Implement support for --with-seccomp and --without-seccomp for Linux
systems with --with-seccomp being the default. On all other systems
--without-seccomp is the implicit default.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
According to the XDG spec,
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html:
"If $XDG_CONFIG_HOME is either not set or empty, a default equal to
$HOME/.config should be used."
This fixes setting up a TPM with libvirt running in a user session.
It works by checking if configuration files are readable in the
directory priority order (XDG_CONFIG_HOME, then HOME, then SYSCONFDIR).
When libvirt is running as a system instance, $HOME isn't set, so it
will fall back on @SYSCONFDIR@ (/etc usually)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
The extension of the travis.yml with the matrix broke the Coverity
submission. This patch fixes this. We have to build libtpms in
build_command_prepend since before_script now does something different.
We only build in task .1 and exit early on all the other ones if
we are using the coverity_scan git branch.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Libtpms is now libtpms0 as a dependency.
Gnutls is neede for swtpm_cert to create the certs. Force it to
be available.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a post install script for swtpm-tools that creates
the /var/lib/swtpm-localca directory and changes ownersip
on it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Softhsm cannot be installed as an i386 executable/library and as
a x86_64 executable/library on a Fedora host. The pkcs11 test then
fails since it cannot pick up the libsofthsm.so needed for an i386
executable (swtpm_cert) on a x86_64 host. This fixes test run errors
for run_test.sh by skipping the test in case swtpm_cert returns
a specific error message related to not being able to import the
pkcs11 URI object.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use wait_process_gone with 2 seconds timeout to wait for the swtpm to
have terminated after SIGTERM or connection loss. This avoids test
failures on slow Raspberry Pi 2.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
We need to run the softhsm/pkcs11 test case as root (sudo) under OS X
so that we can write the file /etc/gnutls/pkcs11.conf. However, once
we run the tests as root we cannot run the 'brew ls' command anymore
since it refuses to run with high privileges. So, if we run as root we
need to use sudo to switch to the nobody user to run the 'brew ls'
command that gives us the name of the softhsm pkcs11 module.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
On OS X we need to be able to change /etc/gnutls/pkcs11.conf for
p11tool to pick up the softhsm pkcs11 module correctly. We need
(password-less) sudo to be able to do this.
Unforutnately this test case does not run on Travis since Travis
seems to require passwords under some circumstances.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use SoftHSM to create a pkcs11 URI and then use the pkcs11 URI
to sign the certificate of a TPM 2.0 with this key using swtpm-localca.
This test case works with softhsm >= 2.3.0 on Fedora and should work
with a recent version of Ubuntu. If an error is encountered setting
up the softhsm2 environment, we just skip the test.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Older versions of the IBM TSS2, such as in FC26 for example, behave
slightly different than the code in the test case expects (certain
files are not generated or may have a different name). So gate this
test case with SWTPM_TEST_IBMTSS2 environment variable so we don't run
it by default if the TSS tools are found and so we do not run into
possible errors due to an older version of the stack installed on the
system.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid failures with mktemp call on BSD type of systems replace
mktemp --tmpdir=<dir> with TMPDIR=<dir> mktemp, which seems more portable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
OS X cannot resolve the path we get from genenv("_") when running a
test script on Travis (reason unknown). So we use _NSGetExecutablePath()
instead and display the path in the error message in case realpath()
fails.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Run the build on OSX as well and run a quick test that exercises
some of the config files installed in --prefix=/usr/local
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Adjust the localstatedir variable to not have ${prefix} if
prefix is '/usr/', otherwise use ${prefix}.
Also adjust the files that were pointing to directories that
are controlled by $localstatedir.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the project is configured with --prefix=/usr/local several configuration
files are installed to /usr/local/etc but not read by the programs that
need them. This patch fixes this issue by replacing @SYSCONFDIR@ in the source
code of those files with the actual used path.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow to build without the TPM 1.2 NVRAM area tools but print out a warning
that they are needed for TPM 1.2 certificate injection.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The signingkey entry can also be a pkcs11: URI. The semilcolons in the URI
have to be escaped due to the shell reading the entries.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
For PKCS11 modules (such as SoftHSM) to sign a TPM EK or platform
certificate we use 'pkcs11:' prefixed URIs like those URIs for
TPM 1.2 starting with tpmkey:.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
GnuTLS PKCS11 URLs have ';' in the string that we need to preserve for
passing to GnuTLS. So we escape the semicolons before using them on the
command line.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement terminate_proc, which first tries to gracefully terminate a
process and then, if synchronization is requested, waits for 1 second
for it to disappear and then kills it with SIGKILL if it didn't go away.
Use this function for stop_tpm and stop_tcsd, which will first try
to send a SIGTERM to a process assuming it will terminate while we
do something else and then, in case the process needs to be restarted,
make sure that it's gone before it is restarted.
This addresses an issue where previously SIGTERM was sent to a process
before it was restarted but the restarting failed due to the previous
process still holding a lock on the file because it wasn't able to react
to the SIGTERM fast enough.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Uninstall the signal handler before we close the signal handler's
notification file descriptor so that signals received after the file
descriptor is closed do not cause an error.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Make sure that the msg parameter passed into recvmsg wasn't modified
by the library and verify that the pointers and sizes it contains are
still valid after the call. This addresses an issue raised by Coverity.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To get better code coverage, convert existing test case to
use one time a hex formatted key and the other time the same
key in binary format.
Do some improvements on the test code on the way.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2 file sizes were missing. Also use $() to execut commands rather
than ``. Use get_filesize to get the size of a file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Move the packages to install into the addons section and
rename the before_install section to before_script section.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
