mirror of
https://github.com/stefanberger/swtpm.git
synced 2025-08-26 00:18:38 +00:00
695274e024
Adjust the vtpm proxy test case and others to make use of the new startup options. Make sure that subsequent Startups sent to the TPM fail with the expected error code. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
515 lines
14 KiB
Bash
Executable File
515 lines
14 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# For the license, see the LICENSE file in the root directory.
|
|
|
|
ROOT=${abs_top_builddir:-$(dirname "$0")/..}
|
|
TESTDIR=${abs_top_testdir:-$(dirname "$0")}
|
|
|
|
SWTPM=swtpm
|
|
SWTPM_EXE=${SWTPM_EXE:-$ROOT/src/swtpm/$SWTPM}
|
|
SWTPM_IOCTL=${SWTPM_IOCTL:-$ROOT/src/swtpm_ioctl/swtpm_ioctl}
|
|
TPMDIR=`mktemp -d`
|
|
PID_FILE=$TPMDIR/${SWTPM}.pid
|
|
SOCK_PATH=$TPMDIR/sock
|
|
CMD_PATH=$TPMDIR/cmd
|
|
RESP_PATH=$TPMDIR/resp
|
|
LOGFILE=$TPMDIR/logfile
|
|
VOLATILESTATE=$TPMDIR/volatile
|
|
|
|
source ${TESTDIR}/common
|
|
source ${TESTDIR}/test_common
|
|
|
|
trap "cleanup" SIGTERM EXIT
|
|
|
|
function cleanup()
|
|
{
|
|
rm -rf $TPMDIR
|
|
if [ -n "$PID" ]; then
|
|
kill_quiet -SIGTERM $PID 2>/dev/null
|
|
fi
|
|
}
|
|
|
|
# Test 1: test the control channel on the chardev tpm
|
|
if [ $(id -u) -eq 0 ]; then
|
|
FOWNER=",uid=$(id -u nobody),gid=$(id -G nobody | cut -d" " -f1)"
|
|
FILEOWNER="$(id -u nobody) $(id -G nobody | cut -d" " -f1)"
|
|
fi
|
|
|
|
FILEMODE=621
|
|
# use a pseudo terminal
|
|
exec 100<>/dev/ptmx
|
|
$SWTPM_EXE chardev \
|
|
--fd 100 \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH,mode=${FILEMODE}${FOWNER} \
|
|
--tpm2 \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
PID=$!
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: Chardev TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
validate_pidfile $PID $PID_FILE
|
|
|
|
# Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -c 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_GET_CAPABILITY failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
filemode=$(get_filemode $SOCK_PATH)
|
|
if [ "$filemode" != "$FILEMODE" ]; then
|
|
echo "Filemode bits are wrong"
|
|
echo "Expected: $FILEMODE"
|
|
echo "Actual : $filemode"
|
|
exit 1
|
|
fi
|
|
|
|
fileowner=$(get_fileowner $SOCK_PATH)
|
|
if [ -n "$FILEOWNER" ] && [ "$fileowner" != "$FILEOWNER" ]; then
|
|
echo "File ownership is wrong"
|
|
echo "Expected: $FILEOWNER"
|
|
echo "Actual : $fileowner"
|
|
exit 1
|
|
fi
|
|
|
|
exp="ptm capability is 0x([[:xdigit:]]+)"
|
|
if ! [[ "$act" =~ ^${exp}$ ]]; then
|
|
echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
|
|
exit 1
|
|
fi
|
|
|
|
# Send TPM_Init to the TPM: CMD_INIT = 0x00 00 00 02 + flags
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r $TPMDIR/tpm2-00.volatilestate ]; then
|
|
echo "Error: Socket TPM: Did not write volatile state file"
|
|
exit 1
|
|
fi
|
|
|
|
# Send stop command to the TPM: CMD_STOP = 00 00 00 0e
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0f
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -g 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_GET_CONFIG failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
exp="ptm configuration flags: 0x([[:xdigit:]]+)"
|
|
if ! [[ "$act" =~ ^${exp}$ ]]; then
|
|
echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
|
|
exit 1
|
|
fi
|
|
|
|
# Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
if wait_file_gone $PID_FILE 2; then
|
|
echo "Error: TPM should have removed PID file by now."
|
|
exit 1
|
|
fi
|
|
|
|
if wait_process_gone ${PID} 4; then
|
|
echo "Error: TPM should not be running anymore."
|
|
exit 1
|
|
fi
|
|
|
|
echo "OK"
|
|
|
|
# Test 2: test the control channel on the socket tpm
|
|
|
|
# There are a few more tests here that require sending commands to the TPM
|
|
|
|
# use a pseudo terminal
|
|
$SWTPM_EXE socket \
|
|
--server port=65532,disconnect=true \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--log file=$LOGFILE,level=20 \
|
|
--tpm2 \
|
|
--flags startup-clear \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
PID=$!
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
validate_pidfile $PID $PID_FILE
|
|
|
|
exec 100<>/dev/tcp/localhost/65532
|
|
|
|
# Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -c 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_GET_CAPABILITY failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
exp="ptm capability is 0x([[:xdigit:]]+)"
|
|
if ! [[ "$act" =~ ^${exp}$ ]]; then
|
|
echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
|
|
exit 1
|
|
fi
|
|
|
|
# Startup the TPM; we used --flags startup-clear so expect this to fail now with 0x100
|
|
echo -en '\x80\x01\x00\x00\x00\x0c\x00\x00\x01\x44\x00\x00' >&100
|
|
RES=$(cat <&100 | od -t x1 -A n)
|
|
exp=' 80 01 00 00 00 0a 00 00 01 00'
|
|
if [ "$RES" != "$exp" ]; then
|
|
echo "Error: Did not get expected result from TPM_Startup(SU_Clear)"
|
|
echo "expected: $exp"
|
|
echo "received: $RES"
|
|
exit 1
|
|
fi
|
|
|
|
# Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r $TPMDIR/tpm2-00.volatilestate ]; then
|
|
echo "Error: Socket TPM: Did not write volatile state file"
|
|
exit 1
|
|
fi
|
|
|
|
# 1. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
exp="tpmEstablished is 0"
|
|
if [ "$act" != "$exp" ]; then
|
|
echo "Error: Expected '$exp' but got '$act'."
|
|
exit 1
|
|
fi
|
|
|
|
# 2. Hash the given data
|
|
data="a"
|
|
while [ ${#data} -lt $((0x2000)) ]; do
|
|
data="${data}${data}"
|
|
done
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -h $data 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL data hashing failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# 3. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
exp="tpmEstablished is 1"
|
|
if [ "$act" != "$exp" ]; then
|
|
echo "Error: Expected '$exp' but got '$act'."
|
|
exit 1
|
|
fi
|
|
|
|
# 4. Send command to reset TPM established flag: CMD_RESET_TPMESTABLISHED = 00 00 00 0b 03
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -r 3 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_RESET_TPMESTABLISHED failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# 5. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
exp="tpmEstablished is 0"
|
|
if [ "$act" != "$exp" ]; then
|
|
echo "Error: Expected '$exp' but got '$act'."
|
|
exit 1
|
|
fi
|
|
|
|
# Read PCR 17
|
|
exec 100<>/dev/tcp/localhost/65532
|
|
# length CC count hashalg sz
|
|
echo -en '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x00\x02' >&100
|
|
RES=$(cat <&100 | od -t x1 -A n | tr -d "\n")
|
|
exp=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 19 00 00 00 01 00 0b 03 00 00 02 00 00 00 01 00 20 e5 17 e3 9b 10 a3 5b 3b b7 29 95 79 4b c6 4a 07 f8 bc b0 bd e6 bb 31 ad 35 27 fb 6f 64 f8 4c b9'
|
|
if [ "$RES" != "$exp" ]; then
|
|
echo "Error: (1) Did not get expected result from TPM_PCRRead(17)"
|
|
echo "expected: $exp"
|
|
echo "received: $RES"
|
|
exit 1
|
|
fi
|
|
|
|
# Get the volatile state of the TPM: CMD_GET_STATEBLOB = 00 00 00 0c
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH --save volatile $VOLATILESTATE 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_GET_STATEBLOB failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# Send stop command to the TPM: CMD_STOP = 00 00 00 0e
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# Read PCR 17 -- should fail now
|
|
exec 100<>/dev/tcp/localhost/65532
|
|
# length CC count hashalg sz
|
|
echo -en '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x00\x02' >&100
|
|
RES=$(cat <&100 | od -t x1 -A n | tr -d "\n")
|
|
exp=' 80 01 00 00 00 0a 00 00 01 01'
|
|
if [ "$RES" != "$exp" ]; then
|
|
echo "Error: (1) Did not get expected result from TPM_PCRRead(17)"
|
|
echo "expected: $exp"
|
|
echo "received: $RES"
|
|
exit 1
|
|
fi
|
|
|
|
# Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0f
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -g 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_GET_CONFIG failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
exp="ptm configuration flags: 0x([[:xdigit:]]+)"
|
|
if ! [[ "$act" =~ ^${exp}$ ]]; then
|
|
echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
|
|
exit 1
|
|
fi
|
|
|
|
# Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
if wait_file_gone $PID_FILE 2; then
|
|
echo "Error: TPM should have removed PID file by now."
|
|
exit 1
|
|
fi
|
|
|
|
if wait_process_gone ${PID} 4; then
|
|
echo "Error: TPM should not be running anymore."
|
|
exit 1
|
|
fi
|
|
|
|
echo "OK"
|
|
|
|
# Test 3: test the control channel on the socket tpm: resume encrypted state
|
|
|
|
# copy all the state files
|
|
cp ${TESTDIR}/data/tpm2state2/* ${TPMDIR}
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=65532,disconnect=true \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--key pwdfile=${TESTDIR}/data/tpm2state2/pwdfile.txt,kdf=sha512 \
|
|
--tpm2 \
|
|
--flags not-need-init \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
PID=$!
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
validate_pidfile $PID $PID_FILE
|
|
|
|
# Read PCR 10
|
|
exec 100<>/dev/tcp/localhost/65532
|
|
# length CC count hashalg sz
|
|
echo -en '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x04\x00' >&100
|
|
RES=$(cat <&100 | od -t x1 -A n -w128)
|
|
exp=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 16 00 00 00 01 00 0b 03 00 04 00 00 00 00 01 00 20 f6 85 98 e5 86 8d e6 8b 97 29 99 60 f2 71 7d 17 67 89 a4 2f 9a ae a8 c7 b7 aa 79 a8 62 56 c1 de'
|
|
if [ "$RES" != "$exp" ]; then
|
|
echo "Error: (1) Did not get expected result from TPM2_PCRRead(10)"
|
|
echo "expected: $exp"
|
|
echo "received: $RES"
|
|
exit 1
|
|
fi
|
|
|
|
# Get the volatile state of the TPM: CMD_GET_STATEBLOB = 00 00 00 0c
|
|
rm -f $VOLATILESTATE
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH --save volatile $VOLATILESTATE 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_GET_STATEBLOB failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
if wait_process_gone ${PID} 4; then
|
|
echo "Error: TPM should not be running anymore."
|
|
exit 1
|
|
fi
|
|
|
|
if [ -f $PID_FILE ]; then
|
|
echo "Error: Socket TPM should have removed the PID file."
|
|
exit 1
|
|
fi
|
|
|
|
# remove volatile state
|
|
rm -f $TPMDIR/*.volatilestate
|
|
|
|
$SWTPM_EXE socket \
|
|
--server port=65532,disconnect=true \
|
|
--tpmstate dir=$TPMDIR \
|
|
--pid file=$PID_FILE \
|
|
--ctrl type=unixio,path=$SOCK_PATH \
|
|
--key pwdfile=${TESTDIR}/data/tpm2state2/pwdfile.txt,kdf=sha512 \
|
|
--tpm2 \
|
|
--flags not-need-init \
|
|
${SWTPM_TEST_SECCOMP_OPT} &
|
|
PID=$!
|
|
|
|
if wait_for_file $PID_FILE 3; then
|
|
echo "Error: Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
validate_pidfile $PID $PID_FILE
|
|
|
|
# Read PCR 10 -- this should fail now
|
|
exec 100<>/dev/tcp/localhost/65532
|
|
# length CC count hashalg sz
|
|
echo -en '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x04\x00' >&100
|
|
RES=$(cat <&100 | od -t x1 -A n -w128)
|
|
exp=' 80 01 00 00 00 0a 00 00 01 00'
|
|
if [ "$RES" != "$exp" ]; then
|
|
echo "Error: (1) Did not get expected result from TPM2_PCRRead(10)"
|
|
echo "expected: $exp"
|
|
echo "received: $RES"
|
|
exit 1
|
|
fi
|
|
|
|
# Send stop command to the TPM: CMD_STOP = 00 00 00 0e
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# Send the volatile state to the TPM (while it is stopped)
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH --load volatile $VOLATILESTATE 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SET_STATEBLOB failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# Send init command to the TPM: CMD_INIT = 00 00 00 02
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# Read PCR 10 -- has to return same result as before
|
|
exec 100<>/dev/tcp/localhost/65532
|
|
# length CC count hashalg sz
|
|
echo -en '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x04\x00' >&100
|
|
RES=$(cat <&100 | od -t x1 -A n -w128)
|
|
exp=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 16 00 00 00 01 00 0b 03 00 04 00 00 00 00 01 00 20 f6 85 98 e5 86 8d e6 8b 97 29 99 60 f2 71 7d 17 67 89 a4 2f 9a ae a8 c7 b7 aa 79 a8 62 56 c1 de'
|
|
if [ "$RES" != "$exp" ]; then
|
|
echo "Error: (1) Did not get expected result from TPM2_PCRRead(10)"
|
|
echo "expected: $exp"
|
|
echo "received: $RES"
|
|
exit 1
|
|
fi
|
|
|
|
# Reset PCR 20 while in locality 0 -- should not work
|
|
exec 100<>/dev/tcp/localhost/65532
|
|
echo -en '\x80\x02\x00\x00\x00\x1b\x00\x00\x01\x3d\x00\x00\x00\x14\x00\x00\x00\x09\x40\x00\x00\x09\x00\x00\x00\x00\x00' >&100
|
|
RES=$(cat <&100 | od -t x1 -A n)
|
|
exp=' 80 01 00 00 00 0a 00 00 09 07'
|
|
if [ "$RES" != "$exp" ]; then
|
|
echo "Error: Trying to reset PCR 20 in locality 0 returned unexpected result"
|
|
echo "expected: $exp"
|
|
echo "received: $RES"
|
|
exit 1
|
|
fi
|
|
|
|
# In locality 2 we can reset PCR 20
|
|
# Set the locality on the TPM: CMD_SET_LOCALITY = 00 00 00 05 <locality>
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -l 2 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SET_LOCALITY failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
# Reset PCR 20 while in locality 2 -- has to work
|
|
exec 100<>/dev/tcp/localhost/65532
|
|
echo -en '\x80\x02\x00\x00\x00\x1b\x00\x00\x01\x3d\x00\x00\x00\x14\x00\x00\x00\x09\x40\x00\x00\x09\x00\x00\x00\x00\x00' >&100
|
|
RES=$(cat <&100 | od -t x1 -A n -w512)
|
|
exp=' 80 02 00 00 00 13 00 00 00 00 00 00 00 00 00 00 01 00 00'
|
|
if [ "$RES" != "$exp" ]; then
|
|
echo "Error: Could not reset PCR 20 in locality 2"
|
|
echo "expected: $exp"
|
|
echo "received: $RES"
|
|
exit 1
|
|
fi
|
|
|
|
# Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
|
|
act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
|
|
if [ $? -ne 0 ]; then
|
|
echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
|
|
exit 1
|
|
fi
|
|
|
|
if wait_file_gone $PID_FILE 2; then
|
|
echo "Error: TPM should have removed PID file by now."
|
|
exit 1
|
|
fi
|
|
|
|
if wait_process_gone ${PID} 4; then
|
|
echo "Error: TPM should not be running anymore."
|
|
exit 1
|
|
fi
|
|
|
|
echo "OK"
|
|
|
|
exit 0
|