]> git.proxmox.com Git - swtpm.git/blame - tests/_test_tpm2_file_permissions
packaging: track dbgsym package for swtpm-libs and swtpm-tools
[swtpm.git] / tests / _test_tpm2_file_permissions
CommitLineData
30510820
SB
1#!/bin/bash
2
3# For the license, see the LICENSE file in the root directory.
4#set -x
5
6ROOT=${abs_top_builddir:-$(pwd)/..}
7TESTDIR=${abs_top_testdir:-$(dirname "$0")}
8
9VTPM_NAME="vtpm-test-file-permissions"
10SWTPM_DEV_NAME="/dev/${VTPM_NAME}"
cce7503c 11export TPM_PATH="$(mktemp -d)" || exit 1
30510820
SB
12STATE_FILE=${TPM_PATH}/tpm2-00.permall
13VOLATILE_STATE_FILE=${TPM_PATH}/tpm2-00.volatilestate
14PIDFILE=${TPM_PATH}/swtpm.pid
15LOGFILE=${TPM_PATH}/swtpm.log
16PWDFILE=${TPM_PATH}/pwdfile.txt
17SWTPM_INTERFACE=${SWTPM_INTERFACE:-cuse}
18SWTPM_SETUP_CONF=${TPM_PATH}/swtpm_setup.conf
19
20function cleanup()
21{
22 if [ -n "${SWTPM_PID}" ]; then
23 kill_quiet -9 "${SWTPM_PID}"
24 fi
25 rm -rf "${TPM_PATH}"
26}
27
28trap "cleanup" EXIT
29
30[ "${SWTPM_INTERFACE}" == cuse ] && source ${TESTDIR}/test_cuse
31source ${TESTDIR}/common
32
33cat <<_EOF_ > "${SWTPM_SETUP_CONF}"
34create_certs_tool=unused
35create_certs_tool_config=/dev/null
36create_certs_tool_options=/dev/null
37_EOF_
38
39# We need to copy swtpm and libswtpm_libtpms.so to the workdir
40# so that swtpm_setup can access it as TESTUSER
41if [ -z "$(file "${SWTPM_EXE}" | grep ELF)" ]; then
42 directory="$(dirname "${SWTPM_EXE}")/.libs"
43 if [ -d "${directory}" ]; then
44 cp "${directory}/swtpm" "${TPM_PATH}"
94aae1bb 45 cp "${directory}"/libswtpm_libtpms.so* "${TPM_PATH}"
30510820
SB
46 else
47 echo "Could not find .libs directory to copy swtpm from."
48 exit 77
49 fi
50 MY_SWTPM_EXE="${TPM_PATH}/swtpm"
51 SWTPM_LD_LIBRARY_PATH="${TPM_PATH}"
52else
53 MY_SWTPM_EXE="${SWTPM_EXE}"
54 SWTPM_LD_LIBRARY_PATH=""
55fi
56
57# Mininum permissions on directory
58chmod 0700 "${TPM_PATH}"
59chown "${TESTUSER}:${TESTGROUP}" "${TPM_PATH}"
60# empty pid file that swtpm must be able to overwrite
61touch "${PIDFILE}"
62# A logfile that swtpm must be able to write to
63echo "TestTest" > "${LOGFILE}"
64# minimum permission on state files, pidfile, password file, and logfile
65cp "${TESTDIR}"/data/tpm2state2/* "${TPM_PATH}"
66chmod 0600 "${TPM_PATH}"/tpm2-00* "${PIDFILE}" "${PWDFILE}" "${LOGFILE}" "${SWTPM_SETUP_CONF}"
67chown "${TESTUSER}:${TESTGROUP}" "${TPM_PATH}"/*
68
69# Test-execute the swtpm program as $TESTUSER
94aae1bb 70tmp=$(su -m "${TESTUSER}" -c "LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" "${MY_SWTPM_EXE}" --help 2>&1")
30510820
SB
71if [ $? -ne 0 ]; then
72 echo "Could not run '${MY_SWTPM_EXE}' as ${TESTUSER}. Skipping swtpm_setup tests."
73 echo "Error: ${tmp}"
74 exit 77
75fi
76
77
78logsize=$(get_filesize "${LOGFILE}")
79
80run_swtpm ${SWTPM_INTERFACE} \
81 --pid "file=${PIDFILE}" \
82 --log "file=${LOGFILE},level=20" \
83 --runas "${TESTUSER}" \
84 --tpm2 \
85 --key "pwdfile=${PWDFILE},kdf=sha512"
86
87kill -0 ${SWTPM_PID}
88if [ $? -ne 0 ]; then
89 echo "Error: ${SWTPM_INTERFACE} TPM did not start."
90 exit 1
91fi
92
93# Init the TPM
94run_swtpm_ioctl ${SWTPM_INTERFACE} -i
95if [ $? -ne 0 ]; then
96 echo "Error: Could not initialize the ${SWTPM_INTERFACE} TPM."
97 exit 1
98fi
99
100# Volatile state file must be gone now
101if [ -f "${VOLATILE_STATE_FILE}" ]; then
102 echo "Error: Volatile state file has not been removed."
103 exit 1
104fi
105
106# There should be a log file now owned by the ${TESTUSER}
107# Since the CUSE TPM must be started as root root ownership is allowed for log and pid file
108if [ "${SWTPM_INTERFACE}" != "cuse" ]; then
109 fileowner="$(get_fileowner_names ${LOGFILE})"
110 if [ "${fileowner}" != "${TESTUSER} ${TESTGROUP}" ]; then
111 echo "File ownership for logfile is wrong."
112 echo "Expected: ${TESTUSER} ${TESTGROUP}"
113 echo "Actual : ${fileowner}"
114 fi
115
116 fileowner="$(get_fileowner_names ${PIDFILE})"
117 if [ "${fileowner}" != "${TESTUSER} ${TESTGROUP}" ]; then
118 echo "File ownership for pidfile is wrong."
119 echo "Expected: ${TESTUSER} ${TESTGROUP}"
120 echo "Actual : ${fileowner}"
121 fi
122fi
123
124# The log file must have grown
125if [ -z "$(grep "TestTest" ${LOGFILE})" ]; then
126 echo "Error: First line 'TestTest' missing in logfile."
127 exit 1
128fi
129if [ $(get_filesize ${LOGFILE}) -le ${logsize} ]; then
130 echo "Error: Log file did not grow!"
131 exit 1
132fi
133
134# The PID file must contain the PID
135if [ "$(cat "${PIDFILE}")" != "${SWTPM_PID}" ]; then
136 echo "Error: PID file does not have the PID!"
137 echo "Expected: ${SWTPM_PID}"
138 echo "Actual : $(cat "${PIDFILE}")"
139 exit 1
140fi
141
30510820
SB
142# Read PCR 10 (from pcrextend -ha 10 -ic test)
143RES=$(swtpm_cmd_tx ${SWTPM_INTERFACE} '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x04\x00')
144exp=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 16 00 00 00 01 00 0b 03 00 04 00 00 00 00 01 00 20 f6 85 98 e5 86 8d e6 8b 97 29 99 60 f2 71 7d 17 67 89 a4 2f 9a ae a8 c7 b7 aa 79 a8 62 56 c1 de'
145if [ "$RES" != "$exp" ]; then
146 echo "Error: (1) Did not get expected result from TPM_PCRRead(10)"
147 echo "expected: $exp"
148 echo "received: $RES"
149 exit 1
150fi
151
152run_swtpm_ioctl ${SWTPM_INTERFACE} -s
153if [ $? -ne 0 ]; then
154 echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
155 exit 1
156fi
157
158if wait_process_gone ${SWTPM_PID} 4; then
159 echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore."
160 exit 1
161fi
162
163if [ -f "${PIDFILE}" ]; then
164 echo "Error: PID file should have been removed."
165 ls -l ${TPM_PATH}
166 exit 1
167fi
168
169echo "Test 1: OK"
170
171logsize=$(get_filesize "${LOGFILE}")
172statefilehash=$(get_sha1_file "${STATE_FILE}")
173
174LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \
175 --tpm2 \
176 --tpmstate "${TPM_PATH}" \
177 --logfile "${LOGFILE}" \
178 --runas "${TESTUSER}" \
179 --config "${SWTPM_SETUP_CONF}" \
180 --tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}"
181
182if [ $? -eq 0 ]; then
183 echo "Error: ${SWTPM_SETUP} should have refused to overwrite existing state."
184 exit 1
185fi
186
187LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \
188 --tpm2 \
189 --tpmstate "${TPM_PATH}" \
190 --overwrite \
191 --logfile "${LOGFILE}" \
192 --runas "${TESTUSER}" \
193 --config "${SWTPM_SETUP_CONF}" \
194 --tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}"
195
196if [ $? -ne 0 ]; then
197 echo "Error: ${SWTPM_SETUP} could not overwrite existing state. (1)"
198 cat "${LOGFILE}"
199 exit 1
200fi
201if [ ! -f "${STATE_FILE}" ]; then
202 echo "Error: TPM 2 state file doesn't exist."
203 exit 1
204fi
205if [ "$(get_sha1_file "${STATE_FILE}")" = "${statefilehash}" ]; then
206 echo "Error: State file was not changed."
207 exit 1
208fi
209if [ -z "$(grep "TestTest" ${LOGFILE})" ]; then
210 echo "Error: First line 'TestTest' missing in logfile."
211 exit 1
212fi
213if [ $(get_filesize "${LOGFILE}") -le ${logsize} ]; then
214 echo "Error: ${SWTPM_SETUP} did not append to existing log."
215 exit 1
216fi
217
218echo "Test 2: OK"
219
220# Make sure it can access the pwdfile also
221statefilehash=$(get_sha1_file "${STATE_FILE}")
222logsize=$(get_filesize "${LOGFILE}")
223
224LD_LIBRARY_PATH="${SWTPM_LD_LIBRARY_PATH}" ${SWTPM_SETUP} \
225 --tpmstate "${TPM_PATH}" \
226 --overwrite \
227 --tpm2 \
228 --logfile "${LOGFILE}" \
229 --runas "${TESTUSER}" \
230 --config "${SWTPM_SETUP_CONF}" \
231 --tpm "${MY_SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
232 --pwdfile "${PWDFILE}"
233
234if [ $? -ne 0 ]; then
235 echo "Error: ${SWTPM_SETUP} could not overwrite existing state."
236 exit 1
237fi
238if [ ! -f "${STATE_FILE}" ]; then
239 echo "Error: TPM 2 state file '${STATE_FILE}' doesn't exist."
240 exit 1
241fi
242if [ "$(get_sha1_file "${STATE_FILE}")" = "${statefilehash}" ]; then
243 echo "Error: State file was not changed."
244 exit 1
245fi
246if [ $(get_filesize "${LOGFILE}") -le ${logsize} ]; then
247 echo "Error: ${SWTPM_SETUP} did not append to existing log."
248 exit 1
249fi
250
251echo "Test 3: OK"
252
253exit 0