Extend the previously modified test case to also test on
Darwin now that we are able to convert a file descriptor
to a filename.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
On Linux and Cygwin we can pass a file descriptor for the pid
file, on other platforms it doesn't work (yet).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Pass the --runas parameter to swtpm so we can test switching it
to a given user 'nobody'.
We also have to change ownership of files and directories so that
the nobody user can write the coverage files when swtpm ends.
In the test case we then use the trick of changing file ownership
just before we terminate swtpm, which will trigger the writing
of the .gcda files. We need to have nobody own these files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the mode= parameter of the TPM's state file and a unix
socket to have swtpm set the file mode bits and check that
they are set as expected.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Clean up state files in case the test suite was interrupted
- Allow running it from the test directory by creating an absolute
path for TESTDIR so we can find the patch file; error out in
case the patching fails
- Run test case 2 and 1 as well but ignore ERROR output in case
of test 1. The errors stem from us not restarting the TPM when
the test suite asks for it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a test case that downloads the TPM 1.2 package from sourceforge,
patches a few files for OpenSSL compatibility, and runs a few test
cases of that test suite. Look for ERROR output in the test suite.
This test suite also provides better code coverage for libtpms.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To prevent the test case from failing when an no --prefix is used
when configuring, use an empty options file via /dev/null. Otherwise
swtpm-localca starts looking for the options file in a place where
there is none.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If no prefix is passed to the configure line we get prefix=NONE
in evaluations of variables that depend on prefix at this point.
If the user provides no --prefix we assume /usr/local as the
default and override the 'NONE' value we have at this point.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable support for the seccomp blacklist profile that is
enabled by default and can be disabled using the following option:
--seccomp action=none
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Do not run the 'asan' test with seccomp compiled in since the asan
libraries seem to use syscalls that we blacklist in the seccomp
profile. In particular those are:
- clone
- sigaltstack
- ptrace
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for --with-seccomp and --without-seccomp for Linux
systems with --with-seccomp being the default. On all other systems
--without-seccomp is the implicit default.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
According to the XDG spec,
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html:
"If $XDG_CONFIG_HOME is either not set or empty, a default equal to
$HOME/.config should be used."
This fixes setting up a TPM with libvirt running in a user session.
It works by checking if configuration files are readable in the
directory priority order (XDG_CONFIG_HOME, then HOME, then SYSCONFDIR).
When libvirt is running as a system instance, $HOME isn't set, so it
will fall back on @SYSCONFDIR@ (/etc usually)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The extension of the travis.yml with the matrix broke the Coverity
submission. This patch fixes this. We have to build libtpms in
build_command_prepend since before_script now does something different.
We only build in task .1 and exit early on all the other ones if
we are using the coverity_scan git branch.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Libtpms is now libtpms0 as a dependency.
Gnutls is neede for swtpm_cert to create the certs. Force it to
be available.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a post install script for swtpm-tools that creates
the /var/lib/swtpm-localca directory and changes ownersip
on it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Softhsm cannot be installed as an i386 executable/library and as
a x86_64 executable/library on a Fedora host. The pkcs11 test then
fails since it cannot pick up the libsofthsm.so needed for an i386
executable (swtpm_cert) on a x86_64 host. This fixes test run errors
for run_test.sh by skipping the test in case swtpm_cert returns
a specific error message related to not being able to import the
pkcs11 URI object.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use wait_process_gone with 2 seconds timeout to wait for the swtpm to
have terminated after SIGTERM or connection loss. This avoids test
failures on slow Raspberry Pi 2.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
We need to run the softhsm/pkcs11 test case as root (sudo) under OS X
so that we can write the file /etc/gnutls/pkcs11.conf. However, once
we run the tests as root we cannot run the 'brew ls' command anymore
since it refuses to run with high privileges. So, if we run as root we
need to use sudo to switch to the nobody user to run the 'brew ls'
command that gives us the name of the softhsm pkcs11 module.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
On OS X we need to be able to change /etc/gnutls/pkcs11.conf for
p11tool to pick up the softhsm pkcs11 module correctly. We need
(password-less) sudo to be able to do this.
Unforutnately this test case does not run on Travis since Travis
seems to require passwords under some circumstances.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use SoftHSM to create a pkcs11 URI and then use the pkcs11 URI
to sign the certificate of a TPM 2.0 with this key using swtpm-localca.
This test case works with softhsm >= 2.3.0 on Fedora and should work
with a recent version of Ubuntu. If an error is encountered setting
up the softhsm2 environment, we just skip the test.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Older versions of the IBM TSS2, such as in FC26 for example, behave
slightly different than the code in the test case expects (certain
files are not generated or may have a different name). So gate this
test case with SWTPM_TEST_IBMTSS2 environment variable so we don't run
it by default if the TSS tools are found and so we do not run into
possible errors due to an older version of the stack installed on the
system.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid failures with mktemp call on BSD type of systems replace
mktemp --tmpdir=<dir> with TMPDIR=<dir> mktemp, which seems more portable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
OS X cannot resolve the path we get from genenv("_") when running a
test script on Travis (reason unknown). So we use _NSGetExecutablePath()
instead and display the path in the error message in case realpath()
fails.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Run the build on OSX as well and run a quick test that exercises
some of the config files installed in --prefix=/usr/local
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Adjust the localstatedir variable to not have ${prefix} if
prefix is '/usr/', otherwise use ${prefix}.
Also adjust the files that were pointing to directories that
are controlled by $localstatedir.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the project is configured with --prefix=/usr/local several configuration
files are installed to /usr/local/etc but not read by the programs that
need them. This patch fixes this issue by replacing @SYSCONFDIR@ in the source
code of those files with the actual used path.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
