]>
Commit | Line | Data |
---|---|---|
75d33931 SB |
1 | #!/bin/bash |
2 | ||
3 | # For the license, see the LICENSE file in the root directory. | |
4 | #set -x | |
5 | ||
313cf75c SB |
6 | ROOT=${abs_top_builddir:-$(pwd)/..} |
7 | TESTDIR=${abs_top_testdir:-$(dirname "$0")} | |
8 | ||
75d33931 SB |
9 | VTPM_NAME="${VTPM_NAME:-vtpm-test-tpm2-save-load-encrypted-state}" |
10 | SWTPM_DEV_NAME="/dev/${VTPM_NAME}" | |
11 | export TPM_PATH=$(mktemp -d) | |
12 | STATE_FILE=$TPM_PATH/tpm2-00.permall | |
13 | VOLATILE_STATE_FILE=$TPM_PATH/tpm2-00.volatilestate | |
14 | KEY=1234567890abcdef1234567890abcdef | |
15 | MY_VOLATILE_STATE_FILE=$TPM_PATH/my.volatilestate | |
16 | MY_PERMANENT_STATE_FILE=$TPM_PATH/my.permanent | |
17 | SWTPM_INTERFACE=${SWTPM_INTERFACE:-cuse} | |
18 | SWTPM_CMD_UNIX_PATH=${TPM_PATH}/unix-cmd.sock | |
19 | SWTPM_CTRL_UNIX_PATH=${TPM_PATH}/unix-ctrl.sock | |
20 | ||
21 | keyfile=$(mktemp) | |
22 | logfile=$(mktemp) | |
23 | echo "$KEY" > $keyfile | |
24 | ||
25 | function cleanup() | |
26 | { | |
27 | pid=${SWTPM_PID} | |
28 | if [ -n "$pid" ]; then | |
47c7ea77 | 29 | kill_quiet -9 $pid |
75d33931 SB |
30 | fi |
31 | rm -f $keyfile $logfile | |
32 | rm -rf $TPM_PATH | |
33 | } | |
34 | ||
35 | trap "cleanup" EXIT | |
36 | ||
313cf75c SB |
37 | [ "${SWTPM_INTERFACE}" == "cuse" ] && source ${TESTDIR}/test_cuse |
38 | source ${TESTDIR}/common | |
75d33931 SB |
39 | |
40 | rm -f $STATE_FILE $VOLATILE_STATE_FILE 2>/dev/null | |
41 | ||
42 | run_swtpm ${SWTPM_INTERFACE} \ | |
43 | --key file=$keyfile,mode=aes-cbc,format=hex \ | |
44 | --log file=$logfile \ | |
45 | --tpm2 | |
46 | ||
100317d5 | 47 | display_processes_by_name "$SWTPM" |
75d33931 | 48 | |
47c7ea77 | 49 | kill_quiet -0 ${SWTPM_PID} |
75d33931 SB |
50 | if [ $? -ne 0 ]; then |
51 | echo "Error: ${SWTPM_INTERFACE} TPM did not start." | |
52 | echo "TPM Logfile:" | |
53 | cat $logfile | |
54 | exit 1 | |
55 | fi | |
56 | ||
57 | # Init the TPM | |
58 | run_swtpm_ioctl ${SWTPM_INTERFACE} -i | |
59 | if [ $? -ne 0 ]; then | |
60 | echo "Error: ${SWTPM_INTERFACE} TPM initialization failed." | |
61 | echo "TPM Logfile:" | |
62 | cat $logfile | |
63 | exit 1 | |
64 | fi | |
65 | ||
47c7ea77 | 66 | kill_quiet -0 ${SWTPM_PID} 2>/dev/null |
75d33931 SB |
67 | if [ $? -ne 0 ]; then |
68 | echo "Error: ${SWTPM_INTERFACE} TPM not running anymore after INIT." | |
69 | echo "TPM Logfile:" | |
70 | cat $logfile | |
71 | exit 1 | |
72 | fi | |
73 | ||
74 | # Startup the TPM (SU_CLEAR) | |
75 | swtpm_open_cmddev ${SWTPM_INTERFACE} 100 | |
76 | RES=$(swtpm_cmd_tx ${SWTPM_INTERFACE} '\x80\x01\x00\x00\x00\x0c\x00\x00\x01\x44\x00\x00') | |
77 | exp=' 80 01 00 00 00 0a 00 00 00 00' | |
78 | if [ "$RES" != "$exp" ]; then | |
79 | echo "Error: Did not get expected result from TPM2_Startup(SU_Clear)" | |
80 | echo "expected: $exp" | |
81 | echo "received: $RES" | |
82 | exit 1 | |
83 | fi | |
84 | ||
85 | run_swtpm_ioctl ${SWTPM_INTERFACE} -h 1234 | |
86 | if [ $? -ne 0 ]; then | |
87 | echo "Error: Could not hash the data." | |
88 | echo "TPM Logfile:" | |
89 | cat $logfile | |
90 | exit 1 | |
91 | fi | |
92 | ||
93 | # Read PCR 17 | |
94 | swtpm_open_cmddev ${SWTPM_INTERFACE} 100 | |
95 | RES=$(swtpm_cmd_tx ${SWTPM_INTERFACE} '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x00\x02') | |
497febc2 | 96 | exp=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 18 00 00 00 01 00 0b 03 00 00 02 00 00 00 01 00 20 fc a5 d6 49 bf b0 c9 22 fd 33 0f 79 b2 00 43 28 9d af d6 0d 01 a4 c4 37 3c f2 8a db 56 c9 b4 54' |
75d33931 SB |
97 | if [ "$RES" != "$exp" ]; then |
98 | echo "Error: (1) Did not get expected result from TPM2_PCRRead(17)" | |
99 | echo "expected: $exp" | |
100 | echo "received: $RES" | |
101 | exit 1 | |
102 | fi | |
103 | ||
104 | run_swtpm_ioctl ${SWTPM_INTERFACE} --save permanent $MY_PERMANENT_STATE_FILE | |
105 | if [ $? -ne 0 ]; then | |
106 | echo "Error: Could not write permanent state file $MY_PERMANENT_STATE_FILE." | |
107 | echo "TPM Logfile:" | |
108 | cat $logfile | |
109 | exit 1 | |
110 | fi | |
111 | if [ ! -r $MY_PERMANENT_STATE_FILE ]; then | |
112 | echo "Error: Permanent state file $MY_PERMANENT_STATE_FILE does not exist." | |
113 | echo "TPM Logfile:" | |
114 | cat $logfile | |
115 | exit 1 | |
116 | fi | |
117 | echo "Saved permanent state." | |
118 | ||
119 | run_swtpm_ioctl ${SWTPM_INTERFACE} --save volatile $MY_VOLATILE_STATE_FILE | |
120 | if [ $? -ne 0 ]; then | |
121 | echo "Error: Could not write volatile state file $MY_PERMANENT_STATE_FILE." | |
122 | echo "TPM Logfile:" | |
123 | cat $logfile | |
124 | exit 1 | |
125 | fi | |
126 | if [ ! -r $MY_VOLATILE_STATE_FILE ]; then | |
127 | echo "Error: Volatile state file $MY_VOLATILE_STATE_FILE does not exist." | |
128 | echo "TPM Logfile:" | |
129 | cat $logfile | |
130 | exit 1 | |
131 | fi | |
132 | echo "Saved volatile state." | |
133 | ||
f759520c SB |
134 | #ls -l $(dirname $MY_VOLATILE_STATE_FILE)/* |
135 | #sha1sum $(dirname $MY_VOLATILE_STATE_FILE)/* | |
75d33931 SB |
136 | |
137 | # we will use our own volatile state | |
138 | rm -f $VOLATILE_STATE_FILE $STATE_FILE | |
139 | ||
140 | # Stop the TPM; this will not shut it down | |
141 | exec 100>&- | |
142 | run_swtpm_ioctl ${SWTPM_INTERFACE} --stop | |
143 | ||
47c7ea77 | 144 | kill_quiet -0 ${SWTPM_PID} |
75d33931 SB |
145 | if [ $? -ne 0 ]; then |
146 | echo "Error (2): ${SWTPM_INTERFACE} TPM is not running anymore." | |
147 | echo "TPM Logfile:" | |
148 | cat $logfile | |
149 | exit 1 | |
150 | fi | |
151 | ||
152 | # load state into the TPM | |
153 | run_swtpm_ioctl ${SWTPM_INTERFACE} --load permanent $MY_PERMANENT_STATE_FILE | |
154 | if [ $? -ne 0 ]; then | |
155 | echo "Could not load permanent state into vTPM" | |
156 | echo "TPM Logfile:" | |
157 | cat $logfile | |
158 | exit 1 | |
159 | fi | |
160 | echo "Loaded permanent state." | |
161 | ||
162 | run_swtpm_ioctl ${SWTPM_INTERFACE} --load volatile $MY_VOLATILE_STATE_FILE | |
163 | if [ $? -ne 0 ]; then | |
164 | echo "Could not load volatile state into vTPM" | |
165 | echo "TPM Logfile:" | |
166 | cat $logfile | |
167 | exit 1 | |
168 | fi | |
169 | echo "Loaded volatile state." | |
170 | ||
171 | #ls -l $(dirname $MY_VOLATILE_STATE_FILE)/* | |
172 | #sha1sum $(dirname $MY_VOLATILE_STATE_FILE)/* | |
173 | ||
174 | # Init the TPM | |
175 | run_swtpm_ioctl ${SWTPM_INTERFACE} -i | |
176 | if [ $? -ne 0 ]; then | |
177 | echo "TPM Init failed." | |
178 | echo "TPM Logfile:" | |
179 | cat $logfile | |
180 | exit 1 | |
181 | fi | |
182 | ||
183 | # Volatile state must have been removed by TPM now | |
184 | if [ -r $VOLATILE_STATE_FILE ]; then | |
185 | echo "Error: Volatile state file $VOLATILE_STATE_FILE still exists." | |
186 | echo "TPM Logfile:" | |
187 | cat $logfile | |
188 | exit 1 | |
189 | fi | |
190 | ||
191 | # Read the PCR again ... | |
192 | swtpm_open_cmddev ${SWTPM_INTERFACE} 100 | |
193 | RES=$(swtpm_cmd_tx ${SWTPM_INTERFACE} '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x00\x02') | |
497febc2 | 194 | exp=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 18 00 00 00 01 00 0b 03 00 00 02 00 00 00 01 00 20 fc a5 d6 49 bf b0 c9 22 fd 33 0f 79 b2 00 43 28 9d af d6 0d 01 a4 c4 37 3c f2 8a db 56 c9 b4 54' |
75d33931 SB |
195 | if [ "$RES" != "$exp" ]; then |
196 | echo "Error: (2) Did not get expected result from TPM2_PCRRead(17)" | |
197 | echo "expected: $exp" | |
198 | echo "received: $RES" | |
199 | exit 1 | |
200 | fi | |
201 | ||
202 | # Save the volatile state again | |
203 | run_swtpm_ioctl ${SWTPM_INTERFACE} -v | |
204 | if [ $? -ne 0 ]; then | |
205 | echo "Error: Could not have the ${SWTPM_INTERFACE} TPM write the volatile state to a file." | |
206 | echo "TPM Logfile:" | |
207 | cat $logfile | |
208 | exit 1 | |
209 | fi | |
210 | if [ ! -r $VOLATILE_STATE_FILE ]; then | |
211 | echo "Error: Volatile state file $VOLATILE_STATE_FILE does not exist." | |
212 | echo "TPM Logfile:" | |
213 | cat $logfile | |
214 | exit 1 | |
215 | fi | |
216 | ||
217 | # Send a new TPM_Init | |
218 | run_swtpm_ioctl ${SWTPM_INTERFACE} -i | |
219 | if [ $? -ne 0 ]; then | |
220 | echo "Error: ${SWTPM_INTERFACE} TPM initialization failed." | |
221 | echo "TPM Logfile:" | |
222 | cat $logfile | |
223 | exit 1 | |
224 | fi | |
225 | ||
226 | # Volatile state must have been removed by TPM now | |
227 | if [ -r $VOLATILE_STATE_FILE ]; then | |
228 | echo "Error: Volatile state file $VOLATILE_STATE_FILE still exists." | |
229 | echo "TPM Logfile:" | |
230 | cat $logfile | |
231 | exit 1 | |
232 | fi | |
233 | ||
234 | # Read the PCR again ... | |
235 | swtpm_open_cmddev ${SWTPM_INTERFACE} 100 | |
236 | RES=$(swtpm_cmd_tx ${SWTPM_INTERFACE} '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x00\x02') | |
497febc2 | 237 | exp=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 18 00 00 00 01 00 0b 03 00 00 02 00 00 00 01 00 20 fc a5 d6 49 bf b0 c9 22 fd 33 0f 79 b2 00 43 28 9d af d6 0d 01 a4 c4 37 3c f2 8a db 56 c9 b4 54' |
75d33931 SB |
238 | if [ "$RES" != "$exp" ]; then |
239 | echo "Error: (2) Did not get expected result from TPM_PCRRead(17)" | |
240 | echo "expected: $exp" | |
241 | echo "received: $RES" | |
242 | exit 1 | |
243 | fi | |
244 | ||
245 | run_swtpm_ioctl ${SWTPM_INTERFACE} -s | |
246 | if [ $? -ne 0 ]; then | |
247 | echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM." | |
248 | echo "TPM Logfile:" | |
249 | cat $logfile | |
250 | exit 1 | |
251 | fi | |
75d33931 | 252 | |
45d2d092 | 253 | if wait_process_gone ${SWTPM_PID} 4; then |
75d33931 SB |
254 | echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore." |
255 | echo "TPM Logfile:" | |
256 | cat $logfile | |
257 | exit 1 | |
258 | fi | |
259 | ||
260 | echo "Test 1: Ok" | |
261 | ||
262 | # This time start we start the TPM with a wrong state encryption key | |
263 | # (key used as password) and try to start it. It has to fail and | |
264 | # the state must not have been modified. | |
265 | ||
266 | # volatile state file does not exist | |
267 | sha1_volatile=$(get_sha1_file "${VOLATILE_STATE_FILE}") | |
268 | sha1_permanent=$(get_sha1_file "${STATE_FILE}") | |
f759520c SB |
269 | echo "sha1(volatile) : $sha1_volatile" |
270 | echo "sha1(permanent): $sha1_permanent" | |
75d33931 SB |
271 | |
272 | run_swtpm ${SWTPM_INTERFACE} \ | |
273 | --key pwdfile=$keyfile \ | |
274 | --log file=$logfile \ | |
275 | --tpm2 | |
276 | ||
100317d5 | 277 | display_processes_by_name "$SWTPM" |
75d33931 | 278 | |
47c7ea77 | 279 | kill_quiet -0 ${SWTPM_PID} |
75d33931 SB |
280 | if [ $? -ne 0 ]; then |
281 | echo "Error: ${SWTPM_INTERFACE} TPM did not start." | |
282 | echo "TPM Logfile:" | |
283 | cat $logfile | |
284 | exit 1 | |
285 | fi | |
286 | ||
287 | # Init the TPM | |
f759520c | 288 | ERR="$(run_swtpm_ioctl ${SWTPM_INTERFACE} -i 2>&1)" |
75d33931 SB |
289 | if [ $? -eq 0 ]; then |
290 | echo "Error: ${SWTPM_INTERFACE} TPM initialization should have failed." | |
291 | echo "TPM Logfile:" | |
292 | cat $logfile | |
293 | exit 1 | |
294 | fi | |
f759520c SB |
295 | exp="TPM result from PTM_INIT: 0x101" |
296 | if [ "$ERR" != "$exp" ]; then | |
297 | echo "Error: Unexpected error message" | |
298 | echo "Received: $ERR" | |
299 | echo "Expected: $exp" | |
300 | exit 1 | |
301 | fi | |
75d33931 | 302 | |
47c7ea77 | 303 | kill_quiet -0 ${SWTPM_PID} 2>/dev/null |
75d33931 SB |
304 | if [ $? -ne 0 ]; then |
305 | echo "Error: ${SWTPM_INTERFACE} TPM not running anymore after failed INIT." | |
306 | echo "TPM Logfile:" | |
307 | cat $logfile | |
308 | exit 1 | |
309 | fi | |
310 | ||
311 | if [ "${sha1_volatile}" != "$(get_sha1_file "${VOLATILE_STATE_FILE}")" ]; then | |
312 | echo "Error: Volatile state file was modified during failed init." | |
313 | exit 1 | |
314 | fi | |
315 | ||
316 | if [ "${sha1_permanent}" != "$(get_sha1_file "${STATE_FILE}")" ]; then | |
317 | echo "Error: Permanent state file was modified during failed init." | |
318 | exit 1 | |
319 | fi | |
320 | ||
71d9581a SB |
321 | run_swtpm_ioctl ${SWTPM_INTERFACE} -s |
322 | if [ $? -ne 0 ]; then | |
323 | echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM." | |
324 | echo "TPM Logfile:" | |
325 | cat $logfile | |
326 | exit 1 | |
327 | fi | |
328 | ||
45d2d092 | 329 | if wait_process_gone ${SWTPM_PID} 4; then |
71d9581a SB |
330 | echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore." |
331 | echo "TPM Logfile:" | |
332 | cat $logfile | |
333 | exit 1 | |
334 | fi | |
335 | ||
336 | # shut it down | |
337 | ||
75d33931 SB |
338 | echo "Test 2: Ok" |
339 | ||
71d9581a SB |
340 | # This time start we start the TPM with a wrong state encryption key |
341 | # (key used as password) and try to start it. It has to fail and | |
342 | # the state must not have been modified. | |
343 | ||
344 | # volatile state file does not exist | |
345 | sha1_volatile=$(get_sha1_file "${VOLATILE_STATE_FILE}") | |
346 | sha1_permanent=$(get_sha1_file "${STATE_FILE}") | |
f759520c SB |
347 | echo "sha1(volatile) : $sha1_volatile" |
348 | echo "sha1(permanent): $sha1_permanent" | |
71d9581a SB |
349 | |
350 | # we need a 256bit key | |
351 | echo "${KEY}${KEY}" > $keyfile | |
352 | ||
353 | run_swtpm ${SWTPM_INTERFACE} \ | |
354 | --key pwdfile=$keyfile,mode=aes-256-cbc \ | |
355 | --log file=$logfile \ | |
356 | --tpm2 | |
357 | ||
100317d5 | 358 | display_processes_by_name "$SWTPM" |
71d9581a SB |
359 | |
360 | kill_quiet -0 ${SWTPM_PID} | |
361 | if [ $? -ne 0 ]; then | |
362 | echo "Error: ${SWTPM_INTERFACE} TPM did not start." | |
363 | echo "TPM Logfile:" | |
364 | cat $logfile | |
365 | exit 1 | |
366 | fi | |
367 | ||
368 | # Init the TPM | |
369 | run_swtpm_ioctl ${SWTPM_INTERFACE} -i | |
370 | if [ $? -eq 0 ]; then | |
371 | echo "Error: ${SWTPM_INTERFACE} TPM initialization should have failed." | |
372 | echo "TPM Logfile:" | |
373 | cat $logfile | |
374 | exit 1 | |
375 | fi | |
376 | ||
45d2d092 | 377 | if ! wait_process_gone ${SWTPM_PID} 4; then |
71d9581a SB |
378 | echo "Error: ${SWTPM_INTERFACE} TPM not running anymore after failed INIT." |
379 | echo "TPM Logfile:" | |
380 | cat $logfile | |
381 | exit 1 | |
382 | fi | |
383 | ||
384 | if [ "${sha1_volatile}" != "$(get_sha1_file "${VOLATILE_STATE_FILE}")" ]; then | |
385 | echo "Error: Volatile state file was modified during failed init." | |
386 | exit 1 | |
387 | fi | |
388 | ||
389 | if [ "${sha1_permanent}" != "$(get_sha1_file "${STATE_FILE}")" ]; then | |
390 | echo "Error: Permanent state file was modified during failed init." | |
391 | exit 1 | |
392 | fi | |
393 | ||
394 | echo "Test 3: Ok" | |
395 | ||
75d33931 SB |
396 | # Final shut down |
397 | exec 100>&- | |
398 | run_swtpm_ioctl ${SWTPM_INTERFACE} -s | |
399 | if [ $? -ne 0 ]; then | |
400 | echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM." | |
401 | echo "TPM Logfile:" | |
402 | cat $logfile | |
403 | exit 1 | |
404 | fi | |
75d33931 | 405 | |
45d2d092 | 406 | if wait_process_gone ${SWTPM_PID} 4; then |
75d33931 SB |
407 | echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore." |
408 | echo "TPM Logfile:" | |
409 | cat $logfile | |
410 | exit 1 | |
411 | fi | |
412 | ||
413 | if [ ! -e $STATE_FILE ]; then | |
414 | echo "Error: TPM state file $STATE_FILE does not exist." | |
415 | echo "TPM Logfile:" | |
416 | cat $logfile | |
417 | exit 1 | |
418 | fi | |
419 | ||
420 | echo "OK" | |
421 | ||
422 | exit 0 |