vtpm: Get the supported capabilities of swtpm and swtpm_setup

Call 'swtpm chardev --print-capabilities' to get the supported capabilites
from swtpm. An JSON object is printed by swtpm that we unmarshal and
we pick the 'features' part from it that is an array of strings indicating
what this version of swtpm supports. This option was added in v0.2.
For older versions of swtpm we return an empty array.

Signed-off-by: Stefan Berger <[email protected]>

Author: stefanberger

libcontainer/vtpm/vtpm.go

@@ -3,6 +3,7 @@
 package vtpm
 
 import (
+	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -62,6 +63,12 @@ type VTPM struct {
 
 	// The AppArmor profile's full path
 	aaprofile string
+
+	// swtpm_setup capabilities
+	swtpmSetupCaps []string
+
+	// swtpm capabilities
+	swtpmCaps []string
 }
 
 // ioctl
@@ -121,6 +128,49 @@ func vtpmx_ioctl(cmd, msg uintptr) error {
 	return nil
 }
 
+// getCapabilities gets the capabilities map of an executable by invoking it with
+// --print-capabilities. It returns the array of feature strings.
+// This function returns an empty array if the executable does not support --print-capabilities.
+// Expected output looks like this:
+// { "type": "swtpm_setup", "features": [ "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd" ] }
+func getCapabilities(cmd *exec.Cmd) ([]string, error) {
+	caps := make(map[string]interface{})
+
+	output, err := cmd.Output()
+	if err != nil {
+		return nil, nil
+	}
+
+	err = json.Unmarshal([]byte(output), &caps)
+	if err != nil {
+		return nil, fmt.Errorf("Could not unmarshal output: %s: %v\n", output, err)
+	}
+
+	features, _ := caps["features"].([]interface{})
+	res := make([]string, 0)
+	for _, f := range features {
+		res = append(res, f.(string))
+	}
+	return res, nil
+}
+
+func getSwtpmSetupCapabilities() ([]string, error) {
+	return getCapabilities(exec.Command("swtpm_setup", "--print-capabilities"))
+}
+
+func getSwtpmCapabilities() ([]string, error) {
+	return getCapabilities(exec.Command("swtpm", "chardev", "--print-capabilities"))
+}
+
+func hasCapability(capabilities []string, capability string) bool {
+	for _, c := range capabilities {
+		if capability == c {
+			return true
+		}
+	}
+	return false
+}
+
 // Create a new VTPM object
 //
 // @statepath: directory where the vTPM's state will be written into
@@ -165,6 +215,15 @@ func NewVTPM(statepath string, statepathismanaged bool, vtpmversion string, crea
 	}
 	runas = usr.Uid
 
+	swtpmSetupCaps, err := getSwtpmSetupCapabilities()
+	if err != nil {
+		return nil, err
+	}
+	swtpmCaps, err := getSwtpmCapabilities()
+	if err != nil {
+		return nil, err
+	}
+
 	return &VTPM{
 		user:               runas,
 		StatePath:          statepath,
@@ -174,6 +233,8 @@ func NewVTPM(statepath string, statepathismanaged bool, vtpmversion string, crea
 		PcrBanks:           pcrbanks,
 		Tpm_dev_num:        VTPM_DEV_NUM_INVALID,
 		fd:                 ILLEGAL_FD,
+		swtpmSetupCaps:     swtpmSetupCaps,
+		swtpmCaps:          swtpmCaps,
 	}, nil
 }