[swtpm.git] / tests / _test_tpm2_file_permissions

#!/bin/bash

# For the license, see the LICENSE file in the root directory.
#set -x

ROOT=${abs_top_builddir:-$(pwd)/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

VTPM_NAME="vtpm-test-file-permissions"
SWTPM_DEV_NAME="/dev/${VTPM_NAME}"
export TPM_PATH="$(mktemp -d)" || exit 1
STATE_FILE=${TPM_PATH}/tpm2-00.permall
VOLATILE_STATE_FILE=${TPM_PATH}/tpm2-00.volatilestate
PIDFILE=${TPM_PATH}/swtpm.pid
LOGFILE=${TPM_PATH}/swtpm.log
PWDFILE=${TPM_PATH}/pwdfile.txt
SWTPM_INTERFACE=${SWTPM_INTERFACE:-cuse}
SWTPM_SETUP_CONF=${TPM_PATH}/swtpm_setup.conf

function cleanup()
{
	if [ -n "${SWTPM_PID}" ]; then
		kill_quiet -9 "${SWTPM_PID}"
	fi
	rm -rf "${TPM_PATH}"
}

trap "cleanup" EXIT

[ "${SWTPM_INTERFACE}" == cuse ] && source ${TESTDIR}/test_cuse
source ${TESTDIR}/common

cat <<_EOF_ > "${SWTPM_SETUP_CONF}"
create_certs_tool=unused
create_certs_tool_config=/dev/null
create_certs_tool_options=/dev/null
_EOF_

# We need to copy swtpm and libswtpm_libtpms.so to the workdir
# so that swtpm_setup can access it as TESTUSER
if [ -z "$(file "${SWTPM_EXE}" | grep ELF)" ]; then
	directory="$(dirname "${SWTPM_EXE}")/.libs"
	if [ -d "${directory}" ]; then
		cp "${directory}/swtpm" "${TPM_PATH}"
		cp "${directory}"/libswtpm_libtpms.so* "${TPM_PATH}"
	else
		echo "Could not find .libs directory to copy swtpm from."
		exit 77
	fi
	MY_SWTPM_EXE="${TPM_PATH}/swtpm"
	SWTPM_LD_LIBRARY_PATH="${TPM_PATH}"
else
	MY_SWTPM_EXE="${SWTPM_EXE}"
	SWTPM_LD_LIBRARY_PATH=""
fi

# Mininum permissions on directory
chmod 0700 "${TPM_PATH}"
chown "${TESTUSER}:${TESTGROUP}" "${TPM_PATH}"
# empty pid file that swtpm must be able to overwrite
touch "${PIDFILE}"
# A logfile that swtpm must be able to write to
echo "TestTest" > "${LOGFILE}"
# minimum permission on state files, pidfile, password file, and logfile
cp "${TESTDIR}"/data/tpm2state2/* "${TPM_PATH}"
chmod 0600 "${TPM_PATH}"/tpm2-00* "${PIDFILE}" "${PWDFILE}" "${LOGFILE}" "${SWTPM_SETUP_CONF}"
chown "${TESTUSER}:${TESTGROUP}" "${TPM_PATH}"/*

# Test-execute the swtpm program as $TESTUSER
tmp=$(su -m "${TESTUSER}" -c "LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" "${MY_SWTPM_EXE}" --help 2>&1")
if [ $? -ne 0 ]; then
	echo "Could not run '${MY_SWTPM_EXE}' as ${TESTUSER}. Skipping swtpm_setup tests."
	echo "Error: ${tmp}"
	exit 77
fi


logsize=$(get_filesize "${LOGFILE}")

run_swtpm ${SWTPM_INTERFACE} \
	--pid "file=${PIDFILE}" \
	--log "file=${LOGFILE},level=20" \
	--runas "${TESTUSER}" \
	--tpm2 \
	--key "pwdfile=${PWDFILE},kdf=sha512"

kill -0 ${SWTPM_PID}
if [ $? -ne 0 ]; then
	echo "Error: ${SWTPM_INTERFACE} TPM did not start."
	exit 1
fi

# Init the TPM
run_swtpm_ioctl ${SWTPM_INTERFACE} -i
if [ $? -ne 0 ]; then
	echo "Error: Could not initialize the ${SWTPM_INTERFACE} TPM."
	exit 1
fi

# Volatile state file must be gone now
if [ -f "${VOLATILE_STATE_FILE}" ]; then
	echo "Error: Volatile state file has not been removed."
	exit 1
fi

# There should be a log file now owned by the ${TESTUSER}
# Since the CUSE TPM must be started as root root ownership is allowed for log and pid file
if [ "${SWTPM_INTERFACE}" != "cuse" ]; then
	fileowner="$(get_fileowner_names ${LOGFILE})"
	if [ "${fileowner}" != "${TESTUSER} ${TESTGROUP}" ]; then
		echo "File ownership for logfile is wrong."
		echo "Expected: ${TESTUSER} ${TESTGROUP}"
		echo "Actual  : ${fileowner}"
	fi

	fileowner="$(get_fileowner_names ${PIDFILE})"
	if [ "${fileowner}" != "${TESTUSER} ${TESTGROUP}" ]; then
		echo "File ownership for pidfile is wrong."
		echo "Expected: ${TESTUSER} ${TESTGROUP}"
		echo "Actual  : ${fileowner}"
	fi
fi

# The log file must have grown
if [ -z "$(grep "TestTest" ${LOGFILE})" ]; then
	echo "Error: First line 'TestTest' missing in logfile."
	exit 1
fi
if [ $(get_filesize ${LOGFILE}) -le ${logsize} ]; then
	echo "Error: Log file did not grow!"
	exit 1
fi

# The PID file must contain the PID
if [ "$(cat "${PIDFILE}")" != "${SWTPM_PID}" ]; then
	echo "Error: PID file does not have the PID!"
	echo "Expected: ${SWTPM_PID}"
	echo "Actual  : $(cat "${PIDFILE}")"
	exit 1
fi

# Read PCR 10 (from pcrextend -ha 10 -ic test)
RES=$(swtpm_cmd_tx ${SWTPM_INTERFACE} '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x04\x00')
exp=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 16 00 00 00 01 00 0b 03 00 04 00 00 00 00 01 00 20 f6 85 98 e5 86 8d e6 8b 97 29 99 60 f2 71 7d 17 67 89 a4 2f 9a ae a8 c7 b7 aa 79 a8 62 56 c1 de'
if [ "$RES" != "$exp" ]; then
	echo "Error: (1) Did not get expected result from TPM_PCRRead(10)"
	echo "expected: $exp"
	echo "received: $RES"
	exit 1
fi

run_swtpm_ioctl ${SWTPM_INTERFACE} -s
if [ $? -ne 0 ]; then
	echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
	exit 1
fi

if wait_process_gone ${SWTPM_PID} 4; then
	echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore."
	exit 1
fi

if [ -f "${PIDFILE}" ]; then
	echo "Error: PID file should have been removed."
	ls -l ${TPM_PATH}
	exit 1
fi

echo "Test 1: OK"

logsize=$(get_filesize "${LOGFILE}")
statefilehash=$(get_sha1_file "${STATE_FILE}")

LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \
	--tpm2 \
	--tpmstate "${TPM_PATH}" \
	--logfile "${LOGFILE}" \
	--runas "${TESTUSER}" \
	--config "${SWTPM_SETUP_CONF}" \
	--tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}"

if [ $? -eq 0 ]; then
	echo "Error: ${SWTPM_SETUP} should have refused to overwrite existing state."
	exit 1
fi

LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \
	--tpm2 \
	--tpmstate "${TPM_PATH}" \
	--overwrite \
	--logfile "${LOGFILE}" \
	--runas "${TESTUSER}" \
	--config "${SWTPM_SETUP_CONF}" \
	--tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}"

if [ $? -ne 0 ]; then
	echo "Error: ${SWTPM_SETUP} could not overwrite existing state. (1)"
	cat "${LOGFILE}"
	exit 1
fi
if [ ! -f "${STATE_FILE}" ]; then
	echo "Error: TPM 2 state file doesn't exist."
	exit 1
fi
if [ "$(get_sha1_file "${STATE_FILE}")" = "${statefilehash}" ]; then
	echo "Error: State file was not changed."
	exit 1
fi
if [ -z "$(grep "TestTest" ${LOGFILE})" ]; then
	echo "Error: First line 'TestTest' missing in logfile."
	exit 1
fi
if [ $(get_filesize "${LOGFILE}") -le ${logsize} ]; then
	echo "Error: ${SWTPM_SETUP} did not append to existing log."
	exit 1
fi

echo "Test 2: OK"

# Make sure it can access the pwdfile also
statefilehash=$(get_sha1_file "${STATE_FILE}")
logsize=$(get_filesize "${LOGFILE}")

LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \
	--tpmstate "${TPM_PATH}" \
	--overwrite \
	--tpm2 \
	--logfile "${LOGFILE}" \
	--runas "${TESTUSER}" \
	--config "${SWTPM_SETUP_CONF}" \
	--tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
	--pwdfile "${PWDFILE}"

if [ $? -ne 0 ]; then
	echo "Error: ${SWTPM_SETUP} could not overwrite existing state."
	exit 1
fi
if [ ! -f "${STATE_FILE}" ]; then
	echo "Error: TPM 2 state file '${STATE_FILE}' doesn't exist."
	exit 1
fi
if [ "$(get_sha1_file "${STATE_FILE}")" = "${statefilehash}" ]; then
	echo "Error: State file was not changed."
	exit 1
fi
if [ $(get_filesize "${LOGFILE}") -le ${logsize} ]; then
	echo "Error: ${SWTPM_SETUP} did not append to existing log."
	exit 1
fi

echo "Test 3: OK"

exit 0
Commit	Line	Data
30510820 SB	1	#!/bin/bash
	2
	3	# For the license, see the LICENSE file in the root directory.
	4	#set -x
	5
	6	ROOT=${abs_top_builddir:-$(pwd)/..}
	7	TESTDIR=${abs_top_testdir:-$(dirname "$0")}
	8
	9	VTPM_NAME="vtpm-test-file-permissions"
	10	SWTPM_DEV_NAME="/dev/${VTPM_NAME}"
cce7503c	11	export TPM_PATH="$(mktemp -d)" \|\| exit 1
30510820 SB	12	STATE_FILE=${TPM_PATH}/tpm2-00.permall
	13	VOLATILE_STATE_FILE=${TPM_PATH}/tpm2-00.volatilestate
	14	PIDFILE=${TPM_PATH}/swtpm.pid
	15	LOGFILE=${TPM_PATH}/swtpm.log
	16	PWDFILE=${TPM_PATH}/pwdfile.txt
	17	SWTPM_INTERFACE=${SWTPM_INTERFACE:-cuse}
	18	SWTPM_SETUP_CONF=${TPM_PATH}/swtpm_setup.conf
	19
	20	function cleanup()
	21	{
	22	if [ -n "${SWTPM_PID}" ]; then
	23	kill_quiet -9 "${SWTPM_PID}"
	24	fi
	25	rm -rf "${TPM_PATH}"
	26	}
	27
	28	trap "cleanup" EXIT
	29
	30	[ "${SWTPM_INTERFACE}" == cuse ] && source ${TESTDIR}/test_cuse
	31	source ${TESTDIR}/common
	32
	33	cat <<_EOF_ > "${SWTPM_SETUP_CONF}"
	34	create_certs_tool=unused
	35	create_certs_tool_config=/dev/null
	36	create_certs_tool_options=/dev/null
	37	_EOF_
	38
	39	# We need to copy swtpm and libswtpm_libtpms.so to the workdir
	40	# so that swtpm_setup can access it as TESTUSER
	41	if [ -z "$(file "${SWTPM_EXE}" \| grep ELF)" ]; then
	42	directory="$(dirname "${SWTPM_EXE}")/.libs"
	43	if [ -d "${directory}" ]; then
	44	cp "${directory}/swtpm" "${TPM_PATH}"
94aae1bb	45	cp "${directory}"/libswtpm_libtpms.so* "${TPM_PATH}"
30510820 SB	46	else
	47	echo "Could not find .libs directory to copy swtpm from."
	48	exit 77
	49	fi
	50	MY_SWTPM_EXE="${TPM_PATH}/swtpm"
	51	SWTPM_LD_LIBRARY_PATH="${TPM_PATH}"
	52	else
	53	MY_SWTPM_EXE="${SWTPM_EXE}"
	54	SWTPM_LD_LIBRARY_PATH=""
	55	fi
	56
	57	# Mininum permissions on directory
	58	chmod 0700 "${TPM_PATH}"
	59	chown "${TESTUSER}:${TESTGROUP}" "${TPM_PATH}"
	60	# empty pid file that swtpm must be able to overwrite
	61	touch "${PIDFILE}"
	62	# A logfile that swtpm must be able to write to
	63	echo "TestTest" > "${LOGFILE}"
	64	# minimum permission on state files, pidfile, password file, and logfile
	65	cp "${TESTDIR}"/data/tpm2state2/* "${TPM_PATH}"
	66	chmod 0600 "${TPM_PATH}"/tpm2-00* "${PIDFILE}" "${PWDFILE}" "${LOGFILE}" "${SWTPM_SETUP_CONF}"
	67	chown "${TESTUSER}:${TESTGROUP}" "${TPM_PATH}"/*
	68
	69	# Test-execute the swtpm program as $TESTUSER
94aae1bb	70	tmp=$(su -m "${TESTUSER}" -c "LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" "${MY_SWTPM_EXE}" --help 2>&1")
30510820 SB	71	if [ $? -ne 0 ]; then
	72	echo "Could not run '${MY_SWTPM_EXE}' as ${TESTUSER}. Skipping swtpm_setup tests."
	73	echo "Error: ${tmp}"
	74	exit 77
	75	fi
	76
	77
	78	logsize=$(get_filesize "${LOGFILE}")
	79
	80	run_swtpm ${SWTPM_INTERFACE} \
	81	--pid "file=${PIDFILE}" \
	82	--log "file=${LOGFILE},level=20" \
	83	--runas "${TESTUSER}" \
	84	--tpm2 \
	85	--key "pwdfile=${PWDFILE},kdf=sha512"
	86
	87	kill -0 ${SWTPM_PID}
	88	if [ $? -ne 0 ]; then
	89	echo "Error: ${SWTPM_INTERFACE} TPM did not start."
	90	exit 1
	91	fi
	92
	93	# Init the TPM
	94	run_swtpm_ioctl ${SWTPM_INTERFACE} -i
	95	if [ $? -ne 0 ]; then
	96	echo "Error: Could not initialize the ${SWTPM_INTERFACE} TPM."
	97	exit 1
	98	fi
	99
	100	# Volatile state file must be gone now
	101	if [ -f "${VOLATILE_STATE_FILE}" ]; then
	102	echo "Error: Volatile state file has not been removed."
	103	exit 1
	104	fi
	105
	106	# There should be a log file now owned by the ${TESTUSER}
	107	# Since the CUSE TPM must be started as root root ownership is allowed for log and pid file
	108	if [ "${SWTPM_INTERFACE}" != "cuse" ]; then
	109	fileowner="$(get_fileowner_names ${LOGFILE})"
	110	if [ "${fileowner}" != "${TESTUSER} ${TESTGROUP}" ]; then
	111	echo "File ownership for logfile is wrong."
	112	echo "Expected: ${TESTUSER} ${TESTGROUP}"
	113	echo "Actual : ${fileowner}"
	114	fi
	115
	116	fileowner="$(get_fileowner_names ${PIDFILE})"
	117	if [ "${fileowner}" != "${TESTUSER} ${TESTGROUP}" ]; then
	118	echo "File ownership for pidfile is wrong."
	119	echo "Expected: ${TESTUSER} ${TESTGROUP}"
	120	echo "Actual : ${fileowner}"
	121	fi
	122	fi
	123
	124	# The log file must have grown
	125	if [ -z "$(grep "TestTest" ${LOGFILE})" ]; then
	126	echo "Error: First line 'TestTest' missing in logfile."
	127	exit 1
	128	fi
	129	if [ $(get_filesize ${LOGFILE}) -le ${logsize} ]; then
	130	echo "Error: Log file did not grow!"
	131	exit 1
	132	fi
	133
	134	# The PID file must contain the PID
135	if [ "$(cat "${PIDFILE}")" != "${SWTPM_PID}" ]; then
136	echo "Error: PID file does not have the PID!"
137	echo "Expected: ${SWTPM_PID}"
138	echo "Actual : $(cat "${PIDFILE}")"
139	exit 1
140	fi
141
30510820 SB	142	# Read PCR 10 (from pcrextend -ha 10 -ic test)
	143	RES=$(swtpm_cmd_tx ${SWTPM_INTERFACE} '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x04\x00')
	144	exp=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 16 00 00 00 01 00 0b 03 00 04 00 00 00 00 01 00 20 f6 85 98 e5 86 8d e6 8b 97 29 99 60 f2 71 7d 17 67 89 a4 2f 9a ae a8 c7 b7 aa 79 a8 62 56 c1 de'
	145	if [ "$RES" != "$exp" ]; then
	146	echo "Error: (1) Did not get expected result from TPM_PCRRead(10)"
	147	echo "expected: $exp"
	148	echo "received: $RES"
	149	exit 1
	150	fi
	151
	152	run_swtpm_ioctl ${SWTPM_INTERFACE} -s
	153	if [ $? -ne 0 ]; then
	154	echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
	155	exit 1
	156	fi
	157
	158	if wait_process_gone ${SWTPM_PID} 4; then
	159	echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore."
	160	exit 1
	161	fi
	162
	163	if [ -f "${PIDFILE}" ]; then
	164	echo "Error: PID file should have been removed."
	165	ls -l ${TPM_PATH}
	166	exit 1
	167	fi
	168
	169	echo "Test 1: OK"
	170
	171	logsize=$(get_filesize "${LOGFILE}")
	172	statefilehash=$(get_sha1_file "${STATE_FILE}")
	173
	174	LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \
	175	--tpm2 \
	176	--tpmstate "${TPM_PATH}" \
	177	--logfile "${LOGFILE}" \
	178	--runas "${TESTUSER}" \
	179	--config "${SWTPM_SETUP_CONF}" \
	180	--tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}"
	181
	182	if [ $? -eq 0 ]; then
	183	echo "Error: ${SWTPM_SETUP} should have refused to overwrite existing state."
	184	exit 1
	185	fi
	186
	187	LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \
	188	--tpm2 \
	189	--tpmstate "${TPM_PATH}" \
	190	--overwrite \
	191	--logfile "${LOGFILE}" \
	192	--runas "${TESTUSER}" \
	193	--config "${SWTPM_SETUP_CONF}" \
	194	--tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}"
	195
	196	if [ $? -ne 0 ]; then
	197	echo "Error: ${SWTPM_SETUP} could not overwrite existing state. (1)"
	198	cat "${LOGFILE}"
	199	exit 1
	200	fi
	201	if [ ! -f "${STATE_FILE}" ]; then
	202	echo "Error: TPM 2 state file doesn't exist."
	203	exit 1
	204	fi
	205	if [ "$(get_sha1_file "${STATE_FILE}")" = "${statefilehash}" ]; then
206	echo "Error: State file was not changed."
207	exit 1
208	fi
209	if [ -z "$(grep "TestTest" ${LOGFILE})" ]; then
210	echo "Error: First line 'TestTest' missing in logfile."
211	exit 1
212	fi
213	if [ $(get_filesize "${LOGFILE}") -le ${logsize} ]; then
214	echo "Error: ${SWTPM_SETUP} did not append to existing log."
215	exit 1
216	fi
217
218	echo "Test 2: OK"
219
220	# Make sure it can access the pwdfile also
221	statefilehash=$(get_sha1_file "${STATE_FILE}")
222	logsize=$(get_filesize "${LOGFILE}")
223
224	LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \
225	--tpmstate "${TPM_PATH}" \
226	--overwrite \
227	--tpm2 \
228	--logfile "${LOGFILE}" \
229	--runas "${TESTUSER}" \
230	--config "${SWTPM_SETUP_CONF}" \
231	--tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
232	--pwdfile "${PWDFILE}"
233
234	if [ $? -ne 0 ]; then
235	echo "Error: ${SWTPM_SETUP} could not overwrite existing state."
236	exit 1
237	fi
238	if [ ! -f "${STATE_FILE}" ]; then
239	echo "Error: TPM 2 state file '${STATE_FILE}' doesn't exist."
240	exit 1
241	fi
242	if [ "$(get_sha1_file "${STATE_FILE}")" = "${statefilehash}" ]; then
243	echo "Error: State file was not changed."
244	exit 1
245	fi
246	if [ $(get_filesize "${LOGFILE}") -le ${logsize} ]; then
247	echo "Error: ${SWTPM_SETUP} did not append to existing log."
248	exit 1
249	fi
250
251	echo "Test 3: OK"
252
253	exit 0