Coverity found that the usage of strncpy may leave an unterminated
string. In this case it is ok, if the string is unterminated since
it would only be the part of a response and the client would have
to collect all the parts as indicated by the total length of the
string. So we use memcpy instead and leave a note in the code. So
far the strings would not nearly be 3k to get close to the maximum.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Rather than writing to files directly and having to validate the state in
those files using TPMLIB_ValidatetState(), we now use the new
TPMLIB_SetState() call to set the TPM's state blobs. The advantage of this
call is that it doesn't overwrite state files and ends up leaving state in
files that the TPM cannot use. Instead, it validates the state immediately
when the blob is set and returns an error in case the state cannot be
accepted.
We need to adapt one test case that now gets a failure earlier than before.
Before the TPM_INIT failed, now setting the encrypted blob fails because it
cannot be decrypted and thus cannot be accepted by the TPM.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
For TPM 1.2 the spec says that we must not set the subject, so we
do not set it but keep it around for TPM 2 certificates.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To make the ASN.1 look like the one from the spec. we have to
use a lower-level GNUTLS API function to set it.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Put the code that creates the ASN.1 for the platform and
TPM manufacturer info into their own functions.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the swtpm_ioctl tool also to get TPM manufacturer, firmware
version and TPM model and pass it to the external tool creating
the certificate.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Simplify the two's complement implementation by converting the number
into a big endian and writing it out into a byte array that is prefixed
with a 0-byte. This covers all unsigned ints while the previous imple-
mentation would have been wrong once the number exceeded 255.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Calculate the two's completement of the spec_level and spec_revision
numbers so that ASN.1 properly stores them as unsigned integers.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create ASN.1 for the Extended Key Usage field for the EK certificate
that has the oid 2.23.133.8.1 and for the platform certificate the
oid 2.23.133.8.2. Both are registered OIDs:
http://oid-info.com/get/2.23.133.8.1http://oid-info.com/get/2.23.133.8.2
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Non-privileged mode needs another rule and on Fedora 27 we need
a swtpm_exec_t related rule we did not need on Fedora 23.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The extern cert program was called with --vmid <foo>--tpm-spec-family ...
and failed due to a missing whitespace. This patch fixes it.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the new --info parameter for swtpm_ioctl to get TPM specification
info from the swtpm and use this as a parameter for creating the EK
certificate.
Extend the man page.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement the --info option that takes a flag as an argument
and returns information about the TPM implementation. Only the
value '1' has been defined for now, which returns a line as
the following:
{"TPMSpecification":{"family":"1.2","level":2,"revision":116}}
Extend the man page.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
We quetry the swtpm for TPM specification info that goes into the
certificate for the EK.
Update the test cases that now see more capabilties being returned
by the swtpm.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Since the EK cert must have an Authority Key Id, we error out if
the signing certificate we are given does not have an Authority
Key Id. The typical reason why it wouldn't have it is that we are
using a self-signed (rootCA) certificate directly.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Log the output of the tool that is creating the certificate and
prefix every line with the name of the tool.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
To not loose stderr we have to run the exec command in a subshell
and suppress the output of the subshell otherwise the exec command
seems to close stderr on us.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create the TPMSpecification SEQUENCE and add it to the subject
directory attributes of an EK cert.
The code generates the same ASN.1 for the Subject Directory Attributes
as the example in the EK spec has.
> openssl asn1parse -in ${cert} -strparse 603
0:d=0 hl=2 l= 30 cons: SEQUENCE
2:d=1 hl=2 l= 28 cons: SEQUENCE
4:d=2 hl=2 l= 5 prim: OBJECT :2.23.133.2.16
11:d=2 hl=2 l= 19 cons: SET
13:d=3 hl=2 l= 17 cons: SEQUENCE
15:d=4 hl=2 l= 3 prim: UTF8STRING :1.2
20:d=4 hl=2 l= 4 prim: INTEGER :41010000
26:d=4 hl=2 l= 4 prim: INTEGER :7B000000
Extend existing test case so they create the ASN.1 as well.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
TPM 1.2 certificates need a header when written to NVRAM. This patch
adds a --add-header option for this and prepends the header to.
Also see TCG PC Specific Inmplementation Specification section 7.4.4 and
7.4.5.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement a mode parameter for the tpmstate option so that the user
can choose what the file mode bits of the TPM's state files will be.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Replace the previously used swtpmcuse_svirt type of policy with
swtpm_svirt. This policy contains the minimum set of rules necessary
to start swtpm from within libvirt.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address the issue that the pidfile needs to be removed at the end if
a file descriptor was passed in. So we have to look up the file
given the file descriptor and by using /proc/self/fd/.
We also want to make sure that the given file descriptor describes
a regular file.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Update the SELinux for swtpm so that swtpm can be launched from
libvirtd and QEMU can access swtpm's UnixIO socket and talk to it.
Use this as follows:
> cd src/selinux
> make clean all
> semodule -i *.pp
> restorecon /usr/bin/swtpm*
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement support for uid and gid parameters that allows us to set the file
ownership of a UnixIO socket.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Implement support for a mode parameter that allows us to set the file
mode bits on a UnixIO socket.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Create tpmlib_register_callbacks and call it to register the
libtpms callbacks a lot earlier. Before it was done in tpmlib_start,
which was invoked by CMD_INIT, which was after state blobs could
have been set already.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Validate the state blobs after they have been set (during
state migration) so that we can fall back to the migration
source in case they are not accepted by the TPM.
This patch requires the latest version of libtpms 0.6
from the master branch.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Avoid using the expect tool as much as possible. Use it only if
the user requested a special owner and/or SRK password.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Use the passwords as specified by the user also when only temporarily
taking ownership. Use the zero password in case nothing has been
provided by the user. This is a first step to loosen the dependency
on expect, which pulls in too many dependencies.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
In case the poll() is interrupted by a signal handler and we
get EINTR, we loop again assuming that the signal handler will
send us a notification to end.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
POLLERR is indicated in some error cases when using the chardev with the
vtpm_proxy with runc. In case the flag is set, we terminate the client
connection rather than endlessly looping.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
File descriptors 0, 1, and 2, when used for file descriptor passing,
as is the case in some older version of runc/docker-ce (17.06), do
not work. So we refuse accepting these values and log the error message.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
