Change logs for swtpm source package in Jammy

  • swtpm (0.6.3-0ubuntu3.3) jammy; urgency=medium
    
      * d/usr.bin.swtpm:
        - Add sys_admin capability to apparmor profile to allow access to kernel
          modules such as tpm_vtpm_proxy (LP: #2071478)
        - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
          apparmor denials when working with TPM2 locks (LP: #2072524)
    
     -- Lena Voytek <email address hidden>  Tue, 30 Jul 2024 15:22:09 -0700
  • swtpm (0.6.3-0ubuntu3.2) jammy; urgency=medium
    
      * d/p/create-user-config-files-use-correct-swtpm-localca.patch: Fix the path
        to swtpm-localca used in swtpm-create-user-config-files (LP: #2016744)
    
     -- Lena Voytek <email address hidden>  Wed, 26 Apr 2023 15:06:00 -0700
  • swtpm (0.6.3-0ubuntu3.1) jammy; urgency=medium
    
      * d/usr.bin.swtpm: Update apparmor profile to match swtpm upstream
        In between adding the apparmor profile to Ubuntu and merging upstream,
        additional rules were used to cover more common use cases. (LP: #1992377)
        - The six capability lines fix the broken upstream unit test cases:
          test_ctrlchannel, test_vtpm_proxy, test_tpm2_file_permissions,
          test_tpm2_save_load_state_2_block, and test_tpm2_ctrlchannel2
        - owner @{HOME}/** rwk was added as using a folder in one's home directory
          is common for managing tpm states
        - Access in the tmp directory is further generalized as this is where swtpm
          interacts with qemu and libvirt
        - The ability to read from /etc/nsswitch.conf was added for vtpm proxy to
          work
    
     -- Lena Voytek <email address hidden>  Wed, 16 Nov 2022 13:54:54 -0700
  • swtpm (0.6.3-0ubuntu3) jammy; urgency=medium
    
      * d/usr.bin.swtpm: Add additional apparmor rules
        - allow full interaction with libvirt (LP: #1968187)
        - add qemu socket rules (LP: #1968335)
    
     -- Lena Voytek <email address hidden>  Tue, 12 Apr 2022 07:49:45 -0700
  • swtpm (0.6.3-0ubuntu2) jammy; urgency=medium
    
      * d/p/openssl-not-certtool.patch: do not use rnd file (LP: #1968131)
        RANDFILE isn't needed anymore in openssl and furthermore breaks many
        use cases here as HOME isn't resolved and therefore it accessed $CWD/.rnd
        which often ends up in places it isn't able to access the file.
        Thanks to Simon Deziel for the suggested fix!
    
     -- Christian Ehrhardt <email address hidden>  Thu, 07 Apr 2022 16:07:21 +0200
  • swtpm (0.6.3-0ubuntu1) jammy; urgency=medium
    
      * Update to the stable release v0.6.3 (LP: 1948748)
        - swtpm:
          + Do not chdir(/) when using --daemon
          + Check header size indicator against expected size (CVE-2022-23645)
        - swtpm-localca:
          + Re-implement variable resolution for swtpm-localca.conf
          + Test for available issuercert before creating CA
        - tests:
          + Use ${WORKDIR} in config files to test env. var replacement
        - man:
          + Add missing .config directory to path description when using ${HOME}
        - build-sys:
          + Add probing for -fstack-protector
          + configure: Fix typo TPM2 -> TMP2
        - swtpm_setup:
          + Report stderr as returned by external tool (swtpm-localca)
          + Fix exit code on error to be '1'.
      * d/usr.bin.swtpm: fix hang on unix sockets due to apparmor rules
    
     -- Christian Ehrhardt <email address hidden>  Tue, 22 Mar 2022 09:31:40 +0100
  • swtpm (0.6.1-0ubuntu6) jammy; urgency=medium
    
      * Add apparmor profile to swtpm (LP: #1950631)
        - d/usr.bin.swtpm: Create new apparmor profile
        - d/swtpm.install: Copy apparmor profile to /etc/apparmor.d/
        - d/rules: Deploy the swtpm apparmor profile
        - d/control: Add dh-apparmor as a dependency
    
     -- Lena Voytek <email address hidden>  Fri, 18 Feb 2022 14:24:14 -0700
  • swtpm (0.6.1-0ubuntu5) jammy; urgency=medium
    
      * debian/patches/openssl-not-certtool.patch: Use traditional format
        output as expected by tests.
      * Set executable bit on debian/tests/run-tests.
    
     -- Dimitri John Ledkov <email address hidden>  Thu, 02 Dec 2021 17:54:13 +0000
  • swtpm (0.6.1-0ubuntu4) jammy; urgency=medium
    
      * debian/patches/openssl-not-certtool.patch: Use openssl at runtime,
        not certtool.
    
     -- Steve Langasek <email address hidden>  Fri, 05 Nov 2021 13:16:42 -0700
  • swtpm (0.6.1-0ubuntu3) jammy; urgency=medium
    
      * Don't use the tss user for swtpm, this overloads a user already used for
        physical tpm ACLs.  LP: #1949060.
      * Add missing adduser dependency to swtpm-tools.
      * Add missing debhelper token to swtpm-tools.postinst.
    
     -- Steve Langasek <email address hidden>  Thu, 28 Oct 2021 05:47:30 -0700
  • swtpm (0.6.1-0ubuntu2) jammy; urgency=medium
    
      * Include packaging fixes from upstream to the postinst.
      * Drop tpm-udev dependency, not needed because we create the tss user
        ourselves now as needed.
      * Add autopkgtests.
    
     -- Steve Langasek <email address hidden>  Mon, 25 Oct 2021 20:52:45 -0700
  • swtpm (0.6.1-0ubuntu1) jammy; urgency=medium
    
      * Initial release, using packaging from upstream.
      * debian/patches/0001-Install-swtpm-localca-to-the-correct-path.patch:
        Install swtpm-localca to the correct path.
      * debian/patches/no-autoconf-in-debian.patch: don't modify debian
        directory from upstream configure script.
    
     -- Steve Langasek <email address hidden>  Sun, 24 Oct 2021 01:04:51 +0000