heads/patches/tpm2-tools-5.2.patch

diff --git a/Makefile.am b/Makefile.am
index 7132215..32e2193 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -93,7 +93,7 @@ tss2_tools = \
 
 # Bundle all the tools into a single program similar to busybox
 bin_PROGRAMS += tools/tpm2
-tools_tpm2_LDADD = $(LDADD) $(CURL_LIBS)
+tools_tpm2_LDADD = $(LDADD)
 tools_tpm2_CFLAGS = $(AM_CFLAGS) -DTPM2_TOOLS_MAX="$(words $(tpm2_tools))"
 tools_tpm2_SOURCES = \
 	tools/tpm2_tool.c \
@@ -127,7 +127,6 @@ tpm2_tools = \
     tools/tpm2_encryptdecrypt.c \
     tools/tpm2_evictcontrol.c \
     tools/tpm2_flushcontext.c \
-    tools/tpm2_getekcertificate.c \
     tools/tpm2_getrandom.c \
     tools/tpm2_gettime.c \
     tools/tpm2_hash.c \
diff --git a/configure.ac b/configure.ac
index f1c1711..7279baa 100644
--- a/configure.ac
+++ b/configure.ac
@@ -59,7 +59,6 @@ PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])
 PKG_CHECK_MODULES([TSS2_RC], [tss2-rc])
 PKG_CHECK_MODULES([TSS2_SYS], [tss2-sys])
 PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])
-PKG_CHECK_MODULES([CURL], [libcurl])
 
 # pretty print of devicepath if efivar library is present
 PKG_CHECK_MODULES([EFIVAR], [efivar],,[true])
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities 2022-08-25 18:43:31 +00:00			`diff --git a/Makefile.am b/Makefile.am`
tpm2-tools: Remove curl dependency The actual use of curl was already removed, update tpm2-tools patch to also remove the check for curl. Remove the curl module and CONFIG_CURL. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> 2023-02-21 22:15:09 +00:00			`index 7132215..32e2193 100644`
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities 2022-08-25 18:43:31 +00:00			`--- a/Makefile.am`
			`+++ b/Makefile.am`
			`@@ -93,7 +93,7 @@ tss2_tools = \`

			`# Bundle all the tools into a single program similar to busybox`
			`bin_PROGRAMS += tools/tpm2`
			`-tools_tpm2_LDADD = $(LDADD) $(CURL_LIBS)`
			`+tools_tpm2_LDADD = $(LDADD)`
			`tools_tpm2_CFLAGS = $(AM_CFLAGS) -DTPM2_TOOLS_MAX="$(words $(tpm2_tools))"`
			`tools_tpm2_SOURCES = \`
			`tools/tpm2_tool.c \`
			`@@ -127,7 +127,6 @@ tpm2_tools = \`
			`tools/tpm2_encryptdecrypt.c \`
			`tools/tpm2_evictcontrol.c \`
			`tools/tpm2_flushcontext.c \`
			`- tools/tpm2_getekcertificate.c \`
			`tools/tpm2_getrandom.c \`
			`tools/tpm2_gettime.c \`
			`tools/tpm2_hash.c \`
tpm2-tools: Remove curl dependency The actual use of curl was already removed, update tpm2-tools patch to also remove the check for curl. Remove the curl module and CONFIG_CURL. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> 2023-02-21 22:15:09 +00:00			`diff --git a/configure.ac b/configure.ac`
			`index f1c1711..7279baa 100644`
			`--- a/configure.ac`
			`+++ b/configure.ac`
			`@@ -59,7 +59,6 @@ PKG_CHECK_MODULES([TSS2_MU], [tss2-mu])`
			`PKG_CHECK_MODULES([TSS2_RC], [tss2-rc])`
			`PKG_CHECK_MODULES([TSS2_SYS], [tss2-sys])`
			`PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])`
			`-PKG_CHECK_MODULES([CURL], [libcurl])`

			`# pretty print of devicepath if efivar library is present`
			`PKG_CHECK_MODULES([EFIVAR], [efivar],,[true])`