mirror of
https://github.com/stefanberger/swtpm.git
synced 2026-01-25 00:55:54 +00:00
b5fbddbcf1
Deactivate the code around resetting the TPM established bit since its implementation currently requires libtpms 0.6. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
440 lines
12 KiB
Bash
Executable File
440 lines
12 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# For the license, see the LICENSE file in the root directory.
|
|
|
|
DIR=$(dirname "$0")
|
|
ROOT=${DIR}/..
|
|
SWTPM=swtpm
|
|
SWTPM_EXE=$ROOT/src/swtpm/$SWTPM
|
|
TPMDIR=`mktemp -d`
|
|
PID_FILE=$TPMDIR/${SWTPM}.pid
|
|
SOCK_PATH=$TPMDIR/sock
|
|
CMD_PATH=$TPMDIR/cmd
|
|
RESP_PATH=$TPMDIR/resp
|
|
|
|
trap "cleanup" SIGTERM EXIT
|
|
|
|
function cleanup()
|
|
{
|
|
rm -rf $TPMDIR
|
|
if [ -n "$PID" ]; then
|
|
kill -SIGTERM $PID 2>/dev/null
|
|
fi
|
|
}
|
|
|
|
# Test 1: test the control channel on the chardev tpm
|
|
|
|
# use a pseudo terminal
|
|
exec 100<>/dev/ptmx
|
|
$SWTPM_EXE chardev --fd 100 --tpmstate dir=$TPMDIR --pid file=$PID_FILE --ctrl type=unixio,path=$SOCK_PATH &
|
|
sleep 0.5
|
|
|
|
if [ ! -r $PID_FILE ]; then
|
|
echo "Error: Chardev TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
|
|
# Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01
|
|
echo -en '\x00\x00\x00\x01' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CLIENT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00 00 00 04 77"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Unexpected response from CMD_GET_CAPABILITY:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
# Send TPM_Init to the TPM: CMD_INIT = 0x00 00 00 02 + flags
|
|
echo -en '\x00\x00\x00\x02\x00\x00\x00\x00' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Unexpected response from CMD_INIT:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
# Send unknown command to the TPM
|
|
echo -en '\x00\x00\xff\xff' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 0a"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Unexpected response from sending unsupported command:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
# Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a
|
|
/bin/echo -en '\x00\x00\x00\x0a' >$CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CLIENT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Unexpected response from CMD_STORE_VOLATILE:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r $TPMDIR/tpm-00.volatilestate ]; then
|
|
echo "Error: Socket TPM: Did not write volatile state file"
|
|
exit 1
|
|
fi
|
|
|
|
# Send stop command to the TPM: CMD_STOP = 00 00 00 0d
|
|
echo -en '\x00\x00\x00\x0d' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from CMD_STOP:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
|
|
# Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0e
|
|
echo -en '\x00\x00\x00\x0e' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from CMD_GET_CONFIG:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
|
|
# Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
|
|
echo -en '\x00\x00\x00\x03' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Unexpected response from CMD_SHUTDOWN:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
sleep 0.2
|
|
kill -0 $PID 2>/dev/null
|
|
if [ $? -eq 0 ]; then
|
|
echo "Error: TPM should not be running anymore."
|
|
exit 1
|
|
fi
|
|
|
|
if [ -f $PID_FILE ]; then
|
|
echo "Error: TPM should have removed the PID file."
|
|
exit 1
|
|
fi
|
|
|
|
echo "OK"
|
|
|
|
|
|
# Test 2: test the control channel on the socket tpm
|
|
|
|
# There are a few more tests here that require sending commands to the TPM
|
|
|
|
# use a pseudo terminal
|
|
$SWTPM_EXE socket --server port=65530,disconnect=true --tpmstate dir=$TPMDIR --pid file=$PID_FILE --ctrl type=unixio,path=$SOCK_PATH &
|
|
sleep 0.5
|
|
|
|
if [ ! -r $PID_FILE ]; then
|
|
echo "Error: Socket TPM did not write pidfile."
|
|
exit 1
|
|
fi
|
|
|
|
PID="$(cat $PID_FILE)"
|
|
|
|
exec 100<>/dev/tcp/localhost/65530
|
|
|
|
# Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01
|
|
echo -en '\x00\x00\x00\x01' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CLIENT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00 00 00 04 77"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from CMD_GET_CAPABILITY:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
# Send TPM_Init to the TPM: CMD_INIT = 0x00 00 00 02 + flags
|
|
echo -en '\x00\x00\x00\x02\x00\x00\x00\x00' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from CMD_INIT:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
# Send unknown command to the TPM
|
|
echo -en '\x00\x00\xff\xff' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 0a"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from sending unsupported command:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
|
|
# Startup the TPM
|
|
/bin/echo -en '\x00\xC1\x00\x00\x00\x0C\x00\x00\x00\x99\x00\x01' >&100
|
|
RES=$(cat <&100 | od -t x1 -A n)
|
|
exp=' 00 c4 00 00 00 0a 00 00 00 00'
|
|
if [ "$RES" != "$exp" ]; then
|
|
echo "Error: Did not get expected result from TPM_Startup(ST_Clear)"
|
|
echo "expected: $exp"
|
|
echo "received: $RES"
|
|
exit 1
|
|
fi
|
|
|
|
# Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a
|
|
/bin/echo -en '\x00\x00\x00\x0a' >$CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CLIENT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from CMD_STORE_VOLATILE:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
if [ ! -r $TPMDIR/tpm-00.volatilestate ]; then
|
|
echo "Error: Socket TPM: Did not write volatile state file"
|
|
exit 1
|
|
fi
|
|
|
|
# 1. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
|
|
echo -en '\x00\x00\x00\x04' > $CMD_PATH
|
|
cat $RESP_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from sending CMD_GET_TPMESTABLISHED command:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
# 2. Send command to start HASH : CMD_HASH_START = 00 00 00 06
|
|
echo -en '\x00\x00\x00\x06' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from sending CMD_HASH_START command:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
# 2.1. Send command to hash data : CMD_HASH_DATA = 00 00 00 07 uint32(length) data
|
|
# We send 0x100 null bytes
|
|
echo -en '\x00\x00\x00\x07\x00\x00\x20\x00' > $CMD_PATH
|
|
dd if=/dev/zero count=$((0x2000)) bs=1 >> $CMD_PATH 2>/dev/null
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from sending CMD_HASH_DATA command:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
# 3. Send command to end HASH : CMD_HASH_END = 00 00 00 08
|
|
echo -en '\x00\x00\x00\x08' > $CMD_PATH
|
|
cat $RESP_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from sending CMD_HASH_END command:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
# 4. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
|
|
echo -en '\x00\x00\x00\x04' > $CMD_PATH
|
|
cat $RESP_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00 01 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from sending CMD_GET_TPMESTABLISHED command:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
# 5. Send command to reset TPM established flag: CMD_RESET_TPMESTABLISHED = 00 00 00 0b 03
|
|
#echo -en '\x00\x00\x00\x0b\x03' > $CMD_PATH
|
|
#cat $RESP_PATH
|
|
#socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
# sed -n '/^ /p' | \
|
|
# tail -n1 > $RESP_PATH
|
|
#res="$(cat $RESP_PATH)"
|
|
#exp=" 00 00 00 00"
|
|
#if [ "$res" != "$exp" ]; then
|
|
# echo "Error: Socket TPM: Unexpected response from sending CMD_GET_TPMESTABLISHED command:"
|
|
# echo " actual : $res"
|
|
# echo " expected: $exp"
|
|
# exit 1
|
|
#fi
|
|
|
|
# 6. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
|
|
#echo -en '\x00\x00\x00\x04' > $CMD_PATH
|
|
#cat $RESP_PATH
|
|
#socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
# sed -n '/^ /p' | \
|
|
# tail -n1 > $RESP_PATH
|
|
#res="$(cat $RESP_PATH)"
|
|
#exp=" 00 00 00 00 00 00 00 00"
|
|
#if [ "$res" != "$exp" ]; then
|
|
# echo "Error: Socket TPM: Unexpected response from sending CMD_GET_TPMESTABLISHED command:"
|
|
# echo " actual : $res"
|
|
# echo " expected: $exp"
|
|
# exit 1
|
|
#fi
|
|
|
|
# Read PCR 17
|
|
exec 100<>/dev/tcp/localhost/65530
|
|
echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x11' >&100
|
|
RES=$(cat <&100 | od -t x1 -A n | tr -d "\n")
|
|
exp=' 00 c4 00 00 00 1e 00 00 00 00 c4 e1 e1 c9 81 c0 cd b1 e0 43 df 97 20 72 f9 5d a9 ff 06 ff'
|
|
if [ "$RES" != "$exp" ]; then
|
|
echo "Error: (1) Did not get expected result from TPM_PCRRead(17)"
|
|
echo "expected: $exp"
|
|
echo "received: $RES"
|
|
exit 1
|
|
fi
|
|
|
|
|
|
|
|
# Send stop command to the TPM: CMD_STOP = 00 00 00 0d
|
|
echo -en '\x00\x00\x00\x0d' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from CMD_STOP:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
# Read PCR 17 -- should fail now
|
|
exec 100<>/dev/tcp/localhost/65530
|
|
echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x11' >&100
|
|
RES=$(cat <&100 | od -t x1 -A n | tr -d "\n")
|
|
exp=' 00 c4 00 00 00 0a 00 00 00 09'
|
|
if [ "$RES" != "$exp" ]; then
|
|
echo "Error: (1) Did not get expected result from TPM_PCRRead(17)"
|
|
echo "expected: $exp"
|
|
echo "received: $RES"
|
|
exit 1
|
|
fi
|
|
|
|
|
|
# Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0e
|
|
echo -en '\x00\x00\x00\x0e' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from CMD_GET_CONFIG:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
|
|
# Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
|
|
echo -en '\x00\x00\x00\x03' > $CMD_PATH
|
|
socat -x -t10 FILE:$CMD_PATH,rdonly UNIX-CONNECT:$SOCK_PATH 2>&1 | \
|
|
sed -n '/^ /p' | \
|
|
tail -n1 > $RESP_PATH
|
|
res="$(cat $RESP_PATH)"
|
|
exp=" 00 00 00 00"
|
|
if [ "$res" != "$exp" ]; then
|
|
echo "Error: Socket TPM: Unexpected response from CMD_SHUTDOWN:"
|
|
echo " actual : $res"
|
|
echo " expected: $exp"
|
|
exit 1
|
|
fi
|
|
|
|
sleep 0.2
|
|
kill -0 $PID 2>/dev/null
|
|
if [ $? -eq 0 ]; then
|
|
echo "Error: Socket TPM should not be running anymore."
|
|
exit 1
|
|
fi
|
|
|
|
if [ -f $PID_FILE ]; then
|
|
echo "Error: Socket TPM should have removed the PID file."
|
|
exit 1
|
|
fi
|
|
|
|
echo "OK"
|
|
|
|
exit 0
|