
Extend swtpm_setup to create IAK and IDevID keys and certificates. Use the same CA for signing the IAK and IDevID certificates as used for the EK and platform certificates since all these certificates are issued at the same time anyway. Add documentation to the man page. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
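#!/bin/bash

# For the license, see the LICENSE file in the root directory.

# Exercises the --print-capabilities option of swtpm, swtpm_setup and
# swtpm_cert and checks that each program answers with the expected JSON
# document. The parts of the output that vary between builds (TPM 2.0
# support, RSA key sizes, the profile list, the version string) and between
# interfaces (cuse vs. socket/chardev) are matched with a regex; everything
# else must match literally, so a changed feature list fails the test.
#
# Environment:
#   abs_top_builddir  top-level build directory (default: ../ relative to cwd)
#   abs_top_testdir   directory holding this script and the 'common' file
#   SWTPM_IFACE       interface under test; "cuse" additionally loads test_cuse
#   SWTPM_EXE, SWTPM_SETUP, SWTPM_CERT
#                     commands under test; presumably set by 'common' or the
#                     harness (not defined here). They may carry a wrapper
#                     such as valgrind and are therefore expanded unquoted.
#
# Exit status: 0 when every test passed or was skipped, 1 on the first failure.

#set -x

ROOT=${abs_top_builddir:-$(pwd)/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

# Prefer the freshly built binaries over anything installed on the system.
PATH=$ROOT/src/swtpm:$PATH

source "${TESTDIR}/common"
[[ "${SWTPM_IFACE}" == "cuse" ]] && source "${TESTDIR}/test_cuse"

#######################################
# Compare a --print-capabilities response against the expected regex and
# terminate the test run with status 1 on a mismatch.
# Arguments:
#   $1 - name of the responding program, used in the diagnostic only
#   $2 - the response that was received
#   $3 - extended regex the response must match (kept unquoted in [[ ]] so
#        it is treated as a pattern, not a literal string)
# Outputs:
#   the diagnostic on stdout when the response does not match
#######################################
verify_capabilities() {
  local label=$1
  local actual=$2
  local expected=$3

  if ! [[ ${actual} =~ ${expected} ]]; then
    echo "Unexpected response from ${label} to --print-capabilities:"
    echo "Actual : ${actual}"
    echo "Expected : ${expected}"
    exit 1
  fi
}

# ---- Test 1: swtpm ---------------------------------------------------------

if ! msg="$(${SWTPM_EXE} "${SWTPM_IFACE}" --print-capabilities 2>&1)"; then
  echo "Error: Could not pass --print-capabilities"
  echo "${msg}"
  exit 1
fi

# Regex fragments for features that are only advertised under a condition;
# they are initialised empty so the assembled regex never contains an unset
# variable (and would survive a future 'set -u').
seccomp=""
if has_seccomp_support "${SWTPM_EXE}"; then
  seccomp='"cmdarg-seccomp", '
fi
noncuse=""
if [[ "${SWTPM_IFACE}" != "cuse" ]]; then
  noncuse='"tpm-send-command-header", '
fi

# "tpm-2.0" is optional in the feature list; the version string is not
# pinned.
exp='\{ "type": "swtpm", '\
'"features": \[ "tpm-1.2",( "tpm-2.0",)? '"${noncuse}"'"flags-opt-startup", '\
'"flags-opt-disable-auto-shutdown", "ctrl-opt-terminate", '"${seccomp}"'"cmdarg-key-fd", '\
'"cmdarg-pwd-fd", "cmdarg-print-states", "cmdarg-chroot", "cmdarg-migration", '\
'"nvram-backend-dir", "nvram-backend-file", "cmdarg-print-info", '\
'"tpmstate-opt-lock" \], '\
'"profiles": \{ \}, '\
'"version": "[^"]*" \}'
verify_capabilities "${SWTPM_IFACE} TPM" "${msg}" "${exp}"

echo "Test 1: OK"

# ---- Test 2: swtpm_setup ---------------------------------------------------

if ! msg="$(${SWTPM_SETUP} --print-capabilities 2>&1)"; then
  echo "Error: Could not pass --print-capabilities"
  echo "${msg}"
  exit 1
fi

# There are some variable parameters at the end (RSA key sizes, the profile
# list, the version), use regex.
exp='\{ "type": "swtpm_setup", '\
'"features": \[ "tpm-1.2",( "tpm-2.0",)? "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", '\
'"tpm12-not-need-root", "cmdarg-write-ek-cert-files", "cmdarg-create-config-files", '\
'"cmdarg-reconfigure-pcr-banks"'\
'(, "tpm2-rsa-keysize-2048")?(, "tpm2-rsa-keysize-3072")?, "cmdarg-profile", '\
'"cmdarg-profile-remove-disabled", "cmdarg-no-iak" \], '\
'"profiles": \[ [^]]*\], '\
'"version": "[^"]*" \}'
verify_capabilities "${SWTPM_SETUP}" "${msg}" "${exp}"

echo "Test 2: OK"

# ---- Test 3: swtpm_cert (optional) -----------------------------------------

# SWTPM_CERT may be run by valgrind, so only its first word is checked for
# being an executable. ${SWTPM_CERT%% *} strips everything from the first
# space on. Note that when a wrapper is in use this checks the wrapper,
# not swtpm_cert itself.
if [[ -x "$(type -P "${SWTPM_CERT%% *}")" ]]; then
  if ! msg="$(${SWTPM_CERT} --print-capabilities 2>&1)"; then
    echo "Error: Could not pass --print-capabilities to ${SWTPM_CERT}"
    echo "${msg}"
    exit 1
  fi

  exp='\{ "type": "swtpm_cert", "features": '\
'\[ "cmdarg-signkey-pwd", "cmdarg-parentkey-pwd", "cmdarg-tpm-serial-num", '\
'"supports-iak-idevid" \], '\
'"version": "[^"]*" \}'
  verify_capabilities "${SWTPM_CERT}" "${msg}" "${exp}"

  echo "Test 3: OK"
else
  echo "Test 3: SKIP -- ${SWTPM_CERT} not found or not an executable"
fi

exit 0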