|
|
8d419f |
From 6a31abd9fdfe9b08c169b315dd3bc18abbe200b0 Mon Sep 17 00:00:00 2001
|
|
|
8d419f |
From: Grigori Goronzy <greg@chown.ath.cx>
|
|
|
8d419f |
Date: Thu, 24 Feb 2022 01:28:29 +0100
|
|
|
8d419f |
Subject: [PATCH] cryptenroll: add tests for TPM2 unlocking
|
|
|
8d419f |
|
|
|
8d419f |
Add tests for enrolling and unlocking. Various cases are tested:
|
|
|
8d419f |
|
|
|
8d419f |
- Default PCR 7 policy w/o PIN, good and bad cases (wrong PCR)
|
|
|
8d419f |
- PCR 7 + PIN policy, good and bad cases (wrong PCR, wrong PIN)
|
|
|
8d419f |
- Non-default PCR 0+7 policy w/o PIN, good and bad cases (wrong PCR 0)
|
|
|
8d419f |
|
|
|
8d419f |
v2: rename test, fix tss2 library installation, fix CI failures
|
|
|
8d419f |
v3: fix ppc64, load module
|
|
|
8d419f |
(cherry picked from commit fd8b9248206734b655de503f8bb16c2d154934ed)Q
|
|
|
8d419f |
|
|
|
8d419f |
Related: #2087652
|
|
|
8d419f |
---
|
|
|
8d419f |
test/TEST-70-TPM2/Makefile | 6 +++++
|
|
|
8d419f |
test/TEST-70-TPM2/test.sh | 40 +++++++++++++++++++++++++++
|
|
|
8d419f |
test/test-functions | 2 +-
|
|
|
8d419f |
test/units/testsuite-70.service | 7 +++++
|
|
|
8d419f |
test/units/testsuite-70.sh | 48 +++++++++++++++++++++++++++++++++
|
|
|
8d419f |
5 files changed, 102 insertions(+), 1 deletion(-)
|
|
|
8d419f |
create mode 100644 test/TEST-70-TPM2/Makefile
|
|
|
8d419f |
create mode 100755 test/TEST-70-TPM2/test.sh
|
|
|
8d419f |
create mode 100644 test/units/testsuite-70.service
|
|
|
8d419f |
create mode 100755 test/units/testsuite-70.sh
|
|
|
8d419f |
|
|
|
8d419f |
diff --git a/test/TEST-70-TPM2/Makefile b/test/TEST-70-TPM2/Makefile
|
|
|
8d419f |
new file mode 100644
|
|
|
8d419f |
index 0000000000..9f65d4ca4f
|
|
|
8d419f |
--- /dev/null
|
|
|
8d419f |
+++ b/test/TEST-70-TPM2/Makefile
|
|
|
8d419f |
@@ -0,0 +1,6 @@
|
|
|
8d419f |
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
8d419f |
+
|
|
|
8d419f |
+all setup run clean clean-again:
|
|
|
8d419f |
+ @TEST_BASE_DIR=../ ./test.sh --$@
|
|
|
8d419f |
+
|
|
|
8d419f |
+.PHONY: all setup run clean clean-again
|
|
|
8d419f |
diff --git a/test/TEST-70-TPM2/test.sh b/test/TEST-70-TPM2/test.sh
|
|
|
8d419f |
new file mode 100755
|
|
|
8d419f |
index 0000000000..d716614bcf
|
|
|
8d419f |
--- /dev/null
|
|
|
8d419f |
+++ b/test/TEST-70-TPM2/test.sh
|
|
|
8d419f |
@@ -0,0 +1,40 @@
|
|
|
8d419f |
+#!/usr/bin/env bash
|
|
|
8d419f |
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
8d419f |
+set -e
|
|
|
8d419f |
+
|
|
|
8d419f |
+TEST_DESCRIPTION="cryptenroll/cryptsetup with TPM2 devices"
|
|
|
8d419f |
+IMAGE_NAME="tpm2"
|
|
|
8d419f |
+TEST_NO_NSPAWN=1
|
|
|
8d419f |
+TEST_REQUIRE_INSTALL_TESTS=0
|
|
|
8d419f |
+
|
|
|
8d419f |
+# shellcheck source=test/test-functions
|
|
|
8d419f |
+. "${TEST_BASE_DIR:?}/test-functions"
|
|
|
8d419f |
+
|
|
|
8d419f |
+command -v swtpm >/dev/null 2>&1 || exit 0
|
|
|
8d419f |
+command -v tpm2_pcrextend >/dev/null 2>&1 || exit 0
|
|
|
8d419f |
+
|
|
|
8d419f |
+test_append_files() {
|
|
|
8d419f |
+ (
|
|
|
8d419f |
+ local workspace="${1:?}"
|
|
|
8d419f |
+
|
|
|
8d419f |
+ instmods tpm tpm_tis tpm_ibmvtpm
|
|
|
8d419f |
+ install_dmevent
|
|
|
8d419f |
+ generate_module_dependencies
|
|
|
8d419f |
+ inst_binary tpm2_pcrextend
|
|
|
8d419f |
+ )
|
|
|
8d419f |
+}
|
|
|
8d419f |
+
|
|
|
8d419f |
+machine="$(uname -m)"
|
|
|
8d419f |
+tpmdevice="tpm-tis"
|
|
|
8d419f |
+if [ "$machine" = "ppc64le" ]; then
|
|
|
8d419f |
+ # tpm-spapr support was introduced in qemu 5.0.0. Skip test for old qemu versions.
|
|
|
8d419f |
+ qemu_min_version "5.0.0" || exit 0
|
|
|
8d419f |
+ tpmdevice="tpm-spapr"
|
|
|
8d419f |
+fi
|
|
|
8d419f |
+
|
|
|
8d419f |
+tpmstate=$(mktemp -d)
|
|
|
8d419f |
+swtpm socket --tpm2 --tpmstate dir="$tpmstate" --ctrl type=unixio,path="$tpmstate/sock" &
|
|
|
8d419f |
+trap 'kill %%; rm -rf $tpmstate' SIGINT EXIT
|
|
|
8d419f |
+QEMU_OPTIONS="-chardev socket,id=chrtpm,path=$tpmstate/sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device $tpmdevice,tpmdev=tpm0"
|
|
|
8d419f |
+
|
|
|
8d419f |
+do_test "$@"
|
|
|
8d419f |
diff --git a/test/test-functions b/test/test-functions
|
|
|
8d419f |
index 4a6436a74b..050fefaf1b 100644
|
|
|
8d419f |
--- a/test/test-functions
|
|
|
8d419f |
+++ b/test/test-functions
|
|
|
8d419f |
@@ -1198,7 +1198,7 @@ install_missing_libraries() {
|
|
|
8d419f |
local lib path
|
|
|
8d419f |
# A number of dependencies is now optional via dlopen, so the install
|
|
|
8d419f |
# script will not pick them up, since it looks at linkage.
|
|
|
8d419f |
- for lib in libcryptsetup libidn libidn2 pwquality libqrencode tss2-esys tss2-rc tss2-mu libfido2 libbpf libelf libdw; do
|
|
|
8d419f |
+ for lib in libcryptsetup libidn libidn2 pwquality libqrencode tss2-esys tss2-rc tss2-mu tss2-tcti-device libfido2 libbpf libelf libdw; do
|
|
|
8d419f |
ddebug "Searching for $lib via pkg-config"
|
|
|
8d419f |
if pkg-config --exists "$lib"; then
|
|
|
8d419f |
path="$(pkg-config --variable=libdir "$lib")"
|
|
|
8d419f |
diff --git a/test/units/testsuite-70.service b/test/units/testsuite-70.service
|
|
|
8d419f |
new file mode 100644
|
|
|
8d419f |
index 0000000000..c13c2d51a3
|
|
|
8d419f |
--- /dev/null
|
|
|
8d419f |
+++ b/test/units/testsuite-70.service
|
|
|
8d419f |
@@ -0,0 +1,7 @@
|
|
|
8d419f |
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
8d419f |
+[Unit]
|
|
|
8d419f |
+Description=TEST-70-TPM2
|
|
|
8d419f |
+
|
|
|
8d419f |
+[Service]
|
|
|
8d419f |
+Type=oneshot
|
|
|
8d419f |
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
|
|
|
8d419f |
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
|
|
|
8d419f |
new file mode 100755
|
|
|
8d419f |
index 0000000000..f395ef4e5e
|
|
|
8d419f |
--- /dev/null
|
|
|
8d419f |
+++ b/test/units/testsuite-70.sh
|
|
|
8d419f |
@@ -0,0 +1,48 @@
|
|
|
8d419f |
+#!/usr/bin/env bash
|
|
|
8d419f |
+# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
8d419f |
+set -ex
|
|
|
8d419f |
+
|
|
|
8d419f |
+export SYSTEMD_LOG_LEVEL=debug
|
|
|
8d419f |
+
|
|
|
8d419f |
+
|
|
|
8d419f |
+# Prepare fresh disk image
|
|
|
8d419f |
+img="/var/tmp/test.img"
|
|
|
8d419f |
+dd if=/dev/zero of=$img bs=1024k count=20 status=none
|
|
|
8d419f |
+echo -n passphrase >/tmp/passphrase
|
|
|
8d419f |
+cryptsetup luksFormat -q --use-urandom $img /tmp/passphrase
|
|
|
8d419f |
+
|
|
|
8d419f |
+# Enroll unlock with default PCR policy
|
|
|
8d419f |
+env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto $img
|
|
|
8d419f |
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
|
|
|
8d419f |
+/usr/lib/systemd/systemd-cryptsetup detach test-volume
|
|
|
8d419f |
+
|
|
|
8d419f |
+# Check with wrong PCR
|
|
|
8d419f |
+tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
|
|
|
8d419f |
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
|
|
|
8d419f |
+
|
|
|
8d419f |
+# Enroll unlock with PCR+PIN policy
|
|
|
8d419f |
+systemd-cryptenroll --wipe-slot=tpm2 $img
|
|
|
8d419f |
+env PASSWORD=passphrase NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true $img
|
|
|
8d419f |
+env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
|
|
|
8d419f |
+/usr/lib/systemd/systemd-cryptsetup detach test-volume
|
|
|
8d419f |
+
|
|
|
8d419f |
+# Check failure with wrong PIN
|
|
|
8d419f |
+env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
|
|
|
8d419f |
+
|
|
|
8d419f |
+# Check failure with wrong PCR (and correct PIN)
|
|
|
8d419f |
+tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
|
|
|
8d419f |
+env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
|
|
|
8d419f |
+
|
|
|
8d419f |
+# Enroll unlock with PCR 0+7
|
|
|
8d419f |
+systemd-cryptenroll --wipe-slot=tpm2 $img
|
|
|
8d419f |
+env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 $img
|
|
|
8d419f |
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
|
|
|
8d419f |
+/usr/lib/systemd/systemd-cryptsetup detach test-volume
|
|
|
8d419f |
+
|
|
|
8d419f |
+# Check with wrong PCR 0
|
|
|
8d419f |
+tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000
|
|
|
8d419f |
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && exit 1
|
|
|
8d419f |
+
|
|
|
8d419f |
+echo OK >/testok
|
|
|
8d419f |
+
|
|
|
8d419f |
+exit 0
|