Tpm2 Tools Versions

The source repository for the Trusted Platform Module (TPM2.0) tools

5.5.1

3 days ago

Security

  • Fixed CVE-2024-29038
  • Fixed CVE-2024-29039

5.6.1

3 days ago

Security

  • Fixed CVE-2024-29038
  • Fixed CVE-2024-29039

Fixed

  • tpm2_sessionconfig: fix handling of --disable-continue session so that the subsequent command will not fail.
  • tpm2_policy.c fix compilation error caused by format directive for size_t on 32 bit systems.
  • Auth file: Ensure 0-termination when reading auths from a file.
  • cirrus.yml fix tss compilation with libtpms for FreeBSD.
  • tpm2_tool.c Fix missing include for basename to enable compilation on netbsd.
  • tpm2_nvread: fix input handling with no NV index.
  • options: fix TCTI handling to avoid failures for commands that should work with no options.
  • tpm2_getekcertificate.c Fix leak. ek_uri was not freed if get_ek_server_address failed.

Removed

  • Testing on Ubuntu 18.04 as it's near EOL (May 2023).

5.7

3 days ago

Security

  • Fixed CVE-2024-29038
  • Fixed CVE-2024-29039

Fixed

  • Fix eventlog test
  • Fix issues with reading NV indexes
  • Fix context save error on tpm2_create
  • tpm2_sessionconfig: fix handling of --disable-continue session so that the subsequent command will not fail when attempting to context save a flushed session.
  • Fix detection of functions within libcrypto when CRYPTO_LIBS is set and the system has libcrypto installed.
  • tpm2_send: fix EOF detection on input stream.
  • tpm2_policy.c fix compilation error caused by format directive for size_t on 32 bit systems.
  • tpm2_nvread: fix input handling with no NV index.
  • Auth file: Ensure 0-termination when reading auths from a file.
  • configure.ac: fix bashisms. configure scripts need to be runnable with a POSIX-compliant /bin/sh.
  • cirrus.yml fix tss compilation with libtpms for FreeBSD.
  • tpm2_tool.c Fix missing include for basename to enable compilation on netbsd.
  • options: fix TCTI handling to avoid failures for commands that should work with no options.
  • tpm2_getekcertificate.c Fix leak. ek_uri was not freed if get_ek_server_address failed.

Added

  • Add the possibility for autoflush (environment variable "TPM2TOOLS_AUTOFLUSH", or -R option)

Removed

  • Testing on Ubuntu 18.04 as it's near EOL (May 2023).

5.6

5 months ago
  • tpm2_eventlog:

    • add H-CRTM event support
    • add support of efivar versions less than 38
    • Add support to check for efivar/efivar.h manually
    • Minor formatting fixes
    • tpm2_eventlog: add support for replay with different StartupLocality
    • Fix pcr extension for EV_NO_ACTION
    • Extend test of yaml string representation
    • Use helper for printing a string dump
    • Fix upper bound on unique data size
    • Fix YAML string formatting

  • tpm2_policy:

    • Add support for parsing forward seal TPM values
    • Use forward seal values in creating policies
    • Move dgst_size in evaluate_populate_pcr_digests()
    • Allow more than 8 PCRs for sealing
    • Make __wrap_Esys_PCR_Read() more dynamic to enable testing more PCRs
  • tpm2_encryptdecrypt: Fix pkcs7 padding stripping

  • tpm2_duplicate:

    • Support -a option for attributes
    • Add --key-algorithm option
  • tpm2_encodeobject: Use the correct -O option instead of -C

  • tpm2_unseal: Add qualifier static to enhance the privacy of unseal function

  • tpm2_sign:

    • Remove -m option which was added mistakenly
    • Revert sm2 sign and verifysignature
  • tpm2_createek:

    • Correct man page example
    • Fix usage of nonce
    • Fix integrating nonce
  • tpm2_clear: add more details about the action

  • tpm2_startauthsession: allow the file attribute for policy authorization.

  • tpm2_getekcertificate: Add AMD EK support

  • tpm2_ecdhzgen: Add public-key parameter

  • tpm2_nvreadpublic: Prevent free of unallocated pointers on failure

  • Bug-fixes:

    • The readthedocs build failed with "module 'jinja2' has no attribute 'contextfilter'"; a requirement file was added to fix this problem

    • An error caused by the flags -flto -_FORTIFY_SOURCE=3 in kdfa implementation. This error can be avoided by switching off the optimization with pragma

    • Changed wrong function name of "Esys_Load" to "Esys_Load"

    • Function names beginning with Esys_ are wrongly written as Eys_

    • Reading and writing serialized persistent ESYS_TR handles

    • cirrus-ci update image-family to freebsd-13-2 from 13-1

  • misc:

    • Change the default Python version to Python3 in the helper's code

    • Skip test which uses the sign operator for comparison in abrmd_policynv.sh

    • tools/tr_encode: Add a tool that can encode serialized ESYS_TR for persistent handles from the TPM2B_PUBLIC and the raw persistent TPM2_HANDLE

    • Add safe directory in config

5.6-rc0

7 months ago
  • tpm2_eventlog:

    • add H-CRTM event support
    • add support of efivar versions less than 38
    • Add support to check for efivar/efivar.h manually
    • Minor formatting fixes
    • tpm2_eventlog: add support for replay with different StartupLocality
    • Fix pcr extension for EV_NO_ACTION
    • Extend test of yaml string representation
    • Use helper for printing a string dump
    • Fix upper bound on unique data size
    • Fix YAML string formatting
  • tpm2_policy:

    • Add support for parsing forward seal TPM values
    • Use forward seal values in creating policies
    • Move dgst_size in evaluate_populate_pcr_digests()
    • Allow more than 8 PCRs for sealing
    • Make __wrap_Esys_PCR_Read() more dynamic to enable testing more PCRs
  • tpm2_encryptdecrypt: Fix pkcs7 padding stripping

  • tpm2_duplicate:

    • Support -a option for attributes
    • Add --key-algorithm option
  • tpm2_encodeobject: Use the correct -O option instead of -C

  • tpm2_unseal: Add qualifier static to enhance the privacy of unseal function

  • tpm2_sign:

    • Remove -m option which was added mistakenly
    • Revert sm2 sign and verifysignature
  • tpm2_createek:

    • Correct man page example
    • Fix usage of nonce
    • Fix integrating nonce
  • tpm2_clear: add more details about the action

  • tpm2_startauthsession: allow the file attribute for policy authorization.

  • tpm2_getekcertificate: Add AMD EK support

  • tpm2_ecdhzgen: Add public-key parameter

  • tpm2_nvreadpublic: Prevent free of unallocated pointers on failure

  • Bug-fixes:

    • The readthedocs build failed with "module 'jinja2' has no attribute 'contextfilter'"; a requirement file was added to fix this problem

    • An error caused by the flags -flto -_FORTIFY_SOURCE=3 in kdfa implementation. This error can be avoided by switching off the optimization with pragma

    • Changed wrong function name of "Esys_Load" to "Esys_Load"

    • Function names beginning with Esys_ are wrongly written as Eys_

    • Reading and writing serialized persistent ESYS_TR handles

    • cirrus-ci update image-family to freebsd-13-2 from 13-1

  • misc:

    • Change the default Python version to Python3 in the helper's code

    • Skip test which uses the sign operator for comparison in abrmd_policynv.sh

    • tools/tr_encode: Add a tool that can encode serialized ESYS_TR for persistent handles from the TPM2B_PUBLIC and the raw persistent TPM2_HANDLE

5.5

1 year ago

5.5 - 2022-02-13

Added

  • tpm2_createek:

    • SM2 EK Support
  • misc:

    • SM2 support to internal OSSL format key routines. Fixes --format flags for conversions.

Fixed:

  • echo_tcti.py: set to use python3 named executable in shebang.

5.5-rc1

1 year ago

5.5-rc1 - 2022-12-12

Added

  • tpm2_createek:

    • SM2 EK Support
  • misc:

    • SM2 support to internal OSSL format key routines. Fixes --format flags for conversions.

Fixed:

  • echo_tcti.py: set to use python3 named executable in shebang.

5.5-rc0

1 year ago

5.5-rc0 - 2022-12-05

Added

  • tpm2_createek:

    • SM2 EK Support
  • misc:

    • SM2 support to internal OSSL format key routines. Fixes --format flags for conversions.

5.4

1 year ago

5.4 - 2022-12-05

Added:

  • tpm2_policyrestart:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyRestart.
  • tpm2_policynvwritten:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyNvWritten.
  • tpm2_policylocality:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyLocality.
  • tpm2_policycountertimer:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyCounterTimer.
  • tpm2_policycommandcode:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyCommandCode.
  • tpm2_policypassword:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyPassword.
  • tpm2_policyauthvalue:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyAuthValue.
  • tpm2_policyauthorize:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyAuthorize.
  • tpm2_print:

    • Support printing serialized ESYS_TR's
  • tpm2_create:

    • Add a clarifying message to usage of -c when TPM2_CreateLoaded is not supported.
  • tpm2_getcap:

    • Add support for vendor agnostic capabilities. Requires tpm2-tss version 4.0 and higher to enable.
  • Add a script, check_endorsement_cert.sh, to validate the endorsement certificate chain. It takes two inputs - A TPM2B_PUBLIC format EKpublic and a PEM format EKcertificate specified in that order as arguments.

5.4-rc0

1 year ago

5.4-rc0 - 2022-11-28

Added:

  • tpm2_policyrestart:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyRestart.
  • tpm2_policynvwritten:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyNvWritten.
  • tpm2_policylocality:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyLocality.
  • tpm2_policycountertimer:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyCounterTimer.
  • tpm2_policycommandcode:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyCommandCode.
  • tpm2_policypassword:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyPassword.
  • tpm2_policyauthvalue:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyAuthValue.
  • tpm2_policyauthorize:

    • Added option --cphash to output the cpHash for the command TPM2_CC_PolicyAuthorize.
  • tpm2_print:

    • Support printing serialized ESYS_TR's
  • tpm2_create:

    • Add a clarifying message to usage of -c when TPM2_CreateLoaded is not supported.
  • tpm2_getcap:

    • Add support for vendor agnostic capabilities. Requires tpm2-tss version 4.0 and higher to enable.
  • Add a script, check_endorsement_cert.sh, to validate the endorsement certificate chain. It takes two inputs - A TPM2B_PUBLIC format EKpublic and a PEM format EKcertificate specified in that order as arguments.