From: David Woodhouse Date: Thu, 13 May 2021 12:04:59 +0000 (+0100) Subject: Allow TPM_INTERFACE_TYPE=socsim to force swtpm even for Intel TSS X-Git-Tag: v8.20~195 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=c2f09ab7a113164c9e80ca03ae1408a225a8a115;p=users%2Fdwmw2%2Fopenconnect.git Allow TPM_INTERFACE_TYPE=socsim to force swtpm even for Intel TSS If we want to have a swtpm-based test, we need to *use* the swtpm even if a real hardware TPM is available. Not for general purpose use, but allow it to be overridden by using the same TPM_INTERFACE_TYPE variable that already works for the IBM TSS because the IBM library handles it internally. Signed-off-by: David Woodhouse --- diff --git a/configure.ac b/configure.ac index e1b2b1df..a41fd834 100644 --- a/configure.ac +++ b/configure.ac @@ -625,7 +625,7 @@ case "$ssl_library" in PKG_CHECK_MODULES(TASN1, [libtasn1], [have_tasn1=yes], [have_tasn1=no]) if test "$have_tasn1" = "yes"; then if test "$with_gnutls_tss2" = "yes" -o "$with_gnutls_tss2" = "tss2-esys" -o "$with_gnutls_tss2" = ""; then - PKG_CHECK_MODULES(TSS2_ESYS, [tss2-esys tss2-mu], + PKG_CHECK_MODULES(TSS2_ESYS, [tss2-esys tss2-mu tss2-tctildr], [AC_DEFINE(HAVE_TSS2, 1, [Have TSS2]) AC_SUBST(TPM2_CFLAGS, ['$(TASN1_CFLAGS) $(TSS2_ESYS_CFLAGS)']) AC_SUBST(TPM2_LIBS, ['$(TASN1_LIBS) $(TSS2_ESYS_LIBS)']) diff --git a/gnutls_tpm2_esys.c b/gnutls_tpm2_esys.c index 8fa71f64..3adcb544 100644 --- a/gnutls_tpm2_esys.c +++ b/gnutls_tpm2_esys.c @@ -59,8 +59,10 @@ #include #include +#include struct oc_tpm2_ctx { + TSS2_TCTI_CONTEXT *tcti_ctx; TPM2B_PUBLIC pub; TPM2B_PRIVATE priv; TPM2B_DIGEST userauth; @@ -251,7 +253,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *keyHandle, vpn_progress(vpninfo, PRG_DEBUG, _("Establishing connection with TPM.\n")); - r = Esys_Initialize(ctx, NULL, NULL); + r = Esys_Initialize(ctx, certinfo->tpm2->tcti_ctx, NULL); if (r) { vpn_progress(vpninfo, PRG_ERR, _("TPM2 Esys_Initialize failed: 0x%x\n"), 
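Review bot: Adding `tss2-tctildr` to the `PKG_CHECK_MODULES(TSS2_ESYS, [tss2-esys tss2-mu tss2-tctildr], …)` list makes the TCTI loader a hard requirement for the whole Intel-TSS backend, although the new code only needs it for the test-only `TPM_INTERFACE_TYPE=socsim` path. On a host whose tpm2-tss provides esys and mu but no tctildr pkg-config file (presumably older releases), detection would now take the not-found branch and TPM2 support would disappear entirely rather than just the swtpm override; the not-found action is outside this hunk, so I cannot confirm what it does. A softer option is a separate `PKG_CHECK_MODULES(TSS2_TCTILDR, [tss2-tctildr], [AC_DEFINE(HAVE_TSS2_TCTILDR, 1, [Have TSS2 TCTI loader])], [:])` with an `#ifdef HAVE_TSS2_TCTILDR` around the override in gnutls_tpm2_esys.c.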
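Review bot: The default (no override) path now depends on the new `tcti_ctx` field being NULL when `Esys_Initialize(ctx, certinfo->tpm2->tcti_ctx, NULL)` runs, i.e. on `certinfo->tpm2` being allocated zeroed; the allocation site is outside these hunks, so please confirm, since an uninitialized pointer here would be handed straight to the TSS as a TCTI. An explicit `certinfo->tpm2->tcti_ctx = NULL;` next to the allocation, or a comment on the struct field such as `/* NULL unless TPM_INTERFACE_TYPE=socsim forced the swtpm TCTI; owned and finalized by release_tpm2_ctx */`, would make the contract visible. As I read the ESYS API, a caller-supplied TCTI is not finalized by `Esys_Finalize`, so the context must outlive every ESYS context built from it; `init_tpm2_key` starts and ends outside this hunk.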
@@ -570,6 +572,24 @@ int install_tpm2_key(struct openconnect_info *vpninfo, struct cert_info *certinf certinfo->tpm2->parent = parent; + /* This is the variable which the *IBM* TSS uses, to force it to use + * the swtpm; it happens in the library automatically. To allow the + * swtpm test to work on platforms where a real TPM is available, + * emulate the same thing. Not really intended for production use. */ + const char *tpm_type = getenv("TPM_INTERFACE_TYPE"); + if (tpm_type && !strcmp(tpm_type, "socsim")) { + vpn_progress(vpninfo, PRG_DEBUG, + _("Using SWTPM due to TPM_INTERFACE_TYPE environment variable\n")); + + r = Tss2_TctiLdr_Initialize("swtpm", &certinfo->tpm2->tcti_ctx); + if (r) { + vpn_progress(vpninfo, PRG_ERR, + _("TSS2_TctiLdr_Initialize failed for swtpm: 0x%x\n"), + r); + goto err_out; + } + } + r = Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL, &certinfo->tpm2->priv); if (r) { @@ -619,6 +639,8 @@ void release_tpm2_ctx(struct openconnect_info *vpninfo, struct cert_info *certin if (certinfo->tpm2) { clear_mem(certinfo->tpm2->ownerauth.buffer, sizeof(certinfo->tpm2->ownerauth.buffer)); clear_mem(certinfo->tpm2->userauth.buffer, sizeof(certinfo->tpm2->userauth.buffer)); + if (certinfo->tpm2->tcti_ctx) + Tss2_TctiLdr_Finalize(&certinfo->tpm2->tcti_ctx); free(certinfo->tpm2); } certinfo->tpm2 = NULL;
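Review bot: The `getenv("TPM_INTERFACE_TYPE")` override is honoured unconditionally, so an environment inherited by a privileged openconnect (it commonly runs as root for tunnel setup) can silently redirect TPM key operations from the hardware TPM to the `swtpm` TCTI's default local socket, and whatever answers there receives the command stream, including, depending on the session type ESYS uses, the `userauth`/`ownerauth` values this code later takes care to clear. The comment says this is not meant for production, but nothing enforces it; two cheap mitigations are `secure_getenv` where available (or skipping the override when `getauxval(AT_SECURE)` is set) so a setuid/AT_SECURE process ignores it, and logging the diversion at `PRG_INFO` rather than `PRG_DEBUG` so a user with a real TPM notices that the key is no longer bound to it. It would also help the comment to say that only the exact value `socsim` is recognised and that `Tss2_TctiLdr_Initialize("swtpm", …)` passes no configuration string, so the IBM TSS's own host/port variables are not consulted here.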
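Review bot: `Tss2_TctiLdr_Finalize(&certinfo->tpm2->tcti_ctx)` tears down the TCTI that `Esys_Initialize` was handed, so it must run only after every ESYS context created from it has been finalized; the ESYS teardown is not in this diff, so please confirm the ordering, since a still-open ESYS context would be left with a dangling TCTI pointer. As I read the loader API the call also nulls the pointer itself, which gives double-release protection for free, but a short comment on the guard, `/* only set when TPM_INTERFACE_TYPE=socsim forced the swtpm TCTI */`, would explain why it is usually NULL.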