swtpm_setup: Add support for checking for TPM 1.2 and TPM 2 support

Implement get_supported_tpm_versions to get swtpm's support for TPM 1.2
and TPM 2 and use it error out in case user choose a TPM version that
is not supported. Also display the supported TPM versions in the
capabilites JSON.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

man/man8/swtpm_setup.pod

@@ -197,7 +197,9 @@ The output may contain the following:
         "cmdarg-write-ek-cert-files",
         "tpm2-rsa-keysize-2048",
         "tpm2-rsa-keysize-3072",
-        "tpm12-not-need-root"
+        "tpm12-not-need-root",
+        "tpm-1.2",
+        "tpm-2.0"
       ],
       "version": "0.7.0"
     }
@@ -231,6 +233,14 @@ This option implies that any user can setup a TPM 1.2. Previously only root
 or the 'tss' user, depending on configuration and availability of this account,
 could do that.
 
+=item B<tpm-1.2> (since 0.7)
+
+TPM 1.2 setup is supported (libtpms is compiled with TPM 1.2 support).
+
+==item B<tpm-2.0> (since 0.7)
+
+TPM 2 setup is supported (libtpms is compiled with TPM 2 support).
+
 =back
 
 =item B<--write-ek-cert-files <directory>>

src/swtpm_setup/swtpm_setup.c

@@ -879,6 +879,37 @@ static void usage(const char *prgname, const char *default_config_file)
         );
 }
 
+static int get_supported_tpm_versions(gchar **swtpm_prg_l, gboolean *swtpm_has_tpm12,
+                                      gboolean *swtpm_has_tpm2)
+{
+    gboolean success;
+    g_autofree gchar *standard_output = NULL;
+    int exit_status = 0;
+    GError *error = NULL;
+    int ret = 1;
+    g_autofree gchar **argv = NULL;
+    gchar *my_argv[] = { "--print-capabilities", NULL };
+
+    argv = concat_arrays(swtpm_prg_l, my_argv, FALSE);
+    success = g_spawn_sync(NULL, argv, NULL, G_SPAWN_STDERR_TO_DEV_NULL, NULL, NULL,
+                           &standard_output, NULL, &exit_status, &error);
+    if (!success) {
+        logerr(gl_LOGFILE, "Could not start swtpm '%s': %s\n", swtpm_prg_l[0], error->message);
+        g_error_free(error);
+        goto error;
+    }
+
+    if (swtpm_has_tpm2)
+        *swtpm_has_tpm2 = g_strstr_len(standard_output, -1, "\"tpm-2.0\"") != NULL;
+    if (swtpm_has_tpm12)
+        *swtpm_has_tpm12 = g_strstr_len(standard_output, -1, "\"tpm-1.2\"") != NULL;
+
+    ret = 0;
+
+error:
+    return ret;
+}
+
 /* Get the support RSA key sizes.
  *  This function returns an array of ints like the following
  *  - [ 1024, 2048, 3072 ]
@@ -957,7 +988,8 @@ static int get_rsa_keysize_caps(unsigned long flags, gchar **swtpm_prg_l,
 }
 
 /* Print teh JSON object of swtpm_setup's capabilities */
-static int print_capabilities(char **swtpm_prg_l)
+static int print_capabilities(char **swtpm_prg_l, gboolean swtpm_has_tpm12,
+                              gboolean swtpm_has_tpm2)
 {
     g_autofree gchar *param = g_strdup("");
     gchar **keysize_strs = NULL;
@@ -976,11 +1008,14 @@ static int print_capabilities(char **swtpm_prg_l)
     }
 
     printf("{ \"type\": \"swtpm_setup\", "
-           "\"features\": [ \"cmdarg-keyfile-fd\", \"cmdarg-pwdfile-fd\", \"tpm12-not-need-root\""
+           "\"features\": [ %s%s\"cmdarg-keyfile-fd\", \"cmdarg-pwdfile-fd\", \"tpm12-not-need-root\""
            ", \"cmdarg-write-ek-cert-files\""
            "%s ], "
            "\"version\": \"" VERSION "\" "
-           "}\n", param);
+           "}\n",
+           swtpm_has_tpm12 ? "\"tpm-1.2\", " : "",
+           swtpm_has_tpm2  ? "\"tpm-2.0\", " : "",
+           param);
 
     g_strfreev(keysize_strs);
 
@@ -1151,6 +1186,7 @@ int main(int argc, char *argv[])
     char *endptr;
     char path[PATH_MAX];
     char *p;
+    gboolean swtpm_has_tpm12, swtpm_has_tpm2;
     g_autofree gchar *lockfile = NULL;
     int fds_to_pass[1] = { -1 };
     unsigned n_fds_to_pass = 0;
@@ -1333,11 +1369,24 @@ int main(int argc, char *argv[])
     }
     g_free(tmp);
 
+
+    ret = get_supported_tpm_versions(swtpm_prg_l, &swtpm_has_tpm12, &swtpm_has_tpm2);
+    if (ret != 0)
+        goto error;
+
     if (printcapabilities) {
-        ret = print_capabilities(swtpm_prg_l);
+        ret = print_capabilities(swtpm_prg_l, swtpm_has_tpm12, swtpm_has_tpm2);
         goto out;
     }
 
+    if ((flags & SETUP_TPM2_F) && !swtpm_has_tpm2) {
+        logerr(gl_LOGFILE, "swtpm at %s does not support TPM 2\n", swtpm_prg);
+        goto error;
+    } else if (!swtpm_has_tpm12) {
+        logerr(gl_LOGFILE, "swtpm at %s does not support TPM 1.2\n", swtpm_prg);
+        goto error;
+    }
+
     if (runas) {
         ret = change_process_owner(runas);
         if (ret != 0)

tests/_test_print_capabilities

@@ -43,7 +43,7 @@ if [ $? -ne 0 ]; then
 fi
 
 # The are some variable parameters at the end, use regex
-exp='\{ "type": "swtpm_setup", "features": \[ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", "tpm12-not-need-root", "cmdarg-write-ek-cert-files"(, "tpm2-rsa-keysize-2048")?(, "tpm2-rsa-keysize-3072")? \], "version": "[^"]*" \}'
+exp='\{ "type": "swtpm_setup", "features": \[ "tpm-1.2",( "tpm-2.0",)? "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", "tpm12-not-need-root", "cmdarg-write-ek-cert-files"(, "tpm2-rsa-keysize-2048")?(, "tpm2-rsa-keysize-3072")? \], "version": "[^"]*" \}'
 if ! [[ ${msg} =~ ${exp} ]]; then
 	echo "Unexpected response from ${SWTPM_SETUP} to --print-capabilities:"
 	echo "Actual   : ${msg}"

tests/_test_tpm2_print_capabilities

@@ -44,7 +44,7 @@ if [ $? -ne 0 ]; then
 fi
 
 # The are some variable parameters at the end, use regex
-exp='\{ "type": "swtpm_setup", "features": \[ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", "tpm12-not-need-root", "cmdarg-write-ek-cert-files"(, "tpm2-rsa-keysize-2048")?(, "tpm2-rsa-keysize-3072")? \], "version": "[^"]*" \}'
+exp='\{ "type": "swtpm_setup", "features": \[( "tpm-1.2",)? "tpm-2.0", "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", "tpm12-not-need-root", "cmdarg-write-ek-cert-files"(, "tpm2-rsa-keysize-2048")?(, "tpm2-rsa-keysize-3072")? \], "version": "[^"]*" \}'
 if ! [[ ${msg} =~ ${exp} ]]; then
 	echo "Unexpected response from ${SWTPM_SETUP} to --print-capabilities:"
 	echo "Actual   : ${msg}"