Since the CUSE TPM starts TPM in one process but then daemonizes and
effectively runs in a child process, the lock records on the storage
that the parent may have set up are lost due to them not being inherited
by the child. Fix the issue by daemonizing before the TPM is started so
that the child grabs the lock on the storage. Prevent CUSE from forking
so that not another child is created.
As a side-effect, this now moves any error reporting, that may previously
have occurred in the main process and where messages were show on stderr,
into the child process. A log is now required for these messages to become
visible.
Resolves: https://github.com/stefanberger/swtpm/issues/1050
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When printing the output of the info flags, the resuling JSON printed to
stdout should be the only printout. Therefore, suppress all informative
output to stdout so that either the JSON is the only output or only error
messages are printed.
Fixes: 3f551e1dc ("swtpm: Implement --print-info to run TPMLIB_GetInfo with flags")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the special logging file descriptor SUPPRESS_INFO_LOGGING is chosen,
then only suppress informative and warning messages while still allowing
error messages to be printed to stderr.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Prevent an integer overflow with the recvd variable. However, the
buffer_len variable serves as an upper bound for how many bytes will ever
be received, so that this integer overflow will never occur. Therefore,
this is a false positive reported by Coverity. Fix it anyway.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Prevent an integer overflow that could result from adding the return value
of 'n' to an existing value. However, for this to occurr in this function,
one would have to write() more than 4G of data on a 32bit system for
example. So, this is a false positive reported by Covertity, but fix it
anyway.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Change the type of buffersize parameter of SWTPM_IO_Read from size_t to
uint32_t to match that of the caller and to avoid Coverity complaints
about possible integer overflows. Also change the offset to uint32_t.
An integer overflow would never have occurred since buffersize always
served as an upper bound of the number of bytes received.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Catch the unlikely case that sysconf returns 0 for _SC_PAGESIZE and avoid
integer overflow with the pagesize calculation, that should never occur if
pagesize is within normal limits. Also ensure that no overflow happens
with the msync_count variable.
On 64bit machines, casting count to size_t could work but would not work on
32bit platforms where size_t is the same as uint32_t, so the overflow
complain would not go away there.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Return ssize_t rather than int from logging function to resolve Coverity
complaints about possible integer overflows. Since no caller looks at the
return value from the logging functions, no other changes are necessary.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display an error if the user set the backup option when using the
linear storage backend. Update the documentation about the rejection.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option to have the storage backend use fsync whenever state is
written to disk. Advertise this capability with
'tpmstate-dir-backend-opt-fsync' and adjust a test case.
Only support for the directory-backend is implemented.
Extend the swtpm man page with a description of this new option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for fsync on a file and directory when using the
directory-backend. Pass the user's choice for whether to call fsync and
pass the boolean into the storage backend. Only the directory-backend is
supporting this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
respbuffer_len is a pointer that may be NULL but will not be NULL when
respbuffer is not NULL. Nevertheless, also check it for NULL pointer before
accessing it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
libfuse2 contains unaddressed security issue. (libfuse/libfuse#15)
libfuse3 is preferred over libfuse2, while libfuse2 support is kept as
fallback.
- src/swtpm/cuse_tpm.c: fuse3 as default, add a macro `WITH_FUSE2` when fallback fuse library is linked against
- configure.ac: check fuse3, if not found, check fuse2, if still not found, fail out; show LIBFUSE_CFLAGS and LIBFUSE_LIBS in `./configure` output
Signed-off-by: Leo <i@hardrain980.com>
Return an error code if HASH_DATA received more bytes from the user than
what the user indicated in the length field that he wanted to send. This
avoids an integer underrun of the 'remain' variable in the loop that would
then cause the loop to wanting to receive around 4GB of data.
Also fix some indentation issues.
Use be32toh instead of (the equivalent) htobe32 when reading from the
packet.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If TPM2_CreatePrimary(RSA) fails with 0x2c4 error code, display an error
message hinting the user at using the 'default-v2' profile since most likely
the RSA key size is too large for the default or given profile.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the users specifies that a backup file is to be made and the permanent
state file is missing when the NVRAM is initialized (SWPTM_NVRAM_Init), but
the backup state file exists, then swtpm will permanently rename the backup
file to permanent state file and attempt to start with it. Otherwise, it
will try to start with the 'normal' permanent state file first and if this
fails, it will rename the backup file to the permanent state file and
attempt to start with it. If both cases fail, it will revert any renaming.
Only support for the directory-backend is implemented.
Extend the swtpm man page with a description of this behavior.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option to have the storage backend make a backup file of
the permanent state file. Advertise this capability with
'tpmstate-dir-backend-opt-backup' and adjust a test case.
Extend the documentation.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Query for tpmstate_get_make_backup() to decide whether to make a backup of
the permanent state file. If a backup is requested, then rename the current
state file in the directory backend to the backup file (suffix .bak).
Only the directory backend supports backing up of the permanent state file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for RSA-4096 kyes for EKs. This requires users to choose the
default-v2 profile because this is the only profile that currently enables
this type of a key.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove the unused fsync code from the directory backend since it could not
be used due to potential reason for TPM command timeouts.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Coverity complains that the assignment of connection_fd.fd = mlp->fd
leaks the value of connection_fd.fd. However, the logic is so that
this cannot happen because further down in the loop:
1) only when connection_fd.fd < 0, then pollfds[DATA_SERVER_FD] gets
a value
2) connection_fd.fd = accept() only happens if 1) happened
However, if mlp->flags & MAIN_LOOP_FLAG_USE_FD is != 0 then
connection_fd was assigned a value and 1) never happens.
=> Fix the Coverity complaint even though it is a false positive.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the custom profile's Algorithms when adjusting them for FIPS mode,
rather than the list of all implemented Algorithms. The list of implemented
Algorithms contains for example elliptic curve identifiers, such as
ecc-nist-p192, ecc-nist-p224, ecc-nist-p256, ecc-nist-p384, ecc-nist-p521,
ecc-bn-p256, ecc-bn-p638, that are not part of the custom profile but are
enabled with the ecc-min-size=192, ecc-nist, and ecc-bn shortcuts there.
Using the algorithms of the custom profile avoids confusion since otherwise
the additional ecc-nist-* and ecc-bn-* algorithm identifiers appear in the
modified custom profile even though the were not part of the original one.
Test:
swtpm_setup --tpm2 --tpmstate . --overwrite \
--profile-name custom --profile-remove-disabled fips-host
before:
...,ecc,ecc-min-size=224,ecc-nist,ecc-bn,ecc-nist-p224,ecc-nist-p256,
ecc-nist-p384,ecc-nist-p521,ecc-bn-p256,ecc-bn-p638,ecc-sm2-p256,...
now:
...,ecc,ecc-min-size=224,ecc-nist,ecc-bn,ecc-sm2-p256,...
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Ensure that no profile is passed to the TPM 2 when it is to be reconfigured
by:
- Showing an error if user tries to pass a profile when also --reconfigure
is passed
- Not taking the default profile from the swtpm_setup.conf configuration
file if the user did not pass a profile
Extend an existing test case with a default profile in its swtpm_setup.conf
so that the above 2nd item is tested.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When listing profiles, then the profiles in the distro directory did not
show up since the directory formed by 'DATAROOTDIR "swtpm/profiles"' was
missing a '/' at the end of DATAROOTDIR. Use DISTRO_PROFILES_DIR instead.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm fails with a NFS mount. `setsebool virt_use_nfs on` should fix it.
Resolves: https://issues.redhat.com/browse/RHEL-73809
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Fix the following build error due to missing include of config.h where
_FILE_OFFSET_BITS is defined and leads to different sizes of off_t depending
on whether it is defined and/or included:
tpmlib.h:76:7: error: type of 'tpmlib_handle_tcg_tpm2_cmd_header' does not match original declaration [-Werror=lto-type-mismatch]
76 | off_t tpmlib_handle_tcg_tpm2_cmd_header(const unsigned char *command,
| ^
tpmlib.c:576:7: note: return value type mismatch
576 | off_t tpmlib_handle_tcg_tpm2_cmd_header(const unsigned char *command,
| ^
tpmlib.c:576:7: note: 'tpmlib_handle_tcg_tpm2_cmd_header' was previously declared here
tpmlib.c:576:7: note: code may be misoptimized unless '-fno-strict-aliasing' is used
lto1: all warnings being treated as errors
lto-wrapper: fatal error: gcc returned 1 exit status
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2334600
Fixes: 599e2436d4 ("configure.ac: enable 64-bit file API on 32-bit systems")
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Improve the swtpm_setup --tpm option documentation that did not mention
that the socket option must be passed along when swtpm is being used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When building an rpm with swtpm.spec on Fedora 40 this type of errors
appear on variables that normally do not need to be initialized.
In file included from /usr/include/glib-2.0/glib.h:117,
from profile.c:14:
In function ‘g_autoptr_cleanup_generic_gfree’,
inlined from ‘profile_gather_local’ at profile.c:307:23,
inlined from ‘profile_printall’ at profile.c:366:10:
/usr/include/glib-2.0/glib/glib-autocleanups.h:32:3: error: ‘dir’ may be used uninitialized [-Werror=maybe-uninitialized]
32 | g_free (*pp);
| ^~~~~~~~~~~~
profile.c: In function ‘profile_printall’:
profile.c:307:23: note: ‘dir’ was declared here
307 | g_autofree gchar *dir;
| ^~~
Include string.h since in some older build environments strcmp and strlen
do not have prototypes otherwise.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Check for a null pointer from parsing the string value in
json_get_submap_value(). All callers assume that the returned value is
non-NULL and therefore ensure that there is always a valid string.
However, all callers also provide trusted input from TPMLIB_GetInfo that
should never cause a NULL pointer.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The profile '{"Name": null}' will not lead to a parser error but return
NULL for the 'Name'. Therefore, check for variable name being a NULL
pointer. Since the user may provide this type of profile this could have
lead to crashes when name was accessed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Move the error message about the failure to import a signing key into the
else branch where it should be (all other branches of the if-then-else
statement have a check already). Also mention the key's filename and hint
at possibly corrupted key.
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2325901
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Comment the flags used for creating the storage primary key.
Deprecate the --create-spk option since it may create an RSA-3072 key
and it creates a NIST P384 instead of NIST P256, both of which users may
not expect and know how to use.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Move the 'Tested: tdes' type of debugging output one more indentation
level up so that they can be filtered-out easier from control and data
channel communication.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
My local filesystem is btrfs with a long life. It's inodes ecxeed 32-bit
space and that causes test failures in `swtpm` on `i686-linux`
containers:
FAIL: test_parameters
FAIL: test_swtpm_setup_file_backend
FAIL: test_swtpm_setup_overwrite
FAIL: test_tpm2_swtpm_setup_create_cert
FAIL: test_tpm2_swtpm_setup_overwrite
FAIL: test_swtpm_setup_create_cert
FAIL: test_tpm2_parameters
The example test failure log looks this way:
FAIL: test_migration_key
========================
Need to be root to run test with CUSE interface.
Need to be root to run test with CUSE interface.
==== Starting swtpm with interfaces socket+socket ====
Test 1: Ok
==== Starting swtpm with interfaces socket+socket ====
Test 2: Ok
==== Starting swtpm with interfaces socket+socket ====
swtpm: Missing migration key to decrypt volatilestate
Test 3: Ok
==== Starting swtpm with interfaces socket+socket ====
Could not stat file '/build/tests/data/migkey1/volatilestate.bin': Value too large for defined data type
Error: Could not load encrypted volatile state into TPM.
FAIL test_migration_key (exit status: 1)
The `stat()` fails because inode value exceeds 32-bit value:
$ stat /build/tests/data/migkey1/volatilestate.bin
File: /build/tests/data/migkey1/volatilestate.bin
Size: 1290 Blocks: 8 IO Block: 4096 regular file
Device: 0,30 Inode: 9639547569 Links: 1
...
The change fixes all the test failures. To fix
`test_tpm2_swtpm_setup_create_cert` I also had to include `config.h`
into `swtpm_backend_dir.c` to get 64-bit file open there as well.
Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
