Use libtpms v0.6.6 and recreate the TPM 2 state file with header.
Start swtpm with the existing state files and have it rewrite the
volatiles state (swtpm_ioctl -v) and permanent state (tssnvdefine
+ tssnvundefine) files so that the header is on the files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Recreate TPM 2 state files that didn't have a header. Use latest
version of libtpms from the stable-0.6.0 branch to create the
state that more recent version have to be able to read.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Recreate a TPM 1.2 state file with header.
The state of the TPM 1.2 must be initialized with Startup(ST_CLEAR)
and then saved so that the proper error code appears as a result
when running this test.
The PCR values was originally created by extending PCR 10 with
sha1("test"). This was recreated using this sequence:
s=$(echo -en test | sha1sum | cut -d " " -f1 | sed -n 's/\([a-f0-9]\{2\}\)/\\x\1/pg')
echo -en $s > input
tss1extend -ha 10 -if input
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Recreate TPM 1.2 state files with similar content but with the state
file header. The older versions of the state files were created before
the header was introduced in v0.1. The goal is to be able to get rid
of code supporting pre-v0.1 files that had no header.
The PCR values was originally created by extending PCR 10 with
sha1("test"). This was recreated using this sequence:
s=$(echo -en test | sha1sum | cut -d " " -f1 | sed -n 's/\([a-f0-9]\{2\}\)/\\x\1/pg')
echo -en $s > input
tss1extend -ha 10 -if input
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
This patch adds a test case for testing the fix for libtpms
issue 195: https://github.com/stefanberger/libtpms/issues/195
This patch now requires that the latest TPM version from master or the
branches is installed.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a test case that fills up the NVRAM area with as many persisted keys
as possible and then fills up the rest with an NVRAM index so that all
space is occupied. We have to be able to load this state again into the
NVRAM once the OBJECT's size increases due to RSA keys size increase,
which must have us increase the total size of NVRAM in libtpm's TPM profile.
The state in tests/data/tpm2state5/tpm2-00.permall was created using
libtpms 0.6.0, where only 2048 bit keys were supported and total NVRAM size
was 128kb. This state file should never be changed and always be loadable
into a current libtpms. In its USER NVRAM it holds 64 persisted 2048 bit
keys and an NVRAM index with 236 bytes. For this to stay the reference
NVRAM, we need to make sure that it fits exactly to the byte.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Modify the test_tpm2_save_load_state_3 to create 2 orderly NVRAM indices
in the first two locations. Those indices will be cleared by a reset
of the TPM and therefore cannot be read once the TPM 2 restarts after
the reset. This also provides better test coverage.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Allow passing signing key and parent key via files and file descriptors
and environment variables. Adapt a test case to exercise this new
functionality.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend the existing key derivation test case for TPM 2 with test cases
that use a newer TPM 2 state where we now exercise the new
CryptAdjustPrimeCandidate algorithm that produces the same results on
big and little enidan 32 bit and 64 bit machines. This newer algorithm
is available in libtpms with revision 155 of the TPM 2 code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Test that a key written to volatile state is properly loaded again
and produces the same signature as before.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Check the TPM2 state using the TPM2 utilities, if available.
Create persistent state and check it, then shut down the TPM 2 and
restart it, and check the persistent state again.
Use previously created state and have the TPM 2 start with it
and check the persistent state. The persistent state must be
readable on little and big endian machines.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Provide support for creating certificates for TPM2 ECC type of keys.
Extend the test cases and the man pages.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Update the test case test_swtpm_cert to have its issuercert signed
by a created root CA so that we have the Authority Key Id in the cert.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
For being able to test the transfer of larger state blobs, extend the existing
test case with creating a large NVRAM location that becomes part of the permanent
state.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
The migration key ensures that TPM state blobs, when retrieved using the
ioctl for getting state blobs, are always encrypted with this key.
When the state is later on loaded back into the TPM using the ioctl
to set the state blobs, the migration key is used to decrypt them.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Integrity protect the TPM state when it is written in entrypted form.
libtpms state (for TPM1.2) is also integrity protecting the blobs, but
we better determine the integrity of the decrypted data on the layer
above it.
