Since 0 is a valid file descriptor and checks for valid file descriptors
is typically '>= 0', initialize the file descriptor to -1 to indicate
that it is unused.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This reverts commit 8d4b247e3d since
CMD_GET_STATEBLOB can have more than 4 bytes in response when an
error happened (long-standing protocol error).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the new ptm_caps_n to create the response for PTM_GET_CAPABILITY in the
socket and chardev implementations. Due to how the result was created
before, the tpm_result part of the response will always have to be
TPM_SUCCESS, since it was always 0 before.
Leave the CUSE implementation untouched since there the result was returned
in native endianess resulting in the first 4 bytes carrying the capability
flags.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Define a structure to use for returning the PTM_GET_CAPABILITY result that
resembles the layout of all the commands' structures. Since only 17bits for
capabilities are currenlty defined and they are returned in big endian
format as part of a 64bit number, this change can be done without any side
effects. The upper 32bit of this number now become the tpm_result, which
will always be 0. The lower 32bits are the possible capability flags, of
which the 17 are used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Move the display of the help screen into its own function to be able
to usage fprintf with the help screen as format string to avoid static
analyzer warnings.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Restrict available PCR banks to sha256 & sha384 and try to enable sha256
and sha512 and check the expected results.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement --print-info that takes a number as argument and uses this number
as flags to call TPMLIB_GetInfo with. Display the JSON string and exit.
Extend the man page and update other parts where swtpm_ioctl is not necessary
anymore to use.
Extend a test case to also check that swtpm now returns the same result as
swtpm_ioctl does.
Append cmdarg-print-info to printed out capabilties. Adjust test cases.
(Expect 'profiles' to always be part of capabilties JSON.)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable SWTPM_TEST_PROFILE for running the test_tpm2_ibmtss2 test cases
with a user provided profile. Document it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the support for 'remove-disabled' option parameter of the --profile
option to also work for profiles whose name starts with 'custom:'.
Modify an existing test case to use custom:test as profile name with this
option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow a user to pass profiles from the distro or local dirs directly
to swtpm. A rule to allow reading profiles from somewhere under the
HOME directory already exists.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for the --print-profiles option to search the local
and distro profiles directories for profiles (files with .json extension)
and then get the built-in ones from swtpm. Print them all to stdout.
Extend a test case and add description to the man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for --profile-name option that searches for a profile in a
configurable local directory or a distro directory
(typically /usr/share/swtpm/profiles).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Accept profiles that start their name with 'custom:' and do not exceed
32 characters. The content of these profiles will be derived from the
built-in 'custom' profile unless Algorithms, Commands, or Attributes
are provided on the command line.
Adjust a test case to test with profile name starting with 'custom:'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
I was able to recreate the issue on one of my machines where swtpm_t
was trying to append to the log labeled with svirt_image_t. On another
machine this combination of labels does not seem to cause a problem.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2306817
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When swtpm --print-capabilities for example fails to be able to access
the log file that swtpm_setup logs into, then it may fail to run. In
this case log the stderr output of swtpm.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Return an error if the reading of the config file failed so that
config_file_lines can never be NULL. Remove all checks for
config_file_lines == NULL.
It's very unlikely reading of the config file failed since there's a file
access check right before it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Initialize the empty array authpolicy[0] to quiet a static analyzer.
This array only serves the purpose of providing a non-NULL pointer
when passed to memconcat.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Return TPM_FAIL in case of an invalid header version number to avoid a
potential segmentation fault when accessing an unavailable buffer due to
the header parser not returning an error code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable reading a profile from a file. Pass it as open file descriptor to
swtpm.
Adjust one test case to read a profile from a file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable reading a profile from a file.
If setting a profile fails, display the profile in the error message.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
An empty input string will for example cause json_parser_get_root to return
NULL. Return early in this case to avoid glib error messages.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Initialize seccomp_action with a default value that it will also
get assigned when handle_seccomp_options is called. This is done
to silence a static analyzer even though it's not necessary.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement concat_varrays that takes gchar ** as input and returns gchar **.
The concat_arrays has the identical implementation but takes const gchar **
as parameters and returns const gchar **. Use concat_arrays from
concat_varrays. Adjust all callers to cast arrays with constant strings to
const gchar *[] when calling concat_arrays. Modify some callers to call
concat_varrays now.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement warpper for g_spawn_sync and g_spawn_async that that take argv
and envp arguments as 'const gchar **' since they will be called like
this from swtpm_localca and swtpm_setup. Internally glib also uses the
parameters like this when calling fork_exec() for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Initialize key_description with a default string rather than using it
possibly uninitialized. In practice it would never be used uninitialized
since if a platform certificate is to be created, then the ek certificate
would have also been created and therefore swtpm2->ops->create_ek()
would have been called and set key_description.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
