When return code 0x922 is received from NVWrite then retry the command so
that it gets the expected error code from failing to provide a password.
When checking the lockout counter, increase the numbers now.
Patched versions of libtpms may not return 0x922 anymore, so write the code
such that it can test both cases.
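Added example, not swtpm's or libtpms' own code: a small C retry wrapper showing the pattern the test above relies on, retrying only while the TPM answers with TPM_RC_RETRY and accepting either outcome so that both unpatched and patched libtpms behave the same from the test's point of view. TPM_RC_RETRY = 0x922 (RC_WARN + 0x022) is the real TPM 2.0 response code; the helper names, the fake NV-write command and the authorization-failure code 0x98E it returns are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* TPM 2.0 response codes (TPM 2.0 Library, Part 2). */
#define RC_WARN          0x900u
#define TPM_RC_RETRY     (RC_WARN + 0x022u)   /* 0x922: TPM could not start the command */
/* Assumed failure code for the example: TPM_RC_AUTH_FAIL flagged for session 1. */
#define EXPECTED_AUTH_FAILURE 0x98Eu

typedef uint32_t (*tpm_cmd_fn)(void *ctx);

/* Run cmd up to max_attempts times, repeating only while it returns
   TPM_RC_RETRY. Writes the number of attempts to *attempts (if non-NULL)
   and returns the last response code seen. */
uint32_t run_with_retry(tpm_cmd_fn cmd, void *ctx, int max_attempts, int *attempts)
{
    uint32_t rc = TPM_RC_RETRY;
    int n = 0;

    while (n < max_attempts) {
        rc = cmd(ctx);
        n++;
        if (rc != TPM_RC_RETRY)
            break;              /* success or a real error: do not retry */
    }
    if (attempts)
        *attempts = n;
    return rc;
}

/* Constructed stand-in for an NV write sent without the required password:
   answers TPM_RC_RETRY for the first `retries_left` calls (unpatched
   libtpms behaviour), then the authorization failure the test expects. */
struct fake_nv {
    int retries_left;
    int calls;
};

uint32_t fake_nv_write(void *ctx)
{
    struct fake_nv *f = ctx;

    f->calls++;
    if (f->retries_left > 0) {
        f->retries_left--;
        return TPM_RC_RETRY;
    }
    return EXPECTED_AUTH_FAILURE;
}

/* A command that never gets going; used to show the retry bound. */
uint32_t always_retry(void *ctx)
{
    (void)ctx;
    return TPM_RC_RETRY;
}

/* The check a test performs: the final code must be the auth failure,
   whether the TPM first asked for a retry (retries_before = 1) or not (0). */
int expect_auth_failure(int retries_before)
{
    struct fake_nv f = { retries_before, 0 };
    int attempts = 0;
    uint32_t rc = run_with_retry(fake_nv_write, &f, 3, &attempts);

    return rc == EXPECTED_AUTH_FAILURE && attempts == retries_before + 1;
}

int main(void)
{
    printf("unpatched libtpms (0x922 first): %s\n", expect_auth_failure(1) ? "ok" : "FAIL");
    printf("patched libtpms (no 0x922):      %s\n", expect_auth_failure(0) ? "ok" : "FAIL");
    printf("give up after 3 x 0x922: rc=0x%x\n", run_with_retry(always_retry, NULL, 3, NULL));
    return 0;
}
```

The retry is bounded on purpose: a TPM that keeps answering 0x922 should surface that code to the caller rather than loop forever.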
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
libtpms v0.11 will support RSA-4096 keys. Adjust the test case
regex for optional output of 'tpm2-rsa-keysize-4096'.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The build for RISC-V causes timeouts when running tests in parallel due
to the CPU being emulated. Avoid the timeouts by not running parallel
tests.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
GitHub Actions does not run ubuntu-20.04 anymore due to EOL. Update the
20.04 entries to use 24.04.
cpp-coveralls needs an older version of python3 due to pkgutil.ImpImporter
having disappeared in more recent python versions. Therefore, leave
test-coveralls at 22.04.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reverse the order of uninstallation of the 'swtpm' and 'swtpm_svirt'
selinux modules. The current order fails because the 'swtpm_svirt' module
has a dependency on the 'swtpm' module. This results in the 'swtpm'
module not being cleaned up during %postun:
$ semodule -l | grep swtpm
swtpm
swtpm_svirt
$ semodule -n -X 200 -s targeted -r swtpm
libsemanage.semanage_direct_remove_key: Removing last swtpm module (no other swtpm module exists at another priority).
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/swtpm_svirt/cil:4
/sbin/semodule: Failed!
$ sudo semodule -n -X 200 -s targeted -r swtpm_svirt
libsemanage.semanage_direct_remove_key: Removing last swtpm_svirt module (no other swtpm_svirt module exists at another priority).
$ semodule -l | grep swtpm
swtpm
Signed-off-by: Ajeeth Adithya <ajeeth.adithya@nutanix.com>
Add the %selinux_relabel_pre macro in the %pre section to back up the
current file contexts lists. This is required since %selinux_relabel_post
macro in the %posttrans section uses the backup to revert to the original contexts.
Signed-off-by: Ajeeth Adithya <ajeeth.adithya@nutanix.com>
Use the custom profile's Algorithms when adjusting them for FIPS mode,
rather than the list of all implemented Algorithms. The list of implemented
Algorithms contains for example elliptic curve identifiers, such as
ecc-nist-p192, ecc-nist-p224, ecc-nist-p256, ecc-nist-p384, ecc-nist-p521,
ecc-bn-p256, ecc-bn-p638, that are not part of the custom profile but are
enabled with the ecc-min-size=192, ecc-nist, and ecc-bn shortcuts there.
Using the algorithms of the custom profile avoids confusion since otherwise
the additional ecc-nist-* and ecc-bn-* algorithm identifiers appear in the
modified custom profile even though they were not part of the original one.
Test:
swtpm_setup --tpm2 --tpmstate . --overwrite \
--profile-name custom --profile-remove-disabled fips-host
before:
...,ecc,ecc-min-size=224,ecc-nist,ecc-bn,ecc-nist-p224,ecc-nist-p256,
ecc-nist-p384,ecc-nist-p521,ecc-bn-p256,ecc-bn-p638,ecc-sm2-p256,...
now:
...,ecc,ecc-min-size=224,ecc-nist,ecc-bn,ecc-sm2-p256,...
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Ensure that no profile is passed to the TPM 2 when it is to be reconfigured
by:
- Showing an error if user tries to pass a profile when also --reconfigure
is passed
- Not taking the default profile from the swtpm_setup.conf configuration
file if the user did not pass a profile
Extend an existing test case with a default profile in its swtpm_setup.conf
so that the second item above is tested.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When listing profiles, the profiles in the distro directory did not
show up since the directory formed by 'DATAROOTDIR "swtpm/profiles"' was
missing a '/' at the end of DATAROOTDIR. Use DISTRO_PROFILES_DIR instead.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm fails with an NFS mount. `setsebool virt_use_nfs on` should fix it.
Resolves: https://issues.redhat.com/browse/RHEL-73809
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Fix the following build error due to missing include of config.h where
_FILE_OFFSET_BITS is defined and leads to different sizes of off_t depending
on whether it is defined and/or included:
tpmlib.h:76:7: error: type of 'tpmlib_handle_tcg_tpm2_cmd_header' does not match original declaration [-Werror=lto-type-mismatch]
76 | off_t tpmlib_handle_tcg_tpm2_cmd_header(const unsigned char *command,
| ^
tpmlib.c:576:7: note: return value type mismatch
576 | off_t tpmlib_handle_tcg_tpm2_cmd_header(const unsigned char *command,
| ^
tpmlib.c:576:7: note: 'tpmlib_handle_tcg_tpm2_cmd_header' was previously declared here
tpmlib.c:576:7: note: code may be misoptimized unless '-fno-strict-aliasing' is used
lto1: all warnings being treated as errors
lto-wrapper: fatal error: gcc returned 1 exit status
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2334600
Fixes: 599e2436d4 ("configure.ac: enable 64-bit file API on 32-bit systems")
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
There seems to be a well known error in setuptools 71.x that prevents
installation of cpp-coveralls on Travis now:
File "/usr/local/lib/python3.10/dist-packages/setuptools/_core_metadata.py", line 285, in _distribution_fullname
canonicalize_version(version, strip_trailing_zero=False),
TypeError: canonicalize_version() got an unexpected keyword argument 'strip_trailing_zero'
Fall back to the default version that is used in Ubuntu Jammy (59.6.0)
since later versions also lead to the same error.
Link: https://github.com/pypa/setuptools/issues/4483
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When building an rpm with swtpm.spec on Fedora 40, errors of this type
appear on variables that normally do not need to be initialized.
In file included from /usr/include/glib-2.0/glib.h:117,
from profile.c:14:
In function ‘g_autoptr_cleanup_generic_gfree’,
inlined from ‘profile_gather_local’ at profile.c:307:23,
inlined from ‘profile_printall’ at profile.c:366:10:
/usr/include/glib-2.0/glib/glib-autocleanups.h:32:3: error: ‘dir’ may be used uninitialized [-Werror=maybe-uninitialized]
32 | g_free (*pp);
| ^~~~~~~~~~~~
profile.c: In function ‘profile_printall’:
profile.c:307:23: note: ‘dir’ was declared here
307 | g_autofree gchar *dir;
| ^~~
Include string.h since in some older build environments strcmp and strlen
do not have prototypes otherwise.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Check for a null pointer from parsing the string value in
json_get_submap_value(). All callers assume that the returned value is
non-NULL and therefore ensure that there is always a valid string.
However, all callers also provide trusted input from TPMLIB_GetInfo that
should never cause a NULL pointer.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The profile '{"Name": null}' will not lead to a parser error but return
NULL for the 'Name'. Therefore, check for the variable 'name' being a NULL
pointer. Since the user may provide this type of profile this could have
led to crashes when name was accessed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Move the error message about the failure to import a signing key into the
else branch where it should be (all other branches of the if-then-else
statement have a check already). Also mention the key's filename and hint
at a possibly corrupted key.
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2325901
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Comment the flags used for creating the storage primary key.
Deprecate the --create-spk option since it may create an RSA-3072 key
and it creates a NIST P384 instead of NIST P256, both of which users may
not expect or know how to use.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
QEMU's functional tests need access to /var/tmp/**. To avoid the following
type of AppArmor permission failures add a rule that allows access to
/var/tmp/**.
type=AVC msg=audit(1730829888.863:260): apparmor="DENIED" \
operation="mknod" class="file" profile="swtpm" \
name="/var/tmp/qemu_3r9txw7z/swtpm-socket" pid=3925 comm="swtpm" \
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000FSUID="stefanb" \
OUID="stefanb"
[ To run QEMU's functional tests use the following command:
make check-functional ]
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Move the 'Tested: tdes' type of debugging output one more indentation
level up so that it can be filtered out more easily from control and data
channel communication.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
My local filesystem is btrfs with a long life. Its inodes exceed 32-bit
space and that causes test failures in `swtpm` on `i686-linux`
containers:
FAIL: test_parameters
FAIL: test_swtpm_setup_file_backend
FAIL: test_swtpm_setup_overwrite
FAIL: test_tpm2_swtpm_setup_create_cert
FAIL: test_tpm2_swtpm_setup_overwrite
FAIL: test_swtpm_setup_create_cert
FAIL: test_tpm2_parameters
The example test failure log looks this way:
FAIL: test_migration_key
========================
Need to be root to run test with CUSE interface.
Need to be root to run test with CUSE interface.
==== Starting swtpm with interfaces socket+socket ====
Test 1: Ok
==== Starting swtpm with interfaces socket+socket ====
Test 2: Ok
==== Starting swtpm with interfaces socket+socket ====
swtpm: Missing migration key to decrypt volatilestate
Test 3: Ok
==== Starting swtpm with interfaces socket+socket ====
Could not stat file '/build/tests/data/migkey1/volatilestate.bin': Value too large for defined data type
Error: Could not load encrypted volatile state into TPM.
FAIL test_migration_key (exit status: 1)
The `stat()` fails because the inode value exceeds 32 bits:
$ stat /build/tests/data/migkey1/volatilestate.bin
File: /build/tests/data/migkey1/volatilestate.bin
Size: 1290 Blocks: 8 IO Block: 4096 regular file
Device: 0,30 Inode: 9639547569 Links: 1
...
The change fixes all the test failures. To fix
`test_tpm2_swtpm_setup_create_cert` I also had to include `config.h`
into `swtpm_backend_dir.c` to get 64-bit file open there as well.
Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
Check the help screen for necessary supported options since the IBM TSS2
test will have to be patched to support swtpm directly. If it does not
support it, exit the tests early with an error message.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Only display profile capabilities when --tpm2 is given since they are only
relevant when a TPM 2 is used.
Adjust test cases.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Give two of the (unused) fields in the tpm2_authblock better names and
since these two and the continueSession fields are always initialized with
'0', simplify the initializer macro to only take one argument.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The default-v1 profile may soon also set Attributes in the JSON and
therefore extend the regular expressions matching profiles to optionally
match for Attributes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display the new capability tpmstate-opt-lock, adjust test cases,
and document it in the swtpm man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To support storage backend locking on the file backend, add support for a
lock option parameter to the --tpmstate option. By default the value of
this option (if not given) has to be 'true' for the dir backend, since this
backend has always been locking, and 'false' on the file backend, since
this backend did not lock so far.
If the user chooses no storage backend locking then SWTPM_NVRAM_Unlock &
SWTPM_NVRAM_Lock_Storage do not call the backend for locking at all
anymore.
Document the new option parameter in the swtpm man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for locking the storage file using fcntl(fd, F_SETLK, ...).
Since fcntl needs a file descriptor of the actual storage file, call
SWTPM_NVRAM_LinearFile_DoOpenURI() to open the file in case it has not
been opened yet. In case of error close the file again but be careful
about the fact that it may not have been mmap'ed yet.
Since now all backends have .lock and .unlock nvram_backend_ops, they can
be called without checking for a NULL pointer.
Extend an existing test case with a file-backend storage lock test.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
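Added example, not swtpm's own code: a self-contained C sketch of whole-file locking with fcntl(fd, F_SETLK, ...) as used by the file backend above, including the error path where the descriptor opened for locking is closed again when the lock cannot be taken. The function names (storage_lock, storage_unlock, storage_open_locked, child_lock_result) and the temporary file under /tmp are constructed for illustration; the demonstration forks a second process because fcntl record locks are owned per process, so a conflict only shows up across processes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Take a non-blocking advisory write lock over the whole file.
   Returns 0 on success or -errno; -EAGAIN/-EACCES mean another process holds it. */
int storage_lock(int fd)
{
    struct flock fl;

    memset(&fl, 0, sizeof(fl));
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;                   /* 0 == to EOF: cover the whole file */
    return fcntl(fd, F_SETLK, &fl) == 0 ? 0 : -errno;
}

int storage_unlock(int fd)
{
    struct flock fl;

    memset(&fl, 0, sizeof(fl));
    fl.l_type = F_UNLCK;
    fl.l_whence = SEEK_SET;
    return fcntl(fd, F_SETLK, &fl) == 0 ? 0 : -errno;
}

/* Open the storage file just for locking (mirrors opening the file first
   when it is not open yet). On lock failure the descriptor is closed again
   so nothing leaks; returns the fd, or -errno. */
int storage_open_locked(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    int rc;

    if (fd < 0)
        return -errno;
    rc = storage_lock(fd);
    if (rc != 0) {
        close(fd);                  /* nothing was mmap'ed here, so close is all that is needed */
        return rc;
    }
    return fd;
}

/* Demonstration on a constructed temp file: optionally hold the lock in this
   process, then let a forked child try storage_open_locked() on the same path.
   Returns 1 if the child got the lock, 0 if it was refused, -1 on setup error. */
int child_lock_result(int parent_holds_lock)
{
    char path[] = "/tmp/swtpm-lock-demo-XXXXXX";   /* constructed, not swtpm's path */
    int fd = mkstemp(path);
    int status = 0;
    pid_t pid;

    if (fd < 0)
        return -1;
    if (parent_holds_lock && storage_lock(fd) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }

    pid = fork();
    if (pid < 0) {
        storage_unlock(fd);
        close(fd);
        unlink(path);
        return -1;
    }
    if (pid == 0) {
        int rc = storage_open_locked(path);
        /* exit 0 = acquired, 1 = refused by the other process's lock, 2 = other error */
        _exit(rc >= 0 ? 0 : (rc == -EAGAIN || rc == -EACCES) ? 1 : 2);
    }
    waitpid(pid, &status, 0);
    storage_unlock(fd);
    close(fd);
    unlink(path);
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 2)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    printf("second process while lock held: %s\n",
           child_lock_result(1) == 0 ? "refused (ok)" : "NOT refused");
    printf("second process after unlock:    %s\n",
           child_lock_result(0) == 1 ? "acquired (ok)" : "NOT acquired");
    return 0;
}
```

Because a lock taken with F_SETLK is tied to the process, closing any descriptor for that file in the same process drops the lock; the close-on-error path above is safe only because the lock was never obtained in that branch.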
Remove the broken logic to check for neither dir:// nor file:// backend.
If an unknown backend type is used, then it will be detected later on
and an error message will be printed out. Even though the logic was
broken it didn't seem to cause failures.
Also have tpmstate_set_mode return void since it cannot fail.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>