Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pcr-oracle for openSUSE:Factory checked in at 2026-03-17 19:02:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pcr-oracle (Old) and /work/SRC/openSUSE:Factory/.pcr-oracle.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pcr-oracle" Tue Mar 17 19:02:28 2026 rev:25 rq:1339283 version:0.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/pcr-oracle/pcr-oracle.changes 2026-02-02 14:55:57.388451121 +0100 +++ /work/SRC/openSUSE:Factory/.pcr-oracle.new.8177/pcr-oracle.changes 2026-03-17 19:03:43.534752209 +0100 @@ -1,0 +2,10 @@ +Mon Mar 16 08:14:36 UTC 2026 - Gary Ching-Pang Lin <[email protected]> + +- Update to 0.6.0 + + Initial support for CI tests + + Fix additional arguments following the PCR index + + CI: Shutdown the swtpm instance after tests + + Fix stop event check crash for grub-command (bsc#1258119) + + Print PCR values during signing or sealing + +------------------------------------------------------------------- Old: ---- pcr-oracle-0.5.9.tar.xz New: ---- pcr-oracle-0.6.0.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pcr-oracle.spec ++++++ --- /var/tmp/diff_new_pack.O1n6UW/_old 2026-03-17 19:03:44.074774588 +0100 +++ /var/tmp/diff_new_pack.O1n6UW/_new 2026-03-17 19:03:44.078774753 +0100 @@ -18,7 +18,7 @@ Name: pcr-oracle -Version: 0.5.9 +Version: 0.6.0 Release: 0 Summary: Predict TPM PCR values License: GPL-2.0-or-later ++++++ _service ++++++ --- /var/tmp/diff_new_pack.O1n6UW/_old 2026-03-17 19:03:44.118776411 +0100 +++ /var/tmp/diff_new_pack.O1n6UW/_new 2026-03-17 19:03:44.118776411 +0100 
@@ -7,7 +7,7 @@ <param name="url">https://github.com/openSUSE/pcr-oracle.git</param> <param name="filename">pcr-oracle</param> <param name="versionformat">@PARENT_TAG@</param> - <param name="revision">refs/tags/0.5.9</param> + <param name="revision">refs/tags/0.6.0</param> </service> <service name="recompress" mode="disabled"> <param name="file">pcr-oracle*.tar</param> ++++++ pcr-oracle-0.5.9.tar.xz -> pcr-oracle-0.6.0.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.9/.github/workflows/ci.yml new/pcr-oracle-0.6.0/.github/workflows/ci.yml --- old/pcr-oracle-0.5.9/.github/workflows/ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/pcr-oracle-0.6.0/.github/workflows/ci.yml 2026-03-16 09:10:52.000000000 +0100 
@@ -0,0 +1,67 @@ +name: CI + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +jobs: + build-and-test: + name: Test on ${{ matrix.os-name }} + runs-on: ubuntu-latest + + strategy: + fail-fast: false + matrix: + include: + - os-name: "openSUSE Tumbleweed" + container-image: "registry.opensuse.org/opensuse/tumbleweed:latest" + - os-name: "openSUSE Leap 16.0" + container-image: "registry.opensuse.org/opensuse/leap:16.0" + + container: + image: ${{ matrix.container-image }} + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install dependencies + run: | + zypper --non-interactive ref + zypper --non-interactive in \ + autoconf automake gcc make \ + pkg-config tpm2.0-tools swtpm \ + libtss2-tcti-swtpm0 diffutils \ + systemd systemd-devel \ + tpm2-0-tss-devel libjson-c-devel \ + libopenssl-devel libfdisk-devel \ + libelf-devel + + - name: Build the code + run: | + ./configure + make -j$(nproc) + + - name: Run the test scripts + run: | + # Set up the swtpm instance + mkdir -p /tmp/swtpm-state + swtpm socket --tpm2 \ + --flags startup-clear \ + --server type=unixio,path=/tmp/swtpm-sock \ + --ctrl type=unixio,path=/tmp/swtpm-sock.ctrl \ + --log level=20 \ + --tpmstate dir=/tmp/swtpm-state -d + export TPM2TOOLS_TCTI="swtpm:path=/tmp/swtpm-sock" + export PCRORACLE_TCTI="swtpm:path=/tmp/swtpm-sock" + + # Run the test scripts + ./test-pcr.sh + ./test-systemd.sh + ./test-tpm2key.sh + ./test-authorized.sh + + # Shutdown swtpm + swtpm_ioctl -s --unix /tmp/swtpm-sock.ctrl diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.9/configure new/pcr-oracle-0.6.0/configure --- old/pcr-oracle-0.5.9/configure 2026-02-02 08:35:19.000000000 +0100 +++ new/pcr-oracle-0.6.0/configure 2026-03-16 09:10:52.000000000 +0100 
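Review bot: The new workflow declares no `permissions:` key, so the job runs with the repository's default GITHUB_TOKEN scope, and it is triggered by `pull_request` as well as `push`. A top-level `permissions:` block with `contents: read` is enough for a job that only checks out, builds and runs tests. `actions/checkout@v4` and the container images are referenced by mutable tags; pinning the action to a full commit SHA (`uses: actions/checkout@<full-commit-sha>  # v4`) makes the run reproducible. Separately, if the step shell runs with `-e` (the usual default), the final `swtpm_ioctl -s --unix /tmp/swtpm-sock.ctrl` is skipped whenever one of the four test scripts fails; a `trap` at the top of the step or a separate step with `if: always()` would cover that.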
@@ -12,7 +12,7 @@ # Invoke with --help for a description of options # # microconf:begin -# version 0.5.9 +# version 0.6.0 # require libtss2 # require json # require libfdisk diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.9/microconf/version new/pcr-oracle-0.6.0/microconf/version --- old/pcr-oracle-0.5.9/microconf/version 2026-02-02 08:35:19.000000000 +0100 +++ new/pcr-oracle-0.6.0/microconf/version 2026-03-16 09:10:52.000000000 +0100 @@ -1 +1 @@ -uc_version=0.5.9 +uc_version=0.6.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.9/src/oracle.c new/pcr-oracle-0.6.0/src/oracle.c --- old/pcr-oracle-0.5.9/src/oracle.c 2026-02-02 08:35:19.000000000 +0100 +++ new/pcr-oracle-0.6.0/src/oracle.c 2026-03-16 09:10:52.000000000 +0100 @@ -444,7 +444,7 @@ return false; grub_cmd = grub_arg; - while (grub_cmd != NULL && !isalpha(*grub_cmd)) + while (grub_cmd != NULL && *grub_cmd != '\0' && !isalpha(*grub_cmd)) grub_cmd++; return !strcmp(grub_cmd, value); @@ -828,21 +828,12 @@ return okay; } -static const char * -get_next_arg(int *index_p, int argc, char **argv) -{ - int i = *index_p; - - if (i >= argc) - usage(1, "Missing argument\n"); - *index_p += 1; - return argv[i]; -} +static const char *next_argument(int argc, char **argv); static bool predictor_update_all(struct predictor *pred, int argc, char **argv) { - int i = 0, pcr_index = -1; + int pcr_index = -1; if (!strcmp(pred->initial_source, "eventlog")) { if (!predictor_update_eventlog(pred)) 
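Review bot: In the `@@ -444,7 +444,7 @@` hunk, `isalpha(*grub_cmd)` passes a plain `char`, which is undefined behaviour for bytes above 0x7f where `char` is signed. The string appears to come from a grub-command event (inferred from the names), so the cast is worth adding: `while (*grub_cmd != '\0' && !isalpha((unsigned char) *grub_cmd))`. The `grub_cmd != NULL` test cannot become false through `grub_cmd++`, so it only guards the first iteration, and `strcmp(grub_cmd, value)` after the loop would still dereference NULL. If `grub_arg` can be NULL it should be rejected before the loop; the function starts above this hunk, so an earlier check may already do that.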
@@ -858,14 +849,17 @@ mask >>= 1; } - while (i < argc) { + /* Check if there is any argument following the PCR selection + * NOTE: Those arugments (string, file, and eventlog) only work + * when only one PCR is selected. */ + while (optind < argc) { const char *type, *arg; - type = get_next_arg(&i, argc, argv); + type = next_argument(argc, argv); if (isdigit(*type)) { if (!parse_pcr_index(type, (unsigned int *) &pcr_index)) fatal("unable to parse PCR index \"%s\"\n", type); - type = get_next_arg(&i, argc, argv); + type = next_argument(argc, argv); } if (!strcmp(type, "eventlog")) { @@ -873,7 +867,7 @@ continue; } - arg = get_next_arg(&i, argc, argv); + arg = next_argument(argc, argv); if (pcr_index < 0) { fprintf(stderr, "Unable to infer which PCR to update for %s %s\n", type, arg); usage(1, NULL); @@ -1327,10 +1321,12 @@ fatal("Unsupported target platform %s\n", opt_target_platform); /* Validate options */ + /* ACTION_PREDICT, ACTION_SEAL, and ACTION_SIGN may need to extend the + * selected PCR further with a 'string' or 'file'. For those actions, + * argument parsing is ended after predictor_update_all(). */ switch (action) { case ACTION_PREDICT: pcr_selection = get_pcr_selection_argument(argc, argv, opt_algo); - end_arguments(argc, argv); break; case ACTION_STORE_PUBLIC_KEY: @@ -1355,7 +1351,8 @@ case ACTION_SEAL: if (opt_authorized_policy == NULL) pcr_selection = get_pcr_selection_argument(argc, argv, opt_algo); - end_arguments(argc, argv); + else + end_arguments(argc, argv); break; case ACTION_UNSEAL: @@ -1383,7 +1380,6 @@ usage(1, "You need to specify the --output option when signing a policy\n"); pcr_selection = get_pcr_selection_argument(argc, argv, opt_algo); - end_arguments(argc, argv); break; case ACTION_SELFTEST: 
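Review bot: Inside the new `while (optind < argc)` loop, the second `next_argument(argc, argv)` call (after a PCR index) runs without a fresh bounds check, and so does `arg = next_argument(argc, argv)` in the `@@ -873,7 +867,7 @@` hunk. The removed `get_next_arg()` called `usage(1, "Missing argument\n")` when the arguments ran out. `next_argument()` is only forward-declared in this diff, so please confirm that it exits rather than returning NULL; otherwise `isdigit(*type)` and `strcmp(type, "eventlog")` dereference NULL when a PCR index or type word is the last argument. While here, `isdigit(*type)` should be `isdigit((unsigned char) *type)`, and the new comment has a typo (`arugments`).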
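Review bot: With `end_arguments()` dropped from the `ACTION_PREDICT`, `ACTION_SEAL` and `ACTION_SIGN` cases (the `@@ -1327,10 +1321,12 @@`, `@@ -1355,7 +1351,8 @@` and `@@ -1383,7 +1380,6 @@` hunks), words after the PCR selection are no longer rejected up front but are handed to `predictor_update_all()` as extension sources. For seal and sign, that makes the positional arguments part of what the policy is bound to, so an unrecognised `type` must end in an error rather than be skipped; the branch that handles it lies outside these hunks and should be checked. The new comment could say so directly, e.g. `/* Trailing arguments are consumed by predictor_update_all(); anything it does not recognise must be a usage error. */`.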
@@ -1485,9 +1481,12 @@ runtime_replay_testcase(tc_playback); } - if (!predictor_update_all(pred, argc - optind, argv + optind)) + if (!predictor_update_all(pred, argc, argv)) return 1; + /* No more argument parsing */ + end_arguments(argc, argv); + if (action == ACTION_PREDICT) { if (opt_verify) exit_code = !!predictor_verify(pred, opt_verify); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.9/src/pcr-policy.c new/pcr-oracle-0.6.0/src/pcr-policy.c --- old/pcr-oracle-0.5.9/src/pcr-policy.c 2026-02-02 08:35:19.000000000 +0100 +++ new/pcr-oracle-0.6.0/src/pcr-policy.c 2026-03-16 09:10:52.000000000 +0100 @@ -1130,6 +1130,23 @@ return okay; } +static void +print_pcr_bank (const tpm_pcr_bank_t *bank) +{ + unsigned int pcr_index, i; + const tpm_evdigest_t *pcr; + + for (pcr_index = 0; pcr_index < PCR_BANK_REGISTER_MAX; ++pcr_index) { + if (pcr_bank_register_is_valid(bank, pcr_index)) { + pcr = &bank->pcr[pcr_index]; + printf("%s:%u ", bank->algo_name, pcr_index); + for (i = 0; i < pcr->size; i++) + printf("%02x", pcr->data[i]); + printf("\n"); + } + } +} + bool pcr_seal_secret(const target_platform_t *platform, const tpm_pcr_bank_t *bank, const char *opt_persistent_srk, const char *input_path, const char *output_path) @@ -1148,6 +1165,11 @@ ok = esys_seal_secret(platform, esys_context, pcr_policy, &pcr_sel, opt_persistent_srk, input_path, output_path); + if (ok) { + infomsg("Sealed with PCR policy\n"); + print_pcr_bank(bank); + } + free(pcr_policy); return ok; } 
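Review bot: `print_pcr_bank()` (added in the `@@ -1130,6 +1130,23 @@` hunk) writes to stdout with `printf()`, and in the `@@ -1256,8 +1278,10 @@` hunk it is called right after a message that allows `output_path` to be NULL ("(standard output)"). If the signed policy can in fact be written to stdout, the PCR dump lands on the same stream and corrupts the artifact for whatever consumes it. Sending the dump to stderr keeps data and diagnostics apart, e.g. `fprintf(stderr, "%s:%u ", bank->algo_name, pcr_index);` and likewise for the digest bytes and the newline. A header comment such as `/* Print each valid register of @bank as "<algo>:<index> <hex digest>", one per line. */` would document the output format.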
@@ -1256,8 +1278,10 @@ okay = platform->write_signed_policy(input_path, output_path, policy_name, bank, pcr_policy, rsa_key, signed_policy); - if (okay) + if (okay) { infomsg("Signed PCR policy written to %s\n", output_path?: "(standard output)"); + print_pcr_bank(bank); + } out: if (pcr_policy) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pcr-oracle-0.5.9/src/tpm.c new/pcr-oracle-0.6.0/src/tpm.c --- old/pcr-oracle-0.5.9/src/tpm.c 2026-02-02 08:35:19.000000000 +0100 +++ new/pcr-oracle-0.6.0/src/tpm.c 2026-03-16 09:10:52.000000000 +0100 @@ -65,8 +65,19 @@ if (esys_ctx == NULL) { TSS2_RC rc; + TSS2_RC rc_tcti; + char *tcti_env = NULL; + TSS2_TCTI_CONTEXT *tcti = NULL; - rc = Esys_Initialize(&esys_ctx, NULL, NULL); + tcti_env = getenv("PCRORACLE_TCTI"); + if (tcti_env != NULL) { + infomsg("Using TCTI env: %s\n", tcti_env); + rc_tcti = Tss2_TctiLdr_Initialize(tcti_env, &tcti); + if (!tss_check_error(rc_tcti, "Failed to initialize TCTI context")) + tcti = NULL; + } + + rc = Esys_Initialize(&esys_ctx, tcti, NULL); if (!tss_check_error(rc, "Unable to initialize TSS2 ESAPI context")) fatal("Aborting.\n");
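Review bot: In the tpm.c hunk, when `PCRORACLE_TCTI` is set but `Tss2_TctiLdr_Initialize()` fails, the code sets `tcti = NULL` and continues, so `Esys_Initialize()` silently falls back to the default TCTI. A caller who pointed the tool at a software TPM would then operate on the default device (typically the hardware TPM) without noticing. Failing closed is safer: replace `tcti = NULL;` with `fatal("Aborting.\n");`, as the `Esys_Initialize` check just below already does. Because the variable selects which TCTI module is loaded, reading it with `secure_getenv("PCRORACLE_TCTI")` instead of `getenv()` would ignore it in privilege-elevated executions. The loaded `tcti` is not passed to `Tss2_TctiLdr_Finalize()` anywhere in this hunk; the function continues outside it, so cleanup may happen elsewhere.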
