The IBM TSS2 is available starting with Bionic. Use it there
to extend the test coverage of the code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To make the test cases work on Travis on Bionic replace all occurrences of
localhost with 127.0.0.1. The only affected client tools seem to be those
related to the TPM 1.2 and the IBM TSS2. For some reason the API used
there cannot resolve localhost to 127.0.0.1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To make swtpm_setup.sh work on Travis on Bionic we need to
explicitly set TCSD_TCP_DEVICE_HOSTAME=127.0.0.1 since lookup
of localhost (with the API the tcsd is using) does not work.
It doesn't negatively affect any other use case, so no problem
setting it.
Also replace localhost in the bash tcp device path with 127.0.0.1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Previous commit broke the run_test script and only ended up running
the first test. This patch fixes it and displays an success message
at the end.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Diable testing with the CUSE interface in run_test.sh. The CUSE driver
in Linux seems to have some stability problems.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The simplest way to detect whether SWTPM_EXE is a 64 bit application on
Linux is to check whether it links against any library in a */lib64/*
directory and only if this is the case we run a particular test case for
which we know what keys 64 bit TPMs are producing given a pre-created
state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Upgrade to use the IBM TSS2 tests from v1.4.0 but eliminate all testing
with 3072 bit RSA keys.
This test also passes with libtpms 0.6.0 and 0.7.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow specifying a libtpms revision to test with, defaulting to
master branch.
Have the OS X test use the stable-0.6.0 branch.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
'swtpm chardev --vptm-proxy' currently requires a '--flag startup-xyz'
to be passed since otherwise the need_init_cmd variable would not be
set to false and swtpm would terminate after sending the startup
command. To maintain backwards compatibility we have to always
set the need_init_cmd variable to false for the --vtpm-proxy case
and must not require a startup flag to be passed.
Roll back one of the test case to not use the startup flag.
Fixes: e6bc4bdf0 ('swtpm: Enable sending startup commands ...')
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
libtpms may not support TDES, so we have to skip test case 4 in
case we encounter an allowed error message.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove the CUSE TPM from the build and adjust the rules file
so that the build works on Ubuntu servers for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Adjust the vtpm proxy test case and others to make use of the new
startup options. Make sure that subsequent Startups sent to the
TPM fail with the expected error code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add documentation about the new startup options support as well
as the new capability and its meaning.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The vtpm proxy device requires that the TPM be 'Startup' otherwise it
fails sending the first command to it and will send the 'Startup'
(SU_CLEAR/TPM_ST_CLEAR) itself while adding a log entry. We want to
avoid the kernel log entry.
Add options to the existing --flags option that allows one to start
up the TPM 1.2 or TPM 2.0 with the startup types 'clear', 'state'
and 'deactivate' (TPM 1.2 only). Extend the --print-capabilities to
advertise the availability of these options with the string
'flags-opt-startup'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Give swtpm more time to close the port. This became an issue when running
the tests and all executables are valgrind'ed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for the --print-capabilities option to display newly
added capabilities. Adpat the man page and related test case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the swtpm_cert --signkey-pwd and --parentkey-pwd to pass key passwords
using files rather than using the command line options.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow passing signing key and parent key via files and file descriptors
and environment variables. Adapt a test case to exercise this new
functionality.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address several issues reported by shellcheck and protect
variables with quotes so we now can have filenames with spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch addresses several issues found with shellcheck. In particular
it now enables variables with spaces in them, such as file paths that
contain spaces.
Adjust one of the accompanying test cases to use spaces in the path.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Protect variables with quotes so that pathnames with spaces are now
supported.
Adjust the accompanying test case to make use of spaces in file paths.
Address several issues found by shellcheck. Some of them are false
positives especially when it comes to protecting variables passed
to a commaned in an 'eval' line. They must not be protected, otherwise
they are not passed correctly.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Block the SIGPIPE so that a failing write() can return an EPIPE
rather than killing the process with a SIGPIPE.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Block the SIGPIPE so that a failing write() can return an EPIPE
rather than killing the process with a SIGPIPE.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Only accept new client connection on the control channel if we
currently do not have a client on the control channel.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm_setup will fail once libtpms starts supporting other PCR
hash banks than sha1, sha256, sha384, sha512, and sm3-256. So,
this patch allows to choose active PCR banks of the SHA3 series.
Further, unknown hash banks will not fail the tool anymore when
it tries to determine which hash banks are supported by the TPM
since it will then add the hex number of the hash algorithm to
the collection of supported hashes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The Ubuntu (PPA) build system executes the build on an environment that
has problems with seccomp profiles. It does not allow us to run the test
suite with swtpm applying its seccomp profile since it fails with a
'bad system call' error. To work around this we introduce the env. variable
SWTPM_TEST_SECCOMP_OPT that we can set to "--seccomp action=none" to avoid
having swtpm apply it seccomp profile.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Move wait_port_open and wait_port_closed to common file and handle
the timeout errors in test_commandline.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Wait for the PID file to appear rather than reading it right away.
This addresses an issue when runnin the test suite under valgrind
(make -j $(nproc) check).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
SWTPM_EXE may be 'valgrind ... swtpm', so we have to protect it with quotes
when passing it as a parameter to a function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Search for the SWTPM_EXE / SWTPM_IOCTL executable using 'type -P' to
determine whether it is an executable rather than assuming a full path
is given on which we can check -x.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Delay the reading of the PID file if it is found to be empty.
This can happend if swtpm is run by valgrind.
Also, use the passed parameters rather than the global ones to check
the PID file contents against the expected pid. So far this worked
because PID and PID_FILE were variables used by every caller.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When running the TPM 1.2 vtpm_proxy test cases by launching the
swtpm with valgrind it may take a long time for the log to be
written and the device to appear. This is due to the self test
of the TPM 1.2 taking a while. So we need to move the reading
of the device into a loop and set the timeout of the loop to 10s
so that it passed under these circumstances.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm_setup.sh uses file descriptor 100 for 'exec 100 <> ...'.
So we have to make sure that the file descriptor inherited from
the caller of swtpm_setup does not overlap with a reserved range
to be used by swtpm_setup.sh, which we declare to be [100..109].
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
