| #!/usr/bin/env bash |
| |
| # For the license, see the LICENSE file in the root directory. |
| |
| ROOT=${abs_top_builddir:-$(dirname "$0")/..} |
| TESTDIR=${abs_top_testdir:-$(dirname "$0")} |
| |
| SWTPM=swtpm |
| SWTPM_EXE=${SWTPM_EXE:-$ROOT/src/swtpm/$SWTPM} |
| SWTPM_IOCTL=${SWTPM_IOCTL:-$ROOT/src/swtpm_ioctl/swtpm_ioctl} |
| TPMDIR="$(mktemp -d)" || exit 1 |
| PID_FILE=$TPMDIR/${SWTPM}.pid |
| SOCK_PATH=$TPMDIR/sock |
| VOLATILESTATE=$TPMDIR/volatile |
| |
| source "${TESTDIR}/common" |
| skip_test_no_chardev "${SWTPM_EXE}" |
| skip_test_no_tpm12 "${SWTPM_EXE}" |
| |
| trap "cleanup" SIGTERM EXIT |
| |
| function cleanup() |
| { |
| rm -rf "$TPMDIR" |
| if [ -n "$PID" ]; then |
| kill_quiet -SIGTERM "$PID" 2>/dev/null |
| fi |
| } |
| |
| # Test 1: test the control channel on the chardev tpm |
| |
| # use a pseudo terminal |
| exec 100<>/dev/ptmx |
| $SWTPM_EXE chardev \ |
| --fd 100 \ |
| --tpmstate "dir=$TPMDIR" \ |
| --pid "file=$PID_FILE" \ |
| --ctrl "type=unixio,path=$SOCK_PATH" \ |
| --daemon \ |
| ${SWTPM_TEST_SECCOMP_OPT:+${SWTPM_TEST_SECCOMP_OPT}} |
| |
| if [ ! -f "$PID_FILE" ]; then |
| echo "Error: Chardev TPM did not write pidfile." |
| exit 1 |
| fi |
| |
| PID=$(cat "$PID_FILE") |
| |
| # Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01 |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -c 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_GET_CAPABILITY failed: $act" |
| exit 1 |
| fi |
| |
| exp="ptm capability is 0x([[:xdigit:]]+)" |
| if ! [[ "$act" =~ ^${exp}$ ]]; then |
| echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'." |
| exit 1 |
| fi |
| |
| # Send TPM_Init to the TPM: CMD_INIT = 0x00 00 00 02 + flags |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -i 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act" |
| exit 1 |
| fi |
| |
| # Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -v 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act" |
| exit 1 |
| fi |
| |
| if [ ! -r "$TPMDIR/tpm-00.volatilestate" ]; then |
| echo "Error: Socket TPM: Did not write volatile state file" |
| exit 1 |
| fi |
| |
| # Send stop command to the TPM: CMD_STOP = 00 00 00 0e |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" --stop 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act" |
| exit 1 |
| fi |
| |
| # Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0f |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -g 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_GET_CONFIG failed: $act" |
| exit 1 |
| fi |
| |
| exp="ptm configuration flags: 0x([[:xdigit:]]+)" |
| if ! [[ "$act" =~ ^${exp}$ ]]; then |
| echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'." |
| exit 1 |
| fi |
| |
| # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03 |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -s 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act" |
| exit 1 |
| fi |
| |
| if wait_file_gone "$PID_FILE" 2; then |
| echo "Error: TPM should have removed PID file by now." |
| exit 1 |
| fi |
| |
| if wait_process_gone "${PID}" 4; then |
| echo "Error: TPM should not be running anymore." |
| exit 1 |
| fi |
| |
| echo "OK" |
| |
| # Test 2: test the control channel on the socket tpm |
| |
| # There are a few more tests here that require sending commands to the TPM |
| |
| BINDADDR="127.0.0.1" |
| case $(uname -s) in |
| Linux*) |
| # make sure IPv6 is available |
| ip -6 addr show lo | grep -q " ::1/128" && BINDADDR="::1" |
| ;; |
| esac |
| |
| # use a pseudo terminal |
| $SWTPM_EXE socket \ |
| --server port=65431,disconnect=true,bindaddr=$BINDADDR \ |
| --tpmstate "dir=$TPMDIR" \ |
| --pid "file=$PID_FILE" \ |
| --ctrl "type=unixio,path=$SOCK_PATH" \ |
| ${SWTPM_TEST_SECCOMP_OPT:+${SWTPM_TEST_SECCOMP_OPT}} & |
| PID=$! |
| |
| if wait_for_file "$PID_FILE" 3; then |
| echo "Error: Socket TPM did not write pidfile." |
| exit 1 |
| fi |
| |
| validate_pidfile "$PID" "$PID_FILE" |
| |
| # Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01 |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -c 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_GET_CAPABILITY failed: $act" |
| exit 1 |
| fi |
| |
| exp="ptm capability is 0x([[:xdigit:]]+)" |
| if ! [[ "$act" =~ ^${exp}$ ]]; then |
| echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'." |
| exit 1 |
| fi |
| |
| # Send TPM_Init to the TPM: CMD_INIT = 0x00 00 00 02 + flags |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -i 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act" |
| exit 1 |
| fi |
| |
| # Startup the TPM |
| if ! msg=$($SWTPM_BIOS --tcp ${BINDADDR}:65431 -o 2>&1); then |
| echo "Error: Failed to startup TPM: $msg" |
| exit 1 |
| fi |
| |
| # Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -v 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act" |
| exit 1 |
| fi |
| |
| if [ ! -r "$TPMDIR/tpm-00.volatilestate" ]; then |
| echo "Error: Socket TPM: Did not write volatile state file" |
| exit 1 |
| fi |
| |
| # 1. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04 |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -e 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act" |
| exit 1 |
| fi |
| |
| exp="tpmEstablished is 0" |
| if [ "$act" != "$exp" ]; then |
| echo "Error: Expected '$exp' but got '$act'." |
| exit 1 |
| fi |
| |
| # 2. Hash the given data |
| data="a" |
| while [ ${#data} -lt $((0x2000)) ]; do |
| data="${data}${data}" |
| done |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -h $data 2>&1); then |
| echo "Error: $SWTPM_IOCTL data hashing failed: $act" |
| exit 1 |
| fi |
| |
| # 3. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04 |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -e 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act" |
| exit 1 |
| fi |
| |
| exp="tpmEstablished is 1" |
| if [ "$act" != "$exp" ]; then |
| echo "Error: Expected '$exp' but got '$act'." |
| exit 1 |
| fi |
| |
| # 4. Send command to reset TPM established flag: CMD_RESET_TPMESTABLISHED = 00 00 00 0b 03 |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -r 3 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_RESET_TPMESTABLISHED failed: $act" |
| exit 1 |
| fi |
| |
| # 5. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04 |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -e 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act" |
| exit 1 |
| fi |
| |
| exp="tpmEstablished is 0" |
| if [ "$act" != "$exp" ]; then |
| echo "Error: Expected '$exp' but got '$act'." |
| exit 1 |
| fi |
| |
| # Read PCR 17 |
| exec 100<>/dev/tcp/${BINDADDR}/65431 |
| echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x11' >&100 |
| RES=$(cat <&100 | od -t x1 -A n | tr -d "\n") |
| exp=' 00 c4 00 00 00 1e 00 00 00 00 f9 87 3e 96 6b 9e 46 c8 45 46 2d 1f f2 52 eb cc c1 9b df fd' |
| if [ "$RES" != "$exp" ]; then |
| echo "Error: (1) Did not get expected result from TPM_PCRRead(17)" |
| echo "expected: $exp" |
| echo "received: $RES" |
| exit 1 |
| fi |
| |
| # Get the volatile state of the TPM: CMD_GET_STATEBLOB = 00 00 00 0c |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" --save volatile "$VOLATILESTATE" 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_GET_STATEBLOB failed: $act" |
| exit 1 |
| fi |
| |
| # Send stop command to the TPM: CMD_STOP = 00 00 00 0e |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" --stop 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act" |
| exit 1 |
| fi |
| |
| # Read PCR 17 -- should fail now |
| exec 100<>/dev/tcp/${BINDADDR}/65431 |
| echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x11' >&100 |
| RES=$(cat <&100 | od -t x1 -A n | tr -d "\n") |
| exp=' 00 c4 00 00 00 0a 00 00 00 09' |
| if [ "$RES" != "$exp" ]; then |
| echo "Error: (1) Did not get expected result from TPM_PCRRead(17)" |
| echo "expected: $exp" |
| echo "received: $RES" |
| exit 1 |
| fi |
| |
| # Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0f |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -g 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_GET_CONFIG failed: $act" |
| exit 1 |
| fi |
| |
| exp="ptm configuration flags: 0x([[:xdigit:]]+)" |
| if ! [[ "$act" =~ ^${exp}$ ]]; then |
| echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'." |
| exit 1 |
| fi |
| |
| # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03 |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -s 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act" |
| exit 1 |
| fi |
| |
| if wait_file_gone "$PID_FILE" 2; then |
| echo "Error: TPM should have removed PID file by now." |
| exit 1 |
| fi |
| |
| if wait_process_gone "${PID}" 4; then |
| echo "Error: Socket TPM should not be running anymore." |
| exit 1 |
| fi |
| |
| echo "OK" |
| |
| # Test 3: test the control channel on the socket tpm: resume encrypted state |
| |
| # copy all the state files |
| cp "${TESTDIR}/data/tpmstate2/"* "${TPMDIR}" |
| |
| $SWTPM_EXE socket \ |
| --server port=65431,disconnect=true \ |
| --tpmstate "dir=$TPMDIR" \ |
| --pid "file=$PID_FILE" \ |
| --ctrl "type=unixio,path=$SOCK_PATH" \ |
| --key "pwdfile=${TESTDIR}/data/tpmstate2/pwdfile.txt,kdf=sha512" \ |
| --flags not-need-init \ |
| ${SWTPM_TEST_SECCOMP_OPT:+${SWTPM_TEST_SECCOMP_OPT}} & |
| PID=$! |
| |
| if wait_for_file "$PID_FILE" 3; then |
| echo "Error: Socket TPM did not write pidfile." |
| exit 1 |
| fi |
| |
| validate_pidfile "$PID" "$PID_FILE" |
| |
| # Read PCR 10 |
| exec 100<>/dev/tcp/localhost/65431 |
| echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100 |
| RES=$(cat <&100 | od -t x1 -A n -w128) |
| exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5' |
| if [ "$RES" != "$exp" ]; then |
| echo "Error: (1) Did not get expected result from TPM_PCRRead(10)" |
| echo "expected: $exp" |
| echo "received: $RES" |
| exit 1 |
| fi |
| |
| # Get the volatile state of the TPM: CMD_GET_STATEBLOB = 00 00 00 0c |
| rm -f "$VOLATILESTATE" |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" --save volatile "$VOLATILESTATE" 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_GET_STATEBLOB failed: $act" |
| exit 1 |
| fi |
| |
| # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03 |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -s 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act" |
| exit 1 |
| fi |
| |
| if wait_file_gone "$PID_FILE" 2; then |
| echo "Error: TPM should have removed PID file by now." |
| exit 1 |
| fi |
| |
| if wait_process_gone "${PID}" 4; then |
| echo "Error: Socket TPM should not be running anymore." |
| exit 1 |
| fi |
| |
| # remove volatile state |
| rm -f "$TPMDIR"/*.volatilestate |
| |
| $SWTPM_EXE socket \ |
| --server port=65431,disconnect=true \ |
| --tpmstate "dir=$TPMDIR" \ |
| --pid "file=$PID_FILE" \ |
| --ctrl "type=unixio,path=$SOCK_PATH" \ |
| --key "pwdfile=${TESTDIR}/data/tpmstate2/pwdfile.txt,kdf=sha512" \ |
| --flags not-need-init \ |
| ${SWTPM_TEST_SECCOMP_OPT:+${SWTPM_TEST_SECCOMP_OPT}} & |
| PID=$! |
| |
| if wait_for_file "$PID_FILE" 3; then |
| echo "Error: Socket TPM did not write pidfile." |
| exit 1 |
| fi |
| |
| validate_pidfile "$PID" "$PID_FILE" |
| |
| # Read PCR 10 -- this should fail now |
| exec 100<>/dev/tcp/localhost/65431 |
| echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100 |
| RES=$(cat <&100 | od -t x1 -A n -w128) |
| exp=' 00 c4 00 00 00 0a 00 00 00 26' |
| if [ "$RES" != "$exp" ]; then |
| echo "Error: (1) Did not get expected result from TPM_PCRRead(10)" |
| echo "expected: $exp" |
| echo "received: $RES" |
| exit 1 |
| fi |
| |
| # Send stop command to the TPM: CMD_STOP = 00 00 00 0e |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" --stop 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act" |
| exit 1 |
| fi |
| |
| # Send the volatile state to the TPM (while it is stopped) |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" --load volatile "$VOLATILESTATE" 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_SET_STATEBLOB failed: $act" |
| exit 1 |
| fi |
| |
| # Send init command to the TPM: CMD_INIT = 00 00 00 02 |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -i 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act" |
| exit 1 |
| fi |
| |
| # Read PCR 10 -- has to return same result as before |
| exec 100<>/dev/tcp/localhost/65431 |
| echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100 |
| RES=$(cat <&100 | od -t x1 -A n -w128) |
| exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5' |
| if [ "$RES" != "$exp" ]; then |
| echo "Error: (1) Did not get expected result from TPM_PCRRead(10)" |
| echo "expected: $exp" |
| echo "received: $RES" |
| exit 1 |
| fi |
| |
| |
| # Reset PCR 20 while in locality 0 -- should not work |
| exec 100<>/dev/tcp/localhost/65431 |
| echo -en '\x00\xC1\x00\x00\x00\x0F\x00\x00\x00\xC8\x00\x03\x00\x00\x10' >&100 |
| RES=$(cat <&100 | od -t x1 -A n) |
| exp=' 00 c4 00 00 00 0a 00 00 00 33' |
| if [ "$RES" != "$exp" ]; then |
| echo "Error: Trying to reset PCR 20 in locality 0 returned unexpected result" |
| echo "expected: $exp" |
| echo "received: $RES" |
| exit 1 |
| fi |
| |
| # In locality 2 we can reset PCR 20 |
| # Set the locality on the TPM: CMD_SET_LOCALITY = 00 00 00 05 <locality> |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -l 2 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_SET_LOCALITY failed: $act" |
| exit 1 |
| fi |
| |
| # Reset PCR 20 while in locality 2 -- has to work |
| exec 100<>/dev/tcp/localhost/65431 |
| echo -en '\x00\xC1\x00\x00\x00\x0F\x00\x00\x00\xC8\x00\x03\x00\x00\x10' >&100 |
| RES=$(cat <&100 | od -t x1 -A n) |
| exp=' 00 c4 00 00 00 0a 00 00 00 00' |
| if [ "$RES" != "$exp" ]; then |
| echo "Error: Could not reset PCR 20 in locality 2" |
| echo "expected: $exp" |
| echo "received: $RES" |
| exit 1 |
| fi |
| |
| # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03 |
| if ! act=$($SWTPM_IOCTL --unix "$SOCK_PATH" -s 2>&1); then |
| echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act" |
| exit 1 |
| fi |
| |
| if wait_file_gone "$PID_FILE" 2; then |
| echo "Error: TPM should have removed PID file by now." |
| exit 1 |
| fi |
| |
| if wait_process_gone "${PID}" 4; then |
| echo "Error: Socket TPM should not be running anymore." |
| exit 1 |
| fi |
| |
| echo "OK" |
| |
| exit 0 |