[swtpm.git] / src / swtpm_setup / swtpm_setup.c

/* SPDX-License-Identifier: BSD-3-Clause */
/*
 * swtpm_setup.c: Tool to simulate TPM 1.2 & TPM 2 manufacturing
 *
 * Author: Stefan Berger, stefanb@linux.ibm.com
 *
 * Copyright (c) IBM Corporation, 2021
 */

#include "config.h"

#include <errno.h>
#include <getopt.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <glib.h>
#include <glib/gstdio.h>
#include <glib/gprintf.h>

#include <glib-object.h>
#include <json-glib/json-glib.h>

#include <libtpms/tpm_nvfilename.h>

#include "swtpm.h"
#include "swtpm_setup_conf.h"
#include "swtpm_setup_utils.h"
#include "swtpm_utils.h"

#include <openssl/sha.h>

/* default values for passwords */
#define DEFAULT_OWNER_PASSWORD "ooo"
#define DEFAULT_SRK_PASSWORD   "sss"

#define SETUP_CREATE_EK_F           (1 << 0)
#define SETUP_TAKEOWN_F             (1 << 1)
#define SETUP_EK_CERT_F             (1 << 2)
#define SETUP_PLATFORM_CERT_F       (1 << 3)
#define SETUP_LOCK_NVRAM_F          (1 << 4)
#define SETUP_SRKPASS_ZEROS_F       (1 << 5)
#define SETUP_OWNERPASS_ZEROS_F     (1 << 6)
#define SETUP_STATE_OVERWRITE_F     (1 << 7)
#define SETUP_STATE_NOT_OVERWRITE_F (1 << 8)
#define SETUP_TPM2_F                (1 << 9)
#define SETUP_ALLOW_SIGNING_F       (1 << 10)
#define SETUP_TPM2_ECC_F            (1 << 11)
#define SETUP_CREATE_SPK_F          (1 << 12)
#define SETUP_DISPLAY_RESULTS_F     (1 << 13)
#define SETUP_DECRYPTION_F          (1 << 14)
#define SETUP_WRITE_EK_CERT_FILES_F (1 << 15)

/* default configuration file */
#define SWTPM_SETUP_CONF "swtpm_setup.conf"

/* Default logging goes to stderr */
gchar *gl_LOGFILE = NULL;

#define DEFAULT_RSA_KEYSIZE 2048


static const struct flag_to_certfile {
    unsigned long flag;
    const char *filename;
    const char *type;
} flags_to_certfiles[] = {
    {.flag = SETUP_EK_CERT_F      , .filename = "ek.cert",       .type = "ek" },
    {.flag = SETUP_PLATFORM_CERT_F, .filename = "platform.cert", .type = "platform" },
    {.flag = 0,                     .filename = NULL,            .type = NULL},
};

/* initialize the path of the config_file */
static int init(gchar **config_file)
{
    const gchar *configdir = g_get_user_config_dir();

    *config_file = g_build_filename(configdir, SWTPM_SETUP_CONF, NULL);
    if (access(*config_file, R_OK) != 0) {
        g_free(*config_file);
        *config_file = g_build_filename(SYSCONFDIR, SWTPM_SETUP_CONF, NULL);
    }

    return 0;
}

/* Get the spec and attributes parameters from swtpm */
static int tpm_get_specs_and_attributes(struct swtpm *swtpm, gchar ***params)
{
    int ret;
    g_autofree gchar *json = NULL;
    JsonParser *jp = NULL;
    GError *error = NULL;
    JsonReader *jr = NULL;
    JsonNode *root;
    static const struct parse_rule {
         const char *node1;
         const char *node2;
         gboolean is_int;
         const char *optname;
    } parser_rules[7] = {
         {"TPMSpecification", "family", FALSE, "--tpm-spec-family"},
         {"TPMSpecification", "level", TRUE, "--tpm-spec-level"},
         {"TPMSpecification", "revision", TRUE, "--tpm-spec-revision"},
         {"TPMAttributes", "manufacturer", FALSE, "--tpm-manufacturer"},
         {"TPMAttributes", "model", FALSE, "--tpm-model"},
         {"TPMAttributes", "version", FALSE, "--tpm-version"},
         {NULL, NULL, FALSE, NULL},
    };
    size_t idx;

    ret = swtpm->cops->ctrl_get_tpm_specs_and_attrs(swtpm, &json);
    if (ret != 0) {
        logerr(gl_LOGFILE, "Could not get the TPM spec and attribute parameters.\n");
        return 1;
    }

    jp = json_parser_new();

    if (!json_parser_load_from_data(jp, json, -1, &error)) {
        logerr(gl_LOGFILE, "JSON parser failed: %s\n", error->message);
        g_error_free(error);
        goto error;
    }

    *params = NULL;
    root = json_parser_get_root(jp);

    for (idx = 0; parser_rules[idx].node1 != NULL; idx++) {
        jr = json_reader_new(root);
        if (json_reader_read_member(jr, parser_rules[idx].node1) &&
            json_reader_read_member(jr, parser_rules[idx].node2)) {
            gchar *str;

            if (parser_rules[idx].is_int)
                str = g_strdup_printf("%ld", (long)json_reader_get_int_value(jr));
            else
                str = g_strdup(json_reader_get_string_value(jr));

            *params = concat_arrays(*params,
                                    (gchar*[]){
                                        g_strdup(parser_rules[idx].optname),
                                        str,
                                        NULL
                                    }, TRUE);
        } else {
            logerr(gl_LOGFILE, "Could not find [%s][%s] in '%s'\n",
                   parser_rules[idx].node1, parser_rules[idx].node2, json);
            ret = 1;
            break;
        }
        g_object_unref(jr);
        jr = NULL;
    }

    if (ret) {
        g_strfreev(*params);
        *params = NULL;
        g_object_unref(jr);
    }
error:
    g_object_unref(jp);

    return ret;
}

/* Call an external tool to create the certificates */
static int call_create_certs(unsigned long flags, const gchar *configfile, const gchar *certsdir,
                             const gchar *ekparam, const gchar *vmid, struct swtpm *swtpm)
{
    gchar **config_file_lines = NULL; /* must free */
    g_autofree gchar *create_certs_tool = NULL;
    g_autofree gchar *create_certs_tool_config = NULL;
    g_autofree gchar *create_certs_tool_options = NULL;
    g_autofree gchar **cmd = NULL;
    gchar **params = NULL; /* must free */
    g_autofree gchar *prgname = NULL;
    gboolean success;
    gint exit_status;
    size_t idx, j;
    gchar *s;
    int ret;

    ret = tpm_get_specs_and_attributes(swtpm, &params);
    if (ret != 0)
        goto error;

    ret = read_file_lines(configfile, &config_file_lines);
    if (ret != 0)
        goto error;

    create_certs_tool = get_config_value(config_file_lines, "create_certs_tool");
    create_certs_tool_config = get_config_value(config_file_lines, "create_certs_tool_config");
    create_certs_tool_options = get_config_value(config_file_lines, "create_certs_tool_options");

    ret = 0;

    if (create_certs_tool != NULL) {
        g_autofree gchar *create_certs_tool_path = g_find_program_in_path(create_certs_tool);
        if (create_certs_tool_path == NULL) {
            logerr(gl_LOGFILE, "Could not find %s in PATH.\n", create_certs_tool);
            ret = 1;
            goto error;
        }

        if (flags & SETUP_TPM2_F) {
            params = concat_arrays(params,
                                (gchar*[]){
                                    g_strdup("--tpm2"),
                                    NULL
                                }, TRUE);
        }
        cmd = concat_arrays((gchar*[]) {
                                create_certs_tool_path,
                                "--type", "_",  /* '_' must be at index '2' ! */
                                "--ek", (gchar *)ekparam,
                                "--dir", (gchar *)certsdir,
                                NULL
                            }, NULL, FALSE);
        if (gl_LOGFILE != NULL)
            cmd = concat_arrays(cmd, (gchar*[]){"--logfile", (gchar *)gl_LOGFILE, NULL}, TRUE);
        if (vmid != NULL)
            cmd = concat_arrays(cmd, (gchar*[]){"--vmid", (gchar *)vmid, NULL}, TRUE);
        cmd = concat_arrays(cmd, params, TRUE);
        if (create_certs_tool_config != NULL)
            cmd = concat_arrays(cmd, (gchar*[]){"--configfile", create_certs_tool_config, NULL}, TRUE);
        if (create_certs_tool_options != NULL)
            cmd = concat_arrays(cmd, (gchar*[]){"--optsfile", create_certs_tool_options, NULL}, TRUE);

        s = g_strrstr(create_certs_tool, G_DIR_SEPARATOR_S);
        if (s)
            prgname = strdup(&s[1]);
        else
            prgname = strdup(create_certs_tool);

        for (idx = 0; flags_to_certfiles[idx].filename != NULL; idx++) {
            if (flags & flags_to_certfiles[idx].flag) {
                g_autofree gchar *standard_output = NULL;
                g_autofree gchar *standard_error = NULL;
                GError *error = NULL;
                gchar **lines;

                cmd[2] = (gchar *)flags_to_certfiles[idx].type; /* replaces the "_" above */

                s = g_strjoinv(" ", cmd);
                logit(gl_LOGFILE, "  Invoking %s\n", s);
                g_free(s);

                success = g_spawn_sync(NULL, cmd, NULL, 0, NULL, NULL,
                                       &standard_output, &standard_error, &exit_status, &error);
                if (!success) {
                    logerr(gl_LOGFILE, "An error occurred running %s: %s\n",
                           create_certs_tool, error->message);
                    g_error_free(error);
                    ret = 1;
                    break;
                } else if (exit_status != 0) {
                    logerr(gl_LOGFILE, "%s exit with status %d: %s\n",
                           prgname, WEXITSTATUS(exit_status), standard_error);
                    ret = 1;
                    break;
                }

                lines = g_strsplit(standard_output, "\n", -1);
                for (j = 0; lines[j] != NULL; j++) {
                    if (strlen(lines[j]) > 0)
                        logit(gl_LOGFILE, "%s: %s\n", prgname, lines[j]);
                }
                g_strfreev(lines);

                g_free(standard_output);
                standard_output = NULL;
                g_free(standard_error);
                standard_error = NULL;
            }
        }
    }

error:
    g_strfreev(config_file_lines);
    g_strfreev(params);

    return ret;
}

static char *create_ek_certfile_name(const gchar *user_certsdir, const gchar *key_description)
{
    g_autofree gchar *filename = g_strdup_printf("ek-%s.crt", key_description);

    return g_strjoin(G_DIR_SEPARATOR_S, user_certsdir, filename, NULL);
}

/*
 * Remove the cert file unless the user wants a copy of it (EK only).
 */
static int certfile_move_or_delete(unsigned long flags, gboolean is_ek, const gchar *certfile,
                                   const gchar *user_certsdir, const gchar *key_description)
{
    g_autofree gchar *content = NULL;
    g_autofree gchar *cf = NULL;
    gsize content_length;
    GError *error = NULL;
    size_t offset = 0;

    if (is_ek && (flags & SETUP_WRITE_EK_CERT_FILES_F) && user_certsdir != NULL) {
        if (!g_file_get_contents(certfile, &content, &content_length, &error))
            goto error;

        cf = create_ek_certfile_name(user_certsdir, key_description);
        if (!(flags & SETUP_TPM2_F)) {
            /* A TPM 1.2 certificate has a 7 byte header at the beginning
             * that we now remove */
            if (content_length >= 8)
                offset = 7;
        }
        if (!g_file_set_contents(cf, &content[offset], content_length - offset,
                                 &error))
            goto error;
        if (g_chmod(cf, S_IRUSR | S_IWUSR | S_IRGRP) < 0) {
            logerr(gl_LOGFILE, "Failed to chmod file '%s': %s\n", cf, strerror(errno));
            goto error_unlink;
        }
    }
    unlink(certfile);

    return 0;

error:
    logerr(gl_LOGFILE, "%s\n", error->message);
    g_error_free(error);

error_unlink:
    unlink(certfile);

    return 1;
}

/* Create EK and certificate for a TPM 2 */
static int tpm2_create_ek_and_cert(unsigned long flags, const gchar *config_file,
                                   const gchar *certsdir, const gchar *vmid,
                                   unsigned int rsa_keysize, struct swtpm2 *swtpm2,
                                   const gchar *user_certsdir)
{
    g_autofree gchar *filecontent = NULL;
    size_t filecontent_len;
    g_autofree gchar *certfile = NULL;
    g_autofree gchar *ekparam = NULL;
    const char *key_description;
    size_t idx;
    int ret;

    if (flags & SETUP_CREATE_EK_F) {
        ret = swtpm2->ops->create_ek(&swtpm2->swtpm, !!(flags & SETUP_TPM2_ECC_F), rsa_keysize,
                                     !!(flags & SETUP_ALLOW_SIGNING_F),
                                     !!(flags & SETUP_DECRYPTION_F),
                                     !!(flags & SETUP_LOCK_NVRAM_F),
                                     &ekparam, &key_description);
        if (ret != 0)
            return 1;
    }

    if (flags & (SETUP_EK_CERT_F | SETUP_PLATFORM_CERT_F)) {
        ret = call_create_certs(flags, config_file, certsdir, ekparam, vmid, &swtpm2->swtpm);
        if (ret != 0)
            return 1;

        for (idx = 0; flags_to_certfiles[idx].filename; idx++) {
            if (flags & flags_to_certfiles[idx].flag) {
                g_free(certfile);
                certfile = g_strjoin(G_DIR_SEPARATOR_S, certsdir, flags_to_certfiles[idx].filename, NULL);

                g_free(filecontent);
                filecontent = NULL;
                ret = read_file(certfile, &filecontent, &filecontent_len);
                if (ret != 0)
                    return 1;

                if (flags_to_certfiles[idx].flag == SETUP_EK_CERT_F) {
                    ret = swtpm2->ops->write_ek_cert_nvram(&swtpm2->swtpm,
                                                   !!(flags & SETUP_TPM2_ECC_F), rsa_keysize,
                                                   !!(flags & SETUP_LOCK_NVRAM_F),
                                                   (const unsigned char*)filecontent, filecontent_len);
                } else {
                    ret = swtpm2->ops->write_platform_cert_nvram(&swtpm2->swtpm,
                                                     !!(flags & SETUP_LOCK_NVRAM_F),
                                                     (const unsigned char *)filecontent, filecontent_len);
                }

                if (ret != 0) {
                    unlink(certfile);
                    return 1;
                }

                if (certfile_move_or_delete(flags, !!(flags_to_certfiles[idx].flag & SETUP_EK_CERT_F),
                                            certfile, user_certsdir, key_description) != 0)
                    return 1;
            }
        }
    }

    return 0;
}

/* Create endorsement keys and certificates for a TPM 2 */
static int tpm2_create_eks_and_certs(unsigned long flags, const gchar *config_file,
                                     const gchar *certsdir, const gchar *vmid,
                                     unsigned int rsa_keysize, struct swtpm2 *swtpm2,
                                     const gchar *user_certsdir)
{
     int ret;

     /* 1st key will be RSA */
     flags = flags & ~SETUP_TPM2_ECC_F;
     ret = tpm2_create_ek_and_cert(flags, config_file, certsdir, vmid, rsa_keysize, swtpm2,
                                   user_certsdir);
     if (ret != 0)
         return 1;

     /* 2nd key will be an ECC; no more platform cert */
     flags = (flags & ~SETUP_PLATFORM_CERT_F) | SETUP_TPM2_ECC_F;
     return tpm2_create_ek_and_cert(flags, config_file, certsdir, vmid, rsa_keysize, swtpm2,
                                    user_certsdir);
}

/* Get the default PCR banks from the config file and if nothing can
   be found there use the DEFAULT_PCR_BANKS #define.
 */
static gchar *get_default_pcr_banks(const gchar *config_file)
{
    g_auto(GStrv) config_file_lines = NULL;
    gchar *pcr_banks;
    int ret;

    ret = read_file_lines(config_file, &config_file_lines);
    if (ret != 0)
        return NULL;

    pcr_banks = get_config_value(config_file_lines, "active_pcr_banks");
    if (pcr_banks)
        g_strstrip(pcr_banks);
    if (pcr_banks == NULL || strlen(pcr_banks) == 0) {
        g_free(pcr_banks);
        pcr_banks = g_strdup(DEFAULT_PCR_BANKS);
    }
    return pcr_banks;
}

/* Activate the given list of PCR banks. If pcr_banks is '-' then leave
 * the configuration as-is.
 */
static int tpm2_activate_pcr_banks(struct swtpm2 *swtpm2,
                                   const gchar *pcr_banks)
{
    g_autofree gchar *active_pcr_banks_join = NULL;
    g_autofree gchar *all_pcr_banks_join = NULL;
    g_auto(GStrv) active_pcr_banks = NULL;
    g_auto(GStrv) all_pcr_banks = NULL;
    g_auto(GStrv) pcr_banks_l = NULL;
    struct swtpm *swtpm = &swtpm2->swtpm;
    int ret = 0;

    if (g_str_equal(pcr_banks, "-"))
        return 0;

    ret = swtpm2->ops->get_all_pcr_banks(swtpm, &all_pcr_banks);
    if (ret != 0)
        return ret;

    pcr_banks_l = g_strsplit(pcr_banks, ",", -1);
    ret = swtpm2->ops->set_active_pcr_banks(swtpm, pcr_banks_l, all_pcr_banks,
                                            &active_pcr_banks);
    if (ret != 0)
        return ret;

    active_pcr_banks_join = g_strjoinv(",", active_pcr_banks);
    all_pcr_banks_join = g_strjoinv(",", all_pcr_banks);
    logit(gl_LOGFILE, "Successfully activated PCR banks %s among %s.\n",
          active_pcr_banks_join, all_pcr_banks_join);

    return 0;
}

/* Simulate manufacturing a TPM 2: create keys and certificates */
static int init_tpm2(unsigned long flags, gchar **swtpm_prg_l, const gchar *config_file,
                     const gchar *tpm2_state_path, const gchar *vmid, const gchar *pcr_banks,
                     const gchar *swtpm_keyopt, int *fds_to_pass, size_t n_fds_to_pass,
                     unsigned int rsa_keysize, const gchar *certsdir,
                     const gchar *user_certsdir)
{
    struct swtpm2 *swtpm2;
    struct swtpm *swtpm;
    int ret;

    swtpm2 = swtpm2_new(swtpm_prg_l, tpm2_state_path, swtpm_keyopt, gl_LOGFILE,
                        fds_to_pass, n_fds_to_pass);
    if (swtpm2 == NULL)
        return 1;
    swtpm = &swtpm2->swtpm;

    ret = swtpm->cops->start(swtpm);
    if (ret != 0) {
        logerr(gl_LOGFILE, "Could not start the TPM 2.\n");
        goto error;
    }

    if ((flags & SETUP_CREATE_SPK_F)) {
        ret = swtpm2->ops->create_spk(swtpm, !!(flags & SETUP_TPM2_ECC_F), rsa_keysize);
        if (ret != 0)
            goto destroy;
    }

    ret = tpm2_create_eks_and_certs(flags, config_file, certsdir, vmid, rsa_keysize, swtpm2,
                                    user_certsdir);
    if (ret != 0)
        goto destroy;

    ret = tpm2_activate_pcr_banks(swtpm2, pcr_banks);
    if (ret != 0)
        goto destroy;

    ret = swtpm2->ops->shutdown(swtpm);

destroy:
    swtpm->cops->destroy(swtpm);

error:
    swtpm_free(swtpm);

    return ret;
}

/* Create the owner password digest */
static void tpm12_get_ownerpass_digest(unsigned long flags, const gchar *ownerpass,
                                       unsigned char ownerpass_digest[SHA_DIGEST_LENGTH])
{
    const gchar zeros[SHA_DIGEST_LENGTH]= {0, };
    size_t len;

    if (ownerpass == NULL) {
        if (flags & SETUP_OWNERPASS_ZEROS_F) {
            ownerpass = zeros;
            len = sizeof(zeros);
        } else {
            ownerpass = DEFAULT_OWNER_PASSWORD;
            len = strlen(ownerpass);
        }
    } else {
        len = strlen(ownerpass);
    }
    SHA1((const unsigned char *)ownerpass, len, ownerpass_digest);
}

/* Create the SRK password digest */
static void tpm12_get_srkpass_digest(unsigned long flags, const gchar *srkpass,
                                     unsigned char srkpass_digest[SHA_DIGEST_LENGTH])
{
    const gchar zeros[SHA_DIGEST_LENGTH]= {0, };
    size_t len;

    if (srkpass == NULL) {
        if (flags & SETUP_SRKPASS_ZEROS_F) {
            srkpass = zeros;
            len = sizeof(zeros);
        } else {
            srkpass = DEFAULT_SRK_PASSWORD;
            len = strlen(srkpass);
        }
    } else {
        len = strlen(srkpass);
    }
    SHA1((const unsigned char *)srkpass, len, srkpass_digest);
}

/* Take ownership of a TPM 1.2 */
static int tpm12_take_ownership(unsigned long flags, const gchar *ownerpass,
                                const gchar *srkpass, gchar *pubek, size_t pubek_len,
                                struct swtpm12 *swtpm12)
{
    unsigned char ownerpass_digest[SHA_DIGEST_LENGTH];
    unsigned char srkpass_digest[SHA_DIGEST_LENGTH];

    tpm12_get_ownerpass_digest(flags, ownerpass, ownerpass_digest);
    tpm12_get_srkpass_digest(flags, srkpass, srkpass_digest);

    return swtpm12->ops->take_ownership(&swtpm12->swtpm, ownerpass_digest, srkpass_digest,
                                        (const unsigned char *)pubek, pubek_len);
}

/* Create the certificates for a TPM 1.2 */
static int tpm12_create_certs(unsigned long flags, const gchar *config_file,
                              const gchar *certsdir, const gchar *ekparam,
                              const gchar *vmid, struct swtpm12 *swtpm12,
                              const gchar *user_certsdir)
{
    g_autofree gchar *filecontent = NULL;
    g_autofree gchar *certfile = NULL;
    gsize filecontent_len;
    size_t idx;
    int ret;

    ret = call_create_certs(flags, config_file, certsdir, ekparam, vmid, &swtpm12->swtpm);
    if (ret != 0)
        return 1;

    for (idx = 0; flags_to_certfiles[idx].filename; idx++) {
        if (flags & flags_to_certfiles[idx].flag) {
            g_free(certfile);
            certfile = g_strjoin(G_DIR_SEPARATOR_S, certsdir,
                                 flags_to_certfiles[idx].filename, NULL);

            g_free(filecontent);
            filecontent = NULL;
            ret = read_file(certfile, &filecontent, &filecontent_len);
            if (ret != 0)
                return 1;

            if (flags_to_certfiles[idx].flag == SETUP_EK_CERT_F) {
                ret = swtpm12->ops->write_ek_cert_nvram(&swtpm12->swtpm,
                                                (const unsigned char*)filecontent, filecontent_len);
                if (ret == 0)
                    logit(gl_LOGFILE, "Successfully created NVRAM area for EK certificate.\n");
            } else {
                ret = swtpm12->ops->write_platform_cert_nvram(&swtpm12->swtpm,
                                                  (const unsigned char*)filecontent, filecontent_len);
                if (ret == 0)
                    logit(gl_LOGFILE, "Successfully created NVRAM area for Platform certificate.\n");
            }

            if (ret != 0) {
                unlink(certfile);
                return 1;
            }

            if (certfile_move_or_delete(flags, !!(flags_to_certfiles[idx].flag & SETUP_EK_CERT_F),
                                        certfile, user_certsdir, "rsa2048") != 0)
                return 1;
        }
    }

    return 0;
}

/* Simulate manufacturing a TPM 1.2: create keys and certificate and possibly take ownership */
static int init_tpm(unsigned long flags, gchar **swtpm_prg_l, const gchar *config_file,
                    const gchar *tpm_state_path, const gchar *ownerpass, const gchar *srkpass,
                    const gchar *vmid, const gchar *swtpm_keyopt,
                    int *fds_to_pass, size_t n_fds_to_pass, const gchar *certsdir,
                    const gchar *user_certsdir)
{
    struct swtpm12 *swtpm12;
    struct swtpm *swtpm;
    g_autofree gchar *pubek = NULL;
    size_t pubek_len;
    int ret = 1;

    swtpm12 = swtpm12_new(swtpm_prg_l, tpm_state_path, swtpm_keyopt, gl_LOGFILE,
                          fds_to_pass, n_fds_to_pass);
    if (swtpm12 == NULL)
        return 1;
    swtpm = &swtpm12->swtpm;

    ret = swtpm->cops->start(swtpm);
    if (ret != 0) {
        logerr(gl_LOGFILE, "Could not start the TPM 1.2.\n");
        goto error;
    }

    ret = swtpm12->ops->run_swtpm_bios(swtpm);
    if (ret != 0)
         goto destroy;

    if ((flags & SETUP_CREATE_EK_F)) {
        ret = swtpm12->ops->create_endorsement_key_pair(swtpm, &pubek, &pubek_len);
        if (ret != 0)
            goto destroy;

        logit(gl_LOGFILE, "Successfully created EK.\n");

        /* can only take owernship if created an EK */
        if ((flags & SETUP_TAKEOWN_F)) {
            ret = tpm12_take_ownership(flags, ownerpass, srkpass, pubek, pubek_len, swtpm12);
            if (ret != 0)
                goto destroy;

            logit(gl_LOGFILE, "Successfully took ownership of the TPM.\n");
        }

        /* can only create EK cert if created an EK */
        if ((flags & SETUP_EK_CERT_F)) {
            g_autofree gchar *ekparam = print_as_hex((unsigned char *)pubek, pubek_len);

            ret = tpm12_create_certs(flags, config_file, certsdir, ekparam, vmid, swtpm12,
                                     user_certsdir);
            if (ret != 0)
                goto destroy;
        }
    }

    if ((flags & SETUP_LOCK_NVRAM_F)) {
        ret = swtpm12->ops->nv_lock(swtpm);
        if (ret == 0)
            logit(gl_LOGFILE, "Successfully locked NVRAM access.\n");
    }

destroy:
    swtpm->cops->destroy(swtpm);

error:
    swtpm_free(swtpm);

    return ret;
}

/* Check whether we are allowed to overwrite existing state.
 * This function returns 2 if the state exists but flag is set to not to overwrite it,
 * 0 in case we can overwrite it, 1 if the state exists.
 */
static int check_state_overwrite(gchar **swtpm_prg_l, unsigned int flags,
                                 const char *tpm_state_path)
{
    gboolean success;
    g_autofree gchar *standard_output = NULL;
    int exit_status = 0;
    g_autoptr(GError) error = NULL;
    g_autofree gchar **argv = NULL;
    g_autofree gchar *statearg = g_strdup_printf("backend-uri=%s", tpm_state_path);
    g_autofree gchar *logop = NULL;
    g_autofree gchar **my_argv = NULL;

    my_argv = concat_arrays((gchar*[]) {
                                "--print-states",
                                "--tpmstate",
                                statearg,
                                NULL
                            }, NULL, FALSE);

    if (flags & SETUP_TPM2_F)
        my_argv = concat_arrays(my_argv, (gchar*[]) { "--tpm2", NULL }, TRUE);

    if (gl_LOGFILE != NULL) {
        logop = g_strdup_printf("file=%s", gl_LOGFILE);
        my_argv = concat_arrays(my_argv, (gchar*[]){"--log", logop, NULL}, TRUE);
    }

    argv = concat_arrays(swtpm_prg_l, my_argv, FALSE);

    success = g_spawn_sync(NULL, argv, NULL, G_SPAWN_STDERR_TO_DEV_NULL, NULL, NULL,
                           &standard_output, NULL, &exit_status, &error);
    if (!success) {
        logerr(gl_LOGFILE, "Could not start swtpm '%s': %s\n", swtpm_prg_l[0], error->message);
        return 1;
    }

    if (exit_status != 0) {
        logerr(gl_LOGFILE, "%s exit with status %d: %s\n",
               swtpm_prg_l[0], exit_status, standard_output);
        return 1;
    }

    if (g_strstr_len(standard_output, -1, TPM_PERMANENT_ALL_NAME) != NULL) {
        /* State file exists */
        if (flags & SETUP_STATE_NOT_OVERWRITE_F) {
            logit(gl_LOGFILE, "Not overwriting existing state file.\n");
            return 2;
        }
        if (flags & SETUP_STATE_OVERWRITE_F)
            return 0;
        logerr(gl_LOGFILE, "Found existing TPM state '%s'.\n", TPM_PERMANENT_ALL_NAME);
        return 1;
    }

    return 0;
}

static void versioninfo(void)
{
    printf("TPM emulator setup tool version %d.%d.%d\n",
           SWTPM_VER_MAJOR, SWTPM_VER_MINOR, SWTPM_VER_MICRO);
}

static void usage(const char *prgname, const char *default_config_file)
{
    versioninfo();
    printf(
        "Usage: %s [options]\n"
        "\n"
        "The following options are supported:\n"
        "\n"
        "--runas <user>   : Run this program under the given user's account.\n"
        "\n"
        "--tpm-state <dir>: Path where the TPM's state will be written to;\n"
        "                   this is a mandatory argument. Prefix with dir:// to"
        "                   use directory backend, or file:// to use linear file.\n"
        "\n"
        "--tpmstate <dir> : This is an alias for --tpm-state <dir>.\n"
        "\n"
        "--tpm <executable>\n"
        "                 : Path to the TPM executable; this is an optional argument and\n"
        "                   by default 'swtpm' in the PATH is used.\n"
        "\n"
        "--swtpm_ioctl <executable>\n"
        "                 : Path to the swtpm_ioctl executable; this is deprecated\n"
        "                   argument.\n"
        "\n"
        "--tpm2           : Setup a TPM 2; by default a TPM 1.2 is setup.\n"
        "\n"
        "--createek       : Create the EK; for a TPM 2 an RSA and ECC EK will be\n"
        "                   created\n"
        "\n"
        "--allow-signing  : Create an EK that can be used for signing;\n"
        "                   this option requires --tpm2.\n"
        "                   Note: Careful, this option will create a non-standard EK!\n"
        "\n"
        "--decryption     : Create an EK that can be used for key encipherment;\n"
        "                   this is the default unless --allow-signing is given;\n"
        "                   this option requires --tpm2.\n"
        "\n"
        "--ecc            : This option allows to create a TPM 2's ECC key as storage\n"
        "                   primary key; a TPM 2 always gets an RSA and an ECC EK key.\n"
        "\n"
        "--take-ownership : Take ownership; this option implies --createek\n"
        "  --ownerpass  <password>\n"
        "                 : Provide custom owner password; default is %s\n"
        "  --owner-well-known:\n"
        "                 : Use an owner password of 20 zero bytes\n"
        "  --srkpass <password>\n"
        "                 : Provide custom SRK password; default is %s\n"
        "  --srk-well-known:\n"
        "                 : Use an SRK password of 20 zero bytes\n"
        "--create-ek-cert : Create an EK certificate; this implies --createek\n"
        "\n"
        "--create-platform-cert\n"
        "                 : Create a platform certificate; this implies --create-ek-cert\n"
        "\n"
        "--create-spk     : Create storage primary key; this requires --tpm2\n"
        "\n"
        "--lock-nvram     : Lock NVRAM access\n"
        "\n"
        "--display        : At the end display as much info as possible about the\n"
        "                   configuration of the TPM\n"
        "\n"
        "--config <config file>\n"
        "                 : Path to configuration file; default is %s\n"
        "\n"
        "--logfile <logfile>\n"
        "                 : Path to log file; default is logging to stderr\n"
        "\n"
        "--keyfile <keyfile>\n"
        "                 : Path to a key file containing the encryption key for the\n"
        "                   TPM to encrypt its persistent state with. The content\n"
        "                   must be a 32 hex digit number representing a 128bit AES key.\n"
        "                   This parameter will be passed to the TPM using\n"
        "                   '--key file=<file>'.\n"
        "\n"
        "--keyfile-fd <fd>: Like --keyfile but a file descriptor is given to read the\n"
        "                   encryption key from.\n"
        "\n"
        "--pwdfile <pwdfile>\n"
        "                 : Path to a file containing a passphrase from which the\n"
        "                   TPM will derive the 128bit AES key. The passphrase can be\n"
        "                   32 bytes long.\n"
        "                   This parameter will be passed to the TPM using\n"
        "                   '--key pwdfile=<file>'.\n"
        "\n"
        "--pwdfile-fd <fd>: Like --pwdfile but a file descriptor is given to to read\n"
        "                   the passphrase from.\n"
        "\n"
        "--cipher <cipher>: The cipher to use; either aes-128-cbc or aes-256-cbc;\n"
        "                   the default is aes-128-cbc; the same cipher must be\n"
        "                   used on the swtpm command line\n"
        "\n"
        "--overwrite      : Overwrite existing TPM state by re-initializing it; if this\n"
        "                   option is not given, this program will return an error if\n"
        "                   existing state is detected\n"
        "\n"
        "--not-overwrite  : Do not overwrite existing TPM state but silently end\n"
        "\n"
        "--pcr-banks <banks>\n"
        "                 : Set of PCR banks to activate. Provide a comma separated list\n"
        "                   like 'sha1,sha256'. '-' to skip and leave all banks active.\n"
        "                   Default: %s\n"
        "\n"
        "--rsa-keysize <keysize>\n"
        "                 : The RSA key size of the EK key; 3072 bits may be supported\n"
        "                   if libtpms supports it.\n"
        "                   Default: %u\n"
        "\n"
        "--write-ek-cert-files <directory>\n"
        "                 : Write EK cert files into the given directory\n"
        "\n"
        "--tcsd-system-ps-file <file>\n"
        "                 : This option is deprecated and has no effect.\n"
        "\n"
        "--print-capabilities\n"
        "                 : Print JSON formatted capabilites added after v0.1 and exit.\n"
        "\n"
        "--create-config-files [[overwrite][,root]]\n"
        "                 : Create swtpm_setup and swtpm-localca config files for a\n"
        "                   user account.\n"
        "                   overwrite: overwrite any existing files\n"
        "                   root: allow to create files under root's home directory\n"
        "                   skip-if-exist: if any file exists exit without error\n"
        "\n"
        "--version        : Display version and exit\n"
        "\n"
        "--help,-h        : Display this help screen\n\n",
            prgname,
            DEFAULT_OWNER_PASSWORD,
            DEFAULT_SRK_PASSWORD,
            default_config_file,
            DEFAULT_PCR_BANKS,
            DEFAULT_RSA_KEYSIZE
        );
}

static int get_supported_tpm_versions(gchar **swtpm_prg_l, gboolean *swtpm_has_tpm12,
                                      gboolean *swtpm_has_tpm2)
{
    gboolean success;
    g_autofree gchar *standard_output = NULL;
    int exit_status = 0;
    g_autoptr(GError) error = NULL;
    g_autofree gchar **argv = NULL;
    gchar *my_argv[] = { "--print-capabilities", NULL };
    g_autofree gchar *logop = NULL;

    argv = concat_arrays(swtpm_prg_l, my_argv, FALSE);

    if (gl_LOGFILE != NULL) {
        logop = g_strdup_printf("file=%s", gl_LOGFILE);
        argv = concat_arrays(argv, (gchar*[]){"--log", logop, NULL}, TRUE);
    }

    success = g_spawn_sync(NULL, argv, NULL, G_SPAWN_STDERR_TO_DEV_NULL, NULL, NULL,
                           &standard_output, NULL, &exit_status, &error);
    if (!success) {
        logerr(gl_LOGFILE, "Could not start swtpm '%s': %s\n", swtpm_prg_l[0], error->message);
        return 1;
    }

    *swtpm_has_tpm12 = g_strstr_len(standard_output, -1, "\"tpm-1.2\"") != NULL;
    *swtpm_has_tpm2 = g_strstr_len(standard_output, -1, "\"tpm-2.0\"") != NULL;

    return 0;
}

/* Get the support RSA key sizes.
 *  This function returns an array of ints like the following
 *  - [ 1024, 2048, 3072 ]
 *  - [] (empty array, indicating only 2048 bit RSA keys are supported)
 */
static int get_rsa_keysizes(unsigned long flags, gchar **swtpm_prg_l,
                            unsigned int **keysizes, size_t *n_keysizes)
{
    gboolean success;
    gchar *standard_output = NULL;
    int exit_status = 0;
    GError *error = NULL;
    int ret = 1;
    const gchar *needle = "\"rsa-keysize-";
    unsigned int keysize;
    gchar **argv = NULL;
    char *p;
    int n;
    g_autofree gchar *logop = NULL;

    *n_keysizes = 0;

    if (flags & SETUP_TPM2_F) {
        gchar *my_argv[] = { "--tpm2", "--print-capabilities", NULL };

        argv = concat_arrays(swtpm_prg_l, my_argv, FALSE);

        if (gl_LOGFILE != NULL) {
            logop = g_strdup_printf("file=%s", gl_LOGFILE);
            argv = concat_arrays(argv, (gchar*[]){"--log", logop, NULL}, TRUE);
        }

        success = g_spawn_sync(NULL, argv, NULL, G_SPAWN_STDERR_TO_DEV_NULL, NULL, NULL,
                               &standard_output, NULL, &exit_status, &error);
        if (!success) {
            logerr(gl_LOGFILE, "Could not start swtpm '%s': %s\n", swtpm_prg_l[0], error->message);
            g_error_free(error);
            goto error;
        }

        p = standard_output;
        /* A crude way of parsing the json output just looking for "rsa-keysize-%u" */
        while ((p = g_strstr_len(p, -1, needle)) != NULL) {
            p += strlen(needle);
            n = sscanf(p, "%u\"", &keysize);
            if (n == 1) {
                *keysizes = g_realloc(*keysizes, (*n_keysizes + 1) * sizeof(unsigned int));
                (*keysizes)[*n_keysizes] = keysize;
                (*n_keysizes)++;
            }
        }
    }
    ret = 0;

error:
    g_free(argv);
    g_free(standard_output);

    return ret;
}

/* Return the RSA key size capabilities in a NULL-terminated array */
static int get_rsa_keysize_caps(unsigned long flags, gchar **swtpm_prg_l,
                                gchar ***keysize_strs)
{
    unsigned int *keysizes = NULL;
    size_t n_keysizes = 0;
    size_t i, j;
    int ret = get_rsa_keysizes(flags, swtpm_prg_l, &keysizes, &n_keysizes);
    if (ret)
        return ret;

    *keysize_strs = g_malloc0(sizeof(char *) * (n_keysizes + 1));
    for (i = 0, j = 0; i < n_keysizes; i++) {
        if (keysizes[i] >= 2048)
            (*keysize_strs)[j++] = g_strdup_printf("tpm2-rsa-keysize-%u", keysizes[i]);
    }

    g_free(keysizes);

    return 0;
}

/* Print teh JSON object of swtpm_setup's capabilities */
static int print_capabilities(char **swtpm_prg_l, gboolean swtpm_has_tpm12,
                              gboolean swtpm_has_tpm2)
{
    g_autofree gchar *param = g_strdup("");
    gchar **keysize_strs = NULL;
    gchar *tmp;
    size_t i;
    int ret = 0;

    ret = get_rsa_keysize_caps(SETUP_TPM2_F, swtpm_prg_l, &keysize_strs);
    if (ret)
        return 1;

    for (i = 0; keysize_strs[i] != NULL; i++) {
        tmp = g_strdup_printf("%s, \"%s\"", param, keysize_strs[i]);
        g_free(param);
        param = tmp;
    }

    printf("{ \"type\": \"swtpm_setup\", "
           "\"features\": [ %s%s\"cmdarg-keyfile-fd\", \"cmdarg-pwdfile-fd\", \"tpm12-not-need-root\""
           ", \"cmdarg-write-ek-cert-files\", \"cmdarg-create-config-files\""
           "%s ], "
           "\"version\": \"" VERSION "\" "
           "}\n",
           swtpm_has_tpm12 ? "\"tpm-1.2\", " : "",
           swtpm_has_tpm2  ? "\"tpm-2.0\", " : "",
           param);

    g_strfreev(keysize_strs);

    return 0;
}

static int change_process_owner(const char *user)
{
    char *endptr;
    unsigned long long uid = strtoull(user, &endptr, 10);
    gid_t gid;
    struct passwd *passwd;
    int ret = 1;

    if (*endptr != '\0') {
        /* assuming a name */
        passwd = getpwnam(user);
        if (passwd == NULL) {
            logerr(gl_LOGFILE, "Error: User '%s' does not exist.\n", user);
            goto error;
        }

        if (initgroups(passwd->pw_name, passwd->pw_gid) != 0) {
            logerr(gl_LOGFILE, "Error: initgroups() failed: %s\n", strerror(errno));
            goto error;
        }

        gid = passwd->pw_gid;
        uid = passwd->pw_uid;
    } else {
        if (uid > 0xffffffff) {
            logerr(gl_LOGFILE, "Error: uid %s outside valid range.\n", user);
            goto error;
        }
        gid = (gid_t)uid;
    }

    if (setgid(gid) != 0) {
        logerr(gl_LOGFILE, "Error: setgid(%d) failed: %s\n", gid, strerror(errno));
        goto error;
    }

    if (setuid(uid) != 0) {
        logerr(gl_LOGFILE, "Error: setuid(%d) failed: %s\n", uid, strerror(errno));
        goto error;
    }

    ret = 0;

error:
    return ret;
}

static int handle_create_config_files(const char *optarg)
{
    g_auto(GStrv) tokens = NULL;
    gboolean overwrite = FALSE;
    gboolean root_flag = FALSE;
    gboolean skip_if_exist = FALSE;

    if (optarg) {
        tokens = g_strsplit_set(optarg, ", ", -1);
        overwrite = g_strv_contains((const gchar **)tokens, "overwrite");
        root_flag = g_strv_contains((const gchar **)tokens, "root");
        skip_if_exist = g_strv_contains((const gchar **)tokens, "skip-if-exist");
        if (overwrite && skip_if_exist) {
            fprintf(stderr, "Error: overwrite and skip-if-exist cannot both be used\n");
            return 1;
        }
    }

    return create_config_files(overwrite, root_flag, skip_if_exist);
}

int main(int argc, char *argv[])
{
    int opt, option_index = 0;
    static const struct option long_options[] = {
        {"tpm-state", required_argument, NULL, 't'},
        {"tpmstate", required_argument, NULL, 't'}, /* alias for tpm-state */
        {"tpm", required_argument, NULL, 'T'},
        {"swtpm_ioctl", required_argument, NULL, '_'},
        {"tpm2", no_argument, NULL, '2'},
        {"ecc", no_argument, NULL, 'e'},
        {"createek", no_argument, NULL, 'c'},
        {"create-spk", no_argument, NULL, 'C'},
        {"take-ownership", no_argument, NULL, 'o'},
        {"ownerpass", required_argument, NULL, 'O'},
        {"owner-well-known", no_argument, NULL, 'w'},
        {"srkpass", required_argument, NULL, 'S'},
        {"srk-well-known", no_argument, NULL, 's'},
        {"create-ek-cert", no_argument, NULL, 'E'},
        {"create-platform-cert", no_argument, NULL, 'P'},
        {"lock-nvram", no_argument, NULL, 'L'},
        {"display", no_argument, NULL, 'i'},
        {"config", required_argument, NULL, 'f'},
        {"vmid", required_argument, NULL, 'm'},
        {"keyfile", required_argument, NULL, 'x'},
        {"keyfile-fd", required_argument, NULL, 'X'},
        {"pwdfile", required_argument, NULL, 'k'},
        {"pwdfile-fd", required_argument, NULL, 'K'},
        {"cipher", required_argument, NULL, 'p'},
        {"runas", required_argument, NULL, 'r'},
        {"logfile", required_argument, NULL, 'l'},
        {"overwrite", no_argument, NULL, 'v'},
        {"not-overwrite", no_argument, NULL, 'V'},
        {"allow-signing", no_argument, NULL, 'a'},
        {"decryption", no_argument, NULL, 'd'},
        {"pcr-banks", required_argument, NULL, 'b'},
        {"rsa-keysize", required_argument, NULL, 'A'},
        {"write-ek-cert-files", required_argument, NULL, '3'},
        {"create-config-files", optional_argument, NULL, 'u'},
        {"tcsd-system-ps-file", required_argument, NULL, 'F'},
        {"version", no_argument, NULL, '1'},
        {"print-capabilities", no_argument, NULL, 'y'},
        {"help", no_argument, NULL, 'h'},
        {NULL, 0, NULL, 0}
    };
    unsigned long flags = 0;
    g_autofree gchar *swtpm_prg = NULL;
    g_autofree gchar *tpm_state_path = NULL;
    struct swtpm_backend_ops *backend_ops = &swtpm_backend_dir;
    void *backend_state = NULL;
    g_autofree gchar *config_file = NULL;
    g_autofree gchar *ownerpass = NULL;
    gboolean got_ownerpass = FALSE;
    g_autofree gchar *srkpass = NULL;
    gboolean got_srkpass = FALSE;
    g_autofree gchar *vmid = NULL;
    g_autofree gchar *pcr_banks = NULL;
    gboolean printcapabilities = FALSE;
    g_autofree gchar *keyfile = NULL;
    long int keyfile_fd = -1;
    g_autofree gchar *pwdfile = NULL;
    long int pwdfile_fd = -1;
    g_autofree gchar *cipher = g_strdup("aes-128-cbc");
    g_autofree gchar *rsa_keysize_str = g_strdup_printf("%d", DEFAULT_RSA_KEYSIZE);
    unsigned int rsa_keysize;
    g_autofree gchar *swtpm_keyopt = NULL;
    g_autofree gchar *runas = NULL;
    g_autofree gchar *certsdir = NULL;
    g_autofree gchar *user_certsdir = NULL;
    gchar *tmp;
    gchar **swtpm_prg_l = NULL;
    gchar **tmp_l = NULL;
    size_t i, n;
    struct stat statbuf;
    const struct passwd *curr_user;
    struct group *curr_grp;
    char *endptr;
    gboolean swtpm_has_tpm12 = FALSE;
    gboolean swtpm_has_tpm2 = FALSE;
    int fds_to_pass[1] = { -1 };
    unsigned n_fds_to_pass = 0;
    char tmpbuffer[200];
    time_t now;
    struct tm *tm;
    int ret = 1;
    g_autoptr(GError) error = NULL;

    if (init(&config_file) < 0)
        goto error;

    swtpm_prg = g_find_program_in_path("swtpm");
    if (swtpm_prg) {
        tmp = g_strconcat(swtpm_prg, " socket", NULL);
        g_free(swtpm_prg);
        swtpm_prg = tmp;
    }

    while ((opt = getopt_long(argc, argv, "h?",
                              long_options, &option_index)) != -1) {
        switch (opt) {
        case 't': /* --tpmstate, --tpm-state */
            g_free(tpm_state_path);
            if (strncmp(optarg, "dir://", 6) == 0) {
                tpm_state_path = g_strdup(optarg);
            } else if (strncmp(optarg, "file://", 7) == 0) {
                tpm_state_path = g_strdup(optarg);
                backend_ops = &swtpm_backend_file;
            } else {
                /* always prefix with dir:// so we can pass verbatim to swtpm */
                tpm_state_path = g_strconcat("dir://", optarg, NULL);
            }
            break;
        case 'T': /* --tpm */
            g_free(swtpm_prg);
            swtpm_prg = g_strdup(optarg);
            break;
        case '_': /* --swtpm_ioctl */
            fprintf(stdout, "Warning: --swtpm_ioctl is deprecated and has no effect.");
            break;
        case '2': /* --tpm2 */
            flags |= SETUP_TPM2_F;
            break;
        case 'e': /* --ecc */
            flags |= SETUP_TPM2_ECC_F;
            break;
        case 'c': /* --createek */
            flags |= SETUP_CREATE_EK_F;
            break;
        case 'C': /* --create-spk */
            flags |= SETUP_CREATE_SPK_F;
            break;
        case 'o': /* --take-ownership */
            flags |= SETUP_CREATE_EK_F | SETUP_TAKEOWN_F;
            break;
        case 'O': /* --ownerpass */
            g_free(ownerpass);
            ownerpass = g_strdup(optarg);
            got_ownerpass = TRUE;
            break;
        case 'w': /* --owner-well-known */
            flags |= SETUP_OWNERPASS_ZEROS_F;
            got_ownerpass = TRUE;
            break;
        case 'S': /* --srk-pass */
            g_free(srkpass);
            srkpass = g_strdup(optarg);
            got_srkpass = TRUE;
            break;
        case 's': /* --srk-well-known */
            flags |= SETUP_SRKPASS_ZEROS_F;
            got_srkpass = TRUE;
            break;
        case 'E': /* --create-ek-cert */
            flags |= SETUP_CREATE_EK_F | SETUP_EK_CERT_F;
            break;
        case 'P': /* --create-platform-cert */
            flags |= SETUP_CREATE_EK_F | SETUP_PLATFORM_CERT_F;
            break;
        case 'L': /* --lock-nvram */
            flags |= SETUP_LOCK_NVRAM_F;
            break;
        case 'i': /* --display */
            flags |= SETUP_DISPLAY_RESULTS_F;
            break;
        case 'f': /* --config */
            g_free(config_file);
            config_file = g_strdup(optarg);
            break;
        case 'm': /* --vmid */
            g_free(vmid);
            vmid = g_strdup(optarg);
            break;
        case 'x': /* --keyfile */
            g_free(keyfile);
            keyfile = g_strdup(optarg);
            break;
        case 'X': /* --pwdfile-fd' */
            keyfile_fd = strtoull(optarg, &endptr, 10);
            if (*endptr != '\0' && keyfile_fd >= INT_MAX) {
                fprintf(stderr, "Invalid file descriptor '%s'\n", optarg);
                goto error;
            }
            break;
        case 'k': /* --pwdfile */
            g_free(pwdfile);
            pwdfile = g_strdup(optarg);
            break;
        case 'K': /* --pwdfile-fd' */
            pwdfile_fd = strtoull(optarg, &endptr, 10);
            if (*endptr != '\0' || pwdfile_fd >= INT_MAX) {
                fprintf(stderr, "Invalid file descriptor '%s'\n", optarg);
                goto error;
            }
            break;
        case 'p': /* --cipher */
            g_free(cipher);
            cipher = g_strdup(optarg);
            break;
        case 'r': /* --runas */
            g_free(runas);
            runas = g_strdup(optarg);
            break;
        case 'l': /* --logfile */
            g_free(gl_LOGFILE);
            gl_LOGFILE = g_strdup(optarg);
            break;
        case 'v': /* --overwrite */
            flags |= SETUP_STATE_OVERWRITE_F;
            break;
        case 'V': /* --not-overwrite */
            flags |= SETUP_STATE_NOT_OVERWRITE_F;
            break;
        case 'a': /* --allow-signing */
            flags |= SETUP_ALLOW_SIGNING_F;
            break;
        case 'd': /* --decryption */
            flags |= SETUP_DECRYPTION_F;
            break;
        case 'b': /* --pcr-banks */
            tmp = g_strconcat(pcr_banks ? pcr_banks: "",
                              pcr_banks ? "," : "", g_strstrip(optarg), NULL);
            g_free(pcr_banks);
            pcr_banks = tmp;
            break;
        case 'A': /* --rsa-keysize */
            g_free(rsa_keysize_str);
            rsa_keysize_str = strdup(optarg);
            break;
        case '3': /* --write-ek-cert-files */
            g_free(user_certsdir);
            user_certsdir = g_strdup(optarg);
            flags |= SETUP_WRITE_EK_CERT_FILES_F;
            break;
        case 'u':
            if (optarg == NULL && optind < argc && argv[optind][0] != '0')
                optarg = argv[optind++];
            ret = handle_create_config_files(optarg);
            goto out;
        case 'F': /* --tcsd-system-ps-file */
            printf("Warning: --tcsd-system-ps-file is deprecated and has no effect.");
            break;
        case '1': /* --version */
            versioninfo();
            ret = 0;
            goto error;
        case 'y': /* --print-capabilities */
            printcapabilities = TRUE;
            break;
        case '?':
        case 'h': /* --help */
            usage(argv[0], config_file);
            if (opt == 'h')
                ret = 0;
            goto out;
        default:
            fprintf(stderr, "Unknown option code %d\n", opt);
            usage(argv[0], config_file);
            goto error;
        }
    }

    if (swtpm_prg == NULL) {
        logerr(gl_LOGFILE,
               "Default TPM 'swtpm' could not be found and was not provided using --tpm\n.");
        goto error;
    }

    swtpm_prg_l = split_cmdline(swtpm_prg);
    tmp = g_find_program_in_path(swtpm_prg_l[0]);
    if (!tmp) {
        logerr(gl_LOGFILE, "swtpm at %s is not an executable.\n", swtpm_prg_l[0]);
        goto error;
    }
    g_free(tmp);


    ret = get_supported_tpm_versions(swtpm_prg_l, &swtpm_has_tpm12, &swtpm_has_tpm2);
    if (ret != 0)
        goto error;

    if (printcapabilities) {
        ret = print_capabilities(swtpm_prg_l, swtpm_has_tpm12, swtpm_has_tpm2);
        goto out;
    }

    if ((flags & SETUP_TPM2_F) != 0 && !swtpm_has_tpm2) {
        logerr(gl_LOGFILE, "swtpm at %s does not support TPM 2\n", swtpm_prg_l[0]);
        goto error;
    } else if ((flags & SETUP_TPM2_F) == 0 && !swtpm_has_tpm12){
        logerr(gl_LOGFILE, "swtpm at %s does not support TPM 1.2\n", swtpm_prg_l[0]);
        goto error;
    }

    if (runas) {
        ret = change_process_owner(runas);
        if (ret != 0)
            goto error;
    }

    if (!got_ownerpass)
        ownerpass = g_strdup(DEFAULT_OWNER_PASSWORD);
    if (!got_srkpass)
        srkpass = g_strdup(DEFAULT_SRK_PASSWORD);

    if (gl_LOGFILE != NULL) {
        FILE *tmpfile;
        if (stat(gl_LOGFILE, &statbuf) == 0 &&
            (statbuf.st_mode & S_IFMT) == S_IFLNK) {
            fprintf(stderr, "Logfile must not be a symlink.\n");
            goto error;
        }
        tmpfile = fopen(gl_LOGFILE, "a");
        if (tmpfile == NULL) {
            fprintf(stderr, "Cannot write to logfile %s.\n", gl_LOGFILE);
            goto error;
        }
        fclose(tmpfile);
    }

    curr_user = getpwuid(getuid());

    // Check tpm_state_path directory and access rights
    if (tpm_state_path == NULL) {
        logerr(gl_LOGFILE, "--tpm-state must be provided\n");
        goto error;
    }

    backend_state = backend_ops->parse_backend(tpm_state_path);
    if (!backend_state)
        goto error;

    if (backend_ops->check_access(backend_state, R_OK|W_OK, curr_user) != 0)
        goto error;

    if ((flags & SETUP_WRITE_EK_CERT_FILES_F)) {
        if (check_directory_access(user_certsdir, W_OK, curr_user) != 0)
            goto error;
    }

    if (flags & SETUP_TPM2_F) {
        if (flags & SETUP_TAKEOWN_F) {
            logerr(gl_LOGFILE, "Taking ownership is not supported for TPM 2.\n");
            goto error;
        }
    } else {
        if (flags & SETUP_TPM2_ECC_F) {
            logerr(gl_LOGFILE, "--ecc requires --tpm2.\n");
            goto error;
        }
        if (flags & SETUP_CREATE_SPK_F) {
            logerr(gl_LOGFILE, "--create-spk requires --tpm2.\n");
            goto error;
        }
    }

    ret = check_state_overwrite(swtpm_prg_l, flags, tpm_state_path);
    if (ret == 1) {
        goto error;
    } else if (ret == 2) {
        ret = 0;
        goto out;
    }

    ret = backend_ops->delete_state(backend_state);
    if (ret != 0)
        goto error;

    if (access(config_file, R_OK) != 0) {
        logerr(gl_LOGFILE, "User %s cannot read config file %s.\n",
               curr_user ? curr_user->pw_name : "<unknown>", config_file);
        goto error;
    }

    /* check pcr_banks; read from config file if not given */
    tmp_l = g_strsplit(pcr_banks ? pcr_banks : "", ",", -1);
    for (i = 0, n = 0; tmp_l[i]; i++) {
        g_strstrip(tmp_l[i]);
        n += strlen(tmp_l[i]);
    }
    g_strfreev(tmp_l);
    if (n == 0) {
        g_free(pcr_banks);
        pcr_banks = get_default_pcr_banks(config_file);
    }

    if (cipher != NULL) {
        if (strcmp(cipher, "aes-128-cbc") != 0 &&
            strcmp(cipher, "aes-cbc") != 0 &&
            strcmp(cipher, "aes-256-cbc") != 0) {
            logerr(gl_LOGFILE, "Unsupported cipher %s.\n", cipher);
            goto error;
        }
        tmp = g_strdup_printf(",mode=%s", cipher);
        g_free(cipher);
        cipher = tmp;
    }

    if (keyfile != NULL) {
        if (access(keyfile, R_OK) != 0) {
            logerr(gl_LOGFILE, "User %s cannot read keyfile %s.\n",
                   curr_user ? curr_user->pw_name : "<unknown>", keyfile);
            goto error;
        }
        swtpm_keyopt = g_strdup_printf("file=%s%s", keyfile, cipher);
        logit(gl_LOGFILE, "  The TPM's state will be encrypted with a provided key.\n");
    } else if (pwdfile != NULL) {
        if (access(pwdfile, R_OK) != 0) {
            logerr(gl_LOGFILE, "User %s cannot read passphrase file %s.\n",
                   curr_user ? curr_user->pw_name : "<unknown>", pwdfile);
            goto error;
        }
        swtpm_keyopt = g_strdup_printf("pwdfile=%s%s", pwdfile, cipher);
        logit(gl_LOGFILE, "  The TPM's state will be encrypted using a key derived from a passphrase.\n");
    } else if (keyfile_fd >= 0) {
        fds_to_pass[n_fds_to_pass++] = keyfile_fd;
        swtpm_keyopt = g_strdup_printf("fd=%ld%s", keyfile_fd, cipher);
        logit(gl_LOGFILE, "  The TPM's state will be encrypted with a provided key (fd).\n");
    } else if (pwdfile_fd >= 0) {
        fds_to_pass[n_fds_to_pass++] = pwdfile_fd;
        swtpm_keyopt = g_strdup_printf("pwdfd=%ld%s", pwdfile_fd, cipher);
        logit(gl_LOGFILE, "  The TPM's state will be encrypted using a key derived from a passphrase (fd).\n");
    }

    if (strcmp(rsa_keysize_str, "max") == 0) {
        unsigned int *keysizes = NULL;
        size_t n_keysizes;

        ret = get_rsa_keysizes(flags, swtpm_prg_l, &keysizes, &n_keysizes);
        if (ret)
            goto error;
        g_free(rsa_keysize_str);
        if (n_keysizes > 0) {
            /* last one is the biggest one */
            rsa_keysize_str = g_strdup_printf("%u", keysizes[n_keysizes - 1]);
        } else {
            rsa_keysize_str = g_strdup("2048");
        }
        g_free(keysizes);
    }
    if (strcmp(rsa_keysize_str, "2048") == 0 || strcmp(rsa_keysize_str, "3072") == 0) {
        unsigned int *keysizes = NULL;
        size_t n_keysizes;
        gboolean found = FALSE;

        ret = get_rsa_keysizes(flags, swtpm_prg_l, &keysizes, &n_keysizes);
        if (ret)
            goto error;

        rsa_keysize = strtoull(rsa_keysize_str, NULL, 10);
        for (i = 0; i < n_keysizes && found == FALSE; i++)
            found = (keysizes[i] == rsa_keysize);
        if (!found && rsa_keysize != 2048) {
            logerr(gl_LOGFILE, "%u bit RSA keys are not supported by libtpms.\n", rsa_keysize);
            goto error;
        }
        g_free(keysizes);
    } else {
        logit(gl_LOGFILE, "Unsupported RSA key size %s.\n", rsa_keysize_str);
        goto error;
    }

    now = time(NULL);
    tm = localtime(&now);
    if (strftime(tmpbuffer, sizeof(tmpbuffer), "%a %d %h %Y %I:%M:%S %p %Z", tm) == 0) {
        logerr(gl_LOGFILE, "Could not format time/date string.\n");
        goto error;
    }
    curr_grp = getgrgid(getgid());
    logit(gl_LOGFILE, "Starting vTPM manufacturing as %s:%s @ %s\n",
          curr_user ? curr_user->pw_name : "<unknown>",
          curr_grp ? curr_grp->gr_name : "<unknown>",
          tmpbuffer);

    if (flags & (SETUP_EK_CERT_F | SETUP_PLATFORM_CERT_F)) {
        certsdir = g_dir_make_tmp("swtpm_setup.certs.XXXXXX", &error);
        if (certsdir == NULL) {
            logerr(gl_LOGFILE, "Could not create temporary directory for certs: %s\n",
                   error->message);
            goto error;
        }
    }

    if ((flags & SETUP_TPM2_F) == 0) {
        ret = init_tpm(flags, swtpm_prg_l, config_file, tpm_state_path, ownerpass, srkpass, vmid,
                       swtpm_keyopt, fds_to_pass, n_fds_to_pass, certsdir, user_certsdir);
    } else {
        ret = init_tpm2(flags, swtpm_prg_l, config_file, tpm_state_path, vmid, pcr_banks,
                       swtpm_keyopt, fds_to_pass, n_fds_to_pass, rsa_keysize, certsdir,
                       user_certsdir);
    }

    if (ret == 0) {
        logit(gl_LOGFILE, "Successfully authored TPM state.\n");
    } else {
        logerr(gl_LOGFILE, "An error occurred. Authoring the TPM state failed.\n");
        backend_ops->delete_state(backend_state);
    }

    now = time(NULL);
    tm = localtime(&now);
    if (strftime(tmpbuffer, sizeof(tmpbuffer), "%a %d %h %Y %I:%M:%S %p %Z", tm) == 0) {
        logerr(gl_LOGFILE, "Could not format time/date string.\n");
        goto error;
    }
    logit(gl_LOGFILE, "Ending vTPM manufacturing @ %s\n",
          tmpbuffer);

out:
    if (certsdir && g_rmdir(certsdir) != 0)
        logerr(gl_LOGFILE, "Could not remove temporary directory for certs: %s\n",
               strerror(errno));

    if (backend_ops && backend_state)
        backend_ops->free_backend(backend_state);
    g_strfreev(swtpm_prg_l);
    g_free(gl_LOGFILE);

    return ret;

error:
    ret = 1;
    goto out;
}