CentOS 7.5 upgrade for tboot package.

Story: 2003389
Task: 24506

Change-Id: I111deaddf2df85ff2762c4ea0191c2cd39b5b4ab
Signed-off-by: chenyan <yan.chen@intel.com>
This commit is contained in:
chenyan 2018-08-21 16:07:34 +08:00
parent ef011db731
commit 5d26f76e31
5 changed files with 49 additions and 52 deletions

View File

@ -8,15 +8,15 @@ Subject: [PATCH 1/1] WRS: 8000-TiS-tboot.patch
1 file changed, 2 insertions(+), 1 deletion(-) 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
index 5827214..9ae8f9b 100644 index 2f6f0a8..c2d5eb7 100644
--- a/SPECS/tboot.spec --- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec +++ b/SPECS/tboot.spec
@@ -1,13 +1,14 @@ @@ -1,13 +1,14 @@
Summary: Performs a verified launch using Intel TXT Summary: Performs a verified launch using Intel TXT
Name: tboot Name: tboot
Version: 1.9.5 Version: 1.9.6
-Release: 1%{?dist} -Release: 2%{?dist}
+Release: 1.e17%{?_tis_dist}.%{tis_patch_ver} +Release: 2.e17%{?_tis_dist}.%{tis_patch_ver}
Epoch: 1 Epoch: 1
Group: System Environment/Base Group: System Environment/Base
@ -26,7 +26,7 @@ index 5827214..9ae8f9b 100644
+ +
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: trousers-devel Patch01: 0001-MANPATH-should-not-be-used-as-install-dir.patch
-- --
1.8.3.1 2.7.4

View File

@ -4,31 +4,31 @@ Date: Wed, 6 Dec 2017 08:47:12 -0500
Subject: [PATCH 1/1] TiS tboot Subject: [PATCH 1/1] TiS tboot
--- ---
SPECS/tboot.spec | 9 ++++++++- SPECS/tboot.spec | 11 +++++++++--
1 file changed, 8 insertions(+), 1 deletion(-) 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
index 9ae8f9b..4c479ad 100644 index c2d5eb7..f04dd17 100644
--- a/SPECS/tboot.spec --- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec +++ b/SPECS/tboot.spec
@@ -8,11 +8,12 @@ Group: System Environment/Base @@ -12,9 +12,10 @@ Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.
License: BSD
URL: http://sourceforge.net/projects/tboot/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
+Patch999: 1000-tboot-for-tis.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch01: 0001-MANPATH-should-not-be-used-as-install-dir.patch
+Patch999: 1000-tboot-for-tis.patch
BuildRequires: trousers-devel BuildRequires: trousers-devel
-BuildRequires: openssl-devel -BuildRequires: openssl-devel
+BuildRequires: openssl-devel git +BuildRequires: openssl-devel git
ExclusiveArch: x86_64 ExclusiveArch: x86_64
%description %description
@@ -22,6 +23,12 @@ and verified launch of an OS kernel/VMM. @@ -24,7 +25,13 @@ and verified launch of an OS kernel/VMM.
%prep %prep
%setup -q %setup -q
-%patch01 -p1 -b .0001
+
+git init +git init
+git config user.email "example@example.com" +git config user.email "example@example.com"
+git config user.name "RHEL example" +git config user.name "RHEL example"
@ -39,5 +39,5 @@ index 9ae8f9b..4c479ad 100644
%build %build
CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
-- --
1.8.3.1 2.7.4

View File

@ -4,19 +4,17 @@ Date: Tue, 6 Feb 2018 15:25:00 -0500
Subject: [PATCH] CGTS-8849: Security: Set immutable attribute and permissions Subject: [PATCH] CGTS-8849: Security: Set immutable attribute and permissions
--- ---
SPECS/tboot.spec | 18 +++++++++++++++--- SPECS/tboot.spec | 16 ++++++++++++++--
1 file changed, 15 insertions(+), 3 deletions(-) 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
index 4c479ad..d0039d4 100644 index f04dd17..1673095 100644
--- a/SPECS/tboot.spec --- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec +++ b/SPECS/tboot.spec
@@ -43,8 +43,14 @@ if [ -e "/sys/firmware/efi" ]; then @@ -49,6 +49,13 @@ if [ -e "/sys/firmware/efi" ]; then
putk "WARNING: tboot is not supported on UEFI-based systems." exit 0;
putk " Please see https://access.redhat.com/articles/2217041."
putk " and https://access.redhat.com/articles/2464721"
- exit 0;
fi fi
+# On updating this package, we want to clear the immutable +# On updating this package, we want to clear the immutable
+# attribute so that the module files can get overwritten +# attribute so that the module files can get overwritten
+if [ $1 -gt 1 ]; then +if [ $1 -gt 1 ]; then
@ -24,10 +22,10 @@ index 4c479ad..d0039d4 100644
+fi +fi
+exit 0 +exit 0
+ +
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@@ -53,6 +59,12 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install make debug=y DISTDIR=$RPM_BUILD_ROOT install
@@ -56,6 +63,11 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -35,12 +33,11 @@ index 4c479ad..d0039d4 100644
+# Set immutable attribute on tboot modules +# Set immutable attribute on tboot modules
+chattr +i /boot/tboot.gz /boot/tboot-syms +chattr +i /boot/tboot.gz /boot/tboot-syms
+exit 0 +exit 0
+
+ +
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc README COPYING docs/* lcptools/lcptools2.txt lcptools/Linux_LCP_Tools_User_Manual.pdf %doc README COPYING docs/* lcptools/lcptools2.txt lcptools/Linux_LCP_Tools_User_Manual.pdf
@@ -89,8 +101,8 @@ rm -rf $RPM_BUILD_ROOT @@ -92,8 +104,8 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/lcp_writepol.8.gz %{_mandir}/man8/lcp_writepol.8.gz
%{_mandir}/man8/tb_polgen.8.gz %{_mandir}/man8/tb_polgen.8.gz
%{_mandir}/man8/txt-stat.8.gz %{_mandir}/man8/txt-stat.8.gz
@ -50,7 +47,7 @@ index 4c479ad..d0039d4 100644
+%attr(0400,root,root) /boot/tboot-syms +%attr(0400,root,root) /boot/tboot-syms
%changelog %changelog
* Fri Jan 27 2017 Tony Camuso <tcamuso@redhat.com> - 1:1.9.5-1 * Thu Jan 25 2018 Tony Camuso <tcamuso@redhat.com> - 1:1.9.6-2
-- --
1.8.3.1 2.7.4

View File

@ -11,7 +11,7 @@ Subject: [PATCH 1/1] WRS: Patch1: 9000-tboot-for-tis.patch
4 files changed, 28 insertions(+), 18 deletions(-) 4 files changed, 28 insertions(+), 18 deletions(-)
diff --git a/tboot/20_linux_tboot b/tboot/20_linux_tboot diff --git a/tboot/20_linux_tboot b/tboot/20_linux_tboot
index 7c25181..e4fd557 100644 index 816d50a..eed512d 100644
--- a/tboot/20_linux_tboot --- a/tboot/20_linux_tboot
+++ b/tboot/20_linux_tboot +++ b/tboot/20_linux_tboot
@@ -22,6 +22,13 @@ exec_prefix=${prefix} @@ -22,6 +22,13 @@ exec_prefix=${prefix}
@ -28,7 +28,7 @@ index 7c25181..e4fd557 100644
if test -e /usr/share/grub/grub-mkconfig_lib; then if test -e /usr/share/grub/grub-mkconfig_lib; then
. /usr/share/grub/grub-mkconfig_lib . /usr/share/grub/grub-mkconfig_lib
elif test -e ${libdir}/grub/grub-mkconfig_lib; then elif test -e ${libdir}/grub/grub-mkconfig_lib; then
@@ -38,7 +45,7 @@ fi @@ -40,7 +47,7 @@ fi
[ -z "${GRUB_CMDLINE_LINUX_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_TBOOT [ -z "${GRUB_CMDLINE_LINUX_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_TBOOT
[ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA [ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
# Command line for tboot itself # Command line for tboot itself
@ -37,7 +37,7 @@ index 7c25181..e4fd557 100644
# Linux kernel parameters to append for tboot # Linux kernel parameters to append for tboot
: ${GRUB_CMDLINE_LINUX_TBOOT='intel_iommu=on'} : ${GRUB_CMDLINE_LINUX_TBOOT='intel_iommu=on'}
# Base name of LCP policy data file for list policy # Base name of LCP policy data file for list policy
@@ -67,10 +74,8 @@ export TEXTDOMAINDIR=${prefix}/share/locale @@ -69,10 +76,8 @@ export TEXTDOMAINDIR=${prefix}/share/locale
CLASS="--class gnu-linux --class gnu --class os --class tboot" CLASS="--class gnu-linux --class gnu --class os --class tboot"
@ -50,7 +50,7 @@ index 7c25181..e4fd557 100644
CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}" CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
fi fi
@@ -107,9 +112,9 @@ linux_entry () @@ -109,9 +114,9 @@ linux_entry ()
iommu_args="$7" iommu_args="$7"
if ${recovery} ; then if ${recovery} ; then
@ -62,15 +62,15 @@ index 7c25181..e4fd557 100644
fi fi
if [ -d /sys/firmware/efi ] ; then if [ -d /sys/firmware/efi ] ; then
@@ -200,7 +205,6 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do @@ -202,7 +207,6 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do
rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname` rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
# tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"` # tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"`
tboot_version="1.9.5" tboot_version="1.9.6"
- echo "submenu \"tboot ${tboot_version}\" {" - echo "submenu \"tboot ${tboot_version}\" {"
while [ "x$list" != "x" ] ; do while [ "x$list" != "x" ] ; do
linux=`version_find_latest $list` linux=`version_find_latest $list`
echo "Found linux image: $linux" >&2 echo "Found linux image: $linux" >&2
@@ -241,6 +245,5 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do @@ -243,6 +247,5 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do
list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '` list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
done done
@ -78,10 +78,10 @@ index 7c25181..e4fd557 100644
tboot_list=`echo $tboot_list | tr ' ' '\n' | grep -vx $current_tboot | tr '\n' ' '` tboot_list=`echo $tboot_list | tr ' ' '\n' | grep -vx $current_tboot | tr '\n' ' '`
done done
diff --git a/tboot/20_linux_xen_tboot b/tboot/20_linux_xen_tboot diff --git a/tboot/20_linux_xen_tboot b/tboot/20_linux_xen_tboot
index b674834..4dc8d68 100644 index a113a3c..b1e4b09 100644
--- a/tboot/20_linux_xen_tboot --- a/tboot/20_linux_xen_tboot
+++ b/tboot/20_linux_xen_tboot +++ b/tboot/20_linux_xen_tboot
@@ -39,7 +39,7 @@ fi @@ -41,7 +41,7 @@ fi
[ -z "${GRUB_CMDLINE_LINUX_XEN_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_XEN_TBOOT [ -z "${GRUB_CMDLINE_LINUX_XEN_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_XEN_TBOOT
[ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA [ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
# Command line for tboot itself # Command line for tboot itself
@ -91,10 +91,10 @@ index b674834..4dc8d68 100644
: ${GRUB_CMDLINE_XEN_TBOOT=''} : ${GRUB_CMDLINE_XEN_TBOOT=''}
# Linux kernel parameters to append for tboot + Xen # Linux kernel parameters to append for tboot + Xen
diff --git a/tboot/common/policy.c b/tboot/common/policy.c diff --git a/tboot/common/policy.c b/tboot/common/policy.c
index b30d299..9ec02be 100644 index 9678b7c..5a16d81 100644
--- a/tboot/common/policy.c --- a/tboot/common/policy.c
+++ b/tboot/common/policy.c +++ b/tboot/common/policy.c
@@ -347,6 +347,7 @@ tb_error_t set_policy(void) @@ -349,6 +349,7 @@ tb_error_t set_policy(void)
* type is LCP_POLTYPE_LIST (since we could have been give a policy data * type is LCP_POLTYPE_LIST (since we could have been give a policy data
* file even though the policy was not a LIST */ * file even though the policy was not a LIST */
printk(TBOOT_INFO"reading Launch Control Policy from TPM NV...\n"); printk(TBOOT_INFO"reading Launch Control Policy from TPM NV...\n");
@ -102,7 +102,7 @@ index b30d299..9ec02be 100644
if ( read_policy_from_tpm(g_tpm->lcp_own_index, if ( read_policy_from_tpm(g_tpm->lcp_own_index,
_policy_index_buf, &policy_index_size) ) { _policy_index_buf, &policy_index_size) ) {
printk(TBOOT_DETA"\t:%lu bytes read\n", policy_index_size); printk(TBOOT_DETA"\t:%lu bytes read\n", policy_index_size);
@@ -406,6 +407,7 @@ bool hash_policy(tb_hash_t *hash, uint16_t hash_alg) @@ -408,6 +409,7 @@ bool hash_policy(tb_hash_t *hash, uint16_t hash_alg)
/* generate hash by hashing cmdline and module image */ /* generate hash by hashing cmdline and module image */
static bool hash_module(hash_list_t *hl, static bool hash_module(hash_list_t *hl,
@ -110,7 +110,7 @@ index b30d299..9ec02be 100644
const char* cmdline, void *base, const char* cmdline, void *base,
size_t size) size_t size)
{ {
@@ -414,6 +416,7 @@ static bool hash_module(hash_list_t *hl, @@ -416,6 +418,7 @@ static bool hash_module(hash_list_t *hl,
return false; return false;
} }
@ -118,7 +118,7 @@ index b30d299..9ec02be 100644
/* final hash is SHA-1( SHA-1(cmdline) | SHA-1(image) ) */ /* final hash is SHA-1( SHA-1(cmdline) | SHA-1(image) ) */
/* where cmdline is first stripped of leading spaces, file name, then */ /* where cmdline is first stripped of leading spaces, file name, then */
/* any spaces until the next non-space char */ /* any spaces until the next non-space char */
@@ -428,16 +431,17 @@ static bool hash_module(hash_list_t *hl, @@ -430,16 +433,17 @@ static bool hash_module(hash_list_t *hl,
switch (g_tpm->extpol) { switch (g_tpm->extpol) {
case TB_EXTPOL_FIXED: case TB_EXTPOL_FIXED:
hl->count = 1; hl->count = 1;
@ -140,7 +140,7 @@ index b30d299..9ec02be 100644
return false; return false;
break; break;
@@ -633,7 +637,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry, @@ -635,7 +639,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
} }
hash_list_t hl; hash_list_t hl;
@ -149,7 +149,7 @@ index b30d299..9ec02be 100644
printk(TBOOT_ERR"\t hash cannot be generated.\n"); printk(TBOOT_ERR"\t hash cannot be generated.\n");
return TB_ERR_MODULE_VERIFICATION_FAILED; return TB_ERR_MODULE_VERIFICATION_FAILED;
} }
@@ -657,6 +661,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry, @@ -659,6 +663,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
if ( pol_entry != NULL && if ( pol_entry != NULL &&
!is_hash_in_policy_entry(pol_entry, &hl.entries[0].hash, hash_alg) ) { !is_hash_in_policy_entry(pol_entry, &hl.entries[0].hash, hash_alg) ) {
printk(TBOOT_ERR"\t verification failed\n"); printk(TBOOT_ERR"\t verification failed\n");
@ -159,10 +159,10 @@ index b30d299..9ec02be 100644
} }
diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c
index 678a3d2..63ca9dd 100644 index b9b67c9..b7c5d62 100644
--- a/tboot/common/tpm_20.c --- a/tboot/common/tpm_20.c
+++ b/tboot/common/tpm_20.c +++ b/tboot/common/tpm_20.c
@@ -1933,7 +1933,7 @@ static bool tpm20_nv_read(struct tpm_if *ti, uint32_t locality, @@ -2096,7 +2096,7 @@ static bool tpm20_nv_read(struct tpm_if *ti, uint32_t locality,
ret = _tpm20_nv_read(locality, &read_in, &read_out); ret = _tpm20_nv_read(locality, &read_in, &read_out);
if ( ret != TPM_RC_SUCCESS ) { if ( ret != TPM_RC_SUCCESS ) {
@ -171,7 +171,7 @@ index 678a3d2..63ca9dd 100644
index, offset, ret); index, offset, ret);
ti->error = ret; ti->error = ret;
return false; return false;
@@ -2273,8 +2273,9 @@ static bool tpm20_init(struct tpm_if *ti) @@ -2505,8 +2505,9 @@ static bool tpm20_init(struct tpm_if *ti)
get_tboot_extpol(); get_tboot_extpol();
if (info_list->capabilities.tpm_nv_index_set == 0){ if (info_list->capabilities.tpm_nv_index_set == 0){
/* init NV index */ /* init NV index */
@ -184,5 +184,5 @@ index 678a3d2..63ca9dd 100644
ti->sgx_svn_index = 0x01800004; ti->sgx_svn_index = 0x01800004;
} }
-- --
1.8.3.1 2.7.4

View File

@ -1 +1 @@
mirror:Source/tboot-1.9.5-1.el7.src.rpm mirror:Source/tboot-1.9.6-2.el7.src.rpm