When running a VM connected to qemu:///session, swtpm needs access to its own
process id and socket files in /run/user/<UID>/libvirt/qemu/run/swtpm/. Add
permissions to access them in the apparmor profile.
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
swtpm_cuse.8 is not generated anymore but its a static file now
that must not be removed anymore via the debian/clean file.
Resolves: https://github.com/stefanberger/swtpm/issues/751
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
An apparmor profile was added for Debian-based distributions in order to
increase security. This blocks swtpm from accessing restricted and unnecessary
files, folders, and network interfaces. swtpm works as normal alongside libvirt
and its configurations, however users may run into issues when using swtpm on
its own when providing it with a restricted directory. The apparmor profile can
be modified to include additional permissions by creating and adding to the
file /etc/apparmor.d/local/usr.bin.swtpm.
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
According to the man page sections guideline, man8 should be used
for system administration commands. So this commit moves *.conf and
*.options files to man5.
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Adapted from tpm-udev [0] which handles that, but it is not really a
hard-requirement for swtpm and TSS_USER is configurable after all
(even if that is mostly used for the test system).
So, create that user and group if it does not exists to avoid errors
and failing installation.
[0]: https://salsa.debian.org/debian/tpm-udev/-/blob/master/debian/tpm-udev.postinst
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Currently `trousers` is listed as (hard) Dependency, but it does not
seems to be required for quite a few usecases, e.g., ours where we
mainly using swtpm for providing a tpm to VMs.
With trousers in Debian one gets an additional pain point: it comes
with rather dated and in some cirumstances failing by mistake init
script [0] that can throw errors when setting up during installation
and thus fail the whole installation of swtpm as Debian policy for
`Depends` hits:
> A package will not be configured unless all of the packages listed
> in its Depends field have been correctly configured
-- [1]
Declaring dependencies for things are not a hard requirement means
that a user will be required to install more dependencies than
actually needed.
Just documenting that as fact why I investigated in the
hard-requirement on trousers in the first place, not an actual
justification - it's a packaging bug after all.
So downgrade the dependency to "Suggests", as it seems a reasonable
level when checking its documented meaning:
> This is used to declare that one package may be more useful with
> one or more others. Using this field tells the packaging system and
> the user that the listed packages are related to this one and can
> perhaps enhance its usefulness, but that installing this one without
> them is perfectly reasonable.
-- [1]
[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895201
[1]: https://www.debian.org/doc/debian-policy/ch-relationships.html
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
- Move content of swtpm-localca(8) manual page to swtpm_localca(8)
and make swtpm-localca(8) an alias for swtpm_localca(8), mirroring
the fact that /usr/bin/swtpm_localca is the actual program and
/usr/share/swtpm/swtpm-localca a wrapper for it.
- Change references to `swtpm-localca` in manual pages' content to
`swtpm_localca`, reflecting the actual name of the program they are
meant to document.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
- debian/clean: Add files that were not being automatically cleaned
up by dh(1)'s `clean` target.
- debian/control:
- Add new recommended/required fields and bump Standards-Version.
- Remove redundant build dependencies that are implied transitively.
- Bump debhelper dependency version to match debian/compat.
- Move swtpm-libs's ${misc:Pre-Depends} dependency to `Pre-Depends`.
Resolves `depends-on-misc-pre-depends` Lintian warning.
- Sort packages and dependency lists alphabetically as per
wrap-and-sort(1).
- debian/not-installed: List deliberately non-installed files to
avoid dh_missing(1) warnings.
- debian/rules:
- Pass --no-scripts to dh_makeshlibs(1) in order to keep a
ldconfig(8) trigger from being implicitly added, which for
this package was redundant and triggered Lintian warning
`package-has-unnecessary-activation-of-ldconfig-trigger`.
- Remove redundant --parallel dh flag.
- Remove redundant dh_usrlocal override.
- debian/*.install:
- Add swtpm-create-tpmca(8) and its manpage, which were missing.
- Remove redundant `#! /usr/bin/dh-exec` lines.
- Sort entries alphabetically as per wrap-and-sort(1).
- debian/swtpm-tools.postinst.in: Add `set -e` to fail in case of
error. Fixes `maintainer-script-ignores-errors` Lintian warning.
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Replace the binary swtpm_localca with a script that now calls the binary
swtpm-localca, which is to be installed in $bindir.
So that we can use this for script for calling swtpm-localca during testing
(when it is not installed), write the script in such a way that it de-
termines whether there's swtpm-localca in the same directory and if not call
it from ${bindir}/swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This is a 1:1 rewrite of swtpm_localca in 'C' as a final step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent),
Fedora 28 PPC Big Endian
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This is a 1:1 rewrite of swtpm_setup in 'C' as a first step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Thos patch fixes the following issue when building a Debian package:
dh clean --parallel
dh: warning: Compatibility levels before 10 are deprecated (level 9 in use)
dh_auto_clean -O--parallel
dh_auto_clean: warning: Compatibility levels before 10 are deprecated (level 9 in use)
dh_clean -O--parallel
dh_clean: warning: Compatibility levels before 10 are deprecated (level 9 in use)
dpkg-source -b .
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
$ dpkg-buildpackage -us -uc
dpkg-buildpackage: info: source package swtpm
dpkg-buildpackage: info: source version 0.5.0-1
dpkg-buildpackage: info: source distribution RELEASED
dpkg-buildpackage: info: source changed by Stefan Berger <stefanb@linux.ibm.com>
dpkg-source: error: can't build with source format '3.0 (native)':
native package version may not have a revision
Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
The only place where pip is required is in src/swtpm_setup/Makefile.am, l. 48,
to uninstall a manually built package. Most people will have pip already
installed, since it comes bundled with Python by default. It might not be
installed by default in minimal build environments used for distribution
packaging, but these rely on the file tracking by a package manager instead of
using "make uninstall".
In conclusion, I think requiring pip is only helpful for a very limited number
of people, and is just a superfluous build dependency for distribution
packagers. Issuing a warning that the package cannot be uninstalled cleanly if
pip is not found seems enough.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Remove tpm-tools from runtime dependencies. Keep trousers for the
creation of the 'tss' user for now. Add python related dependencies.
Adjust the directory ownership for /var/lib/swtpm-localca to tss:root and
the mode flags to 0750. The new CA now may still be created as tss:tss but
users in the tss group will not have access to it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove swtpm_cuse related install script since not needed anymore.
Also address the following issues:
E: swtpm-tools: unknown-control-interpreter control/postinst #!/usr/bin/env
W: swtpm: syntax-error-in-debian-changelog line 25 "bad key-value after `;': `urgency medium'"
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove the CUSE TPM from the build and adjust the rules file
so that the build works on Ubuntu servers for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Libtpms is now libtpms0 as a dependency.
Gnutls is neede for swtpm_cert to create the certs. Force it to
be available.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a post install script for swtpm-tools that creates
the /var/lib/swtpm-localca directory and changes ownersip
on it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use SoftHSM to create a pkcs11 URI and then use the pkcs11 URI
to sign the certificate of a TPM 2.0 with this key using swtpm-localca.
This test case works with softhsm >= 2.3.0 on Fedora and should work
with a recent version of Ubuntu. If an error is encountered setting
up the softhsm2 environment, we just skip the test.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Install the private libswtpm_libtpms into $(libdir)/swtpm
rather than into the shared libaries directory.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
