openSUSE Commits
April 2023
- 1 participants
- 3149 discussions
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package teleport for openSUSE:Factory checked in at 2023-04-30 16:07:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/teleport (Old)
and /work/SRC/openSUSE:Factory/.teleport.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "teleport"
Sun Apr 30 16:07:54 2023 rev:55 rq:1083717 version:12.2.5
Changes:
--------
--- /work/SRC/openSUSE:Factory/teleport/teleport.changes 2023-04-21 14:17:26.130723310 +0200
+++ /work/SRC/openSUSE:Factory/.teleport.new.1533/teleport.changes 2023-04-30 16:08:07.452280088 +0200
@@ -1,0 +2,90 @@
+Sun Apr 30 07:15:36 UTC 2023 - kastl(a)b1-systems.de
+
+- Update to version 12.2.5:
+ * Release 12.2.5 (#25326)
+ * Integrations: AWS OIDC - ListDatabases action (#24877)
+ * Record and verify WebAuthn RPIDs (#25238) (#25289)
+ * [v12] Fuzz TDP protocol, fix two issues. (#25308)
+ * Add option to override kube context on `tsh kube login`
+ (#25253)
+ * Fix `TestAuthSignKubeconfig` test (#25269)
+ * Update Electron to 22.3.6 (#25184)
+ * Fix cluster alerts timeout (#25300)
+ * Properly handle SAML IdP enable/disable. (#25309)
+ * Addresses #23554 (#25296)
+ * Do not try to verify PROXY signature for non-Teleport TLVs
+ (#25302)
+ * Bump gh-trigger-workflow timeout to 2h30m (#25174)
+ * [v12] Clean up Drone slack notifcations (#25217)
+ * Use the correct emitter in auth.TLSServer (#25272)
+ * Fix `underlying reader not a terminal` issues (#25102) (#25242)
+ * [v12] docs: Login Rule k8s operator docs (#25158)
+ * [v12] Show <1m for remaining tsh status valid time for last
+ minute (#25225)
+ * Move db cert renewal message to debug log (#25222)
+ * docs: add information on viewing status and logs for systemd
+ service (#25199)
+ * * Save ssh_service.public_addr values to Server.PublicAddrs
+ instead of discarding them (#25223)
+ * Add new field to license spec (#23194) (#25197)
+ * fix: avoid inadvertent deletion of active HSM keys (#25208)
+ * [v12] Update headless tsh command descriptions (#25148)
+ * [v12] Update e ref. (#25205)
+ * Connect: Fix logout sequence (#24978) (#25182)
+ * Avoid prompting users for mfa when using `tsh ssh --headless`
+ (#24701) (#25187)
+ * [v12] Simplify Okta assignment statuses. (#25189)
+ * Improve performance of MFA ceremony (#24804)
+ * Headless Login explicit username (#24689) (#25112)
+ * Alphabetize the GUI Client page (#25120)
+ * [v12] Document relative link paths in partials (#25117)
+ * [v12] docs: append cluster name for example ansible hosts list
+ (#25124)
+ * [v12] Order sudoers file lines by role name (#24792)
+ * [web] Add storeUser to console context (#24159) (#24809)
+ * Add login hooks. (#24828) (#25105)
+ * Join Script: fix tarball folder for ent builds (#25076)
+ * fix github url formatting (#25089) (#25098)
+ * Add key attestation to generate user certs to catch non-login
+ flows. (#24867) (#24956)
+ * add comment specifying kubernetes user (#24916)
+ * docs: Add warning about TLS multiplexing to Kubernetes IAM
+ joining (#24820)
+ * OktaAssignment and UserGroup in auth cache. (#25067)
+ * docs: fix spelling and remove misspelled word from spellcheck
+ skip (#25030)
+ * Add in group labels for role conditions. (#25080)
+ * Log informative messages for device authn failures (#24912)
+ * [v12] docs: Change `listen_addr` to `web_listen_addr` in custom
+ Helm deployment guide (#24974)
+ * docs: fix directory instruction for docs contributing (#24994)
+ * docs: Adds common Teleport configure,start and helm charts for
+ non-iam db access guides (#25001)
+ * Pass the auth.Server itself to inventory.NewController (#25007)
+ * [v12] local proxy not required for mysql separate port (#24827)
+ * replace 'machine' with 'host' or 'workstation' (#24986)
+ * clarify tctl command location and secret destination (#24982)
+ * Make tsh check SSH_ user, proxy, and cluster env variables if
+ not already set. (#24470)
+ * [v12] docs: update version (#24957)
+ * [v12] Proxy Client (#24734)
+ * docs: make adopters table markdown for cleaner look (#24951)
+ * Fix example API client imports (#24375)
+ * docs: remove unneeded sudo for removing user data dirs (#24919)
+ * [v12] Makes the `Per Role` per session mfa example accurate
+ (#24927)
+ * [v12] docs: remove duplicate content in oracle guide (#24907)
+ * docs: bump cloud to 12.2.3 (#24769) (#24843)
+ * [v12] docs: provide warning on Amazon Linux 2023 installations
+ (#24853)
+ * Update e ref (#24894)
+ * Use apt.releases to fetch pub key (#24875)
+ * [v12] Update crewjam/saml dependency. (#24898)
+ * [v12] Edit Homebrew installation instructions (#24824)
+ * Remove unnecessary sudo from Connect uninstall docs (#24888)
+ * Update Cloud FAQ doc to remove latency note (#24891)
+ * refactor how 'tsh scp' destinations are parsed (#24861)
+ * [v12] docs: provider faq answer for configurable maintenance
+ times for cloud (#24855)
+
+-------------------------------------------------------------------
Old:
----
teleport-12.2.4.tar.gz
New:
----
teleport-12.2.5.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ teleport.spec ++++++
--- /var/tmp/diff_new_pack.DRa78l/_old 2023-04-30 16:08:11.064302124 +0200
+++ /var/tmp/diff_new_pack.DRa78l/_new 2023-04-30 16:08:11.068302148 +0200
@@ -19,7 +19,7 @@
%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
Name: teleport
-Version: 12.2.4
+Version: 12.2.5
Release: 0
Summary: Identity-aware, multi-protocol access proxy
License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.DRa78l/_old 2023-04-30 16:08:11.104302367 +0200
+++ /var/tmp/diff_new_pack.DRa78l/_new 2023-04-30 16:08:11.108302392 +0200
@@ -4,7 +4,7 @@
<param name="scm">git</param>
<param name="submodules">disable</param>
<param name="exclude">.git</param>
- <param name="revision">v12.2.4</param>
+ <param name="revision">v12.2.5</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="versionrewrite-pattern">v(.*)</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.DRa78l/_old 2023-04-30 16:08:11.128302514 +0200
+++ /var/tmp/diff_new_pack.DRa78l/_new 2023-04-30 16:08:11.132302539 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/gravitational/teleport</param>
- <param name="changesrevision">0f5a2d86b6a261f019759094e0d9e77ee9953e7b</param></service></servicedata>
+ <param name="changesrevision">6a5808d309e6512ed55bbf4ae75c18d682541d38</param></service></servicedata>
(No newline at EOF)
++++++ teleport-12.2.4.tar.gz -> teleport-12.2.5.tar.gz ++++++
/work/SRC/openSUSE:Factory/teleport/teleport-12.2.4.tar.gz /work/SRC/openSUSE:Factory/.teleport.new.1533/teleport-12.2.5.tar.gz differ: char 14, line 1
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/teleport/vendor.tar.gz /work/SRC/openSUSE:Factory/.teleport.new.1533/vendor.tar.gz differ: char 5, line 1
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package dagger for openSUSE:Factory checked in at 2023-04-30 16:07:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/dagger (Old)
and /work/SRC/openSUSE:Factory/.dagger.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dagger"
Sun Apr 30 16:07:53 2023 rev:34 rq:1083712 version:0.5.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/dagger/dagger.changes 2023-04-13 17:02:48.315607500 +0200
+++ /work/SRC/openSUSE:Factory/.dagger.new.1533/dagger.changes 2023-04-30 16:08:04.164260029 +0200
@@ -1,0 +2,71 @@
+Sun Apr 30 07:00:11 UTC 2023 - kastl(a)b1-systems.de
+
+- Update to version 0.5.1:
+ * core: Implicitly call `entrypoint` + `defaultArgs` when needed
+ (#5039)
+ * docs: Clarified Python get started steps (#5029)
+ * docs: Fixed inconsistent Node.js tab labels (#5018)
+ * engine: upgrade buildkit to fix for cache ref leak (#5031)
+ * engine: Ensure that dnsmasq subprocess is killed (#5032)
+ * Ensure engine exits 0 when it receives SIGTERM/SIGINT. (#5024)
+ * dnsmasq: stability improvements + greater debuggability (#5015)
+ * engine/cache: release refs after push (#5022)
+ * strip sourcemap from Dockerfile builds (#5012)
+ * Use strings.Builder for querybuilder build method (#5007)
+ * TUI: support PgUp/PgDn/Home/End in log output (#4998)
+ * docs: Updated CI guide (#4952)
+ * keep 755 perms for cache with changed owner (#5006)
+ * Add some more debug endpoints to the engine process. (#5003)
+ * Use background context to release gateway containers. (#5005)
+ * core: refactor away from fooIDPayload pattern (#4973)
+ * Support configuring ownership (almost) everywhere (#4932)
+ * docs: Updated FAQ (#4959)
+ * fix(tui): added h and l as alt collapse/expand bindings (#4997)
+ * fix out-of-order event delivery (#4996)
+ * avoid using HTML chars in doc string (#4988)
+ * docs: improve Copy Embedded Directories into a Container
+ (#4974)
+ * feat: pass secrets to Container.Build and Directory.Build
+ (#4971)
+ * ci: set proper octal notation file permissions (#4985)
+ * fix flock usage for addnhosts (#4983)
+ * Flush cache mounts on cache manager close. (#4980)
+ * Bump graphql-tools-go for session start performance fix (#4977)
+ * test: fix test for directory.dockerBuild (#4976)
+ * ci: use mounted cache for go modules download (#4975)
+ * Fix goroutine leak in cache import. (#4970)
+ * docs: Added Dagger with PHP and Laravel guide (#4913)
+ * First pass at dagger-in-dagger CI! (#4848)
+ * docs: Added cookbook (#4938)
+ * docs: use withDirectory (#4969)
+ * Print engine name to it's own logs (#4964)
+ * Sort out custom transport logic for CLI sessions to fix
+ goroutine leak (#4960)
+ * Add ability for clients to print which engine they are
+ connected to. (#4909)
+ * Add support for cache service. (#4923)
+ * docs: Added note to secrets guide (#4956)
+ * docs: Added note in services guides (#4955)
+ * collect `github.com/pr.branch` label (#4933)
+ * docs: Merged CI guides (#4937)
+ * build(deps): bump oss.terrastruct.com/d2 from 0.1.5 to 0.2.4
+ (#4722)
+ * tests: add additional test on chain operations (#4907)
+ * Go: Implementation of (Container|Directory)With (#4898)
+ * build(deps): bump github.com/docker/docker (#4891)
+ * build(deps): bump golang.org/x/term from 0.5.0 to 0.7.0 (#4895)
+ * build(deps): bump google.golang.org/protobuf from 1.29.0 to
+ 1.29.1 (#4899)
+ * Improve releases instructions during v0.5.0 (#4908)
+ * ci: bump dagger version in mage targets (#4931)
+ * Container: add withExec(skipEntrypoint: Boolean) (#4919)
+ * Set HTTP source filename to be URL. (#4927)
+ * build(deps): bump sass from 1.59.3 to 1.61.0 in /website
+ (#4917)
+ * docs: Updated service containers guide reg. ports (#4897)
+ * docs: Updated requirements for PHP/Rust (#4869)
+ * docs: Added multi-language snippets to multibuild guide (#4875)
+ * build(deps): bump google.golang.org/grpc from 1.52.3 to 1.54.0
+ (#4815)
+
+-------------------------------------------------------------------
Old:
----
dagger-0.5.0.obscpio
New:
----
dagger-0.5.1.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dagger.spec ++++++
--- /var/tmp/diff_new_pack.pohi0c/_old 2023-04-30 16:08:05.364267349 +0200
+++ /var/tmp/diff_new_pack.pohi0c/_new 2023-04-30 16:08:05.368267374 +0200
@@ -19,7 +19,7 @@
%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
Name: dagger
-Version: 0.5.0
+Version: 0.5.1
Release: 0
Summary: A portable devkit for CI/CD pipelines
License: GPL-3.0-only
++++++ _service ++++++
--- /var/tmp/diff_new_pack.pohi0c/_old 2023-04-30 16:08:05.396267544 +0200
+++ /var/tmp/diff_new_pack.pohi0c/_new 2023-04-30 16:08:05.400267569 +0200
@@ -3,7 +3,7 @@
<param name="url">https://github.com/dagger/dagger</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
- <param name="revision">v0.5.0</param>
+ <param name="revision">v0.5.1</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="versionrewrite-pattern">v(.*)</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.pohi0c/_old 2023-04-30 16:08:05.420267691 +0200
+++ /var/tmp/diff_new_pack.pohi0c/_new 2023-04-30 16:08:05.420267691 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/dagger/dagger</param>
- <param name="changesrevision">ff7653d0dd6e2bb50243f05b57a3d5d57fad1a92</param></service></servicedata>
+ <param name="changesrevision">00540aab79993e33bb76933edbb174db1d06a87e</param></service></servicedata>
(No newline at EOF)
++++++ dagger-0.5.0.obscpio -> dagger-0.5.1.obscpio ++++++
/work/SRC/openSUSE:Factory/dagger/dagger-0.5.0.obscpio /work/SRC/openSUSE:Factory/.dagger.new.1533/dagger-0.5.1.obscpio differ: char 49, line 1
++++++ dagger.obsinfo ++++++
--- /var/tmp/diff_new_pack.pohi0c/_old 2023-04-30 16:08:05.452267886 +0200
+++ /var/tmp/diff_new_pack.pohi0c/_new 2023-04-30 16:08:05.456267911 +0200
@@ -1,5 +1,5 @@
name: dagger
-version: 0.5.0
-mtime: 1680820427
-commit: ff7653d0dd6e2bb50243f05b57a3d5d57fad1a92
+version: 0.5.1
+mtime: 1682679202
+commit: 00540aab79993e33bb76933edbb174db1d06a87e
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/dagger/vendor.tar.gz /work/SRC/openSUSE:Factory/.dagger.new.1533/vendor.tar.gz differ: char 5, line 1
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package octave for openSUSE:Factory checked in at 2023-04-30 16:07:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/octave (Old)
and /work/SRC/openSUSE:Factory/.octave.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "octave"
Sun Apr 30 16:07:51 2023 rev:85 rq:1083693 version:8.2.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/octave/octave.changes 2023-01-06 17:06:41.684565179 +0100
+++ /work/SRC/openSUSE:Factory/.octave.new.1533/octave.changes 2023-04-30 16:08:01.348242849 +0200
@@ -1,0 +2,55 @@
+Tue Apr 18 04:17:35 UTC 2023 - Atri Bhattacharya <badshah400(a)gmail.com>
+
+- Update to version 8.2.0:
+ * fopen: Use ���UTF-8��� as default encoding for fopen
+ (https://savannah.gnu.org/bugs/?63930)
+ * fopen, unicode2native: Fix converting the encoding of short
+ char arrays with invalid UTF-8
+ (https://savannah.gnu.org/bugs/?63930)
+ * fopen: Try to gather complete UTF-8 surrogates when converting
+ encoding (https://savannah.gnu.org/bugs/?63930)
+ * fopen: Do not convert encoding for file streams with libc++
+ (https://savannah.gnu.org/bugs/?63930)
+ * pr-output.cc: Fix output for format native-bit
+ (https://savannah.gnu.org/bugs/?63940)
+ * Fix evaluation of & and | expressions in conditional contexts
+ (https://savannah.gnu.org/bugs/?63935)
+ * Avoid clang warning about very unlikely buffer overflow.
+ * mpoles.m: Overhaul function and use absolute tolerance for
+ zero poles (https://savannah.gnu.org/bugs/?63937)
+ * perms.m: Change "unique" output order to reverse lexicographic
+ to match non-unique order
+ (https://savannah.gnu.org/bugs/?63962)
+ * Remove trailing '\r' from curl dir list
+ (https://savannah.gnu.org/bugs/?63851)
+ * Fix display of scalar complex variables with mixed Inf/NaN and
+ floating point values (https://savannah.gnu.org/bugs/?63961)
+ * Don���t use encoding facet when writing bytes to stream
+ (https://savannah.gnu.org/bugs/?63931)
+ * GUI: Speedup loading and saving preferences dialog
+ (https://savannah.gnu.org/bugs/?63909)
+ * Build system / Tests:
+ - inpolygon.m: Fix demo code
+ (https://savannah.gnu.org/bugs/?63865)
+ - if.tst: New test for (https://savannah.gnu.org/bugs/?63935)
+ - acinclude.m4: Correct typo in #define PCRE2_CODE_UNIT_WIDTH.
+ - lu: Add self-test with complex valued input.
+ - Disable visibility flags by default
+ (https://savannah.gnu.org/bugs/?61855, bug #63916).
+ - Check whether using STL from LLVM or Apple
+ (https://savannah.gnu.org/bugs/?63930)
+ - Documentation:
+ - Improve documentation for linspace and logspace functions.
+ - Correct and improve documentation for sparse() function.
+
+-------------------------------------------------------------------
+Sun Mar 12 11:38:54 UTC 2023 - Atri Bhattacharya <badshah400(a)gmail.com>
+
+- Update to version 8.1.0:
+ * Long list of changes, see <https://octave.org/NEWS-8.html>.
+- API version bumped from 57 to 58.
+- Minor re-base of
+ 0001-Add-explicit-ctime-include-required-for-clock.patch for
+ update (file-name change only).
+
+-------------------------------------------------------------------
Old:
----
octave-7.3.0.tar.lz
New:
----
octave-8.2.0.tar.lz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ octave.spec ++++++
--- /var/tmp/diff_new_pack.jDlK5Q/_old 2023-04-30 16:08:03.536256197 +0200
+++ /var/tmp/diff_new_pack.jDlK5Q/_new 2023-04-30 16:08:03.544256246 +0200
@@ -16,9 +16,9 @@
#
-%define apiver v57
+%define apiver v58
# Required for RC builds, in this case version contains ~rc, src_ver -rc
-%define pkg_ver 7.3.0
+%define pkg_ver 8.2.0
%define src_ver %{pkg_ver}
# Use native graphics or gnuplot
++++++ 0001-Disable-signal-handler-thread-avoid-duplicate-signal.patch ++++++
--- /var/tmp/diff_new_pack.jDlK5Q/_old 2023-04-30 16:08:03.564256368 +0200
+++ /var/tmp/diff_new_pack.jDlK5Q/_new 2023-04-30 16:08:03.572256417 +0200
@@ -29,14 +29,14 @@
Not using a dedicated signal handler thread removes a source of
indeterminism, and also fixes https://savannah.gnu.org/bugs/?54607
---
- liboctave/wrappers/signal-wrappers.c | 2 +-
+ liboctave/wrappers/cxx-signal-helpers.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-Index: octave-6.1.0/liboctave/wrappers/signal-wrappers.c
+Index: octave-8.1.0/liboctave/wrappers/cxx-signal-helpers.cc
===================================================================
---- octave-6.1.0.orig/liboctave/wrappers/signal-wrappers.c
-+++ octave-6.1.0/liboctave/wrappers/signal-wrappers.c
-@@ -709,7 +709,7 @@ signal_watcher (void *arg)
+--- octave-8.1.0.orig/liboctave/wrappers/cxx-signal-helpers.cc
++++ octave-8.1.0/liboctave/wrappers/cxx-signal-helpers.cc
+@@ -192,7 +192,7 @@ signal_watcher (void *arg)
void
octave_create_interrupt_watcher_thread (octave_sig_handler *handler)
{
@@ -44,5 +44,5 @@
+#if 0
pthread_t sighandler_thread_id;
- if (pthread_create (&sighandler_thread_id, 0, signal_watcher, handler))
+ if (pthread_create (&sighandler_thread_id, 0, signal_watcher,
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package octave-forge-tisean for openSUSE:Factory checked in at 2023-04-30 16:07:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/octave-forge-tisean (Old)
and /work/SRC/openSUSE:Factory/.octave-forge-tisean.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "octave-forge-tisean"
Sun Apr 30 16:07:48 2023 rev:2 rq:1083691 version:0.2.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/octave-forge-tisean/octave-forge-tisean.changes 2015-08-31 22:58:58.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.octave-forge-tisean.new.1533/octave-forge-tisean.changes 2023-04-30 16:07:59.572232014 +0200
@@ -1,0 +2,7 @@
+Wed Apr 19 08:51:06 UTC 2023 - Atri Bhattacharya <badshah400(a)gmail.com>
+
+- Add tisean-drop-error_state-use.patch -- Drop the use of
+ error_state to support octave >= 8
+ (https://savannah.gnu.org/bugs/index.php?61583)
+
+-------------------------------------------------------------------
New:
----
tisean-drop-error_state-use.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ octave-forge-tisean.spec ++++++
--- /var/tmp/diff_new_pack.LK7bMb/_old 2023-04-30 16:07:59.980234504 +0200
+++ /var/tmp/diff_new_pack.LK7bMb/_new 2023-04-30 16:07:59.984234528 +0200
@@ -1,7 +1,7 @@
#
# spec file for package octave-forge-tisean
#
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@@ -21,10 +21,12 @@
Version: 0.2.3
Release: 0
Summary: Nonlinear Time Series Analysis
-License: GPL-3.0+
+License: GPL-3.0-or-later
Group: Productivity/Scientific/Math
-Url: http://octave.sourceforge.net
+URL: http://octave.sourceforge.net
Source0: http://downloads.sourceforge.net/octave/%{octpkg}-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM tisean-drop-error_state-use.patch badshah400(a)gmail.com -- Drop the use of error_state to support octave >= 8 (https://savannah.gnu.org/bugs/index.php?61583)
+Patch0: tisean-drop-error_state-use.patch
BuildRequires: gcc-c++
BuildRequires: gcc-fortran
BuildRequires: octave-devel
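Review bot: Source0 and the renamed URL tag in this hunk still point at plain http:// (downloads.sourceforge.net and octave.sourceforge.net), although the same change moves the bug tracker link to https. Nothing in the visible lines verifies the downloaded tarball, so consider switching both to https:// if the host serves it, so the source is not fetched over an unauthenticated channel.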
@@ -37,6 +39,9 @@
%prep
%setup -q -c %{name}-%{version}
+pushd %{octpkg}-%{version}
+%autopatch -p1
+popd
%octave_pkg_src
%build
++++++ tisean-drop-error_state-use.patch ++++++
++++ 3726 lines (skipped)
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package octave-forge-image-acquisition for openSUSE:Factory checked in at 2023-04-30 16:07:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/octave-forge-image-acquisition (Old)
and /work/SRC/openSUSE:Factory/.octave-forge-image-acquisition.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "octave-forge-image-acquisition"
Sun Apr 30 16:07:49 2023 rev:2 rq:1083692 version:0.2.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/octave-forge-image-acquisition/octave-forge-image-acquisition.changes 2015-06-16 15:11:56.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.octave-forge-image-acquisition.new.1533/octave-forge-image-acquisition.changes 2023-04-30 16:08:00.352236773 +0200
@@ -1,0 +2,7 @@
+Wed Apr 19 06:54:34 UTC 2023 - Atri Bhattacharya <badshah400(a)gmail.com>
+
+- Add image-acquisition-error-state.patch -- Fix build failure
+ against octave >= 6 by dropping use of error_state
+ [https://savannah.gnu.org/bugs/index.php?63136]
+
+-------------------------------------------------------------------
New:
----
image-acquisition-error-state.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ octave-forge-image-acquisition.spec ++++++
--- /var/tmp/diff_new_pack.KDeU0g/_old 2023-04-30 16:08:00.716238993 +0200
+++ /var/tmp/diff_new_pack.KDeU0g/_new 2023-04-30 16:08:00.720239018 +0200
@@ -1,7 +1,7 @@
#
# spec file for package octave-forge-image-acquisition
#
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@@ -21,10 +21,12 @@
Version: 0.2.2
Release: 0
Summary: Image Acquisition functions for Octave
-License: GPL-3.0+
+License: GPL-3.0-or-later
Group: Productivity/Scientific/Math
-Url: http://octave.sourceforge.net
+URL: http://octave.sourceforge.net
Source0: http://downloads.sourceforge.net/octave/%{octpkg}-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM image-acquisition-error-state.patch badshah400(a)gmail.com -- Fix build failure against octave >= 6 by dropping use of error_state (https://savannah.gnu.org/bugs/index.php?63136)
+Patch0: image-acquisition-error-state.patch
BuildRequires: fltk-devel
BuildRequires: gcc-c++
BuildRequires: libv4l-devel
@@ -38,6 +40,9 @@
%prep
%setup -q -c %{name}-%{version}
+pushd %{octpkg}-%{version}
+%autopatch -p1
+popd
%octave_pkg_src
%build
@@ -56,8 +61,7 @@
%octave --eval "pkg rebuild"
%files
-%defattr(-,root,root)
-%{octpackages_dir}/%{octpkg}-%{version}
-%{octlib_dir}/%{octpkg}-%{version}
+%{octpackages_dir}/%{octpkg}-%{version}/
+%{octlib_dir}/%{octpkg}-%{version}/
%changelog
++++++ image-acquisition-error-state.patch ++++++
# HG changeset patch
# User John Donoghue <john.donoghue(a)ieee.org>
# Date 1664479839 14400
# Thu Sep 29 15:30:39 2022 -0400
# Node ID d9d55170b0a643f91b0330ac5c1dec9275e1440a
# Parent 54ca9d1133df4652058212cd94a8457938703f4b
* src/__v4l2_handler__.cc, src/cl_v4l2_handler.cc: remove usage of error_state (Bug #63136)
diff -r 54ca9d1133df -r d9d55170b0a6 src/__v4l2_handler__.cc
--- a/src/__v4l2_handler__.cc Thu Jul 14 13:01:04 2022 +0200
+++ b/src/__v4l2_handler__.cc Thu Sep 29 15:30:39 2022 -0400
@@ -43,13 +43,13 @@
v4l2_handler::register_type();
type_loaded = true;
}
+
string device = args(0).string_value ();
- if (! error_state)
- {
- v4l2_handler *h = new v4l2_handler ();
- h->open (device.c_str ());
- retval.append (octave_value (h));
- }
+
+ v4l2_handler *h = new v4l2_handler ();
+ h->open (device.c_str ());
+ retval.append (octave_value (h));
+
return retval;
}
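Review bot: args(0) is converted with string_value () without any type check once the error_state guard is removed, whereas the later hunks in this patch add explicit checks before converting. For consistency, test args(0).is_string () and call print_usage () first. Note also that h is allocated with new before h->open (); if open () reports failure through error (), h has not yet been handed to octave_value and is not released.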
@@ -149,11 +149,13 @@
v4l2_handler* imgh = get_v4l2_handler_from_ov (args(0));
if (imgh)
{
- int num = args(1).int_value ();
- if (!error_state)
- imgh->s_input (num);
+ if (! args(1).isnumeric())
+ error("N has to be a integer selecting the desired video input, starting from 0.");
else
- error("N has to be a integer selecting the desired video input, starting from 0.");
+ {
+ int num = args(1).int_value ();
+ imgh->s_input (num);
+ }
}
return retval;
}
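Review bot: the new guard if (! args(1).isnumeric()) is weaker than the message it protects, which asks for an integer starting from 0. A fractional or negative numeric value passes isnumeric () and is then converted by int_value () and handed to s_input (). Consider also rejecting num < 0 and non-integer input before the call; the message should read "an integer".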
@@ -232,15 +234,16 @@
v4l2_handler* imgh = get_v4l2_handler_from_ov (args(0));
if (imgh)
{
- Matrix s = args(1).matrix_value ();
- unsigned int width = s(0);
- unsigned int height = s(1);
- if (error_state)
+ if (!args (1).is_matrix_type())
+ print_usage();
+ else
{
- print_usage();
+ Matrix s = args(1).matrix_value ();
+ unsigned int width = s(0);
+ unsigned int height = s(1);
+ string pixel_format = args(2).string_value ();
+ retval = octave_value(imgh->enum_frameintervals (pixel_format, width, height));
}
- string pixel_format = args(2).string_value ();
- retval = octave_value(imgh->enum_frameintervals (pixel_format, width, height));
}
return retval;
}
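Review bot: s(0) and s(1) are read right after the is_matrix_type () check with nothing verifying that the matrix has at least two elements, so an empty or one-element argument indexes past the data. Add a size check (for example s.numel () >= 2) and fall back to print_usage () otherwise. args(2).string_value () is likewise used without an is_string () check, unlike the guard added in the next hunk.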
@@ -336,6 +339,11 @@
print_usage ();
return retval;
}
+ if (!args (1).is_string() || !args (2).is_matrix_type())
+ {
+ print_usage();
+ return retval;
+ }
v4l2_handler* imgh = get_v4l2_handler_from_ov (args(0));
if (imgh)
@@ -344,10 +352,8 @@
Matrix s = args(2).matrix_value ();
unsigned int xres = s(0);
unsigned int yres = s(1);
- if (! error_state)
- {
- imgh->s_fmt (fmt, xres, yres);
- }
+
+ imgh->s_fmt (fmt, xres, yres);
}
return retval;
}
@@ -398,15 +404,17 @@
print_usage ();
return retval;
}
+ if (!args (1).isnumeric())
+ {
+ error("ID has to be an integer value");
+ return retval;
+ }
v4l2_handler* imgh = get_v4l2_handler_from_ov (args(0));
if (imgh)
{
unsigned int id = args(1).int_value ();
- if (!error_state)
- retval = octave_value(imgh->g_ctrl (id));
- else
- error("ID has to be an integer value");
+ retval = octave_value(imgh->g_ctrl (id));
}
return retval;
}
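Review bot: unsigned int id = args(1).int_value () takes a signed conversion result into an unsigned variable, and the new isnumeric () guard does not exclude negative values, so a negative ID wraps to a large control id before reaching g_ctrl (). Validate the range before the assignment. The return retval; placed after error (...) in the added block looks redundant if error () does not return.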
@@ -429,16 +437,17 @@
print_usage ();
return retval;
}
-
+ if (!args (1).isnumeric() || !args (2).isnumeric())
+ {
+ error("ID and VALUE has to be integer values");
+ return retval;
+ }
v4l2_handler* imgh = get_v4l2_handler_from_ov (args(0));
if (imgh)
{
unsigned int id = args(1).int_value ();
unsigned int value = args(2).int_value ();
- if (!error_state)
- imgh->s_ctrl (id, value);
- else
- error("ID and VALUE has to be integer values");
+ imgh->s_ctrl (id, value);
}
return retval;
}
@@ -485,15 +494,16 @@
print_usage ();
return retval;
}
+ if (!args (1).isnumeric())
+ {
+ return retval;
+ }
v4l2_handler* imgh = get_v4l2_handler_from_ov (args(0));
if (imgh)
{
unsigned int n_buffers = args(1).int_value ();
- if (! error_state)
- {
- imgh->streamon (n_buffers);
- }
+ imgh->streamon (n_buffers);
}
return retval;
}
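Review bot: the added guard if (!args (1).isnumeric()) returns an empty retval without any diagnostic, so a caller passing a wrong type gets no indication that streaming was not started. The other functions in this patch call error () or print_usage () in the same situation; do the same here.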
@@ -515,6 +525,10 @@
print_usage ();
return retval;
}
+ if (nargin > 1 && !args (1).isnumeric())
+ {
+ return retval;
+ }
v4l2_handler* imgh = get_v4l2_handler_from_ov (args(0));
if (imgh)
@@ -522,10 +536,7 @@
int preview = 0;
if (nargin==2)
preview = args(1).int_value ();
- if (!error_state)
- {
- retval = imgh->capture (nargout, preview);
- }
+ retval = imgh->capture (nargout, preview);
}
return retval;
}
diff -r 54ca9d1133df -r d9d55170b0a6 src/cl_v4l2_handler.cc
--- a/src/cl_v4l2_handler.cc Thu Jul 14 13:01:04 2022 +0200
+++ b/src/cl_v4l2_handler.cc Thu Sep 29 15:30:39 2022 -0400
@@ -226,17 +226,16 @@
xioctl (fd, VIDIOC_QUERYCAP, &cap);
octave_scalar_map st;
- if (!error_state)
- {
- st.assign ("driver", std::string((const char*)cap.driver));
- st.assign ("card", std::string((const char*)cap.card));
- st.assign ("bus_info", std::string((const char*)cap.bus_info));
+
+ st.assign ("driver", std::string((const char*)cap.driver));
+ st.assign ("card", std::string((const char*)cap.card));
+ st.assign ("bus_info", std::string((const char*)cap.bus_info));
- char tmp[15];
- snprintf (tmp, 15, "%u.%u.%u", (cap.version >> 16) & 0xFF, (cap.version >> 8) & 0xFF, cap.version & 0xFF);
- st.assign ("version", std::string(tmp));
- st.assign ("capabilities", (unsigned int)(cap.capabilities));
- }
+ char tmp[15];
+ snprintf (tmp, 15, "%u.%u.%u", (cap.version >> 16) & 0xFF, (cap.version >> 8) & 0xFF, cap.version & 0xFF);
+ st.assign ("version", std::string(tmp));
+ st.assign ("capabilities", (unsigned int)(cap.capabilities));
+
return octave_value (st);
}
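Review bot: With the `error_state` guard gone, `cap` is read unconditionally after `xioctl (fd, VIDIOC_QUERYCAP, &cap)`, and nothing in the visible lines checks the ioctl result or zeroes `cap` first. If `xioctl` does not raise on failure, the map is built from uninitialised memory; check the result, or clear `cap` before the call the way the g_parm code does with `CLEAR(sparam)`. `std::string((const char*)cap.driver)` also trusts the driver to NUL-terminate the fixed-size fields; constructing the strings with a bounded length would avoid reading past them.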
@@ -407,19 +406,16 @@
CLEAR(sparam);
sparam.type = V4L2_BUF_TYPE_VIDEO_CAPTURE;
xioctl(fd, VIDIOC_G_PARM, &sparam);
- if(!error_state)
+ if(sparam.parm.capture.capability & V4L2_CAP_TIMEPERFRAME)
{
- if(sparam.parm.capture.capability & V4L2_CAP_TIMEPERFRAME)
- {
- const struct v4l2_fract &tf = sparam.parm.capture.timeperframe;
- ret(0) = tf.numerator;
- ret(1) = tf.denominator;
- }
- else
- {
- warning("v4l2_handler::g_parm: V4L2_CAP_TIMEPERFRAME is not supported");
- return Matrix(0,0);
- }
+ const struct v4l2_fract &tf = sparam.parm.capture.timeperframe;
+ ret(0) = tf.numerator;
+ ret(1) = tf.denominator;
+ }
+ else
+ {
+ warning("v4l2_handler::g_parm: V4L2_CAP_TIMEPERFRAME is not supported");
+ return Matrix(0,0);
}
return ret;
}
@@ -979,7 +975,7 @@
error("v4l2_handler::capture_to_ppm: Cannot open file '%s'", fn);
}
fprintf (fout, "P6\n%d %d 255\n",
- img.dim2(), img.dim3());
+ (int)img.dim2(), (int)img.dim3());
fwrite (p, img.numel(), 1, fout);
fclose (fout);
}
@@ -1012,8 +1008,7 @@
enum v4l2_buf_type type;
type = V4L2_BUF_TYPE_VIDEO_CAPTURE;
xioctl(fd, VIDIOC_STREAMON, &type);
- if (!error_state)
- streaming = 1;
+ streaming = 1;
}
}
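Review bot: `streaming = 1` is now set whether or not `xioctl(fd, VIDIOC_STREAMON, &type)` succeeded, because the visible lines ignore the result. Unless `xioctl` is guaranteed to throw on failure, the handler can record a stream as running that never started, and any code that keys off `streaming` will act on the wrong state. Set the flag only after a checked success.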
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-papermill for openSUSE:Factory checked in at 2023-04-30 16:07:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-papermill (Old)
and /work/SRC/openSUSE:Factory/.python-papermill.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-papermill"
Sun Apr 30 16:07:44 2023 rev:11 rq:1083673 version:2.4.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-papermill/python-papermill.changes 2023-01-08 21:25:58.459402093 +0100
+++ /work/SRC/openSUSE:Factory/.python-papermill.new.1533/python-papermill.changes 2023-04-30 16:07:57.804221229 +0200
@@ -1,0 +2,6 @@
+Sat Apr 29 19:52:16 UTC 2023 - Ben Greiner <code(a)bnavigator.de>
+
+- Add typing extensions if azuore-storage-blob
+- Don't skip pyarrow tests anymore
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-papermill.spec ++++++
--- /var/tmp/diff_new_pack.xoVbfk/_old 2023-04-30 16:07:58.208223693 +0200
+++ /var/tmp/diff_new_pack.xoVbfk/_new 2023-04-30 16:07:58.212223718 +0200
@@ -42,6 +42,8 @@
Requires(postun):update-alternatives
Recommends: python-azure-datalake-store >= 0.0.30
Recommends: python-azure-storage-blob
+# https://build.opensuse.org/request/show/1083380#comments
+Requires: (python-typing_extensions if python-azure-storage-blob)
Recommends: python-black
Recommends: python-boto3
Recommends: python-gcsfs >= 0.2.0
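Review bot: The conditional `Requires: (python-typing_extensions if python-azure-storage-blob)` works around a dependency that, going by the comment added with the BuildRequires further down, belongs to python-azure-storage-blob, and the only explanation here is a link to a request's comment thread. State the reason in the spec comment itself and mark the line for removal once python-azure-storage-blob declares the dependency, so the workaround does not outlive the fix.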
@@ -55,6 +57,8 @@
BuildRequires: %{python_module click}
BuildRequires: %{python_module entrypoints}
BuildRequires: %{python_module gcsfs}
+# for python-azure-storage-blob (https://build.opensuse.org/request/show/1083380#comments)
+BuildRequires: %{python_module typing_extensions}
BuildRequires: %{python_module ipython >= 5.0}
BuildRequires: %{python_module ipywidgets}
BuildRequires: %{python_module moto}
@@ -62,6 +66,7 @@
BuildRequires: %{python_module nbformat >= 5.1.2}
BuildRequires: %{python_module notebook}
BuildRequires: %{python_module pandas}
+BuildRequires: %{python_module pyarrow}
BuildRequires: %{python_module pytest-env}
BuildRequires: %{python_module pytest-mock}
BuildRequires: %{python_module pytest}
@@ -89,8 +94,6 @@
%check
# different output type expected
donttest="TestBrokenNotebook2"
-# no pyarrow
-donttest="$donttest or test_hdfs_listdir"
%pytest -k "not ($donttest)"
%post
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package foot for openSUSE:Factory checked in at 2023-04-30 16:07:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/foot (Old)
and /work/SRC/openSUSE:Factory/.foot.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "foot"
Sun Apr 30 16:07:42 2023 rev:20 rq:1083658 version:1.14.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/foot/foot.changes 2023-04-05 21:36:22.662815938 +0200
+++ /work/SRC/openSUSE:Factory/.foot.new.1533/foot.changes 2023-04-30 16:07:56.788215030 +0200
@@ -1,0 +2,6 @@
+Sat Apr 22 15:36:15 UTC 2023 - Arnav Singh <opensuse(a)arnavion.dev>
+
+- Fix dependency on tllist to be >=1.1.0 since the code uses a feature
+ not found in older versions.
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ foot.spec ++++++
--- /var/tmp/diff_new_pack.Prr7GG/_old 2023-04-30 16:07:57.268217958 +0200
+++ /var/tmp/diff_new_pack.Prr7GG/_new 2023-04-30 16:07:57.276218007 +0200
@@ -37,7 +37,7 @@
BuildRequires: pkgconfig(pixman-1)
BuildRequires: pkgconfig(systemd)
BuildRequires: pkgconfig(tic)
-BuildRequires: pkgconfig(tllist) >= 1.0.4
+BuildRequires: pkgconfig(tllist) >= 1.1.0
BuildRequires: pkgconfig(wayland-client)
BuildRequires: pkgconfig(wayland-cursor)
BuildRequires: pkgconfig(wayland-protocols)
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package go for openSUSE:Factory checked in at 2023-04-30 16:07:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/go (Old)
and /work/SRC/openSUSE:Factory/.go.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "go"
Sun Apr 30 16:07:40 2023 rev:105 rq:1083582 version:1.20
Changes:
--------
--- /work/SRC/openSUSE:Factory/go/go.changes 2022-08-27 11:47:51.733551460 +0200
+++ /work/SRC/openSUSE:Factory/.go.new.1533/go.changes 2023-04-30 16:07:56.152211150 +0200
@@ -1,0 +2,9 @@
+Fri Apr 28 14:22:09 UTC 2023 - Jeff Kowalczyk <jkowalczyk(a)suse.com>
+
+- Update to current stable go1.20
+ Refs boo#1206346 go1.20 release tracking
+- Packaging improvements:
+ * Re-enable debuginfo boo#1210938 remove spec comment "# nodebug"
+ * Use Group: Development/Languages/Go instead of Other
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ go.spec ++++++
--- /var/tmp/diff_new_pack.tF2ZQa/_old 2023-04-30 16:07:56.592213834 +0200
+++ /var/tmp/diff_new_pack.tF2ZQa/_new 2023-04-30 16:07:56.592213834 +0200
@@ -1,7 +1,7 @@
#
# spec file for package go
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -14,7 +14,6 @@
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
-# nodebuginfo
# NOTE: This logic must come from the latest go1.x package specfile.
# We only build go-race on supported systems.
@@ -27,13 +26,13 @@
%endif
Name: go
-Version: 1.19
+Version: 1.20
# Version must always be a valid golang(API) version
%define api_version %{version}
Release: 0
Summary: A compiled, garbage-collected, concurrent programming language
License: BSD-3-Clause
-Group: Development/Languages/Other
+Group: Development/Languages/Go
Url: http://golang.org
Source: README
Recommends: go-doc = %{version}
@@ -73,7 +72,7 @@
%package race
Summary: Go runtime race detector
License: NCSA or MIT
-Group: Development/Languages/Other
+Group: Development/Languages/Go
Url: https://compiler-rt.llvm.org/
Requires: go = %{version}
Supplements: go = %{version}
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package grub2 for openSUSE:Factory checked in at 2023-04-30 16:07:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
and /work/SRC/openSUSE:Factory/.grub2.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grub2"
Sun Apr 30 16:07:39 2023 rev:294 rq:1082902 version:2.06
Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes 2023-04-22 21:57:36.604193973 +0200
+++ /work/SRC/openSUSE:Factory/.grub2.new.1533/grub2.changes 2023-04-30 16:07:48.844166566 +0200
@@ -1,0 +2,49 @@
+Wed Apr 26 07:22:03 UTC 2023 - Gary Ching-Pang Lin <glin(a)suse.com>
+
+- Exclude the deprecated EFI location, /usr/lib64/efi/, from
+ Tumbleweed and ALP
+
+-------------------------------------------------------------------
+Fri Apr 21 07:53:30 UTC 2023 - Gary Ching-Pang Lin <glin(a)suse.com>
+
+- Update TPM 2.0 key unsealing patches
+ * Add the new upstreaming patches
+ 0001-protectors-Add-key-protectors-framework.patch
+ 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
+ 0003-protectors-Add-TPM2-Key-Protector.patch
+ 0004-cryptodisk-Support-key-protectors.patch
+ 0005-util-grub-protect-Add-new-tool.patch
+ * Add the authorized policy patches based on the upstreaming
+ patches
+ 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
+ 0002-tpm2-Add-more-marshal-unmarshal-functions.patch
+ 0003-tpm2-Implement-more-TPM2-commands.patch
+ 0004-tpm2-Support-authorized-policy.patch
+ * Drop the old patches
+ 0010-protectors-Add-key-protectors-framework.patch
+ 0011-tpm2-Add-TPM-Software-Stack-TSS.patch
+ 0012-protectors-Add-TPM2-Key-Protector.patch
+ 0013-cryptodisk-Support-key-protectors.patch
+ 0014-util-grub-protect-Add-new-tool.patch
+ fix-tpm2-build.patch
+ tpm-protector-dont-measure-sealed-key.patch
+ tpm-protector-export-secret-key.patch
+ grub-unseal-debug.patch
+ 0001-tpm2-adjust-the-input-parameters-of-TPM2_EvictContro.patch
+ 0002-tpm2-declare-the-input-arguments-of-TPM2-functions-a.patch
+ 0003-tpm2-resend-the-command-on-TPM_RC_RETRY.patch
+ 0004-tpm2-add-new-TPM2-types-structures-and-command-const.patch
+ 0005-tpm2-add-more-marshal-unmarshal-functions.patch
+ 0006-tpm2-check-the-command-parameters-of-TPM2-commands.patch
+ 0007-tpm2-pack-the-missing-authorization-command-for-TPM2.patch
+ 0008-tpm2-allow-some-command-parameters-to-be-NULL.patch
+ 0009-tpm2-remove-the-unnecessary-variables.patch
+ 0010-tpm2-add-TPM2-commands-to-support-authorized-policy.patch
+ 0011-tpm2-make-the-file-reading-unmarshal-functions-gener.patch
+ 0012-tpm2-initialize-the-PCR-selection-list-early.patch
+ 0013-tpm2-support-unsealing-key-with-authorized-policy.patch
+ * Refresh grub-read-pcr.patch
+ * Introduce a new build requirement: libtasn1-devel
+- Only package grub2-protect for the architectures with EFI support
+
+-------------------------------------------------------------------
Old:
----
0001-tpm2-adjust-the-input-parameters-of-TPM2_EvictContro.patch
0002-tpm2-declare-the-input-arguments-of-TPM2-functions-a.patch
0003-tpm2-resend-the-command-on-TPM_RC_RETRY.patch
0004-tpm2-add-new-TPM2-types-structures-and-command-const.patch
0005-tpm2-add-more-marshal-unmarshal-functions.patch
0006-tpm2-check-the-command-parameters-of-TPM2-commands.patch
0007-tpm2-pack-the-missing-authorization-command-for-TPM2.patch
0008-tpm2-allow-some-command-parameters-to-be-NULL.patch
0009-tpm2-remove-the-unnecessary-variables.patch
0010-protectors-Add-key-protectors-framework.patch
0010-tpm2-add-TPM2-commands-to-support-authorized-policy.patch
0011-tpm2-Add-TPM-Software-Stack-TSS.patch
0011-tpm2-make-the-file-reading-unmarshal-functions-gener.patch
0012-protectors-Add-TPM2-Key-Protector.patch
0012-tpm2-initialize-the-PCR-selection-list-early.patch
0013-cryptodisk-Support-key-protectors.patch
0013-tpm2-support-unsealing-key-with-authorized-policy.patch
0014-util-grub-protect-Add-new-tool.patch
fix-tpm2-build.patch
grub-unseal-debug.patch
tpm-protector-dont-measure-sealed-key.patch
tpm-protector-export-secret-key.patch
New:
----
0001-protectors-Add-key-protectors-framework.patch
0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
0002-tpm2-Add-TPM-Software-Stack-TSS.patch
0002-tpm2-Add-more-marshal-unmarshal-functions.patch
0003-protectors-Add-TPM2-Key-Protector.patch
0003-tpm2-Implement-more-TPM2-commands.patch
0004-cryptodisk-Support-key-protectors.patch
0004-tpm2-Support-authorized-policy.patch
0005-util-grub-protect-Add-new-tool.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.3qedkw/_old 2023-04-30 16:07:52.336187870 +0200
+++ /var/tmp/diff_new_pack.3qedkw/_new 2023-04-30 16:07:52.344187919 +0200
@@ -48,6 +48,7 @@
BuildRequires: gnu-unifont
%endif
BuildRequires: help2man
+BuildRequires: libtasn1-devel
BuildRequires: xz
%if 0%{?suse_version} >= 1210
BuildRequires: makeinfo
@@ -413,13 +414,15 @@
Patch891: 0007-cryptodisk-Refactor-password-input-out-of-crypto-dev.patch
Patch892: 0008-cryptodisk-Move-global-variables-into-grub_cryptomou.patch
Patch893: 0009-cryptodisk-Improve-handling-of-partition-name-in-cry.patch
-Patch894: 0010-protectors-Add-key-protectors-framework.patch
-Patch895: 0011-tpm2-Add-TPM-Software-Stack-TSS.patch
-Patch896: 0012-protectors-Add-TPM2-Key-Protector.patch
-Patch897: 0013-cryptodisk-Support-key-protectors.patch
-Patch898: 0014-util-grub-protect-Add-new-tool.patch
-Patch899: fix-tpm2-build.patch
-Patch900: 0001-crytodisk-fix-cryptodisk-module-looking-up.patch
+
+# TPM 2.0 protector
+Patch894: 0001-protectors-Add-key-protectors-framework.patch
+Patch895: 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
+Patch896: 0003-protectors-Add-TPM2-Key-Protector.patch
+Patch897: 0004-cryptodisk-Support-key-protectors.patch
+Patch898: 0005-util-grub-protect-Add-new-tool.patch
+Patch899: 0001-crytodisk-fix-cryptodisk-module-looking-up.patch
+
# fde
Patch901: 0001-devmapper-getroot-Have-devmapper-recognize-LUKS2.patch
Patch902: 0002-devmapper-getroot-Set-up-cheated-LUKS2-cryptodisk-mo.patch
@@ -434,10 +437,8 @@
Patch911: grub-read-pcr.patch
Patch912: efi-set-variable-with-attrs.patch
Patch913: tpm-record-pcrs.patch
-Patch914: tpm-protector-dont-measure-sealed-key.patch
-Patch915: tpm-protector-export-secret-key.patch
+
Patch916: grub-install-record-pcrs.patch
-Patch917: grub-unseal-debug.patch
# efi mm
Patch919: 0001-mm-Allow-dynamically-requesting-additional-memory-re.patch
Patch920: 0002-kern-efi-mm-Always-request-a-fixed-number-of-pages-o.patch
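Review bot: Patch914 (`tpm-protector-dont-measure-sealed-key.patch`) and Patch915 (`tpm-protector-export-secret-key.patch`) are removed here, and the changelog lists them only under "Drop the old patches" without saying whether the new upstreaming series carries their behaviour. For a change in the key-unsealing path that deserves one line in the .changes entry, in particular for the behaviour the first patch name describes. The blank `+` line left where Patch914/915 stood and the now unused numbers 914, 915 and 917 could be tidied at the same time.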
@@ -480,19 +481,13 @@
Patch954: 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
Patch955: 0001-grub-core-modify-sector-by-sysfs-as-disk-sector.patch
Patch956: 0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch
-Patch957: 0001-tpm2-adjust-the-input-parameters-of-TPM2_EvictContro.patch
-Patch958: 0002-tpm2-declare-the-input-arguments-of-TPM2-functions-a.patch
-Patch959: 0003-tpm2-resend-the-command-on-TPM_RC_RETRY.patch
-Patch960: 0004-tpm2-add-new-TPM2-types-structures-and-command-const.patch
-Patch961: 0005-tpm2-add-more-marshal-unmarshal-functions.patch
-Patch962: 0006-tpm2-check-the-command-parameters-of-TPM2-commands.patch
-Patch963: 0007-tpm2-pack-the-missing-authorization-command-for-TPM2.patch
-Patch964: 0008-tpm2-allow-some-command-parameters-to-be-NULL.patch
-Patch965: 0009-tpm2-remove-the-unnecessary-variables.patch
-Patch966: 0010-tpm2-add-TPM2-commands-to-support-authorized-policy.patch
-Patch967: 0011-tpm2-make-the-file-reading-unmarshal-functions-gener.patch
-Patch968: 0012-tpm2-initialize-the-PCR-selection-list-early.patch
-Patch969: 0013-tpm2-support-unsealing-key-with-authorized-policy.patch
+
+# Support TPM 2.0 Authorized Policy
+Patch957: 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
+Patch958: 0002-tpm2-Add-more-marshal-unmarshal-functions.patch
+Patch959: 0003-tpm2-Implement-more-TPM2-commands.patch
+Patch960: 0004-tpm2-Support-authorized-policy.patch
+
# Set efi variables LoaderDevicePartUUID & LoaderInfo (needed for UKI)
Patch970: grub2-add-module-for-boot-loader-interface.patch
# Fix out of memory error on lpar installation from virtual cdrom (bsc#1208024)
@@ -1056,6 +1051,7 @@
%define sysefidir %{sysefibasedir}/%{_target_cpu}
install -d %{buildroot}/%{sysefidir}
ln -sr %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/grub.efi %{buildroot}%{sysefidir}/grub.efi
+%if 0%{?suse_version} < 1600
%ifarch x86_64
# provide compatibility sym-link for previous shim-install and the like
install -d %{buildroot}/usr/lib64/efi
@@ -1066,6 +1062,7 @@
may vanish at any point in time. Please use the new location!
EoM
%endif
+%endif
%ifarch x86_64 aarch64
export BRP_PESIGN_FILES="%{_datadir}/%{name}/%{grubefiarch}/grub.efi"
@@ -1415,7 +1412,9 @@
%{_bindir}/%{name}-render-label
%{_bindir}/%{name}-script-check
%{_bindir}/%{name}-syslinux2cfg
+%ifarch %{efi}
%{_bindir}/%{name}-protect
+%endif
%if 0%{?has_systemd:1}
%{_unitdir}/grub2-once.service
%endif
++++++ 0010-protectors-Add-key-protectors-framework.patch -> 0001-protectors-Add-key-protectors-framework.patch ++++++
--- /work/SRC/openSUSE:Factory/grub2/0010-protectors-Add-key-protectors-framework.patch 2022-11-09 12:56:55.552175555 +0100
+++ /work/SRC/openSUSE:Factory/.grub2.new.1533/0001-protectors-Add-key-protectors-framework.patch 2023-04-30 16:07:48.648165371 +0200
@@ -1,21 +1,22 @@
-From 2d959549857305d5e4d95a19a0850885f85179d6 Mon Sep 17 00:00:00 2001
+From 5affde982dea827580e36ccc658e439397f51ce8 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta(a)linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:53 -0800
-Subject: [PATCH 10/14] protectors: Add key protectors framework
+Subject: [PATCH 1/5] protectors: Add key protectors framework
-A key protector encapsulates functionality to retrieve an unlocking key for a
-fully-encrypted disk from a specific source. A key protector module registers
-itself with the key protectors framework when it is loaded and unregisters when
-unloaded. Additionally, a key protector may accept parameters that describe how
-it should operate.
+A key protector encapsulates functionality to retrieve an unlocking key
+for a fully-encrypted disk from a specific source. A key protector
+module registers itself with the key protectors framework when it is
+loaded and unregisters when unloaded. Additionally, a key protector may
+accept parameters that describe how it should operate.
-The key protectors framework, besides offering registration and unregistration
-functions, also offers a one-stop routine for finding and invoking a key
-protector by name. If a key protector with the specified name exists and if an
-unlocking key is successfully retrieved by it, the function returns to the
-caller the retrieved key and its length.
+The key protectors framework, besides offering registration and
+unregistration functions, also offers a one-stop routine for finding and
+invoking a key protector by name. If a key protector with the specified
+name exists and if an unlocking key is successfully retrieved by it, the
+function returns to the caller the retrieved key and its length.
Signed-off-by: Hernan Gatta <hegatta(a)linux.microsoft.com>
+Signed-off-by: Gary Lin <glin(a)suse.com>
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 1 +
@@ -26,7 +27,7 @@
create mode 100644 include/grub/protector.h
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
-index de241f0d04..dc07ba6f87 100644
+index 80e7a83ed..79d17a3d2 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -90,6 +90,7 @@ endif
@@ -38,10 +39,10 @@
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
-index f3140815b8..b0001a33cf 100644
+index d83c9f7b6..0335d9add 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
-@@ -138,6 +138,7 @@ kernel = {
+@@ -144,6 +144,7 @@ kernel = {
common = kern/misc.c;
common = kern/parser.c;
common = kern/partition.c;
@@ -51,7 +52,7 @@
common = kern/term.c;
diff --git a/grub-core/kern/protectors.c b/grub-core/kern/protectors.c
new file mode 100644
-index 0000000000..21954dfa48
+index 000000000..5ee059565
--- /dev/null
+++ b/grub-core/kern/protectors.c
@@ -0,0 +1,75 @@
@@ -83,16 +84,16 @@
+grub_err_t
+grub_key_protector_register (struct grub_key_protector *protector)
+{
-+ if (!protector || !protector->name || !grub_strlen(protector->name))
++ if (protector == NULL || protector->name == NULL || grub_strlen(protector->name) == 0)
+ return GRUB_ERR_BAD_ARGUMENT;
+
+ if (grub_key_protectors &&
+ grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
-+ protector->name))
++ protector->name))
+ return GRUB_ERR_BAD_ARGUMENT;
+
+ grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors),
-+ GRUB_AS_LIST (protector));
++ GRUB_AS_LIST (protector));
+
+ return GRUB_ERR_NONE;
+}
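Review bot: `grub_key_protector_register` validates `protector` and `protector->name` but not `protector->recover_key`, while `grub_key_protector_recover_key` later calls `kp->recover_key (key, key_size)` unconditionally. A protector registered with a NULL callback would be dereferenced at unlock time; reject it at registration with `GRUB_ERR_BAD_ARGUMENT`. As a style point, the rewritten condition still has `grub_strlen(protector->name)` without the space before the parenthesis that `grub_strlen (protector)` uses further down.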
@@ -100,7 +101,7 @@
+grub_err_t
+grub_key_protector_unregister (struct grub_key_protector *protector)
+{
-+ if (!protector)
++ if (protector == NULL)
+ return GRUB_ERR_BAD_ARGUMENT;
+
+ grub_list_remove (GRUB_AS_LIST (protector));
@@ -110,29 +111,29 @@
+
+grub_err_t
+grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
-+ grub_size_t *key_size)
++ grub_size_t *key_size)
+{
+ struct grub_key_protector *kp = NULL;
+
-+ if (!grub_key_protectors)
++ if (grub_key_protectors == NULL)
+ return GRUB_ERR_OUT_OF_RANGE;
+
-+ if (!protector || !grub_strlen (protector))
++ if (protector == NULL || grub_strlen (protector) == 0)
+ return GRUB_ERR_BAD_ARGUMENT;
+
+ kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
-+ protector);
-+ if (!kp)
++ protector);
++ if (kp == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
-+ N_("A key protector with name '%s' could not be found. "
-+ "Is the name spelled correctly and is the "
-+ "corresponding module loaded?"), protector);
++ N_("A key protector with name '%s' could not be found. "
++ "Is the name spelled correctly and is the "
++ "corresponding module loaded?"), protector);
+
+ return kp->recover_key (key, key_size);
+}
diff --git a/include/grub/protector.h b/include/grub/protector.h
new file mode 100644
-index 0000000000..179020a344
+index 000000000..3d9f69bce
--- /dev/null
+++ b/include/grub/protector.h
@@ -0,0 +1,48 @@
@@ -180,10 +181,10 @@
+
+grub_err_t
+EXPORT_FUNC (grub_key_protector_recover_key) (const char *protector,
-+ grub_uint8_t **key,
-+ grub_size_t *key_size);
++ grub_uint8_t **key,
++ grub_size_t *key_size);
+
+#endif /* ! GRUB_PROTECTOR_HEADER */
--
-2.34.1
+2.35.3
++++++ 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch ++++++
From 5a417f32f1afe0ffca7f5cbff67145a157b1589b Mon Sep 17 00:00:00 2001
From: Gary Lin <glin(a)suse.com>
Date: Tue, 7 Feb 2023 18:31:12 +0800
Subject: [PATCH 1/4] tpm2: Add TPM2 types, structures, and command constants
Add new TPM2 types and structures as the preparation to support
authorized policy.
* New types:
TPM_ALG_ECDAA, TPM_ALG_ECDSA, TPM_ALG_ECSCHNORR, TPM_ALG_RSASSA,
TPM_ALG_RSAPSS, TPM_ALG_SM2, and TPMI_ALG_SIG_SCHEME
* New structures:
TPMS_EMPTY, TPMS_SIGNATURE_RSA, TPMS_SIGNATURE_ECC,
TPMS_SIGNATURE_ECDSA, TPMS_SIGNATURE_ECDAA, TPMS_SIGNATURE_SM2,
TPMS_SIGNATURE_ECSCHNORR, TPMU_SIGNATURE, and TPMT_TK_VERIFIED
* New command constants:
TPM_CC_LoadExternal, TPM_CC_HashSequenceStart, TPM_CC_SequenceUpdate,
TPM_CC_SequenceComplete, TPM_CC_Hash, TPM_CC_VerifySignature,
TPM_CC_PolicyAuthorize
Signed-off-by: Gary Lin <glin(a)suse.com>
---
include/grub/tpm2/internal/structs.h | 86 ++++++++++++++++++++++++++++
include/grub/tpm2/internal/types.h | 42 +++++++++-----
2 files changed, 114 insertions(+), 14 deletions(-)
diff --git a/include/grub/tpm2/internal/structs.h b/include/grub/tpm2/internal/structs.h
index 72d71eb70..db9eb6cf6 100644
--- a/include/grub/tpm2/internal/structs.h
+++ b/include/grub/tpm2/internal/structs.h
@@ -672,4 +672,90 @@ struct TPMT_TK_CREATION
};
typedef struct TPMT_TK_CREATION TPMT_TK_CREATION;
+/* TPMS_EMPTY Structure */
+struct TPMS_EMPTY {
+ grub_uint8_t empty[1]; /* a structure with no member */
+};
+typedef struct TPMS_EMPTY TPMS_EMPTY;
+
+/* TPMS_SIGNATURE_RSA Structure */
+struct TPMS_SIGNATURE_RSA {
+ TPMI_ALG_HASH hash;
+ TPM2B_PUBLIC_KEY_RSA sig;
+};
+typedef struct TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSA;
+
+/* Definition of Types for RSA Signature */
+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSASSA;
+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSAPSS;
+
+/* TPMS_SIGNATURE_ECC Structure */
+struct TPMS_SIGNATURE_ECC {
+ TPMI_ALG_HASH hash;
+ TPM2B_ECC_PARAMETER signatureR;
+ TPM2B_ECC_PARAMETER signatureS;
+};
+typedef struct TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECC;
+
+/* Definition of Types for ECC TPMS_SIGNATURE_ECC */
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDSA;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDAA;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_SM2;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECSCHNORR;
+
+/* TPMU_SIGNATURE Structure */
+union TPMU_SIGNATURE {
+ TPMS_SIGNATURE_RSASSA rsassa;
+ TPMS_SIGNATURE_RSAPSS rsapss;
+ TPMS_SIGNATURE_ECDSA ecdsa;
+ TPMS_SIGNATURE_ECDAA ecdaa;
+ TPMS_SIGNATURE_SM2 sm2;
+ TPMS_SIGNATURE_ECSCHNORR ecschnorr;
+ TPMT_HA hmac;
+ TPMS_SCHEME_HASH any;
+ TPMS_EMPTY null;
+};
+typedef union TPMU_SIGNATURE TPMU_SIGNATURE;
+
+/* TPMT_SIGNATURE Structure */
+struct TPMT_SIGNATURE {
+ TPMI_ALG_SIG_SCHEME sigAlg;
+ TPMU_SIGNATURE signature;
+};
+typedef struct TPMT_SIGNATURE TPMT_SIGNATURE;
+
+static inline TPMI_ALG_HASH
+TPMT_SIGNATURE_get_hash_alg (TPMT_SIGNATURE *sig)
+{
+ switch (sig->sigAlg)
+ {
+ case TPM_ALG_RSASSA:
+ return sig->signature.rsassa.hash;
+ case TPM_ALG_RSAPSS:
+ return sig->signature.rsapss.hash;
+ case TPM_ALG_ECDSA:
+ return sig->signature.ecdsa.hash;
+ case TPM_ALG_ECDAA:
+ return sig->signature.ecdaa.hash;
+ case TPM_ALG_SM2:
+ return sig->signature.sm2.hash;
+ case TPM_ALG_ECSCHNORR:
+ return sig->signature.ecschnorr.hash;
+ case TPM_ALG_HMAC:
+ return sig->signature.hmac.hashAlg;
+ default:
+ break;
+ }
+
+ return TPM_ALG_NULL;
+}
+
+/* TPMT_TK_VERIFIED Structure */
+struct TPMT_TK_VERIFIED {
+ TPM_ST tag;
+ TPMI_RH_HIERARCHY hierarchy;
+ TPM2B_DIGEST digest;
+};
+typedef struct TPMT_TK_VERIFIED TPMT_TK_VERIFIED;
+
#endif /* ! GRUB_TPM2_INTERNAL_STRUCTS_HEADER */
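Review bot: `TPMT_SIGNATURE_get_hash_alg` returns `TPM_ALG_NULL` for every `sigAlg` it does not recognise, so callers must treat that return as a failure rather than pass it on as a hash algorithm; a comment on the function saying so would help. The parameter can be `const TPMT_SIGNATURE *sig`, since nothing is modified. The commit message's list of new structures also omits `TPMT_SIGNATURE`, which this hunk adds.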
diff --git a/include/grub/tpm2/internal/types.h b/include/grub/tpm2/internal/types.h
index 9714f75d4..a1902ef0c 100644
--- a/include/grub/tpm2/internal/types.h
+++ b/include/grub/tpm2/internal/types.h
@@ -181,6 +181,9 @@ typedef grub_uint16_t TPM_ALG_ID;
#define TPM_ALG_CFB ((TPM_ALG_ID) 0x0043)
#define TPM_ALG_ECB ((TPM_ALG_ID) 0x0044)
#define TPM_ALG_ECC ((TPM_ALG_ID) 0x0023)
+#define TPM_ALG_ECDAA ((TPM_ALG_ID) 0x001A)
+#define TPM_ALG_ECDSA ((TPM_ALG_ID) 0x0018)
+#define TPM_ALG_ECSCHNORR ((TPM_ALG_ID) 0x001C)
#define TPM_ALG_HMAC ((TPM_ALG_ID) 0x0005)
#define TPM_ALG_KDF1_SP800_108 ((TPM_ALG_ID) 0x0022)
#define TPM_ALG_KDF1_SP800_56A ((TPM_ALG_ID) 0x0020)
@@ -189,10 +192,13 @@ typedef grub_uint16_t TPM_ALG_ID;
#define TPM_ALG_MGF1 ((TPM_ALG_ID) 0x0007)
#define TPM_ALG_NULL ((TPM_ALG_ID) 0x0010)
#define TPM_ALG_RSA ((TPM_ALG_ID) 0x0001)
+#define TPM_ALG_RSASSA ((TPM_ALG_ID) 0x0014)
+#define TPM_ALG_RSAPSS ((TPM_ALG_ID) 0x0016)
#define TPM_ALG_SHA1 ((TPM_ALG_ID) 0x0004)
#define TPM_ALG_SHA256 ((TPM_ALG_ID) 0x000B)
#define TPM_ALG_SHA384 ((TPM_ALG_ID) 0x000C)
#define TPM_ALG_SHA512 ((TPM_ALG_ID) 0x000D)
+#define TPM_ALG_SM2 ((TPM_ALG_ID) 0x001B)
#define TPM_ALG_SM3_256 ((TPM_ALG_ID) 0x0012)
#define TPM_ALG_SM4 ((TPM_ALG_ID) 0x0013)
#define TPM_ALG_SYMCIPHER ((TPM_ALG_ID) 0x0025)
@@ -299,20 +305,27 @@ typedef grub_uint16_t TPM2_ECC_CURVE;
/* TPM_CC Constants */
typedef grub_uint32_t TPM_CC;
-#define TPM_CC_EvictControl ((TPM_CC) 0x00000120)
-#define TPM_CC_CreatePrimary ((TPM_CC) 0x00000131)
-#define TPM_CC_Create ((TPM_CC) 0x00000153)
-#define TPM_CC_FlushContext ((TPM_CC) 0x00000165)
-#define TPM_CC_ReadPublic ((TPM_CC) 0x00000173)
-#define TPM_CC_StartAuthSession ((TPM_CC) 0x00000176)
-#define TPM_CC_PolicyPCR ((TPM_CC) 0x0000017f)
-#define TPM_CC_NV_Read ((TPM_CC) 0x0000014e)
-#define TPM_CC_NV_ReadPublic ((TPM_CC) 0x00000169)
-#define TPM_CC_GetCapability ((TPM_CC) 0x0000017a)
-#define TPM_CC_PCR_Read ((TPM_CC) 0x0000017e)
-#define TPM_CC_Load ((TPM_CC) 0x00000157)
-#define TPM_CC_Unseal ((TPM_CC) 0x0000015e)
-#define TPM_CC_PolicyGetDigest ((TPM_CC) 0x00000189)
+#define TPM_CC_EvictControl ((TPM_CC) 0x00000120)
+#define TPM_CC_CreatePrimary ((TPM_CC) 0x00000131)
+#define TPM_CC_Create ((TPM_CC) 0x00000153)
+#define TPM_CC_FlushContext ((TPM_CC) 0x00000165)
+#define TPM_CC_ReadPublic ((TPM_CC) 0x00000173)
+#define TPM_CC_StartAuthSession ((TPM_CC) 0x00000176)
+#define TPM_CC_PolicyPCR ((TPM_CC) 0x0000017f)
+#define TPM_CC_NV_Read ((TPM_CC) 0x0000014e)
+#define TPM_CC_NV_ReadPublic ((TPM_CC) 0x00000169)
+#define TPM_CC_GetCapability ((TPM_CC) 0x0000017a)
+#define TPM_CC_PCR_Read ((TPM_CC) 0x0000017e)
+#define TPM_CC_Load ((TPM_CC) 0x00000157)
+#define TPM_CC_LoadExternal ((TPM_CC) 0x00000167)
+#define TPM_CC_Unseal ((TPM_CC) 0x0000015e)
+#define TPM_CC_PolicyGetDigest ((TPM_CC) 0x00000189)
+#define TPM_CC_HashSequenceStart ((TPM_CC) 0x00000186)
+#define TPM_CC_SequenceUpdate ((TPM_CC) 0x0000015c)
+#define TPM_CC_SequenceComplete ((TPM_CC) 0x0000013e)
+#define TPM_CC_Hash ((TPM_CC) 0x0000017d)
+#define TPM_CC_VerifySignature ((TPM_CC) 0x00000177)
+#define TPM_CC_PolicyAuthorize ((TPM_CC) 0x0000016a)
/* Hash algorithm sizes */
#define TPM_SHA1_DIGEST_SIZE 20
@@ -354,6 +367,7 @@ typedef TPM_ALG_ID TPMI_ALG_ECC_SCHEME;
typedef TPM_ALG_ID TPMI_ALG_ASYM_SCHEME;
typedef TPM_ALG_ID TPMI_ALG_RSA_SCHEME;
typedef TPM_ALG_ID TPMI_ALG_SYM;
+typedef TPM_ALG_ID TPMI_ALG_SIG_SCHEME;
/* TPM_KEY_BITS Type */
typedef grub_uint16_t TPM_KEY_BITS;
--
2.35.3
++++++ 0011-tpm2-Add-TPM-Software-Stack-TSS.patch -> 0002-tpm2-Add-TPM-Software-Stack-TSS.patch ++++++
++++ 1977 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/grub2/0011-tpm2-Add-TPM-Software-Stack-TSS.patch
++++ and /work/SRC/openSUSE:Factory/.grub2.new.1533/0002-tpm2-Add-TPM-Software-Stack-TSS.patch
++++++ 0002-tpm2-Add-more-marshal-unmarshal-functions.patch ++++++
From 1d34522075949581ccb34a08dd73607566517824 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin(a)suse.com>
Date: Tue, 7 Feb 2023 18:33:42 +0800
Subject: [PATCH 2/4] tpm2: Add more marshal/unmarshal functions
Add a few more marshal/unmarshal functions to support authorized policy.
* Marshal:
grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal()
grub_tpm2_mu_TPMT_SENSITIVE_Marshal()
grub_tpm2_mu_TPM2B_SENSITIVE_Marshal()
grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal()
grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal()
grub_tpm2_mu_TPMU_HA_Marshal()
grub_tpm2_mu_TPMT_HA_Marshal()
grub_tpm2_mu_TPMU_SIGNATURE_Marshal()
grub_tpm2_mu_TPMT_SIGNATURE_Marshal()
grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal()
* Unmarshal:
grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal()
grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal()
grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal()
grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal()
grub_tpm2_mu_TPMU_HA_Unmarshal()
grub_tpm2_mu_TPMT_HA_Unmarshal()
grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal()
grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal()
Signed-off-by: Gary Lin <glin(a)suse.com>
---
grub-core/tpm2/mu.c | 262 +++++++++++++++++++++++++++++++++++++++++
include/grub/tpm2/mu.h | 75 ++++++++++++
2 files changed, 337 insertions(+)
diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c
index 1617f37cd..3a9a3c1be 100644
--- a/grub-core/tpm2/mu.c
+++ b/grub-core/tpm2/mu.c
@@ -383,6 +383,49 @@ grub_tpm2_mu_TPMS_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
grub_tpm2_mu_TPM2B_Marshal (buffer, p->data.size, p->data.buffer);
}
+void
+grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMI_ALG_PUBLIC type,
+ const TPMU_SENSITIVE_COMPOSITE *p)
+{
+ switch(type)
+ {
+ case TPM_ALG_RSA:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->rsa.size, p->rsa.buffer);
+ break;
+ case TPM_ALG_ECC:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->ecc.size, p->ecc.buffer);
+ break;
+ case TPM_ALG_KEYEDHASH:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->bits.size, p->bits.buffer);
+ break;
+ case TPM_ALG_SYMCIPHER:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sym.size, p->sym.buffer);
+ break;
+ default:
+ buffer->error = 1;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_SENSITIVE *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->sensitiveType);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->authValue.size, p->authValue.buffer);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->seedValue.size, p->seedValue.buffer);
+ grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (buffer, p->sensitiveType,
+ &p->sensitive);
+}
+
+void
+grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPM2B_SENSITIVE *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->size);
+ grub_tpm2_mu_TPMT_SENSITIVE_Marshal (buffer, &p->sensitiveArea);
+}
+
void
grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
const TPM2B_SENSITIVE_CREATE *sensitiveCreate)
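Review bot: grub_tpm2_mu_TPM2B_SENSITIVE_Marshal writes the caller-supplied p->size as the length prefix and then marshals sensitiveArea, but nothing ties the two together, so a stale or zero size produces a TPM2B whose prefix disagrees with the bytes that follow. Consider marshaling sensitiveArea first and writing the measured length, or set buffer->error when the two differ. Minor: the default case in grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal has no break, unlike the other switches added in this patch.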
@@ -405,6 +448,113 @@ grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
grub_tpm2_buffer_pack_u16 (buffer, 0);
}
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMS_SIGNATURE_RSA *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->hash);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sig.size, p->sig.buffer);
+}
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMS_SIGNATURE_ECC *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->hash);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureR.size, p->signatureR.buffer);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureS.size, p->signatureS.buffer);
+}
+
+void
+grub_tpm2_mu_TPMU_HA_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMU_HA *p)
+{
+ switch (hashAlg)
+ {
+ case TPM_ALG_SHA1:
+ for (grub_uint16_t i = 0; i < TPM_SHA1_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha1[i]);
+ break;
+ case TPM_ALG_SHA256:
+ for (grub_uint16_t i = 0; i < TPM_SHA256_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha256[i]);
+ break;
+ case TPM_ALG_SHA384:
+ for (grub_uint16_t i = 0; i < TPM_SHA384_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha384[i]);
+ break;
+ case TPM_ALG_SHA512:
+ for (grub_uint16_t i = 0; i < TPM_SHA512_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha512[i]);
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_HA_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_HA *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->hashAlg);
+ grub_tpm2_mu_TPMU_HA_Marshal (buffer, p->hashAlg, &p->digest);
+}
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMI_ALG_SIG_SCHEME sigAlg,
+ const TPMU_SIGNATURE *p)
+{
+ switch (sigAlg)
+ {
+ case TPM_ALG_RSASSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsassa);
+ break;
+ case TPM_ALG_RSAPSS:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsapss);
+ break;
+ case TPM_ALG_ECDSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdsa);
+ break;
+ case TPM_ALG_ECDAA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdaa);
+ break;
+ case TPM_ALG_SM2:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->sm2);
+ break;
+ case TPM_ALG_ECSCHNORR:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecschnorr);
+ break;
+ case TPM_ALG_HMAC:
+ grub_tpm2_mu_TPMT_HA_Marshal (buffer, &p->hmac);
+ break;
+ case TPM_ALG_NULL:
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_SIGNATURE *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->sigAlg);
+ grub_tpm2_mu_TPMU_SIGNATURE_Marshal (buffer, p->sigAlg, &p->signature);
+}
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_TK_VERIFIED *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->tag);
+ grub_tpm2_buffer_pack_u32 (buffer, p->hierarchy);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->digest.size, p->digest.buffer);
+}
+
void
grub_tpm2_mu_TPM2B_Unmarshal (grub_tpm2_buffer_t buffer,
TPM2B* p)
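Review bot: in grub_tpm2_mu_TPMU_SIGNATURE_Marshal the casts such as (TPMS_SIGNATURE_RSA *)&p->rsassa strip the const from p before handing it to a function that takes a const pointer. Cast to the const-qualified type, or drop the cast if the union member already has that type. Also, grub_tpm2_mu_TPMU_HA_Marshal emits each digest one byte at a time, while the unmarshal side later in this patch copies the whole digest with a single grub_tpm2_buffer_unpack call; if the buffer API has a bulk pack counterpart, using it would keep the pair symmetric.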
@@ -775,6 +925,24 @@ grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buffer,
grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
}
+void
+grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_TK_HASHCHECK *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag);
+ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
+}
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_TK_VERIFIED *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag);
+ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
+}
+
void
grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf,
TPMS_PCR_SELECTION* pcrSelection)
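Review bot: grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal and grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal accept any tag value; neither compares p->tag with the structure tag expected for that ticket type, so a ticket of the wrong kind unmarshals without setting buffer->error. A check right after grub_tpm2_buffer_unpack_u16 would catch that. The two bodies are also identical to each other, so a shared static helper taking the expected tag would remove the duplication.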
@@ -805,3 +973,97 @@ grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buf,
for (grub_uint32_t i = 0; i < digest->count; i++)
grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buf, &digest->digests[i]);
}
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMS_SIGNATURE_RSA *rsa)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &rsa->hash);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&rsa->sig);
+}
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMS_SIGNATURE_ECC *ecc)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &ecc->hash);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&ecc->signatureR);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&ecc->signatureS);
+}
+
+void
+grub_tpm2_mu_TPMU_HA_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMI_ALG_HASH hashAlg,
+ TPMU_HA *p)
+{
+ switch (hashAlg)
+ {
+ case TPM_ALG_SHA1:
+ grub_tpm2_buffer_unpack (buffer, &p->sha1, TPM_SHA1_DIGEST_SIZE);
+ break;
+ case TPM_ALG_SHA256:
+ grub_tpm2_buffer_unpack (buffer, &p->sha256, TPM_SHA256_DIGEST_SIZE);
+ break;
+ case TPM_ALG_SHA384:
+ grub_tpm2_buffer_unpack (buffer, &p->sha384, TPM_SHA384_DIGEST_SIZE);
+ break;
+ case TPM_ALG_SHA512:
+ grub_tpm2_buffer_unpack (buffer, &p->sha512, TPM_SHA512_DIGEST_SIZE);
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_HA_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_HA *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->hashAlg);
+ grub_tpm2_mu_TPMU_HA_Unmarshal (buffer, p->hashAlg, &p->digest);
+}
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMI_ALG_SIG_SCHEME sigAlg,
+ TPMU_SIGNATURE *p)
+{
+ switch (sigAlg)
+ {
+ case TPM_ALG_RSASSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsassa);
+ break;
+ case TPM_ALG_RSAPSS:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsapss);
+ break;
+ case TPM_ALG_ECDSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdsa);
+ break;
+ case TPM_ALG_ECDAA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdaa);
+ break;
+ case TPM_ALG_SM2:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->sm2);
+ break;
+ case TPM_ALG_ECSCHNORR:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecschnorr);
+ break;
+ case TPM_ALG_HMAC:
+ grub_tpm2_mu_TPMT_HA_Unmarshal (buffer, &p->hmac);
+ break;
+ case TPM_ALG_NULL:
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_SIGNATURE *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->sigAlg);
+ grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (buffer, p->sigAlg, &p->signature);
+}
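Review bot: the signature unmarshalers here parse data that patch 4/4 reads from the key file, and each call of the form grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&rsa->sig) passes no destination capacity, so rejecting a length prefix larger than sig, signatureR or signatureS depends entirely on code outside this hunk. Please confirm that bound is enforced there, or check the unpacked size against the size of the destination buffer in these functions and set buffer->error. Note also that the TPM_ALG_NULL case in grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal leaves *p unwritten, so callers must not read the union afterwards.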
diff --git a/include/grub/tpm2/mu.h b/include/grub/tpm2/mu.h
index c545976db..afb842ab5 100644
--- a/include/grub/tpm2/mu.h
+++ b/include/grub/tpm2/mu.h
@@ -147,6 +147,47 @@ grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buf,
const TPM2B_SENSITIVE_CREATE *sensitiveCreate);
void
+grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMI_ALG_PUBLIC type,
+ const TPMU_SENSITIVE_COMPOSITE *p);
+void
+grub_tpm2_mu_TPMT_SENSITIVE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_SENSITIVE *p);
+
+void
+grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (grub_tpm2_buffer_t buf,
+ const TPM2B_SENSITIVE *p);
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (grub_tpm2_buffer_t buf,
+ const TPMS_SIGNATURE_RSA *p);
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (grub_tpm2_buffer_t buf,
+ const TPMS_SIGNATURE_ECC *p);
+
+void
+grub_tpm2_mu_TPMU_HA_Marshal (grub_tpm2_buffer_t buf,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMU_HA *p);
+
+void
+grub_tpm2_mu_TPMT_HA_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_HA *p);
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMI_ALG_SIG_SCHEME sigAlg,
+ const TPMU_SIGNATURE *p);
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_SIGNATURE *p);
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_TK_VERIFIED *p);
+void
grub_tpm2_mu_TPM2B_Unmarshal (grub_tpm2_buffer_t buf,
TPM2B* p);
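Review bot: the new prototypes carry no comment saying that failures are reported only through the error field of the buffer, which matters here because every function returns void and the caller has to remember to test it after a chain of calls. A one-line note at the top of the Marshal block would be enough. Style: the blank line between the grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal and grub_tpm2_mu_TPMT_SENSITIVE_Marshal declarations is missing, unlike the rest of the added prototypes.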
@@ -277,6 +318,14 @@ void
grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buf,
TPMT_TK_CREATION *p);
+void
+grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_TK_HASHCHECK *p);
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_TK_VERIFIED *p);
+
void
grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf,
TPMS_PCR_SELECTION* pcrSelection);
@@ -289,4 +338,30 @@ void
grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buf,
TPML_DIGEST* digest);
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMS_SIGNATURE_RSA *p);
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMS_SIGNATURE_ECC *p);
+
+void
+grub_tpm2_mu_TPMU_HA_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMI_ALG_HASH hashAlg,
+ TPMU_HA *p);
+
+void
+grub_tpm2_mu_TPMT_HA_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_HA *p);
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMI_ALG_SIG_SCHEME sigAlg,
+ TPMU_SIGNATURE *p);
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_SIGNATURE *p);
+
#endif /* ! GRUB_TPM2_MU_HEADER */
--
2.35.3
++++++ 0012-protectors-Add-TPM2-Key-Protector.patch -> 0003-protectors-Add-TPM2-Key-Protector.patch ++++++
++++ 2126 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/grub2/0012-protectors-Add-TPM2-Key-Protector.patch
++++ and /work/SRC/openSUSE:Factory/.grub2.new.1533/0003-protectors-Add-TPM2-Key-Protector.patch
++++++ 0003-tpm2-Implement-more-TPM2-commands.patch ++++++
From a49c4dcbcb04078434f461ed3356c04042be461a Mon Sep 17 00:00:00 2001
From: Gary Lin <glin(a)suse.com>
Date: Wed, 8 Feb 2023 10:30:55 +0800
Subject: [PATCH 3/4] tpm2: Implement more TPM2 commands
This commit implements a few more TPM2 commands as the preparation for
the authorized policy support.
* TPM2_LoadExternal
This command is added to load the external public key to verify the
signed policy digest
* TPM2_HashSequenceStart, TPM2_SequenceUpdate, TPM2_SequenceComplete,
and TPM2_Hash
With those commands, we can use the TPM as a coprocessor to calculate
the hash of a given binary blob.
* TPM2_VerifySignature
This command verifies the given signature with the given public key
and returns the validation ticket to authorize the policy.
* TPM2_PolicyAuthorize
This command approves the given policy digest so that we can unseal
the key with the newly authorized policy.
Signed-off-by: Gary Lin <glin(a)suse.com>
---
grub-core/tpm2/tpm2.c | 424 +++++++++++++++++++++++++
include/grub/tpm2/internal/functions.h | 57 ++++
2 files changed, 481 insertions(+)
diff --git a/grub-core/tpm2/tpm2.c b/grub-core/tpm2/tpm2.c
index d67699a24..159353b08 100644
--- a/grub-core/tpm2/tpm2.c
+++ b/grub-core/tpm2/tpm2.c
@@ -427,6 +427,73 @@ TPM2_Load (const TPMI_DH_OBJECT parent_handle,
return TPM_RC_SUCCESS;
}
+TPM_RC
+TPM2_LoadExternal (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_SENSITIVE *inPrivate,
+ const TPM2B_PUBLIC *inPublic,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM_HANDLE *objectHandle,
+ TPM2B_NAME *name,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPM_HANDLE objectHandleTmp;
+ TPM2B_NAME nameTmp;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (!inPublic)
+ return TPM_RC_VALUE;
+
+ if (!objectHandle)
+ objectHandle = &objectHandleTmp;
+ if (!name)
+ name = &nameTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (objectHandle, 0, sizeof (*objectHandle));
+ grub_memset (name, 0, sizeof (*name));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (inPrivate)
+ grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (&in, inPrivate);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_mu_TPM2B_PUBLIC_Marshal (&in, inPublic);
+ grub_tpm2_buffer_pack_u32 (&in, hierarchy);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_LoadExternal, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ grub_tpm2_buffer_unpack_u32 (&out, objectHandle);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size);
+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)name);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
TPM_RC
TPM2_Unseal (const TPMI_DH_OBJECT itemHandle,
const TPMS_AUTH_COMMAND *authCommand,
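Review bot: TPM2_LoadExternal substitutes objectHandleTmp when objectHandle is NULL, so on success the handle of the newly loaded object is dropped and the caller has no way to flush it. Returning TPM_RC_VALUE for a NULL objectHandle, as is already done for inPublic, would avoid leaving an unreachable transient object in the TPM. Separately, param_size is unpacked and never compared with the bytes remaining in out.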
@@ -759,3 +826,360 @@ TPM2_EvictControl (const TPMI_RH_PROVISION auth,
return TPM_RC_SUCCESS;
}
+
+TPM_RC
+TPM2_HashSequenceStart (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_AUTH *auth,
+ const TPMI_ALG_HASH hashAlg,
+ TPMI_DH_OBJECT *sequenceHandle,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMI_DH_OBJECT sequenceHandleTmp;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ TPM_RC rc;
+ grub_uint32_t parameterSize;
+
+ if (!auth)
+ return TPM_RC_VALUE;
+
+ if (!sequenceHandle)
+ sequenceHandle = &sequenceHandleTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (sequenceHandle, 0, sizeof (*sequenceHandle));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ grub_tpm2_mu_TPM2B_Marshal (&in, auth->size, auth->buffer);
+ grub_tpm2_buffer_pack_u16 (&in, hashAlg);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_HashSequenceStart, &responseCode, &in,
+ &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal */
+ grub_tpm2_buffer_unpack_u32 (&out, sequenceHandle);
+ if (tag == TPM_ST_SESSIONS)
+ {
+ grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize);
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse);
+ }
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_SequenceUpdate (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPM_RC responseCode;
+ TPM_RC rc;
+ grub_uint32_t parameterSize;
+
+ if (!authCommand)
+ return TPM_RC_VALUE;
+
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ grub_tpm2_buffer_pack_u32 (&in, sequenceHandle);
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (buffer)
+ grub_tpm2_mu_TPM2B_Marshal (&in, buffer->size, buffer->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (TPM_ST_SESSIONS, TPM_CC_SequenceUpdate,
+ &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal */
+ grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize);
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_SequenceComplete (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *result,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPM2B_DIGEST resultTmp;
+ TPMT_TK_HASHCHECK validationTmp;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPM_RC responseCode;
+ TPM_RC rc;
+ grub_uint32_t parameterSize;
+
+ if (!authCommand)
+ return TPM_RC_VALUE;
+
+ if (!result)
+ result = &resultTmp;
+ if (!validation)
+ validation = &validationTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (result, 0, sizeof (*result));
+ grub_memset (validation, 0, sizeof (*validation));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ grub_tpm2_buffer_pack_u32 (&in, sequenceHandle);
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (buffer)
+ grub_tpm2_mu_TPM2B_Marshal (&in, buffer->size, buffer->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_buffer_pack_u32 (&in, hierarchy);
+
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (TPM_ST_SESSIONS, TPM_CC_SequenceComplete,
+ &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal */
+ grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize);
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, result);
+ grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (&out, validation);
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_Hash (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *data,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *outHash,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPM2B_DIGEST outHashTmp;
+ TPMT_TK_HASHCHECK validationTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (hashAlg == TPM_ALG_NULL)
+ return TPM_RC_VALUE;
+
+ if (!outHash)
+ outHash = &outHashTmp;
+ if (!validation)
+ validation = &validationTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (outHash, 0, sizeof (*outHash));
+ grub_memset (validation, 0, sizeof (*validation));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (data)
+ grub_tpm2_mu_TPM2B_Marshal (&in, data->size, data->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_buffer_pack_u16 (&in, hashAlg);
+ grub_tpm2_buffer_pack_u32 (&in, hierarchy);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_Hash, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size);
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, outHash);
+ grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (&out, validation);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_VerifySignature (const TPMI_DH_OBJECT keyHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *digest,
+ const TPMT_SIGNATURE *signature,
+ TPMT_TK_VERIFIED *validation,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPMT_TK_VERIFIED validationTmp;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (!digest || !signature)
+ return TPM_RC_VALUE;
+
+ if (!validation)
+ validation = &validationTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (validation, 0, sizeof (*validation));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ grub_tpm2_buffer_pack_u32 (&in, keyHandle);
+ grub_tpm2_mu_TPM2B_Marshal (&in, digest->size, digest->buffer);
+ grub_tpm2_mu_TPMT_SIGNATURE_Marshal (&in, signature);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_VerifySignature, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size);
+ grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (&out, validation);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_PolicyAuthorize (const TPMI_SH_POLICY policySession,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *approvedPolicy,
+ const TPM2B_NONCE *policyRef,
+ const TPM2B_NAME *keySign,
+ const TPMT_TK_VERIFIED *checkTicket,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (!approvedPolicy || !keySign || !checkTicket)
+ return TPM_RC_VALUE;
+
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ grub_tpm2_buffer_pack_u32 (&in, policySession);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ grub_tpm2_mu_TPM2B_Marshal (&in, approvedPolicy->size, approvedPolicy->buffer);
+ if (policyRef)
+ grub_tpm2_mu_TPM2B_Marshal (&in, policyRef->size, policyRef->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_mu_TPM2B_Marshal (&in, keySign->size, keySign->name);
+ grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (&in, checkTicket);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_PolicyAuthorize, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
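Review bot: TPM2_VerifySignature marshals authCommand before keyHandle, whereas TPM2_SequenceUpdate, TPM2_SequenceComplete and TPM2_PolicyAuthorize in this same hunk pack the handle first and the authorization area after it. With a non-NULL authCommand the handle would land after the session data; moving grub_tpm2_buffer_pack_u32 (&in, keyHandle) above the authCommand branch makes it consistent with the others. The only caller in this series passes NULL, so the problem is latent. TPM2_HashSequenceStart also falls back to sequenceHandleTmp for a NULL sequenceHandle, which discards the handle of the sequence object it just created.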
diff --git a/include/grub/tpm2/internal/functions.h b/include/grub/tpm2/internal/functions.h
index 9380f26a2..67b78fab8 100644
--- a/include/grub/tpm2/internal/functions.h
+++ b/include/grub/tpm2/internal/functions.h
@@ -70,6 +70,15 @@ TPM2_Load (const TPMI_DH_OBJECT parent_handle,
TPM2B_NAME *name,
TPMS_AUTH_RESPONSE *authResponse);
+TPM_RC
+TPM2_LoadExternal (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_SENSITIVE *inPrivate,
+ const TPM2B_PUBLIC *inPublic,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM_HANDLE *objectHandle,
+ TPM2B_NAME *name,
+ TPMS_AUTH_RESPONSE *authResponse);
+
TPM_RC
TPM2_Unseal (const TPMI_DH_OBJECT item_handle,
const TPMS_AUTH_COMMAND *authCommand,
@@ -114,4 +123,52 @@ TPM2_EvictControl (const TPMI_RH_PROVISION auth,
const TPMI_DH_PERSISTENT persistentHandle,
TPMS_AUTH_RESPONSE *authResponse);
+TPM_RC
+TPM2_HashSequenceStart (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_AUTH *auth,
+ const TPMI_ALG_HASH hashAlg,
+ TPMI_DH_OBJECT *sequenceHandle,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_SequenceUpdate (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_SequenceComplete (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *result,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_Hash (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *data,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *outHash,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_VerifySignature (const TPMI_DH_OBJECT keyHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *digest,
+ const TPMT_SIGNATURE *signature,
+ TPMT_TK_VERIFIED *validation,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_PolicyAuthorize (const TPMI_SH_POLICY policySession,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *approvedPolicy,
+ const TPM2B_NONCE *policyRef,
+ const TPM2B_NAME *keySign,
+ const TPMT_TK_VERIFIED *checkTicket,
+ TPMS_AUTH_RESPONSE *authResponse);
+
#endif /* ! GRUB_TPM2_INTERNAL_FUNCTIONS_HEADER */
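Review bot: none of the new prototypes documents which pointer arguments may be NULL, and the implementations in tpm2.c differ: TPM2_SequenceUpdate and TPM2_SequenceComplete return TPM_RC_VALUE for a NULL authCommand, TPM2_HashSequenceStart rejects a NULL auth, while TPM2_Hash, TPM2_VerifySignature and TPM2_PolicyAuthorize treat a NULL authCommand as a sessionless call. A short comment per function listing required and optional arguments would spare callers from reading the implementation.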
--
2.35.3
++++++ 0013-cryptodisk-Support-key-protectors.patch -> 0004-cryptodisk-Support-key-protectors.patch ++++++
++++++ 0004-tpm2-Support-authorized-policy.patch ++++++
From d6e2d32d53d9a1aac2383fc6c075f3827111b643 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin(a)suse.com>
Date: Thu, 6 Apr 2023 16:00:25 +0800
Subject: [PATCH 4/4] tpm2: Support authorized policy
TPM2_PolicyAuthorize is the key command to support authorized policy
which allows the users to sign TPM policies with their own keys.
Per TPM 2.0 Key File(*), CommandPolicy for TPM2_PolicyAuthorize
comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
'TPMT_SIGNATURE signature'. This commit unmarshals those data
structures, fetches the current policy digest, hashes the policy digest
with the hash algorithm written in 'signature', and then verifies
'signature' with 'pubkey'. If everything goes well, TPM2_PolicyAuthorize
is invoked to authorize the signed policy.
(*) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
Signed-off-by: Gary Lin <glin(a)suse.com>
---
grub-core/tpm2/module.c | 98 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 98 insertions(+)
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index 5274296b7..e5235c2ac 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -454,6 +454,101 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
return GRUB_ERR_NONE;
}
+static grub_err_t
+grub_tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION session,
+ struct grub_tpm2_buffer *cmd_buf)
+{
+ TPM2B_PUBLIC pubkey;
+ TPM2B_DIGEST policy_ref;
+ TPMT_SIGNATURE signature;
+ TPM2B_DIGEST pcr_policy;
+ TPM2B_DIGEST pcr_policy_hash;
+ TPMI_ALG_HASH sig_hash;
+ TPMT_TK_VERIFIED verification_ticket;
+ TPM_HANDLE pubkey_handle = 0;
+ TPM2B_NAME pubname;
+ TPM_RC rc;
+ grub_err_t err;
+
+ grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (cmd_buf, &pubkey);
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
+ grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
+ if (cmd_buf->error != 0)
+ {
+ err = GRUB_ERR_BAD_ARGUMENT;
+ return grub_error (err, N_("Failed to unmarshal the buffer for "
+ "TPM2_PolicyAuthorize"));
+ }
+
+ /* Retrieve Policy Digest */
+ rc = TPM2_PolicyGetDigest (session, NULL, &pcr_policy, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ err = GRUB_ERR_BAD_DEVICE;
+ grub_error (err, N_("Failed to get policy digest (TPM error: 0x%x)."),
+ rc);
+ return err;
+ }
+
+ /* Calculate the digest of the polcy for VerifySignature */
+ sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
+ if (sig_hash == TPM_ALG_NULL)
+ {
+ err = GRUB_ERR_BAD_ARGUMENT;
+ grub_error (err, N_("Failed to get the hash algorithm of the signature"));
+ return err;
+ }
+ rc = TPM2_Hash (NULL, (TPM2B_MAX_BUFFER *)&pcr_policy, sig_hash,
+ TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ err = GRUB_ERR_BAD_DEVICE;
+ grub_error (err, N_("Failed to create PCR policy hash (TPM2_Hash failed "
+ "with TSS/TPM error %u)"), rc);
+ return err;
+ }
+
+ /* Load the public key */
+ rc = TPM2_LoadExternal (NULL, NULL, &pubkey, TPM_RH_OWNER,
+ &pubkey_handle, &pubname, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ err = GRUB_ERR_BAD_DEVICE;
+ grub_error (err, N_("Failed to load public key (TPM2_LoadExternal failed "
+ "with TSS/TPM error %u)"), rc);
+ return err;
+ }
+
+ /* Verify the signature against the public key and the policy digest */
+ rc = TPM2_VerifySignature (pubkey_handle, NULL, &pcr_policy_hash, &signature,
+ &verification_ticket, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ err = GRUB_ERR_BAD_DEVICE;
+ grub_error (err, N_("Failed to verify signature (TPM2_VerifySignature "
+ "failed with TSS/TPM error %u)"), rc);
+ goto error;
+ }
+
+ /* Authorize the signed policy with the public key and the verification ticket */
+ rc = TPM2_PolicyAuthorize (session, NULL, &pcr_policy, &policy_ref, &pubname,
+ &verification_ticket, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ err = GRUB_ERR_BAD_DEVICE;
+ grub_error (err, N_("Failed to authorize PCR policy (TPM2_PolicyAuthorize "
+ "failed with TSS/TPM error: 0x%u).\n"), rc);
+ goto error;
+ }
+
+ err = GRUB_ERR_NONE;
+
+error:
+ TPM2_FlushContext (pubkey_handle);
+
+ return err;
+}
+
static grub_err_t
grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION session)
{
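Review bot: grub_tpm2_protector_policyauthorize hashes only pcr_policy before TPM2_VerifySignature, yet passes the unmarshaled policy_ref on to TPM2_PolicyAuthorize. The TPM validates the ticket against a digest taken over approvedPolicy followed by policyRef, so a key file carrying a non-empty policy_ref cannot succeed on this path; either append policy_ref.buffer to the data given to TPM2_Hash or reject policy_ref.size != 0 with a clear error. Smaller points: the last message formats rc as 0x%u (decimal after a hex prefix) where the first TPM error uses 0x%x, the unmarshal failure uses return grub_error (...) while the other paths call grub_error and then return err, and the comment above TPMT_SIGNATURE_get_hash_alg reads "polcy".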
@@ -473,6 +568,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
case TPM_CC_PolicyPCR:
err = grub_tpm2_protector_policypcr (session, &buf);
break;
+ case TPM_CC_PolicyAuthorize:
+ err = grub_tpm2_protector_policyauthorize (session, &buf);
+ break;
default:
return grub_error (GRUB_ERR_BAD_ARGUMENT,
N_("Unknown TPM Command: 0x%x"), policy->cmd_code);
--
2.35.3
++++++ 0014-util-grub-protect-Add-new-tool.patch -> 0005-util-grub-protect-Add-new-tool.patch ++++++
++++ 1411 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/grub2/0014-util-grub-protect-Add-new-tool.patch
++++ and /work/SRC/openSUSE:Factory/.grub2.new.1533/0005-util-grub-protect-Add-new-tool.patch
++++++ grub-read-pcr.patch ++++++
--- /var/tmp/diff_new_pack.3qedkw/_old 2023-04-30 16:07:55.636208002 +0200
+++ /var/tmp/diff_new_pack.3qedkw/_new 2023-04-30 16:07:55.640208026 +0200
@@ -42,7 +42,7 @@
+ pcr = &o->pcrSelections[o->count++];
+ pcr->hash = algo;
+ pcr->sizeOfSelect = 3;
-+ pcr->pcrSelect[TPM2_PCR_TO_SELECT(pcrIndex)] |= TPM2_PCR_TO_BIT(pcrIndex);
++ TPMS_PCR_SELECTION_SelectPCR (pcr, pcrIndex);
+}
+
+struct grub_tpm_hash_info {
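Review bot: pcr->sizeOfSelect is fixed at 3, so only PCR indices 0 to 23 fit in pcrSelect, yet nothing visible in this hunk range-checks pcrIndex before TPMS_PCR_SELECTION_SelectPCR (pcr, pcrIndex) is called. Please confirm that either the caller or the helper rejects pcrIndex >= 24, and that o->count is checked against the capacity of pcrSelections before the o->count++ on the first line of the hunk.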
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package yast2-country for openSUSE:Factory checked in at 2023-04-30 16:07:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-country (Old)
and /work/SRC/openSUSE:Factory/.yast2-country.new.1533 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-country"
Sun Apr 30 16:07:38 2023 rev:238 rq:1082893 version:4.6.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-country/yast2-country.changes 2023-03-30 22:50:58.652481841 +0200
+++ /work/SRC/openSUSE:Factory/.yast2-country.new.1533/yast2-country.changes 2023-04-30 16:07:46.780153974 +0200
@@ -1,0 +2,7 @@
+Thu Apr 20 14:10:19 UTC 2023 - Martin Vidner <mvidner(a)suse.com>
+
+- Cleanup: use "ru" keymap for Russian, not "ruwin_alt-UTF-8"
+ (bsc#1194609)
+- 4.6.2
+
+-------------------------------------------------------------------
Old:
----
yast2-country-4.6.1.tar.bz2
New:
----
yast2-country-4.6.2.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-country.spec ++++++
--- /var/tmp/diff_new_pack.0rVSZ2/_old 2023-04-30 16:07:48.228162808 +0200
+++ /var/tmp/diff_new_pack.0rVSZ2/_new 2023-04-30 16:07:48.232162833 +0200
@@ -17,7 +17,7 @@
Name: yast2-country
-Version: 4.6.1
+Version: 4.6.2
Release: 0
Summary: YaST2 - Country Settings (Language, Keyboard, and Timezone)
License: GPL-2.0-only
++++++ yast2-country-4.6.1.tar.bz2 -> yast2-country-4.6.2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-country-4.6.1/dropping_kbd_legacy.md new/yast2-country-4.6.2/dropping_kbd_legacy.md
--- old/yast2-country-4.6.1/dropping_kbd_legacy.md 2023-03-29 17:07:54.000000000 +0200
+++ new/yast2-country-4.6.2/dropping_kbd_legacy.md 2023-04-26 09:27:58.000000000 +0200
@@ -67,7 +67,7 @@
| Legacy keyboard map | Selected replacement | Other options | Note |
| -------------------- | -------------------- | ------------- | --------- |
| gr | ? | | Greek |
-| ruwin_alt-UTF-8 | ? | | Russian |
+| ru | ? | | Russian |
| tj_alt-UTF8 | ? | | Tajik |
| ua-utf | ? | | Ukrainian |
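Review bot: the edited cell is in the "Legacy keyboard map" column, so after this change the table lists "ru" as a legacy map whose selected replacement is still "?". If "ru" is now the chosen keymap for Russian, as the changelog entry says, the row should either keep ruwin_alt-UTF-8 in the first column with "ru" as the selected replacement, or be dropped from this list of unresolved maps.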
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-country-4.6.1/keyboard/src/lib/y2keyboard/keyboards.rb new/yast2-country-4.6.2/keyboard/src/lib/y2keyboard/keyboards.rb
--- old/yast2-country-4.6.1/keyboard/src/lib/y2keyboard/keyboards.rb 2023-03-29 17:07:54.000000000 +0200
+++ new/yast2-country-4.6.2/keyboard/src/lib/y2keyboard/keyboards.rb 2023-04-26 09:27:58.000000000 +0200
@@ -226,7 +226,7 @@
},
{ "description" => _("Russian"),
"alias" => "russian",
- "code" => "ruwin_alt-UTF-8", # not_in_xkb
+ "code" => "ru", # not_in_xkb
"suggested_for_lang" => ["ru", "ru_RU.KOI8-R"]
},
{ "description" => _("Serbian"),
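Review bot: the "# not_in_xkb" marker on the changed "code" line was carried over unchanged from the ruwin_alt-UTF-8 entry. Please check whether it still applies to "ru" and remove it if not, since a stale marker will mislead whoever next audits which entries lack an XKB counterpart.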
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-country-4.6.1/package/yast2-country.changes new/yast2-country-4.6.2/package/yast2-country.changes
--- old/yast2-country-4.6.1/package/yast2-country.changes 2023-03-29 17:07:54.000000000 +0200
+++ new/yast2-country-4.6.2/package/yast2-country.changes 2023-04-26 09:27:58.000000000 +0200
@@ -1,4 +1,11 @@
-------------------------------------------------------------------
+Thu Apr 20 14:10:19 UTC 2023 - Martin Vidner <mvidner(a)suse.com>
+
+- Cleanup: use "ru" keymap for Russian, not "ruwin_alt-UTF-8"
+ (bsc#1194609)
+- 4.6.2
+
+-------------------------------------------------------------------
Tue Mar 28 20:10:19 UTC 2023 - Josef Reidinger <jreidinger(a)suse.com>
- Replace call to mkinitrd with dracut (bsc#1203019)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-country-4.6.1/package/yast2-country.spec new/yast2-country-4.6.2/package/yast2-country.spec
--- old/yast2-country-4.6.1/package/yast2-country.spec 2023-03-29 17:07:54.000000000 +0200
+++ new/yast2-country-4.6.2/package/yast2-country.spec 2023-04-26 09:27:58.000000000 +0200
@@ -16,7 +16,7 @@
#
Name: yast2-country
-Version: 4.6.1
+Version: 4.6.2
Release: 0
Summary: YaST2 - Country Settings (Language, Keyboard, and Timezone)
License: GPL-2.0-only