From 6a31abd9fdfe9b08c169b315dd3bc18abbe200b0 Mon Sep 17 00:00:00 2001
From: Grigori Goronzy <greg@chown.ath.cx>
Date: Thu, 24 Feb 2022 01:28:29 +0100
Subject: [PATCH] cryptenroll: add tests for TPM2 unlocking
Add tests for enrolling and unlocking. Various cases are tested:
- Default PCR 7 policy w/o PIN, good and bad cases (wrong PCR)
- PCR 7 + PIN policy, good and bad cases (wrong PCR, wrong PIN)
- Non-default PCR 0+7 policy w/o PIN, good and bad cases (wrong PCR 0)
v2: rename test, fix tss2 library installation, fix CI failures
v3: fix ppc64, load module
(cherry picked from commit fd8b9248206734b655de503f8bb16c2d154934ed)
Related: #2087652
---
 test/TEST-70-TPM2/Makefile      |  6 +++++
 test/TEST-70-TPM2/test.sh       | 40 +++++++++++++++++++++++++++
 test/test-functions             |  2 +-
 test/units/testsuite-70.service |  7 +++++
 test/units/testsuite-70.sh      | 48 +++++++++++++++++++++++++++++++++
 5 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 test/TEST-70-TPM2/Makefile
 create mode 100755 test/TEST-70-TPM2/test.sh
 create mode 100644 test/units/testsuite-70.service
 create mode 100755 test/units/testsuite-70.sh
diff --git a/test/TEST-70-TPM2/Makefile b/test/TEST-70-TPM2/Makefile
new file mode 100644
index 0000000000..9f65d4ca4f
--- /dev/null
+++ b/test/TEST-70-TPM2/Makefile
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+all setup run clean clean-again:
+	@TEST_BASE_DIR=../ ./test.sh --$@
+
+.PHONY: all setup run clean clean-again
diff --git a/test/TEST-70-TPM2/test.sh b/test/TEST-70-TPM2/test.sh
new file mode 100755
index 0000000000..d716614bcf
--- /dev/null
+++ b/test/TEST-70-TPM2/test.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+TEST_DESCRIPTION="cryptenroll/cryptsetup with TPM2 devices"
+IMAGE_NAME="tpm2"
+TEST_NO_NSPAWN=1
+TEST_REQUIRE_INSTALL_TESTS=0
+
+# shellcheck source=test/test-functions
+. "${TEST_BASE_DIR:?}/test-functions"
+
+command -v swtpm >/dev/null 2>&1 || exit 0
+command -v tpm2_pcrextend >/dev/null 2>&1 || exit 0
+
+test_append_files() {
+    (
+        local workspace="${1:?}"
+
+        instmods tpm tpm_tis tpm_ibmvtpm
+        install_dmevent
+        generate_module_dependencies
+        inst_binary tpm2_pcrextend
+    )
+}
+
+machine="$(uname -m)"
+tpmdevice="tpm-tis"
+if [ "$machine" = "ppc64le" ]; then
+    # tpm-spapr support was introduced in qemu 5.0.0. Skip test for old qemu versions.
+    qemu_min_version "5.0.0" || exit 0
+    tpmdevice="tpm-spapr"
+fi
+
+tpmstate=$(mktemp -d)
+swtpm socket --tpm2 --tpmstate dir="$tpmstate" --ctrl type=unixio,path="$tpmstate/sock" &
+trap 'kill %%; rm -rf $tpmstate' SIGINT EXIT
+QEMU_OPTIONS="-chardev socket,id=chrtpm,path=$tpmstate/sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device $tpmdevice,tpmdev=tpm0"
+
+do_test "$@"
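Review bot: The EXIT trap on the `trap 'kill %%; rm -rf $tpmstate' SIGINT EXIT` line expands `$tpmstate` unquoted and without a guard, and because the script runs under `set -e`, a failing `kill %%` (for example swtpm having already exited) can, as far as I can tell, stop the trap before the `rm -rf` runs, leaving the state directory and its socket behind. I would write it as `trap 'kill %% 2>/dev/null || :; rm -rf -- "${tpmstate:?}"' SIGINT EXIT` so the cleanup is unconditional and can never expand to a bare `rm -rf`. The swtpm background start is also never checked; a short wait for `$tpmstate/sock` to appear before `do_test` would turn a swtpm startup failure into a clear error rather than an opaque qemu failure. Separately, `local workspace="${1:?}"` in `test_append_files` is assigned but never read (ShellCheck SC2034); either use it or drop the assignment.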
diff --git a/test/test-functions b/test/test-functions
index 4a6436a74b..050fefaf1b 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -1198,7 +1198,7 @@ install_missing_libraries() {
     local lib path
     # A number of dependencies is now optional via dlopen, so the install
     # script will not pick them up, since it looks at linkage.
-    for lib in libcryptsetup libidn libidn2 pwquality libqrencode tss2-esys tss2-rc tss2-mu libfido2 libbpf libelf libdw; do
+    for lib in libcryptsetup libidn libidn2 pwquality libqrencode tss2-esys tss2-rc tss2-mu tss2-tcti-device libfido2 libbpf libelf libdw; do
         ddebug "Searching for $lib via pkg-config"
         if pkg-config --exists "$lib"; then
                 path="$(pkg-config --variable=libdir "$lib")"
diff --git a/test/units/testsuite-70.service b/test/units/testsuite-70.service
new file mode 100644
index 0000000000..c13c2d51a3
--- /dev/null
+++ b/test/units/testsuite-70.service
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=TEST-70-TPM2
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
new file mode 100755
index 0000000000..f395ef4e5e
--- /dev/null
+++ b/test/units/testsuite-70.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -ex
+
+export SYSTEMD_LOG_LEVEL=debug
+
+
+# Prepare fresh disk image
+img="/var/tmp/test.img"
+dd if=/dev/zero of=$img bs=1024k count=20 status=none
+echo -n passphrase >/tmp/passphrase
+cryptsetup luksFormat -q --use-urandom $img /tmp/passphrase
+
+# Enroll unlock with default PCR policy
+env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto $img
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
+/usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+# Check with wrong PCR
+tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
+
+# Enroll unlock with PCR+PIN policy
+systemd-cryptenroll --wipe-slot=tpm2 $img
+env PASSWORD=passphrase NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true $img
+env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
+/usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+# Check failure with wrong PIN
+env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
+
+# Check failure with wrong PCR (and correct PIN)
+tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
+env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
+
+# Enroll unlock with PCR 0+7
+systemd-cryptenroll --wipe-slot=tpm2 $img
+env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 $img
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
+/usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+# Check with wrong PCR 0
+tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && exit 1
+
+echo OK >/testok
+
+exit 0
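Review bot: The final negative check, `... tpm2-device=auto,headless=1 && exit 1` after the PCR 0 extend, is inconsistent with the three earlier ones, which print `'unexpected success'` before exiting; a silent `exit 1` gives no hint in the log which assertion tripped, so I would make it `... && { echo 'unexpected success' >&2; exit 1; }` and send the other three diagnostics to stderr as well. `$img` is unquoted on every `dd`, `cryptsetup`, `systemd-cryptenroll` and `systemd-cryptsetup` line; the value has no spaces, but quoting it (`"$img"`) keeps ShellCheck clean and costs nothing. The LUKS passphrase is written to the fixed path `/tmp/passphrase` with the default umask and never removed; in a throwaway test VM this is low risk, but a `umask 077` before the `echo -n` (or removing the file once `luksFormat` has run) would keep the test from modelling a practice a reader might copy. Note also that `set -ex` with `SYSTEMD_LOG_LEVEL=debug` will trace the `PIN=` and `PASSWORD=` values into the test log, which seems intended here but is worth a comment.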