mirror of
https://github.com/stefanberger/swtpm.git
synced 2025-08-22 19:04:35 +00:00
e5155b4fc5
Revert the accidental port change from commit 0194fb22a.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
1359 lines
32 KiB
Bash
Executable File
1359 lines
32 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# For the license, see the LICENSE file in the root directory.
|
|
#set -x
|
|
|
|
if [ ${SWTPM_TEST_IBMTSS2:-0} -eq 0 ]; then
|
|
echo "SWTPM_TEST_IBMTSS2 must be set to run this test."
|
|
exit 77
|
|
fi
|
|
|
|
type -p nvdefinespace startup &>/dev/null
|
|
if [ $? -ne 0 ]; then
|
|
PREFIX=tss
|
|
type -p ${PREFIX}nvdefinespace ${PREFIX}startup
|
|
fi
|
|
if [ $? -ne 0 ]; then
|
|
echo "Could not find TPM2 tools (e.g., (tss)startup, (tss)nvdefinespace) in PATH."
|
|
exit 77
|
|
fi
|
|
TOOLSPATH=$(dirname $(type -P ${PREFIX}startup))
|
|
|
|
ROOT=${abs_top_builddir:-$(dirname "$0")/..}
|
|
TESTDIR=${abs_top_testdir:-$(dirname "$0")}
|
|
|
|
SWTPM=swtpm
|
|
SWTPM_EXE=${SWTPM_EXE:-$ROOT/src/swtpm/$SWTPM}
|
|
SWTPM_IOCTL=$ROOT/src/swtpm_ioctl/swtpm_ioctl
|
|
TPMDIR=`mktemp -d`
|
|
PID_FILE=$TPMDIR/${SWTPM}.pid
|
|
SOCK_PATH=$TPMDIR/sock
|
|
CMD_PATH=$TPMDIR/cmd
|
|
RESP_PATH=$TPMDIR/resp
|
|
LOGFILE=$TPMDIR/logfile
|
|
VOLATILESTATE=$TPMDIR/volatile
|
|
TMPFILE=$TPMDIR/tmpfile
|
|
BINFILE=$TPMDIR/binfile
|
|
SIGFILE=$TPMDIR/sigfile
|
|
SIGFILE2=$TPMDIR/sigfile2
|
|
TMP2FILE=$TPMDIR/tmpfile2
|
|
|
|
|
|
HKEYPRIV=${TESTDIR}/data/tpm2state3/hkey.priv
|
|
HKEYPUB=${TESTDIR}/data/tpm2state3/hkey.pub
|
|
|
|
source ${TESTDIR}/test_common
|
|
source ${TESTDIR}/common
|
|
|
|
trap "cleanup" SIGTERM EXIT
|
|
|
|
function cleanup()
|
|
{
|
|
rm -rf $TPMDIR
|
|
# remove files from tss tools
|
|
rm -f h01*.bin nvp*.bin
|
|
if [ -n "$PID" ]; then
|
|
kill_quiet -SIGTERM $PID 2>/dev/null
|
|
fi
|
|
}
|
|
|
|
function test_nvram_state()
|
|
{
|
|
local create="$1"
|
|
local check="$2"
|
|
|
|
local i res rc act exp ody
|
|
|
|
if [ $create -eq 1 ]; then
|
|
# the 1st and 2nd spaces are 'orderly' and will be cleared by reset
|
|
ody="+at ody"
|
|
for ((i=0; i < 10; i++)); do
|
|
printf "Creating NVRAM location 01%06x\n" $i
|
|
# the '+at wd' allows us to only write once
|
|
${TOOLSPATH}/${PREFIX}nvdefinespace \
|
|
-ha $(printf "01%06x" $i) \
|
|
-sz $((100 + i * 10)) \
|
|
-pwdn nnn \
|
|
+at wst \
|
|
+at wd \
|
|
$ody \
|
|
-hi o >/dev/null
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: nvdefinespace failed for i = $i."
|
|
exit 1
|
|
fi
|
|
|
|
if [ $i -eq 1 ]; then
|
|
ody=""
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}nvwrite \
|
|
-ha $(printf "01%06x" $i) \
|
|
-ic "Hello TPM2" \
|
|
-pwdn nnn
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: nwrite failed for i = $i."
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}nvwritelock \
|
|
-ha $(printf "01%06x" $i) \
|
|
-pwdn nnn
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: nwritelock failed for i = $i."
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
# Create a counter space
|
|
echo "Creating NVRAM location 01000010 for counter"
|
|
${TOOLSPATH}/${PREFIX}nvdefinespace \
|
|
-hi o \
|
|
-ha 01000010 \
|
|
-pwdn nnn \
|
|
-ty c >/dev/null
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: nvdefinespace for counter failed."
|
|
exit 1
|
|
fi
|
|
|
|
echo "Incrementing the counter at location 01000010"
|
|
${TOOLSPATH}/${PREFIX}nvincrement \
|
|
-ha 01000010 \
|
|
-pwdn nnn >/dev/null
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: nvincrement failed."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
if [ $check -eq 1 ]; then
|
|
local last=0
|
|
|
|
if [ $create -eq 0 ]; then
|
|
last=2
|
|
fi
|
|
|
|
# The orderly indices must not be readable UNLESS they were just
|
|
# created. In the latter case we skip this first loop here.
|
|
for ((i=0; i < last; i++)); do
|
|
printf "Checking orderly NVRAM location 01%06x after reset\n" $i
|
|
${TOOLSPATH}/${PREFIX}nvread \
|
|
-ha $(printf "01%06x" $i) \
|
|
-pwdn nnn \
|
|
-sz 10 > $TMPFILE
|
|
if [ $? -eq 0 ]; then
|
|
echo "Error: nvread succeeded for orderly NVRAM index; i = $i"
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
# test the non-orderly indices OR orderly we just created above
|
|
for ((i=last; i < 10; i++)); do
|
|
printf "Checking NVRAM location 01%06x\n" $i
|
|
${TOOLSPATH}/${PREFIX}nvread \
|
|
-ha $(printf "01%06x" $i) \
|
|
-pwdn nnn \
|
|
-sz 10 > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: nvread failed for i = $i"
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
|
|
# we want one line with xdigits and spaces
|
|
res=$(cat $TMPFILE | \
|
|
grep -E "^[ [:xdigit:]]+$" |
|
|
wc -l)
|
|
if [ $res -ne 1 ]; then
|
|
echo "Error: nvread did not show expected results"
|
|
cat $TMPFILE
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}nvwrite \
|
|
-ha $(printf "01%06x" $i) \
|
|
-ic "Hello TPM2" \
|
|
-pwdn nnn > $TMPFILE
|
|
rc=$?
|
|
if [ $rc -eq 0 ]; then
|
|
echo "Error: nwrite succeeded for i = $i."
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
# Read the counter
|
|
echo "Checking counter value at location 01000010"
|
|
${TOOLSPATH}/${PREFIX}nvread \
|
|
-ha 01000010 \
|
|
-pwdn nnn \
|
|
-sz 8 \
|
|
-of $BINFILE > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: nvread of counter failed."
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
exp=' 00 00 00 00 00 00 00 01'
|
|
act="$(od -t x1 -A n < $BINFILE)"
|
|
if [ "$act" != "$exp" ]; then
|
|
echo "Error: Counter has unexpected value."
|
|
echo " expected: $exp"
|
|
echo " actual : $act"
|
|
fi
|
|
fi
|
|
}
|
|
|
|
function test_primary()
|
|
{
|
|
local create="$1"
|
|
local check="$2"
|
|
# whether we are using previous stored stated that had a different
|
|
# key and we have to use the old signature
|
|
local previousstate="$3"
|
|
|
|
local i res rc
|
|
|
|
if [ $create -eq 1 ]; then
|
|
# Create a permanent primary key that we expecte
|
|
# to again see after the TPM has been restarted
|
|
${TOOLSPATH}/${PREFIX}createprimary -hi o -si > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: createprimary failed."
|
|
exit 1
|
|
fi
|
|
if [ -z "$(grep 80000000 $TMPFILE)" ]; then
|
|
echo "Error: createprimary did not result in expected handle 80000000"
|
|
exit 1
|
|
fi
|
|
${TOOLSPATH}/${PREFIX}evictcontrol -ho 80000000 -hp 81000000 -hi o
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: evictcontrol did not work"
|
|
exit 1
|
|
fi
|
|
${TOOLSPATH}/${PREFIX}flushcontext -ha 80000000
|
|
|
|
echo -n "123" > $BINFILE
|
|
${TOOLSPATH}/${PREFIX}sign -hk 81000000 -if ${BINFILE} -os ${SIGFILE} > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not create signature."
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
if [ $check -eq 1 ]; then
|
|
printf "Checking availability of key with perm. handle 0x81000000\n"
|
|
${TOOLSPATH}/${PREFIX}getcapability -cap 1 -pr 0x81000000 >$TMPFILE
|
|
if [ -z "$(grep 81000000 $TMPFILE)" ]; then
|
|
echo "Could not find key with permanent handle 0x81000000"
|
|
exit 1
|
|
fi
|
|
printf "Verifying signature with this key\n"
|
|
echo -n "123" > $BINFILE
|
|
if [ $previousstate -eq 0 ]; then
|
|
${TOOLSPATH}/${PREFIX}verifysignature -hk 81000000 \
|
|
-is ${SIGFILE} \
|
|
-if ${BINFILE} > $TMPFILE
|
|
else
|
|
${TOOLSPATH}/${PREFIX}verifysignature -hk 81000000 \
|
|
-is ${TESTDIR}/data/tpm2state3/signature.bin \
|
|
-if ${BINFILE} > $TMPFILE
|
|
fi
|
|
if [ $? -ne 0 ]; then
|
|
echo "Verifying signature failed."
|
|
exit 1
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# Allocate a SHA256 PCR bank
|
|
# This will prevent shutdown -s (with state)
|
|
function test_pcr_allocation()
|
|
{
|
|
local create="$1"
|
|
local check="$2"
|
|
|
|
local i res rc ha
|
|
|
|
if [ -z "$($TOOLSPATH/${PREFIX}pcrallocate | grep sha512)" ]; then
|
|
echo " Skipping PCR Allocate test since it does not support sha512"
|
|
return 0
|
|
fi
|
|
|
|
if [ $create -eq 1 ]; then
|
|
echo "Allocating SHA256 PCR bank"
|
|
${TOOLSPATH}/${PREFIX}pcrallocate -sha512 +sha256
|
|
|
|
for ((ha = 0; ha < 24; ha++)); do
|
|
${TOOLSPATH}/${PREFIX}pcrread -ha ${ha} -halg sha512 > $TMPFILE
|
|
if [ -z "$(grep "^count 1.*$" $TMPFILE)" ]; then
|
|
echo "Error: PCR ${ha} in SHA512 bank should be available for read before reboot"
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
${TOOLSPATH}/${PREFIX}pcrread -ha ${ha} -halg sha256 > $TMPFILE
|
|
if [ -z "$(grep "^count 1.*$" $TMPFILE)" ]; then
|
|
echo "Error: PCR ${ha} in SHA256 bank should be available for read before reboot"
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
done
|
|
fi
|
|
|
|
if [ $check -eq 1 ]; then
|
|
echo "Checking the PCR Allocation"
|
|
|
|
for ((ha = 0; ha < 24; ha++)); do
|
|
${TOOLSPATH}/${PREFIX}pcrread -ha ${ha} -halg sha512 > $TMPFILE
|
|
if [ -z "$(grep "^count 0.*$" $TMPFILE)" ]; then
|
|
echo "Error: PCR ${ha} in SHA512 bank should be unavailable for read after reboot"
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}pcrread -ha ${ha} -halg sha256 > $TMPFILE
|
|
if [ -z "$(grep "^count 1.*$" $TMPFILE)" ]; then
|
|
echo "Error: PCR ${ha} in SHA256 bank should be available for read after reboot"
|
|
exit 1
|
|
fi
|
|
done
|
|
fi
|
|
}
|
|
|
|
function test_hierarchy()
|
|
{
|
|
local create="$1"
|
|
local check="$2"
|
|
|
|
local hi pwdn pwda
|
|
|
|
if [ $create -eq 1 ]; then
|
|
echo "Setting hierarchy passwords"
|
|
# Change the hierarchy password; the 'p' hierarchy has
|
|
# no effect on permanent RAM, so we won't test that
|
|
for hi in "l" "e" "o"; do
|
|
pwdn="${hi}${hi}${hi}"
|
|
${TOOLSPATH}/${PREFIX}hierarchychangeauth \
|
|
-hi ${hi} \
|
|
-pwdn ${pwdn} > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: hierarchychangeauth failed to set password."
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
done
|
|
fi
|
|
|
|
if [ $check -eq 1 ]; then
|
|
echo "Checking previously set hierarchy passwords"
|
|
for hi in "l" "e" "o"; do
|
|
pwda="${hi}${hi}${hi}"
|
|
pwdn="new-${pwda}"
|
|
|
|
${TOOLSPATH}/${PREFIX}hierarchychangeauth \
|
|
-hi ${hi} \
|
|
-pwda ${pwda} \
|
|
-pwdn ${pwdn} > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: hierarchychangeauth failed to change password."
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
|
|
# change back
|
|
${TOOLSPATH}/${PREFIX}hierarchychangeauth \
|
|
-hi ${hi} \
|
|
-pwda ${pwdn} \
|
|
-pwdn ${pwda} > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: hierarchychangeauth failed to change back password."
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
done
|
|
fi
|
|
}
|
|
|
|
function test_hash_context()
|
|
{
|
|
local create="$1"
|
|
local check="$2"
|
|
|
|
local res tmpfile
|
|
|
|
if [ $create -eq 1 ]; then
|
|
echo -n "123" > ${TMP2FILE}
|
|
|
|
echo "Starting a sha1 sequence"
|
|
res="$(${TOOLSPATH}/${PREFIX}hashsequencestart -halg sha1)"
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not start hash sequence."
|
|
exit 1
|
|
fi
|
|
SHA1_SEQUENCE_HANDLE="$(echo $res | cut -d " " -f3)"
|
|
echo "sha1 sequence handle: $SHA1_SEQUENCE_HANDLE"
|
|
|
|
${TOOLSPATH}/${PREFIX}sequenceupdate \
|
|
-hs ${SHA1_SEQUENCE_HANDLE} \
|
|
-if ${TMP2FILE}
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not updated the sha1 sequence."
|
|
exit 1
|
|
fi
|
|
echo "Updated sha1 sequence."
|
|
|
|
echo "Starting a sha256 sequence"
|
|
res="$(${TOOLSPATH}/${PREFIX}hashsequencestart -halg sha256)"
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not start sha256 sequence."
|
|
exit 1
|
|
fi
|
|
SHA256_SEQUENCE_HANDLE="$(echo $res | cut -d " " -f3)"
|
|
echo "sha256 sequence handle: $SHA256_SEQUENCE_HANDLE"
|
|
|
|
${TOOLSPATH}/${PREFIX}sequenceupdate \
|
|
-hs ${SHA256_SEQUENCE_HANDLE} \
|
|
-if ${TMP2FILE}
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not updated the hash sequence."
|
|
exit 1
|
|
fi
|
|
echo "Updated sha256 sequence."
|
|
|
|
echo "Starting a sha384 sequence"
|
|
res="$(${TOOLSPATH}/${PREFIX}hashsequencestart -halg sha384)"
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not start sha384 sequence."
|
|
exit 1
|
|
fi
|
|
SHA384_SEQUENCE_HANDLE="$(echo $res | cut -d " " -f3)"
|
|
echo "sha384 sequence handle: $SHA384_SEQUENCE_HANDLE"
|
|
|
|
${TOOLSPATH}/${PREFIX}sequenceupdate \
|
|
-hs ${SHA384_SEQUENCE_HANDLE} \
|
|
-if ${TMP2FILE}
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not updated the hash sequence."
|
|
exit 1
|
|
fi
|
|
echo "Updated sha384 sequence."
|
|
fi
|
|
|
|
if [ $check -eq 1 ]; then
|
|
echo -n "456" > ${TMP2FILE}
|
|
|
|
echo "Completing previously started sha1 sequence"
|
|
touch $TPMDIR/h${SHA1_SEQUENCE_HANDLE}.bin
|
|
res=$(${TOOLSPATH}/${PREFIX}sequencecomplete \
|
|
-hs ${SHA1_SEQUENCE_HANDLE} \
|
|
-if ${TMP2FILE} -v |
|
|
tail -n 4 |
|
|
grep " 7c 4a 8d ")
|
|
if [ -z "$res" ]; then
|
|
echo "Error: Did not get expected result from completing sha1 sequence."
|
|
exit 1
|
|
fi
|
|
|
|
echo "Completing previously started sha256 sequence"
|
|
touch $TPMDIR/h${SHA256_SEQUENCE_HANDLE}.bin
|
|
res=$(${TOOLSPATH}/${PREFIX}sequencecomplete \
|
|
-hs ${SHA256_SEQUENCE_HANDLE} \
|
|
-if ${TMP2FILE} -v |
|
|
tail -n 4 |
|
|
grep " 8d 96 9e ")
|
|
if [ -z "$res" ]; then
|
|
echo "Error: Did not get expected result from completing sha256 sequence."
|
|
exit 1
|
|
fi
|
|
|
|
echo "Completing previously started sha384 sequence"
|
|
touch $TPMDIR/h${SHA384_SEQUENCE_HANDLE}.bin
|
|
res=$(${TOOLSPATH}/${PREFIX}sequencecomplete \
|
|
-hs ${SHA384_SEQUENCE_HANDLE} \
|
|
-if ${TMP2FILE} -v |
|
|
tail -n 4 |
|
|
grep " 0a 98 9e ")
|
|
if [ -z "$res" ]; then
|
|
echo "Error: Did not get expected result from completing sha384 sequence."
|
|
exit 1
|
|
fi
|
|
fi
|
|
}
|
|
|
|
function test_session()
|
|
{
|
|
local create="$1"
|
|
local check="$2"
|
|
# whether we are using previous stored stated that had a different
|
|
# key and we have to use the old signature
|
|
local previousstate="$3"
|
|
|
|
local i res rc
|
|
|
|
if [ $create -eq 1 ]; then
|
|
# Create a permanent primary key that we expecte
|
|
# to again see after the TPM has been restarted
|
|
${TOOLSPATH}/${PREFIX}createprimary -hi o -st > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: createprimary for creating storage key failed."
|
|
exit 1
|
|
fi
|
|
if [ -z "$(grep 80000000 $TMPFILE)" ]; then
|
|
echo "Error: createprimary did not result in expected handle 80000000"
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
${TOOLSPATH}/${PREFIX}evictcontrol -ho 80000000 -hp 81000000 -hi o
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: evictcontrol did not work"
|
|
exit 1
|
|
fi
|
|
${TOOLSPATH}/${PREFIX}flushcontext -ha 80000000
|
|
|
|
${TOOLSPATH}/${PREFIX}startauthsession -se h -bi 81000000 > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not start an auth session."
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
AUTHSESSION_HANDLE=$(cat $TMPFILE | sed 's/Handle//')
|
|
if [ -z "${AUTHSESSION_HANDLE}" ]; then
|
|
echo "Error: Could not get auth session handle."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
if [ $check -eq 1 ]; then
|
|
echo "Using auth session ${AUTHSESSION_HANDLE} to create a key."
|
|
${TOOLSPATH}/${PREFIX}create \
|
|
-hp 81000000 \
|
|
-st \
|
|
-se0 ${AUTHSESSION_HANDLE} 1
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not create key using authsession"
|
|
exit 1
|
|
fi
|
|
echo "Successfully created key"
|
|
fi
|
|
}
|
|
|
|
function test_hmac_context()
|
|
{
|
|
local create="$1"
|
|
local check="$2"
|
|
# whether we are using previous stored stated that had a different
|
|
# key and we have to use the old signature
|
|
local previousstate="$3"
|
|
|
|
local i res rc
|
|
|
|
if [ $create -eq 1 ]; then
|
|
${TOOLSPATH}/${PREFIX}createprimary -hi o -st > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: createprimary failed."
|
|
exit 1
|
|
fi
|
|
if [ -z "$(grep 80000000 $TMPFILE)" ]; then
|
|
echo "Error: createprimary did not result in expected handle 80000000"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}create -hp 80000000 -kh \
|
|
-opr ${HKEYPRIV} -opu ${HKEYPUB} > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: could not create key for HMAC"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}load -hp 80000000 \
|
|
-ipr ${HKEYPRIV} -ipu ${HKEYPUB} -v > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: could not load key for HMAC"
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
if [ -z "$(grep 80000001 $TMPFILE)" ]; then
|
|
echo "Error: load did not result in expected handle 80000001"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}hmacstart -hk 80000001 > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: could not start HMAC sequence"
|
|
exit 1
|
|
fi
|
|
if [ -z "$(grep 80000002 $TMPFILE)" ]; then
|
|
echo "Error: load did not result in expected handle 80000002"
|
|
exit 1
|
|
fi
|
|
|
|
echo -n "123" > ${TMP2FILE}
|
|
${TOOLSPATH}/${PREFIX}sequenceupdate \
|
|
-hs 80000002 \
|
|
-if ${TMP2FILE}
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not updated the HMAC sequence."
|
|
exit 1
|
|
fi
|
|
echo "Updated HMAC sequence."
|
|
fi
|
|
|
|
if [ $check -eq 1 ]; then
|
|
echo -n "456" > ${TMP2FILE}
|
|
|
|
echo "Completing previously started HMAC sequence"
|
|
touch $TPMDIR/h80000002.bin
|
|
${TOOLSPATH}/${PREFIX}sequencecomplete \
|
|
-hs 80000002 \
|
|
-if ${TMP2FILE} -v |
|
|
tail -n 4 > ${TMPFILE}
|
|
if [ -z "$(grep " 6e 40 33 1a " ${TMPFILE})" ]; then
|
|
echo "Error: Did not get expected result from completing HMAC sequence."
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
fi
|
|
}
|
|
|
|
function test_primary_volatile_load()
|
|
{
|
|
local create="$1"
|
|
local check="$2"
|
|
# whether we are using previous stored stated that had a different
|
|
# key and we have to use the old signature
|
|
local previousstate="$3"
|
|
|
|
local i res rc
|
|
|
|
if [ $create -eq 1 ]; then
|
|
# Create a permanent primary key that we expecte
|
|
# to again see after the TPM has been restarted
|
|
${TOOLSPATH}/${PREFIX}createprimary -hi o -si > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: createprimary failed."
|
|
exit 1
|
|
fi
|
|
if [ -z "$(grep 80000000 $TMPFILE)" ]; then
|
|
echo "Error: createprimary did not result in expected handle 80000000"
|
|
exit 1
|
|
fi
|
|
|
|
echo -n "123" > $BINFILE
|
|
${TOOLSPATH}/${PREFIX}sign -hk 80000000 -if ${BINFILE} -os ${SIGFILE} > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not create signature."
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
|
|
printf "Verifying signature with this key (create phase)\n"
|
|
${TOOLSPATH}/${PREFIX}verifysignature -hk 80000000 \
|
|
-is ${SIGFILE} \
|
|
-if ${BINFILE} > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Verifying signature failed."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
if [ $check -eq 1 ]; then
|
|
local sigfile=${SIGFILE} hash1 hash2
|
|
|
|
if [ $previousstate -ne 0 ]; then
|
|
sigfile=${TESTDIR}/data/tpm2state3d/signature2.bin
|
|
fi
|
|
|
|
printf "Checking availability of key with handle 0x80000000\n"
|
|
${TOOLSPATH}/${PREFIX}getcapability -cap 1 -pr 0x80000000 >$TMPFILE
|
|
if [ -z "$(grep 80000000 $TMPFILE)" ]; then
|
|
echo "Could not find key with handle 0x80000000"
|
|
exit 1
|
|
fi
|
|
|
|
printf "Verifying signature with this key (check phase)\n"
|
|
echo -n "123" > $BINFILE
|
|
${TOOLSPATH}/${PREFIX}verifysignature -hk 80000000 \
|
|
-is ${sigfile} \
|
|
-if ${BINFILE} > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Verifying signature failed."
|
|
exit 1
|
|
fi
|
|
|
|
if [ $previousstate -eq 0 ]; then
|
|
${TOOLSPATH}/${PREFIX}sign -hk 80000000 -if ${BINFILE} -os ${SIGFILE2} > $TMPFILE
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not create signature."
|
|
cat $TMPFILE
|
|
exit 1
|
|
fi
|
|
hash1=$(get_sha1_file ${SIGFILE})
|
|
hash2=$(get_sha1_file ${SIGFILE2})
|
|
if [ "${hash1}" != "${hash2}" ]; then
|
|
echo "Error: hashes of signatures are different. Loaded key may be different."
|
|
exit 1
|
|
fi
|
|
fi
|
|
fi
|
|
}
|
|
|
|
export TPM_SERVER_TYPE=raw
|
|
export TPM_SERVER_NAME=127.0.0.1
|
|
export TPM_INTERFACE_TYPE=socsim
|
|
export TPM_COMMAND_PORT=65533
|
|
export TPM_DATA_DIR=$TPMDIR
|
|
export TPM_SESSION_ENCKEY="807e2bfe898ddaed8fa6310e716a24dc" # for sessions
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (1) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}startup -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_startup clear failed."
|
|
exit 1
|
|
fi
|
|
|
|
test_nvram_state 1 1
|
|
test_primary 1 1 0
|
|
test_pcr_allocation 1 0 # can only check after reboot
|
|
test_hierarchy 1 1
|
|
|
|
${TOOLSPATH}/${PREFIX}shutdown -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_shutdown clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
echo "============================" >> $LOGFILE
|
|
|
|
echo "TPM was shut down"
|
|
|
|
# Store this state for later usage
|
|
# cp $TPMDIR/tpm2-00.permall ${TESTDIR}/data/tpm2state3;
|
|
# cp $SIGFILE ${TESTDIR}/data/tpm2state3/signature.bin
|
|
|
|
#################################################################
|
|
# Run TPM2 with the created state and verify it's the same
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (2) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
echo "TPM re-started"
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}startup -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_startup clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
test_nvram_state 0 1
|
|
test_primary 0 1 0
|
|
test_pcr_allocation 0 1
|
|
test_hierarchy 0 1
|
|
|
|
${TOOLSPATH}/${PREFIX}shutdown -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_shutdown clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
echo "============================" >> $LOGFILE
|
|
|
|
echo "TPM was shut down"
|
|
|
|
#################################################################
|
|
# Run TPM2 with previously saved state and verify it's the same
|
|
|
|
rm -f $TPMDIR/*
|
|
cp -f ${TESTDIR}/data/tpm2state3/tpm2-00.permall $TPMDIR/tpm2-00.permall
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (3) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
echo "TPM started with previously generated state"
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}startup -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_startup clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
test_nvram_state 0 1
|
|
test_primary 0 1 1
|
|
test_pcr_allocation 0 1
|
|
test_hierarchy 0 1
|
|
|
|
${TOOLSPATH}/${PREFIX}shutdown -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_shutdown clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Test 1 OK"
|
|
|
|
#
|
|
#
|
|
# Tests with volatile state
|
|
#
|
|
#
|
|
|
|
rm -f ${TPMDIR}/*
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (3) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}startup -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_startup clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
test_session 1 1
|
|
test_hash_context 1 0
|
|
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}shutdown -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_shutdown clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
#################################################################
|
|
# Run TPM2 with the saved volatile state
|
|
|
|
# create a backup for running the next test...
|
|
# cp $TPMDIR/tpm2-00.permall ${TESTDIR}/data/tpm2state3b/tpm2-00.permall
|
|
# cp $TPMDIR/tpm2-00.volatilestate ${TESTDIR}/data/tpm2state3b/tpm2-00.volatilestate
|
|
# cp $TPMDIR/h02000000.bin ${TESTDIR}/data/tpm2state3b/h02000000.bin
|
|
# cp $TPMDIR/h81000000.bin ${TESTDIR}/data/tpm2state3b/h81000000.bin
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (3) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
cat $LOGFILE
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
test_hash_context 0 1
|
|
test_session 0 1
|
|
|
|
${TOOLSPATH}/${PREFIX}shutdown -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_shutdown clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
#####################################################################
|
|
# Run TPM2 with previously saved (volatile) state and verify it's
|
|
# working as well
|
|
|
|
cp -f ${TESTDIR}/data/tpm2state3b/tpm2-00.permall $TPMDIR/tpm2-00.permall
|
|
cp -f ${TESTDIR}/data/tpm2state3b/tpm2-00.volatilestate $TPMDIR/tpm2-00.volatilestate
|
|
cp -f ${TESTDIR}/data/tpm2state3b/h02000000.bin $TPMDIR/h02000000.bin
|
|
cp -f ${TESTDIR}/data/tpm2state3b/h81000000.bin $TPMDIR/h81000000.bin
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (3) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
echo "TPM started with previously generated state"
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
tail -n 10 $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
test_hash_context 0 1
|
|
test_session 0 1
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Test 2 OK"
|
|
|
|
#
|
|
#
|
|
# Tests with volatile state -- 2nd test
|
|
#
|
|
#
|
|
|
|
rm -f ${TPMDIR}/*
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (3) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}startup -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_startup clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
# we only run this to generate the AES key which is different every time...
|
|
# test_hmac_context 1 0
|
|
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}shutdown -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_shutdown clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
#################################################################
|
|
# Run TPM2 with the saved volatile state
|
|
|
|
# create a backup for running the next test...
|
|
# cp $TPMDIR/tpm2-00.permall ${TESTDIR}/data/tpm2state3c/tpm2-00.permall
|
|
# cp $TPMDIR/tpm2-00.volatilestate ${TESTDIR}/data/tpm2state3c/tpm2-00.volatilestate
|
|
|
|
#echo $TPMDIR
|
|
#ls -l $TPMDIR
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (3) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
cat $LOGFILE
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# since the AES key is different every time, we cannot run
|
|
# the HMAC function that's using it since the result would
|
|
# be different every time
|
|
# test_hmac_context 0 1
|
|
|
|
${TOOLSPATH}/${PREFIX}shutdown -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_shutdown clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
#####################################################################
|
|
# Run TPM2 with previously saved (volatile) state and verify it's
|
|
# working as well
|
|
|
|
cp -f ${TESTDIR}/data/tpm2state3c/tpm2-00.volatilestate $TPMDIR/tpm2-00.volatilestate
|
|
cp -f ${TESTDIR}/data/tpm2state3c/tpm2-00.permall $TPMDIR/tpm2-00.permall
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (3) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
echo "TPM started with previously generated state"
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
test_hmac_context 0 1
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Test 3 OK"
|
|
|
|
|
|
#
|
|
#
|
|
# Tests with volatile state -- 3rd test
|
|
#
|
|
#
|
|
|
|
rm -f ${TPMDIR}/*
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (3) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}startup -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_startup clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
test_primary_volatile_load 1 0 0
|
|
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
${TOOLSPATH}/${PREFIX}shutdown -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_shutdown clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
#################################################################
|
|
# Run TPM2 with the saved volatile state
|
|
|
|
# create a backup for running the next test...
|
|
# cp $TPMDIR/tpm2-00.volatilestate ${TESTDIR}/data/tpm2state3d/tpm2-00.volatilestate
|
|
# cp $TPMDIR/tpm2-00.permall ${TESTDIR}/data/tpm2state3d/tpm2-00.permall
|
|
# cp $SIGFILE ${TESTDIR}/data/tpm2state3d/signature2.bin
|
|
|
|
#echo $TPMDIR
|
|
#ls -l $TPMDIR
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (3) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
cat $LOGFILE
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
test_primary_volatile_load 0 1 0
|
|
|
|
${TOOLSPATH}/${PREFIX}shutdown -c
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: tpm_shutdown clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
#####################################################################
|
|
# Run TPM2 with previously saved (volatile) state and verify it's
|
|
# working as well
|
|
|
|
cp -f ${TESTDIR}/data/tpm2state3d/tpm2-00.permall $TPMDIR/tpm2-00.permall
|
|
cp -f ${TESTDIR}/data/tpm2state3d/tpm2-00.volatilestate $TPMDIR/tpm2-00.volatilestate
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=${TPM_COMMAND_PORT} \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: (3) Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
echo "TPM started with previously generated state"
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
# Send TPM_Init
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
test_primary_volatile_load 0 1 1
|
|
# Create the orderly nv indices and have them cleared (for coverage)
|
|
test_nvram_state 1 1
|
|
|
|
${TOOLSPATH}/${PREFIX}clear -hi p
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: clear failed."
|
|
cat $LOGFILE
|
|
exit 1
|
|
fi
|
|
|
|
# Send Shutdown
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Test 4 OK"
|
|
|
|
exit 0
|