Get rid of the 'c' code that only changed the user and add for support of
the --runas option to change to a different user in the python part.
To get 'make distcheck' to work I needed to name the swtpm_setup python
script with the suffix .in so that it gets copied to the build directory
as swtpm_setup. We need to change execute permissions on this file after
copying.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the --print-capabilities option to also report supported RSA
key sizes. Only the TPM 2 may support anything else than 2048 bit RSA
keys, so we only consult 'swtpm socket --tpm2 --print-capabilities'
and grep for 2048 and 3072 key sizes and report them.
If nothing is found, nothing is reported, as before, and 2048 bit RSA
keys should be assumed.
'swtpm_setup --tpm2 --print-capabilities' may now show the following:
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"tpm2-rsa-keysize-2048",
"tpm2-rsa-keysize-3072"
]
}
Also adjust a test case to use a regular expression for matching
against an expected string that may nor may not have rsa-keysize
verbs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Construct RSA key size capability strings from libtpms TPMLIB_GetInfo()
string so that we can easily show which RSA key sizes are supported by
the TPM 2 implementation. If none are advertised, 1024 & 2048 can be
assumed to be supported.
'swtpm socket --tpm2 --print-capabilities' may now print the following:
{
"type": "swtpm",
"features": [
"tpm-send-command-header",
"flags-opt-startup",
"cmdarg-seccomp",
"cmdarg-key-fd",
"cmdarg-pwd-fd",
"no-tpm12-tools",
"rsa-keysize-1024",
"rsa-keysize-2048",
"rsa-keysize-3072"
]
}
We need to adapt the related test case to use a regular expression since
the rsa-keysize-xyz strings may or may not be there depending on libtpms
version.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the host is missing tcsd (trousers) or the tpm-tools, swtpm_setup
will now report the 'no-tpm12-tools' verb like this:
> swtpm_setup --print-capabilities | jq
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"no-tpm12-tools"
]
}
The only TPM 1.2 setup parameter that requires interaction with
the TPM 1.2 that can be pass is then '--createek'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a test case testing the returned value from
swtpm <iface> --tpm2 --print-capabilities
along with those return from swtpm_setup.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
