Stefan Berger [Sat, 26 Mar 2022 02:54:21 +0000 (22:54 -0400)]
swtpm_bios: Use unsigned int tcp_port to filter out negative port numbers
The port being parsed must be given as unsigned int so that the comparison
of *tcp_port >= 65536 also filters out negative numbers passed via the
command line. Previously one could pass -1 and swtpm_bios would try to
connect.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sat, 26 Mar 2022 02:41:00 +0000 (22:41 -0400)]
swtpm_ioctl: Use unsigned int tcp_port to filter out negative port numbers
The port being parsed must be given as unsigned int so that the comparison
of *tcp_port >= 65536 also filters out negative numbers passed via the
command line. Previously one could pass -1 and swtpm_ioctl would try to
connect to port 65535.
Resolves: https://github.com/stefanberger/swtpm/issues/679 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 3 Mar 2022 14:13:26 +0000 (09:13 -0500)]
swtpm: Do not chdir(/) when using --daemon
With relative paths being used the chdir("/") in daemonize_finish() will
cause file access errors.
Fixes: 98d1d12 ("swtpm: Make --daemon not racy")
Resolves: https://github.com/stefanberger/swtpm/issues/671 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 21 Feb 2022 23:37:34 +0000 (18:37 -0500)]
swtpm-localca: Re-implement variable resolution for swtpm-localca.conf
swtpm_localca v0.5 supported resolution of environment variables for
the swtpm-localca.conf configuration file. This functionality was lost
during the port to 'C' in v0.6. This patch now re-implements it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolves: https://github.com/stefanberger/swtpm/issues/663
Stefan Berger [Tue, 1 Feb 2022 17:40:06 +0000 (12:40 -0500)]
swtpm_localca: Test for available issuercert before creating CA
Avoid trying to create TPM certificates while the issuer certificate has
not been created, yet (in a 2nd step).
To resolve this do not just test for availability of the signing key, which
is created first, but also test for the issuer certifcate, which is created
in a 2nd step when the local CA is created. If either one is missing,
attempt to create the CA.
Resolves: https://github.com/stefanberger/swtpm/issues/644 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 16 Feb 2022 16:17:47 +0000 (11:17 -0500)]
swtpm: Check header size indicator against expected size (CID 375869)
This fix addresses Coverity issue CID 375869.
Check the header size indicated in the header of the state against the
expected size and return an error code in case the header size indicator
is different. There was only one header size so far since blobheader was
introduced, so we don't need to deal with different sizes.
Without this fix a specially craft header could have cause out-of-bounds
accesses on the byte array containing the swtpm's state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 16 Feb 2022 15:21:15 +0000 (10:21 -0500)]
swtpm_setup: Check for unreasonable number of PCR banks (CID 370783)
This fix addresses Coverity issue CID 370783.
Check for an unreasonable number of PCR banks returned from command sent
to swtpm. Limit the number of PCR banks that can be returned to '20',
which is more than enough.
Previously we may not have sanitized the variable correctly but safeguards
were in place:
Even if the 16 bit variable count was the maximum possible (0xffff) we
should be able to allocate the all_pcr_banks array of string pointers.
Safeguards to not overstep the parsed array are in place in the loop
that's entered afterwards where the count variable serves as a limit
for the loop.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Seunghun Han [Thu, 11 Nov 2021 02:38:22 +0000 (11:38 +0900)]
Move *.conf and *.options to man5
According to the man page sections guideline, man8 should be used
for system administration commands. So this commit moves *.conf and
*.options files to man5.
Signed-off-by: Seunghun Han <kkamagui@gmail.com> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 5 Nov 2021 19:02:05 +0000 (15:02 -0400)]
swtpm: Fix compilation error on 32bit machines
Fix the following compilation error occurring on 32bit machines:
swtpm_nvstore_linear_file.c: In function 'SWTPM_NVRAM_LinearFile_Mmap':
swtpm_nvstore_linear_file.c:58:20: error: comparison of integer expressions of different signedness: '__off_t' {aka 'long int'} and 'unsigned int' [-Werror=sign-compare]
58 | if (st.st_size >= (uint32_t)sizeof(struct nvram_linear_hdr)) {
| ^~
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 29 Oct 2021 17:04:07 +0000 (13:04 -0400)]
swtpm_setup: Add support for --reconfigure flag to change active PCR banks
Add support for --reconfigure option for the swtpm_setup to be able to
change the active PCR banks. This option only works with --tpm2 and does
not allow to pass several other options such --create-ek or
--create-ek-cert or --create-platform-cert that would alter the state of
the TPM 2 in other ways.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 1 Nov 2021 13:08:22 +0000 (09:08 -0400)]
swtpm_localca: Replace '+' and ',' characters in VMId's
Certain characters are not accepted by gnutls when creating the
subject with the 'CN' from the vmid, so we have to replace those
characters with another one, such as '_'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 28 Oct 2021 16:23:14 +0000 (12:23 -0400)]
swtpm_setup: Get active PCR banks from swtpm_setup.conf
If the user did not provide the PCR banks to activate through the command
line options, try to read it from the config file and if nothing is found
there, fall back to the DEFAULT_PCR_BANKS as set during configure time.
Move the check for the PCR banks after the access check to the
configuration file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 28 Oct 2021 15:25:31 +0000 (11:25 -0400)]
build-sys: Add support for --enable-default-pcr-banks=list of PCR banks
Add an option that allows for the configuration of the default PCR bank
to use. This was currently hard coded to sha256 and now may be passed
via this option. The fallback is still sha256. Valid PCR bank names are
sha1, sha256, sha384, and sha512. The passed list must be a comma-
separated list of the valid PCR bank names.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 28 Oct 2021 18:06:29 +0000 (14:06 -0400)]
swtpm_setup.conf: Use /usr/bin/swtpm_localca for create_certs_tool
swtpm_setup.conf has traditionally pointed to
/usr/share/swtpm/swtpm-localca for create_certs_tool but since
/usr/bin/swtpm_localca is now available, have newly created
config files point to this executable instead.
Since there are possibly many swtpm_setup.conf out there pointing
to /usr/share/swtpm/swtpm-localca, we have to still install
swtm_localca there as well and package it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 15 Oct 2021 03:34:53 +0000 (23:34 -0400)]
swtpm: Disable fsync on file & dir due to TPM timeouts (issue #597)
We cannot currently fsync on the TPM's state file and the dir since this
takes too long and commands in a VM may time out. The reason for this is
that the TPM 2 code occasionally writes the permanent state out even on
commands like TPM2_PCR_Extend that must not take a long time.
See explanation for this in the libtpms PR https://github.com/stefanberger/libtpms/pull/274 .
We will re-enable this feature in 'a while' once the updated libtpms
version has been made more widely available.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 15 Oct 2021 11:44:53 +0000 (07:44 -0400)]
swtpm_setup: Initialize variables to avoid compiler warnings
Fix issue #591 by initializing the variables swtpm_has_tpm2 and
swtpm_has_tpm12.
swtpm_setup.c:1178:31: note: 'swtpm_has_tpm2' was declared here
gboolean swtpm_has_tpm12, swtpm_has_tpm2;
^~~~~~~~~~~~~~
swtpm_setup.c:1019:5: error: 'swtpm_has_tpm12' may be used uninitialized in this function [-Werror=maybe-uninitialized]
printf("{ \"type\": \"swtpm_setup\", "
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"\"features\": [ %s%s\"cmdarg-keyfile-fd\", \"cmdarg-pwdfile-fd\", \"tpm12-not-need-root\""
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since sending a startup message to the TPM will cause it to
want to store permanent state, we have to handle the case when
no storage backend was given and therefore the backend_uri
is NULL.
Previously the above command line caused a NULL pointer exception
but now handles this case with the following output:
swtpm: SWTPM_NVRAM_Init: Missing backend URI.
swtpm: Error: Could not initialize libtpms.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 6 Oct 2021 20:58:04 +0000 (16:58 -0400)]
swtpm_setup: Implement option --create-config-files to create config files
Implement the option --create-config-files to create config files
for swtpm_setup and swtpm-localca for a user account. The files will
be created under the $XDG_CONFIG_HOME or $HOME/.config directories.
This option supports optional arguments 'overwrite' to allow overwriting
existing config files as well as the optional argument 'root' to create
config files under root's home directory. Both options can be passed
by separating them with a ','.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
d/swtpm-tools postinst: create the TSS user if it does not exist
Adapted from tpm-udev [0] which handles that, but it is not really a
hard-requirement for swtpm and TSS_USER is configurable after all
(even if that is mostly used for the test system).
So, create that user and group if it does not exists to avoid errors
and failing installation.
d/swtpm-tools postinst: avoid trying to create/chown in non-configure steps
configure steps should be limited to get only executed on, well
configuration, so check for that and do nothing in the remaining
commands [0] the postinst can be called with.
debian: downgrade trousers package dependency to recommended
Currently `trousers` is listed as (hard) Dependency, but it does not
seems to be required for quite a few usecases, e.g., ours where we
mainly using swtpm for providing a tpm to VMs.
With trousers in Debian one gets an additional pain point: it comes
with rather dated and in some cirumstances failing by mistake init
script [0] that can throw errors when setting up during installation
and thus fail the whole installation of swtpm as Debian policy for
`Depends` hits:
> A package will not be configured unless all of the packages listed
> in its Depends field have been correctly configured
-- [1]
Declaring dependencies for things are not a hard requirement means
that a user will be required to install more dependencies than
actually needed.
Just documenting that as fact why I investigated in the
hard-requirement on trousers in the first place, not an actual
justification - it's a packaging bug after all.
So downgrade the dependency to "Suggests", as it seems a reasonable
level when checking its documented meaning:
> This is used to declare that one package may be more useful with
> one or more others. Using this field tells the packaging system and
> the user that the listed packages are related to this one and can
> perhaps enhance its usefulness, but that installing this one without
> them is perfectly reasonable.
-- [1]
Stefan Berger [Tue, 5 Oct 2021 18:29:51 +0000 (14:29 -0400)]
swtpm: Call msync with length = 0 on Cygwin
Cygwin internally uses the Windows API call FlushViewOfFile that
seems to not like to be called with an excessive number of bytes.
Instead, call it with length = 0 so that 'the file is flushed from
the base address to the end of the mapping' and then msync() succeeds.
Stefan Berger [Tue, 5 Oct 2021 16:39:49 +0000 (12:39 -0400)]
swtpm_setup: Use pidfile filename rather than fd (Cygwni, BSDs)
Use the pidfile filename rather than the fd because Cygwin for example
does not seem to support passed file descriptors and also OpenBSD
does not pass some test cases because of this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Reiter [Thu, 30 Sep 2021 08:03:05 +0000 (10:03 +0200)]
swtpm_setup: add abstract swtpm_backend_ops with dir:// implementation
Abstract away implementation specific code for handling TPM state in
swtpm_setup. The current code for handling directories is moved to
'swtpm_backend_dir.c'.
Where possible, the input argument is simply passed verbatim as
'backend-uri' to swtpm.
No functional change intended, aside from supporting 'dir://' as
optional prefix. The checks for lock-file accessibility are moved to
check_access(), but that shouldn't affect anything AFAICT.
Stefan Reiter [Thu, 30 Sep 2021 07:30:45 +0000 (09:30 +0200)]
swtpm_setup: remove redundant delete_state function
...and use delete_swtpm_statefiles instead. This function iterates the
folder instead of just deleting one file, but since it is already called
before the init call guarded here, it can only affect files created by
this run anyway.
Note that delete_state had slightly different return semantics, but it
doesn't matter, as the return value is ignored here anyway (best effort
cleanup).
Stefan Reiter [Thu, 5 Aug 2021 12:14:15 +0000 (14:14 +0200)]
swtpm: Add tests for "linear file" backend
Adapt save_load_state tests to include coverage of the "linear file"
backend mode. "tpm2" is save/load is tested with both a regular file and
a loop device to excercise the blockdev mmap code.
Stefan Reiter [Thu, 5 Aug 2021 12:09:55 +0000 (14:09 +0200)]
swtpm: Add "linear file" nvram store backend
Implements a second abstraction layer as an NVRAM storage backend: The
"linear" backend stores data in a simple format that can contain
multiple files (multiple TPM states and numbers) in one linear address
space. This can then be mapped to files or other "block-device-like"
interfaces using nvram_linear_file_ops implementations.
A simple one using mmap is provided with the URI type "file://".
Does not support any locking at the moment, users must ensure exclusive
access themselves.
Stefan Berger [Mon, 4 Oct 2021 22:07:43 +0000 (18:07 -0400)]
tests: Skip TPM 2 pkcs11-related test when ASAN is used
The key is freed using 'gnutls_privkey_deinit(pkcs11key)', yet the
following memory leaks show up that are most likely in the pkcs11 module.
Skip the test if ASAN is being used to avoid the test failure.
Direct leak of 55080 byte(s) in 1 object(s) allocated from:
#0 0x7fdabb152af7 in calloc (/lib64/libasan.so.6+0xaeaf7)
#1 0x7fdab6b737c6 in C_Initialize (/usr/lib64/pkcs11/libtpm2_pkcs11.so+0x147c6)
#2 0x7fdab9a5f8a9 in initialize_module_inlock_reentrant (/lib64/libp11-kit.so.0+0x2b8a9)
#3 0x7fdab9a5fc88 in managed_C_Initialize (/lib64/libp11-kit.so.0+0x2bc88)
#4 0x7fdab9a66018 in p11_kit_modules_initialize (/lib64/libp11-kit.so.0+0x32018)
#5 0x7fdab9a66778 in p11_kit_modules_load_and_initialize (/lib64/libp11-kit.so.0+0x32778)
#6 0x7fdabab10dc5 in auto_load (/lib64/libgnutls.so.30+0x9cdc5)
#7 0x7fdabab12656 in gnutls_pkcs11_init (/lib64/libgnutls.so.30+0x9e656)
#8 0x7fdabab12779 in _gnutls_pkcs11_check_init (/lib64/libgnutls.so.30+0x9e779)
#9 0x7fdabab1af1f in gnutls_pkcs11_privkey_import_url (/lib64/libgnutls.so.30+0xa6f1f)
#10 0x7fdabaaee0e3 in gnutls_privkey_import_url (/lib64/libgnutls.so.30+0x7a0e3)
#11 0x40abee in main /home/stefanb/dev/swtpm/src/swtpm_cert/ek-cert.c:1399
#12 0x7fdab9f5ab74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
#13 0x40366d in _start (/home/stefanb/dev/swtpm/src/swtpm_cert/swtpm_cert+0x40366d)
Indirect leak of 8208 byte(s) in 1 object(s) allocated from:
#0 0x7fdabb152af7 in calloc (/lib64/libasan.so.6+0xaeaf7)
#1 0x7fdab6b736f9 in C_Initialize (/usr/lib64/pkcs11/libtpm2_pkcs11.so+0x146f9)
#2 0x7fdab9a5f8a9 in initialize_module_inlock_reentrant (/lib64/libp11-kit.so.0+0x2b8a9)
#3 0x7fdab9a5fc88 in managed_C_Initialize (/lib64/libp11-kit.so.0+0x2bc88)
#4 0x7fdab9a66018 in p11_kit_modules_initialize (/lib64/libp11-kit.so.0+0x32018)
#5 0x7fdab9a66778 in p11_kit_modules_load_and_initialize (/lib64/libp11-kit.so.0+0x32778)
#6 0x7fdabab10dc5 in auto_load (/lib64/libgnutls.so.30+0x9cdc5)
#7 0x7fdabab12656 in gnutls_pkcs11_init (/lib64/libgnutls.so.30+0x9e656)
#8 0x7fdabab12779 in _gnutls_pkcs11_check_init (/lib64/libgnutls.so.30+0x9e779)
#9 0x7fdabab1af1f in gnutls_pkcs11_privkey_import_url (/lib64/libgnutls.so.30+0xa6f1f)
#10 0x7fdabaaee0e3 in gnutls_privkey_import_url (/lib64/libgnutls.so.30+0x7a0e3)
#11 0x40abee in main /home/stefanb/dev/swtpm/src/swtpm_cert/ek-cert.c:1399
#12 0x7fdab9f5ab74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
#13 0x40366d in _start (/home/stefanb/dev/swtpm/src/swtpm_cert/swtpm_cert+0x40366d)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 1 Oct 2021 20:50:07 +0000 (16:50 -0400)]
swtpm: Make fsync-related errors non-fatal (for libvirt using AppArmor)
Only recent libvirt versions have the patch for the AppArmor profile for
libvirt to allow fsync after opening a directory for reading. Rather
than failing hard on the open-directory-for-reading error, log it once
and continue and do not try it again after.
This patch addresses the problems seen on Ubuntu related to an older
version of libvirt without the AppArmor profile update.
- issue #484
- issue #549
- issue #559
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 1 Oct 2021 13:18:58 +0000 (09:18 -0400)]
swtpm: Make fsync() errors non-fatal (for libvirt using AppArmor)
Only recent libvirt versions have the patch for the AppArmor profile
for libvirt to allow fsync on dir and directory. Rather than failing
hard on this error, log it once and continue and do not try fsync
again after.
This patch addresses the problems seen on Ubuntu related to an older
version of libvirt without the AppArmor profile update.
- issue #484
- issue #549
- issue #559
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 30 Sep 2021 17:40:26 +0000 (13:40 -0400)]
swtpm_setup: Fix errno comparison on end-of-directory (FreeBSD)
FreeBSD may return errno EINVAL beside ENOENT once there are no more
entries in a directory to walk over. It claims that readdir() follows
the getdirentries() return codes, which do include EINVAL but not
ENOENT. But ENOENT is also being used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 29 Sep 2021 16:35:58 +0000 (12:35 -0400)]
tests: Use nm and grep to check for ASAN
clang doesn't link executables built with ASAN support to libasan, like
gcc does, so we have to use nm rather than ldd for checking for whether
the executable was built with ASAN. nm is part of the binutils package
and should be available on all systems where gcc was installed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>