Internal restructuring of stx-integ

Create new directories: ceph config config-files filesystem kernel kernel/kernel-modules ldap logging strorage-drivers tools utilities virt Retire directories: connectivity core devtools support extended Delete two packages: tgt irqbalance Relocated packages: base/ dhcp initscripts libevent lighttpd linuxptp memcached net-snmp novnc ntp openssh pam procps sanlock shadow sudo systemd util-linux vim watchdog ceph/ python-cephclient config/ facter puppet-4.8.2 puppet-modules filesystem/ e2fsprogs nfs-utils nfscheck kernel/ kernel-std kernel-rt kernel/kernel-modules/ mlnx-ofa_kernel ldap/ nss-pam-ldapd openldap logging/ syslog-ng logrotate networking/ lldpd iproute mellanox python-ryu mlx4-config python/ python-2.7.5 python-django python-gunicorn python-setuptools python-smartpm python-voluptuous security/ shim-signed shim-unsigned tboot strorage-drivers/ python-3parclient python-lefthandclient virt/ cloud-init libvirt libvirt-python qemu tools/ storage-topology vm-topology utilities/ tis-extensions namespace-utils nova-utils update-motd Change-Id: I37ade764d873c701b35eac5881eb40412ba64a86 Story: 2002801 Task: 22687 Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 10:02:19 -04:00
parent 2705f4934d
commit bab9bb6b69
936 changed files with 96 additions and 596 deletions
--- a/security/shim-signed/centos/build_srpm.data
+++ b/security/shim-signed/centos/build_srpm.data
@@ -0,0 +1 @@
+TIS_PATCH_VER=2
--- a/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch
+++ b/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch
@@ -0,0 +1,24 @@
+From a19b16baa019609714fb741db4e3c73d67f2adf1 Mon Sep 17 00:00:00 2001
+From: jmckenna <jason.mckenna@windriver.com>
+Date: Tue, 16 Jan 2018 08:14:08 -0500
+Subject: [PATCH 1/2] Titanium release info
+
+---
+ SPECS/shim-signed.spec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
+index d2a13b1..9cfcb2f 100644
+--- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec
+@@ -1,6 +1,6 @@
+ Name:           shim-signed
+ Version:        12
+-Release:        1%{?dist}%{?buildid}
+Release:        1%{?_tis_dist}.%{tis_patch_ver}
+ Summary:        First-stage UEFI bootloader
+ %define unsigned_release 1%{?dist}
+ 
+-- 
+1.8.3.1
+
--- a/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch
+++ b/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch
@@ -0,0 +1,147 @@
+diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
+old mode 100644
+new mode 100755
+index 9cfcb2f..f6ce87e
+--- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec
+@@ -2,7 +2,6 @@ Name:           shim-signed
+ Version:        12
+ Release:        1%{?_tis_dist}.%{tis_patch_ver}
+ Summary:        First-stage UEFI bootloader
+-%define unsigned_release 1%{?dist}
+ 
+ License:        BSD
+ URL:            http://www.codon.org.uk/~mjg59/shim/
+@@ -16,10 +15,12 @@ Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
+ Patch0005: 0005-Make-all-efi_guid_t-const.patch
+ Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
+ Patch0007: 0007-Add-bash-completion-file.patch
+%global srcbasename shimx64
+%global srcbasenameia32 shimia32
+ 
+ Source1:	centos.crt
+-Source10:	shimx64.efi
+-Source11:	shimia32.efi
+Source10:	%{srcbasename}.efi
+Source11:	%{srcbasenameia32}.efi
+ #Source12:	shimaa64.efi
+ Source20:	BOOTX64.CSV
+ Source21:	BOOTIA32.CSV
+@@ -47,11 +48,17 @@ BuildRequires: git
+ BuildRequires: openssl-devel openssl
+ BuildRequires: pesign >= 0.106-5%{dist}
+ BuildRequires: efivar-devel
+-BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release}
+BuildRequires: shim-unsigned-%{efiarchlc}
+ %ifarch x86_64
+-BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release}
+BuildRequires: shim-unsigned-ia32
+ %endif
+ 
+# Rather than hardcode a release, we get the release from the installed shim-unsigned package
+%define unsigned_release %(rpm -q shim-unsigned-x64 --info | grep Release | awk '{print $3}')
+%define unsigned_dir "%{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/"
+%define unsigned_release_ia32 %(rpm -q shim-unsigned-ia32 --info | grep Release | awk '{print $3}')
+%define unsigned_dir_ia32 "%{_datadir}/shim/ia32-%{version}-%{unsigned_release_ia32}/"
+
+ # for mokutil's configure
+ BuildRequires: autoconf automake
+ 
+@@ -143,39 +150,34 @@ cd ..
+ %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+ 
+ %ifarch %{ca_signed_arches}
+-pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
+-if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
+-	echo Invalid signature\! > /dev/stderr
+-	echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr
+-	echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
+-	exit 1
+
+# if we already have a presigned EFI image, then do not do signing -- just
+# use the presigned one.
+if  [ -e %{unsigned_dir}%{srcbasename}-presigned.efi ]; then
+        cp %{unsigned_dir}%{srcbasename}-presigned.efi %{srcbasename}.efi
+        cp %{unsigned_dir}%{srcbasename}-presigned.efi shim%{efiarchlc}.efi
+else
+        cp %{shimsrc} shim%{efiarchlc}.efi
+ fi
+-cp %{shimsrc} shim%{efiarchlc}.efi
+ %ifarch x86_64
+-pesign -i %{shimsrcia32} -h -P > shimia32.hash
+-if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then
+-	echo Invalid signature\! > /dev/stderr
+-	echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr
+-	echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr
+-	exit 1
+if  [ -e %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi ]; then
+        cp %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi %{srcbasenameia32}.efi
+else
+	cp %{shimsrcia32} %{srcbasenameia32}.efi
+ fi
+-cp %{shimsrcia32} shimia32.efi
+-%endif
+-%endif
+-%ifarch %{rh_signed_arches}
+-%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}  -o shim%{efiarchlc}-%{efidir}.efi
+-%ifarch x86_64
+-%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE1} -c %{SOURCE1}  -o shimia32-%{efidir}.efi
+-%endif
+-%endif
+-%ifarch %{rh_signed_arches}
+-%ifnarch %{ca_signed_arches}
+-cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi
+ %endif
+ %endif
+ 
+-%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}
+-%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}
+if  [ -e %{unsigned_dir}mm%{efiarchlc}-presigned.efi ]; then
+	cp %{unsigned_dir}mm%{efiarchlc}-presigned.efi mm%{efiarchlc}.efi
+else
+	%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}
+fi
+if  [ -e %{unsigned_dir}fb%{efiarchlc}-presigned.efi ]; then
+	cp %{unsigned_dir}fb%{efiarchlc}-presigned.efi fb%{efiarchlc}.efi
+else
+	%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}
+fi
+ 
+ %ifarch x86_64
+ %pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE1} -c %{SOURCE1} 
+@@ -191,7 +193,7 @@ make %{?_smp_mflags}
+ rm -rf $RPM_BUILD_ROOT
+ install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
+ install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
+-install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
+#install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
+ install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
+ install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
+ 
+@@ -211,7 +213,7 @@ install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
+ 
+ install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
+ install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
+-install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
+#install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
+ install -m 0644 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
+ install -m 0644 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
+ 
+@@ -224,7 +226,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
+ 
+ %files -n shim-%{efiarchlc}
+ /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
+-/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
+#/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
+ /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
+ /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
+ /boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
+@@ -236,7 +238,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
+ 
+ %files -n shim-ia32
+ /boot/efi/EFI/%{efidir}/shimia32.efi
+-/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
+#/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
+ /boot/efi/EFI/%{efidir}/mmia32.efi
+ /boot/efi/EFI/%{efidir}/BOOTIA32.CSV
+ /boot/efi/EFI/BOOT/BOOTIA32.EFI
--- a/security/shim-signed/centos/meta_patches/PATCH_ORDER
+++ b/security/shim-signed/centos/meta_patches/PATCH_ORDER
@@ -0,0 +1,2 @@
+0001-Titanium-release-info.patch
+0002-Use-presigned-binaries.patch
--- a/security/shim-signed/centos/srpm_path
+++ b/security/shim-signed/centos/srpm_path
@@ -0,0 +1 @@
+mirror:Source/shim-signed-12-1.el7.centos.src.rpm
--- a/security/shim-unsigned/centos/build_srpm.data
+++ b/security/shim-unsigned/centos/build_srpm.data
@@ -0,0 +1,2 @@
+TIS_PATCH_VER=2
+COPY_LIST="$PKG_BASE/files/tis-shim.crt"
--- a/security/shim-unsigned/centos/meta_patches/0001-Ti-version-string.patch
+++ b/security/shim-unsigned/centos/meta_patches/0001-Ti-version-string.patch
@@ -0,0 +1,27 @@
+From fc1f1853e99c5afaae334b0c37296e34e9cf19fd Mon Sep 17 00:00:00 2001
+From: root <root@yow-cgts4-lx.wrs.com>
+Date: Mon, 15 Jan 2018 13:09:41 -0500
+Subject: [PATCH 1/2] Ti version string
+
+---
+ SPECS/shim.spec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ mode change 100755 => 100644 SPECS/shim.spec
+
+diff --git a/SPECS/shim.spec b/SPECS/shim.spec
+old mode 100755
+new mode 100644
+index afd533b..de216b6
+--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
+@@ -1,6 +1,6 @@
+ Name:           shim
+ Version:        12
+-Release:        1%{?dist}
+Release:        1.el7%{?_tis_dist}.%{tis_patch_ver}
+ Summary:        First-stage UEFI bootloader
+ 
+ License:        BSD
+-- 
+1.8.3.1
+
--- a/security/shim-unsigned/centos/meta_patches/0002-Add-Ti-certificate.patch
+++ b/security/shim-unsigned/centos/meta_patches/0002-Add-Ti-certificate.patch
@@ -0,0 +1,45 @@
+From fb4da7f4d7d8e8565371ed236150de2e4bb47b95 Mon Sep 17 00:00:00 2001
+From: root <root@yow-cgts4-lx.wrs.com>
+Date: Mon, 15 Jan 2018 13:22:09 -0500
+Subject: [PATCH 2/2] Add Ti certificate
+
+---
+ SPECS/shim.spec | 5 +++++
+ 1 file changed, 5 insertions(+)
+ mode change 100644 => 100755 SPECS/shim.spec
+
+diff --git a/SPECS/shim.spec b/SPECS/shim.spec
+old mode 100644
+new mode 100755
+index de216b6..83da6cd
+--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
+@@ -11,6 +11,9 @@ Source1:	centos.crt
+ #Source2:	dbx-x64.esl
+ #Source3:	dbx-aa64.esl
+ Source4:	shim-find-debuginfo.sh
+Source1000:     tis-shim.crt
+
+Patch1000:      0001-Use-Titanium-certificate.patch
+ 
+ BuildRequires: git openssl-devel openssl
+ BuildRequires: pesign >= 0.106-1
+@@ -101,6 +104,7 @@ git commit -a -q -m "%{version} baseline."
+ git am --ignore-whitespace %{patches} </dev/null
+ git config --unset user.email
+ git config --unset user.name
+cp %{SOURCE1000} .
+ 
+ %ifarch x86_64
+ cd ..
+@@ -115,6 +119,7 @@ git commit -a -q -m "%{version} baseline."
+ git am --ignore-whitespace %{patches} </dev/null
+ git config --unset user.email
+ git config --unset user.name
+cp %{SOURCE1000} .
+ %endif
+ 
+ %build
+-- 
+1.8.3.1
+
--- a/security/shim-unsigned/centos/meta_patches/PATCH_ORDER
+++ b/security/shim-unsigned/centos/meta_patches/PATCH_ORDER
@@ -0,0 +1,2 @@
+0001-Ti-version-string.patch
+0002-Add-Ti-certificate.patch
--- a/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch
+++ b/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch
@@ -0,0 +1,74 @@
+From 057532ac6c77d20ae8d6ce0354e7ef67b1870eb6 Mon Sep 17 00:00:00 2001
+From: root <root@yow-cgts4-lx.wrs.com>
+Date: Mon, 15 Jan 2018 13:25:04 -0500
+Subject: [PATCH] Use Titanium certificate
+
+---
+ Makefile | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 6ece282..bb4f7f9 100644
+--- a/Makefile
+++ b/Makefile
+@@ -36,6 +36,12 @@ FBNAME		= fallback
+ 
+ COMMITID ?= $(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)
+ 
+# We compile a certificate into shim.  Usually this is a one-time generated
+# certificate (make-certs script) however we want to include a custom
+# certificate for which we have the key.  We use the key to sign the kernel and
+# grub down the road
+INTERNAL_CERT = tis-shim
+
+ ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
+ 	CFLAGS	+= -DOVERRIDE_SECURITY_POLICY
+ endif
+@@ -90,7 +96,7 @@ LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsym
+ 
+ TARGET	= $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed
+ OBJS	= shim.o netboot.o cert.o replacements.o tpm.o version.o
+-KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+KEYS    = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
+ SOURCES	= shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
+ MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
+ MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
+@@ -104,13 +110,17 @@ endif
+ 
+ all: $(TARGET)
+ 
+-shim.crt:
+-	./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+# certificate is now provided in source.  To generate a random certificate,
+# uncomment this rule
+#$(INTERNAL_CERT).crt:
+#	./make-certs $(INTERNAL_CERT) shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+ 
+-shim.cer: shim.crt
+$(INTERNAL_CERT).cer: $(INTERNAL_CERT).crt
+ 	openssl x509 -outform der -in $< -out $@
+ 
+-shim_cert.h: shim.cer
+# name "shim_cert.h" rather than "$(INTERNAL_CERT).h" used so C files can just
+# use a fixed name for #include
+shim_cert.h: $(INTERNAL_CERT).cer
+ 	echo "static UINT8 shim_cert[] = {" > $@
+ 	hexdump -v -e '1/1 "0x%02x, "' $< >> $@
+ 	echo "};" >> $@
+@@ -121,10 +131,10 @@ version.c : version.c.in
+ 		-e "s,@@COMMIT@@,$(COMMITID)," \
+ 		< version.c.in > version.c
+ 
+-certdb/secmod.db: shim.crt
+certdb/secmod.db: $(INTERNAL_CERT).crt
+ 	-mkdir certdb
+-	pk12util -d certdb/ -i shim.p12 -W "" -K ""
+-	certutil -d certdb/ -A -i shim.crt -n shim -t u
+	pk12util -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
+	certutil -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
+ 
+ shim.o: $(SOURCES) shim_cert.h
+ shim.o: $(wildcard *.h)
+-- 
+1.8.3.1
+
--- a/security/shim-unsigned/centos/srpm_path
+++ b/security/shim-unsigned/centos/srpm_path
@@ -0,0 +1 @@
+mirror:Source/shim-12-1.el7.centos.src.rpm
--- a/security/shim-unsigned/files/tis-shim.crt
+++ b/security/shim-unsigned/files/tis-shim.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIJAK2dlnyaByQOMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkNBMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTcwMzAxMDEzNTUwWhcNMTgwMzAxMDEzNTUwWjBF
+MQswCQYDVQQGEwJDQTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA8XK4jSYD9/WgUu4uZ50fPnRkFZmfK837oCZzgezlORzR38F1frX+3Qjx
+Nohg5uINP8l45mXpEMgD2tzsFGO6pcFpzzKPMAsmPJwODbGYbWr29RCd25h8IGRg
+5RqAjWn2E0vUpweZbo9nVvA1vukSjeUxOoHZmAsTBFWf10HOfTOdQnJ7IcHLPtb7
+bqVPxpexVSwr5lLT8iCzisIVjHJE9G/WqEkhgbYaM8cNa1QmZFJJubHLIqlru73V
+SO2dItQ89LLBi/tb2QXTz+0xhgMlD8tzcYMPeiScSwdO9GURghsqWnltnNB+R/HA
+RKOip1DHRicEgBOhE2s42qBwZP67kwIDAQABo1AwTjAdBgNVHQ4EFgQU4ncd0+jE
+zjXeo8yTEhEZc5kLdMwwHwYDVR0jBBgwFoAU4ncd0+jEzjXeo8yTEhEZc5kLdMww
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAc1WR6lgUM5Onz2eaA/Vt
+AsEnSmjslr5pHP1UuageaLixTmYaqMl7+KiHGmhsZDjME0d3lbjebadp9t4Yjjlf
+Vgx0QcvHHuI/eIFs/femJXDYUrr2JPKMF1quS4MaKiem71pHeouwyAzbzvxS3wh1
+a6ia27kuqvMyq2738kbfjmVQnc0D9etw5kaWouDMUMj5W2awxMbKBFLPmpqMGlku
+Sw4uStDSlmiMrro41Tfkmh57AbYXP7i7bqbz/smnQ6YZdMcFYdlB7k2IePt6DVG+
+/zM2npEBopXi/5MWzmG0xBSEiiy9Yo+mSTh+3RvXtYxBmmwZb7wvJ6Cgp92NuA6B
+Eg==
+-----END CERTIFICATE-----
--- a/security/tboot/centos/build_srpm.data
+++ b/security/tboot/centos/build_srpm.data
@@ -0,0 +1 @@
+TIS_PATCH_VER=2
--- a/security/tboot/centos/meta_patches/0001-tboot-Update-package-versioning-for-TIS-format.patch
+++ b/security/tboot/centos/meta_patches/0001-tboot-Update-package-versioning-for-TIS-format.patch
@@ -0,0 +1,32 @@
+From f7ac0c586ee46b67c7b5a541ee823f459e19c5c6 Mon Sep 17 00:00:00 2001
+From: Bin Qian <bin.qian@windriver.com>
+Date: Mon, 27 Nov 2017 08:35:10 -0500
+Subject: [PATCH 1/1] WRS: 8000-TiS-tboot.patch
+
+---
+ SPECS/tboot.spec | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
+index 5827214..9ae8f9b 100644
+--- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec
+@@ -1,13 +1,14 @@
+ Summary:        Performs a verified launch using Intel TXT
+ Name:           tboot
+ Version:        1.9.5
+-Release:        1%{?dist}
+Release:        1.e17%{?_tis_dist}.%{tis_patch_ver}
+ Epoch:          1
+ 
+ Group:          System Environment/Base
+ License:        BSD
+ URL:            http://sourceforge.net/projects/tboot/
+ Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
+
+ BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+ 
+ BuildRequires:  trousers-devel
+-- 
+1.8.3.1
+
--- a/security/tboot/centos/meta_patches/0002-TiS-tboot.patch
+++ b/security/tboot/centos/meta_patches/0002-TiS-tboot.patch
@@ -0,0 +1,43 @@
+From 16a82ea84332a117c4524caaa4209b912e18e888 Mon Sep 17 00:00:00 2001
+From: Bin Qian <bin.qian@windriver.com>
+Date: Wed, 6 Dec 2017 08:47:12 -0500
+Subject: [PATCH 1/1] TiS tboot
+
+---
+ SPECS/tboot.spec | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
+index 9ae8f9b..4c479ad 100644
+--- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec
+@@ -8,11 +8,12 @@ Group:          System Environment/Base
+ License:        BSD
+ URL:            http://sourceforge.net/projects/tboot/
+ Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
+Patch999:       1000-tboot-for-tis.patch
+ 
+ BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+ 
+ BuildRequires:  trousers-devel
+-BuildRequires:  openssl-devel
+BuildRequires:  openssl-devel git
+ ExclusiveArch:  x86_64
+ 
+ %description
+@@ -22,6 +23,12 @@ and verified launch of an OS kernel/VMM.
+ 
+ %prep
+ %setup -q
+git init
+git config user.email "example@example.com"
+git config user.name "RHEL example"
+git add .
+git commit -a -q -m "baseline."
+git am %{patches}
+ 
+ %build
+ CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS
+-- 
+1.8.3.1
+
--- a/security/tboot/centos/meta_patches/0003-security-set-immutable-attribute.patch
+++ b/security/tboot/centos/meta_patches/0003-security-set-immutable-attribute.patch
@@ -0,0 +1,56 @@
+From 15d8e3a327bc4ee96845163f962837cfcb4699bb Mon Sep 17 00:00:00 2001
+From: Kam Nasim <kam.nasim@windriver.com>
+Date: Tue, 6 Feb 2018 15:25:00 -0500
+Subject: [PATCH] CGTS-8849: Security: Set immutable attribute and permissions
+
+---
+ SPECS/tboot.spec | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
+index 4c479ad..d0039d4 100644
+--- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec
+@@ -43,8 +43,14 @@ if [ -e "/sys/firmware/efi" ]; then
+ 	putk "WARNING: tboot is not supported on UEFI-based systems."
+ 	putk "         Please see https://access.redhat.com/articles/2217041."
+ 	putk "         and https://access.redhat.com/articles/2464721"
+-	exit 0;
+ fi
+# On updating this package, we want to clear the immutable
+# attribute so that the module files can get overwritten
+if [ $1 -gt 1 ]; then
+    chattr -i /boot/tboot.gz /boot/tboot-syms
+fi
+exit 0
+
+ 
+ %install
+ rm -rf $RPM_BUILD_ROOT
+@@ -53,6 +59,12 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install
+ %clean
+ rm -rf $RPM_BUILD_ROOT
+ 
+%post
+# Set immutable attribute on tboot modules
+chattr +i /boot/tboot.gz /boot/tboot-syms
+exit 0
+
+
+ %files
+ %defattr(-,root,root,-)
+ %doc README COPYING docs/* lcptools/lcptools2.txt lcptools/Linux_LCP_Tools_User_Manual.pdf
+@@ -89,8 +101,8 @@ rm -rf $RPM_BUILD_ROOT
+ %{_mandir}/man8/lcp_writepol.8.gz
+ %{_mandir}/man8/tb_polgen.8.gz
+ %{_mandir}/man8/txt-stat.8.gz
+-/boot/tboot.gz
+-/boot/tboot-syms
+%attr(0400,root,root) /boot/tboot.gz
+%attr(0400,root,root) /boot/tboot-syms
+ 
+ %changelog
+ * Fri Jan 27 2017 Tony Camuso <tcamuso@redhat.com> - 1:1.9.5-1
+-- 
+1.8.3.1
+
--- a/security/tboot/centos/meta_patches/PATCH_ORDER
+++ b/security/tboot/centos/meta_patches/PATCH_ORDER
@@ -0,0 +1,3 @@
+0001-tboot-Update-package-versioning-for-TIS-format.patch
+0002-TiS-tboot.patch
+0003-security-set-immutable-attribute.patch
--- a/security/tboot/centos/patches/1000-tboot-for-tis.patch
+++ b/security/tboot/centos/patches/1000-tboot-for-tis.patch
@@ -0,0 +1,188 @@
+From c2edea1ff347242a70075808652fa1ad4c86037a Mon Sep 17 00:00:00 2001
+From: Bin Qian <bin.qian@windriver.com>
+Date: Mon, 27 Nov 2017 08:35:11 -0500
+Subject: [PATCH 1/1] WRS: Patch1: 9000-tboot-for-tis.patch
+
+---
+ tboot/20_linux_tboot     | 21 ++++++++++++---------
+ tboot/20_linux_xen_tboot |  2 +-
+ tboot/common/policy.c    | 16 +++++++++++-----
+ tboot/common/tpm_20.c    |  7 ++++---
+ 4 files changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/tboot/20_linux_tboot b/tboot/20_linux_tboot
+index 7c25181..e4fd557 100644
+--- a/tboot/20_linux_tboot
+++ b/tboot/20_linux_tboot
+@@ -22,6 +22,13 @@ exec_prefix=${prefix}
+ bindir=${exec_prefix}/bin
+ libdir=${exec_prefix}/lib
+ sysconfdir=/etc
+
+
+tboot=`cat /proc/cmdline | xargs -n1 | grep '^tboot=true$'` || true
+if [ -z "$tboot"  ]; then
+  exit 0
+fi
+
+ if test -e /usr/share/grub/grub-mkconfig_lib; then
+   . /usr/share/grub/grub-mkconfig_lib
+ elif test -e ${libdir}/grub/grub-mkconfig_lib; then
+@@ -38,7 +45,7 @@ fi
+ [ -z "${GRUB_CMDLINE_LINUX_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_TBOOT
+ [ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
+ # Command line for tboot itself
+-: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
+: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga extpol=sha256'}
+ # Linux kernel parameters to append for tboot
+ : ${GRUB_CMDLINE_LINUX_TBOOT='intel_iommu=on'}
+ # Base name of LCP policy data file for list policy
+@@ -67,10 +74,8 @@ export TEXTDOMAINDIR=${prefix}/share/locale
+ 
+ CLASS="--class gnu-linux --class gnu --class os --class tboot"
+ 
+-if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
+-  OS=GNU/Linux
+-else
+-  OS="${GRUB_DISTRIBUTOR} GNU/Linux"
+OS="CentOS GNU/Linux"
+if [ -n "${GRUB_DISTRIBUTOR}" ] ; then
+   CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr '[A-Z]' '[a-z]' | cut -d' ' -f1) ${CLASS}"
+ fi
+ 
+@@ -107,9 +112,9 @@ linux_entry ()
+   iommu_args="$7"
+   
+   if ${recovery} ; then
+-    title="$(gettext_quoted "%s, with tboot %s and Linux %s (recovery mode)")"
+    title="$(gettext_quoted "%s, w/ tboot %s & Linux %s (recovery mode)")"
+   else
+-    title="$(gettext_quoted "%s, with tboot %s and Linux %s")"
+    title="$(gettext_quoted "%s, w/ tboot %s & Linux %s")"
+   fi
+ 
+   if [ -d /sys/firmware/efi ] ; then
+@@ -200,7 +205,6 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do
+     rel_tboot_dirname=`make_system_path_relative_to_its_root $tboot_dirname`
+ #    tboot_version=`echo $tboot_basename | sed -e "s,.gz$,,g;s,^tboot-,,g"`
+     tboot_version="1.9.5"
+-    echo "submenu \"tboot ${tboot_version}\" {"
+     while [ "x$list" != "x" ] ; do
+ 	linux=`version_find_latest $list`
+ 	echo "Found linux image: $linux" >&2
+@@ -241,6 +245,5 @@ while [ "x${tboot_list}" != "x" ] && [ "x$linux_list" != "x" ] ; do
+ 
+ 	list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
+     done
+-    echo "}"
+     tboot_list=`echo $tboot_list | tr ' ' '\n' | grep -vx $current_tboot | tr '\n' ' '`
+ done
+diff --git a/tboot/20_linux_xen_tboot b/tboot/20_linux_xen_tboot
+index b674834..4dc8d68 100644
+--- a/tboot/20_linux_xen_tboot
+++ b/tboot/20_linux_xen_tboot
+@@ -39,7 +39,7 @@ fi
+ [ -z "${GRUB_CMDLINE_LINUX_XEN_TBOOT}" ] && unset GRUB_CMDLINE_LINUX_XEN_TBOOT
+ [ -z "${GRUB_TBOOT_POLICY_DATA}" ] && unset GRUB_TBOOT_POLICY_DATA
+ # Command line for tboot itself
+-: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga'}
+: ${GRUB_CMDLINE_TBOOT='logging=serial,memory,vga extpol=sha256'}
+ # Xen parameters to append for tboot
+ : ${GRUB_CMDLINE_XEN_TBOOT=''}
+ # Linux kernel parameters to append for tboot + Xen
+diff --git a/tboot/common/policy.c b/tboot/common/policy.c
+index b30d299..9ec02be 100644
+--- a/tboot/common/policy.c
+++ b/tboot/common/policy.c
+@@ -347,6 +347,7 @@ tb_error_t set_policy(void)
+      * type is LCP_POLTYPE_LIST (since we could have been give a policy data
+      * file even though the policy was not a LIST */
+     printk(TBOOT_INFO"reading Launch Control Policy from TPM NV...\n");
+
+     if ( read_policy_from_tpm(g_tpm->lcp_own_index,
+              _policy_index_buf, &policy_index_size) ) {
+         printk(TBOOT_DETA"\t:%lu bytes read\n", policy_index_size);
+@@ -406,6 +407,7 @@ bool hash_policy(tb_hash_t *hash, uint16_t hash_alg)
+ 
+ /* generate hash by hashing cmdline and module image */
+ static bool hash_module(hash_list_t *hl,
+                        u16 cur_alg,
+                         const char* cmdline, void *base,
+                         size_t size)
+ {
+@@ -414,6 +416,7 @@ static bool hash_module(hash_list_t *hl,
+         return false;
+     }
+ 
+    printk(TBOOT_INFO"Using hash algorithm %d\n", cur_alg);
+     /* final hash is SHA-1( SHA-1(cmdline) | SHA-1(image) ) */
+     /* where cmdline is first stripped of leading spaces, file name, then */
+     /* any spaces until the next non-space char */
+@@ -428,16 +431,17 @@ static bool hash_module(hash_list_t *hl,
+     switch (g_tpm->extpol) {
+     case TB_EXTPOL_FIXED: 
+         hl->count = 1;
+-        hl->entries[0].alg = g_tpm->cur_alg;
+        // hl->entries[0].alg = g_tpm->cur_alg;
+        hl->entries[0].alg = cur_alg;
+ 
+         if ( !hash_buffer((const unsigned char *)cmdline, strlen(cmdline),
+-                    &hl->entries[0].hash, g_tpm->cur_alg) )
+                    &hl->entries[0].hash, cur_alg) )
+             return false;
+         /* hash image and extend into cmdline hash */
+         tb_hash_t img_hash;
+-        if ( !hash_buffer(base, size, &img_hash, g_tpm->cur_alg) )
+        if ( !hash_buffer(base, size, &img_hash, cur_alg) )
+             return false;
+-        if ( !extend_hash(&hl->entries[0].hash, &img_hash, g_tpm->cur_alg) )
+        if ( !extend_hash(&hl->entries[0].hash, &img_hash, cur_alg) )
+             return false;
+ 
+         break;
+@@ -633,7 +637,7 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
+     }
+ 
+     hash_list_t hl;
+-    if ( !hash_module(&hl, cmdline, base, size) ) {
+    if ( !hash_module(&hl, hash_alg, cmdline, base, size) ) {
+         printk(TBOOT_ERR"\t hash cannot be generated.\n");
+         return TB_ERR_MODULE_VERIFICATION_FAILED;
+     }
+@@ -657,6 +661,8 @@ static tb_error_t verify_module(module_t *module, tb_policy_entry_t *pol_entry,
+     if ( pol_entry != NULL &&
+          !is_hash_in_policy_entry(pol_entry, &hl.entries[0].hash, hash_alg) ) {
+         printk(TBOOT_ERR"\t verification failed\n");
+        print_hash(&hl.entries[0].hash, hash_alg);
+        print_hash(&pol_entry->hashes[0], hash_alg);
+         return TB_ERR_MODULE_VERIFICATION_FAILED;
+     }
+ 
+diff --git a/tboot/common/tpm_20.c b/tboot/common/tpm_20.c
+index 678a3d2..63ca9dd 100644
+--- a/tboot/common/tpm_20.c
+++ b/tboot/common/tpm_20.c
+@@ -1933,7 +1933,7 @@ static bool tpm20_nv_read(struct tpm_if *ti, uint32_t locality,
+ 
+     ret = _tpm20_nv_read(locality, &read_in, &read_out);
+     if ( ret != TPM_RC_SUCCESS ) {
+-        printk(TBOOT_WARN"TPM: read NV index %08x from offset %08x, return value = %08X\n",
+        printk(TBOOT_WARN"TPM 2.0: read NV index %08x from offset %08x, return value = %08X\n",
+                 index, offset, ret);
+         ti->error = ret;
+         return false;
+@@ -2273,8 +2273,9 @@ static bool tpm20_init(struct tpm_if *ti)
+     get_tboot_extpol();
+     if (info_list->capabilities.tpm_nv_index_set == 0){
+         /* init NV index */
+-        ti->tb_policy_index = 0x1200001;
+-        ti->lcp_own_index = 0x1400001;
+        ti->tb_policy_index = 0x1800001;
+        // ti->lcp_own_index = 0x1400001;
+        ti->lcp_own_index = 0x1c10131;
+         ti->tb_err_index = 0x1200002;
+         ti->sgx_svn_index = 0x01800004;
+     }
+-- 
+1.8.3.1
+
--- a/security/tboot/centos/srpm_path
+++ b/security/tboot/centos/srpm_path
@@ -0,0 +1 @@
+mirror:Source/tboot-1.9.5-1.el7.src.rpm
				`@@ -0,0 +1 @@`
				`mirror:Source/shim-signed-12-1.el7.centos.src.rpm`