Implement tpmlib_choose_tpm_version() that reports an error when an un-
supported version is chosen. Have it used by existing code where possible.
If TPM 1.2 is not supported by libtpms, the following message is now
displayed:
swtpm: Error: TPM 1.2 is not supported by libtpms.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2024583
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of a Coverity complaint by not assigning the same pointer
to the result of g_strchomp() as the parameter to the function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of a Coverity complaint by not assigning the same pointer
to the result of g_strchomp() as the parameter to the function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
certtool on 32 bit machines seems to expire a never expiring certificate
in 2037 rather than 9999.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following compilation error occurring on 32bit machines:
swtpm_nvstore_linear_file.c: In function 'SWTPM_NVRAM_LinearFile_Mmap':
swtpm_nvstore_linear_file.c:58:20: error: comparison of integer expressions of different signedness: '__off_t' {aka 'long int'} and 'unsigned int' [-Werror=sign-compare]
58 | if (st.st_size >= (uint32_t)sizeof(struct nvram_linear_hdr)) {
| ^~
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add CFLAGS="-DOPENSSL_SUPPRESS_DEPRECATED=1" to the configure line
to avoid compile-time errors when building the TPM 1.2 test with
OpenSSL 3.0.
IBM TSS2 v1.6 test does not currently work with OpenSSL 3.0, so
skip it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for --reconfigure option for the swtpm_setup to be able to
change the active PCR banks. This option only works with --tpm2 and does
not allow to pass several other options such --create-ek or
--create-ek-cert or --create-platform-cert that would alter the state of
the TPM 2 in other ways.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Certain characters are not accepted by gnutls when creating the
subject with the 'CN' from the vmid, so we have to replace those
characters with another one, such as '_'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Write the active_pcr_banks into swtpm_setup.conf with the default
PCR banks from the configure script.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the user did not provide the PCR banks to activate through the command
line options, try to read it from the config file and if nothing is found
there, fall back to the DEFAULT_PCR_BANKS as set during configure time.
Move the check for the PCR banks after the access check to the
configuration file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option that allows for the configuration of the default PCR bank
to use. This was currently hard coded to sha256 and now may be passed
via this option. The fallback is still sha256. Valid PCR bank names are
sha1, sha256, sha384, and sha512. The passed list must be a comma-
separated list of the valid PCR bank names.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm_setup.conf has traditionally pointed to
/usr/share/swtpm/swtpm-localca for create_certs_tool but since
/usr/bin/swtpm_localca is now available, have newly created
config files point to this executable instead.
Since there are possibly many swtpm_setup.conf out there pointing
to /usr/share/swtpm/swtpm-localca, we have to still install
swtm_localca there as well and package it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
We cannot currently fsync on the TPM's state file and the dir since this
takes too long and commands in a VM may time out. The reason for this is
that the TPM 2 code occasionally writes the permanent state out even on
commands like TPM2_PCR_Extend that must not take a long time.
See explanation for this in the libtpms PR https://github.com/stefanberger/libtpms/pull/274 .
We will re-enable this feature in 'a while' once the updated libtpms
version has been made more widely available.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix issue #591 by initializing the variables swtpm_has_tpm2 and
swtpm_has_tpm12.
swtpm_setup.c:1178:31: note: 'swtpm_has_tpm2' was declared here
gboolean swtpm_has_tpm12, swtpm_has_tpm2;
^~~~~~~~~~~~~~
swtpm_setup.c:1019:5: error: 'swtpm_has_tpm12' may be used uninitialized in this function [-Werror=maybe-uninitialized]
printf("{ \"type\": \"swtpm_setup\", "
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"\"features\": [ %s%s\"cmdarg-keyfile-fd\", \"cmdarg-pwdfile-fd\", \"tpm12-not-need-root\""
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
It is possible to start swtpm with this command line even though
neither storage nor communication channels have been provided.
./src/swtpm/swtpm socket --flags not-need-init,startup-clear
Since sending a startup message to the TPM will cause it to
want to store permanent state, we have to handle the case when
no storage backend was given and therefore the backend_uri
is NULL.
Previously the above command line caused a NULL pointer exception
but now handles this case with the following output:
swtpm: SWTPM_NVRAM_Init: Missing backend URI.
swtpm: Error: Could not initialize libtpms.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Rather than having the CA certificates, that are created on the fly,
expire in 10 years, have them not expire at all.
Also create TPM certificates that don't expire and extend a test
case for this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Have swtpm-create-user-config-files run swtpm_setup with the new
--create-config-files option and possible parameters.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for skipping over creating the files
if any one of the config files already exist.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the option --create-config-files to create config files
for swtpm_setup and swtpm-localca for a user account. The files will
be created under the $XDG_CONFIG_HOME or $HOME/.config directories.
This option supports optional arguments 'overwrite' to allow overwriting
existing config files as well as the optional argument 'root' to create
config files under root's home directory. Both options can be passed
by separating them with a ','.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Adapted from tpm-udev [0] which handles that, but it is not really a
hard-requirement for swtpm and TSS_USER is configurable after all
(even if that is mostly used for the test system).
So, create that user and group if it does not exists to avoid errors
and failing installation.
[0]: https://salsa.debian.org/debian/tpm-udev/-/blob/master/debian/tpm-udev.postinst
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
