| #!/usr/bin/env bash |
| #;**********************************************************************; |
| # SPDX-License-Identifier: BSD-2-Clause |
| # |
| # Copyright (c) 2017 - 2020, Intel Corporation |
| # Copyright (c) 2018 - 2020, Fraunhofer SIT sponsored by Infineon Technologies AG |
| # |
| # All rights reserved. |
| #;**********************************************************************; |
| |
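# Source the int-log-compiler-common script. It provides the helpers used
# below (sanity_test, try_simulator_start, daemon_stop) and, presumably, the
# SIM_* / TPM20TEST_* settings this script reads — verify against that file.
# Fail loudly here: without it nothing below can work, and an unquoted,
# unset srcdir would silently try to source /script/... instead.
: "${srcdir:?srcdir must point to the source tree}"
# shellcheck source=script/int-log-compiler-common.sh
. "${srcdir}/script/int-log-compiler-common.sh" || exit 1

sanity_test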
| |
# Pick the transport: a simulator (mssim/swtpm) is started on demand and
# addressed over a socket; any other TCTI is assumed to be a device file.
case "${INTEGRATION_TCTI}" in
  mssim|swtpm)
    echo "Trying to start simulator ${INTEGRATION_TCTI}"
    try_simulator_start
    TPM20TEST_SOCKET_PORT="${SIM_PORT_DATA}"
    TPM20TEST_TCTI="${INTEGRATION_TCTI}:host=${TPM20TEST_SOCKET_ADDRESS},port=${TPM20TEST_SOCKET_PORT}"
    ;;
  *)
    # Device will be used.
    TPM20TEST_TCTI="${INTEGRATION_TCTI}:${TPM20TEST_DEVICE_FILE}"
    ;;
esac
| |
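# Single-pass "loop": every failure below does `break`, which jumps straight
# to the teardown after the loop with `ret` holding the final status.
# 99 is used for setup failures (presumably automake's hard-error status),
# 1 for a test that left the TPM in a different state.
while true; do

  # Some debug prints
  echo "TPM20TEST_TCTI_NAME=${TPM20TEST_TCTI_NAME}"
  echo "TPM20TEST_DEVICE_FILE=${TPM20TEST_DEVICE_FILE}"
  echo "TPM20TEST_SOCKET_ADDRESS=${TPM20TEST_SOCKET_ADDRESS}"
  echo "TPM20TEST_SOCKET_PORT=${TPM20TEST_SOCKET_PORT}"
  echo "TPM20TEST_TCTI=${TPM20TEST_TCTI}"

  if [[ "${TPM20TEST_TCTI_NAME}" != "device" ]]; then
    # Simulator: issue the TPM start-up before anything else talks to it.
    if ! env TPM20TEST_TCTI_NAME="${TPM20TEST_TCTI_NAME}" \
        TPM20TEST_SOCKET_ADDRESS="${TPM20TEST_SOCKET_ADDRESS}" \
        TPM20TEST_SOCKET_PORT="${TPM20TEST_SOCKET_PORT}" \
        TPM20TEST_TCTI="${TPM20TEST_TCTI}" \
        G_MESSAGES_DEBUG=all ./test/helper/tpm_startup; then
      echo "TPM_StartUp failed"
      ret=99
      break
    fi
  else
    # Real device: skip the test unless the TPM's transient area is empty.
    if ! env TPM20TEST_TCTI_NAME="${TPM20TEST_TCTI_NAME}" \
        TPM20TEST_DEVICE_FILE="${TPM20TEST_DEVICE_FILE}" \
        G_MESSAGES_DEBUG=all ./test/helper/tpm_transientempty; then
      echo "TPM transient area not empty => skipping"
      ret=99
      break
    fi
  fi

  # Certificate generation for simulator tests: read the RSA and ECC EK
  # public keys, let the local test CA (ekca/create_ca.sh) issue EK
  # certificates for them, expose key fingerprints and certificates to the
  # test via FAPI_TEST_* and store the certificates in the TPM's NV area.
  if [[ "${TPM20TEST_TCTI_NAME}" != "device" ]]; then
    EKPUB_FILE="${TEST_BIN}_ekpub.pem"
    EKCERT_FILE="${TEST_BIN}_ekcert.crt"
    EKCERT_PEM_FILE="${TEST_BIN}_ekcert.pem"

    if ! env TPM20TEST_TCTI_NAME="${TPM20TEST_TCTI_NAME}" \
        TPM20TEST_SOCKET_ADDRESS="${TPM20TEST_SOCKET_ADDRESS}" \
        TPM20TEST_SOCKET_PORT="${TPM20TEST_SOCKET_PORT}" \
        TPM20TEST_TCTI="${TPM20TEST_TCTI}" \
        TPM20TEST_DEVICE_FILE="${TPM20TEST_DEVICE_FILE}" \
        G_MESSAGES_DEBUG=all ./test/helper/tpm_getek "${EKPUB_FILE}"; then
      echo "TPM_getek failed"
      ret=99
      break
    fi

    EKECCPUB_FILE="${TEST_BIN}_ekeccpub.pem"
    EKECCCERT_FILE="${TEST_BIN}_ekecccert.crt"
    EKECCCERT_PEM_FILE="${TEST_BIN}_ekecccert.pem"

    if ! env TPM20TEST_TCTI_NAME="${TPM20TEST_TCTI_NAME}" \
        TPM20TEST_SOCKET_ADDRESS="${TPM20TEST_SOCKET_ADDRESS}" \
        TPM20TEST_SOCKET_PORT="${TPM20TEST_SOCKET_PORT}" \
        TPM20TEST_TCTI="${TPM20TEST_TCTI}" \
        TPM20TEST_DEVICE_FILE="${TPM20TEST_DEVICE_FILE}" \
        G_MESSAGES_DEBUG=all ./test/helper/tpm_getek_ecc "${EKECCPUB_FILE}"; then
      echo "TPM_getek_ecc failed"
      ret=99
      break
    fi

    INTERMEDCA_FILE="${TEST_BIN}_intermedecc-ca"
    ROOTCA_FILE="${TEST_BIN}_root-ca"

    # create_ca.sh lives next to this script; its output goes to a log file
    # because it is only interesting when certificate generation fails.
    SCRIPTDIR="$(dirname "$(realpath "$0")")"
    if ! "${SCRIPTDIR}/ekca/create_ca.sh" "${EKPUB_FILE}" "${EKECCPUB_FILE}" \
        "${EKCERT_FILE}" "${EKECCCERT_FILE}" "${INTERMEDCA_FILE}" \
        "${ROOTCA_FILE}" >"${TEST_BIN}_ca.log" 2>&1; then
      echo "ek-cert ca failed"
      ret=99
      break
    fi

    # Determine the fingerprint of the RSA EK public (SHA-256 over its DER
    # encoding) and pass it to the test as a FAPI digest JSON object. Without
    # pipefail a failing openssl would yield an empty digest, so check for it.
    FINGERPRINT=$(openssl pkey -pubin -inform PEM -in "${EKPUB_FILE}" -outform DER \
      | shasum -a 256 | cut -f 1 -d ' ')
    if [[ -z "${FINGERPRINT}" ]]; then
      echo "Could not compute RSA EK fingerprint"
      ret=99
      break
    fi
    export FAPI_TEST_FINGERPRINT=" { \"hashAlg\" : \"sha256\", \"digest\" : \"${FINGERPRINT}\" }"
    if ! openssl x509 -inform DER -in "${EKCERT_FILE}" -outform PEM -out "${EKCERT_PEM_FILE}"; then
      echo "Conversion of RSA EK certificate to PEM failed"
      ret=99
      break
    fi
    export FAPI_TEST_CERTIFICATE="file:${EKCERT_PEM_FILE}"

    # Determine the fingerprint of the ECC EK public, same as above.
    FINGERPRINT_ECC=$(openssl pkey -pubin -inform PEM -in "${EKECCPUB_FILE}" -outform DER \
      | shasum -a 256 | cut -f 1 -d ' ')
    if [[ -z "${FINGERPRINT_ECC}" ]]; then
      echo "Could not compute ECC EK fingerprint"
      ret=99
      break
    fi
    export FAPI_TEST_FINGERPRINT_ECC=" { \"hashAlg\" : \"sha256\", \"digest\" : \"${FINGERPRINT_ECC}\" }"
    if ! openssl x509 -inform DER -in "${EKECCCERT_FILE}" -outform PEM -out "${EKECCCERT_PEM_FILE}"; then
      echo "Conversion of ECC EK certificate to PEM failed"
      ret=99
      break
    fi
    export FAPI_TEST_CERTIFICATE_ECC="file:${EKECCCERT_PEM_FILE}"

    # Write the DER certificates into the EK-certificate NV indices (RSA:
    # 0x01C00002, ECC: 0x01C0000A); the helper reads the certificate from
    # stdin. Feeding the file directly (instead of via cat) makes a missing
    # file a visible failure.
    if ! env TPM20TEST_TCTI_NAME="${TPM20TEST_TCTI_NAME}" \
        TPM20TEST_SOCKET_ADDRESS="${TPM20TEST_SOCKET_ADDRESS}" \
        TPM20TEST_SOCKET_PORT="${TPM20TEST_SOCKET_PORT}" \
        TPM20TEST_TCTI="${TPM20TEST_TCTI}" \
        TPM20TEST_DEVICE_FILE="${TPM20TEST_DEVICE_FILE}" \
        G_MESSAGES_DEBUG=all ./test/helper/tpm_writeekcert 1C00002 \
        <"${EKCERT_FILE}"; then
      echo "TPM_writeekcert failed"
      ret=99
      break
    fi

    # A failure here must abort like the RSA case above; previously ret=99
    # was set without break and then overwritten by the test's exit status.
    if ! env TPM20TEST_TCTI_NAME="${TPM20TEST_TCTI_NAME}" \
        TPM20TEST_SOCKET_ADDRESS="${TPM20TEST_SOCKET_ADDRESS}" \
        TPM20TEST_SOCKET_PORT="${TPM20TEST_SOCKET_PORT}" \
        TPM20TEST_TCTI="${TPM20TEST_TCTI}" \
        TPM20TEST_DEVICE_FILE="${TPM20TEST_DEVICE_FILE}" \
        G_MESSAGES_DEBUG=all ./test/helper/tpm_writeekcert 1C0000A \
        <"${EKECCCERT_FILE}"; then
      echo "TPM_writeekcert (ECC) failed"
      ret=99
      break
    fi
  fi # certificate generation

  TPMSTATE_FILE1="${TEST_BIN}_state1"
  TPMSTATE_FILE2="${TEST_BIN}_state2"

  # Snapshot the TPM state before the test; it is compared with a second
  # snapshot afterwards to catch tests that leak transients or NV changes.
  if ! env TPM20TEST_TCTI_NAME="${TPM20TEST_TCTI_NAME}" \
      TPM20TEST_SOCKET_ADDRESS="${TPM20TEST_SOCKET_ADDRESS}" \
      TPM20TEST_SOCKET_PORT="${TPM20TEST_SOCKET_PORT}" \
      TPM20TEST_TCTI="${TPM20TEST_TCTI}" \
      TPM20TEST_DEVICE_FILE="${TPM20TEST_DEVICE_FILE}" \
      G_MESSAGES_DEBUG=all ./test/helper/tpm_dumpstate >"${TPMSTATE_FILE1}"; then
    echo "Error during dumpstate"
    ret=99
    break
  fi

  echo "Execute the test script"
  # The test binary is the last argument handed to this script.
  if [[ "${TPM20TEST_TCTI_NAME}" == "device" ]]; then
    # No root certificate needed
    env TPM20TEST_TCTI_NAME="${TPM20TEST_TCTI_NAME}" \
      TPM20TEST_SOCKET_ADDRESS="${TPM20TEST_SOCKET_ADDRESS}" \
      TPM20TEST_SOCKET_PORT="${TPM20TEST_SOCKET_PORT}" \
      TPM20TEST_TCTI="${TPM20TEST_TCTI}" \
      TPM20TEST_DEVICE_FILE="${TPM20TEST_DEVICE_FILE}" \
      G_MESSAGES_DEBUG=all "${@: -1}"
  else
    # Run test with generated certificate: the test CA's root is the trust
    # anchor for the EK certificates written above.
    env TPM20TEST_TCTI_NAME="${TPM20TEST_TCTI_NAME}" \
      TPM20TEST_SOCKET_ADDRESS="${TPM20TEST_SOCKET_ADDRESS}" \
      TPM20TEST_SOCKET_PORT="${TPM20TEST_SOCKET_PORT}" \
      TPM20TEST_TCTI="${TPM20TEST_TCTI}" \
      FAPI_TEST_ROOT_CERT="${ROOTCA_FILE}.pem" \
      TPM20TEST_DEVICE_FILE="${TPM20TEST_DEVICE_FILE}" \
      G_MESSAGES_DEBUG=all "${@: -1}"
  fi
  ret=$?
  echo "Script returned $ret"

  # We check the state before a reboot to see if transients and NV were
  # changed. TPM20TEST_DEVICE_FILE is passed here as well, matching the
  # pre-test dump.
  if ! env TPM20TEST_TCTI_NAME="${TPM20TEST_TCTI_NAME}" \
      TPM20TEST_SOCKET_ADDRESS="${TPM20TEST_SOCKET_ADDRESS}" \
      TPM20TEST_SOCKET_PORT="${TPM20TEST_SOCKET_PORT}" \
      TPM20TEST_TCTI="${TPM20TEST_TCTI}" \
      TPM20TEST_DEVICE_FILE="${TPM20TEST_DEVICE_FILE}" \
      G_MESSAGES_DEBUG=all ./test/helper/tpm_dumpstate >"${TPMSTATE_FILE2}"; then
    echo "Error during dumpstate"
    ret=99
    break
  fi

  # Byte-wise comparison; a state change after an otherwise passing test is
  # still a failure.
  if ! cmp -s "${TPMSTATE_FILE1}" "${TPMSTATE_FILE2}"; then
    echo "TPM changed state during test"
    echo "State before ($TPMSTATE_FILE1):"
    cat "${TPMSTATE_FILE1}"
    echo "State after ($TPMSTATE_FILE2):"
    cat "${TPMSTATE_FILE2}"
    ret=1
    break
  fi

  #TODO: Add a tpm-restart/reboot here

  break
done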
| |
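if [[ "${TPM20TEST_TCTI_NAME}" != "device" ]]; then
  # This sleep is sadly necessary: If we kill the tabrmd w/o sleeping for a
  # second after the test finishes the simulator will die too. Bug in the
  # simulator?
  sleep 1
  # teardown
  daemon_stop "${SIM_PID_FILE}"
  # Only remove the simulator's scratch files (presumably created by
  # try_simulator_start). Guard against an empty variable so a recursive
  # delete never runs on '' or on the current directory by accident.
  if [[ -n "${SIM_TMP_DIR:-}" ]]; then
    rm -rf -- "${SIM_TMP_DIR}"
  fi
  if [[ -n "${SIM_PID_FILE:-}" ]]; then
    rm -f -- "${SIM_PID_FILE}"
  fi
fi

# ret is set on every path through the loop above.
exit "${ret}"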