.\" ========================================================================
.\"
.IX Title "swtpm_setup 8"
-.TH swtpm_setup 8 "2018-04-18" "swtpm" ""
+.TH swtpm_setup 8 "2018-04-21" "swtpm" ""
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
Optional \s-1VM ID\s0 that can be used to keep track of certificates issued
for VMs (or containers). This parameter will be passed through to the tool
used for creating the certificates and may be required by that tool.
+.IP "\fB\-\-swtpm_ioctl <executable\fR>" 4
+.IX Item "--swtpm_ioctl <executable>"
+Pass the path to the swtpm_ioctl executable. By default the swtpm_ioctl
+in the \s-1PATH\s0 is used.
.IP "\fB\-\-help, \-h\fR" 4
.IX Item "--help, -h"
Display the help screen
-.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
+.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.31)
.\"
.\" Standard preamble:
.\" ========================================================================
.\" ========================================================================
.\"
.IX Title "swtpm_setup.conf 8"
-.TH swtpm_setup.conf 8 "2014-11-07" "swtpm" ""
+.TH swtpm_setup.conf 8 "2018-04-21" "swtpm" ""
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
The options file to use. This file typically contains options that the
invoked program uses. If omitted, the program must use its default
options file.
+.IP "\fB\-\-tpm\-spec\-family <family\fR>, \fB\-\-tpm\-spec\-level <level\fR>, \fB\-\-tpm\-spec\-revision <revision\fR>" 4
+.IX Item "--tpm-spec-family <family>, --tpm-spec-level <level>, --tpm-spec-revision <revision>"
+These 3 options describe the \s-1TPM\s0 specification that was followed for
+the implementation of the \s-1TPM\s0 and will be part of the \s-1EK\s0 certificate.
.RE
.RS 4
.RE
invoked program uses. If omitted, the program must use its default
options file.
+=item B<--tpm-spec-family <family>>, B<--tpm-spec-level <level>>, B<--tpm-spec-revision <revision>>
+
+These 3 options describe the TPM specification that was followed for
+the implementation of the TPM and will be part of the EK certificate.
+
=back
=item B<create_certs_tool_config>
for VMs (or containers). This parameter will be passed through to the tool
used for creating the certificates and may be required by that tool.
+=item B<--swtpm_ioctl <executable>>
+
+Pass the path to the swtpm_ioctl executable. By default the swtpm_ioctl
+in the PATH is used.
+
=item B<--help, -h>
Display the help screen
"--logfile",
"--keyfile",
"--pwdfile",
+ "--swtpm_ioctl",
NULL
};
echo "Error: tcsd program not found. (PATH=$PATH)"
exit 1
fi
+SWTPM_IOCTL=`type -P swtpm_ioctl`
ECHO=`which echo`
if [ -z "$ECHO" ]; then
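Review bot: The default added with `type -P swtpm_ioctl` is resolved from the caller's PATH at run time, so which binary later drives the control channel depends on the environment swtpm_setup was started in; if the tool runs with elevated privileges, as it plausibly does when it initialises state under a system directory, that environment is not something the script controls. This mirrors the existing `tcsd` lookup and the new man page text, so it is an inherited design choice rather than a defect introduced here, but the assignment deserves a comment, e.g. `# Resolved from PATH at run time; --swtpm_ioctl overrides it and the path is checked with -x before use`. An install-time default with the PATH lookup as fallback would make the choice explicit; the test scripts already pass an explicit build path.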
# Default logging goes to stderr
LOGFILE=""
+TPMLIB_INFO_TPMSPECIFICATION=1
+
trap "cleanup" SIGTERM EXIT
logit()
fi
}
+# Get the TPM specification parameters from the TPM using swtpm_ioctl
+get_tpm_spec_parameters()
+{
+ local json
+ local res part arr
+
+ json="$($SWTPM_IOCTL \
+ --info $TPMLIB_INFO_TPMSPECIFICATION \
+ --tcp :$((TPM_PORT+1)) 2>&1)"
+ if [ $? -ne 0 ]; then
+ logerr "Error: $SWTPM_IOCTL failed: $json"
+ return 1
+ fi
+
+ for params in \
+ 's/.*"family":\s*"\([^"]*\)".*/\1/p --tpm-spec-family' \
+ 's/.*"level":\s*\([0-9\.]*\).*/\1/p --tpm-spec-level' \
+ 's/.*"revision":\s*\([0-9]*\).*/\1/p --tpm-spec-revision';
+ do
+ arr=($params)
+ part=$(echo "$json" | sed -n "${arr[0]}")
+ if [ -z "$part" ]; then
+ logerr "Error: Could not parse JSON output"
+ logerr " No result from \"echo '$json' | sed -n '${arr[0]}'\""
+ return 1
+ fi
+ res+="${arr[1]} ${part} "
+ done
+
+ echo "${res}"
+
+ return 0
+}
+
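Review bot: The loop variable `params` in get_tpm_spec_parameters is not declared local, so the function overwrites any `params` variable of its caller; this goes unnoticed only because the visible caller invokes it inside a command substitution, which runs in a subshell. Add it to the declaration, `local res part arr params`, or rename it, since the caller builds its own `params` string. The `arr=($params)` split also leaves the sed programs unquoted and therefore subject to pathname expansion on their `*` and `[...]` characters; keeping the sed expression and the option name in two parallel arrays, or wrapping the loop in `set -f`/`set +f`, avoids that. Note too that `2>&1` folds swtpm_ioctl's stderr into the text sed later parses, which is acceptable given the exit-status check but means any diagnostics printed on success end up in `$json`.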
# Call external program to create certificates
#
# @param1: flags
logparam="--logfile $LOGFILE"
fi
+ params+="$(get_tpm_spec_parameters) "
+ [ $? -ne 0 ] && return 1
+
if [ $((flags & SETUP_EK_CERT_F)) -ne 0 ] || \
[ $((flags & SETUP_PLATFORM_CERT_F)) -ne 0 ]; then
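Review bot: The `[ $? -ne 0 ] && return 1` after `params+="$(get_tpm_spec_parameters) "` relies on an assignment's exit status being that of its command substitution, which holds for a plain `+=` but silently becomes 0 if the line is ever turned into a `local` declaration; capturing first makes the intent explicit: `local spec; spec="$(get_tpm_spec_parameters)" || return 1; params+="$spec "`. The family/level/revision values are appended unquoted and will be word-split wherever `$params` is expanded, which is fine for the numeric and dotted values the sed patterns capture but worth a one-line comment. The enclosing function starts and ends outside this hunk.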
if [ -r "$configfile" ]; then
# skip used ports
if [ -n "$(netstat -lnpt 2>/dev/null |
gawk '{print $4}' |
- grep ":${TPM_PORT} ")" ]; then
+ grep -E ":(${TPM_PORT}|$((TPM_PORT+1))) ")" ]; then
let ctr=$ctr+1
continue
fi
- $swtpm --flags not-need-init -p $TPM_PORT --tpmstate dir=$swtpm_state 2>&1 1>/dev/null &
+ $swtpm \
+ --flags not-need-init \
+ -p $TPM_PORT \
+ --tpmstate dir=$swtpm_state \
+ --ctrl type=tcp,port=$((TPM_PORT+1)) \
+ 2>&1 1>/dev/null &
SWTPM_PID=$!
# poll for open port (good) or the process to have
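Review bot: The new `--ctrl type=tcp,port=$((TPM_PORT+1))` exposes swtpm's control channel on a TCP port with no authentication, so for the duration of the setup any local process that can reach that port can issue control commands to the very instance whose keys and certificates are being generated; the data port already had this property, but the control channel is a separate privileged interface, so the exposure is wider than before. The netstat scan above only avoids collisions and is inherently check-then-bind, so a port taken between the scan and the start of swtpm still fails startup, now for either of the two ports. If the swtpm and swtpm_ioctl in use support a UNIX-domain control socket (`--ctrl type=unixio,path=...` with the matching `--unix` client option), placing it under `$swtpm_state` with restrictive permissions would remove the network exposure; otherwise record the assumption next to the invocation, e.g. `# control channel on TPM_PORT+1 is unauthenticated; relies on the port being reachable only locally`. The enclosing function continues outside the hunk.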
: Path to the TPM executable; this is an optional argument and
by default $SWTPM is used.
+--swtpm_ioctl <executable>
+ : Path to the swtpm_ioctl executable; this is an optional
+ argument and by default $SWTPM_IOCTL is used.
+
--createek : Create the EK
--take-ownership : Take ownership; this option implies --createek
case "$1" in
--tpm-state|--tpmstate) shift; tpm_state_path="$1";;
--tpm) shift; SWTPM="$1";;
+ --swtpm_ioctl) shift; SWTPM_IOCTL="$1";;
--createek) flags=$((flags | SETUP_CREATE_EK_F));;
--take-ownership) flags=$((flags |
SETUP_CREATE_EK_F|SETUP_TAKEOWN_F));;
exit 1
fi
+ if [ -z "$SWTPM_IOCTL" ]; then
+ logerr "Default 'swtpm_ioctl' could not be found and was not provided using --swtpm_ioctl."
+ exit 1
+ fi
+
+ if [ ! -x "$(echo $SWTPM_IOCTL | cut -d " " -f1)" ]; then
+ logerr "swtpm_ioctl at $SWTPM_IOCTL is not an executable."
+ exit 1
+ fi
+
if [ ! -r "$config_file" ]; then
logerr "Cannot access config file ${config_file}."
exit 1
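Review bot: The executable check `$(echo $SWTPM_IOCTL | cut -d " " -f1)` leaves the variable unquoted, so a path containing glob characters or beginning with `-` is reinterpreted by `echo` and pathname expansion before the test sees it; the parameter expansion `[ ! -x "${SWTPM_IOCTL%% *}" ]` yields the same first word without a subprocess or those pitfalls. Testing only the first word presumably mirrors how `--tpm "$SWTPM_EXE socket"` carries extra arguments; a comment saying so would help the next reader, e.g. `# SWTPM_IOCTL may carry trailing arguments; only the program word is checked`.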
SWTPM=swtpm
SWTPM_EXE=${SWTPM_EXE:-$ROOT/src/swtpm/$SWTPM}
+SWTPM_IOCTL=${SWTPM_IOCTL:-$ROOT/src/swtpm_ioctl/swtpm_ioctl}
TCSD=`type -P tcsd`
TPMDIR=`mktemp -d`
SWTPM_SETUP_CONF=$ROOT/etc/swtpm_setup.conf
$TPMAUTHORING \
--tpm-state $TPMDIR \
--tpm "$SWTPM_EXE socket" \
+ --swtpm_ioctl "$SWTPM_IOCTL" \
${PARAMETERS[$i]} 2>&1 >/dev/null
if [ $? -ne 0 ]; then
SWTPM_SETUP=${ROOT}/src/swtpm_setup/swtpm_setup
SWTPM_LOCALCA=${ROOT}/samples/swtpm-localca
SWTPM=${ROOT}/src/swtpm/swtpm
+SWTPM_IOCTL=${ROOT}/src/swtpm_ioctl/swtpm_ioctl
workdir=$(mktemp -d)
--create-ek-cert \
--config ${workdir}/swtpm_setup.conf \
--logfile ${workdir}/logfile \
- --tpm "${SWTPM} socket"
+ --tpm "${SWTPM} socket" \
+ --swtpm_ioctl ${SWTPM_IOCTL}
if [ $? -ne 0 ]; then
echo "Error: Could not run $SWTPM_SETUP."
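Review bot: `--swtpm_ioctl ${SWTPM_IOCTL}` on the new line is unquoted while the sibling test passes `--swtpm_ioctl "$SWTPM_IOCTL"`; since the value is derived from `${ROOT}`, a checkout path containing whitespace would split the option value here but not there. Use `--swtpm_ioctl "${SWTPM_IOCTL}"` for consistency.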