To make the ASN.1 look like the one from the spec. we have to
use a lower-level GNUTLS API function to set it.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Put the code that creates the ASN.1 for the platform and
TPM manufacturer info into their own functions.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Since swtpm_setup now uses the swtpm_ioctl tool to get some of the
TPM attributes directly from the TPM, we don't need to pass these
options via the options file anymore.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the swtpm_ioctl tool also to get TPM manufacturer, firmware
version and TPM model and pass it to the external tool creating
the certificate.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Simplify the two's complement implementation by converting the number
into a big endian and writing it out into a byte array that is prefixed
with a 0-byte. This covers all unsigned ints while the previous imple-
mentation would have been wrong once the number exceeded 255.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To avoid test failures in test_ctrchannel2 due to the swtpm process
still running after it has removed the PID file, give it 0.5 seconds
to actually terminate.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Calculate the two's completement of the spec_level and spec_revision
numbers so that ASN.1 properly stores them as unsigned integers.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create ASN.1 for the Extended Key Usage field for the EK certificate
that has the oid 2.23.133.8.1 and for the platform certificate the
oid 2.23.133.8.2. Both are registered OIDs:
http://oid-info.com/get/2.23.133.8.1http://oid-info.com/get/2.23.133.8.2
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Non-privileged mode needs another rule and on Fedora 27 we need
a swtpm_exec_t related rule we did not need on Fedora 23.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The extern cert program was called with --vmid <foo>--tpm-spec-family ...
and failed due to a missing whitespace. This patch fixes it.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
If the swtpm_cert was missing, nothing was reported in the error log. Change
this and report it in the error log rather than writing the error in the
certificate file.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the new --info parameter for swtpm_ioctl to get TPM specification
info from the swtpm and use this as a parameter for creating the EK
certificate.
Extend the man page.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement the --info option that takes a flag as an argument
and returns information about the TPM implementation. Only the
value '1' has been defined for now, which returns a line as
the following:
{"TPMSpecification":{"family":"1.2","level":2,"revision":116}}
Extend the man page.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement options --tpm-spec-family, --tpm-spec-revision, and
tpm-spec-level to pass to swtpm_cert for EK creation.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
We quetry the swtpm for TPM specification info that goes into the
certificate for the EK.
Update the test cases that now see more capabilties being returned
by the swtpm.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
If the key is not readable as the current user, such as tss:tss,
but it is there, we don't try to create it but error out.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Since the EK cert must have an Authority Key Id, we error out if
the signing certificate we are given does not have an Authority
Key Id. The typical reason why it wouldn't have it is that we are
using a self-signed (rootCA) certificate directly.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Update the test case test_swtpm_cert to have its issuercert signed
by a created root CA so that we have the Authority Key Id in the cert.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
We are currently missing the Authority Key Id in the certificate used for
creating the EK cert. To get this, we create a root CA for our local CA
and use that root CA to sign the local CA's certificate. Our local
CA is now an intermediate CA and the Authority Key Id can now be copied
into the EK cert.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Log the output of the tool that is creating the certificate and
prefix every line with the name of the tool.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To not loose stderr we have to run the exec command in a subshell
and suppress the output of the subshell otherwise the exec command
seems to close stderr on us.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create the TPMSpecification SEQUENCE and add it to the subject
directory attributes of an EK cert.
The code generates the same ASN.1 for the Subject Directory Attributes
as the example in the EK spec has.
> openssl asn1parse -in ${cert} -strparse 603
0:d=0 hl=2 l= 30 cons: SEQUENCE
2:d=1 hl=2 l= 28 cons: SEQUENCE
4:d=2 hl=2 l= 5 prim: OBJECT :2.23.133.2.16
11:d=2 hl=2 l= 19 cons: SET
13:d=3 hl=2 l= 17 cons: SEQUENCE
15:d=4 hl=2 l= 3 prim: UTF8STRING :1.2
20:d=4 hl=2 l= 4 prim: INTEGER :41010000
26:d=4 hl=2 l= 4 prim: INTEGER :7B000000
Extend existing test case so they create the ASN.1 as well.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
TPM 1.2 certificates need a header when written to NVRAM. This patch
adds a --add-header option for this and prepends the header to.
Also see TCG PC Specific Inmplementation Specification section 7.4.4 and
7.4.5.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement a mode parameter for the tpmstate option so that the user
can choose what the file mode bits of the TPM's state files will be.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Replace the previously used swtpmcuse_svirt type of policy with
swtpm_svirt. This policy contains the minimum set of rules necessary
to start swtpm from within libvirt.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address the issue that the pidfile needs to be removed at the end if
a file descriptor was passed in. So we have to look up the file
given the file descriptor and by using /proc/self/fd/.
We also want to make sure that the given file descriptor describes
a regular file.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Update the SELinux for swtpm so that swtpm can be launched from
libvirtd and QEMU can access swtpm's UnixIO socket and talk to it.
Use this as follows:
> cd src/selinux
> make clean all
> semodule -i *.pp
> restorecon /usr/bin/swtpm*
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement support for uid and gid parameters that allows us to set the file
ownership of a UnixIO socket.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement support for a mode parameter that allows us to set the file
mode bits on a UnixIO socket.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Loading an invalid state blobs now fails ealier since libtpms is
called to check whether it can accept the blob.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create tpmlib_register_callbacks and call it to register the
libtpms callbacks a lot earlier. Before it was done in tpmlib_start,
which was invoked by CMD_INIT, which was after state blobs could
have been set already.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
