Proxmox-Port/swtpm
1
0
Fork 0
mirror of https://github.com/stefanberger/swtpm.git synced 2026-02-05 05:59:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
ec54294d51
swtpm/tests/test_parameters
Stefan Berger 27bf9db67e swtpm: Use tag-length-value blocks to store data in v2 format 
Prepend tag-length-value (tlv) headers in front of all data being stored in
the byte stream following the header. This lets us uniquely identify plain
data (= TPM state), encrypted data (= encrytped TPM state), migration data
(which is wrapped plain or encrytped TPM state), and an HMAC block to
validate the plain data.

We keep support for version 1 for reading the data but convert them to
version 2 when writing them out. This way we loose backwards compatibility
(downgrading of swtpm is not possible), but it allows us to extend the state
in the future by adding addition blocks with tlv headers.

Version 1 of the encryption was prepending the hash on the plaintext data
then encrypting all of it. This method is not so good. In version 2 we now
use Encrypt-then-MAC (EtM) where we encrypt the data and then calculate an
HMAC on the encrypted data.

Files written by the swtpm didn't have a header before. Now they also get a
header. This means that the state written into files and the state retrieved
using the API (swtpm_ioctl --save) have the same format, but still differ
in so far as the API wraps the data in a tlv header for migration, which the
files written out as state would never get.

Adapt a couple of test cases show file sizes and hashes have changed now.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2018-06-20 10:05:45 -04:00

119 lines
2.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# For the license, see the LICENSE file in the root directory.
DIR=$(dirname "$0")
ROOT=${DIR}/..
PARAMETERS=(
""
"--createek"
"--take-ownership"
"--createek --lock-nvram"
"--take-ownership --lock-nvram"
"--lock-nvram"
"--take-ownership --ownerpass OOO"
"--take-ownership --srkpass SSS"
"--take-ownership --ownerpass OO --srkpass SS"
"--take-ownership --lock-nvram --display"
"--display"
"--lock-nvram --display"
"--take-ownership --srk-well-known"
"--take-ownership --owner-well-known"
"--take-ownership --srk-well-known --owner-well-known"
"--createek --create-ek-cert --create-platform-cert --lock-nvram --config ${DIR}/swtpm_setup.conf --vmid test --display"
"--createek --create-ek-cert --create-platform-cert --lock-nvram --config ${DIR}/swtpm_setup.conf --vmid test --display --keyfile ${DIR}/data/keyfile.txt"
"--createek --create-ek-cert --create-platform-cert --lock-nvram --config ${DIR}/swtpm_setup.conf --vmid test --display --pwdfile ${DIR}/data/pwdfile.txt"
)
FILESIZES=(
1185
1605
2066
1605
2066
1185
2066
2066
2066
2066
1185
1185
2066
2066
2066
1721
1766
1766
)
if [ "$(id -u)" -ne 0 ]; then
echo "Need to be root to run this test."
exit 77
fi
SWTPM=swtpm
SWTPM_EXE=${SWTPM_EXE:-$ROOT/src/swtpm/$SWTPM}
SWTPM_IOCTL=${SWTPM_IOCTL:-$ROOT/src/swtpm_ioctl/swtpm_ioctl}
TCSD=`type -P tcsd`
TPMDIR=`mktemp -d`
SWTPM_SETUP_CONF=$ROOT/etc/swtpm_setup.conf
# filesystem privileges require to run swtpm_setup as root during test
TPMAUTHORING="$ROOT/src/swtpm_setup/swtpm_setup --config ${SWTPM_SETUP_CONF} --runas root"
PATH=${PWD}/${ROOT}/src/swtpm_bios:$PATH
PATH=${PWD}/${ROOT}/src/swtpm_setup:$PATH
source ${DIR}/test_config
trap "cleanup" SIGTERM EXIT
if test "$TCSD" = ""; then
echo "TCSD executable 'tcsd' was not found in path."
exit 1
fi
function cleanup()
{
rm -rf $TPMDIR
}
chown $TSS_USER:$TSS_GROUP $TPMDIR 2>/dev/null
if [ $? -ne 0 ]; then
echo "Could not change ownership of $TPMDIR to $TSS_USER:$TSS_GROUP." \
"You need to be root."
exit 1
fi
# swtpm_setup.conf points to the local create_certs.sh
# For create_certs.sh to be found (with out full path)
# add this directory to the PATH
PATH=$PATH:$PWD
for (( i=0; i<${#PARAMETERS[*]}; i++)); do
rm -rf $TPMDIR/*
echo -n "Test $i: "
$TPMAUTHORING \
--tpm-state $TPMDIR \
--tpm "$SWTPM_EXE socket" \
--swtpm_ioctl "$SWTPM_IOCTL" \
${PARAMETERS[$i]} 2>&1 >/dev/null
if [ $? -ne 0 ]; then
echo "ERROR: Test with parameters '${PARAMETERS[$i]}' failed."
exit 1
elif [ ! -f $TPMDIR/tpm-00.permall ]; then
echo "ERROR: Test with parameters '${PARAMETERS[$i]}' did not
produce file $TPMDIR/tpm-00.permall."
exit 1
fi
FILESIZE=`stat -c%s $TPMDIR/tpm-00.permall`
if [ ${FILESIZE} -ne ${FILESIZES[$i]} ]; then
echo "ERROR: Unexpected file size of $FILESIZE, "\
"expected ${FILESIZES[$i]}. Parameters: ${PARAMETERS[$i]}"
exit 1
fi
echo "SUCCESS with parameters '${PARAMETERS[$i]}'."
done
Reference in New Issue View Git Blame Copy Permalink