When the ${HOME} directory is used for finding swtpm_setup.conf it is
to be found in ${HOME}/.config/swtpm_setup.conf.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolves: https://github.com/stefanberger/swtpm/issues/664
Add support for --reconfigure option for the swtpm_setup to be able to
change the active PCR banks. This option only works with --tpm2 and does
not allow to pass several other options such --create-ek or
--create-ek-cert or --create-platform-cert that would alter the state of
the TPM 2 in other ways.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the user did not provide the PCR banks to activate through the command
line options, try to read it from the config file and if nothing is found
there, fall back to the DEFAULT_PCR_BANKS as set during configure time.
Move the check for the PCR banks after the access check to the
configuration file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for skipping over creating the files
if any one of the config files already exist.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the option --create-config-files to create config files
for swtpm_setup and swtpm-localca for a user account. The files will
be created under the $XDG_CONFIG_HOME or $HOME/.config directories.
This option supports optional arguments 'overwrite' to allow overwriting
existing config files as well as the optional argument 'root' to create
config files under root's home directory. Both options can be passed
by separating them with a ','.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement get_supported_tpm_versions to get swtpm's support for TPM 1.2
and TPM 2 and use it error out in case user choose a TPM version that
is not supported. Also display the supported TPM versions in the
capabilites JSON.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Write the EK certificate files into the directory specified as parameter
to the --write-ek-cert-files option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Move content of swtpm-localca(8) manual page to swtpm_localca(8)
and make swtpm-localca(8) an alias for swtpm_localca(8), mirroring
the fact that /usr/bin/swtpm_localca is the actual program and
/usr/share/swtpm/swtpm-localca a wrapper for it.
- Change references to `swtpm-localca` in manual pages' content to
`swtpm_localca`, reflecting the actual name of the program they are
meant to document.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Write a note in swtpm_setup's help screen and man page that the usage
of --allow-signing will lead to a non-standard EK. Be more precise in the
man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Extend swtpm_setup.pod showing swtpm-create-user-config-files usage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the --print-capabilities option to also report supported RSA
key sizes. Only the TPM 2 may support anything else than 2048 bit RSA
keys, so we only consult 'swtpm socket --tpm2 --print-capabilities'
and grep for 2048 and 3072 key sizes and report them.
If nothing is found, nothing is reported, as before, and 2048 bit RSA
keys should be assumed.
'swtpm_setup --tpm2 --print-capabilities' may now show the following:
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"tpm2-rsa-keysize-2048",
"tpm2-rsa-keysize-3072"
]
}
Also adjust a test case to use a regular expression for matching
against an expected string that may nor may not have rsa-keysize
verbs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the host is missing tcsd (trousers) or the tpm-tools, swtpm_setup
will now report the 'no-tpm12-tools' verb like this:
> swtpm_setup --print-capabilities | jq
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"no-tpm12-tools"
]
}
The only TPM 1.2 setup parameter that requires interaction with
the TPM 1.2 that can be pass is then '--createek'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the --tcsp-system-ps-file option to make a backup of
TCSD's system_ps_file for later use of the setup TPM with the
TCSD. We need this for a test case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement command line support for choosing the cipher to use for
the TPM state encryption. Either aes-128-cbc or aes-256-cbc can be
used. The same cipher has to be passed on the swtpm command line
when using the TPM.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement --pcr-banks to allow a user to choose the set of active
PCR banks. We determine the PCR banks available and enable those
that the user chose and that are available.
The log will now print out the following:
Successfully activated PCR banks sha1,sha256 among sha1,sha256,sha384.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Extend the swtpm_setup man page with an example for how a non-root
user can create a TPM 2 with an EK and platform certificate.
Document the default locations of the config file swtpm_setup uses.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add the --decryption option to enable key encipherment separately
from enabling signing for the EK. The key encipherment is not set
but needs to be set if --allow-signing is used and key encipherment
is also requested.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Support TPM 2 in swtpm_setup and swtpm_setup.sh.
Implement support for all command line options except for:
o --take-ownership and anything related to ownership passwords
o --lock-nvram
o --display
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the new --info parameter for swtpm_ioctl to get TPM specification
info from the swtpm and use this as a parameter for creating the EK
certificate.
Extend the man page.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Only pass through the vmid parameter to the tool creating the cert
if this parameter was set. The tool creating the cert may require
it or ignore it and is supposed to be able to track certificates
for which it minted certs using this parameter.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Add options --overwrite and --not-overwrite to allow or prevent
overwriting of existing TPM state. If neiter of the options is
given and existing state is found, an error is returned.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Allow running swtpm_setup directly as tss user using the following
command lines as an example for how to do it:
mkdir /tmp/test-tss
chown tss:tss /tmp/test-tss
chmod 770 /tmp/test-tss
su -c "swtpm_setup --tpm-state /tmp/test-tss" -s /bin/sh tss
This change prevents us from requiring invocation under the root
user.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Support --tpm-state option as an alias for the --tpmstate option.
--tpm-state is a parameter that is also supported by the swtpm
program, so for consistency reasons we should have the same name
for the option here.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
