Since many older gmp development packages do not provide the pkg-config
file for gmp, just display a warning and fall back to default values.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
x509 certificate serial numbers can be up to 20 bytes long.
Support this via the gmp library.
A serial number must not have its most significant bit set, which
would indicate a negative number. If this is the case, insert '0'
as the first byte.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
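The sign-bit rule from the commit above, as an added example that is not swtpm's own code: DER INTEGERs are two's complement, so a positive serial whose top bit is set must be prefixed with a 0x00 byte, and redundant leading zeros must be dropped. The function names, the sample bytes and the 20-octet check (RFC 5280 section 4.1.2.2) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 5280 4.1.2.2 allows at most 20 octets for the serialNumber INTEGER value. */
#define SERIAL_MAX_LEN 20

/*
 * Turn a big-endian unsigned serial number into the value octets of a DER
 * INTEGER: drop redundant leading zero bytes, then prepend 0x00 when the
 * most significant bit is set, because a set top bit would otherwise be
 * read as a negative number.
 * Returns the number of bytes written to out, or 0 on error (empty input,
 * a value of zero, or not enough room in out).
 */
size_t serial_to_der_content(const uint8_t *in, size_t in_len,
                             uint8_t *out, size_t out_len)
{
    size_t start = 0;

    if (in == NULL || out == NULL || in_len == 0)
        return 0;

    /* skip leading zeros; a serial of zero is rejected since it must be positive */
    while (start < in_len && in[start] == 0)
        start++;
    if (start == in_len)
        return 0;

    size_t body_len = in_len - start;
    size_t pad = (in[start] & 0x80) ? 1 : 0;  /* sign-bit padding byte needed? */

    if (body_len + pad > out_len)
        return 0;

    if (pad)
        out[0] = 0x00;
    memcpy(out + pad, in + start, body_len);
    return body_len + pad;
}

/*
 * Check that already-encoded value octets describe an acceptable serial:
 * non-empty, positive, minimally encoded, and within the 20-octet limit.
 * A 20-byte random value with its top bit set needs 21 octets after padding
 * and therefore fails this check; generators should keep that in mind.
 */
int serial_content_is_valid(const uint8_t *content, size_t len)
{
    if (content == NULL || len == 0 || len > SERIAL_MAX_LEN)
        return 0;
    if (content[0] & 0x80)
        return 0;                        /* would decode as negative */
    if (content[0] == 0x00 && (len == 1 || !(content[1] & 0x80)))
        return 0;                        /* zero or redundant leading zero */
    return 1;
}

/* Convenience for checks: 1 if encoding `in` yields exactly `expect`. */
int serial_encode_matches(const uint8_t *in, size_t in_len,
                          const uint8_t *expect, size_t expect_len)
{
    uint8_t buf[SERIAL_MAX_LEN + 1];
    size_t n = serial_to_der_content(in, in_len, buf, sizeof(buf));
    return n != 0 && n == expect_len && memcmp(buf, expect, n) == 0;
}

int main(void)
{
    /* constructed sample: top bit set, so a 0x00 byte must be inserted */
    static const uint8_t sample[] = { 0x80, 0x01 };
    uint8_t buf[SERIAL_MAX_LEN + 1];
    size_t n = serial_to_der_content(sample, sizeof(sample), buf, sizeof(buf));

    printf("encoded %zu byte(s):", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", buf[i]);
    printf("  valid=%d\n", serial_content_is_valid(buf, n));
    return 0;
}
```

The validity check is the one a verifier would apply to a received certificate; the encoder is what a CA-side tool such as a local CA has to do before handing the value to its ASN.1 library.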
swtpm_localca may also receive the key parameters of other keys than
the ek, therefore introduce the --key alias for --ek and rename the
variable ekparmas to key_params throughout the code.
Extend the man page to describe the --key option as an alias that
is to be used for other public key parameters than specifically those
of an ek.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To make the function creating filenames for keys less ek-specific,
pass the key_type, such as "ek", into this function.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To be able to extend the flags_to_certfiles array with new certificates
while carrying new flags for new certificates, mask out existing EK and
platform certificate flags and set the cert_flags variable with it to limit
the view of the entries in the table.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Follow the changes in Fedora to build a separate swtpm-selinux package
so that swtpm can also be installed without SELinux on the system.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
With a memoryBacking node added to the libvirt domain XML, the unlink
permission on user_tmp_t:sockfile becomes necessary to avoid an avc
denial.
    <currentMemory unit='KiB'>2097152</currentMemory>
    <memoryBacking>
      <hugepages>
        <page size='2048' unit='KiB'/>
      </hugepages>
    </memoryBacking>
Also add the unlink permission to the other occurrences of sock_file.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2165142
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The following command line did not function on an x86_64 host due to missing
SELinux rules:
    virt-install -v \
        --name fedora-38-aarch64 \
        --ram 4096 \
        --disk path=fedora-38.img,cache=none \
        --nographics \
        --os-variant fedora38 \
        --import \
        --virt-type=qemu \
        --arch aarch64 \
        --check all=off
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2228423
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When running a VM connected to qemu:///session, swtpm needs access to its own
process id and socket files in /run/user/<UID>/libvirt/qemu/run/swtpm/. Add
permissions to access them in the apparmor profile.
Signed-off-by: Lena Voytek <lena.voytek@canonical.com>
swtpm_setup and swtpm_localca may be run by a toolstack with log
messages going to a pipe via stdout. Set stdout to be unbuffered to
avoid log messages being lost if the process terminates unexpectedly.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
The --version option was using the wrong goto label 'error' rather than
'out'; it now also exits with exit code 0.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Close the file descriptors passed to the swtpm process on the parent
side for faster detection of errors in the swtpm process that can
occur if swtpm was passed a profile that it cannot run with.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
On busy systems TSC_PhysicalPresence may time out when used with short
duration, so use medium duration instead.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
In case swtpm does not start properly the write() to it may work but
then the read() gets stuck. Detect a failed swtpm by adding a poll()
before the read(). Use some extended durations considering possibly
busy systems.
A terminating swtpm instance can be caused when an unacceptable
profile is passed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
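The poll()-before-read() pattern from the commit above, as an added example that is not swtpm's code: a plain read() on a pipe or socket whose peer is alive but silent blocks forever, whereas poll() bounds the wait and also surfaces a peer that has exited. The function names, return codes and the three constructed pipe scenarios (silent peer, dead peer, answering peer) are this example's own; the 100 ms and 5 s timeouts are arbitrary.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Distinct negative results so the caller can tell "slow" from "gone". */
#define RWT_TIMEOUT (-2)   /* nothing arrived before the deadline */
#define RWT_HANGUP  (-3)   /* the peer closed its end without answering */

/*
 * Wait up to timeout_ms for fd to become readable, then read() from it.
 * Returns bytes read, RWT_TIMEOUT, RWT_HANGUP, or -1 with errno set for
 * other poll()/read() failures. POLLHUP or a zero-length read both mean
 * the peer went away. The timeout restarts after EINTR, which is fine here.
 */
ssize_t read_with_timeout(int fd, void *buf, size_t len, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc;

    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);

    if (rc < 0)
        return -1;
    if (rc == 0)
        return RWT_TIMEOUT;

    if (pfd.revents & POLLIN) {
        ssize_t n = read(fd, buf, len);
        return n == 0 ? RWT_HANGUP : n;      /* EOF means the peer is gone */
    }
    if (pfd.revents & (POLLHUP | POLLERR | POLLNVAL))
        return RWT_HANGUP;
    return -1;
}

/* Constructed scenario 1: the peer stays alive but never answers. */
ssize_t demo_silent_peer(void)
{
    int fds[2];
    char buf[16];
    ssize_t rc;

    if (pipe(fds) < 0)
        return -1;
    /* write end stays open, so a plain read() would block indefinitely */
    rc = read_with_timeout(fds[0], buf, sizeof(buf), 100);
    close(fds[0]);
    close(fds[1]);
    return rc;                               /* RWT_TIMEOUT after ~100 ms */
}

/* Constructed scenario 2: the peer terminates before answering. */
ssize_t demo_dead_peer(void)
{
    int fds[2];
    char buf[16];
    ssize_t rc;

    if (pipe(fds) < 0)
        return -1;
    close(fds[1]);                           /* stands in for the child exiting */
    rc = read_with_timeout(fds[0], buf, sizeof(buf), 5000);
    close(fds[0]);
    return rc;                               /* RWT_HANGUP, reported at once */
}

/* Constructed scenario 3: the peer answers normally. */
ssize_t demo_answering_peer(void)
{
    int fds[2];
    char buf[16];
    ssize_t rc = -1;

    if (pipe(fds) < 0)
        return -1;
    if (write(fds[1], "OK", 2) == 2)
        rc = read_with_timeout(fds[0], buf, sizeof(buf), 5000);
    close(fds[0]);
    close(fds[1]);
    return rc;                               /* 2 */
}

int main(void)
{
    printf("silent peer:    %zd (expect %d)\n", demo_silent_peer(), RWT_TIMEOUT);
    printf("dead peer:      %zd (expect %d)\n", demo_dead_peer(), RWT_HANGUP);
    printf("answering peer: %zd (expect 2)\n", demo_answering_peer());
    return 0;
}
```

Scenario 2 is the case the commit is about: with the parent's copies of the child's descriptors closed, a child that exits turns into an immediate hangup instead of a wait for the full timeout, which is why the timeout can safely be generous for busy systems.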
Fix the display of long responses that require calling PTM_GET_INFO
multiple times to get parts of the response from increasing offsets
until the whole response has been received.
Long responses are only returned when libtpms has profiles support and
several flags are passed to PTM_GET_INFO.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Older versions of libtpms need to have another patch applied that disables
x509 certificate creation (0013-Disable-x509-test-cases-part2.patch).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To support install paths that are not covered by $PATH, and still allow
swtpm_setup and swtpm_localca to find swtpm and swtpm_cert executables,
implement find_program() to prepend the install path if only the program
name is given and otherwise fall back to g_find_program_in_path().
Update the man page to state that the swtpm from the installation directory
(BINDIR) is tried before one is searched for in the PATH.
Resolves: https://github.com/stefanberger/swtpm/issues/795
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
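The lookup order the commit above describes, as an added example that is not swtpm's implementation (which builds on glib's g_find_program_in_path()): a name containing a slash is used as given, a bare name is first tried under the install directory and only then along PATH. The find_program() signature, the BINDIR fallback value and the skipping of empty PATH entries are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Placeholder install directory; a real build gets this from the build system. */
#ifndef BINDIR
#define BINDIR "/usr/local/bin"
#endif

/* malloc'ed copy of p if it is an executable regular file, else NULL. */
static char *executable_or_null(const char *p)
{
    struct stat st;
    size_t n;
    char *copy;

    if (stat(p, &st) != 0 || !S_ISREG(st.st_mode) || access(p, X_OK) != 0)
        return NULL;
    n = strlen(p) + 1;
    copy = malloc(n);
    if (copy)
        memcpy(copy, p, n);
    return copy;
}

/*
 * Resolve a program name: a name that already contains a slash is used as
 * given; a bare name is looked up under bindir first and then along
 * path_env (a colon-separated PATH string). Returns a malloc'ed path or
 * NULL if nothing executable was found.
 */
char *find_program(const char *name, const char *bindir, const char *path_env)
{
    char candidate[4096];
    char *found;

    if (name == NULL || *name == '\0')
        return NULL;

    if (strchr(name, '/') != NULL)
        return executable_or_null(name);

    /* 1. the install directory takes precedence over PATH */
    if (bindir != NULL && *bindir != '\0' &&
        snprintf(candidate, sizeof(candidate), "%s/%s", bindir, name)
            < (int)sizeof(candidate) &&
        (found = executable_or_null(candidate)) != NULL)
        return found;

    /* 2. PATH entries in order; empty entries (which mean ".") are skipped on purpose */
    for (const char *p = path_env; p != NULL && *p != '\0'; ) {
        const char *end = strchr(p, ':');
        size_t dlen = end ? (size_t)(end - p) : strlen(p);

        if (dlen > 0 &&
            snprintf(candidate, sizeof(candidate), "%.*s/%s", (int)dlen, p, name)
                < (int)sizeof(candidate) &&
            (found = executable_or_null(candidate)) != NULL)
            return found;

        if (end == NULL)
            break;
        p = end + 1;
    }
    return NULL;
}

int main(void)
{
    const char *path = getenv("PATH");
    char *p = find_program("swtpm", BINDIR, path ? path : "");

    printf("swtpm -> %s\n", p ? p : "(not found)");
    free(p);
    return 0;
}
```

Preferring the install directory keeps a helper like swtpm_setup paired with the swtpm binary it was built and packaged with, rather than whichever copy happens to be first in the caller's PATH.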
Since the tss2 package is commonly available in focal and jammy,
move it into the general list of packages to be installed.
libtpm2-pkcs11-tools is available since jammy, so install it
there to enable the TPM 2 pkcs11 tests.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since the package libasan2 does not exist in focal anymore, remove it. The
bionic builds do not seem to require this package to be installed (maybe
it's already there), so there's no need to install it in a before_script.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Recent GnuTLS does not package tpmtool anymore. Check for
the missing tpmtool and report an error as appropriate.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>