Commit Graph

1523 Commits

Author SHA1 Message Date
Stefan Berger
1f9bb04869 tests: Retry NVWrite command after 0x922 return code and inc lockout counter
When return code 0x922 is received from NVWrite, then retry the command so
that it gets the expected error code from failing to provide a password.
When checking the lockout counter, increase the numbers now.

Patched versions of libtpms may not return 0x922 anymore, so write the code
so that it can test both cases.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2025-05-13 08:56:31 -04:00
Stefan Berger
f813ad5064 tests: Extend regex to allow for optional RSA-4096 keys
libtpms v0.11 will support RSA-4096 keys. Adjust the test case
regex for optional output of 'tpm2-rsa-keysize-4096'.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2025-05-13 08:56:31 -04:00
Stefan Berger
29d533fbfe CHANGES: Add a note about OPENSSL_ENABLE_SHA1_SIGNATURES=1 for swtpm
Users should use swtpm >= 0.10.0, since it handles SHA1 signatures
better. This version needs users to set OPENSSL_ENABLE_SHA1_SIGNATURES=1
for swtpm to be able to sign a SHA1.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2025-05-06 19:21:50 -04:00
Stefan Berger
202290745d tests: Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 on swtpm in IBMTSS2 test
To keep the IBMTSS2 test running, set OPENSSL_ENABLE_SHA1_SIGNATURES=1
on swtpm so that it is allowed to sign a SHA1 and does not create
an error.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2025-05-06 19:21:50 -04:00
Stefan Berger
5d0667e876 tests: Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 for IBMTSS2 test
The IBMTSS2 test suite creates signatures over SHA1 that may now fail on
RHEL 9.x and CentOS 9. To have these tests succeed, set
OPENSSL_ENABLE_SHA1_SIGNATURES=1 so the tests do not need to be modified
and also check that the TPM 2 can handle SHA1 signatures as before.
'swtpm socket --tpm2' should set this environment variable automatically
if needed.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2025-05-06 19:21:50 -04:00
Stefan Berger
8aba7a9cf6 tests: Remove unnecessary include of openssl/engine.h
To keep the older version of the IBM TSS2 test suite working, remove the
unnecessary include of openssl/engine.h to allow it to compile with more
recent versions of OpenSSL where this header file is missing.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2025-05-06 19:21:50 -04:00
Stefan Berger
4b27cabead ci: Update from ubuntu-20.04 to ubuntu-24.04 due to EOL
GitHub Actions does not run ubuntu-20.04 anymore due to EOL. Update the
20.04 entries to use 24.04.

cpp-coveralls needs an older version of python3 due to pkgutil.ImpImporter
having disappeared in more recent python versions. Therefore, leave
test-coveralls at 22.04.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2025-04-16 17:02:50 -04:00
Stefan Berger
7fdd7273c6 swtpm.spec: Apply previous changes also to swtpm.spec.in
Suggested-by: Ajeeth Adithya <ajeeth.adithya@nutanix.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2025-04-11 18:21:07 -04:00
Ajeeth Adithya
7c5239efd4 swtpm.spec: Change the order of uninstallation of the SELinux modules
Reverse the order of uninstallation of the 'swtpm' and 'swtpm_svirt'
selinux modules. The current order fails because the 'swtpm_svirt' module
has a dependency on the 'swtpm' module. This results in the 'swtpm'
module not being cleaned up during %postun:

$ semodule -l | grep swtpm
swtpm
swtpm_svirt

$ semodule -n -X 200 -s targeted -r swtpm
libsemanage.semanage_direct_remove_key: Removing last swtpm module (no other swtpm module exists at another priority).
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/swtpm_svirt/cil:4
/sbin/semodule:  Failed!

$ sudo semodule -n -X 200 -s targeted -r swtpm_svirt
libsemanage.semanage_direct_remove_key: Removing last swtpm_svirt module (no other swtpm_svirt module exists at another priority).

$ semodule -l | grep swtpm
swtpm

Signed-off-by: Ajeeth Adithya <ajeeth.adithya@nutanix.com>
2025-04-09 18:05:53 -04:00
Ajeeth Adithya
fed506fa39 swtpm.spec: Back up the default file contexts
Add the %selinux_relabel_pre macro in the %pre section to back up the
current file contexts lists. This is required since %selinux_relabel_post
macro in the %posttrans section uses the backup to revert to the original contexts.

Signed-off-by: Ajeeth Adithya <ajeeth.adithya@nutanix.com>
2025-04-09 18:05:53 -04:00
Stefan Berger
8ee612a48c selinux: Add rule to allow swtpm_t opening of virt_log_t files (BZ 2278123)
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2278123#c40
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2025-02-24 09:22:08 -05:00
Stefan Berger
c95ab58783 ci: Run apt-get update
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2025-02-24 09:22:08 -05:00
Marc-André Lureau
762c151408 SELinux: add NFS permissions for swtpm_t
swtpm fails with an NFS mount. `setsebool virt_use_nfs on` should fix it.

Resolves: https://issues.redhat.com/browse/RHEL-73809

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2025-01-20 11:23:10 -05:00
Marc-André Lureau
0373c88cd6 SELinux: allow to map state file
Specify vtpm state as a file instead of a dir:

<tpm model="tpm-crb">
  <backend type="emulator" version="2.0">
    <source type="file" path="/var/lib/libvirt/swtpm/mytest/mytpm2-00.permall"/>
  </backend>
</tpm>

$ virsh start avocado-vt-vm1
error: Failed to start domain 'avocado-vt-vm1'
error: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log' for details.

$ cat /var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log
SWTPM_NVRAM_LinearFile_Mmap: Could not mmap file: Permission denied
/usr/bin/swtpm exit with status 256:

$ ausearch -m avc
----
time->Thu Dec 12 08:43:07 2024
type=PROCTITLE msg=audit(1734010987.020:1455): proctitle=2F7573722F62696E2F737774706D00736F636B6574002D2D7072696E742D737461746573002D2D74706D7374617465006261636B656E642D7572693D66696C653A2F2F2F7661722F6C69622F6C6962766972742F737774706D2F6D79746573742F6D7974706D322D30302E7065726D616C6C002D2D74706D32002D2D6C6F67
type=SYSCALL msg=audit(1734010987.020:1455): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=c0 a2=3 a3=1 items=0 ppid=22547 pid=22549 auid=4294967295 uid=59 gid=59 euid=59 suid=59 fsuid=59 egid=59 sgid=59 fsgid=59 tty=(none) ses=4294967295 comm="swtpm" exe="/usr/bin/swtpm" subj=system_u:system_r:swtpm_t:s0 key=(null)
type=AVC msg=audit(1734010987.020:1455): avc:  denied  { map } for
pid=22549 comm="swtpm"
path="/var/lib/libvirt/swtpm/mytest/mytpm2-00.permall" dev="dm-0"
ino=202744025 scontext=system_u:system_r:swtpm_t:s0
tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=0

Resolves: https://issues.redhat.com/browse/RHEL-70835

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2025-01-20 11:23:10 -05:00
Stefan Berger
7483a83bf9 SELinux: Add rule for swtpm to be able to read password from pipe
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2334271
Resolves: https://github.com/stefanberger/swtpm/issues/964
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2024-12-26 18:28:16 -05:00
Stefan Berger
ae8e57e032 ci: Add github actions to replace Travis
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-12-26 18:28:16 -05:00
Stefan Berger
50f441a561 Travis: Downgrade to setuptools 59.6.0 to avoid error in 71.x
There seems to be a well-known error in setuptools 71.x that prevents
installation of cpp-coveralls on Travis now:

File "/usr/local/lib/python3.10/dist-packages/setuptools/_core_metadata.py", line 285, in _distribution_fullname

    canonicalize_version(version, strip_trailing_zero=False),

TypeError: canonicalize_version() got an unexpected keyword argument 'strip_trailing_zero'

Fall back to the default version that is used in Ubuntu Jammy (59.6.0)
since later versions also lead to the same error.

Link: https://github.com/pypa/setuptools/issues/4483
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-12-02 19:29:51 -05:00
Stefan Berger
a32ff85539 selinux: Add rule for logging to svirt_image_t labeled files from swtpm_t
I was able to recreate the issue on one of my machines where swtpm_t
was trying to append to the log labeled with svirt_image_t. On another
machine this combination of labels does not seem to cause a problem.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2306817
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-01 09:19:45 -04:00
Stefan Berger
56572341db swtpm: Return TPM_FAIL from invalid header version case
Return TPM_FAIL in case of an invalid header version number to avoid a
potential segmentation fault when accessing an unavailable buffer due to
the header parser not returning an error code.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-25 07:22:50 -04:00
Stefan Berger
3bf4a9ea48 swtpm_setup: Initialize key_description with a default string
Initialize key_description with a default string rather than using it
possibly uninitialized. In practice it would never be used uninitialized
since if a platform certificate is to be created, then the ek certificate
would have also been created and therefore swtpm2->ops->create_ek()
would have been called and set key_description.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-25 07:22:50 -04:00
Stefan Berger
4b4e1b21bc build-sys: Build swtpm-0.9.1
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-25 07:22:50 -04:00
Stefan Berger
f756ee8a28 tests: Use regex to compare --print-states sizes output
Older versions of libtpms produced smaller initial state files.
Therefore, use a regular expression to compare the sizes.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-17 12:49:14 -04:00
Stefan Berger
76b58d7e09 debian/rpm: Adjust changelog for 0.9.0 release
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-17 09:03:06 -04:00
Stefan Berger
e327269b1f CHANGES: Add documentation for changes in 0.9.0
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-17 09:03:06 -04:00
Stefan Berger
303d9cfdb5 swtpm: Use umask() to create/truncate state file rather than fchmod()
Since swtpm does not use concurrency while writing state files, set
the process umask to 0 when the state file is created or truncated for
writing and the user requested specific mode bits. This avoids an
additional syscall in the possibly timing critical path when processing
a TPM command and having to write the state.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-13 13:53:36 -04:00
Stefan Berger
c2e524dbc7 swtpm: Use fchmod to set mode bits provided by user
The mode bits that the user provided were only applied with open() and were
subject to masking with the value of current umask. When umask was set to
0027 the test case test_commandline was failing because the mode bits on
the created TPM state file were not the expected ones (masked by umask).
Therefore, set the mode bits using fchmod if the user provided them,
otherwise do not set them. This way the mode bits will be set to the values
the user requested.

Currently the directory storage backend was setting the mode bits to the
default value (0640) *after* opening the TPM state file. Now, if the user
did not provide any mode bits then the mode bits will be set so that the
file can be written to as owner. This ensures that at least mode bits 0600
are set by default. However, if the user provided mode bit flags then these
will be used without modification.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-12 14:23:54 -04:00
Stefan Berger
85a3a14a41 swtpm: Replace mkstemp with g_mkstemp_full (Coverity)
Replace mkstemp with g_mkstemp_full and pass parameters that lead to
the same mode bits and file opening flags as mkstemp had. This addresses
a Coverity complaint regarding missing application of umask before
mkstemp.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-11 12:02:28 -04:00
Stefan Berger
3d620d0dd5 debian: Sync AppArmor profile with what is used by Ubuntu
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-11 11:03:03 -04:00
Stefan Berger
b1b9a6a4ab tests: Add test cases for using swtpm --print-states while swtpm is running
swtpm <0.8 tried to lock the .lock file when executing --print-states,
which then failed when another swtpm was holding the lock. This adds
a test case for this scenario.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-11 08:43:01 -04:00
Stefan Berger
f7bfb5d8dc tests: Fix 3 occurrences of stray '\' before '-'
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-06-10 19:40:31 -04:00
Stefan Berger
0c9a6c4a12 selinux: Re-add rule for svirt_tcg_t and user_tmp_t:sock_file (virt-install)
Re-add a missing rule to the swtpm_svirt policy that is needed for a
virt-install.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2283878
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-05-31 14:55:23 -04:00
jeremie leska
857ec3ed93 swtpm: fix typo in help message
capabilites -> capabilities

Signed-off-by: jeremie leska <jeremie.leska@gmail.com>
2024-05-29 20:01:50 -04:00
Stefan Berger
3fe7895f9b selinux: Redevelop SELinux policy for Fedora 40 (ditch old rules)
Due to a significant change in the targeted SELinux policy re-develop
the SELinux policy for swtpm. New rules in swtpm_libvirt.te are needed
when libvirt causes new interactions between swtpm and other types.
Also consider extensions to the SELinux policy previously added due to
domain XML and command lines described in the following patches:

- 63825b296c
- 7dac1dbf6f

Also:
- add rules related to user_tmp_t due to the following paths being used
  in session mode: /run/user/*/libvirt/qemu/run/swtpm
- add rules for swtpm_t accessing qemu_var_run_t file/dir/sockfile
- add rules for swtpm_localca (newly installed F40 system) needed once when
  /var/lib/swtpm-localca is empty and files there are created

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-05-27 20:06:17 -04:00
Stefan Berger
bfd6b8270a swtpm: cuse: Lock thread_busy_lock reading thread_busy (Coverity)
Coverity is complaining that thread_busy needs to be locked before
reading. For consistency reasons now also lock thread_busy before reading
it. However, in this case it does not make a difference whether this lock
is held when reading thread_busy since file_ops_lock is held when the
thread_busy flag is set and when it is read with a call to this function
(worker_thread_is_busy). Also while the thread is busy no further commands
can be submitted and it can then reset the thread_busy flag without holding
the file_ops_lock.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-04-22 08:48:48 -04:00
Stefan Berger
89b6991cee swtpm: cuse: Add lock comments to thread and variables (Coverity)
Coverity is complaining that ptm_response in the worker_thread needs to
be locked via the file_ops_lock since it is always locked when
ptm_response is accessed. However, once the thread has been started any
concurrent modification of the ptm_response is prevented with the
thread_busy flag. Therefore, add comments to the thread and ptm_response
variable about the locking.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-04-22 08:48:48 -04:00
Stefan Berger
249ead4572 swtpm: cuse: Lock file_ops_lock before sending startup (Coverity)
Even though concurrency is not possible before ptm_cuse_lowlevel_main
is called, lock the file_ops_lock since Coverity is complaining that

- g_lastCommand in ptm_send_startup
- ptm_response in ptm_send_startup
- tpm_running in main

are not locked. For consistency reasons now also lock these variables
even before activation of concurrency.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-04-22 08:48:48 -04:00
Stefan Berger
a18714f29a swtpm: cuse: Lock file_ops_lock before reading tpm_running
Lock the file_ops_lock before reading the tpm_running variable so that
access to it is serialized among all possible threads.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-03-22 16:03:03 -04:00
Stefan Berger
d258668d51 build-sys: Add support for --disable-tests to disable tests
Add support for --disable-tests to disable the tests and the checking
for tools that only need to be installed for the tests. Keep the tests
enabled as default as it was before.

Resolves: https://github.com/stefanberger/swtpm/issues/843
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-03-22 11:18:05 -04:00
Stefan Berger
e52406a768 swtpm_ioctl: Separate return code from flags
Separate the return code returned from change_fd_flags from the current/
original flags of the file descriptor. Return the flags in an optional
integer.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-03-19 15:22:33 -04:00
Stefan Berger
2534112322 tests: Rearrange order of test cases to run some also as 'root'
Some test cases can be run as root, so rearrange the order of the
test cases so that not all of them are skipped if the test case
runs as 'root'.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-03-19 14:28:01 -04:00
Stefan Berger
529988f1e4 tests: Add tests for command line options and combinations of options
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-03-14 12:09:20 -04:00
Stefan Berger
f4fcd75685 swtpm_setup: Fail --pcr-banks without --tpm2
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-03-14 12:09:20 -04:00
Stefan Berger
e02626d038 swtpm_setup: Fail --decryption or --allow-signing without --tpm2
The help screen states that --decryption and --allow-signing require
--tpm2. Enforce this now also when checking flag combination since
neither flag would have any effect for a TPM 1.2.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-03-14 12:09:20 -04:00
Ross Lagerwall
f237f9f0b4 swtpm: Fix double free in error path
On error, the caller will call options_value_free() so don't free
ovs->options to avoid a double free.

Fixes: c94a1c4cbd ("swtpm: Fix memory leak in case realloc fails")
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
2024-03-14 08:45:35 -04:00
Ross Lagerwall
8655c6f8ec swtpm: Close fd after main loop
If we've accepted a connection fd during the main loop, close it once
the main loop terminates.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
2024-03-14 08:45:35 -04:00
Stefan Berger
a672b2dc03 headers: Exclude TPM ioctls definitions for the GNU/Hurd
Follow changes in the QEMU codebase supporting GNU/Hurd.

Reference: https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg03702.html

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-02-15 10:07:19 -05:00
Stefan Berger
a4347aff21 tests: Remove unnecessary '\' before '/'
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-01-08 15:04:38 -05:00
Stefan Berger
06b1b1f9ff tests: Add softhsm_setup to shellcheck'ed files and fix issues
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2023-11-22 07:16:44 -05:00
Stefan Berger
4b008b9067 Revert "utils: Implement find_program() to try BINDIR path before PATH"
Test cases using swtpm_localca were failing because swtpm_localca
now picked up the swtpm_cert installed in /usr/bin/swtpm_cert rather
than the one in the PATH. This revert fixes the issue and users will
have to adjust their PATH for out-of-PATH installations.

Resolves: https://github.com/stefanberger/swtpm/issues/829
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2023-09-01 22:48:45 -04:00
Stefan Berger
63aae4d2a4 build-sys: Display GMP_LIBS and GMP_CFLAGS
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2023-08-29 18:59:13 -04:00