tpm2-tools: upgrade 4.1.3 -> 4.3.2

* Drop backported CVE patch. * License-Update: Add Copyrights and move it to doc directory. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2026-01-12 01:00:15 +00:00 · 2021-10-28 14:48:57 +08:00
parent 1d1bd5934b
commit 8226df83a6
2 changed files with 3 additions and 57 deletions
--- a/meta-tpm2/recipes-tpm/tpm2-tools/files/CVE-2021-3565.patch
+++ b/meta-tpm2/recipes-tpm/tpm2-tools/files/CVE-2021-3565.patch
@@ -1,53 +0,0 @@
-From 47b3b6e6fffed7080a2f1ce7673207ea44823ef7 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Fri, 21 May 2021 12:22:31 -0500
-Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
-
-tpm2_import used a fixed AES key for the inner wrapper, which means that
-a MITM attack would be able to unwrap the imported key. Even the
-use of an encrypted session will not prevent this. The TPM only
-encrypts the first parameter which is the fixed symmetric key.
-
-To fix this, ensure the key size is 16 bytes or bigger and use
-OpenSSL to generate a secure random AES key.
-
-Fixes: #2738
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
-Upstream-Status: Backport
-[https://github.com/tpm2-software/tpm2-tools/commit/c069e4f179d5e6653a84fb236816c375dca82515]
-
-CVE: CVE-2021-3565
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- tools/tpm2_import.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
-index 50072894..ee5dec15 100644
--- a/tools/tpm2_import.c
-+++ b/tools/tpm2_import.c
-@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
-     TPM2B_DATA enc_sensitive_key = {
-         .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
-     };
-    memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
-+
-+    if(enc_sensitive_key.size < 16) {
-+        LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
-+        return tool_rc_general_error;
-+    }
-+
-+    int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
-+    if (ossl_rc != 1) {
-+        LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
-+        return tool_rc_general_error;
-+    }
- 
-     /*
-      * Calculate the object name.
-- 
-2.25.1
-
--- a/meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_4.3.2.bb
+++ b/meta-tpm2/recipes-tpm/tpm2-tools/tpm2-tools_4.3.2.bb
@@ -1,18 +1,17 @@
 SUMMARY = "Tools for TPM2."
 DESCRIPTION = "tpm2-tools"
 LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=0eb1216e46938bd723098d93a23c3bcc"
+LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=a846608d090aa64494c45fc147cc12e3"
 SECTION = "tpm"

 DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"

 SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
           file://0001-tests-switch-to-python3.patch \
-           file://CVE-2021-3565.patch \
           file://0001-build-only-use-Werror-for-non-release-builds.patch \
          "

-SRC_URI[md5sum] = "48e0f58232b6a86fe4d007acf12af283"
-SRC_URI[sha256sum] = "bb5d3310620e75468fe33dbd530bd73dd648c70ec707b4579c74d9f63fc82704"
+SRC_URI[md5sum] = "1d06d8940db8d055daf840716872ee89"
+SRC_URI[sha256sum] = "e2802d4093a24b2c65b1f913d0f4c68eadde9b8fd8a9b7a3b17a6e50765e8350"

 inherit autotools pkgconfig bash-completion