]>
Commit | Line | Data |
---|---|---|
30510820 SB |
1 | #!/bin/bash |
2 | ||
3 | # For the license, see the LICENSE file in the root directory. | |
4 | #set -x | |
5 | ||
6 | ROOT=${abs_top_builddir:-$(pwd)/..} | |
7 | TESTDIR=${abs_top_testdir:-$(dirname "$0")} | |
8 | ||
9 | VTPM_NAME="vtpm-test-file-permissions" | |
10 | SWTPM_DEV_NAME="/dev/${VTPM_NAME}" | |
cce7503c | 11 | export TPM_PATH="$(mktemp -d)" || exit 1 |
30510820 SB |
12 | STATE_FILE=${TPM_PATH}/tpm2-00.permall |
13 | VOLATILE_STATE_FILE=${TPM_PATH}/tpm2-00.volatilestate | |
14 | PIDFILE=${TPM_PATH}/swtpm.pid | |
15 | LOGFILE=${TPM_PATH}/swtpm.log | |
16 | PWDFILE=${TPM_PATH}/pwdfile.txt | |
17 | SWTPM_INTERFACE=${SWTPM_INTERFACE:-cuse} | |
18 | SWTPM_SETUP_CONF=${TPM_PATH}/swtpm_setup.conf | |
19 | ||
20 | function cleanup() | |
21 | { | |
22 | if [ -n "${SWTPM_PID}" ]; then | |
23 | kill_quiet -9 "${SWTPM_PID}" | |
24 | fi | |
25 | rm -rf "${TPM_PATH}" | |
26 | } | |
27 | ||
28 | trap "cleanup" EXIT | |
29 | ||
30 | [ "${SWTPM_INTERFACE}" == cuse ] && source ${TESTDIR}/test_cuse | |
31 | source ${TESTDIR}/common | |
32 | ||
33 | cat <<_EOF_ > "${SWTPM_SETUP_CONF}" | |
34 | create_certs_tool=unused | |
35 | create_certs_tool_config=/dev/null | |
36 | create_certs_tool_options=/dev/null | |
37 | _EOF_ | |
38 | ||
39 | # We need to copy swtpm and libswtpm_libtpms.so to the workdir | |
40 | # so that swtpm_setup can access it as TESTUSER | |
41 | if [ -z "$(file "${SWTPM_EXE}" | grep ELF)" ]; then | |
42 | directory="$(dirname "${SWTPM_EXE}")/.libs" | |
43 | if [ -d "${directory}" ]; then | |
44 | cp "${directory}/swtpm" "${TPM_PATH}" | |
94aae1bb | 45 | cp "${directory}"/libswtpm_libtpms.so* "${TPM_PATH}" |
30510820 SB |
46 | else |
47 | echo "Could not find .libs directory to copy swtpm from." | |
48 | exit 77 | |
49 | fi | |
50 | MY_SWTPM_EXE="${TPM_PATH}/swtpm" | |
51 | SWTPM_LD_LIBRARY_PATH="${TPM_PATH}" | |
52 | else | |
53 | MY_SWTPM_EXE="${SWTPM_EXE}" | |
54 | SWTPM_LD_LIBRARY_PATH="" | |
55 | fi | |
56 | ||
57 | # Mininum permissions on directory | |
58 | chmod 0700 "${TPM_PATH}" | |
59 | chown "${TESTUSER}:${TESTGROUP}" "${TPM_PATH}" | |
60 | # empty pid file that swtpm must be able to overwrite | |
61 | touch "${PIDFILE}" | |
62 | # A logfile that swtpm must be able to write to | |
63 | echo "TestTest" > "${LOGFILE}" | |
64 | # minimum permission on state files, pidfile, password file, and logfile | |
65 | cp "${TESTDIR}"/data/tpm2state2/* "${TPM_PATH}" | |
66 | chmod 0600 "${TPM_PATH}"/tpm2-00* "${PIDFILE}" "${PWDFILE}" "${LOGFILE}" "${SWTPM_SETUP_CONF}" | |
67 | chown "${TESTUSER}:${TESTGROUP}" "${TPM_PATH}"/* | |
68 | ||
69 | # Test-execute the swtpm program as $TESTUSER | |
94aae1bb | 70 | tmp=$(su -m "${TESTUSER}" -c "LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" "${MY_SWTPM_EXE}" --help 2>&1") |
30510820 SB |
71 | if [ $? -ne 0 ]; then |
72 | echo "Could not run '${MY_SWTPM_EXE}' as ${TESTUSER}. Skipping swtpm_setup tests." | |
73 | echo "Error: ${tmp}" | |
74 | exit 77 | |
75 | fi | |
76 | ||
77 | ||
78 | logsize=$(get_filesize "${LOGFILE}") | |
79 | ||
80 | run_swtpm ${SWTPM_INTERFACE} \ | |
81 | --pid "file=${PIDFILE}" \ | |
82 | --log "file=${LOGFILE},level=20" \ | |
83 | --runas "${TESTUSER}" \ | |
84 | --tpm2 \ | |
85 | --key "pwdfile=${PWDFILE},kdf=sha512" | |
86 | ||
87 | kill -0 ${SWTPM_PID} | |
88 | if [ $? -ne 0 ]; then | |
89 | echo "Error: ${SWTPM_INTERFACE} TPM did not start." | |
90 | exit 1 | |
91 | fi | |
92 | ||
93 | # Init the TPM | |
94 | run_swtpm_ioctl ${SWTPM_INTERFACE} -i | |
95 | if [ $? -ne 0 ]; then | |
96 | echo "Error: Could not initialize the ${SWTPM_INTERFACE} TPM." | |
97 | exit 1 | |
98 | fi | |
99 | ||
100 | # Volatile state file must be gone now | |
101 | if [ -f "${VOLATILE_STATE_FILE}" ]; then | |
102 | echo "Error: Volatile state file has not been removed." | |
103 | exit 1 | |
104 | fi | |
105 | ||
106 | # There should be a log file now owned by the ${TESTUSER} | |
107 | # Since the CUSE TPM must be started as root root ownership is allowed for log and pid file | |
108 | if [ "${SWTPM_INTERFACE}" != "cuse" ]; then | |
109 | fileowner="$(get_fileowner_names ${LOGFILE})" | |
110 | if [ "${fileowner}" != "${TESTUSER} ${TESTGROUP}" ]; then | |
111 | echo "File ownership for logfile is wrong." | |
112 | echo "Expected: ${TESTUSER} ${TESTGROUP}" | |
113 | echo "Actual : ${fileowner}" | |
114 | fi | |
115 | ||
116 | fileowner="$(get_fileowner_names ${PIDFILE})" | |
117 | if [ "${fileowner}" != "${TESTUSER} ${TESTGROUP}" ]; then | |
118 | echo "File ownership for pidfile is wrong." | |
119 | echo "Expected: ${TESTUSER} ${TESTGROUP}" | |
120 | echo "Actual : ${fileowner}" | |
121 | fi | |
122 | fi | |
123 | ||
124 | # The log file must have grown | |
125 | if [ -z "$(grep "TestTest" ${LOGFILE})" ]; then | |
126 | echo "Error: First line 'TestTest' missing in logfile." | |
127 | exit 1 | |
128 | fi | |
129 | if [ $(get_filesize ${LOGFILE}) -le ${logsize} ]; then | |
130 | echo "Error: Log file did not grow!" | |
131 | exit 1 | |
132 | fi | |
133 | ||
134 | # The PID file must contain the PID | |
135 | if [ "$(cat "${PIDFILE}")" != "${SWTPM_PID}" ]; then | |
136 | echo "Error: PID file does not have the PID!" | |
137 | echo "Expected: ${SWTPM_PID}" | |
138 | echo "Actual : $(cat "${PIDFILE}")" | |
139 | exit 1 | |
140 | fi | |
141 | ||
30510820 SB |
142 | # Read PCR 10 (from pcrextend -ha 10 -ic test) |
143 | RES=$(swtpm_cmd_tx ${SWTPM_INTERFACE} '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x04\x00') | |
144 | exp=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 16 00 00 00 01 00 0b 03 00 04 00 00 00 00 01 00 20 f6 85 98 e5 86 8d e6 8b 97 29 99 60 f2 71 7d 17 67 89 a4 2f 9a ae a8 c7 b7 aa 79 a8 62 56 c1 de' | |
145 | if [ "$RES" != "$exp" ]; then | |
146 | echo "Error: (1) Did not get expected result from TPM_PCRRead(10)" | |
147 | echo "expected: $exp" | |
148 | echo "received: $RES" | |
149 | exit 1 | |
150 | fi | |
151 | ||
152 | run_swtpm_ioctl ${SWTPM_INTERFACE} -s | |
153 | if [ $? -ne 0 ]; then | |
154 | echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM." | |
155 | exit 1 | |
156 | fi | |
157 | ||
158 | if wait_process_gone ${SWTPM_PID} 4; then | |
159 | echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore." | |
160 | exit 1 | |
161 | fi | |
162 | ||
163 | if [ -f "${PIDFILE}" ]; then | |
164 | echo "Error: PID file should have been removed." | |
165 | ls -l ${TPM_PATH} | |
166 | exit 1 | |
167 | fi | |
168 | ||
169 | echo "Test 1: OK" | |
170 | ||
171 | logsize=$(get_filesize "${LOGFILE}") | |
172 | statefilehash=$(get_sha1_file "${STATE_FILE}") | |
173 | ||
174 | LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \ | |
175 | --tpm2 \ | |
176 | --tpmstate "${TPM_PATH}" \ | |
177 | --logfile "${LOGFILE}" \ | |
178 | --runas "${TESTUSER}" \ | |
179 | --config "${SWTPM_SETUP_CONF}" \ | |
180 | --tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" | |
181 | ||
182 | if [ $? -eq 0 ]; then | |
183 | echo "Error: ${SWTPM_SETUP} should have refused to overwrite existing state." | |
184 | exit 1 | |
185 | fi | |
186 | ||
187 | LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \ | |
188 | --tpm2 \ | |
189 | --tpmstate "${TPM_PATH}" \ | |
190 | --overwrite \ | |
191 | --logfile "${LOGFILE}" \ | |
192 | --runas "${TESTUSER}" \ | |
193 | --config "${SWTPM_SETUP_CONF}" \ | |
194 | --tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" | |
195 | ||
196 | if [ $? -ne 0 ]; then | |
197 | echo "Error: ${SWTPM_SETUP} could not overwrite existing state. (1)" | |
198 | cat "${LOGFILE}" | |
199 | exit 1 | |
200 | fi | |
201 | if [ ! -f "${STATE_FILE}" ]; then | |
202 | echo "Error: TPM 2 state file doesn't exist." | |
203 | exit 1 | |
204 | fi | |
205 | if [ "$(get_sha1_file "${STATE_FILE}")" = "${statefilehash}" ]; then | |
206 | echo "Error: State file was not changed." | |
207 | exit 1 | |
208 | fi | |
209 | if [ -z "$(grep "TestTest" ${LOGFILE})" ]; then | |
210 | echo "Error: First line 'TestTest' missing in logfile." | |
211 | exit 1 | |
212 | fi | |
213 | if [ $(get_filesize "${LOGFILE}") -le ${logsize} ]; then | |
214 | echo "Error: ${SWTPM_SETUP} did not append to existing log." | |
215 | exit 1 | |
216 | fi | |
217 | ||
218 | echo "Test 2: OK" | |
219 | ||
220 | # Make sure it can access the pwdfile also | |
221 | statefilehash=$(get_sha1_file "${STATE_FILE}") | |
222 | logsize=$(get_filesize "${LOGFILE}") | |
223 | ||
224 | LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \ | |
225 | --tpmstate "${TPM_PATH}" \ | |
226 | --overwrite \ | |
227 | --tpm2 \ | |
228 | --logfile "${LOGFILE}" \ | |
229 | --runas "${TESTUSER}" \ | |
230 | --config "${SWTPM_SETUP_CONF}" \ | |
231 | --tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \ | |
232 | --pwdfile "${PWDFILE}" | |
233 | ||
234 | if [ $? -ne 0 ]; then | |
235 | echo "Error: ${SWTPM_SETUP} could not overwrite existing state." | |
236 | exit 1 | |
237 | fi | |
238 | if [ ! -f "${STATE_FILE}" ]; then | |
239 | echo "Error: TPM 2 state file '${STATE_FILE}' doesn't exist." | |
240 | exit 1 | |
241 | fi | |
242 | if [ "$(get_sha1_file "${STATE_FILE}")" = "${statefilehash}" ]; then | |
243 | echo "Error: State file was not changed." | |
244 | exit 1 | |
245 | fi | |
246 | if [ $(get_filesize "${LOGFILE}") -le ${logsize} ]; then | |
247 | echo "Error: ${SWTPM_SETUP} did not append to existing log." | |
248 | exit 1 | |
249 | fi | |
250 | ||
251 | echo "Test 3: OK" | |
252 | ||
253 | exit 0 |