]>
Commit | Line | Data |
---|---|---|
e9b08c71 SB |
1 | CHANGES - changes for swtpm |
2 | ||
8cbb6dae SB |
3 | version 0.8.0: |
4 | - swtpm: | |
5 | - Implement release-lock-outgoing parameter for --migration option | |
6 | - Introduce --migration option and 'incoming' parameter | |
7 | - Implement terminate parameter for ctrl channel loss | |
8 | - Add a chroot option | |
9 | - Introduce disable-auto-shutdown flag for --flags option | |
10 | - If necessary send TPM2_Shutdown() before TPMLIB_Terminate() | |
11 | - Add some more recent syscalls to seccomp profile | |
12 | - Disable OpenSSL FIPS mode to avoid libtpms failures | |
13 | - Avoid locking directory multiple times | |
14 | - Remove support for pre-v0.1 state files without header | |
15 | - Use uint64_t in tlv_data_append() to avoid integer overflows | |
16 | - Use uint64_t to avoid integer wrap-around when adding a uint32_t | |
17 | - Do not chdir(/) when using --daemon | |
18 | - Check header size indicator against expected size (CVE-2022-23645) | |
441d8839 | 19 | - Fixes for gcc 12.2.1 -fanalyzer |
8cbb6dae SB |
20 | - build-sys: |
21 | - Fix configure script to support _FORTIFY_SOURCE=3 | |
22 | - Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin) | |
23 | - swtpm-localca: | |
24 | - Re-implement variable resolution for swtpm-localca.conf | |
25 | - Test for available issuercert before creating CA | |
441d8839 SB |
26 | - swtpm_setup: |
27 | - Configure swtpm to log to stdout/err if needed (glib >=2.74) | |
8cbb6dae SB |
28 | - tests: |
29 | - Use ${WORKDIR} in config files to test env. var replacement | |
30 | - Patch IBM TSS2 test suite for OpenSSL 3.x | |
31 | - build-sys: | |
32 | - Add probing for -fstack-protector | |
33 | ||
0a194745 SB |
34 | version 0.7.0: |
35 | - swtpm: | |
36 | - Support for linear file storage backend (file://) | |
37 | - Report 'tpm-1.2' & 'tpm-2.0' in --print-capabilities depending what | |
38 | libtpms supports | |
39 | - Add implementation of SWTPM_HMAC using OpenSSL 3.0 APIs | |
40 | - Wipe keys from stack and heap | |
41 | - Many other small changes | |
42 | - Make --daemon not racy | |
43 | - swtpm_setup: | |
44 | - Only activate SHA256 PCR bank, not SHA1 bank anymore by default | |
45 | - Support for linear file storage backend (file://) | |
46 | - Implement option --create-config-files to create config files | |
47 | - Use non-deprecated APIs to contruct RSA key (OSSL 3) | |
48 | - Report stderr as returned by external tool (swtpm-localcal) | |
49 | - Replace '+' and ',' characters in VMId's to make work with | |
50 | common name in X509 subject | |
51 | - Add support for --reconfigure flag to change active PCR banks | |
52 | - swtpm_localca: | |
53 | - Created certificates for CAs and TPM that do not expire | |
54 | - swtpm_cert: | |
55 | - Allow passing -1 for days to get a non-expiring certificate | |
56 | - test: | |
57 | - ASAN-related test changes and skipping of tests if ASAN is used | |
58 | - Fix tests using tpm2-abrmd by preventing concurrency | |
59 | - Skip chardev related tests after checking for chardev support | |
60 | - exit with error code if mktemp fails | |
61 | - OSSL 3: Make TPM 1.2 test compile; skip IBM TSS 2 test | |
62 | - build-sys: | |
63 | - Introduce --enable-sanitizers to configure | |
64 | - Remove check for pip3 that was used by python swtpm_setup | |
65 | - Allow passing of aditional CFLAGS during build | |
66 | ||
1415cfaa SB |
67 | version 0.6.0: |
68 | - swtpm: | |
69 | - Fix --print-capabilities for 'swtpm chardev' | |
70 | - Various cleanups and fixes (coverity) | |
71 | - Addressed potential symlink attack issue (CVE-2020-28407) | |
c125e34b SB |
72 | - swtpm_setup: |
73 | - Rewritten in 'C'; needs json-glib | |
1415cfaa SB |
74 | - Addressed potential symlink attack issue (CVE-2020-28407) |
75 | - swtpm_ioctl: | |
76 | - Use timeouts for communicating with swtpm (Unix socket) | |
e689684c SB |
77 | - swtpm-localca: |
78 | - Rewritten in 'C' | |
1415cfaa SB |
79 | - tests: |
80 | - Use the IBM TSS2 v1.6.0's test suite | |
81 | - Store and also restore the volatile state at every step when running | |
82 | IBM TSS2 test suite | |
83 | - Various cleanup | |
84 | - build-sys: | |
85 | - Add HARDENING_CFLAGS and _LDFLAGS to all C programs | |
c125e34b | 86 | |
611c5896 SB |
87 | version 0.5.0: |
88 | - swtpm: | |
89 | - Write files atomically using a temp file and then renaming | |
90 | - swtpm_setup: | |
91 | - Removed remaining 'c' wrapper program | |
92 | - Do not truncate logfile when testing write-access (regression) | |
93 | - Remove TPM state file in case error occurred | |
94 | - swtpm-localca: | |
95 | - Rewrite in python | |
96 | - Allow passing pkcs11 PIN using signingkey_password | |
97 | - Allow passing environment variables needed for pkcs11 modules using | |
98 | swtpm-localca.conf and format 'env:VARNAME=VALUE'. | |
99 | - build-sys: | |
100 | - Add python-install and python-uninstall targets | |
101 | - Add configure option to disable installation of Python module | |
102 | - Use -Wl,-z,relro and -Wl,-z,now only when linking (clang) | |
103 | - Use AC_LINK_IFELSE to check whether support for hardening flags | |
104 | ||
e9b08c71 SB |
105 | version 0.4.0: |
106 | - swtpm: | |
2feefb2c | 107 | - Invoke print capabilities after choosing TPM version |
e9b08c71 SB |
108 | - Add some recent syscalls to seccomp blacklist |
109 | - swtpm_cert: | |
110 | - Support --ecc-curveid option to pass curve id | |
111 | - swtpm_setup & related scripts: | |
2feefb2c SB |
112 | - Rewrite swtpm_setup.sh in python with TPM 1.2 not requiring tcsd |
113 | and TPM tools anymore; new dependencies: | |
114 | - python3: pip, cryptography, setuptools | |
115 | dropped dependencies for swtpm_setup: | |
116 | - tcsd, expect, tpm-tools (some still needed for pkcs11 tests) | |
117 | - Added support for RSA 3072 keys (for libtpms-0.8.0) and moved to | |
118 | ECC NIST P384 curve; default RSA key size is still 2048 | |
e9b08c71 SB |
119 | - Added support for --rsa-keysize option |
120 | - Extend script to create a CA using a TPM 2 for signing | |
121 | - tests: | |
122 | - Use the IBM TSS2 v1.5.0's test suite | |
123 | - Add test case for loading of an NVRAM completely full with keys | |
2feefb2c SB |
124 | - Have softhsm_setup use temporary directory for softhsm config & state |
125 | - various other improvements | |
126 | - man pages: | |
127 | - Improvements | |
e9b08c71 SB |
128 | - build-sys: |
129 | - clang: properly test for linker flag 'now' and 'relro' | |
130 | - Gentoo: explicitly link libswtpm_libtpms with -lcrypto | |
2feefb2c SB |
131 | - Ownership of /var/lib/swtpm-localca is now tss:root and |
132 | mode flags 0750. | |
e9b08c71 | 133 | |
16952a5f SB |
134 | version 0.3.0: |
135 | - swtpm: | |
136 | - Support for applying 'TPM Startup' command during initialization | |
137 | - Use writev_full rather than writev; fixes --vtpm-proxy EIO error | |
138 | - Only accept() new client ctrl connection if we have none (bugfix) | |
139 | - swtpm_setup & related scripts: | |
140 | - Support whitespaces in filenames and paths | |
141 | - Do not fail on future PCR banks' hashes | |
142 | - swtpm_cert: | |
143 | - Fix OIDs for TPM 2 platforms data | |
144 | - Option parsing cleanup | |
145 | - Support for passing password in various forms | |
146 | - Use gnutls_x509_crt_get_subject_key_id API call for subj keyId | |
147 | - Support 64bit serial numbers read from command line | |
148 | - swtpm_ioctl: | |
149 | - Block SIGPIPE so we can get EPIPE on write() | |
150 | - swtpm_bios: | |
151 | - Block SIGPIPE so we can get EPIPE on write() | |
152 | - tests: | |
153 | - Increased timeouts and better support for running tests with | |
154 | executables run by valgrind | |
155 | - Allow running tests with choice of seccomp profile option | |
156 | (SWTPM_TEST_SECCOMP_OPT) to enable building for Ubuntu | |
157 | - Various cleanups & fixes | |
158 | - SELinux: | |
159 | - More rules added for support on F30 | |
160 | ||
933f4055 SB |
161 | version 0.2.0: |
162 | - Linux: swtpm now runs with a seccomp profile (blacklist) if compiled with | |
163 | libseccomp support | |
e6512b84 SB |
164 | - Added subpport for passing key and passphrase via file descriptor |
165 | - TPM 2 commands can now be prefixed by 'the TCG header' and responses will | |
166 | have a 4-byte prefix and 4-byte suffix. | |
167 | - Added --print-capabilities command line option | |
168 | - Proper handling on EINTR on read, poll, and write | |
933f4055 | 169 | |
0c1ecae2 SB |
170 | version 0.1.0: |
171 | first public release |