Merge 72108f5 into b931e10

stefanberger · Oct 13, 2020 · 4726dcc · 4726dcc
2 parents b931e10 + 72108f5
commit 4726dcc
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 16 deletions.
diff --git a/man/man8/swtpm.pod b/man/man8/swtpm.pod
@@ -141,20 +141,6 @@ This operation requires root privileges.
 
 The control channel enables out-of-band control of the TPM, such as resetting the TPM.
 
-=item B<--flags [not-need-init] [,startup-clear|startup-state|startup-deactivated|startup-none]>
-
-The I<not-need-init> flag enables the TPM to accept TPM commands right after
-start without requiring a INIT to be sent to it through the command channel
-(see the '-i' option of swtpm_ioctl).
-
-The I<startup> options cause a TPM_Startup or TPM2_Startup command to
-automatically be sent. The I<startup-deactivated> option is only valid for
-a TPM 2.0. These options imply I<not-need-init>, except for the
-I<startup-none> option, which results in no command being sent.
-
-If I<--vtpm-proxy> is used, I<startup-clear> is automatically chosen but
-this can be changed with this option.
-
 =back
 
 
@@ -282,6 +268,20 @@ The I<log> action is only available if libseccomp supports logging.
 This option is only available on Linux and only if swtpm was compiled with
 libseccomp support.
 
+=item B<--flags [not-need-init] [,startup-clear|startup-state|startup-deactivated|startup-none]>
+
+The I<not-need-init> flag enables the TPM to accept TPM commands right after
+start without requiring an INIT to be sent to it through the command channel
+(see the '-i' option of swtpm_ioctl).
+
+The I<startup> options cause a TPM_Startup or TPM2_Startup command to
+automatically be sent. The I<startup-deactivated> option is only valid for
+a TPM 1.2. These options imply I<not-need-init>, except for the
+I<startup-none> option, which results in no command being sent.
+
+If I<--vtpm-proxy> is used, I<startup-clear> is automatically chosen but
+this can be changed with this option.
+
 =item B<--print-capabilities> (since v0.2)
 
 Print capabilities that were added to swtpm after version 0.1. The output

diff --git a/man/man8/swtpm_cuse.pod b/man/man8/swtpm_cuse.pod
@@ -154,6 +154,20 @@ The I<log> action is only available if libseccomp supports logging.
 This option is only available on Linux and only if swtpm was compiled with
 libseccomp support.
 
+=item B<--flags [not-need-init] [,startup-clear|startup-state|startup-deactivated|startup-none]>
+
+The I<not-need-init> flag enables the TPM to accept TPM commands right after
+start without requiring an INIT to be sent to it through the command channel
+(see the '-i' option of swtpm_ioctl).
+
+The I<startup> options cause a TPM_Startup or TPM2_Startup command to
+automatically be sent. The I<startup-deactivated> option is only valid for
+a TPM 1.2. These options imply I<not-need-init>, except for the
+I<startup-none> option, which results in no command being sent.
+
+If I<--vtpm-proxy> is used, I<startup-clear> is automatically chosen but
+this can be changed with this option.
+
 =item B<--print-capabilities> (since v0.2)
 
 Print capabilities that were added to swtpm after version 0.1. The output

diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c
@@ -134,6 +134,8 @@ struct cuse_param {
     char *localitydata;
     char *seccompdata;
     unsigned int seccomp_action;
+    char *flagsdata;
+    uint16_t startupType;
 };
 
 /* single message to send to the worker thread */
@@ -219,6 +221,9 @@ static const char *usage =
 "                       instead;\n"
 "                       mode allows a user to set the file mode bits of the state\n"
 "                       files; the default mode is 0640;\n"
+"--flags [not-need-init][,startup-clear|startup-state|startup-deactivated|startup-none]\n"
+"                    :  not-need-init: commands can be sent without needing to\n"
+"                       send an INIT via control channel;\n"
 "-r|--runas <user>   :  after creating the CUSE device, change to the given\n"
 "                       user\n"
 "--tpm2              :  choose TPM2 functionality\n"
@@ -485,6 +490,35 @@ static void ptm_write_fatal_error_response(TPMLIB_TPMVersion l_tpmversion)
                                       l_tpmversion);
 }
 
+/*
+ * ptm_send_startup: Send a TPM/TPM2_Startup
+ */
+static int ptm_send_startup(uint16_t startupType, TPMLIB_TPMVersion l_tpmversion)
+{
+    uint32_t command_length;
+    unsigned char command[sizeof(struct tpm_startup)];
+    uint32_t max_command_length = sizeof(command);
+    int ret = 0;
+    TPM_RESULT rc = TPM_SUCCESS;
+
+    command_length = tpmlib_create_startup_cmd(
+                               startupType,
+                               tpmversion,
+                               command, max_command_length);
+    if (command_length > 0)
+        rc = TPMLIB_Process(&ptm_response, &ptm_res_len, &ptm_res_tot,
+                           (unsigned char *)command, command_length);
+
+    if (rc || command_length == 0) {
+        if (rc) {
+            logprintf(STDERR_FILENO, "Could not send Startup: 0x%x\n", rc);
+            ret = -1;
+        }
+    }
+
+    return ret;
+}
+
 /************************************ read() support ***************************/
 
 /*
@@ -1394,6 +1428,7 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
         {"migration-key" , required_argument, 0, 'K'},
         {"pid"           , required_argument, 0, 'p'},
         {"tpmstate"      , required_argument, 0, 's'},
+        {"flags"         , required_argument, 0, 'F'},
         {"tpm2"          ,       no_argument, 0, '2'},
         {"help"          ,       no_argument, 0, 'h'},
         {"version"       ,       no_argument, 0, 'v'},
@@ -1405,7 +1440,9 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
         {NULL            , 0                , 0, 0  },
     };
     struct cuse_info cinfo;
-    struct cuse_param param;
+    struct cuse_param param = {
+        .startupType = _TPM_ST_NONE,
+    };
     const char *devname = NULL;
     char *cinfo_argv[1] = { 0 };
     unsigned int num;
@@ -1415,6 +1452,8 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
     char path[PATH_MAX];
     int ret = 0;
     bool printcapabilities = false;
+    bool need_init_cmd = true;
+    TPM_RESULT res;
 
     memset(&cinfo, 0, sizeof(cinfo));
     memset(&param, 0, sizeof(param));
@@ -1496,6 +1535,9 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
         case 'L':
             param.localitydata = optarg;
             break;
+        case 'F':
+            param.flagsdata = optarg;
+            break;
         case '2':
             tpmversion = TPMLIB_TPM_VERSION_2;
             break;
@@ -1555,7 +1597,9 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
         handle_pid_options(param.piddata) < 0 ||
         handle_tpmstate_options(param.tpmstatedata) < 0 ||
         handle_seccomp_options(param.seccompdata, &param.seccomp_action) < 0 ||
-        handle_locality_options(param.localitydata, &locality_flags) < 0) {
+        handle_locality_options(param.localitydata, &locality_flags) < 0 ||
+        handle_flags_options(param.flagsdata, &need_init_cmd,
+                             &param.startupType) < 0) {
         ret = -3;
         goto exit;
     }
@@ -1616,6 +1660,21 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
 
     worker_thread_init();
 
+    if (!need_init_cmd) {
+        if (tpm_start(0, tpmversion, &res) < 0) {
+            ret = -1;
+            goto exit;
+        }
+        tpm_running = true;
+    }
+
+    if (param.startupType != _TPM_ST_NONE) {
+        if (ptm_send_startup(param.startupType, tpmversion) < 0) {
+            ret = -1;
+            goto exit;
+        }
+    }
+
 #if GLIB_MINOR_VERSION >= 32
     g_mutex_init(FILE_OPS_LOCK);
 #else