test: Add DA lockout handling to TEST-70-TPM2
Since this test intentionally provides an incorrect PIN, the DA lockout counter is incremented; the test needs to reset it so there is no DA lockout.
This commit is contained in:
parent
538f9bafc5
commit
9071d6b1a3
|
@ -11,7 +11,7 @@ TEST_REQUIRE_INSTALL_TESTS=0
|
||||||
# shellcheck source=test/test-functions
|
# shellcheck source=test/test-functions
|
||||||
. "${TEST_BASE_DIR:?}/test-functions"
|
. "${TEST_BASE_DIR:?}/test-functions"
|
||||||
|
|
||||||
test_require_bin swtpm tpm2_pcrextend
|
test_require_bin swtpm tpm2_pcrextend tpm2_dictionarylockout
|
||||||
|
|
||||||
test_append_files() {
|
test_append_files() {
|
||||||
local workspace="${1:?}"
|
local workspace="${1:?}"
|
||||||
|
@ -19,6 +19,7 @@ test_append_files() {
|
||||||
instmods tpm tpm_tis tpm_ibmvtpm
|
instmods tpm tpm_tis tpm_ibmvtpm
|
||||||
install_dmevent
|
install_dmevent
|
||||||
generate_module_dependencies
|
generate_module_dependencies
|
||||||
|
inst_binary tpm2_dictionarylockout
|
||||||
inst_binary tpm2_pcrextend
|
inst_binary tpm2_pcrextend
|
||||||
inst_binary tpm2_pcrread
|
inst_binary tpm2_pcrread
|
||||||
inst_binary openssl
|
inst_binary openssl
|
||||||
|
|
|
@ -22,6 +22,21 @@ tpm_has_pcr() {
|
||||||
[[ -f "/sys/class/tpm/tpm0/pcr-$algorithm/$pcr" ]]
|
[[ -f "/sys/class/tpm/tpm0/pcr-$algorithm/$pcr" ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
tpm_check_failure_with_wrong_pin() {
|
||||||
|
local testimg="${1:?}"
|
||||||
|
local badpin="${2:?}"
|
||||||
|
local goodpin="${3:?}"
|
||||||
|
|
||||||
|
# We need to be careful not to trigger DA lockout; allow 2 failures
|
||||||
|
tpm2_dictionarylockout -s -n 2
|
||||||
|
(! PIN=$badpin "$SD_CRYPTSETUP" attach test-volume "$testimg" - tpm2-device=auto,headless=1)
|
||||||
|
# Verify the correct PIN works, to be sure the failure wasn't a DA lockout
|
||||||
|
PIN=$goodpin "$SD_CRYPTSETUP" attach test-volume "$testimg" - tpm2-device=auto,headless=1
|
||||||
|
"$SD_CRYPTSETUP" detach test-volume
|
||||||
|
# Clear/reset the DA lockout counter
|
||||||
|
tpm2_dictionarylockout -c
|
||||||
|
}
|
||||||
|
|
||||||
# Prepare a fresh disk image
|
# Prepare a fresh disk image
|
||||||
img="/tmp/test.img"
|
img="/tmp/test.img"
|
||||||
truncate -s 20M "$img"
|
truncate -s 20M "$img"
|
||||||
|
@ -46,8 +61,10 @@ PASSWORD=passphrase NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-
|
||||||
PIN=123456 "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1
|
PIN=123456 "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1
|
||||||
"$SD_CRYPTSETUP" detach test-volume
|
"$SD_CRYPTSETUP" detach test-volume
|
||||||
|
|
||||||
# Check failure with wrong PIN
|
# Check failure with wrong PIN; try a few times to make sure we avoid DA lockout
|
||||||
(! PIN=123457 "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1)
|
for _ in {0..3}; do
|
||||||
|
tpm_check_failure_with_wrong_pin "$img" 123457 123456
|
||||||
|
done
|
||||||
|
|
||||||
# Check LUKS2 token plugin unlock (i.e. without specifying tpm2-device=auto)
|
# Check LUKS2 token plugin unlock (i.e. without specifying tpm2-device=auto)
|
||||||
if cryptsetup_has_token_plugin_support; then
|
if cryptsetup_has_token_plugin_support; then
|
||||||
|
@ -55,7 +72,9 @@ if cryptsetup_has_token_plugin_support; then
|
||||||
"$SD_CRYPTSETUP" detach test-volume
|
"$SD_CRYPTSETUP" detach test-volume
|
||||||
|
|
||||||
# Check failure with wrong PIN
|
# Check failure with wrong PIN
|
||||||
(! PIN=123457 "$SD_CRYPTSETUP" attach test-volume "$img" - headless=1)
|
for _ in {0..3}; do
|
||||||
|
tpm_check_failure_with_wrong_pin "$img" 123457 123456
|
||||||
|
done
|
||||||
else
|
else
|
||||||
echo 'cryptsetup has no LUKS2 token plugin support, skipping'
|
echo 'cryptsetup has no LUKS2 token plugin support, skipping'
|
||||||
fi
|
fi
|
||||||
|
|
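Review bot: The helper added in the hunk at @ -22,6 hard-codes `tpm2-device=auto,headless=1` on both of its attach calls, so the second loop in the hunk at @ -55,7 no longer exercises the LUKS2 token-plugin path: the line it replaces attached with only `headless=1`, and after this change wrong-PIN rejection through the token plugin is untested. An optional fourth parameter keeps the current default for the first loop and restores the old coverage for the second: `local opts="${4:-tpm2-device=auto,headless=1}"`, with both attach invocations passing `"$opts"` in place of the literal, and the token-plugin loop calling `tpm_check_failure_with_wrong_pin "$img" 123457 123456 headless=1`. Separately, `tpm2_dictionarylockout -c` only runs when every preceding command in the helper succeeds; if the script runs under `set -e` (not visible in these hunks), an unexpected good-PIN failure aborts before the clear and leaves the counter incremented, so either a trap-based cleanup or a comment such as `# NOTE: if the good-PIN attach fails the counter is not cleared; the swtpm state is discarded with the test` would make that leftover state explicit. The max-tries value set with `-s -n 2` is likewise never restored, which is presumably fine for a throwaway swtpm but deserves a one-line comment saying so.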