mirror of
https://github.com/stefanberger/swtpm.git
synced 2025-08-22 19:04:35 +00:00
25d4ac2d3a
Add support for --reconfigure option for the swtpm_setup to be able to change the active PCR banks. This option only works with --tpm2 and does not allow to pass several other options such --create-ek or --create-ek-cert or --create-platform-cert that would alter the state of the TPM 2 in other ways. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
233 lines
6.1 KiB
Bash
Executable File
233 lines
6.1 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# For the license, see the LICENSE file in the root directory.
|
|
|
|
TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
|
|
TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
|
|
ROOT=${abs_top_builddir:-$(dirname "$0")/..}
|
|
TESTDIR=${abs_top_testdir:-$(dirname "$0")}
|
|
|
|
source ${TESTDIR}/common
|
|
skip_test_no_tpm20 "${SWTPM_EXE}"
|
|
|
|
SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca
|
|
|
|
workdir="$(mktemp -d "/tmp/path with spaces.XXXXXX")" || exit 1
|
|
|
|
SIGNINGKEY=${workdir}/signingkey.pem
|
|
ISSUERCERT=${workdir}/issuercert.pem
|
|
CERTSERIAL=${workdir}/certserial
|
|
USER_CERTSDIR=${workdir}/mycerts
|
|
mkdir -p "${USER_CERTSDIR}"
|
|
|
|
PATH=${TOPBUILD}/src/swtpm_bios:$PATH
|
|
|
|
trap "cleanup" SIGTERM EXIT
|
|
|
|
function cleanup()
|
|
{
|
|
rm -rf "${workdir}"
|
|
}
|
|
|
|
# We want swtpm_cert to use the local CA and see that the
|
|
# local CA script automatically creates a signingkey and
|
|
# self-signed certificate
|
|
|
|
cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
|
|
statedir=${workdir}
|
|
signingkey = ${SIGNINGKEY}
|
|
issuercert = ${ISSUERCERT}
|
|
certserial = ${CERTSERIAL}
|
|
_EOF_
|
|
|
|
cat <<_EOF_ > "${workdir}/swtpm-localca.options"
|
|
--tpm-manufacturer IBM
|
|
--tpm-model swtpm-libtpms
|
|
--tpm-version 2
|
|
--platform-manufacturer "Fedora XYZ"
|
|
--platform-version 2.1
|
|
--platform-model "QEMU A.B"
|
|
_EOF_
|
|
|
|
export MY_SWTPM_LOCALCA="${SWTPM_LOCALCA}"
|
|
|
|
cat <<_EOF_ > "${workdir}/swtpm_setup.conf"
|
|
create_certs_tool=\${MY_SWTPM_LOCALCA}
|
|
create_certs_tool_config=${workdir}/swtpm-localca.conf
|
|
create_certs_tool_options=${workdir}/swtpm-localca.options
|
|
_EOF_
|
|
|
|
# We need to adapt the PATH so the correct swtpm_cert is picked
|
|
export PATH=${TOPBUILD}/src/swtpm_cert:${PATH}
|
|
|
|
keysizes="2048"
|
|
if [ -n "$($SWTPM_SETUP --tpm2 --print-capabilities |
|
|
grep tpm2-rsa-keysize-3072 )" ]; then
|
|
keysizes+=" 3072"
|
|
fi
|
|
|
|
for keysize in $(echo $keysizes); do
|
|
echo "Testing with RSA keysize $keysize"
|
|
# we need to create at least one cert: --create-ek-cert
|
|
$SWTPM_SETUP \
|
|
--tpm2 \
|
|
--allow-signing \
|
|
--tpm-state "${workdir}" \
|
|
--create-ek-cert \
|
|
--create-platform-cert \
|
|
--config "${workdir}/swtpm_setup.conf" \
|
|
--logfile "${workdir}/logfile" \
|
|
--tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
|
|
--rsa-keysize ${keysize} \
|
|
--overwrite \
|
|
--write-ek-cert-files "${USER_CERTSDIR}"
|
|
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not run $SWTPM_SETUP."
|
|
echo "Logfile output:"
|
|
cat "${workdir}/logfile"
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${SIGNINGKEY}" ]; then
|
|
echo "Error: Signingkey file ${SIGNINGKEY} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${ISSUERCERT}" ]; then
|
|
echo "Error: Issuer cert file ${ISSUERCERT} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${CERTSERIAL}" ]; then
|
|
echo "Error: Cert serial number file ${CERTSERIAL} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
certfile="${USER_CERTSDIR}/ek-rsa${keysize}.crt"
|
|
if [ ! -f "${certfile}" ]; then
|
|
echo "Error: EK file '${certfile}' was not written."
|
|
ls -l "${USER_CERTSDIR}"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "${keysize} bits")" ]; then
|
|
echo "Error: EK file '${certfile}' is not an RSA ${keysize} bit key."
|
|
$CERTTOOL --inder --infile "${certfile}" -i
|
|
exit 1
|
|
fi
|
|
|
|
rm -rf "${SIGNINGKEY}" "${ISSUERCERT}" "${CERTSERIAL}" ${USER_CERTSDIR}/ek-*.crt
|
|
done
|
|
|
|
echo "Test 1: OK"
|
|
|
|
function swtpm_setup_reconfigure() {
|
|
local workdir="$1"
|
|
local pwdfile="$2"
|
|
|
|
# Reconfigure the active PCR banks a few times; the size of the state
|
|
# file must not change but its content (hash) must change every time
|
|
# since activating the PCR banks changes a few bits in the permanent
|
|
# state, also when the state is not encrypted.
|
|
local PERMALL_FILE="${workdir}/tpm2-00.permall"
|
|
local permall_size=$(get_filesize "${PERMALL_FILE}")
|
|
|
|
for pcrbanks in "sha1" "sha1,sha256" "sha1,sha256,sha384,sha512"; do
|
|
# hash must change between before and after
|
|
permall_hash=$(get_sha1_file "${PERMALL_FILE}")
|
|
|
|
$SWTPM_SETUP \
|
|
--tpm2 \
|
|
--tpm-state "${workdir}" \
|
|
--config "${workdir}/swtpm_setup.conf" \
|
|
--logfile "${workdir}/logfile" \
|
|
--tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
|
|
--pcr-banks "${pcrbanks}" \
|
|
--reconfigure \
|
|
${pwdfile:+--pwdfile "${pwdfile}"}
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not run $SWTPM_SETUP --reconfigure."
|
|
echo "Logfile output:"
|
|
cat "${workdir}/logfile"
|
|
exit 1
|
|
fi
|
|
|
|
local newhash=$(get_sha1_file "${PERMALL_FILE}")
|
|
if [ "${newhash}" = "${permall_hash}" ]; then
|
|
echo "Error: The hash of the permanent state did not change."
|
|
exit 1
|
|
fi
|
|
|
|
local newsize=$(get_filesize "${PERMALL_FILE}")
|
|
if [ "${newsize}" != "${permall_size}" ]; then
|
|
echo "Error: The size of the permanent state file changed."
|
|
echo "Actual : ${tmp}"
|
|
echo "Expected: ${permall_size}"
|
|
fi
|
|
echo "Filesize: ${newsize}; hash: ${newhash}; pwdfile: ${pwdfile}"
|
|
done
|
|
}
|
|
|
|
# Create with certificates with and without encryption enabled and reconfigure
|
|
# the PCR banks
|
|
PWDFILE="${workdir}/pwd"
|
|
echo -n "password" > "${PWDFILE}"
|
|
rm -f "${workdir}/logfile"
|
|
|
|
for pwdfile in "" "${PWDFILE}"; do
|
|
$SWTPM_SETUP \
|
|
--tpm2 \
|
|
--ecc \
|
|
--tpm-state "${workdir}" \
|
|
--create-ek-cert \
|
|
--create-platform-cert \
|
|
--config "${workdir}/swtpm_setup.conf" \
|
|
--logfile "${workdir}/logfile" \
|
|
--tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
|
|
--overwrite \
|
|
--write-ek-cert-files "${workdir}" \
|
|
${pwdfile:+--pwdfile "${pwdfile}"}
|
|
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: Could not run $SWTPM_SETUP."
|
|
echo "Logfile output:"
|
|
cat "${workdir}/logfile"
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${SIGNINGKEY}" ]; then
|
|
echo "Error: Signingkey file ${SIGNINGKEY} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${ISSUERCERT}" ]; then
|
|
echo "Error: Issuer cert file ${ISSUERCERT} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r "${CERTSERIAL}" ]; then
|
|
echo "Error: Cert serial number file ${CERTSERIAL} was not created."
|
|
exit 1
|
|
fi
|
|
|
|
certfile="${workdir}/ek-secp384r1.crt"
|
|
if [ ! -f "${certfile}" ]; then
|
|
echo "Error: EK file '${certfile}' was not written."
|
|
ls -l "${workdir}"
|
|
exit 1
|
|
fi
|
|
|
|
if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "384 bits")" ]; then
|
|
echo "Error: EK file '${certfile}' is not an ECC 384 bit key."
|
|
$CERTTOOL --inder --infile "${certfile}" -i
|
|
exit 1
|
|
fi
|
|
|
|
swtpm_setup_reconfigure "${workdir}" "${pwdfile}"
|
|
done
|
|
|
|
echo "Test 2: OK"
|
|
|
|
exit 0
|