Having the spec file in the top-level directory of the dist
archive makes it possible to build rpms with a single,
convenient command.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Using these instead of the regular version number makes it
more complicated than necessary to perform builds, and there
doesn't seem to be any advantage in keeping them around.
After this change, the rpm building instructions contained in
the INSTALL file actually work.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
These are never going to change, so using string substitution
serves no purpose beyon mild obfuscation.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
This file is generated from swtpm.spec.in, and as such should
not be tracked in git; in fact, an entry for it exists in the
gitignore file.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
autogen.sh will automatically invoke configure passing it any
command line arguments it received, so we shouldn't instruct
the user to unnecessarily run it again immediately afterwards.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Configure generates include/swtpm/tpm_ioctl.h.gch when trying
to figure out which hardening options can be enabled.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Modify a test case and write an environment variable into the
swtpm_setup.conf config file to test that it gets resolved.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This is a 1:1 rewrite of swtpm_localca in 'C' as a final step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent),
Fedora 28 PPC Big Endian
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This is a 1:1 rewrite of swtpm_setup in 'C' as a first step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Have the statedir created in case it doesn't exist before checking for read
and write access to it.
Set the default directory where to write the results into to the current
directory '.' rather than to what would result in the root directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Some of the wording in the help screen was odd, so rephrase it.
Fix the default owner and SRK passwords for the TPM 1.2 case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix some typos. The value for TPM2_ALG_SHA3_512 was wrong but also is
currently not used since libtpms does not support it yet.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following issue due to multiple .PHONY definitions.
Makefile.am:34: warning: .PHONY was already defined in condition WITH_SELINUX, which is included in condition TRUE ...
Makefile.am:28: ... '.PHONY' previously defined here
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following `make distcheck` cleanup issue:
ERROR: files left in build directory after distclean:
./man/man8/swtpm_cuse.8
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Initialize the key structure before loading the key into it. This
resolves an issue raised by Coverity, but doesn't seem to be really
necessary.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
These types have been renamed in libtasn1 version 3.0 (released 2012-10-28).
The most recent libtasn1 version 4.17.0 (released 2021-05-13) now prints
deprecation warnings that are made fatal by -Werror:
ek-cert.c:76:13: error: 'ASN1_ARRAY_TYPE' macro is deprecated, use 'asn1_static_node' instead. [-Werror]
76 | extern const ASN1_ARRAY_TYPE tpm_asn1_tab[];
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
The new types were introduced almost ten years ago, so they should be pretty
universally available by now.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Changes to libtpms will require that the volatile state files
during this test may be larger than 9000 bytes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Thos patch fixes the following issue when building a Debian package:
dh clean --parallel
dh: warning: Compatibility levels before 10 are deprecated (level 9 in use)
dh_auto_clean -O--parallel
dh_auto_clean: warning: Compatibility levels before 10 are deprecated (level 9 in use)
dh_clean -O--parallel
dh_clean: warning: Compatibility levels before 10 are deprecated (level 9 in use)
dpkg-source -b .
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add restoring of the volatile state after having it stored.
Since this is now taking a long time it must be explicitly enabled
by setting the environment variable SWTPM_TEST_STORE_VOLATILE=1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If we are running the tests as a user that doesn't have a git config
setup we run into the following issue when trying to apply patches
suing 'git am':
Committer identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
This patch fixes this by setting the git config on the local checkout
before using 'git am'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
RHEL 7's gnutls 3.3.29 does not take the private key passwords like later
versions take it. We require at least 3.4.0, though I am not entirely sure
when that change occurred. We may actually require >3.4.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Apply patches to the IBM TSS2 test suite rather than using sed on its
files and other types of file manipulations.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Write a note in swtpm_setup's help screen and man page that the usage
of --allow-signing will lead to a non-standard EK. Be more precise in the
man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch adds a test case for testing the fix for libtpms
issue 195: https://github.com/stefanberger/libtpms/issues/195
This patch now requires that the latest TPM version from master or the
branches is installed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Start using timeouts when communicating with swtpm over Unix sockets so
that swtpm_ioctl does not just hang when it cannot communicate with swtpm
such as establishing a connection or reading results. This is because swtpm
listens to nlye one control channel connections.
This patch addresses an aspect of the problem reported in issue #415
but may also starting hiding bugs if certain operations are done in
the wrong order, as was the case in libvirt (6.10 & 7.0).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Upgrade to use the IBM TSS2 tests from v1.6.0.
Add a patch that eliminates all testing of 3072 bit RSA keys in case
libtpms does not support such keys. Also disable a test case related
to ACT for older revisions.
This test passes with libtpms 0.8.0 as well libtpms 0.6.0 and 0.7.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
test_samples_create_tpmca needs to wait longer for the pid file content
to be there not just until the file is available.
test_tpm2_save_load_state_2 needs to dump the TPM log file on failure.
Failures occurred rarely because the previous instance of swtpm had
not shut down yet and released the lock file while the new instance
wanted to lock the lockfile. So we have to wait a bit until the
previous instance is gone.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
We need to probe for the support socketpair() domain. On Linux only
socket.AF_UNIX is support and on Cygwin AF_INET works.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Pip 21.0.0 seems to be broken when upgraded to on Xenial. So
let's just only upgrade to 20.3.3.
$ sudo pip3 install --upgrade cryptography
Traceback (most recent call last):
File "/usr/local/bin/pip3", line 7, in <module>
from pip._internal.cli.main import main
File "/usr/local/lib/python3.5/dist-packages/pip/_internal/cli/main.py", line 60
sys.stderr.write(f"ERROR: {exc}")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch fixes the following issue:
$ ./src/swtpm/swtpm chardev --print-capabilities --tpm2
swtpm: Error: Missing character device or file descriptor
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch adds support for partial reads to the CUSE swtpm.
We introduce a ptm_read_offset variable that holds the offset where to read
from next. It is reset every time a command has been processed as part of a
write() so that subsequent read()s start reading from offset 0. It is
advanced by the number of bytes that were read.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Asan reports this error for the CUSE TPM. The file_ops_lock was accidentally
duplicated in a code move of threadpool related code out of cuse_tpm.c
This patch removes the unused file_ops_lock from threadpool.c to resolve
the ASAN issue.
=================================================================
==545493==ERROR: AddressSanitizer: odr-violation (0x000000419340):
[1] size=8 'file_ops_lock' cuse_tpm.c:112:8
[2] size=8 'file_ops_lock' threadpool.c:55:8
These globals were registered at these points:
[1]:
#0 0x14f6c27f3cc8 (/lib64/libasan.so.6+0x37cc8)
#1 0x40c2c3 in _sub_I_00099_1 (/home/stefanb/tmp/swtpm/src/swtpm/.libs/lt-swtpm+0x40c2c3)
#2 0x40c31c in __libc_csu_init (/home/stefanb/tmp/swtpm/src/swtpm/.libs/lt-swtpm+0x40c31c)
[2]:
#0 0x14f6c27f3cc8 (/lib64/libasan.so.6+0x37cc8)
#1 0x14f6c27aad1a in _sub_I_00099_1 (/home/stefanb/tmp/swtpm/src/swtpm/.libs/libswtpm_libtpms.so.0+0x25d1a)
#2 0x14f6c31dc7b1 in call_init.part.0 (/lib64/ld-linux-x86-64.so.2+0x117b1)
==545493==HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_odr_violation=0
SUMMARY: AddressSanitizer: odr-violation: global 'file_ops_lock' at cuse_tpm.c:112:8
==545493==ABORTING
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
