Create orderly NVRAM indices and then clear the TPM 2 so that NvDeleteRam()
gets executed and we get better code coverage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Modify the test_tpm2_save_load_state_3 to create 2 orderly NVRAM indices
in the first two locations. Those indices will be cleared by a reset
of the TPM and therefore cannot be read once the TPM 2 restarts after
the reset. This also provides better test coverage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The IBM TSS2 is available starting with Bionic. Use it there
to extend the test coverage of the code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To make the test cases work on Travis on Bionic replace all occurrences of
localhost with 127.0.0.1. The only affected client tools seem to be those
related to the TPM 1.2 and the IBM TSS2. For some reason the API used
there cannot resolve localhost to 127.0.0.1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The simplest way to detect whether SWTPM_EXE is a 64 bit application on
Linux is to check whether it links against any library in a */lib64/*
directory and only if this is the case we run a particular test case for
which we know what keys 64 bit TPMs are producing given a pre-created
state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Upgrade to use the IBM TSS2 tests from v1.4.0 but eliminate all testing
with 3072 bit RSA keys.
This test also passes with libtpms 0.6.0 and 0.7.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
'swtpm chardev --vptm-proxy' currently requires a '--flag startup-xyz'
to be passed since otherwise the need_init_cmd variable would not be
set to false and swtpm would terminate after sending the startup
command. To maintain backwards compatibility we have to always
set the need_init_cmd variable to false for the --vtpm-proxy case
and must not require a startup flag to be passed.
Roll back one of the test case to not use the startup flag.
Fixes: e6bc4bdf0 ('swtpm: Enable sending startup commands ...')
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
libtpms may not support TDES, so we have to skip test case 4 in
case we encounter an allowed error message.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Adjust the vtpm proxy test case and others to make use of the new
startup options. Make sure that subsequent Startups sent to the
TPM fail with the expected error code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Give swtpm more time to close the port. This became an issue when running
the tests and all executables are valgrind'ed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for the --print-capabilities option to display newly
added capabilities. Adpat the man page and related test case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow passing signing key and parent key via files and file descriptors
and environment variables. Adapt a test case to exercise this new
functionality.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address several issues reported by shellcheck and protect
variables with quotes so we now can have filenames with spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch addresses several issues found with shellcheck. In particular
it now enables variables with spaces in them, such as file paths that
contain spaces.
Adjust one of the accompanying test cases to use spaces in the path.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Protect variables with quotes so that pathnames with spaces are now
supported.
Adjust the accompanying test case to make use of spaces in file paths.
Address several issues found by shellcheck. Some of them are false
positives especially when it comes to protecting variables passed
to a commaned in an 'eval' line. They must not be protected, otherwise
they are not passed correctly.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The Ubuntu (PPA) build system executes the build on an environment that
has problems with seccomp profiles. It does not allow us to run the test
suite with swtpm applying its seccomp profile since it fails with a
'bad system call' error. To work around this we introduce the env. variable
SWTPM_TEST_SECCOMP_OPT that we can set to "--seccomp action=none" to avoid
having swtpm apply it seccomp profile.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Move wait_port_open and wait_port_closed to common file and handle
the timeout errors in test_commandline.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Wait for the PID file to appear rather than reading it right away.
This addresses an issue when runnin the test suite under valgrind
(make -j $(nproc) check).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
SWTPM_EXE may be 'valgrind ... swtpm', so we have to protect it with quotes
when passing it as a parameter to a function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Delay the reading of the PID file if it is found to be empty.
This can happend if swtpm is run by valgrind.
Also, use the passed parameters rather than the global ones to check
the PID file contents against the expected pid. So far this worked
because PID and PID_FILE were variables used by every caller.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When running the TPM 1.2 vtpm_proxy test cases by launching the
swtpm with valgrind it may take a long time for the log to be
written and the device to appear. This is due to the self test
of the TPM 1.2 taking a while. So we need to move the reading
of the device into a loop and set the timeout of the loop to 10s
so that it passed under these circumstances.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The byte stream contained the TDES identifier at the wrong position,
so no TDES key was created. This patch fixes this but needs an update
to libtpms since some unmarshalling/marshaling code related to TDES
was missing there as well.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the existing key derivation test case for TPM 2 with test cases
that use a newer TPM 2 state where we now exercise the new
CryptAdjustPrimeCandidate algorithm that produces the same results on
big and little enidan 32 bit and 64 bit machines. This newer algorithm
is available in libtpms with revision 155 of the TPM 2 code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use v1.3.0 of the IBM TSS 2.0 repo.
Depending on the revision that libtpms implements, some test cases have to be
replaced with empty files.
The test suite now works with the libtpms stable-0.6.0 and stable-0.7.0
branches. A patch fixing an NV PIN issue needed to be applied to those
branches.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The test_print_capability is failing if SWTPM_EXE is for example
holding more than one parameter like 'valgrind ... /bin/swtpm' since the
variable was not protected with quotes. This patch fixes this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the test environment is running in a seccomp profile do not check
that the seccomp profile of the swtpm process runs with the action
provided in --seccomp action=... since the environment may override
this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get the PID of the started swtpm from the shell and validate it
against the contents of the pidfile afterwards.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add TPM 1.2 test cases to test_parameters for testing the passing of key
and passphrase via file descriptor. Also extend the test to check whether
the state files are encrypted.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Make sure that when keyfile/keyfile-fd or pwdfile/pwdfile-fd are passed
to swtpm_setup that the resulting state is actually encrypted. We check
for encrypted state by making sure that 4-byte sequences of 0-bytes are
not there while they are there for un-encrypted state.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The old prime number generation algorithm also does not return
the same numbers on ppc64 (big endian) as on x86_64 or ppc64le,
so do not run the test there.
Signed-off-by: Stefan Berger <stefanb@linu.ibm.com>
When the PID_FILE is passed to swtpm as a file descriptor in one test,
we already create a file without content when running
'exec 100<>$PID_FILE'. So we have to extend wait_for_file to also
wait for file content since the 0.2 seconds delay are sometimes not
enough for content to have been written. Otherwise we do not get the
PID of the process. We can extend the function in this way since all
its usages imply that some content should become available.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the IPv6 bindaddr ::1 where available on Linux. Travis doesn't
seem to support IPv6 addresses at the moment.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the previously modified test case to also test on
Darwin now that we are able to convert a file descriptor
to a filename.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
On Linux and Cygwin we can pass a file descriptor for the pid
file, on other platforms it doesn't work (yet).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Pass the --runas parameter to swtpm so we can test switching it
to a given user 'nobody'.
We also have to change ownership of files and directories so that
the nobody user can write the coverage files when swtpm ends.
In the test case we then use the trick of changing file ownership
just before we terminate swtpm, which will trigger the writing
of the .gcda files. We need to have nobody own these files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the mode= parameter of the TPM's state file and a unix
socket to have swtpm set the file mode bits and check that
they are set as expected.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Clean up state files in case the test suite was interrupted
- Allow running it from the test directory by creating an absolute
path for TESTDIR so we can find the patch file; error out in
case the patching fails
- Run test case 2 and 1 as well but ignore ERROR output in case
of test 1. The errors stem from us not restarting the TPM when
the test suite asks for it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a test case that downloads the TPM 1.2 package from sourceforge,
patches a few files for OpenSSL compatibility, and runs a few test
cases of that test suite. Look for ERROR output in the test suite.
This test suite also provides better code coverage for libtpms.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To prevent the test case from failing when an no --prefix is used
when configuring, use an empty options file via /dev/null. Otherwise
swtpm-localca starts looking for the options file in a place where
there is none.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Softhsm cannot be installed as an i386 executable/library and as
a x86_64 executable/library on a Fedora host. The pkcs11 test then
fails since it cannot pick up the libsofthsm.so needed for an i386
executable (swtpm_cert) on a x86_64 host. This fixes test run errors
for run_test.sh by skipping the test in case swtpm_cert returns
a specific error message related to not being able to import the
pkcs11 URI object.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use wait_process_gone with 2 seconds timeout to wait for the swtpm to
have terminated after SIGTERM or connection loss. This avoids test
failures on slow Raspberry Pi 2.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
We need to run the softhsm/pkcs11 test case as root (sudo) under OS X
so that we can write the file /etc/gnutls/pkcs11.conf. However, once
we run the tests as root we cannot run the 'brew ls' command anymore
since it refuses to run with high privileges. So, if we run as root we
need to use sudo to switch to the nobody user to run the 'brew ls'
command that gives us the name of the softhsm pkcs11 module.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
On OS X we need to be able to change /etc/gnutls/pkcs11.conf for
p11tool to pick up the softhsm pkcs11 module correctly. We need
(password-less) sudo to be able to do this.
Unforutnately this test case does not run on Travis since Travis
seems to require passwords under some circumstances.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use SoftHSM to create a pkcs11 URI and then use the pkcs11 URI
to sign the certificate of a TPM 2.0 with this key using swtpm-localca.
This test case works with softhsm >= 2.3.0 on Fedora and should work
with a recent version of Ubuntu. If an error is encountered setting
up the softhsm2 environment, we just skip the test.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Older versions of the IBM TSS2, such as in FC26 for example, behave
slightly different than the code in the test case expects (certain
files are not generated or may have a different name). So gate this
test case with SWTPM_TEST_IBMTSS2 environment variable so we don't run
it by default if the TSS tools are found and so we do not run into
possible errors due to an older version of the stack installed on the
system.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To get better code coverage, convert existing test case to
use one time a hex formatted key and the other time the same
key in binary format.
Do some improvements on the test code on the way.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2 file sizes were missing. Also use $() to execut commands rather
than ``. Use get_filesize to get the size of a file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the swtpm-create-tpmca test with test cases using the
'well known' password of 20 zero bytes if tpmtool supports the
--srk-well-known option.
Besides that, extend the existing test to actually use the TPM CA
for signing a TPM 1.2 or TPM 2 (test) EK and check the contents of the
certificate by grepping through the text info provided by certtool.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Refactor the swtpm-create-tpmca test case so we can use it for
testing with the 'well known' (20 bytes of zeros) SRK password
in the next pass.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Run the TPM CA setup script with a local swtpm and tcsd instance.
We have to take ownership of the TPM and set its SRK passwork so
that the TPM CA setup script can create a signing key as a child
key of the SRK.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Support creation and usage of the root CA with a password protected
private key. The root CA's key password can be set using the environment
variable SWTPM_ROOTCA_PASSWORD.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Some tests are expected to fail. Capture the error output and test it
against epected error output. This also makes the test output less
noisy.
Also remove some other output noise.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Shut down the swtpm process at the end to avoid it being killed
and with that getting noise in the test log.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Get the IBM TSS2 test suite from its git repo, compile it, and run
its test suite if SWTPM_TEST_EXPENSIVE=1 is set.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Wait a few seconds for files to appear or disappear after starting the
swtpm process. This helps avoid test failures when the system is under
load.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add a delay of 0.2s after a file is found in wait_for_file so that the
process can also write into it. Sometimes we are also interested in the
content and don't seem to get the content since we didn't wait for
the file to have been written to. It happens occasionally when the system
is under load that we don't seem to be able to read the file content
afterwards.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To avoid timeouts when running the tests with valgrind, increase
the timeout until the swtpm process must have terminated after a
shutdown signal to 4 seconds.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Call a function display_processes_by_name that displays all processes
if needed. The function is quiet, though.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Fedora policy seems to be to use python3 explicitly for the hashbang
rather than python, which could be either python2 or python3. So convert
it to python3. Also adapt configure.ac to require python3 executable.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use pbkdf2 as the default kdf and sha512 for the existing
test case. Do away with file limit of 32 bytes. This may
break backwards compatibility for some but better to do this
before a release...
Switch the existing test cases to use kdf=sha512 on the command
line where necessary to that the state for these test cases
does not need to be recreated.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
On some systems /bin/bash does not exists but the bash is somewhere
else and can be invoked with /usr/bin/env bash.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Some test cases that root has to run did not pass the out-of-tree
builds. We need to pass the top level source dir to these test cases
and change some variable accessing config files to the right directory
for the out-of-tree build to work.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
If the file descriptor 100 is open prior to trying to open
it, it must be closed first on OS/X, otherwise we get test
case failures due to interrupted connections.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The -cs parameter to swtpm_bios is like -c -s and therefore ambiguous.
Use the unambiguous long version --cs. This makes the test case work
on NetBSD, which does not support getopt_long_only().
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
test_tpm2_ctrlchannel2 was not active and was not complete. This
patch fixes the test case and activates it. It uses chardev, so
it needs to be gated by WITH_CHARDEV.
Signed-off-by: Stefran Berger <stefanb@linux.vnet.ibm.com>
With the SAN data in the certificate properly generated and accepted by
certtool, we can now activate the test case for swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
On Cygwin the swtpm_setup executable is located in src/swtpm_setup/.libs
dir and we need to copy the swtpm_setup.sh file there as well.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Introduce compile-time variable HAVE_TCSD if the TCSD could
be found. It influences whether TPM 1.2 related swtpm_setup
test cases can be run. If it is set, they can be run.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Run TPM 2 related swtpm_setup tests under less restrictions.
For TPM 2 related tests only WITH_GNUTLS, which allows swtpm_cert
to be built, needs to be set since swtpm_setup is now being built
under all conditions.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Remove the requirement to run the test_tpm2_swtpm_setup_create_cert
test with root rights. It's not necessary to run this as root.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Pass the top_builddir and top_srcdir via TESTS_ENVIRONMENT
variable in Makefile.am.
Use TESTDIR for the path to the test directory and replace
previously used DIR in all occurences.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Adapt the loop that is polling for the authentication failure due
to lockout until a certain time. We run the tests also when $timeout
has been reached but don't care for the result if it failed. This
accomodates slow or busy systems that run some of the commands too
slowly and allow the TPM to release the lockout.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
A few files were wrong in the EXTRA_DIST file list due to changes to
test cases. Add the proper files.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Test that a key written to volatile state is properly loaded again
and produces the same signature as before.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Test the certs created by swtpm_localca by verifying the certificate
chain and checking their key usage.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add a test case that tests the TPM 2 volatile state. This test
requires the latest TPM2 version of libtpms that also writes the
TPM Established bit into the volatile state.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Check the TPM2 state using the TPM2 utilities, if available.
Create persistent state and check it, then shut down the TPM 2 and
restart it, and check the persistent state again.
Use previously created state and have the TPM 2 start with it
and check the persistent state. The persistent state must be
readable on little and big endian machines.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
libtpms preview branch tpm2-preview.rev142 enables volatile state
marshalling and unmarshalling which in turn enables the suspending
and resumption of the TPM state. This patch enables the capabilty
bits and adds test cases for testing the TPM state suspending and
resumption.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Provide support for creating certificates for TPM2 ECC type of keys.
Extend the test cases and the man pages.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Support TPM 2 in swtpm_setup and swtpm_setup.sh.
Implement support for all command line options except for:
o --take-ownership and anything related to ownership passwords
o --lock-nvram
o --display
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
TPM2 allows the primary key to also be a signing key, so in case
--tpm2 is provided, --allow-signing can be provided as well in
case the primary can also be used for signing operations.
We use SHA256 for the signing algorithm when TPM 2 is being used.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Extend the swtpm_bios tool with a --tpm2 command line parameter
to support TPM 2 initialization.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Have the test cases wait for the process to be gone after 1s using
wait_process_gone rather than trying use kill -0 once after 0.5s.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Whenever we encrypt the data we generate a new random IV and append a
tlv block with the IV to the byte stream. We mark the IV with different
tags depending on whether they are for the migration data or the (TPM)
data directly. All IVs are part of the HMAC and are added to it after
the data blob.
Adjust test cases that now return larger sizes of data. A constant
checksum over the data cannot be expected anymore, thus we have to remove
the verification of the checksum over the returned state (IV changes
every time).
The size of the blobs grow by 22 bytes, 6 for the tlv header, 16 bytes
for the IV (128 bit AES key).
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Prepend tag-length-value (tlv) headers in front of all data being stored in
the byte stream following the header. This lets us uniquely identify plain
data (= TPM state), encrypted data (= encrytped TPM state), migration data
(which is wrapped plain or encrytped TPM state), and an HMAC block to
validate the plain data.
We keep support for version 1 for reading the data but convert them to
version 2 when writing them out. This way we loose backwards compatibility
(downgrading of swtpm is not possible), but it allows us to extend the state
in the future by adding addition blocks with tlv headers.
Version 1 of the encryption was prepending the hash on the plaintext data
then encrypting all of it. This method is not so good. In version 2 we now
use Encrypt-then-MAC (EtM) where we encrypt the data and then calculate an
HMAC on the encrypted data.
Files written by the swtpm didn't have a header before. Now they also get a
header. This means that the state written into files and the state retrieved
using the API (swtpm_ioctl --save) have the same format, but still differ
in so far as the API wraps the data in a tlv header for migration, which the
files written out as state would never get.
Adapt a couple of test cases show file sizes and hashes have changed now.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Check for a '#define WITH_CUSE 1' line in config.h to determine whether
the swtpm was compiled with the CUSE interface and skip the tests with
the CUSE interface if no such line can be found.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Poll for process to be gone for 1 seconds after a shutdown was requested
and it was found that the PID file had been removed.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Rather than writing to files directly and having to validate the state in
those files using TPMLIB_ValidatetState(), we now use the new
TPMLIB_SetState() call to set the TPM's state blobs. The advantage of this
call is that it doesn't overwrite state files and ends up leaving state in
files that the TPM cannot use. Instead, it validates the state immediately
when the blob is set and returns an error in case the state cannot be
accepted.
We need to adapt one test case that now gets a failure earlier than before.
Before the TPM_INIT failed, now setting the encrypted blob fails because it
cannot be decrypted and thus cannot be accepted by the TPM.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To avoid test failures in test_ctrchannel2 due to the swtpm process
still running after it has removed the PID file, give it 0.5 seconds
to actually terminate.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the new --info parameter for swtpm_ioctl to get TPM specification
info from the swtpm and use this as a parameter for creating the EK
certificate.
Extend the man page.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
We quetry the swtpm for TPM specification info that goes into the
certificate for the EK.
Update the test cases that now see more capabilties being returned
by the swtpm.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Update the test case test_swtpm_cert to have its issuercert signed
by a created root CA so that we have the Authority Key Id in the cert.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create the TPMSpecification SEQUENCE and add it to the subject
directory attributes of an EK cert.
The code generates the same ASN.1 for the Subject Directory Attributes
as the example in the EK spec has.
> openssl asn1parse -in ${cert} -strparse 603
0:d=0 hl=2 l= 30 cons: SEQUENCE
2:d=1 hl=2 l= 28 cons: SEQUENCE
4:d=2 hl=2 l= 5 prim: OBJECT :2.23.133.2.16
11:d=2 hl=2 l= 19 cons: SET
13:d=3 hl=2 l= 17 cons: SEQUENCE
15:d=4 hl=2 l= 3 prim: UTF8STRING :1.2
20:d=4 hl=2 l= 4 prim: INTEGER :41010000
26:d=4 hl=2 l= 4 prim: INTEGER :7B000000
Extend existing test case so they create the ASN.1 as well.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Loading an invalid state blobs now fails ealier since libtpms is
called to check whether it can accept the blob.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Extend the encrypted state test with a test case using a wrong key
for decrypting the state and make sure that the init fails and the
state files remain unmodified.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement a command for setting and querying the buffer size the
TPM implementation (libtpms) is using. The setting of the
buffersize allows to reduce the size of the buffer to a size
that the interface can support so that these two sizes match
and the TPM will not produce larger responses than what the
interface can support.
Extend swtpm_ioctl with an option to set the buffersize.
Adapt the existing tests to reflect the newly supported command.
Implement a new test for getting/setting of the buffer size.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
