Add support for --profile-name option that searches for a profile in a
configurable local directory or a distro directory
(typically /usr/share/swtpm/profiles).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the user did not provide the profile on the command line read the
default profile from the swtpm_setup.conf configuration file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If the user did not provide the RSA keysize to use try to read it from
setup_setup.conf and if nothing is found there fall back to using the
internal default RSA keysize (2048).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Recent GnuTLS does not package tpmtool anymore. Check for
the missing tpmtool and report an error as appropriate.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Write the active_pcr_banks into swtpm_setup.conf with the default
PCR banks from the configure script.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
swtpm_setup.conf has traditionally pointed to
/usr/share/swtpm/swtpm-localca for create_certs_tool but since
/usr/bin/swtpm_localca is now available, have newly created
config files point to this executable instead.
Since there are possibly many swtpm_setup.conf out there pointing
to /usr/share/swtpm/swtpm-localca, we have to still install
swtm_localca there as well and package it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Have swtpm-create-user-config-files run swtpm_setup with the new
--create-config-files option and possible parameters.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
- Move swtpm_localca's sources out of samples/ (where they no longer
belong now that swtpm_localca is a binary) to src/swtpm_localca/.
- Tests now call the swtpm_localca binary directly at the location
where it was built, as they do with all other compiled programs.
- Simplify samples/swtpm-localca.in and delete swtpm-localca.2inst,
removing the now-unnecessary logic to selectively call swtpm_localca
from different locations (samples/ when running tests vs. /usr/bin/
post-installation).
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
- Makes swtpm_setup.conf.in consistent with the rest of the sample
configuration files in swtpm, whose templates ship in samples/ and
install the generated files to /etc.
- Works around dh_missing(1) erroneously reporting swtpm_setup.conf as
non-installed due to its having two copies in the build tree (one in
etc/ and another in debian/tmp/etc/).
Signed-off-by: Nick Chevsky <nchevsky@users.noreply.github.com>
Use a different script for local testing that what is installed into
/usr/share/swtpm/swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace the binary swtpm_localca with a script that now calls the binary
swtpm-localca, which is to be installed in $bindir.
So that we can use this for script for calling swtpm-localca during testing
(when it is not installed), write the script in such a way that it de-
termines whether there's swtpm-localca in the same directory and if not call
it from ${bindir}/swtpm-localca.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a missing else branch that was forgotten about when the code was trans-
lated from python. This now also gets the test case
test_tpm2_samples_create_tpmca to work again when it is run from the command
line. This test case doesn't work as part of the test suite due to
concurreny issues with other test cases using tpm2-abrmd at the same.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
GnuTLS on 32-bit platforms complains about the long expiration time
of the certificates since they overflow the 32-bit time_t. Reduce
the duration to 12 years.
This system expresses time with a 32-bit time_t; that prevents dates after 2038 to be expressed by GnuTLS.
Overflow while parsing days
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch addresses the following gcc-11 compiler issues:
In file included from /usr/include/glib-2.0/glib.h:114,
from ../src/utils/swtpm_utils.h:13,
from swtpm_localca_utils.c:24:
swtpm_localca_utils.c: In function 'get_config_envvars':
/usr/include/glib-2.0/glib/glib-autocleanups.h:28:3: error: 'value' may be used uninitialized in this function [-Werror=maybe-uninitialized]
28 | g_free (*pp);
| ^~~~~~~~~~~~
swtpm_localca_utils.c:98:37: note: 'value' was declared here
98 | g_autofree gchar *key, *value;
| ^~~~~
In file included from /usr/include/glib-2.0/glib.h:114,
from ../src/utils/swtpm_utils.h:13,
from swtpm_localca_utils.c:24:
/usr/include/glib-2.0/glib/glib-autocleanups.h:28:3: error: 'key' may be used uninitialized in this function [-Werror=maybe-uninitialized]
28 | g_free (*pp);
| ^~~~~~~~~~~~
swtpm_localca_utils.c:98:31: note: 'key' was declared here
98 | g_autofree gchar *key, *value;
| ^~~
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This is a 1:1 rewrite of swtpm_localca in 'C' as a final step to get
rid of the python dependency. It addresses issue #437.
Tested on: Cygwin, Fedora 33, Ubuntu Xenial & Bionic, FreeBSD,
DragonFlyBSD, OpenBSD (i386), Mac, Debian (recent), Centos-8,
CentOS (recent), Alpine (recent), OpenSUSE (recent),
Fedora 28 PPC Big Endian
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Have the statedir created in case it doesn't exist before checking for read
and write access to it.
Set the default directory where to write the results into to the current
directory '.' rather than to what would result in the root directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since the config files created by the swtpm-create-user-config-files
script will shadow those typically installed in /etc, we now require the
option --root if 'root' runs this script so that root is aware what he is
doing.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To force the installation of the python programs add a python-install
target. This solves an installation issue with non-standard prefix,
like not using /usr or /usr/local, as may be the case on OS X (Apple)
when using homebrew. It leaves the 'make distcheck' working, which also
uses a non-standard prefix and where we don't want to install the tools
due to issues with removing them afterwards where pip3 cannot be used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When creating the user config files, fall back to using ${HOME}/.config
if XDG_CONFIG_HOME is not set on a system.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Pass the CA's private key password via the template file. Remove recently
added old GnuTLS support. Extend man page with a paragraph about short-
comings of certtool that doesn't seem to allow private key password being
passed either as environment variable or template file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Older versions of GnuTLS need --password on the command line while
newer versions require GNUTLS_PIN to be set to pass the password.
So, this patch accomodates older versions of GnuTLS.
Older version of GnuTLS seem to NOT be able to handle a CA private
key needing a password and a signing key needing a password when
creating the intermediate CA. So this case of 2 passwords will
always fail.
The value of the local CA is not so high that passing passwords on
the command line would be an issue. Later on when using the CA the
password are set via environment variables, so not visible to other
users.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for pkcs11 module environment variables to the config file.
These variables may have the following format:
env:VARNAME=VALUE
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Apply the password for the signing key and parent key when creating a
platform certificate. The bug was introduced in commit 961bb827
"samples: Use new pwd format option for secretly passing passwords"
Extend a test case to ensure that the passwords are always used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the local CA was create the signing key of the intermediate CA
was not properly protected by the passwords. This patch fixes this.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch over to the new python implementation of swtpm_setup. We need to
also adjust test cases that involved the tcsd that otherwise fail for
various reasons. For in-place testing we need to adjust the PYTHONPATH
and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py
then finds swtpm if it is not explicitly passed as parameter.
Adjust the man page for swtpm_setup to reflect the changes.
We now can run swtpm_setup as any user. However, libvirt still runs it
as tss:tss (for example), which is then creating the signing key as tss:tss
as well. Ideally libvirt would run it as tss:root or any other combination
since the tss group may be used for user wanting to access /dev/tpmrm0 for
example. We at least change the directory ownership of /var/lib/swtpm-localca
to tss:root and keep the world out of this directory.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Extend swtpm_setup.pod showing swtpm-create-user-config-files usage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a script that creates the user config files in the
${XDG_CONFIG_HOME} directory and sub-directories.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Get rid of using eval when running swtpm_cert in swtpm-localca.
This is to avoid further evaluation of bash expression that can
spawn subshells ('$(echo foo)') or do other bad things. Bad input
could come from malformed configuration files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Escape many more special shell characters before calling eval on
an entry to convert a variable to its value. Uncareful writing of
a swtpm-local.conf config file could have lead to files being over-
written using '>' for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the script that creates a CA that uses a TPM 2 for signing.
For this we have to create tokens using the TPM 2 pkcs11 module's
tpm2_ptool and can then use the p11tool for creating keys.
Add a test case that requires a running tpm2-abrmd and tpm2_ptool.
Eventually the test case should (try to) start its own tpm2-abrmd
and talk to swtpm directly but the tcti module to do that isn't
available as a package, yet.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use the swtpm_cert --signkey-pwd and --parentkey-pwd to pass key passwords
using files rather than using the command line options.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address several issues reported by shellcheck and protect
variables with quotes so we now can have filenames with spaces.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Protect variables with quotes so that pathnames with spaces are now
supported.
Adjust the accompanying test case to make use of spaces in file paths.
Address several issues found by shellcheck. Some of them are false
positives especially when it comes to protecting variables passed
to a commaned in an 'eval' line. They must not be protected, otherwise
they are not passed correctly.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
According to the XDG spec,
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html:
"If $XDG_CONFIG_HOME is either not set or empty, a default equal to
$HOME/.config should be used."
This fixes setting up a TPM with libvirt running in a user session.
It works by checking if configuration files are readable in the
directory priority order (XDG_CONFIG_HOME, then HOME, then SYSCONFDIR).
When libvirt is running as a system instance, $HOME isn't set, so it
will fall back on @SYSCONFDIR@ (/etc usually)
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Adjust the localstatedir variable to not have ${prefix} if
prefix is '/usr/', otherwise use ${prefix}.
Also adjust the files that were pointing to directories that
are controlled by $localstatedir.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
When the project is configured with --prefix=/usr/local several configuration
files are installed to /usr/local/etc but not read by the programs that
need them. This patch fixes this issue by replacing @SYSCONFDIR@ in the source
code of those files with the actual used path.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
GnuTLS PKCS11 URLs have ';' in the string that we need to preserve for
passing to GnuTLS. So we escape the semicolons before using them on the
command line.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
