Skip the test_tpm2_libtpms_versions_profiles since it requires that swtpm is
built from a git checkout so that various versions of swtpm can be built.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The IBMTSS2 test suite creates signatures over SHA1 that may now fail on
RHEL 9.x and CentOS 9. To have these tests succeed set
OPENSSL_ENABLE_SHA1_SIGNATURES=1 so the tests do not need to be modified
and also check that the TPM 2 can handle SHA1 signatures as before.
'swtpm socket --tpm2' should set this environment variable automatically
if needed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get the list of enabled 'RuntimeAlgorithms' from libtpms and determine
whether any of these enabled algorithms is disabled in OpenSSL due to FIPS
mode. If FIPS mode on the host is enabled then disable FIPS mode in
OpenSSL so that the TPM 2 can function properly.
The following algorithms are disabled when OpenSSL is in FIPS mode:
- camellia
- rsaes
- tdes
- ECC keys <224 bits
- RSA keys <2048 bits
Per the openssl-ciphers man page it should be possible to disable the following
algorithms used by cipher suites:
- AES128, AES256, AES
- CAMELLIA128, CAMELLIA256, CAMELLIA
- 3DES
- SHA1, SHA, SHA256, SHA384
- CBC
Note: It's not clear at what API level these are disabled. I have not been able
to use !SHA256 to disable SHA256.
Also test whether signatures with SHA1 are working and enable them by setting
OPENSSL_ENABLE_SHA1_SIGNATURES=1.
The following output is expected for RHEL 9.x and CentOS 9 but does not
appear on Fedora 40 since there sha1 signatures are not (yet) disabled.
> swtpm socket \
--tpmstate dir=/tmp/myvtpm \
--ctrl type=tcp,port=2322 \
--server type=tcp,port=2321,disconnect \
--flags not-need-init,startup-clear \
--log level=0 \
--tpm2 \
--profile name=null
Warning: Profile-enabled algorithms contain disabled 'RSA-1024-sign(SHA1, pkcs1-pss)'
Warning: Setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
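The check described in this commit (walk the list of enabled RuntimeAlgorithms and flag the ones OpenSSL's FIPS mode refuses) as an added C example; it is not swtpm's code. The algorithm name style it assumes ("camellia", "tdes", "rsaes", "rsa-1024", "ecc-nist-p192") is a guess at libtpms' naming, and the sample list and host FIPS state are constructed. The rules it applies are exactly the five from the message above: camellia, rsaes and tdes always, RSA keys below 2048 bits and ECC keys below 224 bits.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not swtpm code. Algorithm names follow the style assumed
 * here for libtpms RuntimeAlgorithms entries: "camellia", "tdes", "rsaes",
 * "rsa-1024", "ecc-nist-p192"; the real list may differ. */

/* Parse the decimal run at the end of s ("rsa-1024" -> 1024); -1 if none. */
static long trailing_number(const char *s)
{
    size_t len = strlen(s), i = len;

    while (i > 0 && isdigit((unsigned char)s[i - 1]))
        i--;
    return i == len ? -1 : strtol(s + i, NULL, 10);
}

/* Apply the rules from the commit message: camellia, rsaes and tdes are
 * always off in FIPS mode; RSA keys below 2048 bits and ECC keys below
 * 224 bits are off as well. Returns 1 if FIPS mode disables 'alg'. */
int fips_disables(const char *alg)
{
    if (strcmp(alg, "camellia") == 0 || strcmp(alg, "rsaes") == 0 ||
        strcmp(alg, "tdes") == 0)
        return 1;
    if (strncmp(alg, "rsa-", 4) == 0) {
        long bits = trailing_number(alg);
        return bits > 0 && bits < 2048;
    }
    if (strncmp(alg, "ecc-", 4) == 0) {
        long bits = trailing_number(alg);
        return bits > 0 && bits < 224;
    }
    return 0;
}

/* Scan a comma-separated RuntimeAlgorithms list and write the disabled
 * entries, comma-separated, into 'report'. Returns their count, or -1 if
 * the input does not fit the scratch buffer. */
int find_fips_disabled(const char *runtime_algs, char *report, size_t reportlen)
{
    char buf[512];
    int count = 0;

    if (strlen(runtime_algs) >= sizeof(buf) || reportlen == 0)
        return -1;
    strcpy(buf, runtime_algs);
    report[0] = '\0';

    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        while (*tok == ' ')
            tok++;                          /* tolerate "a, b" spacing */
        if (!fips_disables(tok))
            continue;
        if (count++ > 0)
            strncat(report, ",", reportlen - strlen(report) - 1);
        strncat(report, tok, reportlen - strlen(report) - 1);
    }
    return count;
}

int main(void)
{
    /* Constructed sample list and constructed host FIPS state. */
    const char *enabled = "rsa-2048,rsa-1024,ecc-nist-p192,ecc-nist-p256,camellia,aes";
    int host_fips_enabled = 1;
    char report[256];
    int n = find_fips_disabled(enabled, report, sizeof(report));

    if (n > 0 && host_fips_enabled) {
        printf("Warning: profile-enabled algorithms contain FIPS-disabled '%s'\n", report);
        /* At this point the commit turns FIPS mode off for OpenSSL; with
         * OpenSSL 3 the call for that is EVP_default_properties_enable_fips(NULL, 0).
         * It is not made here so the example builds without OpenSSL. */
    }
    return 0;
}
```

The decision the commit describes is the combination of the two inputs: a non-empty report only matters when the host is in FIPS mode, and then the fix is to relax OpenSSL for this process rather than to silently drop algorithms the profile promised.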
- Use 3072-bit RSA keys if possible; not possible on Ubuntu 22.04
- Add test case with NIST p256 key and signing
- Store modified files in git repo *after* the copy of the repo
- Suppress more tools output
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
A version of sed on FreeBSD requires some adjustments to the sed
expressions for the test case to work. It does not support the
following:
- insertion of newline using '\n' -> replace with $'...\\\n...'
- request for matching of at least one character using '\+'
-> replace with '*' to match any number
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following issues:
- use a regular expression instead of hard-coded '4' to match
StateFormatLevel number that will change in the future
- get all available profiles from running tpm rather than only the active
profile -> use --info 0x40
- only compare with regular expression if it is non-empty because
this otherwise fails on Cygwin
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Check whether the bufferSize parameter is too small and an underflow of the
expression bufferSize - offset could theoretically occur. However, in
practice this will never happen since the caller will always provide a
bufferSize of around 4kb.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
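The underflow the commit guards against, shown as an added C example (not swtpm's code): an unsigned bufferSize - offset with offset larger than bufferSize wraps to a huge "remaining" value, so any later "does it fit?" test passes when it should fail. The function names and the sample sizes are constructed; the 4 KiB buffer mirrors the typical size mentioned in the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not swtpm code. */

/* Unchecked: unsigned subtraction silently wraps when offset > bufferSize,
 * e.g. 4096 - 4100 becomes 4294967292. */
uint32_t remaining_unchecked(uint32_t bufferSize, uint32_t offset)
{
    return bufferSize - offset;
}

/* Checked: refuse instead of wrapping. Returns 0 on success, -1 if the
 * offset already lies past the end of the buffer. */
int remaining_checked(uint32_t bufferSize, uint32_t offset, uint32_t *remaining)
{
    if (offset > bufferSize)
        return -1;
    *remaining = bufferSize - offset;
    return 0;
}

/* Typical caller: may 'need' bytes be written at 'offset'? */
int fits(uint32_t bufferSize, uint32_t offset, uint32_t need)
{
    uint32_t rem;

    if (remaining_checked(bufferSize, offset, &rem) < 0)
        return 0;
    return need <= rem;
}

int main(void)
{
    uint32_t bufferSize = 4096, bad_offset = 4100;   /* constructed values */

    printf("unchecked remaining: %u\n", remaining_unchecked(bufferSize, bad_offset));
    printf("checked fits(1 byte at %u): %d\n", bad_offset, fits(bufferSize, bad_offset, 1));
    return 0;
}
```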
Since 'comma1' will always be true, combine it with cmdarg_profile into one
string formatting parameter following the same formatting as further above.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
With swtpm now requiring libtpms >= 0.10 some of the patches applied to
the IBM TSS2 test suite have become obsolete. Remove them but also
have swtpm use the default-v1 profile that enables some of the newer
commands that were previously disabled.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the user did not provide the profile on the command line read the
default profile from the swtpm_setup.conf configuration file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for --print-profiles option to print all profiles supported
by libtpms.
Usage:
swtpm socket --tpm2 --print-profiles | jq
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a test case for testing profiles across libtpms versions. For now only
an instance with the NULL profile is being tested with the latest libtpms
version, and an attempt is then made to use the state with libtpms v0.9.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Print a list of names of profiles implemented by libtpms as part of the
capabilities JSON. The profiles map will only be visible if libtpms v0.10
with the TPMLIB_SetProfile() API is used.
swtpm_setup --print-capabilities --tpm2 | jq
{
  "type": "swtpm_setup",
  "features": [
    [...]
  ],
  "profiles": [
    "default-v1",
    "null",
    "custom"
  ],
  "version": "0.10.0"
}
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Print a list of names of profiles implemented by libtpms as part of the
capabilities JSON. The profiles map will only be visible if libtpms v0.10
with the TPMLIB_SetProfile() API is used.
swtpm socket --print-capabilities --tpm2 | jq
{
  "type": "swtpm",
  "features": [
    [...]
  ],
  "profiles": {
    "names": [
      "default-v1",
      "null",
      "custom"
    ],
    ...
  },
  "version": "0.10.0"
}
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display the new capability verb 'cmdarg-profile' indicating that the
--profile option with the name= and profile= parameters is supported.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for the --profile option for a TPM 2. The 'name=' parameter
allows a user to select a specific profile available in libtpms. The
'profile=' parameter allows a user to pass a JSON profile that must
contain a name field with a profile known to libtpms. It may contain
an algorithm field that has a comma-separated list of verbs with the
names of algorithms that the TPM 2 is supposed to provide.
The --profile option only has an effect the first time a TPM 2 is started
since afterwards whenever the state of the TPM 2 is read, the profile
found in the state is being used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow passing a JSON map as part of an option value in the format of
--foo name={...},... Prior to this patch this would not have worked since
the option values were broken apart around commas, which a map may also
contain. Now, if a '{' follows the '=', an attempt is made to parse the
value as a JSON map, and the end of the map is searched for while taking
possibly embedded maps into account.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
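A parser for the "--foo name={...},..." value format the commit describes, as an added C example; it is not swtpm's option parser. It splits on commas as before, but when a value begins with '{' it scans to the matching '}' first, honouring nested maps and braces that appear inside JSON strings, so the commas inside the map are not treated as separators. The struct and function names are invented for the example and the option strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not swtpm's option parser. Splits "key=value,..." option
 * strings where a value starting with '{' is a JSON map that may itself
 * contain commas and nested maps. */

struct kv {
    char key[32];
    char value[256];
};

/* s points at a '{'. Return a pointer to the matching '}', honouring nested
 * braces and braces inside double-quoted strings; NULL if unbalanced. */
static const char *find_map_end(const char *s)
{
    int depth = 0, in_string = 0;

    for (const char *p = s; *p; p++) {
        if (in_string) {
            if (*p == '\\' && p[1])
                p++;                 /* skip the escaped character */
            else if (*p == '"')
                in_string = 0;
            continue;
        }
        if (*p == '"')
            in_string = 1;
        else if (*p == '{')
            depth++;
        else if (*p == '}' && --depth == 0)
            return p;
    }
    return NULL;
}

/* Fill 'out' with up to 'max' pairs. Returns the number of pairs, or -1 on
 * malformed input (missing '=', unbalanced map, junk after a map, overflow). */
int split_option(const char *opts, struct kv *out, size_t max)
{
    size_t n = 0;
    const char *p = opts;

    while (*p) {
        const char *eq = strchr(p, '=');
        const char *vstart, *vend;
        size_t klen, vlen;

        /* a key must exist, must fit, and must not contain a comma */
        if (!eq || n == max || memchr(p, ',', (size_t)(eq - p)))
            return -1;
        vstart = eq + 1;
        if (*vstart == '{') {
            const char *close = find_map_end(vstart);
            if (!close)
                return -1;
            vend = close + 1;
            if (*vend != '\0' && *vend != ',')
                return -1;       /* only ',' or end may follow a map */
        } else {
            const char *comma = strchr(vstart, ',');
            vend = comma ? comma : vstart + strlen(vstart);
        }
        klen = (size_t)(eq - p);
        vlen = (size_t)(vend - vstart);
        if (klen == 0 || klen >= sizeof(out[n].key) || vlen >= sizeof(out[n].value))
            return -1;
        memcpy(out[n].key, p, klen);
        out[n].key[klen] = '\0';
        memcpy(out[n].value, vstart, vlen);
        out[n].value[vlen] = '\0';
        n++;
        p = (*vend == ',') ? vend + 1 : vend;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed option string in the "name=...,profile={...}" shape. */
    const char *opts = "name=custom,profile={\"Name\":\"custom\",\"Algorithms\":\"rsa,ecc\"}";
    struct kv kv[4];
    int n = split_option(opts, kv, 4);

    for (int i = 0; i < n; i++)
        printf("%s => %s\n", kv[i].key, kv[i].value);
    return 0;
}
```

Rejecting anything other than ',' or the end of the string directly after a map is what keeps a malformed value from being silently glued to the next key; the old comma-only splitter would instead have produced a truncated map and a bogus extra key.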
Libtpms v0.10 adds the TPMLIB_SetProfile call that swtpm needs to set a
profile. Check whether the API call is available in the local libtpms
installation.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
It is better to have it as a separate action,
so it can grow with more things to do on release.
It calls the existing docker build and push to avoid duplication.
Signed-off-by: Boris Glimcher <Boris.Glimcher@emc.com>
Auto testing as well as a good example of
how to run SWTPM in docker or compose.
Simply run `docker-compose up` to bring both swtpm and test.
Or run `docker-compose up --build --force-recreate` to re-build.
Or run `docker-compose up swtpm` to only start swtpm service without
test.
Added new job in the github action to automate this as well.
Signed-off-by: Boris Glimcher <Boris.Glimcher@emc.com>
Fixes #869
Using popular Hadolint linter for dockers.
Using standard GitHub action for building.
Build will also publish to GHCR after PR is merged, not before.
Signed-off-by: Boris Glimcher <Boris.Glimcher@emc.com>
Fixed #869
Used multi-stage build here to reduce final image size.
Builder should have packages for dev and compile.
Final image should only have dependencies for runtime.
Building is simple using `docker build .` command.
Or `docker build --build-arg="LIBTPMS_BRANCH=v0.9.6" .`
if you want another branch/tag of libtpms.
Next patch will add:
- linter
- build
- tpm2 tools testing
Signed-off-by: Boris Glimcher <Boris.Glimcher@emc.com>
If the user did not provide the RSA keysize to use, try to read it from
swtpm_setup.conf and if nothing is found there fall back to using the
internal default RSA keysize (2048).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Factor-out read_file_lines from get_default_pcr_banks and pass the array
of lines from the config file into get_default_pcr_banks now. Now other
functions will also be able to access the lines from the config file
without having to re-read the config file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace usage of samples/swtpm_setup.conf, use the one from tests/
instead. This allows installed-tests to refer to it.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
swtpm sometimes needs to create lock files in subdirectories of
/var/lib/libvirt/swtpm/. Since libvirt sets the owner of these
subdirectories to root, apparmor blocks swtpm's access to this when set to
owner. Add write permissions for lock files without the owner restriction
to the folder to fix wc denials.
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
Some features of swtpm require kernel modules, such as --vtpm-proxy. Fix
apparmor denials related to this by adding capability sys_admin to the apparmor
profile.
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
Older versions of libtpms produced smaller initial state files.
Therefore, use a regular expression to compare the sizes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>