[meta-security][PATCH 1/6] tpm2.0-tss: fix musl build error

[meta-security][PATCH 1/6] tpm2.0-tss: fix musl build error

[Armin Kuster]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../tpm2.0-tss/fix_musl_select_include.patch       | 31 ++++++++++++++++++++++
 recipes-tpm/tpm2.0-tss/tpm2.0-tss_git.bb           |  3 ++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch

diff --git a/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch b/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch
new file mode 100644
index 0000000..ecaca6e
--- /dev/null
+++ b/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch
@@ -0,0 +1,31 @@
+This fixes musl build issue do to missing FD_* defines.
+Add sys/select.h
+
+Upstream-Status: Pending
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: TPM2.0-TSS/tcti/tcti_socket.cpp
+===================================================================
+--- TPM2.0-TSS.orig/tcti/tcti_socket.cpp
++++ TPM2.0-TSS/tcti/tcti_socket.cpp
+@@ -28,6 +28,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>   // Needed for _wtoi
+ 
++#include "sys/select.h"
+ #include <sapi/tpm20.h>
+ #include <tcti/tcti_socket.h>
+ #include "sysapi_util.h"
+Index: TPM2.0-TSS/resourcemgr/resourcemgr.c
+===================================================================
+--- TPM2.0-TSS.orig/resourcemgr/resourcemgr.c
++++ TPM2.0-TSS/resourcemgr/resourcemgr.c
+@@ -28,6 +28,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>   // Needed for _wtoi
+ 
++#include "sys/select.h"
+ #include <sapi/tpm20.h>
+ #include <tcti/tcti_device.h>
+ #include <tcti/tcti_socket.h>
diff --git a/recipes-tpm/tpm2.0-tss/tpm2.0-tss_git.bb b/recipes-tpm/tpm2.0-tss/tpm2.0-tss_git.bb
index c4b5c8c..a03559c 100644
--- a/recipes-tpm/tpm2.0-tss/tpm2.0-tss_git.bb
+++ b/recipes-tpm/tpm2.0-tss/tpm2.0-tss_git.bb
@@ -7,7 +7,8 @@ SECTION = "tpm"
 SRCREV = "8e25d0cbb287d30c93b2b77e99bc761dc67e31a9"
 SRC_URI = " \
     git://github.com/01org/TPM2.0-TSS.git;protocol=git;branch=master;name=TPM2.0-TSS;destsuffix=TPM2.0-TSS \
-    file://ax_pthread.m4"
+    file://ax_pthread.m4 \
+    file://fix_musl_select_include.patch "
 
 inherit autotools pkgconfig
 
-- 
2.7.4

[meta-security][PATCH 2/6] qemu: use wildcard for PV

[Armin Kuster]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-devtools/qemu/{qemu_2.7.0.bbappend => qemu_2%.bbappend} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename recipes-devtools/qemu/{qemu_2.7.0.bbappend => qemu_2%.bbappend} (100%)

diff --git a/recipes-devtools/qemu/qemu_2.7.0.bbappend b/recipes-devtools/qemu/qemu_2%.bbappend
similarity index 100%
rename from recipes-devtools/qemu/qemu_2.7.0.bbappend
rename to recipes-devtools/qemu/qemu_2%.bbappend
-- 
2.7.4

[meta-security][PATCH 3/6] tpm-tools: update to 1.3.9

[Armin Kuster]

remove incorperated patches.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../tpm-tools-extendpcr.patch                      |  0
 .../03-fix-bool-error-parseStringWithValues.patch  | 30 ----------------------
 .../gcc6_missleading_indent_fix.patch              | 24 -----------------
 .../{tpm-tools_1.3.8.bb => tpm-tools_git.bb}       | 27 ++++++++++++-------
 4 files changed, 18 insertions(+), 63 deletions(-)
 rename recipes-tpm/tpm-tools/{tpm-tools-1.3.8 => files}/tpm-tools-extendpcr.patch (100%)
 delete mode 100644 recipes-tpm/tpm-tools/tpm-tools-1.3.8/03-fix-bool-error-parseStringWithValues.patch
 delete mode 100644 recipes-tpm/tpm-tools/tpm-tools-1.3.8/gcc6_missleading_indent_fix.patch
 rename recipes-tpm/tpm-tools/{tpm-tools_1.3.8.bb => tpm-tools_git.bb} (62%)

diff --git a/recipes-tpm/tpm-tools/tpm-tools-1.3.8/tpm-tools-extendpcr.patch b/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
similarity index 100%
rename from recipes-tpm/tpm-tools/tpm-tools-1.3.8/tpm-tools-extendpcr.patch
rename to recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
diff --git a/recipes-tpm/tpm-tools/tpm-tools-1.3.8/03-fix-bool-error-parseStringWithValues.patch b/recipes-tpm/tpm-tools/tpm-tools-1.3.8/03-fix-bool-error-parseStringWithValues.patch
deleted file mode 100644
index 9497e89..0000000
--- a/recipes-tpm/tpm-tools/tpm-tools-1.3.8/03-fix-bool-error-parseStringWithValues.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Title: Fix boolean comparison error (and FTBFS with gcc-5)
-Date: 2015-06-28
-Author: Pierre Chifflier <pollux@debian.org>
-Bug-Debian: http://bugs.debian.org/778147
-Index: tpm-tools/src/tpm_mgmt/tpm_nvcommon.c
-===================================================================
---- tpm-tools.orig/src/tpm_mgmt/tpm_nvcommon.c
-+++ tpm-tools/src/tpm_mgmt/tpm_nvcommon.c
-@@ -140,8 +140,8 @@ int parseStringWithValues(const char *aA
- 						 aArg);
- 					return -1;
- 				}
--				if (!aArg[offset+numbytes] == '|' &&
--				    !aArg[offset+numbytes] == 0) {
-+				if (!(aArg[offset+numbytes] == '|' ||
-+				      aArg[offset+numbytes] == 0)) {
- 					logError(_("Illegal character following "
-                                                    "hexadecimal number in %s\n"),
- 						 aArg + offset);
-@@ -164,8 +164,8 @@ int parseStringWithValues(const char *aA
- 				return -1;
- 			}
- 
--			if (!aArg[offset+numbytes] == '|' &&
--			    !aArg[offset+numbytes] == 0) {
-+			if (!(aArg[offset+numbytes] == '|' ||
-+			      aArg[offset+numbytes] == 0)) {
- 				logError(_("Illegal character following decimal "
- 				           "number in %s\n"),
- 					 aArg + offset);
diff --git a/recipes-tpm/tpm-tools/tpm-tools-1.3.8/gcc6_missleading_indent_fix.patch b/recipes-tpm/tpm-tools/tpm-tools-1.3.8/gcc6_missleading_indent_fix.patch
deleted file mode 100644
index aec5e7a..0000000
--- a/recipes-tpm/tpm-tools/tpm-tools-1.3.8/gcc6_missleading_indent_fix.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Index: tpm-tools-1.3.8/src/tpm_mgmt/tpm_present.c
-===================================================================
---- tpm-tools-1.3.8.orig/src/tpm_mgmt/tpm_present.c
-+++ tpm-tools-1.3.8/src/tpm_mgmt/tpm_present.c
-@@ -349,13 +349,13 @@ int main(int argc, char **argv)
- 		}
- 	} while (flags[++i].name);
- 
--      out_success:
-+out_success:
- 	logSuccess(argv[0]);
- 	iRc = 0;
--      out_close:
-+out_close:
- 	contextClose(hContext);
--      out:
--    if (szTpmPasswd && !isWellKnown)
--	shredPasswd( szTpmPasswd );
--	return iRc;
-+out:
-+	if (szTpmPasswd && !isWellKnown)
-+		shredPasswd( szTpmPasswd );
-+return iRc;
- }
diff --git a/recipes-tpm/tpm-tools/tpm-tools_1.3.8.bb b/recipes-tpm/tpm-tools/tpm-tools_git.bb
similarity index 62%
rename from recipes-tpm/tpm-tools/tpm-tools_1.3.8.bb
rename to recipes-tpm/tpm-tools/tpm-tools_git.bb
index 790894a..83f1091 100644
--- a/recipes-tpm/tpm-tools/tpm-tools_1.3.8.bb
+++ b/recipes-tpm/tpm-tools/tpm-tools_git.bb
@@ -8,19 +8,28 @@ DESCRIPTION = " \
 SECTION = "tpm"
 LICENSE = "CPL-1.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
+
 DEPENDS = "libtspi openssl"
 DEPENDS_class-native = "trousers-native"
 
-SRC_URI += " \
-    http://downloads.sourceforge.net/project/trousers/${BPN}/${PV}/${BP}.tar.gz \
-    file://tpm-tools-extendpcr.patch \
-    file://03-fix-bool-error-parseStringWithValues.patch \
-    file://gcc6_missleading_indent_fix.patch \
-"
+SRCREV = "80954ab83be8d091c6e3112514945556aaa09d39"
+SRC_URI = " \
+	git://git.code.sf.net/p/trousers/tpm-tools \
+	file://tpm-tools-extendpcr.patch \
+	"
+
+PV = "1.3.9+git${SRCPV}"
+
+inherit autotools-brokensep gettext
 
-SRC_URI[md5sum] = "85a978c4e03fefd4b73cbeadde7c4d0b"
-SRC_URI[sha256sum] = "66eb4ff095542403db6b4bd4b574e8a5c08084fe4e9e5aa9a829ee84e20bea83"
+S = "${WORKDIR}/git"
 
-inherit autotools gettext
+do_configure_prepend () {
+	mkdir -p po
+	mkdir -p m4
+	cp -R po_/* po/
+	touch po/Makefile.in.in
+	touch m4/Makefile.am
+}
 
 BBCLASSEXTEND = "native"
-- 
2.7.4

[meta-security][PATCH 4/6] trousers: update to 0.3.14

[Armin Kuster]

convert to git and remove incorperated patches

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...t-getpwent_r-is-available-before-using-it.patch | 85 ----------------------
 ...si_param.c-Include-limits.h-for-POSIX_MAX.patch | 36 ---------
 .../trousers/files/07-read_data-not-inline.patch   | 65 -----------------
 .../{trousers_0.3.13.bb => trousers_git.bb}        | 40 +++++-----
 4 files changed, 20 insertions(+), 206 deletions(-)
 delete mode 100644 recipes-tpm/trousers/files/0001-Check-that-getpwent_r-is-available-before-using-it.patch
 delete mode 100644 recipes-tpm/trousers/files/0001-tsp_tcsi_param.c-Include-limits.h-for-POSIX_MAX.patch
 delete mode 100644 recipes-tpm/trousers/files/07-read_data-not-inline.patch
 rename recipes-tpm/trousers/{trousers_0.3.13.bb => trousers_git.bb} (67%)

diff --git a/recipes-tpm/trousers/files/0001-Check-that-getpwent_r-is-available-before-using-it.patch b/recipes-tpm/trousers/files/0001-Check-that-getpwent_r-is-available-before-using-it.patch
deleted file mode 100644
index e7ba2eb..0000000
--- a/recipes-tpm/trousers/files/0001-Check-that-getpwent_r-is-available-before-using-it.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From bb721b0ae5882992037153e7257791101172556e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?No=C3=A9=20Rubinstein?= <nrubinstein@aldebaran.com>
-Date: Wed, 24 Aug 2016 18:55:25 +0200
-Subject: [PATCH] Check that getpwent_r is available before using it
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This fixes building trousers with musl
-
-Signed-off-by: Noé Rubinstein <nrubinstein@aldebaran.com>
----
-Upstream-Status: Inappropriate [not author https://git.busybox.net/buildroot/plain/package/trousers/0004-Check-that-getpwent_r-is-available-before-using-it.patch]
-Signed-off-by: André Draszik <adraszik@tycoint.com>
- configure.in        |  4 ++++
- src/tspi/ps/tspps.c | 10 +++++-----
- 2 files changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index add23dc..cfdfcaa 100644
---- a/configure.in
-+++ b/configure.in
-@@ -144,6 +144,10 @@ else
- 	AC_MSG_ERROR(["gtk", "openssl" and "none" are the only supported gui options for trousers])
- fi
- 
-+# Look for getpwent_r. If it is not found, getpwent will be used instead, with
-+# an additional mutex.
-+AC_CHECK_FUNC(getpwent_r, [AC_DEFINE(HAVE_GETPWENT_R)])
-+
- #
- # The default port that the TCS daemon listens on
- #
-diff --git a/src/tspi/ps/tspps.c b/src/tspi/ps/tspps.c
-index c6f9c3d..9d00d2a 100644
---- a/src/tspi/ps/tspps.c
-+++ b/src/tspi/ps/tspps.c
-@@ -45,7 +45,7 @@
- 
- static int user_ps_fd = -1;
- static MUTEX_DECLARE_INIT(user_ps_lock);
--#if (defined (__FreeBSD__) || defined (__OpenBSD__))
-+#ifndef HAVE_GETPWENT_R
- static MUTEX_DECLARE_INIT(user_ps_path);
- #endif
- static struct flock fl;
-@@ -60,7 +60,7 @@ get_user_ps_path(char **file)
- 	TSS_RESULT result;
- 	char *file_name = NULL, *home_dir = NULL;
- 	struct passwd *pwp;
--#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
-+#ifdef HAVE_GETPWENT_R
- 	struct passwd pw;
- #endif
- 	struct stat stat_buf;
-@@ -72,7 +72,7 @@ get_user_ps_path(char **file)
- 		*file = strdup(file_name);
- 		return (*file) ? TSS_SUCCESS : TSPERR(TSS_E_OUTOFMEMORY);
- 	}
--#if (defined (__FreeBSD__) || defined (__OpenBSD__))
-+#ifndef HAVE_GETPWENT_R
- 	MUTEX_LOCK(user_ps_path);
- #endif
- 
-@@ -90,7 +90,7 @@ get_user_ps_path(char **file)
- #else
- 	setpwent();
- 	while (1) {
--#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
-+#ifdef HAVE_GETPWENT_R
- 		rc = getpwent_r(&pw, buf, PASSWD_BUFSIZE, &pwp);
- 		if (rc) {
- 			LogDebugFn("USER PS: Error getting path to home directory: getpwent_r: %s",
-@@ -99,7 +99,7 @@ get_user_ps_path(char **file)
- 			return TSPERR(TSS_E_INTERNAL_ERROR);
- 		}
- 
--#elif (defined (__FreeBSD__) || defined (__OpenBSD__))
-+#else
- 		if ((pwp = getpwent()) == NULL) {
- 			LogDebugFn("USER PS: Error getting path to home directory: getpwent: %s",
-                                    strerror(rc));
--- 
-2.10.2
-
diff --git a/recipes-tpm/trousers/files/0001-tsp_tcsi_param.c-Include-limits.h-for-POSIX_MAX.patch b/recipes-tpm/trousers/files/0001-tsp_tcsi_param.c-Include-limits.h-for-POSIX_MAX.patch
deleted file mode 100644
index c01040d..0000000
--- a/recipes-tpm/trousers/files/0001-tsp_tcsi_param.c-Include-limits.h-for-POSIX_MAX.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From c1b5f33845c56dc7aef769c99758b4f77a041d43 Mon Sep 17 00:00:00 2001
-From: Felix Janda <felix.janda@posteo.de>
-Date: Wed, 31 Aug 2016 22:52:58 -0400
-Subject: [PATCH] tsp_tcsi_param.c: Include <limits.h> for POSIX_MAX
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use POSIX instead of glibc-specific header.
-Fixes compilation with musl libc.
-
-Signed-off-by: Felix Janda <felix.janda@posteo.de>
-Reviewed-by: Hon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com>
-
----
-Upstream-Status: Backport [https://sourceforge.net/p/trousers/trousers/ci/59351a56cac1710e89d207dff07eb23bbc644c13/]
-Signed-off-by: André Draszik <adraszik@tycoint.com>
- src/tspi/tsp_tcsi_param.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tspi/tsp_tcsi_param.c b/src/tspi/tsp_tcsi_param.c
-index 670f86f..8f2b4e4 100644
---- a/src/tspi/tsp_tcsi_param.c
-+++ b/src/tspi/tsp_tcsi_param.c
-@@ -11,7 +11,7 @@
- #include <stdlib.h>
- #include <string.h>
- #include <stdio.h>
--#include <bits/local_lim.h>
-+#include <limits.h>
- #include "trousers/tss.h"
- #include "trousers/trousers.h"
- #include "trousers_types.h"
--- 
-2.10.2
-
diff --git a/recipes-tpm/trousers/files/07-read_data-not-inline.patch b/recipes-tpm/trousers/files/07-read_data-not-inline.patch
deleted file mode 100644
index 76ba98a..0000000
--- a/recipes-tpm/trousers/files/07-read_data-not-inline.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-Title: Remove inline keyword for read_data and write_data
-Date: 2015-06-28
-Origin: https://chromium.googlesource.com/chromiumos%2Fthird_party%2Ftrousers/+/c9c7cd50640c2d8882a04f59f1bcb383a88b19e9
-Bug-Debian: http://bugs.debian.org/778149
-Index: trousers/src/include/tcsps.h
-===================================================================
---- trousers.orig/src/include/tcsps.h
-+++ trousers/src/include/tcsps.h
-@@ -23,13 +23,6 @@ int		   get_file();
- int		   put_file(int);
- void		   close_file(int);
- void		   ps_destroy();
--#ifdef SOLARIS
--TSS_RESULT  read_data(int, void *, UINT32);
--TSS_RESULT  write_data(int, void *, UINT32);
--#else
--inline TSS_RESULT  read_data(int, void *, UINT32);
--inline TSS_RESULT  write_data(int, void *, UINT32);
--#endif
- int		   write_key_init(int, UINT32, UINT32, UINT32);
- TSS_RESULT	   cache_key(UINT32, UINT16, TSS_UUID *, TSS_UUID *, UINT16, UINT32, UINT32);
- TSS_RESULT	   UnloadBlob_KEY_PS(UINT16 *, BYTE *, TSS_KEY *);
-Index: trousers/src/include/tspps.h
-===================================================================
---- trousers.orig/src/include/tspps.h
-+++ trousers/src/include/tspps.h
-@@ -18,8 +18,8 @@
- 
- TSS_RESULT	   get_file(int *);
- int		   put_file(int);
--inline TSS_RESULT  read_data(int, void *, UINT32);
--inline TSS_RESULT  write_data(int, void *, UINT32);
-+TSS_RESULT	   read_data(int, void *, UINT32);
-+TSS_RESULT	   write_data(int, void *, UINT32);
- UINT32		   psfile_get_num_keys(int);
- TSS_RESULT	   psfile_get_parent_uuid_by_uuid(int, TSS_UUID *, TSS_UUID *);
- TSS_RESULT	   psfile_remove_key_by_uuid(int, TSS_UUID *);
-Index: trousers/src/tcs/ps/ps_utils.c
-===================================================================
---- trousers.orig/src/tcs/ps/ps_utils.c
-+++ trousers/src/tcs/ps/ps_utils.c
-@@ -42,11 +42,7 @@
- struct key_disk_cache *key_disk_cache_head = NULL;
- 
- 
--#ifdef SOLARIS
- TSS_RESULT
--#else
--inline TSS_RESULT
--#endif
- read_data(int fd, void *data, UINT32 size)
- {
- 	int rc;
-@@ -64,11 +60,7 @@ read_data(int fd, void *data, UINT32 siz
- }
- 
- 
--#ifdef SOLARIS
- TSS_RESULT
--#else
--inline TSS_RESULT
--#endif
- write_data(int fd, void *data, UINT32 size)
- {
- 	int rc;
diff --git a/recipes-tpm/trousers/trousers_0.3.13.bb b/recipes-tpm/trousers/trousers_git.bb
similarity index 67%
rename from recipes-tpm/trousers/trousers_0.3.13.bb
rename to recipes-tpm/trousers/trousers_git.bb
index a69f763..1dedd7c 100644
--- a/recipes-tpm/trousers/trousers_0.3.13.bb
+++ b/recipes-tpm/trousers/trousers_git.bb
@@ -6,17 +6,17 @@ SECTION = "security/tpm"
 
 DEPENDS = "openssl"
 
-SRC_URI = "http://sourceforge.net/projects/trousers/files/${BPN}/${PV}/${BPN}-${PV}.tar.gz \
-    file://0001-tsp_tcsi_param.c-Include-limits.h-for-POSIX_MAX.patch \
-    file://0001-Check-that-getpwent_r-is-available-before-using-it.patch \
-    file://07-read_data-not-inline.patch \
-    file://trousers.init.sh \
-    file://trousers-udev.rules \
-    file://tcsd.service \
-    "
-
-SRC_URI[md5sum] = "ad508f97b406f6e48cd90e85d78e7ca8"
-SRC_URI[sha256sum] = "bb908e4a3c88a17b247a4fc8e0fff3419d8a13170fe7bdfbe0e2c5c082a276d3"
+SRCREV = "4b9a70d5789b0b74f43957a6c19ab2156a72d3e0"
+PV = "0.3.14+git${SRCPV}"
+
+SRC_URI = " \
+	git://git.code.sf.net/p/trousers/trousers \
+    	file://trousers.init.sh \
+    	file://trousers-udev.rules \
+    	file://tcsd.service \
+    	"
+
+S = "${WORKDIR}/git"
 
 inherit autotools pkgconfig useradd update-rc.d ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
 
@@ -61,10 +61,10 @@ FILES_libtspi = " \
 	"
 FILES_libtspi-dbg = " \
 	${libdir}/.debug \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/${PN}-${PV}/src/tspi \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/${PN}-${PV}/src/trspi \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/${PN}-${PV}/src/include/*.h \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/${PN}-${PV}/src/include/tss \
+	${prefix}/src/debug/${BPN}/${PV}-${PR}/git/src/tspi \
+	${prefix}/src/debug/${BPN}/${PV}-${PR}/git/src/trspi \
+	${prefix}/src/debug/${BPN}/${PV}-${PR}/git/src/include/*.h \
+	${prefix}/src/debug/${BPN}/${PV}-${PR}/git/src/include/tss \
 	"
 FILES_libtspi-dev = " \
 	${includedir} \
@@ -88,11 +88,11 @@ FILES_${PN}-dev += "${libdir}/trousers"
 
 FILES_${PN}-dbg = " \
 	${sbindir}/.debug \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/${PN}-${PV}/src/tcs \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/${PN}-${PV}/src/tcsd \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/${PN}-${PV}/src/tddl \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/${PN}-${PV}/src/trousers \
-	${prefix}/src/debug/${PN}/${PV}-${PR}/${PN}-${PV}/src/include/trousers \
+	${prefix}/src/debug/${BPN}/${PV}-${PR}/git/src/tcs \
+	${prefix}/src/debug/${BPN}/${PV}-${PR}/git/src/tcsd \
+	${prefix}/src/debug/${BPN}/${PV}-${PR}/git/src/tddl \
+	${prefix}/src/debug/${BPN}/${PV}-${PR}/git/src/trousers \
+	${prefix}/src/debug/${BPN}/${PV}-${PR}/git/src/include/trousers \
 	"
 FILES_${PN}-doc = " \
 	${mandir}/man5 \
-- 
2.7.4

[meta-security][PATCH 5/6] libtpm: update to tip.

[Armin Kuster]

fix several build issues

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-tpm/libtpm/files/fix_dprintf_issue.patch | 18 +++++++++
 recipes-tpm/libtpm/files/fix_signed_issue.patch  | 48 ++++++++++++++++++++++++
 recipes-tpm/libtpm/libtpm_1.0.bb                 |  8 +++-
 3 files changed, 72 insertions(+), 2 deletions(-)
 create mode 100644 recipes-tpm/libtpm/files/fix_dprintf_issue.patch
 create mode 100644 recipes-tpm/libtpm/files/fix_signed_issue.patch

diff --git a/recipes-tpm/libtpm/files/fix_dprintf_issue.patch b/recipes-tpm/libtpm/files/fix_dprintf_issue.patch
new file mode 100644
index 0000000..25760bb
--- /dev/null
+++ b/recipes-tpm/libtpm/files/fix_dprintf_issue.patch
@@ -0,0 +1,18 @@
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: src/tpm_library.c
+===================================================================
+--- git.orig/src/tpm_library.c
++++ git/src/tpm_library.c
+@@ -405,8 +405,8 @@ int TPMLIB_LogPrintf(const char *format,
+     }
+ 
+     if (debug_prefix)
+-        dprintf(debug_fd, debug_prefix);
+-    dprintf(debug_fd, buffer);
++        dprintf(debug_fd, "%s" , debug_prefix);
++    dprintf(debug_fd, "%s" , buffer);
+ 
+     return i;
+ }
diff --git a/recipes-tpm/libtpm/files/fix_signed_issue.patch b/recipes-tpm/libtpm/files/fix_signed_issue.patch
new file mode 100644
index 0000000..fc13aa5
--- /dev/null
+++ b/recipes-tpm/libtpm/files/fix_signed_issue.patch
@@ -0,0 +1,48 @@
+Upstream-Status: Pending
+Signed-off-by: Armin kuster <akuster808@gmail.com>
+
+Index: git/src/swtpm/ctrlchannel.c
+===================================================================
+--- git.orig/src/swtpm/ctrlchannel.c
++++ git/src/swtpm/ctrlchannel.c
+@@ -152,7 +152,8 @@ static int ctrlchannel_receive_state(ptm
+     uint32_t tpm_number = 0;
+     unsigned char *blob = NULL;
+     uint32_t blob_length = be32toh(pss->u.req.length);
+-    uint32_t remain = blob_length, offset = 0;
++    ssize_t remain = (ssize_t) blob_length;
++    uint32_t offset = 0;
+     TPM_RESULT res;
+     uint32_t flags = be32toh(pss->u.req.state_flags);
+     TPM_BOOL is_encrypted = (flags & PTM_STATE_FLAG_ENCRYPTED) != 0;
+Index: git/src/swtpm_ioctl/tpm_ioctl.c
+===================================================================
+--- git.orig/src/swtpm_ioctl/tpm_ioctl.c
++++ git/src/swtpm_ioctl/tpm_ioctl.c
+@@ -303,7 +303,7 @@ static int do_save_state_blob(int fd, bo
+         numbytes = write(file_fd, pgs.u.resp.data,
+                          devtoh32(is_chardev, pgs.u.resp.length));
+ 
+-        if (numbytes != devtoh32(is_chardev, pgs.u.resp.length)) {
++        if (numbytes != (ssize_t) devtoh32(is_chardev, pgs.u.resp.length)) {
+             fprintf(stderr,
+                     "Could not write to file '%s': %s\n",
+                     filename, strerror(errno));
+@@ -420,7 +420,7 @@ static int do_load_state_blob(int fd, bo
+                had_error = true;
+                break;
+             }
+-            pss.u.req.length = htodev32(is_chardev, numbytes);
++            pss.u.req.length = htodev32(is_chardev, (uint32_t) numbytes);
+ 
+             /* the returnsize is zero on all intermediate packets */
+             returnsize = ((size_t)numbytes < sizeof(pss.u.req.data))
+@@ -863,7 +863,7 @@ int main(int argc, char *argv[])
+             return EXIT_FAILURE;
+         }
+         /* no tpm_result here */
+-        printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap));
++        printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
+ 
+     } else if (!strcmp(command, "-i")) {
+         init.u.req.init_flags = htodev32(is_chardev, PTM_INIT_FLAG_DELETE_VOLATILE);
diff --git a/recipes-tpm/libtpm/libtpm_1.0.bb b/recipes-tpm/libtpm/libtpm_1.0.bb
index 83b78a0..449e8c1 100644
--- a/recipes-tpm/libtpm/libtpm_1.0.bb
+++ b/recipes-tpm/libtpm/libtpm_1.0.bb
@@ -1,8 +1,12 @@
 SUMMARY = "LIBPM - Software TPM Library"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=97e5eea8d700d76b3ddfd35c4c96485f"
-SRCREV = "e5dc628043e981c9f8d7711ddfe5812c8f4e38cc"
-SRC_URI = "git://github.com/stefanberger/libtpms.git"
+
+SRCREV = "ad44846dda5a96e269ad2f78a532e01e9a2f02a1"
+SRC_URI = " \
+	git://github.com/stefanberger/libtpms.git \
+	file://fix_dprintf_issue.patch \
+	"
 
 S = "${WORKDIR}/git"
 inherit autotools-brokensep pkgconfig
-- 
2.7.4

[meta-security][PATCH 6/6] swtpm: update to tip

[Armin Kuster]

fix signed build issues

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-tpm/swtpm/files/fix_lib_search_path.patch | 41 -------------------
 recipes-tpm/swtpm/files/fix_signed_issue.patch    | 48 +++++++++++++++++++++++
 recipes-tpm/swtpm/swtpm_1.0.bb                    | 18 +++++++--
 3 files changed, 63 insertions(+), 44 deletions(-)
 delete mode 100644 recipes-tpm/swtpm/files/fix_lib_search_path.patch
 create mode 100644 recipes-tpm/swtpm/files/fix_signed_issue.patch

diff --git a/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/recipes-tpm/swtpm/files/fix_lib_search_path.patch
deleted file mode 100644
index 015f418..0000000
--- a/recipes-tpm/swtpm/files/fix_lib_search_path.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-
-Upstream-Status: Inappropriate [OE config]
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: configure.ac
-===================================================================
---- a/configure.ac
-+++ b/configure.ac
-@@ -349,21 +349,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-securi
- dnl We have to make sure libtpms is using the same crypto library
- dnl to avoid problems
- AC_MSG_CHECKING([the crypto library libtpms is using])
--dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
--       sed -n '/SEARCH_DIR/p' | \
--       sed 's/SEARCH_DIR("=\?\(@<:@^"@:>@\+\)"); */\1\n/g')
--for dir in $dirs; do
--  if test -r $dir/libtpms.so; then
--    if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
--      libtpms_cryptolib="openssl"
--      break
--    fi
--    if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
--      libtpms_cryptolib="freebl"
--      break
--    fi
-+dir="$SEARCH_DIR"
-+if test -r $dir/libtpms.so; then
-+  if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
-+    libtpms_cryptolib="openssl"
-+    break
-   fi
--done
-+  if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
-+    libtpms_cryptolib="freebl"
-+    break
-+  fi
-+fi
- 
- if test -z "$libtpms_cryptolib"; then
-   AC_MSG_ERROR([Could not determine libtpms crypto library.])
diff --git a/recipes-tpm/swtpm/files/fix_signed_issue.patch b/recipes-tpm/swtpm/files/fix_signed_issue.patch
new file mode 100644
index 0000000..427df62
--- /dev/null
+++ b/recipes-tpm/swtpm/files/fix_signed_issue.patch
@@ -0,0 +1,48 @@
+Upstream-Status: Pending
+Signed-off-by Armin Kuster <akuster808@gmail>
+
+Index: git/src/swtpm/ctrlchannel.c
+===================================================================
+--- git.orig/src/swtpm/ctrlchannel.c
++++ git/src/swtpm/ctrlchannel.c
+@@ -152,7 +152,8 @@ static int ctrlchannel_receive_state(ptm
+     uint32_t tpm_number = 0;
+     unsigned char *blob = NULL;
+     uint32_t blob_length = be32toh(pss->u.req.length);
+-    uint32_t remain = blob_length, offset = 0;
++    ssize_t remain = (ssize_t) blob_length;
++    uint32_t offset = 0;
+     TPM_RESULT res;
+     uint32_t flags = be32toh(pss->u.req.state_flags);
+     TPM_BOOL is_encrypted = (flags & PTM_STATE_FLAG_ENCRYPTED) != 0;
+Index: git/src/swtpm_ioctl/tpm_ioctl.c
+===================================================================
+--- git.orig/src/swtpm_ioctl/tpm_ioctl.c
++++ git/src/swtpm_ioctl/tpm_ioctl.c
+@@ -303,7 +303,7 @@ static int do_save_state_blob(int fd, bo
+         numbytes = write(file_fd, pgs.u.resp.data,
+                          devtoh32(is_chardev, pgs.u.resp.length));
+ 
+-        if (numbytes != devtoh32(is_chardev, pgs.u.resp.length)) {
++        if (numbytes != (ssize_t) devtoh32(is_chardev, pgs.u.resp.length)) {
+             fprintf(stderr,
+                     "Could not write to file '%s': %s\n",
+                     filename, strerror(errno));
+@@ -420,7 +420,7 @@ static int do_load_state_blob(int fd, bo
+                had_error = true;
+                break;
+             }
+-            pss.u.req.length = htodev32(is_chardev, numbytes);
++            pss.u.req.length = htodev32(is_chardev, (uint32_t) numbytes);
+ 
+             /* the returnsize is zero on all intermediate packets */
+             returnsize = ((size_t)numbytes < sizeof(pss.u.req.data))
+@@ -863,7 +863,7 @@ int main(int argc, char *argv[])
+             return EXIT_FAILURE;
+         }
+         /* no tpm_result here */
+-        printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap));
++        printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
+ 
+     } else if (!strcmp(command, "-i")) {
+         init.u.req.init_flags = htodev32(is_chardev, PTM_INIT_FLAG_DELETE_VOLATILE);
diff --git a/recipes-tpm/swtpm/swtpm_1.0.bb b/recipes-tpm/swtpm/swtpm_1.0.bb
index 04777e1..27b4b8c 100644
--- a/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -5,9 +5,11 @@ SECTION = "apps"
 
 DEPENDS = "libtasn1 fuse expect socat glib-2.0 libtpm libtpm-native"
 
-SRCREV = "2cd10cee2f74c84bda22081514b6b2cb566fa42d"
-SRC_URI = "git://github.com/stefanberger/swtpm.git \
-	   file://fix_lib_search_path.patch"
+SRCREV = "ca906a02124d0ed8b6194e845d272d23ee394a34"
+SRC_URI = " \
+	git://github.com/stefanberger/swtpm.git \
+	file://fix_signed_issue.patch \
+	"
 
 S = "${WORKDIR}/git"
 
@@ -22,11 +24,21 @@ PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux',
 PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
 PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
 PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
+PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, libselinux"
 
 EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"
 
 export SEARCH_DIR = "${STAGING_LIBDIR_NATIVE}"
 
+# dup bootstrap 
+do_configure_prepend () {
+	libtoolize --force --copy
+	autoheader
+	aclocal
+	automake --add-missing -c
+	autoconf
+}
+
 USERADD_PACKAGES = "${PN}"
 GROUPADD_PARAM_${PN} = "--system ${TSS_USER}"
 USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir  \
-- 
2.7.4

Re: [meta-security][PATCH 5/6] libtpm: update to tip.

[Patrick Ohly]

On Sun, 2017-01-29 at 09:12 -0800, Armin Kuster wrote:
> diff --git a/recipes-tpm/libtpm/files/fix_dprintf_issue.patch
> b/recipes-tpm/libtpm/files/fix_dprintf_issue.patch
> new file mode 100644
> index 0000000..25760bb
> --- /dev/null
> +++ b/recipes-tpm/libtpm/files/fix_dprintf_issue.patch
> @@ -0,0 +1,18 @@
> +Upstream-Status: Pending
> +Signed-off-by: Armin Kuster <akuster808@gmail.com>

Just wondering: what's your approach regarding "pending" patches? Accept
them into the layer, then submit upstream later as time permits?

Besides that, the six patches are all fine, so please consider them

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

However, when I started using these recipes already before the latest
changes, I had to fix quite a few things before the recipes were usable
(will send patches shortly):
- tcsd from trousers doesn't start because of incorrect ownership of 
  /etc/tcsd.conf
- swtpm was more useful for me as a native tool in combination with
  Stefan's qemu-tpm patches, but couldn't be compiled natively
- libtspi.so.1 was not getting installed, causing tpm tools to fail

I had the impression that the recipes were mostly in a "they build" kind
of state, but not really used much in practice. Is that correct?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [meta-security][PATCH 6/6] swtpm: update to tip

[Patrick Ohly]

On Sun, 2017-01-29 at 09:12 -0800, Armin Kuster wrote:
> fix signed build issues
> 
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
>  recipes-tpm/swtpm/files/fix_lib_search_path.patch | 41 -------------------
>  recipes-tpm/swtpm/files/fix_signed_issue.patch    | 48 +++++++++++++++++++++++
>  recipes-tpm/swtpm/swtpm_1.0.bb                    | 18 +++++++--
>  3 files changed, 63 insertions(+), 44 deletions(-)
>  delete mode 100644 recipes-tpm/swtpm/files/fix_lib_search_path.patch
>  create mode 100644 recipes-tpm/swtpm/files/fix_signed_issue.patch
> 
> diff --git a/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/recipes-tpm/swtpm/files/fix_lib_search_path.patch
> deleted file mode 100644
> index 015f418..0000000
> --- a/recipes-tpm/swtpm/files/fix_lib_search_path.patch
> +++ /dev/null

This patch is still needed when building swtpm-native. I'll add back a
version that applies to latest tip.

> diff --git a/recipes-tpm/swtpm/files/fix_signed_issue.patch b/recipes-tpm/swtpm/files/fix_signed_issue.patch
> new file mode 100644
> index 0000000..427df62
> --- /dev/null
> +++ b/recipes-tpm/swtpm/files/fix_signed_issue.patch
> @@ -0,0 +1,48 @@
> +Upstream-Status: Pending
> +Signed-off-by Armin Kuster <akuster808@gmail>

[...]

> +Index: git/src/swtpm_ioctl/tpm_ioctl.c
> +===================================================================
> +--- git.orig/src/swtpm_ioctl/tpm_ioctl.c
> ++++ git/src/swtpm_ioctl/tpm_ioctl.c
> +@@ -303,7 +303,7 @@ static int do_save_state_blob(int fd, bo
[...]
> +         /* no tpm_result here */
> +-        printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap));
> ++        printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));

This is causing an error when building for x86-64:

tpm_ioctl.c:866:9: error: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 2 has type ‘long unsigned int’ [-Werror=format=]
|          printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
|          ^
| cc1: all warnings being treated as errors

If you want, I can fix it as part of my upcoming patches with:

printf("ptm capability is 0x%llx\n", (long long unsigned)devtoh64(is_chardev, cap));

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.