pkgconf supports setting GMP_CFLAGS and GMP_LIBS if the pkgconf file
does not exist, for older (pre-2019) distributions.
Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
libfuse2 contains unaddressed security issue. (libfuse/libfuse#15)
libfuse3 is preferred over libfuse2, while libfuse2 support is kept as
fallback.
- src/swtpm/cuse_tpm.c: fuse3 as default, add a macro `WITH_FUSE2` when fallback fuse library is linked against
- configure.ac: check fuse3, if not found, check fuse2, if still not found, fail out; show LIBFUSE_CFLAGS and LIBFUSE_LIBS in `./configure` output
Signed-off-by: Leo <i@hardrain980.com>
My local filesystem is btrfs with a long life. It's inodes ecxeed 32-bit
space and that causes test failures in `swtpm` on `i686-linux`
containers:
FAIL: test_parameters
FAIL: test_swtpm_setup_file_backend
FAIL: test_swtpm_setup_overwrite
FAIL: test_tpm2_swtpm_setup_create_cert
FAIL: test_tpm2_swtpm_setup_overwrite
FAIL: test_swtpm_setup_create_cert
FAIL: test_tpm2_parameters
The example test failure log looks this way:
FAIL: test_migration_key
========================
Need to be root to run test with CUSE interface.
Need to be root to run test with CUSE interface.
==== Starting swtpm with interfaces socket+socket ====
Test 1: Ok
==== Starting swtpm with interfaces socket+socket ====
Test 2: Ok
==== Starting swtpm with interfaces socket+socket ====
swtpm: Missing migration key to decrypt volatilestate
Test 3: Ok
==== Starting swtpm with interfaces socket+socket ====
Could not stat file '/build/tests/data/migkey1/volatilestate.bin': Value too large for defined data type
Error: Could not load encrypted volatile state into TPM.
FAIL test_migration_key (exit status: 1)
The `stat()` fails because inode value exceeds 32-bit value:
$ stat /build/tests/data/migkey1/volatilestate.bin
File: /build/tests/data/migkey1/volatilestate.bin
Size: 1290 Blocks: 8 IO Block: 4096 regular file
Device: 0,30 Inode: 9639547569 Links: 1
...
The change fixes all the test failures. To fix
`test_tpm2_swtpm_setup_create_cert` I also had to include `config.h`
into `swtpm_backend_dir.c` to get 64-bit file open there as well.
Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
Libtpms v0.10 adds the TPMLIB_SetProfile call that swtpm needs to set a
profile. Check whether the API call is available in the local libtpms
installation.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for --disable-tests to disable the tests and the checking
for tools that only need to be installed for the tests. Keep the tests
enabled as default as it was before.
Resolves: https://github.com/stefanberger/swtpm/issues/843
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since many older gmp development packages do not provide the pkg-config
file for gmp, just display a warning and fall back to default values.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
PCR Bank verification needs bash, so check for bash. While at it use the
autoconf shell construct macros over raw shell syntax which is slightly
more portable.
Examples:
./configure --enable-default-pcr-banks=sha256,sha920
checking which PCR banks to activate by default... configure: error: sha256,sha920 is an invalid list of PCR banks
./configure --enable-default-pcr-banks=sha256,sha512
checking which PCR banks to activate by default... sha256,sha512
./configure
checking which PCR banks to activate by default... sha256
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Replace the hardcoded install path in src/selinux/swtpm.fc and
src/selinux/swtpmcuse.fc with @prefix@ and append .in to these files so
that they are generated when running configure.
Add the selinux policy input files with their suffix to the CLEANFILES
variable so they get cleaned up and 'make distcheck' works.
Resolves: https://github.com/stefanberger/swtpm/issues/711
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
While libtpms does not provide any means to disable FIPS-disabled crypto
algorithms from being used, work around the issue by simply disabling the
FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit
swtpm with a failure message that it cannot be disabled. If FIPS mode
was successfully disabled, print out a message as well.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090219
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To be able to test-compile with include/swtpm/tpm_ioctl.h in configure.ac
move the definition of __USE_LINUX_IOCTL_DEFS out of the configure script
into the header file so that the #define is there when needed. In the
configure.ac script the CFLAGS were extended only after the test-compiling
to determine the HARDENING_CFLAGS and the test-compilation failed on Cygwin
(only) since the tpm_ioctl.h didn't compile because of this missing
#define.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Mof the block with the CUSE-related tests further up to be following the
first set of CUSE-related tests.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Show the value of with_chardev after the test for whether to build
with chadev rather than with_cuse.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Determine GNUTLS_LIBS using pkg-config rather than hard-coding
it. On OS X it may return a -L<path> to succeed the linking.
Resolves: https://github.com/stefanberger/swtpm/issues/676
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add probing for -fstack-protector to the existing
-fstack-protector-strong since not all platforms support either one
of them.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
According to the man page sections guideline, man8 should be used
for system administration commands. So this commit moves *.conf and
*.options files to man5.
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option that allows for the configuration of the default PCR bank
to use. This was currently hard coded to sha256 and now may be passed
via this option. The fallback is still sha256. Valid PCR bank names are
sha1, sha256, sha384, and sha512. The passed list must be a comma-
separated list of the valid PCR bank names.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the EVP_CIPHER implementation for the AES CBC computations. This
API has been supported already in OpenSSL 1.1.x for sure and is also
not deprecated in OpenSSL 3.0.
This now resolves issue #538.
We can build src/swtpm without having to suppress deprecated API warnings.
Since this is the last issue related to OpenSSL deprecated APIs, we don't
need to suppress any OpenSSL 3.0 deprecated API warnings anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the (undocumented) OPENSSL_SUPPRESS_DEPRECATED to suppress the
deprecated API warnings when compiling swtpm and swtpm_setup with
OpenSSL 3.0.0 replacing the global -Wno-deprecated-declarations.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
