head	1.2;
access;
symbols
	pkgsrc-2026Q2:1.2.0.2
	pkgsrc-2026Q2-base:1.2
	pkgsrc-2026Q1:1.1.0.12
	pkgsrc-2026Q1-base:1.1
	pkgsrc-2025Q4:1.1.0.10
	pkgsrc-2025Q4-base:1.1
	pkgsrc-2025Q3:1.1.0.8
	pkgsrc-2025Q3-base:1.1
	pkgsrc-2025Q2:1.1.0.6
	pkgsrc-2025Q2-base:1.1
	pkgsrc-2025Q1:1.1.0.4
	pkgsrc-2025Q1-base:1.1
	pkgsrc-2024Q4:1.1.0.2
	pkgsrc-2024Q4-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2026.05.05.10.21.46;	author jperkin;	state Exp;
branches;
next	1.1;
commitid	a6yLSk6GgF4jZBEG;

1.1
date	2024.12.09.13.48.40;	author ryoon;	state Exp;
branches;
next	;
commitid	zLlYxiu5Yc7JAPAF;


desc
@@


1.2
log
@swtpm: Portability, sysconfdir, and pkglint fixes.
@
text
@$NetBSD: patch-tests_sed-inplace,v 1.1 2024/12/09 13:48:40 ryoon Exp $

Support sed -i on more OS.

--- tests/sed-inplace.orig	2024-12-04 15:21:18.719762588 +0000
+++ tests/sed-inplace
@@@@ -1,6 +1,6 @@@@
 #!/usr/bin/env bash
 
-if [[ "$(uname -s)" =~ (Linux|CYGWIN_NT-) ]]; then
+if [[ "$(uname -s)" =~ (Linux|CYGWIN_NT-|BSD|SunOS) ]]; then
 	sed -i "$1" "$2"
 else
 	sed -i '' "$1" "$2"
@


1.1
log
@sysutils/swtpm: Update to 0.10.0

Changelog:
version 0.10.0:
   - swtpm:
     - Requires libtpms v0.10.0
     - Display tpmstate-opt-lock as a new capability
     - Add support for lock option parameter to tpmstate option
     - nvstore_linear: Add support for file-backend locking
     - Remove broken logic to check for neither dir nor file backend
     - Use ptm_cap_n to build PTM_GET_CAPABILITY response
     - Define a structure to return PTM_GET_CAPABILITY result
     - Implement --print-info to run TPMLIB_GetInfo with flags
     - Support --profile fd=<fd> to read profile from file descriptor
     - Support --profile file=<filename> to read profile from file
     - Ignore remove-disabled parameter on non-'custom' profile
     - Check for good entropy source in chroot environment
     - Implement a check for HMAC+sha1 for testing future restriction
     - Implement function to check whether a crypto algorithm is disabled
     - Print cmdarg-print-profiles as part of capabilities
     - Check whether SHA1 signature support is disabled in profile
     - Use TPMLIB_WasManufactured to check whether profile was applied
     - Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature)
     - Add support for --print-profiles option
     - Print profile names as part of capabilities JSON
     - Display new capability to allow setting a profile
     - Add support for --profile option to set a profile on TPM 2
   - swtpm_setup:
     - Comment flags for storage primary key and deprecate --create-spk
     - Implement --print-profiles to display all profile
     - Add profile entries to swtpm_setup.conf written by swtpm_setup
     - Add support for --profile-name option
     - Accept profiles with name starting with 'custom:'
     - Support default profile from file in swtpm_setup.conf
     - Support --profile-file-fd to read profile from file descriptor
     - Support --profile-file <file> to read profile from file
     - Always log the active profile
     - Implement --profile-remove-fips-disabled option
     - Read default profile from swtpm_setup.conf
     - Print profile names as part of capabilities JSON
     - Add support for --profile parameter
     - Get default rsa keysize from setup_setup.conf if not given
   - swtpm_ioctl:
     - Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
   - selinux:
     - Change write to append for appending to log
     - Add rule for logging to svirt_image_t labeled files from swtpm_t
   - tests:
     - Update IBMTSS2 test suite to v2.4.0
     - Test activation of PCR banks when not all are available
     - Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
     - Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
     - Consolidate custom profile test cases and check for StateFormatLevel
     - Convert test_samples_create_tpmca to run installed
     - Mention test_tpm2_libtpms_versions_profiles requiring env. variables
     - allow running ibmtss2 tests against installed version
     - Derive support for CUSE from SWTPM_EXE help screen
     - Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
     - Extend test case testing across libtpms versions
     - Add test case for testing profiles across libtpms versions
     - Test the --profile option of swtpm_setup and swtpm
     - teach them to run installed
     - add installed-runner.sh
     - install tests on the system
     - lookup system binaries if INSTALLED is set
   - build-sys:
     - enable 64-bit file API on 32-bit systems
     - Add -Wshadow to the CFLAGS
     - Require that libtpms v0.10 is available for TPMLIB_SetProfile
   - debian:
     - Add rule to allow usage of /var/tmp directory (QEMU)
     - Add rules for reading profiles from distro and local dirs
     - Allow non-owner file write access in /var/lib/libvirt/swtpm/
     - Add sys_admin capability to apparmor profile

version 0.9.0:
  Note: The SElinux policy for swtpm was completely redone. For systems
        with an SELinux policy the same policy (>= 40.17) as used in
        Fedora >= 40 is required due to changes in labels related to libvirt
        that made the re-development of the SELinux policy necessary.
  - swtpm:
    - Use umask() to create/truncated state file rather than fchmod()
    - Use fchmod to set mode bits provided by user
    - Replace mkstemp with g_mkstemp_full (Coverity)
    - fix typo in help message
    - cuse: Fix Coverity complaints regarding locks
    - Fix double free in error path
    - Close fd after main loop
    - Restore logging to stderr on log open failure
  - swtpm_setup:
    - Fail --pcr-banks without --tpm2
    - Fail --decryption or --allow-signing without --tpm2
    - Initialized @@argv in get_swtpm_capabilities()
    - Flush spk after persisting to create room for another key
    - Refactor duplicate code into swtpm_tpm2_write_cert_nvram
    - Move persisting of certificate into tpm2_persist_certificate
    - Pass key_type to function creating filename for key
    - Add scheme parameter before curveid to createprimary_ecc
    - Rename is_ek to preserve for future extension
    - Mask-out EK and plaform certificate flags and set cert_flags
    - Move common code into new function read_certificate_file()
    - Exit with '0' upon --version rather than '1'
    - Close file descriptors passed to swtpm process on parent side
    - Make stdout unbuffered
    - Use medium duration on TSC_PhysicalPresence to avoid timeouts
    - Add poll() after write() and before read() to detect errors
  - swtpm_localca:
    - Add support for up to 20 bytes serial numbers
    - Introduce --key as more generic alias for --ek
    - Add missing NULL option to end of array
    - Make stdout unbuffered
  - swtpm_cert:
    - Add support for serial numbers up to 20 bytes long
  - swtpm_ioctl:
    - Separate return code from flags
    - Repeatedly call PTM_GET_INFO for long responses
  - selinux:
    - Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
    - New SELinux policy that requires Fedora 40 or later
  - tests:
    - Fixed occurrences of stray '\' before '-'
    - Rearrange order of test cases to run some also as 'root'
    - Add tests for command line options and combinations of options
    - Add softhsm_setup to shellcheck'ed files and fix issues
    - Add missing 'exit 1' on unexpected file size on --reconfigure
    - Add test cases for swtpm_cert with max serial number
    - Fix spelling mistakes
    - reformat regexs for easier readability and extension
    - ibmtss2: Add patch to disable x509 test with older libtpms
    - Upgrade to ibmtss2 v2.0.1
    - Fixed several issues detected by shellcheck
  - build-sys:
    - Add support for --disable-tests to disable tests
    - Display GMP_LIBS and GMP_CFLAGS
    - Only display warning if pkg-config for gmp fails
    - Add gmp library and devel package as dependency
    - use PKG_CHECK_MODULES to check libtpms version
  - rpm:
    - Add gmp library and devel package as dependency
    - Split off SELinux files to build an selinux package
  - debian:
    - Sync AppArmor profile with what is used by Ubuntu
    - Add gmp library and devel package as dependency
    - Allow apparmor access to qemu session bus swtpm files

version 0.8.0:
  - swtpm:
    - Implement release-lock-outgoing parameter for --migration option
    - Introduce --migration option and 'incoming' parameter
    - Implement terminate parameter for ctrl channel loss
    - Add a chroot option
    - Introduce disable-auto-shutdown flag for --flags option
    - If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
    - Add some more recent syscalls to seccomp profile
    - Disable OpenSSL FIPS mode to avoid libtpms failures
    - Avoid locking directory multiple times
    - Remove support for pre-v0.1 state files without header
    - Use uint64_t in tlv_data_append() to avoid integer overflows
    - Use uint64_t to avoid integer wrap-around when adding a uint32_t
    - Do not chdir(/) when using --daemon
    - Check header size indicator against expected size (CVE-2022-23645)
    - Fixes for gcc 12.2.1 -fanalyzer
  - build-sys:
    - Fix configure script to support _FORTIFY_SOURCE=3
    - Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
  - swtpm-localca:
    - Re-implement variable resolution for swtpm-localca.conf
    - Test for available issuercert before creating CA
  - swtpm_setup:
    - Configure swtpm to log to stdout/err if needed (glib >=2.74)
  - tests:
    - Use ${WORKDIR} in config files to test env. var replacement
    - Patch IBM TSS2 test suite for OpenSSL 3.x
  - build-sys:
    - Add probing for -fstack-protector
@
text
@d1 3
a3 1
$NetBSD$
d11 1
a11 1
+if [[ "$(uname -s)" =~ (Linux|CYGWIN_NT-|BSD) ]]; then
@