While libtpms does not provide any means to disable FIPS-disabled crypto
algorithms from being used, work around the issue by simply disabling the
FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit
swtpm with a failure message that it cannot be disabled. If FIPS mode
was successfully disabled, print out a message as well.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090219
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To be able to test-compile with include/swtpm/tpm_ioctl.h in configure.ac
move the definition of __USE_LINUX_IOCTL_DEFS out of the configure script
into the header file so that the #define is there when needed. In the
configure.ac script the CFLAGS were extended only after the test-compiling
to determine the HARDENING_CFLAGS and the test-compilation failed on Cygwin
(only) since the tpm_ioctl.h didn't compile because of this missing
#define.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add probing for -fstack-protector to the existing
-fstack-protector-strong since not all platforms support either one
of them.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option that allows for the configuration of the default PCR bank
to use. This was currently hard coded to sha256 and now may be passed
via this option. The fallback is still sha256. Valid PCR bank names are
sha1, sha256, sha384, and sha512. The passed list must be a comma-
separated list of the valid PCR bank names.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the EVP_CIPHER implementation for the AES CBC computations. This
API has been supported already in OpenSSL 1.1.x for sure and is also
not deprecated in OpenSSL 3.0.
This now resolves issue #538.
We can build src/swtpm without having to suppress deprecated API warnings.
Since this is the last issue related to OpenSSL deprecated APIs, we don't
need to suppress any OpenSSL 3.0 deprecated API warnings anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the (undocumented) OPENSSL_SUPPRESS_DEPRECATED to suppress the
deprecated API warnings when compiling swtpm and swtpm_setup with
OpenSSL 3.0.0 replacing the global -Wno-deprecated-declarations.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To be able to build with OpenSSL 3.0 we need to added
-Wno-deprecated-declarations to the default CFLAGS.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid the following warning use MY_ as a prefix for the offending
variables that have AM_ as a prefix:
configure.ac:587: warning: macro 'AM_CFLAGS' not found in library
configure.ac:590: warning: macro 'AM_LDFLAGS' not found in library
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Move swtpm_localca's sources out of samples/ (where they no longer
belong now that swtpm_localca is a binary) to src/swtpm_localca/.
- Tests now call the swtpm_localca binary directly at the location
where it was built, as they do with all other compiled programs.
- Simplify samples/swtpm-localca.in and delete swtpm-localca.2inst,
removing the now-unnecessary logic to selectively call swtpm_localca
from different locations (samples/ when running tests vs. /usr/bin/
post-installation).
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
- Makes swtpm_setup.conf.in consistent with the rest of the sample
configuration files in swtpm, whose templates ship in samples/ and
install the generated files to /etc.
- Works around dh_missing(1) erroneously reporting swtpm_setup.conf as
non-installed due to its having two copies in the build tree (one in
etc/ and another in debian/tmp/etc/).
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Use a different script for local testing that what is installed into
/usr/share/swtpm/swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace the binary swtpm_localca with a script that now calls the binary
swtpm-localca, which is to be installed in $bindir.
So that we can use this for script for calling swtpm-localca during testing
(when it is not installed), write the script in such a way that it de-
termines whether there's swtpm-localca in the same directory and if not call
it from ${bindir}/swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Currently multiple spaces are used when a single one would do,
which will still achieve the same result but is not quite as
aesthetically pleasing :)
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
This will result in -D_FORTIFY_SOURCE=2 actually being added to
HARDENING_CFLAGS where applicable.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Resolve autoreconf warnings:
configure.ac:602: warning: macro 'AM_CFLAGS' not found in library
configure.ac:605: warning: macro 'AM_LDFLAGS' not found in library
Signed-off-by: Tomasz Kłoczko <kloczek@github.com>
autoreconf from autoconf 2.71 emmits a lot of warnings:
```
+ autoreconf -fiv
autoreconf: export WARNINGS=
autoreconf: Entering directory '.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
aclocal: warning: couldn't open directory 'm4': No such file or directory
configure.ac:587: warning: macro 'AM_CFLAGS' not found in library
configure.ac:590: warning: macro 'AM_LDFLAGS' not found in library
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
autoreconf: configure.ac: not using Intltool
autoreconf: configure.ac: not using Gtkdoc
autoreconf: running: aclocal --force -I m4
configure.ac:587: warning: macro 'AM_CFLAGS' not found in library
configure.ac:590: warning: macro 'AM_LDFLAGS' not found in library
autoreconf: running: /usr/bin/autoconf --force
configure.ac:29: warning: The macro `AC_CONFIG_HEADER' is obsolete.
configure.ac:29: You should run autoupdate.
./lib/autoconf/status.m4:719: AC_CONFIG_HEADER is expanded from...
configure.ac:29: the top level
configure.ac:53: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:53: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:53: the top level
configure.ac:76: warning: The macro `AC_HEADER_STDC' is obsolete.
configure.ac:76: You should run autoupdate.
./lib/autoconf/headers.m4:704: AC_HEADER_STDC is expanded from...
configure.ac:76: the top level
configure.ac:81: warning: The macro `AC_TYPE_SIGNAL' is obsolete.
configure.ac:81: You should run autoupdate.
./lib/autoconf/types.m4:776: AC_TYPE_SIGNAL is expanded from...
configure.ac:81: the top level
configure.ac:202: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:202: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:202: the top level
configure.ac:279: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:279: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:279: the top level
configure.ac:434: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:434: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:434: the top level
configure.ac:441: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:441: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:441: the top level
configure.ac:521: warning: The macro `AC_HELP_STRING' is obsolete.
configure.ac:521: You should run autoupdate.
./lib/autoconf/general.m4:204: AC_HELP_STRING is expanded from...
configure.ac:521: the top level
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:40: installing './compile'
configure.ac:43: installing './config.guess'
configure.ac:43: installing './config.sub'
configure.ac:41: installing './install-sh'
configure.ac:48: installing './missing'
samples/Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
autoreconf: Leaving directory '.'
```
Execute autoupdate to apply all those chenges and then cleanup that
in next commits.
Signed-off-by: Tomasz Kłoczko <kloczek@github.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Having the spec file in the top-level directory of the dist
archive makes it possible to build rpms with a single,
convenient command.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
This is a 1:1 rewrite of swtpm_localca in 'C' as a final step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent),
Fedora 28 PPC Big Endian
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This is a 1:1 rewrite of swtpm_setup in 'C' as a first step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
RHEL 7's gnutls 3.3.29 does not take the private key passwords like later
versions take it. We require at least 3.4.0, though I am not entirely sure
when that change occurred. We may actually require >3.4.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Some distros (openSUSE) have deprecated the 'net-tools' package,
so we allow for 'ss' as an alternative tool from the
iproute/iproute2 package. This is only relevant for test cases.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The only place where pip is required is in src/swtpm_setup/Makefile.am, l. 48,
to uninstall a manually built package. Most people will have pip already
installed, since it comes bundled with Python by default. It might not be
installed by default in minimal build environments used for distribution
packaging, but these rely on the file tracking by a package manager instead of
using "make uninstall".
In conclusion, I think requiring pip is only helpful for a very limited number
of people, and is just a superfluous build dependency for distribution
packagers. Issuing a warning that the package cannot be uninstalled cleanly if
pip is not found seems enough.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Distributions often have their own guidelines regarding installation of Python
modules (e.g. Arch Linux mandates using --optimize=1 for setup.py install,
which the Makefile in this project does not do). Add an option
"--disable-python-installation" (disabled by default) to allow skipping the
Python installation process entirely so that distributions can take care of
this process manually in their preferred way.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Clang complains if eiher one of those linker flags are used during compilation:
clang-9: error: -Wl,-z,relro: 'linker' input unused [-Werror,-Wunused-command-line-argument]
clang-9: error: -Wl,-z,now: 'linker' input unused [-Werror,-Wunused-command-line-argument]
This patch applies those flags only when linking.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Cygwin's linker does not support -Wl,-z,relro and -Wl,-z,now and
AC_COMPILE_IFELSE did only compile but not link, so it wouldn't detect
whether these flags are supported. So, use AC_LINK_IFELSE to detect
support for these flags.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of the 'c' code that only changed the user and add for support of
the --runas option to change to a different user in the python part.
To get 'make distcheck' to work I needed to name the swtpm_setup python
script with the suffix .in so that it gets copied to the build directory
as swtpm_setup. We need to change execute permissions on this file after
copying.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Rewrite swtpm_setup.sh in python. Use a permanent connection from the
tool to swtpm via passing file descriptors of a unix socketpair. Implement
all functionality in python so that we don't rely on trousers and tpm-tools
for swtpm_setup. This now allows any user to setup a TPM 1.2 whereas before
it had to be root or the tss user.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
