From a5cc0bf6e26eb4af5cbfd0e66fcd7e6af13f503d Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Thu, 28 Oct 2021 12:23:14 -0400
Subject: [PATCH] swtpm_setup: Get active PCR banks from swtpm_setup.conf

If the user did not provide the PCR banks to activate through the command line options, try to read it from the config file and if nothing is found there, fall back to the DEFAULT_PCR_BANKS as set during configure time. Move the check for the PCR banks after the access check to the configuration file.

Signed-off-by: Stefan Berger
---
 man/man8/swtpm_setup.conf.pod | 6 +++++
 man/man8/swtpm_setup.pod | 8 +++++--
 src/swtpm_setup/swtpm_setup.c | 43 ++++++++++++++++++++++++++++-------
 3 files changed, 47 insertions(+), 10 deletions(-)

diff --git a/man/man8/swtpm_setup.conf.pod b/man/man8/swtpm_setup.conf.pod
index a5b237b..cb97709 100644
--- a/man/man8/swtpm_setup.conf.pod
+++ b/man/man8/swtpm_setup.conf.pod
@@ -89,6 +89,12 @@ that will be passed to the invoked program using the --optsfile option
 described above. If omitted, the invoked program will use the default options file.
+=item B (since v0.7)
+
+This keyword is to be followed by a comma-separated list
+of names of PCR banks. The list must not contain any spaces.
+Valid PCR bank names are sha1, sha256, sha384, and sha512.
+
 =back
 =head1 SEE ALSO
diff --git a/man/man8/swtpm_setup.pod b/man/man8/swtpm_setup.pod
index 1b0ff67..59f98d6 100644
--- a/man/man8/swtpm_setup.pod
+++ b/man/man8/swtpm_setup.pod
@@ -164,8 +164,12 @@ used for creating the certificates and may be required by that tool.
 =item B<--pcr-banks >
 Optional comma-separated list of PCR banks to activate. Providing '-'
-allows a user to skip the selection and activates all PCR banks. By default
-the sha1 and sha256 banks are activated.
+allows a user to skip the selection and activates all PCR banks.
+If this option is not provided, the I configuration
+file will be consulted for the active_pcr_banks entry. If no such
+entry is found then the default set of PCR banks will be activated.
+The default set of PCR banks can be determined using the I<--help>
+option.
 =item B<--swtpm_ioctl >
diff --git a/src/swtpm_setup/swtpm_setup.c b/src/swtpm_setup/swtpm_setup.c
index 794fe08..c3bafe9 100644
--- a/src/swtpm_setup/swtpm_setup.c
+++ b/src/swtpm_setup/swtpm_setup.c
@@ -431,6 +431,29 @@ static int tpm2_create_eks_and_certs(unsigned long flags, const gchar *config_fi
 user_certsdir);
 }
+/* Get the default PCR banks from the config file and if nothing can
+ be found there use the DEFAULT_PCR_BANKS #define.
+ */
+static gchar *get_default_pcr_banks(const gchar *config_file)
+{
+ g_auto(GStrv) config_file_lines = NULL;
+ gchar *pcr_banks;
+ int ret;
+
+ ret = read_file_lines(config_file, &config_file_lines);
+ if (ret != 0)
+ return NULL;
+
+ pcr_banks = get_config_value(config_file_lines, "active_pcr_banks");
+ if (pcr_banks)
+ g_strstrip(pcr_banks);
+ if (pcr_banks == NULL || strlen(pcr_banks) == 0) {
+ g_free(pcr_banks);
+ pcr_banks = g_strdup(DEFAULT_PCR_BANKS);
+ }
+ return pcr_banks;
+}
+
 /* Activate the given list of PCR banks. If pcr_banks is '-' then leave
 * the configuration as-is. */
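Review bot: The read-failure path in get_default_pcr_banks(), `if (ret != 0) return NULL;`, contradicts the header comment, which promises DEFAULT_PCR_BANKS whenever nothing usable is found in the file, and the NULL is handed back to main() (outside this hunk) with no check visible in this patch. Either make the fallback explicit, `if (ret != 0) return g_strdup(DEFAULT_PCR_BANKS);`, or keep the NULL but state it in the comment so the caller is obliged to treat it as an error; silently ending up with no PCR bank list at all is the worst of the three outcomes. The header comment should also say that the caller owns the returned string and must g_free() it, which the `g_free(pcr_banks)` applied to the get_config_value() result implies is the convention here. The function does not validate the names it reads against the sha1/sha256/sha384/sha512 set documented in swtpm_setup.conf.pod; that is acceptable only if the activation code downstream rejects unknown names, which this hunk does not show.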
@@ -1419,14 +1442,6 @@ int main(int argc, char *argv[])
 if (!got_srkpass)
 srkpass = g_strdup(DEFAULT_SRK_PASSWORD);
- /* check pcr_banks */
- tmp_l = g_strsplit(pcr_banks ? pcr_banks : "", ",", -1);
- for (i = 0, n = 0; tmp_l[i]; i++)
- n += strlen(tmp_l[i]);
- g_strfreev(tmp_l);
- if (n == 0)
- pcr_banks = g_strdup(DEFAULT_PCR_BANKS);
-
 if (gl_LOGFILE != NULL) {
 FILE *tmpfile;
 if (stat(gl_LOGFILE, &statbuf) == 0 &&
@@ -1496,6 +1511,18 @@ int main(int argc, char *argv[])
 goto error;
 }
+ /* check pcr_banks; read from config file if not given */
+ tmp_l = g_strsplit(pcr_banks ? pcr_banks : "", ",", -1);
+ for (i = 0, n = 0; tmp_l[i]; i++) {
+ g_strstrip(tmp_l[i]);
+ n += strlen(tmp_l[i]);
+ }
+ g_strfreev(tmp_l);
+ if (n == 0) {
+ g_free(pcr_banks);
+ pcr_banks = get_default_pcr_banks(config_file);
+ }
+
 if (cipher != NULL) {
 if (strcmp(cipher, "aes-128-cbc") != 0 &&
 strcmp(cipher, "aes-cbc") != 0 &&
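Review bot: In the second hunk, `pcr_banks = get_default_pcr_banks(config_file);` can leave pcr_banks NULL when the config file cannot be read, and nothing after the assignment checks for that before the value is used further down in main(), whose body continues outside the hunk; add `if (pcr_banks == NULL) goto error;` right after it, preceded by a log line in the project's usual style, so a failed read is reported instead of being propagated as a missing bank list. The emptiness check g_strstrip()s the split copies but leaves pcr_banks itself untouched, so a value such as `sha1, sha256` passes the check with the embedded space that the manual says is not allowed; if that is meant to be tolerated, re-join the stripped pieces into pcr_banks, otherwise a comment such as `/* only an all-blank list falls back to the default; entries are not normalized */` would make the asymmetry explicit. The first hunk is a pure move of the old check and needs nothing beyond that.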