During the rewrite the additional "/.config/" got dropped from the
path when using ${HOME} for locating the default config file.
Re-add it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Apply the password for the signing key and parent key when creating a
platform certificate. The bug was introduced in commit 961bb827
"samples: Use new pwd format option for secretly passing passwords"
Extend a test case to ensure that the passwords are always used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the local CA was created the signing key of the intermediate CA
was not properly protected by the passwords. This patch fixes this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The only place where pip is required is in src/swtpm_setup/Makefile.am, l. 48,
to uninstall a manually built package. Most people will have pip already
installed, since it comes bundled with Python by default. It might not be
installed by default in minimal build environments used for distribution
packaging, but these rely on the file tracking by a package manager instead of
using "make uninstall".
In conclusion, I think requiring pip is only helpful for a very limited number
of people, and is just a superfluous build dependency for distribution
packagers. Issuing a warning that the package cannot be uninstalled cleanly if
pip is not found seems enough.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Distributions often have their own guidelines regarding installation of Python
modules (e.g. Arch Linux mandates using --optimize=1 for setup.py install,
which the Makefile in this project does not do). Add an option
"--disable-python-installation" (disabled by default) to allow skipping the
Python installation process entirely so that distributions can take care of
this process manually in their preferred way.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Clang complains if either one of those linker flags is used during compilation:
clang-9: error: -Wl,-z,relro: 'linker' input unused [-Werror,-Wunused-command-line-argument]
clang-9: error: -Wl,-z,now: 'linker' input unused [-Werror,-Wunused-command-line-argument]
This patch applies those flags only when linking.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Cygwin's linker does not support -Wl,-z,relro and -Wl,-z,now and
AC_COMPILE_IFELSE did only compile but not link, so it wouldn't detect
whether these flags are supported. So, use AC_LINK_IFELSE to detect
support for these flags.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of the 'c' code that only changed the user and add support for
the --runas option to change to a different user in the python part.
To get 'make distcheck' to work I needed to name the swtpm_setup python
script with the suffix .in so that it gets copied to the build directory
as swtpm_setup. We need to change execute permissions on this file after
copying.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove tpm-tools from runtime dependencies. Keep trousers for the
creation of the 'tss' user for now. Add python related dependencies.
Adjust the directory ownership for /var/lib/swtpm-localca to tss:root and
the mode flags to 0750. The new CA now may still be created as tss:tss but
users in the tss group will not have access to it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for users wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Rewrite swtpm_setup.sh in python. Use a permanent connection from the
tool to swtpm via passing file descriptors of a unix socketpair. Implement
all functionality in python so that we don't rely on trousers and tpm-tools
for swtpm_setup. This now allows any user to setup a TPM 1.2 whereas before
it had to be root or the tss user.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Modify the pkcs11 related test case to set the environment variable for
softhsm_setup to use the temporary directory for config file and state
of softhsm. Also set the SOFTHSM2_CONF environment variable since
certtool also uses the pkcs11 module which in turn will look for its
config file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use softhsm's SOFTHSM2_CONF environment variable to set the directory
where the configuration file is located so that we can now use a temporary
directory for the location of the directory. Use the environment variable
SOFTHSM_SETUP_CONFIGDIR to set the directory where softhsm_setup can
setup its temporary environment for the config file and state of softhsm.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Slow systems, like Cygwin, need so much time from taking the time to sending
the command that we need to take the current time again to check whether the
success is valid. Previously the test may have failed since the old time that
was taken did not allow the success to be valid.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The OpenBSD implementation of 'od -tx1' prints two spaces between
hexbytes, thus the grep for "00 00 00 00" fails and we report an
invalid error. This patch fixes this by squeezing the two consecutive
spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Extend swtpm_setup.pod showing swtpm-create-user-config-files usage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
BSD's sed does not print \n as newline, so we have to split the string
into different lines using tr.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
We have occasional test failures on Travis running tests on OS X where
time seems to be going backwards in the dictionary attack timeout test.
This patch tries to detect that the time went backwards and skip the
test once a failure would have been detected.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add build targets selinux-install and selinux-uninstall to install
and uninstall the SELinux policy rules at a given priority. The
priority defaults to 400, which works fine on Fedora.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of using eval when calling $create_certs_tool and only use
eval for resolving variables from the config file.
We only want variable substitution for entries from configuration
files, so escape all other special shell characters that may be
making it onto the command line so that no subshells are opened
and no redirection to files can occur.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the swtpm-localca test with odd vmid string to ensure
that they go into the certificate unmodified.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of using eval when running swtpm_cert in swtpm-localca.
This is to avoid further evaluation of bash expression that can
spawn subshells ('$(echo foo)') or do other bad things. Bad input
could come from malformed configuration files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Escape many more special shell characters before calling eval on
an entry to convert a variable to its value. Careless writing of
a swtpm-local.conf config file could have led to files being
overwritten using '>' for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
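
Added example, not part of the commit log and not swtpm's code: the three commits above keep eval but escape special characters first; this sketch shows a different way to reach the same goal, substituting only `${NAME}` references and never calling eval. The function name `expand_vars`, the sample value, and the restriction to exported environment variables are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from swtpm): expand ${NAME}
# references in a config value without eval. Everything that is not a
# well-formed ${NAME} is copied through as literal text, so '$(...)',
# backticks, '>' and ';' are never interpreted by the shell.

expand_vars() {
    open='${'
    close='}'
    rest=$1
    out=
    while :; do
        case $rest in
            *"$open"*) ;;
            *) break ;;                    # no further references
        esac
        out=$out${rest%%"$open"*}          # literal text before the first ${
        rest=${rest#*"$open"}              # text following that ${
        case $rest in
            *"$close"*) ;;
            *) out=$out$open; break ;;     # unterminated: keep it literal
        esac
        name=${rest%%"$close"*}
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                # Not a plain identifier: keep "${" as text and rescan.
                out=$out$open ;;
            *)
                # Look up exported variables only; unset expands to "".
                val=$(printenv "$name") || val=
                out=$out$val
                rest=${rest#*"$close"} ;;
        esac
    done
    printf '%s' "$out$rest"
}

# Constructed sample value, as it might appear in a malformed config file.
sample='${HOME}/.config/example.conf $(echo foo) > out.txt'
expand_vars "$sample"; echo
```

Only the `${HOME}` reference in the sample is replaced; the command substitution and the redirection come out as plain characters.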
Have the tpm2_ptool use a store in the temporary directory so that
with every test we have a clean environment.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign the unique port 65452/65354 to test_tpm2_save_load_state to
avoid conflict with test_tpm_probe also using
SWTPM_SERVER_PORT=65526
SWTPM_CTRL_PORT=65527
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign the unique ports 65450/65451 to test_tpm2_sample_create_tpmca
to avoid clashes with test_samples_create_tpmca that is using
SWTPM_SERVER_PORT=65434
SWTPM_CTRL_PORT=65435
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign unique ports 65448/65449 to test_tpm2_setbuffersize to avoid clash
with test_samples_create_tpmca using TCSD_LISTEN_PORT=65436.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The generated sample keys started with 00010203, thus leaving the upper
15 bits of the key as '0', which in turn causes gnutls to think that the
key is only 2033 bit long, thus rejecting certificate verification once
the min-verification-profile is set to 'medium' in gnutls's config file
in /etc/crypto-policies/back-ends/gnutls.config.
We now create sample keys starting with 800102, which sets the highest bit.
This fixes test errors on Fedora Rawhide due to the change in the
min-verification-profile setting in gnutls.config.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
A typo in the condition meant that netstat was always required regardless of
whether tcsd is available or not.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
The OpenBSD implementation of 'od -tx1' prints two spaces between
hexbytes, thus the grep for "00 00 00 00" fails and we report an
invalid error. This patch fixes this by squeezing the two consecutive
spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the tcsd (trousers) is available, TPM 1.2 support should work as well.
Typically the tss user and group should be defined at this point, but
this may not always be the case, so make sure that this user and group
are available on the system.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Change the file and directory ownership of tcsd related files only if it
is absolutely needed. It is not needed if we are running as user TCSD_USER
in group TCSD_GROUP because then the files were created with the needed
owner and group. This avoids problems when trying to change file ownership
when invoked by libvirt where we do not have the capabilities to change
file ownership even as root.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the TSS_USER != TSS_GROUP, e.g., user 'root' and group 'tss', then
tcsd requires that the access mode bits on the $TCSD_CONFIG file are set
to 0640, otherwise we get this error:
TCSD ERROR: TCSD config file (/tmp/tmp.Yd4LIF7mCE) must be mode 0640
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>