swtpm/tests/test_migration_key
Stefan Berger bd98690a4a Add ioctl to get configuration flags about keys in use
Add an ioctl that lets an application retrieve which keys are in use by the
TPM, i.e., file encryption or migration key

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2015-05-26 07:30:38 -04:00


#!/bin/bash
# For the license, see the LICENSE file in the root directory.
# set -x
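# Root is required: the test loads the cuse kernel module and swtpm_cuse
# creates a /dev/<name> character device. Exit status 77 is the automake
# "SKIP" code, so a non-root run is reported as skipped, not failed.
if [ "$(id -u)" -ne 0 ]; then
    echo "Need to be root to run this test."
    exit 77
fi

# NOTE: DIR stays relative to the caller's cwd; fixture paths below are
# assembled as ${PWD}/${DIR}/..., so this script expects to be invoked via a
# relative path (e.g. tests/test_migration_key), as the automake harness does.
DIR=$(dirname "$0")
ROOT=${DIR}/..

SWTPM=swtpm_cuse
SWTPM_EXE=$ROOT/src/swtpm/$SWTPM
CUSE_TPM_IOCTL=$ROOT/src/swtpm_ioctl/swtpm_ioctl
VTPM_NAME="vtpm-test-migration-key"
# Test-only migration key password. It is passed to swtpm through a file
# (pwdfile=) rather than on the command line, so it never appears in ps.
MIGRATION_PASSWORD="migration"
# Pre-generated volatile state fixture, encrypted under the same password;
# consumed by test 4.
VOLATILESTATE=${PWD}/${DIR}/data/migkey1/volatilestate.bin

# The cleanup trap is installed further down, so failure paths in this
# setup section remove what was already created themselves.
tpmstatedir=$(mktemp -d)
if [ -z "$tpmstatedir" ]; then
    echo "Could not create temporary directory."
    exit 1
fi

migpwdfile=$(mktemp)
if [ -z "$migpwdfile" ]; then
    echo "Could not create temporary file."
    rm -rf -- "$tpmstatedir"
    exit 1
fi
# mktemp already creates the file 0600; make it explicit since it holds a secret.
chmod 600 "$migpwdfile"
# printf instead of 'echo -n': no trailing newline and no backslash
# interpretation, regardless of shell options.
if ! printf '%s' "$MIGRATION_PASSWORD" > "$migpwdfile"; then
    echo "Could not write the migration password file."
    rm -f -- "$migpwdfile"
    rm -rf -- "$tpmstatedir"
    exit 1
fi

volatilestatefile=$(mktemp)
if [ -z "$volatilestatefile" ]; then
    echo "Could not create temporary file."
    rm -f -- "$migpwdfile"
    rm -rf -- "$tpmstatedir"
    exit 1
fi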
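#######################################
# Teardown, run from the EXIT trap on every exit path.
# Kills any swtpm_cuse instance serving our device name, then removes the
# temporary state directory, the migration password file and the saved
# volatile state. The daemon is killed first so it cannot write into the
# state directory while that is being removed.
# Globals: SWTPM, VTPM_NAME, migpwdfile, volatilestatefile, tpmstatedir (read)
#######################################
function cleanup()
{
    local pid
    # pgrep excludes its own process; the former ps|grep|grep chain relied on
    # the two greps filtering out each other's ps entries.
    pid=$(pgrep -f "${SWTPM}.*${VTPM_NAME}")
    if [ -n "$pid" ]; then
        # shellcheck disable=SC2086  # one word per PID is intended
        kill -9 $pid 2>/dev/null
    fi
    rm -f -- "$migpwdfile" "$volatilestatefile"
    # Guard against an empty value: never 'rm -rf' an unset path.
    if [ -n "$tpmstatedir" ]; then
        rm -rf -- "$tpmstatedir"
    fi
}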
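# From here on every exit (success, error, signal) runs cleanup.
trap "cleanup" EXIT

# swtpm_cuse needs the cuse kernel module to create /dev/$VTPM_NAME.
if ! modprobe cuse; then
    echo "Error: Could not load the cuse kernel module."
    exit 1
fi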
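##### Test 1: start with a migration key and save the volatile state #####
# The TPM is started with a migration key. Its volatile state is written
# and then fetched through the ioctl interface; the blob must have a fixed
# size and digest, and the configuration flags must report the key in use.

export TPM_PATH="$tpmstatedir"
# Seed the state directory with the pre-generated permanent state.
if ! cp "${PWD}/${DIR}"/data/tpmstate1/* "$TPM_PATH"; then
    echo "Error: Could not copy the initial TPM state into $TPM_PATH."
    exit 1
fi

# remove=false here, remove=true in test 4; the exact semantics of 'remove'
# are not visible in this script — TODO confirm against the swtpm_cuse docs.
"$SWTPM_EXE" --migration-key pwdfile="$migpwdfile",remove=false -n "$VTPM_NAME"
# Give the daemon a moment to come up and create the device node.
sleep 0.5
PID=$(pgrep -f "${SWTPM}.*${VTPM_NAME}")
ps aux | grep "$SWTPM" | grep -v grep
# shellcheck disable=SC2086  # PID may hold several PIDs; an empty PID makes kill fail
if ! kill -0 $PID; then
    echo "Error: CUSE TPM did not start."
    exit 1
fi

# Init the TPM
if ! "$CUSE_TPM_IOCTL" -i "/dev/$VTPM_NAME"; then
    echo "Error: Initializing the CUSE TPM failed."
    exit 1
fi
sleep 0.5
# shellcheck disable=SC2086
if ! kill -0 $PID 2>/dev/null; then
    echo "Error: CUSE TPM not running anymore after INIT."
    exit 1
fi

# fd 100 is the raw TPM command channel (read/write on the device node).
exec 100<>"/dev/$VTPM_NAME"

# The external echo binary is wanted (for -en); 'which' returns that,
# whereas 'command -v echo' would just name the bash builtin.
ECHO=$(which echo)
if [ -z "$ECHO" ]; then
    echo "Could not find NON-bash builtin echo tool."
    exit 1
fi

# Read PCR 10. TPM 1.2 request: tag 0x00C1 (RQU_COMMAND), total length 14,
# ordinal 0x15 (PcrRead), PCR index 0x0a = 10.
$ECHO -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100
RES=$(dd if=/proc/self/fd/100 2>/dev/null | od -t x1 -A n -w128)
exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5'
if [ "$RES" != "$exp" ]; then
    echo "Error: (1) Did not get expected result from TPM_PCRRead(10)"
    echo "expected: $exp"
    echo "received: $RES"
    exit 1
fi

# Have the TPM write its volatile state ...
if ! "$CUSE_TPM_IOCTL" -v "/dev/$VTPM_NAME"; then
    echo "Error: Storing the TPM's volatile state failed."
    exit 1
fi

# ... and fetch it into a file. The ioctl's exit status is what matters:
# the file itself always exists (mktemp created it), so a plain -r test
# could never fail and proved nothing.
if ! "$CUSE_TPM_IOCTL" --save volatile "$volatilestatefile" "/dev/$VTPM_NAME"; then
    echo "Error: Saving the volatile state to $volatilestatefile failed."
    exit 1
fi
if [ ! -s "$volatilestatefile" ]; then
    echo "Error: Volatile state file $volatilestatefile is missing or empty."
    exit 1
fi

size=$(stat -c%s "$volatilestatefile")
expsize=1274
if [ "$size" -ne "$expsize" ]; then
    echo "Error: Unexpected size of volatile state file."
    echo "       Expected file with size of $expsize, found $size bytes."
    exit 1
fi

# The blob is encrypted with the migration key. Pinning its digest means
# the encryption has to be deterministic for a given key and state (no
# random IV/nonce); if that ever changes, this check must become a
# load-and-compare rather than a digest comparison. SHA-1 is fine here:
# it only identifies a test fixture, it is not a security control.
hash=$(sha1sum "$volatilestatefile" | cut -f1 -d" ")
exphash="39e016fd0c772c6480bf222457f5ce91f384bdc2"
if [ "$hash" != "$exphash" ]; then
    echo "Error: The checksum of the volatile state file is wrong."
    echo "       Calculated: $hash"
    echo "       Expected  : $exphash"
    exit 1
fi

# Query which keys are in use. Capture the raw output first so the exit
# status tested is the ioctl's; in a pipeline into cut, $? only reflected cut.
if ! flags_out=$("$CUSE_TPM_IOCTL" -g "/dev/$VTPM_NAME"); then
    echo "Error: Could not get the configuration flags of the CUSE TPM."
    exit 1
fi
tmp=$(printf '%s\n' "$flags_out" | cut -d":" -f2)
# 0x2 is the flag value this test expects when only a migration key (and
# no file-encryption key) is configured.
if [ "$tmp" != " 0x2" ]; then
    echo "Error: Unexpected configuration flags: $tmp; expected 0x2."
    exit 1
fi

# Shut the TPM down. An unchecked, failed shutdown would leave the device
# busy and make test 2's start fail with a misleading error.
exec 100>&-
if ! "$CUSE_TPM_IOCTL" -s "/dev/$VTPM_NAME"; then
    echo "Error: Could not shut down the CUSE TPM."
    exit 1
fi
echo "Test 1: Ok"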
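##### Test 2: restart with the key and load the encrypted volatile state #####
# Same migration key as in test 1, so the blob saved there must load, init
# must succeed and PCR 10 must read back the same value as before.
"$SWTPM_EXE" --migration-key pwdfile="$migpwdfile",remove=false -n "$VTPM_NAME"
sleep 0.5
PID=$(pgrep -f "${SWTPM}.*${VTPM_NAME}")
ps aux | grep "$SWTPM" | grep -v grep
# shellcheck disable=SC2086  # PID may hold several PIDs; an empty PID makes kill fail
if ! kill -0 $PID; then
    echo "Error: CUSE TPM did not start."
    exit 1
fi

# The volatile state has to be in place before init, which is where the
# TPM picks it up and validates it; so load first, init second.
if ! "$CUSE_TPM_IOCTL" --load volatile "$volatilestatefile" "/dev/$VTPM_NAME"; then
    echo "Error: Could not load encrypted volatile state into TPM."
    exit 1
fi

if ! "$CUSE_TPM_IOCTL" -i "/dev/$VTPM_NAME"; then
    echo "Error: Initializing the CUSE TPM failed."
    exit 1
fi

exec 100<>"/dev/$VTPM_NAME"

# Read PCR 10 (TPM 1.2 PcrRead request, PCR index 10); must match test 1.
$ECHO -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100
RES=$(dd if=/proc/self/fd/100 2>/dev/null | od -t x1 -A n -w128)
exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5'
if [ "$RES" != "$exp" ]; then
    echo "Error: (2) Did not get expected result from TPM_PCRRead(10)"
    echo "expected: $exp"
    echo "received: $RES"
    exit 1
fi

# Shut the TPM down; checked so a stuck daemon is reported here, not in test 3.
exec 100>&-
if ! "$CUSE_TPM_IOCTL" -s "/dev/$VTPM_NAME"; then
    echo "Error: Could not shut down the CUSE TPM."
    exit 1
fi
echo "Test 2: Ok"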
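##### Test 3: negative test — without the migration key the state is unusable #####
# The vTPM is started WITHOUT a migration key and fed the volatile state
# that test 1 saved encrypted under the key. This is the security property
# the migration key exists for: whoever lacks the key must not be able to
# resume the TPM from that blob.
"$SWTPM_EXE" -n "$VTPM_NAME"
sleep 0.5
PID=$(pgrep -f "${SWTPM}.*${VTPM_NAME}")
ps aux | grep "$SWTPM" | grep -v grep
# shellcheck disable=SC2086  # PID may hold several PIDs; an empty PID makes kill fail
if ! kill -0 $PID; then
    echo "Error: CUSE TPM did not start."
    exit 1
fi

# Do NOT init yet. --load only stores the blob in the volatile state file;
# it is not validated at this point, so the load itself is expected to
# succeed even though the blob cannot be decrypted by this instance.
if ! "$CUSE_TPM_IOCTL" --load volatile "$volatilestatefile" "/dev/$VTPM_NAME"; then
    echo "Error: Could not load encrypted volatile state into TPM."
    exit 1
fi

# Init is where validation happens: without the key the blob does not match
# the integrity hash the TPM expects, so this must fail. A crashed daemon
# would make this fail too, which is why the shutdown below is checked.
if "$CUSE_TPM_IOCTL" -i "/dev/$VTPM_NAME"; then
    echo "Error: Initializing the CUSE TPM should have failed."
    exit 1
fi

if ! "$CUSE_TPM_IOCTL" -s "/dev/$VTPM_NAME"; then
    echo "Error: Could not shut down the CUSE TPM."
    exit 1
fi
echo "Test 3: Ok"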
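##### Test 4: load a pre-generated encrypted volatile state fixture #####
# The vTPM is started with the migration key (remove=true this time; the
# semantics of 'remove' are not visible here — TODO confirm against the
# swtpm_cuse docs) and fed the encrypted fixture from the data directory.
# Fail early with a clear message if the fixture is not there, instead of
# letting --load report an opaque error.
if [ ! -r "$VOLATILESTATE" ]; then
    echo "Error: Test fixture $VOLATILESTATE is missing or unreadable."
    exit 1
fi

"$SWTPM_EXE" --migration-key pwdfile="$migpwdfile",remove=true -n "$VTPM_NAME"
sleep 0.5
PID=$(pgrep -f "${SWTPM}.*${VTPM_NAME}")
ps aux | grep "$SWTPM" | grep -v grep
# shellcheck disable=SC2086  # PID may hold several PIDs; an empty PID makes kill fail
if ! kill -0 $PID; then
    echo "Error: CUSE TPM did not start."
    exit 1
fi

# Load before init, as in test 2.
if ! "$CUSE_TPM_IOCTL" --load volatile "$VOLATILESTATE" "/dev/$VTPM_NAME"; then
    echo "Error: Could not load encrypted volatile state into TPM."
    exit 1
fi

# With the right key present, init must succeed.
if ! "$CUSE_TPM_IOCTL" -i "/dev/$VTPM_NAME"; then
    echo "Error: Could not initialize the CUSE TPM."
    exit 1
fi

exec 100<>"/dev/$VTPM_NAME"

# Read PCR 10 (TPM 1.2 PcrRead request, PCR index 10); the fixture must
# yield the same PCR value as the state generated in test 1.
$ECHO -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100
RES=$(dd if=/proc/self/fd/100 2>/dev/null | od -t x1 -A n -w128)
exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5'
if [ "$RES" != "$exp" ]; then
    echo "Error: (4) Did not get expected result from TPM_PCRRead(10)"
    echo "expected: $exp"
    echo "received: $RES"
    exit 1
fi

# Shut the TPM down; a failed shutdown is a test failure, not a warning.
exec 100>&-
if ! "$CUSE_TPM_IOCTL" -s "/dev/$VTPM_NAME"; then
    echo "Error: Could not shut down the CUSE TPM."
    exit 1
fi
echo "Test 4: Ok"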