head	1.18;
access;
symbols
	pkgsrc-2026Q1:1.16.0.2
	pkgsrc-2026Q1-base:1.16
	pkgsrc-2025Q4:1.14.0.2
	pkgsrc-2025Q4-base:1.14
	pkgsrc-2025Q3:1.13.0.4
	pkgsrc-2025Q3-base:1.13
	pkgsrc-2025Q2:1.13.0.2
	pkgsrc-2025Q2-base:1.13
	pkgsrc-2025Q1:1.12.0.4
	pkgsrc-2025Q1-base:1.12
	pkgsrc-2024Q4:1.12.0.2
	pkgsrc-2024Q4-base:1.12
	pkgsrc-2024Q3:1.8.0.4
	pkgsrc-2024Q3-base:1.8
	pkgsrc-2024Q2:1.8.0.2
	pkgsrc-2024Q2-base:1.8
	pkgsrc-2024Q1:1.6.0.4
	pkgsrc-2024Q1-base:1.6
	pkgsrc-2023Q4:1.6.0.2
	pkgsrc-2023Q4-base:1.6
	pkgsrc-2023Q3:1.4.0.4
	pkgsrc-2023Q3-base:1.4
	pkgsrc-2023Q2:1.4.0.2
	pkgsrc-2023Q2-base:1.4
	pkgsrc-2023Q1:1.2.0.4
	pkgsrc-2023Q1-base:1.2
	pkgsrc-2022Q4:1.2.0.2
	pkgsrc-2022Q4-base:1.2
	pkgsrc-2022Q3:1.1.0.6
	pkgsrc-2022Q3-base:1.1
	pkgsrc-2022Q2:1.1.0.4
	pkgsrc-2022Q2-base:1.1
	pkgsrc-2022Q1:1.1.0.2
	pkgsrc-2022Q1-base:1.1;
locks; strict;
comment	@# @;


1.18
date	2026.05.14.16.42.11;	author ryoon;	state Exp;
branches;
next	1.17;
commitid	tKipFjQKzke3NNFG;

1.17
date	2026.05.05.10.21.45;	author jperkin;	state Exp;
branches;
next	1.16;
commitid	a6yLSk6GgF4jZBEG;

1.16
date	2026.02.06.10.05.58;	author wiz;	state Exp;
branches;
next	1.15;
commitid	MwQEYCXeWSFvIitG;

1.15
date	2026.01.07.08.48.59;	author wiz;	state Exp;
branches;
next	1.14;
commitid	1wQ3ICD8eebefrpG;

1.14
date	2025.10.23.20.39.27;	author wiz;	state Exp;
branches;
next	1.13;
commitid	1V2hBZn9ypXaCJfG;

1.13
date	2025.04.17.21.52.31;	author wiz;	state Exp;
branches;
next	1.12;
commitid	xcIXAVA292fk6sRF;

1.12
date	2024.12.09.13.48.39;	author ryoon;	state Exp;
branches;
next	1.11;
commitid	zLlYxiu5Yc7JAPAF;

1.11
date	2024.11.14.22.21.47;	author wiz;	state Exp;
branches;
next	1.10;
commitid	JmuDYqwL4erbdFxF;

1.10
date	2024.11.01.12.54.32;	author wiz;	state Exp;
branches;
next	1.9;
commitid	QB4Wk02mZPuBuWvF;

1.9
date	2024.11.01.00.53.45;	author wiz;	state Exp;
branches;
next	1.8;
commitid	QT27BdVP362gvSvF;

1.8
date	2024.05.29.16.34.32;	author adam;	state Exp;
branches;
next	1.7;
commitid	n8aFyEjEVZA0JUbF;

1.7
date	2024.05.16.06.15.36;	author wiz;	state Exp;
branches;
next	1.6;
commitid	kYKPUni8AkogJbaF;

1.6
date	2023.11.08.13.21.02;	author wiz;	state Exp;
branches;
next	1.5;
commitid	PsuHTklAIsF4bOLE;

1.5
date	2023.10.24.22.11.14;	author wiz;	state Exp;
branches;
next	1.4;
commitid	MTsrqKm6aGrQAVJE;

1.4
date	2023.06.06.12.42.23;	author riastradh;	state Exp;
branches;
next	1.3;
commitid	xhspr6Z8JLQOWSrE;

1.3
date	2023.04.19.08.11.34;	author adam;	state Exp;
branches;
next	1.2;
commitid	B8gCWhWtMX9vZGlE;

1.2
date	2022.10.26.10.32.01;	author wiz;	state Exp;
branches;
next	1.1;
commitid	PVFjlIYUKslkpdZD;

1.1
date	2022.02.05.03.13.12;	author ryoon;	state Exp;
branches;
next	;
commitid	CL4sQbBclArnrnrD;


desc
@@


1.18
log
@*: Recursive revbump from security/nettle-4.0
@
text
@# $NetBSD: Makefile,v 1.17 2026/05/05 10:21:45 jperkin Exp $

DISTNAME=	swtpm-0.10.0
PKGREVISION=	5
CATEGORIES=	sysutils
MASTER_SITES=	${MASTER_SITE_GITHUB:=stefanberger/}
GITHUB_PROJECT=	swtpm
GITHUB_TAG=	v${PKGVERSION_NOREV}

MAINTAINER=	ryoon@@NetBSD.org
HOMEPAGE=	https://github.com/stefanberger/swtpm/
COMMENT=	Software TPM (Trusted Platform Module) emulator
LICENSE=	modified-bsd

TOOL_DEPENDS+=		tcl-expect-[0-9]*:../../lang/tcl-expect
TOOL_DEPENDS+=		socat-[0-9]*:../../net/socat

SUBST_CLASSES+=		varbase
SUBST_STAGE.varbase=	pre-configure
SUBST_MESSAGE.varbase=	Use VARBASE
SUBST_FILES.varbase+=	configure.ac
SUBST_VARS.varbase=	VARBASE

BUILD_DEFS+=		VARBASE

USE_LANGUAGES+=		c

# Strip -Werror from the compiler flags to avoid `error: 'saved_stack.30' may be used uninitialized in this function [-Werror=maybe-uninitialized]` or similar errors; the diagnostics then presumably surface as warnings and are worth reading, since this builds a TPM emulator.
BUILDLINK_TRANSFORM+=	rm:-Werror

CPPFLAGS.SunOS+=	-D__EXTENSIONS__ -D_XOPEN_SOURCE=600
LDFLAGS.SunOS+=		-lsocket -lnsl

USE_LIBTOOL=		yes
USE_TOOLS=		automake bash gawk gmake gsed pkg-config
GNU_CONFIGURE=		yes
CONFIGURE_SCRIPT=	autogen.sh
CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR:Q}
CONFIGURE_ARGS+=	--without-cuse
CONFIGURE_ARGS+=	--with-tss-user=${REAL_ROOT_USER}
CONFIGURE_ARGS+=	--with-tss-group=${REAL_ROOT_GROUP}
# Avoid `error: stack protector not protecting local variables: variable length buffer [-Werror=stack-protector]` errors. NOTE(review): this turns off upstream's configure-time hardening for a security-sensitive TPM emulator, so whatever stack-protector/FORTIFY/RELRO-style coverage is wanted has to come from pkgsrc-level settings (e.g. PKGSRC_USE_SSP) - confirm, and re-check whether the switch is still needed given that -Werror is already stripped via BUILDLINK_TRANSFORM.
CONFIGURE_ARGS+=	--disable-hardening
CONFIGURE_ARGS+=	--disable-tests

REPLACE_BASH+=		samples/*
REPLACE_BASH+=		tests/*

EGDIR=		${PREFIX}/share/examples/swtpm
CONF_FILES+=	${EGDIR}/swtpm-localca.conf \
		${PKG_SYSCONFDIR}/swtpm-localca.conf
CONF_FILES+=	${EGDIR}/swtpm-localca.options \
		${PKG_SYSCONFDIR}/swtpm-localca.options
CONF_FILES+=	${EGDIR}/swtpm_setup.conf \
		${PKG_SYSCONFDIR}/swtpm_setup.conf

OWN_DIRS_PERMS+=	${VARBASE}/lib/swtpm-localca \
			${REAL_ROOT_USER} ${REAL_ROOT_GROUP} 0755

post-install:
	# Do not install tests.
	${RM} -rf ${DESTDIR}${PREFIX}/libexec

.include "../../security/gnutls/buildlink3.mk"
.include "../../security/libtasn1/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
.include "../../sysutils/libtpms/buildlink3.mk"
.include "../../textproc/json-glib/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
@


1.17
log
@swtpm: Portability, sysconfdir, and pkglint fixes.
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.16 2026/02/06 10:05:58 wiz Exp $
d4 1
a4 1
PKGREVISION=	4
@


1.16
log
@*: recursive bump for nettle 4.0 shlib major bump
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.15 2026/01/07 08:48:59 wiz Exp $
a2 2
GITHUB_PROJECT=	swtpm
GITHUB_TAG=	v${PKGVERSION_NOREV}
d7 2
d31 3
d38 1
@


1.15
log
@*: recursive bump for icu 78.1
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.14 2025/10/23 20:39:27 wiz Exp $
d6 1
a6 1
PKGREVISION=	3
@


1.14
log
@*: recursive bump for pcre2

Running an old binary against the new pcre doesn't work:
/usr/pkg/lib/libpcre2-8.so.0: version PCRE2_10.47 required by /usr/pkg/lib/libglib-2.0.so.0 not defined
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.13 2025/04/17 21:52:31 wiz Exp $
d6 1
a6 1
PKGREVISION=	2
@


1.13
log
@*: recursive bump for icu 77 and libxml2 2.14
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.12 2024/12/09 13:48:39 ryoon Exp $
d6 1
a6 1
PKGREVISION=	1
@


1.12
log
@sysutils/swtpm: Update to 0.10.0

Changelog:
version 0.10.0:
   - swtpm:
     - Requires libtpms v0.10.0
     - Display tpmstate-opt-lock as a new capability
     - Add support for lock option parameter to tpmstate option
     - nvstore_linear: Add support for file-backend locking
     - Remove broken logic to check for neither dir nor file backend
     - Use ptm_cap_n to build PTM_GET_CAPABILITY response
     - Define a structure to return PTM_GET_CAPABILITY result
     - Implement --print-info to run TPMLIB_GetInfo with flags
     - Support --profile fd=<fd> to read profile from file descriptor
     - Support --profile file=<filename> to read profile from file
     - Ignore remove-disabled parameter on non-'custom' profile
     - Check for good entropy source in chroot environment
     - Implement a check for HMAC+sha1 for testing future restriction
     - Implement function to check whether a crypto algorithm is disabled
     - Print cmdarg-print-profiles as part of capabilities
     - Check whether SHA1 signature support is disabled in profile
     - Use TPMLIB_WasManufactured to check whether profile was applied
     - Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature)
     - Add support for --print-profiles option
     - Print profile names as part of capabilities JSON
     - Display new capability to allow setting a profile
     - Add support for --profile option to set a profile on TPM 2
   - swtpm_setup:
     - Comment flags for storage primary key and deprecate --create-spk
     - Implement --print-profiles to display all profile
     - Add profile entries to swtpm_setup.conf written by swtpm_setup
     - Add support for --profile-name option
     - Accept profiles with name starting with 'custom:'
     - Support default profile from file in swtpm_setup.conf
     - Support --profile-file-fd to read profile from file descriptor
     - Support --profile-file <file> to read profile from file
     - Always log the active profile
     - Implement --profile-remove-fips-disabled option
     - Read default profile from swtpm_setup.conf
     - Print profile names as part of capabilities JSON
     - Add support for --profile parameter
     - Get default rsa keysize from setup_setup.conf if not given
   - swtpm_ioctl:
     - Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
   - selinux:
     - Change write to append for appending to log
     - Add rule for logging to svirt_image_t labeled files from swtpm_t
   - tests:
     - Update IBMTSS2 test suite to v2.4.0
     - Test activation of PCR banks when not all are available
     - Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
     - Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
     - Consolidate custom profile test cases and check for StateFormatLevel
     - Convert test_samples_create_tpmca to run installed
     - Mention test_tpm2_libtpms_versions_profiles requiring env. variables
     - allow running ibmtss2 tests against installed version
     - Derive support for CUSE from SWTPM_EXE help screen
     - Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
     - Extend test case testing across libtpms versions
     - Add test case for testing profiles across libtpms versions
     - Test the --profile option of swtpm_setup and swtpm
     - teach them to run installed
     - add installed-runner.sh
     - install tests on the system
     - lookup system binaries if INSTALLED is set
   - build-sys:
     - enable 64-bit file API on 32-bit systems
     - Add -Wshadow to the CFLAGS
     - Require that libtpms v0.10 is available for TPMLIB_SetProfile
   - debian:
     - Add rule to allow usage of /var/tmp directory (QEMU)
     - Add rules for reading profiles from distro and local dirs
     - Allow non-owner file write access in /var/lib/libvirt/swtpm/
     - Add sys_admin capability to apparmor profile

version 0.9.0:
  Note: The SElinux policy for swtpm was completely redone. For systems
        with an SELinux policy the same policy (>= 40.17) as used in
        Fedora >= 40 is required due to changes in labels related to libvirt
        that made the re-development of the SELinux policy necessary.
  - swtpm:
    - Use umask() to create/truncated state file rather than fchmod()
    - Use fchmod to set mode bits provided by user
    - Replace mkstemp with g_mkstemp_full (Coverity)
    - fix typo in help message
    - cuse: Fix Coverity complaints regarding locks
    - Fix double free in error path
    - Close fd after main loop
    - Restore logging to stderr on log open failure
  - swtpm_setup:
    - Fail --pcr-banks without --tpm2
    - Fail --decryption or --allow-signing without --tpm2
    - Initialized @@argv in get_swtpm_capabilities()
    - Flush spk after persisting to create room for another key
    - Refactor duplicate code into swtpm_tpm2_write_cert_nvram
    - Move persisting of certificate into tpm2_persist_certificate
    - Pass key_type to function creating filename for key
    - Add scheme parameter before curveid to createprimary_ecc
    - Rename is_ek to preserve for future extension
    - Mask-out EK and platform certificate flags and set cert_flags
    - Move common code into new function read_certificate_file()
    - Exit with '0' upon --version rather than '1'
    - Close file descriptors passed to swtpm process on parent side
    - Make stdout unbuffered
    - Use medium duration on TSC_PhysicalPresence to avoid timeouts
    - Add poll() after write() and before read() to detect errors
  - swtpm_localca:
    - Add support for up to 20 bytes serial numbers
    - Introduce --key as more generic alias for --ek
    - Add missing NULL option to end of array
    - Make stdout unbuffered
  - swtpm_cert:
    - Add support for serial numbers up to 20 bytes long
  - swtpm_ioctl:
    - Separate return code from flags
    - Repeatedly call PTM_GET_INFO for long responses
  - selinux:
    - Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
    - New SELinux policy that requires Fedora 40 or later
  - tests:
    - Fixed occurrences of stray '\' before '-'
    - Rearrange order of test cases to run some also as 'root'
    - Add tests for command line options and combinations of options
    - Add softhsm_setup to shellcheck'ed files and fix issues
    - Add missing 'exit 1' on unexpected file size on --reconfigure
    - Add test cases for swtpm_cert with max serial number
    - Fix spelling mistakes
    - reformat regexs for easier readability and extension
    - ibmtss2: Add patch to disable x509 test with older libtpms
    - Upgrade to ibmtss2 v2.0.1
    - Fixed several issues detected by shellcheck
  - build-sys:
    - Add support for --disable-tests to disable tests
    - Display GMP_LIBS and GMP_CFLAGS
    - Only display warning if pkg-config for gmp fails
    - Add gmp library and devel package as dependency
    - use PKG_CHECK_MODULES to check libtpms version
  - rpm:
    - Add gmp library and devel package as dependency
    - Split off SELinux files to build an selinux package
  - debian:
    - Sync AppArmor profile with what is used by Ubuntu
    - Add gmp library and devel package as dependency
    - Allow apparmor access to qemu session bus swtpm files

version 0.8.0:
  - swtpm:
    - Implement release-lock-outgoing parameter for --migration option
    - Introduce --migration option and 'incoming' parameter
    - Implement terminate parameter for ctrl channel loss
    - Add a chroot option
    - Introduce disable-auto-shutdown flag for --flags option
    - If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
    - Add some more recent syscalls to seccomp profile
    - Disable OpenSSL FIPS mode to avoid libtpms failures
    - Avoid locking directory multiple times
    - Remove support for pre-v0.1 state files without header
    - Use uint64_t in tlv_data_append() to avoid integer overflows
    - Use uint64_t to avoid integer wrap-around when adding a uint32_t
    - Do not chdir(/) when using --daemon
    - Check header size indicator against expected size (CVE-2022-23645)
    - Fixes for gcc 12.2.1 -fanalyzer
  - build-sys:
    - Fix configure script to support _FORTIFY_SOURCE=3
    - Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
  - swtpm-localca:
    - Re-implement variable resolution for swtpm-localca.conf
    - Test for available issuercert before creating CA
  - swtpm_setup:
    - Configure swtpm to log to stdout/err if needed (glib >=2.74)
  - tests:
    - Use ${WORKDIR} in config files to test env. var replacement
    - Patch IBM TSS2 test suite for OpenSSL 3.x
  - build-sys:
    - Add probing for -fstack-protector
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.11 2024/11/14 22:21:47 wiz Exp $
d6 1
@


1.11
log
@*: recursive bump for icu 76 shlib major version bump
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.10 2024/11/01 12:54:32 wiz Exp $
d5 1
a5 2
DISTNAME=	swtpm-0.7.0
PKGREVISION=	9
d31 1
a31 1
USE_TOOLS=		automake bash gawk gmake pkg-config
d39 1
d42 1
d55 4
@


1.10
log
@*: revbump for icu downgrade
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.9 2024/11/01 00:53:45 wiz Exp $
d6 1
a6 1
PKGREVISION=	8
@


1.9
log
@*: recursive bump for icu 76.1 shlib bump
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.8 2024/05/29 16:34:32 adam Exp $
d6 1
a6 1
PKGREVISION=	7
@


1.8
log
@revbump after icu and protobuf updates
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.7 2024/05/16 06:15:36 wiz Exp $
d6 1
a6 1
PKGREVISION=	6
@


1.7
log
@*: recursive bump for gnutls p11-kit option

(existing installations need the bl3.mk included, but it's now only
optionally included)
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.6 2023/11/08 13:21:02 wiz Exp $
d6 1
a6 1
PKGREVISION=	5
@


1.6
log
@*: recursive bump for icu 74.1
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.5 2023/10/24 22:11:14 wiz Exp $
d6 1
a6 1
PKGREVISION=	4
@


1.5
log
@*: bump for openssl 3
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.4 2023/06/06 12:42:23 riastradh Exp $
d6 1
a6 1
PKGREVISION=	3
@


1.4
log
@Mass-change BUILD_DEPENDS to TOOL_DEPENDS outside mk/.

Almost all uses, if not all of them, are wrong, according to the
semantics of BUILD_DEPENDS (packages built for target available for
use _by_ tools at build-time) and TOOL_DEPENDS (packages built for
host available for use _as_ tools at build-time).

No change to BUILD_DEPENDS as used correctly inside buildlink3.

As proposed on tech-pkg:
https://mail-index.netbsd.org/tech-pkg/2023/06/03/msg027632.html
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.3 2023/04/19 08:11:34 adam Exp $
d6 1
a6 1
PKGREVISION=	2
@


1.3
log
@revbump after textproc/icu update
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.2 2022/10/26 10:32:01 wiz Exp $
d15 2
a16 2
BUILD_DEPENDS+=		tcl-expect-[0-9]*:../../lang/tcl-expect
BUILD_DEPENDS+=		socat-[0-9]*:../../net/socat
@


1.2
log
@*: bump PKGREVISION for libunistring shlib major bump
@
text
@d1 1
a1 1
# $NetBSD: Makefile,v 1.1 2022/02/05 03:13:12 ryoon Exp $
d6 1
a6 1
PKGREVISION=	1
@


1.1
log
@sysutils/swtpm: import swtpm-0.7.0

The SWTPM package provides TPM emulators with different front-end interfaces
to libtpms. TPM emulators provide socket interfaces (TCP/IP and Unix) and
the Linux CUSE interface for the creation of multiple native /dev/vtpm* devices.

The SWTPM package also provides several tools for using the TPM emulator,
creating certificates for a TPM, and simulating the manufacturing of
a TPM by creating a TPM's EK and platform certificates etc.
@
text
@d1 1
a1 1
# $NetBSD$
d6 1
@

