subtree updates

meta-security: 53c5cc794f..ddf301c45c:
  Adrian Zaharia (1):
        libmhash: fix multilib header conflict - mutils/mhash_config.h

  Alexander Kanavin (1):
        maintainers.inc: rename to avoid clashes with oe-core

  Armin Kuster (15):
        meta-tpm: rename recipes-tpm to recipes-tpm1
        recipes-tpm: use this for common tpm recipes
        swtpm: update to 0.8.0
        libtpm: update to 0.9.6
        ossec-hids: update to tip of 3.7.0
        libhtp: update to 0.5.43
        suricata: update to 6.0.11
        fscryptctl: update to 1.0.1
        oeqa: fix hash test to match new changes
        integrity-image-minimal: adapt QEMU cmdline to new changes
        lynis: Add decoding OE and Poky
        os-release.bbappend: drop now CPE_NAME is in core
        openembedded-release: drop as os-release does this now
        tpm2-tss: drop vendor from PACKAGECONFIG
        packagegroup-security-tpm2: restore pkgs removed earlier

  Paul Gortmaker (4):
        dm-verity: ensure people don't ignore the DISTRO_FEATURES warning
        dm-verity: don't make read-only-rootfs sound like a requirement
        dm-verity: document the meta-intel dependency in the systemd example
        dm-verity: add x86-64 systemd based example instructions

  Peter Hoyes (1):
        meta-parsec/layer.conf: Insert addpylib declaration

  Peter Kjellerstedt (1):
        tpm2-tools: Remove unnecessary and optional dependencies

  Stefan Berger (12):
        ima: Document and replace keys and adapt scripts for EC keys
        ima: Fix the ima_policy_appraise_all to appraise executables & libraries
        ima: Fix the IMA kernel feature
        ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
        ima: Sign all executables and the ima-policy in the root filesystem
        integrity: Update the README for IMA support
        linux: overlayfs: Add kernel patch resolving a file change notification issue
        ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
        linux: overlayfs: Drop kernel patch resolving a file change notification issue
        ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg
        integrity: Fix the do_configure function
        integrity: Rename linux-%.bbappend to linux-yocto%.bbappend

meta-raspberrypi: bf948e0aa8..928bb234bb:
  Martin Jansa (3):
        rpi-libcamera-apps: fix flags used in aarch64 builds
        rpi-libcamera-apps: fix version generation on hosts with older python
        rpi-libcamera-apps: bump to latest SRCREV and set PV

meta-arm: 0b5724266a..f9d80e1a14:
  Emekcan Aras (2):
        arm-bsp/trusted-firmware-m: Align Capsule Update with GPT changes
        arm-bsp/wic: corstone1000: Fix and limit the partition size for corstone1000
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I56f7d26070d879e3138618332841c30cf57eb7d9
diff --git a/meta-security/meta-tpm/recipes-tpm/hoth/libhoth_git.bb b/meta-security/meta-tpm/recipes-tpm/hoth/libhoth_git.bb
deleted file mode 100644
index a3ebce7..0000000
--- a/meta-security/meta-tpm/recipes-tpm/hoth/libhoth_git.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-SUMMARY = "Google Hoth USB library"
-DESCRIPTION = "Libraries and example programs for interacting with a \
-               hoth-class root of trust."
-HOMEPAGE = "https://github.com/google/libhoth"
-
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-
-SRC_URI = "git://github.com/google/libhoth;protocol=https;branch=main"
-SRCREV = "1622e8a040d21dd564fdc1cb4df5eda01688c197"
-
-DEPENDS += "libusb1"
-
-S = "${WORKDIR}/git"
-
-inherit pkgconfig meson
-
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb
similarity index 88%
rename from meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb
rename to meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb
index cf80064..a860319 100644
--- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb
+++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb
@@ -2,7 +2,7 @@
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
 
-SRCREV = "df1c3e98d697f3c1f09262d2ba161a7db784d6cc"
+SRCREV = "f8c2dc7e12a730dcca4220d7ac5ad86d13dfd630"
 SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.9;protocol=https"
 
 PE = "1"
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
deleted file mode 100644
index bed8b92..0000000
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
-Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
-Date:   Wed Jun 19 18:57:13 2013 +0800
-
-support well-known password in openssl-tpm-engine.
-
-Add "-z" option to select well known password in create_tpm_key tool.
-
-Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
-
-Index: git/src/create_tpm_key.c
-===================================================================
---- git.orig/src/create_tpm_key.c
-+++ git/src/create_tpm_key.c
-@@ -48,6 +48,8 @@
- 
- #include "ssl_compat.h"
- 
-+#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
-+
- #define print_error(a,b) \
- 	fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \
- 		a, b, Trspi_Error_String(b))
-@@ -72,6 +74,7 @@ usage(char *argv0)
- 		"\t\t-e|--enc-scheme  encryption scheme to use [PKCSV15] or OAEP\n"
- 		"\t\t-q|--sig-scheme  signature scheme to use [DER] or SHA1\n"
- 		"\t\t-s|--key-size    key size in bits [2048]\n"
-+		"\t\t-z|--zerokey     use well known 20 bytes zero as SRK password.\n"
- 		"\t\t-a|--auth        require a password for the key [NO]\n"
- 		"\t\t-p|--popup       use TSS GUI popup dialogs to get the password "
- 		"for the\n\t\t\t\t key [NO] (implies --auth)\n"
-@@ -154,6 +157,7 @@ int main(int argc, char **argv)
- 	int		asn1_len;
- 	char		*filename, c, *openssl_key = NULL;
- 	int		option_index, auth = 0, popup = 0, wrap = 0;
-+	int		wellknownkey = 0;
- 	UINT32		enc_scheme = TSS_ES_RSAESPKCSV15;
- 	UINT32		sig_scheme = TSS_SS_RSASSAPKCS1V15_DER;
- 	UINT32		key_size = 2048;
-@@ -161,12 +165,15 @@ int main(int argc, char **argv)
- 
- 	while (1) {
- 		option_index = 0;
--		c = getopt_long(argc, argv, "pe:q:s:ahw:",
-+		c = getopt_long(argc, argv, "pe:q:s:zahw:",
- 				long_options, &option_index);
- 		if (c == -1)
- 			break;
- 
- 		switch (c) {
-+			case 'z':
-+				wellknownkey = 1;
-+				break;
- 			case 'a':
- 				initFlags |= TSS_KEY_AUTHORIZATION;
- 				auth = 1;
-@@ -300,6 +307,8 @@ int main(int argc, char **argv)
- 
- 	if (srk_authusage) {
- 		char *authdata = calloc(1, 128);
-+		TSS_FLAG secretMode = TSS_SECRET_MODE_PLAIN;
-+		int authlen = 0;
- 
- 		if (!authdata) {
- 			fprintf(stderr, "malloc failed.\n");
-@@ -316,17 +325,26 @@ int main(int argc, char **argv)
- 			exit(result);
- 		}
- 
--		if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
--			Tspi_Context_CloseObject(hContext, hKey);
--			Tspi_Context_Close(hContext);
--			free(authdata);
--			exit(result);
-+		if (wellknownkey) {
-+			memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN);
-+			secretMode = TSS_SECRET_MODE_SHA1;
-+			authlen = TPM_WELL_KNOWN_KEY_LEN;
-+		}
-+		else {
-+			if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
-+				Tspi_Context_CloseObject(hContext, hKey);
-+				Tspi_Context_Close(hContext);
-+				free(authdata);
-+				exit(result);
-+			}
-+			secretMode = TSS_SECRET_MODE_PLAIN;
-+			authlen = strlen(authdata);
- 		}
- 
- 		//Set Secret
- 		if ((result = Tspi_Policy_SetSecret(srkUsagePolicy,
--						    TSS_SECRET_MODE_PLAIN,
--						    strlen(authdata),
-+						    secretMode,
-+						    authlen,
- 						    (BYTE *)authdata))) {
- 			print_error("Tspi_Policy_SetSecret", result);
- 			free(authdata);
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
deleted file mode 100644
index 2caaaf0..0000000
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
-Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
-Date:   Wed Jun 19 18:57:13 2013 +0800
-
-support reading SRK password from env TPM_SRK_PW
-
-Add "env TPM_SRK_PW=xxxx" to set password for libtpm.so. Specially,
-use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password.
-
-Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
-
-Index: git/src/e_tpm.c
-===================================================================
---- git.orig/src/e_tpm.c
-+++ git/src/e_tpm.c
-@@ -38,6 +38,8 @@
- #include "e_tpm.h"
- #include "ssl_compat.h"
- 
-+#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
-+
- //#define DLOPEN_TSPI
- 
- #ifndef OPENSSL_NO_HW
-@@ -262,6 +264,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
- 	TSS_RESULT result;
- 	UINT32 authusage;
- 	BYTE *auth;
-+	char *srkPasswd = NULL;
-+	TSS_FLAG secretMode = secret_mode;
-+	int authlen = 0;
-+
- 
- 	if (hSRK != NULL_HKEY) {
- 		DBGFN("SRK is already loaded.");
-@@ -313,18 +319,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
- 		return 0;
- 	}
- 
--	if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ",
--				cb_data)) {
--		Tspi_Context_CloseObject(hContext, hSRK);
--		free(auth);
--		TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
--		return 0;
-+	srkPasswd = getenv("TPM_SRK_PW");
-+	if (NULL != srkPasswd) {
-+		if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
-+			memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
-+			secretMode = TSS_SECRET_MODE_SHA1;
-+			authlen = TPM_WELL_KNOWN_KEY_LEN;
-+		} else {
-+			int authbuflen = 128;
-+			memset(auth, 0, authbuflen);
-+			strncpy(auth, srkPasswd, authbuflen-1);
-+			secretMode = TSS_SECRET_MODE_PLAIN;
-+			authlen = strlen(auth);
-+		}
-+	}
-+	else {
-+		if (!tpm_engine_get_auth(ui, (char *)auth, 128,
-+				"SRK authorization: ", cb_data)) {
-+			Tspi_Context_CloseObject(hContext, hSRK);
-+			free(auth);
-+			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
-+			return 0;
-+		}
-+		secretMode = secret_mode;
-+		authlen = strlen(auth);
- 	}
- 
- 	/* secret_mode is a global that may be set by engine ctrl
- 	 * commands.  By default, its set to TSS_SECRET_MODE_PLAIN */
--	if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secret_mode,
--					      strlen((char *)auth), auth))) {
-+	if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secretMode,
-+					      authlen, auth))) {
- 		Tspi_Context_CloseObject(hContext, hSRK);
- 		free(auth);
- 		TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
deleted file mode 100644
index cc8772d..0000000
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
+++ /dev/null
@@ -1,251 +0,0 @@
-From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001
-From: Limeng <Meng.Li@windriver.com>
-Date: Fri, 23 Jun 2017 11:39:04 +0800
-Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password 
- from env
-
-Before, we support reading SRK password from env TPM_SRK_PW,
-but it is a plain password and not secure.
-So, we improve it and support to get an encrypted (AES algorithm)
-SRK password from env, and then parse it. The default decrypting
-AES password and salt is set in bb file.
-When we initialize TPM, and set a SRK pw, and then we need to
-encrypt it with the same AES password and salt by AES algorithm.
-At last, we set a env as below:
-export TPM_SRK_ENC_PW=xxxxxxxx
-"xxxxxxxx" is the encrypted SRK password for libtpm.so.
-
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
----
- e_tpm.c     | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
- e_tpm.h     |   4 ++
- e_tpm_err.c |   4 ++
- 3 files changed, 164 insertions(+), 1 deletion(-)
-
-Index: git/src/e_tpm.c
-===================================================================
---- git.orig/src/e_tpm.c
-+++ git/src/e_tpm.c
-@@ -259,6 +259,118 @@ void ENGINE_load_tpm(void)
- 	ERR_clear_error();
- }
- 
-+static int tpm_decode_base64(unsigned char *indata,
-+				int in_len,
-+				unsigned char *outdata,
-+				int *out_len)
-+{
-+	int total_len, len, ret;
-+	EVP_ENCODE_CTX dctx;
-+
-+	EVP_DecodeInit(&dctx);
-+
-+	total_len = 0;
-+	ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
-+	if (ret < 0) {
-+		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
-+		return 1;
-+	}
-+
-+	total_len += len;
-+	ret = EVP_DecodeFinal(&dctx, outdata, &len);
-+	if (ret < 0) {
-+		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
-+		return 1;
-+	}
-+	total_len += len;
-+
-+	*out_len = total_len;
-+
-+	return 0;
-+}
-+
-+static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
-+				unsigned char *outdata,
-+				int *out_len)
-+{
-+	int dec_data_len, dec_data_lenfinal;
-+	unsigned char dec_data[256];
-+	unsigned char *aes_pw;
-+	unsigned char aes_salt[PKCS5_SALT_LEN];
-+	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
-+	const EVP_CIPHER *cipher = NULL;
-+	const EVP_MD *dgst = NULL;
-+	EVP_CIPHER_CTX *ctx = NULL;
-+
-+	if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) {
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		return 1;
-+	}
-+
-+	aes_pw = malloc(sizeof(SRK_DEC_PW) - 1);
-+	if (aes_pw == NULL) {
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		return 1;
-+	}
-+
-+	memset(aes_salt, 0x00, sizeof(aes_salt));
-+	memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1);
-+	memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1);
-+
-+	cipher = EVP_get_cipherbyname("aes-128-cbc");
-+	if (cipher == NULL) {
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		free(aes_pw);
-+		return 1;
-+	}
-+	dgst = EVP_sha256();
-+
-+	EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv);
-+
-+	ctx = EVP_CIPHER_CTX_new();
-+	/* Don't set key or IV right away; we want to check lengths */
-+	if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) {
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		free(aes_pw);
-+		return 1;
-+	}
-+
-+	OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
-+	OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
-+
-+	if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) {
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		free(aes_pw);
-+		return 1;
-+	}
-+
-+	if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) {
-+		/* Error */
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		free(aes_pw);
-+		EVP_CIPHER_CTX_free(ctx);
-+		return 1;
-+	}
-+
-+	if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) {
-+		/* Error */
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		free(aes_pw);
-+		EVP_CIPHER_CTX_free(ctx);
-+		return 1;
-+	}
-+
-+	dec_data_len = dec_data_len + dec_data_lenfinal;
-+
-+	memcpy(outdata, dec_data, dec_data_len);
-+	*out_len = dec_data_len;
-+
-+	free(aes_pw);
-+	EVP_CIPHER_CTX_free(ctx);
-+
-+	return 0;
-+}
-+
- int tpm_load_srk(UI_METHOD *ui, void *cb_data)
- {
- 	TSS_RESULT result;
-@@ -319,8 +431,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
- 		return 0;
- 	}
- 
--	srkPasswd = getenv("TPM_SRK_PW");
-+	srkPasswd = getenv("TPM_SRK_ENC_PW");
- 	if (NULL != srkPasswd) {
-+		int in_len = strlen(srkPasswd);
-+		int out_len;
-+		unsigned char *out_buf;
-+
-+		if (!in_len || in_len % 4) {
-+			Tspi_Context_CloseObject(hContext, hSRK);
-+			free(auth);
-+			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
-+			return 0;
-+		}
-+
-+		out_len = in_len * 3 / 4;
-+		out_buf = malloc(out_len);
-+		if (NULL == out_buf) {
-+			Tspi_Context_CloseObject(hContext, hSRK);
-+			free(auth);
-+			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
-+			return 0;
-+		}
-+
-+		if (tpm_decode_base64(srkPasswd, strlen(srkPasswd),
-+					out_buf, &out_len)) {
-+			Tspi_Context_CloseObject(hContext, hSRK);
-+			free(auth);
-+			free(out_buf);
-+			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
-+			return 0;
-+		}
-+
-+		if (tpm_decrypt_srk_pw(out_buf, out_len,
-+							auth, &authlen)) {
-+			Tspi_Context_CloseObject(hContext, hSRK);
-+			free(auth);
-+			free(out_buf);
-+			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
-+			return 0;
-+		}
-+		secretMode = TSS_SECRET_MODE_PLAIN;
-+		free(out_buf);
-+	}
-+#ifdef TPM_SRK_PLAIN_PW
-+	else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {
- 		if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
- 			memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
- 			secretMode = TSS_SECRET_MODE_SHA1;
-@@ -333,6 +487,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
- 			authlen = strlen(auth);
- 		}
- 	}
-+#endif
- 	else {
- 		if (!tpm_engine_get_auth(ui, (char *)auth, 128,
- 				"SRK authorization: ", cb_data)) {
-Index: git/src/e_tpm.h
-===================================================================
---- git.orig/src/e_tpm.h
-+++ git/src/e_tpm.h
-@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int rea
- #define TPM_F_TPM_FILL_RSA_OBJECT		116
- #define TPM_F_TPM_ENGINE_GET_AUTH		117
- #define TPM_F_TPM_CREATE_SRK_POLICY		118
-+#define TPM_F_TPM_DECODE_BASE64			119
-+#define TPM_F_TPM_DECRYPT_SRK_PW		120
- 
- /* Reason codes. */
- #define TPM_R_ALREADY_LOADED			100
-@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int rea
- #define TPM_R_ID_INVALID			125
- #define TPM_R_UI_METHOD_FAILED			126
- #define TPM_R_UNKNOWN_SECRET_MODE		127
-+#define TPM_R_DECODE_BASE64_FAILED		128
-+#define TPM_R_DECRYPT_SRK_PW_FAILED		129
- 
- /* structure pointed to by the RSA object's app_data pointer */
- struct rsa_app_data
-Index: git/src/e_tpm_err.c
-===================================================================
---- git.orig/src/e_tpm_err.c
-+++ git/src/e_tpm_err.c
-@@ -234,6 +234,8 @@ static ERR_STRING_DATA TPM_str_functs[]
- 	{ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
- 	{ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
- 	{ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
-+	{ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"},
-+	{ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"},
- 	{0, NULL}
- };
- 
-@@ -264,6 +266,8 @@ static ERR_STRING_DATA TPM_str_reasons[]
- 	{TPM_R_FILE_READ_FAILED, "failed reading the key file"},
- 	{TPM_R_ID_INVALID, "engine id doesn't match"},
- 	{TPM_R_UI_METHOD_FAILED, "ui function failed"},
-+	{TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"},
-+	{TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"},
- 	{0, NULL}
- };
- 
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
deleted file mode 100644
index 535472a..0000000
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From fb44e2814fd819c086f9a4c925427f89c0e8cec6 Mon Sep 17 00:00:00 2001
-From: Limeng <Meng.Li@windriver.com>
-Date: Fri, 21 Jul 2017 16:32:02 +0800
-Subject: [PATCH] tpm:openssl-tpm-engine: change variable c type from char
- into int
-
-refer to getopt_long() function definition, its return value type is
-int. So, change variable c type from char into int.
-On arm platform, when getopt_long() calling fails, if we define c as
-char type, its value will be 255, not -1. This will cause code enter
-wrong case.
-
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
----
- create_tpm_key.c |    3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-Index: git/src/create_tpm_key.c
-===================================================================
---- git.orig/src/create_tpm_key.c
-+++ git/src/create_tpm_key.c
-@@ -155,7 +155,8 @@ int main(int argc, char **argv)
- 	ASN1_OCTET_STRING *blob_str;
- 	unsigned char	*blob_asn1 = NULL;
- 	int		asn1_len;
--	char		*filename, c, *openssl_key = NULL;
-+	char		*filename, *openssl_key = NULL;
-+	int		c;
- 	int		option_index, auth = 0, popup = 0, wrap = 0;
- 	int		wellknownkey = 0;
- 	UINT32		enc_scheme = TSS_ES_RSAESPKCSV15;
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch
deleted file mode 100644
index 2f8eb81..0000000
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Fix compiling for openssl 1.1
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: git/src/e_tpm.c
-===================================================================
---- git.orig/src/e_tpm.c
-+++ git/src/e_tpm.c
-@@ -265,19 +265,20 @@ static int tpm_decode_base64(unsigned ch
- 				int *out_len)
- {
- 	int total_len, len, ret;
--	EVP_ENCODE_CTX dctx;
-+	EVP_ENCODE_CTX *dctx;
- 
--	EVP_DecodeInit(&dctx);
-+	dctx = EVP_ENCODE_CTX_new();
-+	EVP_DecodeInit(dctx);
- 
- 	total_len = 0;
--	ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
-+	ret = EVP_DecodeUpdate(dctx, outdata, &len, indata, in_len);
- 	if (ret < 0) {
- 		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
- 		return 1;
- 	}
- 
- 	total_len += len;
--	ret = EVP_DecodeFinal(&dctx, outdata, &len);
-+	ret = EVP_DecodeFinal(dctx, outdata, &len);
- 	if (ret < 0) {
- 		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
- 		return 1;
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
deleted file mode 100644
index e3e643e..0000000
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
+++ /dev/null
@@ -1,65 +0,0 @@
-DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
-HOMEPAGE = "https://github.com/mgerstner/openssl_tpm_engine"
-SECTION = "security/tpm"
-
-LICENSE = "OpenSSL"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
-
-DEPENDS += "openssl trousers"
-
-SRC_URI = "\
-    git://github.com/mgerstner/openssl_tpm_engine.git;branch=master;protocol=https \
-    file://0001-create-tpm-key-support-well-known-key-option.patch \
-    file://0002-libtpm-support-env-TPM_SRK_PW.patch \
-    file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
-    file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \
-    file://openssl11_build_fix.patch \
-"
-SRCREV = "b28de5065e6eb9aa5d5afe2276904f7624c2cbaf"
-
-S = "${WORKDIR}/git"
-
-inherit autotools-brokensep pkgconfig
-
-# The definitions below are used to decrypt the srk password.
-# It is allowed to define the values in 3 forms: string, hex number and
-# the hybrid, e.g,
-# srk_dec_pw = "incendia"
-# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
-# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
-#
-# Due to the limit of escape character, the hybrid must be written in
-# above style. The actual values defined below in C code style are:
-# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
-# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
-srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
-srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
-
-CFLAGS:append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
-
-# Uncomment below line if using the plain srk password for development
-#CFLAGS:append = " -DTPM_SRK_PLAIN_PW"
-
-do_configure:prepend() {
-    cd ${B}
-    cp LICENSE COPYING
-    touch NEWS AUTHORS ChangeLog README
-}
-
-FILES:${PN}-staticdev += "${libdir}/ssl/engines-3/tpm.la"
-FILES:${PN}-dbg += "\
-    ${libdir}/ssl/engines-3/.debug \
-    ${libdir}/engines-3/.debug \
-    ${prefix}/local/ssl/lib/engines-3/.debug \
-"
-FILES:${PN} += "\
-    ${libdir}/ssl/engines-3/tpm.so* \
-    ${libdir}/engines-3/tpm.so* \
-    ${libdir}/libtpm.so* \
-    ${prefix}/local/ssl/lib/engines-3/tpm.so* \
-"
-
-RDEPENDS:${PN} += "libcrypto libtspi"
-
-INSANE_SKIP:${PN} = "libdir"
-INSANE_SKIP:${PN}-dbg = "libdir"
diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch b/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch
deleted file mode 100644
index cf2d437..0000000
--- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Enable building with openssl 1.1
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: git/src/pcr-extend.c
-===================================================================
---- git.orig/src/pcr-extend.c
-+++ git/src/pcr-extend.c
-@@ -118,7 +118,7 @@ dump_buf (FILE *file, char *buf, size_t
- static unsigned char*
- sha1_file (FILE *file, unsigned int *hash_len)
- {
--    EVP_MD_CTX ctx = { 0 };
-+    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
-     unsigned char *buf = NULL, *hash = NULL;
-     size_t num_read = 0;
- 
-@@ -127,7 +127,7 @@ sha1_file (FILE *file, unsigned int *has
-         perror ("malloc:\n");
-         goto sha1_fail;
-     }
--    if (EVP_DigestInit (&ctx, EVP_sha1 ()) == 0) {
-+    if (EVP_DigestInit (ctx, EVP_sha1 ()) == 0) {
-         ERR_print_errors_fp (stderr);
-         goto sha1_fail;
-     }
-@@ -135,7 +135,7 @@ sha1_file (FILE *file, unsigned int *has
-         num_read = fread (buf, 1, BUF_SIZE, file);
-         if (num_read <= 0)
-             break;
--        if (EVP_DigestUpdate (&ctx, buf, num_read) == 0) {
-+        if (EVP_DigestUpdate (ctx, buf, num_read) == 0) {
-             ERR_print_errors_fp (stderr);
-             goto sha1_fail;
-         }
-@@ -149,7 +149,7 @@ sha1_file (FILE *file, unsigned int *has
-         perror ("calloc of hash buffer:\n");
-         goto sha1_fail;
-     }
--    if (EVP_DigestFinal (&ctx, hash, hash_len) == 0) {
-+    if (EVP_DigestFinal (ctx, hash, hash_len) == 0) {
-         ERR_print_errors_fp (stderr);
-         goto sha1_fail;
-     }
diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
deleted file mode 100644
index 45da416..0000000
--- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
+++ /dev/null
@@ -1,26 +0,0 @@
-SUMMARY = "Command line utility to extend hash of arbitrary data into a TPMs PCR."
-HOMEPAGE = "https://github.com/flihp/pcr-extend"
-SECTION = "security/tpm"
-LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-DEPENDS = "libtspi"
-
-PV = "0.1+git${SRCPV}"
-SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
-
-SRC_URI = "git://github.com/flihp/pcr-extend.git;branch=master;protocol=https \
-           file://fix_openssl11_build.patch "
-
-inherit autotools
-
-S = "${WORKDIR}/git"
-
-do_compile() {
-    oe_runmake -C ${S}/src
-}
-
-do_install() {
-    install -d ${D}${bindir}
-    oe_runmake -C ${S}/src DESTDIR="${D}" install 
-}
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.3.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb
similarity index 92%
rename from meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.3.bb
rename to meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb
index 55d83f9..614b07f 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.3.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb
@@ -6,8 +6,8 @@
 # expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests
 DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib"
 
-SRCREV = "f2268eebb0d1adf89bad83fa4cf91e37b4e3fa53"
-SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.7-next;protocol=https \
+SRCREV = "2ae7b019370760e17f4f2675195a91ca53950eda"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=master;protocol=https \
            "
 PE = "1"
 
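Review bot: The new SRC_URI on the `+` line follows `branch=master`, where the previous recipe followed a stable branch (`stable-0.7-next`), so the 0.8.0 recipe is now tied to upstream's development line. The pinned SRCREV keeps the fetched source fixed today, but a later SRCREV refresh or an AUTOREV override would pull unreleased code into a recipe whose PV still says 0.8.0. If upstream maintains a stable branch for this series (presumably `stable-0.8`, not visible here, so confirm), prefer `branch=stable-0.8` in the SRC_URI. Otherwise add a comment above SRCREV recording which release the hash corresponds to, for example `# SRCREV: commit of the 0.8.0 release tag (verify against upstream)`.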
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
deleted file mode 100644
index 4672bba..0000000
--- a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "The TPM Quote Tools is a collection of programs that provide support \
-  for TPM based attestation using the TPM quote mechanism. \
-  "
-DESCRIPTION = "The TPM Quote Tools is a collection of programs that provide support \
-  for TPM based attestation using the TPM quote mechanism.  The manual \
-  page for tpm_quote_tools provides a usage overview. \
-  \
-  TPM Quote Tools has been tested with TrouSerS on Linux and NTRU on \
-  Windows XP.  It was ported to Windows using MinGW and MSYS. \
-  "
-HOMEPAGE = "https://sourceforge.net/projects/tpmquotetools/"
-SECTION = "security/tpm"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://COPYING;md5=8ec30b01163d242ecf07d9cd84e3611f"
-
-DEPENDS = "libtspi tpm-tools"
-
-SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools;branch=master"
-SRCREV = "4511874d5c9b4504bb96e94f8a14bd6c39a36295"
-
-S = "${WORKDIR}/git"
-inherit autotools
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch
deleted file mode 100644
index 5018d45..0000000
--- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-Title: Fix FTBFS with clang due to uninitialized values
-Date: 2015-06-28
-Author: Alexander <sanek23994@gmail.com>
-Bug-Debian: http://bugs.debian.org/753063
-
-Upstream-Status: Backport
-tpm-tools_1.3.9.1-0.1.debian.tar
-
-Signed-off-by: Armin kuster <akuster808@gmail.com>
-
---- tpm-tools-1.3.8/src/tpm_mgmt/tpm_present.c	2012-05-17 21:49:58.000000000 +0400
-+++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_present.c	2014-06-29 01:01:11.502081468 +0400
-@@ -165,7 +165,7 @@
- 
- 	TSS_BOOL bCmd, bHwd;
- 	BOOL bRc;
--	TSS_HPOLICY hTpmPolicy;
-+	TSS_HPOLICY hTpmPolicy = 0;
- 	char *pwd = NULL;
- 	int pswd_len;
- 	char rsp[5];
---- tpm-tools-1.3.8/src/tpm_mgmt/tpm_takeownership.c	2010-09-30 21:28:09.000000000 +0400
-+++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_takeownership.c	2014-06-29 01:01:51.069373655 +0400
-@@ -67,7 +67,7 @@
- 	char *szSrkPasswd = NULL;
- 	int tpm_len, srk_len;
- 	TSS_HTPM hTpm;
--	TSS_HKEY hSrk;
-+	TSS_HKEY hSrk = 0;
- 	TSS_FLAG fSrkAttrs;
- 	TSS_HPOLICY hTpmPolicy, hSrkPolicy;
- 	int iRc = -1;
---- tpm-tools-1.3.8/src/tpm_mgmt/tpm_nvwrite.c	2011-08-17 16:20:35.000000000 +0400
-+++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_nvwrite.c	2014-06-29 01:02:45.836397172 +0400
-@@ -220,7 +220,7 @@
- 		close(fd);
- 		fd = -1;
- 	} else if (fillvalue >= 0) {
--		if (length < 0) {
-+		if (length == 0) {
- 			logError(_("Requiring size parameter.\n"));
- 			return -1;
- 		}
---- tpm-tools-1.3.8/src/data_mgmt/data_protect.c	2012-05-17 21:49:58.000000000 +0400
-+++ tpm-tools-1.3.8-my/src/data_mgmt/data_protect.c	2014-06-29 01:03:49.863254459 +0400
-@@ -432,8 +432,8 @@
- 
- 	char *pszPin = NULL;
- 
--	CK_RV              rv;
--	CK_SESSION_HANDLE  hSession;
-+	CK_RV              rv = 0;
-+	CK_SESSION_HANDLE  hSession = 0;
- 	CK_OBJECT_HANDLE   hObject;
- 	CK_MECHANISM       tMechanism = { CKM_AES_ECB, NULL, 0 };
- 
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch
deleted file mode 100644
index 9ae3f72..0000000
--- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Upstream-Status: Pending
-Update to build with openssl 1.1.x
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: git/src/cmds/tpm_extendpcr.c
-===================================================================
---- git.orig/src/cmds/tpm_extendpcr.c
-+++ git/src/cmds/tpm_extendpcr.c
-@@ -136,7 +136,7 @@ int main(int argc, char **argv)
- 
- 		unsigned char msg[EVP_MAX_MD_SIZE];
- 		unsigned int msglen;
--		EVP_MD_CTX ctx;
-+		EVP_MD_CTX *ctx = EVP_MD_CTX_new();
- 		EVP_DigestInit(&ctx, EVP_sha1());
- 		while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0)
- 			EVP_DigestUpdate(&ctx, line, lineLen);
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
deleted file mode 100644
index 40150af..0000000
--- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
+++ /dev/null
@@ -1,244 +0,0 @@
-Index: git/include/tpm_tspi.h
-===================================================================
---- git.orig/include/tpm_tspi.h
-+++ git/include/tpm_tspi.h
-@@ -117,6 +117,10 @@ TSS_RESULT tpmPcrRead(TSS_HTPM a_hTpm, U
- 			UINT32 *a_PcrSize, BYTE **a_PcrValue);
- TSS_RESULT pcrcompositeSetPcrValue(TSS_HPCRS a_hPcrs, UINT32 a_Idx,
- 					UINT32 a_PcrSize, BYTE *a_PcrValue);
-+TSS_RESULT tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx,
-+			UINT32 a_DataSize, BYTE *a_Data,
-+			TSS_PCR_EVENT *a_Event,
-+			UINT32 *a_PcrSize, BYTE **a_PcrValue);
- #ifdef TSS_LIB_IS_12
- TSS_RESULT unloadVersionInfo(UINT64 *offset, BYTE *blob, TPM_CAP_VERSION_INFO *v);
- TSS_RESULT pcrcompositeSetPcrLocality(TSS_HPCRS a_hPcrs, UINT32 localityValue);
-Index: git/lib/tpm_tspi.c
-===================================================================
---- git.orig/lib/tpm_tspi.c
-+++ git/lib/tpm_tspi.c
-@@ -594,6 +594,20 @@ pcrcompositeSetPcrValue(TSS_HPCRS a_hPcr
- 	return result;
- }
- 
-+TSS_RESULT
-+tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx,
-+		UINT32 a_DataSize, BYTE *a_Data,
-+		TSS_PCR_EVENT *a_Event,
-+		UINT32 *a_PcrSize, BYTE **a_PcrValue)
-+{
-+	TSS_RESULT result =
-+		Tspi_TPM_PcrExtend(a_hTpm, a_Idx, a_DataSize, a_Data, a_Event,
-+				   a_PcrSize, a_PcrValue);
-+	tspiResult("Tspi_TPM_PcrExtend", result);
-+
-+	return result;
-+}
-+
- #ifdef TSS_LIB_IS_12
- /*
-  * These getPasswd functions will wrap calls to the other functions and check to see if the TSS
-Index: git/src/cmds/Makefile.am
-===================================================================
---- git.orig/src/cmds/Makefile.am
-+++ git/src/cmds/Makefile.am
-@@ -22,6 +22,7 @@
- #
- 
- bin_PROGRAMS 	=	tpm_sealdata \
-+			tpm_extendpcr \
- 			tpm_unsealdata
- 
- if TSS_LIB_IS_12
-@@ -33,4 +34,5 @@ endif
- LDADD		=	$(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto @INTLLIBS@
- 
- tpm_sealdata_SOURCES = tpm_sealdata.c
-+tpm_extendpcr_SOURCES = tpm_extendpcr.c
- tpm_unsealdata_SOURCES = tpm_unsealdata.c
-Index: git/src/cmds/tpm_extendpcr.c
-===================================================================
---- /dev/null
-+++ git/src/cmds/tpm_extendpcr.c
-@@ -0,0 +1,181 @@
-+/*
-+ * The Initial Developer of the Original Code is International
-+ * Business Machines Corporation. Portions created by IBM
-+ * Corporation are Copyright (C) 2005, 2006 International Business
-+ * Machines Corporation. All Rights Reserved.
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the Common Public License as published by
-+ * IBM Corporation; either version 1 of the License, or (at your option)
-+ * any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * Common Public License for more details.
-+ *
-+ * You should have received a copy of the Common Public License
-+ * along with this program; if not, a copy can be viewed at
-+ * http://www.opensource.org/licenses/cpl1.0.php.
-+ */
-+#include <openssl/evp.h>
-+#include <openssl/sha.h>
-+#include <limits.h>
-+#include "tpm_tspi.h"
-+#include "tpm_utils.h"
-+#include "tpm_seal.h"
-+
-+// #define TPM_EXTENDPCR_DEBUG
-+
-+static void help(const char *aCmd)
-+{
-+	logCmdHelp(aCmd);
-+	logCmdOption("-i, --infile FILE",
-+		     _
-+		     ("Filename containing data to extend PCRs with. Default is STDIN."));
-+	logCmdOption("-p, --pcr NUMBER",
-+		     _("PCR to extend."));
-+
-+}
-+
-+static char in_filename[PATH_MAX] = "";
-+static TSS_HPCRS hPcrs = NULL_HPCRS;
-+static TSS_HTPM hTpm;
-+static UINT32 selectedPcrs[24];
-+static UINT32 selectedPcrsLen = 0;
-+TSS_HCONTEXT hContext = 0;
-+
-+static int parse(const int aOpt, const char *aArg)
-+{
-+	int rc = -1;
-+
-+	switch (aOpt) {
-+	case 'i':
-+		if (aArg) {
-+			strncpy(in_filename, aArg, PATH_MAX);
-+			rc = 0;
-+		}
-+		break;
-+	case 'p':
-+		if (aArg) {
-+			selectedPcrs[selectedPcrsLen++] = atoi(aArg);
-+			rc = 0;
-+		}
-+		break;
-+	default:
-+		break;
-+	}
-+	return rc;
-+
-+}
-+
-+int main(int argc, char **argv)
-+{
-+
-+	int iRc = -1;
-+	struct option opts[] = {
-+		{"infile", required_argument, NULL, 'i'},
-+		{"pcr", required_argument, NULL, 'p'},
-+	};
-+	unsigned char line[EVP_MD_block_size(EVP_sha1()) * 16];
-+	int lineLen;
-+	UINT32 i;
-+
-+	BIO *bin = NULL;
-+
-+	initIntlSys();
-+
-+	if (genericOptHandler(argc, argv, "i:p:", opts,
-+			      sizeof(opts) / sizeof(struct option), parse,
-+			      help) != 0)
-+		goto out;
-+
-+	if (contextCreate(&hContext) != TSS_SUCCESS)
-+		goto out;
-+
-+	if (contextConnect(hContext) != TSS_SUCCESS)
-+		goto out_close;
-+
-+	if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
-+		goto out_close;
-+
-+	/* Create a BIO for the input file */
-+	if ((bin = BIO_new(BIO_s_file())) == NULL) {
-+		logError(_("Unable to open input BIO\n"));
-+		goto out_close;
-+	}
-+
-+	/* Assign the input file to the BIO */
-+	if (strlen(in_filename) == 0) 
-+		BIO_set_fp(bin, stdin, BIO_NOCLOSE);
-+	else if (!BIO_read_filename(bin, in_filename)) {
-+		logError(_("Unable to open input file: %s\n"),
-+			 in_filename);
-+		goto out_close;
-+	}
-+
-+	/* Create the PCRs object. If any PCRs above 15 are selected, this will need to be
-+	 * a 1.2 TSS/TPM */
-+	if (selectedPcrsLen) {
-+		TSS_FLAG initFlag = 0;
-+		UINT32 pcrSize;
-+		BYTE *pcrValue;
-+
-+		for (i = 0; i < selectedPcrsLen; i++) {
-+			if (selectedPcrs[i] > 15) {
-+#ifdef TSS_LIB_IS_12
-+				initFlag |= TSS_PCRS_STRUCT_INFO_LONG;
-+#else
-+				logError(_("This version of %s was compiled for a v1.1 TSS, which "
-+					 "can only seal\n data to PCRs 0-15. PCR %u is out of range"
-+					 "\n"), argv[0], selectedPcrs[i]);
-+				goto out_close;
-+#endif
-+			}
-+		}
-+
-+		unsigned char msg[EVP_MAX_MD_SIZE];
-+		unsigned int msglen;
-+		EVP_MD_CTX ctx;
-+		EVP_DigestInit(&ctx, EVP_sha1());
-+		while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0)
-+			EVP_DigestUpdate(&ctx, line, lineLen);
-+		EVP_DigestFinal(&ctx, msg, &msglen);
-+
-+		if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag,
-+					&hPcrs) != TSS_SUCCESS)
-+			goto out_close;
-+
-+		for (i = 0; i < selectedPcrsLen; i++) {
-+#ifdef TPM_EXTENDPCR_DEBUG
-+			if (tpmPcrRead(hTpm, selectedPcrs[i], &pcrSize, &pcrValue) != TSS_SUCCESS)
-+				goto out_close;
-+
-+			unsigned int j;
-+			for (j = 0; j < pcrSize; j++)
-+			  printf("%02X ", pcrValue[j]);
-+			printf("\n");
-+#endif
-+			
-+			if (tpmPcrExtend(hTpm, selectedPcrs[i], msglen, msg, NULL, &pcrSize, &pcrValue) != TSS_SUCCESS)
-+			  goto out_close;
-+
-+#ifdef TPM_EXTENDPCR_DEBUG
-+			for (j = 0; j < pcrSize; j++)
-+			  printf("%02X ", pcrValue[j]);
-+			printf("\n");
-+#endif
-+		}
-+	}
-+
-+	iRc = 0;
-+	logSuccess(argv[0]);
-+
-+out_close:
-+	contextClose(hContext);
-+
-+out:
-+	if (bin)
-+		BIO_free(bin);
-+	return iRc;
-+}
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
deleted file mode 100644
index b47d53a..0000000
--- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
+++ /dev/null
@@ -1,35 +0,0 @@
-SUMMARY = "The tpm-tools package contains commands to allow the platform administrator the ability to manage and diagnose the platform's TPM."
-DESCRIPTION = " \
-  The tpm-tools package contains commands to allow the platform administrator \
-  the ability to manage and diagnose the platform's TPM.  Additionally, the \
-  package contains commands to utilize some of the capabilities available \
-  in the TPM PKCS#11 interface implemented in the openCryptoki project. \
-  "
-SECTION = "tpm"
-LICENSE = "CPL-1.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
-
-DEPENDS = "libtspi openssl perl-native"
-DEPENDS:class-native = "trousers-native"
-
-SRCREV = "bf43837575c5f7d31865562dce7778eae970052e"
-SRC_URI = " \
-    git://git.code.sf.net/p/trousers/tpm-tools;branch=master \
-    file://tpm-tools-extendpcr.patch \
-    file://04-fix-FTBFS-clang.patch \
-    file://openssl1.1_fix.patch \
-    "
-
-inherit autotools-brokensep gettext
-
-S = "${WORKDIR}/git"
-
-do_configure:prepend () {
-	mkdir -p po
-	mkdir -p m4
-	cp -R po_/* po/
-	touch po/Makefile.in.in
-	touch m4/Makefile.am
-}
-
-BBCLASSEXTEND = "native"
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
deleted file mode 100644
index 7b3cc77..0000000
--- a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 3396fc7a184293c23135161f034802062f7f3816 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <adraszik@tycoint.com>
-Date: Wed, 1 Nov 2017 11:41:48 +0000
-Subject: [PATCH] build: don't override --localstatedir --mandir --sysconfdir
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It is currently impossible to override localstatedir,
-mandir and sysconfdir during ./configure, because they
-are being overriden unconditionally because of they
-way trousers is built using rpmbuild.
-
-If they need massaging for rpmbuild, the values should
-be specified inside the spec file, not in ./configure
-and thereby overriding user-requested values.
-
-With this patch it is now possible to set above
-locations as needed. The .spec file is being modified
-as well so as to restore previous behaviour.
-
-Signed-off-by: André Draszik <adraszik@tycoint.com>
----
-Upstream-Status: Submitted [https://sourceforge.net/p/trousers/mailman/message/36099290/]
-Signed-off-by: André Draszik <adraszik@tycoint.com>
- configure.ac          | 11 ++---------
- dist/trousers.spec.in |  2 +-
- 2 files changed, 3 insertions(+), 10 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index b9626af..7fe5f8e 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -376,16 +376,9 @@ CFLAGS="$CFLAGS -I../include \
- KERNEL_VERSION=`uname -r`
- AC_SUBST(CFLAGS)
- 
--# When we build the rpms, prefix will be /usr. This'll do some things that make sense,
--# like put our sbin stuff in /usr/sbin and our library in /usr/lib. It'll do some other
--# things that don't make sense like put our config file in /usr/etc. So, I'll just hack
--# it here. If the --prefix option isn't specified during configure, let it all go to
-+# If the --prefix option isn't specified during configure, let it all go to
- # /usr/local, even /usr/local/etc. :-P
--if test x"${prefix}" = x"/usr"; then
--	sysconfdir="/etc"
--	localstatedir="/var"
--	mandir="/usr/share/man"
--elif test x"${prefix}" = x"NONE"; then
-+if test x"${prefix}" = x"NONE"; then
- 	localstatedir="/usr/local/var"
- fi
- 
-diff --git a/dist/trousers.spec.in b/dist/trousers.spec.in
-index b298b0e..10ef178 100644
---- a/dist/trousers.spec.in
-+++ b/dist/trousers.spec.in
-@@ -45,7 +45,7 @@ applications.
- 
- %build
- %{?arch64:export PKG_CONFIG_PATH=%{pkgconfig_path}:$PKG_CONFIG_PATH}
--./configure --prefix=/usr --libdir=%{_libdir}
-+./configure --prefix=/usr --libdir=%{_libdir} --sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man
- make
- 
- %clean
--- 
-2.15.0.rc1
-
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
deleted file mode 100644
index 3f5a144..0000000
--- a/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-trousers: fix compiling with musl
-
-use POSIX getpwent instead of getpwent_r
-
-Upstream-Status: Submitted
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
-Index: git/src/tspi/ps/tspps.c
-===================================================================
---- git.orig/src/tspi/ps/tspps.c
-+++ git/src/tspi/ps/tspps.c
-@@ -66,9 +66,6 @@ get_user_ps_path(char **file)
- 	TSS_RESULT result;
- 	char *file_name = NULL, *home_dir = NULL;
- 	struct passwd *pwp;
--#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
--	struct passwd pw;
--#endif
- 	struct stat stat_buf;
- 	char buf[PASSWD_BUFSIZE];
- 	uid_t euid;
-@@ -96,24 +93,15 @@ get_user_ps_path(char **file)
- #else
- 	setpwent();
- 	while (1) {
--#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
--		rc = getpwent_r(&pw, buf, PASSWD_BUFSIZE, &pwp);
--		if (rc) {
--			LogDebugFn("USER PS: Error getting path to home directory: getpwent_r: %s",
--				   strerror(rc));
--			endpwent();
--			return TSPERR(TSS_E_INTERNAL_ERROR);
--		}
--
--#elif (defined (__FreeBSD__) || defined (__OpenBSD__))
- 		if ((pwp = getpwent()) == NULL) {
- 			LogDebugFn("USER PS: Error getting path to home directory: getpwent: %s",
-                                    strerror(rc));
- 			endpwent();
-+#if (defined (__FreeBSD__) || defined (__OpenBSD__))
- 			MUTEX_UNLOCK(user_ps_path);
-+#endif
- 			return TSPERR(TSS_E_INTERNAL_ERROR);
- 		}
--#endif
- 		if (euid == pwp->pw_uid) {
-                         home_dir = strdup(pwp->pw_dir);
-                         break;
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service b/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service
deleted file mode 100644
index 787d4e9..0000000
--- a/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=TCG Core Services Daemon
-After=syslog.target
-
-[Service]
-Type=forking
-ExecStart=@SBINDIR@/tcsd
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules b/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
deleted file mode 100644
index 256babd..0000000
--- a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
+++ /dev/null
@@ -1,2 +0,0 @@
-# trousers daemon expects tpm device to be owned by tss user & group
-KERNEL=="tpm[0-9]*", MODE="0600", OWNER="tss", GROUP="tss"
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh b/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
deleted file mode 100644
index d0d6cb3..0000000
--- a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/sh
-
-### BEGIN INIT INFO
-# Provides:		tcsd trousers
-# Required-Start:	$local_fs $remote_fs $network
-# Required-Stop:	$local_fs $remote_fs $network
-# Should-Start:
-# Should-Stop:
-# Default-Start:	2 3 4 5
-# Default-Stop:		0 1 6
-# Short-Description:	starts tcsd
-# Description:		tcsd belongs to the TrouSerS TCG Software Stack
-### END INIT INFO
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-DAEMON=/usr/sbin/tcsd
-NAME=tcsd
-DESC="Trusted Computing daemon"
-USER="tss"
-
-test -x "${DAEMON}" || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-
-case "${1}" in
-	start)
-		echo "Starting $DESC: "
-
-		if [ ! -e /dev/tpm* ]
-		then
-			echo "device driver not loaded, skipping."
-			exit 0
-		fi
-
-		start-stop-daemon --start --quiet --oknodo \
-			--pidfile /var/run/${NAME}.pid --make-pidfile --background \
-			--user ${USER} --chuid ${USER} \
-			--exec ${DAEMON} -- ${DAEMON_OPTS} --foreground
-		RETVAL="$?"
-		echo "$NAME."
-		exit $RETVAL
-		;;
-
-	stop)
-		echo "Stopping $DESC: "
-
-		start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --exec ${DAEMON}
-		RETVAL="$?"
-                echo  "$NAME."
-		rm -f /var/run/${NAME}.pid
-		exit $RETVAL
-		;;
-
-	restart|force-reload)
-		"${0}" stop
-		sleep 1
-		"${0}" start
-		exit $?
-		;;
-	*)
-		echo "Usage: ${NAME} {start|stop|restart|force-reload|status}" >&2
-		exit 3
-		;;
-esac
-
-exit 0
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
deleted file mode 100644
index 192c66c..0000000
--- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ /dev/null
@@ -1,120 +0,0 @@
-SUMMARY = "TrouSerS - An open-source TCG Software Stack implementation."
-LICENSE = "BSD-3-Clause"
-HOMEPAGE = "http://sourceforge.net/projects/trousers/"
-LIC_FILES_CHKSUM = "file://README;startline=3;endline=4;md5=2af28fbed0832e4d83a9e6dd68bb4413"
-SECTION = "security/tpm"
-
-DEPENDS = "openssl"
-
-SRCREV = "94144b0a1dcef6e31845d6c319e9bd7357208eb9"
-PV = "0.3.15+git${SRCPV}"
-
-SRC_URI = " \
-	git://git.code.sf.net/p/trousers/trousers;branch=master \
-    	file://trousers.init.sh \
-    	file://trousers-udev.rules \
-    	file://tcsd.service \
-        file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
-        file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
-    	"
-
-S = "${WORKDIR}/git"
-
-inherit autotools pkgconfig useradd update-rc.d ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
-
-PACKAGECONFIG ?= "gmp "
-PACKAGECONFIG[gmp] = "--with-gmp, --with-gmp=no, gmp"
-PACKAGECONFIG[gtk] = "--with-gui=gtk, --with-gui=none, gtk+"
-
-do_install () {
-    oe_runmake DESTDIR=${D} install
-}
-
-do_install:append() {
-    install -d ${D}${sysconfdir}/init.d
-    install -m 0755 ${WORKDIR}/trousers.init.sh ${D}${sysconfdir}/init.d/trousers
-    install -d ${D}${sysconfdir}/udev/rules.d
-    install -m 0644 ${WORKDIR}/trousers-udev.rules ${D}${sysconfdir}/udev/rules.d/45-trousers.rules
-
-    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-        install -d ${D}${systemd_unitdir}/system
-        install -m 0644 ${WORKDIR}/tcsd.service ${D}${systemd_unitdir}/system/
-        sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/tcsd.service
-    fi        
-}
-
-CONFFILES:${PN} += "${sysconfig}/tcsd.conf"
-
-PROVIDES = "${PACKAGES}"
-PACKAGES = " \
-	libtspi \
-	libtspi-dbg \
-	libtspi-dev \
-	libtspi-doc \
-	libtspi-staticdev \
-	trousers \
-	trousers-dbg \
-	trousers-doc \
-	"
-
-# libtspi needs tcsd for most (all?) operations, so suggest to
-# install that.
-RRECOMMENDS:libtspi = "${PN}"
-
-FILES:libtspi = " \
-	${libdir}/*.so.1 \
-	${libdir}/*.so.1.2.0 \
-	"
-FILES:libtspi-dbg = " \
-	${libdir}/.debug \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tspi \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trspi \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/*.h \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/tss \
-	"
-FILES:libtspi-dev = " \
-	${includedir} \
-	${libdir}/*.so \
-	"
-FILES:libtspi-doc = " \
-	${mandir}/man3 \
-	"
-FILES:libtspi-staticdev = " \
-	${libdir}/*.la \
-	${libdir}/*.a \
-	"
-FILES:${PN} = " \
-	${sbindir}/tcsd \
-	${sysconfdir} \
-	${localstatedir} \
-	"
-
-FILES:${PN}-dev += "${libdir}/trousers"
-
-FILES:${PN}-dbg = " \
-	${sbindir}/.debug \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcs \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcsd \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tddl \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trousers \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/trousers \
-	"
-FILES:${PN}-doc = " \
-	${mandir}/man5 \
-	${mandir}/man8 \
-	"
-
-FILES:${PN} += "${systemd_unitdir}/*" 
-
-INITSCRIPT_NAME = "trousers"
-INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
-
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM:${PN} = "--system tss"
-USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
-
-SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE:${PN} = "tcsd.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-BBCLASSEXTEND = "native"