Releases: tpm2-software/tpm2-tools
Release list
5.8
Security
- Fixes: GHSA-v7w4-4gc9-qcgv
- Fixes: GHSA-gwfg-w3jr-xh66
- Fixes: GHSA-qp88-8f4j-wv7q
Fixed
- tpm2_makecredential: fix wrong tcg ek templates
- tpm2_checkquote: Fix memory leaks, malloced buffer not always freed
- tpm2_checkquote: Fix missing error checking
- tpm2_getekcertificate: Fix curl_easy_setopt type warnings
- tpm2_makecredential: Fix usage of name parameter.
- tpm2_quote/checkquote: Fix usage of little endian serialization.
- tpm2_eventlog: parse vendor_db as EFI_SIGNATURE_DATA
- tpm2_eventlog: Fix parsing on big-endian systems
- tpm2_clockrateadjust: Fix segfault.
- tpm2_policy: Do not overflow list of policy digests
- tpm2_eventlog: Fix pretty print for efivar 39
- tpm2_encode: Fix setting emptyAuth in generated pem file.
- tpm2_eventlog_yaml.c Fix output of BlobDescription.
- tpm2_getrandom: Fix --force parameter
- tpm2_getekcertificate: fix impl to prioritize low range certificate
- Options: Add option to allow usage of password session.
- tpm2_createpolicy: flush session for trial policy.
- tpm2_evictcontrol.c: Fix segfault for output of handle ESYS_TR_NONE
- pcr commands: Fix session leaks
- tools, test: Fix several missing NULL checks after malloc
- tpm2_util: fix buffer overflow in string validation checks.
- tpm2_getekcertificate: ensure curl buffer grows to required size.
- tpm2_getekcertificate: fix heap buffer overflow.
Added
- tpm2_quote/checkquote: Add new serialization format is added (-F marshaled).
- tpm2_loadexternal: Add option rsa_exponent_zero
- tpm2_createek: Add high range templates for rsa20248 and eccp256
- tpm2_certify: Add parameter qualifying-data.
- pcr commands: session support added.
- tpm2_getekcertificate: add option --x509-trunc
- tpm2_getekcertificate: Provide option -u for certs in NV ram.
- tpm2_gettestresult: Fix handling of test result.
- tpm2_checkquote: Fix usage of more than 7 PCRs
- tpm2_send: Validate command_size before computing data_size.
- tpm2_send: Avoid unintended stdio closing a file
- tpm2_util: Allow file names with whitspace characters.
- tools: fix out-of-bounds write with too many aux sessions.
- tss2_sign: Add new parameter from which the digest is computed.
- OpenSSL use 4.0 compatible macros
5.7.1
Security
- Fixes: GHSA-v7w4-4gc9-qcgv
- Fixes: GHSA-gwfg-w3jr-xh66
- Fixes: GHSA-qp88-8f4j-wv7q
5.7
Security
- Fixed CVE-2024-29038
- Fixed CVE-2024-29039
Fixed
- Fix eventlog test
- Fix issues with reading NV indexes
- Fix context save error on tpm2_create
- tpm2_sessionconfig: fix handling of
--disable-continue sessionso that the subsequent command will not fail
when attempting to context save a flushed session. - detection of functions within libcrypto when CRYPTO_LIBS is set and system has install libcrypto.
- tpm2_send: fix EOF detection on input stream.
- tpm2_policy.c fix compilation error caused by format directive for size_t on 32 bit systems.
- tpm2_nvread: fix input handling no nv index.
- Auth file: Ensure 0-termination when reading auths from a file.
- configure.ac: fix bashisms. configure scripts need to be runnable with a POSIX-compliant /bin/sh.
- cirrus.yml fix tss compilation with libtpms for FreeBSD.
- tpm2_tool.c Fix missing include for basename to enable compilation on netbsd.
- options: fix TCTI handling to avoid failures for commands that should work with no options.
- tpm2_getekcertificate.c Fix leak. ek_uri was not freed if get_ek_server_address failed.
Added
- Add the possibility for autoflush (environment variable "TPM2TOOLS_AUTOFLUSH", or -R option)
Removed
- Testing on Ubuntu 18.04 as it's near EOL (May 2023).m2_policy.c fix compilation error caused by format directive for size_t on 32 bit systems.
- tpm2_nvread: fix input handling no nv index.
5.6.1
Security
- Fixed CVE-2024-29038
- Fixed CVE-2024-29039
Fixed
- tpm2_sessionconfig: fix handling of --disable-continue session so that the subsequent command will not fail.
- tpm2_policy.c fix compilation error caused by format directive for size_t on 32 bit systems.
- Auth file: Ensure 0-termination when reading auths from a file.
- cirrus.yml fix tss compilation with libtpms for FreeBSD.
- tpm2_tool.c Fix missing include for basename to enable compilation on netbsd.
- tpm2_nvread: fix input handling no nv index.
- options: fix TCTI handling to avoid failures for commands that should work with no options.
- tpm2_getekcertificate.c Fix leak. ek_uri was not freed if get_ek_server_address failed.
Removed
- Testing on Ubuntu 18.04 as it's near EOL (May 2023).m2_policy.c fix compilation error caused by format directive for size_t on 32 bit systems.
5.5.1
Security
- Fixed CVE-2024-29038
- Fixed CVE-2024-29039
5.6 - 2023-11-08
-
tpm2_eventlog:
- add H-CRTM event support
- add support of efivar versions less than 38
- Add support to check for efivar/efivar.h manually
- Minor formatting fixes
- tpm2_eventlog: add support for replay with different StartupLocality
- Fix pcr extension for EV_NO_ACTION
- Extend test of yaml string representation
- Use helper for printing a string dump
- Fix upper bound on unique data size
- Fix YAML string formatting -
tpm2_policy:
- Add support for parsing forward seal TPM values
- Use forward seal values in creating policies
- Move dgst_size in evaluate_populate_pcr_digests()
- Allow more than 8 PCRs for sealing
- Move dgst_size in evaluate_populate_pcr_digests
- Allow more than 8 PCRs for sealing
- Make __wrap_Esys_PCR_Read() more dynamic to enable testing more PCRs
-
tpm2_encryptdecrypt: Fix pkcs7 padding stripping
-
tpm2_duplicate:
- Support -a option for attributes
- Add --key-algorithm option
-
tpm2_encodeobject: Use the correct -O option instead of -C
-
tpm2_unseal: Add qualifier static to enhance the privacy of unseal function
-
tpm2_sign:
- Remove -m option which was added mistakenly
- Revert sm2 sign and verifysignature
-
tpm2_createek:
- Correct man page example- Fix usage of nonce
- Fix integrating nonce
-
tpm2_clear: add more details about the action
-
tpm2_startauthsession: allow the file attribute for policy authorization.
-
tpm2_getekcertificate: Add AMD EK support
-
tpm2_ecdhzgen: Add public-key parameter
-
tpm2_nvreadpublic: Prevent free of unallocated pointers on failure
-
Bug-fixes:
-
The readthedocs build failed with module 'jinja2' has no attribute 'contextfilter'
a requirement file was added to fix this problem -
An error caused by the flags -flto -_FORTIFY_SOURCE=3 in kdfa implementation.
This error can be avoided by switching off the optimization with pragma -
Changed wrong function name of "Esys_Load" to "Esys_Load"
-
Function names beginning with Esys_ are wrongly written as Eys_
-
Reading and writing a serialized persistent ESYS_TR handles
-
cirrus-ci update image-family to freebsd-13-2 from 13-1
-
-
misc:
-
Change the default Python version to Python3 in the helper's code
-
Skip test which uses the sign operator for comparison in abrmd_policynv.sh
-
tools/tr_encode: Add a tool that can encode serialized ESYS_TR for persistent handles
from the TPM2B_PUBLIC and the raw persistent TPM2_HANDLE -
Add safe directory in config
-
5.6-rc0 - 2023-09-26
-
tpm2_eventlog:
- add H-CRTM event support
- add support of efivar versions less than 38
- Add support to check for efivar/efivar.h manually
- Minor formatting fixes
- tpm2_eventlog: add support for replay with different StartupLocality
- Fix pcr extension for EV_NO_ACTION
- Extend test of yaml string representation
- Use helper for printing a string dump
- Fix upper bound on unique data size
- Fix YAML string formatting
-
tpm2_policy:
- Add support for parsing forward seal TPM values
- Use forward seal values in creating policies
- Move dgst_size in evaluate_populate_pcr_digests()
- Allow more than 8 PCRs for sealing
- Move dgst_size in evaluate_populate_pcr_digests
- Allow more than 8 PCRs for sealing
- Make __wrap_Esys_PCR_Read() more dynamic to enable testing more PCRs
-
tpm2_encryptdecrypt: Fix pkcs7 padding stripping
-
tpm2_duplicate:
- Support -a option for attributes
- Add --key-algorithm option
-
tpm2_encodeobject: Use the correct -O option instead of -C
-
tpm2_unseal: Add qualifier static to enhance the privacy of unseal function
-
tpm2_sign:
- Remove -m option which was added mistakenly
- Revert sm2 sign and verifysignature
-
tpm2_createek:
- Correct man page example
- Fix usage of nonce
- Fix integrating nonce
-
tpm2_clear: add more details about the action
-
tpm2_startauthsession: allow the file attribute for policy authorization.
-
tpm2_getekcertificate: Add AMD EK support
-
tpm2_ecdhzgen: Add public-key parameter
-
tpm2_nvreadpublic: Prevent free of unallocated pointers on failure
-
Bug-fixes:
-
The readthedocs build failed with module 'jinja2' has no attribute 'contextfilter'
a requirement file was added to fix this problem -
An error caused by the flags -flto -_FORTIFY_SOURCE=3 in kdfa implementation.
This error can be avoided by switching off the optimization with pragma -
Changed wrong function name of "Esys_Load" to "Esys_Load"
-
Function names beginning with Esys_ are wrongly written as Eys_
-
Reading and writing a serialized persistent ESYS_TR handles
-
cirrus-ci update image-family to freebsd-13-2 from 13-1
-
-
misc:
-
Change the default Python version to Python3 in the helper's code
-
Skip test which uses the sign operator for comparison in abrmd_policynv.sh
-
tools/tr_encode: Add a tool that can encode serialized ESYS_TR for persistent handles
from the TPM2B_PUBLIC and the raw persistent TPM2_HANDLE
-
5.5
5.5 - 2022-02-13
Added
-
tpm2_createek:
- SM2 EK Support
-
misc:
- SM2 support to internal OSSL format key routines. Fixes --format
flags for conversions.
- SM2 support to internal OSSL format key routines. Fixes --format
Fixed:
- echo_tcti.py: set to use python3 named executable in shebang.
5.5-rc1
5.5-rc1 - 2022-12-12
Added
-
tpm2_createek:
- SM2 EK Support
-
misc:
- SM2 support to internal OSSL format key routines. Fixes --format
flags for conversions.
- SM2 support to internal OSSL format key routines. Fixes --format
Fixed:
- echo_tcti.py: set to use python3 named executable in shebang.
5.4
5.4 - 2022-12-05
Added:
-
tpm2_policyrestart:
- Added option --cphash to output the cpHash for the command
TPM2_CC_PolicyRestart.
- Added option --cphash to output the cpHash for the command
-
tpm2_policynvwritten:
- Added option --cphash to output the cpHash for the command
TPM2_CC_PolicyNvWritten.
- Added option --cphash to output the cpHash for the command
-
tpm2_policylocality:
- Added option --cphash to output the cpHash for the command
TPM2_CC_PolicyLocality.
- Added option --cphash to output the cpHash for the command
-
tpm2_policycountertimer:
- Added option --cphash to output the cpHash for the command
TPM2_CC_PolicyCounterTimer.
- Added option --cphash to output the cpHash for the command
-
tpm2_policycommandcode:
- Added option --cphash to output the cpHash for the command
TPM2_CC_PolicyCommandCode.
- Added option --cphash to output the cpHash for the command
-
tpm2_policypassword:
- Added option --cphash to output the cpHash for the command
TPM2_CC_PolicyPassword.
- Added option --cphash to output the cpHash for the command
-
tpm2_policyauthvalue:
- Added option --cphash to output the cpHash for the command
TPM2_CC_PolicyAuthValue.
- Added option --cphash to output the cpHash for the command
-
tpm2_policyauthorize:
- Added option --cphash to output the cpHash for the command
TPM2_CC_PolicyAuthorize.
- Added option --cphash to output the cpHash for the command
-
tpm2_print:
- Support printing serialized ESYS_TR's
-
tpm2_create:
- Add a clarifying message to usage of
-cwhen TPM2_CreateLoaded
is not supported.
- Add a clarifying message to usage of
-
tpm2_getcap:
- Add support for vendor agnostic capabilites. Requires tpm2-tss version 4.0
and higher to enable.
- Add support for vendor agnostic capabilites. Requires tpm2-tss version 4.0
-
Add a script, check_endorsement_cert.sh, to validate the endorsement
certificate chain. It takes two inputs - A TPM2B_PUBLIC format EKpublic and
a PEM format EKcertificate specified in that order as arguments.