Merge ~paelzer/ubuntu/+source/swtpm:bump-0.6.3-jammy into ubuntu/+source/swtpm:ubuntu/jammy-devel
Proposed by: Christian Ehrhardt
| Field | Value |
|---|---|
| Status | Merged |
| Merge reported by | Christian Ehrhardt |
| Merged at revision | b6ff3a510f8f766ae20aedbfe1e0ac72612c5ef6 |
| Proposed branch | ~paelzer/ubuntu/+source/swtpm:bump-0.6.3-jammy |
| Merge into | ubuntu/+source/swtpm:ubuntu/jammy-devel |
| Diff against target | 395 lines (+125/-30), 14 files modified |
| Related bugs | |

Files modified: CHANGES (+22/-0), configure.ac (+9/-6), debian/changelog (+23/-0), debian/usr.bin.swtpm (+1/-0), man/man8/swtpm_setup.pod (+1/-1), samples/swtpm_localca.c (+16/-1), samples/swtpm_localca_utils.c (+6/-4), src/swtpm/swtpm.c (+2/-2), src/swtpm/swtpm_chardev.c (+2/-2), src/swtpm/swtpm_nvfile.c (+10/-1), src/swtpm_setup/swtpm_setup.c (+10/-4), swtpm.spec (+7/-1), swtpm.spec.in (+6/-0), tests/test_swtpm_setup_create_cert (+10/-8)

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Lena Voytek (community) | Approve | | |
| Canonical Server packageset reviewers | Pending | | |
| git-ubuntu import | Pending | | |

Review via email: mp+417221@code.launchpad.net
Christian Ehrhardt (paelzer) wrote:
Lena Voytek (lvoytek) wrote:
The upstream additions look good to me. I don't see the apparmor profile change here though, should that show up in the diff?
changelog, builds, and tests look good to me
Review: Needs Information
Christian Ehrhardt (paelzer) wrote:
Indeed I didn't push that part yet, doing so now ...
Lena Voytek (lvoytek) wrote:
Looks good to me! I confirm the apparmor profile addition works properly
Review: Approve
Christian Ehrhardt (paelzer) wrote:
Review here, tests and foundations feedback is ok - uploading.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading swtpm_0.
Uploading swtpm_0.
Uploading swtpm_0.
Uploading swtpm_0.
Uploading swtpm_0.
Successfully uploaded packages.
Preview Diff
1 | diff --git a/CHANGES b/CHANGES | |||
2 | index 5040187..75a6170 100644 | |||
3 | --- a/CHANGES | |||
4 | +++ b/CHANGES | |||
5 | @@ -1,5 +1,27 @@ | |||
6 | 1 | CHANGES - changes for swtpm | 1 | CHANGES - changes for swtpm |
7 | 2 | 2 | ||
8 | 3 | version 0.6.3: | ||
9 | 4 | - swtpm: | ||
10 | 5 | - Do not chdir(/) when using --daemon | ||
11 | 6 | - swtpm-localca: | ||
12 | 7 | - Re-implement variable resolution for swtpm-localca.conf | ||
13 | 8 | - tests: | ||
14 | 9 | - Use ${WORKDIR} in config files to test env. var replacement | ||
15 | 10 | - man: | ||
16 | 11 | - Add missing .config directory to path description when using ${HOME} | ||
17 | 12 | - build-sys: | ||
18 | 13 | - Add probing for -fstack-protector | ||
19 | 14 | - configure: Fix typo TPM2 -> TMP2 | ||
20 | 15 | |||
21 | 16 | version 0.6.2: | ||
22 | 17 | - swtpm: | ||
23 | 18 | - Check header size indicator against expected size (CVE-2022-23645) | ||
24 | 19 | - swtpm-localca: | ||
25 | 20 | - Test for available issuercert before creating CA | ||
26 | 21 | - swtpm_setup: | ||
27 | 22 | - Report stderr as returned by external tool (swtpm-localcal) | ||
28 | 23 | - Fix exit code on error to be '1'. | ||
29 | 24 | |||
30 | 3 | version 0.6.1: | 25 | version 0.6.1: |
31 | 4 | - swtpm: | 26 | - swtpm: |
32 | 5 | - Clear keys from stack and heap | 27 | - Clear keys from stack and heap |
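Review bot: Typo in the 0.6.2 swtpm_setup entry: "(swtpm-localcal)" should read "(swtpm-localca)", the tool name used everywhere else in this diff; debian/changelog below copies the same line. This is upstream CHANGES text, so the correction belongs upstream rather than as a packaging delta, but the Ubuntu changelog entry in this merge can be fixed directly.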
33 | diff --git a/configure.ac b/configure.ac | |||
34 | index 6614d5d..aa5bbfc 100644 | |||
35 | --- a/configure.ac | |||
36 | +++ b/configure.ac | |||
37 | @@ -23,7 +23,7 @@ | |||
38 | 23 | # This file is derived from tpm-tool's configure.in. | 23 | # This file is derived from tpm-tool's configure.in. |
39 | 24 | # | 24 | # |
40 | 25 | 25 | ||
42 | 26 | AC_INIT([swtpm], [0.6.1]) | 26 | AC_INIT([swtpm], [0.6.3]) |
43 | 27 | AC_PREREQ([2.69]) | 27 | AC_PREREQ([2.69]) |
44 | 28 | AC_CONFIG_SRCDIR(Makefile.am) | 28 | AC_CONFIG_SRCDIR(Makefile.am) |
45 | 29 | AC_CONFIG_HEADERS([config.h]) | 29 | AC_CONFIG_HEADERS([config.h]) |
46 | @@ -384,17 +384,20 @@ AC_ARG_ENABLE([hardening], | |||
47 | 384 | AS_HELP_STRING([--disable-hardening], [Disable hardening flags])) | 384 | AS_HELP_STRING([--disable-hardening], [Disable hardening flags])) |
48 | 385 | 385 | ||
49 | 386 | if test "x$enable_hardening" != "xno"; then | 386 | if test "x$enable_hardening" != "xno"; then |
53 | 387 | TMP="$($CC -fstack-protector-strong $srcdir/include/swtpm/tpm_ioctl.h 2>&1)" | 387 | # Some versions of gcc fail with -Wstack-protector, |
54 | 388 | if echo $TMP | $GREP 'unrecognized command line option' >/dev/null; then | 388 | # some with -Wstack-protector-strong enabled |
55 | 389 | HARDENING_CFLAGS="-fstack-protector -Wstack-protector " | 389 | if ! $CC -fstack-protector-strong -Wstack-protector $srcdir/include/swtpm/tpm_ioctl.h 2>/dev/null; then |
56 | 390 | if $CC -fstack-protector -Wstack-protector $srcdir/include/swtpm/tpm_ioctl.h 2>/dev/null; then | ||
57 | 391 | HARDENING_CFLAGS="-fstack-protector -Wstack-protector" | ||
58 | 392 | fi | ||
59 | 390 | else | 393 | else |
61 | 391 | HARDENING_CFLAGS="-fstack-protector-strong -Wstack-protector " | 394 | HARDENING_CFLAGS="-fstack-protector-strong -Wstack-protector" |
62 | 392 | fi | 395 | fi |
63 | 393 | 396 | ||
64 | 394 | dnl Must not have -O0 but must have a -O for -D_FORTIFY_SOURCE=2 | 397 | dnl Must not have -O0 but must have a -O for -D_FORTIFY_SOURCE=2 |
65 | 395 | TMP1="$(echo $CFLAGS | sed -n 's/.*\(-O0\).*/\1/p')" | 398 | TMP1="$(echo $CFLAGS | sed -n 's/.*\(-O0\).*/\1/p')" |
66 | 396 | TMP2="$(echo $CFLAGS | sed -n 's/.*\(-O\).*/\1/p')" | 399 | TMP2="$(echo $CFLAGS | sed -n 's/.*\(-O\).*/\1/p')" |
68 | 397 | if test -z "$TMP1" && test -n "$TPM2"; then | 400 | if test -z "$TMP1" && test -n "$TMP2"; then |
69 | 398 | HARDENING_CFLAGS="$HARDENING_CFLAGS -D_FORTIFY_SOURCE=2 " | 401 | HARDENING_CFLAGS="$HARDENING_CFLAGS -D_FORTIFY_SOURCE=2 " |
70 | 399 | fi | 402 | fi |
71 | 400 | dnl Check linker for 'relro' and 'now' | 403 | dnl Check linker for 'relro' and 'now' |
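Review bot: The TPM2 -> TMP2 fix at line 400 is more than a cosmetic typo: `$TPM2` is not assigned anywhere in the visible context, so the `-D_FORTIFY_SOURCE=2` branch was effectively dead and the flag was only ever present when the distro toolchain injected it. After this change configure adds it whenever CFLAGS carries an `-O` other than `-O0`, so the effective hardening flags of the build change; worth checking the build log once (or running `hardening-check` on the resulting binaries) to confirm fortified symbols are present and that the define duplicated from dpkg-buildflags causes no redefinition noise. Separately, when both the `-fstack-protector-strong` and the `-fstack-protector` probes fail, HARDENING_CFLAGS silently stays empty; an `AC_MSG_WARN` on that path would make a stack-protector-less build visible instead of silent.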
72 | diff --git a/debian/changelog b/debian/changelog | |||
73 | index bafaa79..2358ac3 100644 | |||
74 | --- a/debian/changelog | |||
75 | +++ b/debian/changelog | |||
76 | @@ -1,3 +1,26 @@ | |||
77 | 1 | swtpm (0.6.3-0ubuntu1) jammy; urgency=medium | ||
78 | 2 | |||
79 | 3 | * Update to the stable release v0.6.3 (LP: 1948748) | ||
80 | 4 | - swtpm: | ||
81 | 5 | + Do not chdir(/) when using --daemon | ||
82 | 6 | + Check header size indicator against expected size (CVE-2022-23645) | ||
83 | 7 | - swtpm-localca: | ||
84 | 8 | + Re-implement variable resolution for swtpm-localca.conf | ||
85 | 9 | + Test for available issuercert before creating CA | ||
86 | 10 | - tests: | ||
87 | 11 | + Use ${WORKDIR} in config files to test env. var replacement | ||
88 | 12 | - man: | ||
89 | 13 | + Add missing .config directory to path description when using ${HOME} | ||
90 | 14 | - build-sys: | ||
91 | 15 | + Add probing for -fstack-protector | ||
92 | 16 | + configure: Fix typo TPM2 -> TMP2 | ||
93 | 17 | - swtpm_setup: | ||
94 | 18 | + Report stderr as returned by external tool (swtpm-localcal) | ||
95 | 19 | + Fix exit code on error to be '1'. | ||
96 | 20 | * d/usr.bin.swtpm: fix hang on unix sockets due to apparmor rules | ||
97 | 21 | |||
98 | 22 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 22 Mar 2022 09:31:40 +0100 | ||
99 | 23 | |||
100 | 1 | swtpm (0.6.1-0ubuntu6) jammy; urgency=medium | 24 | swtpm (0.6.1-0ubuntu6) jammy; urgency=medium |
101 | 2 | 25 | ||
102 | 3 | * Add apparmor profile to swtpm (LP: #1950631) | 26 | * Add apparmor profile to swtpm (LP: #1950631) |
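Review bot: The bug reference at line 3, "(LP: 1948748)", is missing the "#": Launchpad's changelog parser needs "LP: #1948748" (as in the 0.6.1-0ubuntu6 entry just below) to auto-close the bug on upload, so this should be corrected before uploading. The "(swtpm-localcal)" typo at line 18 is carried over from upstream CHANGES and can be fixed here as well.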
103 | diff --git a/debian/usr.bin.swtpm b/debian/usr.bin.swtpm | |||
104 | index 9223918..3d79c9f 100644 | |||
105 | --- a/debian/usr.bin.swtpm | |||
106 | +++ b/debian/usr.bin.swtpm | |||
107 | @@ -16,6 +16,7 @@ profile swtpm /usr/bin/swtpm { | |||
108 | 16 | 16 | ||
109 | 17 | network inet stream, | 17 | network inet stream, |
110 | 18 | network inet6 stream, | 18 | network inet6 stream, |
111 | 19 | unix (send) type=dgram addr=none peer=(addr=none), | ||
112 | 19 | 20 | ||
113 | 20 | owner /tmp/** rwk, | 21 | owner /tmp/** rwk, |
114 | 21 | owner /usr/bin/swtpm r, | 22 | owner /usr/bin/swtpm r, |
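Review bot: A one-line comment above the new rule saying which socket it is for would help the next maintainer: the changelog only says "fix hang on unix sockets", and `unix (send) type=dgram addr=none peer=(addr=none)` reads like the generic allowance for an unbound datagram socket (the syslog/journal pattern) rather than anything swtpm-specific. It is also the only rule in this profile without a path or `owner` qualifier, so after the upload it is the one to re-check against the audit log (or with `aa-logprof`) to confirm no further DENIED entries remain and nothing broader was silently needed.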
115 | diff --git a/man/man8/swtpm_setup.pod b/man/man8/swtpm_setup.pod | |||
116 | index 178337b..13e8464 100644 | |||
117 | --- a/man/man8/swtpm_setup.pod | |||
118 | +++ b/man/man8/swtpm_setup.pod | |||
119 | @@ -28,7 +28,7 @@ If this parameter is not provided, the default configuration file | |||
120 | 28 | will be used. The search order for the default configuration file is | 28 | will be used. The search order for the default configuration file is |
121 | 29 | as follows. If the environment variable XDG_CONFIG_HOME is set, | 29 | as follows. If the environment variable XDG_CONFIG_HOME is set, |
122 | 30 | ${XDG_CONFIG_HOME}/swtpm_setup.conf will be used if available, otherwise if | 30 | ${XDG_CONFIG_HOME}/swtpm_setup.conf will be used if available, otherwise if |
124 | 31 | the environment variable HOME is set, ${HOME}/swtpm_setup.conf | 31 | the environment variable HOME is set, ${HOME}/.config/swtpm_setup.conf |
125 | 32 | will be used if available. If none of the previous ones are available, /etc/swtpm_setup.conf | 32 | will be used if available. If none of the previous ones are available, /etc/swtpm_setup.conf |
126 | 33 | will be used. | 33 | will be used. |
127 | 34 | 34 | ||
128 | diff --git a/samples/swtpm_localca.c b/samples/swtpm_localca.c | |||
129 | index 1617977..2a5aaa0 100644 | |||
130 | --- a/samples/swtpm_localca.c | |||
131 | +++ b/samples/swtpm_localca.c | |||
132 | @@ -135,7 +135,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir, | |||
133 | 135 | goto error; | 135 | goto error; |
134 | 136 | } | 136 | } |
135 | 137 | 137 | ||
137 | 138 | if (access(signkey, R_OK) != 0) { | 138 | if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) { |
138 | 139 | g_autofree gchar *directory = g_path_get_dirname(signkey); | 139 | g_autofree gchar *directory = g_path_get_dirname(signkey); |
139 | 140 | g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL); | 140 | g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL); |
140 | 141 | g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL); | 141 | g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL); |
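Review bot: With the widened condition at line 138, a missing or unreadable issuercert alone now triggers creation of the root CA key and signing key in the same directory as the existing signkey. The hunk does not show whether create_localca_cert refuses to overwrite an existing signkey or rootca-privkey; if it overwrites, every certificate previously issued by this local CA stops chaining to the new issuer. Worth confirming that the existing-key case is handled (reuse the key and only re-issue the certificate, or fail with a clear message) before relying on this path.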
141 | @@ -821,13 +821,28 @@ int main(int argc, char *argv[]) | |||
142 | 821 | if (ret != 0) | 821 | if (ret != 0) |
143 | 822 | goto error; | 822 | goto error; |
144 | 823 | } else { | 823 | } else { |
145 | 824 | int create_certs = 0; | ||
146 | 825 | |||
147 | 826 | /* create certificate if either the signing key or issuer cert are missing */ | ||
148 | 824 | if (access(signkey, R_OK) != 0) { | 827 | if (access(signkey, R_OK) != 0) { |
149 | 825 | if (stat(signkey, &statbuf) == 0) { | 828 | if (stat(signkey, &statbuf) == 0) { |
150 | 826 | logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n", | 829 | logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n", |
151 | 827 | signkey, curr_user ? curr_user->pw_name : "<unknown>"); | 830 | signkey, curr_user ? curr_user->pw_name : "<unknown>"); |
152 | 828 | goto error; | 831 | goto error; |
153 | 829 | } | 832 | } |
154 | 833 | create_certs = 1; | ||
155 | 834 | } | ||
156 | 835 | |||
157 | 836 | if (access(issuercert, R_OK) != 0) { | ||
158 | 837 | if (stat(issuercert, &statbuf) == 0) { | ||
159 | 838 | logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n", | ||
160 | 839 | issuercert, curr_user ? curr_user->pw_name : "<unknown>"); | ||
161 | 840 | goto error; | ||
162 | 841 | } | ||
163 | 842 | create_certs = 1; | ||
164 | 843 | } | ||
165 | 830 | 844 | ||
166 | 845 | if (create_certs) { | ||
167 | 831 | logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n"); | 846 | logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n"); |
168 | 832 | if (create_localca_cert(lockfile, statedir, signkey, signkey_password, | 847 | if (create_localca_cert(lockfile, statedir, signkey, signkey_password, |
169 | 833 | issuercert) != 0) { | 848 | issuercert) != 0) { |
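Review bot: The new `create_certs` flag folds two different situations into the same log line at line 846: first-time setup (both files missing) and a damaged CA directory (only one of them missing). The second case is the one an operator needs to notice, because regenerating the CA silently replaces the issuer for every certificate issued afterwards; suggest logging which of signkey / issuercert was missing before calling create_localca_cert, for example by setting a `missing` pointer in each branch and emitting `logit(gl_LOGFILE, "%s is missing, creating local CA.\n", missing);`.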
170 | diff --git a/samples/swtpm_localca_utils.c b/samples/swtpm_localca_utils.c | |||
171 | index 7aeb9cf..76cb57f 100644 | |||
172 | --- a/samples/swtpm_localca_utils.c | |||
173 | +++ b/samples/swtpm_localca_utils.c | |||
174 | @@ -58,10 +58,12 @@ gchar *get_config_value(gchar **config_file_lines, const gchar *configname, cons | |||
175 | 58 | for (idx = 0; config_file_lines[idx] != NULL; idx++) { | 58 | for (idx = 0; config_file_lines[idx] != NULL; idx++) { |
176 | 59 | const gchar *line = config_file_lines[idx]; | 59 | const gchar *line = config_file_lines[idx]; |
177 | 60 | if (regexec(&preg, line, 2, pmatch, 0) == 0) { | 60 | if (regexec(&preg, line, 2, pmatch, 0) == 0) { |
182 | 61 | result = g_strndup(&line[pmatch[1].rm_so], | 61 | g_autofree gchar *tmp = NULL; |
183 | 62 | pmatch[1].rm_eo - pmatch[1].rm_so); | 62 | |
184 | 63 | /* coverity: g_strchmop modifies in-place */ | 63 | tmp = g_strndup(&line[pmatch[1].rm_so], |
185 | 64 | result = g_strchomp(result); | 64 | pmatch[1].rm_eo - pmatch[1].rm_so); |
186 | 65 | g_strchomp(tmp); | ||
187 | 66 | result = resolve_string(tmp); | ||
188 | 65 | break; | 67 | break; |
189 | 66 | } | 68 | } |
190 | 67 | } | 69 | } |
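Review bot: `tmp` is `g_autofree` and goes out of scope at the end of the `if` block, so `resolve_string()` (not part of this diff) must return newly allocated memory rather than `tmp` itself or a pointer into it; otherwise `result` is dangling by the time the loop breaks. Also worth checking how resolve_string treats an unset variable: values such as `statedir` and `signingkey` now go through environment substitution, and an unset reference that silently resolves to an empty string would turn `statedir=${WORKDIR}` into an empty path rather than an error. Since swtpm_setup spawns this tool with an inherited environment (`envp` is NULL in the g_spawn_sync call later in this diff), the set of variables a config file can reference is whatever the calling management stack happens to export.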
191 | diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c | |||
192 | index 476b398..8e6f52a 100644 | |||
193 | --- a/src/swtpm/swtpm.c | |||
194 | +++ b/src/swtpm/swtpm.c | |||
195 | @@ -461,9 +461,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface) | |||
196 | 461 | 461 | ||
197 | 462 | if (daemonize) { | 462 | if (daemonize) { |
198 | 463 | #ifdef __APPLE__ | 463 | #ifdef __APPLE__ |
200 | 464 | if (0 != osx_daemon(0, 0)) { | 464 | if (0 != osx_daemon(1, 0)) { |
201 | 465 | #else | 465 | #else |
203 | 466 | if (0 != daemon(0, 0)) { | 466 | if (0 != daemon(1, 0)) { |
204 | 467 | #endif | 467 | #endif |
205 | 468 | logprintf(STDERR_FILENO, "Error: Could not daemonize.\n"); | 468 | logprintf(STDERR_FILENO, "Error: Could not daemonize.\n"); |
206 | 469 | goto exit_failure; | 469 | goto exit_failure; |
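Review bot: Switching to `daemon(1, 0)` keeps the working directory, which is what makes relative state-directory and log paths survive daemonization (the CHANGES entry "Do not chdir(/) when using --daemon"). Two consequences deserve a sentence in the man page or a code comment: the daemon now pins its start directory for its lifetime (that filesystem cannot be unmounted while it runs), and AppArmor path rules match the absolute path those relative arguments resolve to, not the directory swtpm was launched from. `noclose` is still 0, so the `logprintf(STDERR_FILENO, ...)` after a failed daemon() call is the last message that can reach the terminal, which is fine.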
207 | diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c | |||
208 | index 7ccd754..2fa2668 100644 | |||
209 | --- a/src/swtpm/swtpm_chardev.c | |||
210 | +++ b/src/swtpm/swtpm_chardev.c | |||
211 | @@ -510,9 +510,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i | |||
212 | 510 | 510 | ||
213 | 511 | if (daemonize) { | 511 | if (daemonize) { |
214 | 512 | #if defined __APPLE__ | 512 | #if defined __APPLE__ |
216 | 513 | if (0 != osx_daemon(0, 0)) { | 513 | if (0 != osx_daemon(1, 0)) { |
217 | 514 | #else | 514 | #else |
219 | 515 | if (0 != daemon(0, 0)) { | 515 | if (0 != daemon(1, 0)) { |
220 | 516 | #endif | 516 | #endif |
221 | 517 | logprintf(STDERR_FILENO, "Error: Could not daemonize.\n"); | 517 | logprintf(STDERR_FILENO, "Error: Could not daemonize.\n"); |
222 | 518 | goto exit_failure; | 518 | goto exit_failure; |
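Review bot: Same change as in swtpm.c; the two daemonize blocks are now identical apart from `#ifdef __APPLE__` versus `#if defined __APPLE__`. Factoring them into one shared helper would have made this a one-line fix and avoids the next daemonize change landing in only one of the two front ends.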
223 | diff --git a/src/swtpm/swtpm_nvfile.c b/src/swtpm/swtpm_nvfile.c | |||
224 | index 9f5c9bb..7f69cbd 100644 | |||
225 | --- a/src/swtpm/swtpm_nvfile.c | |||
226 | +++ b/src/swtpm/swtpm_nvfile.c | |||
227 | @@ -1266,6 +1266,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length, | |||
228 | 1266 | uint8_t *hdrversion, bool quiet) | 1266 | uint8_t *hdrversion, bool quiet) |
229 | 1267 | { | 1267 | { |
230 | 1268 | blobheader *bh = (blobheader *)data; | 1268 | blobheader *bh = (blobheader *)data; |
231 | 1269 | uint16_t hdrsize; | ||
232 | 1269 | 1270 | ||
233 | 1270 | if (length < sizeof(bh)) { | 1271 | if (length < sizeof(bh)) { |
234 | 1271 | if (!quiet) | 1272 | if (!quiet) |
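Review bot: The length check in the context at line 1271, `if (length < sizeof(bh))`, compares against the size of the pointer `bh` (8 bytes on 64-bit), not the size of the `blobheader` it points to. That happens to cover the `hdrsize` field the new code reads, but everything after it, including the callers that use `*dataoffset` to step past the header, still relies on `length` covering the whole structure. This should be `sizeof(*bh)` or `sizeof(blobheader)` and is the natural companion to the CVE-2022-23645 check in the next hunk.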
235 | @@ -1291,8 +1292,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length, | |||
236 | 1291 | return TPM_BAD_VERSION; | 1292 | return TPM_BAD_VERSION; |
237 | 1292 | } | 1293 | } |
238 | 1293 | 1294 | ||
239 | 1295 | hdrsize = ntohs(bh->hdrsize); | ||
240 | 1296 | if (hdrsize != sizeof(blobheader)) { | ||
241 | 1297 | logprintf(STDERR_FILENO, | ||
242 | 1298 | "bad header size: %u != %zu\n", | ||
243 | 1299 | hdrsize, sizeof(blobheader)); | ||
244 | 1300 | return TPM_BAD_DATASIZE; | ||
245 | 1301 | } | ||
246 | 1302 | |||
247 | 1294 | *hdrversion = bh->version; | 1303 | *hdrversion = bh->version; |
249 | 1295 | *dataoffset = ntohs(bh->hdrsize); | 1304 | *dataoffset = hdrsize; |
250 | 1296 | *hdrflags = ntohs(bh->flags); | 1305 | *hdrflags = ntohs(bh->flags); |
251 | 1297 | 1306 | ||
252 | 1298 | return TPM_SUCCESS; | 1307 | return TPM_SUCCESS; |
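Review bot: The new error path at lines 1297-1299 logs unconditionally, whereas the surrounding checks in this function are guarded by `if (!quiet)` (see the `length < sizeof(bh)` path in the previous hunk); callers that probe a blob with `quiet` set will now get a message they did not ask for, so wrap it the same way. The check itself is the right shape for CVE-2022-23645: pinning the header-declared size to `sizeof(blobheader)` means a `hdrsize` taken from an untrusted state blob can no longer move `*dataoffset` past the end of `data`. An explicit `length < hdrsize` test returning TPM_BAD_DATASIZE would make the "dataoffset is within length" contract hold inside this function instead of depending on the caller.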
253 | diff --git a/src/swtpm_setup/swtpm_setup.c b/src/swtpm_setup/swtpm_setup.c | |||
254 | index ddbcc64..c254096 100644 | |||
255 | --- a/src/swtpm_setup/swtpm_setup.c | |||
256 | +++ b/src/swtpm_setup/swtpm_setup.c | |||
257 | @@ -254,6 +254,7 @@ static int call_create_certs(unsigned long flags, const gchar *configfile, const | |||
258 | 254 | for (idx = 0; flags_to_certfiles[idx].filename != NULL; idx++) { | 254 | for (idx = 0; flags_to_certfiles[idx].filename != NULL; idx++) { |
259 | 255 | if (flags & flags_to_certfiles[idx].flag) { | 255 | if (flags & flags_to_certfiles[idx].flag) { |
260 | 256 | g_autofree gchar *standard_output = NULL; | 256 | g_autofree gchar *standard_output = NULL; |
261 | 257 | g_autofree gchar *standard_error = NULL; | ||
262 | 257 | GError *error = NULL; | 258 | GError *error = NULL; |
263 | 258 | gchar **lines; | 259 | gchar **lines; |
264 | 259 | 260 | ||
265 | @@ -263,8 +264,8 @@ static int call_create_certs(unsigned long flags, const gchar *configfile, const | |||
266 | 263 | logit(gl_LOGFILE, " Invoking %s\n", s); | 264 | logit(gl_LOGFILE, " Invoking %s\n", s); |
267 | 264 | g_free(s); | 265 | g_free(s); |
268 | 265 | 266 | ||
271 | 266 | success = g_spawn_sync(NULL, cmd, NULL, G_SPAWN_STDERR_TO_DEV_NULL, NULL, NULL, | 267 | success = g_spawn_sync(NULL, cmd, NULL, 0, NULL, NULL, |
272 | 267 | &standard_output, NULL, &exit_status, &error); | 268 | &standard_output, &standard_error, &exit_status, &error); |
273 | 268 | if (!success) { | 269 | if (!success) { |
274 | 269 | logerr(gl_LOGFILE, "An error occurred running %s: %s\n", | 270 | logerr(gl_LOGFILE, "An error occurred running %s: %s\n", |
275 | 270 | create_certs_tool, error->message); | 271 | create_certs_tool, error->message); |
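Review bot: Dropping G_SPAWN_STDERR_TO_DEV_NULL and passing `&standard_error` means the child's stderr is now buffered by g_spawn_sync and, per the next hunk, only reported when the exit status is non-zero; warnings printed by a tool that then exits 0 are collected and discarded. If that is intended, a short comment saying so saves the next reader from wondering why stderr is captured but never logged on success. Also make sure `error` is released with `g_error_free()` on the `!success` path shown here; the free is not visible in this hunk.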
276 | @@ -273,7 +274,7 @@ static int call_create_certs(unsigned long flags, const gchar *configfile, const | |||
277 | 273 | break; | 274 | break; |
278 | 274 | } else if (exit_status != 0) { | 275 | } else if (exit_status != 0) { |
279 | 275 | logerr(gl_LOGFILE, "%s exit with status %d: %s\n", | 276 | logerr(gl_LOGFILE, "%s exit with status %d: %s\n", |
281 | 276 | prgname, exit_status, standard_output); | 277 | prgname, WEXITSTATUS(exit_status), standard_error); |
282 | 277 | ret = 1; | 278 | ret = 1; |
283 | 278 | break; | 279 | break; |
284 | 279 | } | 280 | } |
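Review bot: `exit_status` from g_spawn_sync is a waitpid()-style status, so `WEXITSTATUS()` is only meaningful when the child exited normally; for a child killed by a signal the `exit_status != 0` test still fires but the logged number is meaningless. GLib's `g_spawn_check_exit_status()` (renamed `g_spawn_check_wait_status()` in 2.70) decodes both cases into a GError message and would cover the signal case without hand-rolling WIFEXITED/WIFSIGNALED. Reporting `standard_error` instead of `standard_output` in the message is the right fix for the "Report stderr as returned by external tool" item.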
285 | @@ -287,6 +288,8 @@ static int call_create_certs(unsigned long flags, const gchar *configfile, const | |||
286 | 287 | 288 | ||
287 | 288 | g_free(standard_output); | 289 | g_free(standard_output); |
288 | 289 | standard_output = NULL; | 290 | standard_output = NULL; |
289 | 291 | g_free(standard_error); | ||
290 | 292 | standard_error = NULL; | ||
291 | 290 | } | 293 | } |
292 | 291 | } | 294 | } |
293 | 292 | } | 295 | } |
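Review bot: `standard_error` is declared `g_autofree` in the first hunk of this file, so the explicit `g_free()` plus NULL reset at lines 291-292 is redundant; the variable goes out of scope at the end of each loop iteration anyway. It is harmless and mirrors the existing handling of `standard_output`, but one of the two mechanisms should go: either drop `g_autofree` from both declarations or drop both manual frees.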
294 | @@ -1468,9 +1471,12 @@ int main(int argc, char *argv[]) | |||
295 | 1468 | tmpbuffer); | 1471 | tmpbuffer); |
296 | 1469 | 1472 | ||
297 | 1470 | out: | 1473 | out: |
298 | 1471 | error: | ||
299 | 1472 | g_strfreev(swtpm_prg_l); | 1474 | g_strfreev(swtpm_prg_l); |
300 | 1473 | g_free(gl_LOGFILE); | 1475 | g_free(gl_LOGFILE); |
301 | 1474 | 1476 | ||
302 | 1475 | exit(ret); | 1477 | exit(ret); |
303 | 1478 | |||
304 | 1479 | error: | ||
305 | 1480 | ret = 1; | ||
306 | 1481 | goto out; | ||
307 | 1476 | } | 1482 | } |
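Review bot: Moving `error:` behind `exit(ret)` and forcing `ret = 1` before jumping back to `out:` fixes the "exit code on error to be '1'" item, but it also flattens any earlier `goto error` that had already stored a more specific non-zero `ret` to 1. If nothing relies on distinct exit codes from main() that is fine; otherwise the cleaner fix is to set `ret = 1` at each `goto error` site that previously forgot it. A one-line comment on the `error:` label explaining the deliberate jump back would also help, since control flow placed after `exit()` is unusual to read.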
308 | diff --git a/swtpm.spec b/swtpm.spec | |||
309 | index 35a2a4a..f8757a3 100644 | |||
310 | --- a/swtpm.spec | |||
311 | +++ b/swtpm.spec | |||
312 | @@ -7,7 +7,7 @@ | |||
313 | 7 | 7 | ||
314 | 8 | Summary: TPM Emulator | 8 | Summary: TPM Emulator |
315 | 9 | Name: swtpm | 9 | Name: swtpm |
317 | 10 | Version: 0.6.1 | 10 | Version: 0.6.3 |
318 | 11 | Release: 1%{?dist} | 11 | Release: 1%{?dist} |
319 | 12 | License: BSD | 12 | License: BSD |
320 | 13 | Url: https://github.com/stefanberger/swtpm | 13 | Url: https://github.com/stefanberger/swtpm |
321 | @@ -172,6 +172,12 @@ fi | |||
322 | 172 | %{_datadir}/swtpm/swtpm-create-tpmca | 172 | %{_datadir}/swtpm/swtpm-create-tpmca |
323 | 173 | 173 | ||
324 | 174 | %changelog | 174 | %changelog |
325 | 175 | * Mon Mar 07 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.6.3-1.20220225git------- | ||
326 | 176 | - v0.6.3 release | ||
327 | 177 | |||
328 | 178 | * Fri Feb 18 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.6.2-1.20220218git------- | ||
329 | 179 | - v0.6.2 release | ||
330 | 180 | |||
331 | 175 | * Mon Sep 20 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.6.1-0.20210917git------- | 181 | * Mon Sep 20 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.6.1-0.20210917git------- |
332 | 176 | - v0.6.1 release | 182 | - v0.6.1 release |
333 | 177 | 183 | ||
334 | diff --git a/swtpm.spec.in b/swtpm.spec.in | |||
335 | index d69ede0..81196ec 100644 | |||
336 | --- a/swtpm.spec.in | |||
337 | +++ b/swtpm.spec.in | |||
338 | @@ -172,6 +172,12 @@ fi | |||
339 | 172 | %{_datadir}/swtpm/swtpm-create-tpmca | 172 | %{_datadir}/swtpm/swtpm-create-tpmca |
340 | 173 | 173 | ||
341 | 174 | %changelog | 174 | %changelog |
342 | 175 | * Mon Mar 07 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.6.3-1.20220225git------- | ||
343 | 176 | - v0.6.3 release | ||
344 | 177 | |||
345 | 178 | * Fri Feb 18 2022 Stefan Berger <stefanb@linux.ibm.com> - 0.6.2-1.20220218git------- | ||
346 | 179 | - v0.6.2 release | ||
347 | 180 | |||
348 | 175 | * Mon Sep 20 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.6.1-0.20210917git------- | 181 | * Mon Sep 20 2021 Stefan Berger <stefanb@linux.ibm.com> - 0.6.1-0.20210917git------- |
349 | 176 | - v0.6.1 release | 182 | - v0.6.1 release |
350 | 177 | 183 | ||
351 | diff --git a/tests/test_swtpm_setup_create_cert b/tests/test_swtpm_setup_create_cert | |||
352 | index 3bb753c..f80505c 100755 | |||
353 | --- a/tests/test_swtpm_setup_create_cert | |||
354 | +++ b/tests/test_swtpm_setup_create_cert | |||
355 | @@ -30,13 +30,14 @@ function cleanup() | |||
356 | 30 | 30 | ||
357 | 31 | # We want swtpm_cert to use the local CA and see that the | 31 | # We want swtpm_cert to use the local CA and see that the |
358 | 32 | # local CA script automatically creates a signingkey and | 32 | # local CA script automatically creates a signingkey and |
360 | 33 | # self-signed certificate | 33 | # self-signed certificate; use ${WORKDIR} in the config files |
361 | 34 | # to test env variable resolution | ||
362 | 34 | 35 | ||
363 | 35 | cat <<_EOF_ > ${workdir}/swtpm-localca.conf | 36 | cat <<_EOF_ > ${workdir}/swtpm-localca.conf |
368 | 36 | statedir=${workdir} | 37 | statedir=\${WORKDIR} |
369 | 37 | signingkey = ${SIGNINGKEY} | 38 | signingkey = \${WORKDIR}/signingkey.pem |
370 | 38 | issuercert = ${ISSUERCERT} | 39 | issuercert = \${WORKDIR}/issuercert.pem |
371 | 39 | certserial = ${CERTSERIAL} | 40 | certserial = \${WORKDIR}/certserial |
372 | 40 | _EOF_ | 41 | _EOF_ |
373 | 41 | 42 | ||
374 | 42 | cat <<_EOF_ > ${workdir}/swtpm-localca.options | 43 | cat <<_EOF_ > ${workdir}/swtpm-localca.options |
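Review bot: The heredoc delimiter is unquoted, so the shell expands `${workdir}` in the redirection while `\${WORKDIR}` reaches the config file verbatim, which is exactly what the variable-resolution test needs. Two follow-ups: the previous version took the paths from `${SIGNINGKEY}`, `${ISSUERCERT}` and `${CERTSERIAL}`, so any later assertions in this test that still use those variables must agree with the hard-coded `signingkey.pem`/`issuercert.pem`/`certserial` names; and since only the resolvable case is exercised, a second config with a deliberately unset variable (asserting that swtpm_setup fails rather than writing into an empty `statedir`) would pin down the failure mode of the new resolver.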
375 | @@ -50,8 +51,8 @@ _EOF_ | |||
376 | 50 | 51 | ||
377 | 51 | cat <<_EOF_ > ${workdir}/swtpm_setup.conf | 52 | cat <<_EOF_ > ${workdir}/swtpm_setup.conf |
378 | 52 | create_certs_tool=${SWTPM_LOCALCA} | 53 | create_certs_tool=${SWTPM_LOCALCA} |
381 | 53 | create_certs_tool_config=${workdir}/swtpm-localca.conf | 54 | create_certs_tool_config=\${WORKDIR}/swtpm-localca.conf |
382 | 54 | create_certs_tool_options=${workdir}/swtpm-localca.options | 55 | create_certs_tool_options=\${WORKDIR}/swtpm-localca.options |
383 | 55 | _EOF_ | 56 | _EOF_ |
384 | 56 | 57 | ||
385 | 57 | # We need to adapt the PATH so the correct swtpm_cert is picked | 58 | # We need to adapt the PATH so the correct swtpm_cert is picked |
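Review bot: `create_certs_tool=${SWTPM_LOCALCA}` at line 53 is still expanded by the test shell while the two `_config`/`_options` paths go through swtpm_setup's resolver; a comment noting that the mix is deliberate would help, since at a glance the missing backslash on that line looks like an oversight.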
386 | @@ -61,7 +62,8 @@ export PATH=${ROOT}/src/swtpm_cert:${PATH} | |||
387 | 61 | export SWTPM_ROOTCA_PASSWORD=password | 62 | export SWTPM_ROOTCA_PASSWORD=password |
388 | 62 | 63 | ||
389 | 63 | # we need to create at least one cert: --create-ek-cert | 64 | # we need to create at least one cert: --create-ek-cert |
391 | 64 | $SWTPM_SETUP \ | 65 | WORKDIR=${workdir} \ |
392 | 66 | $SWTPM_SETUP \ | ||
393 | 65 | --tpm-state ${workdir} \ | 67 | --tpm-state ${workdir} \ |
394 | 66 | --create-ek-cert \ | 68 | --create-ek-cert \ |
395 | 67 | --config ${workdir}/swtpm_setup.conf \ | 69 | --config ${workdir}/swtpm_setup.conf \ |
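Review bot: `WORKDIR=${workdir}` scoped to this single invocation is the right scope, but it relies on swtpm_setup passing its environment through to the create_certs tool (true today because g_spawn_sync is called with `envp = NULL`); if that call ever gains a sanitized environment this test will fail in a confusing way. A comment next to this line pointing at that dependency, or a short assertion on the resolved path in the test output, would document the contract.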
Description of the change

This contains
- upstream v6.1.0..v6.3.0 stable changes (kept as individual commits).
- tarball is from https://github.com/stefanberger/swtpm/releases/tag/v0.6.3
- a fix for the apparmor profile

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4809/+packages

This fixes:
- the request by security (https://bugs.launchpad.net/ubuntu/+source/swtpm/+bug/1948748/comments/11)
- apparmor issue blocking migration (bug 1950631)
- generally stabilizes swtpm for jammy

(now good) Autopkgtest logs:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4809/jammy/amd64/s/swtpm/20220322_115315_f84ac@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4809/jammy/s390x/s/swtpm/20220322_115802_f84ac@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4809/jammy/armhf/s/swtpm/20220322_120054_8a59f@/log.gz
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-ci-train-ppa-service-4809/jammy/arm64/s/swtpm/20220322_120216_ab240@/log.gz