| #!/usr/bin/env bash |
| |
| # For the license, see the LICENSE file in the root directory. |
| |
| # shellcheck disable=SC1091 |
| |
| TESTDIR=${abs_top_testdir:-$(dirname "$0")} |
| ROOT=${abs_top_builddir:-$(dirname "$0")/..} |
| source "${TESTDIR}/common" |
| skip_test_no_tpm20 "${SWTPM_EXE}" |
| |
| SRCDIR=${abs_top_srcdir:-$(dirname "$0")/..} |
| |
| PATH=$ROOT/src/swtpm:$PATH |
| |
| source "${abs_top_builddir:-$(dirname "$0")/..}/tests/test_config" |
| |
| PARAMETERS=( |
| "" |
| "--createek" |
| "--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display" |
| "--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt" |
| "--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt" |
| "--createek --allow-signing" |
| "--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display" |
| "--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt" |
| "--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt" |
| "--createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile256bit.txt --cipher aes-256-cbc" |
| "--createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --cipher aes-256-cbc" |
| "--createek --create-spk --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --lock-nvram" |
| "--ecc --createek" |
| "--ecc --createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display" |
| "--ecc --createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt" |
| "--ecc --createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt" |
| "--ecc --createek --allow-signing" |
| "--ecc --createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display" |
| "--ecc --createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt" |
| "--ecc --createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt" |
| "--ecc --createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile256bit.txt --cipher aes-256-cbc" |
| "--ecc --createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --cipher aes-256-cbc" |
| "--ecc --createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile-fd 100 --cipher aes-256-cbc" |
| "--ecc --createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile-fd 101 --cipher aes-256-cbc" |
| "--ecc --createek --create-spk --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --lock-nvram" |
| ) |
| |
| # Tests for 3072 bit RSA keys to be appended to above array if RSA 3072 keys are supported |
| PARAMETERS_3072=( |
| "--createek --rsa-keysize 3072" |
| "--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --rsa-keysize 3072" |
| "--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt --rsa-keysize 3072" |
| "--createek --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --rsa-keysize 3072" |
| "--createek --allow-signing --rsa-keysize 3072" |
| "--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --rsa-keysize 3072" |
| "--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile.txt --rsa-keysize 3072" |
| "--createek --allow-signing --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --rsa-keysize 3072" |
| "--createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --keyfile ${TESTDIR}/data/keyfile256bit.txt --cipher aes-256-cbc --rsa-keysize 3072" |
| "--createek --allow-signing --decryption --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --display --pwdfile ${TESTDIR}/data/pwdfile.txt --cipher aes-256-cbc --rsa-keysize 3072" |
| "--createek --create-spk --create-ek-cert --create-platform-cert --config ${TESTDIR}/swtpm_setup.conf --vmid test --lock-nvram --rsa-keysize 3072" |
| ) |
| |
| # Open read-only file descriptors referenced in test cases |
| exec 100<"${TESTDIR}/data/keyfile256bit.txt" |
| exec 101<"${TESTDIR}/data/pwdfile.txt" |
| |
| # produced file size is always the same with TPM2 |
| |
| SWTPM=swtpm |
| SWTPM_EXE=$ROOT/src/swtpm/$SWTPM |
| TPMDIR="$(mktemp -d)" || exit 1 |
| SWTPM_SETUP_CONF=$SRCDIR/samples/swtpm_setup.conf |
| TPMAUTHORING="$ROOT/src/swtpm_setup/swtpm_setup --tpm2 --config ${SWTPM_SETUP_CONF}" |
| PATH=${ROOT}/src/swtpm_bios:$PATH |
| |
| |
| trap "cleanup" SIGTERM EXIT |
| |
| function cleanup() |
| { |
| if [ -n "$TPMDIR" ]; then |
| rm -rf "$TPMDIR" |
| fi |
| } |
| |
| if $TPMAUTHORING --tpm2 --print-capabilities | grep -q tpm2-rsa-keysize-3072; then |
| PARAMETERS+=( "${PARAMETERS_3072[@]}" ) |
| fi |
| |
| # swtpm_setup.conf points to the local create_certs.sh |
| # For create_certs.sh to be found (with out full path) |
| # add this directory to the PATH |
| PATH=$PATH:$TESTDIR |
| |
| for (( i=0; i<${#PARAMETERS[*]}; i++)); do |
| rm -rf "${TPMDIR:?}"/* |
| echo -n "Test $i: " |
| params=${PARAMETERS[$i]} |
| if ! $TPMAUTHORING \ |
| --tpm-state "$TPMDIR" \ |
| --tpm "$SWTPM_EXE socket ${SWTPM_TEST_SECCOMP_OPT}" \ |
| ${params:+${params}} &>/dev/null; |
| then |
| echo "ERROR: Test with parameters '${params}' failed." |
| exit 1 |
| elif [ ! -f "$TPMDIR/tpm2-00.permall" ]; then |
| echo "ERROR: Test with parameters '${params}' did not |
| produce file $TPMDIR/tpm2-00.permall." |
| exit 1 |
| fi |
| |
| # Make sure the state is encrypted when a key was given. |
| # We expect sequences of 4 0-bytes in unencrypted state |
| # and no such sequences in encrypted state. |
| nullseq="$(od -t x1 -A n < "$TPMDIR/tpm2-00.permall" | tr -d '\n' | tr -s ' ' | |
| grep "00 00 00 00")" |
| if [[ "${params}" =~ (keyfile|pwdfile) ]]; then |
| if [ -n "${nullseq}" ]; then |
| echo "ERROR: State file is not encrypted with" \ |
| "parameters '${params}'" |
| fi |
| else |
| if [ -z "${nullseq}" ]; then |
| echo "ERROR: State must not be encrypted with" \ |
| "parameters '${params}'" |
| fi |
| fi |
| |
| echo "SUCCESS with parameters '${params}'." |
| done |
| |
| exec 100>&- |
| exec 101>&- |