Commit Graph

1666 Commits

Author SHA1 Message Date
Stefan Berger
5c4b2ba3a1 swtpm_setup: Create IAK hwSerialNum from data extracted from EK cert
Create the IAK hwSerialNum from the authority key identifier and
serial number extracted from the EK certificate.

Adjust a test script that now needs to use a valid certificate for the EK
so that we can get the authority key identifier and serial from it to
create the serial number for the IAK certificate.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-31 09:49:11 -04:00
Stefan Berger
969f50f9c6 swtpm_setup: Create IAK and IDevID keys and certificates
Extend swtpm_setup to create IAK and IDevID keys and certificates.

Use the same CA for signing the IAK and IDevID certificates as used for
the EK and platform certificates since all these certificates are issued
at the same time anyway.

Add documentation to the man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-31 09:49:11 -04:00
Stefan Berger
25450f5dc1 swtpm_setup: Prepare primary EC key creation with 2 different nonces
Prepare the code to allow EC keys to be created with 2 different nonces.
So far always 2 identical nonces were used in all templates.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-31 09:46:44 -04:00
Stefan Berger
1d864bc987 swtpm_localca: Add support for creating IAK and IDevID certs
Add documentation to the man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-31 09:46:44 -04:00
Stefan Berger
9b682820ac swtpm_localca: Add support for --tpm-serial-num command line option
Add support for the --tpm-serial-num command line option to pass it on to
swtpm_cert.

Make the vmid part of the serialNumber of the subject passed to
swtpm_cert (following an email exchange with TCG IWG).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-31 09:46:44 -04:00
Stefan Berger
ea22c92e61 swtpm_cert: Add support for creating IAK and IDevID certificates
Add support for certificate types iak and idevid. Both require the new
command line option --tpm-serial-num to be passed.

Add support for creating the ASN.1 for the SAN for the new certificates.

Advertise the support for the new certificate types using the capabilities
JSON with entries "cmdarg-tpm-serial-num" and "supports-iak-idevid".

Add documentation to the man page and extend test cases.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-31 09:46:44 -04:00
Stefan Berger
05f4d91989 test: Exit IBM TSS2 test early if it does not support swtpm
Check the help screen for necessary supported options since the IBM TSS2
test will have to be patched to support swtpm directly. If it does not
support it, exit the tests early with an error message.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-28 21:19:33 -04:00
Stefan Berger
395ada34d8 tests: Update IBMTSS2 test suite to v2.4.0
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-24 18:20:01 -04:00
Stefan Berger
ab267bfe4a swtpm: Only display profile capabilities when --tpm2 is given
Only display profile capabilities when --tpm2 is given since they are only
relevant when a TPM 2 is used.

Adjust test cases.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-23 19:44:57 -04:00
Stefan Berger
74a3d99b93 swtpm_setup: Give fields in tpm2_authblock better names
Give two of the (unused) fields in the tpm2_authblock better names and
since these two and the continueSession fields are always initialized with
'0', simplify the initializer macro to only take one argument.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-18 15:07:36 -04:00
Stefan Berger
a72da2dfac tests: Extend regexes with optional match for Attributes in profiles
The default-v1 profile may soon also set Attributes in the JSON and
therefore extend the regular expressions matching profiles to optionally
match for Attributes.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-17 17:56:11 -04:00
Stefan Berger
1eb06b6f79 swtpm_setup: Always lock storage while creating initial state
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
38aa3d972c swtpm: Display tpmstate-opt-lock as a new capability
Display the new capability tpmstate-opt-lock, adjust test cases,
and document it in the swtpm man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
1d17d09158 swtpm: Add support for lock option parameter to tpmstate option
To support storage backend locking on the file backend, add support for a
lock option parameter to the --tpmstate option. By default the value of
this option (if not given) has to be 'true' for the dir backend, since this
backend has always been locking, and 'false' on the file backend, since
this backend did not lock so far.

If the user chooses no storage backend locking then SWTPM_NVRAM_Unlock &
SWTPM_NVRAM_Lock_Storage do not call the backend for locking at all
anymore.

Document the new option parameter in the swtpm man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
aa483aeb6d swtpm: nvstore_linear: Add support for file-backend locking
Add support for locking the storage file using fcntl(fd, F_SETLK, ...).
Since fcntl needs a file descriptor of the actual storage file, call
SWTPM_NVRAM_LinearFile_DoOpenURI() to open the file in case it has not
been opened, yet. In case of error close the file again but be careful
about the fact that it may not have been mmap'ed, yet.

Since now all backends have .lock and .unlock nvram_backend_ops, they can
be called without checking for a NULL pointer.

Extend an existing test case with a file-backend storage lock test.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
4be72bc65a swtpm: Remove broken logic to check for neither dir nor file backend
Remove the broken logic to check for neither dir:// nor file:// backend.
If an unknown backend type is used, then it will be detected later on
and an error message will be printed out. Even though the logic was
broken it didn't seem to cause failures.

Also have tpmstate_set_mode return void since it cannot fail.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
eb5875793e swtpm: nvstore_linear: Add comment to SWTPM_NVSTORE_LINEAR_MAX_STATES
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
fc57f557d8 swtpm: nvstore_linear_file: Initialize file descriptor to -1
Since 0 is a valid file descriptor and checks for valid file descriptors
are typically '>= 0', initialize the file descriptor to -1 to indicate
that it is unused.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
8ba4ec3c43 swtpm: Refactor parts into SWTPM_NVRAM_LinearFile_DoOpenURI
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-15 10:49:01 -04:00
Stefan Berger
e159d26671 tests: Use ${CERTTOOL} rather than certtool (OS X)
On OS X we have to use ${CERTTOOL} rather than certtool to get
gnutls-certtool.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-13 19:46:15 -04:00
Stefan Berger
86e8f8b861 swtpm_setup: Rename parameter from optarg to opt_arg (OS X,Wshadow)
Rename the optarg parameter to opt_arg since compiler on OS X
gives a -Wshadow warning.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-13 19:46:15 -04:00
Stefan Berger
47f37b0551 swtpm_ioctl: Rename parameter from optarg to opt_arg (OS X,Wshadow)
Rename the optarg parameter to opt_arg since compiler on OS X
gives a -Wshadow warning.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-13 19:46:15 -04:00
Stefan Berger
799290d229 swtpm_bios: Rename parameter from optarg to opt_arg (OS X,Wshadow)
Rename the optarg parameter to opt_arg since compiler on OS X
gives a -Wshadow warning.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-13 19:46:15 -04:00
Stefan Berger
489483f100 swtpm: Fix typo in header guard #define
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-13 19:46:15 -04:00
Stefan Berger
06168658cb Revert "swtpm: Print message in case error response is too long"
This reverts commit 8d4b247e3d since
CMD_GET_STATEBLOB can have more than 4 bytes in response when an
error happened (long-standing protocol error).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-12 13:19:05 -04:00
Stefan Berger
8d4b247e3d swtpm: Print message in case error response is too long
All error messages must only be 4 bytes long. Print an error message if
this is not the case.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-11 17:34:36 -04:00
Stefan Berger
3a0ff17329 swtpm_ioctl: Use ptm_cap_n for non-CUSE PTM_GET_CAPABILITY response
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-11 17:34:36 -04:00
Stefan Berger
47c96a0c64 swtpm: Use ptm_cap_n to build PTM_GET_CAPABILITY response
Use the new ptm_caps_n to create the response for PTM_GET_CAPABILITY in the
socket and chardev implementations. Due to how the result was created
before, the tpm_result part of the response will always have to be
TPM_SUCCESS, since it was always 0 before.

Leave the CUSE implementation untouched since there the result was returned
in native endianness resulting in the first 4 bytes carrying the capability
flags.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-11 17:34:36 -04:00
Stefan Berger
7499734f98 swtpm: Define a structure to return PTM_GET_CAPABILITY result
Define a structure to use for returning the PTM_GET_CAPABILITY result that
resembles the layout of all the commands' structures. Since only 17 bits for
capabilities are currently defined and they are returned in big endian
format as part of a 64bit number, this change can be done without any side
effects. The upper 32bit of this number now become the tpm_result, which
will always be 0. The lower 32bits are the possible capability flags, of
which the 17 are used.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-11 17:34:36 -04:00
Stefan Berger
f29b870b5a cuse: Move display of help screen into function
Move the display of the help screen into its own function to be able
to use fprintf with the help screen as format string to avoid static
analyzer warnings.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-08 12:11:37 -04:00
Stefan Berger
7b2ee0ed2e tests: Test activation of PCR banks when not all are available
Restrict available PCR banks to sha256 & sha384 and try to enable sha256
and sha512 and check the expected results.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-08 10:42:47 -04:00
Stefan Berger
3f551e1dc1 swtpm: Implement --print-info to run TPMLIB_GetInfo with flags
Implement --print-info that takes a number as argument and uses this number
as flags to call TPMLIB_GetInfo with. Display the JSON string and exit.

Extend the man page and update other parts where swtpm_ioctl is not necessary
anymore to use.

Extend a test case to also check that swtpm now returns the same result as
swtpm_ioctl does.

Append cmdarg-print-info to printed out capabilities. Adjust test cases.
(Expect 'profiles' to always be part of capabilities JSON.)

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-07 11:09:04 -04:00
Stefan Berger
770abf3ff0 tests: Fix a typo in the name of a profile
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 18:20:18 -04:00
Stefan Berger
8f670605b5 tests: Enable SWTPM_TEST_PROFILE for running test_tpm2_ibmtss2 with profile
Enable SWTPM_TEST_PROFILE for running the test_tpm2_ibmtss2 test cases
with a user provided profile. Document it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 18:20:18 -04:00
Stefan Berger
2fee0e7bb5 man: Improvements and fixes to swtpm_setup manpage
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 18:20:18 -04:00
Stefan Berger
50e7429b5b man: Improvements and fixes to swtpm manpage
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 18:20:18 -04:00
Stefan Berger
c6db0e3185 swtpm: Support 'remove-disabled' for 'custom:'-prefixed profile names
Extend the support for 'remove-disabled' option parameter of the --profile
option to also work for profiles whose name starts with 'custom:'.

Modify an existing test case to use custom:test as profile name with this
option.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 18:20:18 -04:00
Stefan Berger
4faf8eca44 man: Better describe --get-info option parameters for swtpm_ioctl
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 18:20:18 -04:00
Stefan Berger
47d37ccba2 debian: Add rules for reading profiles from distro and local dirs
Allow a user to pass profiles from the distro or local dirs directly
to swtpm. A rule to allow reading profiles from somewhere under the
HOME directory already exists.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 09:35:17 -04:00
Stefan Berger
34e5103045 swtpm_setup: Implement --print-profiles to display all profiles
Implement support for the --print-profiles option to search the local
and distro profiles directories for profiles (files with .json extension)
and then get the built-in ones from swtpm. Print them all to stdout.

Extend a test case and add description to the man page.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 09:35:17 -04:00
Stefan Berger
3d7b2445c3 swtpm_setup: Add profile entries to swtpm_setup.conf written by swtpm_setup
Have swtpm_setup --create-config-files write profile entries into
swtpm_setup.conf.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 09:35:17 -04:00
Stefan Berger
5486f0437f swtpm_setup: Add support for --profile-name option
Add support for --profile-name option that searches for a profile in a
configurable local directory or a distro directory
(typically /usr/share/swtpm/profiles).

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-02 09:35:17 -04:00
Stefan Berger
7198e0d716 swtpm_setup: Accept profiles with name starting with 'custom:'
Accept profiles that start their name with 'custom:' and do not exceed
32 characters. The content of these profiles will be derived from the
built-in 'custom' profile unless Algorithms, Commands, or Attributes
are provided on the command line.

Adjust a test case to test with profile name starting with 'custom:'.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-01 19:12:05 -04:00
Stefan Berger
82fb09c6a2 selinux: Change write to append for appending to log
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-10-01 09:57:34 -04:00
Stefan Berger
2d4a4c57cc selinux: Add rule for logging to svirt_image_t labeled files from swtpm_t
I was able to recreate the issue on one of my machines where swtpm_t
was trying to append to the log labeled with svirt_image_t. On another
machine this combination of labels does not seem to cause a problem.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2306817
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-30 21:32:22 -04:00
Stefan Berger
aa78a302ec swtpm: Display stderr in case swtpm --print-capabilities failed
When swtpm --print-capabilities for example fails to be able to access
the log file that swtpm_setup logs into, then it may fail to run. In
this case log the stderr output of swtpm.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-30 17:01:04 -04:00
Stefan Berger
2e2124928f swtpm_setup: Return error if reading of config file failed
Return an error if the reading of the config file failed so that
config_file_lines can never be NULL. Remove all checks for
config_file_lines == NULL.

It's very unlikely reading of the config file failed since there's a file
access check right before it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-27 15:12:58 -04:00
Stefan Berger
2e42685e6d swtpm_setup: Move checking access to and reading of config file into function
Move the checking of access to and reading of the configuration file into
its own function.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-27 15:12:58 -04:00
Stefan Berger
e29457defc Dockerfile: Fix casing of 'as'
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-25 07:20:37 -04:00
Stefan Berger
3a1be75d04 swtpm_setup: Fix counting of profile related options
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2024-09-24 16:58:06 -04:00