The compiler (though wrongly) identifies that the @argv variable
inside of get_swtpm_capabilities() function cam be used
uninitialized. While this is a spurious warning, it's common
practice to initialize g_autofree variables to NULL.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Users have option to disable CUSE interface (just pass
--without-cuse argument to the configure script). But the
swtpm_cuse.8 man page is installed regardless of the argument.
This leaves distros having to remove the file before packing
builddir into packages.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
When opening a log file fails (--log file=/some/path) for
whatever reason the @logfd variable is left set to -1 (the retval
of open()). And due to how _logprintf() is written, the
subsequent attempt to log this failure (logprintf()) returns too
early not printing the useful error.
Therefore, restore the original (CONSOLE_LOGGING) value.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
certtool emits the following message if --verify-profile is not
passed:
Note that no verification profile was selected. In the future the medium profile will be enabled by default.
Use --verify-profile low to apply the default verification of NORMAL priority string.
Pass the --verify-profile option if certtool supports it (since ~3.6.12).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If swtpm_setup is configured with a log file, it launches swtpm
configured with the same log file. If not, swtpm_setup logs will go to
stdout/stderr and it should configure swtpm to do the same.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Move existing exit label before the return statement and add another
label that includes the free(filebuffer). This avoids a false positive
by 'gcc -fanalyzer' that seems to think that free(filebuffer)
would double-free filebuffer after filebuffer = realloc(tmp, ..)
failure.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Return TPM_FAIL if SWTPM_NVRAM_DecryptData() is called without a key or
if an unhandle type of encryption mode is encountered. Previously this
function would return no error but also would not do any decryption if
no key was provided. Consequently, it would then also not return a byte
array with decrypted data which in turn could led to potential NULL
pointer accesses in subsequent calls. However, all current callers check
whether they have a valid key before they call this function. So the
change is primarily done for static analyzers, such as gcc -fanalyzer,
to ease code analysis.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the test_ctrlchannel3 to test for automatic termination of swtpm
upon loss of control channel connection.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch to SOCK_STREAM for the CMD_SET_DATAFD socketpair where the one
end is passed to swtpm to test that this type of socket will cause
automatic termination of swtpm when the connection is lost. This is also
the socket type that QEMU uses.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the capabilities JSON and show the support for the terminate
parameter of the --ctrl option.
Adjust test cases.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for the terminate parameter for the control channel
option so that swtpm terminates once the control channel connection is
lost. The primary use case is QEMU that holds the control channel
permanently.
Resolves: https://github.com/stefanberger/swtpm/issues/753
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Set tpm_running = false after TPMLIB_Terminate() call on CMD_SHUTDOWN
to prevent a call to tpmlib_maybe_send_tpm2_shutdown() at the exit
of the mainloop.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Also send TPM2_Shutdown when swtpm is terminated by a signal or due to
lost connection (--terminate option). Previously supported reasons for
sending the TPM2_Shutdown were primarily related to commands sent via
the command channel.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Increase the number of locking retries to 300 over 3 seconds
instead of 100 over 1 second. This gives the failing side more
time to release the lock.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm_cuse.8 is not generated anymore but its a static file now
that must not be removed anymore via the debian/clean file.
Resolves: https://github.com/stefanberger/swtpm/issues/751
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a test case that monitors the locking of the storage by swtpm using the
directory storage backend to ensure that the lock is taken at the right
time and released when required.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement CMD_LOCK_STORAGE / PTM_LOCK_STORAGE for a user to be able to
lock the storage of the storage backend (if supported) after its lock
has been released for example when the 'savestate' blob was received
while the TPM state was migrated.
Also adjust test case and extend man pages.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Advertise the capability of supporting the --migration option
in the capabilies JSON that now has the cmdarg-migration verb:
$ swtpm socket --print-capabilities | jq
{
"type": "swtpm",
"features": [
"tpm-1.2",
"tpm-2.0",
"tpm-send-command-header",
"flags-opt-startup",
"flags-opt-disable-auto-shutdown",
"cmdarg-seccomp",
"cmdarg-key-fd",
"cmdarg-pwd-fd",
"cmdarg-print-states",
"cmdarg-migration",
"nvram-backend-dir",
"nvram-backend-file"
],
"version": "0.8.0"
}
Adjust test cases and extend man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the release-lock-outgoing parameter for the --migration option
that causes the storage lock to be released once the 'savestate' blob
transfer has been initiated. To not release the lock too early users must
first get the 'permanent' and 'volatile' state blobs and the 'savestate'
blob must be transferred as the last blob.
When migrating a VM the migration may fail and execution will then resume
on the originating side. In this fallback case the swtpm on the
destination side may need some time to terminate and release the lock.
Therefore, add a loop to the code attempting to re-lock the storage
directory on the source side for a few times until on the destination
side swtpm has released the lock. Retry the locking for 100 times
with 10ms in between. The retries will only ever be necessary if a TPM
command is immediately executed upon resume [this may be difficult
to test]. The negative side effects of this could be that the loop is not
long enough to grab the lock or that a short-duration TPM command will
time out inside the VM due to the retries delaying when it is processed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolves: https://github.com/stefanberger/swtpm/issues/724
Introduce the --migration option along with the 'incoming' parameter
that allows to defer the locking of the storage until either
- the reception of the TPM's state is started
- a TPM command is about to be processed
Note that the reception of CMD_INIT does not enable the storage lock.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolves: https://github.com/stefanberger/swtpm/issues/724
Move the locking of the storage into tpmlib_start() after the call to
TPMLIB_MainInit() which was previously doing the locking when the prepare
function was called in the SWTPM_NVRAM_Init() callback invoked by
TPMLIB_MainInit().
This allows for conditional locking in tpmlib_start() using a flag later
on.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Apply recent changes to this file from upstream QEMU project using
a few #ifndef _WIN32 to make code compileable on Windows.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Older versions of fallocate do not support the --posix option that the test
needs. If --posix is not supported, skip the test.
Also check for availability of the losetup tool.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
QEMU has made a change to a copy of this header file with the following
reason:
On Solaris and Haiku, the _IO() macros are defined in <sys/ioccom.h>.
Add a proper check for this header to our build system, and make sure
to include the header in tpm_ioctl.h to fix a build failure on Solaris
and Haiku.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
On OpenBSD openssl/fips.h is not available and FIPS_mode() is not
available, so implement a stub for fips_mode_enabled().
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Advertise the availability of the chroot option with the cmdarg-chroot
verb. Document it in the man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The CUSE TPM test will not work if the filesystem the test case runs
on is mounted with the 'nodev' option since the CUSE TPM can then
not use /tmp/.../dev/cuse.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option to enter a chroot after starting swtpm. This is useful for
sandboxing purposes. When this option is used, it is expected that swtpm
is started as root and the --runas option is used to subsequently drop
privileges (otherwise the chroot could be escaped).
Signed-off-by: Jennifer Herbert <jennifer.herbert@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Address the following compilation error on Debian:
In file included from /usr/include/seccomp.h:821,
from seccomp_profile.c:44:
seccomp_profile.c: In function 'create_seccomp_profile':
seccomp_profile.c:115:9: error: '__NR_mount_setattr' undeclared (first use in this function)
115 | SCMP_SYS(mount_setattr),
| ^~~~~~~~
seccomp_profile.c:115:9: note: each undeclared identifier is reported only once for each function it appears in
seccomp_profile.c:172:9: error: '__NR_quotactl_fd' undeclared (first use in this function)
172 | SCMP_SYS(quotactl_fd),
| ^~~~~~~~
We need to do this since they are defined like this:
#define __SNR_mount_setattr __NR_mount_setattr
#define __SNR_quotactl_fd __NR_quotactl_fd
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Include openssl/opensslv.h to avoid the following error on Ubuntu:
fips.c: In function 'fips_mode_enabled':
fips.c:61:16: error: implicit declaration of function 'EVP_default_properties_is_fips_enabled' [-Werror=implicit-function-declaration]
61 | int mode = EVP_default_properties_is_fips_enabled(NULL);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Resolves: https://github.com/stefanberger/libtpms/issues/345
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a test case that checks that swtpm sends a TPM2_Shutdown() to the
TPM 2 upon abrupt re-initialization (CMD_INIT) or graceful shutdown
(control channel, CMD_SHUTDOWN) of the TPM 2 and avoids a potential
dictionary attack (DA) lock-out. A previously sent command failing
authorization with DA implications would otherwise trigger the
TPM_PT_LOCKOUT_COUNTER to increase by '1' if the TPM 2 was not properly
shut down by the client (guest OS) with a TPM2_Shutdown() command.
The test case tests whether a TPM2_Shutdown() is now sent before a reset.
The defined password-protected NVRAM area has the DA flag set and the test
case tries to read from it without providing a password. If we didn't send
the TPM2_Shutdown() before the test cases sends the reset (CMD_INIT), then
the dictionary attack lockout counter would be increased by one. With the
instrumentation in the previous patch the automatically sent
TPM2_Shutdown() keeps the counter at 0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Introduce disable-auto-shutdown flag for the --flags option to disable
the sending of TPM2_Shutdown() if swtpm determines that it needs to send
this command to a TPM 2 before device reset or swtpm program termination.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
