Display an error if the user set the backup option when using the
linear storage backend. Update the documentation about the rejection.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option to have the storage backend use fsync whenever state is
written to disk. Advertise this capability with
'tpmstate-dir-backend-opt-fsync' and adjust a test case.
Only support for the directory-backend is implemented.
Extend the swtpm man page with a description of this new option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the user specifies that a backup file is to be made and the permanent
state file is missing when the NVRAM is initialized (SWTPM_NVRAM_Init), but
the backup state file exists, then swtpm will permanently rename the backup
file to permanent state file and attempt to start with it. Otherwise, it
will try to start with the 'normal' permanent state file first and if this
fails, it will rename the backup file to the permanent state file and
attempt to start with it. If both cases fail, it will revert any renaming.
Only support for the directory-backend is implemented.
Extend the swtpm man page with a description of this behavior.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option to have the storage backend make a backup file of
the permanent state file. Advertise this capability with
'tpmstate-dir-backend-opt-backup' and adjust a test case.
Extend the documentation.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for RSA-4096 keys for EKs. This requires users to choose the
default-v2 profile because this is the only profile that currently enables
this type of a key.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend swtpm-create-tpm to support rsa2048 (default), rsa3072, ecc256
(NIST P256), and ecc384 (NIST P384) for the created TPM 2 CA. The names
are taken from the output of:
tpm2_ptool addkey --help
ecc521 does not seem to work with the TPM 2 stack even though it is
advertised as a possible option.
Extend an existing test case to create an ecc256 key and extend man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Improve the swtpm_setup --tpm option documentation that did not mention
that the socket option must be passed along when swtpm is being used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display the new capability tpmstate-opt-lock, adjust test cases,
and document it in the swtpm man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To support storage backend locking on the file backend, add support for a
lock option parameter to the --tpmstate option. By default the value of
this option (if not given) has to be 'true' for the dir backend, since this
backend has always been locking, and 'false' on the file backend, since
this backend did not lock so far.
If the user chooses no storage backend locking then SWTPM_NVRAM_Unlock &
SWTPM_NVRAM_Lock_Storage do not call the backend for locking at all
anymore.
Document the new option parameter in the swtpm man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Define a structure to use for returning the PTM_GET_CAPABILITY result that
resembles the layout of all the commands' structures. Since only 17 bits for
capabilities are currently defined and they are returned in big endian
format as part of a 64-bit number, this change can be done without any side
effects. The upper 32 bits of this number now become the tpm_result, which
will always be 0. The lower 32 bits are the possible capability flags, of
which 17 are used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
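The compatibility argument in the commit above (a 64-bit big-endian number whose upper 32 bits are always 0 reads identically as two big-endian 32-bit fields) can be checked byte for byte. The following is an added illustration, not swtpm's own header or code: the struct and its field names are assumptions that only mirror the layout the message describes, and the mask for the 17 defined bits is taken from the message.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not swtpm's own header. The struct mirrors the layout
 * described in the commit message; the type and field names are assumptions
 * made for this example. */
struct cap_resp {
    uint32_t tpm_result;   /* upper 32 bits on the wire; always 0 here */
    uint32_t caps;         /* lower 32 bits on the wire; capability flags */
};

/* Only 17 capability bits are currently defined (from the commit message). */
#define CAPS_DEFINED_BITS 17u
#define CAPS_DEFINED_MASK ((1u << CAPS_DEFINED_BITS) - 1u)

static void put_be32(uint8_t out[4], uint32_t v)
{
    out[0] = (uint8_t)(v >> 24); out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);  out[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t in[4])
{
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
}

/* Old encoding: the flags as one 64-bit big-endian integer. */
void encode_legacy(uint8_t wire[8], uint32_t caps)
{
    put_be32(wire, 0);          /* high word of the 64-bit number */
    put_be32(wire + 4, caps);   /* low word carries the flags */
}

/* Old decoding: read all 8 bytes as one 64-bit big-endian integer. */
uint64_t decode_legacy(const uint8_t wire[8])
{
    return ((uint64_t)get_be32(wire) << 32) | get_be32(wire + 4);
}

/* New encoding: two big-endian 32-bit fields, tpm_result first. */
void encode_struct(uint8_t wire[8], const struct cap_resp *r)
{
    put_be32(wire, r->tpm_result);
    put_be32(wire + 4, r->caps);
}

/* New decoding: split the same 8 bytes into tpm_result and caps. */
struct cap_resp decode_struct(const uint8_t wire[8])
{
    struct cap_resp r;
    r.tpm_result = get_be32(wire);
    r.caps = get_be32(wire + 4);
    return r;
}

/* Returns 1 if the old and new encodings of `caps` are byte-identical and
 * each decoder reads the other's bytes back unchanged (tpm_result == 0). */
int layouts_compatible(uint32_t caps)
{
    uint8_t old_wire[8], new_wire[8];
    struct cap_resp r = { 0, caps };

    encode_legacy(old_wire, caps);
    encode_struct(new_wire, &r);
    if (memcmp(old_wire, new_wire, 8) != 0)
        return 0;

    struct cap_resp seen = decode_struct(old_wire);
    return seen.tpm_result == 0 && seen.caps == caps &&
           decode_legacy(new_wire) == (uint64_t)caps;
}

/* What an old client would see if a non-zero tpm_result were ever sent:
 * the result lands in the upper 32 bits of its 64-bit "caps" value. This is
 * why the compatibility claim depends on tpm_result staying 0. */
uint64_t legacy_view_of(uint32_t tpm_result, uint32_t caps)
{
    uint8_t wire[8];
    struct cap_resp r = { tpm_result, caps };
    encode_struct(wire, &r);
    return decode_legacy(wire);
}
```

`layouts_compatible(CAPS_DEFINED_MASK)` exercises all 17 defined flag bits at once; `legacy_view_of` shows the one way the two views would diverge, which the commit rules out by fixing tpm_result at 0.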
Implement --print-info that takes a number as argument and uses this number
as flags to call TPMLIB_GetInfo with. Display the JSON string and exit.
Extend the man page and update other parts where it is no longer necessary
to use swtpm_ioctl.
Extend a test case to also check that swtpm now returns the same result as
swtpm_ioctl does.
Append cmdarg-print-info to printed out capabilities. Adjust test cases.
(Expect 'profiles' to always be part of capabilities JSON.)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for the --print-profiles option to search the local
and distro profiles directories for profiles (files with .json extension)
and then get the built-in ones from swtpm. Print them all to stdout.
Extend a test case and add description to the man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for --profile-name option that searches for a profile in a
configurable local directory or a distro directory
(typically /usr/share/swtpm/profiles).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable reading a profile from a file. Pass it as open file descriptor to
swtpm.
Adjust one test case to read a profile from a file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable reading a profile from a file.
If setting a profile fails, display the profile in the error message.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the --profile-remove-fips-disabled option that is used to tell
swtpm to remove algorithms that are disabled by FIPS mode on the host.
Internally, this option passes the remove-fips-disabled option parameter
with the --profile option to swtpm.
Add a test case passing this option and check that the resulting profiles
have key sizes adjusted and relevant attributes set.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a function that checks whether a crypto algorithm identified by
TPM algorithm identifiers is disabled.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add missing cmdarg-profile to the man page of swtpm_setup and adjust the
order to follow the order of the application output.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit 96fe5afa forgot to add cmdarg-print-profiles to the list of
capabilities. Also fix typo in the man page and sort shown output
to match application output.
Fixes: 96fe5afa ("swtpm: Add support for --print-profiles option")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use TPMLIB_WasManufactured to check whether a profile was applied since a
new instance was created. If a profile was given and no new TPM 2 instance
was created then display an error message and exit with an error code.
This avoids silently ignoring a provided profile that was not applied
since the TPM 2 instance already existed.
Make sure that a profile is only applied once by swtpm by clearing the
json_profile once TPMLIB_MainInit succeeded.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for --print-profiles option to print all profiles supported
by libtpms.
Usage:
swtpm socket --tpm2 --print-profiles | jq
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display the new capability verb 'cmdarg-profile' indicating that the
--profile option with the name= and profile= parameters is supported.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for the --profile option for a TPM 2. The 'name=' parameter
allows a user to select a specific profile available in libtpms. The
'profile=' parameter allows a user to pass a JSON profile that must
contain a name field with a profile known to libtpms. It may contain
an algorithm field that has a comma-separated list of verbs with the
names of algorithms that the TPM 2 is supposed to provide.
The --profile option only has an effect the first time a TPM 2 is started
since afterwards whenever the state of the TPM 2 is read, the profile
found in the state is being used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the user did not provide the RSA keysize to use try to read it from
swtpm_setup.conf and if nothing is found there fall back to using the
internal default RSA keysize (2048).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Test cases using swtpm_localca were failing because swtpm_localca
now picked up the swtpm_cert installed in /usr/bin/swtpm_cert rather
than the one in the PATH. This revert fixes the issue and users will
have to adjust their PATH for out-of-PATH installations.
Resolves: https://github.com/stefanberger/swtpm/issues/829
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm_localca may also receive the key parameters of other keys than
the ek, therefore introduce the --key alias for --ek and rename the
variable ekparmas to key_params throughout the code.
Extend the man page to describe the --key option as an alias that
is to be used for other public key parameters than specifically those
of an ek.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To support install paths that are not covered by $PATH, and still allow
swtpm_setup and swtpm_localca to find swtpm and swtpm_cert executables,
implement find_program() to prepend the install path if only the program
name is given and otherwise fall back to g_find_program_in_path().
Update the man page stating that swtpm from the installation directory
(BINDIR) is tried first, before one is looked for in the PATH.
Resolves: https://github.com/stefanberger/swtpm/issues/795
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Users have the option to disable the CUSE interface (just pass
--without-cuse argument to the configure script). But the
swtpm_cuse.8 man page is installed regardless of the argument.
This leaves distros having to remove the file before packing
builddir into packages.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Implement support for the terminate parameter for the control channel
option so that swtpm terminates once the control channel connection is
lost. The primary use case is QEMU that holds the control channel
permanently.
Resolves: https://github.com/stefanberger/swtpm/issues/753
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement CMD_LOCK_STORAGE / PTM_LOCK_STORAGE for a user to be able to
lock the storage of the storage backend (if supported) after its lock
has been released for example when the 'savestate' blob was received
while the TPM state was migrated.
Also adjust test case and extend man pages.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Advertise the capability of supporting the --migration option
in the capabilities JSON that now has the cmdarg-migration verb:
  $ swtpm socket --print-capabilities | jq
  {
    "type": "swtpm",
    "features": [
      "tpm-1.2",
      "tpm-2.0",
      "tpm-send-command-header",
      "flags-opt-startup",
      "flags-opt-disable-auto-shutdown",
      "cmdarg-seccomp",
      "cmdarg-key-fd",
      "cmdarg-pwd-fd",
      "cmdarg-print-states",
      "cmdarg-migration",
      "nvram-backend-dir",
      "nvram-backend-file"
    ],
    "version": "0.8.0"
  }
Adjust test cases and extend man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the release-lock-outgoing parameter for the --migration option
that causes the storage lock to be released once the 'savestate' blob
transfer has been initiated. To not release the lock too early users must
first get the 'permanent' and 'volatile' state blobs and the 'savestate'
blob must be transferred as the last blob.
When migrating a VM the migration may fail and execution will then resume
on the originating side. In this fallback case the swtpm on the
destination side may need some time to terminate and release the lock.
Therefore, add a loop to the code attempting to re-lock the storage
directory on the source side for a few times until on the destination
side swtpm has released the lock. Retry the locking for 100 times
with 10ms in between. The retries will only ever be necessary if a TPM
command is immediately executed upon resume [this may be difficult
to test]. The negative side effects of this could be that the loop is not
long enough to grab the lock or that a short-duration TPM command will
time out inside the VM due to the retries delaying when it is processed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolves: https://github.com/stefanberger/swtpm/issues/724
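The re-lock loop described above (retry for a bounded number of attempts with a short sleep in between, because the other side may still hold the lock for a moment after a failed migration) is shown below as an added example. It is not swtpm's own code: `flock()` stands in for whatever lock primitive the backend actually uses, the function names are assumptions, and the 100 x 10 ms budget is the one the commit message states. The scenario function opens one temporary file twice so that two open file descriptions contend for the same lock in a single process.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Retry budget from the commit message: 100 attempts, 10 ms apart. */
#define LOCK_RETRIES  100
#define LOCK_SLEEP_MS 10

static void sleep_ms(int ms)
{
    struct timespec ts = { ms / 1000, (long)(ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Try to take an exclusive, non-blocking flock() on fd, retrying while the
 * lock is still held elsewhere (EWOULDBLOCK). Returns 0 once the lock is
 * held, -1 with errno set if the budget is exhausted or a real error occurs.
 * Any error other than contention aborts immediately: retrying would only
 * delay the TPM command without a chance of success. */
int lock_with_retries(int fd, int retries, int sleep_ms_between)
{
    for (int attempt = 0; attempt < retries; attempt++) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return 0;
        if (errno != EWOULDBLOCK)
            return -1;                    /* not contention: give up now */
        if (attempt + 1 < retries)
            sleep_ms(sleep_ms_between);   /* wait for the other side to let go */
    }
    errno = EWOULDBLOCK;
    return -1;
}

/* Constructed scenario with two open file descriptions on one file:
 * "dest" plays the destination swtpm that still holds the lock, "src" the
 * source side that re-locks after the migration fell back. Returns 0 when
 * the source is refused while the lock is held and succeeds once it is
 * released; any other value is the step that did not behave as expected. */
int demo_lock_contention(void)
{
    char path[] = "/tmp/swtpm-lock-demo-XXXXXX";   /* constructed temp file */
    int dest = mkstemp(path);
    if (dest < 0)
        return 1;
    int src = open(path, O_RDWR);
    unlink(path);                          /* both descriptors stay valid */
    if (src < 0) {
        close(dest);
        return 2;
    }

    int rc = 0;
    if (flock(dest, LOCK_EX | LOCK_NB) != 0)
        rc = 3;                            /* destination takes the lock */
    else if (lock_with_retries(src, 3, 1) == 0 || errno != EWOULDBLOCK)
        rc = 4;                            /* source must be refused while held */
    else if (flock(dest, LOCK_UN) != 0)
        rc = 5;                            /* destination terminates, releases */
    else if (lock_with_retries(src, LOCK_RETRIES, LOCK_SLEEP_MS) != 0)
        rc = 6;                            /* source now gets the lock */

    close(src);
    close(dest);
    return rc;
}
```

The small budget (3 attempts, 1 ms) in the refused step keeps the demonstration fast; the real budget is used only once the lock can actually be taken. The trade-off the commit message names is visible in the loop: a larger budget tolerates a slower destination but delays the first TPM command by up to retries x sleep on the source.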
Introduce the --migration option along with the 'incoming' parameter
that allows deferring the locking of the storage until either
- the reception of the TPM's state is started
- a TPM command is about to be processed
Note that the reception of CMD_INIT does not enable the storage lock.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolves: https://github.com/stefanberger/swtpm/issues/724
Advertise the availability of the chroot option with the cmdarg-chroot
verb. Document it in the man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option to enter a chroot after starting swtpm. This is useful for
sandboxing purposes. When this option is used, it is expected that swtpm
is started as root and the --runas option is used to subsequently drop
privileges (otherwise the chroot could be escaped).
Signed-off-by: Jennifer Herbert <jennifer.herbert@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>