Due to recent changes in tcsd, it doesn't accept 'tss:tss 0600' anymore
for the tcsd config file but we need to use 'root:tss 0640' for it.
So far only Fedora seems to be affected. It now depends on whether tcsd
has been patched what ownership is required. So we try first the old
configuration and then the new one.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch fixes the path to swtpm-localca to avoid this type of
error because of swtpm_localca_conf having been created in another
directory. This error occurred whan running
sudo bash -c "make -j32 distcheck"
Traceback (most recent call last):
File "/home/stefanb/tmp/swtpm/swtpm-0.5.0/samples/swtpm-localca", line 5, in <
from py_swtpm_localca.swtpm_localca import main
File "/home/stefanb/tmp/swtpm/swtpm-0.5.0/samples/py_swtpm_localca/swtpm_local
from py_swtpm_localca.swtpm_localca_conf import SYSCONFDIR
ModuleNotFoundError: No module named 'py_swtpm_localca.swtpm_localca_conf'
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of the 'c' code that only changed the user and add for support of
the --runas option to change to a different user in the python part.
To get 'make distcheck' to work I needed to name the swtpm_setup python
script with the suffix .in so that it gets copied to the build directory
as swtpm_setup. We need to change execute permissions on this file after
copying.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address several issues reported by shellcheck and protect
variables with quotes so we now can have filenames with spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The Ubuntu (PPA) build system executes the build on an environment that
has problems with seccomp profiles. It does not allow us to run the test
suite with swtpm applying its seccomp profile since it fails with a
'bad system call' error. To work around this we introduce the env. variable
SWTPM_TEST_SECCOMP_OPT that we can set to "--seccomp action=none" to avoid
having swtpm apply it seccomp profile.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To prevent the test case from failing when an no --prefix is used
when configuring, use an empty options file via /dev/null. Otherwise
swtpm-localca starts looking for the options file in a place where
there is none.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the swtpm-create-tpmca test with test cases using the
'well known' password of 20 zero bytes if tpmtool supports the
--srk-well-known option.
Besides that, extend the existing test to actually use the TPM CA
for signing a TPM 1.2 or TPM 2 (test) EK and check the contents of the
certificate by grepping through the text info provided by certtool.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Refactor the swtpm-create-tpmca test case so we can use it for
testing with the 'well known' (20 bytes of zeros) SRK password
in the next pass.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Run the TPM CA setup script with a local swtpm and tcsd instance.
We have to take ownership of the TPM and set its SRK passwork so
that the TPM CA setup script can create a signing key as a child
key of the SRK.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
