Commit Graph

447 Commits

Author SHA1 Message Date
Stefan Berger
208a852425 tests: Retry NVWrite command after 0x922 return code and inc lockout counter
When returncode 0x922 is received from NVWrite then retry the command so
that it gets the expected error code from failing to provide a password.
When checking the lockout counter, increase the numbers now.

Patched versions of libtpms may not return 0x922 anymore, so write the code
so that it can test both cases.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2025-05-13 08:51:22 -04:00
Stefan Berger
f55e820e50 tests: Extend regex to allow for optional RSA-4096 keys
libtpms v0.11 will support RSA-4096 keys. Adjust the test case
regex for optional output of 'tpm2-rsa-keysize-4096'.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2025-05-07 12:32:23 -04:00
Stefan Berger
79430fa0d3 swtpm_setup: Do not pass a TPM 2 profile to swtpm when reconfiguring
Ensure that no profile is passed to the TPM 2 when it is to be reconfigured
by:

- Showing an error if user tries to pass a profile when also --reconfigure
  is passed
- Not taking the default profile from the swtpm_setup.conf configuration
  file if the user did not pass a profile

Extend an existing test case with a default profile in its swtpm_setup.conf
so that the above 2nd item is tested.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2025-03-28 11:35:33 -04:00
Stefan Berger
05f4d91989 test: Exit IBM TSS2 test early if it does not support swtpm
Check the help screen for necessary supported options since the IBM TSS2
test will have to be patched to support swtpm directly. If it does not
support it, exit the tests early with an error message.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-28 21:19:33 -04:00
Stefan Berger
395ada34d8 tests: Update IBMTSS2 test suite to v2.4.0
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-24 18:20:01 -04:00
Stefan Berger
ab267bfe4a swtpm: Only display profile capabilities when --tpm2 is given
Only display profile capabilities when --tpm2 is given since they are only
relevant when a TPM 2 is used.

Adjust test cases.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-23 19:44:57 -04:00
Stefan Berger
a72da2dfac tests: Extend regex's with optional match for Attributes in profiles
The default-v1 profile may soon also set Attributes in the JSON and
therefore extend the regular expressions matching profiles to optionally
match for Attributes.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-17 17:56:11 -04:00
Stefan Berger
38aa3d972c swtpm: Display tpmstate-opt-lock as a new capability
Display the new capability tpmstate-opt-lock, adjust test cases,
and document it in the swtpm man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
aa483aeb6d swtpm: nvstore_linear: Add support for file-backend locking
Add support for locking the storage file using fcntl(fd, F_SETLK, ...).
Since fcntl needs a file descriptor of the actual storage file, call
SWTPM_NVRAM_LinearFile_DoOpenURI() to open the file in case it has not
been opened, yet. In case of error close the file again but be careful
about the fact that it may not have been mmap'ed, yet.

Since now all backends have .lock and .unlock nvram_backend_ops, they can
be called without checking for a NULL pointer.

Extend an existing test case with a file-backend storage lock test.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
e159d26671 tests: Use ${CERTTOOL} rather than certtool (OS X)
On OS X we have to use ${CERTTOOL} rather than certtool to get
gnutls-certtool.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-13 19:46:15 -04:00
Stefan Berger
7b2ee0ed2e tests: Test activation of PCR banks when not all are available
Restrict available PCR banks to sha256 & sha384 and try to enable sha256
and sha512 and check the expected results.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-08 10:42:47 -04:00
Stefan Berger
3f551e1dc1 swtpm: Implement --print-info to run TPMLIB_GetInfo with flags
Implement --print-info that takes a number as argument and uses this number
as flags to call TPMLIB_GetInfo with. Display the JSON string and exit.

Extend the man page and update other parts where swtpm_ioctl is not necessary
anymore to use.

Extend a test case to also check that swtpm now returns the same result as
swtpm_ioctl does.

Append cmdarg-print-info to printed out capabilities. Adjust test cases.
(Expect 'profiles' to always be part of capabilities JSON.)

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-07 11:09:04 -04:00
Stefan Berger
770abf3ff0 tests: Fix a typo in the name of a profile
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 18:20:18 -04:00
Stefan Berger
8f670605b5 tests: Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
Enable SWTPM_TEST_PROFILE for running the test_tpm2_ibmtss2 test cases
with a user provided profile. Document it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 18:20:18 -04:00
Stefan Berger
c6db0e3185 swtpm: Support 'remove-disabled' for 'custom:'-prefixed profile names
Extend the support for 'remove-disabled' option parameter of the --profile
option to also work for profiles whose name starts with 'custom:'.

Modify an existing test case to use custom:test as profile name with this
option.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 18:20:18 -04:00
Stefan Berger
34e5103045 swtpm_setup: Implement --print-profiles to display all profiles
Implement support for the --print-profiles option to search the local
and distro profiles directories for profiles (files with .json extension)
and then get the built-in ones from swtpm. Print them all to stdout.

Extend a test case and add description to the man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 09:35:17 -04:00
Stefan Berger
5486f0437f swtpm_setup: Add support for --profile-name option
Add support for --profile-name option that searches for a profile in a
configurable local directory or a distro directory
(typically /usr/share/swtpm/profiles).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 09:35:17 -04:00
Stefan Berger
7198e0d716 swtpm_setup: Accept profiles with name starting with 'custom:'
Accept profiles that start their name with 'custom:' and do not exceed
32 characters. The content of these profiles will be derived from the
built-in 'custom' profile unless Algorithms, Commands, or Attributes
are provided on the command line.

Adjust a test case to test with profile name starting with 'custom:'.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-01 19:12:05 -04:00
Stefan Berger
d5bfdafdc4 swtpm_setup: Support --profile-file <file> to read profile from file
Enable reading a profile from a file. Pass it as open file descriptor to
swtpm.

Adjust one test case to read a profile from a file.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-23 13:37:15 -04:00
Stefan Berger
cbaab161d3 swtpm: Ignore remove-disabled parameter on non-'custom' profile
Ignore the remove-disabled parameter on non-'custom' profile identified
by return value '1'. Switch to negative return values in the called function.

Extend a test case to ensure that the --profile-remove-disabled option
on swtpm_setup, which is passed through to swtpm, has no effect on 'null'
and 'default-v1' profiles.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-19 20:59:56 -04:00
Stefan Berger
6b1112aef2 swtpm: Check for good entropy source in chroot environment
Very old OpenSSL versions (e.g., 1.1.0i) are using /dev/urandom to get
entropy while newer ones are using the getrandom syscall that does not
need the device file. In some environments access to the created
/dev/urandom device file may not work (EACCES; chroot test case) and
then OpenSSL will start failing operations that depend on good entropy.
Therefore, check the status of the random number generator after chroot.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-19 16:54:28 -04:00
Stefan Berger
51a13a7053 tests: Add a check for OPENSSL_ENABLE_SHA1_SIGNATURES in log file
CentOS 9 and RHEL >= 9.4 (maybe earlier also) are expected to log the
setting of OPENSSL_ENABLE_SHA1_SIGNATURES when a libtpms v0.9 state is
used where signing a SHA1 was allowed and needs to be enabled with this
environment variable.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-17 07:37:42 -04:00
Stefan Berger
1d2fd75bfd swtpm_setup: Implement --profile-remove-fips-disabled option
Implement the --profile-remove-fips-disabled option that is used to tell
swtpm to remove algorithms that are disabled by FIPS mode on the host.
Internally, this option passes the remove-fips-disabled option parameter
with the --profile option to swtpm.

Add a test cases passing this option and check that the resulting profiles
have key sizes adjusted and relevant attributes set.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-16 13:20:46 -04:00
Stefan Berger
c3de83e7fe swtpm: Implement function to check whether a crypto algorithm is disabled
Implement a function that checks whether a crypto algorithm identified by
TPM algorithm identifiers is disabled.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-16 13:20:46 -04:00
Stefan Berger
50a746ff11 test: Consolidate custom profile test cases and check for StateFormatLevel
Consolidate some test cases related to the custom profile and add
additional checks for various StateFormatLevels.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-13 18:25:52 -04:00
Stefan Berger
02555ce58a tests: Convert test_samples_create_tpmca to run installed
Convert the TPM 1.2 test case test_samples_create_tpmca to be able to run
installed. It also needs to have the test_config file installed.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-13 16:02:58 -04:00
Stefan Berger
f122f14a56 test: Wrap sed -i in sed-inplace
Since there is a BSD variant of sed that requires a parameter for the -i
option provide a sed-inplace wrapper script.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-13 16:02:58 -04:00
Stefan Berger
29b5a04031 test: Wrap install -D in fileinstall
Since there is a BSD variant of install that does not support the -D option
like install on Linux, provide a fileinstall wrapper script.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-13 16:02:58 -04:00
Stefan Berger
a0e9d4b3fe swtpm: Print cmdarg-print-profiles as part of capabilities
Commit 96fe5afa forgot to add cmdarg-print-profiles to the list of
capabilities. Also fix typo in the man page and sort shown output
to match application output.

Fixes: 96fe5afa ("swtpm: Add support for --print-profiles option")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-10 08:01:41 -04:00
Stefan Berger
54583a87b5 tests: Mention test_tpm2_libtpms_versions_profiles requiring env. variables
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-08-27 09:07:02 -04:00
Marc-André Lureau
fe4b82c62d tests: fix installed test-tpm12
Use an absolute path for TESTDIR, as we refer to it from different
directories.

Also fix killing gone swtpm process.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2024-08-27 07:49:10 -04:00
Marc-André Lureau
d93a6c2f5f tests: source common under ${TESTDIR}
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2024-08-27 07:49:10 -04:00
Marc-André Lureau
603396664f tests: allow running ibmtss2 tests against installed version
Run against the installed version only when SWTPM_TEST_IBMTSS is
set to the directory that has the tests, otherwise, build the known
version.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2024-08-27 07:49:10 -04:00
Stefan Berger
0da1dcc8a3 tests: Derive support for CUSE from SWTPM_EXE help screen
Use 'swtpm --help | grep cuse' to determine whether CUSE interface
is supported and CUSE related tests need to run. Make sure that
SWTPM_EXE is available when test_cuse is sourced.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-08-26 20:00:14 -04:00
Stefan Berger
4ef45bc7f5 tests: Remove SWTPM variable and usage
SWTPM was set to 'swtpm' and only for uninstalled tests. Remove it and
replace its usage with 'swtpm' everywhere.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-08-26 20:00:14 -04:00
Stefan Berger
ec792ce855 tests: Convert more test cases to rely on variables from common
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-08-26 20:00:14 -04:00
Stefan Berger
1d6996ee87 tests: Skip test_tpm2_libtpms_versions_profiles if not run from git checkout
Skip the test_tpm2_libtpms_versions_profiles since it requires that swtpm is
built from a git checkout so that various versions of swtpm can be built.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-08-26 20:00:14 -04:00
Stefan Berger
5677f2caf5 tests: Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
The IBMTSS2 test suite creates signatures over SHA1 that may now fail on
RHEL 9.x and CentOS 9. To have these tests succeed set
OPENSSL_ENABLE_SHA1_SIGNATURES=1 so the tests do not need to be modified
and also check that the TPM 2 can handle SHA1 signatures as before.
'swtpm socket --tpm2' should set this environment variable automatically
if needed.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-08-21 12:13:26 -04:00
Stefan Berger
f54ba57448 tests: Add missing 7th parameter to function call
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-08-20 11:39:03 -04:00
Stefan Berger
e3cdb5d29c tests: Update IBMTSS2 test suite to v2.3.2
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-08-19 10:59:31 -04:00
Stefan Berger
40ee803480 tests: Extend test case testing across libtpms versions
- Use 3072bit RSA keys if possible; not possible on Ubuntu 22.04
- Add test case with NIST p256 key and signing
- Store modified files in git repo *after* the copy of the repo
- Suppress more tools output

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-24 20:46:42 -04:00
Stefan Berger
201de9a616 tests: Adjust sed expressions to work with BSD's sed
A version of sed on FreeBSD requires some adjustments to the sed
expressions for the test case to work. It does not support the
following:
- insertion of newline using '\n' -> replace with $'...\\\n...'
- request for matching of at least one character using '\+'
  -> replace with '*' to match any number

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-24 10:14:27 -04:00
Stefan Berger
4a7af5333f tests: Fix some issues with test for swtpm_setup --profile
Fix the following issues:
- use a regular expression instead of hard coded '4' to match
  StateFormatLevel number that will change in the future
- get all available profiles from running tpm rather than only the active
  profile -> use --info 0x40
- only compare with regular expression if it is non-empty because
  this otherwise fails on Cygwin

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-23 16:47:08 -04:00
Stefan Berger
3c1e535efb tests: Move testing of profiles from a dev branch to master branch
Now that master has the profile support, make the test case also use it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 11:57:12 -04:00
Stefan Berger
eefbd3fb93 tests: Update to ibmtpm20tss v2.3.1 with rev183 tests
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 11:57:12 -04:00
Stefan Berger
77d42c9ac9 tests: Remove unnecessary patches for ibmtss2 test suite
With swtpm now requiring libtpms >= 0.10 some of the patches applied to
the IBM TSS2 test suite have become obsolete. Remove them but also
have swtpm use the default-v1 profile that enables some of the newer
commands that were previously disabled.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 11:57:12 -04:00
Stefan Berger
62aaf0a251 tests: Add test case for testing profiles across libtpms versions
Add a test case for testing profiles across libtpms versions. For now only
an instance with the NULL profile is being tested with the latest libtpms
version and the state is then attempted to be used by libtpms v0.9.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00
Stefan Berger
3785d49329 tests: Test the --profile option of swtpm_setup and swtpm
Implement test cases for swtpm_setup and swtpm exercising the
--profile option.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00
Stefan Berger
8bfa8399b3 swtpm_setup: Print profile names as part of capabilities JSON
Print a list of names of profiles implemented by libtpms as part of the
capabilities JSON. The profiles map will only be visible if libtpms v0.10
with the TPMLIB_SetProfile() API is used.

swtpm_setup --print-capabilities --tpm2 | jq
{
  "type": "swtpm_setup",
  "features": [
    [...]
  ],
  "profiles": [
    "default-v1",
    "null",
    "custom"
  ],
  "version": "0.10.0"
}

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00
Stefan Berger
3a49ce1302 swtpm: Print profile names as part of capabilities JSON
Print a list of names of profiles implemented by libtpms as part of the
capabilities JSON. The profiles map will only be visible if libtpms v0.10
with the TPMLIB_SetProfile() API is used.

swtpm socket --print-capabilities  --tpm2| jq
{
  "type": "swtpm",
  "features": [
    [...]
  ],
  "profiles": {
    "names": [
      "default-v1",
      "null",
      "custom"
    ],
    ...
  },
  "version": "0.10.0"
}

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-07-22 09:46:58 -04:00