From 2fe8594b5e370c15d5d105781a36092f0df96698 Mon Sep 17 00:00:00 2001 From: Justin W Smith Date: Fri, 14 Nov 2025 13:59:53 +0000 Subject: [PATCH] Fix tpm2-tss CI; update patches --- .../integration/run_tpm2_tss_integration.sh | 4 +- .../tpm2_tools_patch/aws-lc-tpm2-tools.patch | 54 +++----- .../tpm2_tss_patch/aws-lc-tpm2-tss.patch | 115 +++++++----------- 3 files changed, 62 insertions(+), 111 deletions(-) diff --git a/tests/ci/integration/run_tpm2_tss_integration.sh b/tests/ci/integration/run_tpm2_tss_integration.sh index 23dcd720de1..0d505181e2a 100755 --- a/tests/ci/integration/run_tpm2_tss_integration.sh +++ b/tests/ci/integration/run_tpm2_tss_integration.sh @@ -60,7 +60,7 @@ function tpm2_tss_build() { function tpm2_abrmd_build() { export PKG_CONFIG_PATH="${AWS_LC_INSTALL_FOLDER}/lib/pkgconfig:${TPM2_TSS_INSTALL_FOLDER}/lib/pkgconfig" /bin/sh ./bootstrap - ./configure --enable-unit --with-crypto=ossl --prefix="${TPM2_ABRMD_INSTALL_FOLDER}" + ./configure --enable-unit --with-crypto=ossl --prefix="${TPM2_ABRMD_INSTALL_FOLDER}" make -j "${NUM_CPU_THREADS}" all VERBOSE=1 make -j "${NUM_CPU_THREADS}" check VERBOSE=1 make -j "${NUM_CPU_THREADS}" install @@ -108,5 +108,3 @@ tpm2_tools_build popd popd - - diff --git a/tests/ci/integration/tpm2_tools_patch/aws-lc-tpm2-tools.patch b/tests/ci/integration/tpm2_tools_patch/aws-lc-tpm2-tools.patch index fb959bbe622..10c63bb92fb 100644 --- a/tests/ci/integration/tpm2_tools_patch/aws-lc-tpm2-tools.patch +++ b/tests/ci/integration/tpm2_tools_patch/aws-lc-tpm2-tools.patch @@ -1,14 +1,13 @@ -From dea6a384d56f631eba23188f57dd4e4d84c10657 Mon Sep 17 00:00:00 2001 +From c27eac2efc587eae07f62136a4a50725d0660240 Mon Sep 17 00:00:00 2001 
From: Justin W Smith -Date: Fri, 25 Apr 2025 21:19:12 +0000 -Subject: [PATCH] AWS-LC Support +Date: Fri, 14 Nov 2025 13:48:40 +0000 +Subject: [PATCH] Support AWS-LC --- - lib/tpm2_identity_util.c | 2 +- - lib/tpm2_openssl.c | 4 ++-- - tools/misc/tpm2_checkquote.c | 2 +- - tools/tpm2_getekcertificate.c | 4 ++-- - 4 files changed, 6 insertions(+), 6 deletions(-) + lib/tpm2_identity_util.c | 2 +- + lib/tpm2_openssl.c | 4 ++-- + tools/misc/tpm2_checkquote.c | 4 ++-- + 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/tpm2_identity_util.c b/lib/tpm2_identity_util.c index fbf1e938..2c6448d3 100644 @@ -24,7 +23,7 @@ index fbf1e938..2c6448d3 100644 LOG_ERR("Failed EVP_PKEY_CTX_set0_rsa_oaep_label"); free(newlabel); diff --git a/lib/tpm2_openssl.c b/lib/tpm2_openssl.c -index d2f07a7c..ca1a6b40 100644 +index d2f07a7c..6b6c16ef 100644 --- a/lib/tpm2_openssl.c +++ b/lib/tpm2_openssl.c @@ -36,7 +36,7 @@ int tpm2_openssl_halgid_from_tpmhalg(TPMI_ALG_HASH algorithm) { @@ -32,7 +31,7 @@ index d2f07a7c..ca1a6b40 100644 case TPM2_ALG_SHA512: return NID_sha512; -#if OPENSSL_VERSION_NUMBER >= 0x10101000L -+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && HAVE_EVP_SM3 ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && HAVE_EVP_SM3 case TPM2_ALG_SM3_256: return NID_sm3; #endif @@ -41,15 +40,15 @@ index d2f07a7c..ca1a6b40 100644 { TPM2_ECC_NIST_P384, NID_secp384r1 }, { TPM2_ECC_NIST_P521, NID_secp521r1 }, -#if OPENSSL_VERSION_NUMBER >= 0x10101003L -+#if OPENSSL_VERSION_NUMBER >= 0x10101003L && HAVE_EVP_SM3 ++#if OPENSSL_VERSION_NUMBER >= 0x10101003L && HAVE_EVP_SM3 { TPM2_ECC_SM2_P256, NID_sm2 }, #endif /* diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c -index 498dffbc..d5bef7af 100644 +index 259d9c62..051dafe7 100644 --- a/tools/misc/tpm2_checkquote.c +++ b/tools/misc/tpm2_checkquote.c -@@ -110,7 +110,7 @@ static bool verify(void) { +@@ -115,7 +115,7 @@ static bool verify(void) { return false; } 
@@ -58,28 +57,15 @@ index 498dffbc..d5bef7af 100644 #if OPENSSL_VERSION_MAJOR < 3 if (ctx.halg == TPM2_ALG_SM3_256) { ret = EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2); -diff --git a/tools/tpm2_getekcertificate.c b/tools/tpm2_getekcertificate.c -index 79d859c7..fb525c63 100644 ---- a/tools/tpm2_getekcertificate.c -+++ b/tools/tpm2_getekcertificate.c -@@ -519,7 +519,7 @@ static bool retrieve_web_endorsement_certificate(char *uri) { - * should not be used - Used only on platforms with older CA certificates. - */ - if (ctx.SSL_NO_VERIFY) { -- rc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0); -+ rc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); - if (rc != CURLE_OK) { - LOG_ERR("curl_easy_setopt for CURLOPT_SSL_VERIFYPEER failed: %s", - curl_easy_strerror(rc)); -@@ -564,7 +564,7 @@ static bool retrieve_web_endorsement_certificate(char *uri) { - goto out_easy_cleanup; +@@ -356,7 +356,7 @@ static bool parse_selection_data_from_file(FILE *pcr_input, + for (i = 0; i < pcr_select->count; i++) { + pcr_select->pcrSelections[i].hash = le16toh(pcr_select->pcrSelections[i].hash); } - -- rc = curl_easy_setopt(curl, CURLOPT_FAILONERROR, true); -+ rc = curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1L); - if (rc != CURLE_OK) { - LOG_ERR("curl_easy_setopt for CURLOPT_FAILONERROR failed: %s", - curl_easy_strerror(rc)); +- ++ + // Import PCR digests to pcr outfile + if (fread(&pcrs->count, sizeof(UINT32), 1, pcr_input) != 1) { + LOG_ERR("Failed to read PCR digests header from file"); -- 2.43.0 diff --git a/tests/ci/integration/tpm2_tss_patch/aws-lc-tpm2-tss.patch b/tests/ci/integration/tpm2_tss_patch/aws-lc-tpm2-tss.patch index dfb8f515c85..cd847b78fbd 100644 --- a/tests/ci/integration/tpm2_tss_patch/aws-lc-tpm2-tss.patch +++ b/tests/ci/integration/tpm2_tss_patch/aws-lc-tpm2-tss.patch @@ -1,18 +1,18 @@ -From 6eb70474d5767afc3a9111cfbfab8ed83f673d87 Mon Sep 17 00:00:00 2001 +From addb67ba10371f03a7ab42a82016f117f2efde10 Mon Sep 17 00:00:00 2001 
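Review bot: Dropping the tools/tpm2_getekcertificate.c section of the carried patch removes the only visible fix that passes `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_FAILONERROR` as `long` (`0L`, `1L`), and nothing in this commit shows that the tpm2-tools revision the CI now checks out carries an equivalent change. `curl_easy_setopt` is variadic, so an `int` `0` or `bool` `true` read back as a `long` is undefined behaviour, and in the `SSL_NO_VERIFY` branch that can leave peer verification in an unintended state on LP64 targets; please confirm upstream already has `rc = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);` and `rc = curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1L);` before the section is dropped, or keep it. The replacement tpm2_checkquote.c hunk only turns a blank line carrying trailing whitespace into an empty one; a whitespace-only hunk in a CI patch adds rebase friction without changing the build and is better left out. `parse_selection_data_from_file` starts and ends outside the hunk.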
From: Justin W Smith -Date: Fri, 25 Apr 2025 21:18:07 +0000 -Subject: [PATCH] AWS-LC support +Date: Fri, 14 Nov 2025 13:26:27 +0000 +Subject: [PATCH] Support AWS-LC --- configure.ac | 6 ------ src/tss2-esys/esys_crypto_ossl.c | 2 +- - src/tss2-fapi/ifapi_curl.c | 8 ++++---- + src/tss2-fapi/ifapi_curl.c | 6 +++--- src/tss2-fapi/ifapi_verify_cert_chain.c | 2 +- - test/unit/fapi-eventlog.c | 8 +++++--- - 5 files changed, 11 insertions(+), 15 deletions(-) + test/unit/fapi-eventlog.c | 2 +- + 5 files changed, 6 insertions(+), 12 deletions(-) diff --git a/configure.ac b/configure.ac -index 6cc3efc8..9029383d 100644 +index 9df86bce..d5f3bbe2 100644 --- a/configure.ac +++ b/configure.ac @@ -189,12 +189,6 @@ AS_IF([test "x$enable_esys" = xyes], @@ -29,54 +29,52 @@ index 6cc3efc8..9029383d 100644 TSS2_ESYS_LDFLAGS_CRYPTO="$CRYPTO_LIBS" ], [test "x$with_crypto" = xmbed], [ diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c -index 15e534ce..75043897 100644 +index 50d00c4b..84b16347 100644 --- a/src/tss2-esys/esys_crypto_ossl.c +++ b/src/tss2-esys/esys_crypto_ossl.c -@@ -752,7 +752,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, - "Could not duplicate OAEP label", cleanup); +@@ -711,7 +711,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC *pub_tpm_key, + goto_error(r, TSS2_ESYS_RC_MEMORY, "Could not duplicate OAEP label", cleanup); } -- if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_copy, (int) strlen(label_copy)+1)) { -+ if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, (uint8_t*)label_copy, strlen(label_copy)+1)) { +- if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_copy, (int)strlen(label_copy) + 1)) { ++ if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, (uint8_t*)label_copy, (int)strlen(label_copy) + 1)) { OPENSSL_free(label_copy); - goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, - "Could not set RSA label.", cleanup); + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not set RSA label.", cleanup); + } 
diff --git a/src/tss2-fapi/ifapi_curl.c b/src/tss2-fapi/ifapi_curl.c -index 75e81141..79f77fdf 100644 +index 2b92210d..65096b5f 100644 --- a/src/tss2-fapi/ifapi_curl.c +++ b/src/tss2-fapi/ifapi_curl.c -@@ -88,13 +88,13 @@ ifapi_get_crl_from_cert(X509 *cert, X509_CRL **crl) +@@ -89,11 +89,11 @@ ifapi_get_crl_from_cert(X509 *cert, X509_CRL **crl) { int curl_rc; *crl = NULL; -- for (int i = 0; i < sk_DIST_POINT_num(dist_points); i++) -+ for (size_t i = 0; i < sk_DIST_POINT_num(dist_points); i++) - { - DIST_POINT *dp = sk_DIST_POINT_value(dist_points, i); - DIST_POINT_NAME *distpoint = dp->distpoint; - if (distpoint->type==0) - { -- for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) -+ for (size_t j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) - { - GENERAL_NAME *gen_name = sk_GENERAL_NAME_value(distpoint->name.fullname, j); +- for (int i = 0; i < sk_DIST_POINT_num(dist_points); i++) { ++ for (size_t i = 0; i < sk_DIST_POINT_num(dist_points); i++) { + DIST_POINT *dp = sk_DIST_POINT_value(dist_points, i); + DIST_POINT_NAME *distpoint = dp->distpoint; + if (distpoint->type == 0) { +- for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) { ++ for (size_t j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) { + GENERAL_NAME *gen_name = sk_GENERAL_NAME_value(distpoint->name.fullname, j); ASN1_IA5STRING *asn1_str = gen_name->d.uniformResourceIdentifier; -@@ -179,7 +179,7 @@ ifapi_curl_verify_ek_cert( - X509_STORE_CTX *ctx = NULL; - X509_CRL *crl_intermed = NULL; - X509_CRL *crl_ek = NULL; -- int i; -+ size_t i; - size_t ui; + SAFE_FREE(url); +@@ -173,7 +173,7 @@ ifapi_curl_verify_ek_cert(char *root_cert_pem, char *intermed_cert_pem, char *ek + X509_STORE_CTX *ctx = NULL; + X509_CRL *crl_intermed = NULL; + X509_CRL *crl_ek = NULL; +- int i; ++ size_t i; + size_t ui; AUTHORITY_INFO_ACCESS *info = NULL; - ASN1_IA5STRING *uri = NULL; + ASN1_IA5STRING *uri = NULL; 
diff --git a/src/tss2-fapi/ifapi_verify_cert_chain.c b/src/tss2-fapi/ifapi_verify_cert_chain.c -index b495e512..c741c8ad 100644 +index df295d99..3fb475dc 100644 --- a/src/tss2-fapi/ifapi_verify_cert_chain.c +++ b/src/tss2-fapi/ifapi_verify_cert_chain.c -@@ -64,7 +64,7 @@ char* get_issuer_url(X509 *cert) { - AUTHORITY_INFO_ACCESS *info = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL); - if (!info) return NULL; +@@ -65,7 +65,7 @@ get_issuer_url(X509 *cert) { + if (!info) + return NULL; - for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) { + for (size_t i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) { @@ -84,43 +82,12 @@ index b495e512..c741c8ad 100644 if (OBJ_obj2nid(ad->method) == NID_ad_ca_issuers && ad->location->type == GEN_URI) { ASN1_IA5STRING *uri = ad->location->d.uniformResourceIdentifier; diff --git a/test/unit/fapi-eventlog.c b/test/unit/fapi-eventlog.c -index 3b859e39..796894ee 100644 +index 7e49e112..d3077a96 100644 --- a/test/unit/fapi-eventlog.c 
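Review bot: The `(int)` cast kept in `if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, (uint8_t*)label_copy, (int)strlen(label_copy) + 1))` is now a round trip under AWS-LC, whose prototype takes the label length as `size_t`: the `strlen` result is narrowed to `int` and immediately widened again, which the previous revision of this patch avoided by passing `strlen(label_copy) + 1` directly. That is harmless for any realistic label length, but it is the same signed/unsigned mismatch the rest of this patch is removing, and dropping the cast keeps both sides of the call consistent. The new `size_t` loop counters in ifapi_curl.c and ifapi_verify_cert_chain.c match AWS-LC's `sk_*_num()` returning `size_t`; they would not be safe against an OpenSSL build, where `sk_*_num()` returns `int` (and, as I recall, `-1` for a NULL stack), so this patch must remain AWS-LC-only as intended. `iesys_cryptossl_pk_encrypt`, `ifapi_get_crl_from_cert` and `ifapi_curl_verify_ek_cert` all start and end outside the hunk.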
+++ b/test/unit/fapi-eventlog.c -@@ -130,6 +130,7 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size, - uint8_t *eventlog; - size_t size; - json_object *json_event_list = NULL; -+#if HAVE_EVP_SM3 - IFAPI_PCR_REG pcrs[TPM2_MAX_PCRS]; - - TPML_PCR_SELECTION pcr_selection = -@@ -149,19 +150,20 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size, - .buffer = { 0x15, 0xf4, 0xe6, 0xca, 0x45, 0x7d, 0x1a, 0xf6, 0xbc, 0x49, - 0x51, 0x1a, 0x93, 0xba, 0x35, 0x00, 0xad, 0x69, 0xac, 0xc5 }, - }; -- -+#endif - /* Read file to get file size for comparison. */ - eventlog = file_to_buffer(file, &size); - assert_non_null(eventlog); - - r = ifapi_get_tcg_firmware_event_list(file, pcr_list, pcr_list_size, &json_event_list); - assert_int_equal (r, TSS2_RC_SUCCESS); -- -+#if HAVE_EVP_SM3 - r = ifapi_calculate_pcrs(json_event_list, &pcr_selection, TPM2_ALG_SHA1, NULL, &pcrs[0]); - assert_int_equal (r, TSS2_RC_SUCCESS); - - /* Compare with the pcr0 value got from system with HCRTM events */ - assert_true(!memcmp(&expected_pcr0.buffer[0], &pcrs[0].value.buffer[0], 20)); -+#endif - - json_object_put(json_event_list); - SAFE_FREE(eventlog); -@@ -171,7 +173,7 @@ static void - check_bios_hcrtm(void **state) - { +@@ -163,7 +163,7 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size, + static void + check_bios_hcrtm(void **state) { -#ifdef __FreeBSD__ +#ifndef HAVE_EVP_SM3