Stefan Berger [Wed, 25 May 2022 19:47:04 +0000 (15:47 -0400)]
swtpm: Handle case where unknown blobtype is given (Coverity)
Handle the case where an unknown blobtype is given and therefore
cannot be translated to a filename and blobname is NULL. Previously
this would have lead to an error when trying to read the file, now
we handle the failure case earlier.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 25 May 2022 19:31:05 +0000 (15:31 -0400)]
swtpm: Cast '1' to uint64_t before shift and assign to uint64_t variable
To avoid an overflowing expression cast '1' to uint64_t before shifting
it and assigning it to a uint64_t variable. In practice this kind of
overflow would never happen because there aren't that many available
PCR banks.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 25 May 2022 18:23:41 +0000 (14:23 -0400)]
swtpm_setup: Initialize pubek_len (Coverity)
Initialize pubek_len even though it isn't necessary to do so since
it will be initialized in the first function to which it is passed.
However, Coverity complains about pubek_len passed to print_as_hex()
not being initialized, even though this is not possible.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 11 May 2022 02:28:30 +0000 (22:28 -0400)]
swtpm: Avoid locking directory multiple times
Commit 2d3deaef29 forgot to move the check for whether the lock file has
already been opened into the new function opening the lock file and there-
fore the lock file is now opened whenever swtpm gets a PTM_INIT. This fix
prevents the reopening of the lockfile if it has already been opened.
Otherwise many PTM_INIT's will lead to failure since no more files can
be opened.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sat, 7 May 2022 18:18:35 +0000 (14:18 -0400)]
test: Recreate TPM 2 state files with header
Use libtpms v0.6.6 and recreate the TPM 2 state file with header.
Start swtpm with the existing state files and have it rewrite the
volatiles state (swtpm_ioctl -v) and permanent state (tssnvdefine
+ tssnvundefine) files so that the header is on the files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 6 May 2022 22:31:13 +0000 (18:31 -0400)]
test: Recreate TPM 2 state files with header
Recreate TPM 2 state files that didn't have a header. Use latest
version of libtpms from the stable-0.6.0 branch to create the
state that more recent version have to be able to read.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 6 May 2022 22:08:17 +0000 (18:08 -0400)]
test: Recreate TPM 1.2 state files with header
Recreate a TPM 1.2 state file with header.
The state of the TPM 1.2 must be initialized with Startup(ST_CLEAR)
and then saved so that the proper error code appears as a result
when running this test.
The PCR values was originally created by extending PCR 10 with
sha1("test"). This was recreated using this sequence:
Stefan Berger [Fri, 6 May 2022 20:47:42 +0000 (16:47 -0400)]
test: Recreate TPM 1.2 state files with header
Recreate TPM 1.2 state files with similar content but with the state
file header. The older versions of the state files were created before
the header was introduced in v0.1. The goal is to be able to get rid
of code supporting pre-v0.1 files that had no header.
The PCR values was originally created by extending PCR 10 with
sha1("test"). This was recreated using this sequence:
Lena Voytek [Thu, 5 May 2022 20:07:23 +0000 (13:07 -0700)]
debian: Add swtpm apparmor profile
An apparmor profile was added for Debian-based distributions in order to
increase security. This blocks swtpm from accessing restricted and unnecessary
files, folders, and network interfaces. swtpm works as normal alongside libvirt
and its configurations, however users may run into issues when using swtpm on
its own when providing it with a restricted directory. The apparmor profile can
be modified to include additional permissions by creating and adding to the
file /etc/apparmor.d/local/usr.bin.swtpm.
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
Stefan Berger [Mon, 4 Apr 2022 12:49:37 +0000 (08:49 -0400)]
build-sys: Fix configure script to support _FORTIFY_SOURCE=3
gcc 12.1 supports _FORTIFY_SOURCE=3. Modify the existing check for whether
_FORTIFY_SOURCE=2 can be used to test compile with the user provided
CFLAGS and only add _D_FORTIFY_SOURCE=2 to the HARDENING_CFLAGS if the
user doesn't provide anything that's not compatible.
Following an online article _FORTIFY_SOURCE=3 may add more overhead, so
we only go up to level 2 for now and let build servers or user provide
the higher level via the CFLAGS.
Stefan Berger [Mon, 4 Apr 2022 14:30:47 +0000 (10:30 -0400)]
build-sys: Define __USE_LINUX_IOCTL_DEFS in header file (Cygwin)
To be able to test-compile with include/swtpm/tpm_ioctl.h in configure.ac
move the definition of __USE_LINUX_IOCTL_DEFS out of the configure script
into the header file so that the #define is there when needed. In the
configure.ac script the CFLAGS were extended only after the test-compiling
to determine the HARDENING_CFLAGS and the test-compilation failed on Cygwin
(only) since the tpm_ioctl.h didn't compile because of this missing
#define.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 28 Mar 2022 15:23:11 +0000 (11:23 -0400)]
swtpm: Use uint64_t in tlv_data_append() to avoid integer overflows
Instead of uint32_t use uint64_t's for accumulating needed buffer sizes
that are calculated by adding uint32_t length indicators. Use the uint64_t
to check for excessively large buffer sizes that could cause an integer
overflow if uint32_t was used.
This patch addresses the case where a user passes an old version of TPM
state file to swtpm for reading and the file is 4GB in size and thus can
cause an integer overflow in this particular function.
Otherwise, the previous fix to tlv_data_find_tag() protects swtpm from
integer overflows and later out-of-bound accesses when the TPM state is
initially read from a file (assuming the state file has a header, which
is the case since swtpm 0.1). If an excessively large buffer was passed
to libtpms, it would reject it since it would never be able to take in
that much data.
Data written to the file are coming from libtpms that we can trust in
terms of length indicators.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sat, 26 Mar 2022 03:28:21 +0000 (23:28 -0400)]
swtpm: Use uint64_t to avoid integer wrap-around when adding a uint32_t
To avoid an integer wrap-around use uint64_t for 'offset' so that adding
an untrusted 32-bit number will allow for comparison against the trusted
'buffer_len' 32-bit number:
if (offset + td->tlv.length > buffer_len)
return NULL;
This avoids possible out-of-bound accesses and crashes when reading
specially crafted TPM state input data that have a tlv.length that is so
large that is causes an integer overflow.
Resolves: https://github.com/stefanberger/swtpm/issues/678 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sat, 26 Mar 2022 02:54:21 +0000 (22:54 -0400)]
swtpm_bios: Use unsigned int tcp_port to filter out negative port numbers
The port being parsed must be given as unsigned int so that the comparison
of *tcp_port >= 65536 also filters out negative numbers passed via the
command line. Previously one could pass -1 and swtpm_bios would try to
connect.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sat, 26 Mar 2022 02:41:00 +0000 (22:41 -0400)]
swtpm_ioctl: Use unsigned int tcp_port to filter out negative port numbers
The port being parsed must be given as unsigned int so that the comparison
of *tcp_port >= 65536 also filters out negative numbers passed via the
command line. Previously one could pass -1 and swtpm_ioctl would try to
connect to port 65535.
Resolves: https://github.com/stefanberger/swtpm/issues/679 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 3 Mar 2022 14:13:26 +0000 (09:13 -0500)]
swtpm: Do not chdir(/) when using --daemon
With relative paths being used the chdir("/") in daemonize_finish() will
cause file access errors.
Fixes: 98d1d12 ("swtpm: Make --daemon not racy")
Resolves: https://github.com/stefanberger/swtpm/issues/671 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 21 Feb 2022 23:37:34 +0000 (18:37 -0500)]
swtpm-localca: Re-implement variable resolution for swtpm-localca.conf
swtpm_localca v0.5 supported resolution of environment variables for
the swtpm-localca.conf configuration file. This functionality was lost
during the port to 'C' in v0.6. This patch now re-implements it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolves: https://github.com/stefanberger/swtpm/issues/663
Stefan Berger [Tue, 1 Feb 2022 17:40:06 +0000 (12:40 -0500)]
swtpm_localca: Test for available issuercert before creating CA
Avoid trying to create TPM certificates while the issuer certificate has
not been created, yet (in a 2nd step).
To resolve this do not just test for availability of the signing key, which
is created first, but also test for the issuer certifcate, which is created
in a 2nd step when the local CA is created. If either one is missing,
attempt to create the CA.
Resolves: https://github.com/stefanberger/swtpm/issues/644 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 16 Feb 2022 16:17:47 +0000 (11:17 -0500)]
swtpm: Check header size indicator against expected size (CID 375869)
This fix addresses Coverity issue CID 375869.
Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.
Without this fix a specially craft header could have cause out-of-bounds
accesses on the byte array containing the swtpm's state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 16 Feb 2022 15:21:15 +0000 (10:21 -0500)]
swtpm_setup: Check for unreasonable number of PCR banks (CID 370783)
This fix addresses Coverity issue CID 370783.
Check for an unreasonable number of PCR banks returned from command sent
to swtpm. Limit the number of PCR banks that can be returned to '20',
which is more than enough.
Previously we may not have sanitized the variable correctly but safeguards
were in place:
Even if the 16 bit variable count was the maximum possible (0xffff) we
should be able to allocate the all_pcr_banks array of string pointers.
Safeguards to not overstep the parsed array are in place in the loop
that's entered afterwards where the count variable serves as a limit
for the loop.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Seunghun Han [Thu, 11 Nov 2021 02:38:22 +0000 (11:38 +0900)]
Move *.conf and *.options to man5
According to the man page sections guideline, man8 should be used
for system administration commands. So this commit moves *.conf and
*.options files to man5.
Signed-off-by: Seunghun Han <kkamagui@gmail.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 5 Nov 2021 19:02:05 +0000 (15:02 -0400)]
swtpm: Fix compilation error on 32bit machines
Fix the following compilation error occurring on 32bit machines:
swtpm_nvstore_linear_file.c: In function 'SWTPM_NVRAM_LinearFile_Mmap':
swtpm_nvstore_linear_file.c:58:20: error: comparison of integer expressions of different signedness: '__off_t' {aka 'long int'} and 'unsigned int' [-Werror=sign-compare]
58 | if (st.st_size >= (uint32_t)sizeof(struct nvram_linear_hdr)) {
| ^~
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 29 Oct 2021 17:04:07 +0000 (13:04 -0400)]
swtpm_setup: Add support for --reconfigure flag to change active PCR banks
Add support for --reconfigure option for the swtpm_setup to be able to
change the active PCR banks. This option only works with --tpm2 and does
not allow to pass several other options such --create-ek or
--create-ek-cert or --create-platform-cert that would alter the state of
the TPM 2 in other ways.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 1 Nov 2021 13:08:22 +0000 (09:08 -0400)]
swtpm_localca: Replace '+' and ',' characters in VMId's
Certain characters are not accepted by gnutls when creating the
subject with the 'CN' from the vmid, so we have to replace those
characters with another one, such as '_'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 28 Oct 2021 16:23:14 +0000 (12:23 -0400)]
swtpm_setup: Get active PCR banks from swtpm_setup.conf
If the user did not provide the PCR banks to activate through the command
line options, try to read it from the config file and if nothing is found
there, fall back to the DEFAULT_PCR_BANKS as set during configure time.
Move the check for the PCR banks after the access check to the
configuration file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 28 Oct 2021 15:25:31 +0000 (11:25 -0400)]
build-sys: Add support for --enable-default-pcr-banks=list of PCR banks
Add an option that allows for the configuration of the default PCR bank
to use. This was currently hard coded to sha256 and now may be passed
via this option. The fallback is still sha256. Valid PCR bank names are
sha1, sha256, sha384, and sha512. The passed list must be a comma-
separated list of the valid PCR bank names.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 28 Oct 2021 18:06:29 +0000 (14:06 -0400)]
swtpm_setup.conf: Use /usr/bin/swtpm_localca for create_certs_tool
swtpm_setup.conf has traditionally pointed to
/usr/share/swtpm/swtpm-localca for create_certs_tool but since
/usr/bin/swtpm_localca is now available, have newly created
config files point to this executable instead.
Since there are possibly many swtpm_setup.conf out there pointing
to /usr/share/swtpm/swtpm-localca, we have to still install
swtm_localca there as well and package it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 15 Oct 2021 03:34:53 +0000 (23:34 -0400)]
swtpm: Disable fsync on file & dir due to TPM timeouts (issue #597)
We cannot currently fsync on the TPM's state file and the dir since this
takes too long and commands in a VM may time out. The reason for this is
that the TPM 2 code occasionally writes the permanent state out even on
commands like TPM2_PCR_Extend that must not take a long time.
See explanation for this in the libtpms PR https://github.com/stefanberger/libtpms/pull/274 .
We will re-enable this feature in 'a while' once the updated libtpms
version has been made more widely available.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 15 Oct 2021 11:44:53 +0000 (07:44 -0400)]
swtpm_setup: Initialize variables to avoid compiler warnings
Fix issue #591 by initializing the variables swtpm_has_tpm2 and
swtpm_has_tpm12.
swtpm_setup.c:1178:31: note: 'swtpm_has_tpm2' was declared here
gboolean swtpm_has_tpm12, swtpm_has_tpm2;
^~~~~~~~~~~~~~
swtpm_setup.c:1019:5: error: 'swtpm_has_tpm12' may be used uninitialized in this function [-Werror=maybe-uninitialized]
printf("{ \"type\": \"swtpm_setup\", "
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"\"features\": [ %s%s\"cmdarg-keyfile-fd\", \"cmdarg-pwdfile-fd\", \"tpm12-not-need-root\""
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since sending a startup message to the TPM will cause it to
want to store permanent state, we have to handle the case when
no storage backend was given and therefore the backend_uri
is NULL.
Previously the above command line caused a NULL pointer exception
but now handles this case with the following output:
swtpm: SWTPM_NVRAM_Init: Missing backend URI.
swtpm: Error: Could not initialize libtpms.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 6 Oct 2021 20:58:04 +0000 (16:58 -0400)]
swtpm_setup: Implement option --create-config-files to create config files
Implement the option --create-config-files to create config files
for swtpm_setup and swtpm-localca for a user account. The files will
be created under the $XDG_CONFIG_HOME or $HOME/.config directories.
This option supports optional arguments 'overwrite' to allow overwriting
existing config files as well as the optional argument 'root' to create
config files under root's home directory. Both options can be passed
by separating them with a ','.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
d/swtpm-tools postinst: create the TSS user if it does not exist
Adapted from tpm-udev [0] which handles that, but it is not really a
hard-requirement for swtpm and TSS_USER is configurable after all
(even if that is mostly used for the test system).
So, create that user and group if it does not exists to avoid errors
and failing installation.
d/swtpm-tools postinst: avoid trying to create/chown in non-configure steps
configure steps should be limited to get only executed on, well
configuration, so check for that and do nothing in the remaining
commands [0] the postinst can be called with.