Release of v0.9.0

version 0.9.0:
Note: The SElinux policy for swtpm was completely redone. For systems
with an SELinux policy the same policy (>= 40.17) as used in
Fedora >= 40 is required due to changes in labels related to libvirt
that made the re-development of the SELinux policy necessary.

• swtpm:
  • Use umask() to create/truncated state file rather than fchmod()
  • Use fchmod to set mode bits provided by user
  • Replace mkstemp with g_mkstemp_full (Coverity)
  • fix typo in help message
  • cuse: Fix Coverity complaints regarding locks
  • Fix double free in error path
  • Close fd after main loop
  • Restore logging to stderr on log open failure
• swtpm_setup:
  • Fail --pcr-banks without --tpm2
  • Fail --decryption or --allow-signing without --tpm2
  • Initialized argv in get_swtpm_capabilities()
  • Flush spk after persisting to create room for another key
  • Refactor duplicate code into swtpm_tpm2_write_cert_nvram
  • Move persisting of certificate into tpm2_persist_certificate
  • Pass key_type to function creating filename for key
  • Add scheme parameter before curveid to createprimary_ecc
  • Rename is_ek to preserve for future extension
  • Mask-out EK and plaform certificate flags and set cert_flags
  • Move common code into new function read_certificate_file()
  • Exit with '0' upon --version rather than '1'
  • Close file descriptors passed to swtpm process on parent side
  • Make stdout unbuffered
  • Use medium duration on TSC_PhysicalPresence to avoid timeouts
  • Add poll() after write() and before read() to detect errors
• swtpm_localca:
  • Add support for up to 20 bytes serial numbers
  • Introduce --key as more generic alias for --ek
  • Add missing NULL option to end of array
  • Make stdout unbuffered
• swtpm_cert:
  • Add support for serial numbers up to 20 bytes long
• swtpm_ioctl:
  • Separate return code from flags
  • Repeatedly call PTM_GET_INFO for long responses
• selinux:
  • Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
  • New SELinux policy that requires Fedora 40 or later
• tests:
  • Fixed occurrences of stray '' before '-'
  • Rearrange order of test cases to run some also as 'root'
  • Add tests for command line options and combinations of options
  • Add softhsm_setup to shellcheck'ed files and fix issues
  • Add missing 'exit 1' on unexpected file size on --reconfigure
  • Add test cases for swtpm_cert with max serial number
  • Fix spelling mistakes
  • reformat regexs for easier readability and extension
  • ibmtss2: Add patch to disable x509 test with older libtpms
  • Upgrade to ibmtss2 v2.0.1
  • Fixed several issues detected by shellcheck
• build-sys:
  • Add support for --disable-tests to disable tests
  • Display GMP_LIBS and GMP_CFLAGS
  • Only display warning if pkg-config for gmp fails
  • Add gmp library and devel package as dependency
  • use PKG_CHECK_MODULES to check libtpms version
• rpm:
  • Add gmp library and devel package as dependency
  • Split off SELinux files to build an selinux package
• debian:
  • Sync AppArmor profile with what is used by Ubuntu
  • Add gmp library and devel package as dependency
  • Allow apparmor access to qemu session bus swtpm files

Release of v0.8.2

version 0.8.2:

• swtpm:
  • cuse: Lock file_ops_lock before reading tpm_running
• build-sys:
  • Add support for --disable-tests to disable tests

Release of v0.7.4

Version 0.7.4:

• swtpm:
  • Restore logging to stderr on log open failure
  • Disable OpenSSL FIPS mode to avoid libtpms failures
  • Avoid locking directory multiple times
• swtpm_setup:
  • Exit with '0' upon --version rather than '1'.
• swtpm_localca:
  • Add missing NULL option to end of array
• SELinux:
  • Add rules for user_tpm_t:sockfile to allow unlink
  • Add rules for sock_file on user_tmp_t

Release of v0.8.1

Version 0.8.1:

• swtpm:
  • Restore logging to stderr on log open failure
• swtpm_setup:
  • Exit with '0' upon --version rather than '1'.
  • Initialized @argv in get_swtpm_capabilities()
• swtpm_localca:
  • Add missing NULL option to end of array
• SELinux:
  • Add rules for user_tpm_t:sockfile to allow unlink
  • Add rules for sock_file on user_tmp_t
• debian: Allow apparmor access to qemu session bus swtpm files

Release of v0.8.0

version 0.8.0:

• swtpm:
  • Implement release-lock-outgoing parameter for --migration option
  • Introduce --migration option and 'incoming' parameter
  • Implement terminate parameter for ctrl channel loss
  • Add a chroot option
  • Introduce disable-auto-shutdown flag for --flags option
  • If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
  • Add some more recent syscalls to seccomp profile
  • Disable OpenSSL FIPS mode to avoid libtpms failures
  • Avoid locking directory multiple times
  • Remove support for pre-v0.1 state files without header
  • Use uint64_t in tlv_data_append() to avoid integer overflows
  • Use uint64_t to avoid integer wrap-around when adding a uint32_t
  • Do not chdir(/) when using --daemon
  • Check header size indicator against expected size (CVE-2022-23645)
  • Fixes for gcc 12.2.1 -fanalyzer
• build-sys:
  • Fix configure script to support _FORTIFY_SOURCE=3
  • Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
• swtpm-localca:
  • Re-implement variable resolution for swtpm-localca.conf
  • Test for available issuercert before creating CA
• swtpm_setup:
  • Configure swtpm to log to stdout/err if needed (glib >=2.74)
• tests:
  • Use ${WORKDIR} in config files to test env. var replacement
  • Patch IBM TSS2 test suite for OpenSSL 3.x
• build-sys:
  • Add probing for -fstack-protector

Release of v0.6.4

version 0.6.4:

• swtpm
  • Use uint64_t in tlv_data_append() to avoid integer overflows
  • Use uint64_t to avoid integer wrap-around when adding a uint32_t

Release of v0.7.3

version 0.7.3:

• swtpm:
  • Use uint64_t in tlv_data_append() to avoid integer overflows
  • Use uint64_t to avoid integer wrap-around when adding a uint32_t
• build-sys:
  • Fix configure script to support _FORTIFY_SOURCE=3
  • Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)

Release of v0.5.4

version 0.5.4:

• swtpm:
  • Do not chdir(/) when using --daemon

Release of v0.7.2

version 0.7.2:

• swtpm:
  • Do not chdir(/) when using --daemon
• swtpm-localca:
  • Re-implement variable resolution for swtpm-localca.conf
• tests:
  • Use ${WORKDIR} in config files to test env. var replacement
• man pages:
  • Add missing .config directory to path description when using ${HOME}
• build-sys:
  • Add probing for -fstack-protector

Release of v0.6.3

version 0.6.3:

• swtpm:
  • Do not chdir(/) when using --daemon
• swtpm-localca:
  • Re-implement variable resolution for swtpm-localca.conf
• tests:
  • Use ${WORKDIR} in config files to test env. var replacement
• man:
  • Add missing .config directory to path description when using ${HOME}
• build-sys:
  • Add probing for -fstack-protector
  • configure: Fix typo TPM2 -> TMP2