If tpmtool supports --srk-well-known we also support the well known
SRK password and allow the user not to provide an SRK password on
the command line.
This patch should have been applied before the previous patch that
tests this. Luckily, only very few systems have tpmtool with
--srk-well-known so that the order would matter there (and cause test
failures).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Return the result code from the expect script to the caller.
Also, display possible log messages in case the private key file
was not written properly.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Support creation and usage of the root CA with a password protected
private key. The root CA's key password can be set using the environment
variable SWTPM_ROOTCA_PASSWORD.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This (experimental) script uses GnuTLS tpmtool to create a TPM 1.2
intermediate CA that can sign a vTPM's EK and platform certificates.
Add a man page for this tool.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
GnuTLS can use TPM 1.2 keys for signing. For this we just need to support
key URLs in the GnuTLS format:
tpmkey:uuid=...
tpmkey:file=...
We don't try to read these URLs as files but pass them through as URLs to
the swtpm_cert tool that will then try to sign with the TPM 1.2 key by
passing the URL to GnuTLS API calls.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm-localca was missing a help screen. This patch adds it and
is shown when --help or -? or -h is passed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
On some systems /bin/bash does not exists but the bash is somewhere
else and can be invoked with /usr/bin/env bash.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
OS/X has a flock (v0.2.3) implementation using
brew tap discoteq/discoteq
brew install flock
The current version doesn't support -x as a parameter for
an exclusive lock but uses an exclusive lock when no parameter
is passed at all.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To avoid clashes with the lock files created by swtpm, have
swtpm-localca creata a lock file with the name .lock.swtpm-localca
so they can share directories if necessary.
This patch makes tests/test_tpm2_swtpm_setup_create_cert run on
OpenBSD since the swtpm and swtpm-localca then do not interfere
with the file locks. This doesn't seem to be an issue on Linux
or Cygwin, though, where probably the file locking is implemented
differently.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.om>
OpenBSD uses an older sed implementation that doesn't understand the
meaning of the '+' for getting one or multiple occurrences of a letter.
Work around this by not using it and trimming white spaces at the end
of a variable using bash.
Use 100 as file descriptor rather than 200 to accomodate OpenBSD,
which only support file descriptors <= 127.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cleanse the tmp variable before running eval on it. This is to prevent
execution of commands that a hidden in variable values read from a config
file. We only need to resolve the values of variables and don't want
the execution of a subshell command initated by either $(...) or `...` .
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
This will allow to expand environment variables in config files, such as:
statedir = $XDG_RUNTIME_DIR/swtpm-localca
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
To allow the creation of EKs with signing and/or key encipherment
capabilities, add the --allow-signing and --decryption options
to swtpm-localca program.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Support TPM 2 in swtpm_setup and swtpm_setup.sh.
Implement support for all command line options except for:
o --take-ownership and anything related to ownership passwords
o --lock-nvram
o --display
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Since swtpm_setup now uses the swtpm_ioctl tool to get some of the
TPM attributes directly from the TPM, we don't need to pass these
options via the options file anymore.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
If the swtpm_cert was missing, nothing was reported in the error log. Change
this and report it in the error log rather than writing the error in the
certificate file.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement options --tpm-spec-family, --tpm-spec-revision, and
tpm-spec-level to pass to swtpm_cert for EK creation.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
If the key is not readable as the current user, such as tss:tss,
but it is there, we don't try to create it but error out.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
We are currently missing the Authority Key Id in the certificate used for
creating the EK cert. To get this, we create a root CA for our local CA
and use that root CA to sign the local CA's certificate. Our local
CA is now an intermediate CA and the Authority Key Id can now be copied
into the EK cert.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Certtool seems to not verify a certificate chain properly unless
the certificate has a distinguished name.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Remove the hardcodes tss user and group and to configure with
--with-tss-user=tss --with-tss-group=tss to set the tss user
and group to be used.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Disable the chown commands when building an RPM; we try to detect this
by the usage of DESTDIR.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Automatically create the signing key and a self-signed issuer
certificate if the state dir has to be created.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
