226 Commits

Author SHA1 Message Date
Armin Kuster
8f0f8eeea8 libseccomp: update to 2.3.2
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-04-06 10:39:42 -07:00
Armin Kuster
d832cd0712 tpm2.0-tss: fix musl build issue
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-04-06 10:39:42 -07:00
Armin Kuster
aa9fa90288 kernel: mv 4.8 kernel to 4.9
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-04-06 10:39:42 -07:00
Armin Kuster
794d8e89ac tpm2.0-tss: update to latest
[v2]:
include new hash

LICENSE file changes due to removal of TCG

minor changes due to configure and makefile updates

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-04-06 10:39:42 -07:00
Armin Kuster
78af65abb4 tpm2.0-tools: update to latest
minor changes to reflect configure/makefile updates

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-04-06 10:39:42 -07:00
Armin Kuster
e16ae4d080 samhain: fix build issues when using musl
[v2]: Correct musl malloc fix.
remove HAVE_MALLOC_H define; this enables using the included defined mallinfo.

[V1]: Fix c99

x_dnmalloc.c:563:26: error: return type is an incomplete type
| #define public_mALLINFo mallinfo
| ^
| x_dnmalloc.c:1689:17: note: in expansion of macro 'public_mALLINFo'
| struct mallinfo public_mALLINFo() {

and
_dnmalloc.c:5527:17: error: unknown type name 'u_int'
| u_int rnd[(128 - 2*sizeof(struct timeval)) / sizeof(u_int)];
| ^~~~~

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-03-27 14:57:26 -07:00
Benjamin Gaignard
4c4fa8c503 tpm2.0-tss: install resourcemgr service
Install systemd resource.mgr service and its needed user/group.

version 2:
- do not hardcode sbin directory in a patch but use ${sbindir} instead

Signed-off-by: Benjamin Gaignard <benjamin.gaignard@linaro.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
2017-03-27 14:57:26 -07:00
Patrick Ohly
1cca28c3d5 swtpm-wrappers: wrap more commands
Soon it might be possible to let qemu start swtpm directly, without
requiring root privileges as for swtpm_cuse. For that to work
we also need to wrap the swtpm binary. Just in case we now also
do it for everything.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
2017-03-27 14:57:26 -07:00
Armin Kuster
86b2a2b2ef build-image: remove ROOTFS_PKGMANAGE_BOOTSTRAP
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-03-27 14:57:26 -07:00
Armin Kuster
5b63111b85 samhain-server: fix config error with acl
when acl is enabled this error occurs.
configure: error: in `/home/akuster/oss/maint/openembedded-core/build/tmp-glibc/work/x86_64-linux/samhain-server-native/4.2.0-r0/samhain-4.2.0':
| configure: error: --enable-posix-acl was given, but test for acl support failed

add missing depends.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-03-27 14:57:26 -07:00
Armin Kuster
da2d6cd808 trousers: Fix musl compile error
use POSIX getpwent instead of getpwent_r
This was causing the libtspi to have the getpwent_r with when loaded via tpm-tools, it would fail.

[ Yocto #11095]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-03-27 14:57:26 -07:00
Armin Kuster
6714e7672f swtpm: fix musl build issues
add two fixes for musl build issues.

also update to latest tip

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-03-27 14:57:26 -07:00
Armin Kuster
6c9a5826f0 tpm-tools: update to 1.3.9.1
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-03-27 14:57:26 -07:00
Benjamin Gaignard
27d461b85c swtpm: depends on expect-native and socat-native
The configure script checks for expect and socat and
fails when it is not present.

Signed-off-by: Benjamin Gaignard <benjamin.gaignard@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-03-27 14:57:26 -07:00
Armin Kuster
3b343eb34d suricata: update to 3.2.1
cleaned up python package creation.
dropped patch no longer needed

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-03-27 14:57:16 -07:00
Wenzong Fan
8b38c93f23 libseccomp: convert test package to ptest
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-03-02 12:20:56 -08:00
Armin Kuster
21e1f1177c libtpm: Fix arm build issues
backport two upstream patches and remove local version

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Jackie Huang
c12aa7601e scapy: fix the pickling issue
Backport a patch to fix the pickling issue when save_session:

PicklingError: Can't pickle <type 'function'>: attribute lookup __builtin__.function failed

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Armin Kuster
9498fc1db2 python-pycrypto: remove app as it's now in meta-oe
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Armin Kuster
37f933d49c libseccomp: update to tip
adds support for 4.9 and 4.10-rc1 kernels
adds support for python 3.x

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Patrick Ohly
bb03811c7d swtpm: update to latest tip
Brings in instructions for setting the log level. Setting the log level
with --log file=...,level=1 is necessary at the moment before anything
gets written to the log. Even errors are suppressed by default.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Patrick Ohly
6cf0415d8a swtpm-wrappers: simplify using swtpm-native
Native tools exist in recipe specific sysroots and are normally
not meant to be called from outside a build. But that's what we
need to do when using swtpm-native together with qemu, so these
wrappers make that possible by setting up the necessary environment
and hiding the internal paths.

Invoking swtpm_setup.sh gets some special support: swtpm_setup.sh runs
two daemons, tcsd and swtpm, of which tcsd insists on running as root
or tss. In practice, running as the normal user is perfectly
fine. Instead of patching the upstream source code, the approach taken
here is to run under pseudo.

Usage examples:

$ bitbake swtpm-wrappers
$ mkdir -p my-machine/myvtpm0
$ tmp-glibc/work/x86_64-linux/swtpm-wrappers/1.0-r0/swtpm_setup_oe.sh --tpm-state my-machine/myvtpm0
Starting vTPM manufacturing as root:root @ Mon 16 Jan 2017 04:09:21 PM CET
TPM is listening on TCP port 55675.
-rw------- 1 root root 65 Jan 16 16:09 /tmp/tmp.2yJBKTTwRk
Ending vTPM manufacturing @ Mon 16 Jan 2017 04:09:21 PM CET

The resulting "my-machine/myvtpm0" can then be used with swtpm (this
time, it really has to be running as root because it uses CUSE to
create /dev/vtpm0, and an absolute path is needed for the tpm state
dir) and qemu-tpm (patches not currently in OE-core, have to be
applied manually):

$ sudo tmp-glibc/work/x86_64-linux/swtpm-wrappers/1.0-r0/swtpm_cuse_oe.sh -n vtpm0 --tpmstate dir=`pwd`/my-machine/myvtpm0
$ sudo chmod a+rw /dev/vtpm0
$ runqemu ... 'qemuparams=-tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0'

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Patrick Ohly
520b3a44e0 swtpm: cuse packageconfig
The CUSE support in swtpm does not depend on selinux. It is needed
for simulating a virtual TPM, one of the use cases for swtpm-native, so
enable it by default.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Patrick Ohly
8d0cc9b004 swtpm: fix compiler format warning
When building for x86-64, gcc complains:

tpm_ioctl.c:866:9: error: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 2 has type ‘long unsigned int’ [-Werror=format=]
|          printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
|          ^
| cc1: all warnings being treated as errors

Casting to "long long unsigned" matches the format specifier in all
cases, including those where "long long" is larger than 64 bits.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Patrick Ohly
b70a046ce4 swtpm: depends on tpm-tools
The configure script checks for tpm_nvdefine from tpm-tools and fails
when it is not present.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Patrick Ohly
cdeabd9d78 swtpm: enable native and nativesdk flavors
For use with qemu-tpm as described in the swtpm main README, swtpm
must be compiled natively. nativesdk is added just in case that
someone wants to add this to an SDK.

The fix_lib_search_path.patch was recently removed during the version
update, but it is still needed when building natively. Here's a
version that applies cleanly again.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Patrick Ohly
f3ce860a35 trousers: tcsd.conf must be owned tss:tss
The upstream dist/Makefile.am ensures that /etc/tcsd.conf is owned by
tss:tss, and that must not be changed because otherwise tcsd refuses
to start.

In addition, tss group and user should be added as special system
group resp. user, because they are not normal users.  This also avoids
the host-user-contaminated QA warning because the "tss" user will
typically not get assigned a UID from the same range as the host user
that is used for building.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Patrick Ohly
4a60f0f9ea trousers: recommend tcsd
Installing tpm-tools for tools like tpm_takeown pulls in the libtspi
package, but the resulting system is not functional unless the tcsd
(from the main "trousers" package) also gets installed. A RRECOMMENDS
entry for that takes care of that automatically.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Patrick Ohly
20f06715be trousers: missing libtspi.so.1 in libtspi package
The soname of libtspi.so is "libtspi.so.1" and therefore apps
linked against that library depend on the libtspi.so.1 symlink
to find the library.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Armin Kuster
a764c5972c swtpm: update to tip
fix signed build issues

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Armin Kuster
33f4ac7996 libtpm: update to tip
fix several build issues

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Armin Kuster
b07a08eac3 trousers: update to 0.3.14
convert to git and remove incorporated patches

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Armin Kuster
bacf203b87 tpm-tools: update to 1.3.9
remove incorporated patches.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Armin Kuster
3ca5833bf3 qemu: use wildcard for PV
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Armin Kuster
543f86aded tpm2.0-tss: fix musl build error
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Armin Kuster
7fd5f25475 apparmor: Add new package
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
Armin Kuster
6edbdc7a34 yocto-kernel: add apparmor fragments
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-02-18 11:43:20 -08:00
André Draszik
27420dbbd2 trousers: fix musl compilation
Backport patches to fix compilation.

Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
2016-12-15 13:26:19 -08:00
Armin Kuster
a962fb5d68 suricata: update package to 3.1.3
*Changes*

Bug #1861: Suricata with multi tenancy does not start in 3.1/3.1.1
Bug #1889: Suricata doesn't error on missing semicolon
Bug #1910: libhtp 0.5.23 (3.1.x)
Bug #1912: http.memcap reached condition can lead to dead lock
Bug #1913: af-packet fanout detection broken on Debian Jessie
Bug #1933: unix-command socket created with last character missing (3.1.x)
Bug #1934: make install-full does not install tls-events.rules (3.1.x)
Bug #1941: Can't set fast_pattern on tls_sni content (3.1.x)
Bug #1942: dns - back to back requests results in loss of response (3.1.x)
Bug #1943: Check redis reply in non pipeline mode (3.1.x)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-10 13:34:46 -08:00
Armin Kuster
8a7b759057 samhain: update to 4.2.0
* Changes:

  - New option 'SetAuditdFlags = r|w|x|a' to (re-)define the flags supplied
    to auditd.

  - New option 'PortCheckDevice = device' for the port check module, to monitor
    a device regardless of the address assigned to it.

  - Fix for the case sensitivity of the arguments to the Severity/Class options.

  - Compiler warnings with gcc 6.2 and a few minor bugs have been fixed.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-10 13:34:46 -08:00
Armin Kuster
2c5b79c3e8 nmap: Upgrade package to 7.31
LIC_FILES_CHKSUM change due to year going from 2015 to 2016 in file.
Added "no update" config option.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-10 13:34:46 -08:00
Armin Kuster
d322b32a4e smack: Add new package
V2:
Fix typo and add LDFLAG to makefile

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-10 13:34:46 -08:00
Armin Kuster
b9f288581d smack kernel: add smack kernel config fragments
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-10 13:34:46 -08:00
Armin Kuster
5d545800ba python-pycrypto: simplify to use pypi class
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-01 09:03:15 -07:00
Armin Kuster
b68613ae06 suricata: update package to 3.1.2
v2:
rebased against master-next which has 3.1

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-01 09:03:15 -07:00
Armin Kuster
019ffeebb4 libnetaddr-ip-perl: remove package. not used by anyone in this layer
latest version does not build either

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-01 09:03:15 -07:00
Armin Kuster
0a795d49ac samhain: recipe cleanup
add a few distro feature checks.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-01 09:03:15 -07:00
Armin Kuster
75bc31d94f package-group: fix tpm package list
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-01 09:03:15 -07:00
Armin Kuster
9fb87c6c73 images: add a client and server image
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-01 09:03:15 -07:00
Armin Kuster
2431acfc95 linux-yocto-4.8: add tpm fragments
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-11-01 09:03:15 -07:00