* [meta-security][PATCH 0/8] tpm: virtual TPM for qemu
@ 2017-01-31  7:47 Patrick Ohly
  2017-01-31  7:48 ` [meta-security][PATCH 1/8] trousers: missing libtspi.so.1 in libtspi package Patrick Ohly
                   ` (8 more replies)
  0 siblings, 9 replies; 10+ messages in thread
From: Patrick Ohly @ 2017-01-31  7:47 UTC (permalink / raw)
  To: yocto

I recently started using swtpm-native in combination with the qemu-tpm
patches to simulate a virtual TPM chip in qemu. The qemu-tpm patches
should go into OE-core, but currently usage is a bit cumbersome
(requires root privileges and manually starting swtpm before each
runqemu invocation), so at this time I only consider the meta-security
changes ready and useful enough for merging.

Inside the virtual machine I used tpm-tools + trousers to set up
sealed keys for EVM, which required fixing a few things.

These patches were based on Armin's swtpm+trousers version update
series which needs to be merged first to avoid merge conflicts.

Patrick Ohly (8):
  trousers: missing libtspi.so.1 in libtspi package
  trousers: recommend tcsd
  trousers: tcsd.conf must be owned tss:tss
  swtpm: enable native and nativesdk flavors
  swtpm: depends on tpm-tools
  swtpm: fix compiler format warning
  swtpm: cuse packageconfig
  swtpm-wrappers: simplify using swtpm-native

 recipes-tpm/swtpm/files/fix_lib_search_path.patch | 64 ++++++++++++++++-
 recipes-tpm/swtpm/files/fix_signed_issue.patch    |  2 +-
 recipes-tpm/swtpm/swtpm-wrappers.bb               | 41 ++++++++++-
 recipes-tpm/swtpm/swtpm_1.0.bb                    | 12 ++-
 recipes-tpm/trousers/trousers_git.bb              |  7 +-
 5 files changed, 121 insertions(+), 5 deletions(-)
 create mode 100644 recipes-tpm/swtpm/files/fix_lib_search_path.patch
 create mode 100644 recipes-tpm/swtpm/swtpm-wrappers.bb

base-commit: 6787dd986122cd6420b1f348c4550a42ed596f57
-- 
git-series 0.9.1



* [meta-security][PATCH 1/8] trousers: missing libtspi.so.1 in libtspi package
  2017-01-31  7:47 [meta-security][PATCH 0/8] tpm: virtual TPM for qemu Patrick Ohly
@ 2017-01-31  7:48 ` Patrick Ohly
  2017-01-31  7:48 ` [meta-security][PATCH 2/8] trousers: recommend tcsd Patrick Ohly
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Patrick Ohly @ 2017-01-31  7:48 UTC (permalink / raw)
  To: yocto

The soname of libtspi.so is "libtspi.so.1" and therefore apps
linked against that library depend on the libtspi.so.1 symlink
to find the library.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/trousers/trousers_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-tpm/trousers/trousers_git.bb b/recipes-tpm/trousers/trousers_git.bb
index 1dedd7c..0a7e5b6 100644
--- a/recipes-tpm/trousers/trousers_git.bb
+++ b/recipes-tpm/trousers/trousers_git.bb
@@ -57,6 +57,7 @@ PACKAGES = " \
 	"
 
 FILES_libtspi = " \
+	${libdir}/*.so.1 \
 	${libdir}/*.so.1.2.0 \
 	"
 FILES_libtspi-dbg = " \
@@ -69,7 +70,6 @@ FILES_libtspi-dbg = " \
 FILES_libtspi-dev = " \
 	${includedir} \
 	${libdir}/*.so \
-	${libdir}/*.so.1 \
 	"
 FILES_libtspi-doc = " \
 	${mandir}/man3 \
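Review bot: removing `${libdir}/*.so.1` from FILES_libtspi-dev is the half that makes the split unambiguous, because the previous hunk added the same glob to FILES_libtspi and a file matched by two packages goes to whichever comes first in PACKAGES. After this hunk the runtime package owns the soname symlink `libtspi.so.1` together with the real `libtspi.so.1.2.0`, and the dev package keeps only the unversioned `libtspi.so` that the link editor needs, which is exactly the soname argument in the commit message. Worth a quick post-build check that `oe-pkgdata-util list-pkg-files libtspi` lists both files and that an image containing libtspi but not libtspi-dev can start a trousers-linked binary without a missing-library error.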
-- 
git-series 0.9.1



* [meta-security][PATCH 2/8] trousers: recommend tcsd
  2017-01-31  7:47 [meta-security][PATCH 0/8] tpm: virtual TPM for qemu Patrick Ohly
  2017-01-31  7:48 ` [meta-security][PATCH 1/8] trousers: missing libtspi.so.1 in libtspi package Patrick Ohly
@ 2017-01-31  7:48 ` Patrick Ohly
  2017-01-31  7:48 ` [meta-security][PATCH 3/8] trousers: tcsd.conf must be owned tss:tss Patrick Ohly
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Patrick Ohly @ 2017-01-31  7:48 UTC (permalink / raw)
  To: yocto

Installing tpm-tools for tools like tpm_takeown pulls in the libtspi
package, but the resulting system is not functional unless the tcsd
(from the main "trousers" package) also gets installed. A RRECOMMENDS
entry for that takes care of that automatically.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/trousers/trousers_git.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/recipes-tpm/trousers/trousers_git.bb b/recipes-tpm/trousers/trousers_git.bb
index 0a7e5b6..5737de3 100644
--- a/recipes-tpm/trousers/trousers_git.bb
+++ b/recipes-tpm/trousers/trousers_git.bb
@@ -56,6 +56,10 @@ PACKAGES = " \
 	trousers-doc \
 	"
 
+# libtspi needs tcsd for most (all?) operations, so suggest to
+# install that.
+RRECOMMENDS_libtspi = "${PN}"
+
 FILES_libtspi = " \
 	${libdir}/*.so.1 \
 	${libdir}/*.so.1.2.0 \
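Review bot: the new comment hedges with "most (all?)" while the commit message states flatly that the system is not functional without tcsd; say which it is. If libtspi is unusable without the local daemon, `RDEPENDS_libtspi = "${PN}"` is the accurate expression; RRECOMMENDS is only right if there is a legitimate configuration without it, in which case image authors can still drop the daemon via BAD_RECOMMENDATIONS. Either way the comment should name the case it has in mind rather than leave the question mark in the recipe.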
-- 
git-series 0.9.1



* [meta-security][PATCH 3/8] trousers: tcsd.conf must be owned tss:tss
  2017-01-31  7:47 [meta-security][PATCH 0/8] tpm: virtual TPM for qemu Patrick Ohly
  2017-01-31  7:48 ` [meta-security][PATCH 1/8] trousers: missing libtspi.so.1 in libtspi package Patrick Ohly
  2017-01-31  7:48 ` [meta-security][PATCH 2/8] trousers: recommend tcsd Patrick Ohly
@ 2017-01-31  7:48 ` Patrick Ohly
  2017-01-31  7:48 ` [meta-security][PATCH 4/8] swtpm: enable native and nativesdk flavors Patrick Ohly
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Patrick Ohly @ 2017-01-31  7:48 UTC (permalink / raw)
  To: yocto

The upstream dist/Makefile.am ensures that /etc/tcsd.conf
is owned by tss:tss, and that must not be changed because
otherwise tcsd refuses to start.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/trousers/trousers_git.bb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/recipes-tpm/trousers/trousers_git.bb b/recipes-tpm/trousers/trousers_git.bb
index 5737de3..a256bfa 100644
--- a/recipes-tpm/trousers/trousers_git.bb
+++ b/recipes-tpm/trousers/trousers_git.bb
@@ -39,7 +39,6 @@ do_install_append() {
         install -m 0644 ${WORKDIR}/tcsd.service ${D}${systemd_unitdir}/system/
         sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/tcsd.service
     fi        
-    chown -R root:root ${D}${sysconfdir}/tcsd.conf
 }
 
 CONFFILES_${PN} += "${sysconfig}/tcsd.conf"
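Review bot: with the chown gone, the ownership of ${D}${sysconfdir}/tcsd.conf is whatever upstream's install rule set, which only yields tss:tss if the tss user and group exist at the time do_install runs under pseudo; nothing in this hunk shows the useradd handling, so the commit message should say where those accounts come from (useradd class or a pre-existing entry), otherwise the file silently ends up root-owned again and tcsd refuses to start at runtime with no build-time warning. Unrelated but visible in the context line: `CONFFILES_${PN} += "${sysconfig}/tcsd.conf"` uses `${sysconfig}`, which is not a standard variable, so the conffile entry will not resolve to the intended /etc/tcsd.conf; it is presumably meant to be `${sysconfdir}/tcsd.conf` and deserves a separate fix-up patch.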
-- 
git-series 0.9.1



* [meta-security][PATCH 4/8] swtpm: enable native and nativesdk flavors
  2017-01-31  7:47 [meta-security][PATCH 0/8] tpm: virtual TPM for qemu Patrick Ohly
                   ` (2 preceding siblings ...)
  2017-01-31  7:48 ` [meta-security][PATCH 3/8] trousers: tcsd.conf must be owned tss:tss Patrick Ohly
@ 2017-01-31  7:48 ` Patrick Ohly
  2017-01-31  7:48 ` [meta-security][PATCH 5/8] swtpm: depends on tpm-tools Patrick Ohly
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Patrick Ohly @ 2017-01-31  7:48 UTC (permalink / raw)
  To: yocto

For use with qemu-tpm as described in the swtpm main README, swtpm
must be compiled natively. nativesdk is added just in case someone
wants to add this to an SDK.

The fix_lib_search_path.patch was recently removed during the version
update, but it is still needed when building natively. Here's a
version that applies cleanly again.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/swtpm/files/fix_lib_search_path.patch | 64 ++++++++++++++++-
 recipes-tpm/swtpm/swtpm_1.0.bb                    |  3 +-
 2 files changed, 67 insertions(+)
 create mode 100644 recipes-tpm/swtpm/files/fix_lib_search_path.patch

diff --git a/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/recipes-tpm/swtpm/files/fix_lib_search_path.patch
new file mode 100644
index 0000000..28aca4a
--- /dev/null
+++ b/recipes-tpm/swtpm/files/fix_lib_search_path.patch
@@ -0,0 +1,64 @@
+From 85706ceb6877ade3b589d3c390abf5b3492bb718 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Thu, 13 Oct 2016 02:03:56 -0700
+Subject: [PATCH] swtpm: add new package
+
+Upstream-Status: Inappropriate [OE config]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Rebased to current tip.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ configure.ac | 32 ++++++++++----------------------
+ 1 file changed, 10 insertions(+), 22 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index c4a9c6d..6267f64 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -395,29 +395,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-security"
+ dnl We have to make sure libtpms is using the same crypto library
+ dnl to avoid problems
+ AC_MSG_CHECKING([the crypto library libtpms is using])
+-dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
+-       sed -n '/SEARCH_DIR/p' | \
+-       sed 's/SEARCH_DIR("=\?\(@<:@^"@:>@\+\)"); */\1\n/g')
+-for dir in $dirs $LIBRARY_PATH; do
+-  if test -r $dir/libtpms.so; then
+-    if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
+-      libtpms_cryptolib="openssl"
+-      break
+-    fi
+-    if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
+-      libtpms_cryptolib="freebl"
+-      break
+-    fi
++dir="$SEARCH_DIR"
++if test -r $dir/libtpms.so; then
++  if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
++    libtpms_cryptolib="openssl"
++    break
+   fi
+-  case $host_os in
+-  cygwin)
+-    if test -r $dir/libtpms.a; then
+-      if test -n "$(nm $dir/libtpms.a | grep "U AES_encrypt")"; then
+-        libtpms_cryptolib="openssl"
+-      fi
+-    fi
+-  esac
+-done
++  if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
++    libtpms_cryptolib="freebl"
++    break
++  fi
++fi
+ 
+ if test -z "$libtpms_cryptolib"; then
+   AC_MSG_ERROR([Could not determine libtpms crypto library.])
+-- 
+2.1.4
+
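Review bot: the rewritten configure.ac fragment keeps two `break` statements (after `libtpms_cryptolib="openssl"` and after `libtpms_cryptolib="freebl"`) although the surrounding `for dir in ...` loop was removed; `break` outside a loop is at best a no-op with a shell warning, so drop both. `$SEARCH_DIR` is not defined anywhere in this hunk, and the swtpm_1.0.bb hunks in the same patch do not export it either, so state in the patch header (or set it in the recipe) where it comes from; if it is empty, `test -r /libtpms.so` fails and configure aborts with the "Could not determine libtpms crypto library" error visible in the context. The embedded header's Subject "swtpm: add new package" also does not describe this change; a one-line note on why the linker search-dir probing is replaced by a fixed directory would help the next rebase.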
diff --git a/recipes-tpm/swtpm/swtpm_1.0.bb b/recipes-tpm/swtpm/swtpm_1.0.bb
index 27b4b8c..d5a2a58 100644
--- a/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -9,6 +9,7 @@ SRCREV = "ca906a02124d0ed8b6194e845d272d23ee394a34"
 SRC_URI = " \
 	git://github.com/stefanberger/swtpm.git \
 	file://fix_signed_issue.patch \
+	file://fix_lib_search_path.patch \
 	"
 
 S = "${WORKDIR}/git"
@@ -45,3 +46,5 @@ USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir  \
     --no-create-home  --shell /bin/false ${BPN}"
 
 RDEPENDS_${PN} = "libtpm expect socat bash"
+
+BBCLASSEXTEND = "native nativesdk"
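Review bot: `BBCLASSEXTEND = "native nativesdk"` also applies the lines visible in this hunk's context to the new variants, in particular `USERADD_PARAM_${PN}` (creating the tss user) and `RDEPENDS_${PN} = "libtpm expect socat bash"`; the native class is expected to remap the dependency names, but user creation has no target rootfs to act on in a native build, so a test build of swtpm-native and nativesdk-swtpm should be part of this submission and the commit message should say that it was done, since this is also the first recipe change that exercises the rebased fix_lib_search_path.patch.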
-- 
git-series 0.9.1



* [meta-security][PATCH 5/8] swtpm: depends on tpm-tools
  2017-01-31  7:47 [meta-security][PATCH 0/8] tpm: virtual TPM for qemu Patrick Ohly
                   ` (3 preceding siblings ...)
  2017-01-31  7:48 ` [meta-security][PATCH 4/8] swtpm: enable native and nativesdk flavors Patrick Ohly
@ 2017-01-31  7:48 ` Patrick Ohly
  2017-01-31  7:48 ` [meta-security][PATCH 6/8] swtpm: fix compiler format warning Patrick Ohly
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Patrick Ohly @ 2017-01-31  7:48 UTC (permalink / raw)
  To: yocto

The configure script checks for tpm_nvdefine from tpm-tools and fails
when it is not present.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/swtpm/swtpm_1.0.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/recipes-tpm/swtpm/swtpm_1.0.bb b/recipes-tpm/swtpm/swtpm_1.0.bb
index d5a2a58..5283f5d 100644
--- a/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -5,6 +5,11 @@ SECTION = "apps"
 
 DEPENDS = "libtasn1 fuse expect socat glib-2.0 libtpm libtpm-native"
 
+# configure checks for the tools already during compilation and
+# then swtpm_setup needs them at runtime
+DEPENDS += "tpm-tools-native"
+RDEPENDS_${PN} += "tpm-tools"
+
 SRCREV = "ca906a02124d0ed8b6194e845d272d23ee394a34"
 SRC_URI = " \
 	git://github.com/stefanberger/swtpm.git \
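Review bot: the new recipe comment says configure checks for the tools "during compilation", while the commit message correctly says the configure script does; make the comment say "at configure time" so the two agree. Adding tpm-tools-native to DEPENDS alongside the existing libtpm-native entry (context line) is consistent, and `RDEPENDS_${PN} += "tpm-tools"` covers swtpm_setup on the target; for the native variant from patch 4/8, swtpm_setup also needs tpm_nvdefine at runtime, so check that the swtpm-native sysroot ends up with the tool after these two lines, not only that configure passes.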
-- 
git-series 0.9.1



* [meta-security][PATCH 6/8] swtpm: fix compiler format warning
  2017-01-31  7:47 [meta-security][PATCH 0/8] tpm: virtual TPM for qemu Patrick Ohly
                   ` (4 preceding siblings ...)
  2017-01-31  7:48 ` [meta-security][PATCH 5/8] swtpm: depends on tpm-tools Patrick Ohly
@ 2017-01-31  7:48 ` Patrick Ohly
  2017-01-31  7:48 ` [meta-security][PATCH 7/8] swtpm: cuse packageconfig Patrick Ohly
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Patrick Ohly @ 2017-01-31  7:48 UTC (permalink / raw)
  To: yocto

When building for x86-64, gcc complains:

tpm_ioctl.c:866:9: error: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 2 has type ‘long unsigned int’ [-Werror=format=]
|          printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
|          ^
| cc1: all warnings being treated as errors

Casting to "long long unsigned" matches the format specifier in all
cases, including those where "long long" is larger than 64 bits.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/swtpm/files/fix_signed_issue.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-tpm/swtpm/files/fix_signed_issue.patch b/recipes-tpm/swtpm/files/fix_signed_issue.patch
index 427df62..140585b 100644
--- a/recipes-tpm/swtpm/files/fix_signed_issue.patch
+++ b/recipes-tpm/swtpm/files/fix_signed_issue.patch
@@ -42,7 +42,7 @@ Index: git/src/swtpm_ioctl/tpm_ioctl.c
          }
          /* no tpm_result here */
 -        printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap));
-+        printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
++        printf("ptm capability is 0x%llx\n", (long long unsigned)devtoh64(is_chardev, cap));
  
      } else if (!strcmp(command, "-i")) {
          init.u.req.init_flags = htodev32(is_chardev, PTM_INIT_FLAG_DELETE_VOLATILE);
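Review bot: the cast to `long long unsigned` on the replaced printf line matches `%llx` on every ABI, which is exactly what the commit message argues, so the change is correct. The cast-free alternative is `"ptm capability is 0x%" PRIx64 "\n"` from <inttypes.h>, which keeps the argument as the uint64_t that devtoh64 returns and is the form upstream projects usually accept, so if this fix is also sent to swtpm upstream the PRIx64 spelling may get through review more easily. Since this edits a patch-within-a-patch, the description in fix_signed_issue.patch itself should mention that the original `%lx` mismatches uint64_t on 32-bit targets as well, not only that it trips -Werror=format on x86-64.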
-- 
git-series 0.9.1
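The type mismatch behind the warning in patch 6/8, as an added example that is not part of the patch series or swtpm's source: `devtoh64` below is a stand-in written on the assumption that the socket transport is big-endian and the CUSE device delivers host order, and `format_cap_cast` / `format_cap_pri` compare the merged cast against the `PRIx64` form.

```c
#include <inttypes.h> /* PRIx64 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable 64-bit byte swap (avoids the non-standard <endian.h> helpers). */
static uint64_t bswap64(uint64_t x)
{
    uint64_t r = 0;
    for (int i = 0; i < 8; i++) {
        r = (r << 8) | (x & 0xff);
        x >>= 8;
    }
    return r;
}

/* Assumed stand-in for swtpm's devtoh64(): the CUSE character device hands
 * back host byte order, the socket transport big-endian. Not swtpm's code.
 * Being its own inverse, it also turns host order into wire order. */
static uint64_t devtoh64(int is_chardev, uint64_t x)
{
    const uint16_t probe = 1;
    int little_endian = *(const unsigned char *)&probe == 1;
    return (is_chardev || !little_endian) ? x : bswap64(x);
}

/* The form merged in patch 6/8: cast to unsigned long long so the argument
 * matches %llx on every ABI. On LP64, uint64_t is "unsigned long", which is
 * what gcc rejected under -Werror=format with the bare (uint64_t) cast. */
static int format_cap_cast(char *buf, size_t n, int is_chardev, uint64_t cap)
{
    return snprintf(buf, n, "ptm capability is 0x%llx\n",
                    (unsigned long long)devtoh64(is_chardev, cap));
}

/* Cast-free alternative: PRIx64 expands to the right length modifier for
 * uint64_t on the current ABI ("lx" on LP64, "llx" on ILP32). */
static int format_cap_pri(char *buf, size_t n, int is_chardev, uint64_t cap)
{
    return snprintf(buf, n, "ptm capability is 0x%" PRIx64 "\n",
                    devtoh64(is_chardev, cap));
}

/* 1 if both styles print identical text for a capability word over both
 * transports, 0 otherwise. */
static int formats_agree(uint64_t cap)
{
    char a[64], b[64];
    for (int is_chardev = 0; is_chardev <= 1; is_chardev++) {
        format_cap_cast(a, sizeof a, is_chardev, cap);
        format_cap_pri(b, sizeof b, is_chardev, cap);
        if (strcmp(a, b) != 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: capability word 0x1f, once as the CUSE device
     * would deliver it and once as the socket (big-endian) would. */
    char line[64];
    format_cap_cast(line, sizeof line, 1, UINT64_C(0x1f));
    fputs(line, stdout);
    format_cap_cast(line, sizeof line, 0, devtoh64(0, UINT64_C(0x1f)));
    fputs(line, stdout);
    return formats_agree(UINT64_C(0x1f)) ? 0 : 1;
}
```

Building this with `-Wformat -Werror=format` on an LP64 host and then replacing the cast with `(uint64_t)` reproduces the exact error quoted in the commit message.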



* [meta-security][PATCH 7/8] swtpm: cuse packageconfig
  2017-01-31  7:47 [meta-security][PATCH 0/8] tpm: virtual TPM for qemu Patrick Ohly
                   ` (5 preceding siblings ...)
  2017-01-31  7:48 ` [meta-security][PATCH 6/8] swtpm: fix compiler format warning Patrick Ohly
@ 2017-01-31  7:48 ` Patrick Ohly
  2017-01-31  7:48 ` [meta-security][PATCH 8/8] swtpm-wrappers: simplify using swtpm-native Patrick Ohly
  2017-02-01 16:39 ` [meta-security][PATCH 0/8] tpm: virtual TPM for qemu akuster808
  8 siblings, 0 replies; 10+ messages in thread
From: Patrick Ohly @ 2017-01-31  7:48 UTC (permalink / raw)
  To: yocto

The CUSE support in swtpm does not depend on selinux. It is needed
for simulating a virtual TPM, one of the use cases for swtpm-native, so
enable it by default.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/swtpm/swtpm_1.0.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-tpm/swtpm/swtpm_1.0.bb b/recipes-tpm/swtpm/swtpm_1.0.bb
index 5283f5d..0733adc 100644
--- a/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -25,12 +25,12 @@ PARALLEL_MAKE = ""
 TSS_USER="tss"
 TSS_GROUP="tss"
 
-PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG ?= "openssl cuse"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
 PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
 PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
 PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
-PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, libselinux"
+PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse"
 
 EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"
 
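Review bot: `PACKAGECONFIG[cuse]` is left with only the two configure flags and no dependency field, yet CUSE support is built on libfuse; it works here only because `fuse` sits in the unconditional DEPENDS (context line in patch 5/8), so consider `"--with-cuse, --without-cuse, fuse"` and dropping fuse from DEPENDS so that a `--without-cuse` build no longer pulls it in. Enabling cuse in the default PACKAGECONFIG is justified by the commit message, but it changes the target build as well, not only swtpm-native, and the message should say so explicitly.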
-- 
git-series 0.9.1



* [meta-security][PATCH 8/8] swtpm-wrappers: simplify using swtpm-native
  2017-01-31  7:47 [meta-security][PATCH 0/8] tpm: virtual TPM for qemu Patrick Ohly
                   ` (6 preceding siblings ...)
  2017-01-31  7:48 ` [meta-security][PATCH 7/8] swtpm: cuse packageconfig Patrick Ohly
@ 2017-01-31  7:48 ` Patrick Ohly
  2017-02-01 16:39 ` [meta-security][PATCH 0/8] tpm: virtual TPM for qemu akuster808
  8 siblings, 0 replies; 10+ messages in thread
From: Patrick Ohly @ 2017-01-31  7:48 UTC (permalink / raw)
  To: yocto

Native tools exist in recipe specific sysroots and are normally
not meant to be called from outside a build. But that's what we
need to do when using swtpm-native together with qemu, so these
wrappers make that possible by setting up the necessary environment
and hiding the internal paths.

Invoking swtpm_setup.sh gets some special support: swtpm_setup.sh runs
two daemons, tcsd and swtpm, of which tcsd insists on running as root
or tss. In practice, running as the normal user is perfectly
fine. Instead of patching the upstream source code, the approach taken
here is to run under pseudo.

Usage examples:

$ bitbake swtpm-wrappers
$ mkdir -p my-machine/myvtpm0
$ tmp-glibc/work/x86_64-linux/swtpm-wrappers/1.0-r0/swtpm_setup_oe.sh --tpm-state my-machine/myvtpm0
Starting vTPM manufacturing as root:root @ Mon 16 Jan 2017 04:09:21 PM CET
TPM is listening on TCP port 55675.
-rw------- 1 root root 65 Jan 16 16:09 /tmp/tmp.2yJBKTTwRk
Ending vTPM manufacturing @ Mon 16 Jan 2017 04:09:21 PM CET

The resulting "my-machine/myvtpm0" can then be used with swtpm (this time,
it really has to be running as root because it uses CUSE to create /dev/vtpm0)
and qemu-tpm (patches not currently in OE-core, have to be applied manually):

$ sudo env TPM_DIR=my-machine/myvtpm0 tmp-glibc/work/x86_64-linux/swtpm-wrappers/1.0-r0/swtpm_cuse_oe.sh -n vtpm0
$ sudo chmod a+rw /dev/vtpm0
$ runqemu ... 'qemuparams=-tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0'

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
 recipes-tpm/swtpm/swtpm-wrappers.bb | 41 ++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+)
 create mode 100644 recipes-tpm/swtpm/swtpm-wrappers.bb

diff --git a/recipes-tpm/swtpm/swtpm-wrappers.bb b/recipes-tpm/swtpm/swtpm-wrappers.bb
new file mode 100644
index 0000000..676c35e
--- /dev/null
+++ b/recipes-tpm/swtpm/swtpm-wrappers.bb
@@ -0,0 +1,41 @@
+SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
+LICENSE = "MIT"
+DEPENDS = "swtpm-native tpm-tools-native"
+
+inherit native
+
+# The whole point of the recipe is to make files available
+# for use after the build is done, so don't clean up...
+RM_WORK_EXCLUDE += "${PN}"
+
+do_create_wrapper () {
+    cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around swtpm_setup.sh which adds parameters required to
+# run the setup as non-root directly from the native sysroot.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+# tcsd only allows to be run as root or tss. Pretend to be root...
+exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
+EOF
+
+    cat >${WORKDIR}/swtpm_cuse_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around swtpm_cuse which makes it easier to invoke
+# the right binary. Has to be run as root with TPM_PATH set
+# to a directory initialized as virtual TPM by swtpm_setup_oe.sh.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+exec swtpm_cuse "\$@"
+EOF
+
+    chmod a+rx ${WORKDIR}/*.sh
+}
+
+addtask do_create_wrapper before do_build after do_prepare_recipe_sysroot
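Review bot: the header comment of swtpm_cuse_oe.sh says the state directory is passed via TPM_PATH, while the usage example in the commit message uses `sudo env TPM_DIR=...`; one of the two is wrong and whoever follows the commit message gets an empty or wrong state path, so align them. Two smaller points in the same recipe: `chmod a+rx ${WORKDIR}/*.sh` is broader than the two scripts this task writes and would also mark any other *.sh that lands in WORKDIR executable, so name the two files explicitly; and swtpm_setup_oe.sh bakes `${FAKEROOTENV} ${FAKEROOTCMD}` into the script at parse time, which is the intended pseudo trick from the commit message but ties the wrapper to this build's pseudo state directory, so a line in the script comment saying it is only valid for the build tree it came from would spare users a confusing failure after rm_work or a relocated TMPDIR.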
-- 
git-series 0.9.1



* Re: [meta-security][PATCH 0/8] tpm: virtual TPM for qemu
  2017-01-31  7:47 [meta-security][PATCH 0/8] tpm: virtual TPM for qemu Patrick Ohly
                   ` (7 preceding siblings ...)
  2017-01-31  7:48 ` [meta-security][PATCH 8/8] swtpm-wrappers: simplify using swtpm-native Patrick Ohly
@ 2017-02-01 16:39 ` akuster808
  8 siblings, 0 replies; 10+ messages in thread
From: akuster808 @ 2017-02-01 16:39 UTC (permalink / raw)
  To: Patrick Ohly, yocto

Patrick,

On 01/30/2017 11:47 PM, Patrick Ohly wrote:
> I recently started using swtpm-native in combination with the qemu-tpm
> patches to simulate a virtual TPM chip in qemu. The qemu-tpm patches
> should go into OE-core, but currently usage is a bit cumbersome
> (requires root privileges and manually starting swtpm before each
> runqemu invocation), so at this time I only consider the meta-security
> changes ready and useful enough for merging.
>
> Inside the virtual machine I used tpm-tools + trousers to set up
> sealed keys for EVM, which required fixing a few things.
>
> These patches were based on Armin's swtpm+trousers version update
> series which needs to be merged first to avoid merge conflicts.
>
> Patrick Ohly (8):
>    trousers: missing libtspi.so.1 in libtspi package
>    trousers: recommend tcsd
>    trousers: tcsd.conf must be owned tss:tss
>    swtpm: enable native and nativesdk flavors
>    swtpm: depends on tpm-tools
>    swtpm: fix compiler format warning
>    swtpm: cuse packageconfig
>    swtpm-wrappers: simplify using swtpm-native

Thanks for the patch series, I am looking at them now.

- armin
>
>   recipes-tpm/swtpm/files/fix_lib_search_path.patch | 64 ++++++++++++++++-
>   recipes-tpm/swtpm/files/fix_signed_issue.patch    |  2 +-
>   recipes-tpm/swtpm/swtpm-wrappers.bb               | 41 ++++++++++-
>   recipes-tpm/swtpm/swtpm_1.0.bb                    | 12 ++-
>   recipes-tpm/trousers/trousers_git.bb              |  7 +-
>   5 files changed, 121 insertions(+), 5 deletions(-)
>   create mode 100644 recipes-tpm/swtpm/files/fix_lib_search_path.patch
>   create mode 100644 recipes-tpm/swtpm/swtpm-wrappers.bb
>
> base-commit: 6787dd986122cd6420b1f348c4550a42ed596f57



