Remove the unused fsync code from the directory backend since it could not
be used, being a potential reason for TPM command timeouts.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
GitHub Actions no longer runs ubuntu-20.04 due to EOL. Update the
20.04 entries to use 24.04.
cpp-coveralls needs an older version of python3 due to pkgutil.ImpImporter
having disappeared in more recent python versions. Therefore, leave
test-coveralls at 22.04.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reverse the order of uninstallation of the 'swtpm' and 'swtpm_svirt'
selinux modules. The current order fails because the 'swtpm_svirt' module
has a dependency on the 'swtpm' module. This results in the 'swtpm'
module not being cleaned up during %postun:
$ semodule -l | grep swtpm
swtpm
swtpm_svirt
$ semodule -n -X 200 -s targeted -r swtpm
libsemanage.semanage_direct_remove_key: Removing last swtpm module (no other swtpm module exists at another priority).
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/swtpm_svirt/cil:4
/sbin/semodule: Failed!
$ sudo semodule -n -X 200 -s targeted -r swtpm_svirt
libsemanage.semanage_direct_remove_key: Removing last swtpm_svirt module (no other swtpm_svirt module exists at another priority).
$ semodule -l | grep swtpm
swtpm
Signed-off-by: Ajeeth Adithya <ajeeth.adithya@nutanix.com>
Add the %selinux_relabel_pre macro in the %pre section to back up the
current file contexts lists. This is required since %selinux_relabel_post
macro in the %posttrans section uses the backup to revert to the original contexts.
Signed-off-by: Ajeeth Adithya <ajeeth.adithya@nutanix.com>
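The two commits above describe the scriptlet ordering of the package's SELinux handling. The spec fragment below is an added illustration, not a copy of swtpm's own swtpm.spec; the policy type and the module file paths are assumptions.

```spec
# Assumed policy type and module locations; the real swtpm.spec may differ.
%global selinuxtype targeted

%pre
# Back up the current file contexts so that %selinux_relabel_post
# in %posttrans can compare against them.
%selinux_relabel_pre -s %{selinuxtype}

%post
# Install the base module first: swtpm_svirt depends on swtpm.
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/swtpm.pp.bz2
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/swtpm_svirt.pp.bz2

%postun
# Only on full removal ($1 == 0), not on upgrade. Remove the dependent
# module first; removing swtpm while swtpm_svirt is still loaded fails
# with "Failed to resolve typeattributeset statement" and leaves swtpm behind.
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} swtpm_svirt
    %selinux_modules_uninstall -s %{selinuxtype} swtpm
fi

%posttrans
# Uses the backup taken in %pre to relabel files whose contexts changed.
%selinux_relabel_post -s %{selinuxtype}
```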
Coverity complains that the assignment of connection_fd.fd = mlp->fd
leaks the value of connection_fd.fd. However, the logic is so that
this cannot happen because further down in the loop:
1) only when connection_fd.fd < 0, then pollfds[DATA_SERVER_FD] gets
a value
2) connection_fd.fd = accept() only happens if 1) happened
However, if mlp->flags & MAIN_LOOP_FLAG_USE_FD is != 0 then
connection_fd was assigned a value and 1) never happens.
=> Fix the Coverity complaint even though it is a false positive.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the custom profile's Algorithms when adjusting them for FIPS mode,
rather than the list of all implemented Algorithms. The list of implemented
Algorithms contains for example elliptic curve identifiers, such as
ecc-nist-p192, ecc-nist-p224, ecc-nist-p256, ecc-nist-p384, ecc-nist-p521,
ecc-bn-p256, ecc-bn-p638, that are not part of the custom profile but are
enabled with the ecc-min-size=192, ecc-nist, and ecc-bn shortcuts there.
Using the algorithms of the custom profile avoids confusion since otherwise
the additional ecc-nist-* and ecc-bn-* algorithm identifiers appear in the
modified custom profile even though they were not part of the original one.
Test:
swtpm_setup --tpm2 --tpmstate . --overwrite \
--profile-name custom --profile-remove-disabled fips-host
before:
...,ecc,ecc-min-size=224,ecc-nist,ecc-bn,ecc-nist-p224,ecc-nist-p256,
ecc-nist-p384,ecc-nist-p521,ecc-bn-p256,ecc-bn-p638,ecc-sm2-p256,...
now:
...,ecc,ecc-min-size=224,ecc-nist,ecc-bn,ecc-sm2-p256,...
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable passing the usual curve names of secp256r1 and secp384r1 instead
of ecc256 and ecc384 on the command line of swtpm-create-tpmca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend swtpm-create-tpm to support rsa2048 (default), rsa3072, ecc256
(NIST P256), and ecc384 (NIST P384) for the created TPM 2 CA. The names
are taken from the output of:
tpm2_ptool addkey --help
ecc521 does not seem to work with the TPM 2 stack even though it is
advertised as a possible option.
Extend an existing test case to create an ecc256 key and extend man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Ensure that no profile is passed to the TPM 2 when it is to be reconfigured
by:
- Showing an error if user tries to pass a profile when also --reconfigure
is passed
- Not taking the default profile from the swtpm_setup.conf configuration
file if the user did not pass a profile
Extend an existing test case with a default profile in its swtpm_setup.conf
so that the above 2nd item is tested.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When listing profiles, the profiles in the distro directory did not
show up since the directory formed by 'DATAROOTDIR "swtpm/profiles"' was
missing a '/' at the end of DATAROOTDIR. Use DISTRO_PROFILES_DIR instead.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm fails with an NFS mount. `setsebool virt_use_nfs on` should fix it.
Resolves: https://issues.redhat.com/browse/RHEL-73809
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Fix the following build error due to missing include of config.h where
_FILE_OFFSET_BITS is defined and leads to different sizes of off_t depending
on whether it is defined and/or included:
tpmlib.h:76:7: error: type of 'tpmlib_handle_tcg_tpm2_cmd_header' does not match original declaration [-Werror=lto-type-mismatch]
76 | off_t tpmlib_handle_tcg_tpm2_cmd_header(const unsigned char *command,
| ^
tpmlib.c:576:7: note: return value type mismatch
576 | off_t tpmlib_handle_tcg_tpm2_cmd_header(const unsigned char *command,
| ^
tpmlib.c:576:7: note: 'tpmlib_handle_tcg_tpm2_cmd_header' was previously declared here
tpmlib.c:576:7: note: code may be misoptimized unless '-fno-strict-aliasing' is used
lto1: all warnings being treated as errors
lto-wrapper: fatal error: gcc returned 1 exit status
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2334600
Fixes: 599e2436d4 ("configure.ac: enable 64-bit file API on 32-bit systems")
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Improve the swtpm_setup --tpm option documentation that did not mention
that the socket option must be passed along when swtpm is being used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
There seems to be a well-known error in setuptools 71.x that prevents
installation of cpp-coveralls on Travis now:
File "/usr/local/lib/python3.10/dist-packages/setuptools/_core_metadata.py", line 285, in _distribution_fullname
canonicalize_version(version, strip_trailing_zero=False),
TypeError: canonicalize_version() got an unexpected keyword argument 'strip_trailing_zero'
Fall back to the default version that is used in Ubuntu Jammy (59.6.0)
since later versions also lead to the same error.
Link: https://github.com/pypa/setuptools/issues/4483
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When building an rpm with swtpm.spec on Fedora 40, this type of error
appears on variables that normally do not need to be initialized.
In file included from /usr/include/glib-2.0/glib.h:117,
from profile.c:14:
In function ‘g_autoptr_cleanup_generic_gfree’,
inlined from ‘profile_gather_local’ at profile.c:307:23,
inlined from ‘profile_printall’ at profile.c:366:10:
/usr/include/glib-2.0/glib/glib-autocleanups.h:32:3: error: ‘dir’ may be used uninitialized [-Werror=maybe-uninitialized]
32 | g_free (*pp);
| ^~~~~~~~~~~~
profile.c: In function ‘profile_printall’:
profile.c:307:23: note: ‘dir’ was declared here
307 | g_autofree gchar *dir;
| ^~~
Include string.h since in some older build environments strcmp and strlen
do not have prototypes otherwise.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Check for a null pointer from parsing the string value in
json_get_submap_value(). All callers assume that the returned value is
non-NULL and therefore ensure that there is always a valid string.
However, all callers also provide trusted input from TPMLIB_GetInfo that
should never cause a NULL pointer.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The profile '{"Name": null}' will not lead to a parser error but return
NULL for the 'Name'. Therefore, check for the variable name being a NULL
pointer. Since the user may provide this type of profile, this could have
led to crashes when name was accessed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Move the error message about the failure to import a signing key into the
else branch where it should be (all other branches of the if-then-else
statement have a check already). Also mention the key's filename and hint
at a possibly corrupted key.
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2325901
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Comment the flags used for creating the storage primary key.
Deprecate the --create-spk option since it may create an RSA-3072 key
and it creates a NIST P384 instead of a NIST P256 key, both of which users may
not expect or know how to use.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
QEMU's functional tests need access to /var/tmp/**. To avoid the following
type of AppArmor permission failures add a rule that allows access to
/var/tmp/**.
type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" \
operation="mknod" class="file" profile="swtpm" \
name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" \
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 FSUID="stefanb" \
OUID="stefanb"
[ To run the QEMU's functional tests use the following command:
make check-functional ]
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Move the 'Tested: tdes' type of debugging output one more indentation
level up so that it can be filtered out more easily from control and data
channel communication.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
My local filesystem is btrfs with a long life. Its inodes exceed the 32-bit
space and that causes test failures in `swtpm` on `i686-linux`
containers:
FAIL: test_parameters
FAIL: test_swtpm_setup_file_backend
FAIL: test_swtpm_setup_overwrite
FAIL: test_tpm2_swtpm_setup_create_cert
FAIL: test_tpm2_swtpm_setup_overwrite
FAIL: test_swtpm_setup_create_cert
FAIL: test_tpm2_parameters
The example test failure log looks this way:
FAIL: test_migration_key
========================
Need to be root to run test with CUSE interface.
Need to be root to run test with CUSE interface.
==== Starting swtpm with interfaces socket+socket ====
Test 1: Ok
==== Starting swtpm with interfaces socket+socket ====
Test 2: Ok
==== Starting swtpm with interfaces socket+socket ====
swtpm: Missing migration key to decrypt volatilestate
Test 3: Ok
==== Starting swtpm with interfaces socket+socket ====
Could not stat file '/build/tests/data/migkey1/volatilestate.bin': Value too large for defined data type
Error: Could not load encrypted volatile state into TPM.
FAIL test_migration_key (exit status: 1)
The `stat()` fails because the inode value exceeds the 32-bit range:
$ stat /build/tests/data/migkey1/volatilestate.bin
File: /build/tests/data/migkey1/volatilestate.bin
Size: 1290 Blocks: 8 IO Block: 4096 regular file
Device: 0,30 Inode: 9639547569 Links: 1
...
The change fixes all the test failures. To fix
`test_tpm2_swtpm_setup_create_cert` I also had to include `config.h`
into `swtpm_backend_dir.c` to get 64-bit file open there as well.
Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
Check the help screen for necessary supported options since the IBM TSS2
test will have to be patched to support swtpm directly. If it does not
support it, exit the tests early with an error message.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Only display profile capabilities when --tpm2 is given since they are only
relevant when a TPM 2 is used.
Adjust test cases.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Give two of the (unused) fields in the tpm2_authblock better names and,
since these two and the continueSession fields are always initialized with
'0', simplify the initializer macro to only take one argument.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The default-v1 profile may soon also set Attributes in the JSON and
therefore extend the regular expressions matching profiles to optionally
match for Attributes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display the new capability tpmstate-opt-lock, adjust test cases,
and document it in the swtpm man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>