#!/usr/bin/env bash # For the license, see the LICENSE file in the root directory. TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..} TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..} ROOT=${abs_top_builddir:-$(dirname "$0")/..} TESTDIR=${abs_top_testdir:-$(dirname "$0")} source ${TESTDIR}/common skip_test_no_tpm20 "${SWTPM_EXE}" SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca workdir="$(mktemp -d "/tmp/path with spaces.XXXXXX")" || exit 1 SIGNINGKEY=${workdir}/signingkey.pem ISSUERCERT=${workdir}/issuercert.pem CERTSERIAL=${workdir}/certserial USER_CERTSDIR=${workdir}/mycerts mkdir -p "${USER_CERTSDIR}" PATH=${TOPBUILD}/src/swtpm_bios:$PATH trap "cleanup" SIGTERM EXIT function cleanup() { rm -rf "${workdir}" } # We want swtpm_cert to use the local CA and see that the # local CA script automatically creates a signingkey and # self-signed certificate cat <<_EOF_ > "${workdir}/swtpm-localca.conf" statedir=${workdir} signingkey = ${SIGNINGKEY} issuercert = ${ISSUERCERT} certserial = ${CERTSERIAL} _EOF_ cat <<_EOF_ > "${workdir}/swtpm-localca.options" --tpm-manufacturer IBM --tpm-model swtpm-libtpms --tpm-version 2 --platform-manufacturer "Fedora XYZ" --platform-version 2.1 --platform-model "QEMU A.B" _EOF_ export MY_SWTPM_LOCALCA="${SWTPM_LOCALCA}" cat <<_EOF_ > "${workdir}/swtpm_setup.conf" create_certs_tool=\${MY_SWTPM_LOCALCA} create_certs_tool_config=${workdir}/swtpm-localca.conf create_certs_tool_options=${workdir}/swtpm-localca.options _EOF_ # We need to adapt the PATH so the correct swtpm_cert is picked export PATH=${TOPBUILD}/src/swtpm_cert:${PATH} keysizes="2048" if [ -n "$($SWTPM_SETUP --tpm2 --print-capabilities | grep tpm2-rsa-keysize-3072 )" ]; then keysizes+=" 3072" fi for keysize in $(echo $keysizes); do echo "Testing with RSA keysize $keysize" # we need to create at least one cert: --create-ek-cert $SWTPM_SETUP \ --tpm2 \ --allow-signing \ --tpm-state "${workdir}" \ --create-ek-cert \ --create-platform-cert \ --config "${workdir}/swtpm_setup.conf" \ --logfile "${workdir}/logfile" \ --tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \ --rsa-keysize ${keysize} \ --overwrite \ --write-ek-cert-files "${USER_CERTSDIR}" if [ $? -ne 0 ]; then echo "Error: Could not run $SWTPM_SETUP." echo "Logfile output:" cat "${workdir}/logfile" exit 1 fi if [ ! -r "${SIGNINGKEY}" ]; then echo "Error: Signingkey file ${SIGNINGKEY} was not created." exit 1 fi if [ ! -r "${ISSUERCERT}" ]; then echo "Error: Issuer cert file ${ISSUERCERT} was not created." exit 1 fi if [ ! -r "${CERTSERIAL}" ]; then echo "Error: Cert serial number file ${CERTSERIAL} was not created." exit 1 fi certfile="${USER_CERTSDIR}/ek-rsa${keysize}.crt" if [ ! -f "${certfile}" ]; then echo "Error: EK file '${certfile}' was not written." ls -l "${USER_CERTSDIR}" exit 1 fi if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "${keysize} bits")" ]; then echo "Error: EK file '${certfile}' is not an RSA ${keysize} bit key." $CERTTOOL --inder --infile "${certfile}" -i exit 1 fi rm -rf "${SIGNINGKEY}" "${ISSUERCERT}" "${CERTSERIAL}" ${USER_CERTSDIR}/ek-*.crt done echo "Test 1: OK" function swtpm_setup_reconfigure() { local workdir="$1" local pwdfile="$2" # Reconfigure the active PCR banks a few times; the size of the state # file must not change but its content (hash) must change every time # since activating the PCR banks changes a few bits in the permanent # state, also when the state is not encrypted. local PERMALL_FILE="${workdir}/tpm2-00.permall" local permall_size=$(get_filesize "${PERMALL_FILE}") for pcrbanks in "sha256" "sha256,sha384" "sha256,sha384,sha512"; do # hash must change between before and after permall_hash=$(get_sha1_file "${PERMALL_FILE}") $SWTPM_SETUP \ --tpm2 \ --tpm-state "${workdir}" \ --config "${workdir}/swtpm_setup.conf" \ --logfile "${workdir}/logfile" \ --tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \ --pcr-banks "${pcrbanks}" \ --reconfigure \ ${pwdfile:+--pwdfile "${pwdfile}"} if [ $? -ne 0 ]; then echo "Error: Could not run $SWTPM_SETUP --reconfigure." echo "Logfile output:" cat "${workdir}/logfile" exit 1 fi local newhash=$(get_sha1_file "${PERMALL_FILE}") if [ "${newhash}" = "${permall_hash}" ]; then echo "Error: The hash of the permanent state did not change." exit 1 fi local newsize=$(get_filesize "${PERMALL_FILE}") if [ "${newsize}" != "${permall_size}" ]; then echo "Error: The size of the permanent state file changed." echo "Actual : ${tmp}" echo "Expected: ${permall_size}" fi echo "Filesize: ${newsize}; hash: ${newhash}; pwdfile: ${pwdfile}" done } # Create with certificates with and without encryption enabled and reconfigure # the PCR banks PWDFILE="${workdir}/pwd" echo -n "password" > "${PWDFILE}" rm -f "${workdir}/logfile" for pwdfile in "" "${PWDFILE}"; do $SWTPM_SETUP \ --tpm2 \ --ecc \ --tpm-state "${workdir}" \ --create-ek-cert \ --create-platform-cert \ --config "${workdir}/swtpm_setup.conf" \ --logfile "${workdir}/logfile" \ --tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \ --overwrite \ --write-ek-cert-files "${workdir}" \ ${pwdfile:+--pwdfile "${pwdfile}"} if [ $? -ne 0 ]; then echo "Error: Could not run $SWTPM_SETUP." echo "Logfile output:" cat "${workdir}/logfile" exit 1 fi if [ ! -r "${SIGNINGKEY}" ]; then echo "Error: Signingkey file ${SIGNINGKEY} was not created." exit 1 fi if [ ! -r "${ISSUERCERT}" ]; then echo "Error: Issuer cert file ${ISSUERCERT} was not created." exit 1 fi if [ ! -r "${CERTSERIAL}" ]; then echo "Error: Cert serial number file ${CERTSERIAL} was not created." exit 1 fi certfile="${workdir}/ek-secp384r1.crt" if [ ! -f "${certfile}" ]; then echo "Error: EK file '${certfile}' was not written." ls -l "${workdir}" exit 1 fi if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "384 bits")" ]; then echo "Error: EK file '${certfile}' is not an ECC 384 bit key." $CERTTOOL --inder --infile "${certfile}" -i exit 1 fi swtpm_setup_reconfigure "${workdir}" "${pwdfile}" done echo "Test 2: OK" exit 0