Tags: strongX509/tpm2-tools
5.2 2021-09-28
* tpm2_nvextend:
  * Added option **-n**, **--name** to specify the name of the NV index in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_Extend command to the TPM.
* tpm2_nvread:
  * Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
  * Added option **-n**, **--name** to specify the name of the NV index in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_Read command to the TPM.
  * Added option **-S**, **--session** to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.
* tpm2_nvsetbits:
  * Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
  * Added option **-S**, **--session** to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.
  * Added option **-n**, **--name** to specify the name of the NV index in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_SetBits command to the TPM.
* tpm2_createprimary:
  * Support public-key output at creation time in various public-key formats.
* tpm2_create:
  * Support public-key output at creation time in various public-key formats.
* tpm2_print:
  * Support outputting the public key in various public-key formats instead of the default YAML output. Supports taking `-u` output from `tpm2_create` and converting it to PEM or DER file format.
* tpm2_import:
  * Add support for importing keys with sealed-data blobs.
* tpm2_rsaencrypt, tpm2_rsadecrypt:
  * Add support for specifying the hash algorithm with OAEP.
* tpm2_pcrread, tpm2_quote:
  * Add option **-F**, **--pcrs_format** to select the PCR format for the binary blob in the PCR output file. 'values' outputs a binary blob of the PCR values; 'serialized' outputs a binary blob of the PCR values in the form of a serialized data structure in little-endian format.
* tpm2_eventlog:
  * Add support for decoding StartupLocality.
  * Add support for printing the partition information.
  * Add support for reading event logs longer than 64 KB, including from /sys/kernel/security/tpm0/binary_bios_measurements.
* tpm2_duplicate:
  * Add option **-L**, **--policy** to specify an authorization policy to be associated with the duplicated object.
  * Added support for external key duplication without needing the TCTI.
* tools:
  * Enhance the error message on invalid passwords when sessions cannot be used.
* lib/tpm2_options:
  * Add an option to specify a fake TCTI, which is required where the SAPI context must be initialized to retrieve command parameters without invoking the TCTI to talk to the TPM.
* openssl:
  * Dropped support for OpenSSL < 1.1.0.
  * Add support for OpenSSL 3.0.0.
* Support added to make the repository documentation and man pages available live on readthedocs.
* Bug-fixes:
  * tpm2_import: Don't allow setting passwords for the imported object with the -p option, as the tool doesn't modify the TPM2B_SENSITIVE structure. Added appropriate logging to indicate that **tpm2_changeauth** should be used after import.
  * lib/tpm2_util.c: The function to determine the pHash algorithm returned an error when the input session is a password session and the only session in the command.
  * lib/tpm2_alg_util.c: Fix an error where OAEP was parsed under ECC.
  * tpm2_sign: Fix segfaults when the tool does not find TPM resources (TPM or RM).
  * tpm2_makecredential: Fix an issue where reading input from stdin could result in an unsupported data size larger than the largest digest size.
  * tpm2_loadexternal: Fix an issue where the restricted attribute could not be set.
  * lib/tpm2_nv_util.h: The NV index size depends on different data sets read from the GetCapability structures, because it depends on the NV operation type: Define vs Read vs Write vs Extend. Use a sane default when GetCapability fails or does not report the specific property/data set; this matters because some properties are TPM-implementation dependent.
  * tpm2_createpolicy: Fix an issue where the tool exited silently without reporting an error if a wrong PCR string is specified.
  * lib/tpm2_alg_util: Add an error message on public init to prevent tools from dying silently.
  * tpm2_import: Fix an issue where an imported HMAC object's scheme was NULL. While allowed, it was inconsistent with other tools like tpm2_create, which set the scheme to hmac->sha256 when generating a keyedhash object.
5.2-rc0 2021-09-01
* tpm2_nvextend:
  * Added option **-n**, **--name** to specify the name of the NV index in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_Extend command to the TPM.
* tpm2_nvread:
  * Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
  * Added option **-n**, **--name** to specify the name of the NV index in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_Read command to the TPM.
  * Added option **-S**, **--session** to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.
* tpm2_nvsetbits:
  * Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
  * Added option **-S**, **--session** to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.
  * Added option **-n**, **--name** to specify the name of the NV index in hex bytes. This is used when cpHash ought to be calculated without dispatching the TPM2_NV_SetBits command to the TPM.
* tpm2_createprimary:
  * Support public-key output at creation time in various public-key formats.
* tpm2_create:
  * Support public-key output at creation time in various public-key formats.
* tpm2_print:
  * Support outputting the public key in various public-key formats instead of the default YAML output. Supports taking `-u` output from `tpm2_create` and converting it to PEM or DER file format.
* tpm2_import:
  * Add support for importing keys with sealed-data blobs.
* tpm2_rsaencrypt, tpm2_rsadecrypt:
  * Add support for specifying the hash algorithm with OAEP.
* tpm2_pcrread, tpm2_quote:
  * Add option **-F**, **--pcrs_format** to select the PCR format for the binary blob in the PCR output file. 'values' outputs a binary blob of the PCR values; 'serialized' outputs a binary blob of the PCR values in the form of a serialized data structure in little-endian format.
* tpm2_eventlog:
  * Add support for decoding StartupLocality.
  * Add support for printing the partition information.
  * Add support for reading event logs longer than 64 KB, including from /sys/kernel/security/tpm0/binary_bios_measurements.
* tpm2_duplicate:
  * Add option **-L**, **--policy** to specify an authorization policy to be associated with the duplicated object.
  * Added support for external key duplication without needing the TCTI.
* tools:
  * Enhance the error message on invalid passwords when sessions cannot be used.
* lib/tpm2_options:
  * Add an option to specify a fake TCTI, which is required where the SAPI context must be initialized to retrieve command parameters without invoking the TCTI to talk to the TPM.
* openssl:
  * Dropped support for OpenSSL < 1.1.0.
  * Add support for OpenSSL 3.0.0.
* Support added to make the repository documentation and man pages available live on readthedocs.
* Bug-fixes:
  * tpm2_import: Don't allow setting passwords for the imported object with the -p option, as the tool doesn't modify the TPM2B_SENSITIVE structure. Added appropriate logging to indicate that **tpm2_changeauth** should be used after import.
  * lib/tpm2_util.c: The function to determine the pHash algorithm returned an error when the input session is a password session and the only session in the command.
  * lib/tpm2_alg_util.c: Fix an error where OAEP was parsed under ECC.
  * tpm2_sign: Fix segfaults when the tool does not find TPM resources (TPM or RM).
  * tpm2_makecredential: Fix an issue where reading input from stdin could result in an unsupported data size larger than the largest digest size.
  * tpm2_loadexternal: Fix an issue where the restricted attribute could not be set.
  * lib/tpm2_nv_util.h: The NV index size depends on different data sets read from the GetCapability structures, because it depends on the NV operation type: Define vs Read vs Write vs Extend. Use a sane default when GetCapability fails or does not report the specific property/data set; this matters because some properties are TPM-implementation dependent.
  * tpm2_createpolicy: Fix an issue where the tool exited silently without reporting an error if a wrong PCR string is specified.
  * lib/tpm2_alg_util: Add an error message on public init to prevent tools from dying silently.
  * tpm2_import: Fix an issue where an imported HMAC object's scheme was NULL. While allowed, it was inconsistent with other tools like tpm2_create, which set the scheme to hmac->sha256 when generating a keyedhash object.
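As an added illustration (not tpm2-tools code) of what the `--name` option in the 5.2 and 5.2-rc0 notes enables, the following Python computes the cpHash of TPM2_NV_Extend, TPM2_NV_SetBits and TPM2_NV_Read offline from the NV index Name, without dispatching the command to a TPM. The sample Name is constructed; the command codes, Name rules and parameter layouts follow the TPM 2.0 Library specification.

```python
import hashlib
import struct

# TPM 2.0 command codes (TPM_CC_*) of the three NV commands whose tools gained --name.
TPM_CC_NV_SETBITS = 0x135
TPM_CC_NV_EXTEND = 0x136
TPM_CC_NV_READ = 0x14E
TPM_RH_OWNER = 0x40000001  # permanent handle; its Name is the 4-byte handle value itself

def tpm2b(data: bytes) -> bytes:
    """Marshal a TPM2B buffer: UINT16 big-endian size followed by the bytes."""
    if len(data) > 0xFFFF:
        raise ValueError("TPM2B payload too large")
    return struct.pack(">H", len(data)) + data

def handle_name(handle: int) -> bytes:
    """Name of a permanent handle such as TPM_RH_OWNER (it has no public area to hash)."""
    return struct.pack(">I", handle)

def cphash(command_code: int, names: list, params: bytes, alg: str = "sha256") -> bytes:
    """cpHash := H(commandCode || Name1 || ... || NameN || marshalled parameters).

    'names' are the Names of the handle-area entries in order; 'alg' is the hash
    algorithm of the session the cpHash is meant for, so it must match that session.
    """
    h = hashlib.new(alg)
    h.update(struct.pack(">I", command_code))
    for name in names:
        h.update(name)
    h.update(params)
    return h.digest()

# Each command below has handles (authHandle, nvIndex). When the index authorizes
# itself, the usual case with --name, both Names are the NV index Name; pass
# auth_name=handle_name(TPM_RH_OWNER) when the owner hierarchy authorizes instead.
def cphash_nv_extend(nv_name: bytes, data: bytes, auth_name=None, alg="sha256") -> bytes:
    # TPM2_NV_Extend parameter area: data (TPM2B_MAX_NV_BUFFER)
    return cphash(TPM_CC_NV_EXTEND, [auth_name or nv_name, nv_name], tpm2b(data), alg)

def cphash_nv_setbits(nv_name: bytes, bits: int, auth_name=None, alg="sha256") -> bytes:
    # TPM2_NV_SetBits parameter area: bits (UINT64)
    return cphash(TPM_CC_NV_SETBITS, [auth_name or nv_name, nv_name], struct.pack(">Q", bits), alg)

def cphash_nv_read(nv_name: bytes, size: int, offset: int, auth_name=None, alg="sha256") -> bytes:
    # TPM2_NV_Read parameter area: size (UINT16), offset (UINT16)
    return cphash(TPM_CC_NV_READ, [auth_name or nv_name, nv_name], struct.pack(">HH", size, offset), alg)

# Constructed sample Name: nameAlg TPM_ALG_SHA256 (0x000B) || 32-byte digest of the
# marshalled NV public area. A real Name is the one the TPM reports for the index.
SAMPLE_NV_NAME = bytes.fromhex("000b" + "11" * 32)
```

The digest returned is what a PolicyCpHash or audit check on the TPM side would be compared against; a mismatch in the Name, the session hash algorithm or a single parameter byte yields a different value.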
5.1.1 2021-06-21
* tpm2_import: fix fixed AES key (CVE-2021-3565). tpm2_import used a fixed AES key for the inner wrapper, which means that a MITM attack would be able to unwrap the imported key. To fix this, ensure the key size is 16 bytes or bigger and use OpenSSL to generate a secure random AES key.
4.3.2 2021-06-21
* tpm2_import: fix fixed AES key (CVE-2021-3565). tpm2_import used a fixed AES key for the inner wrapper, which means that a MITM attack would be able to unwrap the imported key. To fix this, ensure the key size is 16 bytes or bigger and use OpenSSL to generate a secure random AES key.
5.1.1-rc0 2021-05-28
* tpm2_import: fix fixed AES key (CVE-2021-3565). tpm2_import used a fixed AES key for the inner wrapper, which means that a MITM attack would be able to unwrap the imported key. To fix this, ensure the key size is 16 bytes or bigger and use OpenSSL to generate a secure random AES key.
4.3.2-rc0 2021-06-02
* tpm2_import: fix fixed AES key (CVE-2021-3565). tpm2_import used a fixed AES key for the inner wrapper, which means that a MITM attack would be able to unwrap the imported key. To fix this, ensure the key size is 16 bytes or bigger and use OpenSSL to generate a secure random AES key.
5.1 2021-05-24
* Build
  - Dependency-update: Minimum tpm2-tss version dependency bumped to 3.1.0
  - Dependency-update: Minimum tpm2-abrmd version dependency bumped to 2.4.0
  - tpm2_eventlog: Fix build errors on 64-bit ARM systems.
  - tpm2_checkquote: Fix build on 32-bit little-endian platforms.
  - Fix builds on CentOS 7, which notably has an ancient version of GCC (4.8.5) and an older version of OpenSSL (1.0.2).
  - Configure handles searching for the python executable more gracefully, so having just python3 will work.
  - Moved to GitHub Actions for CI testing.
  - Added fedora-32 to CI testing configurations and related fixes.
  - FreeBSD testing is bumped up to version 12.2
  - Fix compiler and packaging warnings for OpenSuse builds.
  - configure: make build gnu99.
  - configure: make -Wbool-compare non-fatal.
  - configure: only use -Werror for non-release builds
* tss2:
  - Support in tools for PolicyRef inclusion in policy search per latest TSS.
  - Support to use TPM objects protected by a policy with PolicySigned.
  - Enable backward compatibility to the old Fapi callback API.
  - Fix PCR selection for tss2 quote.
  - Support policy-signed policies by implementing Fapi_SetSignCB.
* Command/response parameter support for auditing and pHash policies:
  - lib/tpm2_util.c: Add method to determine the hashing alg for cpHash/rpHash
  - Add support to calculate rpHash for tpm2_create, tpm2_activatecredential, tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal
  - Add support to calculate cpHash for tpm2_changeeps, tpm2_changepps.
* Session-support:
  - tpm2_sessionconfig: Add tool to display and configure session attributes.
  - tpm2_getrandom: Fix: session input was hardcoded for audit-only.
  - tpm2_startauthsession: Add option to specify the bind object and its authorization value.
  - tpm2_startauthsession: support for bound-only session.
  - tpm2_startauthsession: support for salted-only session.
  - tpm2_startauthsession: add option to specify an HMAC session type.
  - Add support for specifying non-authorization sessions for audit and parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend, tpm2_nvdefine, tpm2_unseal, tpm2_activatecredential, tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps.
* tpm2_eventlog:
  - Support for event type EV_IPL, used extensively by Shim and GRUB.
  - Support for event type EV_EFI_GPT_EVENT: parse UEFI_PARTITION_TABLE_HEADER and UEFI_PARTITION_ENTRY.
  - Support for event type EFI_SIGNATURE_LIST, which contains one or more EFI_SIGNATURE_DATA.
  - Support for event type EV_EFI_VARIABLE_AUTHORITY.
  - Parse the UEFI_PLATFORM_FIRMWARE_BLOB structure that the CRTM MUST put into the Event Log entry TCG_PCR_EVENT2.event field for event types EV_POST_CODE, EV_S_CRTM_CONTENTS, and EV_EFI_PLATFORM_FIRMWARE_BLOB.
  - Parse the SecureBoot variable to indicate enabled as 'Yes'.
  - Parse the BootOrder variable into a more readable format.
  - Parse Boot variables per EFI_LOAD_OPTION, described in more detail in UEFI Spec Section 3.1.3
  - Parse device paths in a readable format using the efivar library.
  - Support for logs longer than 64 kilobytes.
  - Perform verification for event types where the digest can be verified from the event payload.
  - Better support for multiline strings.
  - Fix handling of event log EV_POST_CODE data where the field is empty and a length is specified.
* scripts/utils: Add a utility to read the cert chain of the embedded CA.
* tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP 404.
* tpm2_nvdefine: allow setting the hash algorithm by command line parameter for NV indices set in extend mode.
* tpm2_duplicate, tpm2_import: support duplicating non-TPM keys to a remote TPM without first requiring them to be loaded into a local TPM.
* tpm2_dictionarylockout: Fix issue where setting the value for one parameter caused the others to reset.
* tpm2_getpolicydigest: Add new tool to enable TPM2_CC_PolicyGetDigest.
* Fix segfault where optind > argc.
* tools/tpm2_checkquote: fix missing initializer
* tpm2_convert: fix EVP_EncodeUpdate usage for OSSL < 1.1.0
* openssl: fix EVP_ENCODE_CTX_(new|free)
* test: Add support for the swTPM simulator to the testing framework and make it the default if mssim isn't available.
* tpm2_unseal:
  - Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
* tpm2_nvextend:
  - Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
* tpm2_nvdefine:
  - Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
* tpm2_changepps:
  - Added option **--cphash**=_FILE_ to specify the file path to record the hash of the command parameters. This is commonly termed cpHash.
  - Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
  - Added option **-S**, **--session** to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.
* tpm2_changeeps:
  - Added option **--cphash**=_FILE_ to specify the file path to record the hash of the command parameters. This is commonly termed cpHash.
  - Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
  - Added option **-S**, **--session** to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.
* tpm2_changeauth:
  - Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
  - Added option **-S**, **--session** to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.
* tpm2_certifycreation:
  - Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
  - Added option **-S**, **--session** to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.
* tpm2_certify:
  - Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
  - Added option **-S**, **--session** to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.
* tpm2_activatecredential:
  - Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
  - Added option **-S**, **--session** to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.
* tpm2_create:
  - Added option **--rphash**=_FILE_ to specify the file path to record the hash of the response parameters. This is commonly termed rpHash.
* tpm2_unseal:
  - Added option **-S**, **--session** to specify auxiliary sessions for audit and encryption.
* tpm2_nvdefine:
  - Added option **-S**, **--session** to specify auxiliary sessions for audit and encryption.
* tpm2_nvextend:
  - Added option **-S**, **--session** to specify auxiliary sessions for audit and encryption.
4.3.1 2021-05-18
* tpm2_dictionarylockout: Fix issue where setting one value reset the others.
* tpm2_create.c: Fix an issue where the userwithauth attribute was cleared if a policy was specified.
* tss2_quote: Tool now correctly supports quoting against a list of passed PCR registers.
* Fix the fapi-branch-select integration test to correctly use the PolicyRef parameter (triggered by a recent bug-fix in tpm2-tss).
* Fix an outdated parameter in the fapi-provision integration test.
* tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP 404.
4.3.1-rc0 2021-05-03
* tpm2_dictionarylockout: Fix issue where setting one value reset the others.
* tpm2_create.c: Fix an issue where the userwithauth attribute was cleared if a policy was specified.
* tss2_quote: Tool now correctly supports quoting against a list of passed PCR registers.
* Fix the fapi-branch-select integration test to correctly use the PolicyRef parameter (triggered by a recent bug-fix in tpm2-tss).
* Fix an outdated parameter in the fapi-provision integration test.
* tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP 404.