Check that the netstat tool, which may not be required to be installed,
is indeed installed and usable with a set of command line options.
If this tool is not installed it may end up causing swtpm_setup to
hang forever.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Follow more closely the https://github.com/cgwalters/build-api.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

We also have to move the Travis tests to xenial since PKG_CHECK_VAR
was not available in trusty (14.04).
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Pass the top_builddir and top_srcdir via TESTS_ENVIRONMENT
variable in Makefile.am.
Use TESTDIR for the path to the test directory and replace
previously used DIR in all occurrences.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

The include file include/swtpm.h will be generated from swtpm.h.in and
reside under the $(top_builddir) rather than the $(top_srcdir).
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Adapt the loop that is polling for the authentication failure due
to lockout until a certain time. We run the tests also when $timeout
has been reached but don't care for the result if it failed. This
accommodates slow or busy systems that run some of the commands too
slowly and allow the TPM to release the lockout.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Implement --pcr-banks to allow a user to choose the set of active
PCR banks. We determine the PCR banks available and enable those
that the user chose and that are available.
The log will now print out the following:
Successfully activated PCR banks sha1,sha256 among sha1,sha256,sha384.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

A few files were wrong in the EXTRA_DIST file list due to changes to
test cases. Add the proper files.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Extend the swtpm_setup man page with an example for how a non-root
user can create a TPM 2 with an EK and platform certificate.
Document the default locations of the config file swtpm_setup uses.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Cleanse the tmp variable before running eval on it. This is to prevent
execution of commands that are hidden in variable values read from a config
file. We only need to resolve the values of variables and don't want
the execution of a subshell command initiated by either $(...) or `...`.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

This will allow to expand environment variables in config files, such as:
statedir = $XDG_RUNTIME_DIR/swtpm-localca
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
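
The hazard the two commits above deal with (expanding environment variables in config values, then cleansing the value before eval), shown as an added shell example that is not swtpm's own code. The function names, the sample config and the XDG_RUNTIME_DIR value are constructed for illustration.

```shell
#!/bin/sh
# Added example, not swtpm's code: resolve $NAME in a config value without
# letting the value run commands. Names and sample data are constructed.

# Escape what stays special inside double quotes, except plain $NAME and
# ${NAME}: backslash first, then double quote, backtick and "$(".
cleanse() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
                             -e 's/`/\\`/g' -e 's/\$(/\\$(/g'
}

# "Before": the raw value reaches eval, so $(...) and `...` execute.
expand_unsafe() {
    eval "printf '%s\n' $1"
}

# "After": the cleansed value is evaluated inside double quotes, so only
# variable references are expanded.
expand_safe() {
    eval "printf '%s\n' \"$(cleanse "$1")\""
}

# Read "key = value" from a config file ($1 = file, $2 = key).
get_config_value() {
    raw=$(sed -n "s/^${2}[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" | head -n 1)
    expand_safe "$raw"
}

# Constructed sample config; the second value hides a command substitution.
conf=$(mktemp)
cat > "$conf" <<'EOF'
statedir = $XDG_RUNTIME_DIR/swtpm-localca
signingkey = $(echo INJECTED)/key.pem
EOF
XDG_RUNTIME_DIR=/run/user/1000   # constructed value for the demonstration
get_config_value "$conf" statedir
get_config_value "$conf" signingkey
rm -f "$conf"
```

Evaluating the value inside double quotes is what keeps `;`, `|` and redirections literal in this example; escaping only `$(` and backticks would not cover those.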
Remove the -s parameter to tpm2_nv_define since it was causing
a 0-size NVRAM location to be created for the platform cert.
Also use the nvindex parameter rather than TPM2_NV_INDEX_PlatformCert
for addressing the platform NVRAM index.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Test that a key written to volatile state is properly loaded again
and produces the same signature as before.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Adjust the flags for the TPM 2 NVRAM locations to adhere to the
specification:
TCG PC Client Platform: TPM Profile (PTP) Specification
Family "2.0"; Level 00; Rev 01.03 v22; May 22, 2017
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

To prepare for writing data into different locations for ECC keys,
assign a variable the location of the NVRAM to write RSA related data
into.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

We write the EK template into the NVRAM location when it is non-standard.
It's non-standard once the EK can be used for signing.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Test the certs created by swtpm_localca by verifying the certificate
chain and checking their key usage.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Add the --decryption option to enable key encipherment separately
from enabling signing for the EK. The key encipherment is not set
but needs to be set if --allow-signing is used and key encipherment
is also requested.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

To allow the creation of EKs with signing and/or key encipherment
capabilities, add the --allow-signing and --decryption options
to swtpm-localca program.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

In case of a TPM 2 we allow the creation of a signing key by passing
--allow-signing. To also enable key encipherment, we add the --decryption
option to allow key encipherment and signing at the same time.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Use the standard EK and SRK handles per IWG spec
"TCG TPM v2.0 Provisioning Guidance"; Version 1.0, Rev 1.0, March 15 2017
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Create the tpm2_createprimary_rsa_params function that has common code
for creating a primary RSA key with parameters.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Don't require root privileges to run swtpm_setup with a TPM 2 target.
For TPM 1.2 we need the high privileges due to TrouSerS wanting to be
started as root (or 'tss'), but for TPM 2 we do not use any tools
to manufacture the initial state that would require high privileges.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Add a test case that tests the TPM 2 volatile state. This test
requires the latest TPM2 version of libtpms that also writes the
TPM Established bit into the volatile state.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Check the TPM2 state using the TPM2 utilities, if available.
Create persistent state and check it, then shut down the TPM 2 and
restart it, and check the persistent state again.
Use previously created state and have the TPM 2 start with it
and check the persistent state. The persistent state must be
readable on little and big endian machines.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>