cryptenroll: add tests for TPM2 unlocking
Add tests for enrolling and unlocking. Various cases are tested: - Default PCR 7 policy w/o PIN, good and bad cases (wrong PCR) - PCR 7 + PIN policy, good and bad cases (wrong PCR, wrong PIN) - Non-default PCR 0+7 policy w/o PIN, good and bad cases (wrong PCR 0) v2: rename test, fix tss2 library installation, fix CI failures v3: fix ppc64, load module
parent
4005d41ef0
commit
fd8b924820
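--- a/test/TEST-70-TPM2/Makefile
+++ b/test/TEST-70-TPM2/Makefile
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+all setup run clean clean-again:
+	@TEST_BASE_DIR=../ ./test.sh --$@
+
+.PHONY: all setup run clean clean-again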
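--- a/test/TEST-70-TPM2/test.sh
+++ b/test/TEST-70-TPM2/test.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+TEST_DESCRIPTION="cryptenroll/cryptsetup with TPM2 devices"
+IMAGE_NAME="tpm2"
+TEST_NO_NSPAWN=1
+TEST_REQUIRE_INSTALL_TESTS=0
+
+# shellcheck source=test/test-functions
+. "${TEST_BASE_DIR:?}/test-functions"
+
+command -v swtpm >/dev/null 2>&1 || exit 0
+command -v tpm2_pcrextend >/dev/null 2>&1 || exit 0
+
+test_append_files() {
+    (
+        local workspace="${1:?}"
+
+        instmods tpm tpm_tis tpm_ibmvtpm
+        install_dmevent
+        generate_module_dependencies
+        inst_binary tpm2_pcrextend
+    )
+}
+
+machine="$(uname -m)"
+tpmdevice="tpm-tis"
+if [ "$machine" = "ppc64le" ]; then
+    # tpm-spapr support was introduced in qemu 5.0.0. Skip test for old qemu versions.
+    qemu_min_version "5.0.0" || exit 0
+    tpmdevice="tpm-spapr"
+fi
+
+tpmstate=$(mktemp -d)
+swtpm socket --tpm2 --tpmstate dir="$tpmstate" --ctrl type=unixio,path="$tpmstate/sock" &
+trap 'kill %%; rm -rf $tpmstate' SIGINT EXIT
+QEMU_OPTIONS="-chardev socket,id=chrtpm,path=$tpmstate/sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device $tpmdevice,tpmdev=tpm0"
+
+do_test "$@"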
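Review bot: The cleanup at `trap 'kill %%; rm -rf $tpmstate' SIGINT EXIT` is fragile: `%%` names whichever job was started most recently, so a background job started later by `do_test` or the sourced test-functions could be killed instead of swtpm, and because `set -e` is active a failing `kill` (swtpm already exited) can abort the handler before the `rm -rf` runs, leaving the directory holding the emulated TPM's state behind. Capturing the PID right after the `&` and tolerating an already-dead process avoids both: add `swtpm_pid=$!` after the swtpm line and use `trap 'kill "$swtpm_pid" 2>/dev/null || :; rm -rf -- "${tpmstate:?}"' SIGINT EXIT`. Quoting `$tpmstate` and the `:?` guard also keep an empty value from widening the `rm -rf`. The trap is installed only after swtpm is already running, so a signal arriving in between leaves the process orphaned; installing the trap before the `&` line closes that window.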
|
@ -1213,7 +1213,7 @@ install_missing_libraries() {
|
||||||
local lib path
|
local lib path
|
||||||
# A number of dependencies is now optional via dlopen, so the install
|
# A number of dependencies is now optional via dlopen, so the install
|
||||||
# script will not pick them up, since it looks at linkage.
|
# script will not pick them up, since it looks at linkage.
|
||||||
for lib in libcryptsetup libidn libidn2 pwquality libqrencode tss2-esys tss2-rc tss2-mu libfido2 libbpf libelf libdw; do
|
for lib in libcryptsetup libidn libidn2 pwquality libqrencode tss2-esys tss2-rc tss2-mu tss2-tcti-device libfido2 libbpf libelf libdw; do
|
||||||
ddebug "Searching for $lib via pkg-config"
|
ddebug "Searching for $lib via pkg-config"
|
||||||
if pkg-config --exists "$lib"; then
|
if pkg-config --exists "$lib"; then
|
||||||
path="$(pkg-config --variable=libdir "$lib")"
|
path="$(pkg-config --variable=libdir "$lib")"
|
||||||
|
|
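--- a/test/units/testsuite-70.service
+++ b/test/units/testsuite-70.service
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=TEST-70-TPM2
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh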
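--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -ex
+
+export SYSTEMD_LOG_LEVEL=debug
+
+
+# Prepare fresh disk image
+img="/var/tmp/test.img"
+dd if=/dev/zero of=$img bs=1024k count=20 status=none
+echo -n passphrase >/tmp/passphrase
+cryptsetup luksFormat -q --use-urandom $img /tmp/passphrase
+
+# Enroll unlock with default PCR policy
+env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto $img
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
+/usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+# Check with wrong PCR
+tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
+
+# Enroll unlock with PCR+PIN policy
+systemd-cryptenroll --wipe-slot=tpm2 $img
+env PASSWORD=passphrase NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true $img
+env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
+/usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+# Check failure with wrong PIN
+env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
+
+# Check failure with wrong PCR (and correct PIN)
+tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
+env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
+
+# Enroll unlock with PCR 0+7
+systemd-cryptenroll --wipe-slot=tpm2 $img
+env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 $img
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
+/usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+# Check with wrong PCR 0
+tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000
+/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && exit 1
+
+echo OK >/testok
+
+exit 0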
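Review bot: The last negative case under `# Check with wrong PCR 0` ends with `&& exit 1`, while the three earlier negative cases use `&& { echo 'unexpected success'; exit 1; }`; the silent form leaves no diagnostic in the log for that path, so it should read `/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }`. All four negative checks only establish that attach fails, not that it fails because the PCR policy or PIN was rejected; the preceding positive attach limits the risk of an unrelated failure passing them, but asserting on the specific rejection in stderr or the journal would make the test stronger (the exact message is not visible here, so this is a suggestion rather than a defect). Since `set -ex` traces every command, the test PIN and passphrase are echoed into the log; that is acceptable for these fixed test values, and a short comment such as `# set -x prints the test credentials; never reuse this pattern with real secrets` would keep the pattern from being copied into scripts that handle real ones.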