When the ${HOME} directory is used for finding swtpm_setup.conf it is
to be found in ${HOME}/.config/swtpm_setup.conf.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolves: https://github.com/stefanberger/swtpm/issues/664
Add support for --reconfigure option for the swtpm_setup to be able to
change the active PCR banks. This option only works with --tpm2 and does
not allow to pass several other options such --create-ek or
--create-ek-cert or --create-platform-cert that would alter the state of
the TPM 2 in other ways.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the user did not provide the PCR banks to activate through the command
line options, try to read it from the config file and if nothing is found
there, fall back to the DEFAULT_PCR_BANKS as set during configure time.
Move the check for the PCR banks after the access check to the
configuration file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for skipping over creating the files
if any one of the config files already exist.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the option --create-config-files to create config files
for swtpm_setup and swtpm-localca for a user account. The files will
be created under the $XDG_CONFIG_HOME or $HOME/.config directories.
This option supports optional arguments 'overwrite' to allow overwriting
existing config files as well as the optional argument 'root' to create
config files under root's home directory. Both options can be passed
by separating them with a ','.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display the --print-states capability in the --print-capabilites
output as cmdarg-print-states.
Document availability in the man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an options to specify pluggable backend URI.
Ex:
--tpmstate backend-uri=dir://<path_to_dir>
Backend URI is specific to each backend plugin which points to the
location of the NVRAM files.
Currently, "dir" is the only one available backend. In this case
backend-uri should be a path to the directory where files are stored.
This option is designed to compatible with existing "dir" option.
If "dir" is specified, swtpm prioritize "dir" ignoring "backend-uri".
Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
Implement get_supported_tpm_versions to get swtpm's support for TPM 1.2
and TPM 2 and use it error out in case user choose a TPM version that
is not supported. Also display the supported TPM versions in the
capabilites JSON.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Write the EK certificate files into the directory specified as parameter
to the --write-ek-cert-files option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Move content of swtpm-localca(8) manual page to swtpm_localca(8)
and make swtpm-localca(8) an alias for swtpm_localca(8), mirroring
the fact that /usr/bin/swtpm_localca is the actual program and
/usr/share/swtpm/swtpm-localca a wrapper for it.
- Change references to `swtpm-localca` in manual pages' content to
`swtpm_localca`, reflecting the actual name of the program they are
meant to document.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Add a missing '\' to the list of pod files and reduce the EXTRA_DIST
files list to only those that available via git and not generated.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Fix the following `make distcheck` cleanup issue:
ERROR: files left in build directory after distclean:
./man/man8/swtpm_cuse.8
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Write a note in swtpm_setup's help screen and man page that the usage
of --allow-signing will lead to a non-standard EK. Be more precise in the
man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since the device can be passed using --tpm-device <device>, we now
mark the last parameter, which can also be the device, as optional.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Also fix an error in the man page on the way. 'startup-deactivated'
can only be used with a TPM 1.2, not a TPM 2.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Pass the CA's private key password via the template file. Remove recently
added old GnuTLS support. Extend man page with a paragraph about short-
comings of certtool that doesn't seem to allow private key password being
passed either as environment variable or template file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for pkcs11 module environment variables to the config file.
These variables may have the following format:
env:VARNAME=VALUE
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the man pages with further locations for the options and config
files in ${XDG_CONFIG_HOME} or ${HOME}/.confg.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Extend swtpm_setup.pod showing swtpm-create-user-config-files usage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Escape many more special shell characters before calling eval on
an entry to convert a variable to its value. Uncareful writing of
a swtpm-local.conf config file could have lead to files being over-
written using '>' for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the --print-capabilities option to also report supported RSA
key sizes. Only the TPM 2 may support anything else than 2048 bit RSA
keys, so we only consult 'swtpm socket --tpm2 --print-capabilities'
and grep for 2048 and 3072 key sizes and report them.
If nothing is found, nothing is reported, as before, and 2048 bit RSA
keys should be assumed.
'swtpm_setup --tpm2 --print-capabilities' may now show the following:
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"tpm2-rsa-keysize-2048",
"tpm2-rsa-keysize-3072"
]
}
Also adjust a test case to use a regular expression for matching
against an expected string that may nor may not have rsa-keysize
verbs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Construct RSA key size capability strings from libtpms TPMLIB_GetInfo()
string so that we can easily show which RSA key sizes are supported by
the TPM 2 implementation. If none are advertised, 1024 & 2048 can be
assumed to be supported.
'swtpm socket --tpm2 --print-capabilities' may now print the following:
{
"type": "swtpm",
"features": [
"tpm-send-command-header",
"flags-opt-startup",
"cmdarg-seccomp",
"cmdarg-key-fd",
"cmdarg-pwd-fd",
"no-tpm12-tools",
"rsa-keysize-1024",
"rsa-keysize-2048",
"rsa-keysize-3072"
]
}
We need to adapt the related test case to use a regular expression since
the rsa-keysize-xyz strings may or may not be there depending on libtpms
version.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the host is missing tcsd (trousers) or the tpm-tools, swtpm_setup
will now report the 'no-tpm12-tools' verb like this:
> swtpm_setup --print-capabilities | jq
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"no-tpm12-tools"
]
}
The only TPM 1.2 setup parameter that requires interaction with
the TPM 1.2 that can be pass is then '--createek'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for passing the curve id via the --curve-id
option. Default assumes secp256r1. secp384r1 is also supported.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the script that creates a CA that uses a TPM 2 for signing.
For this we have to create tokens using the TPM 2 pkcs11 module's
tpm2_ptool and can then use the p11tool for creating keys.
Add a test case that requires a running tpm2-abrmd and tpm2_ptool.
Eventually the test case should (try to) start its own tpm2-abrmd
and talk to swtpm directly but the tcti module to do that isn't
available as a package, yet.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
