[PATCH v3 09/10] tests/tpm2_key_protector_test: Amend the NV index mode
From: |
Gary Lin |
Subject: |
[PATCH v3 09/10] tests/tpm2_key_protector_test: Amend the NV index mode test |
Date: |
Mon, 13 Jan 2025 11:07:12 +0800 |
Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is
replaced with one 'grub-protect' command to simplify the test script.
Two more NV index test cases are also added to test key sealing and
unsealing with the NV index handle 0x1000000.
Also, there is a minor fix to reset 'ret' to 0 when a test case fails so
that the remaining test cases can continue instead of inheriting the stale
non-zero status.
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
tests/tpm2_key_protector_test.in | 155 ++++++++++---------------------
1 file changed, 51 insertions(+), 104 deletions(-)
diff --git a/tests/tpm2_key_protector_test.in b/tests/tpm2_key_protector_test.in
index a92e5f498..1ba70a3d5 100644
--- a/tests/tpm2_key_protector_test.in
+++ b/tests/tpm2_key_protector_test.in
@@ -225,112 +225,45 @@ EOF
fi
}
-tpm2_seal_nv () {
- keyfile="$1"
- nv_index="$2"
- pcr_list="$3"
-
- primary_file=${tpm2testdir}/primary.ctx
- session_file=${tpm2testdir}/session.dat
- policy_file=${tpm2testdir}/policy.dat
- keypub_file=${tpm2testdir}/key.pub
- keypriv_file=${tpm2testdir}/key.priv
- name_file=${tpm2testdir}/sealing.name
- sealing_ctx_file=${tpm2testdir}/sealing.ctx
-
- # Since we don't run a resource manager on our swtpm instance, it has
- # to flush the transient handles after tpm2_createprimary, tpm2_create
- # and tpm2_load to avoid the potential out-of-memory (0x902) errors.
- # Ref:
https://github.com/tpm2-software/tpm2-tools/issues/1338#issuecomment-469689398
-
- # Create the primary object
- tpm2_createprimary -Q -C o -g sha256 -G ecc -c "${primary_file}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to create the primary object: ${ret}" >&2
- return 1
- fi
- tpm2_flushcontext -t || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to flush the transient handles: ${ret}" >&2
- return 1
- fi
-
- # Create the policy object
- tpm2_startauthsession -S "${session_file}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to start auth session: ${ret}" >&2
- return 1
- fi
- tpm2_policypcr -Q -S "${session_file}" -l "${pcr_list}" -L
"${policy_file}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to create the policy object: ${ret}" >&2
- return 1
- fi
- tpm2_flushcontext "${session_file}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to flush the transient handles: ${ret}" >&2
- return 1
- fi
+tpm2_seal_unseal_nv() {
+ handle_type="$1"
+ key_type="$2"
- # Seal the key into TPM
- tpm2_create -Q \
- -C "${primary_file}" \
- -u "${keypub_file}" \
- -r "${keypriv_file}" \
- -L "${policy_file}" \
- -i "${keyfile}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to seal \"${keyfile}\": ${ret}" >&2
- return 1
- fi
- tpm2_flushcontext -t || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to flush the transient handles: ${ret}" >&2
- return 1
- fi
+ extra_opt=""
+ extra_grub_opt=""
- tpm2_load -Q \
- -C "${primary_file}" \
- -u "${keypub_file}" \
- -r "${keypriv_file}" \
- -n "${name_file}" \
- -c "${sealing_ctx_file}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to load the sealed key into TPM: ${ret}" >&2
- return 1
- fi
- tpm2_flushcontext -t || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to flush the transient handles: ${ret}" >&2
- return 1
+ if [ "$handle_type" == "nvindex" ]; then
+ nv_index="0x1000000"
+ else
+ nv_index="0x81000000"
fi
- tpm2_evictcontrol -Q -C o -c "${sealing_ctx_file}" ${nv_index} || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to store the sealed key into ${nv_index}: ${ret}" >&2
- return 1
+ if [ "$key_type" == "tpm2key" ]; then
+ extra_opt="--tpm2key"
+ else
+ extra_grub_opt="--pcrs=0,1"
fi
- return 0
-}
-
-tpm2_seal_unseal_nv() {
- nv_index="0x81000000"
- pcr_list="sha256:0,1"
-
grub_cfg=${tpm2testdir}/testcase.cfg
# Seal the key into a NV index guarded by PCR 0 and 1
- tpm2_seal_nv "${lukskeyfile}" ${nv_index} ${pcr_list} || ret=$?
+ grub-protect ${extra_opt} \
+ --tpm2-device="${tpm2dev}" \
+ --action=add \
+ --protector=tpm2 \
+ --tpm2-bank=sha256 \
+ --tpm2-pcrs=0,1 \
+ --tpm2-keyfile="${lukskeyfile}" \
+ --tpm2-nvindex="${nv_index}" || ret=$?
if [ "${ret}" -ne 0 ]; then
- echo "Failed to seal the secret key into ${nv_index}" >&2
+ echo "Failed to seal the secret key into ${nv_index}: ${ret}" >&2
return 99
fi
# Write the TPM unsealing script
cat > ${grub_cfg} <<EOF
loopback luks (host)${luksfile}
-tpm2_key_protector_init --mode=nv --nvindex=${nv_index} --pcrs=0,1
+tpm2_key_protector_init --mode=nv --nvindex=${nv_index} ${extra_grub_opt}
if cryptomount -a --protector tpm2; then
cat (crypto0)+1
fi
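Review bot: The two dispatches at `if [ "$handle_type" == "nvindex" ]` and `if [ "$key_type" == "tpm2key" ]` treat any other string as the fallback case, so a misspelled entry in the caller's test table would silently run the persistent-handle / raw-key path and report PASS for a case that was never exercised. A `case` with an explicit error arm rejects unknown values, and `ret=0` at function entry makes the `[ "${ret}" -ne 0 ]` check after `grub-protect` independent of whatever an earlier test left in the global. Note also that the file elsewhere uses `=` inside `[ ]`; `==` is a bashism that only works because the script already relies on bash arrays. The body of tpm2_seal_unseal_nv continues past this hunk.
```shell
tpm2_seal_unseal_nv() {
    handle_type="$1"
    key_type="$2"
    ret=0

    extra_opt=""
    extra_grub_opt=""

    case "${handle_type}" in
        nvindex)    nv_index="0x1000000" ;;
        persistent) nv_index="0x81000000" ;;
        *) echo "Unknown handle type: ${handle_type}" >&2; return 99 ;;
    esac

    case "${key_type}" in
        tpm2key) extra_opt="--tpm2key" ;;
        raw)     extra_grub_opt="--pcrs=0,1" ;;
        *) echo "Unknown key type: ${key_type}" >&2; return 99 ;;
    esac
    # … unchanged: grub-protect --action=add and grub.cfg generation …
```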
@@ -340,7 +273,12 @@ EOF
${grubshell} --timeout=${timeout} --emu-opts="-t ${tpm2dev}" <
"${grub_cfg}" > "${testoutput}" || ret=$?
# Remove the object from the NV index
- tpm2_evictcontrol -Q -C o -c "${nv_index}" || :
+ grub-protect \
+ --tpm2-device="${tpm2dev}" \
+ --protector=tpm2 \
+ --action=remove \
+ --tpm2-nvindex=${nv_index} \
+ --tpm2-evict || :
if [ "${ret}" -eq 0 ]; then
if ! grep -q "^${vtext}$" "${testoutput}"; then
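Review bot: The cleanup `grub-protect ... --action=remove ... || :` discards the removal status, so if the object is not actually removed the next table entry that reuses the same index (the two nvindex cases both use 0x1000000) would presumably fail at `--action=add` with a misleading "Failed to seal the secret key" message rather than pointing at the leftover object. Keeping the test result independent of cleanup is right, but the failure should at least be visible: `|| echo "Warning: failed to remove the object from ${nv_index}" >&2`. For consistency with the add call a few lines up, quote the index as `--tpm2-nvindex="${nv_index}"`. This hunk is the tail of tpm2_seal_unseal_nv, whose start is in the previous hunk.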
@@ -366,24 +304,33 @@ srktests+=("ECC transient fallback_srk")
for i in "${!srktests[@]}"; do
tpm2_seal_unseal ${srktests[$i]} || ret=$?
if [ "${ret}" -eq 0 ]; then
- echo "TPM2 [${srktests[$i]}]: PASS"
+ echo "TPM2 [SRK][${srktests[$i]}]: PASS"
elif [ "${ret}" -eq 1 ]; then
- echo "TPM2 [${srktests[$i]}]: FAIL"
+ echo "TPM2 [SRK][${srktests[$i]}]: FAIL"
+ ret=0
else
- echo "Unexpected failure [${srktests[$i]}]" >&2
+ echo "Unexpected failure [SRK][${srktests[$i]}]" >&2
exit ${ret}
fi
done
-# Testcase for NV index mode
-tpm2_seal_unseal_nv || ret=$?
-if [ "${ret}" -eq 0 ]; then
- echo "TPM2 [NV Index]: PASS"
-elif [ "${ret}" -eq 1 ]; then
- echo "TPM2 [NV Index]: FAIL"
-else
- echo "Unexpected failure [NV index]" >&2
- exit ${ret}
-fi
+# Testcases for NV index mode
+declare -a nvtests=()
+nvtests+=("persistent raw")
+nvtests+=("nvindex raw")
+nvtests+=("nvindex tpm2key")
+
+for i in "${!nvtests[@]}"; do
+ tpm2_seal_unseal_nv ${nvtests[$i]} || ret=$?
+ if [ "${ret}" -eq 0 ]; then
+ echo "TPM2 [NV Index][${nvtests[$i]}]: PASS"
+ elif [ "${ret}" -eq 1 ]; then
+ echo "TPM2 [NV Index][${nvtests[$i]}]: FAIL"
+ ret=0
+ else
+ echo "Unexpected failure [NV index][${nvtests[$i]}]" >&2
+ exit ${ret}
+ fi
+done
exit 0
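Review bot: The call `tpm2_seal_unseal_nv ${nvtests[$i]}` depends on word-splitting the unquoted array element into the two positional parameters the function expects, which a reader (or ShellCheck) will flag as a quoting bug; add a comment above the loop such as `# Each entry is "<handle_type> <key_type>"; left unquoted on purpose so it splits into two arguments.` The loop is otherwise a copy of the srktests loop above it with only the label changed, so a small helper taking the label and the function name would keep the PASS/FAIL/exit handling in one place, though that is optional.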
--
2.43.0