Merge a248400 into 1974f2c

stefanberger · May 4, 2020 · 670ddb1 · 670ddb1
2 parents 1974f2c + a248400
commit 670ddb1
Show file tree

Hide file tree

Showing 5 changed files with 104 additions and 9 deletions.
diff --git a/man/man8/swtpm.8 b/man/man8/swtpm.8
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "swtpm 8"
-.TH swtpm 8 "2020-02-08" "swtpm" ""
+.TH swtpm 8 "2020-04-23" "swtpm" ""
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -380,7 +380,10 @@ may contain the following:
 \&        "cmdarg\-key\-fd",
 \&        "cmdarg\-pwd\-fd",
 \&        "tpm\-send\-command\-header",
-\&        "flags\-opt\-startup"
+\&        "flags\-opt\-startup",
+\&        "rsa\-keysize\-1024",
+\&        "rsa\-keysize\-2048",
+\&        "rsa\-keysize\-3072"
 \&      ]
 \&    }
 .Ve
@@ -405,6 +408,10 @@ The \s-1TPM 2\s0 will respond by preprending a 4\-byte response indicator and a
 .IP "\fBflags-opt-startup\fR" 4
 .IX Item "flags-opt-startup"
 The \fI\-\-flags\fR option supports the \fIstartup\-...\fR options.
+.IP "\fBrsa\-keysize\-2048\fR" 4
+.IX Item "rsa-keysize-2048"
+The \s-1TPM 2\s0 supports the shown \s-1RSA\s0 key sizes. If none of the
+rsa-keysize verbs is shown then only \s-1RSA 2048\s0 bit keys are supported.
 .RE
 .RS 4
 .RE

diff --git a/man/man8/swtpm.pod b/man/man8/swtpm.pod
@@ -294,7 +294,10 @@ may contain the following:
         "cmdarg-key-fd",
         "cmdarg-pwd-fd",
         "tpm-send-command-header",
-        "flags-opt-startup"
+        "flags-opt-startup",
+        "rsa-keysize-1024",
+        "rsa-keysize-2048",
+        "rsa-keysize-3072"
       ]
     }
 
@@ -325,6 +328,11 @@ The TPM 2 will respond by preprending a 4-byte response indicator and a
 
 The I<--flags> option supports the I<startup-...> options.
 
+=item B<rsa-keysize-2048>
+
+The TPM 2 supports the shown RSA key sizes. If none of the
+rsa-keysize verbs is shown then only RSA 2048 bit keys are supported.
+
 =back
 
 =item B<-h|--help>

diff --git a/src/swtpm/capabilities.c b/src/swtpm/capabilities.c
@@ -40,10 +40,78 @@
 #define _GNU_SOURCE
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
+
+#include <libtpms/tpm_library.h>
 
 #include "capabilities.h"
 #include "logging.h"
 
+/* Convert the RSA key size indicators supported by libtpms into capability
+ * strings.
+ * libtpms may return us something like this here:
+ * "TPMAttributes":{"manufacturer":"id:00001014",\
+ * "version":"id:20191023","model":"swtpm","RSAKeySizes":[1024,2048,3072]}}
+ *
+ * or an older version may not report RSA keysizes:
+ * "TPMAttributes":{"manufacturer":"id:00001014",\
+ * "version":"id:20191023","model":"swtpm"}}
+ */
+static int get_rsa_keysize_caps(char **keysizecaps)
+{
+    int ret = 0;
+    char *start, *endptr;
+    const char *needle = "\"RSAKeySizes\":[";
+    char *info_data = TPMLIB_GetInfo(4 /*TPMLIB_INFO_TPMFEATURES*/);
+    char buffer[128];
+    off_t offset = 0;
+    int n;
+
+    if (!info_data)
+        goto oom;
+
+    start = strstr(info_data, needle);
+    if (start) {
+        start += strlen(needle);
+        while (1) {
+            unsigned long int keysize = strtoul(start, &endptr, 10);
+
+            if (*endptr != ',' && *endptr != ']') {
+                logprintf(STDERR_FILENO, "Malformed TPMLIB_GetInfo() string\n");
+                ret = -1;
+                goto cleanup;
+            }
+
+            n = snprintf(buffer + offset, sizeof(buffer) - offset,
+                         ", \"rsa-keysize-%lu\"",
+                          keysize);
+            if (n < 0 || (unsigned)n >= sizeof(buffer) - offset) {
+                logprintf(STDERR_FILENO, "%s: buffer is too small\n", __func__);
+                ret = -1;
+                goto cleanup;
+            }
+            if (*endptr == ']')
+                break;
+
+            offset += n;
+            start = endptr + 1;
+        }
+
+        *keysizecaps = strndup(buffer, sizeof(buffer) - 1);
+        if (*keysizecaps == NULL)
+            goto oom;
+    }
+
+cleanup:
+    free(info_data);
+    return ret;
+
+oom:
+    logprintf(STDERR_FILENO, "Out of memory\n");
+    ret = -1;
+    goto cleanup;
+}
+
 int capabilities_print_json(bool cusetpm)
 {
     char *string = NULL;
@@ -54,19 +122,25 @@ int capabilities_print_json(bool cusetpm)
 #else
     const char *cmdarg_seccomp = "";
 #endif
+    char *keysizecaps = NULL;
+
+    ret = get_rsa_keysize_caps(&keysizecaps);
+    if (ret < 0)
+        goto cleanup;
 
     n =  asprintf(&string,
          "{ "
          "\"type\": \"swtpm\", "
          "\"features\": [ "
-             "%s%s%s%s%s"
+             "%s%s%s%s%s%s"
           " ] "
          "}",
          !cusetpm     ? "\"tpm-send-command-header\", ": "",
          !cusetpm     ? "\"flags-opt-startup\", "      : "",
          cmdarg_seccomp,
          true         ? "\"cmdarg-key-fd\", "          : "",
-         true         ? "\"cmdarg-pwd-fd\""            : ""
+         true         ? "\"cmdarg-pwd-fd\""            : "",
+         keysizecaps  ? keysizecaps                    : ""
     );
 
     if (n < 0) {
@@ -79,6 +153,7 @@ int capabilities_print_json(bool cusetpm)
     fprintf(stdout, "%s\n", string);
 
 cleanup:
+    free(keysizecaps);
     free(string);
 
     return ret;

diff --git a/tests/_test_tpm2_print_capabilities b/tests/_test_tpm2_print_capabilities
@@ -23,8 +23,9 @@ if [ "${SWTPM_IFACE}" != "cuse" ]; then
 	noncuse='"tpm-send-command-header", "flags-opt-startup", '
 fi
 
-exp='{ "type": "swtpm", "features": [ '${noncuse}${seccomp}'"cmdarg-key-fd", "cmdarg-pwd-fd" ] }'
-if [ "${msg}" != "${exp}" ]; then
+# The rsa key size reporting is variable, so use a regex
+exp='\{ "type": "swtpm", "features": \[ '${noncuse}${seccomp}'"cmdarg-key-fd", "cmdarg-pwd-fd"(, "rsa-keysize-1024")?(, "rsa-keysize-2048")?(, "rsa-keysize-3072")? \] \}'
+if ! [[ ${msg} =~ ${exp} ]]; then
 	echo "Unexpected response from ${SWTPM_IFACE} TPM to --print-capabilities:"
 	echo "Actual   : ${msg}"
 	echo "Expected : ${exp}"

diff --git a/tests/test_tpm2_ibmtss2 b/tests/test_tpm2_ibmtss2
@@ -78,8 +78,10 @@ if [ $revision -lt 155 ]; then
 	done
 fi
 
-# libtpms may at some revision start supporting RSA 3072 keys...
-if [ $revision -gt 0 ]; then
+rsa3072=$(run_swtpm_ioctl ${SWTPM_INTERFACE} --info 4 |
+          sed -n 's/.*"RSAKeySizes":\[\([0-9,]*\)\].*/\1/p' |
+          grep 3072)
+if [ -z "$rsa3072" ]; then
 	pushd regtests &>/dev/null
 
 	echo "Modifying test cases related to RSA 3072 keys."
@@ -92,6 +94,8 @@ if [ $revision -gt 0 ]; then
 	sed -i "s| \"-rsa 3072\"||" testsalt.sh
 
 	popd &>/dev/null
+else
+	echo "swptm/libtpms support RSA 3072 bit keys"
 fi
 
 export TPM_SERVER_NAME=127.0.0.1