Make swtpm_setup.sh work on FreeBSD.
A common fix for the problem related to echo stopping to write
data into a socket after the first occurrence of \x0a sees to
write it into a pipe and cat the data from there.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
A (draft) specification indicates the ECC key NVRAM indices to use.
Adapt the code to use them in case of EK ECC key.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The OpenBSD stat tool uses -f%z to return the file size in bytes.
So we wrap stat in get_filesize and call it with different parameters
depending on the system.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
On OpenBSD 6.2 we have an older version of od that does not support the
-w parameter. Also we have to use the bash echo there since /bin/echo
does not support the -e parameter. We are using /bin/echo on the other
systems since there was (once) a bug when \x0a had to be converted to a
hex number.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
OpenBSD does not have a proc file system from which we could
determine the path that swtpm_setup was run from and where we
expect swtpm_setup.sh to be located in as well. Using getenv("_")
seems to work as a replacement in the OpenBSD case.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Replace usage of shuf with a get_random function that produces
a random number between an upper and lower bound.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Fix the number of bytes passed into the control channel for commands
and expected for responses. The pointer to the memory is ok.
This fixes uninitialized memory errors reported by valgrind.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement a common function for cleaning up before exit.
This should now always remove the pid file.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Introduce compile-time variable HAVE_TCSD if the TCSD could
be found. It influences whether TPM 1.2 related swtpm_setup
test cases can be run. If it is set, they can be run.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Get rid of the dependency on netstat so that we can at least support
swtpm_setup with TPM 2 on Cygwin and BSD later on. This is the first
step into this direction.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Check that the netstat tool, which may not be required to be installed,
is indeed installed and usable with a set of command line options.
If this tool is not installed it may end up causing swtpm_setup to
hang forever.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The include file include/swtpm.h will be generated from swtpm.h.in and
reside under the $(top_builddir) rather than the $(top_srcdir).
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement --pcr-banks to allow a user to choose the set of active
PCR banks. We determine the PCR banks available and enable those
that the user chose and that are available.
The log will now print out the following:
Successfully activated PCR banks sha1,sha256 among sha1,sha256,sha384.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Remove the -s parameter to tpm2_nv_define since it was causing
a 0-size NVRAM location to be created for the platform cert.
Also use the nvindex parameter rather than TPM2_NV_INDEX_PlatformCert
for addressing the platform NVRAM index.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Adjust the flags for the TPM 2 NVRAM locations to adhere to the
specification:
TCG PC Client Platform: TPM Profile (PTP) Specification
Family "2.0"; Level 00; Rev 01.03 v22; May 22, 2017
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To prepare for writing data into different locations for ECC keys,
assign a variable the location of the NVRAM to write RSA related data
into.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
We write the EK template into the NVRAM location when it is non-standard.
It's non-standard once the EK can be used for signing.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add the --decryption option to enable key encipherment separately
from enabling signing for the EK. The key encipherment is not set
but needs to be set if --allow-signing is used and key encipherment
is also requested.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
In case of a TPM 2 we allow the creation of a signing key by passing
--allow signing. To also enable key encipherment, we add the --decryption
option to allow key encipherment and signing at the same time.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the standard EK and SRK handles per IWG spec
"TCG TPM v2.0 Provisioning Guidance"; Version 1.0, Rev 1.0, March 15 2017
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create the tpm2_createprimary_rsa_params function that has common code
for creating a primary RSA key with parameters.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Don't require root privileges to run swtpm_setup with a TPM 2 target.
For TPM 1.2 we need the high privilges due to TrouSerS wanting to be
started as root (or 'tss'), but for TPM 2 we do not use any tools
to manufacture the initial state that would require high privileges.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
libtpms preview branch tpm2-preview.rev142 enables volatile state
marshalling and unmarshalling which in turn enables the suspending
and resumption of the TPM state. This patch enables the capabilty
bits and adds test cases for testing the TPM state suspending and
resumption.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Provide support for creating certificates for TPM2 ECC type of keys.
Extend the test cases and the man pages.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Support TPM 2 in swtpm_setup and swtpm_setup.sh.
Implement support for all command line options except for:
o --take-ownership and anything related to ownership passwords
o --lock-nvram
o --display
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
TPM2 allows the primary key to also be a signing key, so in case
--tpm2 is provided, --allow-signing can be provided as well in
case the primary can also be used for signing operations.
We use SHA256 for the signing algorithm when TPM 2 is being used.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Extend the swtpm_bios tool with a --tpm2 command line parameter
to support TPM 2 initialization.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Call the libtpms API for resetting the TPM Established flag rather
than sending a TPM command, which only works for TPM1.2.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement support for TPM2. Some of the capabilities are not supported yet in
this patch.
Extend the man pages with description for --tpm2.
Missing: configure should probe for needed API calls in libtpms
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The subject alternative name need to have a special sequence of
bytes prepended to them for certtool to accept the data. Also TCG's
sample certificate does show the sequence. The byte sequence is of
the form: 0x30 <subsequent length> 0xa4 <subsequent length> <data>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The previous patch's reversal was partially wrong. The authority
key id needs to be set explicitly from the key id of the signing
key of the issuing CA.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Remove the copying of the authority key id from the given issuer
cert to the created cert since this copies the wrong key id and
besides that it will be set automatically when the certificate is
created.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create a .lock file in the directory with the TPM state and get
a lock on this file and hold on to the lock until swtpm ends.
This precludes other swtpm instances to step on the same state.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Whenever we encrypt the data we generate a new random IV and append a
tlv block with the IV to the byte stream. We mark the IV with different
tags depending on whether they are for the migration data or the (TPM)
data directly. All IVs are part of the HMAC and are added to it after
the data blob.
Adjust test cases that now return larger sizes of data. A constant
checksum over the data cannot be expected anymore, thus we have to remove
the verification of the checksum over the returned state (IV changes
every time).
The size of the blobs grow by 22 bytes, 6 for the tlv header, 16 bytes
for the IV (128 bit AES key).
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Get the IV from a tlv block in the data stream. If none is found, which
is the case when reading older state, we get a NULL pointer for the IV
and call the functions with the NULL pointer, which provides backwards
compatibility.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Enable a caller to pass an IV into the AES CBC encryption/decryption
function. If the caller passes NULL, we use the IV with all zeroes.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Refactor the functions calculating the HMAC so that we can later on
pass the IV for the AES CBC encryption as well.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Prepend tag-length-value (tlv) headers in front of all data being stored in
the byte stream following the header. This lets us uniquely identify plain
data (= TPM state), encrypted data (= encrytped TPM state), migration data
(which is wrapped plain or encrytped TPM state), and an HMAC block to
validate the plain data.
We keep support for version 1 for reading the data but convert them to
version 2 when writing them out. This way we loose backwards compatibility
(downgrading of swtpm is not possible), but it allows us to extend the state
in the future by adding addition blocks with tlv headers.
Version 1 of the encryption was prepending the hash on the plaintext data
then encrypting all of it. This method is not so good. In version 2 we now
use Encrypt-then-MAC (EtM) where we encrypt the data and then calculate an
HMAC on the encrypted data.
Files written by the swtpm didn't have a header before. Now they also get a
header. This means that the state written into files and the state retrieved
using the API (swtpm_ioctl --save) have the same format, but still differ
in so far as the API wraps the data in a tlv header for migration, which the
files written out as state would never get.
Adapt a couple of test cases show file sizes and hashes have changed now.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement functions for supporting tag-length-value headers
in the byte stream we store the TPM's data into.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Remove FreeBL support for swtpm since there will not be support
for FreeBL with TPM 2 in libtpms.
Since a lot of documentation shows --with-openssl, we leave that for
now.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Coverity found that the usage of strncpy may leave an unterminated
string. In this case it is ok, if the string is unterminated since
it would only be the part of a response and the client would have
to collect all the parts as indicated by the total length of the
string. So we use memcpy instead and leave a note in the code. So
far the strings would not nearly be 3k to get close to the maximum.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Rather than writing to files directly and having to validate the state in
those files using TPMLIB_ValidatetState(), we now use the new
TPMLIB_SetState() call to set the TPM's state blobs. The advantage of this
call is that it doesn't overwrite state files and ends up leaving state in
files that the TPM cannot use. Instead, it validates the state immediately
when the blob is set and returns an error in case the state cannot be
accepted.
We need to adapt one test case that now gets a failure earlier than before.
Before the TPM_INIT failed, now setting the encrypted blob fails because it
cannot be decrypted and thus cannot be accepted by the TPM.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
For TPM 1.2 the spec says that we must not set the subject, so we
do not set it but keep it around for TPM 2 certificates.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To make the ASN.1 look like the one from the spec. we have to
use a lower-level GNUTLS API function to set it.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Put the code that creates the ASN.1 for the platform and
TPM manufacturer info into their own functions.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the swtpm_ioctl tool also to get TPM manufacturer, firmware
version and TPM model and pass it to the external tool creating
the certificate.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Simplify the two's complement implementation by converting the number
into a big endian and writing it out into a byte array that is prefixed
with a 0-byte. This covers all unsigned ints while the previous imple-
mentation would have been wrong once the number exceeded 255.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Calculate the two's completement of the spec_level and spec_revision
numbers so that ASN.1 properly stores them as unsigned integers.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create ASN.1 for the Extended Key Usage field for the EK certificate
that has the oid 2.23.133.8.1 and for the platform certificate the
oid 2.23.133.8.2. Both are registered OIDs:
http://oid-info.com/get/2.23.133.8.1http://oid-info.com/get/2.23.133.8.2
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Non-privileged mode needs another rule and on Fedora 27 we need
a swtpm_exec_t related rule we did not need on Fedora 23.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The extern cert program was called with --vmid <foo>--tpm-spec-family ...
and failed due to a missing whitespace. This patch fixes it.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the new --info parameter for swtpm_ioctl to get TPM specification
info from the swtpm and use this as a parameter for creating the EK
certificate.
Extend the man page.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement the --info option that takes a flag as an argument
and returns information about the TPM implementation. Only the
value '1' has been defined for now, which returns a line as
the following:
{"TPMSpecification":{"family":"1.2","level":2,"revision":116}}
Extend the man page.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
We quetry the swtpm for TPM specification info that goes into the
certificate for the EK.
Update the test cases that now see more capabilties being returned
by the swtpm.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Since the EK cert must have an Authority Key Id, we error out if
the signing certificate we are given does not have an Authority
Key Id. The typical reason why it wouldn't have it is that we are
using a self-signed (rootCA) certificate directly.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Log the output of the tool that is creating the certificate and
prefix every line with the name of the tool.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To not loose stderr we have to run the exec command in a subshell
and suppress the output of the subshell otherwise the exec command
seems to close stderr on us.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create the TPMSpecification SEQUENCE and add it to the subject
directory attributes of an EK cert.
The code generates the same ASN.1 for the Subject Directory Attributes
as the example in the EK spec has.
> openssl asn1parse -in ${cert} -strparse 603
0:d=0 hl=2 l= 30 cons: SEQUENCE
2:d=1 hl=2 l= 28 cons: SEQUENCE
4:d=2 hl=2 l= 5 prim: OBJECT :2.23.133.2.16
11:d=2 hl=2 l= 19 cons: SET
13:d=3 hl=2 l= 17 cons: SEQUENCE
15:d=4 hl=2 l= 3 prim: UTF8STRING :1.2
20:d=4 hl=2 l= 4 prim: INTEGER :41010000
26:d=4 hl=2 l= 4 prim: INTEGER :7B000000
Extend existing test case so they create the ASN.1 as well.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
TPM 1.2 certificates need a header when written to NVRAM. This patch
adds a --add-header option for this and prepends the header to.
Also see TCG PC Specific Inmplementation Specification section 7.4.4 and
7.4.5.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement a mode parameter for the tpmstate option so that the user
can choose what the file mode bits of the TPM's state files will be.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Replace the previously used swtpmcuse_svirt type of policy with
swtpm_svirt. This policy contains the minimum set of rules necessary
to start swtpm from within libvirt.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address the issue that the pidfile needs to be removed at the end if
a file descriptor was passed in. So we have to look up the file
given the file descriptor and by using /proc/self/fd/.
We also want to make sure that the given file descriptor describes
a regular file.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Update the SELinux for swtpm so that swtpm can be launched from
libvirtd and QEMU can access swtpm's UnixIO socket and talk to it.
Use this as follows:
> cd src/selinux
> make clean all
> semodule -i *.pp
> restorecon /usr/bin/swtpm*
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement support for uid and gid parameters that allows us to set the file
ownership of a UnixIO socket.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement support for a mode parameter that allows us to set the file
mode bits on a UnixIO socket.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create tpmlib_register_callbacks and call it to register the
libtpms callbacks a lot earlier. Before it was done in tpmlib_start,
which was invoked by CMD_INIT, which was after state blobs could
have been set already.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Validate the state blobs after they have been set (during
state migration) so that we can fall back to the migration
source in case they are not accepted by the TPM.
This patch requires the latest version of libtpms 0.6
from the master branch.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Avoid using the expect tool as much as possible. Use it only if
the user requested a special owner and/or SRK password.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the passwords as specified by the user also when only temporarily
taking ownership. Use the zero password in case nothing has been
provided by the user. This is a first step to loosen the dependency
on expect, which pulls in too many dependencies.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
In case the poll() is interrupted by a signal handler and we
get EINTR, we loop again assuming that the signal handler will
send us a notification to end.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
POLLERR is indicated in some error cases when using the chardev with the
vtpm_proxy with runc. In case the flag is set, we terminate the client
connection rather than endlessly looping.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
File descriptors 0, 1, and 2, when used for file descriptor passing,
as is the case in some older version of runc/docker-ce (17.06), do
not work. So we refuse accepting these values and log the error message.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Only pass through the vmid parameter to the tool creating the cert
if this parameter was set. The tool creating the cert may require
it or ignore it and is supposed to be able to track certificates
for which it minted certs using this parameter.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The certificate chain could not be verified due to a wrong
API call for getting the authority key id where the key id
was gotten instead.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Determine the size of the unix_path parameter and then only copy
those number of bytes + terminating null into the destination.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Determine the size of the unix_path parameter and then only copy
those number of bytes + terminating null into the destination.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Check whether filename and input pointers are NULL pointers.
Per previous code this is currently not possibly but should
resolve some issues with Coverity.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use void * for the command rather than tpm_header *, which we do
not need. This addresses a few Coverity complaints.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Move some of the debugging output into its own function and
differentiate output by TPM Version number.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add options --overwrite and --not-overwrite to allow or prevent
overwriting of existing TPM state. If neiter of the options is
given and existing state is found, an error is returned.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement a command for setting and querying the buffer size the
TPM implementation (libtpms) is using. The setting of the
buffersize allows to reduce the size of the buffer to a size
that the interface can support so that these two sizes match
and the TPM will not produce larger responses than what the
interface can support.
Extend swtpm_ioctl with an option to set the buffersize.
Adapt the existing tests to reflect the newly supported command.
Implement a new test for getting/setting of the buffer size.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Changeset aa3999 introduced a segfault when calling
ctrlchannel_set_client_fd() with a NULL pointer. Like all the other
functions, we return with -1 in this case.
Since the segfault occurred on process shutdown no problems were
noticeable through bad test results or so.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Introduce another parameter to ctrlchannel_new and server_new
to pass the Unix socket's path. Implement ctrlchannel_free and
server_free to clean up and remove the Unix socket's path.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement ctrlchannel_set_client_fd() to set a new client
fd and return its current value.
Use this new function to set the file descriptor to -1 upon
closing its associate file descriptor in the main loop.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement server_set_fd() function to get the current file descriptor
and set a new one on the server structure.
Use this function to transfer the server file descriptor from the
server structure to the mainloop structure and have the main loop
close the file descriptor.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
On OpenBSD the socket's name would be cut short by one letter at the
end due to an off-by-one for the calculated sockaddr struct's length.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The control channel of a UnixIO socket is not supported
on Cygwin, so do not present this flag. Return an error
if this command is run.
Adapt the test case.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cast the exponent to unsigned long int to avoid a compiler
error reporting comparison of signed and unsigned integers.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Consider TPM_PORT environment at the time of parsing server options. This way we
can avoid the code duplication, hence removed obslote code.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
As objected by QEMU upstream developers to use two different sockets for
starting/using of swtpm, This commit adds support for passing unix domain
socket over control channel.
The summary of the changes include:
- Defined new control command CMD_SET_DATAFD, using this clients can send data
socket.
- set mlp.fd and mlp.flags outside of the mainloop
- updated the testcases
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
In preparation for receiving control messages via UnixIO sockets,
switch to recvmsg() for receiving the first chunk of data.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Enable receiving control commands in small chnunks. Allow 500ms
for the whole control command to be received.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add the missing PTM_CAP_GET_CONFIG to the returned flags.
Fix the order of the flags on the way.
Fix the test cases that test for the flags.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Remove the check for the FUSE_IOCTL_COMPAT flag to make a 32bit
CUSE swtpm work on 64bit host.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Fix possible illegal buffer access in case a character device
is used via ioctl. In this case we have to make sure we only
access the number of bytes in the ioctl structure itself.
In case of a socket, make sure we received enough bytes to
be able to access the payload.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Change the startup behavior with respect to requiring an INIT command
via control channel. We change this for the socket and chardev
interfaces so that the behavior now is the same as that of the CUSE
interface.
Introduce the --flag not-need-init command line option for the socket
and chardev interfaces to allow the old behavior using this option.
Adapt some of the test cases and swtpm_setup.sh.in that now need this
command line flag.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Allow running swtpm_setup directly as tss user using the following
command lines as an example for how to do it:
mkdir /tmp/test-tss
chown tss:tss /tmp/test-tss
chmod 770 /tmp/test-tss
su -c "swtpm_setup --tpm-state /tmp/test-tss" -s /bin/sh tss
This change prevents us from requiring invocation under the root
user.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Replace the show_help variable with change_user varaible with
opposite logic. The name of the variable is better for upcoming
changes.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
If the return code from the command processing function is 0,
get the error code from the command response and return that one
instead. The problem was that clients though resetting the
establishment bit worked in locality 0 for example, while it did
not.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Return the number of bytes received in case ctrlcmd does not
use an ioctl because in this case we need to know how many bytes
we received in the response.
The receiving of the state blob also needs to take into account
how many bytes were received in the initial response so we write
the proper amount of bytes from that response into the file.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
While parsing the options we modified the argv[] values and
the commas disappeared, which showed when checking for the
swtpm processes using 'ps'. So, work on a copy of the options
parameter.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
There was an offset bug in the code getting the state blobs
from a client.
Also fix an endianess bug in a control channel command.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement allow-set-locality for CUSE TPM and extend the existing
locality test case with commands that try to write the SetLocality
comamnd to the device.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement support for --locality allow-set-locality option that
is primarily useful in cases when the VTPM proxy access is enabled
by file descriptor passing.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add options for locality handling so that commands in locality
4 for example are rejected per command line parameter. This is
useful when the vTPM is used with containers.
Also implement the custom TPM/TPM2_SetLocality command to allow
the Linux vTPM proxy driver to set the locality in which subsequent
TPM commands will be executed.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Fix the missing check of return code from handle_server_options
to check for negative value like all the other checks also do.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use logprintf wherever possible. While the logging is not set up,
print error messages to stderr and prefix them with 'swtpm: '. After
the logging has been set up all error messages go into the log file.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use a buffer for printing in TPM_PrintAll. Emit the buffer
upon a new line. This prepares for printing every line with
a prefix.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add MAIN_LOOP_FLAG_READALL for non SOCK_STREAM client sockets. This allows
reading all socket data once.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
swtpm server is closing the client data connection after serving a single
request, which shall not happen. Hence added MAIN_LOOP_FLAG_KEEP_CONNECTION
mainloop flag to keep the client data connection alive, till client is alive.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
New option '--ctrl clientfd=<fd>' is added to the control socket parameters.
The passed 'fd' is used as control channel client-fd and treated as single
client mode.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Initialize variables in ctrlchannel_return_state so that all error cases
are properly handled.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Set the default log level to 1 so that console output is shown.
This can be turned off with --log level=0
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Following the example in the Appendix A.1 of the TCG EK Credential
Profile Spec Version 2.0, a ASN.1 SET is supposed to be created for
each one of the items. This patch fixes the format.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the GNUTLS 3.5 function gnutls_x509_crt_set_subject_alt_othername
to set the TP<M and platform manufacturer info since the other function
does not accept binary data.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Expose the logging level to the command line by extending the
log option with a level parameter.
Extend the man swtpm man page with the level parameter.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Introduce a log level for the logging functions. The log level
is defined by the number of spaces used for indentation. Adapt
the log functions to only log when the number of leading spaces
in a string is appropriate for logging.
Call the log function of libtpms to set the file descriptor to
log to, the log level, and log line prefix.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Fix the missing mentioning of the bindaddr and ifname parameters for
the --server option on the help screen.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement the option --vtpm-proxy that create a Linux vtpm proxy device
and makes the chardev TPM listen on the anaonymous file descriptor that
is returned from the ioctl creating the device.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Detect whether to build with the chardev interface and only run tests that
need the chardev if it is supported on a particular platform.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Support --tpm-state option as an alias for the --tpmstate option.
--tpm-state is a parameter that is also supported by the swtpm
program, so for consistency reasons we should have the same name
for the option here.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add support for UnixIO and TCP control channels. Both types of
transport require that packets are sent in big endian format
and therefore some code needs to be adjusted for that. The
ioctl interface is local and in that case no endianess conversion
is done.
Add a new test case that uses the extended swtpm_ioctl tool to
test the control channel.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Fix a typo in two command names so that they are similar to
the command name spelling used for the ioctl's.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Fix the size of the receive buffer input.body to match the largest
buffer any type of command has.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Deactivate the code around resetting the TPM established bit
since its implementation currently requires libtpms 0.6.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement two more control channel commands:
- CMD_STORE_VOLATILE
- CMD_HASH_DATA
Implement test cases.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add support for --connect option for the socket version of the TPM.
This parameter takes the type, port, file descriptor and disconnect
options. Only TCP connections are currently supported.
See updated man pages.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Only let certain commands that are cancelable be processed
by the thread. Directly process all other commands.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Rather than checking whether the given file descriptor is a character
device, check whether it is one of the unsupported ones. This addresses
a problem when passing anonymous file descriptors that are not character
devices.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Move the code to change process ownership into its own function and enable
--runas|-r <owner> in all implementations.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
If the 'swtpm chardev' receives an error on write() or not all bytes
could be written, log an error and terminate.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the macros defined in endian.h for endianess conversion.
Fix the conversion of a 64bit variable.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Replace the CUSE TPM with the new BSD implementation.
Update the license references and the license itself.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Eric Richter implemented a clean-room skeleton CUSE driver which
we will now convert to the CUSE TPM. The goal is to replace the
GPL CUSE TPM implementation with this 3-clause BSD implementation.
Among other things, this makes it easier to link with OpenSSL.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Extend the swtpm_bios tool with an option to give up physical presence.
Have the TPM error codes reflected in the exit error of 128.
Add a test case for the tool.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Move src/swtpm/swtpm.h.in to include/swtpm.h.in to make it commonly
available. Adapt all other programs to use it and display version information
in the help screen.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement a control channel for the 'chardev' swtpm that implements
a minimal set of control messages for now.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add support for 'swtpm chardev' that listens for TPM commands on a given
character device and sends responses through it.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Remove the hardcodes tss user and group and to configure with
--with-tss-user=tss --with-tss-group=tss to set the tss user
and group to be used.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Check for an existing device with the same name and print an error
if the device already exists.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add support for the --tpmstate dir=<dir> command line parameter.
It will be used instead of the TPM_PATH, unless it is not set.
Adapt two test cases for the new parameter.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add support for --pid file=<pidfile> command line parameter support.
The swtpm_cuse and swtpm now write their process IDs (pids) into
a file.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Disable the chown commands when building an RPM; we try to detect this
by the usage of DESTDIR.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Some more changes to tpm_ioctl.h including
- comment for request and response part of an ioctl
- unified format
- prefix all constants with PTM_
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Remove the extension of PATH to the local dir('.') from swtpm_setup.sh
and adapt test cases accordingly.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cleanup the code a bit:
o added description to several functions
o remove empty lines between functions
o cleanup the usage screen
o fix the parameters to logerr
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The receiving of TPM state blob ends when the last byte has been copied
into a response to the user. No more request need to be sent afterwards.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
If a blob with length 0 is set, we make sure the corresponding file
that would hold this blob is not available.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Support the read/write interface and POSIX API calls for transfer of
TPM state blobs.
Extend the swtpm_ioctl program to support this as well. Use the
environment variable SWTPM_IOCTL_BUFFERSIZE to set the size of the
buffer to use and enable the read/write interface in this (test)
program.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Since POSIX reserves the *_t namespace of types, remove it from
all our typedefs. While doing that, adjust the typedefs to all have
the prefix ptm_ .
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Move the code to get the TPM state blobs into is own function and introduce
a caching layer that retrieves the state blob from the TPM once and has
subsequent requests to copy the state work on the cached blob.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add an ioctl that lets an application retrieve which keys are in use by the
TPM, i.e., file encryption or migration key
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The migration key ensures that TPM state blobs, when retrieved using the
ioctl for getting state blobs, are always encrypted with this key.
When the state is later on loaded back into the TPM using the ioctl
to set the state blobs, the migration key is used to decrypt them.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Have the crypto functions use a key as a parameter rather than having them
operate on a specific fixed key.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Break the key parsing function apart into a common parsing function
and one specific to the file encryption key.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Prepend a header in front of all blobs retrieved from the TPM.
Write flags into this header indicating whether the blob is
encrypted.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Integrity protect the TPM state when it is written in entrypted form.
libtpms state (for TPM1.2) is also integrity protecting the blobs, but
we better determine the integrity of the decrypted data on the layer
above it.
Change the type of the len variable from size_t to ssize_t for
comparison against neg. values to work.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Change variable type of val1 and val2 from unsigned char to char for
the comparison with neg. numbers to work.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add documentation to the options source code and introduce an explicit
default value to return in case an option was not found while parsing.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
On rare occassions TCSD refuses connections after start and nothing
works; so we test the connection with TCSD and kill it if it doesn't
work.
This now seems to fix the tests/test_parameters that occosionally
had been reporting an error.
Only allow a single command per TCP connection to be sent to
the socket TPM. This solves a problem with the test_parameters
testcase where the TPM seems to get stuck in the poll().
However, the testcase still is not entirely error-free.
Add new ioctls to get and set the 3 different types of state blobs
from and to the CUSE TPM. Add test cases for testing the new ioctl's
on a CUSE TPM that stores the state encrypted and on a CUSE TPM that
stores it non-encrypted.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Only root can change the ownership of swtpm_setup.sh to tss:tss, so
only root can install the file.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Protect the stack, create position indep. executables, use Relocation
Read-Only (RELRO) and have the linker resolve all symbols upon
program start.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Extend configure.ac to make SELinux policy extension support
chooseable. By default configure will check whether SELinux
support is installed on the local system and will add SELinux
policy extension support if support is found.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Don't build up a global LIBS variable but put the libraries into
individual variables that can be used for linking individual programs
with. Do the same for CFLAGS.
