The default-v1 profile may soon also set Attributes in the JSON and
therefore extend the regular expressions matching profiles to optionally
match for Attributes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Restrict available PCR banks to sha256 & sha384 and try to enable sha256
and sha512 and check the expected results.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement --print-info that takes a number as argument and uses this number
as flags to call TPMLIB_GetInfo with. Display the JSON string and exit.
Extend the man page and update other parts where swtpm_ioctl is not necessary
anymore to use.
Extend a test case to also check that swtpm now returns the same result as
swtpm_ioctl does.
Append cmdarg-print-info to printed out capabilties. Adjust test cases.
(Expect 'profiles' to always be part of capabilties JSON.)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the support for 'remove-disabled' option parameter of the --profile
option to also work for profiles whose name starts with 'custom:'.
Modify an existing test case to use custom:test as profile name with this
option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Accept profiles that start their name with 'custom:' and do not exceed
32 characters. The content of these profiles will be derived from the
built-in 'custom' profile unless Algorithms, Commands, or Attributes
are provided on the command line.
Adjust a test case to test with profile name starting with 'custom:'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable reading a profile from a file. Pass it as open file descriptor to
swtpm.
Adjust one test case to read a profile from a file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Ignore the remove-disabled parameter on non-'custom' profile identified
by return value '1'. Switch to negative return values in the called function.
Extend a test case to ensure that the --profile-remove-disabled option
on swtpm_setup, which is passed through to swtpm, has no effect on 'null'
and 'default-v1' profiles.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
CentOS 9 and RHEL >= 9.4 (maybe earlier also) are expected to log the
setting of OPENSSL_ENABLE_SHA1_SIGNATURES when a libtpms v0.9 state is
used where signing a SHA1 was allowed and needs to be enable with this
environment variable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the --profile-remove-fips-disabled option that is used to tell
swtpm to remove algorithms that are disabled by FIPS mode on the host.
Internally, this option passes the remove-fips-disabled option parameter
with the --profile option to swtpm.
Add a test cases passing this option and check that the resulting profiles
have key sizes adjusted and relevant attributes set.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Consoldiate some test cases related to the custom profile and add
additional checks for various StateFormatLevels.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
A version of sed on FreeBSD requires some adjustments to the sed
expressions for the test case to work. It does not support the
following:
- insertion of newline using '\n' -> replace with $'...\\\n...'
- request for matching of at least one character using '\+'
-> replace with '*' to match any number
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following issues:
- use a regular expression instead of hard coded '4' to match
StateFormatLevel number that will change in the future
- get all available profiles from running tpm rather than only the active
profile -> use --info 0x40
- only compare with regular experssion if it is non-empty because
this otherwise fails on Cygwin
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
