

No commits in common. "d9f44b7de7a65e88d5b139360a151cbba591f39c" and "558b88d4f33ab0c987fd31cd758fc2ca674b2cdb" have entirely different histories.

6 changed files with 2 additions and 330 deletions


@ -1,46 +0,0 @@
From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Fri, 21 May 2021 12:22:31 -0500
Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
tpm2_import used a fixed AES key for the inner wrapper, which means that
a MITM attack would be able to unwrap the imported key. Even the
use of an encrypted session will not prevent this. The TPM only
encrypts the first parameter which is the fixed symmetric key.
To fix this, ensure the key size is 16 bytes or bigger and use
OpenSSL to generate a secure random AES key.
Fixes: #2738
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
tools/tpm2_import.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
index cfb6f20..f44326c 100644
--- a/tools/tpm2_import.c
+++ b/tools/tpm2_import.c
@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
TPM2B_DATA enc_sensitive_key = {
.size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
};
- memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
+
+ if(enc_sensitive_key.size < 16) {
+ LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
+ return tool_rc_general_error;
+ }
+
+ int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
+ if (ossl_rc != 1) {
+ LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
+ return tool_rc_general_error;
+ }
/*
* Calculate the object name.
--
1.8.3.1


@ -1,30 +0,0 @@
From c9d57cae9316ab22d37db87a123e9255bfd21112 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 2 May 2024 09:53:57 +0800
Subject: [PATCH] init
---
tools/misc/tpm2_checkquote.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
index ca78238..6d1a9f6 100644
--- a/tools/misc/tpm2_checkquote.c
+++ b/tools/misc/tpm2_checkquote.c
@@ -115,6 +115,13 @@ static bool verify(void) {
goto err;
}
+ // check magic
+ if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
+ LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
+ ctx.attest.magic, TPM2_GENERATED_VALUE);
+ return false;
+ }
+
// Also ensure digest from quote matches PCR digest
if (ctx.flags.pcr) {
if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
--
2.23.0


@ -1,78 +0,0 @@
From accff7c58b4d01aacdb4260b3e2a1e374a2be0df Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 2 May 2024 09:57:07 +0800
Subject: [PATCH] backport CVE-2024-29039
---
tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
index 6d1a9f6..c4fdff6 100644
--- a/tools/misc/tpm2_checkquote.c
+++ b/tools/misc/tpm2_checkquote.c
@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
.pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
};
+static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
+ if (attest_sel->count != pcr_sel->count) {
+ LOG_ERR("Selection sizes do not match.");
+ return false;
+ }
+ for (uint32_t i = 0; i < attest_sel->count; i++) {
+ for (uint32_t j = 0; j < pcr_sel->count; j++) {
+ if (attest_sel->pcrSelections[i].hash ==
+ pcr_sel->pcrSelections[j].hash) {
+ if (attest_sel->pcrSelections[i].sizeofSelect !=
+ pcr_sel->pcrSelections[j].sizeofSelect) {
+ LOG_ERR("Bitmask size does not match");
+ return false;
+ }
+ if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
+ &pcr_sel->pcrSelections[j].pcrSelect[0],
+ attest_sel->pcrSelections[i].sizeofSelect) != 0) {
+ LOG_ERR("Selection bitmasks do not match");
+ return false;
+ }
+ break;
+ }
+ if (j == pcr_sel->count - 1) {
+ LOG_ERR("Hash selections to not match.");
+ return false;
+ }
+ }
+ }
+ return true;
+}
+
static bool verify(void) {
bool result = false;
@@ -381,7 +412,7 @@ static tool_rc init(void) {
}
TPM2B_ATTEST *msg = NULL;
- TPML_PCR_SELECTION pcr_select;
+ TPML_PCR_SELECTION pcr_select = { 0 };
tpm2_pcrs *pcrs;
tpm2_pcrs temp_pcrs;
tool_rc return_value = tool_rc_general_error;
@@ -544,6 +575,14 @@ static tool_rc init(void) {
goto err;
}
+ if (ctx.flags.pcr) {
+ if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
+ &pcr_select)) {
+ LOG_ERR("PCR selection does not match PCR slection from attest!");
+ goto err;
+ }
+ }
+
// Figure out the digest for this message
res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
msg->size, &ctx.msg_hash);
--
2.23.0


@ -1,43 +0,0 @@
From fb1e0d98eca5279bf33304deedd9019b0130393a Mon Sep 17 00:00:00 2001
From: Erik Larsson <who+github@cnackers.org>
Date: Sat, 21 Nov 2020 10:59:13 +0100
Subject: [PATCH] Don't assume end of argv is NULL
On a musl based system argv[optind] && strcmp(...) where optind > argc might read random memory and segfault.
Signed-off-by: Erik Larsson <who+github@cnackers.org>
---
lib/tpm2_options.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/tpm2_options.c b/lib/tpm2_options.c
index e9aaa0364..9fa583c60 100644
--- a/lib/tpm2_options.c
+++ b/lib/tpm2_options.c
@@ -300,7 +300,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
if (argv[optind - 1]) {
if (!strcmp(argv[optind - 1], "--help=no-man") ||
!strcmp(argv[optind - 1], "-h=no-man") ||
- (argv[optind] && !strcmp(argv[optind], "no-man"))) {
+ (argc < optind && !strcmp(argv[optind], "no-man"))) {
manpager = false;
optind++;
/*
@@ -309,7 +309,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
*/
} else if (!strcmp(argv[optind - 1], "--help=man") ||
!strcmp(argv[optind - 1], "-h=man") ||
- (argv[optind] && !strcmp(argv[optind], "man"))) {
+ (argc < optind && !strcmp(argv[optind], "man"))) {
manpager = true;
explicit_manpager = true;
optind++;
@@ -318,7 +318,7 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
* argv[0] = "tool name"
* argv[1] = "--help" argv[2] = 0
*/
- if (!argv[optind] && argc == 2) {
+ if (optind >= argc && argc == 2) {
manpager = false;
} else {
/*


@ -1,109 +0,0 @@
From d6e7e673a6179400b66339bb5f66b0da87006fb1 Mon Sep 17 00:00:00 2001
From: Imran Desai <imran.desai@intel.com>
Date: Tue, 21 Dec 2021 13:53:40 -0700
Subject: [PATCH] lib/tpm2_options.c: clarify return values from string
comparisons
See #2890
Signed-off-by: Imran Desai <imran.desai@intel.com>
---
lib/tpm2_options.c | 58 +++++++++++++++++++++++++++++-----------------
1 file changed, 37 insertions(+), 21 deletions(-)
diff --git a/lib/tpm2_options.c b/lib/tpm2_options.c
index 8c8af2af7..ab6660dc5 100644
--- a/lib/tpm2_options.c
+++ b/lib/tpm2_options.c
@@ -119,8 +119,6 @@ void tpm2_options_free(tpm2_options *opts) {
static bool execute_man(char *prog_name, bool show_errors) {
pid_t pid;
- int status;
-
if ((pid = fork()) < 0) {
LOG_ERR("Could not fork process to execute man, error: %s",
strerror(errno));
@@ -129,7 +127,6 @@ static bool execute_man(char *prog_name, bool show_errors) {
#define MAX_TOOL_NAME_LEN 64
if (pid == 0) {
-
if (!show_errors) {
/* redirect manpager errors to stderr */
int fd = open("/dev/null", O_WRONLY);
@@ -141,29 +138,45 @@ static bool execute_man(char *prog_name, bool show_errors) {
close(fd);
}
+ /*
+ * Handle the case where tpm2 is specified without tool-name or help
+ */
const char *manpage = basename(prog_name);
- if (!strcmp(manpage, "tpm2")) {
- /*
- * Handle the case where tpm2 is specified without tool-name or help
- */
+ bool is_only_tpm2 = (strcmp(manpage, "tpm2") == 0);
+ if (is_only_tpm2) {
execlp("man", "man", "tpm2", NULL);
- } else if (strncmp(manpage, "tpm2_", strlen("tpm2_"))) {
- /*
- * Handle the case where the tool is specified as tpm2< >tool-name
- */
- char man_tool_name[MAX_TOOL_NAME_LEN] = {'t','p','m','2','_'};
- strncat(man_tool_name, manpage,
+ }
+
+ /*
+ * Handle the case where the tool is specified as tpm2< >tool-name
+ */
+ bool is_tpm2_space_toolname =
+ (strncmp(manpage, "tpm2_", strlen("tpm2_")) != 0);
+ if (is_tpm2_space_toolname) {
+ uint8_t toolname_len =
strlen(manpage) < (MAX_TOOL_NAME_LEN - strlen("tpm2_")) ?
- strlen(manpage) : (MAX_TOOL_NAME_LEN - strlen("tpm2_")));
+ strlen(manpage) : MAX_TOOL_NAME_LEN - strlen("tpm2_");
+
+ char man_tool_name[MAX_TOOL_NAME_LEN] = {'t','p','m','2','_'};
+
+ strncat(man_tool_name, manpage, toolname_len);
execlp("man", "man", man_tool_name, NULL);
- } else {
- /*
- * Handle the case where the tool is specified as tpm2<_>tool-name
- */
+ }
+
+ /*
+ * Handle the case where the tool is specified as tpm2<_>tool-name
+ */
+ bool is_tpm2_underscore_toolname =
+ (!is_only_tpm2 && !is_tpm2_space_toolname);
+ if (is_tpm2_underscore_toolname) {
execlp("man", "man", manpage, NULL);
}
- } else {
- if (waitpid(pid, &status, 0) == -1) {
+ }
+
+ if (pid != 0) {
+ int status;
+ bool is_child_process_incomplete = (waitpid(pid, &status, 0) == -1);
+ if (is_child_process_incomplete) {
LOG_ERR("Waiting for child process that executes man failed, error:"
" %s", strerror(errno));
return false;
@@ -524,7 +537,10 @@ tpm2_option_code tpm2_handle_options(int argc, char **argv,
if (!did_manpager) {
tpm2_print_usage(argv[0], tool_opts);
}
- if (tcti_conf_option && strcmp(tcti_conf_option, "none")) {
+
+ bool is_tcti_not_none = tcti_conf_option ?
+ (strcmp(tcti_conf_option, "none") != 0) : false;
+ if (is_tcti_not_none) {
TSS2_TCTI_INFO *info = NULL;
rc_tcti = Tss2_TctiLdr_GetInfo(tcti_conf_option, &info);
if (rc_tcti == TSS2_RC_SUCCESS && info) {


@ -1,22 +1,15 @@
Name: tpm2-tools
Version: 5.0
Release: 6
Release: 1
Summary: A TPM2.0 testing tool based on TPM2.0-TSS
License: BSD
URL: https://github.com/tpm2-software/tpm2-tools
Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz
Patch0: backport-Don-t-assume-end-of-argv-is-NULL.patch
Patch1: backport-CVE-2021-3565.patch
Patch2: backport-clarify-return-values-from-string.patch
Patch3: backport-CVE-2024-29038.patch
Patch4: backport-CVE-2024-29039.patch
BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl)
BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) git libgcrypt
BuildRequires: libgcrypt-devel
BuildRequires: libgcrypt-devel gdb
Requires: tpm2-tss >= 2.3.1
Requires: tpm2-tools-help = %{version}-%{release}
Obsoletes: tpm2-tools <= 2.1.1-2
%description
@ -62,21 +55,6 @@ make check
%{_mandir}/*/*
%changelog
* Thu May 02 2024 cenhuilin <cenhuilin@kylinos.cn> - 5.0-6
- fix CVE-2024-29038 CVE-2024-29039
* Fri Dec 16 2022 jinlun <jinlun@huawei.com> - 5.0-5
- fix build error
* Mon Sep 27 2021 fuanan <fuanan3@huawei.com> - 5.0-4
- fix CVE-2021-3565
* Mon Jul 26 2021 fuanan <fuanan3@huawei.com> - 5.0-3
- Remove redundant gdb from BuildRequires
* Fri Apr 30 2021 Hugel <gengqihu1@huawei.com> - 5.0-2
- fix segmentation fault on tpm2
* Mon Jan 25 2021 panxiaohe <panxiaohe@huawei.com> - 5.0-1
- update to 5.0
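Review bot: The new side of this spec has no Patch0-Patch4 lines and the five .patch files are deleted, so the resulting 5.0-1 build of tpm2-tools carries the fixed 0xFF inner-wrapper key in tpm2_import (CVE-2021-3565, old Patch1), lacks the attest magic and PCR-selection checks in tpm2_checkquote (CVE-2024-29038/29039, old Patch3/Patch4), and reintroduces the argv over-read that Patch0 addressed. Because the page reports no commits in common, this is likely the compare direction (the older branch on the right) rather than an intentional rollback; if the Release: 1 spec really is the target, the dropped 5.0-2 through 5.0-6 changelog entries list exactly which fixes go missing and should be re-applied before it is built. The new `BuildRequires: libgcrypt-devel gdb` line also re-adds the gdb build dependency that the removed 5.0-3 entry recorded as redundant.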