| #!/usr/bin/env bash |
| |
| # For the license, see the LICENSE file in the root directory. |
| |
| TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..} |
| TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..} |
| TESTDIR=${abs_top_testdir:-$(dirname "$0")} |
| |
| SWTPM_SETUP=${TOPBUILD}/src/swtpm_setup/swtpm_setup |
| SWTPM_LOCALCA=${TOPSRC}/samples/swtpm-localca |
| SWTPM=${TOPBUILD}/src/swtpm/swtpm |
| SWTPM_IOCTL=${TOPBUILD}/src/swtpm_ioctl/swtpm_ioctl |
| |
| workdir=$(mktemp -d) |
| |
| SIGNINGKEY=${workdir}/signingkey.pem |
| ISSUERCERT=${workdir}/issuercert.pem |
| CERTSERIAL=${workdir}/certserial |
| |
| PATH=${TOPBUILD}/src/swtpm_bios:$PATH |
| |
| trap "cleanup" SIGTERM EXIT |
| |
| function cleanup() |
| { |
| rm -rf ${workdir} |
| } |
| |
| # Quirk for Cygwin |
| if [[ "$(uname -s)" =~ ^CYGWIN ]]; then |
| # quirk for CYGWIN where the swtpm_setup executable in is .libs/ |
| cp ${SWTPM_SETUP}.sh $(dirname ${SWTPM_SETUP})/.libs |
| fi |
| |
| # We want swtpm_cert to use the local CA and see that the |
| # local CA script automatically creates a signingkey and |
| # self-signed certificate |
| |
| cat <<_EOF_ > ${workdir}/swtpm-localca.conf |
| statedir=${workdir} |
| signingkey = ${SIGNINGKEY} |
| issuercert = ${ISSUERCERT} |
| certserial = ${CERTSERIAL} |
| _EOF_ |
| |
| cat <<_EOF_ > ${workdir}/swtpm-localca.options |
| --tpm-manufacturer IBM |
| --tpm-model swtpm-libtpms |
| --tpm-version 2 |
| --platform-manufacturer Fedora |
| --platform-version 2.1 |
| --platform-model QEMU |
| _EOF_ |
| |
| cat <<_EOF_ > ${workdir}/swtpm_setup.conf |
| create_certs_tool=${SWTPM_LOCALCA} |
| create_certs_tool_config=${workdir}/swtpm-localca.conf |
| create_certs_tool_options=${workdir}/swtpm-localca.options |
| _EOF_ |
| |
| # We need to adapt the PATH so the correct swtpm_cert is picked |
| export PATH=${TOPBUILD}/src/swtpm_cert:${PATH} |
| |
| # we need to create at least one cert: --create-ek-cert |
| $SWTPM_SETUP \ |
| --tpm2 \ |
| --allow-signing \ |
| --tpm-state ${workdir} \ |
| --create-ek-cert \ |
| --create-platform-cert \ |
| --config ${workdir}/swtpm_setup.conf \ |
| --logfile ${workdir}/logfile \ |
| --tpm "${SWTPM} socket ${SWTPM_TEST_SECCOMP_OPT}" \ |
| --swtpm_ioctl ${SWTPM_IOCTL} |
| |
| if [ $? -ne 0 ]; then |
| echo "Error: Could not run $SWTPM_SETUP." |
| echo "Logfile output:" |
| cat ${workdir}/logfile |
| exit 1 |
| fi |
| |
| if [ ! -r "${SIGNINGKEY}" ]; then |
| echo "Error: Signingkey file ${SIGNINGKEY} was not created." |
| exit 1 |
| fi |
| |
| if [ ! -r "${ISSUERCERT}" ]; then |
| echo "Error: Issuer cert file ${ISSUERCERT} was not created." |
| exit 1 |
| fi |
| |
| if [ ! -r "${CERTSERIAL}" ]; then |
| echo "Error: Cert serial number file ${CERTSERIAL} was not created." |
| exit 1 |
| fi |
| |
| echo "Test 1: OK" |
| |
| rm -rf ${SIGNINGKEY} ${ISSUERCERT} ${CERTSERIAL} |
| |
| # we need to create at least one cert: --create-ek-cert |
| $SWTPM_SETUP \ |
| --tpm2 \ |
| --ecc \ |
| --tpm-state ${workdir} \ |
| --create-ek-cert \ |
| --config ${workdir}/swtpm_setup.conf \ |
| --logfile ${workdir}/logfile \ |
| --tpm "${SWTPM} socket ${SWTPM_TEST_SECCOMP_OPT}" \ |
| --swtpm_ioctl ${SWTPM_IOCTL} \ |
| --overwrite |
| |
| if [ $? -ne 0 ]; then |
| echo "Error: Could not run $SWTPM_SETUP." |
| echo "Logfile output:" |
| cat ${workdir}/logfile |
| exit 1 |
| fi |
| |
| if [ ! -r "${SIGNINGKEY}" ]; then |
| echo "Error: Signingkey file ${SIGNINGKEY} was not created." |
| exit 1 |
| fi |
| |
| if [ ! -r "${ISSUERCERT}" ]; then |
| echo "Error: Issuer cert file ${ISSUERCERT} was not created." |
| exit 1 |
| fi |
| |
| if [ ! -r "${CERTSERIAL}" ]; then |
| echo "Error: Cert serial number file ${CERTSERIAL} was not created." |
| exit 1 |
| fi |
| |
| echo "Test 2: OK" |
| |
| exit 0 |