Implement support for skipping over creating the files
if any one of the config files already exist.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the option --create-config-files to create config files
for swtpm_setup and swtpm-localca for a user account. The files will
be created under the $XDG_CONFIG_HOME or $HOME/.config directories.
This option supports optional arguments 'overwrite' to allow overwriting
existing config files as well as the optional argument 'root' to create
config files under root's home directory. Both options can be passed
by separating them with a ','.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display the --print-states capability in the --print-capabilites
output as cmdarg-print-states.
Document availability in the man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an options to specify pluggable backend URI.
Ex:
--tpmstate backend-uri=dir://<path_to_dir>
Backend URI is specific to each backend plugin which points to the
location of the NVRAM files.
Currently, "dir" is the only one available backend. In this case
backend-uri should be a path to the directory where files are stored.
This option is designed to compatible with existing "dir" option.
If "dir" is specified, swtpm prioritize "dir" ignoring "backend-uri".
Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
Implement get_supported_tpm_versions to get swtpm's support for TPM 1.2
and TPM 2 and use it error out in case user choose a TPM version that
is not supported. Also display the supported TPM versions in the
capabilites JSON.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Write the EK certificate files into the directory specified as parameter
to the --write-ek-cert-files option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Move content of swtpm-localca(8) manual page to swtpm_localca(8)
and make swtpm-localca(8) an alias for swtpm_localca(8), mirroring
the fact that /usr/bin/swtpm_localca is the actual program and
/usr/share/swtpm/swtpm-localca a wrapper for it.
- Change references to `swtpm-localca` in manual pages' content to
`swtpm_localca`, reflecting the actual name of the program they are
meant to document.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Add a missing '\' to the list of pod files and reduce the EXTRA_DIST
files list to only those that available via git and not generated.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following `make distcheck` cleanup issue:
ERROR: files left in build directory after distclean:
./man/man8/swtpm_cuse.8
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Write a note in swtpm_setup's help screen and man page that the usage
of --allow-signing will lead to a non-standard EK. Be more precise in the
man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since the device can be passed using --tpm-device <device>, we now
mark the last parameter, which can also be the device, as optional.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Also fix an error in the man page on the way. 'startup-deactivated'
can only be used with a TPM 1.2, not a TPM 2.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Pass the CA's private key password via the template file. Remove recently
added old GnuTLS support. Extend man page with a paragraph about short-
comings of certtool that doesn't seem to allow private key password being
passed either as environment variable or template file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for pkcs11 module environment variables to the config file.
These variables may have the following format:
env:VARNAME=VALUE
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the man pages with further locations for the options and config
files in ${XDG_CONFIG_HOME} or ${HOME}/.confg.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Extend swtpm_setup.pod showing swtpm-create-user-config-files usage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Escape many more special shell characters before calling eval on
an entry to convert a variable to its value. Uncareful writing of
a swtpm-local.conf config file could have lead to files being over-
written using '>' for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the --print-capabilities option to also report supported RSA
key sizes. Only the TPM 2 may support anything else than 2048 bit RSA
keys, so we only consult 'swtpm socket --tpm2 --print-capabilities'
and grep for 2048 and 3072 key sizes and report them.
If nothing is found, nothing is reported, as before, and 2048 bit RSA
keys should be assumed.
'swtpm_setup --tpm2 --print-capabilities' may now show the following:
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"tpm2-rsa-keysize-2048",
"tpm2-rsa-keysize-3072"
]
}
Also adjust a test case to use a regular expression for matching
against an expected string that may nor may not have rsa-keysize
verbs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Construct RSA key size capability strings from libtpms TPMLIB_GetInfo()
string so that we can easily show which RSA key sizes are supported by
the TPM 2 implementation. If none are advertised, 1024 & 2048 can be
assumed to be supported.
'swtpm socket --tpm2 --print-capabilities' may now print the following:
{
"type": "swtpm",
"features": [
"tpm-send-command-header",
"flags-opt-startup",
"cmdarg-seccomp",
"cmdarg-key-fd",
"cmdarg-pwd-fd",
"no-tpm12-tools",
"rsa-keysize-1024",
"rsa-keysize-2048",
"rsa-keysize-3072"
]
}
We need to adapt the related test case to use a regular expression since
the rsa-keysize-xyz strings may or may not be there depending on libtpms
version.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the host is missing tcsd (trousers) or the tpm-tools, swtpm_setup
will now report the 'no-tpm12-tools' verb like this:
> swtpm_setup --print-capabilities | jq
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"no-tpm12-tools"
]
}
The only TPM 1.2 setup parameter that requires interaction with
the TPM 1.2 that can be pass is then '--createek'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for passing the curve id via the --curve-id
option. Default assumes secp256r1. secp384r1 is also supported.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the script that creates a CA that uses a TPM 2 for signing.
For this we have to create tokens using the TPM 2 pkcs11 module's
tpm2_ptool and can then use the p11tool for creating keys.
Add a test case that requires a running tpm2-abrmd and tpm2_ptool.
Eventually the test case should (try to) start its own tpm2-abrmd
and talk to swtpm directly but the tcti module to do that isn't
available as a package, yet.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add documentation about the new startup options support as well
as the new capability and its meaning.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for the --print-capabilities option to display newly
added capabilities. Adpat the man page and related test case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow passing signing key and parent key via files and file descriptors
and environment variables. Adapt a test case to exercise this new
functionality.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The signingkey entry can also be a pkcs11: URI. The semilcolons in the URI
have to be escaped due to the shell reading the entries.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the --tcsp-system-ps-file option to make a backup of
TCSD's system_ps_file for later use of the setup TPM with the
TCSD. We need this for a test case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Support creation and usage of the root CA with a password protected
private key. The root CA's key password can be set using the environment
variable SWTPM_ROOTCA_PASSWORD.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This (experimental) script uses GnuTLS tpmtool to create a TPM 1.2
intermediate CA that can sign a vTPM's EK and platform certificates.
Add a man page for this tool.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
GnuTLS can use TPM 1.2 keys for signing. For this we just need to support
key URLs in the GnuTLS format:
tpmkey:uuid=...
tpmkey:file=...
We don't try to read these URLs as files but pass them through as URLs to
the swtpm_cert tool that will then try to sign with the TPM 1.2 key by
passing the URL to GnuTLS API calls.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Gnutls supports TPM 1.2 keys in its API and we can use a TPM 1.2
signing key for signing the EK or platform certs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To make the RPM building easier for the --without-cuse case we have to omit
a couple of files from being built so that they are not left-overs when
packing the RPM without building swtpm-cuse.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The swtpm man page incorrectly showed binaddress as the option parameter
for the address to bind to. It must be called bindaddr.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement command line support for choosing the cipher to use for
the TPM state encryption. Either aes-128-cbc or aes-256-cbc can be
used. The same cipher has to be passed on the swtpm command line
when using the TPM.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Extend the buffer the key is read into to hold an 256bit key.
Add support for aes-256-cbc. Also, aes-128-cbc is now a synonym for
aes-cbc.
Update the man pages to reflect the AES 128 support.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use pbkdf2 as the default kdf and sha512 for the existing
test case. Do away with file limit of 32 bytes. This may
break backwards compatibility for some but better to do this
before a release...
Switch the existing test cases to use kdf=sha512 on the command
line where necessary to that the state for these test cases
does not need to be recreated.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement --pcr-banks to allow a user to choose the set of active
PCR banks. We determine the PCR banks available and enable those
that the user chose and that are available.
The log will now print out the following:
Successfully activated PCR banks sha1,sha256 among sha1,sha256,sha384.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Extend the swtpm_setup man page with an example for how a non-root
user can create a TPM 2 with an EK and platform certificate.
Document the default locations of the config file swtpm_setup uses.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add the --decryption option to enable key encipherment separately
from enabling signing for the EK. The key encipherment is not set
but needs to be set if --allow-signing is used and key encipherment
is also requested.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To allow the creation of EKs with signing and/or key encipherment
capabilities, add the --allow-signing and --decryption options
to swtpm-localca program.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
In case of a TPM 2 we allow the creation of a signing key by passing
--allow signing. To also enable key encipherment, we add the --decryption
option to allow key encipherment and signing at the same time.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Provide support for creating certificates for TPM2 ECC type of keys.
Extend the test cases and the man pages.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Support TPM 2 in swtpm_setup and swtpm_setup.sh.
Implement support for all command line options except for:
o --take-ownership and anything related to ownership passwords
o --lock-nvram
o --display
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
TPM2 allows the primary key to also be a signing key, so in case
--tpm2 is provided, --allow-signing can be provided as well in
case the primary can also be used for signing operations.
We use SHA256 for the signing algorithm when TPM 2 is being used.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Extend the swtpm_bios tool with a --tpm2 command line parameter
to support TPM 2 initialization.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement support for TPM2. Some of the capabilities are not supported yet in
this patch.
Extend the man pages with description for --tpm2.
Missing: configure should probe for needed API calls in libtpms
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Since swtpm_setup now uses the swtpm_ioctl tool to get some of the
TPM attributes directly from the TPM, we don't need to pass these
options via the options file anymore.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the new --info parameter for swtpm_ioctl to get TPM specification
info from the swtpm and use this as a parameter for creating the EK
certificate.
Extend the man page.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement the --info option that takes a flag as an argument
and returns information about the TPM implementation. Only the
value '1' has been defined for now, which returns a line as
the following:
{"TPMSpecification":{"family":"1.2","level":2,"revision":116}}
Extend the man page.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement options --tpm-spec-family, --tpm-spec-revision, and
tpm-spec-level to pass to swtpm_cert for EK creation.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
We are currently missing the Authority Key Id in the certificate used for
creating the EK cert. To get this, we create a root CA for our local CA
and use that root CA to sign the local CA's certificate. Our local
CA is now an intermediate CA and the Authority Key Id can now be copied
into the EK cert.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement a mode parameter for the tpmstate option so that the user
can choose what the file mode bits of the TPM's state files will be.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement support for uid and gid parameters that allows us to set the file
ownership of a UnixIO socket.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement support for a mode parameter that allows us to set the file
mode bits on a UnixIO socket.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Only pass through the vmid parameter to the tool creating the cert
if this parameter was set. The tool creating the cert may require
it or ignore it and is supposed to be able to track certificates
for which it minted certs using this parameter.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add options --overwrite and --not-overwrite to allow or prevent
overwriting of existing TPM state. If neiter of the options is
given and existing state is found, an error is returned.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement a command for setting and querying the buffer size the
TPM implementation (libtpms) is using. The setting of the
buffersize allows to reduce the size of the buffer to a size
that the interface can support so that these two sizes match
and the TPM will not produce larger responses than what the
interface can support.
Extend swtpm_ioctl with an option to set the buffersize.
Adapt the existing tests to reflect the newly supported command.
Implement a new test for getting/setting of the buffer size.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Update the description in the man page to reflect ioctl's and
control channel commands.
Update to the latest supported commands.
Fix a few text locations on the way.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Change the startup behavior with respect to requiring an INIT command
via control channel. We change this for the socket and chardev
interfaces so that the behavior now is the same as that of the CUSE
interface.
Introduce the --flag not-need-init command line option for the socket
and chardev interfaces to allow the old behavior using this option.
Adapt some of the test cases and swtpm_setup.sh.in that now need this
command line flag.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Allow running swtpm_setup directly as tss user using the following
command lines as an example for how to do it:
mkdir /tmp/test-tss
chown tss:tss /tmp/test-tss
chmod 770 /tmp/test-tss
su -c "swtpm_setup --tpm-state /tmp/test-tss" -s /bin/sh tss
This change prevents us from requiring invocation under the root
user.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
