On OpenBSD openssl/fips.h is not available and FIPS_mode() is not
available, so implement a stub for fips_mode_enabled().
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Advertise the availability of the chroot option with the cmdarg-chroot
verb. Document it in the man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add an option to enter a chroot after starting swtpm. This is useful for
sandboxing purposes. When this option is used, it is expected that swtpm
is started as root and the --runas option is used to subsequently drop
privileges (otherwise the chroot could be escaped).
Signed-off-by: Jennifer Herbert <jennifer.herbert@citrix.com>
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Address the following compilation error on Debian:
In file included from /usr/include/seccomp.h:821,
from seccomp_profile.c:44:
seccomp_profile.c: In function 'create_seccomp_profile':
seccomp_profile.c:115:9: error: '__NR_mount_setattr' undeclared (first use in this function)
115 | SCMP_SYS(mount_setattr),
| ^~~~~~~~
seccomp_profile.c:115:9: note: each undeclared identifier is reported only once for each function it appears in
seccomp_profile.c:172:9: error: '__NR_quotactl_fd' undeclared (first use in this function)
172 | SCMP_SYS(quotactl_fd),
| ^~~~~~~~
We need to do this since they are defined like this:
#define __SNR_mount_setattr __NR_mount_setattr
#define __SNR_quotactl_fd __NR_quotactl_fd
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Include openssl/opensslv.h to avoid the following error on Ubuntu:
fips.c: In function 'fips_mode_enabled':
fips.c:61:16: error: implicit declaration of function 'EVP_default_properties_is_fips_enabled' [-Werror=implicit-function-declaration]
61 | int mode = EVP_default_properties_is_fips_enabled(NULL);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Resolves: https://github.com/stefanberger/libtpms/issues/345
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Introduce disable-auto-shutdown flag for the --flags option to disable
the sending of TPM2_Shutdown() if swtpm determines that it needs to send
this command to a TPM 2 before device reset or swtpm program termination.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If necessary send a TPM2_Shutdown() command to libtpms before processing
CMD_INIT. However, this is only necessary for a TPM 2 and only if the
TPM2_Shutdown command has not been sent by the client (VM TPM driver) as
the last command as it should do under normal circumstances, for example
upon graceful VM shutdown.
This fixes a bug where abrupt VM resets may trigger the TPM 2's dictionary
attack lockout logic due to the TPM 2 not having received a TPM2_Shutdown
command before it was reset using CMD_INIT for example. An OS driver is
typically supposed to send a TPM2_Shutdown to the TPM 2 but an abrupt VM
reset prevents it.
There are 3 control commands where this needs to be done since they
call TPMLIB_Terminate():
- CMD_STOP:
This command is typically called before setting the state blobs of the
TPM or before configuring the buffer size [QEMU, test cases].
- CMD_INIT:
This command is called for resetting and initializing the TPM 2.
- CMD_SHUTDOWN:
This command is called for a graceful shutdown of the TPM 2.
There are no negative side effects to be expected if TPM2_Shutdown()
is sent before any of these. Also, since none of these are sent before
the state of the TPM is marshalled (for migration for example) migrated
state will not have a TPM2_Shutdown() applied to it (accidentally).
Edk2 sends a sequence of TPM2_Shutdown(SU_STATE) + TPM2_GetRandom()
before suspend-to-ram. Upon wake up a CMD_INIT is sent to the TPM to
reset it, which in this case now requires a TPM2_Shutdown(SU_STATE)
to be sent to the TPM 2 so that certain TPM 2 state is available
again upon resume. To avoid invaliding the SU_STATE, first send a
TPM2_Shutdown(SU_STATE) in *all cases* and only if this fails send a
TPM2_Shutdown(SU_CLEAR). This way the internal state is preserved and
the VM (or user) are expected to use TPM2_Startup(SU_CLEAR) when
staring up the TPM 2 and no previous state needs to be resumed.
Note: The VM's firmware is trusted to use SU_CLEAR under normal circum-
stances and SU_STATE upon resume. So it wouldn't restore the state if
it wasn't needed.
Note: The TPM 2 spec describes the command as follows:
"This command is used to prepare the TPM for a power cycle. The
shutdownType parameter indicates how the subsequent TPM2_Startup() will be
processed.[...]
This command saves TPM state but does not change the state other than the
internal indication that the context has been saved. The TPM shall
continue to accept commands. If a subsequent command changes TPM state
saved by this command, then the effect of this command is nullified. The
TPM MAY nullify this command for any subsequent command rather than check
whether the command changed state saved by this command. If this command
is nullified and if no TPM2_Shutdown() occurs before the next
TPM2_Startup(), then the next TPM2_Startup() shall be
TPM2_Startup(CLEAR)."
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2087538
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Track the last command processed by the TPM so we can determine whether
we may need to send a TPM2_Shutdown() before reset of the TPM 2.
Introduce a variable lastCommand to help track the last command that
was sent to the TPM 2.
In relation to deciding whether a TPM2_Shutdown() needs to be sent, the
tracking of the last-sent command is merely an optimization since for
example a VM with EDK2 will send a TPM2_Shutdown() followed by a
TPM2_GetRandom() upon suspend-to-ram, thus indicating that the last
command was TPM2_GetRandom(). However, under most circumstances it helps
to avoid sending an additional TPM2_Shutdown() if the OS TPM driver sent
one already.
When the suspended VM resume swtpm gets a CMD_INIT that requires swtpm
to decide whether a TPM2_Shutdown() needs to be sent and per the last-sent
command it will then send a TPM2_Shutdown(SU_STATE) as in the abrupt
termination case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
If seccomp-syscalls.h lags behind the syscall definition of __NR_xyz then
the __SNR_xyz #define is not available. Therefore, switch to check for
__SNR_xyz #define because they are available if __NR_xyz is available.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement fips_mode_enabeld() to check whether FIPS is enabledand
use the new function to check for FIPS mode enablement before
trying to disable it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Rename disable_fips_mode() to fips_mode_disable() amd move into
tpmlib_start() after TPMLIB_MainInit(). Clean up the duplicate
prototype.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The project wouldn't compile on my ubuntu 20.04.1 based system with the error message:
```
CC libswtpm_libtpms_la-seccomp_profile.lo
In file included from seccomp_profile.c:44:
seccomp_profile.c: In function ‘create_seccomp_profile’:
seccomp_profile.c:105:9: error: ‘__SNR_fs_mount’ undeclared (first use in this function)
105 | SCMP_SYS(fs_mount),
| ^~~~~~~~
seccomp_profile.c:105:9: note: each undeclared identifier is reported only once for each function it appears in
```
Additionally, there were some duplicates in the profile.
Signed-off-by: Hans Niklas Jacob <hnj@posteo.de>
Extend usage of the FILE_OPS_LOCK to prevent other threads from reading or
writing commands or doing ioctls while the current thread is reading a
response. This prevents a race condition where ptm_read_offset is set to 0
by a thread writing a new command to the device while the current thread
is reading a response from the device and needs this offset.
Resolves: https://github.com/stefanberger/swtpm/issues/725
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Restrict the opening of the CUSE device to one single file descriptor. We
can modify the CUSE TPM in this way since the kernel's /dev/tpm0 cannot be
opened multiple times, either, and the CUSE TPM should behave in the same
way.
Adjust test the partial reads case to only open CUSE device file once by
using a python program. Close the open file descriptor 100 before using
swtpm_ioctl to avoid failures.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Revert the change from the previous patch that shows an error when
TPMLIB_ChooseTPMVersion fails but rather ignore the error as before.
If a TPM 2 is supported then tpm-2.0 capability verb will be shown
and if a TPM 1.2 is supported then tpm-1.2 will be shown, thus
allowing someone reading the JSON to determine what is supported.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
All callers to capabilities_print_json() call TPMLIB_ChooseTPMVersion
right before. Move it into the function now and check the return
code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement get_swtpm_capabilities() and call it from two existing functions
that now become a lot simpler.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit 6559a902 implemented support for the startup-xyz flags for the CUSE
interface but the capability has not been advertised.
Adjust test cases to reflect the new verb being shown for
--print-capabilities.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Replace the hardcoded install path in src/selinux/swtpm.fc and
src/selinux/swtpmcuse.fc with @prefix@ and append .in to these files so
that they are generated when running configure.
Add the selinux policy input files with their suffix to the CLEANFILES
variable so they get cleaned up and 'make distcheck' works.
Resolves: https://github.com/stefanberger/swtpm/issues/711
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
While libtpms does not provide any means to disable FIPS-disabled crypto
algorithms from being used, work around the issue by simply disabling the
FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit
swtpm with a failure message that it cannot be disabled. If FIPS mode
was successfully disabled, print out a message as well.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2090219
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Do not use TPM2_ALG_SHA1 anymore as parameter to TPM2_IncrementalSelfTest()
so that this also works when SHA1 support in libtpms is runtime-disabled.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Handle the case where an unknown blobtype is given and therefore
cannot be translated to a filename and blobname is NULL. Previously
this would have lead to an error when trying to read the file, now
we handle the failure case earlier.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid an overflowing expression cast '1' to uint64_t before shifting
it and assigning it to a uint64_t variable. In practice this kind of
overflow would never happen because there aren't that many available
PCR banks.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Initialize the 'res' variable at the beginning of the function
even though this wouldn't be necessary in this case.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a comment stating that failure to read the optsfile is not an
issue since the optsfile does not need to exist.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Initialize pubek_len even though it isn't necessary to do so since
it will be initialized in the first function to which it is passed.
However, Coverity complains about pubek_len passed to print_as_hex()
not being initialized, even though this is not possible.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Avoid a memory leaks if --tcp is provided multiple times by freeing
the previously allocated memory in the tcp_hostname variable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Close the file descriptor at the end of the main function.
To avoid closing random file descriptors initialize it with -1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Avoid memory leaks if one of the parameters --tcp, --tpm-device,
or --unix was passed multiple times by freeing the previously
parsed value.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Avoid memory leaks if one of the parameters --modulus, --ecc-x,
or --ecc-y was passed multiple times by freeing the previously
parsed value.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Commit 2d3deaef29 forgot to move the check for whether the lock file has
already been opened into the new function opening the lock file and there-
fore the lock file is now opened whenever swtpm gets a PTM_INIT. This fix
prevents the reopening of the lockfile if it has already been opened.
Otherwise many PTM_INIT's will lead to failure since no more files can
be opened.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Remove support for TPM state files that didn't have the header
because they were created some time before v0.1.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To be able to test-compile with include/swtpm/tpm_ioctl.h in configure.ac
move the definition of __USE_LINUX_IOCTL_DEFS out of the configure script
into the header file so that the #define is there when needed. In the
configure.ac script the CFLAGS were extended only after the test-compiling
to determine the HARDENING_CFLAGS and the test-compilation failed on Cygwin
(only) since the tpm_ioctl.h didn't compile because of this missing
#define.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Instead of uint32_t use uint64_t's for accumulating needed buffer sizes
that are calculated by adding uint32_t length indicators. Use the uint64_t
to check for excessively large buffer sizes that could cause an integer
overflow if uint32_t was used.
This patch addresses the case where a user passes an old version of TPM
state file to swtpm for reading and the file is 4GB in size and thus can
cause an integer overflow in this particular function.
Otherwise, the previous fix to tlv_data_find_tag() protects swtpm from
integer overflows and later out-of-bound accesses when the TPM state is
initially read from a file (assuming the state file has a header, which
is the case since swtpm 0.1). If an excessively large buffer was passed
to libtpms, it would reject it since it would never be able to take in
that much data.
Data written to the file are coming from libtpms that we can trust in
terms of length indicators.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To avoid an integer wrap-around use uint64_t for 'offset' so that adding
an untrusted 32-bit number will allow for comparison against the trusted
'buffer_len' 32-bit number:
if (offset + td->tlv.length > buffer_len)
return NULL;
This avoids possible out-of-bound accesses and crashes when reading
specially crafted TPM state input data that have a tlv.length that is so
large that is causes an integer overflow.
Resolves: https://github.com/stefanberger/swtpm/issues/678
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The port being parsed must be given as unsigned int so that the comparison
of *tcp_port >= 65536 also filters out negative numbers passed via the
command line. Previously one could pass -1 and swtpm_bios would try to
connect.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
