Remove tpm-tools from runtime dependencies. Keep trousers for the
creation of the 'tss' user for now. Add python related dependencies.
Adjust the directory ownership for /var/lib/swtpm-localca to tss:root and
the mode flags to 0750. The new CA now may still be created as tss:tss but
users in the tss group will not have access to it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Rewrite swtpm_setup.sh in python. Use a permanent connection from the
tool to swtpm via passing file descriptors of a unix socketpair. Implement
all functionality in python so that we don't rely on trousers and tpm-tools
for swtpm_setup. This now allows any user to setup a TPM 1.2 whereas before
it had to be root or the tss user.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Modify the pkcs11 related test case to set the environment variable for
softhsm_setup to use the temporary directory for config file and state
of softhsm. Also set the SOFTHSM2_CONF environment variable since
certtool also uses the pkcs11 module which in turn will look for its
config file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use softhsm's SOFTHSM2_CONF environment variable to set the directory
where the configration file is located so that we can now use a temporary
directory for the location of the directory. Use the environment variable
SOFTHSM_SETUP_CONFIGDIR to set the directory where softhsm_setup can
setup its temporary environment for the config file and state of softhsm.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Slow systems, like Cygwin, need so much time from taking the time to sending
the command that we need to take the current time again to check whether the
success is valid. Previously the test may have failed since the old time that
was taken did not allow the success to be valid.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The OpenBSD implementation of 'od -tx1' prints two spaces between
hexbytes, thus the grep for "00 00 00 00" fails and we report an
invalid error. This patch fixes this by squeezing the two consecutive
spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Extend swtpm_setup.pod showing swtpm-create-user-config-files usage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
BSD's sed does not print \n as newline, so we have to split the string
into different lines using tr.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
We have occasional test failures on Travis running tests on OS X where
time seems to be going backwards in the dictionary attack timeout test.
This patch tries to detect that the time went backwards and skip the
test once a failure would have been detected.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add build targets selinux-install and selinux-uninstall to install
and uninstall the SELinux policy rules at a given priority. The
priority defeaults to 400, which works fine on Fedora.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of using eval when calling $create_certs_tool and only use
eval for resolving variables from the config file.
We only want variable substitution for entries from configuration
files, so escape all other special shell characters that may be
making it onto the command line so that no subshells are opened
and no redirection to files can occurr.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the swtpm-localca test with odd vmid string to ensure
that they go into the certificate unmodified.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of using eval when running swtpm_cert in swtpm-localca.
This is to avoid further evaluation of bash expression that can
spawn subshells ('$(echo foo)') or do other bad things. Bad input
could come from malformed configuration files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Escape many more special shell characters before calling eval on
an entry to convert a variable to its value. Uncareful writing of
a swtpm-local.conf config file could have lead to files being over-
written using '>' for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Have the tpm2_ptool use a store in the temporary directory so that
with every test we have a clean environment.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign the unique port 65452/65354 to test_tpm2_save_load_state to
avoid conflict with test_tpm_probe also using
SWTPM_SERVER_PORT=65526
SWTPM_CTRL_PORT=65527
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign the unique ports 65450/65451 to test_tpm2_sample_create_tpmca
to avoid clashes with test_samples_create_tpmca that is using
SWTPM_SERVER_PORT=65434
SWTPM_CTRL_PORT=65435
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign unique ports 65448/65449 to test_tpm2_setbuffersize to avoid clash
with test_samples_create_tpmca using TCSD_LISTEN_PORT=65436.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The generated sample keys started with 00010203, thus leaving the upper
15 bits of the key as '0', which in turn causes gnutls to think that the
key is only 2033 bit long, thus rejecting certificate verification once
the min-verification-profile is set to 'medium' in gnutls's config file
in /etc/crypto-policies/back-ends/gnutls.config.
We now create sample keys starting with 800102, which sets the highest bit.
This fixes test errors on Fedora Rawhide due to the change in the
min-verification-profile setting in gnutls.config.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
A typo in the condition meant that netstat was always required regardless of
whether tcsd is available or not.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
The OpenBSD implementation of 'od -tx1' prints two spaces between
hexbytes, thus the grep for "00 00 00 00" fails and we report an
invalid error. This patch fixes this by squeezing the two consecutive
spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the tcsd (trousers) is available, TPM 1.2 support should work as well.
Typically the tss user and group should be defined at this point, but
this may not always be the case, so make sure that this user and group
are available on the system.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Change the file and directory ownership of tcsd related files only if it
is absolutely needed. It is not needed if we are running as user TCSD_USER
in group TCSD_GROUP because then the files were created with the needed
owner and group. This avoids problems when trying to change file ownership
when invoked by libvirt where we do not have the capabilities to change
file ownership even as root.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the TSS_USER != TSS_GROUP, e.g., user 'root' and group 'tss', then
tcsd requires that the access mode bits on the $TCSD_CONFIG file are set
to 0640, otherwise we get this error:
TCSD ERROR: TCSD config file (/tmp/tmp.Yd4LIF7mCE) must be mode 0640
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Redirect stdout and stderr from tcsd into a file and if tcsd reported
an error copy the error into the logfile. This makes debugging tcsd
related issues, such as ownership or access mode issues, easier.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Error out if libtpms.pc cannot be found for pkg-config. This now requires that an
in-place libtpms be accessed like this:
PKG_CONFIG_PATH=/home/stefanb/libtpms/ \
LIBTPMS_CFLAGS=-I/home/stefanb/libtpms/include/ \
LIBTPMS_LDFLAGS=-L/home/stefanb/libtpms/src/.libs/ \
./configure --prefix=/usr
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch fixes the following linker issue reported for Gentoo in
issue #280.
ld.lld: error: /var/tmp/portage/app-crypt/swtpm-0.3.1-r1/work/swtpm-0.3.1/src/swtpm/.libs/libswtpm_libtpms.so: undefined reference to EVP_sha512
ld.lld: error: /var/tmp/portage/app-crypt/swtpm-0.3.1-r1/work/swtpm-0.3.1/src/swtpm/.libs/libswtpm_libtpms.so: undefined reference to PKCS5_PBKDF2_HMAC
ld.lld: error: /var/tmp/portage/app-crypt/swtpm-0.3.1-r1/work/swtpm-0.3.1/src/swtpm/.libs/libswtpm_libtpms.so: undefined reference to SHA512
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch fixes a clang issue report in issue #280.
clang does not use ld, so we cannot grep for support of certain linker
flags but have to test-compile.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Upgrade to use the IBM TSS2 tests from v1.5.0.
Add a patch that eliminates all testing of 3072 bit RSA keys in case
libtpms does not support such keys. This test also passes with libtpms
0.6.0 and 0.7.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove swtpm_cuse related install script since not needed anymore.
Also address the following issues:
E: swtpm-tools: unknown-control-interpreter control/postinst #!/usr/bin/env
W: swtpm: syntax-error-in-debian-changelog line 25 "bad key-value after `;': `urgency medium'"
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
libtpms version 0.6.3, 0.7.3, and master have a change to the TPM 2 code
that affects the pcrUpdateCounter, which now returns a smaller value than
before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
