/security/tboot/centos/srpm_path b/security/tboot/centos/srpm_path index 824a4a4bd..c36bb4899 100644 --- a/security/tboot/centos/srpm_path +++ b/security/tboot/centos/srpm_path @@ -1 +1 @@ -mirror:Source/tboot-1.9.5-1.el7.src.rpm +mirror:Source/tboot-1.9.6-2.el7.src.rpm