For being able to run tests with runtime-deactivated SHA-1 (in libtpms),
do not test with SHA-1 bank anymore.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use libtpms v0.6.6 and recreate the TPM 2 state file with header.
Start swtpm with the existing state files and have it rewrite the
volatiles state (swtpm_ioctl -v) and permanent state (tssnvdefine
+ tssnvundefine) files so that the header is on the files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Recreate TPM 2 state files that didn't have a header. Use latest
version of libtpms from the stable-0.6.0 branch to create the
state that more recent version have to be able to read.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Recreate a TPM 1.2 state file with header.
The state of the TPM 1.2 must be initialized with Startup(ST_CLEAR)
and then saved so that the proper error code appears as a result
when running this test.
The PCR values was originally created by extending PCR 10 with
sha1("test"). This was recreated using this sequence:
s=$(echo -en test | sha1sum | cut -d " " -f1 | sed -n 's/\([a-f0-9]\{2\}\)/\\x\1/pg')
echo -en $s > input
tss1extend -ha 10 -if input
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Recreate TPM 1.2 state files with similar content but with the state
file header. The older versions of the state files were created before
the header was introduced in v0.1. The goal is to be able to get rid
of code supporting pre-v0.1 files that had no header.
The PCR values was originally created by extending PCR 10 with
sha1("test"). This was recreated using this sequence:
s=$(echo -en test | sha1sum | cut -d " " -f1 | sed -n 's/\([a-f0-9]\{2\}\)/\\x\1/pg')
echo -en $s > input
tss1extend -ha 10 -if input
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To test the replacement of environment variables with their values
use ${WORKDIR} in the test case config files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
certtool on 32 bit machines seems to expire a never expiring certificate
in 2037 rather than 9999.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add CFLAGS="-DOPENSSL_SUPPRESS_DEPRECATED=1" to the configure line
to avoid compile-time errors when building the TPM 1.2 test with
OpenSSL 3.0.
IBM TSS2 v1.6 test does not currently work with OpenSSL 3.0, so
skip it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for --reconfigure option for the swtpm_setup to be able to
change the active PCR banks. This option only works with --tpm2 and does
not allow to pass several other options such --create-ek or
--create-ek-cert or --create-platform-cert that would alter the state of
the TPM 2 in other ways.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Rather than having the CA certificates, that are created on the fly,
expire in 10 years, have them not expire at all.
Also create TPM certificates that don't expire and extend a test
case for this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement the option --create-config-files to create config files
for swtpm_setup and swtpm-localca for a user account. The files will
be created under the $XDG_CONFIG_HOME or $HOME/.config directories.
This option supports optional arguments 'overwrite' to allow overwriting
existing config files as well as the optional argument 'root' to create
config files under root's home directory. Both options can be passed
by separating them with a ','.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Display the --print-states capability in the --print-capabilites
output as cmdarg-print-states.
Document availability in the man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The header file fs/linux.h only exists on Linux but we can also
use sys/mount.h, which also exists on Cygwin and the BSDs.
Only support block devices if BLKGETSIZE64 is defined.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Adapt save_load_state tests to include coverage of the "linear file"
backend mode. "tpm2" is save/load is tested with both a regular file and
a loop device to excercise the blockdev mmap code.
Signed-off-by: Stefan Reiter <stefan@pimaker.at>
The key is freed using 'gnutls_privkey_deinit(pkcs11key)', yet the
following memory leaks show up that are most likely in the pkcs11 module.
Skip the test if ASAN is being used to avoid the test failure.
Direct leak of 55080 byte(s) in 1 object(s) allocated from:
#0 0x7fdabb152af7 in calloc (/lib64/libasan.so.6+0xaeaf7)
#1 0x7fdab6b737c6 in C_Initialize (/usr/lib64/pkcs11/libtpm2_pkcs11.so+0x147c6)
#2 0x7fdab9a5f8a9 in initialize_module_inlock_reentrant (/lib64/libp11-kit.so.0+0x2b8a9)
#3 0x7fdab9a5fc88 in managed_C_Initialize (/lib64/libp11-kit.so.0+0x2bc88)
#4 0x7fdab9a66018 in p11_kit_modules_initialize (/lib64/libp11-kit.so.0+0x32018)
#5 0x7fdab9a66778 in p11_kit_modules_load_and_initialize (/lib64/libp11-kit.so.0+0x32778)
#6 0x7fdabab10dc5 in auto_load (/lib64/libgnutls.so.30+0x9cdc5)
#7 0x7fdabab12656 in gnutls_pkcs11_init (/lib64/libgnutls.so.30+0x9e656)
#8 0x7fdabab12779 in _gnutls_pkcs11_check_init (/lib64/libgnutls.so.30+0x9e779)
#9 0x7fdabab1af1f in gnutls_pkcs11_privkey_import_url (/lib64/libgnutls.so.30+0xa6f1f)
#10 0x7fdabaaee0e3 in gnutls_privkey_import_url (/lib64/libgnutls.so.30+0x7a0e3)
#11 0x40abee in main /home/stefanb/dev/swtpm/src/swtpm_cert/ek-cert.c:1399
#12 0x7fdab9f5ab74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
#13 0x40366d in _start (/home/stefanb/dev/swtpm/src/swtpm_cert/swtpm_cert+0x40366d)
Indirect leak of 8208 byte(s) in 1 object(s) allocated from:
#0 0x7fdabb152af7 in calloc (/lib64/libasan.so.6+0xaeaf7)
#1 0x7fdab6b736f9 in C_Initialize (/usr/lib64/pkcs11/libtpm2_pkcs11.so+0x146f9)
#2 0x7fdab9a5f8a9 in initialize_module_inlock_reentrant (/lib64/libp11-kit.so.0+0x2b8a9)
#3 0x7fdab9a5fc88 in managed_C_Initialize (/lib64/libp11-kit.so.0+0x2bc88)
#4 0x7fdab9a66018 in p11_kit_modules_initialize (/lib64/libp11-kit.so.0+0x32018)
#5 0x7fdab9a66778 in p11_kit_modules_load_and_initialize (/lib64/libp11-kit.so.0+0x32778)
#6 0x7fdabab10dc5 in auto_load (/lib64/libgnutls.so.30+0x9cdc5)
#7 0x7fdabab12656 in gnutls_pkcs11_init (/lib64/libgnutls.so.30+0x9e656)
#8 0x7fdabab12779 in _gnutls_pkcs11_check_init (/lib64/libgnutls.so.30+0x9e779)
#9 0x7fdabab1af1f in gnutls_pkcs11_privkey_import_url (/lib64/libgnutls.so.30+0xa6f1f)
#10 0x7fdabaaee0e3 in gnutls_privkey_import_url (/lib64/libgnutls.so.30+0x7a0e3)
#11 0x40abee in main /home/stefanb/dev/swtpm/src/swtpm_cert/ek-cert.c:1399
#12 0x7fdab9f5ab74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
#13 0x40366d in _start (/home/stefanb/dev/swtpm/src/swtpm_cert/swtpm_cert+0x40366d)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
clang doesn't link executables built with ASAN support to libasan, like
gcc does, so we have to use nm rather than ldd for checking for whether
the executable was built with ASAN. nm is part of the binutils package
and should be available on all systems where gcc was installed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
BSD cp does not understand the -d option, so remove it.
It's better to use "su -u nobody -c '...'" than sudo, which makes
this test also work on the BSDs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a test case for testing the --runas parameter and the ability to access
existing files that have restrictive access permission so that only allow
the --runas user is able to access these files. This is to ensure that
swtpm can access these files properly when the handling of options and the
changing to the --runas user is moved around within swtpm.
Skip the test case if swtpm is linked with ASAN since then we get these
types of error messages that fail tests:
==== Starting swtpm with interfaces socket+socket ====
==3303263==LeakSanitizer has encountered a fatal error.
==3303263==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1
==3303263==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add the size of the type state to the --print-states output and switch
back to a JSON object when enumerating the blobs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The two tests test_tpm2_samples_create_tpmca and
test_tpm2_swtpm_localca_pkcs11 cannot complete successfully if run in
parallel. To solve this issue, introduce a dependency via the log files
to prevent parallel execution of the two test. We have to append the
.test suffix to their names to be able to do this.
docs:
https://www.gnu.org/software/automake/manual/html_node/Parallel-Test-Harness.html
Resolves issue #501, though the problem with stability of the tpm2 pkcs11
module is not resolved.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Search for all the state files not just the permanent state and
when printing the JSON use the abstracted names rather than concrete
filenames that are only valid for the dir backend but will likely
not exist in other backends.
Adjust swtpm_setup to search for the abstracted name and also
adjust the error message to print out the abstracted name.
Adjust the test cases.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When there is a delay between "Sending TPM2_NV_Write with wrong
password" and "timenow=$(date +%s)", the test can fail with "Error: Did
not get expected failure from TPM2_NV_Write() with good password.
Lockout should be enabled.". This can sometimes happen on slow or busy
systems.
To stabilize the test, this patch introduces precise recovery time
measurement ($timerecovery) and check good password works after that
time. As for lockout timeout, moves starting timer just before
TPM2_NV_Write and check good password fails before that time.
Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
--print-states reports TPM states stored in --tpmstate backend.
This feature is supposed to be used by swtpm_setup for checking TPM state
existence.
Sample output is as follows:
$ swtpm socket --print-states --tpmstate dir=/tmp --tpm2 | jq .
{
"type": "swtpm",
"states": [
{
"name": "tpm2-00.permall"
}
]
}
Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
The tests for the following options:
- with "--overwrite"
- with "--not-overwrite"
- without "--overwrite" nor "--not-overwrite"
Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
Skip tests that require the chardev after checking for the chardev
interface support in swtpm. Remove the conditional addition of chardev
related tests from the Makefile.am.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an options to specify pluggable backend URI.
Ex:
--tpmstate backend-uri=dir://<path_to_dir>
Backend URI is specific to each backend plugin which points to the
location of the NVRAM files.
Currently, "dir" is the only one available backend. In this case
backend-uri should be a path to the directory where files are stored.
This option is designed to compatible with existing "dir" option.
If "dir" is specified, swtpm prioritize "dir" ignoring "backend-uri".
Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
Implement get_supported_tpm_versions to get swtpm's support for TPM 1.2
and TPM 2 and use it error out in case user choose a TPM version that
is not supported. Also display the supported TPM versions in the
capabilites JSON.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The "version" field can be used to decide when capabilities are
supported/reported and give some library build details.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Skip test cases for TPM 1.2 if TPM 1.2 support is not provided by swtpm.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
[ skip more tests ]
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Use the --write-ek-cert-files option in existing test cases
and check for written files and correctness of the files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Write the EK certificate files into the directory specified as parameter
to the --write-ek-cert-files option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The PID filename was generated using the ${SWTPM} environment variable,
which caused test failures if set to a URL for example. Replace it with
'swptm'.
This issue was reported in issue #454.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Move swtpm_localca's sources out of samples/ (where they no longer
belong now that swtpm_localca is a binary) to src/swtpm_localca/.
- Tests now call the swtpm_localca binary directly at the location
where it was built, as they do with all other compiled programs.
- Simplify samples/swtpm-localca.in and delete swtpm-localca.2inst,
removing the now-unnecessary logic to selectively call swtpm_localca
from different locations (samples/ when running tests vs. /usr/bin/
post-installation).
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
- Makes swtpm_setup.conf.in consistent with the rest of the sample
configuration files in swtpm, whose templates ship in samples/ and
install the generated files to /etc.
- Works around dh_missing(1) erroneously reporting swtpm_setup.conf as
non-installed due to its having two copies in the build tree (one in
etc/ and another in debian/tmp/etc/).
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
The test test_tpm2_save_load_state seems to have been forgotten
about and was not run. Add it now to the the tests to run.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Modify a test case and write an environment variable into the
swtpm_setup.conf config file to test that it gets resolved.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Changes to libtpms will require that the volatile state files
during this test may be larger than 9000 bytes.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add restoring of the volatile state after having it stored.
Since this is now taking a long time it must be explicitly enabled
by setting the environment variable SWTPM_TEST_STORE_VOLATILE=1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If we are running the tests as a user that doesn't have a git config
setup we run into the following issue when trying to apply patches
suing 'git am':
Committer identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
This patch fixes this by setting the git config on the local checkout
before using 'git am'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Apply patches to the IBM TSS2 test suite rather than using sed on its
files and other types of file manipulations.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch adds a test case for testing the fix for libtpms
issue 195: https://github.com/stefanberger/libtpms/issues/195
This patch now requires that the latest TPM version from master or the
branches is installed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Upgrade to use the IBM TSS2 tests from v1.6.0.
Add a patch that eliminates all testing of 3072 bit RSA keys in case
libtpms does not support such keys. Also disable a test case related
to ACT for older revisions.
This test passes with libtpms 0.8.0 as well libtpms 0.6.0 and 0.7.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
test_samples_create_tpmca needs to wait longer for the pid file content
to be there not just until the file is available.
test_tpm2_save_load_state_2 needs to dump the TPM log file on failure.
Failures occurred rarely because the previous instance of swtpm had
not shut down yet and released the lock file while the new instance
wanted to lock the lockfile. So we have to wait a bit until the
previous instance is gone.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch fixes the following issue:
$ ./src/swtpm/swtpm chardev --print-capabilities --tpm2
swtpm: Error: Missing character device or file descriptor
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch adds support for partial reads to the CUSE swtpm.
We introduce a ptm_read_offset variable that holds the offset where to read
from next. It is reset every time a command has been processed as part of a
write() so that subsequent read()s start reading from offset 0. It is
advanced by the number of bytes that were read.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Due to recent changes in tcsd, it doesn't accept 'tss:tss 0600' anymore
for the tcsd config file but we need to use 'root:tss 0640' for it.
So far only Fedora seems to be affected. It now depends on whether tcsd
has been patched what ownership is required. So we try first the old
configuration and then the new one.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch fixes the path to swtpm-localca to avoid this type of
error because of swtpm_localca_conf having been created in another
directory. This error occurred whan running
sudo bash -c "make -j32 distcheck"
Traceback (most recent call last):
File "/home/stefanb/tmp/swtpm/swtpm-0.5.0/samples/swtpm-localca", line 5, in <
from py_swtpm_localca.swtpm_localca import main
File "/home/stefanb/tmp/swtpm/swtpm-0.5.0/samples/py_swtpm_localca/swtpm_local
from py_swtpm_localca.swtpm_localca_conf import SYSCONFDIR
ModuleNotFoundError: No module named 'py_swtpm_localca.swtpm_localca_conf'
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Some distros (openSUSE) have deprecated the 'net-tools' package,
so we allow for 'ss' as an alternative tool from the
iproute/iproute2 package. This is only relevant for test cases.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Start tpm2-abrmd for the test case 'test_tpm2_samples_create_tpmca' rather than
expecting it to be already running.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Apply the password for the signing key and parent key when creating a
platform certificate. The bug was introduced in commit 961bb827
"samples: Use new pwd format option for secretly passing passwords"
Extend a test case to ensure that the passwords are always used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of the 'c' code that only changed the user and add for support of
the --runas option to change to a different user in the python part.
To get 'make distcheck' to work I needed to name the swtpm_setup python
script with the suffix .in so that it gets copied to the build directory
as swtpm_setup. We need to change execute permissions on this file after
copying.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Modify the pkcs11 related test case to set the environment variable for
softhsm_setup to use the temporary directory for config file and state
of softhsm. Also set the SOFTHSM2_CONF environment variable since
certtool also uses the pkcs11 module which in turn will look for its
config file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use softhsm's SOFTHSM2_CONF environment variable to set the directory
where the configration file is located so that we can now use a temporary
directory for the location of the directory. Use the environment variable
SOFTHSM_SETUP_CONFIGDIR to set the directory where softhsm_setup can
setup its temporary environment for the config file and state of softhsm.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Slow systems, like Cygwin, need so much time from taking the time to sending
the command that we need to take the current time again to check whether the
success is valid. Previously the test may have failed since the old time that
was taken did not allow the success to be valid.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The OpenBSD implementation of 'od -tx1' prints two spaces between
hexbytes, thus the grep for "00 00 00 00" fails and we report an
invalid error. This patch fixes this by squeezing the two consecutive
spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
We have occasional test failures on Travis running tests on OS X where
time seems to be going backwards in the dictionary attack timeout test.
This patch tries to detect that the time went backwards and skip the
test once a failure would have been detected.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the swtpm-localca test with odd vmid string to ensure
that they go into the certificate unmodified.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Have the tpm2_ptool use a store in the temporary directory so that
with every test we have a clean environment.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign the unique port 65452/65354 to test_tpm2_save_load_state to
avoid conflict with test_tpm_probe also using
SWTPM_SERVER_PORT=65526
SWTPM_CTRL_PORT=65527
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign the unique ports 65450/65451 to test_tpm2_sample_create_tpmca
to avoid clashes with test_samples_create_tpmca that is using
SWTPM_SERVER_PORT=65434
SWTPM_CTRL_PORT=65435
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Assign unique ports 65448/65449 to test_tpm2_setbuffersize to avoid clash
with test_samples_create_tpmca using TCSD_LISTEN_PORT=65436.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The generated sample keys started with 00010203, thus leaving the upper
15 bits of the key as '0', which in turn causes gnutls to think that the
key is only 2033 bit long, thus rejecting certificate verification once
the min-verification-profile is set to 'medium' in gnutls's config file
in /etc/crypto-policies/back-ends/gnutls.config.
We now create sample keys starting with 800102, which sets the highest bit.
This fixes test errors on Fedora Rawhide due to the change in the
min-verification-profile setting in gnutls.config.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The OpenBSD implementation of 'od -tx1' prints two spaces between
hexbytes, thus the grep for "00 00 00 00" fails and we report an
invalid error. This patch fixes this by squeezing the two consecutive
spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Upgrade to use the IBM TSS2 tests from v1.5.0.
Add a patch that eliminates all testing of 3072 bit RSA keys in case
libtpms does not support such keys. This test also passes with libtpms
0.6.0 and 0.7.0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
libtpms version 0.6.3, 0.7.3, and master have a change to the TPM 2 code
that affects the pcrUpdateCounter, which now returns a smaller value than
before.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The first part of the derived key test only works fine on 64 bit
little endian machines. Skip big endian machines.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the --print-capabilities option to also report supported RSA
key sizes. Only the TPM 2 may support anything else than 2048 bit RSA
keys, so we only consult 'swtpm socket --tpm2 --print-capabilities'
and grep for 2048 and 3072 key sizes and report them.
If nothing is found, nothing is reported, as before, and 2048 bit RSA
keys should be assumed.
'swtpm_setup --tpm2 --print-capabilities' may now show the following:
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"tpm2-rsa-keysize-2048",
"tpm2-rsa-keysize-3072"
]
}
Also adjust a test case to use a regular expression for matching
against an expected string that may nor may not have rsa-keysize
verbs.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Check the libtpms capabilities via 'swtpm_ioctl -i 4' to see whether
libtpms supports RSA 3072 bit keys. Only if this is not the case
deactivate all RSA 3072 bit key tests.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Construct RSA key size capability strings from libtpms TPMLIB_GetInfo()
string so that we can easily show which RSA key sizes are supported by
the TPM 2 implementation. If none are advertised, 1024 & 2048 can be
assumed to be supported.
'swtpm socket --tpm2 --print-capabilities' may now print the following:
{
"type": "swtpm",
"features": [
"tpm-send-command-header",
"flags-opt-startup",
"cmdarg-seccomp",
"cmdarg-key-fd",
"cmdarg-pwd-fd",
"no-tpm12-tools",
"rsa-keysize-1024",
"rsa-keysize-2048",
"rsa-keysize-3072"
]
}
We need to adapt the related test case to use a regular expression since
the rsa-keysize-xyz strings may or may not be there depending on libtpms
version.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the host is missing tcsd (trousers) or the tpm-tools, swtpm_setup
will now report the 'no-tpm12-tools' verb like this:
> swtpm_setup --print-capabilities | jq
{
"type": "swtpm_setup",
"features": [
"cmdarg-keyfile-fd",
"cmdarg-pwdfile-fd",
"no-tpm12-tools"
]
}
The only TPM 1.2 setup parameter that requires interaction with
the TPM 1.2 that can be pass is then '--createek'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
