mirror of
https://github.com/stefanberger/swtpm.git
synced 2025-08-22 19:04:35 +00:00
cc410ca91b
Switch over to the new python implementation of swtpm_setup. We need to also adjust test cases that involved the tcsd that otherwise fail for various reasons. For in-place testing we need to adjust the PYTHONPATH and PATH so that swtpm_setup.py can be found and so that swtpm_setup.py then finds swtpm if it is not explicitly passed as parameter. Adjust the man page for swtpm_setup to reflect the changes. We now can run swtpm_setup as any user. However, libvirt still runs it as tss:tss (for example), which is then creating the signing key as tss:tss as well. Ideally libvirt would run it as tss:root or any other combination since the tss group may be used for user wanting to access /dev/tpmrm0 for example. We at least change the directory ownership of /var/lib/swtpm-localca to tss:root and keep the world out of this directory. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
146 lines
3.4 KiB
Bash
Executable File
146 lines
3.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# For the license, see the LICENSE file in the root directory.
|
|
|
|
TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
|
|
TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
|
|
TESTDIR=${abs_top_testdir:-$(dirname "$0")}
|
|
|
|
# We need to be able to find swtpm_setup.py and swtpm_setup.py needs to find swtpm
|
|
export PYTHONPATH=${TOPBUILD}/src/swtpm_setup
|
|
PATH=${TOPBUILD}/src/swtpm:$PATH
|
|
|
|
SWTPM_SETUP=${TOPBUILD}/src/swtpm_setup/swtpm_setup
|
|
SWTPM_LOCALCA=${TOPBUILD}/samples/swtpm-localca
|
|
SWTPM=${TOPBUILD}/src/swtpm/swtpm
|
|
|
|
workdir=$(mktemp -d "/tmp/path with spaces.XXXXXX")
|
|
|
|
SIGNINGKEY=${workdir}/signingkey.pem
|
|
ISSUERCERT=${workdir}/issuercert.pem
|
|
CERTSERIAL=${workdir}/certserial
|
|
|
|
PATH=${TOPBUILD}/src/swtpm_bios:$PATH
|
|
|
|
trap "cleanup" SIGTERM EXIT
|
|
|
|
function cleanup()
|
|
{
|
|
rm -rf "${workdir}"
|
|
}
|
|
|
|
# We want swtpm_cert to use the local CA and see that the
|
|
# local CA script automatically creates a signingkey and
|
|
# self-signed certificate
|
|
|
|
cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
|
|
statedir=${workdir}
|
|
signingkey = ${SIGNINGKEY}
|
|
issuercert = ${ISSUERCERT}
|
|
certserial = ${CERTSERIAL}
|
|
_EOF_
|
|
|
|
cat <<_EOF_ > "${workdir}/swtpm-localca.options"
|
|
--tpm-manufacturer IBM
|
|
--tpm-model swtpm-libtpms
|
|
--tpm-version 2
|
|
--platform-manufacturer "Fedora XYZ"
|
|
--platform-version 2.1
|
|
--platform-model "QEMU A.B"
|
|
_EOF_
|
|
|
|
cat <<_EOF_ > "${workdir}/swtpm_setup.conf"
|
|
create_certs_tool=${SWTPM_LOCALCA}
|
|
create_certs_tool_config=${workdir}/swtpm-localca.conf
|
|
create_certs_tool_options=${workdir}/swtpm-localca.options
|
|
_EOF_
|
|
|
|
# We need to adapt the PATH so the correct swtpm_cert is picked
|
|
export PATH=${TOPBUILD}/src/swtpm_cert:${PATH}
|
|
|
|
keysizes="2048"
|
|
if [ -n "$($SWTPM_SETUP --tpm2 --print-capabilities |
|
|
grep tpm2-rsa-keysize-3072 )" ]; then
|
|
keysizes+=" 3072"
|
|
fi
|
|
|
|
for keysize in $(echo $keysizes); do
|
|
echo "Testing with RSA keysize $keysize"
|
|
# we need to create at least one cert: --create-ek-cert
|
|
$SWTPM_SETUP \
|
|
--tpm2 \
|
|
--allow-signing \
|
|
--tpm-state "${workdir}" \
|
|
--create-ek-cert \
|
|
--create-platform-cert \
|
|
--config "${workdir}/swtpm_setup.conf" \
|
|
--logfile "${workdir}/logfile" \
|
|
--tpm "${SWTPM} socket ${SWTPM_TEST_SECCOMP_OPT}" \
|
|
--rsa-keysize ${keysize} \
|
|
--overwrite
|
|
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not run $SWTPM_SETUP."
|
|
echo "Logfile output:"
|
|
cat "${workdir}/logfile"
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${SIGNINGKEY}" ]; then
|
|
echo "Error: Signingkey file ${SIGNINGKEY} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${ISSUERCERT}" ]; then
|
|
echo "Error: Issuer cert file ${ISSUERCERT} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${CERTSERIAL}" ]; then
|
|
echo "Error: Cert serial number file ${CERTSERIAL} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
rm -rf ${SIGNINGKEY} ${ISSUERCERT} ${CERTSERIAL}
|
|
done
|
|
|
|
echo "Test 1: OK"
|
|
|
|
|
|
# we need to create at least one cert: --create-ek-cert
|
|
$SWTPM_SETUP \
|
|
--tpm2 \
|
|
--ecc \
|
|
--tpm-state "${workdir}" \
|
|
--create-ek-cert \
|
|
--config "${workdir}/swtpm_setup.conf" \
|
|
--logfile "${workdir}/logfile" \
|
|
--tpm "${SWTPM} socket ${SWTPM_TEST_SECCOMP_OPT}" \
|
|
--overwrite
|
|
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not run $SWTPM_SETUP."
|
|
echo "Logfile output:"
|
|
cat "${workdir}/logfile"
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${SIGNINGKEY}" ]; then
|
|
echo "Error: Signingkey file ${SIGNINGKEY} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${ISSUERCERT}" ]; then
|
|
echo "Error: Issuer cert file ${ISSUERCERT} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${CERTSERIAL}" ]; then
|
|
echo "Error: Cert serial number file ${CERTSERIAL} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
echo "Test 2: OK"
|
|
|
|
exit 0
|