Proxmox-Port/swtpm
1
0
Fork 0
mirror of https://github.com/stefanberger/swtpm.git synced 2025-08-22 19:04:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
stable-0.6-next
swtpm/tests/test_ctrlchannel2
Stefan Berger 930c7ba16e tests: Allow seccomp override w/ SWTPM_TEST_SECCOMP_OPT env var 
The Ubuntu (PPA) build system executes the build on an environment that
has problems with seccomp profiles. It does not allow us to run the test
suite with swtpm applying its seccomp profile since it fails with a
'bad system call' error. To work around this we introduce the env. variable
SWTPM_TEST_SECCOMP_OPT that we can set to "--seccomp action=none" to avoid
having swtpm apply it seccomp profile.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
2020-01-15 15:49:51 -05:00

492 lines
13 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# For the license, see the LICENSE file in the root directory.
ROOT=${abs_top_builddir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}
SWTPM=swtpm
SWTPM_EXE=${SWTPM_EXE:-$ROOT/src/swtpm/$SWTPM}
SWTPM_IOCTL=${SWTPM_IOCTL:-$ROOT/src/swtpm_ioctl/swtpm_ioctl}
TPMDIR=`mktemp -d`
PID_FILE=$TPMDIR/${SWTPM}.pid
SOCK_PATH=$TPMDIR/sock
CMD_PATH=$TPMDIR/cmd
RESP_PATH=$TPMDIR/resp
VOLATILESTATE=$TPMDIR/volatile
source ${TESTDIR}/common
trap "cleanup" SIGTERM EXIT
function cleanup()
{
rm -rf $TPMDIR
if [ -n "$PID" ]; then
kill_quiet -SIGTERM $PID 2>/dev/null
fi
}
# Test 1: test the control channel on the chardev tpm
# use a pseudo terminal
exec 100<>/dev/ptmx
$SWTPM_EXE chardev \
--fd 100 \
--tpmstate dir=$TPMDIR \
--pid file=$PID_FILE \
--ctrl type=unixio,path=$SOCK_PATH \
${SWTPM_TEST_SECCOMP_OPT} &
PID=$!
if wait_for_file $PID_FILE 3; then
echo "Error: Chardev TPM did not write pidfile."
exit 1
fi
validate_pidfile $PID $PID_FILE
# Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01
act=$($SWTPM_IOCTL --unix $SOCK_PATH -c 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_GET_CAPABILITY failed: $act"
exit 1
fi
exp="ptm capability is 0x([[:xdigit:]]+)"
if ! [[ "$act" =~ ^${exp}$ ]]; then
echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
exit 1
fi
# Send TPM_Init to the TPM: CMD_INIT = 0x00 00 00 02 + flags
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
exit 1
fi
# Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a
act=$($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
exit 1
fi
if [ ! -r $TPMDIR/tpm-00.volatilestate ]; then
echo "Error: Socket TPM: Did not write volatile state file"
exit 1
fi
# Send stop command to the TPM: CMD_STOP = 00 00 00 0e
act=$($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act"
exit 1
fi
# Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0f
act=$($SWTPM_IOCTL --unix $SOCK_PATH -g 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_GET_CONFIG failed: $act"
exit 1
fi
exp="ptm configuration flags: 0x([[:xdigit:]]+)"
if ! [[ "$act" =~ ^${exp}$ ]]; then
echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
exit 1
fi
# Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
exit 1
fi
if wait_file_gone $PID_FILE 2; then
echo "Error: TPM should have removed PID file by now."
exit 1
fi
if wait_process_gone ${PID} 4; then
echo "Error: TPM should not be running anymore."
exit 1
fi
echo "OK"
# Test 2: test the control channel on the socket tpm
# There are a few more tests here that require sending commands to the TPM
BINDADDR="127.0.0.1"
case $(uname -s) in
Linux*)
# make sure IPv6 is available
ip -6 addr show lo | grep -q " ::1/128" && BINDADDR="::1"
;;
esac
# use a pseudo terminal
$SWTPM_EXE socket \
--server port=65431,disconnect=true,bindaddr=$BINDADDR \
--tpmstate dir=$TPMDIR \
--pid file=$PID_FILE \
--ctrl type=unixio,path=$SOCK_PATH \
${SWTPM_TEST_SECCOMP_OPT} &
PID=$!
if wait_for_file $PID_FILE 3; then
echo "Error: Socket TPM did not write pidfile."
exit 1
fi
validate_pidfile $PID $PID_FILE
# Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01
act=$($SWTPM_IOCTL --unix $SOCK_PATH -c 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_GET_CAPABILITY failed: $act"
exit 1
fi
exp="ptm capability is 0x([[:xdigit:]]+)"
if ! [[ "$act" =~ ^${exp}$ ]]; then
echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
exit 1
fi
# Send TPM_Init to the TPM: CMD_INIT = 0x00 00 00 02 + flags
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
exit 1
fi
# Startup the TPM
msg=$($SWTPM_BIOS --tcp ${BINDADDR}:65431 -o 2>&1)
if [ $? -ne 0 ]; then
echo "Error: Failed to startup TPM: $msg"
exit 1
fi
# Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a
act=$($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
exit 1
fi
if [ ! -r $TPMDIR/tpm-00.volatilestate ]; then
echo "Error: Socket TPM: Did not write volatile state file"
exit 1
fi
# 1. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
act=$($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act"
exit 1
fi
exp="tpmEstablished is 0"
if [ "$act" != "$exp" ]; then
echo "Error: Expected '$exp' but got '$act'."
exit 1
fi
# 2. Hash the given data
data="a"
while [ ${#data} -lt $((0x2000)) ]; do
data="${data}${data}"
done
act=$($SWTPM_IOCTL --unix $SOCK_PATH -h $data 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL data hashing failed: $act"
exit 1
fi
# 3. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
act=$($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act"
exit 1
fi
exp="tpmEstablished is 1"
if [ "$act" != "$exp" ]; then
echo "Error: Expected '$exp' but got '$act'."
exit 1
fi
# 4. Send command to reset TPM established flag: CMD_RESET_TPMESTABLISHED = 00 00 00 0b 03
act=$($SWTPM_IOCTL --unix $SOCK_PATH -r 3 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_RESET_TPMESTABLISHED failed: $act"
exit 1
fi
# 5. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
act=$($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act"
exit 1
fi
exp="tpmEstablished is 0"
if [ "$act" != "$exp" ]; then
echo "Error: Expected '$exp' but got '$act'."
exit 1
fi
# Read PCR 17
exec 100<>/dev/tcp/${BINDADDR}/65431
echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x11' >&100
RES=$(cat <&100 | od -t x1 -A n | tr -d "\n")
exp=' 00 c4 00 00 00 1e 00 00 00 00 f9 87 3e 96 6b 9e 46 c8 45 46 2d 1f f2 52 eb cc c1 9b df fd'
if [ "$RES" != "$exp" ]; then
echo "Error: (1) Did not get expected result from TPM_PCRRead(17)"
echo "expected: $exp"
echo "received: $RES"
exit 1
fi
# Get the volatile state of the TPM: CMD_GET_STATEBLOB = 00 00 00 0c
act=$($SWTPM_IOCTL --unix $SOCK_PATH --save volatile $VOLATILESTATE 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_GET_STATEBLOB failed: $act"
exit 1
fi
# Send stop command to the TPM: CMD_STOP = 00 00 00 0e
act=$($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act"
exit 1
fi
# Read PCR 17 -- should fail now
exec 100<>/dev/tcp/${BINDADDR}/65431
echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x11' >&100
RES=$(cat <&100 | od -t x1 -A n | tr -d "\n")
exp=' 00 c4 00 00 00 0a 00 00 00 09'
if [ "$RES" != "$exp" ]; then
echo "Error: (1) Did not get expected result from TPM_PCRRead(17)"
echo "expected: $exp"
echo "received: $RES"
exit 1
fi
# Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0f
act=$($SWTPM_IOCTL --unix $SOCK_PATH -g 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_GET_CONFIG failed: $act"
exit 1
fi
exp="ptm configuration flags: 0x([[:xdigit:]]+)"
if ! [[ "$act" =~ ^${exp}$ ]]; then
echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
exit 1
fi
# Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
exit 1
fi
if wait_file_gone $PID_FILE 2; then
echo "Error: TPM should have removed PID file by now."
exit 1
fi
if wait_process_gone ${PID} 4; then
echo "Error: Socket TPM should not be running anymore."
exit 1
fi
echo "OK"
# Test 3: test the control channel on the socket tpm: resume encrypted state
# copy all the state files
cp ${TESTDIR}/data/tpmstate2/* ${TPMDIR}
$SWTPM_EXE socket \
--server port=65431,disconnect=true \
--tpmstate dir=$TPMDIR \
--pid file=$PID_FILE \
--ctrl type=unixio,path=$SOCK_PATH \
--key pwdfile=${TESTDIR}/data/tpmstate2/pwdfile.txt,kdf=sha512 \
--flags not-need-init \
${SWTPM_TEST_SECCOMP_OPT} &
PID=$!
if wait_for_file $PID_FILE 3; then
echo "Error: Socket TPM did not write pidfile."
exit 1
fi
validate_pidfile $PID $PID_FILE
# Read PCR 10
exec 100<>/dev/tcp/localhost/65431
echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100
RES=$(cat <&100 | od -t x1 -A n -w128)
exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5'
if [ "$RES" != "$exp" ]; then
echo "Error: (1) Did not get expected result from TPM_PCRRead(10)"
echo "expected: $exp"
echo "received: $RES"
exit 1
fi
# Get the volatile state of the TPM: CMD_GET_STATEBLOB = 00 00 00 0c
rm -f $VOLATILESTATE
act=$($SWTPM_IOCTL --unix $SOCK_PATH --save volatile $VOLATILESTATE 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_GET_STATEBLOB failed: $act"
exit 1
fi
# Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
exit 1
fi
if wait_file_gone $PID_FILE 2; then
echo "Error: TPM should have removed PID file by now."
exit 1
fi
if wait_process_gone ${PID} 4; then
echo "Error: Socket TPM should not be running anymore."
exit 1
fi
# remove volatile state
rm -f $TPMDIR/*.volatilestate
$SWTPM_EXE socket \
--server port=65431,disconnect=true \
--tpmstate dir=$TPMDIR \
--pid file=$PID_FILE \
--ctrl type=unixio,path=$SOCK_PATH \
--key pwdfile=${TESTDIR}/data/tpmstate2/pwdfile.txt,kdf=sha512 \
--flags not-need-init \
${SWTPM_TEST_SECCOMP_OPT} &
PID=$!
if wait_for_file $PID_FILE 3; then
echo "Error: Socket TPM did not write pidfile."
exit 1
fi
validate_pidfile $PID $PID_FILE
# Read PCR 10 -- this should fail now
exec 100<>/dev/tcp/localhost/65431
echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100
RES=$(cat <&100 | od -t x1 -A n -w128)
exp=' 00 c4 00 00 00 0a 00 00 00 26'
if [ "$RES" != "$exp" ]; then
echo "Error: (1) Did not get expected result from TPM_PCRRead(10)"
echo "expected: $exp"
echo "received: $RES"
exit 1
fi
# Send stop command to the TPM: CMD_STOP = 00 00 00 0e
act=$($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act"
exit 1
fi
# Send the volatile state to the TPM (while it is stopped)
$SWTPM_IOCTL --unix $SOCK_PATH --load volatile $VOLATILESTATE
#act=$($SWTPM_IOCTL --unix $SOCK_PATH --load volatile $VOLATILESTATE 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_SET_STATEBLOB failed: $act"
exit 1
fi
# Send init command to the TPM: CMD_INIT = 00 00 00 02
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
exit 1
fi
# Read PCR 10 -- has to return same result as before
exec 100<>/dev/tcp/localhost/65431
echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100
RES=$(cat <&100 | od -t x1 -A n -w128)
exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5'
if [ "$RES" != "$exp" ]; then
echo "Error: (1) Did not get expected result from TPM_PCRRead(10)"
echo "expected: $exp"
echo "received: $RES"
exit 1
fi
# Reset PCR 20 while in locality 0 -- should not work
exec 100<>/dev/tcp/localhost/65431
echo -en '\x00\xC1\x00\x00\x00\x0F\x00\x00\x00\xC8\x00\x03\x00\x00\x10' >&100
RES=$(cat <&100 | od -t x1 -A n)
exp=' 00 c4 00 00 00 0a 00 00 00 33'
if [ "$RES" != "$exp" ]; then
echo "Error: Trying to reset PCR 20 in locality 0 returned unexpected result"
echo "expected: $exp"
echo "received: $RES"
exit 1
fi
# In locality 2 we can reset PCR 20
# Set the locality on the TPM: CMD_SET_LOCALITY = 00 00 00 05 <locality>
act=$($SWTPM_IOCTL --unix $SOCK_PATH -l 2 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_SET_LOCALITY failed: $act"
exit 1
fi
# Reset PCR 20 while in locality 2 -- has to work
exec 100<>/dev/tcp/localhost/65431
echo -en '\x00\xC1\x00\x00\x00\x0F\x00\x00\x00\xC8\x00\x03\x00\x00\x10' >&100
RES=$(cat <&100 | od -t x1 -A n)
exp=' 00 c4 00 00 00 0a 00 00 00 00'
if [ "$RES" != "$exp" ]; then
echo "Error: Could not reset PCR 20 in locality 2"
echo "expected: $exp"
echo "received: $RES"
exit 1
fi
# Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
if [ $? -ne 0 ]; then
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
exit 1
fi
if wait_file_gone $PID_FILE 2; then
echo "Error: TPM should have removed PID file by now."
exit 1
fi
if wait_process_gone ${PID} 4; then
echo "Error: Socket TPM should not be running anymore."
exit 1
fi
echo "OK"
exit 0
Reference in New Issue View Git Blame Copy Permalink