Hello Pierre, I've prepared a package for the new tpm-tools upstream version 1.3.9.2.
Please see the attached diff (only the debian directory given) or if you prefer, visit https://salsa.debian.org/debian/tpm-tools
The package is currently in DELAYED/10 to give you time to react. -Timo
diff -Naur tpm-tools-1.3.9.1/debian/changelog tpm-tools/debian/changelog --- tpm-tools-1.3.9.1/debian/changelog 2017-05-22 01:20:40.000000000 +0300 +++ tpm-tools/debian/changelog 2022-07-03 14:46:00.952191745 +0300 @@ -1,3 +1,14 @@ +tpm-tools (1.3.9.2-0.1) unstable; urgency=medium + + * Non-maintainer upload. + * New upstream release (Closes: #1010799). + - Drop patches/05-openssl1.1_fix_data_mgmt.patch + * Bump Standards-Version to 4.6.1. + * Add compiler hardening flags. + * Add autokpkgtest for nvram handling. + + -- Timo Lindfors <timo.lindf...@iki.fi> Fri, 01 Jul 2022 23:34:48 +0300 + tpm-tools (1.3.9.1-0.2) unstable; urgency=medium * Non-maintainer upload. diff -Naur tpm-tools-1.3.9.1/debian/control tpm-tools/debian/control --- tpm-tools-1.3.9.1/debian/control 2017-05-14 03:21:06.000000000 +0300 +++ tpm-tools/debian/control 2022-07-03 14:43:59.576089266 +0300 @@ -3,11 +3,14 @@ Priority: optional Maintainer: Pierre Chifflier <pol...@debian.org> Build-Depends: - debhelper (>= 10), autotools-dev, automake, libopencryptoki-dev, + debhelper (>= 10), automake, libopencryptoki-dev, libtspi-dev (>= 0.3.10), - quilt, dh-autoreconf, autopoint -Standards-Version: 3.9.8 + quilt, autopoint +Standards-Version: 4.6.1 Homepage: http://trousers.sourceforge.net/ +Rules-Requires-Root: no +Vcs-Browser: https://salsa.debian.org/debian/tpm-tools +Vcs-Git: https://salsa.debian.org/debian/tpm-tools.git Package: tpm-tools Architecture: any diff -Naur tpm-tools-1.3.9.1/debian/copyright tpm-tools/debian/copyright --- tpm-tools-1.3.9.1/debian/copyright 2015-03-25 19:03:39.000000000 +0200 +++ tpm-tools/debian/copyright 2022-07-03 14:43:59.576089266 +0300 
@@ -1,5 +1,7 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: tpm-tools Author: Kent Yoder <shpedoi...@gmail.com> -Download: http://trousers.sourceforge.net/ +Source: https://trousers.sourceforge.net/ Files: * Copyright: 2005-2007 IBM, Corp. <http://www.ibm.com/> diff -Naur tpm-tools-1.3.9.1/debian/files tpm-tools/debian/files --- tpm-tools-1.3.9.1/debian/files 1970-01-01 02:00:00.000000000 +0200 +++ tpm-tools/debian/files 2022-07-03 14:53:46.676706778 +0300 @@ -0,0 +1 @@ +tpm-tools_1.3.9.2-0.1_source.buildinfo admin optional diff -Naur tpm-tools-1.3.9.1/debian/patches/05-openssl1.1_fix_data_mgmt.patch tpm-tools/debian/patches/05-openssl1.1_fix_data_mgmt.patch --- tpm-tools-1.3.9.1/debian/patches/05-openssl1.1_fix_data_mgmt.patch 2017-02-05 23:05:18.000000000 +0200 +++ tpm-tools/debian/patches/05-openssl1.1_fix_data_mgmt.patch 1970-01-01 02:00:00.000000000 +0200 
@@ -1,106 +0,0 @@ -Author: Philipp Kern <pk...@debian.org> -Subject: Fix openssl1.1 support in data_mgmt -Date: Tue, 31 Jan 2017 22:40:10 +0100 - - ---- - src/data_mgmt/data_import.c | 60 ++++++++++++++++++++++++++++---------------- - 1 file changed, 39 insertions(+), 21 deletions(-) - ---- a/src/data_mgmt/data_import.c -+++ b/src/data_mgmt/data_import.c -@@ -372,7 +372,7 @@ readX509Cert( const char *a_pszFile, - goto out; - } - -- if ( EVP_PKEY_type( pKey->type ) != EVP_PKEY_RSA ) { -+ if ( EVP_PKEY_base_id( pKey ) != EVP_PKEY_RSA ) { - logError( TOKEN_RSA_KEY_ERROR ); - - X509_free( pX509 ); -@@ -691,8 +691,13 @@ createRsaPubKeyObject( RSA - - int rc = -1; - -- int nLen = BN_num_bytes( a_pRsa->n ); -- int eLen = BN_num_bytes( a_pRsa->e ); -+ const BIGNUM *bn; -+ const BIGNUM *be; -+ -+ RSA_get0_key( a_pRsa, &bn, &be, NULL ); -+ -+ int nLen = BN_num_bytes( bn ); -+ int eLen = BN_num_bytes( be ); - - CK_RV rv; - -@@ -732,8 +737,8 @@ createRsaPubKeyObject( RSA - } - - // Get binary representations of the RSA key information -- BN_bn2bin( a_pRsa->n, n ); -- BN_bn2bin( a_pRsa->e, e ); -+ BN_bn2bin( bn, n ); -+ BN_bn2bin( be, e ); - - // Create the RSA public key object - rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject ); -@@ -760,14 +765,27 @@ createRsaPrivKeyObject( RSA - - int rc = -1; - -- int nLen = BN_num_bytes( a_pRsa->n ); -- int eLen = BN_num_bytes( a_pRsa->e ); -- int dLen = BN_num_bytes( a_pRsa->d ); -- int pLen = BN_num_bytes( a_pRsa->p ); -- int qLen = BN_num_bytes( a_pRsa->q ); -- int dmp1Len = BN_num_bytes( a_pRsa->dmp1 ); -- int dmq1Len = BN_num_bytes( a_pRsa->dmq1 ); -- int iqmpLen = BN_num_bytes( a_pRsa->iqmp ); -+ const BIGNUM *bn; -+ const BIGNUM *be; -+ const BIGNUM *bd; -+ const BIGNUM *bp; -+ const BIGNUM *bq; -+ const BIGNUM *bdmp1; -+ const BIGNUM *bdmq1; -+ const BIGNUM *biqmp; -+ -+ RSA_get0_key( a_pRsa, &bn, &be, &bd); -+ RSA_get0_factors( a_pRsa, &bp, &bq); -+ RSA_get0_crt_params( a_pRsa, &bdmp1, &bdmq1, &biqmp ); -+ -+ int 
nLen = BN_num_bytes( bn ); -+ int eLen = BN_num_bytes( be ); -+ int dLen = BN_num_bytes( bd ); -+ int pLen = BN_num_bytes( bp ); -+ int qLen = BN_num_bytes( bq ); -+ int dmp1Len = BN_num_bytes( bdmp1 ); -+ int dmq1Len = BN_num_bytes( bdmq1 ); -+ int iqmpLen = BN_num_bytes( biqmp ); - - CK_RV rv; - -@@ -821,14 +839,14 @@ createRsaPrivKeyObject( RSA - } - - // Get binary representations of the RSA key information -- BN_bn2bin( a_pRsa->n, n ); -- BN_bn2bin( a_pRsa->e, e ); -- BN_bn2bin( a_pRsa->d, d ); -- BN_bn2bin( a_pRsa->p, p ); -- BN_bn2bin( a_pRsa->q, q ); -- BN_bn2bin( a_pRsa->dmp1, dmp1 ); -- BN_bn2bin( a_pRsa->dmq1, dmq1 ); -- BN_bn2bin( a_pRsa->iqmp, iqmp ); -+ BN_bn2bin( bn, n ); -+ BN_bn2bin( be, e ); -+ BN_bn2bin( bd, d ); -+ BN_bn2bin( bp, p ); -+ BN_bn2bin( bq, q ); -+ BN_bn2bin( bdmp1, dmp1 ); -+ BN_bn2bin( bdmq1, dmq1 ); -+ BN_bn2bin( biqmp, iqmp ); - - // Create the RSA private key object - rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject ); diff -Naur tpm-tools-1.3.9.1/debian/patches/series tpm-tools/debian/patches/series --- tpm-tools-1.3.9.1/debian/patches/series 2017-02-06 00:20:35.000000000 +0200 +++ tpm-tools/debian/patches/series 2022-07-03 14:43:51.264082939 +0300 @@ -1,4 +1,3 @@ 01-opencryptoki-soname.patch 03-fix-bool-error-parseStringWithValues.patch 04-fix-FTBFS-clang.patch -05-openssl1.1_fix_data_mgmt.patch diff -Naur tpm-tools-1.3.9.1/debian/README.source tpm-tools/debian/README.source --- tpm-tools-1.3.9.1/debian/README.source 1970-01-01 02:00:00.000000000 +0200 +++ tpm-tools/debian/README.source 2022-07-03 14:46:00.936191730 +0300 
@@ -0,0 +1,17 @@ +Upgrading the Debian source package to a new upstream version +------------------------------------------------------------- + +The following commands can be useful for updating the source package +to a new upstream version: + +gbp clone --pristine-tar https://salsa.debian.org/debian/tpm-tools +cd tpm-tools +gbp import-orig --pristine-tar --uscan --filter=.git +dch -i +git commit debian/changelog +gbp buildpackage -S +sudo pbuilder build ../tpm-tools_$(dpkg-parsechangelog -SVersion).dsc +lintian -EvIL +pedantic /var/cache/pbuilder/result/tpm-tools_$(dpkg-parsechangelog -SVersion)_amd64.changes + +sudo autopkgtest-build-qemu unstable ~/autopkgtest-unstable.img +autopkgtest ././../tpm-tools_$(dpkg-parsechangelog -SVersion).dsc -- qemu ~/autopkgtest-unstable.img diff -Naur tpm-tools-1.3.9.1/debian/rules tpm-tools/debian/rules --- tpm-tools-1.3.9.1/debian/rules 2017-05-14 03:17:32.000000000 +0300 +++ tpm-tools/debian/rules 2022-07-03 14:43:59.572089263 +0300 @@ -1,11 +1,12 @@ #!/usr/bin/make -f +export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow %: dh ${@} --with autoreconf +override_dh_autoreconf: + dh_autoreconf sh bootstrap.sh + override_dh_install: find debian/tmp -name "*.la" -delete; \ dh_install --fail-missing - -override_dh_strip: - dh_strip --dbgsym-migration='tpm-tools-dbg (<< 1.3.9.1-0.2~)' diff -Naur tpm-tools-1.3.9.1/debian/tests/control tpm-tools/debian/tests/control --- tpm-tools-1.3.9.1/debian/tests/control 1970-01-01 02:00:00.000000000 +0200 +++ tpm-tools/debian/tests/control 2022-07-03 14:46:00.944191737 +0300 @@ -0,0 +1,3 @@ +Tests: tpm-nvram +Depends: @, swtpm, trousers, expect +Restrictions: needs-root, isolation-machine, skippable diff -Naur tpm-tools-1.3.9.1/debian/tests/tpm-nvram tpm-tools/debian/tests/tpm-nvram --- tpm-tools-1.3.9.1/debian/tests/tpm-nvram 1970-01-01 02:00:00.000000000 +0200 +++ tpm-tools/debian/tests/tpm-nvram 2022-07-03 14:46:00.944191737 +0300 
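Review bot: In debian/rules, `hardening=+bindnow` only adds immediate binding on top of dpkg's default hardening set, while the changelog entry describes the change as adding compiler hardening flags. These tools handle TPM owner passwords and key material, so `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` would state the intent explicitly instead of relying on the per-architecture PIE default. Running `blhc` on the build log, or `hardening-check` on the installed binaries, would confirm that the flags actually reach the upstream build system after `sh bootstrap.sh`.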
@@ -0,0 +1,128 @@
+#!/bin/sh
+
+unsupported_machine() {
+ echo "$1" 1>&2
+ cleanup
+ exit 77
+}
+
+failing_test() {
+ echo "$1" 1>&2
+ cleanup
+ exit 1
+}
+
+cleanup() {
+ status "Cleaning up"
+ if [ -n "$swtmp_pid" ]; then
+ kill $swtpm_pid 2>/dev/null
+ fi
+ rmmod tpm_vtpm_proxy 2>/dev/null
+}
+
+status() {
+ echo "$1"
+}
+
+if [ ! -e "$AUTOPKGTEST_TMP" ]; then
+ unsupported_machine "AUTOPKGTEST_TMP is not set or does not point to a directory"
+fi
+swtpm_pid=""
+
+cleanup
+
+if ! modprobe tpm_vtpm_proxy; then
+ unsupported_machine "cannot modprobe tpm_vtpm_proxy"
+fi
+
+if [ -e /dev/tpm0 ]; then
+ unsupported_machine "/dev/tpm0 seems to already exist"
+fi
+
+systemctl stop tcsd
+
+status "Starting swtmp TPM simulator"
+mkdir $AUTOPKGTEST_TMP/tpm_state
+swtpm chardev --vtpm-proxy --tpmstate dir=$AUTOPKGTEST_TMP/tpm_state &
+swtpm_pid=$!
+
+while [ ! -e /dev/tpm0 ]; do
+ sleep 1
+done
+
+systemctl start tcsd
+sleep 2
+
+status "Testing tpm_version"
+if ! tpm_version 2> /dev/null; then
+ failing_test "tpm_version failed"
+fi
+
+
+status "Testing tpm_createek"
+if ! tpm_createek; then
+ failing_test "Creating endorsement key failed"
+fi
+
+status "Testing tpm_takeownerzip"
+if ! expect -c "spawn tpm_takeownership -z; expect \"Enter owner password:\"; send \"1234\n\"; expect \"Confirm password:\"; send \"1234\n\"; expect eof"; then
+ failing_test "Unable to take ownership"
+fi
+
+status "Testing tpm_nvdefine"
+if ! tpm_nvdefine -i 2 -s 8 -p OWNERWRITE --pwdo=1234 -z; then
+ failing_test "tpm_nvdefine failed"
+fi
+
+status "Locking TPM nvram"
+if ! tpm_nvdefine -i 0xffffffff -s 0; then
+ failing_test "tmp_nvdefine failed"
+fi
+
+status "Testing a more complex tpm_nvdefine case"
+sys_pcrs="$(find /sys -name pcrs|head -n1)"
+if [ ! -e "$sys_pcrs" ]; then
+ unsupported_machine "For some reason we cannot find pcrs file"
+fi
+for pcr in 17 18 19; do
+ value="$(grep PCR-$pcr $sys_pcrs | cut -d':' -f2- | tr -d ' ')"
+ echo "r $pcr $value" >> $AUTOPKGTEST_TMP/pcr_info
+done
+if ! tpm_nvdefine -i 1 -s 8 -p "OWNERWRITE|READ_STCLEAR" --pwdo=1234 -z -f $AUTOPKGTEST_TMP/pcr_info; then
+ failing_test "tpm_nvdefine failed"
+fi
+
+status "Testing tpm_nvwrite"
+dd if=/dev/random of=$AUTOPKGTEST_TMP/data bs=8 count=1 2>/dev/null
+if ! tpm_nvwrite -i 1 -f $AUTOPKGTEST_TMP/data -z --password=1234; then
+ failing_test "tpm_nvwrite failed"
+fi
+
+status "Testing tpm_nvread"
+if ! tpm_nvread -i 1 -f $AUTOPKGTEST_TMP/data2; then
+ failing_test "tpm_nvread failed"
+fi
+
+if ! cmp -l $AUTOPKGTEST_TMP/data $AUTOPKGTEST_TMP/data2; then
+ hexdump -C $AUTOPKGTEST_TMP/data
+ hexdump -C $AUTOPKGTEST_TMP/data2
+ failing_test "data was modified"
+fi
+
+status "Testing tpm_nvread with zero size"
+if ! tpm_nvread -i 1 -s 0; then
+ failing_test "tpm_nvread with zero size failed"
+fi
+
+status "Verifying that tpm_nvread can no longer access the data"
+if tpm_nvread -i 1 -f $AUTOPKGTEST_TMP/data2 2>/dev/null; then
+ failing_test "tmp_nvread worked even after ST_CLEAR"
+fi
+
+status "Testing tpm_nvrelease"
+if ! tpm_nvrelease -i 1 --pwdo=1234; then
+ failing_test "tpm_nvrelease failed"
+fi
+
+cleanup
+exit 0
diff -Naur tpm-tools-1.3.9.1/debian/upstream/metadata tpm-tools/debian/upstream/metadata
--- tpm-tools-1.3.9.1/debian/upstream/metadata 1970-01-01 02:00:00.000000000 +0200
+++ tpm-tools/debian/upstream/metadata 2022-07-03 14:43:59.576089266 +0300
@@ -0,0 +1,2 @@
+Repository: https://git.code.sf.net/p/trousers/tpm-tools
+Repository-Browse: https://sourceforge.net/p/trousers/tpm-tools/ci/master/tree/
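Review bot: cleanup() in debian/tests/tpm-nvram tests `$swtmp_pid`, which is never assigned, while the script sets and kills `$swtpm_pid`, so the guard is always false and the swtpm simulator is left running on every exit path. The following `rmmod tpm_vtpm_proxy` then probably fails unnoticed, because its stderr is discarded. The guard should read `if [ -n "$swtpm_pid" ]; then`, with the variable quoted in the `kill` as well. The wait loop for /dev/tpm0 is also unbounded, so a swtpm that fails to start stalls the run until the harness gives up; a bounded wait that also checks the process is still alive is sketched below. The 30-iteration limit is a constructed value for the sketch.

```shell
# … unchanged: swtpm started in the background, swtpm_pid=$! …
tries=0
while [ ! -e /dev/tpm0 ]; do
    if ! kill -0 "$swtpm_pid" 2>/dev/null; then
        failing_test "swtpm exited before /dev/tpm0 appeared"
    fi
    tries=$((tries + 1))
    if [ "$tries" -gt 30 ]; then
        failing_test "timed out waiting for /dev/tpm0"
    fi
    sleep 1
done
# … unchanged: systemctl start tcsd and the tpm_* checks …
```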