meta-security: subtree update:787ba6faea..d6baccc068

Armin Kuster (20):
      trousers: update to tip
      upload-error-report: add script to upload errors
      kas/kas-security-base.yml: lets enable error reporting
      .gitlab: send error reports
      cryptsetup-tpm-incubator: drop recipe
      sssd: Avoid nss function conflicts with glibc nss.h
      cryptsetup-tpm-incubator: remove reference from other files
      packagegroup-core-security: dont include suricata on riscv or ppc
      kas-security-base: add testimage
      kas: add test config
      kas: add one dm-verify image build
      gitlab-ci: add dm-verify-image
      gitlab-ci: add testimage
      meta-harden: Add a layer to demo harding OE/YP
      kas-security-base: define sections as base
      packagegroup-core-security: add more pkgs to base group
      apparmor: exclude mips64, not supported
      kas: add alt and mutli build images
      kas-security-base: set RPM and disable ptest
      qemu test: set ptest

Charlie Davies (1):
      clamav: update SO_VER to 9.0.4

Jens Rehsack (2):
      ibmswtpm2: update to 1637
      ibmtpm2tss: add recipe

Jonatan Pålsson (1):
      sssd: Make manpages buildable

Qi.Chen@windriver.com (1):
      nss: update patch to fix do_patch error

Zheng Ruoqin (1):
      trousers: Fix the problem that do_package fails when multilib is enabled.

niko.mauno@vaisala.com (12):
      dm-verity-img.bbclass: Fix bashisms
      dm-verity-img.bbclass: Reorder parse-time check
      dm-verity-image-initramfs: Ensure verity hash sync
      dm-verity-image-initramfs: Bind at do_image instead
      linux-yocto(-dev): Add dm-verity fragment as needed
      dm-verity-img.bbclass: Stage verity.env file
      initramfs-framework: Add dmverity module
      dm-verity-image-initramfs: Use initramfs-framework
      dm-verity-initramfs-image: Cosmetic improvements
      dm-verity-image-initramfs: Add base-passwd package
      dm-verity-image-initramfs: Drop locales from image
      beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I9f2debc1f48092734569fd106b56cd7bcb6180b7

13 files changed, 271 insertions, 214 deletions

diff --git a/meta-security/meta-tpm/conf/distro/include/maintainers.inc b/meta-security/meta-tpm/conf/distro/include/maintainers.inc
index 74c1a1812..dcf53d0cc 100644
--- a/meta-security/meta-tpm/conf/distro/include/maintainers.inc
+++ b/meta-security/meta-tpm/conf/distro/include/maintainers.inc
@@ -33,7 +33,6 @@ RECIPE_MAINTAINER_pn-tpm2-tcti-uefi = "Armin Kuster <akuster808@gmail.com>"
 RECIPE_MAINTAINER_pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>"
 RECIPE_MAINTAINER_pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>"
 RECIPE_MAINTAINER_pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-cryptsetup-tpm-incubator = "Armin Kuster <akuster808@gmail.com>"
 RECIPE_MAINTAINER_pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>"
 RECIPE_MAINTAINER_pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>"
 
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index a553a63d8..8b6f03023 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -7,7 +7,6 @@ inherit packagegroup
 
 PACKAGES = "${PN}"
 
-PREFERRED_PROVIDER_cryptsetup ?= "cryptsetup-tpm-incubator"
 SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support"
 RDEPENDS_packagegroup-security-tpm2 = " \
     tpm2-tools \
@@ -20,5 +19,4 @@ RDEPENDS_packagegroup-security-tpm2 = " \
     tpm2-abrmd \
     tpm2-pkcs11 \
     ibmswtpm2 \
-    ${PREFERRED_PROVIDER_cryptsetup} \
     "
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
deleted file mode 100644
index 72c81d11a..000000000
--- a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
-From: Matthias Gerstner <mgerstner@suse.de>
-Date: Fri, 14 Aug 2020 22:14:36 -0700
-Subject: [PATCH] Correct multiple security issues that are present if the tcsd
- is started by root instead of the tss user.
-
-Patch fixes the following 3 CVEs:
-
-CVE-2020-24332
-If the tcsd daemon is started with root privileges,
-the creation of the system.data file is prone to symlink attacks
-
-CVE-2020-24330
-If the tcsd daemon is started with root privileges,
-it fails to drop the root gid after it is no longer needed
-
-CVE-2020-24331
-If the tcsd daemon is started with root privileges,
-the tss user has read and write access to the /etc/tcsd.conf file
-
-Authored-by: Matthias Gerstner <mgerstner@suse.de>
-Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
-
-Upstream-Status: Backport
-CVE: CVE-2020-24332
-CVE: CVE-2020-24330
-CVE: CVE-2020-24331
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- src/tcs/ps/tcsps.c   |  2 +-
- src/tcsd/svrside.c   |  1 +
- src/tcsd/tcsd_conf.c | 10 +++++-----
- 3 files changed, 7 insertions(+), 6 deletions(-)
-
-Index: git/src/tcs/ps/tcsps.c
-===================================================================
---- git.orig/src/tcs/ps/tcsps.c
-+++ git/src/tcs/ps/tcsps.c
-@@ -72,7 +72,7 @@ get_file()
- 	}
- 
- 	/* open and lock the file */
--	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
-+	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
- 	if (system_ps_fd < 0) {
- 		LogError("system PS: open() of %s failed: %s",
- 				tcsd_options.system_ps_file, strerror(errno));
-Index: git/src/tcsd/svrside.c
-===================================================================
---- git.orig/src/tcsd/svrside.c
-+++ git/src/tcsd/svrside.c
-@@ -473,6 +473,7 @@ main(int argc, char **argv)
- 		}
- 		return TCSERR(TSS_E_INTERNAL_ERROR);
- 	}
-+	setgid(pwd->pw_gid);
- 	setuid(pwd->pw_uid);
- #endif
- #endif
-Index: git/src/tcsd/tcsd_conf.c
-===================================================================
---- git.orig/src/tcsd/tcsd_conf.c
-+++ git/src/tcsd/tcsd_conf.c
-@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
- #ifndef SOLARIS
- 	struct group *grp;
- 	struct passwd *pw;
--	mode_t mode = (S_IRUSR|S_IWUSR);
-+	mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
- #endif /* SOLARIS */
- 	TSS_RESULT result;
- 
-@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
- 	}
- 
- 	/* make sure user/group TSS owns the conf file */
--	if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
-+	if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
- 		LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
--				TSS_USER_NAME, TSS_GROUP_NAME);
-+				"root", TSS_GROUP_NAME);
- 		return TCSERR(TSS_E_INTERNAL_ERROR);
- 	}
- 
--	/* make sure only the tss user can manipulate the config file */
-+	/* make sure only the tss user can read (but not manipulate) the config file */
- 	if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
--		LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
-+		LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
- 		return TCSERR(TSS_E_INTERNAL_ERROR);
- 	}
- #endif /* SOLARIS */
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
index 95e821bfa..27b4e2f51 100644
--- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -6,7 +6,7 @@ SECTION = "security/tpm"
 
 DEPENDS = "openssl"
 
-SRCREV = "4b9a70d5789b0b74f43957a6c19ab2156a72d3e0"
+SRCREV = "e74dd1d96753b0538192143adf58d04fcd3b242b"
 PV = "0.3.14+git${SRCPV}"
 
 SRC_URI = " \
@@ -16,7 +16,6 @@ SRC_URI = " \
     	file://tcsd.service \
         file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
         file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
-        file://0001-Correct-multiple-security-issues-that-are-present-if.patch \
     	"
 
 S = "${WORKDIR}/git"
@@ -105,6 +104,8 @@ FILES_${PN}-doc = " \
 	${mandir}/man8 \
 	"
 
+FILES_${PN} += "${systemd_unitdir}/*" 
+
 INITSCRIPT_NAME = "trousers"
 INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
 
diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
deleted file mode 100644
index 261716235..000000000
--- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
+++ /dev/null
@@ -1,47 +0,0 @@
-SUMMARY = "An extension to cryptsetup/LUKS that enables use of the TPM 2.0 via tpm2-tss"
-DESCRIPTION = "Cryptsetup is utility used to conveniently setup disk encryption based on DMCrypt kernel module."
-
-SECTION = "security/tpm"
-LICENSE = "LGPL-2.1 | GPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326 \
-                    file://COPYING.LGPL;md5=1960515788100ce5f9c98ea78a65dc52 \
-                    "
-
-DEPENDS = "autoconf-archive pkgconfig gettext libtss2-dev libdevmapper popt libgcrypt json-c"
-
-SRC_URI = "git://github.com/AndreasFuchsSIT/cryptsetup-tpm-incubator.git;branch=luks2tpm \
-           file://configure_fix.patch "
-
-SRCREV = "15c283195f19f1d980e39ba45448683d5e383179"
-
-S = "${WORKDIR}/git"
-
-inherit autotools pkgconfig gettext
-
-PACKAGECONFIG ??= "openssl"
-PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
-PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
-
-EXTRA_OECONF = "--enable-static"
-
-RRECOMMENDS_${PN} = "kernel-module-aes-generic \
-                     kernel-module-dm-crypt \
-                     kernel-module-md5 \
-                     kernel-module-cbc \
-                     kernel-module-sha256-generic \
-                     kernel-module-xts \
-                    "
-
-FILES_${PN} += "${libdir}/tmpfiles.d"
-RDEPENDS_${PN} += "lvm2 libdevmapper"
-RRECOMMENDS_${PN} += "lvm2-udevrules"
-
-RPROVIDES_${PN} = "cryptsetup"
-RREPLACES_${PN} = "cryptsetup"
-RCONFLICTS_${PN}  ="cryptsetup"
-
-RPROVIDES_${PN}-dev = "cryptsetup-dev"
-RREPLACES_${PN}-dev = "cryptsetup-dev"
-RCONFLICTS_${PN}-dev  ="cryptsetup-dev"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch
deleted file mode 100644
index 8c7b6da41..000000000
--- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Upstream-Status: OE specific
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: git/configure.ac
-===================================================================
---- git.orig/configure.ac
-+++ git/configure.ac
-@@ -16,7 +16,7 @@ AC_CONFIG_HEADERS([config.h:config.h.in]
- 
- # For old automake use this
- #AM_INIT_AUTOMAKE(dist-xz subdir-objects)
--AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects])
-+AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects foreign])
- 
- if test "x$prefix" = "xNONE"; then
- 	sysconfdir=/etc
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
new file mode 100644
index 000000000..f2938e0e0
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
@@ -0,0 +1,27 @@
+Fix strict aliasing issue of gcc10
+
+fixes:
+
+TpmFail.c: In function 'TpmLogFailure':
+TpmFail.c:217:23: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing]
+  217 |     s_failFunction = *(UINT32 *)&function; /* kgold */
+      |                       ^~~~~~~~~~~~~~~~~~~
+cc1: all warnings being treated as errors
+
+Upstream-Status: Submitted
+
+Signed-off-by: Jens Rehsack <sno@NetBSD.org>
+
+Index: src/TpmFail.c
+===================================================================
+--- src.orig/TpmFail.c	2020-09-10 15:43:57.085063875 +0200
++++ src/TpmFail.c	2020-09-10 15:48:35.563302634 +0200
+@@ -214,7 +214,7 @@
+     // On a 64-bit machine, this may truncate the address of the string
+     // of the function name where the error occurred.
+ #if FAIL_TRACE
+-    s_failFunction = *(UINT32 *)&function;	/* kgold */
++    memcpy(&s_failFunction, function, sizeof(uint32_t));	/* kgold */
+     s_failLine = line;
+ #else
+     s_failFunction = 0;
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch
deleted file mode 100644
index 2919e2e54..000000000
--- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Allow recipe to overide optimization.
-
-fixes:
-
-397 | #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
-|       |    ^~~~~~~
-| cc1: all warnings being treated as errors
-
-
-Upstream-Status: OE specific
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: src/makefile
-===================================================================
---- src.orig/makefile
-+++ src/makefile
-@@ -43,7 +43,7 @@ CC = /usr/bin/gcc
- CCFLAGS = -Wall  			\
- 	-Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
- 	-Werror -Wsign-compare \
--	 -c -ggdb -O0 			\
-+	 -c -ggdb -O 			\
- 	-DTPM_POSIX			\
- 	-D_POSIX_			\
- 	-DTPM_NUVOTON
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch
new file mode 100644
index 000000000..eebddb9e7
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch
@@ -0,0 +1,50 @@
+1) Allow recipe to overide optimization.
+
+fixes:
+
+397 | #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
+|       |    ^~~~~~~
+| cc1: all warnings being treated as errors
+
+2) Allow recipe to override OE related compile-/link-flags
+
+fixes:
+
+ERROR: QA Issue: File /usr/bin/tpm_server in package ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags]
+
+Upstream-Status: OE specific
+
+Signed-off-by: Jens Rehsack <sno@NetBSD.org>
+
+Index: src/makefile
+===================================================================
+--- src.orig/makefile
++++ src/makefile
+@@ -38,12 +38,10 @@
+ #################################################################################
+ 
+ 
+-CC = /usr/bin/gcc
+-
+ CCFLAGS = -Wall  			\
+ 	-Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
+ 	-Werror -Wsign-compare \
+-	 -c -ggdb -O0 			\
++	 -c -ggdb -O 			\
+ 	-DTPM_POSIX			\
+ 	-D_POSIX_			\
+ 	-DTPM_NUVOTON
+@@ -79,11 +77,11 @@
+ .PRECIOUS:	%.o
+ 
+ tpm_server:	$(OBJFILES)
+-		$(CC) $(OBJFILES) $(LNFLAGS) -o tpm_server
++		$(CCLD) $(OBJFILES) $(LDFLAGS) $(LNFLAGS) -o tpm_server
+ 
+ clean:		
+ 		rm -f *.o tpm_server *~
+ 
+ %.o:		%.c
+-		$(CC) $(CCFLAGS) $< -o $@
++		$(CC) $(CCFLAGS) $(CFLAGS) $< -o $@
+ 
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb
deleted file mode 100644
index 3373a307f..000000000
--- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb
+++ /dev/null
@@ -1,26 +0,0 @@
-SUMMARY = "IBM's Software TPM 2.0"
-LICENSE = "BSD"
-SECTION = "securty/tpm"
-LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
-
-DEPENDS = "openssl"
-
-SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \
-           file://remove_optimization.patch \
-           "
-SRC_URI[md5sum] = "bfd3eca2411915f24de628b9ec36f259"
-SRC_URI[sha256sum] = "a8e874e7a1ae13a1290d7679d846281f72d0eb6a5e4cfbafca5297dbf4e29ea3"
-SRC_URI[sha1sum] = "7c8241a4e97a801eace9f0eea8cdda7c58114f7f"
-SRC_URI[sha384sum] = "eec25cc8ba0e3cb27d41ba4fa4c71d8158699953ccb61bb6d440236dcbd8f52b6954eaae9d640a713186e0b99311fd91"
-SRC_URI[sha512sum] = "ab47caa4406ba57c0afc6fadae304fc9ef5e3e125be0f2fb1955a419cf93cd5e9176e103f0b566825abc16cca00b795f98d2b407f0a2bf7b141ef4b025d907d0"
-
-S = "${WORKDIR}/src"
-
-do_compile () {
-   make CC='${CC}'
-}
-
-do_install () {
-   install -d ${D}/${bindir}
-   install -m 0755 tpm_server  ${D}/${bindir}
-}
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb
new file mode 100644
index 000000000..32afd377d
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb
@@ -0,0 +1,39 @@
+SUMMARY = "IBM's Software TPM 2.0"
+DESCRIPTION = "The software TPM 2.0 is targeted toward application development, \
+education, and virtualization. \
+\
+The intent is that an application can be developed using the software TPM. \
+The application should then run using a hardware TPM without changes. \
+Advantages of this approach: \
+* In contrast to a hardware TPM, it runs on many platforms and it's generally faster. \
+* Application software errors are easily reversed by simply removing the TPM state and starting over. \
+* Difficult crypto errors are quickly debugged by looking inside the TPM."
+HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmswtpm2.html"
+LICENSE = "BSD"
+SECTION = "securty/tpm"
+LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
+
+DEPENDS = "openssl"
+
+SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \
+           file://tune-makefile.patch \
+           file://fix-wrong-cast.patch \
+           "
+SRC_URI[md5sum] = "43b217d87056e9155633925eb6ef749c"
+SRC_URI[sha256sum] = "dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327"
+SRC_URI[sha1sum] = "ab4b94079e57a86996991e8a2b749ce063e4ad3e"
+SRC_URI[sha384sum] = "bbef16a934853ce78cba7ddc766aa9d7ef3cde3430a322b1be772bf3ad4bd6d413ae9c4de21bc1a4879d17dfe2aadc1d"
+SRC_URI[sha512sum] = "007aa415cccf19a2bcf789c426727dc4032dcb04cc9d11eedc231d2add708c1134d3d5ee5cfbe7de68307c95fff7a30bd306fbd8d53c198a5ef348440440a6ed"
+
+S = "${WORKDIR}/src"
+
+CFLAGS += "-Wno-error=maybe-uninitialized"
+
+do_compile () {
+   make CC='${CC}'
+}
+
+do_install () {
+   install -d ${D}/${bindir}
+   install -m 0755 tpm_server  ${D}/${bindir}
+}
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch
new file mode 100644
index 000000000..8b13fb66c
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch
@@ -0,0 +1,125 @@
+From 26091b7830d84a12308442b238652ee9475d407b Mon Sep 17 00:00:00 2001
+From: Jens Rehsack <sno@netbsd.org>
+Date: Fri, 11 Sep 2020 07:46:41 +0200
+Subject: [PATCH] utils{,12}/Makefile.am: expand wildcards in prereqs
+
+Expand wildcards of required sources to avoid errors like:
+make[2]: *** No rule to make target 'man/man1/*.1', needed by 'all-am'.  Stop.
+make[2]: *** Waiting for unfinished jobs....
+
+Upstream-Status: Submitted
+
+Signed-off-by: Jens Rehsack <sno@netbsd.org>
+---
+ utils/Makefile.am   | 75 +++++++++++++++++++++++++++++++++++++++++++--
+ utils12/Makefile.am |  8 ++++-
+ 2 files changed, 79 insertions(+), 4 deletions(-)
+
+diff --git a/utils/Makefile.am b/utils/Makefile.am
+index 1e51fe3..170a26e 100644
+--- a/utils/Makefile.am
++++ b/utils/Makefile.am
+@@ -81,9 +81,78 @@ libibmtssutils_la_LIBADD = libibmtss.la $(LIBCRYPTO_LIBS)
+ 
+ noinst_HEADERS = CommandAttributes.h imalib.h tssdev.h ntc2lib.h tssntc.h Commands_fp.h objecttemplates.h tssproperties.h cryptoutils.h Platform.h tssauth.h tsssocket.h ekutils.h eventlib.h tssccattributes.h
+ # install every header in ibmtss
+-nobase_include_HEADERS = ibmtss/*.h
+-
+-notrans_man_MANS = man/man1/*.1
++nobase_include_HEADERS = ibmtss/ActivateCredential_fp.h ibmtss/ActivateIdentity_fp.h ibmtss/BaseTypes.h \
++	ibmtss/CertifyCreation_fp.h ibmtss/Certify_fp.h ibmtss/CertifyX509_fp.h ibmtss/ChangeEPS_fp.h \
++	ibmtss/ChangePPS_fp.h ibmtss/ClearControl_fp.h ibmtss/Clear_fp.h ibmtss/ClockRateAdjust_fp.h \
++	ibmtss/ClockSet_fp.h ibmtss/Commit_fp.h ibmtss/ContextLoad_fp.h ibmtss/ContextSave_fp.h \
++	ibmtss/CreateEndorsementKeyPair_fp.h ibmtss/Create_fp.h ibmtss/CreateLoaded_fp.h \
++	ibmtss/CreatePrimary_fp.h ibmtss/CreateWrapKey_fp.h ibmtss/DictionaryAttackLockReset_fp.h \
++	ibmtss/DictionaryAttackParameters_fp.h ibmtss/Duplicate_fp.h ibmtss/ECC_Parameters_fp.h \
++	ibmtss/ECDH_KeyGen_fp.h ibmtss/ECDH_ZGen_fp.h ibmtss/EC_Ephemeral_fp.h ibmtss/EncryptDecrypt2_fp.h \
++	ibmtss/EncryptDecrypt_fp.h ibmtss/EventSequenceComplete_fp.h ibmtss/EvictControl_fp.h ibmtss/Extend_fp.h \
++	ibmtss/FlushContext_fp.h ibmtss/FlushSpecific_fp.h ibmtss/GetCapability12_fp.h ibmtss/GetCapability_fp.h \
++	ibmtss/GetCommandAuditDigest_fp.h ibmtss/GetRandom_fp.h ibmtss/GetSessionAuditDigest_fp.h \
++	ibmtss/GetTestResult_fp.h ibmtss/GetTime_fp.h ibmtss/Hash_fp.h ibmtss/HashSequenceStart_fp.h \
++	ibmtss/HierarchyChangeAuth_fp.h ibmtss/HierarchyControl_fp.h ibmtss/HMAC_fp.h ibmtss/HMAC_Start_fp.h \
++	ibmtss/Implementation.h ibmtss/Import_fp.h ibmtss/IncrementalSelfTest_fp.h ibmtss/LoadExternal_fp.h \
++	ibmtss/Load_fp.h ibmtss/LoadKey2_fp.h ibmtss/MakeCredential_fp.h ibmtss/MakeIdentity_fp.h ibmtss/NTC_fp.h \
++	ibmtss/NV_Certify_fp.h ibmtss/NV_ChangeAuth_fp.h ibmtss/NV_DefineSpace12_fp.h ibmtss/NV_DefineSpace_fp.h \
++	ibmtss/NV_Extend_fp.h ibmtss/NV_GlobalWriteLock_fp.h ibmtss/NV_Increment_fp.h ibmtss/NV_Read_fp.h \
++	ibmtss/NV_ReadLock_fp.h ibmtss/NV_ReadPublic_fp.h ibmtss/NV_ReadValueAuth_fp.h ibmtss/NV_ReadValue_fp.h \
++	ibmtss/NV_SetBits_fp.h ibmtss/NV_UndefineSpace_fp.h ibmtss/NV_UndefineSpaceSpecial_fp.h ibmtss/NV_Write_fp.h \
++	ibmtss/NV_WriteLock_fp.h ibmtss/NV_WriteValueAuth_fp.h ibmtss/NV_WriteValue_fp.h ibmtss/ObjectChangeAuth_fp.h \
++	ibmtss/OIAP_fp.h ibmtss/OSAP_fp.h ibmtss/OwnerReadInternalPub_fp.h ibmtss/OwnerSetDisable_fp.h \
++	ibmtss/Parameters12.h ibmtss/Parameters.h ibmtss/PCR_Allocate_fp.h ibmtss/PCR_Event_fp.h ibmtss/PCR_Extend_fp.h \
++	ibmtss/PcrRead12_fp.h ibmtss/PCR_Read_fp.h ibmtss/PCR_Reset12_fp.h ibmtss/PCR_Reset_fp.h ibmtss/PCR_SetAuthPolicy_fp.h \
++	ibmtss/PCR_SetAuthValue_fp.h ibmtss/PolicyAuthorize_fp.h ibmtss/PolicyAuthorizeNV_fp.h ibmtss/PolicyAuthValue_fp.h \
++	ibmtss/PolicyCommandCode_fp.h ibmtss/PolicyCounterTimer_fp.h ibmtss/PolicyCpHash_fp.h ibmtss/PolicyDuplicationSelect_fp.h \
++	ibmtss/PolicyGetDigest_fp.h ibmtss/PolicyLocality_fp.h ibmtss/PolicyNameHash_fp.h ibmtss/PolicyNV_fp.h \
++	ibmtss/PolicyNvWritten_fp.h ibmtss/PolicyOR_fp.h ibmtss/PolicyPassword_fp.h ibmtss/PolicyPCR_fp.h \
++	ibmtss/PolicyPhysicalPresence_fp.h ibmtss/PolicyRestart_fp.h ibmtss/PolicySecret_fp.h ibmtss/PolicySigned_fp.h \
++	ibmtss/PolicyTemplate_fp.h ibmtss/PolicyTicket_fp.h ibmtss/PP_Commands_fp.h ibmtss/Quote2_fp.h ibmtss/Quote_fp.h \
++	ibmtss/ReadClock_fp.h ibmtss/ReadPubek_fp.h ibmtss/ReadPublic_fp.h ibmtss/Rewrap_fp.h ibmtss/RSA_Decrypt_fp.h \
++	ibmtss/RSA_Encrypt_fp.h ibmtss/SelfTest_fp.h ibmtss/SequenceComplete_fp.h ibmtss/SequenceUpdate_fp.h \
++	ibmtss/SetAlgorithmSet_fp.h ibmtss/SetCommandCodeAuditStatus_fp.h ibmtss/SetPrimaryPolicy_fp.h ibmtss/Shutdown_fp.h \
++	ibmtss/Sign12_fp.h ibmtss/Sign_fp.h ibmtss/StartAuthSession_fp.h ibmtss/Startup12_fp.h ibmtss/Startup_fp.h \
++	ibmtss/StirRandom_fp.h ibmtss/TakeOwnership_fp.h ibmtss/TestParms_fp.h ibmtss/TPMB.h ibmtss/TpmBuildSwitches.h \
++	ibmtss/tpmconstants12.h ibmtss/tpmstructures12.h ibmtss/tpmtypes12.h ibmtss/TPM_Types.h ibmtss/tsscrypto.h \
++	ibmtss/tsscryptoh.h ibmtss/tsserror12.h ibmtss/tsserror.h ibmtss/tssfile.h ibmtss/tss.h ibmtss/tssmarshal12.h \
++	ibmtss/tssmarshal.h ibmtss/tssprintcmd.h ibmtss/tssprint.h ibmtss/tssresponsecode.h ibmtss/tsstransmit.h \
++	ibmtss/tssutils.h ibmtss/Unmarshal12_fp.h ibmtss/Unmarshal_fp.h ibmtss/Unseal_fp.h ibmtss/VerifySignature_fp.h \
++	ibmtss/ZGen_2Phase_fp.h
++
++notrans_man_MANS = man/man1/tssactivatecredential.1 man/man1/tsscertify.1 man/man1/tsscertifycreation.1 \
++	man/man1/tsscertifyx509.1 man/man1/tsschangeeps.1 man/man1/tsschangepps.1 man/man1/tssclear.1 \
++	man/man1/tssclearcontrol.1 man/man1/tssclockrateadjust.1 man/man1/tssclockset.1 man/man1/tsscommit.1 \
++	man/man1/tsscontextload.1 man/man1/tsscontextsave.1 man/man1/tsscreate.1 man/man1/tsscreateek.1 \
++	man/man1/tsscreateekcert.1 man/man1/tsscreateloaded.1 man/man1/tsscreateprimary.1 \
++	man/man1/tssdictionaryattacklockreset.1 man/man1/tssdictionaryattackparameters.1 man/man1/tssduplicate.1 \
++	man/man1/tsseccparameters.1 man/man1/tssecephemeral.1 man/man1/tssencryptdecrypt.1 man/man1/tsseventextend.1 \
++	man/man1/tsseventsequencecomplete.1 man/man1/tssevictcontrol.1 man/man1/tssflushcontext.1 man/man1/tssgetcapability.1 \
++	man/man1/tssgetcommandauditdigest.1 man/man1/tssgetcryptolibrary.1 man/man1/tssgetrandom.1 \
++	man/man1/tssgetsessionauditdigest.1 man/man1/tssgettestresult.1 man/man1/tssgettime.1 man/man1/tsshash.1 \
++	man/man1/tsshashsequencestart.1 man/man1/tsshierarchychangeauth.1 man/man1/tsshierarchycontrol.1 \
++	man/man1/tsshmac.1 man/man1/tsshmacstart.1 man/man1/tssimaextend.1 man/man1/tssimport.1 man/man1/tssimportpem.1 \
++	man/man1/tssload.1 man/man1/tssloadexternal.1 man/man1/tssmakecredential.1 man/man1/tssntc2getconfig.1 \
++	man/man1/tssntc2lockconfig.1 man/man1/tssntc2preconfig.1 man/man1/tssnvcertify.1 man/man1/tssnvchangeauth.1 \
++	man/man1/tssnvdefinespace.1 man/man1/tssnvextend.1 man/man1/tssnvglobalwritelock.1 man/man1/tssnvincrement.1 \
++	man/man1/tssnvread.1 man/man1/tssnvreadlock.1 man/man1/tssnvreadpublic.1 man/man1/tssnvsetbits.1 \
++	man/man1/tssnvundefinespace.1 man/man1/tssnvundefinespacespecial.1 man/man1/tssnvwrite.1 man/man1/tssnvwritelock.1 \
++	man/man1/tssobjectchangeauth.1 man/man1/tsspcrallocate.1 man/man1/tsspcrevent.1 man/man1/tsspcrextend.1 \
++	man/man1/tsspcrread.1 man/man1/tsspcrreset.1 man/man1/tsspolicyauthorize.1 man/man1/tsspolicyauthorizenv.1 \
++	man/man1/tsspolicyauthvalue.1 man/man1/tsspolicycommandcode.1 man/man1/tsspolicycountertimer.1 \
++	man/man1/tsspolicycphash.1 man/man1/tsspolicyduplicationselect.1 man/man1/tsspolicygetdigest.1 \
++	man/man1/tsspolicymaker.1 man/man1/tsspolicymakerpcr.1 man/man1/tsspolicynamehash.1 man/man1/tsspolicynv.1 \
++	man/man1/tsspolicynvwritten.1 man/man1/tsspolicyor.1 man/man1/tsspolicypassword.1 man/man1/tsspolicypcr.1 \
++	man/man1/tsspolicyrestart.1 man/man1/tsspolicysecret.1 man/man1/tsspolicysigned.1 man/man1/tsspolicytemplate.1 \
++	man/man1/tsspolicyticket.1 man/man1/tsspowerup.1 man/man1/tssprintattr.1 man/man1/tsspublicname.1 \
++	man/man1/tssquote.1 man/man1/tssreadclock.1 man/man1/tssreadpublic.1 man/man1/tssreturncode.1 \
++	man/man1/tssrewrap.1 man/man1/tssrsadecrypt.1 man/man1/tssrsaencrypt.1 man/man1/tsssequencecomplete.1 \
++	man/man1/tsssequenceupdate.1 man/man1/tsssetcommandcodeauditstatus.1 man/man1/tsssetprimarypolicy.1 \
++	man/man1/tssshutdown.1 man/man1/tsssign.1 man/man1/tsssignapp.1 man/man1/tssstartauthsession.1 \
++	man/man1/tssstartup.1 man/man1/tssstirrandom.1 man/man1/tsstimepacket.1 man/man1/tsstpm2pem.1 \
++	man/man1/tsstpmcmd.1 man/man1/tsstpmpublic2eccpoint.1 man/man1/tssunseal.1 man/man1/tssverifysignature.1 \
++	man/man1/tsswriteapp.1 man/man1/tsszgen2phase.1
+ 
+ if CONFIG_TPM20
+ noinst_HEADERS += tss20.h tssauth20.h ibmtss/tssprintcmd.h
+diff --git a/utils12/Makefile.am b/utils12/Makefile.am
+index a01f47c..e9fe61e 100644
+--- a/utils12/Makefile.am
++++ b/utils12/Makefile.am
+@@ -9,7 +9,13 @@ libibmtssutils12_la_CFLAGS = -I$(top_srcdir)/utils
+ # result: [current-age].age.revision
+ libibmtssutils12_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@ ../utils/libibmtss.la
+ 
+-notrans_man_MANS = man/man1/*.1
++notrans_man_MANS = man/man1/tss1activateidentity.1 man/man1/tss1createekcert.1 man/man1/tss1createendorsementkeypair.1 \
++	man/man1/tss1createwrapkey.1 man/man1/tss1eventextend.1 man/man1/tss1extend.1 man/man1/tss1flushspecific.1 \
++	man/man1/tss1getcapability.1 man/man1/tss1imaextend.1 man/man1/tss1loadkey2.1 man/man1/tss1makeekblob.1 \
++	man/man1/tss1makeidentity.1 man/man1/tss1nvdefinespace.1 man/man1/tss1nvreadvalue.1 man/man1/tss1nvreadvalueauth.1 \
++	man/man1/tss1nvwritevalue.1 man/man1/tss1nvwritevalueauth.1 man/man1/tss1oiap.1 man/man1/tss1osap.1 \
++	man/man1/tss1ownerreadinternalpub.1 man/man1/tss1ownersetdisable.1 man/man1/tss1pcrread.1 man/man1/tss1quote2.1 \
++	man/man1/tss1sign.1 man/man1/tss1startup.1 man/man1/tss1takeownership.1 man/man1/tss1tpminit.1
+ noinst_HEADERS = ekutils12.h
+ 
+ bin_PROGRAMS = activateidentity createendorsementkeypair createwrapkey extend flushspecific getcapability loadkey2 makeidentity nvdefinespace nvreadvalueauth nvreadvalue nvwritevalueauth nvwritevalue oiap osap ownerreadinternalpub ownersetdisable pcrread quote2 sign startup takeownership tpminit createekcert makeekblob eventextend imaextend
+-- 
+2.17.1
+
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb
new file mode 100644
index 000000000..18ad7eb43
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb
@@ -0,0 +1,27 @@
+SUMMARY = "IBM's Software TPM 2.0 TSS"
+DESCRIPTION = "This is a user space TSS for TPM 2.0. It implements the \
+functionality equivalent to (but not API compatible with) the TCG TSS \
+working group's ESAPI, SAPI, and TCTI API's (and perhaps more) but with a \
+hopefully simpler interface. \
+It comes with over 110 'TPM tools' samples that can be used for scripted \
+apps, rapid prototyping, education, and debugging. \
+It also comes with a web based TPM interface, suitable for a demo to an \
+audience that is unfamiliar with TCG technology. It is also useful for \
+basic TPM management."
+HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmtss2.html"
+LICENSE = "BSD"
+SECTION = "securty/tpm"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
+
+DEPENDS = "openssl ibmswtpm2"
+
+inherit autotools pkgconfig
+
+SRCREV = "aa6c6ec83793ba21782033c03439977c26d3cc87"
+SRC_URI = " git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1 \
+           file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \
+           "
+
+EXTRA_OECONF = "--disable-tpm-1.2"
+
+S = "${WORKDIR}/git"