
Re: [PATCH 09/10] tests/tpm2_key_protector_test: Amend the NV index mode


From: Stefan Berger
Subject: Re: [PATCH 09/10] tests/tpm2_key_protector_test: Amend the NV index mode test
Date: Thu, 2 Jan 2025 16:11:42 -0500
User-agent: Mozilla Thunderbird



On 12/19/24 3:12 AM, Gary Lin wrote:
Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is
replaced with one 'grub-protect' command to simplify the test script.

Two more NV index test cases are also added to test key sealing and
unsealing with the NV index handle, 0x1000000.

with the NV index handle 0x1000000

Signed-off-by: Gary Lin <glin@suse.com>
---
  tests/tpm2_key_protector_test.in | 151 ++++++++++---------------------
  1 file changed, 48 insertions(+), 103 deletions(-)

diff --git a/tests/tpm2_key_protector_test.in b/tests/tpm2_key_protector_test.in
index a92e5f498..9e808f019 100644
--- a/tests/tpm2_key_protector_test.in
+++ b/tests/tpm2_key_protector_test.in
@@ -225,112 +225,45 @@ EOF
      fi
  }
-tpm2_seal_nv () {
-    keyfile="$1"
-    nv_index="$2"
-    pcr_list="$3"
-
-    primary_file=${tpm2testdir}/primary.ctx
-    session_file=${tpm2testdir}/session.dat
-    policy_file=${tpm2testdir}/policy.dat
-    keypub_file=${tpm2testdir}/key.pub
-    keypriv_file=${tpm2testdir}/key.priv
-    name_file=${tpm2testdir}/sealing.name
-    sealing_ctx_file=${tpm2testdir}/sealing.ctx
-
-    # Since we don't run a resource manager on our swtpm instance, it has
-    # to flush the transient handles after tpm2_createprimary, tpm2_create
-    # and tpm2_load to avoid the potential out-of-memory (0x902) errors.
-    # Ref: 
https://github.com/tpm2-software/tpm2-tools/issues/1338#issuecomment-469689398
-
-    # Create the primary object
-    tpm2_createprimary -Q -C o -g sha256 -G ecc -c "${primary_file}" || ret=$?
-    if [ "${ret}" -ne 0 ]; then
-       echo "Failed to create the primary object: ${ret}" >&2
-       return 1
-    fi
-    tpm2_flushcontext -t || ret=$?
-    if [ "${ret}" -ne 0 ]; then
-       echo "Failed to flush the transient handles: ${ret}" >&2
-       return 1
-    fi
-
-    # Create the policy object
-    tpm2_startauthsession -S "${session_file}" || ret=$?
-    if [ "${ret}" -ne 0 ]; then
-       echo "Failed to start auth session: ${ret}" >&2
-       return 1
-    fi
-    tpm2_policypcr -Q -S "${session_file}" -l "${pcr_list}" -L 
"${policy_file}" || ret=$?
-    if [ "${ret}" -ne 0 ]; then
-       echo "Failed to create the policy object: ${ret}" >&2
-       return 1
-    fi
-    tpm2_flushcontext "${session_file}" || ret=$?
-    if [ "${ret}" -ne 0 ]; then
-       echo "Failed to flush the transient handles: ${ret}" >&2
-       return 1
-    fi
+tpm2_seal_unseal_nv() {
+    handle_type="$1"
+    key_type="$2"
- # Seal the key into TPM
-    tpm2_create -Q \
-       -C "${primary_file}" \
-       -u "${keypub_file}" \
-       -r "${keypriv_file}" \
-       -L "${policy_file}" \
-       -i "${keyfile}" || ret=$?
-    if [ "${ret}" -ne 0 ]; then
-       echo "Failed to seal \"${keyfile}\": ${ret}" >&2
-       return 1
-    fi
-    tpm2_flushcontext -t || ret=$?
-    if [ "${ret}" -ne 0 ]; then
-       echo "Failed to flush the transient handles: ${ret}" >&2
-       return 1
-    fi
+    extra_opt=""
+    extra_grub_opt=""
- tpm2_load -Q \
-       -C "${primary_file}" \
-       -u "${keypub_file}" \
-       -r "${keypriv_file}" \
-       -n "${name_file}" \
-       -c "${sealing_ctx_file}" || ret=$?
-    if [ "${ret}" -ne 0 ]; then
-       echo "Failed to load the sealed key into TPM: ${ret}" >&2
-       return 1
-    fi
-    tpm2_flushcontext -t || ret=$?
-    if [ "${ret}" -ne 0 ]; then
-       echo "Failed to flush the transient handles: ${ret}" >&2
-       return 1
+    if [ "$handle_type" == "nvindex" ]; then
+       nv_index="0x1000000"
+    else
+       nv_index="0x81000000"
      fi
- tpm2_evictcontrol -Q -C o -c "${sealing_ctx_file}" ${nv_index} || ret=$?
-    if [ "${ret}" -ne 0 ]; then
-       echo "Failed to store the sealed key into ${nv_index}: ${ret}" >&2
-       return 1
+    if [ "$key_type" == "tpm2key" ]; then
+       extra_opt="--tpm2key"
+    else
+       extra_grub_opt="--pcrs=0,1"
      fi
- return 0
-}
-
-tpm2_seal_unseal_nv() {
-    nv_index="0x81000000"
-    pcr_list="sha256:0,1"
-
      grub_cfg=${tpm2testdir}/testcase.cfg
# Seal the key into a NV index guarded by PCR 0 and 1
-    tpm2_seal_nv "${lukskeyfile}" ${nv_index} ${pcr_list} || ret=$?
+    grub-protect ${extra_opt} \
+       --tpm2-device="${tpm2dev}" \
+       --action=add \
+       --protector=tpm2 \
+       --tpm2-bank=sha256 \
+       --tpm2-pcrs=0,1 \
+       --tpm2-keyfile="${lukskeyfile}" \
+       --tpm2-nvindex="${nv_index}" || ret=$?
      if [ "${ret}" -ne 0 ]; then
-       echo "Failed to seal the secret key into ${nv_index}" >&2
+       echo "Failed to seal the secret key into ${nv_index}: ${ret}" >&2
        return 99
      fi
# Write the TPM unsealing script
      cat > ${grub_cfg} <<EOF
  loopback luks (host)${luksfile}
-tpm2_key_protector_init --mode=nv --nvindex=${nv_index} --pcrs=0,1
+tpm2_key_protector_init --mode=nv --nvindex=${nv_index} ${extra_grub_opt}
  if cryptomount -a --protector tpm2; then
      cat (crypto0)+1
  fi
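Review bot: The two new branches at the top of tpm2_seal_unseal_nv compare with `[ "$handle_type" == "nvindex" ]` and `[ "$key_type" == "tpm2key" ]`; `==` inside single-bracket `test` is a bash extension while every other test in the hunk uses the POSIX form, so `[ "$handle_type" = "nvindex" ]` and `[ "$key_type" = "tpm2key" ]` avoid depending on which shell the generated test runs under. The heredoc line `tpm2_key_protector_init --mode=nv --nvindex=${nv_index} ${extra_grub_opt}` relies on the unquoted expansion of an empty `extra_grub_opt` to add no argument in the tpm2key case, which a later quoting cleanup could silently break; a comment such as `# extra_grub_opt is left unquoted so an empty value contributes no argument` next to the assignment at the top of the function would protect it. The function continues past the end of this hunk.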
@@ -340,7 +273,12 @@ EOF
      ${grubshell} --timeout=${timeout} --emu-opts="-t ${tpm2dev}" < "${grub_cfg}" > 
"${testoutput}" || ret=$?
# Remove the object from the NV index
-    tpm2_evictcontrol -Q -C o -c "${nv_index}" || :
+    grub-protect \
+       --tpm2-device="${tpm2dev}" \
+       --protector=tpm2 \
+       --action=remove \
+       --tpm2-nvindex=${nv_index} \
+       --tpm2-evict || :
if [ "${ret}" -eq 0 ]; then
        if ! grep -q "^${vtext}$" "${testoutput}"; then
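Review bot: The cleanup `grub-protect ... --action=remove --tpm2-nvindex=${nv_index} --tpm2-evict || :` discards its exit status, so if removal fails the sealed object stays behind in `${nv_index}` and the next nvtests case that targets the same handle may fail on `--action=add` or run against the stale object, surfacing as an unrelated failure. The `tpm2_evictcontrol ... || :` it replaces had the same shape, so this is carried over rather than introduced, but keeping the test going while leaving a trace costs one line: `|| echo "Warning: failed to remove the sealed key from ${nv_index}" >&2`. The `--tpm2-nvindex=${nv_index}` here is unquoted while the add call in the previous hunk writes `--tpm2-nvindex="${nv_index}"`; quoting both the same way keeps the two calls consistent. This hunk is the middle of tpm2_seal_unseal_nv, whose start and end lie outside it.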
@@ -366,24 +304,31 @@ srktests+=("ECC transient fallback_srk")
  for i in "${!srktests[@]}"; do
      tpm2_seal_unseal ${srktests[$i]} || ret=$?

Hm, due to the || : Once ret was set to '1' here all subsequent tests will indicate failure since ret will never be set to 0 again.

You probably should do the following if you want to keep on running tests and not exit ${ret} on first failure.

tpm2_seal_unseal ${srktests[$i]}
ret=$?

      if [ "${ret}" -eq 0 ]; then
-        echo "TPM2 [${srktests[$i]}]: PASS"
+        echo "TPM2 [SRK][${srktests[$i]}]: PASS"
      elif [ "${ret}" -eq 1 ]; then
-        echo "TPM2 [${srktests[$i]}]: FAIL"
+        echo "TPM2 [SRK][${srktests[$i]}]: FAIL"
      else
        echo "Unexpected failure [${srktests[$i]}]" >&2
        exit ${ret}
      fi
  done
-# Testcase for NV index mode
-tpm2_seal_unseal_nv || ret=$?
-if [ "${ret}" -eq 0 ]; then
-    echo "TPM2 [NV Index]: PASS"
-elif [ "${ret}" -eq 1 ]; then
-    echo "TPM2 [NV Index]: FAIL"
-else
-    echo "Unexpected failure [NV index]" >&2
-    exit ${ret}
-fi
+# Testcases for NV index mode
+declare -a nvtests=()
+nvtests+=("persistent raw")
+nvtests+=("nvindex raw")
+nvtests+=("nvindex tpm2key")
+
+for i in "${!nvtests[@]}"; do
+    tpm2_seal_unseal_nv ${nvtests[$i]} || ret=$?

same here.

+    if [ "${ret}" -eq 0 ]; then
+       echo "TPM2 [NV Index][${nvtests[$i]}]: PASS"
+    elif [ "${ret}" -eq 1 ]; then
+       echo "TPM2 [NV Index][${nvtests[$i]}]: FAIL"
+    else
+       echo "Unexpected failure [NV index][${nvtests[$i]}]" >&2
+       exit ${ret}
+    fi
+done
exit 0
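Review bot: The new nvtests loop prints `TPM2 [NV Index][...]: FAIL` when a case returns 1 and then falls through to the unchanged `exit 0` at the end of the script, so an unsealing failure is visible only in the output, not in the exit status a test harness checks. The SRK loop above and the single NV test this replaces behaved the same way, so this may be what the surrounding harness expects; if the intent is for a FAIL to fail the test, setting `failed=1` in the FAIL branch of both loops and ending with `exit ${failed:-0}` would make the result machine-visible. I cannot see from this hunk how the output is consumed, so please confirm before changing it.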



