tag | b00837c3cefe3fba087eea1ea0dab078bb4bdafb | |
---|---|---|
tagger | William Roberts <william.c.roberts@intel.com> | Mon Jan 02 09:16:50 2023 -0600 |
object | b827242c15f6343f385eb7e075c9e74096cbb4d6 |
[4.0.0] - 2023-01-02 Fixed - tcti-ldr: Use heap instead of stack when tcti initialize - Fix usage of NULL pointer if Esys_TR_SetAuth is calles with ESYS_TR_NONE. - Conditionally check user/group manipulation commands. - Store VERSION into the release tarball. - When using DESTDIR for make einstall, do not invoke systemd-sysusers and systemd-tmpfiles. - esys_iutil: fix possible NPD. - Tss2_Sys_Flushcontext: flushHandle was encoded as a handleArea handle and not as parameter one, this affected the contents of cpHash. - esys: fix allow usage of HMAC sessions for Esys_TR_FromTPMPublic. - fapi: fix usage of policy_nv with a TPM nv index. - linking tcti for libtpms against tss2-tctildr. It should be linked against tss2-mu. - build: Remove erroneous trailing comma in linker option. Bug #2391. - fapi: fix encoding of complex tpm2bs in authorize nv, duplication select and policy template policies. Now the complex and TPMT or TPMS representations can be used. Bug #2383 - The error message for unsupported FAPI curves was in hex without a leading 0x, make it integer output to clarify. - Documentation that had various scalar out pointers as "callee allocated". - test: build with opaque FILE structure like in musl libc. - Transient endorsement keys were not recreated according to the EK credential profile. - Evict control for a persistent EK failed during provisioning if an auth value for the storage hierarchy was set. - The authorization of the storage hierarchy is now added. Fixes FAPI: Provisioning error if an auth value is needed for the storage hierarchy #2438. - Usage of a second profile in a path was not possible because the default profile was always used. - The setting of an empty auth value for Fapi_Provision was fixed. - JSON encoding of a structure TPMS_POLICYAUTHORIZATION used the field keyPEMhashAlg instead of hashAlg as defined in "TCG TSS 2.0 JSON Data Types and Policy Language Specification". Rename to hashAlg but preserve support for reading keyPEMhashAlg for backwards compatibility. - fapi: PolicySecret did not work with keys as secret object. - Esys_PCR_SetAuthValue: remembers the auth like other SetAutg ESAPI functions. - tests: esys-pcr-auth-value.int moved to destructive tests. - FAPI: Fix double free if keystore is corrupted. - Marshaling of TPMU_CAPABILITIES data, only field intelPttProperty was broken before.a - Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string. This is API breaking but considered a bug since it deviated from the FAPI spec. - FAPI: undefined reference to curl_url_strerror when using curl less than 7.80.0. - FAPI: Fixed support for EK templates in NV inidices per the spec, see #2518 for details. - FAPI: fix NPD in ifapi_curl logging. - FAPI: Improve documentation fapi-profile - FAPI: Fix CURL HTTP handling. - FAPI: Return FAPI_RC_IO_ERROR if a policy does not exist in keystore. Added - TPM version 1.59 support. - ci: ubuntu-22.04 added. - mbedTLS 3.0 is supported by ESAPI. - Add CreationHash to JSON output for usage between applications not using the FAPI keystore, like command line tools. - Reduced code size for SAPI. - Support for Runtime Switchable ESAPI Crypto Backend via `Esys_SetCryptoCallbacks`. - Testing for TCG EK Credential Profile TPM 2.0, Version 2.4 Rev. 3, 2021 for the low and high address range of EK templates. - tss2-rc: Tss2_RC_DecodeInfo function for parsing TSS2_RC into the various bit fields. - FAPI support for P_ECC384 profile. - tss2-rc: Tss2_RC_DecodeInfoError: Function to get a human readable error from a TSS2_RC_INFO returned by Tss2_RC_DecodeInfo - tcti: Generic SPI driver, implementors only need to connect to acquire/release, transmit/receive, and sleep/timeout functions. - FAPI: Add event logging for Firmware and IMA Events. See #2170 for details. - FAPI: Fix Fapi_ChangeAuth updates on hierarchy objects not being reflected across profiles. - FAPI: Allow keyedhash keys in PolicySigned. - ESAPI: Support sha512 for mbedtls crypto backend. - TPM2B_MAX_CAP_BUFFER and mu routines - vendor field to TPMU_CAPABILTIIES - FAPI: support for PolicyTemplate Changed - libmu soname from 0:0:0 to 0:1:0. - tss2-sys soname from 1:0:0 to 1:1:0 - tss2-esys: from 0:0:0 to 0:1:0 - FAPI ignores vendor properties on Fapi_GetInfo - FAPI Event Logging JSON format, See #2170 for details. Removed - Dead struct TPMS_ALGORITHM_DESCRIPTION - Dead field intelPttProperty from TPMU_CAPABILITIES - Dead code Tss2_MU_TPMS_ALGORITHM_DESCRIPTION_Marshal - Dead code Tss2_MU_TPMS_ALGORITHM_DESCRIPTION_Unmarshal
commit | b827242c15f6343f385eb7e075c9e74096cbb4d6 | [log] [tgz] |
---|---|---|
author | William Roberts <william.c.roberts@intel.com> | Mon Jan 02 09:13:37 2023 -0600 |
committer | William Roberts <william.c.roberts@intel.com> | Mon Jan 02 09:16:46 2023 -0600 |
tree | 1060c3d9e7f6f31ebccdc268358bf5edd3337d18 | |
parent | edcebaaf4b1407ef21f7737c2f6adb4f67c59c60 [diff] |
CHANGELOG: update to 4.0.0 Signed-off-by: William Roberts <william.c.roberts@intel.com>
This repository hosts source code implementing the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS). This stack consists of the following layers from top to bottom:
Instructions to build and install tpm2-tss are available in the INSTALL file.
If you're looking to discuss the source code in this project or get some questions answered you should join the 01.org TPM2 mailing list:
We also have an IRC channel set up on FreeNode called #tpm2.0-tss. You can also try Gitter
You can join a weekly online call at TPM.dev, where we are discussing the tpm2-tss stack, the tpm2-pkcs11 project and other Linux TPM2 & TSS2-Software.
In case you want to contribute to the project, please also have a look at the Contribution Guidelines.
The doxygen documentation can either be built by oneself (see the INSTALL file) or browsed directly on tpm2-tss.readthedocs.io.
This repository contains a test suite intended to exercise the TCTI, SAPI and ESAPI code. This test suite is not intended to test a TPM implementation, so this test suite should only be run against a TPM simulator. If this test suite is executed against a TPM other than the software simulator it may cause damage to the TPM (NV storage wear out, etc.). You have been warned.
The TPM library specification contains reference code sufficient to construct a software TPM 2.0 simulator. This code was provided by Microsoft and they provide a binary download for Windows here.
There are two implementations that enable building and running this code on Linux. Issues building or running the simulator should be reported to respective project.
The Software TPM is an open-source TPM emulator with different front-end interfaces such as socket and character device. Its code is hosted on GitHub and building is faciliated by the GNU Autotools. The TCTI module for using this simulator is called swtpm.
Since tpm2-tss v3.0 swtpm is the default simulator used by this project.
IBM has also repackaged this code with a few Makefiles so that the Microsoft code can be built and run on Linux systems. The Linux version of the Microsoft TPM 2.0 simulator can be obtained on SourceForge. Once you've downloaded and successfully built and execute the simulator it will, by default, be accepting connections on the localhost, TCP ports 2321 and 2322. The TCTI module for using this simulator is called mssim.
To test the various TCTI, SAPI and ESAPI api calls, unit and integration tests can be run by configuring the build to enable unit testing and running the “check” build target. It is recommended to use a simulator for testing, and the simulator will be automatically launched by the tests. Please review the dependency list in INSTALL for dependencies when building the test suite.
$ ./configure --enable-unit --enable-integration $ make -j$(nproc) check
This will generate a file called “test-suite.log” in the root of the build directory.
Please report failures in a Github ‘issue’ with a full log of the test run.
NOTE: The unit and integration tests can be enabled independently. The --enable-unit option controls unit tests, and --enable-integration controls the integration tests.
To run integration tests on a physical TPM device, including a TPM hardware or a software TPM implemented in platform firmware the configure script provides two options. The first option is called --with-device and it is used to point to the TPM device interface exposed by the OS, for example:
$ ./configure --with-device=/dev/tpm0
The second option, --with-devicetests, enables a “class” of test. There are three classes:
For example to enable both mandatory and optional test cases during configure one needs to set this flag as follows:
$ ./configure --with-devicetests="mandatory,optional"
Tht default value for the flag is “mandatory” Any combination of the three is valid. The two flags are only valid when the integration tests are enabled with --enable-integration flag.
After that the following command is used to run the test on the configured TPM device:
$ sudo make check-device
or
$ sudo make check -j 1
Note: The tests can not be run in paralel.
The unit and integration tests can be run under the valgrind tool, which performs additional checks on the library and test code, such as memory leak checks etc. The following command is used to run the tests under valgrind:
$ make check-valgrind
This command will enable all valgrind “tools” and kick off as many test as they support. It is possible to enable different valgrind tools (checks) in more granularity. This can be controlled by invoking different tools separately using check-valgrind-<tool>, for instance:
$ make check-valgrind-memcheck
or
$ make check-valgrind-drd
Currently the the following tools are supported:
memcheck - Performs memory related checks. This is the default tool. helgrind - Performs synchronization errors checks. drd - Performs thread related checks. sgcheck - Performs stack overrun related checks.
Note that the valgring tool can also be invoked manually using the standard libtool:
$ libtool exec valgrind --tool=memcheck --leak-check=full \ test/integration/esys-auto-session-flags.int
This allows for more control on what checks are performed.
While investigating issues it might be helpful to enable extra debug/trace output. It can be enabled separately for different components. The description how to do this can be found in the logging file.
All system API function calls can be tested using a fuzzing library. The description how to do this can be found in the fuzzing file.
SAPI library, TAB/RM, and Test Code Block Diagram:
|-- doc : various bits of documentation\ |-- include : header files installed in $(includedir)\ | +-- tss2 : all public headers for this project\ |-- lib : data files used by the build or installed into $(libdir)\ |-- m4 : autoconf support macros\ |-- man : man pages\ |-- script : scripts used by the build or CI\ |-- src : all source files\ | |-- tss2-esys : enhanced system API (ESAPI) implementation\ | | +-- api : ESAPI TPM API implementation\ | |-- tss2-mu : TPM2 type marshaling/unmarshaling (MU) API implementation\ | |-- tss2-sys : system API (SAPI) implementation\ | | +-- api : SAPI public API implementation\ | |-- tss2-tcti : TCTI implementations for device and mssim\ | +-- util : Internal utility library (e.g. logging framework)\ +-- test : test code\ |-- integration : integration test harness and test cases\ |-- tpmclient : monolithic, legacy test application\ +-- unit : unit tests