Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package swtpm for openSUSE:Factory checked in at 2025-06-23 14:50:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/swtpm (Old) and /work/SRC/openSUSE:Factory/.swtpm.new.7067 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "swtpm" Mon Jun 23 14:50:34 2025 rev:23 rq:1287567 version:0.10.1 Changes: -------- --- /work/SRC/openSUSE:Factory/swtpm/swtpm.changes 2024-12-09 21:09:48.728553221 +0100 +++ /work/SRC/openSUSE:Factory/.swtpm.new.7067/swtpm.changes 2025-06-23 14:50:38.053169864 +0200 @@ -1,0 +2,20 @@ +Mon Jun 16 08:49:29 UTC 2025 - Dominique Leuenberger <dims...@opensuse.org> + +- Update to version 0.10.1: + + swtpm: Fix build error on 32bit systems due to inconsistent + _FILE_OFFSET_BITS. + + swtpm_setup: + - Use DISTRO_PROFILES_DIR when listing profiles (fix path + issue). + - Do not pass a TPM 2 profile to swtpm when reconfiguring. + + selinux: + - Add rule for swtpm to be able to read password from pipe. + - allow to map state file. + - add NFS permissions for swtpm_t. + - Add rule to allow swtpm_t opening of virt_log_t files. +- Drop 1229131-fix-swtpm-selinux-policy-mismatch.patch: fixed + upstream. +- Add 1027.patch: tests: Retry NVWrite command after 0x922 return + code and inc lockout counter. + +------------------------------------------------------------------- Old: ---- 1229131-fix-swtpm-selinux-policy-mismatch.patch swtpm-0.10.0.tar.gz New: ---- 1027.patch swtpm-0.10.1.tar.gz ----------(Old B)---------- Old: - Add rule to allow swtpm_t opening of virt_log_t files. - Drop 1229131-fix-swtpm-selinux-policy-mismatch.patch: fixed upstream. ----------(Old E)---------- ----------(New B)---------- New: upstream. - Add 1027.patch: tests: Retry NVWrite command after 0x922 return code and inc lockout counter. ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ swtpm.spec ++++++ --- /var/tmp/diff_new_pack.akt8we/_old 2025-06-23 14:50:38.717197647 +0200 +++ /var/tmp/diff_new_pack.akt8we/_new 2025-06-23 14:50:38.721197814 +0200 
@@ -1,7 +1,7 @@ # # spec file for package swtpm # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,7 +30,7 @@ %define modulename2 swtpm_svirt %define modulename3 swtpmcuse Name: swtpm -Version: 0.10.0 +Version: 0.10.1 Release: 0 Summary: Software TPM emulator License: BSD-3-Clause @@ -39,14 +39,8 @@ Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz Source100: swtpm-rpmlintrc Patch0: swtpm-fix-build.patch -# 19-09-24 cahu bsc#1229131 -# this can be removed once swtpm upstream sorts out their custom selinux module -# see: https://github.com/stefanberger/swtpm/issues/885 -# there were a couple changes in the selinux-policy libvirt handling -# which causes the logfile in /var/log/swtpm/libvirt/qemu/*.log to be labeled -# virt_log_t instead of var_log_t. -# this patch allows swtpm_t to open the virt_log_t -Patch1: 1229131-fix-swtpm-selinux-policy-mismatch.patch +# PATCH-FIX-UPSTREAM +Patch1: https://patch-diff.githubusercontent.com/raw/stefanberger/swtpm/pull/1027.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: expect ++++++ 1229131-fix-swtpm-selinux-policy-mismatch.patch -> 1027.patch ++++++ --- /work/SRC/openSUSE:Factory/swtpm/1229131-fix-swtpm-selinux-policy-mismatch.patch 2024-12-05 17:05:52.478643081 +0100 +++ /work/SRC/openSUSE:Factory/.swtpm.new.7067/1027.patch 2025-06-23 14:50:38.013168191 +0200 
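Review bot: `Patch1:` now points at the pull-request endpoint `https://patch-diff.githubusercontent.com/raw/stefanberger/swtpm/pull/1027.patch`, whose content follows the PR head and changes on a force-push, so a later source-service fetch can yield a different patch than the one reviewed here. The bundled copy identifies the commit as 79ab56b7987e509bd0da2f81fae8ec11198a4f1f, so pinning to it keeps the build reproducible: `Patch1: https://github.com/stefanberger/swtpm/commit/79ab56b7987e509bd0da2f81fae8ec11198a4f1f.patch`. The bare `# PATCH-FIX-UPSTREAM` tag also loses the explanation the removed comment block carried; the usual form is `# PATCH-FIX-UPSTREAM 1027.patch -- tests: retry NVWrite after 0x922 and raise expected lockout counter`.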
@@ -1,20 +1,82 @@ -Index: swtpm-0.10.0/src/selinux/swtpm.te -=================================================================== ---- swtpm-0.10.0.orig/src/selinux/swtpm.te -+++ swtpm-0.10.0/src/selinux/swtpm.te -@@ -9,6 +9,7 @@ require { - type qemu_var_run_t; - type svirt_image_t; - type var_log_t; -+ type virt_log_t; - type virt_var_lib_t; - type virtqemud_t; - type virtqemud_tmp_t; -@@ -30,6 +31,7 @@ allow swtpm_t qemu_var_run_t:file { crea - allow swtpm_t qemu_var_run_t:dir { add_name remove_name write }; - allow swtpm_t qemu_var_run_t:sock_file { create setattr unlink }; - allow swtpm_t var_log_t:file open; -+allow swtpm_t virt_log_t:file open; - allow swtpm_t virt_var_lib_t:dir { add_name remove_name write }; - allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write }; - allow swtpm_t virtqemud_t:unix_stream_socket { read write getattr }; +From 79ab56b7987e509bd0da2f81fae8ec11198a4f1f Mon Sep 17 00:00:00 2001 +From: Stefan Berger <stef...@linux.ibm.com> +Date: Mon, 12 May 2025 18:25:48 -0400 +Subject: [PATCH] tests: Retry NVWrite command after 0x922 return code and inc + lockout counter + +When returncode 0x922 is received from NVWrite then retry the command so +that it gets the expected error code from failing to provide a password. +When checking the lockout counter, increase the numbers now. + +Patched versions of libtpms may not return 0x922 anymore, so write the code +that it can test both cases. 
+ +Signed-off-by: Stefan Berger <stef...@linux.ibm.com> +--- + tests/_test_tpm2_avoid_da_lockout | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/tests/_test_tpm2_avoid_da_lockout b/tests/_test_tpm2_avoid_da_lockout +index e4f0121a9..fc26a8cf6 100755 +--- a/tests/_test_tpm2_avoid_da_lockout ++++ b/tests/_test_tpm2_avoid_da_lockout +@@ -53,6 +53,11 @@ fi + cmd='\x80\x02\x00\x00\x00\x24\x00\x00\x01\x37\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09\x40\x00\x00\x09\x00\x00\x00\x00\x00\x00\x01\x41\x00\x00' + RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd}) + exp=' 80 01 00 00 00 0a 00 00 09 22' ++if [ "$RES" == "$exp" ]; then ++ # 0x922 : retry command ++ RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd}) ++fi ++exp=' 80 01 00 00 00 0a 00 00 09 8e' + if [ "$RES" != "$exp" ]; then + echo "Error: Did not get expected result from TPM2_NV_Write" + echo "expected: $exp" +@@ -63,9 +68,9 @@ fi + # The TPM_PT_LOCKOUT_COUNTER must be 0 now: tssgetcapability -cap 6 -pr 0x20e -pc 1 + cmd='\x80\x01\x00\x00\x00\x16\x00\x00\x01\x7a\x00\x00\x00\x06\x00\x00\x02\x0e\x00\x00\x00\x01' + RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd}) +-exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 00' ++exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 01' + if [ "$RES" != "$exp" ]; then +- echo "Error: Did not get expected result from TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)" ++ echo "Error: Did not get expected result from 1st TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)" + echo "expected: $exp" + echo "received: $RES" + exit 1 +@@ -92,9 +97,9 @@ fi + # Without swtpm sending TPM2_Shutdown, it would be '1' now + cmd='\x80\x01\x00\x00\x00\x16\x00\x00\x01\x7a\x00\x00\x00\x06\x00\x00\x02\x0e\x00\x00\x00\x01' + RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd}) +-exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 00' ++exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 
00 06 00 00 00 01 00 00 02 0e 00 00 00 01' + if [ "$RES" != "$exp" ]; then +- echo "Error: Did not get expected result from TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)" ++ echo "Error: Did not get expected result from 2nd TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)" + echo "expected: $exp" + echo "received: $RES" + exit 1 +@@ -104,6 +109,11 @@ fi + cmd='\x80\x02\x00\x00\x00\x24\x00\x00\x01\x37\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09\x40\x00\x00\x09\x00\x00\x00\x00\x00\x00\x01\x41\x00\x00' + RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd}) + exp=' 80 01 00 00 00 0a 00 00 09 22' ++if [ "$RES" == "$exp" ]; then ++ # 0x922 : retry command ++ RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd}) ++fi ++exp=' 80 01 00 00 00 0a 00 00 09 8e' + if [ "$RES" != "$exp" ]; then + echo "Error: Did not get expected result from TPM2_NV_Write" + echo "expected: $exp" +@@ -136,9 +146,9 @@ fi + # Without swtpm sending TPM2_Shutdown, it would be '2' now + cmd='\x80\x01\x00\x00\x00\x16\x00\x00\x01\x7a\x00\x00\x00\x06\x00\x00\x02\x0e\x00\x00\x00\x01' + RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd}) +-exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 00' ++exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 02' + if [ "$RES" != "$exp" ]; then +- echo "Error: Did not get expected result from TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)" ++ echo "Error: Did not get expected result from 3rd TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)" + echo "expected: $exp" + echo "received: $RES" + exit 1 ++++++ swtpm-0.10.0.tar.gz -> swtpm-0.10.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/.github/actions/test-swtpm/action.yml new/swtpm-0.10.1/.github/actions/test-swtpm/action.yml --- old/swtpm-0.10.0/.github/actions/test-swtpm/action.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/swtpm-0.10.1/.github/actions/test-swtpm/action.yml 2025-04-30 14:32:33.000000000 +0200 
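Review bot: The retry block added after the first NVWrite re-sends the command exactly once, so a second 0x922 reply fails the test with "Did not get expected result from TPM2_NV_Write" and an `expected:` line that now prints the 09 8e value, which hides the real cause; the same block appears again in the `@@ -104,6 +109,11 @@` hunk of the embedded diff. Naming the code in the comment would make the intent clear to the next reader, e.g. `# 0x922 (TPM_RC_RETRY): re-send the command once`. The lockout-counter expectations changing from 00 to 01/02 rely on the auth failure of the re-sent command being counted on both the 0x922 and the non-0x922 libtpms variants the commit message mentions — presumably true, but the message does not say so.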
@@ -0,0 +1,47 @@ +runs: + using: "composite" + steps: + - name: Build and test + shell: bash + run: | + sudo apt-get -y update + sudo apt-get -y install automake autoconf libtool libssl-dev sed make gawk \ + sed bash dh-exec python3-pip libfuse-dev libglib2.0-dev libjson-glib-dev \ + libgmp-dev expect libtasn1-dev socat findutils gnutls-dev gnutls-bin softhsm2 \ + libseccomp-dev tss2 ${PACKAGES} + if [ ! -d libtpms ]; then + git clone https://github.com/stefanberger/libtpms; + fi + pushd libtpms + if [ -n "${LIBTPMS_GIT_CHECKOUT}" ]; then + git checkout "${LIBTPMS_GIT_CHECKOUT}" -b testing; + fi + CFLAGS="${LIBTPMS_CFLAGS:--g -O2}" LDFLAGS="${LIBTPMS_LDFLAGS}" \ + ./autogen.sh --with-openssl --prefix=${LIBTPMS_PREFIX:-/usr} --with-tpm2 ${LIBTPMS_CONFIG} + make -j$(${NPROC:-nproc}) + sudo make install + popd + ./autogen.sh ${CONFIG} + ${SUDO} make clean + export SWTPM_TEST_EXPENSIVE=${SWTPM_TEST_EXPENSIVE:-1} + export SWTPM_TEST_IBMTSS2=${SWTPM_TEST_IBMTSS2:-0} + export SWTPM_TEST_STORE_VOLATILE=${SWTPM_TEST_STORE_VOLATILE:-0} + set +e + ${SUDO:+${SUDO} -E} make -j$(${NPROC:-nproc}) ${CHECK} VERBOSE=1 + if [ $? -ne 0 ]; then + for f in swtpm/tests/*.log; do echo ">>>>>>> $f <<<<<<<"; tail -n 50 $f; done + exit 1 + fi + set -e + if [ -n "${COVERALLS_REPO_TOKEN}" ]; then + uidgid="$(id -nu):$(id -ng)" + sudo chown -R ${uidgid} ./ + pip install setuptools==59.6.0 # Default Jammy version + pip install cpp-coveralls + cpp-coveralls -e libtpms --gcov-options '\-lp' + fi + if [ -n "${RUN_TEST}" ]; then + sudo make install + sudo ${PREFIX}/bin/swtpm_setup \ + --tpmstate /tmp --create-ek-cert --create-platform-cert --tpm2 || exit 1 + fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/.github/workflows/ci.yml new/swtpm-0.10.1/.github/workflows/ci.yml --- old/swtpm-0.10.0/.github/workflows/ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/swtpm-0.10.1/.github/workflows/ci.yml 2025-04-30 14:32:33.000000000 +0200 
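Review bot: The failure branch tails `swtpm/tests/*.log`, but the test scripts elsewhere in this commit live under `tests/` (`tests/_test_tpm2_avoid_da_lockout`) and the step runs from the checkout root, so on a `make check` failure the glob likely matches nothing and no logs are printed; presumably the `swtpm/` prefix is a leftover from the Travis layout — verify, or use `tests/*.log`. Separately, libtpms is cloned from its default branch whenever `LIBTPMS_GIT_CHECKOUT` is unset and `cpp-coveralls` is installed unpinned, so the build inputs drift with upstream and a red run is not attributable to this repository; a default tag or commit for libtpms and a pinned cpp-coveralls version would fix that.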
@@ -0,0 +1,77 @@ +name: Check + +on: + pull_request: + branches: [ "master", "stable-*" ] + +jobs: + test-distcheck: + runs-on: ubuntu-24.04 + env: + PREFIX: "/usr" + CONFIG: "--with-openssl --prefix=/usr" + CHECK: "distcheck" + RUN_TEST: "1" + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Build libtpms and swtpm and test + uses: ./.github/actions/test-swtpm + + test-coveralls: + runs-on: ubuntu-22.04 + env: + PREFIX: "/usr" + CONFIG: "--with-openssl --prefix=/usr --enable-test-coverage" + SUDO: "sudo" + CHECK: "check" + SWTPM_TEST_IBMTSS2: "1" + SWTPM_TEST_STORE_VOLATILE: "1" + COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }} + PACKAGES: libtpm2-pkcs11-tools + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Build libtpms and swtpm and test + uses: ./.github/actions/test-swtpm + + test-asan-ubsan: + runs-on: ubuntu-24.04 + env: + CFLAGS: "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover" + LIBTPMS_CFLAGS: "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover" + LIBS: "-lasan -lubsan" + ASAN_OPTIONS: "halt_on_error=1" + UBSAN_OPTIONS: "halt_on_error=1" + PREFIX: "/usr" + CONFIG: "--with-openssl --prefix=/usr --without-seccomp" + SUDO: "sudo" + CHECK: "check" + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Build libtpms and swtpm and test + uses: ./.github/actions/test-swtpm + + test-asan-ubsan-non-openssl: + runs-on: ubuntu-24.04 + env: + CFLAGS: "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover" + LIBTPMS_CFLAGS: "-fsanitize=address,undefined -g -fno-omit-frame-pointer -fno-sanitize-recover" + LIBTPMS_CONFIG: "--disable-use-openssl-functions" + LIBS: "-lasan -lubsan" + ASAN_OPTIONS: "halt_on_error=1" + UBSAN_OPTIONS: "halt_on_error=1" + PREFIX: "/usr" + CONFIG: "--with-openssl --prefix=/usr --without-seccomp" + SUDO: "sudo" + CHECK: "check" + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Build 
libtpms and swtpm and test + uses: ./.github/actions/test-swtpm diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/.github/workflows/docker.yaml new/swtpm-0.10.1/.github/workflows/docker.yaml --- old/swtpm-0.10.0/.github/workflows/docker.yaml 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/.github/workflows/docker.yaml 2025-04-30 14:32:33.000000000 +0200 @@ -10,15 +10,6 @@ jobs: - lint: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: hadolint/hadolint-action@v3.1.0 - with: - recursive: true - ignore: DL3018 - build: runs-on: ubuntu-latest permissions: @@ -32,6 +23,12 @@ - name: Checkout repository uses: actions/checkout@v4 + - name: Run linter + uses: hadolint/hadolint-action@v3.1.0 + with: + recursive: true + ignore: DL3018 + # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx uses: docker/setup-buildx-action@v3.0.0 
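Review bot: Every third-party action in the new workflow is referenced by a mutable tag (`actions/checkout@v4` here, `hadolint/hadolint-action@v3.1.0` in the docker.yaml hunk on the same line), so a retagged action silently changes what runs in a job that also receives `secrets.COVERALLS_REPO_TOKEN`; pinning by full commit SHA with the tag in a trailing comment is the usual hardening. The workflow also declares no top-level `permissions:`, so each job gets the repository-default token scope; `permissions: contents: read` at the top would make the least-privilege intent explicit. Exporting the Coveralls token unconditionally is harmless since the composite action only uses it when non-empty, but a one-line comment saying fork PRs skip coverage would save the next reader the lookup.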
@@ -74,34 +71,3 @@ platforms: linux/amd64 #platforms: linux/amd64,linux/arm/v7,linux/arm/v6 no-cache: true - - test: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3.0.0 - - name: Start containers - run: | - sudo apt-get install -y docker-compose - docker-compose up --build --force-recreate --detach - - name: Run Tests - run: | - set -x - docker-compose ps - name=$(docker-compose ps | grep swtpm-test | awk '{print $1}') - rc=$(docker wait "${name}") - if [ "${rc}" != "0" ]; then - echo "test failed:" - docker logs "${name}" - exit 1 - fi - - - name: Logs - if: always() - run: docker-compose logs - - - name: Stop containers - if: always() - run: docker-compose down - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/.travis.yml new/swtpm-0.10.1/.travis.yml --- old/swtpm-0.10.0/.travis.yml 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/.travis.yml 2025-04-30 14:32:33.000000000 +0200 @@ -87,6 +87,7 @@ SWTPM_TEST_STORE_VOLATILE="1" before_script: - sudo apt-get -y install libtpm2-pkcs11-tools + - sudo pip install setuptools==59.6.0 # Default Jammy version - sudo pip install cpp-coveralls - p=$PWD; while [ "$PWD" != "/" ]; do chmod o+x . &>/dev/null ; cd .. ; done; cd $p && sudo mkdir src/swtpm/.libs diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/CHANGES new/swtpm-0.10.1/CHANGES --- old/swtpm-0.10.0/CHANGES 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/CHANGES 2025-04-30 14:32:33.000000000 +0200 
@@ -1,5 +1,21 @@ CHANGES - changes for swtpm +version 0.10.1: + - swtpm: + - Fix build error on 32bit systems due to inconsistent _FILE_OFFSET_BITS + - swtpm_setup: + - Use DISTRO_PROFILES_DIR when listing profiles (fix path issue) + - Do not pass a TPM 2 profile to swtpm when reconfiguring + - selinux: + - Add rule for swtpm to be able to read password from pipe + - allow to map state file + - add NFS permissions for swtpm_t + - Add rule to allow swtpm_t opening of virt_log_t files (BZ 2278123) + - swtpm.spec: + - Fix issues related to uninstallation of swtpm-related SELinux modules + - ci: + - Replace Travis with Github actions + version 0.10.0: - swtpm: - Requires libtpms v0.10.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/configure.ac new/swtpm-0.10.1/configure.ac --- old/swtpm-0.10.0/configure.ac 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/configure.ac 2025-04-30 14:32:33.000000000 +0200 @@ -23,7 +23,7 @@ # This file is derived from tpm-tool's configure.in. # -AC_INIT([swtpm],[0.10.0]) +AC_INIT([swtpm],[0.10.1]) AC_PREREQ([2.69]) AC_CONFIG_SRCDIR(Makefile.am) AC_CONFIG_HEADERS([config.h]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/debian/changelog new/swtpm-0.10.1/debian/changelog --- old/swtpm-0.10.0/debian/changelog 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/debian/changelog 2025-04-30 14:32:33.000000000 +0200 @@ -1,3 +1,9 @@ +swtpm (0.10.1) RELEASED; urgency=medium + + * Stable release + + -- Stefan Berger <stef...@linux.ibm.com> Wed, 30 Apr 2025 09:00:00 -0500 + swtpm (0.10.0) RELEASED; urgency=medium * Stable release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/debian/rules new/swtpm-0.10.1/debian/rules --- old/swtpm-0.10.0/debian/rules 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/debian/rules 2025-04-30 14:32:33.000000000 +0200 
@@ -13,7 +13,7 @@ dh_apparmor -pswtpm --profile-name=usr.bin.swtpm override_dh_auto_test: - SWTPM_TEST_SECCOMP_OPT="--seccomp action=none" make -j4 check VERBOSE=1 + SWTPM_TEST_SECCOMP_OPT="--seccomp action=none" make check VERBOSE=1 override_dh_clean: dh_clean --exclude=man/man8/swtpm-localca.8 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/src/selinux/swtpm.te new/swtpm-0.10.1/src/selinux/swtpm.te --- old/swtpm-0.10.0/src/selinux/swtpm.te 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/src/selinux/swtpm.te 2025-04-30 14:32:33.000000000 +0200 @@ -9,9 +9,12 @@ type qemu_var_run_t; type svirt_image_t; type var_log_t; + type virt_log_t; type virt_var_lib_t; type virtqemud_t; type virtqemud_tmp_t; + class file map; + tunable virt_use_nfs; } attribute_role swtpm_roles; @@ -31,11 +34,11 @@ allow swtpm_t qemu_var_run_t:sock_file { create setattr unlink }; allow swtpm_t var_log_t:file open; allow swtpm_t virt_var_lib_t:dir { add_name remove_name write }; -allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write }; +allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write map }; allow swtpm_t virtqemud_t:unix_stream_socket { read write getattr }; allow swtpm_t virtqemud_tmp_t:file { open write }; allow swtpm_t svirt_image_t:file { open append }; # BZ2306817 - +allow swtpm_t virt_log_t:file open; # BZ2278123 Comment 39 domain_use_interactive_fds(swtpm_t) 
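Review bot: `map` on `virt_var_lib_t:file` is added without the justification comment the neighbouring rules carry (`# BZ2306817`, `# BZ2278123 Comment 39`), and the changelog only says "allow to map state file"; a note such as `# state file is mmap()ed; requires class file map (see require block)` would record why a file that previously needed only read/write now needs map, and ties it to the new `class file map;` in the require block of the preceding hunk. The `virt_log_t:file open` rule is the same one the dropped openSUSE patch 1229131-fix-swtpm-selinux-policy-mismatch.patch carried, so dropping that patch is consistent.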
@@ -44,3 +47,10 @@ auth_use_nsswitch(swtpm_t) miscfiles_read_localization(swtpm_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(swtpm_t) + fs_manage_nfs_files(swtpm_t) + fs_read_nfs_symlinks(swtpm_t) + fs_mmap_nfs_files(swtpm_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/src/selinux/swtpm_svirt.te new/swtpm-0.10.1/src/selinux/swtpm_svirt.te --- old/swtpm-0.10.0/src/selinux/swtpm_svirt.te 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/src/selinux/swtpm_svirt.te 2025-04-30 14:32:33.000000000 +0200 @@ -26,7 +26,8 @@ allow svirt_t user_tmp_t:sock_file { create setattr unlink }; allow svirt_t virtd_t:dir search; -allow svirt_t virtd_t:fifo_file write; +# For passing encryption secret via pipe (see https://bugzilla.redhat.com/show_bug.cgi?id=2334271) +allow svirt_t virtd_t:fifo_file { write read }; allow svirt_t virtqemud_t:fifo_file write; allow svirt_t virt_var_run_t:dir { write add_name remove_name }; allow svirt_t virt_var_run_t:file { create write setattr unlink }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/src/swtpm/mainloop.c new/swtpm-0.10.1/src/swtpm/mainloop.c --- old/swtpm-0.10.0/src/swtpm/mainloop.c 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/src/swtpm/mainloop.c 2025-04-30 14:32:33.000000000 +0200 @@ -40,6 +40,8 @@ It reads a TPM request, processes the ordinal, and writes the response */ +#include <config.h> + #include <errno.h> #include <stdio.h> #include <stdint.h> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/src/swtpm/profile.c new/swtpm-0.10.1/src/swtpm/profile.c --- old/swtpm-0.10.0/src/swtpm/profile.c 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/src/swtpm/profile.c 2025-04-30 14:32:33.000000000 +0200 
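Review bot: The `virt_use_nfs` block grants `fs_manage_nfs_dirs`/`fs_manage_nfs_files` to swtpm_t, i.e. create/rename/unlink on any NFS mount the process can reach rather than only the TPM state directory; that is the customary shape because NFS content typically carries one generic label, but it is the broadest rule in the module and deserves saying so, e.g. `# TPM state directory may live on NFS; gated by the virt_use_nfs boolean, cannot be narrowed by path`. `fs_mmap_nfs_files` is consistent with the `map` permission added on `virt_var_lib_t` in the previous hunk. The svirt.te hunk on the same line already documents its `read` addition with the bug reference.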
@@ -51,10 +51,12 @@ return -1; if (ret == -2) { - info_data = TPMLIB_GetInfo(TPMLIB_INFO_RUNTIME_ALGORITHMS); - - ret = json_get_submap_value(info_data, "RuntimeAlgorithms", "Implemented", - &value); + info_data = TPMLIB_GetInfo(TPMLIB_INFO_AVAILABLE_PROFILES); + /* In the AvailableProfiles entry get the custom profile's Algorithms */ + ret = json_get_array_entry_value(info_data, + "AvailableProfiles", + "Name", "custom", "Algorithms", + &value); if (ret) return -1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/src/swtpm/tpmlib.h new/swtpm-0.10.1/src/swtpm/tpmlib.h --- old/swtpm-0.10.0/src/swtpm/tpmlib.h 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/src/swtpm/tpmlib.h 2025-04-30 14:32:33.000000000 +0200 @@ -38,6 +38,8 @@ #ifndef _SWTPM_TPMLIB_H_ #define _SWTPM_TPMLIB_H_ +#include <config.h> /* ensure consistent definition of _FILE_OFFSET_BITS */ + #include <stdint.h> #include <stdbool.h> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/src/swtpm/utils.c new/swtpm-0.10.1/src/swtpm/utils.c --- old/swtpm-0.10.0/src/swtpm/utils.c 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/src/swtpm/utils.c 2025-04-30 14:32:33.000000000 +0200 
@@ -504,6 +504,89 @@ return 0; } +/* + * In the given JSON map select @field0_name whose value must be an array. + * Inside the array of maps, find a map whose @field1_name has the value + * @field1_value. Then select field2_name and return its value. + * + * @json_input: JSON array of maps as a string + * @field0_name: The name of the map entry holding the array of maps + * @field1_name: The name of an entry in the map + * @field1_value: The value of an entry in the map + * @field2_name: Name of entry in map whose value to return + * @value: Results is returned here + * + * Returns 0 in case of success, -1 otherwise. + */ +int json_get_array_entry_value(const char *json_input, + const char *field0_name, + const char *field1_name, const char *field1_value, + const char *field2_name, char **value) +{ + g_autoptr(JsonParser) jp = NULL; + g_autoptr(JsonReader) jr = NULL; + g_autoptr(GError) error = NULL; + const gchar *strval; + JsonNode *root; + guint idx; + + jp = json_parser_new(); + if (!json_parser_load_from_data(jp, json_input, -1, &error)) { + logprintf(STDERR_FILENO, + "Could not parse JSON '%s': %s\n", json_input, error->message); + return -1; + } + + root = json_parser_get_root(jp); + if (!root) { + logprintf(STDERR_FILENO, + "Could not get root of JSON '%s'\n", json_input); + return -1; + } + jr = json_reader_new(root); + + if (!json_reader_read_member(jr, field0_name)) { + logprintf(STDERR_FILENO, + "Could not find the initial field '%s'in '%s'\n", + field0_name, json_input); + return -1; + } + for (idx = 0;; idx++) { + if (!json_reader_read_element(jr, idx)) { + logprintf(STDERR_FILENO, + "Could not find an element with name '%s' and value '%s'\n", + field1_name, field1_value); + return -1; + } + if (json_reader_read_member(jr, field1_name)) { + if ((strval = json_reader_get_string_value(jr)) != NULL && + g_strcmp0(strval, field1_value) == 0) { + + json_reader_end_member(jr); + if (!json_reader_read_member(jr, field2_name)) { + logprintf(STDERR_FILENO, + 
"Found map entry in '%s' but could not find field '%s'", + json_input, field2_name); + return -1; + } + *value = g_strdup(json_reader_get_string_value(jr)); + if (*value == NULL) { + /* value not a string */ + logprintf(STDERR_FILENO, + "'%s' field in '%s' is not a string\n", + field2_name, json_input); + return -1; + } + return 0; + } + json_reader_end_member(jr); + } + json_reader_end_element(jr); + } + /* must never get here */ + return -1; +} + ssize_t strv_strncmp(const gchar *const*str_array, const gchar *s, size_t n) { size_t i; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/src/swtpm/utils.h new/swtpm-0.10.1/src/swtpm/utils.h --- old/swtpm-0.10.0/src/swtpm/utils.h 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/src/swtpm/utils.h 2025-04-30 14:32:33.000000000 +0200 @@ -81,6 +81,10 @@ const char *key, char **value); int json_set_map_key_value(char **json_input, const char *key, const char *value); +int json_get_array_entry_value(const char *json_input, + const char *field0_name, + const char *field1_name, const char *field1_value, + const char *field2_name, char **value); ssize_t strv_strncmp(const gchar *const*str_array, const gchar *s, size_t n); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/src/swtpm_setup/profile.c new/swtpm-0.10.1/src/swtpm_setup/profile.c --- old/swtpm-0.10.0/src/swtpm_setup/profile.c 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/src/swtpm_setup/profile.c 2025-04-30 14:32:33.000000000 +0200 @@ -23,7 +23,7 @@ #include "swtpm_setup_utils.h" #include "compiler_dependencies.h" -#define DISTRO_PROFILES_DIR DATAROOTDIR "swtpm/profiles" +#define DISTRO_PROFILES_DIR DATAROOTDIR "/swtpm/profiles" /* Return the names of the supported profiles */ 
@@ -373,7 +373,7 @@ if (ja) json_object_set_array_member(jo, "local", ja); - ja = profile_gather_dir(DATAROOTDIR "swtpm/profiles"); + ja = profile_gather_dir(DISTRO_PROFILES_DIR); if (ja) json_object_set_array_member(jo, "distro", ja); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/src/swtpm_setup/swtpm_setup.c new/swtpm-0.10.1/src/swtpm_setup/swtpm_setup.c --- old/swtpm-0.10.0/src/swtpm_setup/swtpm_setup.c 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/src/swtpm_setup/swtpm_setup.c 2025-04-30 14:32:33.000000000 +0200 @@ -1816,6 +1816,15 @@ goto error; } + if ((flags & SETUP_RECONFIGURE_F) && + (json_profile || + json_profile_name || + json_profile_file || + json_profile_fd > 0)) { + logerr(gl_LOGFILE, "Reconfiguration does not accept a (new) profile.\n"); + goto error; + } + if (json_profile_name) { if (profile_name_check(json_profile_name) < 0) goto error; @@ -1842,9 +1851,14 @@ } } - /* read default profile from swtpm_setup.conf */ + /* + * Read default profile from swtpm_setup.conf; + * Do not read it when --reconfigure'ing + */ if ((flags & SETUP_TPM2_F) != 0 && - json_profile == NULL && json_profile_fd < 0) { + json_profile == NULL && json_profile_fd < 0 && + (flags & SETUP_RECONFIGURE_F) == 0) { + json_profile_fd = get_default_profile_fd(config_file_lines); if (json_profile_fd == -2) goto error; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/swtpm.spec new/swtpm-0.10.1/swtpm.spec --- old/swtpm-0.10.0/swtpm.spec 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/swtpm.spec 2025-04-30 14:32:33.000000000 +0200 @@ -8,7 +8,7 @@ Summary: TPM Emulator Name: swtpm -Version: 0.10.0 +Version: 0.10.1 Release: 1%{?dist} License: BSD-3-Clause Url: https://github.com/stefanberger/swtpm 
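Review bot: The new reconfigure guard tests `json_profile_fd > 0`, while the check a few lines later in the same function treats `json_profile_fd < 0` as "not given" (`json_profile == NULL && json_profile_fd < 0`), so a profile handed over on descriptor 0 would pass the `--reconfigure` rejection and then be used; the consistent test is `json_profile_fd >= 0`. The enclosing function starts and ends outside the hunk, so I cannot see how json_profile_fd is initialised — verify it starts at -1. The second swtpm_setup.c hunk also adds an empty line directly after the `if (...) {` opener, which looks unintended.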
@@ -122,6 +122,9 @@ %make_install rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so} +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + %post selinux for pp in /usr/share/selinux/packages/swtpm.pp \ /usr/share/selinux/packages/swtpm_libvirt.pp \ @@ -131,7 +134,7 @@ %postun selinux if [ $1 -eq 0 ]; then - for p in swtpm swtpm_libvirt swtpm_svirt; do + for p in swtpm_svirt swtpm_libvirt swtpm; do %selinux_modules_uninstall -s %{selinuxtype} $p done fi @@ -200,6 +203,9 @@ %{_libexecdir}/installed-tests/swtpm/ %changelog +* Wed Apr 30 2025 Stefan Berger <stef...@linux.ibm.com> - 0.10.1-0.20250430git------- +- v0.10.1 release + * Fri Nov 15 2024 Stefan Berger <stef...@linux.ibm.com> - 0.10.0-0.20241115git------- - v0.10.0 release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/swtpm.spec.in new/swtpm-0.10.1/swtpm.spec.in --- old/swtpm-0.10.0/swtpm.spec.in 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/swtpm.spec.in 2025-04-30 14:32:33.000000000 +0200 @@ -122,6 +122,9 @@ %make_install rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so} +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + %post selinux for pp in /usr/share/selinux/packages/swtpm.pp \ /usr/share/selinux/packages/swtpm_libvirt.pp \ @@ -131,7 +134,7 @@ %postun selinux if [ $1 -eq 0 ]; then - for p in swtpm swtpm_libvirt swtpm_svirt; do + for p in swtpm_svirt swtpm_libvirt swtpm; do %selinux_modules_uninstall -s %{selinuxtype} $p done fi 
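Review bot: `%pre selinux` now runs `%selinux_relabel_pre`, and the SELinux packaging macros pair that with a `%selinux_relabel_post` in `%posttrans`; the hunk only shows the start of `%post selinux`, so if the post-transaction relabel is not already present outside the hunk it should be added, otherwise the relabel bookkeeping started in `%pre` is never completed. Reversing the uninstall order to `swtpm_svirt swtpm_libvirt swtpm` presumably reflects that the two add-on modules depend on the base `swtpm` module and must be removed first; a one-line comment above the loop, `# dependent modules first, base module last`, would keep someone from "tidying" it back. The same two changes are repeated verbatim in the swtpm.spec.in hunks that follow.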
@@ -200,6 +203,9 @@ %{_libexecdir}/installed-tests/swtpm/ %changelog +* Wed Apr 30 2025 Stefan Berger <stef...@linux.ibm.com> - 0.10.1-0.20250430git------- +- v0.10.1 release + * Fri Nov 15 2024 Stefan Berger <stef...@linux.ibm.com> - 0.10.0-0.20241115git------- - v0.10.0 release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/swtpm-0.10.0/tests/test_tpm2_swtpm_setup_create_cert new/swtpm-0.10.1/tests/test_tpm2_swtpm_setup_create_cert --- old/swtpm-0.10.0/tests/test_tpm2_swtpm_setup_create_cert 2024-11-15 20:19:43.000000000 +0100 +++ new/swtpm-0.10.1/tests/test_tpm2_swtpm_setup_create_cert 2025-04-30 14:32:33.000000000 +0200 @@ -55,6 +55,7 @@ create_certs_tool=\${MY_SWTPM_LOCALCA} create_certs_tool_config=${workdir}/swtpm-localca.conf create_certs_tool_options=${workdir}/swtpm-localca.options +profile = {"Name": "default-v1"} _EOF_ # We need to adapt the PATH so the correct swtpm_cert is picked