Releases: tpm2-software/tpm2-tss
Releases · tpm2-software/tpm2-tss
4.1.3
4.1.2
Fixed
- configure.ac: Fix test of == to = to be POSIX comliant
- Remove use of which in favor of command -v
4.1.1
Fixed
- Fixed inclusion of .map and .def files in release tar balls
4.1.0
Security
- Fixed CVE-2024-29040
Fixed
- fapi: Fix length check on FAPI auth callbacks
- mu: Correct error message for errors
- tss2-rc: fix unknown laer handler dropping bits.
- fapi: Fix deviation from CEL specification (template_value was used instead of template_data).
- fapi: Fix json syntax error in FAPI profiles which was ignored by json-c.
- build: fix build fail after make clean.
- mu: Fix unneeded size check in TPM2B unmarshaling.
- fapi: Fix missing parameter encryption.
- build: Fix failed build with --disable-vendor.
- fapi: Fix flush of persistent handles.
- fapi: Fix test provisioning with template with self generated certificate disabled.
- fapi: Fix error in Fapi_GetInfo it TPM supports SHA3 hash algs.
- fapi: Revert pcr extension for EV_NO_ACTION events.
- fapi: Fix strange error messages if nv, ext, or policy path does not exits.
- fapi: Fix segfault caused by wrong allocation of pcr policy.
- esys: Fix leak in Esys_EvictControl for persistent handles.
- tss2-tcti: tcti-libtpms: fix test failure on big-endian platform.
- esys: Add reference counting for Esys_TR_FromTPMPublic.
- esys: Fix HMAC error if session bind key has an auth value with a trailing 0.
- fapi: fix usage of self signed certificates in TPM.
- fapi: Usage of self signed certificates.
- fapi: A segfault after the error handling of non existing keys.
- fapi: Fix several leaks.
- fapi: Fix error handling for policy execution.
- fapi: Fix usage of persistent handles (should not be flushed)
- fapi: Fix test provisioning with template (skip test without self generated certificate).
- fapi: Fix pcr extension for EV_NO_ACTION
- test: Fix fapi-key-create-policy-signed-keyedhash with P_ECC384 profile
- tcti_spi_helper_transmit: ensure FIFO is accessed only after TPM reports commandReady bit is set
- fapi: Fix read large system eventlog (> UINT16_MAX).
- esys tests: Fix layer check for TPM2_RC_COMMAND_CODE (for /dev/tpmrm0)
- test: unit: tcti-libtpms: fix test failed at 32-bit platforms.
- fapi: Fix possible null pointer dereferencing in Fapi_List.
- sys: Fix size check in Tss2_Sys_GetCapability.
- esys: Fix leak in Esys_TR_FromTPMPublic.
- esys: fix unchecked return value in esys crypto.
- fapi: Fix wrong usage of local variable in provisioning.
- fapi: Fix memset 0 in ifapi_json_TPMS_POLICYNV_deserialize.
- fapi: Fix possible out of bound array access in IMA parser.
- tcti device: Fix possible unmarshalling from uninitialized variable.
- fapi: Fix error checking authorization of signing key.
- fapi: Fix cleanup of policy sessions.
- fapi: Eventlog H-CRTM events and different localities.
- fapi: Fix missing synchronization of quote and eventlog.
- faii: Fix invalid free in Fapi_Quote with empty eventlog.
Added
- tcti: LetsTrust-TPM2Go TCTI module spi-ltt2go.
- mbedtls: add sha512 hmac.
- fapi: Enable usage of external keys for Fapi_Encrypt.
- fapi: Support download of AMD certificates.
- tcti: Add USB TPM (FTDI MPSSE USB to SPI bridge) TCTI module.
- fapi: The recreation of primaries (except EK) in the owner hierarchy instead the endorsement hierarchy is fixed.
- rc: New TPM return codes added.
- fapi: Further Nuvoton certificates added.
- tpm_types/esys: Add support for Attestable TPM changes in latest TPM spec.
- tcti: Add '/dev/tcm0' to default conf
- fapi: New Nuvoton certificates added.
- esys: Fix leak in Esys_TR_FromTPMPublic.
Removed
- Testing on Ubuntu 18.04 as it's near EOL (May 2023).
4.0.2
Security
- Fixed CVE-2024-29040
Fixed
- fapi: Fix length check on FAPI auth callbacks
- fapi: Fix deviation from CEL specification.
- Makefile: Add tss2-tcti-swtpm.7.in to EXTRA_DIST to fix make clean.
- MU: Fix unneeded size check in TPM2B unmarshaling.
- fapi: Fix missing parameter encryption.
- build: Fix failed build with --disable-vendor
- fapi: Fix usage of persistent handles (should not be flushed)
- fapi: Fix test provisioning with template (skip test without self generated certificate).
- FAPI: Fix event logging for big endian machines.
- FAPI: Fix pcr extension for EV_NO_ACTION event.
- fapi: Fix error in Fapi_GetInfo it TPM supports SHA3 hash algs.
- test: Fix usage of hashes in test cases.
- test: Fix fapi-key-create-policy-signed-keyedhash with P_ECC384 profile
- tcti_spi_helper_transmit: ensure FIFO is accessed only after TPM reports commandReady bit is set
- fapi: Fix read large system eventlog (> UINT16_MAX).
- fapi: Fix wrong allocation of pcr policy.
- esys tests: Fix layer check for TPM2_RC_COMMAND_CODE (for /dev/tpmrm0)
- test: unit: tcti-libtpms: fix test failed at 32-bit platforms.
- esys: close TR handle for input persistent handle in EvictControl_Finish.
- Fix FormatStrings for non-32-bit platforms.
- esys: Add reference counting for Esys_TR_FromTPMPublic.
- fapi: Fix usage of wrong endorsement handle (TPM2_RH_EK).
- fapi: Fix authorization session handling.
- Makefile.am add missing flags UUID cand CRYPTO flags which caused problems during
cross compilation. - esys: remove trailing zeros in auth value
- aux_util: fix missing format specifier
- esys: fix unchecked return value in esys crypto.
- fapi: Fix possible null pointer dereferencing in Fapi_List.
- sys: Fix size check in Tss2_Sys_GetCapability.
- esys: Fix leak in Esys_TR_FromTPMPublic.
- fapi: Fix wrong usage of local variable in provisioning.
- fapi: fix memset 0 in ifapi_json_TPMS_POLICYNV_deserialize.
- fapi: Fix possible out of bound array access in IMA parser.
- tcti device: Fix possible unmarshalling from uninitialized variable.
- fapi: Fix error checking authorization of signing key.
- fapi: Fix cleanup of policy sessions.
- fapi: Eventlog H-CRTM events and different localities.
- fapi: Fix missing synchronization of quote and eventlog.
- faii: Fix invalid free in Fapi_Quote with empty eventlog.
3.2.3
Security
- Fixed CVE-2024-29040
Fixed
- fapi: Fix length check on FAPI auth callbacks
- build: fix build fail after make clean.
- tss2-rc: fix unknown layer handler dropping bits.
- fapi: Fix missing parameter encryption.
- fapi: Fix flush of persistent handles.
- build: Fix failed build with --disable-vendor.
- fapi: Fix error in Fapi_GetInfo it TPM supports SHA3 hash algs.
- fapi: Fix strange error messages if nv, ext, or policy path does not exits.
- fapi: Fix segfault caused by wrong allocation of pcr policy.
- esys: Add reference counting for Esys_TR_FromTPMPublic.
- fapi: A segfault after the error handling of non existing keys.
- esys: Fix leak in Esys_EvictControl for persistent handles.
- fapi: The recreation of primaries (except EK) in the owner hierarchy instead the endorsement hierarchy is fixed.
- fapi: Fix usage of persistent handles (should not be flushed)
- fapi: Fix read large system eventlog (> UINT16_MAX).
- esys tests: Fix layer check for TPM2_RC_COMMAND_CODE (for /dev/tpmrm0).
- test: unit: tcti-libtpms: fix test failed at 32-bit platforms.
- esys: close TR handle for input persistent handle in EvictControl_Finish.
- Fix FormatStrings for non-32-bit platforms
- fapi: Fix usage of wrong endorsement handle (TPM2_RH_EK).
- fapi: Fix authorization session handling.
- fapi: Fix possible null pointer dereferencing in Fapi_List.
- sys: Fix size check in Tss2_Sys_GetCapability.
- esys: Fix leak in Esys_TR_FromTPMPublic.
- fapi: fix memset 0 in ifapi_json_TPMS_POLICYNV_deserialize.
- tcti device: Fix possible unmarshalling from uninitialized variable.
3.2.2
[3.2.2] - 2023-01-31
Fixed:
- A buffer overflow in tss2-rc as CVE-2023-22745.
- The drv layer in tss2-rc should have been the policy layer.
- Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string.
This is API breaking but considered a bug since it deviated from the FAPI spec. - FAPI: undefined reference to curl_url_strerror when using curl less than 7.80.0.
4.0.1
[4.0.1] - 2023-01-23
Fixed:
- A buffer overflow in tss2-rc as CVE-2023-22745.
4.0.0
[4.0.0] - 2023-01-02
Fixed
- tcti-ldr: Use heap instead of stack when tcti initialize
- Fix usage of NULL pointer if Esys_TR_SetAuth is calles with ESYS_TR_NONE.
- Conditionally check user/group manipulation commands.
- Store VERSION into the release tarball.
- When using DESTDIR for make einstall, do not invoke systemd-sysusers and systemd-tmpfiles.
- esys_iutil: fix possible NPD.
- Tss2_Sys_Flushcontext: flushHandle was encoded as a handleArea handle and not as parameter one, this affected the contents of cpHash.
- esys: fix allow usage of HMAC sessions for Esys_TR_FromTPMPublic.
- fapi: fix usage of policy_nv with a TPM nv index.
- linking tcti for libtpms against tss2-tctildr. It should be linked against tss2-mu.
- build: Remove erroneous trailing comma in linker option. Bug #2391.
- fapi: fix encoding of complex tpm2bs in authorize nv, duplication select and policy template policies. Now the complex and TPMT or TPMS representations can be used. Bug #2383
- The error message for unsupported FAPI curves was in hex without a leading 0x, make it integer output to clarify.
- Documentation that had various scalar out pointers as "callee allocated".
- test: build with opaque FILE structure like in musl libc.
- Transient endorsement keys were not recreated according to the EK credential profile.
- Evict control for a persistent EK failed during provisioning if an auth value for the storage hierarchy was set.
- The authorization of the storage hierarchy is now added. Fixes FAPI: Provisioning error if an auth value is needed for the
storage hierarchy #2438. - Usage of a second profile in a path was not possible because the default profile was always used.
- The setting of an empty auth value for Fapi_Provision was fixed.
- JSON encoding of a structure TPMS_POLICYAUTHORIZATION used the field keyPEMhashAlg instead of hashAlg as
defined in "TCG TSS 2.0 JSON Data Types and Policy Language Specification". Rename to hashAlg but preserve support
for reading keyPEMhashAlg for backwards compatibility. - fapi: PolicySecret did not work with keys as secret object.
- Esys_PCR_SetAuthValue: remembers the auth like other SetAutg ESAPI functions.
- tests: esys-pcr-auth-value.int moved to destructive tests.
- FAPI: Fix double free if keystore is corrupted.
- Marshaling of TPMU_CAPABILITIES data, only field intelPttProperty was broken before.a
- Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string.
This is API breaking but considered a bug since it deviated from the FAPI spec. - FAPI: undefined reference to curl_url_strerror when using curl less than 7.80.0.
- FAPI: Fixed support for EK templates in NV inidices per the spec, see #2518 for details.
- FAPI: fix NPD in ifapi_curl logging.
- FAPI: Improve documentation fapi-profile
- FAPI: Fix CURL HTTP handling.
- FAPI: Return FAPI_RC_IO_ERROR if a policy does not exist in keystore.
Added
- TPM version 1.59 support.
- ci: ubuntu-22.04 added.
- mbedTLS 3.0 is supported by ESAPI.
- Add CreationHash to JSON output for usage between applications not using the FAPI keystore, like command line tools.
- Reduced code size for SAPI.
- Support for Runtime Switchable ESAPI Crypto Backend via
Esys_SetCryptoCallbacks
. - Testing for TCG EK Credential Profile TPM 2.0, Version 2.4 Rev. 3, 2021 for the low and high address range of EK templates.
- tss2-rc: Tss2_RC_DecodeInfo function for parsing TSS2_RC into the various bit fields.
- FAPI support for P_ECC384 profile.
- tss2-rc: Tss2_RC_DecodeInfoError: Function to get a human readable error from a TSS2_RC_INFO returned by
Tss2_RC_DecodeInfo - tcti: Generic SPI driver, implementors only need to connect to acquire/release, transmit/receive, and sleep/timeout functions.
- FAPI: Add event logging for Firmware and IMA Events. See #2170 for details.
- FAPI: Fix Fapi_ChangeAuth updates on hierarchy objects not being reflected across profiles.
- FAPI: Allow keyedhash keys in PolicySigned.
- ESAPI: Support sha512 for mbedtls crypto backend.
- TPM2B_MAX_CAP_BUFFER and mu routines
- vendor field to TPMU_CAPABILTIIES
- FAPI: support for PolicyTemplate
Changed
- libmu soname from 0:0:0 to 0:1:0.
- tss2-sys soname from 1:0:0 to 1:1:0
- tss2-esys: from 0:0:0 to 0:1:0
- FAPI ignores vendor properties on Fapi_GetInfo
- FAPI Event Logging JSON format, See #2170 for details.
Removed
- Dead struct TPMS_ALGORITHM_DESCRIPTION
- Dead field intelPttProperty from TPMU_CAPABILITIES
- Dead code Tss2_MU_TPMS_ALGORITHM_DESCRIPTION_Marshal
- Dead code Tss2_MU_TPMS_ALGORITHM_DESCRIPTION_Unmarshal
3.2.1
[3.2.1] - 2022-12-12
Fixed
- Makefile.am: make all EXTRA_DIST includes unconditional to fix pristine tars
- Fix usage of NULL pointer if Esys_TR_SetAuth is calles with ESYS_TR_NONE.
- Store VERSION into the release tarball.
- fapi: fix usage of policy_nv with a TPM nv index.
- Tss2_Sys_Flushcontext: flushHandle was encoded as a handleArea handle and not as parameter one, this affected the contents of cpHash.
- linking tcti for libtpms against tss2-tctildr. It should be linked against tss2-mu.
- build: Remove erroneous trailing comma in linker option. Bug #2391.
- esys: fix allow usage of HMAC sessions for Esys_TR_FromTPMPublic.
- test: build with opaque FILE structure like in musl libc.
- Usage of a second profile in a path was not possible because the default profile was always used.
- FAPI: Fix provisioning if auth value for storage hierarchy was set.
- FAPI: Fix recreation of EK.
- FAPI: Fix usage of lockout auth value in Fapi_Provison.
- FAPI: Fix loading of key in policy execution.
- FAPI: Fix Fapi_ChangeAuth updates on hierarchy objects not being reflected across profiles.
- Esys_PCR_SetAuthValue: remembers the auth like other SetAutg ESAPI functions.
- tests: esys-pcr-auth-value.int moved to destructive tests.
- FAPI: Fix double free if keystore is corrupted.
- Spec deviation in Fapi_GetDescription caused description to be NULL when it should be empty string.
This is API breaking but considered a bug since it deviated from the FAPI spec.