Extend an existing test case to use the new fsync option to at least test
the option parser. That fsync() is actually being called is not easy to
observe.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option to have the storage backend use fsync whenever state is
written to disk. Advertise this capability with
'tpmstate-dir-backend-opt-fsync' and adjust a test case.
Only support for the directory-backend is implemented.
Extend the swtpm man page with a description of this new option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When returncode 0x922 is received from NVWrite then retry the command so
that it gets the expected error code from failing to provide a password.
When checking the lockout counter, increase the numbers now.
Patched versions of libtpms may not return 0x922 anymore, so write the code
that it can test both cases.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
A patch was applied to the IBMTSS2 test cases due to a bug in OpenSSL. At
least with OpenSSL 3.2.4 (and possibly much earlier), this bug has been
found to have been fixed, so disable the patching for now and leave a FIXME
in there directing that the code block can be removed entriely at some
point.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend an existing test case with the backup option for the directory
backend. Check correct behavior by trying to start swtpm with missing
state decryption key and ensure that file renamings are handled as
expected.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option to have the storage backend make a backup file of
the permanent state file. Advertise this capability with
'tpmstate-dir-backend-opt-backup' and adjust a test case.
Extend the documentation.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
libtpms v0.11 will support RSA-4096 keys. Adjust the test case
regex for optional output of 'tpm2-rsa-keysize-4096'.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Enable passing the usual curve names of secp256r1 and secp384r1 instead
of ecc256 and ecc384 on the command line of swtpm-create-tpmca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend swtpm-create-tpm to support rsa2048 (default), rsa3072, ecc256
(NIST P256), and ecc384 (NIST P384) for the created TPM 2 CA. The names
are taken from the output of:
tpm2_ptool addkey --help
ecc521 does not seem to work with the TPM 2 stack even though it is
advertised as a possible option.
Extend an existing test case to create an ecc256 key and extend man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Ensure that no profile is passed to the TPM 2 when it is to be reconfigured
by:
- Showing an error if user tries to pass a profile when also --reconfigure
is passed
- Not taking the default profile from the swtpm_setup.conf configuration
file if the user did not pass a profile
Extend an existing test case with a default profile in its swtpm_setup.conf
so that the above 2nd item is tested.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Check the help screen for necessary supported options since the IBM TSS2
test will have to be patched to support swtpm directly. If it does not
support it, exit the tests early with an error message.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Only display profile capabilities when --tpm2 is given since they are only
relevant when a TPM 2 is used.
Adjust test cases.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The default-v1 profile may soon also set Attributes in the JSON and
therefore extend the regular expressions matching profiles to optionally
match for Attributes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display the new capability tpmstate-opt-lock, adjust test cases,
and document it in the swptm man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for locking the storage file using fcntl(fd, F_SETLK, ...).
Since fcntl needs a file descriptor of the actual storage file, call
SWTPM_NVRAM_LinearFile_DoOpenURI() to open the file in case it has not
been opened, yet. In case of error close the file again but be careful
about the fact that it may not have been mmap'ed, yet.
Since now all backends have .lock and .unlock nvram_backend_ops, they can
be called without checking for a NULL pointer.
Extend an existing test case with a file-backend storage lock test.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Restrict available PCR banks to sha256 & sha384 and try to enable sha256
and sha512 and check the expected results.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement --print-info that takes a number as argument and uses this number
as flags to call TPMLIB_GetInfo with. Display the JSON string and exit.
Extend the man page and update other parts where swtpm_ioctl is not necessary
anymore to use.
Extend a test case to also check that swtpm now returns the same result as
swtpm_ioctl does.
Append cmdarg-print-info to printed out capabilties. Adjust test cases.
(Expect 'profiles' to always be part of capabilties JSON.)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable SWTPM_TEST_PROFILE for running the test_tpm2_ibmtss2 test cases
with a user provided profile. Document it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the support for 'remove-disabled' option parameter of the --profile
option to also work for profiles whose name starts with 'custom:'.
Modify an existing test case to use custom:test as profile name with this
option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for the --print-profiles option to search the local
and distro profiles directories for profiles (files with .json extension)
and then get the built-in ones from swtpm. Print them all to stdout.
Extend a test case and add description to the man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for --profile-name option that searches for a profile in a
configurable local directory or a distro directory
(typically /usr/share/swtpm/profiles).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Accept profiles that start their name with 'custom:' and do not exceed
32 characters. The content of these profiles will be derived from the
built-in 'custom' profile unless Algorithms, Commands, or Attributes
are provided on the command line.
Adjust a test case to test with profile name starting with 'custom:'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable reading a profile from a file. Pass it as open file descriptor to
swtpm.
Adjust one test case to read a profile from a file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Ignore the remove-disabled parameter on non-'custom' profile identified
by return value '1'. Switch to negative return values in the called function.
Extend a test case to ensure that the --profile-remove-disabled option
on swtpm_setup, which is passed through to swtpm, has no effect on 'null'
and 'default-v1' profiles.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Very old OpenSSL versions (e.g., 1.1.0i) are using /dev/urandom to get
entropy while newer ones are using the getrandom syscall that does not
need the device file. In some environments access to the created
/dev/urandom device file may not work (EACCESS; chroot test case) and
then OpenSSL will start failing operations that depend on good entropy.
Therefore, check the status of the random number generator after chroot.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
CentOS 9 and RHEL >= 9.4 (maybe earlier also) are expected to log the
setting of OPENSSL_ENABLE_SHA1_SIGNATURES when a libtpms v0.9 state is
used where signing a SHA1 was allowed and needs to be enable with this
environment variable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the --profile-remove-fips-disabled option that is used to tell
swtpm to remove algorithms that are disabled by FIPS mode on the host.
Internally, this option passes the remove-fips-disabled option parameter
with the --profile option to swtpm.
Add a test cases passing this option and check that the resulting profiles
have key sizes adjusted and relevant attributes set.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a function that checks whether a crypto algorithm identified by
TPM algorithm identifiers is disabled.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Consoldiate some test cases related to the custom profile and add
additional checks for various StateFormatLevels.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Convert the TPM 1.2 test case test_samples_create_tpmca to be able to run
installed. It also needs to have the test_config file installed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since there is a BSD variant of sed that requires a parameter for the -i
option provide a sed-inplace wrapper script.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since there is a BSD variant of install that does not support the -D option
like install on Linux, provide a fileinstall wrapper script.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit 96fe5afa forgot to add cmdarg-print-profiles to the list of
capabilities. Also fix typo in the man page and sort shown output
to match application output.
Fixes: 96fe5afa ("swtpm: Add support for --print-profiles option")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use an absolute path for TESTDIR, as we refer to it from different
directories.
Also fix killing gone swtpm process.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Run against the installed version only when SWTPM_TEST_IBMTSS is
set to the directory that has the tests, otherwise, build the known
version.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Use 'swtpm --help | grep cuse' to determine whether CUSE interface
is supported and CUSE related tests need to run. Make sure that
SWTPM_EXE is available when test_cuse is sourced.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
SWTPM was set to 'swtpm' and only for uninstalled tests. Remove it and
replace its usage with 'swtpm' everywhere.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Skip the test_tpm2_libtpms_versions_profiles since it requires that swtpm is
built from a git checkout so that various versions of swtpm can be built.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The IBMTSS2 tests suite creates signatures over SHA1 that may now fail on
RHEL 9.x and CentOS 9. To have these tests succeed set
OPENSSL_ENABLE_SHA1_SIGNATURES=1 so the tests do not need to be modified
and also check that the TPM 2 can handle SHA1 signatures as before.
'swtpm socket --tpm2' should set this environment variable automatically
if needed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Use 3072bit RSA keys if possible; not possible on Ubuntu 22.04
- Add test case with NIST p256 key and signing
- Store modified files in git repo *after* the copy of the repo
- Suppress more tools output
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
