Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Extend swtpm_setup.pod showing swtpm-create-user-config-files usage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Escape many more special shell characters before calling eval on
an entry to convert a variable to its value. Uncareful writing of
a swtpm-local.conf config file could have lead to files being over-
written using '>' for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the --print-capabilities option to also report supported RSA
key sizes. Only the TPM 2 may support anything else than 2048 bit RSA
keys, so we only consult 'swtpm socket --tpm2 --print-capabilities'
and grep for 2048 and 3072 key sizes and report them.
If nothing is found, nothing is reported, as before, and 2048 bit RSA
keys should be assumed.
'swtpm_setup --tpm2 --print-capabilities' may now show the following:
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"tpm2-rsa-keysize-2048",
"tpm2-rsa-keysize-3072"
]
}
Also adjust a test case to use a regular expression for matching
against an expected string that may nor may not have rsa-keysize
verbs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Construct RSA key size capability strings from libtpms TPMLIB_GetInfo()
string so that we can easily show which RSA key sizes are supported by
the TPM 2 implementation. If none are advertised, 1024 & 2048 can be
assumed to be supported.
'swtpm socket --tpm2 --print-capabilities' may now print the following:
{
"type": "swtpm",
"features": [
"tpm-send-command-header",
"flags-opt-startup",
"cmdarg-seccomp",
"cmdarg-key-fd",
"cmdarg-pwd-fd",
"no-tpm12-tools",
"rsa-keysize-1024",
"rsa-keysize-2048",
"rsa-keysize-3072"
]
}
We need to adapt the related test case to use a regular expression since
the rsa-keysize-xyz strings may or may not be there depending on libtpms
version.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the host is missing tcsd (trousers) or the tpm-tools, swtpm_setup
will now report the 'no-tpm12-tools' verb like this:
> swtpm_setup --print-capabilities | jq
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"no-tpm12-tools"
]
}
The only TPM 1.2 setup parameter that requires interaction with
the TPM 1.2 that can be pass is then '--createek'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for passing the curve id via the --curve-id
option. Default assumes secp256r1. secp384r1 is also supported.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the script that creates a CA that uses a TPM 2 for signing.
For this we have to create tokens using the TPM 2 pkcs11 module's
tpm2_ptool and can then use the p11tool for creating keys.
Add a test case that requires a running tpm2-abrmd and tpm2_ptool.
Eventually the test case should (try to) start its own tpm2-abrmd
and talk to swtpm directly but the tcti module to do that isn't
available as a package, yet.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add documentation about the new startup options support as well
as the new capability and its meaning.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for the --print-capabilities option to display newly
added capabilities. Adpat the man page and related test case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow passing signing key and parent key via files and file descriptors
and environment variables. Adapt a test case to exercise this new
functionality.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The signingkey entry can also be a pkcs11: URI. The semilcolons in the URI
have to be escaped due to the shell reading the entries.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the --tcsp-system-ps-file option to make a backup of
TCSD's system_ps_file for later use of the setup TPM with the
TCSD. We need this for a test case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Support creation and usage of the root CA with a password protected
private key. The root CA's key password can be set using the environment
variable SWTPM_ROOTCA_PASSWORD.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This (experimental) script uses GnuTLS tpmtool to create a TPM 1.2
intermediate CA that can sign a vTPM's EK and platform certificates.
Add a man page for this tool.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
GnuTLS can use TPM 1.2 keys for signing. For this we just need to support
key URLs in the GnuTLS format:
tpmkey:uuid=...
tpmkey:file=...
We don't try to read these URLs as files but pass them through as URLs to
the swtpm_cert tool that will then try to sign with the TPM 1.2 key by
passing the URL to GnuTLS API calls.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Gnutls supports TPM 1.2 keys in its API and we can use a TPM 1.2
signing key for signing the EK or platform certs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To make the RPM building easier for the --without-cuse case we have to omit
a couple of files from being built so that they are not left-overs when
packing the RPM without building swtpm-cuse.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The swtpm man page incorrectly showed binaddress as the option parameter
for the address to bind to. It must be called bindaddr.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement command line support for choosing the cipher to use for
the TPM state encryption. Either aes-128-cbc or aes-256-cbc can be
used. The same cipher has to be passed on the swtpm command line
when using the TPM.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Extend the buffer the key is read into to hold an 256bit key.
Add support for aes-256-cbc. Also, aes-128-cbc is now a synonym for
aes-cbc.
Update the man pages to reflect the AES 128 support.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use pbkdf2 as the default kdf and sha512 for the existing
test case. Do away with file limit of 32 bytes. This may
break backwards compatibility for some but better to do this
before a release...
Switch the existing test cases to use kdf=sha512 on the command
line where necessary to that the state for these test cases
does not need to be recreated.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement --pcr-banks to allow a user to choose the set of active
PCR banks. We determine the PCR banks available and enable those
that the user chose and that are available.
The log will now print out the following:
Successfully activated PCR banks sha1,sha256 among sha1,sha256,sha384.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Extend the swtpm_setup man page with an example for how a non-root
user can create a TPM 2 with an EK and platform certificate.
Document the default locations of the config file swtpm_setup uses.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add the --decryption option to enable key encipherment separately
from enabling signing for the EK. The key encipherment is not set
but needs to be set if --allow-signing is used and key encipherment
is also requested.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To allow the creation of EKs with signing and/or key encipherment
capabilities, add the --allow-signing and --decryption options
to swtpm-localca program.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
In case of a TPM 2 we allow the creation of a signing key by passing
--allow signing. To also enable key encipherment, we add the --decryption
option to allow key encipherment and signing at the same time.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
