There seems to be a well-known error in setuptools 71.x that prevents
installation of cpp-coveralls on Travis now:
    File "/usr/local/lib/python3.10/dist-packages/setuptools/_core_metadata.py", line 285, in _distribution_fullname
      canonicalize_version(version, strip_trailing_zero=False),
    TypeError: canonicalize_version() got an unexpected keyword argument 'strip_trailing_zero'
Fall back to the default version that is used in Ubuntu Jammy (59.6.0)
since later versions also lead to the same error.
Link: https://github.com/pypa/setuptools/issues/4483
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Since the tss2 package is commonly available in focal and jammy
move it into the general list of packages to be installed.
libtpm2-pkcs11-tools is available since jammy, so install it
there to enable the TPM 2 pkcs11 tests.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Since the package libasan2 does not exist in focal anymore, remove it. The
bionic builds do not seem to require this package to be installed (maybe
it's already there), so there's no need to install it in a before_script.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

This is a 1:1 rewrite of swtpm_setup in 'C' as a first step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Add restoring of the volatile state after having it stored.
Since this is now taking a long time it must be explicitly enabled
by setting the environment variable SWTPM_TEST_STORE_VOLATILE=1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Pip 21.0.0 seems to be broken when upgraded to on Xenial. So
let's just only upgrade to 20.3.3.
    $ sudo pip3 install --upgrade cryptography
    Traceback (most recent call last):
      File "/usr/local/bin/pip3", line 7, in <module>
        from pip._internal.cli.main import main
      File "/usr/local/lib/python3.5/dist-packages/pip/_internal/cli/main.py", line 60
        sys.stderr.write(f"ERROR: {exc}")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

The IBM TSS2 is available starting with Bionic. Use it there
to extend the test coverage of the code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Allow specifying a libtpms revision to test with, defaulting to
master branch.
Have the OS X test use the stable-0.6.0 branch.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Since I am not often using the non-openssl crypto function usage
in libtpms, add a build to Travis that exercises the old code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

The Travis build on OSX was failing due to the following error:
    /usr/local/Homebrew/Library/Homebrew/brew.rb:23:in `require_relative': \
    /usr/local/Homebrew/Library/Homebrew/global.rb:110: \
    syntax error, unexpected keyword_rescue, expecting keyword_end (SyntaxError)
    from /usr/local/Homebrew/Library/Homebrew/brew.rb:23:in `<main>'
    The command "brew tap discoteq/discoteq" failed and exited with 1 during .
This patch resolves the issue.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Only build the libtpms dir if it doesn't exist. When we do a Coverity
scan build it looks like we are now running the script afterwards as
well and this creates a build failure due to the 2nd clone.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Set the LIBTPMS_CFLAGS for libtpms to sanitize the same as we sanitize
in swtpm. Also set UBSAN_OPTIONS and ASAN_OPTIONS for directing runtime
behavior to halt_on_error=1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Pass the --runas parameter to swtpm so we can test switching it
to a given user 'nobody'.
We also have to change ownership of files and directories so that
the nobody user can write the coverage files when swtpm ends.
In the test case we then use the trick of changing file ownership
just before we terminate swtpm, which will trigger the writing
of the .gcda files. We need to have nobody own these files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Do not run the 'asan' test with seccomp compiled in since the asan
libraries seem to use syscalls that we blacklist in the seccomp
profile. In particular those are:
- clone
- sigaltstack
- ptrace
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

The extension of the travis.yml with the matrix broke the Coverity
submission. This patch fixes this. We have to build libtpms in
build_command_prepend since before_script now does something different.
We only build in task .1 and exit early on all the other ones if
we are using the coverity_scan git branch.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

We need to run the softhsm/pkcs11 test case as root (sudo) under OS X
so that we can write the file /etc/gnutls/pkcs11.conf. However, once
we run the tests as root we cannot run the 'brew ls' command anymore
since it refuses to run with high privileges. So, if we run as root we
need to use sudo to switch to the nobody user to run the 'brew ls'
command that gives us the name of the softhsm pkcs11 module.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Use SoftHSM to create a pkcs11 URI and then use the pkcs11 URI
to sign the certificate of a TPM 2.0 with this key using swtpm-localca.
This test case works with softhsm >= 2.3.0 on Fedora and should work
with a recent version of Ubuntu. If an error is encountered setting
up the softhsm2 environment, we just skip the test.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Run the build on OSX as well and run a quick test that exercises
some of the config files installed in --prefix=/usr/local
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Move the packages to install into the addons section and
rename the before_install section to before_script section.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Integrate the Travis builds with Coveralls.io by submitting the coverage
results to Coveralls.io.
We have to run the coveralls script with sudo rights since otherwise we
get permission denied errors.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Get the IBM TSS2 test suite from its git repo, compile it, and run
its test suite if SWTPM_TEST_EXPENSIVE=1 is set.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

To test the creation of the tar and out-of-tree builds all the time, do
'distcheck' rather than a simple 'check'.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

With the SAN data in the certificate properly generated and accepted by
certtool, we can now activate the test case for swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Follow more closely the https://github.com/cgwalters/build-api.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

We also have to move the Travis tests to xenial since PKG_CHECK_VAR
was not available in trusty (14.04).
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Implement support for TPM2. Some of the capabilities are not supported yet in
this patch.
Extend the man pages with description for --tpm2.
Missing: configure should probe for needed API calls in libtpms
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Use the send1msg() of the twisted sendmsg package since sendmsg()
is only supported in more recent versions of twisted.
Following this we also don't need to install a recent version of twisted
via pip on Travis, which runs Ubuntu 14.04.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Rather than sending two separate messages with the bare python 2
API, use the python twisted package to send the control and data
in one sendmsg() call. This avoids occasional test failures in
the ctrlchannel test case that is currently sending the data and
control part of the message in 2 steps, which can lead to the
recipient not seeing the whole message.
Add python-twisted as a build dependency to the rpm and Debian
builds and the .travis.yml.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Use a new and encrypted token. Fix other parameters. Build works now
and submits to coverity if coverity_scan branch is pushed to.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>