swtpm (0.7.3-0ubuntu5.24.04.1) noble; urgency=medium

  * d/usr.bin.swtpm:
    - Add sys_admin capability to apparmor profile to allow access to kernel
      modules such as tpm_vtpm_proxy (LP: #2071478)
    - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
      apparmor denials when working with TPM2 locks (LP: #2072524)

 -- Lena Voytek <lena.voytek@canonical.com>  Tue, 30 Jul 2024 15:16:43 -0700

swtpm (0.7.3-0ubuntu5) noble; urgency=medium

  * Add patch to force the buildsystem to build with -D_FORTIFY_SOURCE=3

 -- Jeremy Bícha <jbicha@ubuntu.com>  Tue, 02 Apr 2024 15:18:02 -0400

swtpm (0.7.3-0ubuntu4) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- William Grant <wgrant@ubuntu.com>  Mon, 01 Apr 2024 19:21:09 +1100

swtpm (0.7.3-0ubuntu3) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Mar 2024 21:29:18 +0000

swtpm (0.7.3-0ubuntu2) mantic; urgency=medium

  * d/usr.bin.swtpm: Configure apparmor to grant access to relevant files in
    /run/user/<UID>/libvirt/qemu/run/swtpm/ when using the
    qemu:///session bus (LP: #2017874)

 -- Olivier Gayot <olivier.gayot@canonical.com>  Fri, 04 Aug 2023 11:10:37 +0200

swtpm (0.7.3-0ubuntu1) lunar; urgency=medium

  * New upstream release 0.7.3:
    - Bug fixes include:
      + Fix secure boot failure - TPM 2.0 not supported (LP: #2012028)
  * Add new debian/ files from upstream
    - d/clean: Clean man and gch files from source tree during build
    - d/not-installed: Do not install .la lib files with package
    - d/swtpm-libs.install: Install swtpm .so files with swtpm-libs package
  * d/rules: Add dh_clean and dh_makeshlibs overrides from upstream
  * d/swtpm-tools.install: Update installation of swtpm-tools files for 0.7
  * d/control: Remove unneeded dependencies for 0.7
  * Remove d/p/0001-Install-swtpm-localca-to-the-correct-path.patch as it is
    no longer needed to change swtpm-localca's path
  * d/p/no-autoconf-in-debian.patch: Refresh to clean fuzz
  * d/p/openssl-not-certtool.patch: Update and refresh to apply with 0.7

 -- Lena Voytek <lena.voytek@canonical.com>  Wed, 22 Mar 2023 14:03:19 -0700

swtpm (0.6.3-0ubuntu5) lunar; urgency=medium

  * d/usr.bin.swtpm: Allow swtpm to also access /run/libvirt/qemu/swtpm/*.pid
    files that it does not own (LP: #1989100)

 -- Lena Voytek <lena.voytek@canonical.com>  Mon, 24 Oct 2022 10:52:06 -0700

swtpm (0.6.3-0ubuntu4) kinetic; urgency=medium

  * d/usr.bin.swtpm: Update apparmor profile to match swtpm upstream
    In between adding the apparmor profile to Ubuntu and merging upstream,
    additional rules were used to cover more common use cases. (LP: #1992377)
    - The six capability lines fix the broken upstream unit test cases:
      test_ctrlchannel, test_vtpm_proxy, test_tpm2_file_permissions,
      test_tpm2_save_load_state_2_block, and test_tpm2_ctrlchannel2
    - owner @{HOME}/** rwk was added as using a folder in one's home directory
      is common for managing tpm states
    - Access in the tmp directory is further generalized as this is where swtpm
      interacts with qemu and libvirt
    - The ability to read from /etc/nsswitch.conf was added for vtpm proxy to
      work

 -- Lena Voytek <lena.voytek@canonical.com>  Tue, 11 Oct 2022 10:54:21 -0700

swtpm (0.6.3-0ubuntu3) jammy; urgency=medium

  * d/usr.bin.swtpm: Add additional apparmor rules
    - allow full interaction with libvirt (LP: #1968187)
    - add qemu socket rules (LP: #1968335)

 -- Lena Voytek <lena.voytek@canonical.com>  Tue, 12 Apr 2022 07:49:45 -0700

swtpm (0.6.3-0ubuntu2) jammy; urgency=medium

  * d/p/openssl-not-certtool.patch: do not use rnd file (LP: #1968131)
    RANDFILE isn't needed anymore in openssl and furthermore breaks many
    use cases here as HOME isn't resolved and therefore it accessed $CWD/.rnd
    which often ends up in places it isn't able to access the file.
    Thanks to Simon Deziel for the suggested fix!

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 07 Apr 2022 16:07:21 +0200

swtpm (0.6.3-0ubuntu1) jammy; urgency=medium

  * Update to the stable release v0.6.3 (LP: #1948748)
    - swtpm:
      + Do not chdir(/) when using --daemon
      + Check header size indicator against expected size (CVE-2022-23645)
    - swtpm-localca:
      + Re-implement variable resolution for swtpm-localca.conf
      + Test for available issuercert before creating CA
    - tests:
      + Use ${WORKDIR} in config files to test env. var replacement
    - man:
      + Add missing .config directory to path description when using ${HOME}
    - build-sys:
      + Add probing for -fstack-protector
      + configure: Fix typo TPM2 -> TMP2
    - swtpm_setup:
      + Report stderr as returned by external tool (swtpm-localca)
      + Fix exit code on error to be '1'.
  * d/usr.bin.swtpm: fix hang on unix sockets due to apparmor rules

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 22 Mar 2022 09:31:40 +0100

swtpm (0.6.1-0ubuntu6) jammy; urgency=medium

  * Add apparmor profile to swtpm (LP: #1950631)
    - d/usr.bin.swtpm: Create new apparmor profile
    - d/swtpm.install: Copy apparmor profile to /etc/apparmor.d/
    - d/rules: Deploy the swtpm apparmor profile
    - d/control: Add dh-apparmor as a dependency

 -- Lena Voytek <lena.voytek@canonical.com>  Fri, 18 Feb 2022 14:24:14 -0700

swtpm (0.6.1-0ubuntu5) jammy; urgency=medium

  * debian/patches/openssl-not-certtool.patch: Use traditional format
    output as expected by tests.
  * Set executable bit on debian/tests/run-tests.

 -- Dimitri John Ledkov <dimitri.ledkov@canonical.com>  Thu, 02 Dec 2021 17:54:13 +0000

swtpm (0.6.1-0ubuntu4) jammy; urgency=medium

  * debian/patches/openssl-not-certtool.patch: Use openssl at runtime,
    not certtool.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Nov 2021 13:16:42 -0700

swtpm (0.6.1-0ubuntu3) jammy; urgency=medium

  * Don't use the tss user for swtpm, this overloads a user already used for
    physical tpm ACLs.  LP: #1949060.
  * Add missing adduser dependency to swtpm-tools.
  * Add missing debhelper token to swtpm-tools.postinst.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 28 Oct 2021 05:47:30 -0700

swtpm (0.6.1-0ubuntu2) jammy; urgency=medium

  * Include packaging fixes from upstream to the postinst.
  * Drop tpm-udev dependency, not needed because we create the tss user
    ourselves now as needed.
  * Add autopkgtests.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 25 Oct 2021 20:52:45 -0700

swtpm (0.6.1-0ubuntu1) jammy; urgency=medium

  * Initial release, using packaging from upstream.
  * debian/patches/0001-Install-swtpm-localca-to-the-correct-path.patch:
    Install swtpm-localca to the correct path.
  * debian/patches/no-autoconf-in-debian.patch: don't modify debian
    directory from upstream configure script.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 24 Oct 2021 01:04:51 +0000
