diff --git a/0001-swtpm_setup-Initialized-argv-to-NULL-Fedore-Rawhide.patch b/0001-swtpm_setup-Initialized-argv-to-NULL-Fedore-Rawhide.patch
deleted file mode 100644
index efc0b2753344daf91da66603bbdf5f38f3c1623c..0000000000000000000000000000000000000000
--- a/0001-swtpm_setup-Initialized-argv-to-NULL-Fedore-Rawhide.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 5b8c9d205a59932ce4e1894dbf09f5df4cfbb907 Mon Sep 17 00:00:00 2001
-From: Stefan Berger
-Date: Thu, 10 Nov 2022 14:20:53 -0500
-Subject: [PATCH] swtpm_setup: Initialized **argv to NULL (Fedore Rawhide)
-
-gcc 12.2.1 on Fedora Rawhide emits this message:
-
-In file included from /usr/include/glib-2.0/glib.h:116,
- from swtpm_setup.c:26:
-In function 'g_autoptr_cleanup_generic_gfree',
- inlined from 'get_swtpm_capabilities.constprop.0' at swtpm_setup.c:940:24:
-/usr/include/glib-2.0/glib/glib-autocleanups.h:30:3: error: 'argv' may be used uninitialized [-Werror=maybe-uninitialized]
- 30 | g_free (*pp);
- | ^~~~~~~~~~~~
-swtpm_setup.c: In function 'get_swtpm_capabilities.constprop.0':
-swtpm_setup.c:940:24: note: 'argv' was declared here
- 940 | g_autofree gchar **argv;
- | ^~~~
-cc1: all warnings being treated as errors
-
-This makes little sense since the variable is then first used like this:
-
- argv = concat_arrays(swtpm_prg_l, my_argv, FALSE);
-
-Signed-off-by: Stefan Berger
----
- src/swtpm_setup/swtpm_setup.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/swtpm_setup/swtpm_setup.c b/src/swtpm_setup/swtpm_setup.c
-index 1b528c8..3570235 100644
---- a/src/swtpm_setup/swtpm_setup.c
-+++ b/src/swtpm_setup/swtpm_setup.c
-@@ -937,7 +937,7 @@ static int get_swtpm_capabilities(gchar **swtpm_prg_l, gboolean is_tpm2,
- gchar *my_argv[] = { "--print-capabilities", is_tpm2 ? "--tpm2" : NULL, NULL };
- g_autofree gchar *logop = NULL;
- g_autoptr(GError) error = NULL;
-- g_autofree gchar **argv;
-+ g_autofree gchar **argv = NULL;
- int exit_status = 0;
- gboolean success;
- int ret = 1;
---
-2.38.0
-
diff --git a/openssl-swtpm.cnf b/openssl-swtpm.cnf
new file mode 100644
index 0000000000000000000000000000000000000000..6195ecbb5a2f396be3cf3ad25db5fdb1024d7e1e
--- /dev/null
+++ b/openssl-swtpm.cnf
@@ -0,0 +1,4 @@
+.include /etc/ssl/openssl.cnf
+
+[evp_properties]
+rh-allow-sha1-signatures = yes
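Review bot: The new openssl-swtpm.cnf re-enables SHA-1 signatures (`rh-allow-sha1-signatures = yes`) for every process that loads it, yet the file itself carries no record of why the system crypto policy is being overridden; the justification currently lives only in a spec comment. A header such as `# swtpm advertises SHA-1 unconditionally; keep SHA-1 signatures usable for the emulator regardless of the system crypto policy (see swtpm.spec)` would keep the rationale with the file an administrator actually finds. The `.include /etc/ssl/openssl.cnf` line hard-codes the path rather than using the distribution's configured location; it is worth confirming that path resolves on the build target, since an unresolved include would presumably leave the rest of the system configuration out, not just the SHA-1 override. Consider also whether the file should be `%config(noreplace)` in the spec so a local edit survives upgrades.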
diff --git a/selinux.patch b/selinux.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7fc0d4b6723b2ee7f250312974c951af5417086a
--- /dev/null
+++ b/selinux.patch
@@ -0,0 +1,34 @@
+From 1eab90cc323509eda1b43ef81fccb4bcf28056f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Sat, 13 Jul 2024 13:37:29 +0400
+Subject: [PATCH] selinux
+
+---
+ src/selinux/swtpm_svirt.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/selinux/swtpm_svirt.te b/src/selinux/swtpm_svirt.te
+index f7b886c..424efa7 100644
+--- a/src/selinux/swtpm_svirt.te
++++ b/src/selinux/swtpm_svirt.te
+@@ -13,6 +13,7 @@ require {
+ type user_tmp_t;
+ type virtd_t;
+ type virtqemud_t;
++ type virt_var_run_t;
+ }
+
+ swtpm_domtrans(svirt_t)
+@@ -27,6 +28,9 @@ allow svirt_t user_tmp_t:sock_file { create setattr unlink };
+ allow svirt_t virtd_t:dir search;
+ allow svirt_t virtd_t:fifo_file write;
+ allow svirt_t virtqemud_t:fifo_file write;
++allow svirt_t virt_var_run_t:dir { write add_name remove_name };
++allow svirt_t virt_var_run_t:file { create write setattr unlink };
++allow svirt_t virt_var_run_t:sock_file { create write setattr unlink };
+
+ # For virt-install (see https://bugzilla.redhat.com/show_bug.cgi?id=2283878 )
+ allow svirt_tcg_t user_tmp_t:sock_file { create setattr unlink };
+--
+2.41.0.28.gd7d8841f67
+
diff --git a/swtpm-0.9.0.tar.gz b/swtpm-0.9.0.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..9374ff19fc6c0343c3e152e7189af2073b7a9bed
Binary files /dev/null and b/swtpm-0.9.0.tar.gz differ
diff --git a/swtpm-custom-openssl.patch b/swtpm-custom-openssl.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6bd1b40b0c4ed6488b0f38aae7516ce098a10747
--- /dev/null
+++ b/swtpm-custom-openssl.patch
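Review bot: The three new `allow svirt_t virt_var_run_t:...` rules in selinux.patch let the confined VM domain create, write, set attributes on and unlink any file or socket, and add or remove any directory entry, across the whole `virt_var_run_t` type (libvirt's runtime directory under the reference policy), and the patch gives no reason for it: the subject is just "selinux" and the body is empty. The neighbouring `# For virt-install (see ...)` rule shows the file's convention; a comment such as `# swtpm run under svirt_t needs its per-VM state/socket under libvirt's runtime dir (bug/issue: <placeholder>)` above the new rules would record the use case. Since unlink on every `virt_var_run_t` file means a compromised guest process in svirt_t could remove other libvirt runtime files, it is worth checking whether a swtpm-specific type plus a filename transition could scope these rules to swtpm's own objects instead of the whole type. The inner hunks are complete within this file.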
@@ -0,0 +1,12 @@ +Binary files swtpm-0.9.0/.git/index and swtpm-0.9.0.new/.git/index differ +diff -rup swtpm-0.9.0/src/swtpm/main.c swtpm-0.9.0.new/src/swtpm/main.c +--- swtpm-0.9.0/src/swtpm/main.c 2024-07-08 09:34:00.488080859 +0100 ++++ swtpm-0.9.0.new/src/swtpm/main.c 2024-07-08 09:33:40.057884795 +0100 +@@ -70,6 +70,7 @@ int main(int argc, char **argv) + fprintf(stderr, "Missing TPM interface type.\n"); + return 1; + } ++ setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1); + if (!strcmp(argv[1], "socket")) { + return swtpm_main(argc-1, &argv[1], argv[0], "socket"); + #ifdef WITH_CHARDEV diff --git a/swtpm.spec b/swtpm.spec index 1d108e755d385ecc539755ac2e85a54ef05ab49a..1a9a75d050d4dfaca9ec990c8feaffb924509217 100644 --- a/swtpm.spec +++ b/swtpm.spec @@ -9,13 +9,18 @@ Summary: TPM Emulator Name: swtpm -Version: 0.8.0 +Version: 0.9.0 Release: %{anolis_release}%{?dist} -License: BSD +License: BSD-3-Clause Url: http://github.com/stefanberger/swtpm -Source0: https://github.com/stefanberger/swtpm/archive/refs/tags/v%{version}.tar.gz +Source0: https://github.com/stefanberger/swtpm/archive/v%{version}/%{name}-%{version}.tar.gz +Source1: openssl-swtpm.cnf -Patch0001: 0001-swtpm_setup-Initialized-argv-to-NULL-Fedore-Rawhide.patch +# Prevent crypto policies disabling SHA-1. +# swtpm algorithm list is unconditional. Since it advertizes +# SHA-1, we MUST always provide a working SHA-1 impl +Patch0002: swtpm-custom-openssl.patch +Patch0003: selinux.patch BuildRequires: make BuildRequires: git-core @@ -27,7 +32,7 @@ BuildRequires: expect BuildRequires: net-tools BuildRequires: openssl-devel BuildRequires: socat -BuildRequires: trousers >= 0.3.9 +BuildRequires: tpm2-tss BuildRequires: softhsm BuildRequires: json-glib-devel %if %{with gnutls} 
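Review bot: The added `setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1);` in main() is exported to every process swtpm goes on to spawn, so the SHA-1 exemption in that file reaches further than the emulator itself, and the overwrite flag `1` also discards any `OPENSSL_CONF` an operator set for this process; if both are intended, a comment like `/* OPENSSL_CONF is inherited by swtpm's children and overrides an operator-supplied value on purpose */` should say so. The call's result is not checked; `setenv` can fail, in which case swtpm would silently run with the default configuration and the SHA-1 algorithms it advertises would later fail, so `if (setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1) != 0) fprintf(stderr, "Could not set OPENSSL_CONF\n");` is the minimum. The path is hard-coded while the spec installs the file under `%{_sysconfdir}/ssl/`, which agree only as long as `_sysconfdir` is `/etc`. The first line of the patch file, `Binary files swtpm-0.9.0/.git/index and swtpm-0.9.0.new/.git/index differ`, is noise from diffing a git checkout and should be dropped before the patch tool in %prep sees it. main()'s body continues outside the hunk.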
@@ -42,24 +47,26 @@ BuildRequires: gcc BuildRequires: libseccomp-devel BuildRequires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd BuildRequires: python3-devel +BuildRequires: gmp-devel Requires: %{name}-libs = %{version}-%{release} Requires: libtpms >= 0.6.0 -%{?selinux_requires} +Requires: (%{name}-selinux if selinux-policy-targeted) + %description TPM emulator built on libtpms providing TPM functionality for QEMU VMs %package libs Summary: Private libraries for swtpm TPM emulators -License: BSD +License: BSD-3-Clause %description libs A private library with callback functions for libtpms based swtpm TPM emulator %package devel Summary: Include files for the TPM emulator's CUSE interface for usage by clients -License: BSD +License: BSD-3-Clause Requires: %{name}-libs = %{version}-%{release} %description devel @@ -67,7 +74,7 @@ Include files for the TPM emulator's CUSE interface. %package tools Summary: Tools for the TPM emulator -License: BSD +License: BSD-3-Clause Requires: swtpm = %{version}-%{release} # trousers: for tss account Requires: trousers >= 0.3.9 bash gnutls-utils @@ -77,7 +84,7 @@ Tools for the TPM emulator from the swtpm package %package tools-pkcs11 Summary: Tools for creating a local CA based on a TPM pkcs11 device -License: BSD +License: BSD-3-Clause Requires: swtpm-tools = %{version}-%{release} Requires: tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools tpm2-abrmd Requires: expect gnutls-utils trousers >= 0.3.9 @@ -85,6 +92,15 @@ Requires: expect gnutls-utils trousers >= 0.3.9 %description tools-pkcs11 Tools for creating a local CA based on a pkcs11 device +%package selinux +Summary: SELinux security policy for swtpm +Requires(post): swtpm = %{version}-%{release} +BuildArch: noarch +%{?selinux_requires} + +%description selinux +SELinux security policy for swtpm. + %package doc Summary: Doc files for %{name} Requires: %{name} = %{EVR} 
@@ -115,25 +131,30 @@ make %{?_smp_mflags} check VERBOSE=1 %make_install rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so} +%__install -d %{buildroot}%{_sysconfdir}/ssl +cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/ssl/ + %generate_compatibility_deps -%post +%post selinux for pp in /usr/share/selinux/packages/swtpm.pp \ - /usr/share/selinux/packages/swtpm_svirt.pp; do + /usr/share/selinux/packages/swtpm_svirt.pp \ + /usr/share/selinux/packages/swtpm_libvirt.pp; do %selinux_modules_install -s %{selinuxtype} ${pp} done restorecon %{_bindir}/swtpm -%postun +%postun selinux if [ $1 -eq 0 ]; then - for p in swtpm swtpm_svirt; do + for p in swtpm_libvirt swtpm swtpm_svirt; do %selinux_modules_uninstall -s %{selinuxtype} $p done fi -%posttrans +%posttrans selinux %selinux_relabel_post -s %{selinuxtype} + %ldconfig_post libs %ldconfig_postun libs @@ -141,8 +162,11 @@ fi %license LICENSE %{_bindir}/swtpm %{_mandir}/man8/swtpm.8* +%files selinux %{_datadir}/selinux/packages/swtpm.pp +%{_datadir}/selinux/packages/swtpm_libvirt.pp %{_datadir}/selinux/packages/swtpm_svirt.pp +%{_sysconfdir}/ssl/openssl-swtpm.cnf %files libs %license LICENSE @@ -175,8 +199,6 @@ fi %{_mandir}/man8/swtpm-localca.8* %{_mandir}/man8/swtpm_localca.8* %{_mandir}/man8/swtpm_setup.8* -%{_mandir}/man8/swtpm_cuse.8* -%exclude %{_mandir}/man8/swtpm_cuse.8.gz %config(noreplace) %{_sysconfdir}/swtpm_setup.conf %config(noreplace) %{_sysconfdir}/swtpm-localca.options %config(noreplace) %{_sysconfdir}/swtpm-localca.conf @@ -194,5 +216,12 @@ fi %doc README %changelog +* Thu Mar 20 2025 happy_orange - 0.9.0-1 +- update to 0.9.0 +- split swtpm-selinux package from swtpm +- remove patches that have been merged upstream + [Patches cherry-pick from c10s. Original changelog: + - Add extra SELinux policies.(0.9.0-5)] + * Sat Mar 18 2023 Chunmei Xu - 0.8.0-1 - init from upstream 
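Review bot: In the `@@ -141,8 +162,11 @@` hunk `%{_sysconfdir}/ssl/openssl-swtpm.cnf` is placed after the new `%files selinux` marker, so the file ships in the noarch selinux subpackage, while the binary that hard-codes that path (via swtpm-custom-openssl.patch) is in the main package, which only pulls the subpackage in conditionally (`Requires: (%{name}-selinux if selinux-policy-targeted)`). On a host without selinux-policy-targeted, swtpm would run with OPENSSL_CONF pointing at a file that is not installed, and presumably without the SHA-1 override the spec says it must always have. The line should move above `%files selinux` into the main package's list and, being an administrator-editable OpenSSL config, be marked `%config(noreplace) %{_sysconfdir}/ssl/openssl-swtpm.cnf`. In the `%install` hunk the file is copied with a bare `cp`; `install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/ssl/` would pin its mode rather than inherit whatever the source tree has.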
diff --git a/v0.8.0.tar.gz b/v0.8.0.tar.gz
deleted file mode 100644
index ee5865e2c325ed35e333c654e93455e0f01798ad..0000000000000000000000000000000000000000
Binary files a/v0.8.0.tar.gz and /dev/null differ