CHANGES - changes for swtpm
+version 0.8.0:
+ - swtpm:
+ - Implement release-lock-outgoing parameter for --migration option
+ - Introduce --migration option and 'incoming' parameter
+ - Implement terminate parameter for ctrl channel loss
+ - Add a chroot option
+ - Introduce disable-auto-shutdown flag for --flags option
+ - If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
+ - Add some more recent syscalls to seccomp profile
+ - Disable OpenSSL FIPS mode to avoid libtpms failures
+ - Avoid locking directory multiple times
+ - Remove support for pre-v0.1 state files without header
+ - Use uint64_t in tlv_data_append() to avoid integer overflows
+ - Use uint64_t to avoid integer wrap-around when adding a uint32_t
+ - Do not chdir(/) when using --daemon
+ - Check header size indicator against expected size (CVE-2022-23645)
+ - Fixes for gcc 12.2.1 -fanalyzer
+ - build-sys:
+ - Fix configure script to support _FORTIFY_SOURCE=3
+ - Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
+ - swtpm-localca:
+ - Re-implement variable resolution for swtpm-localca.conf
+ - Test for available issuercert before creating CA
+ - swtpm_setup:
+ - Configure swtpm to log to stdout/err if needed (glib >=2.74)
+ - tests:
+ - Use ${WORKDIR} in config files to test env. var replacement
+ - Patch IBM TSS2 test suite for OpenSSL 3.x
+ - build-sys:
+ - Add probing for -fstack-protector
+
+version 0.7.0:
+ - swtpm:
+ - Support for linear file storage backend (file://)
+ - Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending what
+ libtpms supports
+ - Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs
+ - Wipe keys from stack and heap
+ - Many other small changes
+ - Make --daemon not racy
+ - swtpm_setup:
+ - Only activate SHA256 PCR bank, not SHA1 bank anymore by default
+ - Support for linear file storage backend (file://)
+ - Implement option --create-config-files to create config files
+ - Use non-deprecated APIs to contruct RSA key (OSSL 3)
+ - Report stderr as returned by external tool (swtpm-localcal)
+ - Replace '+' and ',' characters in VMId's to make work with
+ common name in X509 subject
+ - Add support for --reconfigure flag to change active PCR banks
+ - swtpm_localca:
+ - Created certificates for CAs and TPM that do not expire
+ - swtpm_cert:
+ - Allow passing -1 for days to get a non-expiring certificate
+ - test:
+ - ASAN-related test changes and skipping of tests if ASAN is used
+ - Fix tests using tpm2-abrmd by preventing concurrency
+ - Skip chardev related tests after checking for chardev support
+ - exit with error code if mktemp fails
+ - OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test
+ - build-sys:
+ - Introduce --enable-sanitizers to configure
+ - Remove check for pip3 that was used by python swtpm_setup
+ - Allow passing of aditional CFLAGS during build
+
+version 0.6.0:
+ - swtpm:
+ - Fix --print-capabilities for 'swtpm chardev'
+ - Various cleanups and fixes (coverity)
+ - Addressed potential symlink attack issue (CVE-2020-28407)
+ - swtpm_setup:
+ - Rewritten in 'C'; needs json-glib
+ - Addressed potential symlink attack issue (CVE-2020-28407)
+ - swtpm_ioctl:
+ - Use timeouts for communicating with swtpm (Unix socket)
+ - swtpm-localca:
+ - Rewritten in 'C'
+ - tests:
+ - Use the IBM TSS2 v1.6.0's test suite
+ - Store and also restore the volatile state at every step when running
+ IBM TSS2 test suite
+ - Various cleanup
+ - build-sys:
+ - Add HARDENING_CFLAGS and _LDFLAGS to all C programs
+
+version 0.5.0:
+ - swtpm:
+ - Write files atomically using a temp file and then renaming
+ - swtpm_setup:
+ - Removed remaining 'c' wrapper program
+ - Do not truncate logfile when testing write-access (regression)
+ - Remove TPM state file in case error occurred
+ - swtpm-localca:
+ - Rewrite in python
+ - Allow passing pkcs11 PIN using signingkey_password
+ - Allow passing environment variables needed for pkcs11 modules using
+ swtpm-localca.conf and format 'env:VARNAME=VALUE'.
+ - build-sys:
+ - Add python-install and python-uninstall targets
+ - Add configure option to disable installation of Python module
+ - Use -Wl,-z,relro and -Wl,-z,now only when linking (clang)
+ - Use AC_LINK_IFELSE to check whether support for hardening flags
+
version 0.4.0:
- swtpm:
- - Invoke print capabilites after choosing TPM version
+ - Invoke print capabilities after choosing TPM version
- Add some recent syscalls to seccomp blacklist
- swtpm_cert:
- Support --ecc-curveid option to pass curve id
- swtpm_setup & related scripts:
- - Added support for RSA 3072 keys and ECC NIST P386 curves; default
- RSA keysize is still 2048;
+ - Rewrite swtpm_setup.sh in python with TPM 1.2 not requiring tcsd
+ and TPM tools anymore; new dependencies:
+ - python3: pip, cryptography, setuptools
+ dropped dependencies for swtpm_setup:
+ - tcsd, expect, tpm-tools (some still needed for pkcs11 tests)
+ - Added support for RSA 3072 keys (for libtpms-0.8.0) and moved to
+ ECC NIST P384 curve; default RSA key size is still 2048
- Added support for --rsa-keysize option
- Extend script to create a CA using a TPM 2 for signing
- tests:
- Use the IBM TSS2 v1.5.0's test suite
- Add test case for loading of an NVRAM completely full with keys
- - various other
+ - Have softhsm_setup use temporary directory for softhsm config & state
+ - various other improvements
+ - man pages:
+ - Improvements
- build-sys:
- clang: properly test for linker flag 'now' and 'relro'
- Gentoo: explicitly link libswtpm_libtpms with -lcrypto
+ - Ownership of /var/lib/swtpm-localca is now tss:root and
+ mode flags 0750.
version 0.3.0:
- swtpm: