Avoid trying to create TPM certificates while the issuer certificate has
not been created, yet (in a 2nd step).
To resolve this do not just test for availability of the signing key, which
is created first, but also test for the issuer certifcate, which is created
in a 2nd step when the local CA is created. If either one is missing,
attempt to create the CA.
Resolves: #644
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To force the installation of the python programs add a python-install
target. This solves an installation issue with non-standard prefix,
like not using /usr or /usr/local, as may be the case on OS X (Apple)
when using homebrew. It leaves the 'make distcheck' working, which also
uses a non-standard prefix and where we don't want to install the tools
due to issues with removing them afterwards where pip3 cannot be used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When creating the user config files, fall back to using ${HOME}/.config
if XDG_CONFIG_HOME is not set on a system.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Pass the CA's private key password via the template file. Remove recently
added old GnuTLS support. Extend man page with a paragraph about short-
comings of certtool that doesn't seem to allow private key password being
passed either as environment variable or template file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Older versions of GnuTLS need --password on the command line while
newer versions require GNUTLS_PIN to be set to pass the password.
So, this patch accomodates older versions of GnuTLS.
Older version of GnuTLS seem to NOT be able to handle a CA private
key needing a password and a signing key needing a password when
creating the intermediate CA. So this case of 2 passwords will
always fail.
The value of the local CA is not so high that passing passwords on
the command line would be an issue. Later on when using the CA the
password are set via environment variables, so not visible to other
users.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for pkcs11 module environment variables to the config file.
These variables may have the following format:
env:VARNAME=VALUE
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Apply the password for the signing key and parent key when creating a
platform certificate. The bug was introduced in commit 961bb827
"samples: Use new pwd format option for secretly passing passwords"
Extend a test case to ensure that the passwords are always used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the local CA was create the signing key of the intermediate CA
was not properly protected by the passwords. This patch fixes this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Extend swtpm_setup.pod showing swtpm-create-user-config-files usage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of using eval when running swtpm_cert in swtpm-localca.
This is to avoid further evaluation of bash expression that can
spawn subshells ('$(echo foo)') or do other bad things. Bad input
could come from malformed configuration files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Escape many more special shell characters before calling eval on
an entry to convert a variable to its value. Uncareful writing of
a swtpm-local.conf config file could have lead to files being over-
written using '>' for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the script that creates a CA that uses a TPM 2 for signing.
For this we have to create tokens using the TPM 2 pkcs11 module's
tpm2_ptool and can then use the p11tool for creating keys.
Add a test case that requires a running tpm2-abrmd and tpm2_ptool.
Eventually the test case should (try to) start its own tpm2-abrmd
and talk to swtpm directly but the tcti module to do that isn't
available as a package, yet.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the swtpm_cert --signkey-pwd and --parentkey-pwd to pass key passwords
using files rather than using the command line options.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address several issues reported by shellcheck and protect
variables with quotes so we now can have filenames with spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Protect variables with quotes so that pathnames with spaces are now
supported.
Adjust the accompanying test case to make use of spaces in file paths.
Address several issues found by shellcheck. Some of them are false
positives especially when it comes to protecting variables passed
to a commaned in an 'eval' line. They must not be protected, otherwise
they are not passed correctly.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
According to the XDG spec,
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html:
"If $XDG_CONFIG_HOME is either not set or empty, a default equal to
$HOME/.config should be used."
This fixes setting up a TPM with libvirt running in a user session.
It works by checking if configuration files are readable in the
directory priority order (XDG_CONFIG_HOME, then HOME, then SYSCONFDIR).
When libvirt is running as a system instance, $HOME isn't set, so it
will fall back on @SYSCONFDIR@ (/etc usually)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Adjust the localstatedir variable to not have ${prefix} if
prefix is '/usr/', otherwise use ${prefix}.
Also adjust the files that were pointing to directories that
are controlled by $localstatedir.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the project is configured with --prefix=/usr/local several configuration
files are installed to /usr/local/etc but not read by the programs that
need them. This patch fixes this issue by replacing @SYSCONFDIR@ in the source
code of those files with the actual used path.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
GnuTLS PKCS11 URLs have ';' in the string that we need to preserve for
passing to GnuTLS. So we escape the semicolons before using them on the
command line.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If tpmtool supports --srk-well-known we also support the well known
SRK password and allow the user not to provide an SRK password on
the command line.
This patch should have been applied before the previous patch that
tests this. Luckily, only very few systems have tpmtool with
--srk-well-known so that the order would matter there (and cause test
failures).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Return the result code from the expect script to the caller.
Also, display possible log messages in case the private key file
was not written properly.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Support creation and usage of the root CA with a password protected
private key. The root CA's key password can be set using the environment
variable SWTPM_ROOTCA_PASSWORD.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This (experimental) script uses GnuTLS tpmtool to create a TPM 1.2
intermediate CA that can sign a vTPM's EK and platform certificates.
Add a man page for this tool.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
GnuTLS can use TPM 1.2 keys for signing. For this we just need to support
key URLs in the GnuTLS format:
tpmkey:uuid=...
tpmkey:file=...
We don't try to read these URLs as files but pass them through as URLs to
the swtpm_cert tool that will then try to sign with the TPM 1.2 key by
passing the URL to GnuTLS API calls.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm-localca was missing a help screen. This patch adds it and
is shown when --help or -? or -h is passed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
On some systems /bin/bash does not exists but the bash is somewhere
else and can be invoked with /usr/bin/env bash.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
OS/X has a flock (v0.2.3) implementation using
brew tap discoteq/discoteq
brew install flock
The current version doesn't support -x as a parameter for
an exclusive lock but uses an exclusive lock when no parameter
is passed at all.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To avoid clashes with the lock files created by swtpm, have
swtpm-localca creata a lock file with the name .lock.swtpm-localca
so they can share directories if necessary.
This patch makes tests/test_tpm2_swtpm_setup_create_cert run on
OpenBSD since the swtpm and swtpm-localca then do not interfere
with the file locks. This doesn't seem to be an issue on Linux
or Cygwin, though, where probably the file locking is implemented
differently.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.om>
OpenBSD uses an older sed implementation that doesn't understand the
meaning of the '+' for getting one or multiple occurrences of a letter.
Work around this by not using it and trimming white spaces at the end
of a variable using bash.
Use 100 as file descriptor rather than 200 to accomodate OpenBSD,
which only support file descriptors <= 127.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cleanse the tmp variable before running eval on it. This is to prevent
execution of commands that a hidden in variable values read from a config
file. We only need to resolve the values of variables and don't want
the execution of a subshell command initated by either $(...) or `...` .
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
This will allow to expand environment variables in config files, such as:
statedir = $XDG_RUNTIME_DIR/swtpm-localca
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
To allow the creation of EKs with signing and/or key encipherment
capabilities, add the --allow-signing and --decryption options
to swtpm-localca program.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
