Stefan Berger [Tue, 25 Aug 2020 16:39:16 +0000 (12:39 -0400)]
debian/rpm: Adjust build and runtime dependencies and directory ownership
Remove tpm-tools from runtime dependencies. Keep trousers for the
creation of the 'tss' user for now. Add python related dependencies.
Adjust the directory ownership for /var/lib/swtpm-localca to tss:root and
the mode flags to 0750. The new CA now may still be created as tss:tss but
users in the tss group will not have access to it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 24 Aug 2020 14:45:34 +0000 (10:45 -0400)]
swtpm_setup: Switch over to new python tool and get rid of the bash script
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 20 Aug 2020 18:12:43 +0000 (14:12 -0400)]
swtpm_setup: Rewrite swtpm_setup.sh in python
Rewrite swtpm_setup.sh in python. Use a permanent connection from the
tool to swtpm via passing file descriptors of a unix socketpair. Implement
all functionality in python so that we don't rely on trousers and tpm-tools
for swtpm_setup. This now allows any user to setup a TPM 1.2 whereas before
it had to be root or the tss user.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 27 Aug 2020 23:50:30 +0000 (19:50 -0400)]
tests: Have softhsm_setup use the temporary directory now
Modify the pkcs11 related test case to set the environment variable for
softhsm_setup to use the temporary directory for config file and state
of softhsm. Also set the SOFTHSM2_CONF environment variable since
certtool also uses the pkcs11 module which in turn will look for its
config file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 27 Aug 2020 23:35:09 +0000 (19:35 -0400)]
tests: Enable softhsm_setup to work with a temporary directory
Use softhsm's SOFTHSM2_CONF environment variable to set the directory
where the configration file is located so that we can now use a temporary
directory for the location of the directory. Use the environment variable
SOFTHSM_SETUP_CONFIGDIR to set the directory where softhsm_setup can
setup its temporary environment for the config file and state of softhsm.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 27 Aug 2020 00:53:10 +0000 (20:53 -0400)]
tests: Fix tests for slow/busy system by taking time again (DA timeout test)
Slow systems, like Cygwin, need so much time from taking the time to sending
the command that we need to take the current time again to check whether the
success is valid. Previously the test may have failed since the old time that
was taken did not allow the success to be valid.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 26 Aug 2020 22:23:21 +0000 (18:23 -0400)]
tests: Squeeze spaces in case od print two space between hexbytes (OpenBSD)
The OpenBSD implementation of 'od -tx1' prints two spaces between
hexbytes, thus the grep for "00 00 00 00" fails and we report an
invalid error. This patch fixes this by squeezing the two consecutive
spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 19 Aug 2020 17:57:14 +0000 (13:57 -0400)]
tests: Skip test if time was detected to be going backwards
We have occasional test failures on Travis running tests on OS X where
time seems to be going backwards in the dictionary attack timeout test.
This patch tries to detect that the time went backwards and skip the
test once a failure would have been detected.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 19 Aug 2020 13:48:59 +0000 (09:48 -0400)]
build-sys: Add build targets selinux-install and selinux-uninstall
Add build targets selinux-install and selinux-uninstall to install
and uninstall the SELinux policy rules at a given priority. The
priority defeaults to 400, which works fine on Fedora.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 10 Aug 2020 02:24:41 +0000 (22:24 -0400)]
swtpm_setup: Get rid of eval when calling external tool (swtpm-localca)
Get rid of using eval when calling $create_certs_tool and only use
eval for resolving variables from the config file.
We only want variable substitution for entries from configuration
files, so escape all other special shell characters that may be
making it onto the command line so that no subshells are opened
and no redirection to files can occurr.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 7 Aug 2020 20:18:27 +0000 (16:18 -0400)]
samples: Get rid of using eval when running swtpm_cert
Get rid of using eval when running swtpm_cert in swtpm-localca.
This is to avoid further evaluation of bash expression that can
spawn subshells ('$(echo foo)') or do other bad things. Bad input
could come from malformed configuration files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 7 Aug 2020 15:29:34 +0000 (11:29 -0400)]
samples: Escape many more characters before calling eval on an entry
Escape many more special shell characters before calling eval on
an entry to convert a variable to its value. Uncareful writing of
a swtpm-local.conf config file could have lead to files being over-
written using '>' for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 31 Jul 2020 14:47:27 +0000 (10:47 -0400)]
tests: Modify sample key to be 2048 bit rather than only 2033 bit
The generated sample keys started with 00010203, thus leaving the upper
15 bits of the key as '0', which in turn causes gnutls to think that the
key is only 2033 bit long, thus rejecting certificate verification once
the min-verification-profile is set to 'medium' in gnutls's config file
in /etc/crypto-policies/back-ends/gnutls.config.
We now create sample keys starting with 800102, which sets the highest bit.
This fixes test errors on Fedora Rawhide due to the change in the
min-verification-profile setting in gnutls.config.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 24 Jul 2020 19:11:18 +0000 (15:11 -0400)]
tests: Squeeze spaces in case od print two space between hexbytes (OpenBSD)
The OpenBSD implementation of 'od -tx1' prints two spaces between
hexbytes, thus the grep for "00 00 00 00" fails and we report an
invalid error. This patch fixes this by squeezing the two consecutive
spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 23 Jul 2020 18:17:44 +0000 (14:17 -0400)]
build-sys: Check whether tss user and group are available
If the tcsd (trousers) is available, TPM 1.2 support should work as well.
Typically the tss user and group should be defined at this point, but
this may not always be the case, so make sure that this user and group
are available on the system.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 23 Jul 2020 04:55:49 +0000 (00:55 -0400)]
swtpm_setup: Only change file and directory ownership if needed
Change the file and directory ownership of tcsd related files only if it
is absolutely needed. It is not needed if we are running as user TCSD_USER
in group TCSD_GROUP because then the files were created with the needed
owner and group. This avoids problems when trying to change file ownership
when invoked by libvirt where we do not have the capabilities to change
file ownership even as root.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 23 Jul 2020 04:47:37 +0000 (00:47 -0400)]
swtpm_setup: Allow group read-rights on $TCSD_CONFIG file if tss user != tss group
When the TSS_USER != TSS_GROUP, e.g., user 'root' and group 'tss', then
tcsd requires that the access mode bits on the $TCSD_CONFIG file are set
to 0640, otherwise we get this error:
TCSD ERROR: TCSD config file (/tmp/tmp.Yd4LIF7mCE) must be mode 0640
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 23 Jul 2020 04:42:52 +0000 (00:42 -0400)]
swtpm_setup: log errors from tcsd in logfile
Redirect stdout and stderr from tcsd into a file and if tcsd reported
an error copy the error into the logfile. This makes debugging tcsd
related issues, such as ownership or access mode issues, easier.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 13 Jul 2020 13:10:43 +0000 (09:10 -0400)]
tests: Use the IBM TSS2 v1.5.0's test suite
Upgrade to use the IBM TSS2 tests from v1.5.0.
Add a patch that eliminates all testing of 3072 bit RSA keys in case
libtpms does not support such keys. This test also passes with libtpms
0.6.0 and 0.7.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 26 Jun 2020 22:31:35 +0000 (18:31 -0400)]
tests: Adapt test cases' expected PCR result due to libtpms TPM 2 fix
libtpms version 0.6.3, 0.7.3, and master have a change to the TPM 2 code
that affects the pcrUpdateCounter, which now returns a smaller value than
before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
James Bottomley [Sun, 10 May 2020 19:32:43 +0000 (12:32 -0700)]
build-sys: Let swtpm build with in-place libtpms
Building things like this in-place is really useful when you can't be
bothered to package and install them for your distribution but still
want to use them. This patch allows building swtpm with libtpms in
place. Simply specify the location to LDFLAGS and CFLAGS on the
configure line
It will then build a version that can run in-place.
I also think it corrects a bug in the original in that if pkg-config
had specified a non standard library location, the version check
wouldn't have used it.
Signed-off-by: James E.J. Bottomley <jejb@linux.ibm.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 23 Apr 2020 17:18:07 +0000 (13:18 -0400)]
swtpm_setup: Report supported RSA key sizes useful for EK key creation
Extend the --print-capabilities option to also report supported RSA
key sizes. Only the TPM 2 may support anything else than 2048 bit RSA
keys, so we only consult 'swtpm socket --tpm2 --print-capabilities'
and grep for 2048 and 3072 key sizes and report them.
If nothing is found, nothing is reported, as before, and 2048 bit RSA
keys should be assumed.
'swtpm_setup --tpm2 --print-capabilities' may now show the following:
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"tpm2-rsa-keysize-2048",
"tpm2-rsa-keysize-3072"
]
}
Also adjust a test case to use a regular expression for matching
against an expected string that may nor may not have rsa-keysize
verbs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 20 Apr 2020 15:36:12 +0000 (11:36 -0400)]
tests: Remove RSA 3072 tests only if libtpms not show RSA 3072 support
Check the libtpms capabilities via 'swtpm_ioctl -i 4' to see whether
libtpms supports RSA 3072 bit keys. Only if this is not the case
deactivate all RSA 3072 bit key tests.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 23 Apr 2020 14:19:50 +0000 (10:19 -0400)]
swtpm: Construct RSA key size capabilities from TPMLIB_GetInfo()
Construct RSA key size capability strings from libtpms TPMLIB_GetInfo()
string so that we can easily show which RSA key sizes are supported by
the TPM 2 implementation. If none are advertised, 1024 & 2048 can be
assumed to be supported.
'swtpm socket --tpm2 --print-capabilities' may now print the following:
{
"type": "swtpm",
"features": [
"tpm-send-command-header",
"flags-opt-startup",
"cmdarg-seccomp",
"cmdarg-key-fd",
"cmdarg-pwd-fd",
"no-tpm12-tools",
"rsa-keysize-1024",
"rsa-keysize-2048",
"rsa-keysize-3072"
]
}
We need to adapt the related test case to use a regular expression since
the rsa-keysize-xyz strings may or may not be there depending on libtpms
version.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 1 May 2020 19:10:03 +0000 (15:10 -0400)]
swtpm_setup: bugfix: Create ECC storage primary key in owner hierarchy
The ECC storage primary key was mistakently created in the endorsement
hierarchy but should be in the owner hierarchy. This patch corrects this
to have this key created in the owner hierarchy (like the RSA key),
thus using 0x40 00 00 01.
This only mattered if one used --create-spk and --ecc together.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 1 May 2020 01:12:26 +0000 (21:12 -0400)]
swtpm_setup: bugfix: remove tpm2_stirrandom and tpm2_changeeps
Remove tpm2_stirrandom, which we should not need to run on a newly
created TPM 2.
Also remove tpm2_changeeps which was called twice when creating two
EKs, thus invalidating a previous EK that may have been created.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 30 Apr 2020 05:41:13 +0000 (01:41 -0400)]
swtpm_setup: Create RSA 2048 and ECC NIST P256 keys and certs
Following "TCG PC Client Platform TPM Profile Specification for
TPM 2.0, version 1.04, Rev 37" create and RSA and an ECC NIST P256
key now. We will upgrade the ECC NIST key to P384 in the next
step.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 29 Apr 2020 20:58:00 +0000 (16:58 -0400)]
swtpm_setup: Pass the ECC curve id and hash alg. into functions
Pass the ECC curve id and hash algorithm and the ECC_NONCE to the
function creating the ECC keys rather than hard coding them. Rename
the functions that create the NIST_P256 ECC keys to have _nist_p256
suffix in the name.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sat, 25 Apr 2020 16:07:22 +0000 (12:07 -0400)]
tests: Pass -pc 80 to tssgetcapability to see all 65 handles
tssgetcapability only retrieves a maximum of 64 handles by default.
However, there are 65 persisted keys. Pass -pc 80 to the command to
see all 65 Handles.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 23 Apr 2020 00:55:15 +0000 (20:55 -0400)]
tests: Add test case for loading of an NVRAM completely full with keys
Add a test case that fills up the NVRAM area with as many persisted keys
as possible and then fills up the rest with an NVRAM index so that all
space is occupied. We have to be able to load this state again into the
NVRAM once the OBJECT's size increases due to RSA keys size increase,
which must have us increase the total size of NVRAM in libtpm's TPM profile.
The state in tests/data/tpm2state5/tpm2-00.permall was created using
libtpms 0.6.0, where only 2048 bit keys were supported and total NVRAM size
was 128kb. This state file should never be changed and always be loadable
into a current libtpms. In its USER NVRAM it holds 64 persisted 2048 bit
keys and an NVRAM index with 236 bytes. For this to stay the reference
NVRAM, we need to make sure that it fits exactly to the byte.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 24 Apr 2020 15:17:54 +0000 (11:17 -0400)]
tests: Repeat download of TPM 1.2 test suite with random wait intervals
Sometimes the download of the TPM 1.2 test suite from sourceforge
fails. So retry up to 3 times and wait a random seconds in the interval
of [3..10] before retrying.
Check the hash of the file we downloaded to make sure we get what we
expected.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
It's not necessary anymore to #include <seccomp.h> from the main programs.
Once removed, it also fixes the build on SuSE where seccomp.h is in
seccomp/seccomp.h and we didn't use the LIBSECCOMP_CFLAGS for swtpm.c etc.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Tue, 30 Oct 2018 02:02:06 +0000 (22:02 -0400)]
samples: Extend script to create a CA using a TPM 2 for signing
Extend the script that creates a CA that uses a TPM 2 for signing.
For this we have to create tokens using the TPM 2 pkcs11 module's
tpm2_ptool and can then use the p11tool for creating keys.
Add a test case that requires a running tpm2-abrmd and tpm2_ptool.
Eventually the test case should (try to) start its own tpm2-abrmd
and talk to swtpm directly but the tcti module to do that isn't
available as a package, yet.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sun, 12 Apr 2020 00:19:12 +0000 (20:19 -0400)]
swtpm: Address cygwin compilation warning
Compilation on cygwin reports the following issue:
In file included from key.c:43:
key.c: In function ‘key_stream_to_bin’:
key.c:135:26: error: array subscript has type ‘char’ [-Werror=char-subscripts]
135 | !isspace(input[digits]) &&
| ~~~~~^~~~~~~~
key.c:143:40: error: array subscript has type ‘char’ [-Werror=char-subscripts]
143 | if (input[digits] && !isspace(input[digits]))
| ~~~~~^~~~~~~~
Address the issue using an explicit cast of char to int.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 9 Apr 2020 22:54:37 +0000 (18:54 -0400)]
tests: Modify test to create 2 orderly indices
Modify the test_tpm2_save_load_state_3 to create 2 orderly NVRAM indices
in the first two locations. Those indices will be cleared by a reset
of the TPM and therefore cannot be read once the TPM 2 restarts after
the reset. This also provides better test coverage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 9 Apr 2020 16:50:03 +0000 (12:50 -0400)]
tests: Change localhost to 127.0.0.1 or explicityly set 127.0.0.1
To make the test cases work on Travis on Bionic replace all occurrences of
localhost with 127.0.0.1. The only affected client tools seem to be those
related to the TPM 1.2 and the IBM TSS2. For some reason the API used
there cannot resolve localhost to 127.0.0.1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 9 Apr 2020 22:18:00 +0000 (18:18 -0400)]
swtpm_setup: Explicitly set TCSD_TCP_DEVICE_HOSTNAME=127.0.0.1
To make swtpm_setup.sh work on Travis on Bionic we need to
explicitly set TCSD_TCP_DEVICE_HOSTAME=127.0.0.1 since lookup
of localhost (with the API the tcsd is using) does not work.
It doesn't negatively affect any other use case, so no problem
setting it.
Also replace localhost in the bash tcp device path with 127.0.0.1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Tue, 7 Apr 2020 19:30:25 +0000 (15:30 -0400)]
tests: Better detect a 32 bit TPM for the TPM2 derived keys test
The simplest way to detect whether SWTPM_EXE is a 64 bit application on
Linux is to check whether it links against any library in a */lib64/*
directory and only if this is the case we run a particular test case for
which we know what keys 64 bit TPMs are producing given a pre-created
state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 6 Mar 2020 15:16:33 +0000 (10:16 -0500)]
swtpm: Fix vtpm proxy case without startup flags
'swtpm chardev --vptm-proxy' currently requires a '--flag startup-xyz'
to be passed since otherwise the need_init_cmd variable would not be
set to false and swtpm would terminate after sending the startup
command. To maintain backwards compatibility we have to always
set the need_init_cmd variable to false for the --vtpm-proxy case
and must not require a startup flag to be passed.
Roll back one of the test case to not use the startup flag.
projects / swtpm.git / log