#1 tpm-tools: Fix tpm_version output and clean up manpages
Opened 18 days ago by snits. Modified 18 days ago
rpms/ snits/tpm-tools rebase  into  master

@@ -0,0 +1,232 @@ 

+ From 65ca7418b9a884bb5271e602cf63fc8845397988 Mon Sep 17 00:00:00 2001

+ From: Jerry Snitselaar <jsnitsel@redhat.com>

+ Date: Sun, 27 Jan 2019 21:55:19 -0700

+ Subject: [PATCH] man: manpage cleanup

+ 

+ tpm_restrictsrk and tpm_unsealdata are missing manpages.

+ Add missing options to tpm_nvdefine and tpm_setpresence.

+ 

+ Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>

+ ---

+  man/man1/Makefile.am       |  1 +

+  man/man1/tpm_unsealdata.1  | 60 +++++++++++++++++++++++++++++++++

+  man/man8/Makefile.am       |  1 +

+  man/man8/tpm_nvdefine.8    | 13 ++++++--

+  man/man8/tpm_restrictsrk.8 | 68 ++++++++++++++++++++++++++++++++++++++

+  man/man8/tpm_setpresence.8 |  3 ++

+  6 files changed, 144 insertions(+), 2 deletions(-)

+  create mode 100644 man/man1/tpm_unsealdata.1

+  create mode 100644 man/man8/tpm_restrictsrk.8

+ 

+ diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am

+ index ff8b571..f833363 100644

+ --- a/man/man1/Makefile.am

+ +++ b/man/man1/Makefile.am

+ @@ -22,6 +22,7 @@

+  #

+  

+  man1_MANS	=	tpm_sealdata.1		\

+ +			tpm_unsealdata.1	\

+  			tpm_version.1

+  if P11_SUPPORT

+  man1_MANS	+=	tpmtoken_init.1		\

+ diff --git a/man/man1/tpm_unsealdata.1 b/man/man1/tpm_unsealdata.1

+ new file mode 100644

+ index 0000000..80e8f12

+ --- /dev/null

+ +++ b/man/man1/tpm_unsealdata.1

+ @@ -0,0 +1,60 @@

+ +.\" Copyright (C) 2019 International Business Machines Corporation

+ +.\"

+ +.de Sh \" Subsection

+ +.br

+ +.if t .Sp

+ +.ne 5

+ +.PP

+ +\fB\\$1\fR

+ +.PP

+ +..

+ +.de Sp \" Vertical space (when we can't use .PP)

+ +.if t .sp .5v

+ +.if n .sp

+ +..

+ +.de Ip \" List item

+ +.br

+ +.ie \\n(.$>=3 .ne \\$3

+ +.el .ne 3

+ +.IP "\\$1" \\$2

+ +..

+ +.TH "tpm_unsealdata" 1 "2019-01-27"  "TPM Management"

+ +.ce 1

+ +TPM Management - tpm_unsealdata

+ +.SH NAME

+ +tpm_unsealdata \- unseal input data with the SRK of the system's TPM

+ +.SH "SYNOPSIS"

+ +.ad l

+ +.hy 0

+ +.B tpm_unsealdata

+ +.RB [ OPTION ]

+ +

+ +.SH "DESCRIPTION"

+ +.PP

+ +\fBtpm_unsealdata\fR unseals sensitive data that was sealed the SRK of the system's TPM.

+ +

+ +.TP

+ +\fB\-h\fR, \fB\-\-help\fR

+ +Display command usage info.

+ +.TP

+ +\fB-v\fR, \fB\-\-version\fR

+ +Display command version info.

+ +.TP

+ +\fB-l\fR, \fB\-\-log\fR [none|error|info|debug]

+ +Set logging level.

+ +.TP

+ +\fB-i\fR, \fB\-\-infile FILE\fR

+ +File containing data to unseal.

+ +.TP

+ +\fB-o\fR, \fB\-\-outfile FILE\fR

+ +Filename to write unsealed data to.  Default is STDOUT.

+ +.TP

+ +\fB-z\fR, \fB\-\-well-known\fR

+ +Use TSS_WELL_KNOWN_SECRET (20 zero bytes) as the SRK password. You will not be prompted for the SRK password with this option.

+ +

+ +.SH "SEE ALSO"

+ +.PP

+ +\fBtpm_sealdata\fR(1), \fBtpmUnsealFile\fR(3)

+ +

+ +.SH "REPORTING BUGS"

+ +Report bugs to <trousers-users@lists.sourceforge.net>

+ diff --git a/man/man8/Makefile.am b/man/man8/Makefile.am

+ index b38ac18..487a4c8 100644

+ --- a/man/man8/Makefile.am

+ +++ b/man/man8/Makefile.am

+ @@ -36,6 +36,7 @@ man8_MANS =	tpm_changeownerauth.8	\

+  		tpm_createek.8		\

+  		tpm_getpubek.8		\

+  		tpm_restrictpubek.8	\

+ +		tpm_restrictsrk.8	\

+  		tpm_selftest.8		\

+  		tpm_setactive.8		\

+  		tpm_setclearable.8	\

+ diff --git a/man/man8/tpm_nvdefine.8 b/man/man8/tpm_nvdefine.8

+ index 13edb78..0eecc2a 100644

+ --- a/man/man8/tpm_nvdefine.8

+ +++ b/man/man8/tpm_nvdefine.8

+ @@ -161,8 +161,8 @@ using \s-1TSS\s0 popup boxes

+  .IP "\fB\-y, \-\-owner\-well\-known\fR" 4

+  .IX Item "-y, --owner-well-known"

+  Use a secret of all zeros (20 bytes of zeros) as the owner's secret.

+ -.IP "\fB\-z, \-\-area\-well\-known\fR" 4

+ -.IX Item "-z, --area-well-known"

+ +.IP "\fB\-z, \-\-data\-well\-known\fR" 4

+ +.IX Item "-z, --data-well-known"

+  Use a secret of all zeros (20 bytes of zeros) as the \s-1NVRAM\s0 area's secret.

+  .IP "\fB\-o, \-\-pwdo\fR (optional parameter)" 4

+  .IX Item "-o, --pwdo (optional parameter)"

+ @@ -189,6 +189,15 @@ To select the \s-1NVRAM\s0 area with index 0x100, the command line parameter sho

+  .IX Item "-s, --size"

+  The size of the \s-1NVRAM\s0 area.

+  The parameter must either be a decimal number or a hexadecimal number starting with '0x'.

+ +.IP "\fB\-r, \-\-rpcsr\fR" 4

+ +.IX Item "-r, --rpcrs"

+ +PCRs to seal the NVRAM area to for reading (use multiple times)

+ +.IP "\fB\-w, \-\-wpcrs\fR" 4

+ +.IX Item "-w, --wpcrs"

+ +PCRs to seal the NVRAM area to for writing (use multiple times)

+ +.IP "\fB\-f, \-\-filename\fR" 4

+ +.IX Item "-f, --filename"

+ +File containing PCR info for the NVRAM area.

+  .IP "\fB\-p, \-\-permissions\fR" 4

+  .IX Item "-p, --permissions"

+  The access permissions associated with the \s-1NVRAM\s0 area.

+ diff --git a/man/man8/tpm_restrictsrk.8 b/man/man8/tpm_restrictsrk.8

+ new file mode 100644

+ index 0000000..7935b7b

+ --- /dev/null

+ +++ b/man/man8/tpm_restrictsrk.8

+ @@ -0,0 +1,68 @@

+ +.\" Copyright (C) 2019 International Business Machines Corporation

+ +.\"

+ +.de Sh \" Subsection

+ +.br

+ +.if t .Sp

+ +.ne 5

+ +.PP

+ +\fB\\$1\fR

+ +.PP

+ +..

+ +.de Sp \" Vertical space (when we can't use .PP)

+ +.if t .sp .5v

+ +.if n .sp

+ +..

+ +.de Ip \" List item

+ +.br

+ +.ie \\n(.$>=3 .ne \\$3

+ +.el .ne 3

+ +.IP "\\$1" \\$2

+ +..

+ +.TH "tpm_restrictsrk" 8 "2019-01-27"  "TPM Management"

+ +.ce 1

+ +TPM Management - tpm_restrictsrk

+ +.SH NAME

+ +tpm_restrictsrk \- restrict the ability to access the Storage Root Key

+ +.SH "SYNOPSIS"

+ +.ad l

+ +.hy 0

+ +.B tpm_restrictsrk

+ +.RB [ OPTION ]

+ +

+ +.SH "DESCRIPTION"

+ +.PP

+ +\fBtpm_restrictsrk\fR reports the status of who can access the Storage Root Key.  This is the default behavior and also available with the \fB\-\-status\fR option.

+ +This operation will be in effect until the owner is cleared and prompts for the owner passord.  With the \fB\-\-restrict\fR option, the ability to access the Storage Root Key is resticted to the owner.

+ +The command prompts for the owner password to complete the operation.  The \fB\-\-allow\fR and \fB\-\-restrict\fR options are mutually exclusive and the last one on the command line will be carried out.

+ +

+ +.TP

+ +\fB\-h\fR, \fB\-\-help\fR

+ +Display command usage info.

+ +.TP

+ +\fB-v\fR, \fB\-\-version\fR

+ +Display command version info.

+ +.TP

+ +\fB-l\fR, \fB\-\-log\fR [none|error|info|debug]

+ +Set logging level.

+ +.TP

+ +\fB-u\fR, \fB\-\-unicode\fR

+ +Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes

+ +.TP

+ +\fB-a\fR, \fB\-\-allow\fR

+ +Allow SRK read access using SRK auth

+ +.TP

+ +\fB-s\fR, \fB\-\-status\fR

+ +Display the status of who can access the Storage Root Key

+ +.TP

+ +\fB-r\fR, \fB\-\-restrict\fR

+ +Restrict SRK read to owner only

+ +.TP

+ +\fB-z\fR, \fB\-\-well-known\fR

+ +Authenticate using 20 bytes of zeros as owner password (the default TSS Well Known Secret), instead of prompting for an owner password.

+ +

+ +.SH "SEE ALSO"

+ +.PP

+ +\fBtpm_version\fR(1), \fBtpm_takeownership\fR(8), \fBtcsd\fR(8)

+ +

+ +.SH "REPORTING BUGS"

+ +Report bugs to <trousers-users@lists.sourceforge.net>

+ diff --git a/man/man8/tpm_setpresence.8 b/man/man8/tpm_setpresence.8

+ index a04c70f..96670e0 100644

+ --- a/man/man8/tpm_setpresence.8

+ +++ b/man/man8/tpm_setpresence.8

+ @@ -46,6 +46,9 @@ Set logging level.

+  \fB-u\fR, \fB\-\-unicode\fR

+  Use TSS UNICODE encoding for passwords to comply with applications using TSS popup boxes

+  .TP

+ +\fB-s\fR, \fB\-\-status\fR

+ +Report current physical presence states.

+ +.TP

+  \fB-a\fR, \fB\-\-assert\fR

+  Assert that an admin is physically present at the machine.

+  .TP

+ -- 

+ 2.20.1.98.gecbdaf0899

+ 

@@ -0,0 +1,29 @@ 

+ From d11a2d62797e6794105470c1dd5f99017d9484e3 Mon Sep 17 00:00:00 2001

+ From: Jerry Snitselaar <jsnitsel@redhat.com>

+ Date: Sun, 27 Jan 2019 23:17:02 -0700

+ Subject: [PATCH] tpm-tools: fix outdated function signature in tpmUnsealFile

+  manpage

+ 

+ The tpmUnsealFile manpage hasn't been updated with changes to tpmUnsealFile.

+ 

+ Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>

+ ---

+  man/man3/tpmUnsealFile.3 | 2 +-

+  1 file changed, 1 insertion(+), 1 deletion(-)

+ 

+ diff --git a/man/man3/tpmUnsealFile.3 b/man/man3/tpmUnsealFile.3

+ index 1fda48f..c362298 100644

+ --- a/man/man3/tpmUnsealFile.3

+ +++ b/man/man3/tpmUnsealFile.3

+ @@ -28,7 +28,7 @@ tpmUnsealFile, tpmUnsealShred, tpmUnsealStrerror - unseal routines

+  .hy 0

+  .B #include <tpm_unseal/tpm_unseal.h>

+  .sp

+ -.B int tpmUnsealFile(char* file, char** data, int* size);

+ +.B int tpmUnsealFile(char* fname, char** tss_data, int* tss_size, BOOL srkWellKnown);

+  .br

+  .B void tpmUnsealShred(char* data, int size);

+  .br

+ -- 

+ 2.20.1.98.gecbdaf0899

+ 

@@ -0,0 +1,54 @@ 

+ From c927f67f36a4719bd15b8a535efb6980f1e87a6b Mon Sep 17 00:00:00 2001

+ From: Matthias Gerstner <matthias.gerstner@suse.de>

+ Date: Fri, 30 Nov 2018 12:48:37 +0100

+ Subject: [PATCH] tpm_version: avoid outputting NULL bytes from tpmVendorID

+ 

+ When the vendor ID contains null bytes then '^@' characters appear in

+ the tpm_version output. This can confuse users and it also causes e.g.

+ 'grep' to treat the input as binary. Example:

+ 

+   TPM Vendor ID:       WEC\000

+ 

+ This change copies the vendor ID bytes over into a local string object.

+ This makes the code more independent of the vendor ID dimension and also

+ avoids NULL bytes being printed.

+ ---

+  src/tpm_mgmt/tpm_version.c | 9 ++++++---

+  1 file changed, 6 insertions(+), 3 deletions(-)

+ 

+ diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c

+ index 1019b71..78b78e8 100644

+ --- a/src/tpm_mgmt/tpm_version.c

+ +++ b/src/tpm_mgmt/tpm_version.c

+ @@ -133,6 +133,7 @@ int cmdVersion(const char *a_szCmd)

+  		UINT64 offset;

+  		TSS_RESULT uiResult;

+  		TPM_CAP_VERSION_INFO versionInfo;

+ +		char vendor_id[sizeof(versionInfo.tpmVendorID)+1];

+  		char *errbuf = NULL; // Buffer containing what was sent to stderr during getCapability.

+  

+  		/* Disable logging to of "Bad Mode" during this call. 

+ @@ -169,15 +170,17 @@ int cmdVersion(const char *a_szCmd)

+  			goto out_close;

+  		}

+  

+ +		// copy over the individual characters into a regular string.

+ +		// This avoids that null bytes are written to stdout.

+ +		snprintf ( vendor_id, sizeof(vendor_id), "%s", (const char*)versionInfo.tpmVendorID );

+ +

+  		logMsg(_("  TPM 1.2 Version Info:\n"));

+  		logMsg(_("  Chip Version:        %hhu.%hhu.%hhu.%hhu\n"),

+  		       versionInfo.version.major, versionInfo.version.minor,

+  		       versionInfo.version.revMajor, versionInfo.version.revMinor);

+  		logMsg(_("  Spec Level:          %hu\n"), versionInfo.specLevel);

+  		logMsg(_("  Errata Revision:     %hhu\n"), versionInfo.errataRev);

+ -		logMsg(_("  TPM Vendor ID:       %c%c%c%c\n"),

+ -		       versionInfo.tpmVendorID[0], versionInfo.tpmVendorID[1],

+ -		       versionInfo.tpmVendorID[2], versionInfo.tpmVendorID[3]);

+ +		logMsg(_("  TPM Vendor ID:       %s\n"), vendor_id);

+  

+  		if (versionInfo.vendorSpecificSize) {

+  			logMsg(_("  Vendor Specific data: "));

+ -- 

+ 2.18.1

+ 
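Review bot: The new `snprintf ( vendor_id, sizeof(vendor_id), "%s", (const char*)versionInfo.tpmVendorID )` bounds the write but not the read: `tpmVendorID` is a fixed-size byte array (the removed `%c%c%c%c` lines index [0]..[3] and the new local is declared `sizeof(versionInfo.tpmVendorID)+1`), so a vendor ID that uses all of its bytes with no NUL makes `%s` scan past the array into whatever follows it in the struct until a zero byte turns up. The output is still cut to the right length, but the over-read is undefined behaviour that the pre-patch form never had. Bounding the read explicitly keeps the NUL-stripping behaviour the commit wants: `snprintf(vendor_id, sizeof(vendor_id), "%.*s", (int)sizeof(versionInfo.tpmVendorID), (const char *)versionInfo.tpmVendorID);`. Non-printable bytes in the ID still pass through to stdout unchanged, which may be acceptable for a vendor ID but deserves a comment. cmdVersion starts and ends outside the hunk.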

@@ -0,0 +1,38 @@ 

+ From f0f30ff3e3b08751ebb8524303d80b6e94882134 Mon Sep 17 00:00:00 2001

+ From: Matthias Gerstner <matthias.gerstner@suse.de>

+ Date: Fri, 30 Nov 2018 13:17:01 +0100

+ Subject: [PATCH] tpm_version: avoid outputting undefined data on stderr

+ 

+ If there was no data written to the temporary file then memsize == 1, no

+ data will be read from the file into the buffer and the buffer will not

+ be null terminated. This can cause random data to be output later on to

+ the original stderr like:

+ 

+ '#precedence ::ffff:0:0/'

+ 

+ or

+ 

+ 'xl?8?'

+ 

+ Fix this by making sure the buffer is always zero terminated.

+ ---

+  src/tpm_mgmt/tpm_version.c | 3 +++

+  1 file changed, 3 insertions(+)

+ 

+ diff --git a/src/tpm_mgmt/tpm_version.c b/src/tpm_mgmt/tpm_version.c

+ index 78b78e8..e563a8c 100644

+ --- a/src/tpm_mgmt/tpm_version.c

+ +++ b/src/tpm_mgmt/tpm_version.c

+ @@ -99,6 +99,9 @@ char* end_capture_stderr(int olderr)

+      perror("read()");

+    }

+  

+ +  // make sure the buffer is null terminated.

+ +  buf[st.st_size] = '\0';

+ +

+    // Restore stderr.

+   errout:

+    if (0 > dup2(olderr, STDERR_FILENO)) {

+ -- 

+ 2.18.1

+ 
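Review bot: `buf[st.st_size] = '\0';` terminates at the file size rather than at what read() actually returned, so on a short read — or on the failed read() that the preceding `perror("read()");` branch appears to fall through from rather than exit via errout — the bytes between the read count and st_size are still uninitialised and still reach the original stderr, which is the symptom the commit sets out to fix. Terminating at the read() return value, clamped to 0 when it is negative, closes that case; the variable holding that return value is not visible in this hunk. The write also relies on buf having been allocated with st.st_size + 1 bytes — the commit message's `memsize == 1` suggests so, but the allocation is outside the hunk — so a comment at the allocation site such as `/* +1: end_capture_stderr() writes the terminator at buf[st.st_size] */` would tie the two together. end_capture_stderr starts outside the hunk.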

file modified
+11 -1

@@ -1,7 +1,7 @@ 

  Name:             tpm-tools

  Summary:          Management tools for the TPM hardware

  Version:          1.3.9

- Release:          7%{?dist}

+ Release:          8%{?dist}

  License:          CPL

  URL:              http://trousers.sourceforge.net

  Source0:          http://downloads.sourceforge.net/trousers/%{name}-%{version}.tar.gz

@@ -10,6 +10,12 @@ 

  Patch0001:        0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch

  Patch0002:        0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch

  Patch0003:        0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch

+ # Patches 4 & 5 submitted upstream by SUSE

+ Patch0004:        0001-tpm_version-avoid-outputting-NULL-bytes-from-tpmVend.patch

+ Patch0005:        0001-tpm_version-avoid-outputting-undefined-data-on-stder.patch

+ # submitted upstream

+ Patch0006:        0001-man-manpage-cleanup.patch

+ Patch0007:        0001-tpm-tools-fix-outdated-function-signature-in-tpmUnse.patch

  

  %description

  tpm-tools is a group of tools to manage and utilize the Trusted Computing
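Review bot: The provenance comments on the new Patch0004–Patch0007 lines (`# Patches 4 & 5 submitted upstream by SUSE`, `# submitted upstream`) carry no upstream reference, so a later packager cannot tell whether each patch was merged, rejected or reworked before rebasing. Recording the mailing-list post or upstream commit in the comment, e.g. `# Submitted upstream: <URL or commit id>`, keeps the backports auditable; for Patch0004 and Patch0005 it is also worth noting that the patch headers as added here carry no Signed-off-by trailer. The %prep section that applies these Patch lines is outside this hunk, so whether %autosetup or explicit %patch lines pick up the new numbers cannot be confirmed from here.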

@@ -70,6 +76,10 @@ 

  %{_mandir}/man3/tpmUnseal*

  

  %changelog

+ * Tue Nov 19 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1.3.9-8

+ - tpm_version fix

+ - manpage cleanups

+ 

  * Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.9-7

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild