Thomas Lamprecht [Thu, 25 May 2023 13:34:19 +0000 (15:34 +0200)]
add packaging make file
(mis)using the fact that GNU make uses the following Makefile order
GNUmakefile, makefile and Makefile.
https://www.gnu.org/software/make/manual/make.html#Makefile-Names
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fiona Ebner [Wed, 18 Jan 2023 12:21:07 +0000 (13:21 +0100)]
control channel: add error logs upon receiving short input
There was a recent failure when migrating a production VM
> kvm: tpm-emulator: Setting the stateblob (type 1) failed with a TPM error 0x3 a parameter is bad
> kvm: error while loading state for instance 0x0 of device 'tpm-emulator'
> kvm: load of migration failed: Input/output error
and it's not clear what exactly triggered it. Note that 0x3 is
TPM_BAD_PARAMETER.
The timeout check when receiving the command+body is a good candidate,
but since poll() is called with the remaining timeout, it seems hard
to trigger. In both cases with short input, QEMU would've not managed
to even send the full header (16 bytes for CMD_SET_STATEBLOB).
Another possibility is that the blob header got corrupted and the
TPM_BAD_PARAMETER error orignated from the SWTPM_NVRAM_SetStateBlob()
call. The checks there already have logging.
Thomas Lamprecht [Fri, 11 Nov 2022 14:25:11 +0000 (15:25 +0100)]
apparmor profile: adapt state file locations PVE supports
we can have them as standard file (*most* of the time that would be
in /var/lib/vz or /mnt/pve/**), as LV/RBD in /dev or as zfs volume
anywhere, so basically we need to cut the profile in scope a lot and
allow write access in any place of the FS hierarchy for now (we plan
to have a mount namspace where we bind mount VM disk/state into in
the long term).
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stefan Berger [Wed, 2 Nov 2022 14:21:52 +0000 (10:21 -0400)]
tests: Pass --verify-profile=medium to certtool if supported
certtool emits the following message if --verify-profile is not
passed:
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Pass the --verify-profile option if certtool supports it (since ~3.6.12).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Ross Lagerwall [Thu, 27 Oct 2022 15:30:11 +0000 (16:30 +0100)]
swtpm_setup: Configure swtpm to log to stdout/err if needed
If swtpm_setup is configured with a log file, it launches swtpm
configured with the same log file. If not, swtpm_setup logs will go to
stdout/stderr and it should configure swtpm to do the same.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Stefan Berger [Wed, 5 Oct 2022 00:22:34 +0000 (20:22 -0400)]
swtpm: Add another exit label to avoid gcc -fanalyzer false positive
Move existing exit label before the return statement and add another
label that includes the free(filebuffer). This avoids a false positive
by 'gcc -fanalyzer' that seems to think that free(filebuffer)
would double-free filebuffer after filebuffer = realloc(tmp, ..)
failure.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 30 Sep 2022 16:17:00 +0000 (12:17 -0400)]
swtpm: Return TPM_FAIL if SWTPM_NVRAM_DecrytpData is called without key
Return TPM_FAIL if SWTPM_NVRAM_DecryptData() is called without a key or
if an unhandle type of encryption mode is encountered. Previously this
function would return no error but also would not do any decryption if
no key was provided. Consequently, it would then also not return a byte
array with decrypted data which in turn could led to potential NULL
pointer accesses in subsequent calls. However, all current callers check
whether they have a valid key before they call this function. So the
change is primarily done for static analyzers, such as gcc -fanalyzer,
to ease code analysis.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 22 Sep 2022 14:28:21 +0000 (10:28 -0400)]
tests: Use SOCK_STREAM for CMD_SET_DATAFD socketpair
Switch to SOCK_STREAM for the CMD_SET_DATAFD socketpair where the one
end is passed to swtpm to test that this type of socket will cause
automatic termination of swtpm when the connection is lost. This is also
the socket type that QEMU uses.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 22 Sep 2022 12:47:49 +0000 (08:47 -0400)]
swtpm: Implement terminate parameter for ctrl channel loss
Implement support for the terminate parameter for the control channel
option so that swtpm terminates once the control channel connection is
lost. The primary use case is QEMU that holds the control channel
permanently.
Resolves: https://github.com/stefanberger/swtpm/issues/753 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 22 Sep 2022 12:17:15 +0000 (08:17 -0400)]
swtpm: Set tpm_running = false after TPMLIB_Terminate() on CMD_SHUTDOWN
Set tpm_running = false after TPMLIB_Terminate() call on CMD_SHUTDOWN
to prevent a call to tpmlib_maybe_send_tpm2_shutdown() at the exit
of the mainloop.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 22 Sep 2022 00:11:12 +0000 (20:11 -0400)]
swtpm: Also send TPM2_Shutdown when swtpm terminates by signal
Also send TPM2_Shutdown when swtpm is terminated by a signal or due to
lost connection (--terminate option). Previously supported reasons for
sending the TPM2_Shutdown were primarily related to commands sent via
the command channel.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 11 Aug 2022 15:56:26 +0000 (11:56 -0400)]
tests: Add test case for state migration and storage locking
Add a test case that monitors the locking of the storage by swtpm using the
directory storage backend to ensure that the lock is taken at the right
time and released when required.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Tue, 23 Aug 2022 20:07:24 +0000 (16:07 -0400)]
swtpm: Implement CMD_LOCK_STORAGE to lock storage
Implement CMD_LOCK_STORAGE / PTM_LOCK_STORAGE for a user to be able to
lock the storage of the storage backend (if supported) after its lock
has been released for example when the 'savestate' blob was received
while the TPM state was migrated.
Also adjust test case and extend man pages.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 10 Aug 2022 20:25:36 +0000 (16:25 -0400)]
swtpm: Implement release-lock-outgoing parameter for --migration option
Implement the release-lock-outgoing parameter for the --migration option
that causes the storage lock to be released once the 'savestate' blob
transfer has been initiated. To not release the lock too early users must
first get the 'permanent' and 'volatile' state blobs and the 'savestate'
blob must be transferred as the last blob.
When migrating a VM the migration may fail and execution will then resume
on the originating side. In this fallback case the swtpm on the
destination side may need some time to terminate and release the lock.
Therefore, add a loop to the code attempting to re-lock the storage
directory on the source side for a few times until on the destination
side swtpm has released the lock. Retry the locking for 100 times
with 10ms in between. The retries will only ever be necessary if a TPM
command is immediately executed upon resume [this may be difficult
to test]. The negative side effects of this could be that the loop is not
long enough to grab the lock or that a short-duration TPM command will
time out inside the VM due to the retries delaying when it is processed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolves: https://github.com/stefanberger/swtpm/issues/724
Stefan Berger [Wed, 10 Aug 2022 16:17:37 +0000 (12:17 -0400)]
swtpm: Move locking of storage into tpmlib_start()
Move the locking of the storage into tpmlib_start() after the call to
TPMLIB_MainInit() which was previously doing the locking when the prepare
function was called in the SWTPM_NVRAM_Init() callback invoked by
TPMLIB_MainInit().
This allows for conditional locking in tpmlib_start() using a flag later
on.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 26 Aug 2022 11:42:56 +0000 (07:42 -0400)]
headers: Synchronize with header in QEMU project
QEMU has made a change to a copy of this header file with the following
reason:
On Solaris and Haiku, the _IO() macros are defined in <sys/ioccom.h>.
Add a proper check for this header to our build system, and make sure
to include the header in tpm_ioctl.h to fix a build failure on Solaris
and Haiku.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Thu, 25 Aug 2022 15:58:06 +0000 (11:58 -0400)]
tests: If filesystem is mounted with nodev opt skip CUSE chroot test
The CUSE TPM test will not work if the filesystem the test case runs
on is mounted with the 'nodev' option since the CUSE TPM can then
not use /tmp/.../dev/cuse.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Jennifer Herbert [Tue, 23 Aug 2022 16:08:10 +0000 (17:08 +0100)]
swtpm: Add a chroot option
Add an option to enter a chroot after starting swtpm. This is useful for
sandboxing purposes. When this option is used, it is expected that swtpm
is started as root and the --runas option is used to subsequently drop
privileges (otherwise the chroot could be escaped).
Signed-off-by: Jennifer Herbert <jennifer.herbert@citrix.com> Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Stefan Berger [Mon, 22 Aug 2022 18:11:47 +0000 (14:11 -0400)]
swtpm: Check for defined __SNR_MOUNT_setattr and __NR_mount_setattr
Address the following compilation error on Debian:
In file included from /usr/include/seccomp.h:821,
from seccomp_profile.c:44:
seccomp_profile.c: In function 'create_seccomp_profile':
seccomp_profile.c:115:9: error: '__NR_mount_setattr' undeclared (first use in this function)
115 | SCMP_SYS(mount_setattr),
| ^~~~~~~~
seccomp_profile.c:115:9: note: each undeclared identifier is reported only once for each function it appears in
seccomp_profile.c:172:9: error: '__NR_quotactl_fd' undeclared (first use in this function)
172 | SCMP_SYS(quotactl_fd),
| ^~~~~~~~
We need to do this since they are defined like this:
Stefan Berger [Mon, 22 Aug 2022 17:59:34 +0000 (13:59 -0400)]
swtpm: Include opensslv.h to get OPENSSL_VERSION_NUMBER
Include openssl/opensslv.h to avoid the following error on Ubuntu:
fips.c: In function 'fips_mode_enabled':
fips.c:61:16: error: implicit declaration of function 'EVP_default_properties_is_fips_enabled' [-Werror=implicit-function-declaration]
61 | int mode = EVP_default_properties_is_fips_enabled(NULL);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Resolves: https://github.com/stefanberger/libtpms/issues/345 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 1 Jun 2022 12:44:00 +0000 (08:44 -0400)]
tests: Add test case to check that swtpm sends a TPM2_Shutdown
Add a test case that checks that swtpm sends a TPM2_Shutdown() to the
TPM 2 upon abrupt re-initialization (CMD_INIT) or graceful shutdown
(control channel, CMD_SHUTDOWN) of the TPM 2 and avoids a potential
dictionary attack (DA) lock-out. A previously sent command failing
authorization with DA implications would otherwise trigger the
TPM_PT_LOCKOUT_COUNTER to increase by '1' if the TPM 2 was not properly
shut down by the client (guest OS) with a TPM2_Shutdown() command.
The test case tests whether a TPM2_Shutdown() is now sent before a reset.
The defined password-protected NVRAM area has the DA flag set and the test
case tries to read from it without providing a password. If we didn't send
the TPM2_Shutdown() before the test cases sends the reset (CMD_INIT), then
the dictionary attack lockout counter would be increased by one. With the
instrumentation in the previous patch the automatically sent
TPM2_Shutdown() keeps the counter at 0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 17 Aug 2022 18:19:59 +0000 (14:19 -0400)]
swtpm: Introduce disable-auto-shutdown flag for --flags option
Introduce disable-auto-shutdown flag for the --flags option to disable
the sending of TPM2_Shutdown() if swtpm determines that it needs to send
this command to a TPM 2 before device reset or swtpm program termination.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 30 May 2022 15:10:14 +0000 (11:10 -0400)]
swtpm: If necessary send TPM2_Shutdown() before TPMLIB_Terminate()
If necessary send a TPM2_Shutdown() command to libtpms before processing
CMD_INIT. However, this is only necessary for a TPM 2 and only if the
TPM2_Shutdown command has not been sent by the client (VM TPM driver) as
the last command as it should do under normal circumstances, for example
upon graceful VM shutdown.
This fixes a bug where abrupt VM resets may trigger the TPM 2's dictionary
attack lockout logic due to the TPM 2 not having received a TPM2_Shutdown
command before it was reset using CMD_INIT for example. An OS driver is
typically supposed to send a TPM2_Shutdown to the TPM 2 but an abrupt VM
reset prevents it.
There are 3 control commands where this needs to be done since they
call TPMLIB_Terminate():
- CMD_STOP:
This command is typically called before setting the state blobs of the
TPM or before configuring the buffer size [QEMU, test cases].
- CMD_INIT:
This command is called for resetting and initializing the TPM 2.
- CMD_SHUTDOWN:
This command is called for a graceful shutdown of the TPM 2.
There are no negative side effects to be expected if TPM2_Shutdown()
is sent before any of these. Also, since none of these are sent before
the state of the TPM is marshalled (for migration for example) migrated
state will not have a TPM2_Shutdown() applied to it (accidentally).
Edk2 sends a sequence of TPM2_Shutdown(SU_STATE) + TPM2_GetRandom()
before suspend-to-ram. Upon wake up a CMD_INIT is sent to the TPM to
reset it, which in this case now requires a TPM2_Shutdown(SU_STATE)
to be sent to the TPM 2 so that certain TPM 2 state is available
again upon resume. To avoid invaliding the SU_STATE, first send a
TPM2_Shutdown(SU_STATE) in *all cases* and only if this fails send a
TPM2_Shutdown(SU_CLEAR). This way the internal state is preserved and
the VM (or user) are expected to use TPM2_Startup(SU_CLEAR) when
staring up the TPM 2 and no previous state needs to be resumed.
Note: The VM's firmware is trusted to use SU_CLEAR under normal circum-
stances and SU_STATE upon resume. So it wouldn't restore the state if
it wasn't needed.
Note: The TPM 2 spec describes the command as follows:
"This command is used to prepare the TPM for a power cycle. The
shutdownType parameter indicates how the subsequent TPM2_Startup() will be
processed.[...]
This command saves TPM state but does not change the state other than the
internal indication that the context has been saved. The TPM shall
continue to accept commands. If a subsequent command changes TPM state
saved by this command, then the effect of this command is nullified. The
TPM MAY nullify this command for any subsequent command rather than check
whether the command changed state saved by this command. If this command
is nullified and if no TPM2_Shutdown() occurs before the next
TPM2_Startup(), then the next TPM2_Startup() shall be
TPM2_Startup(CLEAR)."
Stefan Berger [Mon, 30 May 2022 14:40:01 +0000 (10:40 -0400)]
swtpm: Track last command processed by the TPM
Track the last command processed by the TPM so we can determine whether
we may need to send a TPM2_Shutdown() before reset of the TPM 2.
Introduce a variable lastCommand to help track the last command that
was sent to the TPM 2.
In relation to deciding whether a TPM2_Shutdown() needs to be sent, the
tracking of the last-sent command is merely an optimization since for
example a VM with EDK2 will send a TPM2_Shutdown() followed by a
TPM2_GetRandom() upon suspend-to-ram, thus indicating that the last
command was TPM2_GetRandom(). However, under most circumstances it helps
to avoid sending an additional TPM2_Shutdown() if the OS TPM driver sent
one already.
When the suspended VM resume swtpm gets a CMD_INIT that requires swtpm
to decide whether a TPM2_Shutdown() needs to be sent and per the last-sent
command it will then send a TPM2_Shutdown(SU_STATE) as in the abrupt
termination case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Mon, 15 Aug 2022 17:49:31 +0000 (13:49 -0400)]
swtpm: seccomp: Check for __SNR_xyz rather than __NR_xyz
If seccomp-syscalls.h lags behind the syscall definition of __NR_xyz then
the __SNR_xyz #define is not available. Therefore, switch to check for
__SNR_xyz #define because they are available if __NR_xyz is available.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Hans [Mon, 15 Aug 2022 12:06:27 +0000 (14:06 +0200)]
swtpm: Fixed typo `fs_mount` vs `fsmount` and removed duplicates.
The project wouldn't compile on my ubuntu 20.04.1 based system with the error message:
```
CC libswtpm_libtpms_la-seccomp_profile.lo
In file included from seccomp_profile.c:44:
seccomp_profile.c: In function ‘create_seccomp_profile’:
seccomp_profile.c:105:9: error: ‘__SNR_fs_mount’ undeclared (first use in this function)
105 | SCMP_SYS(fs_mount),
| ^~~~~~~~
seccomp_profile.c:105:9: note: each undeclared identifier is reported only once for each function it appears in
```
Additionally, there were some duplicates in the profile.
Stefan Berger [Tue, 9 Aug 2022 23:58:33 +0000 (19:58 -0400)]
swtpm: cuse: Extend usage of FILE_OPS_LOCK to protect a reading thread
Extend usage of the FILE_OPS_LOCK to prevent other threads from reading or
writing commands or doing ioctls while the current thread is reading a
response. This prevents a race condition where ptm_read_offset is set to 0
by a thread writing a new command to the device while the current thread
is reading a response from the device and needs this offset.
Resolves: https://github.com/stefanberger/swtpm/issues/725 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 10 Aug 2022 22:43:07 +0000 (18:43 -0400)]
man: Replace swtpm_cuse man page with redirect to swtpm man page
The swtpm man page also covers the CUSE TPM, so do not maintain the
swtpm_cuse man page anymore but replace it with a redirect to the swtpm
mane page instead.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Tue, 9 Aug 2022 18:40:49 +0000 (14:40 -0400)]
swtpm: cuse: Restrict opening CUSE device to one openable file descriptor
Restrict the opening of the CUSE device to one single file descriptor. We
can modify the CUSE TPM in this way since the kernel's /dev/tpm0 cannot be
opened multiple times, either, and the CUSE TPM should behave in the same
way.
Adjust test the partial reads case to only open CUSE device file once by
using a python program. Close the open file descriptor 100 before using
swtpm_ioctl to avoid failures.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Tue, 9 Aug 2022 20:04:43 +0000 (16:04 -0400)]
tests: Move swtpm_open_cmddev into swtpm_cmd_tx
Move swtpm_open_cmddev call into swtpm_cmd_tx since the latter function is
always called in a subshell that previously inherited the file descriptor
opened by the test cases. Remove swtpm_cmd_tx from nearly all test cases
and also remove closing of file descriptor 100 via 'exec 100>&-' from test
cases since this is not necessary anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Tue, 19 Jul 2022 23:27:56 +0000 (19:27 -0400)]
swtpm: Ignore error if TPMLIB_ChooseTPMVersion for printing caps fails
Revert the change from the previous patch that shows an error when
TPMLIB_ChooseTPMVersion fails but rather ignore the error as before.
If a TPM 2 is supported then tpm-2.0 capability verb will be shown
and if a TPM 1.2 is supported then tpm-1.2 will be shown, thus
allowing someone reading the JSON to determine what is supported.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
William Roberts [Tue, 12 Jul 2022 17:04:10 +0000 (12:04 -0500)]
configure: check for bash
PCR Bank verification needs bash, so check for bash. While at it use the
autoconf shell construct macros over raw shell syntax which is slightly
more portable.
Examples:
./configure --enable-default-pcr-banks=sha256,sha920
checking which PCR banks to activate by default... configure: error: sha256,sha920 is an invalid list of PCR banks
./configure --enable-default-pcr-banks=sha256,sha512
checking which PCR banks to activate by default... sha256,sha512
./configure
checking which PCR banks to activate by default... sha256
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Stefan Berger [Mon, 27 Jun 2022 12:42:38 +0000 (08:42 -0400)]
selinux: Replace hardcoded install path with @prefix@
Replace the hardcoded install path in src/selinux/swtpm.fc and
src/selinux/swtpmcuse.fc with @prefix@ and append .in to these files so
that they are generated when running configure.
Add the selinux policy input files with their suffix to the CLEANFILES
variable so they get cleaned up and 'make distcheck' works.
Resolves: https://github.com/stefanberger/swtpm/issues/711 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 8 Jun 2022 13:19:07 +0000 (09:19 -0400)]
swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures
While libtpms does not provide any means to disable FIPS-disabled crypto
algorithms from being used, work around the issue by simply disabling the
FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit
swtpm with a failure message that it cannot be disabled. If FIPS mode
was successfully disabled, print out a message as well.
Stefan Berger [Wed, 25 May 2022 19:47:04 +0000 (15:47 -0400)]
swtpm: Handle case where unknown blobtype is given (Coverity)
Handle the case where an unknown blobtype is given and therefore
cannot be translated to a filename and blobname is NULL. Previously
this would have lead to an error when trying to read the file, now
we handle the failure case earlier.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 25 May 2022 19:31:05 +0000 (15:31 -0400)]
swtpm: Cast '1' to uint64_t before shift and assign to uint64_t variable
To avoid an overflowing expression cast '1' to uint64_t before shifting
it and assigning it to a uint64_t variable. In practice this kind of
overflow would never happen because there aren't that many available
PCR banks.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 25 May 2022 18:23:41 +0000 (14:23 -0400)]
swtpm_setup: Initialize pubek_len (Coverity)
Initialize pubek_len even though it isn't necessary to do so since
it will be initialized in the first function to which it is passed.
However, Coverity complains about pubek_len passed to print_as_hex()
not being initialized, even though this is not possible.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Wed, 11 May 2022 02:28:30 +0000 (22:28 -0400)]
swtpm: Avoid locking directory multiple times
Commit 2d3deaef29 forgot to move the check for whether the lock file has
already been opened into the new function opening the lock file and there-
fore the lock file is now opened whenever swtpm gets a PTM_INIT. This fix
prevents the reopening of the lockfile if it has already been opened.
Otherwise many PTM_INIT's will lead to failure since no more files can
be opened.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Sat, 7 May 2022 18:18:35 +0000 (14:18 -0400)]
test: Recreate TPM 2 state files with header
Use libtpms v0.6.6 and recreate the TPM 2 state file with header.
Start swtpm with the existing state files and have it rewrite the
volatiles state (swtpm_ioctl -v) and permanent state (tssnvdefine
+ tssnvundefine) files so that the header is on the files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 6 May 2022 22:31:13 +0000 (18:31 -0400)]
test: Recreate TPM 2 state files with header
Recreate TPM 2 state files that didn't have a header. Use latest
version of libtpms from the stable-0.6.0 branch to create the
state that more recent version have to be able to read.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Stefan Berger [Fri, 6 May 2022 22:08:17 +0000 (18:08 -0400)]
test: Recreate TPM 1.2 state files with header
Recreate a TPM 1.2 state file with header.
The state of the TPM 1.2 must be initialized with Startup(ST_CLEAR)
and then saved so that the proper error code appears as a result
when running this test.
The PCR values was originally created by extending PCR 10 with
sha1("test"). This was recreated using this sequence:
Stefan Berger [Fri, 6 May 2022 20:47:42 +0000 (16:47 -0400)]
test: Recreate TPM 1.2 state files with header
Recreate TPM 1.2 state files with similar content but with the state
file header. The older versions of the state files were created before
the header was introduced in v0.1. The goal is to be able to get rid
of code supporting pre-v0.1 files that had no header.
The PCR values was originally created by extending PCR 10 with
sha1("test"). This was recreated using this sequence:
Lena Voytek [Thu, 5 May 2022 20:07:23 +0000 (13:07 -0700)]
debian: Add swtpm apparmor profile
An apparmor profile was added for Debian-based distributions in order to
increase security. This blocks swtpm from accessing restricted and unnecessary
files, folders, and network interfaces. swtpm works as normal alongside libvirt
and its configurations, however users may run into issues when using swtpm on
its own when providing it with a restricted directory. The apparmor profile can
be modified to include additional permissions by creating and adding to the
file /etc/apparmor.d/local/usr.bin.swtpm.
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>