swtpm_setup: Report 'no-tpm12-tools' if tcsd or tpm-tools missing

If the host is missing tcsd (trousers) or the tpm-tools, swtpm_setup will now report the 'no-tpm12-tools' verb like this: > swtpm_setup --print-capabilities | jq { "type": "swtpm_setup", "features": [ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", "no-tpm12-tools" ] } The only TPM 1.2 setup parameter that requires interaction with the TPM 1.2 that can be pass is then '--createek'. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger · May 1, 2020 · 1974f2c · 1974f2c
1 parent c7c2f90
commit 1974f2c
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 10 deletions.
diff --git a/man/man8/swtpm_setup.8 b/man/man8/swtpm_setup.8
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35)
+.\" Automatically generated by Pod::Man 4.12 (Pod::Simple 3.39)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "swtpm_setup 8"
-.TH swtpm_setup 8 "2019-07-09" "swtpm" ""
+.TH swtpm_setup 8 "2020-05-01" "swtpm" ""
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -282,12 +282,13 @@ This option is only useful with \s-1TPM 1.2\s0 and in if ownership is taken.
 Print capabilities that were added to swtpm_setup after version 0.1. The output
 contains the following:
 .Sp
-.Vb 7
+.Vb 8
 \&    {
 \&      "type": "swtpm_setup",
 \&      "features": [
 \&        "cmdarg\-keyfile\-fd",
-\&        "cmdarg\-pwdfile\-fd"
+\&        "cmdarg\-pwdfile\-fd",
+\&        "no\-tpm12\-tools"
 \&      ]
 \&    }
 .Ve
@@ -300,6 +301,11 @@ The \fI\-\-keyfile\-fd\fR option is supported.
 .IP "\fBcmdarg-pwd-fd\fR" 4
 .IX Item "cmdarg-pwd-fd"
 The \fI\-\-pwdfile\-fd\fR option is supported.
+.IP "\fBno\-tpm12\-tools\fR" 4
+.IX Item "no-tpm12-tools"
+\&\s-1TPM 1.2\s0 tools cannot be found in the \s-1PATH.\s0 This means that no certificates can
+be created since they cannot be written into the \s-1NVRAM\s0 and the \s-1NVRAM\s0 cannot be
+locked. Among the \s-1TPM 1.2\s0 setup parameters only \fI\-\-createek\fR can be passed.
 .RE
 .RS 4
 .RE

diff --git a/man/man8/swtpm_setup.pod b/man/man8/swtpm_setup.pod
@@ -182,7 +182,8 @@ contains the following:
       "type": "swtpm_setup",
       "features": [
         "cmdarg-keyfile-fd",
-        "cmdarg-pwdfile-fd"
+        "cmdarg-pwdfile-fd",
+        "no-tpm12-tools"
       ]
     }
 
@@ -198,6 +199,12 @@ The I<--keyfile-fd> option is supported.
 
 The I<--pwdfile-fd> option is supported.
 
+=item B<no-tpm12-tools>
+
+TPM 1.2 tools cannot be found in the PATH. This means that no certificates can
+be created since they cannot be written into the NVRAM and the NVRAM cannot be
+locked. Among the TPM 1.2 setup parameters only I<--createek> can be passed.
+
 =back
 
 =item B<--help, -h>

diff --git a/src/swtpm_setup/swtpm_setup.sh.in b/src/swtpm_setup/swtpm_setup.sh.in
@@ -1992,8 +1992,16 @@ EOF
 
 print_capabilities()
 {
+	local param=""
+
+	if [ -z "$(type -P tcsd)" ] || \
+	   [ -z "$(type -P tpm_nvinfo)" ] || \
+	   [ -z "$(type -P tpm_takeownership)" ]; then
+		param=', "no-tpm12-tools"'
+	fi
+
 	echo '{ "type": "swtpm_setup",' \
-		'"features": [ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd" ]'\
+		'"features": [ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd"'${param}' ]'\
 	'}'
 }
 

diff --git a/tests/_test_print_capabilities b/tests/_test_print_capabilities
@@ -40,8 +40,9 @@ if [ $? -ne 0 ]; then
 	exit 1
 fi
 
-exp='{ "type": "swtpm_setup", "features": [ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd" ] }'
-if [ "${msg}" != "${exp}" ]; then
+# The are some variable parameters at the end, use regex
+exp='\{ "type": "swtpm_setup", "features": \[ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd"(, "no-tpm12-tools")? \] \}'
+if ! [[ ${msg} =~ ${exp} ]]; then
 	echo "Unexpected response from ${SWTPM_SETUP} to --print-capabilities:"
 	echo "Actual   : ${msg}"
 	echo "Expected : ${exp}"

diff --git a/tests/_test_tpm2_print_capabilities b/tests/_test_tpm2_print_capabilities
@@ -40,8 +40,9 @@ if [ $? -ne 0 ]; then
 	exit 1
 fi
 
-exp='{ "type": "swtpm_setup", "features": [ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd" ] }'
-if [ "${msg}" != "${exp}" ]; then
+# The are some variable parameters at the end, use regex
+exp='\{ "type": "swtpm_setup", "features": \[ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd"(, "no-tpm12-tools")? \] \}'
+if ! [[ ${msg} =~ ${exp} ]]; then
 	echo "Unexpected response from ${SWTPM_SETUP} to --print-capabilities:"
 	echo "Actual   : ${msg}"
 	echo "Expected : ${exp}"