!85 删除spec文件中多余参数

From: @shen-chenbang 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001

0001-FAPI-Skip-test-fapi-fix-provisioning-with-template-i.patch

@@ -0,0 +1,91 @@
+From d5a956fab36b3d5780b4f0fcd325d0f84bddb7b6 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Wed, 22 Mar 2023 10:54:59 +0100
+Subject: [PATCH] FAPI: Skip test fapi-fix-provisioning-with template if no
+ certificate is available.
+
+If the configure option --enable-self-generated-certificate is not used this
+test can't be executed because no certificate will be stored in NV ram. The
+test will be skipped if no certificate is available.
+Fixes: #2558
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+ .../fapi-provisioning-with-template.int.c     | 40 ++++++++++++++++++-
+ 1 file changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/test/integration/fapi-provisioning-with-template.int.c b/test/integration/fapi-provisioning-with-template.int.c
+index 27f8e57..ddef2a8 100644
+--- a/test/integration/fapi-provisioning-with-template.int.c
++++ b/test/integration/fapi-provisioning-with-template.int.c
+@@ -4,6 +4,8 @@
+ #endif
+ 
+ #include <stdlib.h>
++#include <stdio.h>
++#include <unistd.h>
+ 
+ #include "tss2_esys.h"
+ #include "tss2_fapi.h"
+@@ -31,6 +33,39 @@
+  * @retval EXIT_SKIP
+  *
+  */
++static bool
++fapi_ek_certless()
++{
++    FILE *stream = NULL;
++    long config_size;
++    char *config = NULL;
++    char *fapi_config_file = getenv("TSS2_FAPICONF");
++
++    stream = fopen(fapi_config_file, "r");
++    if (!stream) {
++        LOG_ERROR("File %s does not exist", fapi_config_file);
++        return NULL;
++    }
++    fseek(stream, 0L, SEEK_END);
++    config_size = ftell(stream);
++    fclose(stream);
++    config = malloc(config_size + 1);
++    stream = fopen(fapi_config_file, "r");
++    ssize_t ret = read(fileno(stream), config, config_size);
++    if (ret != config_size) {
++        LOG_ERROR("IO error %s.", fapi_config_file);
++        return NULL;
++    }
++    config[config_size] = '\0';
++    if (strstr(config, "\"ek_cert_less\": \"yes\"") == NULL) {
++        SAFE_FREE(config);
++        return false;
++    } else {
++        SAFE_FREE(config);
++        return true;
++    }
++}
++
+ int
+ test_fapi_provision_template(FAPI_CONTEXT *context)
+ {
+@@ -148,6 +183,9 @@ test_fapi_provision_template(FAPI_CONTEXT *context)
+     TPM2B_AUTH auth = { .size = 0, .buffer = {} };
+     TPM2B_MAX_NV_BUFFER nv_data;
+ 
++    if (fapi_ek_certless())
++        return EXIT_SKIP;
++
+     if (strcmp(FAPI_PROFILE, "P_ECC") == 0) {
+         nv_template_idx = ecc_nv_template_idx;
+         nv_nonce_idx = ecc_nv_nonce_idx;
+@@ -166,7 +204,7 @@ test_fapi_provision_template(FAPI_CONTEXT *context)
+     r = Esys_Initialize(&esys_ctx, tcti, NULL);
+     goto_if_error(r, "Error Esys_Initialize", error);
+ 
+-     /*
++    /*
+      * Store template (marshaled TPMT_PUBLIC) in NV ram.
+      */
+     r = Tss2_MU_TPMT_PUBLIC_Marshal(&in_public, &nv_data.buffer[0],
+-- 
+2.43.0
+

backport-CVE-2023-22745.patch

@@ -1,139 +0,0 @@
-From 306490c8d848c367faa2d9df81f5e69dab46ffb5 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Thu, 19 Jan 2023 11:53:06 -0600
-Subject: [PATCH] tss2_rc: ensure layer number is in bounds
-
-The layer handler array was defined as 255, the max number of uint8,
-which is the size of the layer field, however valid values are 0-255
-allowing for 256 possibilities and thus the array was off by one and
-needed to be sized to 256 entries. Update the size and add tests.
-
-Note: previous implementations incorrectly dropped bits on unknown error
-output, ie TSS2_RC of 0xFFFFFF should yeild a string of 255:0xFFFFFF,
-but earlier implementations returned 255:0xFFFF, dropping the middle
-bits, this patch fixes that.
-
-Fixes: CVE-2023-22745
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/tss2-rc/tss2_rc.c    | 31 +++++++++++++++++++++----------
- test/unit/test_tss2_rc.c | 21 ++++++++++++++++++++-
- 2 files changed, 41 insertions(+), 11 deletions(-)
-
-diff --git a/src/tss2-rc/tss2_rc.c b/src/tss2-rc/tss2_rc.c
-index 15ced56..4e14659 100644
---- a/src/tss2-rc/tss2_rc.c
-+++ b/src/tss2-rc/tss2_rc.c
-@@ -1,5 +1,8 @@
- /* SPDX-License-Identifier: BSD-2-Clause */
--
-+#ifdef HAVE_CONFIG_H
-+#include "config.h"
-+#endif
-+#include <assert.h>
- #include <stdarg.h>
- #include <stdbool.h>
- #include <stdio.h>
-@@ -834,7 +837,7 @@ tss_err_handler (TSS2_RC rc)
- static struct {
-     char name[TSS2_ERR_LAYER_NAME_MAX];
-     TSS2_RC_HANDLER handler;
--} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT] = {
-+} layer_handler[TPM2_ERROR_TSS2_RC_LAYER_COUNT + 1] = {
-     ADD_HANDLER("tpm" , tpm2_ehandler),
-     ADD_NULL_HANDLER,                       /* layer 1  is unused */
-     ADD_NULL_HANDLER,                       /* layer 2  is unused */
-@@ -869,7 +872,7 @@ unknown_layer_handler(TSS2_RC rc)
-     static __thread char buf[32];
- 
-     clearbuf(buf);
--    catbuf(buf, "0x%X", tpm2_error_get(rc));
-+    catbuf(buf, "0x%X", rc);
- 
-     return buf;
- }
-@@ -966,19 +969,27 @@ Tss2_RC_Decode(TSS2_RC rc)
-         catbuf(buf, "%u:", layer);
-     }
- 
--    handler = !handler ? unknown_layer_handler : handler;
--
-     /*
-      * Handlers only need the error bits. This way they don't
-      * need to concern themselves with masking off the layer
-      * bits or anything else.
-      */
--    UINT16 err_bits = tpm2_error_get(rc);
--    const char *e = err_bits ? handler(err_bits) : "success";
--    if (e) {
--        catbuf(buf, "%s", e);
-+    if (handler) {
-+        UINT16 err_bits = tpm2_error_get(rc);
-+        const char *e = err_bits ? handler(err_bits) : "success";
-+        if (e) {
-+            catbuf(buf, "%s", e);
-+        } else {
-+            catbuf(buf, "0x%X", err_bits);
-+        }
-     } else {
--        catbuf(buf, "0x%X", err_bits);
-+        /*
-+         * we don't want to drop any bits if we don't know what to do with it
-+         * so drop the layer byte since we we already have that.
-+         */
-+        const char *e = unknown_layer_handler(rc >> 8);
-+        assert(e);
-+        catbuf(buf, "%s", e);
-     }
- 
-     return buf;
-diff --git a/test/unit/test_tss2_rc.c b/test/unit/test_tss2_rc.c
-index f4249b7..6d8428b 100644
---- a/test/unit/test_tss2_rc.c
-+++ b/test/unit/test_tss2_rc.c
-@@ -199,7 +199,7 @@ test_custom_handler(void **state)
-      * Test an unknown layer
-      */
-     e = Tss2_RC_Decode(rc);
--    assert_string_equal(e, "1:0x2A");
-+    assert_string_equal(e, "1:0x100");
- }
- 
- static void
-@@ -282,6 +282,23 @@ test_tcti(void **state)
-     assert_string_equal(e, "tcti:Fails to connect to next lower layer");
- }
- 
-+static void
-+test_all_FFs(void **state)
-+{
-+    (void) state;
-+
-+    const char *e = Tss2_RC_Decode(0xFFFFFFFF);
-+    assert_string_equal(e, "255:0xFFFFFF");
-+}
-+
-+static void
-+test_all_FFs_set_handler(void **state)
-+{
-+    (void) state;
-+    Tss2_RC_SetHandler(0xFF, "garbage", custom_err_handler);
-+    Tss2_RC_SetHandler(0xFF, NULL, NULL);
-+}
-+
- /* link required symbol, but tpm2_tool.c declares it AND main, which
-  * we have a main below for cmocka tests.
-  */
-@@ -313,6 +330,8 @@ main(int argc, char* argv[])
-             cmocka_unit_test(test_esys),
-             cmocka_unit_test(test_mu),
-             cmocka_unit_test(test_tcti),
-+            cmocka_unit_test(test_all_FFs),
-+            cmocka_unit_test(test_all_FFs_set_handler)
-     };
- 
-     return cmocka_run_group_tests(tests, NULL, NULL);
--- 
-2.27.0
-

backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch

@@ -0,0 +1,112 @@
+From 710cd0b6adf3a063f34a8e92da46df7a107d9a99 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Tue, 31 Oct 2023 11:08:41 +0100
+Subject: [PATCH] FAPI: Fix check of magic number in verify quote.
+
+After deserializing the quote info it was not checked whether
+the magic number in the attest is equal TPM2_GENERATED_VALUE.
+So an malicious attacker could generate arbitrary quote data
+which was not detected by Fapi_VerifyQuote.
+Now the number magic number is checket in verify quote and also
+in the deserialization of TPM2_GENERATED.
+The check is also added to the Unmarshal function for TPMS_ATTEST.
+
+Fixes: CVE-2024-29040
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
+---
+ src/tss2-fapi/api/Fapi_VerifyQuote.c |  5 +++++
+ src/tss2-fapi/tpm_json_deserialize.c | 11 +++++++++--
+ src/tss2-mu/tpms-types.c             | 23 ++++++++++++++++++++++-
+ 3 files changed, 36 insertions(+), 3 deletions(-)
+
+diff --git a/src/tss2-fapi/api/Fapi_VerifyQuote.c b/src/tss2-fapi/api/Fapi_VerifyQuote.c
+index 8a0e119c..50474c6b 100644
+--- a/src/tss2-fapi/api/Fapi_VerifyQuote.c
++++ b/src/tss2-fapi/api/Fapi_VerifyQuote.c
+@@ -289,6 +289,11 @@ Fapi_VerifyQuote_Finish(
+                                      &command->fapi_quote_info);
+             goto_if_error(r, "Get quote info.", error_cleanup);
+ 
++            if (command->fapi_quote_info.attest.magic != TPM2_GENERATED_VALUE) {
++                goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED,
++                           "Attest without TPM2 generated value", error_cleanup);
++            }
++
+             /* Verify the signature over the attest2b structure. */
+             r = ifapi_verify_signature_quote(&key_object,
+                                              command->signature,
+diff --git a/src/tss2-fapi/tpm_json_deserialize.c b/src/tss2-fapi/tpm_json_deserialize.c
+index 4c45458a..1b27a83f 100644
+--- a/src/tss2-fapi/tpm_json_deserialize.c
++++ b/src/tss2-fapi/tpm_json_deserialize.c
+@@ -698,6 +698,7 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
+     const char *s = json_object_get_string(jso);
+     const char *str = strip_prefix(s, "TPM_", "TPM2_", "GENERATED_", NULL);
+     LOG_TRACE("called for %s parsing %s", s, str);
++    TSS2_RC r;
+ 
+     if (str) {
+         for (size_t i = 0; i < sizeof(tab) / sizeof(tab[0]); i++) {
+@@ -707,8 +708,14 @@ ifapi_json_TPM2_GENERATED_deserialize(json_object *jso, TPM2_GENERATED *out)
+             }
+         }
+     }
+-
+-    return ifapi_json_UINT32_deserialize(jso, out);
++    r = ifapi_json_UINT32_deserialize(jso, out);
++    return_if_error(r, "Could not deserialize UINT32");
++    if (*out != TPM2_GENERATED_VALUE) {
++        return_error2(TSS2_FAPI_RC_BAD_VALUE,
++                      "Value %x not equal TPM self generated value %x",
++                      *out, TPM2_GENERATED_VALUE);
++    }
++    return TSS2_RC_SUCCESS;
+ }
+ 
+ /** Deserialize a TPM2_ALG_ID json object.
+diff --git a/src/tss2-mu/tpms-types.c b/src/tss2-mu/tpms-types.c
+index 3ad72520..56aca0c3 100644
+--- a/src/tss2-mu/tpms-types.c
++++ b/src/tss2-mu/tpms-types.c
+@@ -22,6 +22,27 @@
+ #define VAL
+ #define TAB_SIZE(tab) (sizeof(tab) / sizeof(tab[0]))
+ 
++static TSS2_RC
++TPM2_GENERATED_Unmarshal(
++    uint8_t const   buffer[],
++    size_t          buffer_size,
++    size_t         *offset,
++    TPM2_GENERATED *magic)
++{
++    TPM2_GENERATED mymagic = 0;
++    TSS2_RC rc = Tss2_MU_UINT32_Unmarshal(buffer, buffer_size, offset, &mymagic);
++    if (rc != TSS2_RC_SUCCESS) {
++        return rc;
++    }
++    if (mymagic != TPM2_GENERATED_VALUE) {
++        LOG_ERROR("Bad magic in tpms_attest");
++        return TSS2_SYS_RC_BAD_VALUE;
++    }
++    if (magic != NULL)
++        *magic = mymagic;
++    return TSS2_RC_SUCCESS;
++}
++
+ #define TPMS_PCR_MARSHAL(type, firstFieldMarshal) \
+ TSS2_RC \
+ Tss2_MU_##type##_Marshal(const type *src, uint8_t buffer[], \
+@@ -1219,7 +1240,7 @@ TPMS_MARSHAL_7_U(TPMS_ATTEST,
+                  attested, ADDR, Tss2_MU_TPMU_ATTEST_Marshal)
+ 
+ TPMS_UNMARSHAL_7_U(TPMS_ATTEST,
+-                   magic, Tss2_MU_UINT32_Unmarshal,
++                   magic, TPM2_GENERATED_Unmarshal,
+                    type, Tss2_MU_TPM2_ST_Unmarshal,
+                    qualifiedSigner, Tss2_MU_TPM2B_NAME_Unmarshal,
+                    extraData, Tss2_MU_TPM2B_DATA_Unmarshal,
+-- 
+2.33.0
+

tpm2-tss.spec

@@ -1,14 +1,15 @@
 Name:          tpm2-tss
-Version:       3.2.1
+Version:       4.0.1
-Release:       3
+Release:       4
 Summary:       TPM2.0 Software Stack
 License:       BSD
 URL:           https://github.com/tpm2-software/tpm2-tss
 Source0:       https://github.com/tpm2-software/tpm2-tss/releases/download/%{version}/%{name}-%{version}.tar.gz
 
-Patch1: backport-CVE-2023-22745.patch
+Patch0: 0001-FAPI-Skip-test-fapi-fix-provisioning-with-template-i.patch
+Patch1: backport-CVE-2024-29040-FAPI-Fix-check-of-magic-.patch
 
-BuildRequires: gcc-c++ autoconf-archive libtool pkgconfig systemd libgcrypt-devel openssl-devel doxygen json-c-devel libcurl-devel
+BuildRequires: gcc-c++ autoconf-archive libtool pkgconfig systemd libgcrypt-devel openssl-devel doxygen json-c-devel libcurl-devel util-linux-devel
 BuildRequires: curl >= 7.80.0 libcmocka-devel iproute uthash-devel swtpm
 
 %description
@@ -30,10 +31,14 @@ Obsoletes: %{name}-static
 %autosetup -n %{name}-%{version} -p1
 
 %build
+%if "%toolchain" == "clang"
+%configure --disable-static --disable-silent-rules --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=80- \
+           --with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir} 
+%else
 %configure --disable-static --disable-silent-rules --with-udevrulesdir=%{_udevrulesdir} --with-udevrulesprefix=80- \
            --with-runstatedir=%{_rundir} --with-tmpfilesdir=%{_tmpfilesdir} --with-sysusersdir=%{_sysusersdir} \
            --enable-unit --enable-integration
-
+%endif
 %make_build
 
 %install
@@ -73,6 +78,43 @@ make check
 %{_mandir}/man*/*
 
 %changelog
+* Tue Aug 27 2024 shenchenbang <1944340417@qq.com> - 4.0.1-4
+- Fix incorrect function definition
+
+* Fri May 10 2024 gengqihu <gengqihu2@h-partners.com> - 4.0.1-3
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2024-29040
+
+* Wed Apr 10 2024 wangxiaomeng <wangxiaomeng@kylinos.cn> - 4.0.1-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: Backport patch to fix check error
+
+* Tue Jan 23 2024 jinlun <jinlun@huawei.com> - 4.0.1-1
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:update version to 4.0.1
+  - Fix CVE-2023-22745
+  - TPM version 1.59 support
+  - libmu soname from 0:0:0 to 0:1:0.
+  - tss2-sys soname from 1:0:0 to 1:1:0
+  - FAPI ignores vendor properties on Fapi_GetInfo
+  - FAPI Event Logging JSON format
+  - Dead struct TPMS_ALGORITHM_DESCRIPTION
+  - Dead field intelPttProperty from TPMU_CAPABLITIES
+  - Dead code Tss2_MU_TPMS_ALGORITHM_DESCRIPTION_Marshal
+  - Dead code Tss2_MU_TPMS_ALGORITHM_DESCRIPTION_Unmarshal
+
+* Tue Jul 18 2023 jinlun <jinlun@huawei.com> - 3.2.2-1
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:update version to 3.2.2
+
 * Tue Mar 21 2023 jinlun <jinlun@huawei.com> - 3.2.1-3
 - Type:bugfix
 - ID:NA