746cb59c5f
Improves error reporting among other things. Changes: https://github.com/stefanberger/swtpm/releases/tag/v0.10.0 version 0.10.0: swtpm: Requires libtpms v0.10.0 Display tpmstate-opt-lock as a new capability Add support for lock option parameter to tpmstate option nvstore_linear: Add support for file-backend locking Remove broken logic to check for neither dir nor file backend Use ptm_cap_n to build PTM_GET_CAPABILITY response Define a structure to return PTM_GET_CAPABILITY result Implement --print-info to run TPMLIB_GetInfo with flags Support --profile fd= to read profile from file descriptor Support --profile file= to read profile from file Ignore remove-disabled parameter on non-'custom' profile Check for good entropy source in chroot environment Implement a check for HMAC+sha1 for testing future restriction Implement function to check whether a crypto algorithm is disabled Print cmdarg-print-profiles as part of capabilities Check whether SHA1 signature support is disabled in profile Use TPMLIB_WasManufactured to check whether profile was applied Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature) Add support for --print-profiles option Print profile names as part of capabilities JSON Display new capability to allow setting a profile Add support for --profile option to set a profile on TPM 2 swtpm_setup: Comment flags for storage primary key and deprecate --create-spk Implement --print-profiles to display all profile Add profile entries to swtpm_setup.conf written by swtpm_setup Add support for --profile-name option Accept profiles with name starting with 'custom:' Support default profile from file in swtpm_setup.conf Support --profile-file-fd to read profile from file descriptor Support --profile-file to read profile from file Always log the active profile Implement --profile-remove-fips-disabled option Read default profile from swtpm_setup.conf Print profile names as part of capabilities JSON Add support for --profile parameter Get default rsa keysize from setup_setup.conf if not given swtpm_ioctl: Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response selinux: Change write to append for appending to log Add rule for logging to svirt_image_t labeled files from swtpm_t tests: Update IBMTSS2 test suite to v2.4.0 Test activation of PCR banks when not all are available Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file Consolidate custom profile test cases and check for StateFormatLevel Convert test_samples_create_tpmca to run installed Mention test_tpm2_libtpms_versions_profiles requiring env. variables allow running ibmtss2 tests against installed version Derive support for CUSE from SWTPM_EXE help screen Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test Extend test case testing across libtpms versions Add test case for testing profiles across libtpms versions Test the --profile option of swtpm_setup and swtpm teach them to run installed add installed-runner.sh install tests on the system lookup system binaries if INSTALLED is set build-sys: enable 64-bit file API on 32-bit systems Add -Wshadow to the CFLAGS Require that libtpms v0.10 is available for TPMLIB_SetProfile debian: Add rule to allow usage of /var/tmp directory (QEMU) Add rules for reading profiles from distro and local dirs Allow non-owner file write access in /var/lib/libvirt/swtpm/ Add sys_admin capability to apparmor profile https://github.com/stefanberger/swtpm/releases/tag/v0.9.0 version 0.9.0: Note: The SElinux policy for swtpm was completely redone. For systems with an SELinux policy the same policy (>= 40.17) as used in Fedora >= 40 is required due to changes in labels related to libvirt that made the re-development of the SELinux policy necessary. swtpm: Use umask() to create/truncated state file rather than fchmod() Use fchmod to set mode bits provided by user Replace mkstemp with g_mkstemp_full (Coverity) fix typo in help message cuse: Fix Coverity complaints regarding locks Fix double free in error path Close fd after main loop Restore logging to stderr on log open failure swtpm_setup: Fail --pcr-banks without --tpm2 Fail --decryption or --allow-signing without --tpm2 Initialized argv in get_swtpm_capabilities() Flush spk after persisting to create room for another key Refactor duplicate code into swtpm_tpm2_write_cert_nvram Move persisting of certificate into tpm2_persist_certificate Pass key_type to function creating filename for key Add scheme parameter before curveid to createprimary_ecc Rename is_ek to preserve for future extension Mask-out EK and plaform certificate flags and set cert_flags Move common code into new function read_certificate_file() Exit with '0' upon --version rather than '1' Close file descriptors passed to swtpm process on parent side Make stdout unbuffered Use medium duration on TSC_PhysicalPresence to avoid timeouts Add poll() after write() and before read() to detect errors swtpm_localca: Add support for up to 20 bytes serial numbers Introduce --key as more generic alias for --ek Add missing NULL option to end of array Make stdout unbuffered swtpm_cert: Add support for serial numbers up to 20 bytes long swtpm_ioctl: Separate return code from flags Repeatedly call PTM_GET_INFO for long responses selinux: Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install) New SELinux policy that requires Fedora 40 or later tests: Fixed occurrences of stray '' before '-' Rearrange order of test cases to run some also as 'root' Add tests for command line options and combinations of options Add softhsm_setup to shellcheck'ed files and fix issues Add missing 'exit 1' on unexpected file size on --reconfigure Add test cases for swtpm_cert with max serial number Fix spelling mistakes reformat regexs for easier readability and extension ibmtss2: Add patch to disable x509 test with older libtpms Upgrade to ibmtss2 v2.0.1 Fixed several issues detected by shellcheck build-sys: Add support for --disable-tests to disable tests Display GMP_LIBS and GMP_CFLAGS Only display warning if pkg-config for gmp fails Add gmp library and devel package as dependency use PKG_CHECK_MODULES to check libtpms version rpm: Add gmp library and devel package as dependency Split off SELinux files to build an selinux package debian: Sync AppArmor profile with what is used by Ubuntu Add gmp library and devel package as dependency Allow apparmor access to qemu session bus swtpm files Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
meta-tpm layer
The bbappend files for some recipes (e.g. linux-yocto) in this layer need to have 'tpm' in DISTRO_FEATURES to have effect. To enable them, add in configuration file the following line.
DISTRO_FEATURES:append = " tpm"
If meta-tpm is included, but tpm is not enabled as a distro feature a warning is printed at parse time:
You have included the meta-tpm layer, but
'tpm' has not been enabled in your DISTRO_FEATURES. Some bbappend files
and preferred version setting may not take effect.
If you know what you are doing, this warning can be disabled by setting the following variable in your configuration:
SKIP_META_TPM_SANITY_CHECK = 1
This layer contains base TPM recipes.
Dependencies
This layer depends on:
URI: git://git.openembedded.org/openembedded-core branch: master revision: HEAD prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-oe branch: master revision: HEAD prio: default
Adding the meta-tpm layer to your build
In order to use this layer, you need to make the build system aware of it.
Assuming this layer exists at the top-level of your yocto build tree, you can add it to the build system by adding the location of the meta-tpm layer to bblayers.conf, along with any other layers needed. e.g.:
BBLAYERS ?= "
/path/to/oe-core/meta
/path/to/meta-openembedded/meta-oe
/path/to/layer/meta-tpm \
Maintenance
Send pull requests, patches, comments or questions to yocto-patches@lists.yoctoproject.org
When sending single patches, please using something like: 'git send-email -1 --to yocto-patches@lists.yoctoproject.org --subject-prefix=meta-security][PATCH'
These values can be set as defaults for this repository:
$ git config sendemail.to yocto-patches@lists.yoctoproject.org $ git config format.subjectPrefix meta-security][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
Maintainers: Armin Kuster akuster808@gmail.com
License
All metadata is MIT licensed unless otherwise stated. Source code included in tree for individual recipes is under the LICENSE stated in each recipe (.bb file) unless otherwise stated.