Commit Graph

976 Commits

Author SHA1 Message Date
Stefan Berger
ab267bfe4a swtpm: Only display profile capabilities when --tpm2 is given
Only display profile capabilities when --tpm2 is given since they are only
relevant when a TPM 2 is used.

Adjust test cases.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-23 19:44:57 -04:00
Stefan Berger
74a3d99b93 swtpm_setup: Give fields in tpm2_authblock better names
Give two of the (unused) fields in the tpm2_authblock better names and
since these two and the continueSession fields are always initialized with
'0', simplify the initializer macro to only take one argument.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-18 15:07:36 -04:00
Stefan Berger
1eb06b6f79 swtpm_setup: Always lock storage while creating initial state
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
38aa3d972c swtpm: Display tpmstate-opt-lock as a new capability
Display the new capability tpmstate-opt-lock, adjust test cases,
and document it in the swptm man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
1d17d09158 swtpm: Add support for lock option parameter to tpmstate option
To support storage backend locking on the file backend, add support for a
lock option parameter to the --tpmstate option. By default the value of
this option (if not given) has to be 'true' for the dir backend, since this
backend has always been locking, and 'false' on the file backend, since
this backend did not lock so far.

If the user chooses no storage backend locking then SWTPM_NVRAM_Unlock &
SWTPM_NVRAM_Lock_Storage do not call the backend for locking at all
anymore.

Document the new option parameter in the swtpm man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
aa483aeb6d swtpm: nvstore_linear: Add support for file-backend locking
Add support for locking the storage file using fcntl(fd, F_SETLK, ...).
Since fcntl needs a file descriptor of the actual storage file, call
SWTPM_NVRAM_LinearFile_DoOpenURI() to open the file in case it has not
been opened, yet. In case of error close the file again but be careful
about the fact that it may not have been mmap'ed, yet.

Since now all backends have .lock and .unlock nvram_backend_ops, they can
be called without checking for a NULL pointer.

Extend an existing test case with a file-backend storage lock test.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
4be72bc65a swtpm: Remove broken logic to check for neither dir nor file backend
Remove the broken logic to check for neither dir:// nor file:// backend.
If an unknown backend type is used, then it will be detected later on
and an error message will be printed out. Even though the logic was
broken it didn't seem to cause failures.

Also have tpmstate_set_mode return void since it cannot fail.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
eb5875793e swtpm: nvstore_linear: Add comment to SWTPM_NVSTORE_LINEAR_MAX_STATES
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
fc57f557d8 swtpm: nvstore_linear_file: Initialize file descriptor to -1
Since 0 is a valid file descriptor and checks for valid file descriptors
is typically '>= 0', initialize the file descriptor to -1 to indicate
that it is unused.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
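The two commits above (fcntl-based locking of the linear file backend, and initializing the descriptor to -1 so that "fd >= 0" is the validity test) are illustrated by the following example. It is added here and is not swtpm's code: the struct, the function names and the temporary file path are constructed for the demonstration. It opens the state file lazily, takes a non-blocking exclusive lock with fcntl(fd, F_SETLK, ...), closes the file again if locking fails, and then forks a child to show that a second process is refused the lock.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical file-backed state store, not swtpm's struct. fd starts at -1
 * because 0 is a valid descriptor, so "fd >= 0" is the only safe validity test. */
struct state_file {
    int fd;
};

static void state_file_init(struct state_file *sf)
{
    sf->fd = -1;
}

/* Open lazily: a no-op if the descriptor is already valid. */
static int state_file_open(struct state_file *sf, const char *path)
{
    if (sf->fd >= 0)
        return 0;
    sf->fd = open(path, O_RDWR | O_CREAT, 0600);
    return sf->fd >= 0 ? 0 : -1;
}

/* Safe to call whether or not the file was ever opened; closing the
 * descriptor also drops any fcntl lock this process holds on it. */
static void state_file_close(struct state_file *sf)
{
    if (sf->fd >= 0) {
        close(sf->fd);
        sf->fd = -1;
    }
}

/* Exclusive, non-blocking advisory lock on the whole file. Returns 0 on
 * success, -1 with errno set on failure; on failure the file is closed again. */
static int state_file_lock(struct state_file *sf, const char *path)
{
    struct flock fl;

    if (state_file_open(sf, path) < 0)
        return -1;
    memset(&fl, 0, sizeof(fl));
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;                       /* 0 = lock through end of file */
    if (fcntl(sf->fd, F_SETLK, &fl) < 0) {
        int saved = errno;
        state_file_close(sf);
        errno = saved;
        return -1;
    }
    return 0;
}

/* Lock the file here, then fork a child that tries the same. fcntl locks
 * are owned per process, so the child must be refused with EAGAIN/EACCES.
 * Returns 1 if the child was refused, 0 if it got the lock, -1 on error. */
int demo_lock_conflict(const char *path)
{
    struct state_file parent;
    pid_t pid;
    int status = -1;

    state_file_init(&parent);
    if (state_file_lock(&parent, path) < 0)
        return -1;
    pid = fork();
    if (pid == 0) {
        struct state_file child;
        int rc;

        state_file_init(&child);
        rc = state_file_lock(&child, path);
        _exit((rc < 0 && (errno == EAGAIN || errno == EACCES)) ? 1 : 0);
    }
    if (pid > 0)
        waitpid(pid, &status, 0);
    state_file_close(&parent);          /* releases the lock */
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Runs the demo on a temporary file constructed here; returns its result. */
int demo_lock_conflict_tmp(void)
{
    char path[] = "/tmp/state-lock-demo-XXXXXX";
    int tfd = mkstemp(path), result;

    if (tfd < 0)
        return -1;
    close(tfd);
    result = demo_lock_conflict(path);
    unlink(path);
    return result;
}
```

The lock is advisory: it only protects against a second swtpm-like process that also asks for it, which is exactly the case the commits address (two instances pointed at the same state file). Note that fcntl locks are released when any descriptor to the file is closed in the owning process, which is why the error path closes the file only after locking has already failed.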
Stefan Berger
8ba4ec3c43 swtpm: Refactor parts into SWTPM_NVRAM_LinearFile_DoOpenURI
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
86e8f8b861 swtpm_setup: Rename parameter from optarg to opt_arg (OS X,Wshadow)
Rename the optarg parameter to opt_arg since the compiler on OS X
gives a -Wshadow warning.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-13 19:46:15 -04:00
Stefan Berger
47f37b0551 swtpm_ioctl: Rename parameter from optarg to opt_arg (OS X,Wshadow)
Rename the optarg parameter to opt_arg since the compiler on OS X
gives a -Wshadow warning.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-13 19:46:15 -04:00
Stefan Berger
799290d229 swtpm_bios: Rename parameter from optarg to opt_arg (OS X,Wshadow)
Rename the optarg parameter to opt_arg since the compiler on OS X
gives a -Wshadow warning.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-13 19:46:15 -04:00
Stefan Berger
489483f100 swtpm: Fix typo in header guard #define
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-13 19:46:15 -04:00
Stefan Berger
06168658cb Revert "swtpm: Print message in case error response is too long"
This reverts commit 8d4b247e3d since
CMD_GET_STATEBLOB can have more than 4 bytes in response when an
error happened (long-standing protocol error).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-12 13:19:05 -04:00
Stefan Berger
8d4b247e3d swtpm: Print message in case error response is too long
All error messages must only be 4 bytes long. Print an error message if
this is not the case.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-11 17:34:36 -04:00
Stefan Berger
3a0ff17329 swtpm_ioctl: Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-11 17:34:36 -04:00
Stefan Berger
47c96a0c64 swtpm: Use ptm_cap_n to build PTM_GET_CAPABILITY response
Use the new ptm_caps_n to create the response for PTM_GET_CAPABILITY in the
socket and chardev implementations. Due to how the result was created
before, the tpm_result part of the response will always have to be
TPM_SUCCESS, since it was always 0 before.

Leave the CUSE implementation untouched since there the result was returned
in native endianness resulting in the first 4 bytes carrying the capability
flags.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-11 17:34:36 -04:00
Stefan Berger
f29b870b5a cuse: Move display of help screen into function
Move the display of the help screen into its own function to be able
to use fprintf with the help screen as format string to avoid static
analyzer warnings.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-08 12:11:37 -04:00
Stefan Berger
3f551e1dc1 swtpm: Implement --print-info to run TPMLIB_GetInfo with flags
Implement --print-info that takes a number as argument and uses this number
as flags to call TPMLIB_GetInfo with. Display the JSON string and exit.

Extend the man page and update other parts where swtpm_ioctl is not necessary
anymore to use.

Extend a test case to also check that swtpm now returns the same result as
swtpm_ioctl does.

Append cmdarg-print-info to printed out capabilities. Adjust test cases.
(Expect 'profiles' to always be part of capabilities JSON.)

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-07 11:09:04 -04:00
Stefan Berger
c6db0e3185 swtpm: Support 'remove-disabled' for 'custom:'-prefixed profile names
Extend the support for 'remove-disabled' option parameter of the --profile
option to also work for profiles whose name starts with 'custom:'.

Modify an existing test case to use custom:test as profile name with this
option.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 18:20:18 -04:00
Stefan Berger
34e5103045 swtpm_setup: Implement --print-profiles to display all profiles
Implement support for the --print-profiles option to search the local
and distro profiles directories for profiles (files with .json extension)
and then get the built-in ones from swtpm. Print them all to stdout.

Extend a test case and add description to the man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 09:35:17 -04:00
Stefan Berger
3d7b2445c3 swtpm_setup: Add profile entries to swtpm_setup.conf written by swtpm_setup
Have swtpm_setup --create-config-files write profile entries into
swtpm_setup.conf.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 09:35:17 -04:00
Stefan Berger
5486f0437f swtpm_setup: Add support for --profile-name option
Add support for --profile-name option that searches for a profile in a
configurable local directory or a distro directory
(typically /usr/share/swtpm/profiles).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 09:35:17 -04:00
Stefan Berger
7198e0d716 swtpm_setup: Accept profiles with name starting with 'custom:'
Accept profiles that start their name with 'custom:' and do not exceed
32 characters. The content of these profiles will be derived from the
built-in 'custom' profile unless Algorithms, Commands, or Attributes
are provided on the command line.

Adjust a test case to test with profile name starting with 'custom:'.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-01 19:12:05 -04:00
Stefan Berger
82fb09c6a2 selinux: Change write to append for appending to log
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-01 09:57:34 -04:00
Stefan Berger
2d4a4c57cc selinux: Add rule for logging to svirt_image_t labeled files from swtpm_t
I was able to recreate the issue on one of my machines where swtpm_t
was trying to append to the log labeled with svirt_image_t. On another
machine this combination of labels does not seem to cause a problem.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2306817
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-30 21:32:22 -04:00
Stefan Berger
aa78a302ec swtpm: Display stderr in case swtpm --print-capabilities failed
When swtpm --print-capabilities for example fails to be able to access
the log file that swtpm_setup logs into, then it may fail to run. In
this case log the stderr output of swtpm.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-30 17:01:04 -04:00
Stefan Berger
2e2124928f swtpm_setup: Return error if reading of config file failed
Return an error if the reading of the config file failed so that
config_file_lines can never be NULL. Remove all checks for
config_file_lines == NULL.

It's very unlikely reading of the config file failed since there's a file
access check right before it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-27 15:12:58 -04:00
Stefan Berger
2e42685e6d swtpm_setup: Move checking access to and reading of config file into function
Move the checking of access to and reading of the configuration file into
its own function.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-27 15:12:58 -04:00
Stefan Berger
3a1be75d04 swtpm_setup: Fix counting of profile related options
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-24 16:58:06 -04:00
Stefan Berger
e91b27911f swtpm: Initialize empty array
Initialize the empty array authpolicy[0] to quiet a static analyzer.
This array only serves the purpose of providing a non-NULL pointer
when passed to memconcat.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-24 13:22:56 -04:00
Stefan Berger
c0589349c0 swtpm: Return TPM_FAIL from invalid header version case
Return TPM_FAIL in case of an invalid header version number to avoid a
potential segmentation fault when accessing an unavailable buffer due to
the header parser not returning an error code.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-24 13:22:56 -04:00
Stefan Berger
8ea14c6ea5 swtpm: Check gerror before calling g_error_free
To avoid glib warning messages check the gerror before calling
g_error_free with it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-24 13:22:56 -04:00
Stefan Berger
82e3f38a82 swtpm_setup: Support default profile from file in swtpm_setup.conf
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 13:37:15 -04:00
Stefan Berger
72f2022827 swtpm_setup: Support --profile-file-fd to read profile from file descriptor
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 13:37:15 -04:00
Stefan Berger
d5bfdafdc4 swtpm_setup: Support --profile-file <file> to read profile from file
Enable reading a profile from a file. Pass it as open file descriptor to
swtpm.

Adjust one test case to read a profile from a file.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 13:37:15 -04:00
Stefan Berger
d488dbe7fd swtpm: Support --profile fd=<fd> to read profile from file descriptor
Enable reading a profile from a given file descriptor.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 13:37:15 -04:00
Stefan Berger
3171cbae02 swtpm: Support --profile file=<filename> to read profile from file
Enable reading a profile from a file.

If setting a profile fails, display the profile in the error message.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 13:37:15 -04:00
Stefan Berger
9ef3db088a swtpm: Return error if json_parser_get_root returns NULL
An empty input string will for example cause json_parser_get_root to return
NULL. Return early in this case to avoid glib error messages.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 13:37:15 -04:00
Stefan Berger
12f7f004e7 swtpm: check for len > 0 before calling strncmp
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 13:37:15 -04:00
Stefan Berger
3d0fb38187 swtpm: Convert json_get_submap to use g_autoptr on variables
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 13:37:15 -04:00
Stefan Berger
748e6c0f66 swtpm: Initialize seccomp_action with default value
Initialize seccomp_action with a default value that it will also
get assigned when handle_seccomp_options is called. This is done
to silence a static analyzer even though it's not necessary.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 09:20:08 -04:00
Stefan Berger
65c7c72959 swtpm: Implement concat_varrays and fix casts in concat_array calls
Implement concat_varrays that takes gchar ** as input and returns gchar **.
The concat_arrays has the identical implementation but takes const gchar **
as parameters and returns const gchar **. Use concat_arrays from
concat_varrays. Adjust all callers to cast arrays with constant strings to
const gchar *[] when calling concat_arrays. Modify some callers to call
concat_varrays now.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 09:20:08 -04:00
Stefan Berger
dba5fa616e utils: Implement wrappers for g_spawn_sync and g_spawn_async
Implement wrappers for g_spawn_sync and g_spawn_async that take argv
and envp arguments as 'const gchar **' since they will be called like
this from swtpm_localca and swtpm_setup. Internally glib also uses the
parameters like this when calling fork_exec() for example.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 09:20:08 -04:00
Stefan Berger
402c31df25 swtpm_setup: Initialize key_description with a default string
Initialize key_description with a default string rather than using it
possibly uninitialized. In practice it would never be used uninitialized
since if a platform certificate is to be created, then the ek certificate
would have also been created and therefore swtpm2->ops->create_ek()
would have been called and set key_description.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
bdb8327bab swtpm_bios: Use const char * where a constant string is assigned later
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
871fb98167 swtpm_bios: Prefix all global variables with g_
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
40eb964a81 swtpm_cert: Add void to functions without parameters
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
6748e30f30 swtpm: cuse: Rename global msg to g_msg to avoid shadowing in places
Avoid shadowing global msg through local variables with the same name
by renaming the global msg to g_msg.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
60ca849a57 swtpm: cuse: Remove unused passwd variable
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
245e3d79a3 swtpm: cuse: Add SWTPM_ATTR_UNUSED to an unused variable
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
d8b2ab4758 swtpm: Use variable for malloc rather than size of struct
Avoid this type of complaint from static analyzer:

src/swtpm/tpmlib.c:392:37: note: Result of 'malloc' is converted to a
   pointer of type 'unsigned char', which is incompatible with sizeof
   operand type 'struct tpm_resp_header'

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
9ae02d555f swtpm: Cast parameter to OSSL_PARAM_construct_utf8_string
OSSL_PARAM_construct_utf8_string takes a char * as parameter.
The OpenSSL code base casts constant strings to char *, so we can do this
also.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
d6c9ebbcbd swtpm: Prefix global variables with g_
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
45063edb9f swtpm: Make tpm_running a parameter to mainLoop
Remove tpm_running as a global variable to make it a parameter to
mainLoop.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
de5a99f9bb swtpm: Convert char * initialized with constant strings to const char *
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
f28d2ec722 swtpm: Cast to char * to avoid arithmetic on void *
To avoid arithmetic on void * cast the variable to char *.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
0056d9b5ee swtpm: Change order of parameters to calloc
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
1416fbf4dc swtpm: Make variable a const char * that is assigned a constant string
serverdata will be assigned a const char * later on, therefore make it a
const char *. This can then also be passed into options_parse.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
91178e92aa swtpm: Convert options_parse function to take const char *
Some functions pass a const char * into the options parse function.
Therefore, convert it to accept a const char * now.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-22 16:03:36 -04:00
Stefan Berger
e63fb9acf1 swtpm_setup: Always log the active profile
Extend the list of SWTPM_INFO flags with recently added flags for
TPMLIB_GetInfo. Use the CMD_GET_INFO control channel command to get
the currently active profile for a TPM 2 from swtpm and display it in
the log unless it is reconfigured.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-20 10:18:21 -04:00
Stefan Berger
9edfc18b3e swtpm: Have tpmlib_maybe_configure_openssl return -1 on error
The single caller does not need to be adjusted.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-19 20:59:56 -04:00
Stefan Berger
8f7a57561f swtpm: Have json_get_submap_value return -1 on error
None of its callers need to be adjusted.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-19 20:59:56 -04:00
Stefan Berger
2ede504c75 swtpm: Have get_profiles return -1 on error
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-19 20:59:56 -04:00
Stefan Berger
12b0b4013a swtpm: Have json_get/set_map_key_value return negative error codes
Adjust all callers.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-19 20:59:56 -04:00
Stefan Berger
cbaab161d3 swtpm: Ignore remove-disabled parameter on non-'custom' profile
Ignore the remove-disabled parameter on non-'custom' profile identified
by return value '1'. Switch to negative return values in the called function.

Extend a test case to ensure that the --profile-remove-disabled option
on swtpm_setup, which is passed through to swtpm, has no effect on 'null'
and 'default-v1' profiles.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-19 20:59:56 -04:00
Stefan Berger
bd91c7628d swtpm: Fix a typo in a return code
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-19 20:59:56 -04:00
Stefan Berger
6b1112aef2 swtpm: Check for good entropy source in chroot environment
Very old OpenSSL versions (e.g., 1.1.0i) are using /dev/urandom to get
entropy while newer ones are using the getrandom syscall that does not
need the device file. In some environments access to the created
/dev/urandom device file may not work (EACCES; chroot test case) and
then OpenSSL will start failing operations that depend on good entropy.
Therefore, check the status of the random number generator after chroot.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-19 16:54:28 -04:00
Stefan Berger
017f99cedd swtpm: Implement a check for HMAC+sha1 for testing future restrictions
HMAC+sha1 may be restricted next, so test for it but do not support
forced removal of support for it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-17 11:44:27 -04:00
Stefan Berger
1d2fd75bfd swtpm_setup: Implement --profile-remove-fips-disabled option
Implement the --profile-remove-fips-disabled option that is used to tell
swtpm to remove algorithms that are disabled by FIPS mode on the host.
Internally, this option passes the remove-fips-disabled option parameter
with the --profile option to swtpm.

Add a test case passing this option and check that the resulting profiles
have key sizes adjusted and relevant attributes set.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-16 13:20:46 -04:00
Stefan Berger
c3de83e7fe swtpm: Implement function to check whether a crypto algorithm is disabled
Implement a function that checks whether a crypto algorithm identified by
TPM algorithm identifiers is disabled.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-16 13:20:46 -04:00
Stefan Berger
8e497a6a60 swtpm: Implement functions to get and set key values in a JSON map
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-16 13:20:46 -04:00
Stefan Berger
be1f9cd75c swtpm: Implement strv_remove, strv_dedup, and strv_extend
strv_remove: Remove matches from a 2nd array in a 1st array
strv_dedup:  Remove duplicates in an array
strv_extend: Append elements of a 2nd array to a 1st array

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-16 13:20:46 -04:00
Stefan Berger
db6f67b25b swtpm: Prefix public function from check_algos with 'check_'
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-16 13:20:46 -04:00
Stefan Berger
a946f381f9 swtpm: Convert check_rsaes to check_rsa_encryption
Convert check_rsaes to check_rsa_encryption that can also be used for
testing of unpadded RSA encryption.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-16 13:20:46 -04:00
Stefan Berger
da9e7636b7 swtpm: Use the padding parameter passed to swtpm_rsa_sign
Do not ignore the padding parameter passed to swtpm_rsasign but use
it as parameter to the OpenSSL function.

Change "rsapss" to "rsassa" in one case where it was wrong.

Also rename swtpm_rsasign to swtpm_rsa_sign.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-16 13:20:46 -04:00
Stefan Berger
46c95ff849 swtpm: Add SWTPM_ATTR_UNUSED to unused function parameters
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-13 16:02:58 -04:00
Stefan Berger
a0e9d4b3fe swtpm: Print cmdarg-print-profiles as part of capabilities
Commit 96fe5afa forgot to add cmdarg-print-profiles to the list of
capabilities. Also fix typo in the man page and sort shown output
to match application output.

Fixes: 96fe5afa ("swtpm: Add support for --print-profiles option")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-10 08:01:41 -04:00
Stefan Berger
d496df181a swtpm: Check whether SHA1 signature support is disabled in profile
To avoid setting the environment variable OPENSSL_ENABLE_SHA1_SIGNATURES
check whether SHA1 signature support is disabled in the TPM 2 profile.
It is disabled if either 'fips-host' or the pair 'no-sha1-signing' and
'no-sha1-verification' are found among the enabled attributes.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-03 14:34:00 -04:00
Stefan Berger
0ddc7ed254 swtpm: Use TPMLIB_WasManufactured to check whether profile was applied
Use TPMLIB_WasManufactured to check whether a profile was applied since a
new instance was created. If a profile was given and no new TPM 2 instance
was created then display an error message and exit with an error code.
This avoids silently ignoring a provided profile that was not applied
since the TPM 2 instance already existed.

Make sure that a profile is only applied once by swtpm by clearing the
json_profile once TPMLIB_MainInit succeeded.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-08-30 17:29:03 -04:00
Stefan Berger
863476868e swtpm: Display error messages if g_setenv fails
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-08-21 10:44:27 -04:00
Stefan Berger
8d31d88c69 swtpm: Determine whether OpenSSL needs to be configured (FIPs, SHA1 signature)
Get the list of enabled 'RuntimeAlgorithms' from libtpms and determine
whether any of these enabled algorithms is disabled in OpenSSL due to FIPS
mode. If FIPS mode on the host is enabled then disable FIPS mode in
OpenSSL so that the TPM 2 can function properly.

The following algorithms are disabled when OpenSSL is in FIPS mode:
- camellia
- rsaes
- tdes
- ECC keys <224 bits
- RSA keys <2048 bits

Per openssl-ciphers man page it should be possible to disable the following
algorithms used by cipher-suites:

- AES128, AES256, AES
- CAMELLIA128, CAMELLIA256, CAMELLIA
- 3DES
- SHA1, SHA, SHA256, SHA384
- CBC

Note: It's not clear at what API level these are disabled. I have not been able
to use !SHA256 to disable SHA256.

Also test whether signatures with SHA1 are working and enable them by setting
OPENSSL_ENABLE_SHA1_SIGNATURES=1.

The following output is expected for RHEL 9.x and CentOS 9 but does not
appear on Fedora 40 since there sha1 signatures are not (yet) disabled.

> swtpm socket \
    --tpmstate dir=/tmp/myvtpm \
    --ctrl type=tcp,port=2322 \
    --server type=tcp,port=2321,disconnect \
    --flags not-need-init,startup-clear \
    --log level=0 \
    --tpm2 \
    --profile name=null
Warning: Profile-enabled algorithms contain disabled 'RSA-1024-sign(SHA1, pkcs1-pss)'
Warning: Setting OPENSSL_ENABLE_SHA1_SIGNATURES=1

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-08-20 20:53:53 -04:00
Stefan Berger
6a01a97e1d swtpm: Check whether bufferSize parameter is too small (Coverity)
Check whether the bufferSize parameter is too small and an underflow of the
expression bufferSize - offset could theoretically occur. However, in
practice this will never happen since the caller will always provide a
bufferSize of around 4kb.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-23 09:19:52 -04:00
Stefan Berger
88a89f4970 swtpm: Join parameters for string formatting
Since 'comma1' will always be true combine it with cmdarg_profile into one
string formatting parameter following the same formatting as further above.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-23 09:19:52 -04:00
Stefan Berger
415700e8f7 swtpm: Check for error code returned by sysconf call
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-23 09:19:52 -04:00
Stefan Berger
25eb5f75ea swtpm_setup: Read default profile from swtpm_setup.conf
If the user did not provide the profile on the command line read the
default profile from the swtpm_setup.conf configuration file.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00
Stefan Berger
96fe5afac7 swtpm: Add support for --print-profiles option
Add support for --print-profiles option to print all profiles supported
by libtpms.

Usage:

  swtpm socket --tpm2 --print-profiles | jq

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00
Stefan Berger
8bfa8399b3 swtpm_setup: Print profile names as part of capabilities JSON
Print a list of names of profiles implemented by libtpms as part of the
capabilities JSON. The profiles map will only be visible if libtpms v0.10
with the TPMLIB_SetProfile() API is used.

swtpm_setup --print-capabilities --tpm2 | jq
{
  "type": "swtpm_setup",
  "features": [
    [...]
  ],
  "profiles": [
    "default-v1",
    "null",
    "custom"
  ],
  "version": "0.10.0"
}

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00
Stefan Berger
df11aeb6b9 swtpm_setup: Add support for --profile parameter
Add support for the --profile parameter that allows a user to select
a profile for the TPM 2 instance. The profile parameter must be a
string-formatted JSON map describing the profile to use.

Resolves: https://github.com/stefanberger/libtpms/issues/284
Resolves: https://github.com/stefanberger/swtpm/issues/710
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00
Stefan Berger
3a49ce1302 swtpm: Print profile names as part of capabilities JSON
Print a list of names of profiles implemented by libtpms as part of the
capabilities JSON. The profiles map will only be visible if libtpms v0.10
with the TPMLIB_SetProfile() API is used.

swtpm socket --print-capabilities --tpm2 | jq
{
  "type": "swtpm",
  "features": [
    [...]
  ],
  "profiles": {
    "names": [
      "default-v1",
      "null",
      "custom"
    ],
    ...
  },
  "version": "0.10.0"
}

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00
Stefan Berger
fb9ef19ac8 swtpm: Display new capability to allow setting a profile
Display the new capability verb 'cmdarg-profile' indicating that the
--profile option with the name= and profile= parameters is supported.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00
Stefan Berger
0184b9113d swtpm: Add support for --profile option to set a profile on TPM 2
Add support for the --profile option for a TPM 2. The 'name=' parameter
allows a user to select a specific profile available in libtpms. The
'profile=' parameter allows a user to pass a JSON profile that must
contain a name field with a profile known to libtpms. It may contain
an algorithm field that has a comma-separated list of verbs with the
names of algorithms that the TPM 2 is supposed to provide.

The --profile option only has an effect the first time a TPM 2 is started
since afterwards whenever the state of the TPM 2 is read, the profile
found in the state is being used.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00
Stefan Berger
02ca22e7f6 swtpm: Support parsing of JSON maps as option values
Allow passing a JSON map as part of an option value in the format of
--foo name={...},... Prior to this patch this would not have worked since
the option values were broken apart around commas, which a map may also
contain. Now, if a '{' is following the '=', the value is attempted to be
parsed as a JSON map and the end of the map is searched considering
possibly embedded maps.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00
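The option-parsing change described in the commit above (a value that begins with '{' after the '=' is treated as a whole JSON map, including any commas and nested maps it contains) can be implemented as below. This is an added example, not swtpm's options parser: the struct, function names, size limits and the sample option strings are constructed for the demonstration. Braces inside quoted JSON strings are skipped so a literal "}" in a string value cannot end the map early.

```c
#include <stddef.h>
#include <string.h>

#define MAX_OPTS  8
#define KEY_MAX   32
#define VALUE_MAX 256

/* Hypothetical key/value pair; not swtpm's option parser types. */
struct opt_kv {
    char key[KEY_MAX];
    char value[VALUE_MAX];
};

/* s points at '{'. Return a pointer just past the matching '}', skipping
 * nested maps and ignoring braces inside quoted strings; NULL if unbalanced. */
static const char *skip_json_map(const char *s)
{
    int depth = 0, in_str = 0;

    for (; *s != '\0'; s++) {
        if (in_str) {
            if (*s == '\\' && s[1] != '\0')
                s++;                    /* skip the escaped character */
            else if (*s == '"')
                in_str = 0;
        } else if (*s == '"') {
            in_str = 1;
        } else if (*s == '{') {
            depth++;
        } else if (*s == '}' && --depth == 0) {
            return s + 1;
        }
    }
    return NULL;
}

/* Split "k1=v1,k2={...},k3=v3" into pairs. A value starting with '{' is
 * taken as one JSON map even though it contains commas. Returns the number
 * of pairs, or -1 on malformed input or overflow of the fixed buffers. */
int parse_options(const char *str, struct opt_kv *opts, int max)
{
    const char *p = str;
    int n = 0;

    while (*p != '\0') {
        const char *eq = strchr(p, '=');
        const char *vstart, *vend;
        size_t klen, vlen;

        if (eq == NULL || n >= max)
            return -1;
        klen = (size_t)(eq - p);
        if (klen == 0 || klen >= KEY_MAX || memchr(p, ',', klen) != NULL)
            return -1;                  /* empty key or key spans a comma */
        memcpy(opts[n].key, p, klen);
        opts[n].key[klen] = '\0';

        vstart = eq + 1;
        if (*vstart == '{') {
            vend = skip_json_map(vstart);
            if (vend == NULL || (*vend != '\0' && *vend != ','))
                return -1;              /* unbalanced map or junk after it */
        } else {
            vend = strchr(vstart, ',');
            if (vend == NULL)
                vend = vstart + strlen(vstart);
        }
        vlen = (size_t)(vend - vstart);
        if (vlen >= VALUE_MAX)
            return -1;
        memcpy(opts[n].value, vstart, vlen);
        opts[n].value[vlen] = '\0';
        n++;
        p = (*vend == ',') ? vend + 1 : vend;
    }
    return n;
}

/* Convenience wrappers over a static table so results can be checked by key. */
static struct opt_kv g_opts[MAX_OPTS];

int demo_option_count(const char *str)
{
    return parse_options(str, g_opts, MAX_OPTS);
}

const char *demo_option_value(const char *str, const char *key)
{
    int n = parse_options(str, g_opts, MAX_OPTS), i;

    for (i = 0; i < n; i++)
        if (strcmp(g_opts[i].key, key) == 0)
            return g_opts[i].value;
    return NULL;
}
```

Rejecting an unbalanced map rather than taking the rest of the string as the value matters for a privileged daemon: a truncated or malformed profile should fail loudly at option parsing time instead of being handed to the JSON parser as something else.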
Stefan Berger
cc9ee0fbc6 swtpm_setup: Get default rsa keysize from swtpm_setup.conf if not given
If the user did not provide the RSA keysize to use try to read it from
swtpm_setup.conf and if nothing is found there fall back to using the
internal default RSA keysize (2048).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-17 18:34:25 -04:00
Stefan Berger
5dfc42c622 swtpm_setup: Factor-out read_file_lines from get_default_pcr_banks
Factor-out read_file_lines from get_default_pcr_banks and pass the array
of lines from the config file into get_default_pcr_banks now. Now other
functions will also be able to access the lines from the config file
without having to re-read the config file.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-17 18:34:25 -04:00
Marc-André Lureau
aa5c7191ac selinux: add missing rules for libvirt system
Reported & tested:
https://issues.redhat.com/browse/RHEL-47273

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2024-07-15 09:47:38 -04:00
Stefan Berger
303d9cfdb5 swtpm: Use umask() to create/truncate state file rather than fchmod()
Since swtpm does not use concurrency while writing state files, set
the process umask to 0 when the state file is created or truncated for
writing and the user requested specific mode bits. This avoids an
additional syscall in the possibly timing critical path when processing
a TPM command and having to write the state.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-13 13:53:36 -04:00
Stefan Berger
c2e524dbc7 swtpm: Use fchmod to set mode bits provided by user
The mode bits that the user provided were only applied with open() and were
subject to masking with the value of current umask. When umask was set to
0027 the test case test_commandline was failing because the mode bits on
the created TPM state file were not the expected ones (masked by umask).
Therefore, set the mode bits using fchmod if the user provided them,
otherwise do not set them. This way the mode bits will be set to the values
the user requested.

Currently the directory storage backend was setting the mode bits to the
default value (0640) *after* opening the TPM state file. Now, if the user
did not provide any mode bits then the mode bits will be set so that the
file can be written to as owner. This ensures that at least mode bits 0600
are set by default. However, if the user provided mode bit flags then these
will be used without modification.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-12 14:23:54 -04:00
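The two commits above move from open()-only mode bits (masked by the process umask) to fchmod(), and then to a temporary umask(0) around open() to save a syscall on the state-writing path. The example below, added here and not swtpm's code (the enum, function names and temporary directory are constructed for the demonstration), creates a file under umask 0027 while requesting 0660 with each of the three strategies and reports the permission bits the file actually received.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Three ways to create a state file with requested mode bits (illustrative;
 * the names are not swtpm's). */
enum create_strategy {
    OPEN_ONLY,              /* open(..., mode): bits get masked by umask */
    OPEN_THEN_FCHMOD,       /* open() then fchmod(): exact bits, one extra syscall */
    UMASK_ZERO_THEN_OPEN    /* umask(0) around open(): exact bits, no extra syscall */
};

/* Create or truncate path for writing with the requested mode bits.
 * Returns the open descriptor, or -1 on error. The umask variant is only
 * safe when no other thread creates files concurrently: umask is process-wide. */
int create_state_file(const char *path, mode_t mode, enum create_strategy s)
{
    int flags = O_RDWR | O_CREAT | O_TRUNC;
    mode_t old;
    int fd;

    switch (s) {
    case OPEN_ONLY:
        return open(path, flags, mode);
    case OPEN_THEN_FCHMOD:
        fd = open(path, flags, mode);
        if (fd >= 0 && fchmod(fd, mode) < 0) {
            close(fd);
            return -1;
        }
        return fd;
    case UMASK_ZERO_THEN_OPEN:
        old = umask(0);
        fd = open(path, flags, mode);
        umask(old);                     /* restore before anything else runs */
        return fd;
    }
    return -1;
}

/* Run one strategy under umask 0027 requesting 0660 on a file in a fresh
 * temporary directory (constructed here). Returns the permission bits the
 * file ended up with, or -1 on error. */
int demo_mode_bits(enum create_strategy s)
{
    char dir[] = "/tmp/state-mode-demo-XXXXXX";
    char path[64];
    struct stat st;
    mode_t saved;
    int fd, rc = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/state", dir);

    saved = umask(0027);
    fd = create_state_file(path, 0660, s);
    umask(saved);

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            rc = (int)(st.st_mode & 07777);
        close(fd);
    }
    unlink(path);
    rmdir(dir);
    return rc;
}
```

Under umask 0027 the open()-only variant yields 0640, the other two yield the requested 0660. One caveat worth remembering for both exact-bit variants: the mode argument of open() is applied only when the file is created, so truncating an existing state file leaves its old bits in place unless fchmod() is called as well.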
Stefan Berger
85a3a14a41 swtpm: Replace mkstemp with g_mkstemp_full (Coverity)
Replace mkstemp with g_mkstemp_full and pass parameters that lead to
the same mode bits and file opening flags as mkstemp had. This addresses
a Coverity complaint regarding missing application of umask before
mkstemp.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-11 12:02:28 -04:00