Merge ~sylvain-pineau/plainbox-provider-tpm2:upstream-4.1.1-focal into plainbox-provider-tpm2:master
- Git
- lp:~sylvain-pineau/plainbox-provider-tpm2
- upstream-4.1.1-focal
- Merge into master
Proposed by
Sylvain Pineau
Status: | Merged | ||||
---|---|---|---|---|---|
Approved by: | Sylvain Pineau | ||||
Approved revision: | 582c435daed3d7aa2dd16d0ac583093c953eb5b1 | ||||
Merged at revision: | d3ec7e277377934a4f38e7042a96307a1e688391 | ||||
Proposed branch: | ~sylvain-pineau/plainbox-provider-tpm2:upstream-4.1.1-focal | ||||
Merge into: | plainbox-provider-tpm2:master | ||||
Diff against target: |
6180 lines (+5788/-0) 60 files modified
data/tpm2-tools-4.1.1/integration/helpers.sh (+676/-0) data/tpm2-tools-4.1.1/integration/tests/activecredential.sh (+57/-0) data/tpm2-tools-4.1.1/integration/tests/attestation.sh (+113/-0) data/tpm2-tools-4.1.1/integration/tests/certify.sh (+30/-0) data/tpm2-tools-4.1.1/integration/tests/certifycreation.sh (+63/-0) data/tpm2-tools-4.1.1/integration/tests/changeauth.sh (+55/-0) data/tpm2-tools-4.1.1/integration/tests/checkquote.sh (+62/-0) data/tpm2-tools-4.1.1/integration/tests/clear.sh (+37/-0) data/tpm2-tools-4.1.1/integration/tests/clockrateadjust.sh (+60/-0) data/tpm2-tools-4.1.1/integration/tests/create.sh (+107/-0) data/tpm2-tools-4.1.1/integration/tests/createak.sh (+44/-0) data/tpm2-tools-4.1.1/integration/tests/createek.sh (+56/-0) data/tpm2-tools-4.1.1/integration/tests/createpolicy.sh (+48/-0) data/tpm2-tools-4.1.1/integration/tests/createprimary.sh (+90/-0) data/tpm2-tools-4.1.1/integration/tests/dictionarylockout.sh (+42/-0) data/tpm2-tools-4.1.1/integration/tests/duplicate.sh (+125/-0) data/tpm2-tools-4.1.1/integration/tests/evictcontrol.sh (+55/-0) data/tpm2-tools-4.1.1/integration/tests/flushcontext.sh (+37/-0) data/tpm2-tools-4.1.1/integration/tests/getcap.sh (+52/-0) data/tpm2-tools-4.1.1/integration/tests/getekcertificate.sh (+58/-0) data/tpm2-tools-4.1.1/integration/tests/getrandom.sh (+52/-0) data/tpm2-tools-4.1.1/integration/tests/gettestresult.sh (+22/-0) data/tpm2-tools-4.1.1/integration/tests/gettime.sh (+20/-0) data/tpm2-tools-4.1.1/integration/tests/hash.sh (+75/-0) data/tpm2-tools-4.1.1/integration/tests/hmac.sh (+103/-0) data/tpm2-tools-4.1.1/integration/tests/import.sh (+234/-0) data/tpm2-tools-4.1.1/integration/tests/import_tpm.sh (+146/-0) data/tpm2-tools-4.1.1/integration/tests/incrementalselftest.sh (+71/-0) data/tpm2-tools-4.1.1/integration/tests/load.sh (+70/-0) data/tpm2-tools-4.1.1/integration/tests/loadexternal.sh (+239/-0) data/tpm2-tools-4.1.1/integration/tests/makecredential.sh (+52/-0) data/tpm2-tools-4.1.1/integration/tests/nv.sh (+288/-0) data/tpm2-tools-4.1.1/integration/tests/nvcertify.sh (+54/-0) data/tpm2-tools-4.1.1/integration/tests/nvinc.sh (+152/-0) data/tpm2-tools-4.1.1/integration/tests/output_formats.sh (+118/-0) data/tpm2-tools-4.1.1/integration/tests/pcrallocate.sh (+36/-0) data/tpm2-tools-4.1.1/integration/tests/pcrevent.sh (+74/-0) data/tpm2-tools-4.1.1/integration/tests/pcrextend.sh (+49/-0) data/tpm2-tools-4.1.1/integration/tests/pcrlist.sh (+29/-0) data/tpm2-tools-4.1.1/integration/tests/pcrreset.sh (+31/-0) data/tpm2-tools-4.1.1/integration/tests/print.sh (+75/-0) data/tpm2-tools-4.1.1/integration/tests/quote.sh (+96/-0) data/tpm2-tools-4.1.1/integration/tests/rc_decode.sh (+78/-0) data/tpm2-tools-4.1.1/integration/tests/readclock.sh (+21/-0) data/tpm2-tools-4.1.1/integration/tests/readpublic.sh (+55/-0) data/tpm2-tools-4.1.1/integration/tests/rsadecrypt.sh (+102/-0) data/tpm2-tools-4.1.1/integration/tests/rsaencrypt.sh (+53/-0) data/tpm2-tools-4.1.1/integration/tests/selftest.sh (+22/-0) data/tpm2-tools-4.1.1/integration/tests/send.sh (+24/-0) data/tpm2-tools-4.1.1/integration/tests/setclock.sh (+38/-0) data/tpm2-tools-4.1.1/integration/tests/setprimarypolicy.sh (+44/-0) data/tpm2-tools-4.1.1/integration/tests/sign.sh (+294/-0) data/tpm2-tools-4.1.1/integration/tests/startup.sh (+17/-0) data/tpm2-tools-4.1.1/integration/tests/stirrandom.sh (+46/-0) data/tpm2-tools-4.1.1/integration/tests/testparms.sh (+72/-0) data/tpm2-tools-4.1.1/integration/tests/unseal.sh (+145/-0) data/tpm2-tools-4.1.1/integration/tests/verifysignature.sh (+71/-0) units/packaging.pxu (+5/-0) units/test-plan.pxu (+12/-0) units/tpm2_4.1.1.pxu (+736/-0) |
||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Jonathan Cave (community) | Approve | ||
Review via email: mp+382561@code.launchpad.net |
Commit message
Description of the change
Focal TPM2 4.1.1 upstream tests
New version, new test, new test plan. It's a mix of the integration tests found in the original source archive and various fixes only available on master (April 2020).
A couple of tests that are way too destructive have been removed (e.g tpm2_clearcontrols) as they could result in a complete tpm2 DA lockout (for a week...).
Tested on stock 20.04 beta: https:/
To post a comment you must log in.
Revision history for this message
Sylvain Pineau (sylvain-pineau) wrote : | # |
templated test plans? such thing does not exist
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1 | diff --git a/data/tpm2-tools-4.1.1/integration/fixtures/ek-template-default.bin b/data/tpm2-tools-4.1.1/integration/fixtures/ek-template-default.bin |
2 | new file mode 100644 |
3 | index 0000000..508267e |
4 | Binary files /dev/null and b/data/tpm2-tools-4.1.1/integration/fixtures/ek-template-default.bin differ |
5 | diff --git a/data/tpm2-tools-4.1.1/integration/fixtures/event-uefiaction.bin b/data/tpm2-tools-4.1.1/integration/fixtures/event-uefiaction.bin |
6 | new file mode 100644 |
7 | index 0000000..9088a8c |
8 | Binary files /dev/null and b/data/tpm2-tools-4.1.1/integration/fixtures/event-uefiaction.bin differ |
9 | diff --git a/data/tpm2-tools-4.1.1/integration/fixtures/event-uefiservices.bin b/data/tpm2-tools-4.1.1/integration/fixtures/event-uefiservices.bin |
10 | new file mode 100644 |
11 | index 0000000..88507dc |
12 | Binary files /dev/null and b/data/tpm2-tools-4.1.1/integration/fixtures/event-uefiservices.bin differ |
13 | diff --git a/data/tpm2-tools-4.1.1/integration/fixtures/event-uefivar.bin b/data/tpm2-tools-4.1.1/integration/fixtures/event-uefivar.bin |
14 | new file mode 100644 |
15 | index 0000000..130a549 |
16 | Binary files /dev/null and b/data/tpm2-tools-4.1.1/integration/fixtures/event-uefivar.bin differ |
17 | diff --git a/data/tpm2-tools-4.1.1/integration/fixtures/event.bin b/data/tpm2-tools-4.1.1/integration/fixtures/event.bin |
18 | new file mode 100644 |
19 | index 0000000..2ec9344 |
20 | Binary files /dev/null and b/data/tpm2-tools-4.1.1/integration/fixtures/event.bin differ |
21 | diff --git a/data/tpm2-tools-4.1.1/integration/fixtures/get-capability-tpm-prop-fixed.bin b/data/tpm2-tools-4.1.1/integration/fixtures/get-capability-tpm-prop-fixed.bin |
22 | new file mode 100644 |
23 | index 0000000..66fb259 |
24 | Binary files /dev/null and b/data/tpm2-tools-4.1.1/integration/fixtures/get-capability-tpm-prop-fixed.bin differ |
25 | diff --git a/data/tpm2-tools-4.1.1/integration/fixtures/specid-vendordata.bin b/data/tpm2-tools-4.1.1/integration/fixtures/specid-vendordata.bin |
26 | new file mode 100644 |
27 | index 0000000..cca24e6 |
28 | Binary files /dev/null and b/data/tpm2-tools-4.1.1/integration/fixtures/specid-vendordata.bin differ |
29 | diff --git a/data/tpm2-tools-4.1.1/integration/helpers.sh b/data/tpm2-tools-4.1.1/integration/helpers.sh |
30 | new file mode 100644 |
31 | index 0000000..1501e19 |
32 | --- /dev/null |
33 | +++ b/data/tpm2-tools-4.1.1/integration/helpers.sh |
34 | @@ -0,0 +1,676 @@ |
35 | +# SPDX-License-Identifier: BSD-3-Clause |
36 | + |
37 | +set -E |
38 | + |
39 | +# Return 0 if run by a TPM simulator, return 1 otherwise |
40 | +is_simulator() { |
41 | + # both simulators mssim and swtpm have their vendor sting set to "SW": |
42 | + # TPM2_PT_VENDOR_STRING_1: |
43 | + # raw: 0x53572020 |
44 | + # value: "SW" |
45 | + tpm2_getcap properties-fixed \ |
46 | + | grep -zP "TPM2_PT_VENDOR_STRING_1:\s*raw: 0x53572020" &>/dev/null |
47 | +} |
48 | + |
49 | +# Return 0 if algorithm is supported, return 1 otherwise |
50 | +# Error if TPM is simulator and algorithm is unsupported |
51 | +is_alg_supported() { |
52 | + if tpm2_testparms $1 2> /dev/null; then |
53 | + return 0 |
54 | + else |
55 | + if is_simulator; then |
56 | + echo "ERROR: $1 is not supported by the TPM simulator." |
57 | + exit 1 |
58 | + else |
59 | + echo "SKIP: Testing on a non-simulator TPM. Skipping unsupported algorithm $1" |
60 | + return 1 |
61 | + fi |
62 | + fi |
63 | +} |
64 | + |
65 | +# Return 0 if command is supported, return 1 otherwise |
66 | +# Error if TPM is simulator and command is unsupported |
67 | +is_cmd_supported() { |
68 | + if tpm2_getcap commands | grep -i "$1:" &> /dev/null; then |
69 | + return 0 |
70 | + else |
71 | + if is_simulator; then |
72 | + echo "ERROR: $1 is not supported by the TPM simulator." |
73 | + exit 1 |
74 | + else |
75 | + echo "SKIP: Testing on a non-simulator TPM. Skipping unsupported command $1" |
76 | + return 1 |
77 | + fi |
78 | + fi |
79 | +} |
80 | + |
81 | +function filter_algs_by() { |
82 | + |
83 | +python3 << pyscript |
84 | +from __future__ import print_function |
85 | + |
86 | +import sys |
87 | +import yaml |
88 | + |
89 | +with open("$1") as f: |
90 | + try: |
91 | + y = yaml.safe_load(f) |
92 | + for alg, details in y.items(): |
93 | + if $2: |
94 | + print(alg) |
95 | + except yaml.YAMLError as exc: |
96 | + sys.exit(exc) |
97 | +pyscript |
98 | +} |
99 | + |
100 | +populate_algs() { |
101 | + algs="$(mktemp)" |
102 | + tpm2_getcap algorithms > "${algs}" |
103 | + filter_algs_by "${algs}" "${1}" |
104 | + rm "${algs}" |
105 | +} |
106 | + |
107 | +populate_hash_algs() { |
108 | + populate_algs "details['hash'] and not details['method'] and not details['symmetric'] and not details['signing'] $1" |
109 | +} |
110 | + |
111 | +# Return alg argument if supported by TPM. |
112 | +hash_alg_supported() { |
113 | + local orig_alg="$1" |
114 | + local alg="$orig_alg" |
115 | + local algs_supported |
116 | + |
117 | + algs_supported="$(populate_hash_algs name)" |
118 | + local hex2name=( |
119 | + [0x04]="sha1" |
120 | + [0x0B]="sha256" |
121 | + [0x0C]="sha384" |
122 | + [0x0D]="sha512" |
123 | + [0x12]="sm3_256" |
124 | + ) |
125 | + |
126 | + if [ -z "$alg" ]; then |
127 | + echo "$algs_supported" |
128 | + return |
129 | + fi |
130 | + |
131 | + if [ "$alg" = "${alg//[^0-9a-fA-FxX]/}" ]; then |
132 | + alg=${hex2name["$alg"]} |
133 | + [ -z "$alg" ] && return |
134 | + fi |
135 | + |
136 | + local t_alg |
137 | + for t_alg in $algs_supported; do |
138 | + if [ "$t_alg" = "$alg" ]; then |
139 | + echo "$orig_alg" |
140 | + return |
141 | + fi |
142 | + done |
143 | +} |
144 | + |
145 | +# Get nice names of supported algorithms lengths |
146 | +# Does not work with hashes! |
147 | +# e.g. calling "populate_alg_lengths rsa" will print: |
148 | +# rsa1024 |
149 | +# rsa2048 |
150 | +populate_alg_lengths() { |
151 | + #set -x |
152 | + alg="$1" |
153 | + local lengths="1 128 192 224 256 384 512 1024 2048 4096" |
154 | + local populated="" |
155 | + for len in $lengths; do |
156 | + if tpm2_testparms "$alg$len" 2> /dev/null; then |
157 | + if [ -z "$populated" ]; then |
158 | + populated="$alg$len" |
159 | + else |
160 | + populated="$populated\n$alg$len" |
161 | + fi |
162 | + fi |
163 | + done; |
164 | + printf "$populated" |
165 | +} |
166 | + |
167 | +# Get nice name of the algorithm with its weakest supported key size |
168 | +# Does not work with hashes! |
169 | +# e.g. calling "weakest_alg aes" will print "aes128" |
170 | +weakest_alg() { |
171 | + populate_alg_lengths "$1" | head -n1 |
172 | +} |
173 | + |
174 | +# Get nice name of the algorithm with its strongest supported key size |
175 | +# Does not work with hashes! |
176 | +# e.g. calling "strongest_alg aes" will print "aes256" |
177 | +strongest_alg() { |
178 | + populate_alg_lengths "$1" | tail -n1 |
179 | +} |
180 | + |
181 | +# Get nice names of supported algorithm modes |
182 | +# Does not work with hashes! |
183 | +# e.g. calling "populate_alg_modes aes128" will print: |
184 | +# aes128cfb |
185 | +# aes128cbc |
186 | +populate_alg_modes() { |
187 | + #set -x |
188 | + alg="$1" |
189 | + local modes="ctr ofb cbc cfb ecb" |
190 | + local populated="" |
191 | + for mode in $modes; do |
192 | + if tpm2_testparms "$alg$mode" 2> /dev/null; then |
193 | + if [ -z "$populated" ]; then |
194 | + populated="$alg$mode" |
195 | + else |
196 | + populated="$populated\n$alg$mode" |
197 | + fi |
198 | + fi |
199 | + done; |
200 | + printf "$populated" |
201 | +} |
202 | + |
203 | +# |
204 | +# Verifies that the contexts of a file path provided |
205 | +# as the first argument loads as a YAML file. |
206 | +# |
207 | +function yaml_verify() { |
208 | +python3 << pyscript |
209 | +from __future__ import print_function |
210 | + |
211 | +import sys |
212 | +import yaml |
213 | + |
214 | +with open("$1") as f: |
215 | + try: |
216 | + y = yaml.safe_load(f) |
217 | + except yaml.YAMLError as exc: |
218 | + sys.exit(exc) |
219 | +pyscript |
220 | +} |
221 | + |
222 | +# |
223 | +# Given a file as argument 1, prints the value of the key |
224 | +# provided as argument 2 and optionally argument 3 (for nested maps). |
225 | +# Note that all names and values are parsed as strings. |
226 | +# |
227 | +function yaml_get_kv() { |
228 | + |
229 | + third_arg="" |
230 | + if [ $# -eq 3 ]; then |
231 | + third_arg=$3 |
232 | + fi |
233 | + |
234 | +python3 << pyscript |
235 | +from __future__ import print_function |
236 | + |
237 | +import sys |
238 | +import yaml |
239 | + |
240 | +with open("$1") as f: |
241 | + try: |
242 | + y = yaml.load(f, Loader=yaml.BaseLoader) |
243 | + if $# == 3: |
244 | + print(y["$2"]["$third_arg"]) |
245 | + else: |
246 | + print(y["$2"]) |
247 | + except yaml.YAMLError as exc: |
248 | + sys.exit(exc) |
249 | +pyscript |
250 | +} |
251 | + |
252 | +function recreate_info() { |
253 | + echo |
254 | + echo "--- To recreate this test run the following: ---" |
255 | + local a="export TPM2_ABRMD=\"$TPM2_ABRMD\"\n" |
256 | + a="$a""export TPM2_SIM=\"$TPM2_SIM\"\n" |
257 | + a="$a""export TPM2ABRMD_TCTI=\"$TPM2ABRMD_TCTI\"\n" |
258 | + a="$a""export TPM2_SIMPORT=\"$TPM2_SIMPORT\"\n" |
259 | + a="$a""export TPM2TOOLS_TEST_TCTI=\"$TPM2TOOLS_TEST_TCTI\"\n" |
260 | + a="$a""export PATH=\"$PATH\"\n" |
261 | + a="$a""TPM2_SIM_NV_CHIP=\"$TPM2_SIM_NV_CHIP\"\n" |
262 | + a="$a""TPM2_TOOLS_TEST_FIXTURES=\"$TPM2_TOOLS_TEST_FIXTURES\"\n" |
263 | + echo "#!/usr/bin/env bash" |
264 | + echo -e "$a" |
265 | + local script="$tpm2_test_original_cwd""/""$0" |
266 | + echo $(realpath "$script") |
267 | + echo "--- EOF ---" |
268 | + echo |
269 | +} |
270 | + |
271 | +tpm2_test_original_cwd="" |
272 | +tpm2_test_cwd="" |
273 | +function switch_to_test_dir() { |
274 | + tpm2_test_original_cwd=`pwd`; |
275 | + tpm2_test_cwd=$(mktemp -d ${TMPDIR:-/tmp}/tpm2_test_XXXXXX) |
276 | + echo "creating simulator working dir: $tpm2_test_cwd" |
277 | + pushd "$tpm2_test_cwd" |
278 | + echo "Switched to CWD: $(pwd)" |
279 | +} |
280 | + |
281 | +function switch_back_from_test_dir() { |
282 | + popd |
283 | +} |
284 | + |
285 | +tpm2_sim_pid="" |
286 | +tpm2_abrmd_pid="" |
287 | +tpm2_tcti_opts="" |
288 | +tpm2tools_tcti="" |
289 | + |
290 | +sock_tool="unknown" |
291 | +OS=$(uname) |
292 | + |
293 | +if [ "$OS" == "Linux" ]; then |
294 | + sock_tool="ss -lntp4" |
295 | +elif [ "$OS" == "FreeBSD" ]; then |
296 | + sock_tool="sockstat -l4" |
297 | +fi |
298 | + |
299 | +function start_sim() { |
300 | + local max_cnt=10 |
301 | + |
302 | + # if a user is specifying the sim port, then only attempt it once |
303 | + if [ -n "$TPM2_SIMPORT" ]; then |
304 | + max_cnt=1 |
305 | + fi |
306 | + |
307 | + while [ $max_cnt -gt 0 ]; do |
308 | + # If either the requested simulator port or the port that will be used |
309 | + # by mssim TCTI which is tpm2_sim_port + 1 is occupied (ESTABLISHED, TIME_WAIT, etc...), |
310 | + # just continue up to 10 retries |
311 | + # (See : https://github.com/tpm2-software/tpm2-tss/blob/master/src/tss2-tcti/tcti-mssim.c:559) |
312 | + if [ -z "$TPM2_SIMPORT" ]; then |
313 | + tpm2_sim_port="$(shuf -i 2321-65534 -n 1)" |
314 | + else |
315 | + tpm2_sim_port=$TPM2_SIMPORT |
316 | + fi |
317 | + tpm2_sim_cmd_port=$((tpm2_sim_port + 1)) |
318 | + echo "Attempting to start simulator on port: $tpm2_sim_port" |
319 | + $TPM2_SIM -port $tpm2_sim_port & |
320 | + tpm2_sim_pid=$! |
321 | + sleep 1 |
322 | + |
323 | + ${sock_tool} 2>/dev/null | grep ${TPM2_SIM} | grep ${tpm2_sim_pid} | grep ${tpm2_sim_port} |
324 | + tpm2_sim_port_rc=$? |
325 | + ${sock_tool} 2>/dev/null | grep ${TPM2_SIM} | grep ${tpm2_sim_pid} | grep ${tpm2_sim_cmd_port} |
326 | + tpm2_sim_cmd_port_rc=$? |
327 | + |
328 | + if [[ $tpm2_sim_port_rc -eq 0 ]] && [[ $tpm2_sim_cmd_port_rc -eq 0 ]]; then |
329 | + echo "Started simulator on port $tpm2_sim_port in dir \"$PWD\"" |
330 | + TPM2_SIMPORT=$tpm2_sim_port |
331 | + # set a possible tools tcti to use mssim |
332 | + tpm2tools_tcti="mssim:host=localhost,port=$TPM2_SIMPORT" |
333 | + echo "tpm2tools_tcti=\"$tpm2tools_tcti\"" |
334 | + return 0 |
335 | + else |
336 | + echo "Could not start simulator at port: $tpm2_sim_port" |
337 | + kill "$tpm2_sim_pid" |
338 | + let "max_cnt=max_cnt-1" |
339 | + echo "Tries left: $max_cnt" |
340 | + fi |
341 | + done |
342 | + |
343 | + echo "Maximum attempts reached. Aborting" |
344 | + return 1 |
345 | +} |
346 | + |
347 | +function start_abrmd() { |
348 | + |
349 | + local tpm2_tabrmd_opts |
350 | + |
351 | + # if we don't have an explicit TCTI to connect to, generate it |
352 | + if [ -z "$TPM2ABRMD_TCTI" ]; then |
353 | + echo "TPM2ABRMD_TCTI is empty, configuring" |
354 | + |
355 | + if [ -z "$TPM2_SIMPORT" ]; then |
356 | + echo "No simulator port found, can not determine ABRMD TCTI conf" |
357 | + return 1 |
358 | + fi |
359 | + |
360 | + # TCTI information for use with ABRMD |
361 | + local name="com.intel.tss2.Tabrmd${TPM2_SIMPORT}" |
362 | + tpm2_tabrmd_opts="--session --dbus-name=$name --tcti=mssim:port=$TPM2_SIMPORT" |
363 | + echo "TPM2ABRMD_TCTI=\"$tpm2_tabrmd_opts\"" |
364 | + TPM2ABRMD_TCTI="$tpm2_tabrmd_opts" |
365 | + fi |
366 | + |
367 | + if [ $UID -eq 0 ]; then |
368 | + tpm2_tabrmd_opts="--allow-root $tpm2_tabrmd_opts" |
369 | + fi |
370 | + |
371 | + echo "tpm2-abrmd command: $TPM2_ABRMD $tpm2_tabrmd_opts $TPM2ABRMD_TCTI" |
372 | + $TPM2_ABRMD $tpm2_tabrmd_opts $TPM2ABRMD_TCTI & |
373 | + tpm2_abrmd_pid=$! |
374 | + sleep 2 |
375 | + |
376 | + if ! kill -0 "$tpm2_abrmd_pid"; then |
377 | + (>&2 echo "Could not start tpm2-abrmd \"$TPM2_ABRMD\", exit code: $?") |
378 | + kill -9 $tpm2_abrmd_pid |
379 | + return 1 |
380 | + fi |
381 | + |
382 | + # set a possible tools tcti to use abrmd |
383 | + tpm2tools_tcti="tabrmd:bus_type=session,bus_name=$name" |
384 | + echo "tpm2tools_tcti=\"$tpm2tools_tcti\"" |
385 | + |
386 | + return 0 |
387 | +} |
388 | + |
389 | +# |
390 | +# This start up routine performs the following actions and should |
391 | +# be called by testing scripts if they need a TCTI. It also outputs |
392 | +# information for how to recreate the test outside of the test harness. |
393 | +# |
394 | +# 1. Start the simulator if specified via env var TPM2_SIM. if TPM2_SIMPORT |
395 | +# is set, it attempts to start the simulator AT that port, else it tries |
396 | +# a random port, and sets TPM2_SIMPORT to the random port if successful. |
397 | +# |
398 | +# 2. Start abrmd if specified via env var TPM2_ABRMD. if TPM2ABRMD_TCTI is |
399 | +# set it starts abrmd using that TCTI, else it uses the value of TPM2_SIMPORT. |
400 | +# |
401 | +# 3. Pick a TCTI for the tools based on: |
402 | +# a) TPM2TOOLS_TEST_TCTI user specified, just use it. |
403 | +# b) TPM2TOOLS_TEST_TCTI not specified, the start_sim and start_anrmd routines |
404 | +# set tpm2tools_tcti variable, so use that. |
405 | +# |
406 | +function start_up() { |
407 | + |
408 | + switch_to_test_dir |
409 | + |
410 | + run_startup=true |
411 | + |
412 | + #if [ -n "$TPM2_SIM" ]; then |
413 | + # # Start the simulator |
414 | + # echo "Starting the simulator" |
415 | + # start_sim || exit 1 |
416 | + # echo "Started the simulator" |
417 | + #else |
418 | + # echo "not starting simulator" |
419 | + #fi |
420 | + # |
421 | + #if [ -n "$TPM2_ABRMD" ]; then |
422 | + # echo "Starting tpm2-abrmd" |
423 | + # # Start tpm2-abrmd |
424 | + # start_abrmd || exit 1 |
425 | + # run_startup=false |
426 | + #else |
427 | + # echo "not starting abrmd" |
428 | + #fi |
429 | + # |
430 | + #echo "TPM2TOOLS_TEST_TCTI=$TPM2TOOLS_TEST_TCTI" |
431 | + #if [ -z "$TPM2TOOLS_TEST_TCTI" ]; then |
432 | + # echo "TPM2TOOLS_TEST_TCTI not set, attempting to figure out default" |
433 | + # if [ -z "$tpm2tools_tcti" ]; then |
434 | + # echo "The simulator not abrmd was started, cannot determine a TCTI for tools." |
435 | + # exit 1; |
436 | + # fi |
437 | + # TPM2TOOLS_TEST_TCTI="$tpm2tools_tcti" |
438 | + #fi |
439 | + # |
440 | + #echo "export TPM2TOOLS_TCTI=\"$TPM2TOOLS_TEST_TCTI\"" |
441 | + export TPM2TOOLS_TCTI="$TPM2TOOLS_TEST_TCTI" |
442 | + |
443 | + #recreate_info |
444 | + |
445 | + #echo "run_startup: $run_startup" |
446 | + |
447 | + if [ $run_startup = true ]; then |
448 | + tpm2_startup -c |
449 | + fi |
450 | + |
451 | + if ! tpm2_clear; then |
452 | + exit 1 |
453 | + fi |
454 | +} |
455 | + |
456 | +function shut_down() { |
457 | + |
458 | + #echo "Shutting down" |
459 | + |
460 | + switch_back_from_test_dir |
461 | + |
462 | + fail=0 |
463 | + if [ -n "$tpm2_abrmd_pid" ]; then |
464 | + if kill -0 "$tpm2_abrmd_pid"; then |
465 | + if ! kill -9 "$tpm2_abrmd_pid"; then |
466 | + (>&2 echo "ERROR: could not kill tpm2_abrmd on pid: $tpm2_abrmd_pid") |
467 | + fail=1 |
468 | + fi |
469 | + else |
470 | + (>&2 echo "WARNING: tpm2_abrmd already stopped ($tpm2_abrmd_pid)") |
471 | + fi |
472 | + fi |
473 | + tpm2_abrmd_pid="" |
474 | + |
475 | + if [ -n "$tpm2_sim_pid" ]; then |
476 | + if kill -0 "$tpm2_sim_pid"; then |
477 | + if ! kill -9 "$tpm2_sim_pid"; then |
478 | + (>&2 echo "ERROR: could not kill tpm2 simulator on pid: $tpm2_sim_pid") |
479 | + fail=1 |
480 | + fi |
481 | + else |
482 | + (>&2 echo "WARNING: TPM simulator already stopped ($tpm2_sim_pid)") |
483 | + fi |
484 | + fi |
485 | + tpm2_sim_pid="" |
486 | + |
487 | + #echo "Removing sim dir: $tpm2_test_cwd" |
488 | + rm -rf "$tpm2_test_cwd" 2>/dev/null |
489 | + |
490 | + if [ $fail -ne 0 ]; then |
491 | + exit 1 |
492 | + fi |
493 | +} |
494 | + |
495 | +# |
496 | +# Set the default EXIT handler to always shut down, tests |
497 | +# can override this. |
498 | +# |
499 | +trap shut_down EXIT |
500 | + |
501 | +# |
502 | +# Set the default on ERR handler to print the line number |
503 | +# and failed command. |
504 | +# |
505 | +onerror() { |
506 | + echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" |
507 | + exit 1 |
508 | +} |
509 | +trap onerror ERR |
510 | + |
511 | +# |
512 | +# print 0 if the list of arguments 1 to n-1 contains the last argument n |
513 | +# print 1 otherwise |
514 | +# |
515 | +function ina() { |
516 | + local n=$# |
517 | + local value=${!n} |
518 | + for ((i=1;i < $#;i++)) { |
519 | + if [ "${!i}" == "${value}" ]; then |
520 | + echo 0 |
521 | + return |
522 | + fi |
523 | + } |
524 | + echo 1 |
525 | +} |
526 | + |
527 | +# Causes a test to skip by exiting with error code 77 |
528 | +# See the automake manual for the exit codes: |
529 | +# https://www.gnu.org/software/automake/manual/html_node/Scripts_002dbased-Testsuites.html |
530 | +function skip_test() { |
531 | + exit 77 |
532 | +} |
533 | + |
534 | +function setup_fapi() { |
535 | + tempdir=`pwd`/$(mktemp -d tss2_fapi.XXXXXX) |
536 | + |
537 | + KEYSTORE_USER=keystore_user |
538 | + KEYSTORE_SYSTEM=keystore_system |
539 | + LOG_DIR=log |
540 | + PROFILE_NAME=P_RSA |
541 | + |
542 | + mkdir -p $tempdir/$KEYSTORE_USER/policy $tempdir/$KEYSTORE_SYSTEM/policy \ |
543 | + $tempdir/$LOG_DIR |
544 | + |
545 | +cat > $tempdir/fapi_config.json <<EOF |
546 | +{ |
547 | + "profile_name": "${PROFILE_NAME}", |
548 | + "profile_dir": "$tempdir/", |
549 | + "user_dir": "$tempdir/${KEYSTORE_USER}", |
550 | + "system_dir": "$tempdir/${KEYSTORE_SYSTEM}", |
551 | + "tcti": "${TPM2TOOLS_TCTI}", |
552 | + "system_pcrs" : [], |
553 | + "ek_cert_less": "yes", |
554 | + "log_dir" : "$tempdir/${LOG_DIR}", |
555 | +} |
556 | +EOF |
557 | + |
558 | + export TSS2_FAPICONF=$tempdir/fapi_config.json |
559 | + export TEMP_DIR=$tempdir |
560 | + |
561 | + PATH=${BUILDDIR}/tools/fapi:$PATH |
562 | + |
563 | + setup_profile $tempdir |
564 | + setup_policies $tempdir |
565 | + resetPCR16 |
566 | + |
567 | +} |
568 | + |
569 | +# Reset PCR 16. Important when using physical TPM |
570 | +function resetPCR16(){ |
571 | + tpm2_pcrreset 16 |
572 | +} |
573 | + |
574 | +function setup_profile() { |
575 | +# Setup Profile |
576 | +cat > $tempdir/${PROFILE_NAME}.json <<EOF |
577 | +{ |
578 | + "type": "TPM2_ALG_RSA", |
579 | + "nameAlg":"TPM2_ALG_SHA256", |
580 | + "srk_template": "system,restricted,decrypt", |
581 | + "srk_persistent": 0, |
582 | + "ek_template": "system,restricted,decrypt", |
583 | + "ecc_signing_scheme": { |
584 | + "scheme":"TPM2_ALG_ECDSA", |
585 | + "details":{ |
586 | + "hashAlg":"TPM2_ALG_SHA256" |
587 | + }, |
588 | + }, |
589 | + "rsa_signing_scheme": { |
590 | + "scheme":"TPM2_ALG_RSAPSS", |
591 | + "details":{ |
592 | + "hashAlg":"TPM2_ALG_SHA256" |
593 | + } |
594 | + }, |
595 | + "rsa_decrypt_scheme": { |
596 | + "scheme":"TPM2_ALG_OAEP", |
597 | + "details":{ |
598 | + "hashAlg":"TPM2_ALG_SHA256" |
599 | + } |
600 | + }, |
601 | + "sym_mode":"TPM2_ALG_CFB", |
602 | + "sym_parameters": { |
603 | + "algorithm":"TPM2_ALG_AES", |
604 | + "keyBits":"128", |
605 | + "mode":"TPM2_ALG_CFB" |
606 | + }, |
607 | + "sym_block_size": 16, |
608 | + "pcr_selection": [ |
609 | + { "hash": "TPM2_ALG_SHA1", |
610 | + "pcrSelect": [ 9, 15, 13 ] |
611 | + }, |
612 | + { "hash": "TPM2_ALG_SHA256", |
613 | + "pcrSelect": [ 8, 16, 14 ] |
614 | + } |
615 | + ], |
616 | + "exponent": 0, |
617 | + "keyBits": 2048 |
618 | +} |
619 | +EOF |
620 | +} |
621 | + |
622 | +function setup_policies() { |
623 | + tempdir=$1 |
624 | + |
625 | +# Setup Policy Authorize |
626 | +cat > $tempdir/pol_authorize.json <<EOF |
627 | +{ |
628 | + "description":"Description pol_authorize", |
629 | + "policy":[ |
630 | + { |
631 | + "type": "POLICYAUTHORIZE", |
632 | + "keyPath": "/HS/SRK/myPolicySignKey" |
633 | + } |
634 | + ] |
635 | +} |
636 | +EOF |
637 | + |
638 | +# Setup Policy Authorize with reference value |
639 | +cat > $tempdir/pol_authorize_ref.json <<EOF |
640 | +{ |
641 | + "description":"Description pol_authorize", |
642 | + "policy":[ |
643 | + { |
644 | + "type": "POLICYAUTHORIZE", |
645 | + "keyPath": "/HS/SRK/myPolicySignKey", |
646 | + "policyRef": "f0f1f2f3f4f5f6f7f8f9" |
647 | + } |
648 | + ] |
649 | +} |
650 | +EOF |
651 | + |
652 | +# Setup Policy Authorize NV |
653 | +cat > $tempdir/pol_authorize_nv.json <<EOF |
654 | +{ |
655 | + "description":"Description pol_authorize_nv", |
656 | + "policy":[ |
657 | + { |
658 | + "type": "POLICYAUTHORIZENV", |
659 | + "nvPath": "/nv/Owner/myNV", |
660 | + } |
661 | + ] |
662 | +} |
663 | +EOF |
664 | + |
665 | +# Setup Policy Duplicate |
666 | +cat > $tempdir/pol_duplicate.json <<EOF |
667 | +{ |
668 | + "description":"Description pol_duplicate", |
669 | + "policy":[ |
670 | + { |
671 | + "type": "POLICYDUPLICATIONSELECT", |
672 | + "newParentPath": "ext/myNewParent", |
673 | + } |
674 | + ] |
675 | +} |
676 | +EOF |
677 | + |
678 | +# Setup Policy PCR |
679 | +cat > $tempdir/pol_pcr16_0.json <<EOF |
680 | +{ |
681 | + "description":"Description pol_16_0", |
682 | + "policy":[ |
683 | + { |
684 | + "type":"POLICYPCR", |
685 | + "pcrs":[ |
686 | + { |
687 | + "pcr":16, |
688 | + "hashAlg":"TPM2_ALG_SHA", |
689 | + "digest":"0000000000000000000000000000000000000000" |
690 | + } |
691 | + ] |
692 | + } |
693 | + ] |
694 | +} |
695 | +EOF |
696 | + |
697 | +# Setup Policy Signed |
698 | +cat > $tempdir/pol_signed.json <<EOF |
699 | +{ |
700 | + "description":"Description pol_signed", |
701 | + "policy":[ |
702 | + { |
703 | + "type": "POLICYSIGNED", |
704 | + "keyPEM": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoGL6IrCSAznmIIzBessI\nmW7tPOUy78uWTIaub32KnYHn78KXprrZ3ykp6WDrOQeMjv4AA+14mJbg77apVYXy\nEnkFdOMa1hszSJnp6cJvx7ILngLvFUxzbVki\/ehvgS3nRk67Njal+nMTe8hpe3UK\nQeV\/Ij+F0r6Yz91W+4LPmncAiUesRZLetI2BZsKwHYRMznmpIYpoua1NtS8QpEXR\nMmsUue19eS\/XRAPmmCfnb5BX2Tn06iCpk6wO+RfMo9etcX5cLSAuIYEQYCvV2\/0X\nTfEw607vttBN0Y54LrVOKno1vRXd5sxyRlfB0WL42F4VG5TfcJo5u1Xq7k9m9K57\n8wIDAQAB\n-----END PUBLIC KEY-----\n" |
705 | + } |
706 | + ] |
707 | +} |
708 | +EOF |
709 | + |
710 | +} |
711 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/activecredential.sh b/data/tpm2-tools-4.1.1/integration/tests/activecredential.sh |
712 | new file mode 100755 |
713 | index 0000000..e079409 |
714 | --- /dev/null |
715 | +++ b/data/tpm2-tools-4.1.1/integration/tests/activecredential.sh |
716 | @@ -0,0 +1,57 @@ |
717 | +# SPDX-License-Identifier: BSD-3-Clause |
718 | + |
719 | +source helpers.sh |
720 | + |
721 | +cleanup() { |
722 | + rm -f secret.data ek.pub ak.pub ak.name mkcred.out actcred.out ak.out \ |
723 | + ak.ctx session.ctx |
724 | + |
725 | + # Evict persistent handles, we want them to always succeed and never trip |
726 | + # the onerror trap. |
727 | + tpm2_evictcontrol -Q -C o -c 0x81010009 2>/dev/null || true |
728 | + |
729 | + if [ "$1" != "no-shut-down" ]; then |
730 | + shut_down |
731 | + fi |
732 | +} |
733 | +trap cleanup EXIT |
734 | + |
735 | +start_up |
736 | + |
737 | +cleanup "no-shut-down" |
738 | + |
739 | +echo 12345678 > secret.data |
740 | + |
741 | +tpm2_createek -Q -c 0x81010009 -G rsa -u ek.pub |
742 | + |
743 | +tpm2_createak -C 0x81010009 -c ak.ctx -G rsa -g sha256 -s rsassa -u ak.pub \ |
744 | +-n ak.name -p akpass> ak.out |
745 | + |
746 | +# Capture the yaml output and verify that its the same as the name output |
747 | +loaded_key_name_yaml=`python3 << pyscript |
748 | +from __future__ import print_function |
749 | + |
750 | +import yaml |
751 | + |
752 | +with open('ak.out', 'r') as f: |
753 | + doc = yaml.safe_load(f) |
754 | + print(doc['loaded-key']['name']) |
755 | +pyscript` |
756 | + |
757 | +# Use -c in xxd so there is no line wrapping |
758 | +file_size=`ls -l ak.name | awk {'print $5'}` |
759 | +loaded_key_name=`cat ak.name | xxd -p -c $file_size` |
760 | + |
761 | +test "$loaded_key_name_yaml" == "$loaded_key_name" |
762 | + |
763 | +tpm2_makecredential -Q -e ek.pub -s secret.data -n $loaded_key_name \ |
764 | +-o mkcred.out |
765 | + |
766 | +TPM2_RH_ENDORSEMENT=0x4000000B |
767 | +tpm2_startauthsession --policy-session -S session.ctx |
768 | +tpm2_policysecret -S session.ctx -c $TPM2_RH_ENDORSEMENT |
769 | +tpm2_activatecredential -Q -c ak.ctx -C 0x81010009 -i mkcred.out \ |
770 | +-o actcred.out -p akpass -P"session:session.ctx" |
771 | +tpm2_flushcontext session.ctx |
772 | + |
773 | +exit 0 |
774 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/attestation.sh b/data/tpm2-tools-4.1.1/integration/tests/attestation.sh |
775 | new file mode 100755 |
776 | index 0000000..fa30d43 |
777 | --- /dev/null |
778 | +++ b/data/tpm2-tools-4.1.1/integration/tests/attestation.sh |
779 | @@ -0,0 +1,113 @@ |
780 | +# SPDX-License-Identifier: BSD-3-Clause |
781 | + |
782 | +source helpers.sh |
783 | + |
784 | +handle_ek=0x81010009 |
785 | +context_ak=ak.ctx |
786 | +handle_nv=0x1500018 |
787 | +handle_hier=0x40000001 |
788 | +ek_alg=rsa |
789 | +ak_alg=rsa |
790 | +digestAlg=sha256 |
791 | +signAlg=rsassa |
792 | +ownerpw=ownerpass |
793 | +endorsepw=endorsepass |
794 | +akpw=akpass |
795 | +rand_pcr_value=6ea40aa7267bb71251c1de1c3605a3df759b86b22fa9f62aa298d4197cd88a38 |
796 | +debug_pcr=16 |
797 | +debug_pcr_list=15,16,22 |
798 | + |
799 | +file_input_data=secret.data |
800 | +file_input_key=nv.data |
801 | +output_ek_pub_pem=ekpub.pem |
802 | +output_ek_pub=ek.pub |
803 | +output_ak_pub_pem=akpub.pem |
804 | +output_ak_pub=ak.pub |
805 | +output_ak_pub_name=ak.name |
806 | +output_mkcredential=mkcred.out |
807 | +output_actcredential=actcred.out |
808 | +output_quote=quote.out |
809 | +output_quotesig=quotesig.out |
810 | +output_quotepcr=quotepcr.out |
811 | + |
812 | +cleanup() { |
813 | + rm -f $file_input_data $file_input_key $output_ek_pub $output_ek_pub_pem \ |
814 | + $output_ak_pub $output_ak_pub_pem $output_ak_pub_name $output_mkcredential \ |
815 | + $output_actcredential $output_quote $output_quotesig $output_quotepcr \ |
816 | + $context_ak rand.out session.ctx |
817 | + |
818 | + tpm2_pcrreset -Q $debug_pcr |
819 | + tpm2_evictcontrol -Q -C o -c $handle_ek -P "$ownerpw" 2>/dev/null || true |
820 | + tpm2_evictcontrol -Q -C o -c $context_ak -P "$ownerpw" 2>/dev/null || true |
821 | + |
822 | + tpm2_nvundefine -Q $handle_nv -C $handle_hier \ |
823 | + -P "$ownerpw" 2>/dev/null || true |
824 | + |
825 | + if [ $(ina "$@" "no-shut-down") -ne 0 ]; then |
826 | + shut_down |
827 | + fi |
828 | +} |
829 | +trap cleanup EXIT |
830 | + |
831 | +start_up |
832 | +cleanup "no-shut-down" |
833 | + |
834 | +echo 12345678 > $file_input_data |
835 | +echo 1234567890123456789012345678901 > $file_input_key |
836 | + |
837 | +getrandom() { |
838 | + loaded_randomness=`tpm2_getrandom --hex $1` |
839 | +} |
840 | + |
841 | +tpm2_changeauth -c o "$ownerpw" |
842 | +tpm2_changeauth -c e "$endorsepw" |
843 | + |
844 | +# Key generation |
845 | +tpm2_createek -Q -c $handle_ek -G $ek_alg -u $output_ek_pub_pem -f pem \ |
846 | +-w "$ownerpw" -P "$endorsepw" |
847 | +tpm2_readpublic -Q -c $handle_ek -o $output_ek_pub |
848 | + |
849 | +tpm2_createak -Q -C $handle_ek -c $context_ak -G $ak_alg -g $digestAlg \ |
850 | +-s $signAlg -u $output_ak_pub_pem -f pem -n $output_ak_pub_name -p "$akpw" \ |
851 | +-P "$endorsepw" |
852 | +tpm2_readpublic -Q -c $context_ak -o $output_ak_pub |
853 | + |
854 | + |
855 | +# Validate keys (registrar) |
856 | +file_size=`ls -l $output_ak_pub_name | awk {'print $5'}` |
857 | +loaded_key_name=`cat $output_ak_pub_name | xxd -p -c $file_size` |
858 | +tpm2_makecredential -Q -T none -e $output_ek_pub -s $file_input_data \ |
859 | +-n $loaded_key_name -o $output_mkcredential |
860 | + |
861 | +TPM2_RH_ENDORSEMENT=0x4000000B |
862 | +tpm2_startauthsession --policy-session -S session.ctx |
863 | +tpm2_policysecret -S session.ctx -c $TPM2_RH_ENDORSEMENT $endorsepw |
864 | +tpm2_activatecredential -Q -c $context_ak -C $handle_ek \ |
865 | +-i $output_mkcredential -o $output_actcredential -p "$akpw" \ |
866 | +-P "session:session.ctx" |
867 | +tpm2_flushcontext session.ctx |
868 | +diff $file_input_data $output_actcredential |
869 | + |
870 | + |
871 | +# Quoting |
872 | +tpm2_pcrreset -Q $debug_pcr |
873 | +tpm2_pcrextend -Q $debug_pcr:sha256=$rand_pcr_value |
874 | +tpm2_pcrread -Q |
875 | +getrandom 20 |
876 | +tpm2_quote -Q -c $context_ak -l $digestAlg:$debug_pcr_list \ |
877 | +-q $loaded_randomness -m $output_quote -s $output_quotesig -o $output_quotepcr \ |
878 | +-g $digestAlg -p "$akpw" |
879 | + |
880 | + |
881 | +# Verify quote |
882 | +tpm2_checkquote -Q -u $output_ak_pub_pem -m $output_quote -s $output_quotesig \ |
883 | +-f $output_quotepcr -g $digestAlg -q $loaded_randomness |
884 | + |
885 | + |
886 | +# Save U key from verifier |
887 | +tpm2_nvdefine -Q $handle_nv -C $handle_hier -s 32 -a "ownerread|ownerwrite" \ |
888 | +-p "indexpass" -P "$ownerpw" |
889 | +tpm2_nvwrite -Q $handle_nv -C $handle_hier -P "$ownerpw" -i $file_input_key |
890 | +tpm2_nvread -Q $handle_nv -C $handle_hier -s 32 -P "$ownerpw" |
891 | + |
892 | +exit 0 |
893 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/certify.sh b/data/tpm2-tools-4.1.1/integration/tests/certify.sh |
894 | new file mode 100755 |
895 | index 0000000..e398815 |
896 | --- /dev/null |
897 | +++ b/data/tpm2-tools-4.1.1/integration/tests/certify.sh |
898 | @@ -0,0 +1,30 @@ |
899 | +# SPDX-License-Identifier: BSD-3-Clause |
900 | + |
901 | +source helpers.sh |
902 | + |
903 | +cleanup() { |
904 | + rm -f primary.ctx certify.ctx certify.pub certify.priv certify.name \ |
905 | + attest.out sig.out &>/dev/null |
906 | + |
907 | + if [ "$1" != "no-shut-down" ]; then |
908 | + shut_down |
909 | + fi |
910 | +} |
911 | +trap cleanup EXIT |
912 | + |
913 | +start_up |
914 | + |
915 | +cleanup "no-shut-down" |
916 | + |
917 | +tpm2_clear -Q |
918 | + |
919 | +tpm2_createprimary -Q -C e -g sha256 -G rsa -c primary.ctx |
920 | + |
921 | +tpm2_create -Q -g sha256 -G rsa -u certify.pub -r certify.priv -C primary.ctx |
922 | + |
923 | +tpm2_load -Q -C primary.ctx -u certify.pub -r certify.priv -n certify.name \ |
924 | +-c certify.ctx |
925 | + |
926 | +tpm2_certify -Q -c primary.ctx -C certify.ctx -g sha256 -o attest.out -s sig.out |
927 | + |
928 | +exit 0 |
929 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/certifycreation.sh b/data/tpm2-tools-4.1.1/integration/tests/certifycreation.sh |
930 | new file mode 100755 |
931 | index 0000000..fb902bf |
932 | --- /dev/null |
933 | +++ b/data/tpm2-tools-4.1.1/integration/tests/certifycreation.sh |
934 | @@ -0,0 +1,63 @@ |
935 | +# SPDX-License-Identifier: BSD-3-Clause |
936 | + |
937 | +source helpers.sh |
938 | + |
939 | +cleanup() { |
940 | + rm -f primary.ctx creation.data creation.digest creation.ticket rsa.pub \ |
941 | + rsa.priv signature.bin attestation.bin sslpub.pem qual.dat sec_key.pub \ |
942 | + sec_key.priv sec_key.ctx |
943 | + |
944 | + if [ "$1" != "no-shut-down" ]; then |
945 | + shut_down |
946 | + fi |
947 | +} |
948 | +trap cleanup EXIT |
949 | + |
950 | +start_up |
951 | + |
952 | +cleanup "no-shut-down" |
953 | + |
954 | +tpm2_clear -Q |
955 | + |
956 | +tpm2_createprimary -C o -c primary.ctx --creation-data creation.data \ |
957 | +-d creation.digest -t creation.ticket -Q |
958 | + |
959 | +tpm2_create -G rsa -u rsa.pub -r rsa.priv -C primary.ctx -c signing_key.ctx -Q |
960 | + |
961 | +tpm2_readpublic -c signing_key.ctx -f pem -o sslpub.pem |
962 | + |
963 | +tpm2_certifycreation -C signing_key.ctx -c primary.ctx -d creation.digest \ |
964 | +-t creation.ticket -g sha256 -o signature.bin --attestation attestation.bin \ |
965 | +-f plain -s rsassa |
966 | + |
967 | +openssl dgst -verify sslpub.pem -keyform pem -sha256 -signature signature.bin \ |
968 | +attestation.bin |
969 | + |
970 | +# |
971 | +# Test with qualifier data |
972 | +# |
973 | +dd if=/dev/urandom of=qual.dat bs=1 count=32 |
974 | + |
975 | +tpm2_certifycreation -C signing_key.ctx -c primary.ctx -d creation.digest \ |
976 | +-t creation.ticket -g sha256 -o signature.bin --attestation attestation.bin \ |
977 | +-f plain -s rsassa -q qual.dat |
978 | + |
979 | +openssl dgst -verify sslpub.pem -keyform pem -sha256 -signature signature.bin \ |
980 | +attestation.bin |
981 | + |
982 | +# |
983 | +# Test certification with non primary keys |
984 | +# |
985 | +tpm2_create -C primary.ctx -u sec_key.pub -r sec_key.priv -t creation.ticket \ |
986 | +-d creation.digest --creation-data creation.data -Q |
987 | + |
988 | +tpm2_load -C primary.ctx -u sec_key.pub -r sec_key.priv -c sec_key.ctx -Q |
989 | + |
990 | +tpm2_certifycreation -C signing_key.ctx -c sec_key.ctx -d creation.digest \ |
991 | +-t creation.ticket -g sha256 -o signature.bin --attestation attestation.bin \ |
992 | +-f plain -s rsassa |
993 | + |
994 | +openssl dgst -verify sslpub.pem -keyform pem -sha256 -signature signature.bin \ |
995 | +attestation.bin |
996 | + |
997 | +exit 0 |
998 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/changeauth.sh b/data/tpm2-tools-4.1.1/integration/tests/changeauth.sh |
999 | new file mode 100755 |
1000 | index 0000000..175e141 |
1001 | --- /dev/null |
1002 | +++ b/data/tpm2-tools-4.1.1/integration/tests/changeauth.sh |
1003 | @@ -0,0 +1,55 @@ |
1004 | +# SPDX-License-Identifier: BSD-3-Clause |
1005 | + |
1006 | +source helpers.sh |
1007 | + |
1008 | +cleanup() { |
1009 | + rm key.ctx key.pub key.priv primary.ctx |
1010 | + |
1011 | + shut_down |
1012 | +} |
1013 | +trap cleanup EXIT |
1014 | + |
1015 | +start_up |
1016 | + |
1017 | +ownerPasswd=abc123 |
1018 | +endorsePasswd=abc123 |
1019 | +lockPasswd=abc123 |
1020 | +new_ownerPasswd=newpswd |
1021 | +new_endorsePasswd=newpswd |
1022 | +new_lockPasswd=newpswd |
1023 | + |
1024 | +tpm2_clear |
1025 | + |
1026 | +tpm2_changeauth -c o $ownerPasswd |
1027 | +tpm2_changeauth -c e $endorsePasswd |
1028 | +tpm2_changeauth -c l $lockPasswd |
1029 | + |
1030 | +tpm2_changeauth -c o -p $ownerPasswd $new_ownerPasswd |
1031 | +tpm2_changeauth -c e -p $endorsePasswd $new_endorsePasswd |
1032 | +tpm2_changeauth -c l -p $lockPasswd $new_lockPasswd |
1033 | + |
1034 | +tpm2_clear $new_lockPasswd |
1035 | + |
1036 | +tpm2_changeauth -c o $ownerPasswd |
1037 | +tpm2_changeauth -c e $endorsePasswd |
1038 | +tpm2_changeauth -c l $lockPasswd |
1039 | + |
1040 | +tpm2_clear $lockPasswd |
1041 | + |
1042 | +# Test changing an objects auth |
1043 | +tpm2_createprimary -Q -C o -c primary.ctx |
1044 | +tpm2_create -Q -C primary.ctx -p foo -u key.pub -r key.priv |
1045 | +tpm2_load -Q -C primary.ctx -u key.pub -r key.priv -c key.ctx |
1046 | +tpm2_changeauth -C primary.ctx -p foo -c key.ctx -r new.priv bar |
1047 | + |
1048 | +# Test changing an NV index auth |
1049 | +tpm2_startauthsession -S session.ctx |
1050 | +tpm2_policycommandcode -S session.ctx -L policy.nvchange TPM2_CC_NV_ChangeAuth |
1051 | +tpm2_flushcontext session.ctx |
1052 | +NVIndex=0x1500015 |
1053 | +tpm2_nvdefine $NVIndex -C o -s 32 -a "authread|authwrite" -L policy.nvchange |
1054 | +tpm2_startauthsession --policy-session -S session.ctx |
1055 | +tpm2_policycommandcode -S session.ctx -L policy.nvchange TPM2_CC_NV_ChangeAuth |
1056 | +tpm2_changeauth -p session:session.ctx -c $NVIndex newindexauth |
1057 | + |
1058 | +exit 0 |
1059 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/checkquote.sh b/data/tpm2-tools-4.1.1/integration/tests/checkquote.sh |
1060 | new file mode 100755 |
1061 | index 0000000..401c028 |
1062 | --- /dev/null |
1063 | +++ b/data/tpm2-tools-4.1.1/integration/tests/checkquote.sh |
1064 | @@ -0,0 +1,62 @@ |
1065 | +# SPDX-License-Identifier: BSD-3-Clause |
1066 | + |
1067 | +source helpers.sh |
1068 | + |
1069 | +handle_ek=0x81010009 |
1070 | +handle_ak=0x8101000a |
1071 | +ek_alg=rsa |
1072 | +ak_alg=rsa |
1073 | +digestAlg=sha256 |
1074 | +signAlg=rsassa |
1075 | +akpw=akpass |
1076 | +ak_ctx=ak.ctx |
1077 | + |
1078 | +output_ek_pub_pem=ekpub.pem |
1079 | +output_ak_pub_pem=akpub.pem |
1080 | +output_ak_pub_name=ak.name |
1081 | +output_quote=quote.out |
1082 | +output_quotesig=quotesig.out |
1083 | +output_quotepcr=quotepcr.out |
1084 | + |
1085 | +cleanup() { |
1086 | + rm -f $output_ek_pub_pem $output_ak_pub_pem $output_ak_pub_name \ |
1087 | + $output_quote $output_quotesig $output_quotepcr rand.out $ak_ctx |
1088 | + |
1089 | + tpm2_pcrreset 16 |
1090 | + tpm2_evictcontrol -C o -c $handle_ek 2>/dev/null || true |
1091 | + tpm2_evictcontrol -C o -c $handle_ak 2>/dev/null || true |
1092 | + |
1093 | + if [ $(ina "$@" "no-shut-down") -ne 0 ]; then |
1094 | + shut_down |
1095 | + echo "shutdown" |
1096 | + fi |
1097 | +} |
1098 | +trap cleanup EXIT |
1099 | + |
1100 | +start_up |
1101 | + |
1102 | +cleanup "no-shut-down" |
1103 | + |
1104 | +getrandom() { |
1105 | + tpm2_getrandom -o rand.out $1 |
1106 | + local file_size=`ls -l rand.out | awk {'print $5'}` |
1107 | + loaded_randomness=`cat rand.out | xxd -p -c $file_size` |
1108 | +} |
1109 | + |
1110 | +# Key generation |
1111 | +tpm2_createek -c $handle_ek -G $ek_alg -u $output_ek_pub_pem -f pem |
1112 | + |
1113 | +tpm2_createak -C $handle_ek -c $ak_ctx -G $ak_alg -g $digestAlg -s $signAlg \ |
1114 | +-u $output_ak_pub_pem -f pem -n $output_ak_pub_name -p "$akpw" |
1115 | +tpm2_evictcontrol -Q -c $ak_ctx $handle_ak |
1116 | + |
1117 | +# Quoting |
1118 | +getrandom 20 |
1119 | +tpm2_quote -c $handle_ak -l sha256:15,16,22 -q $loaded_randomness \ |
1120 | +-m $output_quote -s $output_quotesig -o $output_quotepcr -g $digestAlg -p "$akpw" |
1121 | + |
1122 | +# Verify quote |
1123 | +tpm2_checkquote -u $output_ak_pub_pem -m $output_quote -s $output_quotesig \ |
1124 | +-f $output_quotepcr -g $digestAlg -q $loaded_randomness |
1125 | + |
1126 | +exit 0 |
1127 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/clear.sh b/data/tpm2-tools-4.1.1/integration/tests/clear.sh |
1128 | new file mode 100755 |
1129 | index 0000000..bf7ba76 |
1130 | --- /dev/null |
1131 | +++ b/data/tpm2-tools-4.1.1/integration/tests/clear.sh |
1132 | @@ -0,0 +1,37 @@ |
1133 | +# SPDX-License-Identifier: BSD-3-Clause |
1134 | + |
1135 | +source helpers.sh |
1136 | + |
1137 | +cleanup() { |
1138 | + |
1139 | + shut_down |
1140 | +} |
1141 | +trap cleanup EXIT |
1142 | + |
1143 | +start_up |
1144 | + |
1145 | +lockPasswd=lockoutpass |
1146 | +platPasswd=platformpass |
1147 | + |
1148 | +#Test tpm2_clear works with blank lockout auth as default |
1149 | +tpm2_clear |
1150 | + |
1151 | +#Test tpm2_clear works with non-empy lockout auth as default |
1152 | +tpm2_changeauth -c l $lockPasswd |
1153 | +tpm2_clear $lockPasswd |
1154 | + |
1155 | +#Test tpm2_clear works with non-empy lockout auth and specified auth hierarchy |
1156 | +tpm2_changeauth -c l $lockPasswd |
1157 | +tpm2_clear -c l $lockPasswd |
1158 | + |
1159 | +# XXX non-empy platform auth does not work with 4.1.1 (S. PINEAU 20/04/17) |
1160 | +exit 0 |
1161 | + |
1162 | +#Test tpm2_clear works with non-empy platform auth and specified auth hierarchy |
1163 | +tpm2_changeauth -c p $platPasswd |
1164 | +tpm2_clear -c p $platPasswd |
1165 | + |
1166 | +#Undo change of platform auth |
1167 | +tpm2_changeauth -c p -p $platPasswd |
1168 | + |
1169 | +exit 0 |
1170 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/clockrateadjust.sh b/data/tpm2-tools-4.1.1/integration/tests/clockrateadjust.sh |
1171 | new file mode 100755 |
1172 | index 0000000..d8bc6cb |
1173 | --- /dev/null |
1174 | +++ b/data/tpm2-tools-4.1.1/integration/tests/clockrateadjust.sh |
1175 | @@ -0,0 +1,60 @@ |
1176 | +# SPDX-License-Identifier: BSD-3-Clause |
1177 | + |
1178 | +source helpers.sh |
1179 | + |
1180 | +cleanup() { |
1181 | + tpm2_changeauth -c o -p newowner 2>/dev/null || true |
1182 | + tpm2_changeauth -c p -p newplatform 2>/dev/null || true |
1183 | + |
1184 | + rm -f clock.yaml |
1185 | + |
1186 | + if [ "$1" != "no-shut-down" ]; then |
1187 | + shut_down |
1188 | + fi |
1189 | +} |
1190 | +trap cleanup EXIT |
1191 | + |
1192 | +start_up |
1193 | + |
1194 | +tpm2_clockrateadjust s |
1195 | +tpm2_clockrateadjust ss |
1196 | +tpm2_clockrateadjust sss |
1197 | + |
1198 | +tpm2_clockrateadjust f |
1199 | +tpm2_clockrateadjust ff |
1200 | +tpm2_clockrateadjust fff |
1201 | + |
1202 | +# validate hierarchies and passwords |
1203 | +tpm2_changeauth -c o newowner |
1204 | +# XXX tpm2_changeauth -c p newplatform |
1205 | + |
1206 | +tpm2_clockrateadjust -c o -p newowner ss |
1207 | +# XXX tpm2_clockrateadjust -c p -p newplatform ff |
1208 | + |
1209 | +trap - err |
1210 | + |
1211 | +tpm2_clockrateadjust -c o -p newowner ssss |
1212 | +if [ $? -eq 0 ]; then |
1213 | + echo "expected ssss to fail" |
1214 | + exit 1 |
1215 | +fi |
1216 | + |
1217 | +tpm2_clockrateadjust -c o -p newowner sfss |
1218 | +if [ $? -eq 0 ]; then |
1219 | + echo "expected ssss to fail" |
1220 | + exit 1 |
1221 | +fi |
1222 | + |
1223 | +tpm2_clockrateadjust -c o -p newowner sfs |
1224 | +if [ $? -eq 0 ]; then |
1225 | + echo "expected sfs to fail" |
1226 | + exit 1 |
1227 | +fi |
1228 | + |
1229 | +tpm2_clockrateadjust -c o -p newowner qqq |
1230 | +if [ $? -eq 0 ]; then |
1231 | + echo "expected qqq to fail" |
1232 | + exit 1 |
1233 | +fi |
1234 | + |
1235 | +exit 0 |
1236 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/create.sh b/data/tpm2-tools-4.1.1/integration/tests/create.sh |
1237 | new file mode 100755 |
1238 | index 0000000..f41e660 |
1239 | --- /dev/null |
1240 | +++ b/data/tpm2-tools-4.1.1/integration/tests/create.sh |
1241 | @@ -0,0 +1,107 @@ |
1242 | +# SPDX-License-Identifier: BSD-3-Clause |
1243 | + |
1244 | +source helpers.sh |
1245 | + |
1246 | +cleanup() { |
1247 | + rm -f key.pub key.priv policy.bin out.pub key.ctx |
1248 | + |
1249 | + if [ $(ina "$@" "keep-context") -ne 0 ]; then |
1250 | + rm -f context.out |
1251 | + fi |
1252 | + |
1253 | + rm -f key*.ctx out.yaml |
1254 | + |
1255 | + if [ $(ina "$@" "no-shut-down") -ne 0 ]; then |
1256 | + shut_down |
1257 | + fi |
1258 | +} |
1259 | +trap cleanup EXIT |
1260 | + |
1261 | +start_up |
1262 | + |
1263 | +cleanup "no-shut-down" |
1264 | + |
1265 | +tpm2_createprimary -Q -C o -g sha1 -G rsa -c context.out |
1266 | + |
1267 | +# Keep the algorithm specifiers mixed to test friendly and raw |
1268 | +# values. |
1269 | +for gAlg in `populate_hash_algs`; do |
1270 | + for GAlg in rsa keyedhash ecc aes; do |
1271 | + echo "tpm2_create -Q -C context.out -g $gAlg -G $GAlg -u key.pub \ |
1272 | + -r key.priv" |
1273 | + tpm2_create -Q -C context.out -g $gAlg -G $GAlg -u key.pub -r key.priv |
1274 | + cleanup "keep-context" "no-shut-down" |
1275 | + done |
1276 | +done |
1277 | + |
1278 | +cleanup "keep-context" "no-shut-down" |
1279 | + |
1280 | +policy_orig=f28230c080bbe417141199e36d18978228d8948fc10a6a24921b9eba6bb1d988 |
1281 | +echo "$policy_orig" | xxd -r -p > policy.bin |
1282 | + |
1283 | +tpm2_create -C context.out -g sha256 -G rsa -L policy.bin -u key.pub \ |
1284 | +-r key.priv -a 'sign|fixedtpm|fixedparent|sensitivedataorigin' > out.pub |
1285 | + |
1286 | +policy_new=$(yaml_get_kv out.pub "authorization policy") |
1287 | + |
1288 | +test "$policy_orig" == "$policy_new" |
1289 | + |
1290 | +# |
1291 | +# Test the extended format specifiers |
1292 | +# |
1293 | +# aes128cfb (mandatory for PCClient TPMs) |
1294 | +tpm2_create -Q -C context.out -g sha256 -G aes128cfb -u key.pub -r key.priv |
1295 | +tpm2_load -Q -C context.out -u key.pub -r key.priv -c key1.ctx |
1296 | +tpm2_readpublic -c key1.ctx > out.yaml |
1297 | +keybits=$(yaml_get_kv out.yaml "sym-keybits") |
1298 | +mode=$(yaml_get_kv out.yaml "sym-mode" "value") |
1299 | +test "$keybits" -eq "128" |
1300 | +test "$mode" == "cfb" |
1301 | + |
1302 | +# aes256ofb (if supported) |
1303 | +if is_alg_supported aes256ofb; then |
1304 | + mode="$(populate_alg_modes $strongest_aes | head -n1)" # e.g. aes128ecb |
1305 | + tpm2_create -Q -C context.out -g sha256 -G aes256ofb -u key.pub -r key.priv |
1306 | + tpm2_load -Q -C context.out -u key.pub -r key.priv -c key2.ctx |
1307 | + tpm2_readpublic -c key2.ctx > out.yaml |
1308 | + keybits=$(yaml_get_kv out.yaml "sym-keybits") |
1309 | + mode=$(yaml_get_kv out.yaml "sym-mode" "value") |
1310 | + test "$keybits" -eq "256" |
1311 | + test "$mode" == "ofb" |
1312 | +fi |
1313 | + |
1314 | +exit 0 |
1315 | + |
1316 | +# |
1317 | +# Test scheme support |
1318 | +# |
1319 | + |
1320 | +for alg in "rsa1024:rsaes" "ecc384:ecdaa4-sha256"; do |
1321 | + if is_alg_supported $alg; then |
1322 | + tpm2_create -Q -C context.out -g sha256 -G "$alg" -u key.pub -r key.priv |
1323 | + fi |
1324 | +done |
1325 | + |
1326 | +# Test createloaded support |
1327 | +tpm2_create -C context.out -u key.pub -r key.priv -c key.ctx |
1328 | +tpm2_readpublic -c key.ctx 2>/dev/null |
1329 | + |
1330 | +# Test that creation data has the specified outside info |
1331 | +tpm2_createprimary -C o -c prim.ctx -Q |
1332 | + |
1333 | +dd if=/dev/urandom of=outside.info bs=1 count=32 |
1334 | +tpm2_create -C prim.ctx -u key.pub -r key.priv --creation-data creation.data \ |
1335 | +-q outside.info -Q |
1336 | + |
1337 | +xxd -p creation.data | tr -d '\n' | grep `xxd -p outside.info | tr -d '\n'` |
1338 | + |
1339 | +# Test that selected pcrs digest is present in the creation data |
1340 | +tpm2_pcrread sha256:0 -o pcr_data.bin |
1341 | + |
1342 | +tpm2_create -C prim.ctx -u key.pub -r key.priv --creation-data creation.data \ |
1343 | +-l sha256:0 -Q |
1344 | + |
1345 | +xxd -p creation.data | tr -d '\n' | \ |
1346 | +grep `cat pcr_data.bin | openssl dgst -sha256 -binary | xxd -p | tr -d '\n'` |
1347 | + |
1348 | +exit 0 |
1349 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/createak.sh b/data/tpm2-tools-4.1.1/integration/tests/createak.sh |
1350 | new file mode 100755 |
1351 | index 0000000..7e922c7 |
1352 | --- /dev/null |
1353 | +++ b/data/tpm2-tools-4.1.1/integration/tests/createak.sh |
1354 | @@ -0,0 +1,44 @@ |
1355 | +# SPDX-License-Identifier: BSD-3-Clause |
1356 | + |
1357 | +source helpers.sh |
1358 | + |
1359 | +cleanup() { |
1360 | + rm -f ek.pub ak.pub ak.name ak.name ak.log |
1361 | + |
1362 | + # Evict persistent handles, we want them to always succeed and never trip |
1363 | + # the onerror trap. |
1364 | + tpm2_evictcontrol -Q -C o -c 0x8101000b 2>/dev/null || true |
1365 | + tpm2_evictcontrol -Q -C o -c 0x8101000c 2>/dev/null || true |
1366 | + |
1367 | + # clear tpm state |
1368 | + tpm2_clear |
1369 | + |
1370 | + if [ "$1" != "no-shut-down" ]; then |
1371 | + shut_down |
1372 | + fi |
1373 | +} |
1374 | +trap cleanup EXIT |
1375 | + |
1376 | +start_up |
1377 | + |
1378 | +cleanup "no-shut-down" |
1379 | + |
1380 | +tpm2_createek -Q -c 0x8101000b -G rsa -u ek.pub |
1381 | + |
1382 | +tpm2_createak -Q -C 0x8101000b -c ak.ctx -G rsa -g sha256 -s rsassa -u ak.pub \ |
1383 | +-n ak.name |
1384 | + |
1385 | +# Find a vacant persistent handle |
1386 | +tpm2_createak -C 0x8101000b -c ak.ctx -G rsa -g sha256 -s rsassa -u ak.pub \ |
1387 | +-n ak.name |
1388 | +tpm2_evictcontrol -c ak.ctx > ak.log |
1389 | +phandle=`yaml_get_kv ak.log "persistent-handle"` |
1390 | +tpm2_evictcontrol -Q -C o -c $phandle |
1391 | + |
1392 | +# Test tpm2_createak with endorsement password |
1393 | +cleanup "no-shut-down" |
1394 | +tpm2_changeauth -c e endauth |
1395 | +tpm2_createek -Q -P endauth -c 0x8101000b -G rsa -u ek.pub |
1396 | +tpm2_createak -Q -P endauth -C 0x8101000b -c ak.ctx -G rsa -u ak.pub -n ak.name |
1397 | + |
1398 | +exit 0 |
1399 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/createek.sh b/data/tpm2-tools-4.1.1/integration/tests/createek.sh |
1400 | new file mode 100755 |
1401 | index 0000000..b632216 |
1402 | --- /dev/null |
1403 | +++ b/data/tpm2-tools-4.1.1/integration/tests/createek.sh |
1404 | @@ -0,0 +1,56 @@ |
1405 | +# SPDX-License-Identifier: BSD-3-Clause |
1406 | + |
1407 | +source helpers.sh |
1408 | + |
1409 | +cleanup() { |
1410 | + rm -f ek.pub ek.log ek.template ek.nonce ek.ctx |
1411 | + |
1412 | + # Evict persistent handles, we want them to always succeed and never trip |
1413 | + # the onerror trap. |
1414 | + tpm2_evictcontrol -Q -C o -c 0x81010005 2>/dev/null || true |
1415 | + |
1416 | + if [ "$1" != "no-shut-down" ]; then |
1417 | + shut_down |
1418 | + fi |
1419 | +} |
1420 | +trap cleanup EXIT |
1421 | + |
1422 | +start_up |
1423 | + |
1424 | +cleanup "no-shut-down" |
1425 | + |
1426 | +tpm2_createek -c 0x81010005 -G rsa -u ek.pub |
1427 | + |
1428 | +cleanup "no-shut-down" |
1429 | + |
1430 | +tpm2_createek -c - -G rsa -u ek.pub > ek.log |
1431 | +phandle=`yaml_get_kv ek.log "persistent-handle"` |
1432 | +tpm2_evictcontrol -Q -C o -c $phandle |
1433 | + |
1434 | +cleanup "no-shut-down" |
1435 | + |
1436 | +tpm2_createek -G rsa -u ek.pub -c ek.ctx |
1437 | + |
1438 | +cleanup "no-shut-down" |
1439 | + |
1440 | +ek_nonce_index=0x01c00003 |
1441 | +ek_template_index=0x01c00004 |
1442 | + |
1443 | +# Define RSA EK template |
1444 | +nbytes=$(wc -c $TPM2_TOOLS_TEST_FIXTURES/ek-template-default.bin | awk {'print $1'}) |
1445 | +tpm2_nvdefine -Q $ek_template_index -C o -s $nbytes \ |
1446 | +-a "ownerread|policywrite|ownerwrite" |
1447 | +tpm2_nvwrite -Q $ek_template_index -C o \ |
1448 | +-i $TPM2_TOOLS_TEST_FIXTURES/ek-template-default.bin |
1449 | + |
1450 | +# Define RSA EK nonce |
1451 | +echo -n -e '\0' > ek.nonce |
1452 | +tpm2_nvdefine -Q $ek_nonce_index -C o -s 1 \ |
1453 | +-a "ownerread|policywrite|ownerwrite" |
1454 | +tpm2_nvwrite -Q $ek_nonce_index -C o -i ek.nonce |
1455 | + |
1456 | +tpm2_createek -t -G rsa -u ek.pub -c ek.ctx |
1457 | + |
1458 | +cleanup "no-shut-down" |
1459 | + |
1460 | +exit 0 |
1461 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/createpolicy.sh b/data/tpm2-tools-4.1.1/integration/tests/createpolicy.sh |
1462 | new file mode 100755 |
1463 | index 0000000..7828dd0 |
1464 | --- /dev/null |
1465 | +++ b/data/tpm2-tools-4.1.1/integration/tests/createpolicy.sh |
1466 | @@ -0,0 +1,48 @@ |
1467 | +# SPDX-License-Identifier: BSD-3-Clause |
1468 | + |
1469 | +source helpers.sh |
1470 | + |
1471 | +###this script use for test the implementation tpm2_createpolicy |
1472 | + |
1473 | +cleanup() { |
1474 | + rm -f pcr.in policy.out |
1475 | + |
1476 | + if [ "$1" != "no-shut-down" ]; then |
1477 | + shut_down |
1478 | + fi |
1479 | +} |
1480 | +trap cleanup EXIT |
1481 | + |
1482 | +start_up |
1483 | + |
1484 | +declare -A digestlengths=\ |
1485 | +([sha1]=20 |
1486 | + [sha256]=32) |
1487 | +declare -A expected_policy_digest=\ |
1488 | +([sha1]=f28230c080bbe417141199e36d18978228d8948fc10a6a24921b9eba6bb1d988 |
1489 | + [sha256]=33e36e786c878632494217c3f490e74ca0a3a122a8a4f3c5302500df3b32b3b8) |
1490 | + |
1491 | +tpm2_pcrread -V sha1 |
1492 | + |
1493 | +for halg in ${!digestlengths[@]} |
1494 | +do |
1495 | + cleanup "no-shut-down" |
1496 | + |
1497 | + # Create file containing expected PCR value |
1498 | + head -c $((${digestlengths[$halg]} - 1)) /dev/zero > pcr.in |
1499 | + echo -n -e '\x03' >> pcr.in |
1500 | + |
1501 | + tpm2_createpolicy --policy-pcr -l $halg:0 -f pcr.in -L policy.out |
1502 | + |
1503 | + # Test the policy creation hashes against expected |
1504 | + if [ $(xxd -p policy.out | tr -d '\n' ) != \ |
1505 | + "${expected_policy_digest[${halg}]}" ]; then |
1506 | + echo "Failure: Creating Policy Digest with PCR policy for index 0 and \ |
1507 | + ${halg} pcr index hash" |
1508 | + echo "Got: $(xxd -p policy.out | tr -d '\n')" |
1509 | + echo "Expected: ${expected_policy_digest[${halg}]}" |
1510 | + exit 1 |
1511 | + fi |
1512 | +done |
1513 | + |
1514 | +exit 0 |
1515 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/createprimary.sh b/data/tpm2-tools-4.1.1/integration/tests/createprimary.sh |
1516 | new file mode 100755 |
1517 | index 0000000..fc268e5 |
1518 | --- /dev/null |
1519 | +++ b/data/tpm2-tools-4.1.1/integration/tests/createprimary.sh |
1520 | @@ -0,0 +1,90 @@ |
1521 | +# SPDX-License-Identifier: BSD-3-Clause |
1522 | + |
1523 | +source helpers.sh |
1524 | + |
1525 | +start_up |
1526 | + |
1527 | +cleanup() { |
1528 | + |
1529 | + rm -f policy.bin obj.pub pub.out primary.ctx |
1530 | + |
1531 | + if [ $(ina "$@" "keep-context") -ne 0 ]; then |
1532 | + rm -f context.out |
1533 | + fi |
1534 | + |
1535 | + if [ $(ina "$@" "no-shut-down") -ne 0 ]; then |
1536 | + shut_down |
1537 | + fi |
1538 | +} |
1539 | +trap cleanup EXIT |
1540 | + |
1541 | +cleanup "no-shut-down" |
1542 | + |
1543 | +# Keep the algorithm specifiers mixed to test friendly and raw |
1544 | +# values. |
1545 | +for gAlg in `populate_hash_algs 'and alg != "keyedhash"'`; do |
1546 | + for GAlg in rsa xor ecc aes; do |
1547 | + echo tpm2_createprimary -Q -g $gAlg -G $GAlg -c context.out |
1548 | + tpm2_createprimary -Q -g $gAlg -G $GAlg -c context.out |
1549 | + cleanup "no-shut-down" "keep-context" |
1550 | + for Atype in o e n; do |
1551 | + tpm2_createprimary -Q -C $Atype -g $gAlg -G $GAlg -c context.out |
1552 | + cleanup "no-shut-down" "keep-context" |
1553 | + done |
1554 | + done |
1555 | +done |
1556 | + |
1557 | +policy_orig=f28230c080bbe417141199e36d18978228d8948fc10a6a24921b9eba6bb1d988 |
1558 | + |
1559 | +#test for createprimary objects with policy authorization structures |
1560 | +echo -n "$policy_orig" | xxd -r -p > policy.bin |
1561 | + |
1562 | +tpm2_createprimary -Q -C o -G rsa -g sha256 -c context.out -L policy.bin \ |
1563 | + -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin' |
1564 | + |
1565 | +tpm2_readpublic -c context.out > pub.out |
1566 | + |
1567 | +policy_new=$(yaml_get_kv pub.out "authorization policy") |
1568 | + |
1569 | +test "$policy_orig" == "$policy_new" |
1570 | + |
1571 | +# Test that -u can be specified to pass a TPMU_PUBLIC_ID union |
1572 | +# in this case TPM2B_PUBLIC_KEY_RSA (256 bytes of zero) |
1573 | +printf '\x00\x01' > ud.1 |
1574 | +dd if=/dev/zero bs=256 count=1 of=ud.2 |
1575 | +cat ud.1 ud.2 > unique.dat |
1576 | +tpm2_createprimary -C o -G rsa2048:aes128cfb -g sha256 -c prim.ctx \ |
1577 | +-a "restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|\ |
1578 | +noda" -u unique.dat |
1579 | +test -f prim.ctx |
1580 | + |
1581 | +# Test that -g/-G do not need to be specified. |
1582 | +tpm2_createprimary -Q -c context.out |
1583 | + |
1584 | +# Test that -o does not need to be specified. |
1585 | +tpm2_createprimary -Q |
1586 | + |
1587 | +# Test that creation data has the specified outside info |
1588 | +dd if=/dev/urandom of=outside.info bs=1 count=32 |
1589 | + |
1590 | +tpm2_createprimary -C o -c context.out --creation-data creation.data \ |
1591 | +-q outside.info |
1592 | + |
1593 | +xxd -p creation.data | tr -d '\n' | grep `xxd -p outside.info | tr -d '\n'` |
1594 | + |
1595 | +# Test that selected pcrs digest is present in the creation data |
1596 | +tpm2_pcrread sha256:0 -o pcr_data.bin |
1597 | + |
1598 | +tpm2_createprimary -C o -c context.out --creation-data creation.data \ |
1599 | +-l sha256:0 |
1600 | + |
1601 | +xxd -p creation.data | tr -d '\n' | \ |
1602 | +grep `cat pcr_data.bin | openssl dgst -sha256 -binary | xxd -p | tr -d '\n'` |
1603 | + |
1604 | +# Test for session leaks |
1605 | +BEFORE=$(tpm2_getcap handles-loaded-session; tpm2_getcap handles-saved-session) |
1606 | +tpm2_createprimary -Q |
1607 | +AFTER=$(tpm2_getcap handles-loaded-session; tpm2_getcap handles-saved-session) |
1608 | +test "${BEFORE}" = "${AFTER}" |
1609 | + |
1610 | +exit 0 |
1611 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/dictionarylockout.sh b/data/tpm2-tools-4.1.1/integration/tests/dictionarylockout.sh |
1612 | new file mode 100755 |
1613 | index 0000000..f8e7b98 |
1614 | --- /dev/null |
1615 | +++ b/data/tpm2-tools-4.1.1/integration/tests/dictionarylockout.sh |
1616 | @@ -0,0 +1,42 @@ |
1617 | +# SPDX-License-Identifier: BSD-3-Clause |
1618 | + |
1619 | +###this script use for test the implementation tpm2_dictionarylockout |
1620 | + |
1621 | +source helpers.sh |
1622 | + |
1623 | +out=out.yaml |
1624 | + |
1625 | +cleanup() { |
1626 | + rm -f $out |
1627 | + shut_down |
1628 | +} |
1629 | +trap cleanup EXIT |
1630 | + |
1631 | +start_up |
1632 | + |
1633 | +tpm2_dictionarylockout -Q -V -c &>/dev/null |
1634 | + |
1635 | +tpm2_dictionarylockout -s -n 5 -t 6 -l 7 |
1636 | + |
1637 | +tpm2_getcap properties-variable > $out |
1638 | +v=$(yaml_get_kv "$out" "TPM2_PT_MAX_AUTH_FAIL") |
1639 | +if [ $v -ne 5 ];then |
1640 | + echo "Failure: setting up the number of allowed tries in the lockout \ |
1641 | + parameters" |
1642 | + exit 1 |
1643 | +fi |
1644 | + |
1645 | +v=$(yaml_get_kv "$out" "TPM2_PT_LOCKOUT_INTERVAL") |
1646 | +if [ $v -ne 6 ];then |
1647 | + echo "Failure: setting up the lockout period in the lockout parameters" |
1648 | + exit 1 |
1649 | +fi |
1650 | + |
1651 | +v=$(yaml_get_kv "$out" "TPM2_PT_LOCKOUT_RECOVERY") |
1652 | +if [ $v -ne 7 ];then |
1653 | + echo "Failure: setting up the lockout recovery period in the lockout \ |
1654 | + parameters" |
1655 | + exit 1 |
1656 | +fi |
1657 | + |
1658 | +exit 0 |
1659 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/duplicate.sh b/data/tpm2-tools-4.1.1/integration/tests/duplicate.sh |
1660 | new file mode 100755 |
1661 | index 0000000..67becd6 |
1662 | --- /dev/null |
1663 | +++ b/data/tpm2-tools-4.1.1/integration/tests/duplicate.sh |
1664 | @@ -0,0 +1,125 @@ |
1665 | +# SPDX-License-Identifier: BSD-3-Clause |
1666 | + |
1667 | +source helpers.sh |
1668 | + |
1669 | +cleanup() { |
1670 | + rm -f primary.ctx new_parent.prv new_parent.pub new_parent.ctx policy.dat \ |
1671 | + session.dat key.prv key.pub key.ctx duppriv.bin dupseed.dat key2.prv \ |
1672 | + key2.pub key2.ctx sym_key_in.bin |
1673 | + |
1674 | + if [ "$1" != "no-shut-down" ]; then |
1675 | + shut_down |
1676 | + fi |
1677 | +} |
1678 | +trap cleanup EXIT |
1679 | + |
1680 | +start_up |
1681 | + |
1682 | +create_duplication_policy() { |
1683 | + tpm2_startauthsession -Q -S session.dat |
1684 | + tpm2_policycommandcode -Q -S session.dat -L policy.dat TPM2_CC_Duplicate |
1685 | + tpm2_flushcontext -Q session.dat |
1686 | + rm session.dat |
1687 | +} |
1688 | + |
1689 | +start_duplication_session() { |
1690 | + tpm2_startauthsession -Q --policy-session -S session.dat |
1691 | + tpm2_policycommandcode -Q -S session.dat -L policy.dat TPM2_CC_Duplicate |
1692 | +} |
1693 | + |
1694 | +end_duplication_session() { |
1695 | + tpm2_flushcontext -Q session.dat |
1696 | + rm session.dat |
1697 | +} |
1698 | + |
1699 | +dump_duplication_session() { |
1700 | + rm session.dat |
1701 | +} |
1702 | + |
1703 | +dd if=/dev/urandom of=sym_key_in.bin bs=1 count=16 status=none |
1704 | + |
1705 | +tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx |
1706 | + |
1707 | +# Create a new parent, we will only use the public portion |
1708 | +tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r new_parent.prv \ |
1709 | +-u new_parent.pub -a "decrypt|fixedparent|fixedtpm|restricted|\ |
1710 | +sensitivedataorigin" |
1711 | + |
1712 | +# Create the key we want to duplicate |
1713 | +create_duplication_policy |
1714 | +tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r key.prv -u key.pub \ |
1715 | +-L policy.dat -a "sensitivedataorigin|sign|decrypt" |
1716 | +tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx |
1717 | + |
1718 | +tpm2_loadexternal -Q -C o -u new_parent.pub -c new_parent.ctx |
1719 | + |
1720 | +## Null parent, Null Sym Alg |
1721 | +start_duplication_session |
1722 | +tpm2_duplicate -Q -C null -c key.ctx -G null -p "session:session.dat" \ |
1723 | +-r dupprv.bin -s dupseed.dat |
1724 | +end_duplication_session |
1725 | + |
1726 | +## Null Sym Alg |
1727 | +start_duplication_session |
1728 | +tpm2_duplicate -Q -C new_parent.ctx -c key.ctx -G null \ |
1729 | +-p "session:session.dat" -r dupprv.bin -s dupseed.dat |
1730 | +end_duplication_session |
1731 | + |
1732 | +## Null parent |
1733 | +start_duplication_session |
1734 | +tpm2_duplicate -Q -C null -c key.ctx -G aes -i sym_key_in.bin \ |
1735 | +-p "session:session.dat" -r dupprv.bin -s dupseed.dat |
1736 | +end_duplication_session |
1737 | + |
1738 | +## AES Sym Alg, user supplied key |
1739 | +start_duplication_session |
1740 | +tpm2_duplicate -Q -C new_parent.ctx -c key.ctx -G aes -i sym_key_in.bin \ |
1741 | +-p "session:session.dat" -r dupprv.bin -s dupseed.dat |
1742 | +end_duplication_session |
1743 | + |
1744 | +## AES Sym Alg, no user supplied key |
1745 | +start_duplication_session |
1746 | +tpm2_duplicate -Q -C new_parent.ctx -c key.ctx -G aes -o sym_key_out.bin \ |
1747 | +-p "session:session.dat" -r dupprv.bin -s dupseed.dat |
1748 | +end_duplication_session |
1749 | + |
1750 | +## Repeat the tests with a key that requires encrypted duplication |
1751 | +tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r key2.prv -u key2.pub \ |
1752 | +-L policy.dat -a "sensitivedataorigin|sign|decrypt|encryptedduplication" |
1753 | +tpm2_load -Q -C primary.ctx -r key2.prv -u key2.pub -c key2.ctx |
1754 | + |
1755 | +## AES Sym Alg, user supplied key |
1756 | +start_duplication_session |
1757 | +tpm2_duplicate -Q -C new_parent.ctx -c key2.ctx -G aes -i sym_key_in.bin \ |
1758 | +-p "session:session.dat" -r dupprv.bin -s dupseed.dat |
1759 | +end_duplication_session |
1760 | + |
1761 | +## AES Sym Alg, no user supplied key |
1762 | +start_duplication_session |
1763 | +tpm2_duplicate -Q -C new_parent.ctx -c key2.ctx -G aes -o sym_key_out.bin \ |
1764 | +-p "session:session.dat" -r dupprv.bin -s dupseed.dat |
1765 | +end_duplication_session |
1766 | + |
1767 | +trap - ERR |
1768 | + |
1769 | +## Null parent - should fail (TPM_RC_HIERARCHY) |
1770 | +start_duplication_session |
1771 | +tpm2_duplicate -Q -C null -c key2.ctx -G aes -i sym_key_in.bin \ |
1772 | +-p "session:session.dat" -r dupprv.bin -s dupseed.dat |
1773 | +if [ $? -eq 0 ]; then |
1774 | + echo "Expected \"tpm2_duplicate -C null \" to fail." |
1775 | + exit 1 |
1776 | +fi |
1777 | +dump_duplication_session |
1778 | + |
1779 | +## Null Sym Alg - should fail (TPM_RC_SYMMETRIC) |
1780 | +start_duplication_session |
1781 | +tpm2_duplicate -Q -C new_parent.ctx -c key2.ctx -G null \ |
1782 | +-p "session:session.dat" -r dupprv.bin -s dupseed.dat |
1783 | +if [ $? -eq 0 ]; then |
1784 | + echo "Expected \"tpm2_duplicate -G null \" to fail." |
1785 | + exit 1 |
1786 | +fi |
1787 | +dump_duplication_session |
1788 | + |
1789 | +exit 0 |
1790 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/evictcontrol.sh b/data/tpm2-tools-4.1.1/integration/tests/evictcontrol.sh |
1791 | new file mode 100755 |
1792 | index 0000000..46023b2 |
1793 | --- /dev/null |
1794 | +++ b/data/tpm2-tools-4.1.1/integration/tests/evictcontrol.sh |
1795 | @@ -0,0 +1,55 @@ |
1796 | +# SPDX-License-Identifier: BSD-3-Clause |
1797 | + |
1798 | +source helpers.sh |
1799 | + |
1800 | +cleanup() { |
1801 | + rm -f primary.ctx decrypt.ctx key.pub key.priv key.name decrypt.out \ |
1802 | + encrypt.out secret.dat key.dat evict.log primary.ctx key.ctx |
1803 | + |
1804 | + if [ "$1" != "no-shut-down" ]; then |
1805 | + shut_down |
1806 | + fi |
1807 | +} |
1808 | +trap cleanup EXIT |
1809 | + |
1810 | +start_up |
1811 | + |
1812 | +cleanup "no-shut-down" |
1813 | + |
1814 | +tpm2_clear -Q |
1815 | + |
1816 | +tpm2_createprimary -Q -C e -g sha256 -G rsa -c primary.ctx |
1817 | + |
1818 | +tpm2_create -Q -g sha256 -G aes -u key.pub -r key.priv -C primary.ctx |
1819 | + |
1820 | +tpm2_load -Q -C primary.ctx -u key.pub -r key.priv -n key.name -c key.dat |
1821 | + |
1822 | +# Load the context into a specific handle, delete it |
1823 | +tpm2_evictcontrol -Q -c key.dat 0x81010003 |
1824 | + |
1825 | +tpm2_evictcontrol -Q -c 0x81010003 0x81010003 |
1826 | + |
1827 | +# Load the context into a specific handle, delete it without an explicit -p |
1828 | +tpm2_evictcontrol -Q -C o -c key.dat 0x81010003 |
1829 | + |
1830 | +tpm2_evictcontrol -Q -C o -c 0x81010003 |
1831 | + |
1832 | +# Load the context into an available handle, delete it |
1833 | +tpm2_evictcontrol -C o -c key.dat > evict.log |
1834 | +phandle=$(yaml_get_kv evict.log "persistent-handle") |
1835 | +tpm2_evictcontrol -Q -C o -c $phandle |
1836 | + |
1837 | +yaml_verify evict.log |
1838 | + |
1839 | +# XXX platform hierarchy does not work (S. PINEAU 20/04/17) |
1840 | +exit 0 |
1841 | + |
1842 | +# verify that platform hierarchy auto selection for persistent handle works |
1843 | +tpm2_createprimary -C p -c primary.ctx |
1844 | +tpm2_create -C primary.ctx -c key.ctx |
1845 | +tpm2_evictcontrol -C p -c key.ctx > evict.log |
1846 | + |
1847 | +phandle=$(yaml_get_kv evict.log persistent-handle) |
1848 | +tpm2_evictcontrol -C p -c $phandle |
1849 | + |
1850 | +exit 0 |
1851 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/flushcontext.sh b/data/tpm2-tools-4.1.1/integration/tests/flushcontext.sh |
1852 | new file mode 100755 |
1853 | index 0000000..1a6d7f0 |
1854 | --- /dev/null |
1855 | +++ b/data/tpm2-tools-4.1.1/integration/tests/flushcontext.sh |
1856 | @@ -0,0 +1,37 @@ |
1857 | +# SPDX-License-Identifier: BSD-3-Clause |
1858 | + |
1859 | +source helpers.sh |
1860 | + |
1861 | +start_up |
1862 | + |
1863 | +cleanup() { |
1864 | + rm -f saved_session.ctx |
1865 | + |
1866 | + if [ "$1" != "no-shut-down" ]; then |
1867 | + shut_down |
1868 | + fi |
1869 | +} |
1870 | +trap cleanup EXIT |
1871 | + |
1872 | +cleanup "no-shut-down" |
1873 | +tpm2_clear |
1874 | + |
1875 | +# Test for flushing the specified handle |
1876 | +tpm2_createprimary -Q -C o -g sha256 -G rsa |
1877 | +# tpm2-abrmd may save the transient object and restore it when using |
1878 | +res=`tpm2_getcap handles-transient` |
1879 | +if [ -n "$res" ]; then |
1880 | + tpm2_flushcontext -Q -c 0x80000000 |
1881 | +fi |
1882 | + |
1883 | +# Test for flushing a transient object |
1884 | +tpm2_createprimary -Q -C o -g sha256 -G rsa |
1885 | +tpm2_flushcontext -Q -t |
1886 | + |
1887 | +# Test for flushing a loaded session |
1888 | +tpm2_createpolicy -Q --policy-session --policy-pcr -l sha256:0 |
1889 | +tpm2_flushcontext -Q -l |
1890 | + |
1891 | +cleanup "no-shut-down" |
1892 | + |
1893 | +exit 0 |
1894 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/getcap.sh b/data/tpm2-tools-4.1.1/integration/tests/getcap.sh |
1895 | new file mode 100755 |
1896 | index 0000000..03a8ba2 |
1897 | --- /dev/null |
1898 | +++ b/data/tpm2-tools-4.1.1/integration/tests/getcap.sh |
1899 | @@ -0,0 +1,52 @@ |
1900 | +# SPDX-License-Identifier: BSD-3-Clause |
1901 | + |
1902 | +source helpers.sh |
1903 | + |
1904 | +start_up |
1905 | + |
1906 | +out=out.yaml |
1907 | + |
1908 | +cleanup() { |
1909 | + rm -f $out |
1910 | + |
1911 | + shut_down |
1912 | +} |
1913 | +trap cleanup EXIT |
1914 | + |
1915 | +function yaml_to_list() { |
1916 | + |
1917 | +python3 << pyscript |
1918 | +from __future__ import print_function |
1919 | + |
1920 | +import sys |
1921 | +import yaml |
1922 | + |
1923 | +with open("$1") as f: |
1924 | + try: |
1925 | + y = yaml.safe_load(f) |
1926 | + print(' '.join(y)) |
1927 | + except yaml.YAMLError as exc: |
1928 | + sys.exit(exc) |
1929 | +pyscript |
1930 | +} |
1931 | + |
1932 | +tpm2_getcap -l > $out |
1933 | + |
1934 | +caplist=$(yaml_to_list $out) |
1935 | + |
1936 | +for c in $caplist; do |
1937 | + tpm2_getcap "$c" > $out |
1938 | + yaml_verify $out |
1939 | +done; |
1940 | + |
1941 | +# negative tests |
1942 | +trap - ERR |
1943 | + |
1944 | +# Regression test, ensure that getcap -c never accepts prefix matches |
1945 | +tpm2_getcap -Q --capability="comma" 2>/dev/null |
1946 | +if [ $? -eq -1 ]; then |
1947 | + echo "Expected \"tpm2_getcap -Q --capability=\"comma\"\" to fail." |
1948 | + exit 1 |
1949 | +fi |
1950 | + |
1951 | +exit 0 |
1952 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/getekcertificate.sh b/data/tpm2-tools-4.1.1/integration/tests/getekcertificate.sh |
1953 | new file mode 100755 |
1954 | index 0000000..33f4f8b |
1955 | --- /dev/null |
1956 | +++ b/data/tpm2-tools-4.1.1/integration/tests/getekcertificate.sh |
1957 | @@ -0,0 +1,58 @@ |
1958 | +# SPDX-License-Identifier: BSD-3-Clause |
1959 | + |
1960 | +source helpers.sh |
1961 | + |
1962 | +handle=0x81000000 |
1963 | +opass=abc123 |
1964 | +epass=abc123 |
1965 | + |
1966 | +cleanup() { |
1967 | + rm -f test_ek.pub ECcert.bin ECcert2.bin |
1968 | + |
1969 | + shut_down |
1970 | +} |
1971 | +trap cleanup EXIT |
1972 | + |
1973 | +start_up |
1974 | + |
1975 | +# Sample ek public from a real platform |
1976 | +echo "013a0001000b000300b20020837197674484b3f81a90cc8d46a5d724fd52 |
1977 | +d76e06520b64f2a1da1b331469aa00060080004300100800000000000100 |
1978 | +c320e2f244a8601aacf3e01d26c665249935562de1da197e9e7f076c4696 |
1979 | +13cfb653e98ec2c386fc1d133f2c8c6cc338b732f0b208bd838a877a3e5b |
1980 | +bc3e1d4084e835c7c8906a1c05b4d2d30fdbebc1dbad950fa6b165bd4b6a |
1981 | +864603146164c0c4f59d489011ef1f928deea6e90061f3d375e564627315 |
1982 | +1ef622252098be1a4ab01dc0a12227c609fdaceb115af408d4693a6f4991 |
1983 | +9774695b0c12bc18a1ff7120a7337b2fb5f1951d8bb7f094d5b554c11c95 |
1984 | +23b30729fe64787d0a13b9e630488dab4dfd86634a5270ec72fcc5a44dc6 |
1985 | +79a8f32938dd8197e29dae839f5b4ca0f5de27c9522c23c54e1c2ce57859 |
1986 | +525118bd4470b18180eef78ae4267bcd" | xxd -r -p > test_ek.pub |
1987 | + |
1988 | +if [ -z "$(curl -V 2>/dev/null)" ]; then |
1989 | + echo "curl is not not installed. Skipping connection check." |
1990 | +else |
1991 | + if [ "$(curl --silent --output /dev/null --write-out %{http_code} \ |
1992 | + 'https://ekop.intel.com/')" != '200' ]; then |
1993 | + echo 'No connection to https://ekop.intel.com/' |
1994 | + exit 77 |
1995 | + fi |
1996 | +fi |
1997 | + |
1998 | +tpm2_getekcertificate -u test_ek.pub -x -X -o ECcert.bin \ |
1999 | +https://ekop.intel.com/ekcertservice/ |
2000 | + |
2001 | +# Test that stdoutput is the same |
2002 | +tpm2_getekcertificate -u test_ek.pub -x https://ekop.intel.com/ekcertservice/ \ |
2003 | +-X > ECcert2.bin |
2004 | + |
2005 | +# stdout file should match -E file. |
2006 | +cmp ECcert.bin ECcert2.bin |
2007 | + |
2008 | +# Retrieved certificate should be valid |
2009 | +if [ $(md5sum ECcert.bin| awk '{ print $1 }') != \ |
2010 | +"56af9eb8a271bbf7ac41b780acd91ff5" ]; then |
2011 | + echo "Failed: retrieving endorsement certificate" |
2012 | + exit 1 |
2013 | +fi |
2014 | + |
2015 | +exit 0 |
2016 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/getrandom.sh b/data/tpm2-tools-4.1.1/integration/tests/getrandom.sh |
2017 | new file mode 100755 |
2018 | index 0000000..8d81e8d |
2019 | --- /dev/null |
2020 | +++ b/data/tpm2-tools-4.1.1/integration/tests/getrandom.sh |
2021 | @@ -0,0 +1,52 @@ |
2022 | +# SPDX-License-Identifier: BSD-3-Clause |
2023 | + |
2024 | +source helpers.sh |
2025 | + |
2026 | +cleanup() { |
2027 | + rm -f random.out |
2028 | + |
2029 | + if [ "$1" != "no-shut-down" ]; then |
2030 | + shut_down |
2031 | + fi |
2032 | +} |
2033 | +trap cleanup EXIT |
2034 | + |
2035 | +start_up |
2036 | + |
2037 | +cleanup "no-shut-down" |
2038 | + |
2039 | +# test file output |
2040 | +tpm2_getrandom -o random.out 32 |
2041 | +s=`ls -l random.out | awk {'print $5'}` |
2042 | +test $s -eq 32 |
2043 | + |
2044 | +#test stdout |
2045 | +tpm2_getrandom --hex 4 > random.out |
2046 | +s=`ls -l random.out | awk {'print $5'}` |
2047 | +test $s -eq 8 |
2048 | + |
2049 | +yaml_verify random.out |
2050 | + |
2051 | +# test stdout and -Q |
2052 | +tpm2_getrandom -Q --hex 4 > random.out |
2053 | +s=`ls -l random.out | awk {'print $5'}` |
2054 | +test $s -eq 0 |
2055 | + |
2056 | +# negative tests |
2057 | +trap - ERR |
2058 | + |
2059 | +# larger than any known hash size should fail |
2060 | +tpm2_getrandom 2000 &> /dev/null |
2061 | +if [ $? -eq 0 ]; then |
2062 | + echo "tpm2_getrandom should fail with too big of request" |
2063 | + exit 1 |
2064 | +fi |
2065 | + |
2066 | +# verify that tpm2_getrandom requires a TCTI |
2067 | +./tools/tpm2_getrandom -T none &> /dev/null |
2068 | +if [ $? -eq 0 ]; then |
2069 | + echo "tpm2_getrandom should fail with tcti: \"none\"" |
2070 | + exit 1 |
2071 | +fi |
2072 | + |
2073 | +exit 0 |
2074 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/gettestresult.sh b/data/tpm2-tools-4.1.1/integration/tests/gettestresult.sh |
2075 | new file mode 100755 |
2076 | index 0000000..9c9b399 |
2077 | --- /dev/null |
2078 | +++ b/data/tpm2-tools-4.1.1/integration/tests/gettestresult.sh |
2079 | @@ -0,0 +1,22 @@ |
2080 | +# SPDX-License-Identifier: BSD-3-Clause |
2081 | + |
2082 | +source helpers.sh |
2083 | + |
2084 | +cleanup() { |
2085 | + if [ "$1" != "no-shut-down" ]; then |
2086 | + shut_down |
2087 | + fi |
2088 | +} |
2089 | +trap cleanup EXIT |
2090 | + |
2091 | +start_up |
2092 | + |
2093 | +cleanup "no-shut-down" |
2094 | + |
2095 | +tempfile=$(mktemp) |
2096 | + |
2097 | +# Verify that tests have succeeded |
2098 | +tpm2_gettestresult > "${tempfile}" |
2099 | +yaml_get_kv "${tempfile}" "status" | grep "success" |
2100 | + |
2101 | +exit 0 |
2102 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/gettime.sh b/data/tpm2-tools-4.1.1/integration/tests/gettime.sh |
2103 | new file mode 100755 |
2104 | index 0000000..da668d0 |
2105 | --- /dev/null |
2106 | +++ b/data/tpm2-tools-4.1.1/integration/tests/gettime.sh |
2107 | @@ -0,0 +1,20 @@ |
2108 | +# SPDX-License-Identifier: BSD-3-Clause |
2109 | + |
2110 | +source helpers.sh |
2111 | + |
2112 | +cleanup() { |
2113 | + rm -f attest.sig attest.data |
2114 | +} |
2115 | +trap cleanup EXIT |
2116 | + |
2117 | +start_up |
2118 | + |
2119 | +tpm2_createprimary -C e -c primary.ctx |
2120 | + |
2121 | +tpm2_create -G rsa -u rsa.pub -r rsa.priv -C primary.ctx |
2122 | + |
2123 | +tpm2_load -C primary.ctx -u rsa.pub -r rsa.priv -c rsa.ctx |
2124 | + |
2125 | +tpm2_gettime -c rsa.ctx -o attest.sig --attestation attest.data |
2126 | + |
2127 | +exit 0 |
2128 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/hash.sh b/data/tpm2-tools-4.1.1/integration/tests/hash.sh |
2129 | new file mode 100755 |
2130 | index 0000000..d181760 |
2131 | --- /dev/null |
2132 | +++ b/data/tpm2-tools-4.1.1/integration/tests/hash.sh |
2133 | @@ -0,0 +1,75 @@ |
2134 | +# SPDX-License-Identifier: BSD-3-Clause |
2135 | + |
2136 | +#this script is for hash case testing |
2137 | + |
2138 | +source helpers.sh |
2139 | + |
2140 | +ticket_file=ticket.out |
2141 | +hash_out_file=hash.out |
2142 | +hash_in_file=hash.in |
2143 | +out=out.yaml |
2144 | + |
2145 | +cleanup() { |
2146 | + rm -f $ticket_file $hash_out_file $hash_in_file $out |
2147 | + |
2148 | + if [ "$1" != "no-shut-down" ]; then |
2149 | + shut_down |
2150 | + fi |
2151 | +} |
2152 | +trap cleanup EXIT |
2153 | + |
2154 | +start_up |
2155 | + |
2156 | +cleanup "no-shut-down" |
2157 | + |
2158 | +echo "T0naX0u123abc" > $hash_in_file |
2159 | + |
2160 | +# Test with ticket and hash output files (binary) and verify that the output |
2161 | +# hash is correct. Ticket is not stable and changes run to run, don't verify it. |
2162 | +tpm2_hash -C e -g sha1 -o $hash_out_file -t $ticket_file $hash_in_file |
2163 | + |
2164 | +expected=`shasum -a 1 $hash_in_file | awk '{print $1}'` |
2165 | +actual=`cat $hash_out_file | xxd -p -c 20` |
2166 | + |
2167 | +test "$expected" == "$actual" |
2168 | + |
2169 | +cleanup "no-shut-down" |
2170 | + |
2171 | +# Test platform hierarchy with multiple files & verify output against sha256sum |
2172 | +# Test a file redirection as well. Output files are binary. |
2173 | +echo "T0naX0u123abc" > $hash_in_file |
2174 | +tpm2_hash -C p -g sha256 -o $hash_out_file -t $ticket_file < $hash_in_file |
2175 | + |
2176 | +expected=`shasum -a 256 $hash_in_file | awk '{print $1}'` |
2177 | +actual=`cat $hash_out_file | xxd -p -c 32` |
2178 | + |
2179 | +test "$expected" == "$actual" |
2180 | + |
2181 | +cleanup "no-shut-down" |
2182 | + |
2183 | +# Test stdout output as well as no options. |
2184 | +# Validate that hash outputs are in hex as expected. |
2185 | +tpm_hash_val=`echo 1234 | tpm2_hash -C n --hex` |
2186 | +sha1sum_val=`echo 1234 | shasum -a 1 | cut -d\ -f 1-2 | tr -d '[:space:]'` |
2187 | +if [ "$tpm_hash_val" != "$sha1sum_val" ]; then |
2188 | + echo "Expected tpm and sha1sum to produce same hashes." |
2189 | + echo "Got:" |
2190 | + echo " tpm2_hash: $tpm_hash_val" |
2191 | + echo " sha1sum: $sha1sum_val" |
2192 | + exit 1 |
2193 | +fi |
2194 | + |
2195 | +# Test a file that cannot be done in 1 update call. |
2196 | +# The tpm works on a 1024 block size. |
2197 | +dd if=/dev/urandom of=$hash_in_file bs=2093 count=1 2>/dev/null |
2198 | +tpm_hash_val=`tpm2_hash --hex $hash_in_file` |
2199 | +sha1sum_val=`shasum -a 1 $hash_in_file | cut -d\ -f 1-2 | tr -d '[:space:]'` |
2200 | +if [ "$tpm_hash_val" != "$sha1sum_val" ]; then |
2201 | + echo "Expected tpm and sha1sum to produce same hashes" |
2202 | + echo "Got:" |
2203 | + echo " tpm2_hash: $tpm_hash_val" |
2204 | + echo " sha1sum: $sha1sum_val" |
2205 | + exit 1 |
2206 | +fi |
2207 | + |
2208 | +exit 0 |
2209 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/hmac.sh b/data/tpm2-tools-4.1.1/integration/tests/hmac.sh |
2210 | new file mode 100755 |
2211 | index 0000000..6504faf |
2212 | --- /dev/null |
2213 | +++ b/data/tpm2-tools-4.1.1/integration/tests/hmac.sh |
2214 | @@ -0,0 +1,103 @@ |
2215 | +# SPDX-License-Identifier: BSD-3-Clause |
2216 | + |
2217 | +source helpers.sh |
2218 | + |
2219 | +alg_primary_obj=sha256 |
2220 | +alg_primary_key=rsa |
2221 | +alg_create_key=hmac |
2222 | + |
2223 | +handle_hmac_key=0x81010013 |
2224 | + |
2225 | +file_primary_key_ctx=primary.ctx |
2226 | +file_hmac_key_pub=key.pub |
2227 | +file_hmac_key_priv=key.priv |
2228 | +file_hmac_key_name=name.dat |
2229 | +file_hmac_key_ctx=key.ctx |
2230 | +file_hmac_output=hmac.out |
2231 | +file_hmac_key_handle=key.handle |
2232 | + |
2233 | +file_input_data=secret.data |
2234 | + |
2235 | +cleanup() { |
2236 | + rm -f $file_primary_key_ctx $file_hmac_key_pub $file_hmac_key_priv \ |
2237 | + $file_hmac_key_name $file_hmac_output ticket.out |
2238 | + |
2239 | + if [ $(ina "$@" "keep-context") -ne 0 ]; then |
2240 | + rm -f $file_hmac_key_ctx $file_input_data |
2241 | + # attempt to evict the hmac persistent key handle, but don't cause failures |
2242 | + # if this fails as it may not be loaded. |
2243 | + tpm2_evictcontrol -c $file_hmac_key_handle 2>/dev/null || true |
2244 | + fi |
2245 | + |
2246 | + if [ $(ina "$@" "no-shut-down") -ne 0 ]; then |
2247 | + shut_down |
2248 | + fi |
2249 | +} |
2250 | +trap cleanup EXIT |
2251 | + |
2252 | +start_up |
2253 | + |
2254 | +cleanup "no-shut-down" |
2255 | + |
2256 | +echo "12345678" > $file_input_data |
2257 | + |
2258 | +tpm2_clear |
2259 | + |
2260 | +tpm2_createprimary -Q -C e -g $alg_primary_obj -G $alg_primary_key \ |
2261 | +-c $file_primary_key_ctx |
2262 | + |
2263 | +tpm2_create -Q -G $alg_create_key -u $file_hmac_key_pub -r $file_hmac_key_priv \ |
2264 | +-C $file_primary_key_ctx |
2265 | + |
2266 | +tpm2_load -Q -C $file_primary_key_ctx -u $file_hmac_key_pub \ |
2267 | +-r $file_hmac_key_priv -n $file_hmac_key_name -c $file_hmac_key_ctx |
2268 | + |
2269 | +# verify that persistent object can be used via a serialized handle |
2270 | +tpm2_evictcontrol -C o -c $file_hmac_key_ctx -o $file_hmac_key_handle |
2271 | + |
2272 | +cat $file_input_data | tpm2_hmac -Q -c $file_hmac_key_handle \ |
2273 | +-o $file_hmac_output |
2274 | + |
2275 | +cleanup "keep-context" "no-shut-down" |
2276 | + |
2277 | +# Test large file, ie sequence hmac'ing. |
2278 | +dd if=/dev/urandom of=$file_input_data bs=2093 count=1 2>/dev/null |
2279 | +tpm2_hmac -Q -c $file_hmac_key_ctx -o $file_hmac_output $file_input_data |
2280 | + |
2281 | +####handle test |
2282 | +rm -f $file_hmac_output |
2283 | + |
2284 | +cleanup "no-shut-down" |
2285 | + |
2286 | +# Test stdin |
2287 | +echo "12345678" > $file_input_data |
2288 | + |
2289 | +tpm2_clear |
2290 | + |
2291 | +tpm2_createprimary -Q -C e -g $alg_primary_obj -G $alg_primary_key \ |
2292 | +-c $file_primary_key_ctx |
2293 | + |
2294 | +tpm2_create -Q -G $alg_create_key -u $file_hmac_key_pub -r $file_hmac_key_priv \ |
2295 | +-C $file_primary_key_ctx |
2296 | + |
2297 | +tpm2_load -Q -C $file_primary_key_ctx -u $file_hmac_key_pub \ |
2298 | +-r $file_hmac_key_priv -n $file_hmac_key_name -c $file_hmac_key_ctx |
2299 | + |
2300 | +cat $file_input_data | tpm2_hmac -Q -c $file_hmac_key_ctx -o $file_hmac_output |
2301 | + |
2302 | +# test ticket option |
2303 | +cat $file_input_data | tpm2_hmac -Q -c $file_hmac_key_ctx -o $file_hmac_output \ |
2304 | +-t ticket.out |
2305 | +test -f ticket.out |
2306 | + |
2307 | +# test no output file |
2308 | +cat $file_input_data | tpm2_hmac -c $file_hmac_key_ctx 1>/dev/null |
2309 | + |
2310 | +# verify that silent is indeed silent |
2311 | +stdout=`cat $file_input_data | tpm2_hmac -Q -c $file_hmac_key_ctx` |
2312 | +if [ -n "$stdout" ]; then |
2313 | + echo "Expected no output when run in quiet mode, got\"$stdout\"" |
2314 | + exit 1 |
2315 | +fi |
2316 | + |
2317 | +exit 0 |
2318 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/import.sh b/data/tpm2-tools-4.1.1/integration/tests/import.sh |
2319 | new file mode 100755 |
2320 | index 0000000..0f7b900 |
2321 | --- /dev/null |
2322 | +++ b/data/tpm2-tools-4.1.1/integration/tests/import.sh |
2323 | @@ -0,0 +1,234 @@ |
2324 | +# SPDX-License-Identifier: BSD-3-Clause |
2325 | + |
2326 | +source helpers.sh |
2327 | + |
2328 | +cleanup() { |
2329 | + rm -f import_key.ctx import_key.name import_key.priv import_key.pub \ |
2330 | + parent.ctx plain.dec.ssl plain.enc plain.txt sym.key import_rsa_key.pub \ |
2331 | + import_rsa_key.priv import_rsa_key.ctx import_rsa_key.name private.pem \ |
2332 | + public.pem plain.rsa.enc plain.rsa.dec public.pem data.in.raw \ |
2333 | + data.in.digest data.out.signed ticket.out ecc.pub ecc.priv ecc.name \ |
2334 | + ecc.ctx private.ecc.pem public.ecc.pem passfile aes.key policy.dat \ |
2335 | + aes.priv aes.pub |
2336 | + |
2337 | + if [ "$1" != "no-shut-down" ]; then |
2338 | + shut_down |
2339 | + fi |
2340 | +} |
2341 | +trap cleanup EXIT |
2342 | + |
2343 | +start_up |
2344 | + |
2345 | +run_aes_import_test() { |
2346 | + |
2347 | + dd if=/dev/urandom of=sym.key bs=1 count=$3 2>/dev/null |
2348 | + |
2349 | + #Symmetric Key Import Test |
2350 | + echo "tpm2_import -Q -G aes -g "$name_alg" -i sym.key -C $1 \ |
2351 | + -u import_key.pub -r import_key.priv" |
2352 | + |
2353 | + tpm2_import -Q -G aes -g "$name_alg" -i sym.key -C $1 -u import_key.pub \ |
2354 | + -r import_key.priv |
2355 | + |
2356 | + tpm2_load -Q -C $1 -u import_key.pub -r import_key.priv -n import_key.name \ |
2357 | + -c import_key.ctx |
2358 | + |
2359 | + echo "plaintext" > "plain.txt" |
2360 | + |
2361 | + if is_cmd_supported "EncryptDecrypt"; then |
2362 | + tpm2_encryptdecrypt -c import_key.ctx -o plain.enc plain.txt |
2363 | + |
2364 | + openssl enc -in plain.enc -out plain.dec.ssl -d -K `xxd -c 256 -p sym.key` \ |
2365 | + -iv 0 -$2 |
2366 | + |
2367 | + diff plain.txt plain.dec.ssl |
2368 | + else |
2369 | + tpm2_readpublic -c import_key.ctx >out.pub |
2370 | + alg=$(yaml_get_kv out.pub "sym-alg" "value") |
2371 | + if [ "$alg" != "aes" ]; then |
2372 | + echo "Algorithm parsed from tpm2_readpublic is '$alg' but should be \ |
2373 | + 'aes'" |
2374 | + exit 1 |
2375 | + fi |
2376 | + rm out.pub |
2377 | + fi |
2378 | + |
2379 | + rm import_key.ctx |
2380 | +} |
2381 | + |
2382 | +run_rsa_import_test() { |
2383 | + |
2384 | + #Asymmetric Key Import Test |
2385 | + openssl genrsa -out private.pem $2 |
2386 | + openssl rsa -in private.pem -pubout > public.pem |
2387 | + |
2388 | + # Test an import without the parent public info data to force a readpublic |
2389 | + tpm2_import -Q -G rsa -g "$name_alg" -i private.pem -C $1 \ |
2390 | + -u import_rsa_key.pub -r import_rsa_key.priv |
2391 | + |
2392 | + tpm2_load -Q -C $1 -u import_rsa_key.pub -r import_rsa_key.priv \ |
2393 | + -n import_rsa_key.name -c import_rsa_key.ctx |
2394 | + |
2395 | + openssl rsa -in private.pem -out public.pem -outform PEM -pubout |
2396 | + openssl rsautl -encrypt -inkey public.pem -pubin -in plain.txt \ |
2397 | + -out plain.rsa.enc |
2398 | + |
2399 | + tpm2_rsadecrypt -c import_rsa_key.ctx -o plain.rsa.dec plain.rsa.enc |
2400 | + |
2401 | + diff plain.txt plain.rsa.dec |
2402 | + |
2403 | + # test verifying a sigature with the imported key, ie sign in tpm and |
2404 | + # verify with openssl |
2405 | + echo "data to sign" > data.in.raw |
2406 | + |
2407 | + shasum -a 256 data.in.raw | awk '{ print "000000 " $1 }' | xxd -r -c 32 > \ |
2408 | + data.in.digest |
2409 | + |
2410 | + tpm2_sign -Q -c import_rsa_key.ctx -g sha256 -d -f plain \ |
2411 | + -o data.out.signed data.in.digest |
2412 | + |
2413 | + openssl dgst -verify public.pem -keyform pem -sha256 -signature \ |
2414 | + data.out.signed data.in.raw |
2415 | + |
2416 | + # Sign with openssl and verify with TPM |
2417 | + openssl dgst -sha256 -sign private.pem -out data.out.signed data.in.raw |
2418 | + |
2419 | + # Verify with the TPM |
2420 | + tpm2_verifysignature -Q -c import_rsa_key.ctx -g sha256 -m data.in.raw \ |
2421 | + -f rsassa -s data.out.signed -t ticket.out |
2422 | + |
2423 | + rm import_rsa_key.ctx |
2424 | +} |
2425 | + |
2426 | +run_ecc_import_test() { |
2427 | + # |
2428 | + # Test loading an OSSL PEM format ECC key, and verifying a signature |
2429 | + # external to the TPM |
2430 | + # |
2431 | + |
2432 | + # |
2433 | + # Generate a Private and Public ECC pem file |
2434 | + # |
2435 | + openssl ecparam -name $2 -genkey -noout -out private.ecc.pem |
2436 | + openssl ec -in private.ecc.pem -out public.ecc.pem -pubout |
2437 | + |
2438 | + # Generate a hash to sign |
2439 | + echo "data to sign" > data.in.raw |
2440 | + shasum -a 256 data.in.raw | awk '{ print "000000 " $1 }' | xxd -r -c 32 > \ |
2441 | + data.in.digest |
2442 | + |
2443 | + tpm2_import -Q -G ecc -g "$name_alg" -i private.ecc.pem -C $1 -u ecc.pub \ |
2444 | + -r ecc.priv |
2445 | + |
2446 | + tpm2_load -Q -C $1 -u ecc.pub -r ecc.priv -n ecc.name -c ecc.ctx |
2447 | + |
2448 | + # Sign in the TPM and verify with OSSL |
2449 | + tpm2_sign -Q -c ecc.ctx -g sha256 -d -f plain -o data.out.signed \ |
2450 | + data.in.digest |
2451 | + openssl dgst -verify public.ecc.pem -keyform pem -sha256 \ |
2452 | + -signature data.out.signed data.in.raw |
2453 | + |
2454 | + # Sign with openssl and verify with TPM. |
2455 | + openssl dgst -sha256 -sign private.ecc.pem -out data.out.signed data.in.raw |
2456 | + tpm2_verifysignature -Q -c ecc.ctx -g sha256 -m data.in.raw -f ecdsa \ |
2457 | + -s data.out.signed |
2458 | + |
2459 | + rm ecc.ctx |
2460 | +} |
2461 | + |
2462 | +run_rsa_import_passin_test() { |
2463 | + |
2464 | + if [ "$3" != "stdin" ]; then |
2465 | + tpm2_import -Q -G rsa -i "$2" -C "$1" \ |
2466 | + -u "import_rsa_key.pub" -r "import_rsa_key.priv" \ |
2467 | + --passin "$3" |
2468 | + else |
2469 | + tpm2_import -Q -G rsa -i "$2" -C "$1" \ |
2470 | + -u "import_rsa_key.pub" -r "import_rsa_key.priv" \ |
2471 | + --passin "$3" < "$4" |
2472 | + fi; |
2473 | +} |
2474 | + |
2475 | +run_aes_policy_import_test() { |
2476 | + |
2477 | + dd if=/dev/urandom of=aes.key bs=16 count=1 |
2478 | + dd if=/dev/urandom of=policy.dat bs=32 count=1 |
2479 | + |
2480 | + tpm2_import -C "$1" -G aes -i aes.key -L policy.dat -u aes.pub -r aes.priv |
2481 | + |
2482 | + tpm2_load -C "$1" -u aes.priv -u aes.pub -r aes.priv -c aes.ctx |
2483 | + |
2484 | + trap - ERR |
2485 | + echo 'foo' | tpm2_encryptdecrypt -c aes.ctx -o plain.rsa.dec plain.rsa.enc |
2486 | + if [ $? -eq 0 ]; then |
2487 | + echo "expected tpm2_encryptdecrypt to fail" |
2488 | + exit 1 |
2489 | + fi |
2490 | + trap onerror ERR |
2491 | +} |
2492 | + |
2493 | +run_test() { |
2494 | + |
2495 | + cleanup "no-shut-down" |
2496 | + |
2497 | + parent_alg=$1 |
2498 | + name_alg=$2 |
2499 | + |
2500 | + tpm2_createprimary -Q -G "$parent_alg" -g "$name_alg" -C o -c parent.ctx |
2501 | + |
2502 | + # 128 bit AES is 16 bytes |
2503 | + if is_alg_supported aes128; then |
2504 | + run_aes_import_test parent.ctx aes-128-cfb 16 |
2505 | + fi |
2506 | + # 256 bit AES is 32 bytes |
2507 | + if is_alg_supported aes256; then |
2508 | + run_aes_import_test parent.ctx aes-256-cfb 32 |
2509 | + fi |
2510 | + |
2511 | + run_rsa_import_test parent.ctx 1024 |
2512 | + run_rsa_import_test parent.ctx 2048 |
2513 | + |
2514 | + run_ecc_import_test parent.ctx prime256v1 |
2515 | +} |
2516 | + |
2517 | +# |
2518 | +# Run the tests against: |
2519 | +# - RSA2048 with AES CFB 128 and 256 bit parents |
2520 | +# - SHA256 object (not parent) name algorithms |
2521 | +# |
2522 | +parent_algs=("rsa2048:aes128cfb" "rsa2048:aes256cfb" "ecc256:aes128cfb") |
2523 | +halgs=`populate_hash_algs 'and alg != "sha1"'` |
2524 | +echo "halgs: $halgs" |
2525 | +for pa in "${parent_algs[@]}"; do |
2526 | + for name in $halgs; do |
2527 | + if is_alg_supported $pa; then |
2528 | + echo "$pa - $name" |
2529 | + run_test "$pa" "$name" |
2530 | + fi |
2531 | + done; |
2532 | +done; |
2533 | + |
2534 | +# |
2535 | +# Test the passin options |
2536 | +# |
2537 | + |
2538 | +tpm2_createprimary -Q -c parent.ctx |
2539 | + |
2540 | +openssl genrsa -aes128 -passout "pass:mypassword" -out "private.pem" 1024 |
2541 | + |
2542 | +run_rsa_import_passin_test "parent.ctx" "private.pem" "pass:mypassword" |
2543 | + |
2544 | +export envvar="mypassword" |
2545 | +run_rsa_import_passin_test "parent.ctx" "private.pem" "env:envvar" |
2546 | + |
2547 | +echo -n "mypassword" > "passfile" |
2548 | +run_rsa_import_passin_test "parent.ctx" "private.pem" "file:passfile" |
2549 | + |
2550 | +exec 42<> passfile |
2551 | +run_rsa_import_passin_test "parent.ctx" "private.pem" "fd:42" |
2552 | + |
2553 | +run_rsa_import_passin_test "parent.ctx" "private.pem" "stdin" "passfile" |
2554 | + |
2555 | +run_aes_policy_import_test "parent.ctx" |
2556 | + |
2557 | +exit 0 |
2558 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/import_tpm.sh b/data/tpm2-tools-4.1.1/integration/tests/import_tpm.sh |
2559 | new file mode 100755 |
2560 | index 0000000..ff48185 |
2561 | --- /dev/null |
2562 | +++ b/data/tpm2-tools-4.1.1/integration/tests/import_tpm.sh |
2563 | @@ -0,0 +1,146 @@ |
2564 | +# SPDX-License-Identifier: BSD-3-Clause |
2565 | + |
2566 | +source helpers.sh |
2567 | + |
2568 | +cleanup() { |
2569 | +rm -f primary.ctx \ |
2570 | + new_parent.prv new_parent.pub new_parent.ctx \ |
2571 | + ipolicy.dat dpolicy.dat session.dat \ |
2572 | + key.prv key.pub key.ctx \ |
2573 | + dup.prv dup.pub dup.seed \ |
2574 | + key2.prv key2.pub key2.ctx \ |
2575 | + sym_key_in.bin \ |
2576 | + dup.ctx |
2577 | + |
2578 | + if [ "$1" != "no-shut-down" ]; then |
2579 | + shut_down |
2580 | + fi |
2581 | +} |
2582 | +trap cleanup EXIT |
2583 | + |
2584 | +start_up |
2585 | + |
2586 | +create_policy() { |
2587 | + tpm2_startauthsession -Q -S session.dat |
2588 | + tpm2_policycommandcode -Q -S session.dat -L $1 $2 |
2589 | + tpm2_flushcontext -Q session.dat |
2590 | + rm session.dat |
2591 | +} |
2592 | + |
2593 | +start_session() { |
2594 | + tpm2_startauthsession -Q --policy-session -S session.dat |
2595 | + tpm2_policycommandcode -Q -S session.dat -L $1 $2 |
2596 | +} |
2597 | + |
2598 | +end_session() { |
2599 | + tpm2_flushcontext -Q session.dat |
2600 | + rm session.dat |
2601 | +} |
2602 | + |
2603 | +create_load_new_parent() { |
2604 | + # Create new parent |
2605 | + tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r new_parent.prv \ |
2606 | + -u new_parent.pub -a "restricted|sensitivedataorigin|decrypt|userwithauth" |
2607 | + # Load new parent key, only the public part |
2608 | + tpm2_loadexternal -Q -C o -u new_parent.pub -c new_parent.ctx |
2609 | +} |
2610 | + |
2611 | +load_new_parent() { |
2612 | + # Load new parent key, public & private parts |
2613 | + tpm2_load -Q -C primary.ctx -r new_parent.prv -u new_parent.pub \ |
2614 | + -c new_parent.ctx |
2615 | +} |
2616 | + |
2617 | +create_load_duplicatee() { |
2618 | + # Create the key we want to duplicate |
2619 | + create_policy dpolicy.dat TPM2_CC_Duplicate |
2620 | + tpm2_create -Q -C primary.ctx -g sha256 -G $1 -p foo -r key.prv -u key.pub \ |
2621 | + -L dpolicy.dat -a "sensitivedataorigin|decrypt|userwithauth" |
2622 | + # Load the key |
2623 | + tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx |
2624 | + # Extract the public part for import later |
2625 | + tpm2_readpublic -Q -c key.ctx -o dup.pub |
2626 | +} |
2627 | + |
2628 | +do_duplication() { |
2629 | + start_session dpolicy.dat TPM2_CC_Duplicate |
2630 | + if [ "$2" = "aes" ] |
2631 | + then |
2632 | + tpm2_duplicate -Q -C new_parent.ctx -c key.ctx -G aes -o sym.key \ |
2633 | + -p "session:session.dat" -r dup.dup -s dup.seed |
2634 | + else |
2635 | + tpm2_duplicate -Q -C new_parent.ctx -c key.ctx -G null \ |
2636 | + -p "session:session.dat" -r dup.dup -s dup.seed |
2637 | + fi |
2638 | + end_session |
2639 | +} |
2640 | + |
2641 | +do_import_load() { |
2642 | + if [ "$2" = "aes" ] |
2643 | + then |
2644 | + tpm2_import -Q -C new_parent.ctx -k sym.key -u dup.pub -i dup.dup \ |
2645 | + -r dup.prv -s dup.seed -L dpolicy.dat |
2646 | + else |
2647 | + tpm2_import -Q -C new_parent.ctx -u dup.pub -i dup.dup -r dup.prv \ |
2648 | + -s dup.seed -L dpolicy.dat |
2649 | + fi |
2650 | + tpm2_load -Q -C new_parent.ctx -r dup.prv -u dup.pub -c dup.ctx |
2651 | +} |
2652 | + |
2653 | +test() { |
2654 | + # New parent ... |
2655 | + create_load_new_parent |
2656 | + # Key to be duplicated |
2657 | + create_load_duplicatee $1 |
2658 | + # Duplicate the key |
2659 | + do_duplication $2 |
2660 | + # Remove, we're done with it |
2661 | + rm new_parent.ctx |
2662 | + # Load the full thing this time |
2663 | + load_new_parent |
2664 | + # Import & load the duplicate |
2665 | + do_import_load $2 |
2666 | +} |
2667 | + |
2668 | +# Part 1 : Duplicate 3 varieties of key (aes, rsa or ecc) |
2669 | +# and protect them using sym_alg null or aes, verify they |
2670 | +# can be imported & loaded |
2671 | +for dup_key_type in aes rsa ecc; do |
2672 | + for sym_key_type in aes null; do |
2673 | + tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx |
2674 | + test $dup_key_type $sym_key_type |
2675 | + cleanup "no-shut-down" |
2676 | + done |
2677 | +done |
2678 | + |
2679 | +# Part 2 : |
2680 | +# Create a rsa key (Kd) |
2681 | +# Encrypt a message using Kd |
2682 | +# Duplicate Kd |
2683 | +# Import & Load Kd |
2684 | +# Decrypt the message and verify |
2685 | +tpm2_createprimary -Q -C o -g sha256 -G rsa -c primary.ctx |
2686 | +# New parent ... |
2687 | +create_load_new_parent |
2688 | +# Key to be duplicated |
2689 | +create_load_duplicatee rsa |
2690 | +# Encrypt a secret message |
2691 | +echo "Mary had a little lamb ..." > plain.txt |
2692 | +tpm2_rsaencrypt -Q -c key.ctx -o cipher.txt plain.txt |
2693 | +# Duplicate the key |
2694 | +do_duplication null |
2695 | +# Remove, we're done with it |
2696 | +rm new_parent.ctx |
2697 | +# Load the full thing this time |
2698 | +load_new_parent |
2699 | +# Import & load the duplicate |
2700 | +do_import_load null |
2701 | +# Decrypt the secret message using duplicated key |
2702 | +tpm2_rsadecrypt -Q -p foo -c dup.ctx -o recovered.txt cipher.txt |
2703 | +# Check we got it right ... |
2704 | +diff recovered.txt plain.txt |
2705 | +# Cleanup |
2706 | +rm plain.txt recovered.txt cipher.txt |
2707 | +cleanup "no-shut-down" |
2708 | + |
2709 | +exit 0 |
2710 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/incrementalselftest.sh b/data/tpm2-tools-4.1.1/integration/tests/incrementalselftest.sh |
2711 | new file mode 100755 |
2712 | index 0000000..c6c59b7 |
2713 | --- /dev/null |
2714 | +++ b/data/tpm2-tools-4.1.1/integration/tests/incrementalselftest.sh |
2715 | @@ -0,0 +1,71 @@ |
2716 | +# SPDX-License-Identifier: BSD-3-Clause |
2717 | + |
2718 | +source helpers.sh |
2719 | + |
2720 | +cleanup() { |
2721 | + if [ "$1" != "no-shut-down" ]; then |
2722 | + shut_down |
2723 | + fi |
2724 | +} |
2725 | + |
2726 | +trap cleanup EXIT |
2727 | + |
2728 | +start_up |
2729 | + |
2730 | +cleanup "no-shut-down" |
2731 | + |
2732 | +# Get the list of remaining algs to be tested |
2733 | +temp=$(mktemp) |
2734 | +tpm2_incrementalselftest > "${temp}" |
2735 | +cat ${temp} |
2736 | +alglist="$(yaml_get_kv "${temp}" "remaining" || true)" |
2737 | +rm -f "${temp}" |
2738 | + |
2739 | +# If the list of remaining algs is not empty, we can test |
2740 | +# the behaviour of tpm2_incrementalselftest and see |
2741 | +# each alg become scheduled and tested. If there are |
2742 | +# some leftovers, just print them |
2743 | +if [ -n "${alglist}" ]; then |
2744 | + for i in ${alglist}; do |
2745 | + if ! tpm2_incrementalselftest "${i}" ; then |
2746 | + echo "${i} failed to be tested." |
2747 | + exit 1 |
2748 | + fi |
2749 | + done |
2750 | + localtmp=$(mktemp) |
2751 | + tpm2_incrementalselftest > "${localtmp}" |
2752 | + alglist="$(yaml_get_kv "${localtmp}" "remaining" || true)" |
2753 | + rm -f "${localtmp}" |
2754 | + |
2755 | + if [ -n "${alglist}" ]; then |
2756 | + echo "Algorithm suite remaning : ${alglist}" |
2757 | + else |
2758 | + true |
2759 | + fi |
2760 | +fi |
2761 | + |
2762 | +# Finally just verify that every algorithm are |
2763 | +# effectively being already tested |
2764 | +aesmodes="$(populate_algs "details['encrypting'] and details['symmetric']")" |
2765 | +hashalgs="$(populate_algs "details['hash'] and not details['method'] \ |
2766 | + and not details['signing'] \ |
2767 | + and not details['symmetric'] \ |
2768 | + and alg is not None")" |
2769 | +eccmethods="$(populate_algs "details['signing'] and not details['hash'] \ |
2770 | +and \"ec\" in alg")" |
2771 | +rsamethods="$(populate_algs "details['signing'] and not details['hash'] \ |
2772 | +and \"rsa\" in alg")" |
2773 | + |
2774 | +# Check testing of AES modes |
2775 | +tpm2_incrementalselftest ${aesmodes} | grep -q "complete" |
2776 | + |
2777 | +# Check testing of Hash algorithms |
2778 | +tpm2_incrementalselftest ${hashalgs} | grep -q "complete" |
2779 | + |
2780 | +# Check testing of ECC methods |
2781 | +tpm2_incrementalselftest ${eccmethods} | grep -q "complete" |
2782 | + |
2783 | +# Check testing of RSA methods |
2784 | +tpm2_incrementalselftest ${rsamethods} | grep -q "complete" |
2785 | + |
2786 | +exit 0 |
2787 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/load.sh b/data/tpm2-tools-4.1.1/integration/tests/load.sh |
2788 | new file mode 100755 |
2789 | index 0000000..5669612 |
2790 | --- /dev/null |
2791 | +++ b/data/tpm2-tools-4.1.1/integration/tests/load.sh |
2792 | @@ -0,0 +1,70 @@ |
2793 | +# SPDX-License-Identifier: BSD-3-Clause |
2794 | + |
2795 | +source helpers.sh |
2796 | + |
2797 | +start_up |
2798 | + |
2799 | +alg_primary_obj=sha256 |
2800 | +alg_primary_key=rsa |
2801 | +alg_create_obj=sha256 |
2802 | +alg_create_key=hmac |
2803 | + |
2804 | +alg_load=sha1 |
2805 | + |
2806 | +file_primary_key_ctx=context.p_"$alg_primary_obj"_"$alg_primary_key" |
2807 | +file_load_key_pub=opu_"$alg_create_obj"_"$alg_create_key" |
2808 | +file_load_key_priv=opr_"$alg_create_obj"_"$alg_create_key" |
2809 | +file_load_key_name=name.load_"$alg_primary_obj"_"$alg_primary_key"-\ |
2810 | +"$alg_create_obj"_"$alg_create_key" |
2811 | +file_load_key_ctx=ctx_load_out_"$alg_primary_obj"_"$alg_primary_key"-\ |
2812 | +"$alg_create_obj"_"$alg_create_key" |
2813 | +file_load_output=load_"$file_load_key_ctx" |
2814 | + |
2815 | +Handle_parent=0x81010018 |
2816 | +Handle_ek_load=0x81010017 |
2817 | + |
2818 | +cleanup() { |
2819 | + |
2820 | + rm -f $file_load_key_pub $file_load_key_priv $file_load_key_name \ |
2821 | + $file_load_key_ctx |
2822 | + |
2823 | + tpm2_evictcontrol -Q -Co -c $Handle_parent 2>/dev/null || true |
2824 | + |
2825 | + if [ $(ina "$@" "keep_ctx") -ne 0 ]; then |
2826 | + rm -f $file_primary_key_ctx |
2827 | + fi |
2828 | + |
2829 | + if [ $(ina "$@" "no-shut-down") -ne 0 ]; then |
2830 | + shut_down |
2831 | + fi |
2832 | +} |
2833 | +trap cleanup EXIT |
2834 | + |
2835 | +cleanup "no-shut-down" |
2836 | + |
2837 | +tpm2_clear |
2838 | + |
2839 | +#####file test |
2840 | + |
2841 | +tpm2_createprimary -Q -C e -g $alg_primary_obj -G $alg_primary_key \ |
2842 | +-c $file_primary_key_ctx |
2843 | + |
2844 | +tpm2_create -Q -g $alg_create_obj -G $alg_create_key -u $file_load_key_pub \ |
2845 | +-r $file_load_key_priv -C $file_primary_key_ctx |
2846 | + |
2847 | +tpm2_load -Q -C $file_primary_key_ctx -u $file_load_key_pub \ |
2848 | +-r $file_load_key_priv -n $file_load_key_name -c $file_load_key_ctx |
2849 | + |
2850 | +#####handle test |
2851 | + |
2852 | +cleanup "keep_ctx" "no-shut-down" |
2853 | + |
2854 | +tpm2_evictcontrol -Q -C o -c $file_primary_key_ctx $Handle_parent |
2855 | + |
2856 | +tpm2_create -Q -C $Handle_parent -g $alg_create_obj -G $alg_create_key \ |
2857 | +-u $file_load_key_pub -r $file_load_key_priv |
2858 | + |
2859 | +tpm2_load -Q -C $Handle_parent -u $file_load_key_pub -r $file_load_key_priv \ |
2860 | +-n $file_load_key_name -c $file_load_key_ctx |
2861 | + |
2862 | +exit 0 |
2863 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/loadexternal.sh b/data/tpm2-tools-4.1.1/integration/tests/loadexternal.sh |
2864 | new file mode 100755 |
2865 | index 0000000..b4acbed |
2866 | --- /dev/null |
2867 | +++ b/data/tpm2-tools-4.1.1/integration/tests/loadexternal.sh |
2868 | @@ -0,0 +1,239 @@ |
2869 | +# SPDX-License-Identifier: BSD-3-Clause |
2870 | + |
2871 | +source helpers.sh |
2872 | + |
2873 | +alg_primary_obj=sha256 |
2874 | +alg_primary_key=rsa |
2875 | +alg_create_obj=sha256 |
2876 | +alg_create_key=hmac |
2877 | + |
2878 | +file_primary_key_ctx=context.p_"$alg_primary_obj"_"$alg_primary_key" |
2879 | +file_loadexternal_key_pub=opu_"$alg_create_obj"_"$alg_create_key" |
2880 | +file_loadexternal_key_priv=opr_"$alg_create_obj"_"$alg_create_key" |
2881 | +file_loadexternal_key_name=name.loadexternal_"$alg_primary_obj"_\ |
2882 | +"$alg_primary_key"-"$alg_create_obj"_"$alg_create_key" |
2883 | +file_loadexternal_key_ctx=ctx_loadexternal_out_"$alg_primary_obj"_\ |
2884 | +"$alg_primary_key"-"$alg_create_obj"_"$alg_create_key" |
2885 | +file_loadexternal_output=loadexternal_"$file_loadexternal_key_ctx" |
2886 | + |
2887 | +Handle_parent=0x81010019 |
2888 | + |
2889 | +cleanup() { |
2890 | + rm -f $file_primary_key_ctx $file_loadexternal_key_pub \ |
2891 | + $file_loadexternal_key_priv $file_loadexternal_key_name \ |
2892 | + $file_loadexternal_key_ctx $file_loadexternal_output private.pem public.pem \ |
2893 | + plain.txt plain.rsa.dec key.ctx public.ecc.pem private.ecc.pem \ |
2894 | + data.in.digest data.out.signed ticket.out name.bin stdout.yaml passfile \ |
2895 | + private.pem |
2896 | + |
2897 | + if [ $(ina "$@" "keep_handle") -ne 0 ]; then |
2898 | + tpm2_evictcontrol -Q -Co -c $Handle_parent 2>/dev/null || true |
2899 | + fi |
2900 | + |
2901 | + if [ $(ina "$@" "no-shut-down") -ne 0 ]; then |
2902 | + shut_down |
2903 | + fi |
2904 | +} |
2905 | +trap cleanup EXIT |
2906 | + |
2907 | +start_up |
2908 | + |
2909 | +cleanup "no-shut-down" |
2910 | + |
2911 | +tpm2_clear |
2912 | + |
2913 | +run_tss_test() { |
2914 | + |
2915 | + tpm2_createprimary -Q -C e -g $alg_primary_obj -G $alg_primary_key \ |
2916 | + -c $file_primary_key_ctx |
2917 | + |
2918 | + tpm2_create -Q -g $alg_create_obj -G $alg_create_key \ |
2919 | + -u $file_loadexternal_key_pub -r $file_loadexternal_key_priv \ |
2920 | + -C $file_primary_key_ctx |
2921 | + |
2922 | + tpm2_loadexternal -Q -C n -u $file_loadexternal_key_pub \ |
2923 | + -c $file_loadexternal_key_ctx |
2924 | + |
2925 | + tpm2_evictcontrol -Q -C o -c $file_primary_key_ctx $Handle_parent |
2926 | + |
2927 | + # Test with Handle |
2928 | + cleanup "keep_handle" "no-shut-down" |
2929 | + |
2930 | + tpm2_create -Q -C $Handle_parent -g $alg_create_obj -G $alg_create_key \ |
2931 | + -u $file_loadexternal_key_pub -r $file_loadexternal_key_priv |
2932 | + |
2933 | + tpm2_loadexternal -Q -C n -u $file_loadexternal_key_pub \ |
2934 | + -c $file_loadexternal_key_ctx |
2935 | + |
2936 | + # Test with default hierarchy (and handle) |
2937 | + cleanup "keep_handle" "no-shut-down" |
2938 | + |
2939 | + tpm2_create -Q -C $Handle_parent -g $alg_create_obj -G $alg_create_key \ |
2940 | + -u $file_loadexternal_key_pub -r $file_loadexternal_key_priv |
2941 | + |
2942 | + tpm2_loadexternal -Q -u $file_loadexternal_key_pub \ |
2943 | + -c $file_loadexternal_key_ctx |
2944 | + |
2945 | + cleanup "no-shut-down" |
2946 | +} |
2947 | + |
2948 | +# Test loading an OSSL generated private key with a password |
2949 | +run_rsa_test() { |
2950 | + |
2951 | + openssl genrsa -out private.pem $1 |
2952 | + openssl rsa -in private.pem -out public.pem -outform PEM -pubout |
2953 | + |
2954 | + echo "hello world" > plain.txt |
2955 | + openssl rsautl -encrypt -inkey public.pem -pubin -in plain.txt \ |
2956 | + -out plain.rsa.enc |
2957 | + |
2958 | + tpm2_loadexternal -G rsa -C n -p foo -r private.pem -c key.ctx |
2959 | + |
2960 | + tpm2_rsadecrypt -c key.ctx -p foo -o plain.rsa.dec plain.rsa.enc |
2961 | + |
2962 | + diff plain.txt plain.rsa.dec |
2963 | + |
2964 | + # try encrypting with the public key and decrypting with the private |
2965 | + tpm2_loadexternal -G rsa -C n -p foo -u public.pem -c key.ctx |
2966 | + |
2967 | + tpm2_rsaencrypt -c key.ctx plain.txt -o plain.rsa.enc |
2968 | + |
2969 | + openssl rsautl -decrypt -inkey private.pem -in plain.rsa.enc \ |
2970 | + -out plain.rsa.dec |
2971 | + |
2972 | + diff plain.txt plain.rsa.dec |
2973 | + |
2974 | + cleanup "no-shut-down" |
2975 | +} |
2976 | + |
2977 | +# |
2978 | +# Verify loading an external AES key. |
2979 | +# |
2980 | +# Paramter 1: The AES keysize to create in bytes. |
2981 | +# |
2982 | +# Notes: Also tests that name output and YAML output are valid. |
2983 | +# |
2984 | +run_aes_test() { |
2985 | + |
2986 | + dd if=/dev/urandom of=sym.key bs=1 count=$(($1 / 8)) 2>/dev/null |
2987 | + |
2988 | + tpm2_loadexternal -G aes -r sym.key -n name.bin -c key.ctx > stdout.yaml |
2989 | + |
2990 | + local name1=$(yaml_get_kv "stdout.yaml" "name") |
2991 | + local name2="$(xxd -c 256 -p name.bin)" |
2992 | + |
2993 | + test "$name1" == "$name2" |
2994 | + |
2995 | + echo "plaintext" > "plain.txt" |
2996 | + |
2997 | + if is_cmd_supported "EncryptDecrypt"; then |
2998 | + tpm2_encryptdecrypt -c key.ctx -o plain.enc plain.txt |
2999 | + |
3000 | + openssl enc -in plain.enc -out plain.dec.ssl -d -K `xxd -c 256 -p sym.key` \ |
3001 | + -iv 0 -aes-$1-cfb |
3002 | + |
3003 | + diff plain.txt plain.dec.ssl |
3004 | + else |
3005 | + tpm2_readpublic -c key.ctx >out.pub |
3006 | + alg=$(yaml_get_kv out.pub "sym-alg" "value") |
3007 | + len=$(yaml_get_kv out.pub "sym-keybits") |
3008 | + if [ "$alg$len" != "aes$1" ]; then |
3009 | + echo "Algorithm parsed from tpm2_readpublic is '$alg$len' but \ |
3010 | + should be 'aes$1'" |
3011 | + exit 1 |
3012 | + fi |
3013 | + rm out.pub |
3014 | + fi |
3015 | + |
3016 | + cleanup "no-shut-down" |
3017 | +} |
3018 | + |
3019 | +run_ecc_test() { |
3020 | + # |
3021 | + # Test loading an OSSL PEM format ECC key, and verifying a signature |
3022 | + # external to the TPM |
3023 | + # |
3024 | + |
3025 | + # |
3026 | + # Generate a NIST P256 Private and Public ECC pem file |
3027 | + # |
3028 | + openssl ecparam -name $1 -genkey -noout -out private.ecc.pem |
3029 | + openssl ec -in private.ecc.pem -out public.ecc.pem -pubout |
3030 | + |
3031 | + # Generate a hash to sign |
3032 | + echo "data to sign" > data.in.raw |
3033 | + shasum -a 256 data.in.raw | awk '{ print "000000 " $1 }' | xxd -r -c 32 > \ |
3034 | + data.in.digest |
3035 | + |
3036 | + # Load the private key for signing |
3037 | + tpm2_loadexternal -Q -G ecc -r private.ecc.pem -c key.ctx |
3038 | + |
3039 | + # Sign in the TPM and verify with OSSL |
3040 | + tpm2_sign -Q -c key.ctx -g sha256 -d -f plain -o data.out.signed \ |
3041 | + data.in.digest |
3042 | + openssl dgst -verify public.ecc.pem -keyform pem -sha256 -signature \ |
3043 | + data.out.signed data.in.raw |
3044 | + |
3045 | + # Sign with openssl and verify with TPM but only with the public portion of |
3046 | + # an object loaded |
3047 | + tpm2_loadexternal -Q -G ecc -u public.ecc.pem -c key.ctx |
3048 | + openssl dgst -sha256 -sign private.ecc.pem -out data.out.signed data.in.raw |
3049 | + tpm2_verifysignature -Q -c key.ctx -g sha256 -m data.in.raw -f ecdsa \ |
3050 | + -s data.out.signed |
3051 | + |
3052 | + cleanup "no-shut-down" |
3053 | +} |
3054 | + |
3055 | +run_rsa_passin_test() { |
3056 | + |
3057 | + openssl genrsa -aes128 -passout "pass:mypassword" -out "private.pem" 1024 |
3058 | + |
3059 | + if [ "$2" != "stdin" ]; then |
3060 | + cmd="tpm2_loadexternal -Q -G rsa -r $1 -c key.ctx --passin $2" |
3061 | + else |
3062 | + cmd="tpm2_loadexternal -Q -G rsa -r $1 -c key.ctx --passin $2 < $3" |
3063 | + fi; |
3064 | + |
3065 | + eval $cmd |
3066 | + |
3067 | + cleanup "no-shut-down" |
3068 | +} |
3069 | + |
3070 | +run_tss_test |
3071 | + |
3072 | +for len in "1024 2048"; do |
3073 | + if is_alg_supported "rsa$len"; then |
3074 | + run_rsa_test $len |
3075 | + fi |
3076 | +done |
3077 | + |
3078 | +for len in "128 256"; do |
3079 | + if is_alg_supported "aes$len"; then |
3080 | + run_aes_test $len |
3081 | + fi |
3082 | +done |
3083 | + |
3084 | +if is_alg_supported "ecc256"; then |
3085 | + run_ecc_test prime256v1 |
3086 | +fi |
3087 | + |
3088 | +# |
3089 | +# Test loadexternal passin option |
3090 | +# |
3091 | +run_rsa_passin_test "private.pem" "pass:mypassword" |
3092 | + |
3093 | +export envvar="mypassword" |
3094 | +run_rsa_passin_test "private.pem" "env:envvar" |
3095 | + |
3096 | +echo -n "mypassword" > "passfile" |
3097 | +run_rsa_passin_test "private.pem" "file:passfile" |
3098 | + |
3099 | +echo -n "mypassword" > "passfile" |
3100 | +exec 42<> passfile |
3101 | +run_rsa_passin_test "private.pem" "fd:42" |
3102 | + |
3103 | +echo -n "mypassword" > "passfile" |
3104 | +run_rsa_passin_test "private.pem" "stdin" "passfile" |
3105 | + |
3106 | + |
3107 | +exit 0 |
3108 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/makecredential.sh b/data/tpm2-tools-4.1.1/integration/tests/makecredential.sh |
3109 | new file mode 100755 |
3110 | index 0000000..228749a |
3111 | --- /dev/null |
3112 | +++ b/data/tpm2-tools-4.1.1/integration/tests/makecredential.sh |
3113 | @@ -0,0 +1,52 @@ |
3114 | +# SPDX-License-Identifier: BSD-3-Clause |
3115 | + |
3116 | +source helpers.sh |
3117 | + |
3118 | +handle_ek=0x81010007 |
3119 | +ak_ctx=ak.ctx |
3120 | +ek_alg=rsa |
3121 | +ak_alg=rsa |
3122 | +digestAlg=sha256 |
3123 | +signAlg=rsassa |
3124 | + |
3125 | +file_input_data=secret.data |
3126 | +output_ek_pub=ek_pub.out |
3127 | +output_ak_pub=ak_pub.out |
3128 | +output_ak_pub_name=ak_name_pub.out |
3129 | +output_mkcredential=mkcredential.out |
3130 | + |
3131 | +cleanup() { |
3132 | + rm -f $output_ek_pub $output_ak_pub $output_ak_pub_name \ |
3133 | + $output_mkcredential $file_input_data output_ak grep.txt $ak_ctx |
3134 | + |
3135 | + tpm2_evictcontrol -Q -Co -c $handle_ek 2>/dev/null || true |
3136 | + |
3137 | + if [ "$1" != "no-shut-down" ]; then |
3138 | + shut_down |
3139 | + fi |
3140 | +} |
3141 | +trap cleanup EXIT |
3142 | + |
3143 | +start_up |
3144 | + |
3145 | +cleanup "no-shut-down" |
3146 | + |
3147 | +echo "12345678" > $file_input_data |
3148 | + |
3149 | +tpm2_createek -Q -c $handle_ek -G $ek_alg -u $output_ek_pub |
3150 | + |
3151 | +tpm2_createak -Q -C $handle_ek -c $ak_ctx -G $ak_alg -g $digestAlg -s $signAlg \ |
3152 | +-u $output_ak_pub -n $output_ak_pub_name |
3153 | + |
3154 | +# Use -c in xxd so there is no line wrapping |
3155 | +file_size=`ls -l $output_ak_pub_name | awk {'print $5'}` |
3156 | +Loadkeyname=`cat $output_ak_pub_name | xxd -p -c $file_size` |
3157 | + |
3158 | +tpm2_makecredential -Q -e $output_ek_pub -s $file_input_data -n $Loadkeyname \ |
3159 | +-o $output_mkcredential |
3160 | + |
3161 | +# use no tpm backend |
3162 | +tpm2_makecredential -T none -Q -e $output_ek_pub -s $file_input_data \ |
3163 | +-n $Loadkeyname -o $output_mkcredential |
3164 | + |
3165 | +exit 0 |
3166 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/nv.sh b/data/tpm2-tools-4.1.1/integration/tests/nv.sh |
3167 | new file mode 100755 |
3168 | index 0000000..13bb1d1 |
3169 | --- /dev/null |
3170 | +++ b/data/tpm2-tools-4.1.1/integration/tests/nv.sh |
3171 | @@ -0,0 +1,288 @@ |
3172 | +# SPDX-License-Identifier: BSD-3-Clause |
3173 | + |
3174 | +source helpers.sh |
3175 | + |
3176 | +nv_test_index=0x1500018 |
3177 | + |
3178 | +large_file_name="nv.test_large_w" |
3179 | +large_file_read_name="nv.test_large_r" |
3180 | + |
3181 | +pcr_specification=sha256:0,1,2,3+sha1:0,1,2,3 |
3182 | +file_pcr_value=pcr.bin |
3183 | +file_policy=policy.data |
3184 | + |
3185 | +cleanup() { |
3186 | + tpm2_nvundefine -Q $nv_test_index -C o 2>/dev/null || true |
3187 | + tpm2_nvundefine -Q 0x1500016 -C 0x40000001 2>/dev/null || true |
3188 | + tpm2_nvundefine -Q 0x1500015 -C 0x40000001 -P owner 2>/dev/null || true |
3189 | + |
3190 | + rm -f policy.bin test.bin nv.test_w $large_file_name $large_file_read_name \ |
3191 | + nv.readlock foo.dat cmp.dat $file_pcr_value $file_policy nv.out cap.out yaml.out |
3192 | + |
3193 | + if [ "$1" != "no-shut-down" ]; then |
3194 | + shut_down |
3195 | + fi |
3196 | +} |
3197 | +trap cleanup EXIT |
3198 | + |
3199 | +start_up |
3200 | + |
3201 | +cleanup "no-shut-down" |
3202 | + |
3203 | +tpm2_clear |
3204 | + |
3205 | +#Test nvdefine with no options |
3206 | +tpm2_nvdefine > yaml.out |
3207 | +tpm2_nvundefine $(yaml_get_kv yaml.out "nv-index") |
3208 | + |
3209 | +#Test default values for the hierarchy "-a" parameter |
3210 | +tpm2_nvdefine -Q $nv_test_index -s 32 -a "ownerread|policywrite|ownerwrite" |
3211 | +tpm2_nvundefine -Q $nv_test_index |
3212 | + |
3213 | +#Test writing and reading |
3214 | +tpm2_nvdefine -Q $nv_test_index -C o -s 32 \ |
3215 | +-a "ownerread|policywrite|ownerwrite" |
3216 | + |
3217 | +echo "please123abc" > nv.test_w |
3218 | + |
3219 | +tpm2_nvwrite -Q $nv_test_index -C o -i nv.test_w |
3220 | + |
3221 | +tpm2_nvread -Q $nv_test_index -C o -s 32 -o 0 |
3222 | + |
3223 | +tpm2_nvreadpublic > nv.out |
3224 | +yaml_get_kv nv.out "$nv_test_index" > /dev/null |
3225 | +yaml_get_kv nv.out "$nv_test_index" "name" > /dev/null |
3226 | + |
3227 | + |
3228 | +# Test writing to and reading from an offset by: |
3229 | +# 1. writing "foo" into the nv file at an offset |
3230 | +# 2. writing to the same offset in the nv index |
3231 | +# 3. reading back the index |
3232 | +# 4. comparing the result. |
3233 | + |
3234 | +echo -n "foo" > foo.dat |
3235 | + |
3236 | +dd if=foo.dat of=nv.test_w bs=1 seek=4 conv=notrunc 2>/dev/null |
3237 | + |
3238 | +# XXX following test segfault (S. PINEAU 20/04/17) |
3239 | +## Test a pipe input |
3240 | +#cat foo.dat | tpm2_nvwrite -Q $nv_test_index -C o --offset 4 -i - |
3241 | +tpm2_nvwrite -Q $nv_test_index -C o --offset 4 -i foo.dat |
3242 | + |
3243 | +tpm2_nvread $nv_test_index -C o -s 13 > cmp.dat |
3244 | + |
3245 | +cmp nv.test_w cmp.dat |
3246 | + |
3247 | +# Writing at an offset and data size too big shouldn't result in a change |
3248 | +# to the index value. |
3249 | + |
3250 | +trap - ERR |
3251 | + |
3252 | +tpm2_nvwrite -Q $nv_test_index -C o -o 30 -i foo.dat 2>/dev/null |
3253 | +if [ $? -eq 0 ]; then |
3254 | + echo "Writing past the public size shouldn't work!" |
3255 | + exit 1 |
3256 | +fi |
3257 | +trap onerror ERR |
3258 | + |
3259 | +tpm2_nvread $nv_test_index -C o -s 13 > cmp.dat |
3260 | + |
3261 | +cmp nv.test_w cmp.dat |
3262 | + |
3263 | +tpm2_nvundefine $nv_test_index -C o |
3264 | + |
3265 | +tpm2_pcrread -Q -o $file_pcr_value $pcr_specification |
3266 | + |
3267 | +tpm2_createpolicy -Q --policy-pcr -l $pcr_specification -f $file_pcr_value \ |
3268 | +-L $file_policy |
3269 | + |
3270 | +tpm2_nvdefine -Q 0x1500016 -C 0x40000001 -s 32 -L $file_policy \ |
3271 | +-a "policyread|policywrite" |
3272 | + |
3273 | +# Write with index authorization for now, since tpm2_nvwrite does not support |
3274 | +# pcr policy. |
3275 | +echo -n "policy locked" | tpm2_nvwrite -Q 0x1500016 -C 0x1500016 \ |
3276 | +-P pcr:$pcr_specification=$file_pcr_value -i - |
3277 | + |
3278 | +str=`tpm2_nvread 0x1500016 -C 0x1500016 \ |
3279 | +-P pcr:$pcr_specification=$file_pcr_value -s 13` |
3280 | + |
3281 | +test "policy locked" == "$str" |
3282 | + |
3283 | +# this should fail because authread is not allowed |
3284 | +trap - ERR |
3285 | +tpm2_nvread 0x1500016 -C 0x1500016 -P "index" 2>/dev/null |
3286 | +trap onerror ERR |
3287 | + |
3288 | +tpm2_nvundefine -Q 0x1500016 -C 0x40000001 |
3289 | + |
3290 | +# |
3291 | +# Test large writes |
3292 | +# |
3293 | + |
3294 | +tpm2_getcap properties-fixed > cap.out |
3295 | +large_file_size=`yaml_get_kv cap.out "TPM2_PT_NV_INDEX_MAX" "raw"` |
3296 | +nv_test_index=0x1000000 |
3297 | + |
3298 | +# Create an nv space with attributes 1010 = TPMA_NV_PPWRITE and |
3299 | +# TPMA_NV_AUTHWRITE |
3300 | +tpm2_nvdefine -Q $nv_test_index -C o -s $large_file_size -a 0x2000A |
3301 | + |
3302 | +base64 /dev/urandom | head -c $(($large_file_size)) > $large_file_name |
3303 | + |
3304 | +# XXX following test segfault (S. PINEAU 20/04/17) |
3305 | +## Test file input redirection |
3306 | +#tpm2_nvwrite -Q $nv_test_index -C o -i -< $large_file_name |
3307 | +# |
3308 | +#tpm2_nvread $nv_test_index -C o > $large_file_read_name |
3309 | +# |
3310 | +#cmp -s $large_file_read_name $large_file_name |
3311 | + |
3312 | +# test per-index readpublic |
3313 | +tpm2_nvreadpublic "$nv_test_index" > nv.out |
3314 | +yaml_get_kv nv.out "$nv_test_index" > /dev/null |
3315 | + |
3316 | +tpm2_nvundefine -Q $nv_test_index -C o |
3317 | + |
3318 | +# |
3319 | +# Test NV access locked |
3320 | +# |
3321 | +tpm2_nvdefine -Q $nv_test_index -C o -s 32 \ |
3322 | +-a "ownerread|policywrite|ownerwrite|read_stclear|writedefine" |
3323 | + |
3324 | +echo "foobar" > nv.readlock |
3325 | + |
3326 | +tpm2_nvwrite -Q $nv_test_index -C o -i nv.readlock |
3327 | + |
3328 | +tpm2_nvread -Q $nv_test_index -C o -s 6 -o 0 |
3329 | + |
3330 | +tpm2_nvreadlock -Q $nv_test_index -C o |
3331 | + |
3332 | +# Reset ERR signal handler to test for expected nvread error |
3333 | +trap - ERR |
3334 | + |
3335 | +tpm2_nvread -Q $nv_test_index -C o -s 6 -o 0 2> /dev/null |
3336 | +if [ $? != 1 ];then |
3337 | + echo "nvread didn't fail!" |
3338 | + exit 1 |
3339 | +fi |
3340 | + |
3341 | +trap onerror ERR |
3342 | + |
3343 | +# Test that write lock works |
3344 | +tpm2_nvwritelock -C o $nv_test_index |
3345 | + |
3346 | +trap - ERR |
3347 | + |
3348 | +tpm2_nvwrite $nv_test_index -C o -i nv.readlock |
3349 | +if [ $? != 1 ];then |
3350 | + echo "nvwrite didn't fail!" |
3351 | + exit 1 |
3352 | +fi |
3353 | + |
3354 | +tpm2_nvundefine -C o $nv_test_index |
3355 | + |
3356 | +trap onerror ERR |
3357 | + |
3358 | +# |
3359 | +# Test that owner and index passwords work by |
3360 | +# 1. Setting up the owner password |
3361 | +# 2. Defining an nv index that can be satisfied by an: |
3362 | +# a. Owner authorization |
3363 | +# b. Index authorization |
3364 | +# 3. Using index and owner based auth during write/read operations |
3365 | +# 4. Testing that auth is needed or a failure occurs. |
3366 | +# |
3367 | + |
3368 | +tpm2_changeauth -c o owner |
3369 | + |
3370 | +tpm2_nvdefine 0x1500015 -C 0x40000001 -s 32 \ |
3371 | + -a "policyread|policywrite|authread|authwrite|ownerwrite|ownerread" \ |
3372 | + -p "index" -P "owner" |
3373 | + |
3374 | +# Use index password write/read, implicit -a |
3375 | +tpm2_nvwrite -Q 0x1500015 -P "index" -i nv.test_w |
3376 | +tpm2_nvread -Q 0x1500015 -P "index" |
3377 | + |
3378 | +# Use index password write/read, explicit -a |
3379 | +tpm2_nvwrite -Q 0x1500015 -C 0x1500015 -P "index" -i nv.test_w |
3380 | +tpm2_nvread -Q 0x1500015 -C 0x1500015 -P "index" |
3381 | + |
3382 | +# use owner password |
3383 | +tpm2_nvwrite -Q 0x1500015 -C 0x40000001 -P "owner" -i nv.test_w |
3384 | +tpm2_nvread -Q 0x1500015 -C 0x40000001 -P "owner" |
3385 | + |
3386 | +# Check a bad password fails |
3387 | +trap - ERR |
3388 | +tpm2_nvwrite -Q 0x1500015 -C 0x1500015 -P "wrong" -i nv.test_w 2>/dev/null |
3389 | +if [ $? -eq 0 ];then |
3390 | + echo "nvwrite with bad password should fail!" |
3391 | + exit 1 |
3392 | +fi |
3393 | + |
3394 | +# Check using authorisation with tpm2_nvundefine |
3395 | +trap onerror ERR |
3396 | + |
3397 | +tpm2_nvundefine 0x1500015 -C 0x40000001 -P "owner" |
3398 | + |
3399 | +# Check nv index can be specified simply as an offset |
3400 | +tpm2_nvdefine -Q -C o -s 32 -a "ownerread|ownerwrite" 1 -P "owner" |
3401 | +tpm2_nvundefine 0x01000001 -C o -P "owner" |
3402 | + |
3403 | +# Test setbits |
3404 | +tpm2_nvdefine -C o -P "owner" -a "nt=bits|ownerread|policywrite|ownerwrite|writedefine" $nv_test_index |
3405 | +tpm2_nvsetbits -C o -P "owner" -i 0xbadc0de $nv_test_index |
3406 | +check=$(tpm2_nvread -C o -P "owner" $nv_test_index | xxd -p | sed s/'^0*'/0x/) |
3407 | +if [ "$check" != "0xbadc0de" ]; then |
3408 | + echo "Expected setbits read value of 0xbadc0de, got \"$check\"" |
3409 | + exit 1 |
3410 | +fi |
3411 | + |
3412 | +# Test global writelock |
3413 | +if is_cmd_supported "NV_GlobalWriteLock"; then |
3414 | + tpm2_nvdefine -C o -P "owner" -s 32 -a "ownerread|ownerwrite|globallock" 42 |
3415 | + tpm2_nvdefine -C o -P "owner" -s 32 -a "ownerread|ownerwrite|globallock" 43 |
3416 | + tpm2_nvdefine -C o -P "owner" -s 32 -a "ownerread|ownerwrite|globallock" 44 |
3417 | + |
3418 | + echo foo | tpm2_nvwrite -C o -P "owner" -i- 42 |
3419 | + echo foo | tpm2_nvwrite -C o -P "owner" -i- 43 |
3420 | + echo foo | tpm2_nvwrite -C o -P "owner" -i- 44 |
3421 | + |
3422 | + tpm2_nvwritelock -Co -P owner --global |
3423 | + |
3424 | + # These writes should fail now that its in a writelocked state |
3425 | + trap - ERR |
3426 | + echo foo | tpm2_nvwrite -C o -P "owner" -i- 42 |
3427 | + if [ $? -eq 0 ]; then |
3428 | + echo "Expected tpm2_nvwrite to fail after globalwritelock of index 42" |
3429 | + exit 1 |
3430 | + fi |
3431 | + |
3432 | + echo foo | tpm2_nvwrite -C o -P "owner" -i- 43 |
3433 | + if [ $? -eq 0 ]; then |
3434 | + echo "Expected tpm2_nvwrite to fail after globalwritelock of index 43" |
3435 | + exit 1 |
3436 | + fi |
3437 | + |
3438 | + echo foo | tpm2_nvwrite -C o -P "owner" -i- 44 |
3439 | + if [ $? -eq 0 ]; then |
3440 | + echo "Expected tpm2_nvwrite to fail after globalwritelock of index 44" |
3441 | + exit 1 |
3442 | + fi |
3443 | +fi |
3444 | + |
3445 | +trap onerror ERR |
3446 | + |
3447 | +tpm2_nvundefine -C o -P "owner" $nv_test_index |
3448 | + |
3449 | +# Test extend |
3450 | +tpm2_nvdefine -C o -P "owner" -a "nt=extend|ownerread|policywrite|ownerwrite" $nv_test_index |
3451 | +echo "foo" | tpm2_nvextend -C o -P "owner" -i- $nv_test_index |
3452 | +check=$(tpm2_nvread -C o -P "owner" $nv_test_index | xxd -p -c 64 | sed s/'^0*'//) |
3453 | +expected="1c8457de84bb43c18d5e1d75c43e393bdaa7bca8d25967eedd580c912db65e3e" |
3454 | +if [ "$check" != "$expected" ]; then |
3455 | + echo "Expected setbits read value of \"$expected\", got \"$check\"" |
3456 | + exit 1 |
3457 | +fi |
3458 | + |
3459 | +exit 0 |
3460 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/nvcertify.sh b/data/tpm2-tools-4.1.1/integration/tests/nvcertify.sh |
3461 | new file mode 100755 |
3462 | index 0000000..fe6d861 |
3463 | --- /dev/null |
3464 | +++ b/data/tpm2-tools-4.1.1/integration/tests/nvcertify.sh |
3465 | @@ -0,0 +1,54 @@ |
3466 | +# SPDX-License-Identifier: BSD-3-Clause |
3467 | + |
3468 | +source helpers.sh |
3469 | + |
3470 | +cleanup() { |
3471 | + rm -f primary.ctx signing_key.pub signing_key.priv signature.bin attestation.bin \ |
3472 | + sslpub.pem signing_key.ctx qual.dat |
3473 | + |
3474 | + if [ "$1" != "no-shut-down" ]; then |
3475 | + shut_down |
3476 | + fi |
3477 | +} |
3478 | +trap cleanup EXIT |
3479 | + |
3480 | +start_up |
3481 | + |
3482 | +cleanup "no-shut-down" |
3483 | + |
3484 | +tpm2_clear -Q |
3485 | + |
3486 | +tpm2_createprimary -C o -c primary.ctx -Q |
3487 | + |
3488 | +tpm2_create -G rsa -u signing_key.pub -r signing_key.priv -C primary.ctx \ |
3489 | +-c signing_key.ctx -Q |
3490 | + |
3491 | +tpm2_readpublic -c signing_key.ctx -f pem -o sslpub.pem -Q |
3492 | + |
3493 | +tpm2_nvdefine -s 32 -a "authread|authwrite" 1 |
3494 | + |
3495 | +dd if=/dev/urandom bs=1 count=32 status=none| tpm2_nvwrite 1 -i- |
3496 | + |
3497 | +tpm2_nvcertify -C signing_key.ctx -g sha256 -f plain -s rsassa \ |
3498 | +-o signature.bin --attestation attestation.bin --size 32 1 |
3499 | + |
3500 | +openssl dgst -verify sslpub.pem -keyform pem -sha256 -signature signature.bin \ |
3501 | +attestation.bin |
3502 | + |
3503 | +# |
3504 | +# Test with qualifier data |
3505 | +# |
3506 | +dd if=/dev/urandom of=qual.dat bs=1 count=32 |
3507 | + |
3508 | +tpm2_nvcertify -C signing_key.ctx -g sha256 -f plain -s rsassa \ |
3509 | +-o signature.bin --attestation attestation.bin --size 32 -q qual.dat 1 |
3510 | + |
3511 | +openssl dgst -verify sslpub.pem -keyform pem -sha256 -signature signature.bin \ |
3512 | +attestation.bin |
3513 | + |
3514 | +# |
3515 | +# Test if qualifier data was present in the attestation |
3516 | +# |
3517 | +xxd -p attestation.bin | tr -d '\n' | grep `xxd -p qual.dat | tr -d '\n'` |
3518 | + |
3519 | +exit 0 |
3520 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/nvinc.sh b/data/tpm2-tools-4.1.1/integration/tests/nvinc.sh |
3521 | new file mode 100755 |
3522 | index 0000000..d99f681 |
3523 | --- /dev/null |
3524 | +++ b/data/tpm2-tools-4.1.1/integration/tests/nvinc.sh |
3525 | @@ -0,0 +1,152 @@ |
3526 | +# SPDX-License-Identifier: BSD-3-Clause |
3527 | +#;**********************************************************************; |
3528 | + |
3529 | +source helpers.sh |
3530 | + |
3531 | +nv_test_index=0x1500018 |
3532 | + |
3533 | +pcr_specification=sha256:0,1,2,3+sha1:0,1,2,3 |
3534 | +file_pcr_value=pcr.bin |
3535 | +file_policy=policy.data |
3536 | + |
3537 | +cleanup() { |
3538 | + tpm2_nvundefine -Q $nv_test_index -C o 2>/dev/null || true |
3539 | + tpm2_nvundefine -Q 0x1500016 -C 0x40000001 2>/dev/null || true |
3540 | + tpm2_nvundefine -Q 0x1500015 -C 0x40000001 -P owner 2>/dev/null || true |
3541 | + |
3542 | + rm -f policy.bin test.bin nv.readlock foo.dat $file_pcr_value $file_policy \ |
3543 | + nv.out cap.out |
3544 | + |
3545 | + if [ "$1" != "no-shut-down" ]; then |
3546 | + shut_down |
3547 | + fi |
3548 | +} |
3549 | +trap cleanup EXIT |
3550 | + |
3551 | +start_up |
3552 | + |
3553 | +cleanup "no-shut-down" |
3554 | + |
3555 | +tpm2_clear |
3556 | + |
3557 | +tpm2_nvdefine -Q $nv_test_index -C o -s 8 \ |
3558 | +-a "ownerread|policywrite|ownerwrite|nt=1" |
3559 | + |
3560 | +tpm2_nvincrement -Q $nv_test_index -C o |
3561 | + |
3562 | +a=0x$(tpm2_nvread $nv_test_index -C o -s 8 | xxd -p) |
3563 | + |
3564 | +tpm2_nvreadpublic > nv.out |
3565 | +yaml_get_kv nv.out "$nv_test_index" > /dev/null |
3566 | + |
3567 | +# Test writing to and reading from an offset by: |
3568 | +# 1. incrementing the nv counter |
3569 | +# 2. reading back the index |
3570 | +# 3. comparing the result. |
3571 | + |
3572 | +tpm2_nvincrement -Q $nv_test_index -C o |
3573 | + |
3574 | +b=0x$(tpm2_nvread $nv_test_index -C o -s 8 | xxd -p) |
3575 | + |
3576 | +if [ $(($a+1)) -ne $(($b)) ]; then |
3577 | + echo "Failed to increment: $(($a)) -> $(($b))." |
3578 | + exit 1 |
3579 | +fi |
3580 | + |
3581 | +tpm2_nvundefine $nv_test_index -C o |
3582 | + |
3583 | + |
3584 | +tpm2_pcrread -Q -o $file_pcr_value $pcr_specification |
3585 | + |
3586 | +tpm2_createpolicy -Q --policy-pcr -l $pcr_specification \ |
3587 | +-f $file_pcr_value -L $file_policy |
3588 | + |
3589 | +tpm2_nvdefine -Q 0x1500016 -C 0x40000001 -s 8 -L $file_policy \ |
3590 | +-a "policyread|policywrite|nt=1" |
3591 | + |
3592 | +# Increment with index authorization for now, since tpm2_nvincrement does not |
3593 | +# support pcr policy. |
3594 | +# Counter is initialised to highest value previously seen (in this case 2) then |
3595 | +# incremented |
3596 | +tpm2_nvincrement -Q 0x1500016 -C 0x1500016 \ |
3597 | +-P pcr:$pcr_specification=$file_pcr_value |
3598 | + |
3599 | +c=0x$(tpm2_nvread 0x1500016 -C 0x1500016 -P pcr:$pcr_specification=$file_pcr_value -s 8 | xxd -p) |
3600 | + |
3601 | +if [ $(($b+1)) -ne $(($c)) ]; then |
3602 | + echo "Failed to increment: $(($b)) -> $(($c))." |
3603 | + exit 1 |
3604 | +fi |
3605 | + |
3606 | +# this should fail because authread is not allowed |
3607 | +trap - ERR |
3608 | +tpm2_nvread 0x1500016 -C 0x1500016 -P "index" 2>/dev/null |
3609 | +trap onerror ERR |
3610 | + |
3611 | +tpm2_nvundefine -Q 0x1500016 -C 0x40000001 |
3612 | + |
3613 | + |
3614 | +# |
3615 | +# Test NV access locked |
3616 | +# |
3617 | +tpm2_nvdefine -Q $nv_test_index -C o -s 8 \ |
3618 | +-a "ownerread|policywrite|ownerwrite|read_stclear|nt=1" |
3619 | + |
3620 | +tpm2_nvincrement -Q $nv_test_index -C o |
3621 | + |
3622 | +tpm2_nvread -Q $nv_test_index -C o -s 8 |
3623 | + |
3624 | +tpm2_nvreadlock -Q $nv_test_index -C o |
3625 | + |
3626 | +# Reset ERR signal handler to test for expected nvread error |
3627 | +trap - ERR |
3628 | + |
3629 | +tpm2_nvread -Q $nv_test_index -C o -s 8 2> /dev/null |
3630 | +if [ $? != 1 ];then |
3631 | + echo "nvread didn't fail!" |
3632 | + exit 1 |
3633 | +fi |
3634 | + |
3635 | +# |
3636 | +# Test that owner and index passwords work by |
3637 | +# 1. Setting up the owner password |
3638 | +# 2. Defining an nv index that can be satisfied by an: |
3639 | +# a. Owner authorization |
3640 | +# b. Index authorization |
3641 | +# 3. Using index and owner based auth during write/read operations |
3642 | +# 4. Testing that auth is needed or a failure occurs. |
3643 | +# |
3644 | +trap onerror ERR |
3645 | + |
3646 | +tpm2_changeauth -c o owner |
3647 | + |
3648 | +tpm2_nvdefine 0x1500015 -C 0x40000001 -s 8 \ |
3649 | + -a "policyread|policywrite|authread|authwrite|ownerwrite|ownerread|nt=1" \ |
3650 | + -p "index" -P "owner" |
3651 | + |
3652 | +# Use index password write/read, implicit -C |
3653 | +tpm2_nvincrement -Q 0x1500015 -P "index" |
3654 | +tpm2_nvread -Q 0x1500015 -P "index" |
3655 | + |
3656 | +# Use index password write/read, explicit -C |
3657 | +tpm2_nvincrement -Q 0x1500015 -C 0x1500015 -P "index" |
3658 | +tpm2_nvread -Q 0x1500015 -C 0x1500015 -P "index" |
3659 | + |
3660 | +# use owner password |
3661 | +tpm2_nvincrement -Q 0x1500015 -C 0x40000001 -P "owner" |
3662 | +tpm2_nvread -Q 0x1500015 -C 0x40000001 -P "owner" |
3663 | + |
3664 | +# Check a bad password fails |
3665 | +trap - ERR |
3666 | +tpm2_nvincrement -Q 0x1500015 -C 0x1500015 -P "wrong" 2>/dev/null |
3667 | +if [ $? -eq 0 ];then |
3668 | + echo "nvincrement with bad password should fail!" |
3669 | + exit 1 |
3670 | +fi |
3671 | + |
3672 | +# Check using authorisation with tpm2_nvundefine |
3673 | +trap onerror ERR |
3674 | + |
3675 | +tpm2_nvundefine 0x1500015 -C 0x40000001 -P "owner" |
3676 | + |
3677 | +exit 0 |
3678 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/output_formats.sh b/data/tpm2-tools-4.1.1/integration/tests/output_formats.sh |
3679 | new file mode 100755 |
3680 | index 0000000..4214498 |
3681 | --- /dev/null |
3682 | +++ b/data/tpm2-tools-4.1.1/integration/tests/output_formats.sh |
3683 | @@ -0,0 +1,118 @@ |
3684 | +# SPDX-License-Identifier: BSD-3-Clause |
3685 | + |
3686 | +source helpers.sh |
3687 | + |
3688 | +# Purpose of this test is to cover the additional code paths that come into |
3689 | +# play when non-default output formats for public keys or signatures are used |
3690 | +# in the various tools. |
3691 | +# |
3692 | +# The test covers all available output formats, makes sure the tools |
3693 | +# successfully run in these cases and checks the output files by feeding them |
3694 | +# to OpenSSL as appropriate. |
3695 | + |
3696 | +alg_ek=rsa |
3697 | +file_pubek_base=ek_${alg_ek} |
3698 | +file_pubek_orig=${file_pubek_base}.tss.orig |
3699 | +handle_ek=0x81010014 |
3700 | + |
3701 | +alg_ak=rsa |
3702 | +file_pubak_name="ak.${alg_ak}.name" |
3703 | +file_pubak_tss="ak.${alg_ak}.tss" |
3704 | +file_pubak_pem="ak.${alg_ak}.pem" |
3705 | +handle_ak=0x81010016 |
3706 | +handle_ak_file=ak.handle |
3707 | +ak_ctx=ak.ctx |
3708 | + |
3709 | +file_hash_input="hash.in" |
3710 | +file_hash_ticket=hash.ticket |
3711 | +file_hash_result=hash.result |
3712 | +file_sig_base=hash.sig |
3713 | +alg_hash=sha256 |
3714 | + |
3715 | +file_quote_msg=quote.msg |
3716 | +file_quote_sig_base=quote.sig |
3717 | + |
3718 | +cleanup() { |
3719 | + rm -f "$file_pubek_base".* |
3720 | + rm -f "$file_pubak_tss" "$file_pubak_name" "$file_pubak_pem" |
3721 | + rm -f "$file_hash_ticket" "$file_hash_result" "$file_sig_base".* |
3722 | + rm -f "$file_quote_msg" "$file_quote_sig_base".* $file_hash_input |
3723 | + rm -f primary.ctx ecc.ctx ecc.pub ecc.priv ecc.fmt.pub $ak_ctx |
3724 | + |
3725 | + # Evict persistent handles, we want them to always succeed and never trip |
3726 | + # the onerror trap. |
3727 | + for handle in $handle_ek $handle_ak; do |
3728 | + tpm2_evictcontrol -Q -C o -c $handle 2>/dev/null || true |
3729 | + done |
3730 | + |
3731 | + shut_down |
3732 | +} |
3733 | +trap cleanup EXIT |
3734 | + |
3735 | +start_up |
3736 | + |
3737 | +head -c 4096 /dev/urandom > $file_hash_input |
3738 | + |
3739 | +tpm2_createek -Q -G $alg_ek -u "$file_pubek_orig" -c $handle_ek |
3740 | + |
3741 | +for fmt in tss pem der; do |
3742 | + |
3743 | + this_key="${file_pubek_base}.${fmt}" |
3744 | + |
3745 | + tpm2_readpublic -Q -c $handle_ek -f "$fmt" -o "$this_key" |
3746 | + |
3747 | + if [ "$fmt" = tss ]; then |
3748 | + diff "$file_pubek_orig" "$this_key" > /dev/null |
3749 | + else |
3750 | + openssl rsa -pubin -inform "$fmt" -text -in "$this_key" &> /dev/null |
3751 | + fi |
3752 | + |
3753 | +done |
3754 | + |
3755 | +tpm2_createak -Q -G $alg_ak -C $handle_ek -c $ak_ctx -u "$file_pubak_tss" \ |
3756 | +-n "$file_pubak_name" |
3757 | +echo "tpm2_evictcontrol -Q -c $ak_ctx -o $handle_ak_file" $handle_ak |
3758 | +tpm2_evictcontrol -Q -c $ak_ctx -o $handle_ak_file $handle_ak |
3759 | + |
3760 | +tpm2_readpublic -Q -c $handle_ak_file -f "pem" -o "$file_pubak_pem" |
3761 | + |
3762 | +tpm2_hash -Q -C e -g $alg_hash -t "$file_hash_ticket" -o "$file_hash_result" \ |
3763 | +"$file_hash_input" |
3764 | + |
3765 | +for fmt in tss plain; do |
3766 | + this_sig="${file_sig_base}.${fmt}" |
3767 | + tpm2_sign -Q -c $handle_ak -g $alg_hash -f $fmt -o "${this_sig}" \ |
3768 | + -t "${file_hash_ticket}" "${file_hash_input}" |
3769 | + |
3770 | + if [ "$fmt" = plain ]; then |
3771 | + openssl dgst -verify "$file_pubak_pem" -keyform pem -${alg_hash} \ |
3772 | + -signature "$this_sig" "$file_hash_input" > /dev/null |
3773 | + fi |
3774 | +done |
3775 | + |
3776 | +for fmt in tss plain; do |
3777 | + this_sig="${file_quote_sig_base}.${fmt}" |
3778 | + tpm2_quote -Q -c $handle_ak -l "$alg_hash":0 -f $fmt -m "$file_quote_msg" \ |
3779 | + -s "$this_sig" |
3780 | + |
3781 | + if [ "$fmt" = plain ]; then |
3782 | + openssl dgst -verify "$file_pubak_pem" -keyform pem -${alg_hash} \ |
3783 | + -signature "$this_sig" "$file_quote_msg" > /dev/null |
3784 | + fi |
3785 | +done |
3786 | + |
3787 | +# |
3788 | +# Test ECC keys |
3789 | +# |
3790 | +tpm2_createprimary -c primary.ctx |
3791 | +tpm2_create -Q -C primary.ctx -G ecc -u ecc.pub -r ecc.priv |
3792 | +tpm2_load -C primary.ctx -u ecc.pub -r ecc.priv -c ecc.ctx |
3793 | + |
3794 | +for fmt in pem der; do |
3795 | + |
3796 | + tpm2_readpublic -Q -c ecc.ctx -f "$fmt" -o ecc.fmt.pub |
3797 | + |
3798 | + openssl ec -pubin -inform "$fmt" -text -in ecc.fmt.pub &> /dev/null |
3799 | +done |
3800 | + |
3801 | +exit 0 |
3802 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/pcrallocate.sh b/data/tpm2-tools-4.1.1/integration/tests/pcrallocate.sh |
3803 | new file mode 100755 |
3804 | index 0000000..cbdf6e1 |
3805 | --- /dev/null |
3806 | +++ b/data/tpm2-tools-4.1.1/integration/tests/pcrallocate.sh |
3807 | @@ -0,0 +1,36 @@ |
3808 | +# SPDX-License-Identifier: BSD-3-Clause |
3809 | + |
3810 | +source helpers.sh |
3811 | + |
3812 | +cleanup() { |
3813 | + rm -f pcrs.out |
3814 | + |
3815 | + if [ "$1" != "no-shut-down" ]; then |
3816 | + shut_down |
3817 | + fi |
3818 | +} |
3819 | +trap cleanup EXIT |
3820 | + |
3821 | +start_up |
3822 | + |
3823 | +cleanup "no-shut-down" |
3824 | + |
3825 | +# Store the old banks because e.g. some TPM-simuators don't support SHA512 |
3826 | +OLDBANKS=$(tpm2_getcap pcrs | grep bank | sed 's/.*bank\: \(.*\)/+\1:all/' | \ |
3827 | +tr -d "\n") |
3828 | + |
3829 | +echo "OLDBANKS: $OLDBANKS" |
3830 | + |
3831 | +tpm2_pcrallocate -P "" sha1:7,8,9,10,16,17,18,19+sha256:all \ |
3832 | + | tee out.yml |
3833 | +yaml_verify out.yml |
3834 | + |
3835 | +tpm2_pcrallocate sha1:all+sha256:all | tee out.yml |
3836 | +yaml_verify out.yml |
3837 | + |
3838 | +tpm2_pcrallocate ${OLDBANKS:1} |
3839 | + |
3840 | +#Note: We cannot check if the allocations were performed by the TPM, since they |
3841 | +# will only take effect once the TPM reboots. |
3842 | + |
3843 | +exit 0 |
3844 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/pcrevent.sh b/data/tpm2-tools-4.1.1/integration/tests/pcrevent.sh |
3845 | new file mode 100755 |
3846 | index 0000000..4bc4b18 |
3847 | --- /dev/null |
3848 | +++ b/data/tpm2-tools-4.1.1/integration/tests/pcrevent.sh |
3849 | @@ -0,0 +1,74 @@ |
3850 | +# SPDX-License-Identifier: BSD-3-Clause |
3851 | + |
3852 | +#this script is for hash case testing |
3853 | + |
3854 | +source helpers.sh |
3855 | + |
3856 | +hash_out_file=hash.out |
3857 | +hash_in_file=hash.in |
3858 | +yaml_out_file=pcr_list.yaml |
3859 | + |
3860 | +cleanup() { |
3861 | + rm -f $hash_in_file $hash_out_file $yaml_out_file |
3862 | + |
3863 | + shut_down |
3864 | +} |
3865 | +trap cleanup EXIT |
3866 | + |
3867 | +start_up |
3868 | + |
3869 | +echo "T0naX0u123abc" > $hash_in_file |
3870 | + |
3871 | +# Run FILE and stdin as FILE |
3872 | +tpm2_pcrevent -Q $hash_in_file |
3873 | +tpm2_pcrevent -Q < $hash_in_file |
3874 | + |
3875 | +# Test that fifo stdin works |
3876 | +cat $hash_in_file | tpm2_pcrevent > $hash_out_file |
3877 | + |
3878 | +yaml_verify $hash_out_file |
3879 | + |
3880 | +# Verify output as expected. |
3881 | +while IFS='' read -r l || [[ -n "$l" ]]; do |
3882 | + |
3883 | + alg=`echo -n $l | cut -d\: -f 1-1` |
3884 | + if ! which "$alg"sum >/dev/null 2>&1; then |
3885 | + echo "Ignore checking $alg algorithm due to unavailable \"${alg}sum\" program" |
3886 | + continue |
3887 | + fi |
3888 | + |
3889 | + hash=`echo -n $l | awk {'print $2'}` |
3890 | + check=`"$alg"sum $hash_in_file | cut -d' ' -f 1-1` |
3891 | + if [ "$check" != "$hash" ]; then |
3892 | + echo "Hash check failed for alg \"$alg\", got \"$hash\", expected \"$check\"" |
3893 | + exit 1 |
3894 | + fi |
3895 | +done < $hash_out_file |
3896 | + |
3897 | +tpm2_pcrread sha1:9 > $yaml_out_file |
3898 | +old_pcr_value=`yaml_get_kv $yaml_out_file "sha1" "9"` |
3899 | + |
3900 | +# Verify that extend works, and test large files |
3901 | +dd if=/dev/urandom of=$hash_in_file count=1 bs=2093 2> /dev/null |
3902 | +tpm2_pcrevent -Q 9 $hash_in_file |
3903 | + |
3904 | +tpm2_pcrread sha1:9 > $yaml_out_file |
3905 | +new_pcr_value=`yaml_get_kv $yaml_out_file "sha1" "9"` |
3906 | + |
3907 | +if [ "$new_pcr_value" == "$old_pcr_value" ]; then |
3908 | + echo "Expected PCR value to change after pcrevent with index 9." |
3909 | + echo "Got the same hash as before: "$new_pcr_value"". |
3910 | + exit 1; |
3911 | +fi |
3912 | + |
3913 | +# verify that specifying -P without -i fails |
3914 | +trap - ERR |
3915 | + |
3916 | +cmd="tpm2_pcrevent -Q -P foo $hash_in_file 2> /dev/null" |
3917 | +eval "$cmd" |
3918 | +if [ $? -eq 0 ]; then |
3919 | + echo "Expected $cmd to fail, passed." |
3920 | + exit 1; |
3921 | +fi |
3922 | + |
3923 | +exit 0 |
3924 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/pcrextend.sh b/data/tpm2-tools-4.1.1/integration/tests/pcrextend.sh |
3925 | new file mode 100755 |
3926 | index 0000000..04bc3b8 |
3927 | --- /dev/null |
3928 | +++ b/data/tpm2-tools-4.1.1/integration/tests/pcrextend.sh |
3929 | @@ -0,0 +1,49 @@ |
3930 | +# SPDX-License-Identifier: BSD-3-Clause |
3931 | + |
3932 | +source helpers.sh |
3933 | + |
3934 | +start_up |
3935 | + |
3936 | +declare -A alg_hashes=( |
3937 | + ["sha1"]="f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" |
3938 | + ["sha256"]="6ea40aa7267bb71251c1de1c3605a3df759b86b22fa9f62aa298d4197cd88a38" |
3939 | + ["sha384"]="ecf669bad80a9b2b267d8671bd7d012d92e8cd30fd28d88dcdbcc2ddffbb995c7f226011ac24ae92dcfb493e0a5ecf89" |
3940 | + ["sha512"]="18b7381f36cdf5dd7c0b64835e0bf5041a52a38e3c3f4cbabcc4099d52590bf9916808138de511fb172cb64fcc11601f07d114f03e95e3d5ceacb330ce0f856a" |
3941 | + ["sm3_256"]="2b14a1fc49869413b0beb707069cffc0c6b0a51f3fedb9ce072c80709652b3ae" |
3942 | +) |
3943 | + |
3944 | +digests="" |
3945 | +# test a single algorithm based on what is supported |
3946 | +for alg in `tpm2_getcap pcrs | grep sha |awk {'print $2'} | awk -F: {'print $1'}`; do |
3947 | + |
3948 | + hash=${alg_hashes[$alg]} |
3949 | + |
3950 | + if [ ! -z $digests ]; then |
3951 | + digests="$digests," |
3952 | + fi |
3953 | + |
3954 | + digests="$digests$alg=$hash" |
3955 | + |
3956 | + tpm2_pcrextend 9:$alg=$hash |
3957 | + |
3958 | +done; |
3959 | + |
3960 | +# |
3961 | +# To keep things simple, compound specifications are just done with |
3962 | +# the supported sha1 algorithms to guarantee the command to succeed. |
3963 | +# |
3964 | +tpm2_pcrextend 8:$digests |
3965 | + |
3966 | +# Extend a PCR for all supported banks like in the previous test but |
3967 | +# try extending two PCR in the same command. |
3968 | +tpm2_pcrextend 8:$digests 9:$digests |
3969 | + |
3970 | +# Over-length hash should fail |
3971 | +if tpm2_pcrextend 8:$digests,sha1=${alg_hashes["sha256"]}; then |
3972 | + echo "tpm2_pcrextend with over-length hash didn't fail!" |
3973 | + exit 1 |
3974 | +else |
3975 | + true |
3976 | +fi |
3977 | + |
3978 | +exit 0 |
3979 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/pcrlist.sh b/data/tpm2-tools-4.1.1/integration/tests/pcrlist.sh |
3980 | new file mode 100755 |
3981 | index 0000000..fccf6db |
3982 | --- /dev/null |
3983 | +++ b/data/tpm2-tools-4.1.1/integration/tests/pcrlist.sh |
3984 | @@ -0,0 +1,29 @@ |
3985 | +# SPDX-License-Identifier: BSD-3-Clause |
3986 | + |
3987 | +source helpers.sh |
3988 | + |
3989 | +cleanup() { |
3990 | + rm -f pcrs.out |
3991 | + |
3992 | + if [ "$1" != "no-shut-down" ]; then |
3993 | + shut_down |
3994 | + fi |
3995 | +} |
3996 | +trap cleanup EXIT |
3997 | + |
3998 | +start_up |
3999 | + |
4000 | +cleanup "no-shut-down" |
4001 | + |
4002 | +tpm2_pcrread > pcrs.out |
4003 | +yaml_verify pcrs.out |
4004 | + |
4005 | +tpm2_pcrread -Q 0x04 |
4006 | + |
4007 | +tpm2_pcrread -Q -o pcrs.out 0x04:17,18,19+sha256:0,17,18,19 |
4008 | + |
4009 | +test -e pcrs.out |
4010 | + |
4011 | +tpm2_pcrread -Q |
4012 | + |
4013 | +exit 0 |
4014 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/pcrreset.sh b/data/tpm2-tools-4.1.1/integration/tests/pcrreset.sh |
4015 | new file mode 100755 |
4016 | index 0000000..471b3f1 |
4017 | --- /dev/null |
4018 | +++ b/data/tpm2-tools-4.1.1/integration/tests/pcrreset.sh |
4019 | @@ -0,0 +1,31 @@ |
4020 | +# SPDX-License-Identifier: BSD-3-Clause |
4021 | + |
4022 | +source helpers.sh |
4023 | + |
4024 | +cleanup() { |
4025 | + if [ "$1" != "no-shut-down" ]; then |
4026 | + shut_down |
4027 | + fi |
4028 | +} |
4029 | +trap cleanup EXIT |
4030 | + |
4031 | +start_up |
4032 | + |
4033 | +cleanup "no-shut-down" |
4034 | + |
4035 | +# Reset a resettable PCR |
4036 | +tpm2_pcrreset 23 |
4037 | + |
4038 | +# Reset more than one resettable PCR |
4039 | +tpm2_pcrreset 16 23 |
4040 | + |
4041 | +trap - ERR |
4042 | + |
4043 | +# Get PCR_Reset bad locality error |
4044 | +tpm2_pcrreset 0 |
4045 | +if [ $? -eq 0 ]; then |
4046 | + echo "Expected PCR reset of 0 to induce bad locality error" |
4047 | + exit 1 |
4048 | +fi |
4049 | + |
4050 | +exit 0 |
4051 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/print.sh b/data/tpm2-tools-4.1.1/integration/tests/print.sh |
4052 | new file mode 100755 |
4053 | index 0000000..ebbfb28 |
4054 | --- /dev/null |
4055 | +++ b/data/tpm2-tools-4.1.1/integration/tests/print.sh |
4056 | @@ -0,0 +1,75 @@ |
4057 | +# SPDX-License-Identifier: BSD-3-Clause |
4058 | + |
4059 | +source helpers.sh |
4060 | + |
4061 | +ak_ctx=ak.ctx |
4062 | +ek_handle=0x81010017 |
4063 | + |
4064 | +ak_name_file=ak.name |
4065 | +ak_pubkey_file=ak.pub |
4066 | + |
4067 | +quote_file=quote.bin |
4068 | +print_file=quote.yaml |
4069 | + |
4070 | +cleanup() { |
4071 | + rm -f $ak_name_file $ak_pubkey_file \ |
4072 | + $quote_file $print_file $ak_ctx |
4073 | + |
4074 | + if [ "$1" != "no-shut-down" ]; then |
4075 | + shut_down |
4076 | + fi |
4077 | +} |
4078 | +trap cleanup EXIT |
4079 | + |
4080 | +start_up |
4081 | + |
4082 | +cleanup "no-shut-down" |
4083 | + |
4084 | +tpm2_clear |
4085 | + |
4086 | +# Create signing key |
4087 | +tpm2_createek -Q -G rsa -c $ek_handle |
4088 | +tpm2_createak -Q -G rsa -g sha256 -s rsassa -C $ek_handle -c $ak_ctx\ |
4089 | + -u $ak_pubkey_file -n $ak_name_file |
4090 | + |
4091 | +# Take PCR quote |
4092 | +tpm2_quote -Q -c $ak_ctx -l "sha256:0,2,4,9,10,11,12,17" -q "0f8beb45ac" \ |
4093 | +-m $quote_file |
4094 | + |
4095 | +# Print TPM's quote file |
4096 | +tpm2_print -t TPMS_ATTEST $quote_file > $print_file |
4097 | + |
4098 | +# Check printed yaml |
4099 | +python3 << pyscript |
4100 | +from __future__ import print_function |
4101 | + |
4102 | +import sys |
4103 | +import re |
4104 | +import yaml |
4105 | + |
4106 | +with open("$print_file") as fd: |
4107 | + yaml = yaml.safe_load(fd) |
4108 | + |
4109 | + assert(yaml["magic"] == "ff544347") |
4110 | + assert(yaml["type"] == 8018) |
4111 | + assert(yaml["extraData"] == "0f8beb45ac") |
4112 | + |
4113 | + quote = yaml["attested"]["quote"] |
4114 | + |
4115 | + # there should be only one pcr selection |
4116 | + assert(quote["pcrSelect"]["count"] == 1) |
4117 | + |
4118 | + pcr_select = quote["pcrSelect"]["pcrSelections"][0] |
4119 | + |
4120 | + # pcr selection should match above options |
4121 | + assert(pcr_select["hash"] == "11 (sha256)") |
4122 | + assert(pcr_select["sizeofSelect"] == 3) |
4123 | + assert(pcr_select["pcrSelect"] == "151e02") |
4124 | + |
4125 | + # pcrDigest should be lowercase hex encoded sha256sum per above options |
4126 | + assert(re.match('^[0-9a-f]{64}$', quote["pcrDigest"])) |
4127 | + |
4128 | + print("OK") |
4129 | +pyscript |
4130 | + |
4131 | +exit 0 |
4132 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/quote.sh b/data/tpm2-tools-4.1.1/integration/tests/quote.sh |
4133 | new file mode 100755 |
4134 | index 0000000..492600b |
4135 | --- /dev/null |
4136 | +++ b/data/tpm2-tools-4.1.1/integration/tests/quote.sh |
4137 | @@ -0,0 +1,96 @@ |
4138 | +# SPDX-License-Identifier: BSD-3-Clause |
4139 | + |
4140 | +source helpers.sh |
4141 | + |
4142 | +alg_primary_obj=sha256 |
4143 | +alg_primary_key=rsa |
4144 | +alg_create_obj=0x000B |
4145 | +alg_create_key=hmac |
4146 | + |
4147 | +alg_quote=0x0004 |
4148 | +alg_quote1=0x000b |
4149 | + |
4150 | +file_primary_key_ctx=context.p_"$alg_primary_obj"_"$alg_primary_key" |
4151 | +file_quote_key_pub=opu_"$alg_create_obj"_"$alg_create_key" |
4152 | +file_quote_key_priv=opr_"$alg_create_obj"_"$alg_create_key" |
4153 | +file_quote_key_name=name.load_"$alg_primary_obj"_"$alg_primary_key"-\ |
4154 | +"$alg_create_obj"_"$alg_create_key" |
4155 | +file_quote_key_ctx=ctx_load_out_"$alg_primary_obj"_"$alg_primary_key"-\ |
4156 | +"$alg_create_obj"_"$alg_create_key" |
4157 | + |
4158 | +Handle_ak_quote=0x81010016 |
4159 | +Handle_ek_quote=0x81010017 |
4160 | +Handle_ak_quote2=0x81010018 |
4161 | +ak2_ctx=ak2.ctx |
4162 | + |
4163 | +out=out.yaml |
4164 | +toss_out=junk.out |
4165 | + |
4166 | +cleanup() { |
4167 | + rm -f $file_primary_key_ctx $file_quote_key_pub $file_quote_key_priv \ |
4168 | + $file_quote_key_name $file_quote_key_ ak.pub2 ak.name_2 \ |
4169 | + $out $toss_out $ak2_ctx |
4170 | + |
4171 | + tpm2_evictcontrol -Q -Co -c $Handle_ek_quote 2>/dev/null || true |
4172 | + tpm2_evictcontrol -Q -Co -c $Handle_ak_quote 2>/dev/null || true |
4173 | + tpm2_evictcontrol -Q -Co -c $Handle_ak_quote2 2>/dev/null || true |
4174 | + |
4175 | + if [ "$1" != "no-shut-down" ]; then |
4176 | + shut_down |
4177 | + fi |
4178 | +} |
4179 | +trap cleanup EXIT |
4180 | + |
4181 | +start_up |
4182 | + |
4183 | +tpm2_getcap properties-fixed | tr -dc '[[:print:]]\r\n' > $out |
4184 | +maxdigest=$(yaml_get_kv $out "TPM2_PT_MAX_DIGEST" "raw") |
4185 | +if ! [[ "$maxdigest" =~ ^(0x)*[0-9]+$ ]] ; then |
4186 | + echo "error: not a number, got: \"$maxdigest\"" >&2 |
4187 | + exit 1 |
4188 | +fi |
4189 | + |
4190 | +nonce=12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde |
4191 | +nonce=${nonce:0:2*$maxdigest} |
4192 | + |
4193 | +cleanup "no-shut-down" |
4194 | + |
4195 | +tpm2_clear |
4196 | + |
4197 | +tpm2_createprimary -Q -C e -g $alg_primary_obj -G $alg_primary_key \ |
4198 | +-c $file_primary_key_ctx |
4199 | + |
4200 | +tpm2_create -Q -g $alg_create_obj -G $alg_create_key -u $file_quote_key_pub \ |
4201 | +-r $file_quote_key_priv -C $file_primary_key_ctx |
4202 | + |
4203 | +tpm2_load -Q -C $file_primary_key_ctx -u $file_quote_key_pub \ |
4204 | +-r $file_quote_key_priv -n $file_quote_key_name -c $file_quote_key_ctx |
4205 | + |
4206 | +tpm2_quote -c $file_quote_key_ctx -l $alg_quote:16,17,18 -q $nonce \ |
4207 | +-m $toss_out -s $toss_out -o $toss_out -g $alg_primary_obj > $out |
4208 | + |
4209 | +yaml_verify $out |
4210 | + |
4211 | +tpm2_quote -Q -c $file_quote_key_ctx \ |
4212 | +-l $alg_quote:16,17,18+$alg_quote1:16,17,18 -q $nonce -m $toss_out \ |
4213 | +-s $toss_out -o $toss_out -g $alg_primary_obj |
4214 | + |
4215 | +#####handle testing |
4216 | +tpm2_evictcontrol -Q -C o -c $file_quote_key_ctx $Handle_ak_quote |
4217 | + |
4218 | +tpm2_quote -Q -c $Handle_ak_quote -l $alg_quote:16,17,18 -q $nonce \ |
4219 | +-m $toss_out -s $toss_out -o $toss_out -g $alg_primary_obj |
4220 | + |
4221 | +tpm2_quote -Q -c $Handle_ak_quote -l $alg_quote:16,17,18+$alg_quote1:16,17,18 \ |
4222 | +-q $nonce -m $toss_out -s $toss_out -o $toss_out -g $alg_primary_obj |
4223 | + |
4224 | +#####AK |
4225 | +tpm2_createek -Q -c $Handle_ek_quote -G 0x01 |
4226 | + |
4227 | +tpm2_createak -Q -C $Handle_ek_quote -c $ak2_ctx -u ak.pub2 -n ak.name_2 |
4228 | +tpm2_evictcontrol -Q -C o -c $ak2_ctx $Handle_ak_quote2 |
4229 | + |
4230 | +tpm2_quote -Q -c $Handle_ak_quote -l $alg_quote:16,17,18 -q $nonce \ |
4231 | +-m $toss_out -s $toss_out -o $toss_out -g $alg_primary_obj |
4232 | + |
4233 | +exit 0 |
4234 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/rc_decode.sh b/data/tpm2-tools-4.1.1/integration/tests/rc_decode.sh |
4235 | new file mode 100755 |
4236 | index 0000000..9ced1e2 |
4237 | --- /dev/null |
4238 | +++ b/data/tpm2-tools-4.1.1/integration/tests/rc_decode.sh |
4239 | @@ -0,0 +1,78 @@ |
4240 | +# SPDX-License-Identifier: BSD-3-Clause |
4241 | + |
4242 | +source helpers.sh |
4243 | + |
4244 | +# We don't need a TPM for this test, so unset the EXIT handler. |
4245 | +trap - EXIT |
4246 | + |
4247 | +# Since this only tests rc_decode tool it on FreeBSD |
4248 | +if [ "$OS" == "FreeBSD" ]; then |
4249 | + exit 0 |
4250 | +fi |
4251 | + |
4252 | +# |
4253 | +# codes was generated from the TPM2_RC constants in: |
4254 | +# https://github.com/tpm2-software/tpm2-tss/blob/master/include/sapi/tss2_tpm2_types.h#L68 |
4255 | +# Some of these may not be used correctly, which is OK, as tpm2_rc_decode never |
4256 | +# fails and should attempt to decode it or print some unknown status. This gives |
4257 | +# us coverage for both known and unknown/malformed inputs. |
4258 | +# |
4259 | +# Details on error code encoding can be found at: |
4260 | +# Section 6.6.2 of t "Trusted Platform Module Library Part 2: Structures Family “2.0” Level 00 Revision 01.38" |
4261 | +# - https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-2-Structures-01.38.pdf |
4262 | +# |
4263 | +declare -A codes |
4264 | + |
4265 | +tss2_tpm2_types='' |
4266 | +for dir in "$(pkg-config --variable includedir tss2-esys)" \ |
4267 | +/usr/local/include /usr/include; do |
4268 | + if [ -f "$dir/tss2/tss2_tpm2_types.h" ]; then |
4269 | + tss2_tpm2_types="$dir/tss2/tss2_tpm2_types.h" |
4270 | + break |
4271 | + fi |
4272 | +done |
4273 | + |
4274 | +if [ -z "$tss2_tpm2_types" ]; then |
4275 | + echo "Could not find TSS2 headers" |
4276 | + exit 1 |
4277 | +fi |
4278 | + |
4279 | +# Populate the main TPM2_RC values |
4280 | +eval $(grep -Po "^#define \K(TPM2_RC.*)" "$tss2_tpm2_types" \ |
4281 | + | grep -v '+' \ |
4282 | + | sed "s%/*[^/]*/$%%g" \ |
4283 | + | sed "s%[[:space:]]*((TPM2_RC)[[:space:]]*%=%g" \ |
4284 | + | sed "s%)%%g") |
4285 | + |
4286 | +# Generate the TPM2_RC array based on TSS2 header |
4287 | +varlist="$(sed -rn "s%^#define (TPM2_RC_[^[:space:]]*)[[:space:]]*\(\(TPM2_RC\) \((TPM2_RC[^\)]*)[^/]*/\* ([^\*]*) \*/%\1=\$\(\(\2\)\):\3%p" "$tss2_tpm2_types")" |
4288 | +while IFS='=' read key value; do |
4289 | + codes[${key}]="${value}" |
4290 | +done <<< "${varlist}" |
4291 | + |
4292 | +fail=0 |
4293 | + |
4294 | +for key in "${!codes[@]}"; do |
4295 | + value="$(printf '0x%03x' "$(eval echo ${codes[$key]%%:*})")" |
4296 | + expected_msg="${codes[$key]##*:}" |
4297 | + received_msg="$(tpm2_rc_decode ${value} | cut -d':' -f3)" |
4298 | + |
4299 | + if ! grep -iq "${received_msg# }" <<< "${expected_msg}"; then |
4300 | + echo "$value raised an invalid error message" |
4301 | + echo " - Expected : ${expected_msg}" |
4302 | + echo " - Seen : ${received_msg# }" |
4303 | + fail=1 |
4304 | + fi |
4305 | +done |
4306 | + |
4307 | +# |
4308 | +# Negative tests |
4309 | +# |
4310 | +if tpm2_rc_decode 0x6666329840938498293849238 &>/dev/null; then |
4311 | + echo "Expected \"$cmd\" to fail." |
4312 | + fail=1 |
4313 | +else |
4314 | + true |
4315 | +fi |
4316 | + |
4317 | +exit "$fail" |
4318 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/readclock.sh b/data/tpm2-tools-4.1.1/integration/tests/readclock.sh |
4319 | new file mode 100755 |
4320 | index 0000000..decbcc7 |
4321 | --- /dev/null |
4322 | +++ b/data/tpm2-tools-4.1.1/integration/tests/readclock.sh |
4323 | @@ -0,0 +1,21 @@ |
4324 | +# SPDX-License-Identifier: BSD-3-Clause |
4325 | + |
4326 | +source helpers.sh |
4327 | + |
4328 | +cleanup() { |
4329 | + rm -f clock.yaml |
4330 | +} |
4331 | +trap cleanup EXIT |
4332 | + |
4333 | +start_up |
4334 | + |
4335 | +tpm2_readclock > clock.yaml |
4336 | + |
4337 | +# validate we can get each portion of the YAML file |
4338 | +yaml_get_kv clock.yaml time |
4339 | +yaml_get_kv clock.yaml clock_info clock |
4340 | +yaml_get_kv clock.yaml clock_info reset_count |
4341 | +yaml_get_kv clock.yaml clock_info restart_count |
4342 | +yaml_get_kv clock.yaml clock_info safe |
4343 | + |
4344 | +exit 0 |
4345 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/readpublic.sh b/data/tpm2-tools-4.1.1/integration/tests/readpublic.sh |
4346 | new file mode 100755 |
4347 | index 0000000..e39e562 |
4348 | --- /dev/null |
4349 | +++ b/data/tpm2-tools-4.1.1/integration/tests/readpublic.sh |
4350 | @@ -0,0 +1,55 @@ |
4351 | +# SPDX-License-Identifier: BSD-3-Clause |
4352 | + |
4353 | +source helpers.sh |
4354 | + |
4355 | +alg_primary_obj=sha256 |
4356 | +alg_primary_key=rsa |
4357 | +alg_create_obj=sha256 |
4358 | +alg_create_key=hmac |
4359 | + |
4360 | +file_primary_key_ctx=context.p_"$alg_primary_obj"_"$alg_primary_key" |
4361 | +file_readpub_key_pub=opu_"$alg_create_obj"_"$alg_create_key" |
4362 | +file_readpub_key_priv=opr_"$alg_create_obj"_"$alg_create_key" |
4363 | +file_readpub_key_name=name.load_"$alg_primary_obj"_"$alg_primary_key"-\ |
4364 | +"$alg_create_obj"_"$alg_create_key" |
4365 | +file_readpub_key_ctx=ctx_load_out_"$alg_primary_obj"_"$alg_primary_key"-\ |
4366 | +"$alg_create_obj"_"$alg_create_key" |
4367 | +file_readpub_output=readpub_"$file_readpub_key_ctx" |
4368 | + |
4369 | +Handle_readpub=0x81010014 |
4370 | + |
4371 | +cleanup() { |
4372 | + rm -f $file_primary_key_ctx $file_readpub_key_pub $file_readpub_key_priv \ |
4373 | + $file_readpub_key_name $file_readpub_key_ctx $file_readpub_output |
4374 | + |
4375 | + tpm2_evictcontrol -Q -C o -c $Handle_readpub 2>/dev/null || true |
4376 | + |
4377 | + if [ "$1" != "no-shut-down" ]; then |
4378 | + shut_down |
4379 | + fi |
4380 | +} |
4381 | +trap cleanup EXIT |
4382 | + |
4383 | +start_up |
4384 | + |
4385 | +cleanup "no-shut-down" |
4386 | + |
4387 | +tpm2_clear |
4388 | + |
4389 | +tpm2_createprimary -Q -C e -g $alg_primary_obj -G $alg_primary_key \ |
4390 | +-c $file_primary_key_ctx |
4391 | + |
4392 | +tpm2_create -Q -g $alg_create_obj -G $alg_create_key -u $file_readpub_key_pub \ |
4393 | +-r $file_readpub_key_priv -C $file_primary_key_ctx |
4394 | + |
4395 | +tpm2_load -Q -C $file_primary_key_ctx -u $file_readpub_key_pub \ |
4396 | +-r $file_readpub_key_priv -n $file_readpub_key_name -c $file_readpub_key_ctx |
4397 | + |
4398 | +tpm2_readpublic -Q -c $file_readpub_key_ctx -o $file_readpub_output |
4399 | + |
4400 | +tpm2_evictcontrol -Q -C o -c $file_readpub_key_ctx $Handle_readpub |
4401 | + |
4402 | +rm -f $file_readpub_output |
4403 | +tpm2_readpublic -Q -c $Handle_readpub -o $file_readpub_output |
4404 | + |
4405 | +exit 0 |
4406 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/rsadecrypt.sh b/data/tpm2-tools-4.1.1/integration/tests/rsadecrypt.sh |
4407 | new file mode 100755 |
4408 | index 0000000..e86a795 |
4409 | --- /dev/null |
4410 | +++ b/data/tpm2-tools-4.1.1/integration/tests/rsadecrypt.sh |
4411 | @@ -0,0 +1,102 @@ |
4412 | +# SPDX-License-Identifier: BSD-3-Clause |
4413 | + |
4414 | +source helpers.sh |
4415 | + |
4416 | +file_primary_key_ctx=context.p_B1 |
4417 | +file_rsaencrypt_key_pub=opuB1_B8 |
4418 | +file_rsaencrypt_key_priv=oprB1_B8 |
4419 | +file_rsaencrypt_key_ctx=context_loadext_out_B1_B8 |
4420 | +file_rsadecrypt_key_ctx=context_load_out_B1_B8 |
4421 | +file_rsaencrypt_key_name=name.load.B1_B8 |
4422 | + |
4423 | +file_rsa_en_output_data=rsa_en.out |
4424 | +file_rsa_de_output_data=rsa_de.out |
4425 | +file_input_data=secret.data |
4426 | + |
4427 | +alg_hash=sha256 |
4428 | +alg_primary_key=rsa |
4429 | +alg_rsaencrypt_key=rsa |
4430 | + |
4431 | +cleanup() { |
4432 | + rm -f $file_input_data $file_primary_key_ctx $file_rsaencrypt_key_pub \ |
4433 | + $file_rsaencrypt_key_priv $file_rsaencrypt_key_ctx \ |
4434 | + $file_rsaencrypt_key_name $file_output_data $file_rsa_en_output_data \ |
4435 | + $file_rsa_de_output_data $file_rsadecrypt_key_ctx label.dat |
4436 | + |
4437 | + if [ "$1" != "no-shut-down" ]; then |
4438 | + shut_down |
4439 | + fi |
4440 | +} |
4441 | +trap cleanup EXIT |
4442 | + |
4443 | +start_up |
4444 | + |
4445 | +cleanup "no-shut-down" |
4446 | + |
4447 | +echo "12345678" > $file_input_data |
4448 | + |
4449 | +tpm2_clear |
4450 | + |
4451 | +tpm2_createprimary -Q -C e -g $alg_hash -G $alg_primary_key \ |
4452 | +-c $file_primary_key_ctx |
4453 | + |
4454 | +tpm2_create -Q -g $alg_hash -p foo -G $alg_rsaencrypt_key \ |
4455 | +-u $file_rsaencrypt_key_pub -r $file_rsaencrypt_key_priv \ |
4456 | +-C $file_primary_key_ctx |
4457 | + |
4458 | +tpm2_loadexternal -Q -C n -u $file_rsaencrypt_key_pub \ |
4459 | +-c $file_rsaencrypt_key_ctx |
4460 | + |
4461 | +tpm2_rsaencrypt -Q -c $file_rsaencrypt_key_ctx -o $file_rsa_en_output_data < \ |
4462 | +$file_input_data |
4463 | + |
4464 | +tpm2_load -Q -C $file_primary_key_ctx -u $file_rsaencrypt_key_pub \ |
4465 | +-r $file_rsaencrypt_key_priv -n $file_rsaencrypt_key_name \ |
4466 | +-c $file_rsadecrypt_key_ctx |
4467 | + |
4468 | +tpm2_rsadecrypt -Q -c $file_rsadecrypt_key_ctx -p foo -o \ |
4469 | +$file_rsa_de_output_data $file_rsa_en_output_data |
4470 | + |
4471 | +# Test the diffeent padding schemes ... |
4472 | + |
4473 | +tpm2_rsaencrypt -Q -c $file_rsaencrypt_key_ctx -o $file_rsa_en_output_data \ |
4474 | +-s rsaes < $file_input_data |
4475 | +tpm2_rsadecrypt -Q -c $file_rsadecrypt_key_ctx -p foo -o \ |
4476 | +$file_rsa_de_output_data -s rsaes $file_rsa_en_output_data |
4477 | + |
4478 | +tpm2_rsaencrypt -Q -c $file_rsaencrypt_key_ctx -o $file_rsa_en_output_data \ |
4479 | +-s null < $file_input_data |
4480 | +tpm2_rsadecrypt -Q -c $file_rsadecrypt_key_ctx -p foo -o \ |
4481 | +$file_rsa_de_output_data -s null $file_rsa_en_output_data |
4482 | + |
4483 | +# Test the label option with a string |
4484 | +tpm2_rsaencrypt -Q -c $file_rsaencrypt_key_ctx -l mylabel \ |
4485 | +-o $file_rsa_en_output_data < $file_input_data |
4486 | +tpm2_rsadecrypt -Q -c $file_rsadecrypt_key_ctx -l mylabel -p foo \ |
4487 | +-o $file_rsa_de_output_data $file_rsa_en_output_data |
4488 | + |
4489 | +# Test the label option with a file |
4490 | +echo "my file label" > label.dat |
4491 | +tpm2_rsaencrypt -Q -c $file_rsaencrypt_key_ctx -l label.dat \ |
4492 | +-o $file_rsa_en_output_data < $file_input_data |
4493 | +tpm2_rsadecrypt -Q -c $file_rsadecrypt_key_ctx -l label.dat -p foo \ |
4494 | +-o $file_rsa_de_output_data $file_rsa_en_output_data |
4495 | + |
4496 | +trap - ERR |
4497 | +tpm2_rsaencrypt -Q -c $file_rsaencrypt_key_ctx -o $file_rsa_en_output_data \ |
4498 | +-s oaep < $file_input_data |
4499 | +if [ $? -eq 0 ]; then |
4500 | + echo "tpm2_rsaencrypt should fail with 'hash algorithm not supported or not\ |
4501 | + appropriate'" |
4502 | + exit 1 |
4503 | +fi |
4504 | + |
4505 | +tpm2_rsadecrypt -Q -c $file_rsadecrypt_key_ctx -p foo -o \ |
4506 | +$file_rsa_de_output_data -s oaep $file_rsa_en_output_data |
4507 | +if [ $? -eq 0 ]; then |
4508 | + echo "tpm2_rsadecrypt should fail with 'hash algorithm not supported or not |
4509 | + appropriate'" |
4510 | + exit 1 |
4511 | +fi |
4512 | + |
4513 | +exit 0 |
4514 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/rsaencrypt.sh b/data/tpm2-tools-4.1.1/integration/tests/rsaencrypt.sh |
4515 | new file mode 100755 |
4516 | index 0000000..8836cfd |
4517 | --- /dev/null |
4518 | +++ b/data/tpm2-tools-4.1.1/integration/tests/rsaencrypt.sh |
4519 | @@ -0,0 +1,53 @@ |
4520 | +# SPDX-License-Identifier: BSD-3-Clause |
4521 | + |
4522 | +source helpers.sh |
4523 | + |
4524 | +file_primary_key_ctx=context.p_B1 |
4525 | +file_rsaencrypt_key_pub=opuB1_B8 |
4526 | +file_rsaencrypt_key_priv=oprB1_B8 |
4527 | +file_rsaencrypt_key_ctx=context_load_out_B1_B8 |
4528 | +file_rsaencrypt_key_name=name.load.B1_B8 |
4529 | + |
4530 | +file_rsa_en_output_data=rsa_en.out |
4531 | +file_input_data=secret.data |
4532 | + |
4533 | +alg_hash=sha256 |
4534 | +alg_primary_key=rsa |
4535 | +alg_rsaencrypt_key=rsa |
4536 | + |
4537 | +cleanup() { |
4538 | + rm -f $file_input_data $file_primary_key_ctx $file_rsaencrypt_key_pub \ |
4539 | + $file_rsaencrypt_key_priv $file_rsaencrypt_key_ctx \ |
4540 | + $file_rsaencrypt_key_name $file_rsa_en_output_data |
4541 | + |
4542 | + if [ "$1" != "no-shut-down" ]; then |
4543 | + shut_down |
4544 | + fi |
4545 | +} |
4546 | +trap cleanup EXIT |
4547 | + |
4548 | +start_up |
4549 | + |
4550 | +cleanup "no-shut-down" |
4551 | + |
4552 | +echo "12345678" > $file_input_data |
4553 | + |
4554 | +tpm2_clear |
4555 | + |
4556 | +tpm2_createprimary -Q -C e -g $alg_hash -G $alg_primary_key \ |
4557 | +-c $file_primary_key_ctx |
4558 | + |
4559 | +tpm2_create -Q -g $alg_hash -G $alg_rsaencrypt_key -u $file_rsaencrypt_key_pub \ |
4560 | +-r $file_rsaencrypt_key_priv -C $file_primary_key_ctx |
4561 | + |
4562 | +tpm2_loadexternal -Q -C n -u $file_rsaencrypt_key_pub \ |
4563 | +-c $file_rsaencrypt_key_ctx |
4564 | + |
4565 | +#./tpm2_rsaencrypt -c context_loadexternal_out6.out -I secret.data -o rsa_en.out |
4566 | +tpm2_rsaencrypt -Q -c $file_rsaencrypt_key_ctx -o $file_rsa_en_output_data \ |
4567 | +$file_input_data |
4568 | + |
4569 | +# Test stdout output and test that stdin pipe works as well. |
4570 | +cat $file_input_data | tpm2_rsaencrypt -c $file_rsaencrypt_key_ctx > /dev/null |
4571 | + |
4572 | +exit 0 |
4573 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/selftest.sh b/data/tpm2-tools-4.1.1/integration/tests/selftest.sh |
4574 | new file mode 100755 |
4575 | index 0000000..772f3e3 |
4576 | --- /dev/null |
4577 | +++ b/data/tpm2-tools-4.1.1/integration/tests/selftest.sh |
4578 | @@ -0,0 +1,22 @@ |
4579 | +# SPDX-License-Identifier: BSD-3-Clause |
4580 | + |
4581 | +source helpers.sh |
4582 | + |
4583 | +cleanup() { |
4584 | + if [ "$1" != "no-shut-down" ]; then |
4585 | + shut_down |
4586 | + fi |
4587 | +} |
4588 | +trap cleanup EXIT |
4589 | + |
4590 | +start_up |
4591 | + |
4592 | +cleanup "no-shut-down" |
4593 | + |
4594 | +# Perform simple selftest |
4595 | +tpm2_selftest |
4596 | + |
4597 | +# Perform full selftest |
4598 | +tpm2_selftest --fulltest |
4599 | + |
4600 | +exit 0 |
4601 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/send.sh b/data/tpm2-tools-4.1.1/integration/tests/send.sh |
4602 | new file mode 100755 |
4603 | index 0000000..6598155 |
4604 | --- /dev/null |
4605 | +++ b/data/tpm2-tools-4.1.1/integration/tests/send.sh |
4606 | @@ -0,0 +1,24 @@ |
4607 | +# SPDX-License-Identifier: BSD-3-Clause |
4608 | + |
4609 | +source helpers.sh |
4610 | + |
4611 | +# assume this script is run from the test/ directory |
4612 | +TPM2_COMMAND_FILE="$TPM2_TOOLS_TEST_FIXTURES/get-capability-tpm-prop-fixed.bin" |
4613 | + |
4614 | +start_up |
4615 | + |
4616 | +if [ ! -f "${TPM2_COMMAND_FILE}" ]; then |
4617 | + echo "No TPM2 command file, cannot run $0" |
4618 | + exit 1 |
4619 | +fi |
4620 | + |
4621 | +# check default stdin(file fd)/stdout |
4622 | +tpm2_send < "${TPM2_COMMAND_FILE}" > /dev/null |
4623 | + |
4624 | +# check default stdin(pipe fd) with output file |
4625 | +cat ${TPM2_COMMAND_FILE} | tpm2_send -o /dev/null |
4626 | + |
4627 | +# check -o out and argument file input |
4628 | +tpm2_send -o /dev/null "${TPM2_COMMAND_FILE}" |
4629 | + |
4630 | +exit 0 |
4631 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/setclock.sh b/data/tpm2-tools-4.1.1/integration/tests/setclock.sh |
4632 | new file mode 100755 |
4633 | index 0000000..748e282 |
4634 | --- /dev/null |
4635 | +++ b/data/tpm2-tools-4.1.1/integration/tests/setclock.sh |
4636 | @@ -0,0 +1,38 @@ |
4637 | +# SPDX-License-Identifier: BSD-3-Clause |
4638 | + |
4639 | +source helpers.sh |
4640 | + |
4641 | +get_new_clock() { |
4642 | + tpm2_readclock > clock.yaml |
4643 | + local clock=$(yaml_get_kv clock.yaml clock_info clock) |
4644 | + |
4645 | + # the magic number is enough time where where setting the clock to a point |
4646 | + # in the future from where we read it. |
4647 | + clock=$(($clock + 100000)) |
4648 | + echo -n $clock |
4649 | +} |
4650 | + |
4651 | +cleanup() { |
4652 | + tpm2_changeauth -c o -p newowner 2>/dev/null || true |
4653 | + # XXX tpm2_changeauth -c p -p newplatform 2>/dev/null || true |
4654 | + |
4655 | + rm -f clock.yaml |
4656 | + |
4657 | + if [ "$1" != "no-shut-down" ]; then |
4658 | + shut_down |
4659 | + fi |
4660 | +} |
4661 | +trap cleanup EXIT |
4662 | + |
4663 | +start_up |
4664 | + |
4665 | +tpm2_setclock $(get_new_clock) |
4666 | + |
4667 | +# validate hierarchies and passwords |
4668 | +tpm2_changeauth -c o newowner |
4669 | +# XXX tpm2_changeauth -c p newplatform |
4670 | + |
4671 | +tpm2_setclock -c o -p newowner $(get_new_clock) |
4672 | +# XXX tpm2_setclock -c p -p newplatform $(get_new_clock) |
4673 | + |
4674 | +exit 0 |
4675 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/setprimarypolicy.sh b/data/tpm2-tools-4.1.1/integration/tests/setprimarypolicy.sh |
4676 | new file mode 100755 |
4677 | index 0000000..72b5a0b |
4678 | --- /dev/null |
4679 | +++ b/data/tpm2-tools-4.1.1/integration/tests/setprimarypolicy.sh |
4680 | @@ -0,0 +1,44 @@ |
4681 | +# SPDX-License-Identifier: BSD-3-Clause |
4682 | + |
4683 | +source helpers.sh |
4684 | + |
4685 | +cleanup() { |
4686 | + |
4687 | + tpm2_flushcontext session.ctx 2>/dev/null || true |
4688 | + |
4689 | + rm -f session.ctx policy.pcr primary.ctx |
4690 | + |
4691 | + if [ "${1}" != "no-shutdown" ]; then |
4692 | + shut_down |
4693 | + fi |
4694 | +} |
4695 | +trap cleanup EXIT |
4696 | + |
4697 | +start_up |
4698 | + |
4699 | +cleanup "no-shutdown" |
4700 | + |
4701 | +tpm2_clear |
4702 | + |
4703 | +tpm2_changeauth -c e endorsementpassword |
4704 | + |
4705 | +tpm2_startauthsession -S session.ctx |
4706 | +tpm2_policypcr -l sha256:0 -L policy.pcr -S session.ctx |
4707 | +tpm2_flushcontext session.ctx |
4708 | + |
4709 | +tpm2_setprimarypolicy -C e -L policy.pcr -g sha256 -P endorsementpassword |
4710 | + |
4711 | +# |
4712 | +# Try changing the endorsement hierarchy password with the policy |
4713 | +# |
4714 | +tpm2_startauthsession -S session.ctx --policy-session |
4715 | +tpm2_policypcr -l sha256:0 -S session.ctx |
4716 | +tpm2_changeauth -c e -p session:session.ctx newendorsementpassword |
4717 | +tpm2_flushcontext session.ctx |
4718 | + |
4719 | +# |
4720 | +# Use the new password to create a primary key |
4721 | +# |
4722 | +tpm2_createprimary -C e -c primary.ctx -P newendorsementpassword |
4723 | + |
4724 | +exit 0 |
4725 | diff --git a/data/tpm2-tools-4.1.1/integration/tests/sign.sh b/data/tpm2-tools-4.1.1/integration/tests/sign.sh |
4726 | new file mode 100755 |
4727 | index 0000000..9f3141d |
4728 | --- /dev/null |
4729 | +++ b/data/tpm2-tools-4.1.1/integration/tests/sign.sh |
4730 | @@ -0,0 +1,294 @@ |
4731 | +# SPDX-License-Identifier: BSD-3-Clause |
4732 | + |
4733 | +source helpers.sh |
4734 | + |
4735 | +file_primary_key_ctx=context.p_B1 |
4736 | +file_signing_key_pub=opuB1_B8 |
4737 | +file_signing_key_priv=oprB1_B8 |
4738 | +file_signing_key_ctx=context_load_out_B1_B8 |
4739 | +file_signing_key_name=name.load.B1_B8 |
4740 | +file_signing_key_pub_pem=oppB1_B8 |
4741 | +file_input_data=secret.data |
4742 | +file_input_digest=secret.digest |
4743 | +file_output_data=sig.4 |
4744 | +file_output_ticket=secret.ticket |
4745 | +file_output_hash=secret.hash |
4746 | +rsa_key_type=rsa2048 |
4747 | +ecc_key_type=ecc256 |
4748 | + |
4749 | +handle_signing_key=0x81010005 |
4750 | + |
4751 | +alg_hash=sha256 |
4752 | +alg_primary_key=rsa |
4753 | + |
4754 | +cleanup() { |
4755 | + rm -f $file_input_data $file_primary_key_ctx $file_signing_key_pub \ |
4756 | + $file_signing_key_priv $file_signing_key_ctx $file_signing_key_name \ |
4757 | + $file_output_data $file_input_digest $file_output_ticket \ |
4758 | + $file_output_hash $file_signing_key_pub_pem |
4759 | + |
4760 | + tpm2_evictcontrol -Q -Co -c $handle_signing_key 2>/dev/null || true |
4761 | + |
4762 | + if [ "$1" != "no-shut-down" ]; then |
4763 | + shut_down |
4764 | + fi |
4765 | +} |
4766 | +trap cleanup EXIT |
4767 | + |
4768 | +test_symmetric() { |
4769 | + local alg_signing_key=$1 |
4770 | + |
4771 | + echo "12345678" > $file_input_data |
4772 | + |
4773 | + tpm2_clear |
4774 | + |
4775 | + tpm2_createprimary -Q -C e -g $alg_hash -G $alg_primary_key \ |
4776 | + -c $file_primary_key_ctx |
4777 | + |
4778 | + tpm2_create -Q -g $alg_hash -G $alg_signing_key -u $file_signing_key_pub \ |
4779 | + -r $file_signing_key_priv -C $file_primary_key_ctx |
4780 | + |
4781 | + tpm2_load -Q -C $file_primary_key_ctx -u $file_signing_key_pub \ |
4782 | + -r $file_signing_key_priv -n $file_signing_key_name -c $file_signing_key_ctx |
4783 | + |
4784 | + tpm2_sign -Q -c $file_signing_key_ctx -g $alg_hash \ |
4785 | + -o $file_output_data $file_input_data |
4786 | + |
4787 | + rm -f $file_output_data |
4788 | + |
4789 | + tpm2_evictcontrol -Q -C o -c $file_signing_key_ctx $handle_signing_key |
4790 | + |
4791 | + tpm2_sign -Q -c $handle_signing_key -g $alg_hash -o $file_output_data \ |
4792 | + $file_input_data |
4793 | + |
4794 | + rm -f $file_output_data |
4795 | + |
4796 | + # generate hash and test validation |
4797 | + |
4798 | + tpm2_hash -Q -C e -g $alg_hash -o $file_output_hash -t $file_output_ticket \ |
4799 | + $file_input_data |
4800 | + |
4801 | + tpm2_sign -Q -c $handle_signing_key -g $alg_hash -o $file_output_data \ |
4802 | + -t $file_output_ticket $file_input_data |
4803 | + |
4804 | + rm -f $file_output_data |
4805 | + |
4806 | + # test with digest, no validation |
4807 | + |
4808 | + shasum -a 256 $file_input_data | awk '{ print "000000 " $1 }' | xxd -r -c 32 > \ |
4809 | + $file_input_digest |
4810 | + |
4811 | + tpm2_sign -Q -c $handle_signing_key -g $alg_hash -d -o $file_output_data \ |
4812 | + $file_input_digest |
4813 | + |
4814 | + rm -f $file_output_data |
4815 | +} |
4816 | + |
4817 | +create_signature() { |
4818 | + local sign_scheme=$1 |
4819 | + if [ "$sign_scheme" = "" ]; then |
4820 | + tpm2_sign -Q -c $file_signing_key_ctx -g $alg_hash -f plain \ |
4821 | + -o $file_output_data $file_input_data |
4822 | + else |
4823 | + tpm2_sign -Q -c $file_signing_key_ctx -g $alg_hash -s $sign_scheme \ |
4824 | + -f plain -o $file_output_data $file_input_data |
4825 | + fi |
4826 | +} |
4827 | + |
4828 | +get_openssl_version_number() { |
4829 | + # Ubuntu 14.04, 16.04, 18.04 and 19.04: |
4830 | + # "OpenSSL 1.0.1f 6 Jan 2014" |
4831 | + # "OpenSSL 1.0.2g 1 Mar 2016" |
4832 | + # "OpenSSL 1.1.0g 2 Nov 2017" |
4833 | + # "OpenSSL 1.1.1b 26 Feb 2019" |
4834 | + if [ -z "$1" ]; then |
4835 | + local openssl_version=$(openssl version -v) |
4836 | + else |
4837 | + local openssl_version="$1" |
4838 | + fi |
4839 | + local openssl_version_parsed=$(echo "$openssl_version" | sed -r 's/^OpenSSL ([0-9]+)\.([0-9]+)\.([0-9]+).*$/\1 \2 \3/') |
4840 | + local openssl_v1=$(echo $openssl_version_parsed | cut -d ' ' -f 1) |
4841 | + local openssl_v2=$(echo $openssl_version_parsed | cut -d ' ' -f 2) |
4842 | + local openssl_v3=$(echo $openssl_version_parsed | cut -d ' ' -f 3) |
4843 | + local openssl_version_num=$(("$openssl_v1"<<16 + "$openssl_v2"<<8 + "$openssl_v3")) |
4844 | + echo "$openssl_version_num" |
4845 | +} |
4846 | + |
4847 | +verify_signature() { |
4848 | + local sign_scheme=$1 |
4849 | + |
4850 | + if [ "$sign_scheme" = "rsapss" ] ; then |
4851 | + # Explanation: |
4852 | + |
4853 | + # RSA-PSS has a parameter called salt length. |
4854 | + # You need to know what value of salt length was used to create the |
4855 | + # signature in order to verify the signature. |
4856 | + # OpenSSL can actually automatically determine the correct value, so |
4857 | + # strictly speaking we could just let it and simplify this test a lot. |
4858 | + # But, if you want to verify the signature using some other API, |
4859 | + # you might need to know the salt length used by the TPM to produce the |
4860 | + # signature. |
4861 | + # It can be either "digest" or "max". You can use openssl the check |
4862 | + # whether it's "digest", and if it's not then it's "max". |
4863 | + |
4864 | + # From TCG TPM 2.0, Part 1: Architecture, Appendix B.7 |
4865 | + # "... the random salt length will be the largest size allowed by the |
4866 | + # key size and message digest size." |
4867 | + |
4868 | + # From NIST FIPS PUB 186-4, Section 5.5 |
4869 | + # "... the length (in bytes) of the salt (sLen) shall satisfy |
4870 | + # 0 <= sLen <= hLen, where hLen is the length of the hash function |
4871 | + # output block (in bytes)." |
4872 | + |
4873 | + # From TCG FIPS 140-2 Guidance for TPM 2.0, Section 5.2.1.3 |
4874 | + # "If the TPM implementation is required to be compliant with FIPS 186-4, |
4875 | + # then the random salt length will be the largest size allowed by that |
4876 | + # specification." |
4877 | + |
4878 | + # Thus, if the TPM is in "FIPS mode", PSS salt length is "digest", |
4879 | + # otherwise PSS salt length is "max". |
4880 | + # Either one is accepted by this test. |
4881 | + # The IBM TPM software emulator (at least the version in ibmtpm1332.tar.gz) |
4882 | + # uses "digest". |
4883 | + |
4884 | + local openssl_current_version_num=$(get_openssl_version_number) |
4885 | + local openssl_1_1_1_version_num=$(get_openssl_version_number "OpenSSL 1.1.1") |
4886 | + |
4887 | + # Explanation: |
4888 | + # In version 1.1.1, openssl switched from "-1","-2" (meaning "digest" and |
4889 | + # "auto" correspondingly) to "digest", "max" and "auto". |
4890 | + # See section "rsa_pss_saltlen:len" in |
4891 | + # https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/doc/man1/pkeyutl.pod |
4892 | + # and same section in |
4893 | + # https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/doc/apps/pkeyutl.pod |
4894 | + if [ "$openssl_current_version_num" -ge "$openssl_1_1_1_version_num" ] ; then |
4895 | + local pss_salt_len_arg_digest="digest" |
4896 | + local pss_salt_len_arg_max="max" |
4897 | + local pss_salt_len_arg_auto="auto" |
4898 | + else |
4899 | + local pss_salt_len_arg_digest="-1" |
4900 | + local pss_salt_len_arg_auto="-2" |
4901 | + fi |
4902 | + |
4903 | + openssl pkeyutl -verify \ |
4904 | + -in $file_input_digest \ |
4905 | + -sigfile $file_output_data \ |
4906 | + -pubin \ |
4907 | + -inkey $file_signing_key_pub_pem \ |
4908 | + -keyform pem \ |
4909 | + -pkeyopt digest:$alg_hash \ |
4910 | + -pkeyopt rsa_padding_mode:pss \ |
4911 | + -pkeyopt rsa_pss_saltlen:$pss_salt_len_arg_digest \ |
4912 | + |& grep -q '^Signature Verified Successfully' \ |
4913 | + || \ |
4914 | + openssl pkeyutl -verify \ |
4915 | + -in $file_input_digest \ |
4916 | + -sigfile $file_output_data \ |
4917 | + -pubin \ |
4918 | + -inkey $file_signing_key_pub_pem \ |
4919 | + -keyform pem \ |
4920 | + -pkeyopt digest:$alg_hash \ |
4921 | + -pkeyopt rsa_padding_mode:pss \ |
4922 | + -pkeyopt rsa_pss_saltlen:$pss_salt_len_arg_auto \ |
4923 | + |& grep -q '^Signature Verified Successfully' |
4924 | + else |
4925 | + openssl pkeyutl -verify \ |
4926 | + -in $file_input_digest \ |
4927 | + -sigfile $file_output_data \ |
4928 | + -pubin \ |
4929 | + -inkey $file_signing_key_pub_pem \ |
4930 | + -keyform pem \ |
4931 | + -pkeyopt digest:$alg_hash \ |
4932 | + |& grep -q '^Signature Verified Successfully' |
4933 | + fi |
4934 | +} |
4935 | + |
4936 | +test_asymmetric() { |
4937 | + local alg_signing_key=$1 |
4938 | + |
4939 | + head -c30 /dev/urandom > $file_input_data |
4940 | + |
4941 | + shasum -a 256 $file_input_data | awk '{ print "000000 " $1 }' | \ |
4942 | + xxd -r -c 32 > $file_input_digest |
4943 | + |
4944 | + tpm2_clear |
4945 | + |
4946 | + tpm2_createprimary -Q -C e -g $alg_hash -G $alg_primary_key \ |
4947 | + -c $file_primary_key_ctx |
4948 | + |
4949 | + tpm2_create -Q -g $alg_hash -G $alg_signing_key -u $file_signing_key_pub \ |
4950 | + -r $file_signing_key_priv -C $file_primary_key_ctx |
4951 | + |
4952 | + tpm2_load -Q -C $file_primary_key_ctx -u $file_signing_key_pub \ |
4953 | + -r $file_signing_key_priv -n $file_signing_key_name -c $file_signing_key_ctx |
4954 | + |
4955 | + tpm2_readpublic -Q -c $file_signing_key_ctx --format=pem \ |
4956 | + -o $file_signing_key_pub_pem |
4957 | + |
4958 | + local sign_scheme |
4959 | + |
4960 | + if [ "$alg_signing_key" = "$rsa_key_type" ] ; then |
4961 | + for sign_scheme in "" "rsassa" "rsapss" |
4962 | + do |
4963 | + create_signature $sign_scheme |
4964 | + verify_signature $sign_scheme |
4965 | + |
4966 | + rm -f $file_output_data |
4967 | + done |
4968 | + fi |
4969 | + |
4970 | + if [ "$alg_signing_key" = "$ecc_key_type" ]; then |
4971 | + for sign_scheme in "" "ecdsa" |
4972 | + do |
4973 | + create_signature $sign_scheme |
4974 | + verify_signature $sign_scheme |
4975 | + |
4976 | + rm -f $file_output_data |
4977 | + done |
4978 | + fi |
4979 | +} |
4980 | + |
4981 | +start_up |
4982 | + |
4983 | +cleanup "no-shut-down" |
4984 | + |
4985 | +# make sure commands failing inside the function will cause the script to fail! |
4986 | +( |
4987 | + set -e |
4988 | + test_symmetric "hmac" |
4989 | + cleanup "no-shut-down" |
4990 | +) |
4991 | + |
4992 | +for key_type in $rsa_key_type $ecc_key_type |
4993 | +do |
4994 | + # make sure commands failing inside the function will cause the script |
4995 | + # to fail! |
4996 | + ( |
4997 | + set -e |
4998 | + test_asymmetric $key_type |
4999 | + cleanup "no-shut-down" |
5000 | + ) |
The diff has been truncated for viewing.
Thanks for the hard work on this, it will be great to have them available.
One question that shouldn't stop this landing; I wonder if there are any test plans that are used across bionic and focal releases that would want for the appropriate set of tests to be automatically selected (i.e. can just include the appropriate nested plan)?