Stefan Berger [Fri, 5 Nov 2021 19:02:05 +0000 (15:02 -0400)]
swtpm: Fix compilation error on 32bit machines
Fix the following compilation error occurring on 32bit machines:
swtpm_nvstore_linear_file.c: In function 'SWTPM_NVRAM_LinearFile_Mmap':
swtpm_nvstore_linear_file.c:58:20: error: comparison of integer expressions of different signedness: '__off_t' {aka 'long int'} and 'unsigned int' [-Werror=sign-compare]
58 | if (st.st_size >= (uint32_t)sizeof(struct nvram_linear_hdr)) {
| ^~
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 29 Oct 2021 17:04:07 +0000 (13:04 -0400)]
swtpm_setup: Add support for --reconfigure flag to change active PCR banks
Add support for --reconfigure option for the swtpm_setup to be able to
change the active PCR banks. This option only works with --tpm2 and does
not allow passing several other options such as --create-ek or
--create-ek-cert or --create-platform-cert that would alter the state of
the TPM 2 in other ways.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 1 Nov 2021 13:08:22 +0000 (09:08 -0400)]
swtpm_localca: Replace '+' and ',' characters in VMIds
Certain characters are not accepted by gnutls when creating the
subject with the 'CN' from the vmid, so we have to replace those
characters with another one, such as '_'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
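Added example, not swtpm_localca's own code: a sanitizer for a VM id that is about to become the CN of a certificate subject. The commit above replaces '+' and ','; this version generalizes to the full set of bytes RFC 4514 treats as special in a DN string value (plus control characters and edge spaces), which is the check a practitioner would want before handing attacker-influenced names to any DN parser. The function name and the choice of '_' as replacement are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Bytes that RFC 4514 treats as special inside a DN string value.  The commit
 * above replaces only '+' and ','; the rest are included here because a CN
 * containing them is just as likely to be rejected or mis-parsed. */
static const char DN_SPECIALS[] = ",+\"\\<>;";

/* Copy vmid into out (capacity outlen), replacing each DN-special byte with
 * '_'.  A leading '#' or a leading/trailing space is replaced as well, since
 * those carry special meaning at the edges of an attribute value, and so are
 * control characters.  Returns false (and sets out to "") if out is too
 * small to hold the result.  Hypothetical helper, not swtpm_localca's API. */
bool sanitize_cn(const char *vmid, char *out, size_t outlen)
{
    size_t n = strlen(vmid);

    if (outlen == 0)
        return false;
    if (n + 1 > outlen) {
        out[0] = '\0';
        return false;
    }
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)vmid[i];
        bool special = strchr(DN_SPECIALS, c) != NULL;

        if (i == 0 && (c == '#' || c == ' '))
            special = true;        /* special only at the start of a value */
        if (i == n - 1 && c == ' ')
            special = true;        /* trailing space must be escaped in a DN */
        if (c < 0x20 || c == 0x7f)
            special = true;        /* control characters never belong in a CN */
        out[i] = special ? '_' : (char)c;
    }
    out[n] = '\0';
    return true;
}
```

Replacing rather than escaping is deliberate: an escaped CN would round-trip through the DN parser, but the resulting subject would still be confusing in logs and tooling, and the VM id is only used as a label here.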
Stefan Berger [Thu, 28 Oct 2021 16:23:14 +0000 (12:23 -0400)]
swtpm_setup: Get active PCR banks from swtpm_setup.conf
If the user did not provide the PCR banks to activate through the command
line options, try to read them from the config file and if nothing is found
there, fall back to the DEFAULT_PCR_BANKS as set during configure time.
Move the check for the PCR banks after the access check to the
configuration file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 28 Oct 2021 15:25:31 +0000 (11:25 -0400)]
build-sys: Add support for --enable-default-pcr-banks=list of PCR banks
Add an option that allows for the configuration of the default PCR banks
to use. This is currently hard coded to sha256 and now may be passed
via this option. The fallback is still sha256. Valid PCR bank names are
sha1, sha256, sha384, and sha512. The passed list must be a comma-
separated list of the valid PCR bank names.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
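Added example (not swtpm_setup's code) covering the two commits above: resolving the active PCR banks with the precedence they describe (command line, then config file, then the configure-time default) and validating the result against the four bank names the build option accepts. The config key name `active_pcr_banks`, the `key = value` line format and the function names are assumptions made for the example; the sample config text is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Valid PCR bank names per the --enable-default-pcr-banks commit above. */
static const char *const VALID_BANKS[] = { "sha1", "sha256", "sha384", "sha512" };
#define NBANKS (sizeof VALID_BANKS / sizeof VALID_BANKS[0])

/* True if list is a non-empty comma-separated list of valid bank names with
 * no empty fields and no repeated bank, e.g. "sha256,sha384". */
bool pcr_banks_valid(const char *list)
{
    bool seen[NBANKS] = { false };
    const char *p = list;

    if (p == NULL || *p == '\0')
        return false;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int idx = -1;

        if (len == 0)
            return false;                 /* ",sha256" or "sha1,,sha256" */
        for (size_t i = 0; i < NBANKS; i++)
            if (strlen(VALID_BANKS[i]) == len && memcmp(VALID_BANKS[i], p, len) == 0)
                idx = (int)i;
        if (idx < 0 || seen[idx])
            return false;                 /* unknown or repeated bank */
        seen[idx] = true;
        if (!end)
            break;
        p = end + 1;
        if (*p == '\0')
            return false;                 /* trailing comma */
    }
    return true;
}

/* Minimal "key = value" lookup over config text (assumed format).  Returns
 * the trimmed value in a static buffer, or NULL if the key is absent. */
static const char *config_lookup(const char *config, const char *key)
{
    static char value[128];
    size_t klen = strlen(key);

    for (const char *line = config; line && *line; ) {
        const char *nl = strchr(line, '\n');
        const char *next = nl ? nl + 1 : NULL;
        size_t llen = nl ? (size_t)(nl - line) : strlen(line);

        while (llen && (*line == ' ' || *line == '\t')) { line++; llen--; }
        if (llen > klen && memcmp(line, key, klen) == 0 &&
            (line[klen] == ' ' || line[klen] == '\t' || line[klen] == '=')) {
            const char *v = line + klen;
            size_t vlen = llen - klen;

            while (vlen && (*v == ' ' || *v == '\t' || *v == '=')) { v++; vlen--; }
            while (vlen && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t' || v[vlen - 1] == '\r'))
                vlen--;
            if (vlen >= sizeof value)
                return NULL;
            memcpy(value, v, vlen);
            value[vlen] = '\0';
            return value;
        }
        line = next;
    }
    return NULL;
}

/* Precedence from the commit: command line, then config file, then the
 * compile-time default.  Whatever wins is validated; NULL means reject. */
const char *resolve_pcr_banks(const char *cmdline, const char *config,
                              const char *default_banks)
{
    const char *chosen = cmdline;

    if (chosen == NULL)
        chosen = config_lookup(config, "active_pcr_banks");  /* assumed key */
    if (chosen == NULL)
        chosen = default_banks;
    return pcr_banks_valid(chosen) ? chosen : NULL;
}
```

Validating after resolution rather than only on the command line matters: the config file and the configure-time default are both inputs a packager or administrator can get wrong, and a misspelled bank name should fail setup rather than silently activate nothing.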
Stefan Berger [Thu, 28 Oct 2021 18:06:29 +0000 (14:06 -0400)]
swtpm_setup.conf: Use /usr/bin/swtpm_localca for create_certs_tool
swtpm_setup.conf has traditionally pointed to
/usr/share/swtpm/swtpm-localca for create_certs_tool but since
/usr/bin/swtpm_localca is now available, have newly created
config files point to this executable instead.
Since there are possibly many swtpm_setup.conf out there pointing
to /usr/share/swtpm/swtpm-localca, we have to still install
swtpm_localca there as well and package it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 15 Oct 2021 03:34:53 +0000 (23:34 -0400)]
swtpm: Disable fsync on file & dir due to TPM timeouts (issue #597)
We cannot currently fsync on the TPM's state file and the dir since this
takes too long and commands in a VM may time out. The reason for this is
that the TPM 2 code occasionally writes the permanent state out even on
commands like TPM2_PCR_Extend that must not take a long time.
See explanation for this in the libtpms PR https://github.com/stefanberger/libtpms/pull/274 .
We will re-enable this feature in 'a while' once the updated libtpms
version has been made more widely available.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 15 Oct 2021 11:44:53 +0000 (07:44 -0400)]
swtpm_setup: Initialize variables to avoid compiler warnings
Fix issue #591 by initializing the variables swtpm_has_tpm2 and
swtpm_has_tpm12.
swtpm_setup.c:1178:31: note: 'swtpm_has_tpm2' was declared here
gboolean swtpm_has_tpm12, swtpm_has_tpm2;
^~~~~~~~~~~~~~
swtpm_setup.c:1019:5: error: 'swtpm_has_tpm12' may be used uninitialized in this function [-Werror=maybe-uninitialized]
printf("{ \"type\": \"swtpm_setup\", "
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"\"features\": [ %s%s\"cmdarg-keyfile-fd\", \"cmdarg-pwdfile-fd\", \"tpm12-not-need-root\""
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since sending a startup message to the TPM will cause it to
want to store permanent state, we have to handle the case when
no storage backend was given and therefore the backend_uri
is NULL.
Previously the above command line caused a NULL pointer exception
but now handles this case with the following output:
swtpm: SWTPM_NVRAM_Init: Missing backend URI.
swtpm: Error: Could not initialize libtpms.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 6 Oct 2021 20:58:04 +0000 (16:58 -0400)]
swtpm_setup: Implement option --create-config-files to create config files
Implement the option --create-config-files to create config files
for swtpm_setup and swtpm-localca for a user account. The files will
be created under the $XDG_CONFIG_HOME or $HOME/.config directories.
This option supports optional arguments 'overwrite' to allow overwriting
existing config files as well as the optional argument 'root' to create
config files under root's home directory. Both options can be passed
by separating them with a ','.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
d/swtpm-tools postinst: create the TSS user if it does not exist
Adapted from tpm-udev [0] which handles that, but it is not really a
hard-requirement for swtpm and TSS_USER is configurable after all
(even if that is mostly used for the test system).
So, create that user and group if it does not exist to avoid errors
and failing installation.
d/swtpm-tools postinst: avoid trying to create/chown in non-configure steps
Configure steps should be limited to only get executed on, well,
configuration, so check for that and do nothing for the remaining
commands [0] the postinst can be called with.
debian: downgrade trousers package dependency to recommended
Currently `trousers` is listed as (hard) Dependency, but it does not
seem to be required for quite a few use cases, e.g., ours where we are
mainly using swtpm for providing a TPM to VMs.
With trousers in Debian one gets an additional pain point: it comes
with a rather dated and, in some circumstances, mistakenly failing init
script [0] that can throw errors when setting up during installation
and thus fail the whole installation of swtpm as Debian policy for
`Depends` hits:
> A package will not be configured unless all of the packages listed
> in its Depends field have been correctly configured
-- [1]
Declaring dependencies for things that are not a hard requirement means
that a user will be required to install more dependencies than
actually needed.
Just documenting that as the reason why I investigated the
hard requirement on trousers in the first place, not an actual
justification - it's a packaging bug after all.
So downgrade the dependency to "Suggests", as it seems a reasonable
level when checking its documented meaning:
> This is used to declare that one package may be more useful with
> one or more others. Using this field tells the packaging system and
> the user that the listed packages are related to this one and can
> perhaps enhance its usefulness, but that installing this one without
> them is perfectly reasonable.
-- [1]
Stefan Berger [Tue, 5 Oct 2021 18:29:51 +0000 (14:29 -0400)]
swtpm: Call msync with length = 0 on Cygwin
Cygwin internally uses the Windows API call FlushViewOfFile that
seems to not like to be called with an excessive number of bytes.
Instead, call it with length = 0 so that 'the file is flushed from
the base address to the end of the mapping' and then msync() succeeds.
Stefan Berger [Tue, 5 Oct 2021 16:39:49 +0000 (12:39 -0400)]
swtpm_setup: Use pidfile filename rather than fd (Cygwin, BSDs)
Use the pidfile filename rather than the fd because Cygwin for example
does not seem to support passed file descriptors and also OpenBSD
does not pass some test cases because of this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Reiter [Thu, 30 Sep 2021 08:03:05 +0000 (10:03 +0200)]
swtpm_setup: add abstract swtpm_backend_ops with dir:// implementation
Abstract away implementation specific code for handling TPM state in
swtpm_setup. The current code for handling directories is moved to
'swtpm_backend_dir.c'.
Where possible, the input argument is simply passed verbatim as
'backend-uri' to swtpm.
No functional change intended, aside from supporting 'dir://' as
optional prefix. The checks for lock-file accessibility are moved to
check_access(), but that shouldn't affect anything AFAICT.
Stefan Reiter [Thu, 30 Sep 2021 07:30:45 +0000 (09:30 +0200)]
swtpm_setup: remove redundant delete_state function
...and use delete_swtpm_statefiles instead. This function iterates the
folder instead of just deleting one file, but since it is already called
before the init call guarded here, it can only affect files created by
this run anyway.
Note that delete_state had slightly different return semantics, but it
doesn't matter, as the return value is ignored here anyway (best effort
cleanup).
Stefan Reiter [Thu, 5 Aug 2021 12:14:15 +0000 (14:14 +0200)]
swtpm: Add tests for "linear file" backend
Adapt save_load_state tests to include coverage of the "linear file"
backend mode. "tpm2" save/load is tested with both a regular file and
a loop device to exercise the blockdev mmap code.
Stefan Reiter [Thu, 5 Aug 2021 12:09:55 +0000 (14:09 +0200)]
swtpm: Add "linear file" nvram store backend
Implements a second abstraction layer as an NVRAM storage backend: The
"linear" backend stores data in a simple format that can contain
multiple files (multiple TPM states and numbers) in one linear address
space. This can then be mapped to files or other "block-device-like"
interfaces using nvram_linear_file_ops implementations.
A simple one using mmap is provided with the URI type "file://".
Does not support any locking at the moment, users must ensure exclusive
access themselves.
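Added example, not swtpm's nvram_linear code: the on-disk layout below (a fixed header holding a small directory of id/offset/length entries followed by the blobs) is a hypothetical one chosen to illustrate a "multiple files in one linear address space" store, and all names and the magic value are assumptions. It shows the checks a reader of a mapped state file needs before trusting it: the file is at least header-sized, compared without the signed/unsigned pitfall that the 32-bit sign-compare fix at the top of this page addresses (off_t is signed and 32 bits wide on i386, so a negative value would compare as huge), and every directory entry lies inside the mapping, computed in 64-bit so offset+length cannot wrap. The mapping is assumed to be suitably aligned, as mmap() and malloc() results are.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define LIN_MAGIC     0x4C4E5231u   /* "LNR1", hypothetical */
#define LIN_MAX_FILES 8

struct lin_entry { uint32_t id; uint32_t offset; uint32_t length; };
struct lin_hdr {
    uint32_t magic;
    uint32_t nfiles;
    struct lin_entry dir[LIN_MAX_FILES];   /* the "files" in the linear space */
};

/* st_size is off_t, which is signed (and 32 bits on i386).  Comparing it
 * directly with a size_t converts a negative value to a huge unsigned one,
 * so reject negatives first and widen to uintmax_t for the comparison. */
bool size_covers_header(off_t st_size)
{
    return st_size >= 0 && (uintmax_t)st_size >= sizeof(struct lin_hdr);
}

/* Validate a mapping of maplen bytes.  Returns the header or NULL if the
 * magic, entry count or any entry's [offset, offset+length) is out of bounds. */
const struct lin_hdr *lin_validate(const uint8_t *map, size_t maplen)
{
    const struct lin_hdr *h = (const struct lin_hdr *)map;

    if (maplen < sizeof(struct lin_hdr))
        return NULL;
    if (h->magic != LIN_MAGIC || h->nfiles > LIN_MAX_FILES)
        return NULL;
    for (uint32_t i = 0; i < h->nfiles; i++) {
        const struct lin_entry *e = &h->dir[i];
        uint64_t end = (uint64_t)e->offset + e->length;   /* cannot wrap in 64 bits */

        if (e->offset < sizeof(struct lin_hdr) || end > maplen)
            return NULL;                       /* entry overlaps header or runs off the map */
    }
    return h;
}

/* Initialize an empty store in map. */
bool lin_init(uint8_t *map, size_t maplen)
{
    struct lin_hdr *h = (struct lin_hdr *)map;

    if (maplen < sizeof(struct lin_hdr))
        return false;
    memset(h, 0, sizeof *h);
    h->magic = LIN_MAGIC;
    return true;
}

/* Append a blob with a unique id after the current end of used space. */
bool lin_append(uint8_t *map, size_t maplen, uint32_t id,
                const uint8_t *data, size_t len)
{
    struct lin_hdr *h = (struct lin_hdr *)map;
    uint64_t end = sizeof(struct lin_hdr);

    if (!lin_validate(map, maplen) || h->nfiles >= LIN_MAX_FILES || len > UINT32_MAX)
        return false;
    for (uint32_t i = 0; i < h->nfiles; i++) {
        uint64_t e = (uint64_t)h->dir[i].offset + h->dir[i].length;

        if (h->dir[i].id == id)
            return false;                      /* ids are unique */
        if (e > end)
            end = e;
    }
    if (end + len > maplen || end > UINT32_MAX)
        return false;                          /* no room in the mapping */
    memcpy(map + end, data, len);
    h->dir[h->nfiles].id = id;
    h->dir[h->nfiles].offset = (uint32_t)end;
    h->dir[h->nfiles].length = (uint32_t)len;
    h->nfiles++;
    return true;
}

/* Locate blob id; sets *data and returns its length, or -1 if absent/invalid. */
long lin_lookup(const uint8_t *map, size_t maplen, uint32_t id, const uint8_t **data)
{
    const struct lin_hdr *h = lin_validate(map, maplen);

    if (!h)
        return -1;
    for (uint32_t i = 0; i < h->nfiles; i++)
        if (h->dir[i].id == id) {
            *data = map + h->dir[i].offset;
            return (long)h->dir[i].length;
        }
    return -1;
}
```

The point of validating on every access is that the state file is an input: with a file:// or block-device backend, whoever can write the device can write the directory, and an unchecked offset or length turns a read of TPM state into a read (or, on write paths, a write) anywhere in the process's address space.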
Stefan Berger [Mon, 4 Oct 2021 22:07:43 +0000 (18:07 -0400)]
tests: Skip TPM 2 pkcs11-related test when ASAN is used
The key is freed using 'gnutls_privkey_deinit(pkcs11key)', yet the
following memory leaks show up that are most likely in the pkcs11 module.
Skip the test if ASAN is being used to avoid the test failure.
Direct leak of 55080 byte(s) in 1 object(s) allocated from:
#0 0x7fdabb152af7 in calloc (/lib64/libasan.so.6+0xaeaf7)
#1 0x7fdab6b737c6 in C_Initialize (/usr/lib64/pkcs11/libtpm2_pkcs11.so+0x147c6)
#2 0x7fdab9a5f8a9 in initialize_module_inlock_reentrant (/lib64/libp11-kit.so.0+0x2b8a9)
#3 0x7fdab9a5fc88 in managed_C_Initialize (/lib64/libp11-kit.so.0+0x2bc88)
#4 0x7fdab9a66018 in p11_kit_modules_initialize (/lib64/libp11-kit.so.0+0x32018)
#5 0x7fdab9a66778 in p11_kit_modules_load_and_initialize (/lib64/libp11-kit.so.0+0x32778)
#6 0x7fdabab10dc5 in auto_load (/lib64/libgnutls.so.30+0x9cdc5)
#7 0x7fdabab12656 in gnutls_pkcs11_init (/lib64/libgnutls.so.30+0x9e656)
#8 0x7fdabab12779 in _gnutls_pkcs11_check_init (/lib64/libgnutls.so.30+0x9e779)
#9 0x7fdabab1af1f in gnutls_pkcs11_privkey_import_url (/lib64/libgnutls.so.30+0xa6f1f)
#10 0x7fdabaaee0e3 in gnutls_privkey_import_url (/lib64/libgnutls.so.30+0x7a0e3)
#11 0x40abee in main /home/stefanb/dev/swtpm/src/swtpm_cert/ek-cert.c:1399
#12 0x7fdab9f5ab74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
#13 0x40366d in _start (/home/stefanb/dev/swtpm/src/swtpm_cert/swtpm_cert+0x40366d)
Indirect leak of 8208 byte(s) in 1 object(s) allocated from:
#0 0x7fdabb152af7 in calloc (/lib64/libasan.so.6+0xaeaf7)
#1 0x7fdab6b736f9 in C_Initialize (/usr/lib64/pkcs11/libtpm2_pkcs11.so+0x146f9)
#2 0x7fdab9a5f8a9 in initialize_module_inlock_reentrant (/lib64/libp11-kit.so.0+0x2b8a9)
#3 0x7fdab9a5fc88 in managed_C_Initialize (/lib64/libp11-kit.so.0+0x2bc88)
#4 0x7fdab9a66018 in p11_kit_modules_initialize (/lib64/libp11-kit.so.0+0x32018)
#5 0x7fdab9a66778 in p11_kit_modules_load_and_initialize (/lib64/libp11-kit.so.0+0x32778)
#6 0x7fdabab10dc5 in auto_load (/lib64/libgnutls.so.30+0x9cdc5)
#7 0x7fdabab12656 in gnutls_pkcs11_init (/lib64/libgnutls.so.30+0x9e656)
#8 0x7fdabab12779 in _gnutls_pkcs11_check_init (/lib64/libgnutls.so.30+0x9e779)
#9 0x7fdabab1af1f in gnutls_pkcs11_privkey_import_url (/lib64/libgnutls.so.30+0xa6f1f)
#10 0x7fdabaaee0e3 in gnutls_privkey_import_url (/lib64/libgnutls.so.30+0x7a0e3)
#11 0x40abee in main /home/stefanb/dev/swtpm/src/swtpm_cert/ek-cert.c:1399
#12 0x7fdab9f5ab74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
#13 0x40366d in _start (/home/stefanb/dev/swtpm/src/swtpm_cert/swtpm_cert+0x40366d)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 1 Oct 2021 20:50:07 +0000 (16:50 -0400)]
swtpm: Make fsync-related errors non-fatal (for libvirt using AppArmor)
Only recent libvirt versions have the patch for the AppArmor profile for
libvirt to allow fsync after opening a directory for reading. Rather
than failing hard on the open-directory-for-reading error, log it once
and continue and do not try it again after.
This patch addresses the problems seen on Ubuntu related to an older
version of libvirt without the AppArmor profile update.
- issue #484
- issue #549
- issue #559
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 1 Oct 2021 13:18:58 +0000 (09:18 -0400)]
swtpm: Make fsync() errors non-fatal (for libvirt using AppArmor)
Only recent libvirt versions have the patch for the AppArmor profile
for libvirt to allow fsync on dir and directory. Rather than failing
hard on this error, log it once and continue and do not try fsync
again after.
This patch addresses the problems seen on Ubuntu related to an older
version of libvirt without the AppArmor profile update.
- issue #484
- issue #549
- issue #559
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 30 Sep 2021 17:40:26 +0000 (13:40 -0400)]
swtpm_setup: Fix errno comparison on end-of-directory (FreeBSD)
FreeBSD may return errno EINVAL beside ENOENT once there are no more
entries in a directory to walk over. It claims that readdir() follows
the getdirentries() return codes, which do include EINVAL but not
ENOENT. But ENOENT is also being used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
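Added example, not swtpm_setup's code: a directory walk that tells end-of-directory apart from a real readdir() failure. readdir() returns NULL in both cases, so errno is cleared before each call and inspected afterwards; per the commit above, FreeBSD may leave EINVAL or ENOENT behind at end-of-directory, so both are treated as a clean end. The function name is an assumption, and the test creates its own temporary directory.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Count the entries in path other than "." and "..".  Returns -1 with errno
 * set on a real error.  readdir() signals both end-of-directory and error by
 * returning NULL, so errno is cleared before every call and checked once the
 * loop ends; EINVAL and ENOENT are accepted as end-of-directory because
 * FreeBSD's readdir() may report the end that way (see the commit above). */
long count_dir_entries(const char *path)
{
    DIR *d = opendir(path);
    struct dirent *ent;
    long n = 0;
    int saved;

    if (!d)
        return -1;
    errno = 0;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") != 0 && strcmp(ent->d_name, "..") != 0)
            n++;
        errno = 0;               /* a successful call may leave stale errno */
    }
    saved = errno;               /* capture before closedir() can clobber it */
    closedir(d);
    if (saved != 0 && saved != EINVAL && saved != ENOENT) {
        errno = saved;
        return -1;
    }
    return n;
}
```

Treating only 0 as a clean end is the bug the commit fixes; treating every errno as a clean end would be the opposite mistake, silently returning a partial listing when, for example, the directory was removed underneath the walk.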
Stefan Berger [Wed, 29 Sep 2021 16:35:58 +0000 (12:35 -0400)]
tests: Use nm and grep to check for ASAN
clang doesn't link executables built with ASAN support to libasan, like
gcc does, so we have to use nm rather than ldd for checking for whether
the executable was built with ASAN. nm is part of the binutils package
and should be available on all systems where gcc was installed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Whenever swtpm_setup is executed with --logfile option, forward the
option to swtpm (--log file=...). This helps debugging swtpm
initialization issues.
Stefan Berger [Tue, 28 Sep 2021 14:08:29 +0000 (10:08 -0400)]
test: Fix test_tpm2_file_permissions for BSD
BSD cp does not understand the -d option, so remove it.
It's better to use "su -u nobody -c '...'" than sudo, which makes
this test also work on the BSDs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sun, 26 Sep 2021 02:26:40 +0000 (22:26 -0400)]
tests: Add a test case for testing --runas and ability to access files
Add a test case for testing the --runas parameter and the ability to access
existing files that have restrictive access permissions so that only
the --runas user is able to access these files. This is to ensure that
swtpm can access these files properly when the handling of options and the
changing to the --runas user is moved around within swtpm.
Skip the test case if swtpm is linked with ASAN since then we get these
types of error messages that fail tests:
==== Starting swtpm with interfaces socket+socket ====
==3303263==LeakSanitizer has encountered a fatal error.
==3303263==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
==3303263==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 27 Sep 2021 02:38:50 +0000 (22:38 -0400)]
tests: Fix tests using tpm2-abrmd by preventing concurrency
The two tests test_tpm2_samples_create_tpmca and
test_tpm2_swtpm_localca_pkcs11 cannot complete successfully if run in
parallel. To solve this issue, introduce a dependency via the log files
to prevent parallel execution of the two tests. We have to append the
.test suffix to their names to be able to do this.
Stefan Berger [Sat, 25 Sep 2021 00:23:22 +0000 (20:23 -0400)]
swtpm: Search for all state files and use abstracted names in JSON
Search for all the state files not just the permanent state and
when printing the JSON use the abstracted names rather than concrete
filenames that are only valid for the dir backend but will likely
not exist in other backends.
Adjust swtpm_setup to search for the abstracted name and also
adjust the error message to print out the abstracted name.
Adjust the test cases.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sat, 25 Sep 2021 00:24:52 +0000 (20:24 -0400)]
swtpm: Implement CheckState interface function for checking for stateblob
Implement a CheckState interface function for checking for the
TPM_PERMANENT_ALL_NAME blob. The directory backend does a simple stat on the
file without actually reading it, which otherwise may require the (correct)
key if it was encrypted.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sat, 25 Sep 2021 00:24:32 +0000 (20:24 -0400)]
swtpm: Remove all interface functions from swtpm_nvstore_dir.h
Remove all interface functions from swtpm_nvstore_dir.h and make them
static in swtpm_nvstore_dir.c. This way we avoid direct calls to these
functions from elsewhere.
Move the declaration of the interface structure into swtpm_nvstore.h
to get rid of swtpm_nvstore_dir.h entirely.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Nick Chevsky [Sat, 18 Sep 2021 21:23:55 +0000 (16:23 -0500)]
swtpm: Don't set END_ON_HUP flag in CMD_SET_DATAFD handler
Don't set flag MAIN_LOOP_FLAG_END_ON_HUP in the handler for control
channel command CMD_SET_DATAFD, since this caused the swtpm daemon to
unconditionally terminate when the data channel connection dropped.
Removing the flag allows this behavior to be controlled by the user
via the --terminate command-line switch, as it was meant to be.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Stefan Berger [Mon, 20 Sep 2021 01:49:02 +0000 (21:49 -0400)]
swtpm: Use EVP_CIPHER in SWTPM_SymmetricKeyData_Encrypt/Decrypt
Use the EVP_CIPHER implementation for the AES CBC computations. This
API has been supported already in OpenSSL 1.1.x for sure and is also
not deprecated in OpenSSL 3.0.
This now resolves issue #538.
We can build src/swtpm without having to suppress deprecated API warnings.
Since this is the last issue related to OpenSSL deprecated APIs, we don't
need to suppress any OpenSSL 3.0 deprecated API warnings anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>