Hello community,

here is the log from the commit of package ima-evm-utils for openSUSE:Factory checked in at 2020-07-26 16:17:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ima-evm-utils (Old)
 and      /work/SRC/openSUSE:Factory/.ima-evm-utils.new.3592 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ima-evm-utils" Sun Jul 26 16:17:30 2020 rev:16 rq:822318 version:1.3 Changes: -------- --- /work/SRC/openSUSE:Factory/ima-evm-utils/ima-evm-utils.changes 2019-08-14 11:36:09.616709883 +0200 +++ /work/SRC/openSUSE:Factory/.ima-evm-utils.new.3592/ima-evm-utils.changes 2020-07-26 16:18:48.968778668 +0200 
@@ -1,0 +2,79 @@ +Thu Jul 23 07:15:19 UTC 2020 - Petr Vorel <pvo...@suse.cz> + +- Use %autosetup -p1 + +------------------------------------------------------------------- +Wed Jul 22 12:10:45 UTC 2020 - Petr Vorel <pvo...@suse.cz> + +- Remove suse_version check for tpm2-0-tss-devel as the package is available + for back as far as SLE 12 SP2 and respective openSUSE versions (also check + was wrong, should have been 1500). + +------------------------------------------------------------------- +Wed Jul 22 11:35:42 UTC 2020 - Petr Vorel <pvo...@suse.cz> + +- Fixes from previous SR (reported by fvogt): + * Move ibmtss runtime dependency to evmctl package + * Remove dependencies to devel package (should not be needed) + +------------------------------------------------------------------- +Wed Jul 22 08:23:08 UTC 2020 - Petr Vorel <pvo...@suse.cz> + +- Update to version 1.3 + version 1.3 new features: + * NEW ima-evm-utils regression test infrastructure with two initial + tests: + - ima_hash.test: calculate/verify different crypto hash algorithms + - sign_verify.test: EVM and IMA sign/verify signature tests + * TPM 2.0 support + - Calculate the new per TPM 2.0 bank template data digest + - Support original padding the SHA1 template data digest + - Compare ALL the re-calculated TPM 2.0 bank PCRs against the + TPM 2.0 bank PCR values + - Calculate the per TPM bank "boot_aggregate" values, including + PCRs 8 & 9 in calculation + - Support reading the per TPM 2.0 Bank PCRs using Intel's TSS + - boot_aggregate.test: compare the calculated "boot_aggregate" + values with the "boot_aggregate" value included in the IMA + measurement. + * TPM 1.2 support + - Additionally support reading the TPM 1.2 PCRs from a supplied file + ("--pcrs" option) + * Based on original IMA LTP and standalone version support + - Calculate the TPM 1.2 "boot_aggregate" based on the exported + TPM 1.2 BIOS event log. 
+ - In addition to verifying the IMA measurement list against the + the TPM PCRs, verify the IMA template data digest against the + template data. (Based on LTP "--verify" option.) + - Ignore file measurement violations while verifying the IMA + measurment list. (Based on LTP "--validate" option.) + - Verify the file data signature included in the measurement list + based on the file hash also included in the measurement list + (--verify-sig) + - Support original "ima" template (mixed templates not supported) + * Support "sm3" crypto name + + Bug fixes and code cleanup: + * Don't exit with -1 on failure, exit with 125 + * On signature verification failure, include pathname. + * Provide minimal hash_info.h file in case one doesn't exist, needed + by the ima-evm-utils regression tests. + * On systems with TPM 1.2, skip "boot_aggregate.test" using sample logs + * Fix hash_algo type comparison mismatch + * Simplify/clean up code + * Address compiler complaints and failures + * Fix memory allocations and leaks + * Sanity check provided input files are regular files + * Revert making "tsspcrread" a compile build time decision. 
+ * Limit additional messages based on log level (-v) + +- Add patch 0001-pcr_tss-Fix-compilation-for-old-compilers.patch +- Upstream bumped soname to 2.0.0 +- Add tpm2-0-tss-devel for Tumbleweed as build dependency, for the rest ibmtss + as runtime dependency (needed for for reading PCR in ima_boot_aggregate cmd; + better to use libtss2-esys and libtss2-rc than require tsspcrread binary in + runtime, but tpm2-0-tss-devel is available only for Tumbleweed) + the same + logic as runtime dependency for devel package +- Mark COPYING as %license + +------------------------------------------------------------------- Old: ---- ima-evm-utils-1.2.1.tar.gz New: ---- 0001-pcr_tss-Fix-compilation-for-old-compilers.patch ima-evm-utils-1.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ima-evm-utils.spec ++++++ --- /var/tmp/diff_new_pack.WlU8U5/_old 2020-07-26 16:18:50.328779939 +0200 +++ /var/tmp/diff_new_pack.WlU8U5/_new 2020-07-26 16:18:50.332779943 +0200 @@ -1,7 +1,7 @@ # # spec file for package ima-evm-utils # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,16 +16,17 @@ # -%define sover 1 +%define sover 2 %define libname libimaevm%{sover} Name: ima-evm-utils -Version: 1.2.1 +Version: 1.3 Release: 0 Summary: IMA/EVM control utility License: LGPL-2.1-or-later Group: System/Base -Url: http://sourceforge.net/projects/linux-ima/ +URL: http://sourceforge.net/projects/linux-ima/ Source0: http://downloads.sourceforge.net/project/linux-ima/ima-evm-utils/%{name}-%{version}.tar.gz +Patch1: 0001-pcr_tss-Fix-compilation-for-old-compilers.patch BuildRequires: asciidoc BuildRequires: autoconf BuildRequires: automake 
@@ -36,6 +37,7 @@ BuildRequires: libxslt-tools BuildRequires: openssl-devel BuildRequires: pkgconfig +BuildRequires: tpm2-0-tss-devel %description This package provides the control utility for IMA/EVM (Integrity @@ -70,7 +72,7 @@ used to import keys into the kernel keyring. %prep -%setup -q +%autosetup -p1 %build autoreconf -fiv @@ -93,7 +95,8 @@ %{_libdir}/libimaevm.so %files -n %{libname} -%doc README COPYING NEWS AUTHORS +%doc README NEWS AUTHORS +%license COPYING %{_libdir}/libimaevm.so.%{sover}* %files -n evmctl ++++++ 0001-pcr_tss-Fix-compilation-for-old-compilers.patch ++++++ >From 8e98b5bbf2127131f968a5d864f86e8443505639 Mon Sep 17 00:00:00 2001 From: Petr Vorel <pvo...@suse.cz> Date: Wed, 22 Jul 2020 12:06:28 +0200 Subject: [PATCH ima-evm-utils v2] pcr_tss: Fix compilation for old compilers Cc: Mimi Zohar <zo...@linux.vnet.ibm.com> pcr_tss.c: In function 'pcr_selections_match': pcr_tss.c:73:2: error: 'for' loop initial declarations are only allowed in C99 mode for (int i = 0; i < a->count; i++) { ^ pcr_tss.c:73:2: note: use option -std=c99 or -std=gnu99 to compile your code pcr_tss.c:78:3: error: 'for' loop initial declarations are only allowed in C99 mode for (int j = 0; j < a->pcrSelections[i].sizeofSelect; j++) { ^ Fixes: 03f99ea ("ima-evm-utils: Add support for Intel TSS2 for PCR reading") Signed-off-by: Petr Vorel <pvo...@suse.cz> [ upstream status: https://lore.kernel.org/linux-integrity/20200722105202.32507-1-pvo...@suse.cz/T/#u ] --- src/pcr_tss.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/pcr_tss.c b/src/pcr_tss.c index 11b247b..feb1ff7 100644 --- a/src/pcr_tss.c +++ b/src/pcr_tss.c 
@@ -68,14 +68,17 @@ int tpm2_pcr_supported(void) static int pcr_selections_match(TPML_PCR_SELECTION *a, TPML_PCR_SELECTION *b) { + int i, j; + if (a->count != b->count) return 0; - for (int i = 0; i < a->count; i++) { + + for (i = 0; i < a->count; i++) { if (a->pcrSelections[i].hash != b->pcrSelections[i].hash) return 0; if (a->pcrSelections[i].sizeofSelect != b->pcrSelections[i].sizeofSelect) return 0; - for (int j = 0; j < a->pcrSelections[i].sizeofSelect; j++) { + for (j = 0; j < a->pcrSelections[i].sizeofSelect; j++) { if (a->pcrSelections[i].pcrSelect[j] != b->pcrSelections[i].pcrSelect[j]) return 0; } -- 2.27.0 ++++++ ima-evm-utils-1.2.1.tar.gz -> ima-evm-utils-1.3.tar.gz ++++++ ++++ 3022 lines of diff (skipped)
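Review bot: the new ima-evm-utils.changes entries (hunk @@ -1,0 +2,79 @@) carry typos that will end up in the package history: "against the the TPM PCRs", "IMA measurment list" and "needed for for reading PCR". Suggest fixing them in the .changes text before the request is accepted.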
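Review bot: in the ima-evm-utils.spec hunk at @@ -16,16 +16,17 @@, Source0 still uses http://downloads.sourceforge.net/... and is followed directly by Patch1, so the 1.3 tarball is referenced over plain HTTP and no detached signature or keyring is listed as a further Source. Since this hunk already touches the URL tag, consider switching URL and Source0 to https and, if upstream publishes a signature for the tarball, adding it as a Source so the build service can verify the archive.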
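Review bot: the changelog and the spec disagree about ibmtss. The Jul 22 11:35 entry says "Move ibmtss runtime dependency to evmctl package", but none of the visible ima-evm-utils.spec hunks adds a Requires: line; the only dependency change is "BuildRequires: tpm2-0-tss-devel" at @@ -36,6 +37,7 @@. Either the Requires is missing from the evmctl subpackage, or the changelog should state that the ibmtss dependency was dropped once tpm2-0-tss-devel became the build dependency for all targets.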
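Review bot: in pcr_selections_match() (src/pcr_tss.c, hunk @@ -68,14 +68,17 @@) the new "int i, j;" counters are compared against a->count and a->pcrSelections[i].sizeofSelect; if those fields are unsigned in the TSS headers, declare the counters with matching types so the old compilers this patch targets do not trade the C99 error for a signed/unsigned comparison warning. Separately, both loops use count and sizeofSelect as bounds with no visible check against the capacity of pcrSelections[] and pcrSelect[]; if either structure is filled from a TPM response, a bound check before the loops would be worth a follow-up.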