From dc9d614711d1f205166fa42a0af05054fe06b26d Mon Sep 17 00:00:00 2001
From: Andrew Geissler <geissonator@yahoo.com>
Date: Fri, 19 May 2023 09:38:37 -0500
Subject: subtree updates

meta-security: 53c5cc794f..ddf301c45c:
  Adrian Zaharia (1):
        libmhash: fix multilib header conflict - mutils/mhash_config.h

  Alexander Kanavin (1):
        maintainers.inc: rename to avoid clashes with oe-core

  Armin Kuster (15):
        meta-tpm: rename recipes-tpm to recipes-tpm1
        recipes-tpm: use this for common tpm recipes
        swtpm: update to 0.8.0
        libtpm: update to 0.9.6
        ossec-hids: update to tip of 3.7.0
        libhtp: update to 0.5.43
        suricata: update to 6.0.11
        fscryptctl: update to 1.0.1
        oeqa: fix hash test to match new changes
        integrity-image-minimal: adapt QEMU cmdline to new changes
        lynis: Add decoding OE and Poky
        os-release.bbappend: drop now CPE_NAME is in core
        openembedded-release: drop as os-release does this now
        tpm2-tss: drop vendor from PACKAGECONFIG
        packagegroup-security-tpm2: restore pkgs removed earlier

  Paul Gortmaker (4):
        dm-verity: ensure people don't ignore the DISTRO_FEATURES warning
        dm-verity: don't make read-only-rootfs sound like a requirement
        dm-verity: document the meta-intel dependency in the systemd example
        dm-verity: add x86-64 systemd based example instructions

  Peter Hoyes (1):
        meta-parsec/layer.conf: Insert addpylib declaration

  Peter Kjellerstedt (1):
        tpm2-tools: Remove unnecessary and optional dependencies

  Stefan Berger (12):
        ima: Document and replace keys and adapt scripts for EC keys
        ima: Fix the ima_policy_appraise_all to appraise executables & libraries
        ima: Fix the IMA kernel feature
        ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
        ima: Sign all executables and the ima-policy in the root filesystem
        integrity: Update the README for IMA support
        linux: overlayfs: Add kernel patch resolving a file change notification issue
        ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
        linux: overlayfs: Drop kernel patch resolving a file change notification issue
        ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg
        integrity: Fix the do_configure function
        integrity: Rename linux-%.bbappend to linux-yocto%.bbappend

meta-raspberrypi: bf948e0aa8..928bb234bb:
  Martin Jansa (3):
        rpi-libcamera-apps: fix flags used in aarch64 builds
        rpi-libcamera-apps: fix version generation on hosts with older python
        rpi-libcamera-apps: bump to latest SRCREV and set PV

meta-arm: 0b5724266a..f9d80e1a14:
  Emekcan Aras (2):
        arm-bsp/trusted-firmware-m: Align Capsule Update with GPT changes
        arm-bsp/wic: corstone1000: Fix and limit the partition size for corstone1000
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I56f7d26070d879e3138618332841c30cf57eb7d9
---
 ...-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch | 251 ---------------------
 1 file changed, 251 deletions(-)
 delete mode 100644 meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch

(limited to 'meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch')

diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
deleted file mode 100644
index cc8772d20c..0000000000
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
+++ /dev/null
@@ -1,251 +0,0 @@
-From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001
-From: Limeng <Meng.Li@windriver.com>
-Date: Fri, 23 Jun 2017 11:39:04 +0800
-Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password 
- from env
-
-Before, we support reading SRK password from env TPM_SRK_PW,
-but it is a plain password and not secure.
-So, we improve it and support to get an encrypted (AES algorithm)
-SRK password from env, and then parse it. The default decrypting
-AES password and salt is set in bb file.
-When we initialize TPM, and set a SRK pw, and then we need to
-encrypt it with the same AES password and salt by AES algorithm.
-At last, we set a env as below:
-export TPM_SRK_ENC_PW=xxxxxxxx
-"xxxxxxxx" is the encrypted SRK password for libtpm.so.
-
-Signed-off-by: Meng Li <Meng.Li@windriver.com>
----
- e_tpm.c     | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
- e_tpm.h     |   4 ++
- e_tpm_err.c |   4 ++
- 3 files changed, 164 insertions(+), 1 deletion(-)
-
-Index: git/src/e_tpm.c
-===================================================================
---- git.orig/src/e_tpm.c
-+++ git/src/e_tpm.c
-@@ -259,6 +259,118 @@ void ENGINE_load_tpm(void)
- 	ERR_clear_error();
- }
- 
-+static int tpm_decode_base64(unsigned char *indata,
-+				int in_len,
-+				unsigned char *outdata,
-+				int *out_len)
-+{
-+	int total_len, len, ret;
-+	EVP_ENCODE_CTX dctx;
-+
-+	EVP_DecodeInit(&dctx);
-+
-+	total_len = 0;
-+	ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
-+	if (ret < 0) {
-+		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
-+		return 1;
-+	}
-+
-+	total_len += len;
-+	ret = EVP_DecodeFinal(&dctx, outdata, &len);
-+	if (ret < 0) {
-+		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
-+		return 1;
-+	}
-+	total_len += len;
-+
-+	*out_len = total_len;
-+
-+	return 0;
-+}
-+
-+static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
-+				unsigned char *outdata,
-+				int *out_len)
-+{
-+	int dec_data_len, dec_data_lenfinal;
-+	unsigned char dec_data[256];
-+	unsigned char *aes_pw;
-+	unsigned char aes_salt[PKCS5_SALT_LEN];
-+	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
-+	const EVP_CIPHER *cipher = NULL;
-+	const EVP_MD *dgst = NULL;
-+	EVP_CIPHER_CTX *ctx = NULL;
-+
-+	if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) {
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		return 1;
-+	}
-+
-+	aes_pw = malloc(sizeof(SRK_DEC_PW) - 1);
-+	if (aes_pw == NULL) {
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		return 1;
-+	}
-+
-+	memset(aes_salt, 0x00, sizeof(aes_salt));
-+	memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1);
-+	memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1);
-+
-+	cipher = EVP_get_cipherbyname("aes-128-cbc");
-+	if (cipher == NULL) {
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		free(aes_pw);
-+		return 1;
-+	}
-+	dgst = EVP_sha256();
-+
-+	EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv);
-+
-+	ctx = EVP_CIPHER_CTX_new();
-+	/* Don't set key or IV right away; we want to check lengths */
-+	if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) {
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		free(aes_pw);
-+		return 1;
-+	}
-+
-+	OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
-+	OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
-+
-+	if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) {
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		free(aes_pw);
-+		return 1;
-+	}
-+
-+	if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) {
-+		/* Error */
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		free(aes_pw);
-+		EVP_CIPHER_CTX_free(ctx);
-+		return 1;
-+	}
-+
-+	if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) {
-+		/* Error */
-+		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
-+		free(aes_pw);
-+		EVP_CIPHER_CTX_free(ctx);
-+		return 1;
-+	}
-+
-+	dec_data_len = dec_data_len + dec_data_lenfinal;
-+
-+	memcpy(outdata, dec_data, dec_data_len);
-+	*out_len = dec_data_len;
-+
-+	free(aes_pw);
-+	EVP_CIPHER_CTX_free(ctx);
-+
-+	return 0;
-+}
-+
- int tpm_load_srk(UI_METHOD *ui, void *cb_data)
- {
- 	TSS_RESULT result;
-@@ -319,8 +431,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
- 		return 0;
- 	}
- 
--	srkPasswd = getenv("TPM_SRK_PW");
-+	srkPasswd = getenv("TPM_SRK_ENC_PW");
- 	if (NULL != srkPasswd) {
-+		int in_len = strlen(srkPasswd);
-+		int out_len;
-+		unsigned char *out_buf;
-+
-+		if (!in_len || in_len % 4) {
-+			Tspi_Context_CloseObject(hContext, hSRK);
-+			free(auth);
-+			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
-+			return 0;
-+		}
-+
-+		out_len = in_len * 3 / 4;
-+		out_buf = malloc(out_len);
-+		if (NULL == out_buf) {
-+			Tspi_Context_CloseObject(hContext, hSRK);
-+			free(auth);
-+			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
-+			return 0;
-+		}
-+
-+		if (tpm_decode_base64(srkPasswd, strlen(srkPasswd),
-+					out_buf, &out_len)) {
-+			Tspi_Context_CloseObject(hContext, hSRK);
-+			free(auth);
-+			free(out_buf);
-+			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
-+			return 0;
-+		}
-+
-+		if (tpm_decrypt_srk_pw(out_buf, out_len,
-+							auth, &authlen)) {
-+			Tspi_Context_CloseObject(hContext, hSRK);
-+			free(auth);
-+			free(out_buf);
-+			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
-+			return 0;
-+		}
-+		secretMode = TSS_SECRET_MODE_PLAIN;
-+		free(out_buf);
-+	}
-+#ifdef TPM_SRK_PLAIN_PW
-+	else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {
- 		if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
- 			memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
- 			secretMode = TSS_SECRET_MODE_SHA1;
-@@ -333,6 +487,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
- 			authlen = strlen(auth);
- 		}
- 	}
-+#endif
- 	else {
- 		if (!tpm_engine_get_auth(ui, (char *)auth, 128,
- 				"SRK authorization: ", cb_data)) {
-Index: git/src/e_tpm.h
-===================================================================
---- git.orig/src/e_tpm.h
-+++ git/src/e_tpm.h
-@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int rea
- #define TPM_F_TPM_FILL_RSA_OBJECT		116
- #define TPM_F_TPM_ENGINE_GET_AUTH		117
- #define TPM_F_TPM_CREATE_SRK_POLICY		118
-+#define TPM_F_TPM_DECODE_BASE64			119
-+#define TPM_F_TPM_DECRYPT_SRK_PW		120
- 
- /* Reason codes. */
- #define TPM_R_ALREADY_LOADED			100
-@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int rea
- #define TPM_R_ID_INVALID			125
- #define TPM_R_UI_METHOD_FAILED			126
- #define TPM_R_UNKNOWN_SECRET_MODE		127
-+#define TPM_R_DECODE_BASE64_FAILED		128
-+#define TPM_R_DECRYPT_SRK_PW_FAILED		129
- 
- /* structure pointed to by the RSA object's app_data pointer */
- struct rsa_app_data
-Index: git/src/e_tpm_err.c
-===================================================================
---- git.orig/src/e_tpm_err.c
-+++ git/src/e_tpm_err.c
-@@ -234,6 +234,8 @@ static ERR_STRING_DATA TPM_str_functs[]
- 	{ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
- 	{ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
- 	{ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
-+	{ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"},
-+	{ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"},
- 	{0, NULL}
- };
- 
-@@ -264,6 +266,8 @@ static ERR_STRING_DATA TPM_str_reasons[]
- 	{TPM_R_FILE_READ_FAILED, "failed reading the key file"},
- 	{TPM_R_ID_INVALID, "engine id doesn't match"},
- 	{TPM_R_UI_METHOD_FAILED, "ui function failed"},
-+	{TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"},
-+	{TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"},
- 	{0, NULL}
- };
- 
-- 
cgit v1.2.3