Extend an existing test case to ensure that a 2nd swtpm process terminates
with an error related to not being able to get a lock on the storage's
lockfile.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since the CUSE TPM starts TPM in one process but then daemonizes and
effectively runs in a child process, the lock records on the storage
that the parent may have set up are lost due to them not being inherited
by the child. Fix the issue by daemonizing before the TPM is started so
that the child grabs the lock on the storage. Prevent CUSE from forking
so that not another child is created.
As a side-effect, this now moves any error reporting, that may previously
have occurred in the main process and where messages were show on stderr,
into the child process. A log is now required for these messages to become
visible.
Resolves: https://github.com/stefanberger/swtpm/issues/1050
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When printing the output of the info flags, the resuling JSON printed to
stdout should be the only printout. Therefore, suppress all informative
output to stdout so that either the JSON is the only output or only error
messages are printed.
Fixes: 3f551e1dc ("swtpm: Implement --print-info to run TPMLIB_GetInfo with flags")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the special logging file descriptor SUPPRESS_INFO_LOGGING is chosen,
then only suppress informative and warning messages while still allowing
error messages to be printed to stderr.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
RSA-4096 is enabled in libtpms v0.11 and requires that default-v2
profile be used. Extend existing test case with test for RSA-4096
and default-v2 profile.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
pkgconf supports setting GMP_CFLAGS and GMP_LIBS if the pkgconf file
does not exist, for older (pre-2019) distributions.
Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
Prevent an integer overflow with the recvd variable. However, the
buffer_len variable serves as an upper bound for how many bytes will ever
be received, so that this integer overflow will never occur. Therefore,
this is a false positive reported by Coverity. Fix it anyway.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Prevent an integer overflow that could result from adding the return value
of 'n' to an existing value. However, for this to occurr in this function,
one would have to write() more than 4G of data on a 32bit system for
example. So, this is a false positive reported by Covertity, but fix it
anyway.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Change the type of buffersize parameter of SWTPM_IO_Read from size_t to
uint32_t to match that of the caller and to avoid Coverity complaints
about possible integer overflows. Also change the offset to uint32_t.
An integer overflow would never have occurred since buffersize always
served as an upper bound of the number of bytes received.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Catch the unlikely case that sysconf returns 0 for _SC_PAGESIZE and avoid
integer overflow with the pagesize calculation, that should never occur if
pagesize is within normal limits. Also ensure that no overflow happens
with the msync_count variable.
On 64bit machines, casting count to size_t could work but would not work on
32bit platforms where size_t is the same as uint32_t, so the overflow
complain would not go away there.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Return ssize_t rather than int from logging function to resolve Coverity
complaints about possible integer overflows. Since no caller looks at the
return value from the logging functions, no other changes are necessary.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display an error if the user set the backup option when using the
linear storage backend. Update the documentation about the rejection.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend an existing test case to use the new fsync option to at least test
the option parser. That fsync() is actually being called is not easy to
observe.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option to have the storage backend use fsync whenever state is
written to disk. Advertise this capability with
'tpmstate-dir-backend-opt-fsync' and adjust a test case.
Only support for the directory-backend is implemented.
Extend the swtpm man page with a description of this new option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for fsync on a file and directory when using the
directory-backend. Pass the user's choice for whether to call fsync and
pass the boolean into the storage backend. Only the directory-backend is
supporting this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
respbuffer_len is a pointer that may be NULL but will not be NULL when
respbuffer is not NULL. Nevertheless, also check it for NULL pointer before
accessing it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
libfuse2 contains unaddressed security issue. (libfuse/libfuse#15)
libfuse3 is preferred over libfuse2, while libfuse2 support is kept as
fallback.
- src/swtpm/cuse_tpm.c: fuse3 as default, add a macro `WITH_FUSE2` when fallback fuse library is linked against
- configure.ac: check fuse3, if not found, check fuse2, if still not found, fail out; show LIBFUSE_CFLAGS and LIBFUSE_LIBS in `./configure` output
Signed-off-by: Leo <i@hardrain980.com>
Return an error code if HASH_DATA received more bytes from the user than
what the user indicated in the length field that he wanted to send. This
avoids an integer underrun of the 'remain' variable in the loop that would
then cause the loop to wanting to receive around 4GB of data.
Also fix some indentation issues.
Use be32toh instead of (the equivalent) htobe32 when reading from the
packet.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When returncode 0x922 is received from NVWrite then retry the command so
that it gets the expected error code from failing to provide a password.
When checking the lockout counter, increase the numbers now.
Patched versions of libtpms may not return 0x922 anymore, so write the code
that it can test both cases.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
A patch was applied to the IBMTSS2 test cases due to a bug in OpenSSL. At
least with OpenSSL 3.2.4 (and possibly much earlier), this bug has been
found to have been fixed, so disable the patching for now and leave a FIXME
in there directing that the code block can be removed entriely at some
point.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If TPM2_CreatePrimary(RSA) fails with 0x2c4 error code, display an error
message hinting the user at using the 'default-v2' profile since most likely
the RSA key size is too large for the default or given profile.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend an existing test case with the backup option for the directory
backend. Check correct behavior by trying to start swtpm with missing
state decryption key and ensure that file renamings are handled as
expected.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the users specifies that a backup file is to be made and the permanent
state file is missing when the NVRAM is initialized (SWPTM_NVRAM_Init), but
the backup state file exists, then swtpm will permanently rename the backup
file to permanent state file and attempt to start with it. Otherwise, it
will try to start with the 'normal' permanent state file first and if this
fails, it will rename the backup file to the permanent state file and
attempt to start with it. If both cases fail, it will revert any renaming.
Only support for the directory-backend is implemented.
Extend the swtpm man page with a description of this behavior.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option to have the storage backend make a backup file of
the permanent state file. Advertise this capability with
'tpmstate-dir-backend-opt-backup' and adjust a test case.
Extend the documentation.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Query for tpmstate_get_make_backup() to decide whether to make a backup of
the permanent state file. If a backup is requested, then rename the current
state file in the directory backend to the backup file (suffix .bak).
Only the directory backend supports backing up of the permanent state file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
