Diffstat (limited to 'security/tpm2-abrmd/files')
-rw-r--r-- | security/tpm2-abrmd/files/patch-dist_tpm2-abrmd.conf | 22 | ||||
-rw-r--r-- | security/tpm2-abrmd/files/patch-src_response-sink.c | 11 | ||||
-rw-r--r-- | security/tpm2-abrmd/files/patch-src_tcti-tabrmd.c | 11 | ||||
-rw-r--r-- | security/tpm2-abrmd/files/patch-src_util.c | 11 | ||||
-rw-r--r-- | security/tpm2-abrmd/files/patch-src_util.h | 11 | ||||
-rw-r--r-- | security/tpm2-abrmd/files/tpm2-abrmd-devd.conf | 9 | ||||
-rw-r--r-- | security/tpm2-abrmd/files/tpm2_abrmd.in (renamed from security/tpm2-abrmd/files/tpm2-abrmd.in) | 0 |
7 files changed, 61 insertions, 14 deletions
diff --git a/security/tpm2-abrmd/files/patch-dist_tpm2-abrmd.conf b/security/tpm2-abrmd/files/patch-dist_tpm2-abrmd.conf index 755942458792..29c02ab9640d 100644 --- a/security/tpm2-abrmd/files/patch-dist_tpm2-abrmd.conf +++ b/security/tpm2-abrmd/files/patch-dist_tpm2-abrmd.conf @@ -1,25 +1,37 @@ --- dist/tpm2-abrmd.conf.orig 2022-05-09 15:39:53 UTC +++ dist/tpm2-abrmd.conf -@@ -2,7 +2,7 @@ +@@ -2,27 +2,25 @@ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> <busconfig> <!-- ../system.conf have denied everything, so we just punch some holes --> - <policy user="tss"> -+ <policy user="_tss"> - <allow own="com.intel.tss2.Tabrmd"/> - </policy> +- <allow own="com.intel.tss2.Tabrmd"/> +- </policy> +- <policy user="root"> +- <allow own="com.intel.tss2.Tabrmd"/> +- </policy> + <!-- Match /dev/tpmrm0 permissions tss tss 0660 --> <policy user="root"> -@@ -17,11 +17,11 @@ <allow send_destination="com.intel.tss2.Tabrmd"/> <allow receive_sender="com.intel.tss2.Tabrmd"/> ++ <allow own="com.intel.tss2.Tabrmd"/> + </policy> +- <policy group="root"> ++ <policy group="wheel"> + <allow send_destination="com.intel.tss2.Tabrmd"/> + <allow receive_sender="com.intel.tss2.Tabrmd"/> ++ <allow own="com.intel.tss2.Tabrmd"/> </policy> - <policy user="tss"> + <policy user="_tss"> <allow send_destination="com.intel.tss2.Tabrmd"/> <allow receive_sender="com.intel.tss2.Tabrmd"/> ++ <allow own="com.intel.tss2.Tabrmd"/> </policy> - <policy group="tss"> + <policy group="_tss"> <allow send_destination="com.intel.tss2.Tabrmd"/> <allow receive_sender="com.intel.tss2.Tabrmd"/> ++ <allow own="com.intel.tss2.Tabrmd"/> </policy> + </busconfig> diff --git a/security/tpm2-abrmd/files/patch-src_response-sink.c b/security/tpm2-abrmd/files/patch-src_response-sink.c new file mode 100644 index 000000000000..a54debd6835a --- /dev/null +++ b/security/tpm2-abrmd/files/patch-src_response-sink.c 
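Review bot: The rewritten policy adds `<allow own="com.intel.tss2.Tabrmd"/>` to the `group="wheel"` and `group="_tss"` blocks, so any member of either group may claim the broker's bus name, where the previous text granted `own` only to `user="_tss"` and `user="root"`. While the daemon is not running, a process that holds that name would receive the TPM commands clients send to it, which is why name ownership is normally limited to the service account (presumably `_tss` here). I would keep `own` in the `user="_tss"` and `user="root"` policies and leave the two group policies with only `send_destination` and `receive_sender`. The added comment `Match /dev/tpmrm0 permissions tss tss 0660` also names `tss` while the policies use `_tss`, and is worth aligning.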
@@ -0,0 +1,11 @@
+--- src/response-sink.c.orig 2025-02-22 21:59:15 UTC
++++ src/response-sink.c
+@@ -188,7 +188,7 @@ response_sink_process_response (Tpm2Response *response
+
+ g_debug ("%s: writing 0x%x bytes", __func__, size);
+ g_debug_bytes (buffer, size, 16, 4);
+- written = write_all (ostream, buffer, size);
++ written = g_write_all (ostream, buffer, size);
+ g_object_unref (connection);
+
+ return written;
diff --git a/security/tpm2-abrmd/files/patch-src_tcti-tabrmd.c b/security/tpm2-abrmd/files/patch-src_tcti-tabrmd.c
new file mode 100644
index 000000000000..4af7e9727b29
--- /dev/null
+++ b/security/tpm2-abrmd/files/patch-src_tcti-tabrmd.c
@@ -0,0 +1,11 @@
+--- src/tcti-tabrmd.c.orig 2025-02-22 21:59:15 UTC
++++ src/tcti-tabrmd.c
+@@ -46,7 +46,7 @@ tss2_tcti_tabrmd_transmit (TSS2_TCTI_CONTEXT *context,
+ g_debug_bytes (command, size, 16, 4);
+ ostream = g_io_stream_get_output_stream (TSS2_TCTI_TABRMD_IOSTREAM (context));
+ g_debug ("%s: blocking write on ostream", __func__);
+- write_ret = write_all (ostream, command, size);
++ write_ret = g_write_all (ostream, command, size);
+ /* should switch on possible errors to translate to TSS2 error codes */
+ switch (write_ret) {
+ case -1:
diff --git a/security/tpm2-abrmd/files/patch-src_util.c b/security/tpm2-abrmd/files/patch-src_util.c
new file mode 100644
index 000000000000..32c36126c75b
--- /dev/null
+++ b/security/tpm2-abrmd/files/patch-src_util.c
@@ -0,0 +1,11 @@
+--- src/util.c.orig 2025-02-22 21:59:15 UTC
++++ src/util.c
+@@ -68,7 +68,7 @@ ssize_t
+ /** Write as many of the size bytes from buf to fd as possible.
+ */
+ ssize_t
+-write_all (GOutputStream *ostream,
++g_write_all (GOutputStream *ostream,
+ const uint8_t *buf,
+ const size_t size)
+ {
diff --git a/security/tpm2-abrmd/files/patch-src_util.h b/security/tpm2-abrmd/files/patch-src_util.h
new file mode 100644
index 000000000000..2c8936779c7f
--- /dev/null
+++ b/security/tpm2-abrmd/files/patch-src_util.h
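Review bot: The new name `g_write_all` (defined in src/util.c, declared in src/util.h, called in src/response-sink.c and src/tcti-tabrmd.c) sits in the `g_` prefix that GLib and GIO use for their own symbols, and this code already builds against GIO (`GOutputStream`). That swaps one possible name clash for another if GLib ever exports a function of that name; a project-specific prefix such as `tabrmd_write_all` would avoid both. The patches do not say why the rename is needed, presumably a collision with another `write_all` on the platform, so a one-line explanation ahead of the `---` line in patch-src_util.c would help the next maintainer. Only the signature and the call sites are visible; the function body lies outside these hunks.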
@@ -0,0 +1,11 @@
+--- src/util.h.orig 2025-02-22 21:59:15 UTC
++++ src/util.h
+@@ -79,7 +79,7 @@ typedef TSS2_RC (*KeyValueFunc) (const key_value_t* ke
+ #define TPMA_CC_RES(attrs) (attrs.val & 0xc0000000)
+ */
+
+-ssize_t write_all (GOutputStream *ostream,
++ssize_t g_write_all (GOutputStream *ostream,
+ const uint8_t *buf,
+ const size_t size);
+ int read_data (GInputStream *istream,
diff --git a/security/tpm2-abrmd/files/tpm2-abrmd-devd.conf b/security/tpm2-abrmd/files/tpm2-abrmd-devd.conf
deleted file mode 100644
index f7f4091a25a5..000000000000
--- a/security/tpm2-abrmd/files/tpm2-abrmd-devd.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Allow members of _tss group to access tpm device
-
-notify 100 {
- match "system" "DEVFS";
- match "subsystem" "CDEV";
- match "type" "CREATE";
- match "cdev" "tpm[0-9]+";
- action "chgrp _tss /dev/tpm0; chmod g+rw /dev/tpm0";
-};
diff --git a/security/tpm2-abrmd/files/tpm2-abrmd.in b/security/tpm2-abrmd/files/tpm2_abrmd.in
index 62d61d98b1d6..62d61d98b1d6 100644
--- a/security/tpm2-abrmd/files/tpm2-abrmd.in
+++ b/security/tpm2-abrmd/files/tpm2_abrmd.in |