Merge ~paelzer/ubuntu/+source/swtpm:bump-0.6.3-jammy into ubuntu/+source/swtpm:ubuntu/jammy-devel

Proposed by Christian Ehrhardt 
Status: Merged
Merge reported by: Christian Ehrhardt 
Merged at revision: b6ff3a510f8f766ae20aedbfe1e0ac72612c5ef6
Proposed branch: ~paelzer/ubuntu/+source/swtpm:bump-0.6.3-jammy
Merge into: ubuntu/+source/swtpm:ubuntu/jammy-devel
Diff against target: 395 lines (+125/-30)
14 files modified
CHANGES (+22/-0)
configure.ac (+9/-6)
debian/changelog (+23/-0)
debian/usr.bin.swtpm (+1/-0)
man/man8/swtpm_setup.pod (+1/-1)
samples/swtpm_localca.c (+16/-1)
samples/swtpm_localca_utils.c (+6/-4)
src/swtpm/swtpm.c (+2/-2)
src/swtpm/swtpm_chardev.c (+2/-2)
src/swtpm/swtpm_nvfile.c (+10/-1)
src/swtpm_setup/swtpm_setup.c (+10/-4)
swtpm.spec (+7/-1)
swtpm.spec.in (+6/-0)
tests/test_swtpm_setup_create_cert (+10/-8)
Reviewer Review Type Date Requested Status
Lena Voytek (community) Approve
Canonical Server packageset reviewers Pending
git-ubuntu import Pending
Review via email: mp+417221@code.launchpad.net
Christian Ehrhardt  (paelzer) wrote :
Lena Voytek (lvoytek) wrote :

The upstream additions look good to me. I don't see the apparmor profile change here though; should that show up in the diff?

Changelog, builds, and tests look good to me.

review: Needs Information
Christian Ehrhardt  (paelzer) wrote :

Indeed I didn't push that part yet, doing so now ...

Lena Voytek (lvoytek) wrote :

Looks good to me! I confirm the apparmor profile addition works properly

review: Approve
Christian Ehrhardt  (paelzer) wrote :

Review here, tests and foundations feedback are ok; uploading.

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading swtpm_0.6.3-0ubuntu1.dsc: done.
  Uploading swtpm_0.6.3.orig.tar.gz: done.
  Uploading swtpm_0.6.3-0ubuntu1.debian.tar.xz: done.
  Uploading swtpm_0.6.3-0ubuntu1_source.buildinfo: done.
  Uploading swtpm_0.6.3-0ubuntu1_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/CHANGES b/CHANGES
2index 5040187..75a6170 100644
3--- a/CHANGES
4+++ b/CHANGES
5@@ -1,5 +1,27 @@
6 CHANGES - changes for swtpm
7
8+version 0.6.3:
9+ - swtpm:
10+ - Do not chdir(/) when using --daemon
11+ - swtpm-localca:
12+ - Re-implement variable resolution for swtpm-localca.conf
13+ - tests:
14+ - Use ${WORKDIR} in config files to test env. var replacement
15+ - man:
16+ - Add missing .config directory to path description when using ${HOME}
17+ - build-sys:
18+ - Add probing for -fstack-protector
19+ - configure: Fix typo TPM2 -> TMP2
20+
21+version 0.6.2:
22+ - swtpm:
23+ - Check header size indicator against expected size (CVE-2022-23645)
24+ - swtpm-localca:
25+ - Test for available issuercert before creating CA
26+ - swtpm_setup:
27+ - Report stderr as returned by external tool (swtpm-localcal)
28+ - Fix exit code on error to be '1'.
29+
30 version 0.6.1:
31 - swtpm:
32 - Clear keys from stack and heap
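Review bot: the 0.6.2 entry "Report stderr as returned by external tool (swtpm-localcal)" misspells the tool; it is swtpm-localca everywhere else in this patch (samples/swtpm_localca.c, the SWTPM_LOCALCA variable in the test). This is upstream's CHANGES file, so the fix belongs upstream, but the same typo is copied verbatim into debian/changelog in this merge, where it can be corrected before upload.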
33diff --git a/configure.ac b/configure.ac
34index 6614d5d..aa5bbfc 100644
35--- a/configure.ac
36+++ b/configure.ac
37@@ -23,7 +23,7 @@
38 # This file is derived from tpm-tool's configure.in.
39 #
40
41-AC_INIT([swtpm], [0.6.1])
42+AC_INIT([swtpm], [0.6.3])
43 AC_PREREQ([2.69])
44 AC_CONFIG_SRCDIR(Makefile.am)
45 AC_CONFIG_HEADERS([config.h])
46@@ -384,17 +384,20 @@ AC_ARG_ENABLE([hardening],
47 AS_HELP_STRING([--disable-hardening], [Disable hardening flags]))
48
49 if test "x$enable_hardening" != "xno"; then
50- TMP="$($CC -fstack-protector-strong $srcdir/include/swtpm/tpm_ioctl.h 2>&1)"
51- if echo $TMP | $GREP 'unrecognized command line option' >/dev/null; then
52- HARDENING_CFLAGS="-fstack-protector -Wstack-protector "
53+ # Some versions of gcc fail with -Wstack-protector,
54+ # some with -Wstack-protector-strong enabled
55+ if ! $CC -fstack-protector-strong -Wstack-protector $srcdir/include/swtpm/tpm_ioctl.h 2>/dev/null; then
56+ if $CC -fstack-protector -Wstack-protector $srcdir/include/swtpm/tpm_ioctl.h 2>/dev/null; then
57+ HARDENING_CFLAGS="-fstack-protector -Wstack-protector"
58+ fi
59 else
60- HARDENING_CFLAGS="-fstack-protector-strong -Wstack-protector "
61+ HARDENING_CFLAGS="-fstack-protector-strong -Wstack-protector"
62 fi
63
64 dnl Must not have -O0 but must have a -O for -D_FORTIFY_SOURCE=2
65 TMP1="$(echo $CFLAGS | sed -n 's/.*\(-O0\).*/\1/p')"
66 TMP2="$(echo $CFLAGS | sed -n 's/.*\(-O\).*/\1/p')"
67- if test -z "$TMP1" && test -n "$TPM2"; then
68+ if test -z "$TMP1" && test -n "$TMP2"; then
69 HARDENING_CFLAGS="$HARDENING_CFLAGS -D_FORTIFY_SOURCE=2 "
70 fi
71 dnl Check linker for 'relro' and 'now'
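Review bot: the probe `$CC -fstack-protector-strong -Wstack-protector $srcdir/include/swtpm/tpm_ioctl.h` compiles a header with no -c, -o or -fsyntax-only, so gcc writes a precompiled header tpm_ioctl.h.gch next to the source; on a read-only or out-of-tree $srcdir that fails and the stronger flag is silently dropped, and in-tree it litters the source directory. Suggest `-fsyntax-only` for both probes. Also note that the TPM2 -> TMP2 fix means `-D_FORTIFY_SOURCE=2` was never actually added before this release (the old test looked at an always-empty variable), so this is effectively a new hardening flag for the Ubuntu build; dpkg-buildflags already passes the same definition, and an identical redefinition is accepted by the preprocessor, so a duplicate is the worst case, but it is worth a look at the build log.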
72diff --git a/debian/changelog b/debian/changelog
73index bafaa79..2358ac3 100644
74--- a/debian/changelog
75+++ b/debian/changelog
76@@ -1,3 +1,26 @@
77+swtpm (0.6.3-0ubuntu1) jammy; urgency=medium
78+
79+ * Update to the stable release v0.6.3 (LP: 1948748)
80+ - swtpm:
81+ + Do not chdir(/) when using --daemon
82+ + Check header size indicator against expected size (CVE-2022-23645)
83+ - swtpm-localca:
84+ + Re-implement variable resolution for swtpm-localca.conf
85+ + Test for available issuercert before creating CA
86+ - tests:
87+ + Use ${WORKDIR} in config files to test env. var replacement
88+ - man:
89+ + Add missing .config directory to path description when using ${HOME}
90+ - build-sys:
91+ + Add probing for -fstack-protector
92+ + configure: Fix typo TPM2 -> TMP2
93+ - swtpm_setup:
94+ + Report stderr as returned by external tool (swtpm-localcal)
95+ + Fix exit code on error to be '1'.
96+ * d/usr.bin.swtpm: fix hang on unix sockets due to apparmor rules
97+
98+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 22 Mar 2022 09:31:40 +0100
99+
100 swtpm (0.6.1-0ubuntu6) jammy; urgency=medium
101
102 * Add apparmor profile to swtpm (LP: #1950631)
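Review bot: `(LP: 1948748)` is missing the `#`; Launchpad's bug-closing syntax is `LP: #1948748` (compare `(LP: #1950631)` in the 0.6.1-0ubuntu6 entry just below), so as written the upload will not close the bug. The `swtpm-localcal` typo under swtpm_setup is copied from upstream's CHANGES and should read `swtpm-localca`. The `d/usr.bin.swtpm` line would also benefit from naming the operation that hung, since the rule added in that file is very specific (send on an unnamed unix datagram socket) and the changelog is where the next maintainer will look for why.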
103diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm
104index 9223918..3d79c9f 100644
105--- a/debian/usr.bin.swtpm
106+++ b/debian/usr.bin.swtpm
107@@ -16,6 +16,7 @@ profile swtpm /usr/bin/swtpm {
108
109 network inet stream,
110 network inet6 stream,
111+ unix (send) type=dgram addr=none peer=(addr=none),
112
113 owner /tmp/** rwk,
114 owner /usr/bin/swtpm r,
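Review bot: `unix (send) type=dgram addr=none peer=(addr=none)` only permits sending on unnamed datagram sockets (a socketpair() or an unbound socket); it grants nothing for named or abstract peers and no `receive`, so if the same socket ever has to read a reply that will still be denied and the hang can come back on a different path. A comment above the rule naming the swtpm code path that needs it, and the DENIED audit-log line it was derived from, would make the profile maintainable and let the next person reproduce the failure before widening the rule.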
115diff --git a/man/man8/swtpm_setup.pod b/man/man8/swtpm_setup.pod
116index 178337b..13e8464 100644
117--- a/man/man8/swtpm_setup.pod
118+++ b/man/man8/swtpm_setup.pod
119@@ -28,7 +28,7 @@ If this parameter is not provided, the default configuration file
120 will be used. The search order for the default configuration file is
121 as follows. If the environment variable XDG_CONFIG_HOME is set,
122 ${XDG_CONFIG_HOME}/swtpm_setup.conf will be used if available, otherwise if
123-the environment variable HOME is set, ${HOME}/swtpm_setup.conf
124+the environment variable HOME is set, ${HOME}/.config/swtpm_setup.conf
125 will be used if available. If none of the previous ones are available, /etc/swtpm_setup.conf
126 will be used.
127
128diff --git a/samples/swtpm_localca.c b/samples/swtpm_localca.c
129index 1617977..2a5aaa0 100644
130--- a/samples/swtpm_localca.c
131+++ b/samples/swtpm_localca.c
132@@ -135,7 +135,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir,
133 goto error;
134 }
135
136- if (access(signkey, R_OK) != 0) {
137+ if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) {
138 g_autofree gchar *directory = g_path_get_dirname(signkey);
139 g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL);
140 g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL);
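Review bot: with `|| access(issuercert, R_OK) != 0` this branch now also runs when the signing key exists but only the issuer cert is missing; from the visible lines it then goes on to create a fresh root CA key and cert (`swtpm-localca-rootca-privkey.pem`, `swtpm-localca-rootca-cert.pem`) next to the existing signkey. If that path also regenerates the signing key, every EK/platform certificate previously issued with it stops chaining to the new issuer cert. Worth either regenerating only the missing piece, or at least a logit() that an existing signing key is being replaced, so an operator can tell why older certificates no longer verify.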
141@@ -821,13 +821,28 @@ int main(int argc, char *argv[])
142 if (ret != 0)
143 goto error;
144 } else {
145+ int create_certs = 0;
146+
147+ /* create certificate if either the signing key or issuer cert are missing */
148 if (access(signkey, R_OK) != 0) {
149 if (stat(signkey, &statbuf) == 0) {
150 logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n",
151 signkey, curr_user ? curr_user->pw_name : "<unknown>");
152 goto error;
153 }
154+ create_certs = 1;
155+ }
156+
157+ if (access(issuercert, R_OK) != 0) {
158+ if (stat(issuercert, &statbuf) == 0) {
159+ logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n",
160+ issuercert, curr_user ? curr_user->pw_name : "<unknown>");
161+ goto error;
162+ }
163+ create_certs = 1;
164+ }
165
166+ if (create_certs) {
167 logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n");
168 if (create_localca_cert(lockfile, statedir, signkey, signkey_password,
169 issuercert) != 0) {
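Review bot: the access()/stat() decision that sets create_certs is taken before any lock is held (lockfile is only handed to create_localca_cert), so two concurrent swtpm-localca invocations, which is normal when several VMs are set up at once, can both observe a missing file and both enter the create path; that is only safe if create_localca_cert re-checks for the files after taking the lock. A comment stating that, or moving the check under the lock, would settle it. Minor: the two error blocks differ only in the noun and could share a small helper.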
170diff --git a/samples/swtpm_localca_utils.c b/samples/swtpm_localca_utils.c
171index 7aeb9cf..76cb57f 100644
172--- a/samples/swtpm_localca_utils.c
173+++ b/samples/swtpm_localca_utils.c
174@@ -58,10 +58,12 @@ gchar *get_config_value(gchar **config_file_lines, const gchar *configname, cons
175 for (idx = 0; config_file_lines[idx] != NULL; idx++) {
176 const gchar *line = config_file_lines[idx];
177 if (regexec(&preg, line, 2, pmatch, 0) == 0) {
178- result = g_strndup(&line[pmatch[1].rm_so],
179- pmatch[1].rm_eo - pmatch[1].rm_so);
180- /* coverity: g_strchmop modifies in-place */
181- result = g_strchomp(result);
182+ g_autofree gchar *tmp = NULL;
183+
184+ tmp = g_strndup(&line[pmatch[1].rm_so],
185+ pmatch[1].rm_eo - pmatch[1].rm_so);
186+ g_strchomp(tmp);
187+ result = resolve_string(tmp);
188 break;
189 }
190 }
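Review bot: `result = resolve_string(tmp)` needs its contract stated here: the caller g_free()s result (tmp is now g_autofree, so result must be a separate allocation), and what is returned when a `${VAR}` cannot be resolved (NULL, empty string, or the literal left in place), since a NULL here is indistinguishable from "key not found" for callers of get_config_value(). From a security angle, the config keys that name key and certificate paths (signingkey, issuercert, statedir in the test below) now depend on the invoking process's environment; which variables resolve_string honours should be spelled out in the man page, so an admin-provided config cannot be redirected by an unexpected environment.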
191diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c
192index 476b398..8e6f52a 100644
193--- a/src/swtpm/swtpm.c
194+++ b/src/swtpm/swtpm.c
195@@ -461,9 +461,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface)
196
197 if (daemonize) {
198 #ifdef __APPLE__
199- if (0 != osx_daemon(0, 0)) {
200+ if (0 != osx_daemon(1, 0)) {
201 #else
202- if (0 != daemon(0, 0)) {
203+ if (0 != daemon(1, 0)) {
204 #endif
205 logprintf(STDERR_FILENO, "Error: Could not daemonize.\n");
206 goto exit_failure;
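Review bot: daemon(1, 0) keeps the working directory so relative paths given on the command line (for example the state directory) still resolve after the fork, but it also means the daemon pins whatever directory it was started from, which cannot then be unmounted while swtpm runs. The safer pattern is to canonicalise the user-supplied paths before daemonizing and keep the chdir("/"); if the nochdir change is the intended minimal fix, a comment at the call site explaining why would stop it being "corrected" back later. The same call is changed in swtpm_chardev.c.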
207diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c
208index 7ccd754..2fa2668 100644
209--- a/src/swtpm/swtpm_chardev.c
210+++ b/src/swtpm/swtpm_chardev.c
211@@ -510,9 +510,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i
212
213 if (daemonize) {
214 #if defined __APPLE__
215- if (0 != osx_daemon(0, 0)) {
216+ if (0 != osx_daemon(1, 0)) {
217 #else
218- if (0 != daemon(0, 0)) {
219+ if (0 != daemon(1, 0)) {
220 #endif
221 logprintf(STDERR_FILENO, "Error: Could not daemonize.\n");
222 goto exit_failure;
223diff --git a/src/swtpm/swtpm_nvfile.c b/src/swtpm/swtpm_nvfile.c
224index 9f5c9bb..7f69cbd 100644
225--- a/src/swtpm/swtpm_nvfile.c
226+++ b/src/swtpm/swtpm_nvfile.c
227@@ -1266,6 +1266,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
228 uint8_t *hdrversion, bool quiet)
229 {
230 blobheader *bh = (blobheader *)data;
231+ uint16_t hdrsize;
232
233 if (length < sizeof(bh)) {
234 if (!quiet)
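Review bot: the guard in the context line `if (length < sizeof(bh))` compares against the size of the pointer `bh`, not of the header it points to. The new check added below reads `bh->hdrsize`, and the existing code reads `bh->version` and `bh->flags`; for a blob shorter than sizeof(blobheader) but longer than a pointer those reads run past `data`. It should be `sizeof(*bh)` (or `sizeof(blobheader)`, which the new hdrsize comparison already uses), and it belongs in this same CVE-2022-23645 hunk since that fix is about not trusting header contents.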
235@@ -1291,8 +1292,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
236 return TPM_BAD_VERSION;
237 }
238
239+ hdrsize = ntohs(bh->hdrsize);
240+ if (hdrsize != sizeof(blobheader)) {
241+ logprintf(STDERR_FILENO,
242+ "bad header size: %u != %zu\n",
243+ hdrsize, sizeof(blobheader));
244+ return TPM_BAD_DATASIZE;
245+ }
246+
247 *hdrversion = bh->version;
248- *dataoffset = ntohs(bh->hdrsize);
249+ *dataoffset = hdrsize;
250 *hdrflags = ntohs(bh->flags);
251
252 return TPM_SUCCESS;
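Review bot: the new "bad header size" logprintf is not wrapped in `if (!quiet)` like the other checks in this function (see the length check above), so callers that probe blobs quietly now get output; wrap it the same way. Two smaller points: requiring `hdrsize == sizeof(blobheader)` turns hdrsize from a forward-compatible offset into a constant, so any future header extension also needs a version bump, and `%u` with a uint16_t works only through integer promotion, `%" PRIu16 "` states the intent. The check itself is the right fix: before it, the attacker-controlled `ntohs(bh->hdrsize)` became `*dataoffset` unchecked.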
253diff --git a/src/swtpm_setup/swtpm_setup.c b/src/swtpm_setup/swtpm_setup.c
254index ddbcc64..c254096 100644
255--- a/src/swtpm_setup/swtpm_setup.c
256+++ b/src/swtpm_setup/swtpm_setup.c
257@@ -254,6 +254,7 @@ static int call_create_certs(unsigned long flags, const gchar *configfile, const
258 for (idx = 0; flags_to_certfiles[idx].filename != NULL; idx++) {
259 if (flags & flags_to_certfiles[idx].flag) {
260 g_autofree gchar *standard_output = NULL;
261+ g_autofree gchar *standard_error = NULL;
262 GError *error = NULL;
263 gchar **lines;
264
265@@ -263,8 +264,8 @@ static int call_create_certs(unsigned long flags, const gchar *configfile, const
266 logit(gl_LOGFILE, " Invoking %s\n", s);
267 g_free(s);
268
269- success = g_spawn_sync(NULL, cmd, NULL, G_SPAWN_STDERR_TO_DEV_NULL, NULL, NULL,
270- &standard_output, NULL, &exit_status, &error);
271+ success = g_spawn_sync(NULL, cmd, NULL, 0, NULL, NULL,
272+ &standard_output, &standard_error, &exit_status, &error);
273 if (!success) {
274 logerr(gl_LOGFILE, "An error occurred running %s: %s\n",
275 create_certs_tool, error->message);
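Review bot: dropping G_SPAWN_STDERR_TO_DEV_NULL with a non-NULL &standard_error collects stderr into memory, but from the visible lines it is only printed on the exit_status != 0 path; when the tool succeeds with warnings on stderr they are discarded as before. Consider logging a non-empty standard_error on success as well. Note also that envp stays NULL, so the child inherits swtpm_setup's full environment; with the new ${VAR} resolution in swtpm-localca's config that is what lets WORKDIR in the test reach the tool, but it also means anything in the caller's environment is reachable from the config.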
276@@ -273,7 +274,7 @@ static int call_create_certs(unsigned long flags, const gchar *configfile, const
277 break;
278 } else if (exit_status != 0) {
279 logerr(gl_LOGFILE, "%s exit with status %d: %s\n",
280- prgname, exit_status, standard_output);
281+ prgname, WEXITSTATUS(exit_status), standard_error);
282 ret = 1;
283 break;
284 }
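Review bot: WEXITSTATUS(exit_status) is only meaningful when WIFEXITED(exit_status) holds; if create_certs_tool dies from a signal, WEXITSTATUS yields 0 and the log line claims "exit with status 0" while ret is still set to 1. Use g_spawn_check_wait_status() (g_spawn_check_exit_status() on older GLib) or test WIFSIGNALED and print WTERMSIG. Also the message names `prgname`, i.e. this program, where the error just above correctly names `create_certs_tool`; the tool's name is the useful one here.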
285@@ -287,6 +288,8 @@ static int call_create_certs(unsigned long flags, const gchar *configfile, const
286
287 g_free(standard_output);
288 standard_output = NULL;
289+ g_free(standard_error);
290+ standard_error = NULL;
291 }
292 }
293 }
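Review bot: standard_output and standard_error are declared g_autofree inside the loop body, so they are freed at the end of each iteration anyway; the explicit g_free() plus reset to NULL is redundant. Harmless as written, but either drop the manual frees or drop g_autofree so the ownership model is stated once.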
294@@ -1468,9 +1471,12 @@ int main(int argc, char *argv[])
295 tmpbuffer);
296
297 out:
298-error:
299 g_strfreev(swtpm_prg_l);
300 g_free(gl_LOGFILE);
301
302 exit(ret);
303+
304+error:
305+ ret = 1;
306+ goto out;
307 }
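Review bot: moving `error:` below `exit(ret)` with `ret = 1; goto out;` fixes the "error path exits 0" bug, but it also overrides any more specific non-zero ret a `goto error` site may have set earlier, so every failure now reports 1. That matches the CHANGES entry "Fix exit code on error to be '1'", so it is the intended contract, but a one-line comment at the label and a check that no caller (test suite, libvirt) distinguishes exit codes would make it deliberate rather than incidental.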
308diff --git a/swtpm.spec b/swtpm.spec
309index 35a2a4a..f8757a3 100644
310--- a/swtpm.spec
311+++ b/swtpm.spec
312@@ -7,7 +7,7 @@
313
314 Summary: TPM Emulator
315 Name: swtpm
316-Version: 0.6.1
317+Version: 0.6.3
318 Release: 1%{?dist}
319 License: BSD
320 Url: https://github.com/stefanberger/swtpm
321@@ -172,6 +172,12 @@ fi
322 %{_datadir}/swtpm/swtpm-create-tpmca
323
324 %changelog
325+* Mon Mar 07 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.6.3-1.20220225git-------
326+- v0.6.3 release
327+
328+* Fri Feb 18 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.6.2-1.20220218git-------
329+- v0.6.2 release
330+
331 * Mon Sep 20 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.6.1-0.20210917git-------
332 - v0.6.1 release
333
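Review bot: the new %changelog entries keep the `-------` placeholder from swtpm.spec.in in the generated swtpm.spec (`0.6.3-1.20220225git-------`), and the entry dates do not match their snapshot stamps (Mon Mar 07 2022 against 20220225git). This is upstream's rpm spec and unused by the Debian build, so it does not affect this upload; it only suggests the spec was hand-edited rather than generated. Not a blocker.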
334diff --git a/swtpm.spec.in b/swtpm.spec.in
335index d69ede0..81196ec 100644
336--- a/swtpm.spec.in
337+++ b/swtpm.spec.in
338@@ -172,6 +172,12 @@ fi
339 %{_datadir}/swtpm/swtpm-create-tpmca
340
341 %changelog
342+* Mon Mar 07 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.6.3-1.20220225git-------
343+- v0.6.3 release
344+
345+* Fri Feb 18 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.6.2-1.20220218git-------
346+- v0.6.2 release
347+
348 * Mon Sep 20 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.6.1-0.20210917git-------
349 - v0.6.1 release
350
351diff --git a/tests/test_swtpm_setup_create_cert b/tests/test_swtpm_setup_create_cert
352index 3bb753c..f80505c 100755
353--- a/tests/test_swtpm_setup_create_cert
354+++ b/tests/test_swtpm_setup_create_cert
355@@ -30,13 +30,14 @@ function cleanup()
356
357 # We want swtpm_cert to use the local CA and see that the
358 # local CA script automatically creates a signingkey and
359-# self-signed certificate
360+# self-signed certificate; use ${WORKDIR} in the config files
361+# to test env variable resolution
362
363 cat <<_EOF_ > ${workdir}/swtpm-localca.conf
364-statedir=${workdir}
365-signingkey = ${SIGNINGKEY}
366-issuercert = ${ISSUERCERT}
367-certserial = ${CERTSERIAL}
368+statedir=\${WORKDIR}
369+signingkey = \${WORKDIR}/signingkey.pem
370+issuercert = \${WORKDIR}/issuercert.pem
371+certserial = \${WORKDIR}/certserial
372 _EOF_
373
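Review bot: the config now hard-codes `\${WORKDIR}/signingkey.pem`, `\${WORKDIR}/issuercert.pem` and `\${WORKDIR}/certserial` in place of `${SIGNINGKEY}`, `${ISSUERCERT}` and `${CERTSERIAL}`; any later assertion in this test that still uses those shell variables must agree with these literal filenames, otherwise the test passes for the wrong reason. It is good that `statedir=\${WORKDIR}` is written without spaces and the other keys with, since that exercises both spacings accepted by the config regex.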
374 cat <<_EOF_ > ${workdir}/swtpm-localca.options
375@@ -50,8 +51,8 @@ _EOF_
376
377 cat <<_EOF_ > ${workdir}/swtpm_setup.conf
378 create_certs_tool=${SWTPM_LOCALCA}
379-create_certs_tool_config=${workdir}/swtpm-localca.conf
380-create_certs_tool_options=${workdir}/swtpm-localca.options
381+create_certs_tool_config=\${WORKDIR}/swtpm-localca.conf
382+create_certs_tool_options=\${WORKDIR}/swtpm-localca.options
383 _EOF_
384
385 # We need to adapt the PATH so the correct swtpm_cert is picked
386@@ -61,7 +62,8 @@ export PATH=${ROOT}/src/swtpm_cert:${PATH}
387 export SWTPM_ROOTCA_PASSWORD=password
388
389 # we need to create at least one cert: --create-ek-cert
390-$SWTPM_SETUP \
391+WORKDIR=${workdir} \
392+ $SWTPM_SETUP \
393 --tpm-state ${workdir} \
394 --create-ek-cert \
395 --config ${workdir}/swtpm_setup.conf \
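Review bot: WORKDIR is set only for the $SWTPM_SETUP invocation; it reaches swtpm-localca because swtpm_setup spawns it with g_spawn_sync(..., envp NULL, ...), which inherits the parent environment (see the src/swtpm_setup/swtpm_setup.c hunk in this patch). A negative case would strengthen the test: a config line such as `statedir=\${UNSET_VAR}` should produce a clean error from swtpm-localca rather than a silently resolved path like `/signingkey.pem`.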
