1 #!/bin/bash
2
3 # For the license, see the LICENSE file in the root directory.
4 # set -x
5
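ROOT=${abs_top_builddir:-$(pwd)/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

VTPM_NAME="${VTPM_NAME:-vtpm-test-migration-key}"
SWTPM_DEV_NAME="/dev/${VTPM_NAME}"
# Test-only secret: the migration key is derived from this password.
# It must match the password the pre-recorded blob below was created with,
# since Test 4 loads that blob using this very password file.
MIGRATION_PASSWORD="migration"
# Pre-recorded volatile state, encrypted with the migration key (Test 4).
VOLATILESTATE=${TESTDIR}/data/migkey1/volatilestate.bin

# Private state directory; mktemp -d yields an unpredictable, owner-only path.
# NOTE: the EXIT trap that removes it is only installed further down (after
# cleanup() is defined), so an early "exit 1" here leaves it behind.
tpmstatedir="$(mktemp -d)"
if [ -z "$tpmstatedir" ]; then
    echo "Could not create temporary directory."
    exit 1
fi

# The password is handed to swtpm through a file (pwdfile=...), so only the
# path, not the secret, ever appears on the command line / in ps output.
migpwdfile="$(mktemp)"
if [ -z "$migpwdfile" ]; then
    echo "Could not create temporary file."
    exit 1
fi
# printf '%s': no trailing newline and none of echo's flag/backslash
# ambiguity. A failed write would leave an empty file and silently derive a
# different key, so treat it as fatal rather than letting the tests run on.
if ! printf '%s' "$MIGRATION_PASSWORD" > "$migpwdfile"; then
    echo "Could not write the migration password to ${migpwdfile}."
    exit 1
fi

# Receives the encrypted volatile state saved in Test 1.
volatilestatefile="$(mktemp)"
if [ -z "$volatilestatefile" ]; then
    echo "Could not create temporary file."
    exit 1
fi

SWTPM_CMD_UNIX_PATH=${tpmstatedir}/unix-cmd.sock
SWTPM_CTRL_UNIX_PATH=${tpmstatedir}/unix-ctrl.sock
SWTPM_INTERFACE=${SWTPM_INTERFACE:-cuse}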
36
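# Test teardown: kill the swtpm instance (if one was started) and remove the
# temporary files and the state directory. Installed as the EXIT trap right
# after this definition, so it runs on every exit path, including the early
# "exit 1"s in the individual tests.
#
# Globals read: SWTPM_PID, migpwdfile, volatilestatefile, tpmstatedir
# Returns:      status of the final rm (0 when nothing had to be removed)
function cleanup()
{
    local pid=${SWTPM_PID}
    local -a paths=()
    local p

    if [ -n "$pid" ]; then
        # SIGKILL is deliberate: this is teardown, not a graceful shutdown
        # (that path is exercised explicitly via 'run_swtpm_ioctl -s').
        kill_quiet -9 "$pid"
    fi

    # Only remove what was actually assigned; quoting keeps a path with
    # whitespace or glob characters from being split or expanded, and '--'
    # guards against a path that starts with '-'.
    for p in "$migpwdfile" "$volatilestatefile" "$tpmstatedir"; do
        if [ -n "$p" ]; then
            paths+=("$p")
        fi
    done
    if [ "${#paths[@]}" -gt 0 ]; then
        rm -rf -- "${paths[@]}"
    fi
}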
45
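# Run cleanup on every exit path (normal end, any "exit 1" below, and
# signals that bash turns into an exit).
trap "cleanup" EXIT

# The helpers used below (run_swtpm, run_swtpm_ioctl, swtpm_cmd_tx,
# kill_quiet, get_filesize, display_processes_by_name, SWTPM) are not
# defined in this file; they come from the sourced test helper files.
# Check that each file is readable before sourcing it: a missing helper
# would otherwise only surface later as a misleading "command not found",
# and the script would keep going without it.
if [ "${SWTPM_INTERFACE}" == cuse ]; then
    if [ ! -r "${TESTDIR}/test_cuse" ]; then
        echo "Error: Cannot read helper file ${TESTDIR}/test_cuse."
        exit 1
    fi
    source "${TESTDIR}/test_cuse"
fi
if [ ! -r "${TESTDIR}/common" ]; then
    echo "Error: Cannot read helper file ${TESTDIR}/common."
    exit 1
fi
source "${TESTDIR}/common"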
50
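# ---------------------------------------------------------------------------
# Test 1: start swtpm with a migration key, create some state, and save the
# volatile state (encrypted under that key) to $volatilestatefile.
# ---------------------------------------------------------------------------

# Seed the state directory with the pre-recorded TPM state; the PCR 10 digest
# and the state-file size pinned below assume exactly this starting state.
export TPM_PATH=$tpmstatedir
if ! cp "${TESTDIR}"/data/tpmstate1/* "$TPM_PATH"; then
    echo "Error: Could not copy the initial TPM state into ${TPM_PATH}."
    exit 1
fi

# Migration key derived from the password file with kdf=sha512;
# remove=false presumably keeps the password file in place so that the
# later tests can reuse it (Test 4 uses remove=true) — confirm in swtpm(8).
run_swtpm "${SWTPM_INTERFACE}" \
    --migration-key "pwdfile=${migpwdfile},remove=false,kdf=sha512"

display_processes_by_name "$SWTPM"

if ! kill_quiet -0 "${SWTPM_PID}"; then
    echo "Error: ${SWTPM_INTERFACE} TPM did not start."
    exit 1
fi

# Init the TPM
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" -i; then
    echo "Error: Initializing the ${SWTPM_INTERFACE} TPM failed."
    exit 1
fi

if ! kill_quiet -0 "${SWTPM_PID}" 2>/dev/null; then
    echo "Error: ${SWTPM_INTERFACE} TPM not running anymore after INIT."
    exit 1
fi

# Read PCR 10: TPM 1.2 request (tag 0x00c1, size 0x0e, ordinal 0x15,
# PCR index 0x0a); the reply must carry the digest of the seeded state.
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a')
exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5'
if [ "$RES" != "$exp" ]; then
    echo "Error: (1) Did not get expected result from TPM_PCRRead(10)"
    echo "expected: $exp"
    echo "received: $RES"
    exit 1
fi

# Assert physical presence (TSC_PhysicalPresence with argument 0x0020, ENABLE)
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" '\x00\xC1\x00\x00\x00\x0C\x40\x00\x00\x0A\x00\x20')
exp=' 00 c4 00 00 00 0a 00 00 00 00'
if [ "$RES" != "$exp" ]; then
    echo "Error: (1) Did not get expected result from TSC_PhysicalPresence(ENABLE)"
    echo "expected: $exp"
    echo "received: $RES"
    exit 1
fi

# Create a big NVRAM Area with 4000 bytes (0x00000fa0 spans the line break
# in the encoded request below).
tmp='\x00\xC1\x00\x00\x00\x65\x00\x00\x00\xcc\x00\x18\x00\x00\x00\x01'
tmp+='\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
tmp+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01'
tmp+='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
tmp+='\x00\x00\x00\x00\x00\x17\x00\x01\x00\x01\x00\x00\x00\x00\x00\x0f'
tmp+='\xa0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
tmp+='\x00\x00\x00\x00\x00'
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" "$tmp")
exp=' 00 c4 00 00 00 0a 00 00 00 00'
if [ "$RES" != "$exp" ]; then
    echo "Error: (1) Did not get expected result from TPM_NVDefineSpace()"
    echo "expected: $exp"
    echo "received: $RES"
    exit 1
fi

# Save the volatile state into a file; with a migration key configured this
# is the blob the following tests try to load back with and without the key.
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" --save volatile "$volatilestatefile"; then
    echo "Error: Could not save the volatile state to ${volatilestatefile}."
    exit 1
fi
if [ ! -r "$volatilestatefile" ]; then
    echo "Error: Volatile state file $volatilestatefile does not exist."
    exit 1
fi

# The size of the saved blob is pinned; any change in the state format or in
# the encryption envelope shows up here first.
size=$(get_filesize "$volatilestatefile")
expsize=1324
if [ "$size" -ne "$expsize" ]; then
    echo "Error: Unexpected size of volatile state file."
    echo " Expected file with size of $expsize, found $size bytes."
    exit 1
fi

# Query the configuration flags. The ioctl result is captured BEFORE the
# text is piped through cut: "$?" after a pipeline only reports the status
# of the last stage, so a failing ioctl used to go unnoticed here.
flags=$(run_swtpm_ioctl "${SWTPM_INTERFACE}" -g)
if [ $? -ne 0 ]; then
    echo "Error: Could not get the configration flags of the ${SWTPM_INTERFACE} TPM."
    exit 1
fi
tmp=$(printf '%s\n' "$flags" | cut -d":" -f2)

# 0x2 is the flag value expected while a migration key is configured
# (the bit's meaning is defined by swtpm_ioctl, not visible here — confirm).
if [ "$tmp" != " 0x2" ]; then
    echo "Error: Unexpected configuration flags: $tmp; expected 0x2."
    exit 1
fi

# Shut the TPM down. fd 100 is closed first, as in the other tests
# (presumably a descriptor held open by one of the sourced helpers — confirm).
# The shutdown result is checked here for consistency with Tests 2-4.
exec 100>&-
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" -s; then
    echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
    exit 1
fi

echo "Test 1: Ok"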
152
# ---------------------------------------------------------------------------
# Test 2: restart swtpm with the SAME migration key and load the volatile
# state saved in Test 1; after INIT, PCR 10 must read back unchanged.
# ---------------------------------------------------------------------------
run_swtpm "${SWTPM_INTERFACE}" \
    --migration-key "pwdfile=${migpwdfile},remove=false,kdf=sha512"

display_processes_by_name "$SWTPM"

if ! kill_quiet -0 "${SWTPM_PID}"; then
    echo "Error: ${SWTPM_INTERFACE} TPM did not start."
    exit 1
fi

# Do NOT init the TPM yet: the encrypted volatile state is loaded first,
# the INIT follows once the blob has been accepted.
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" --load volatile "$volatilestatefile"; then
    echo "Error: Could not load encrypted volatile state into TPM."
    exit 1
fi

# Now init the TPM
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" -i; then
    echo "Error: Initializing the ${SWTPM_INTERFACE} TPM failed."
    exit 1
fi

# Read PCR 10; the digest must equal the one observed before the
# save/load round trip.
pcr10_cmd='\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a'
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" "$pcr10_cmd")
exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5'
if [ "$RES" != "$exp" ]; then
    echo "Error: (1) Did not get expected result from TPM_PCRRead(10)"
    echo "expected: $exp"
    echo "received: $RES"
    exit 1
fi

# Shut the TPM down (fd 100 is closed first, as in the other tests).
exec 100>&-
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" -s; then
    echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
    exit 1
fi

echo "Test 2: Ok"
200
201
# ---------------------------------------------------------------------------
# Test 3: negative case. Start swtpm WITHOUT a migration key and try to load
# the encrypted volatile state from Test 1; the load must be rejected.
# ---------------------------------------------------------------------------
run_swtpm "${SWTPM_INTERFACE}"

display_processes_by_name "$SWTPM"

if ! kill_quiet -0 "${SWTPM_PID}"; then
    echo "Error: ${SWTPM_INTERFACE} TPM did not start."
    exit 1
fi

# Do NOT init the TPM now; first load volatile state.
# This will not work: the TPM writes the data into the volatile state file
# and validates it, which cannot succeed without the key. Both the failure
# itself and the exact error text are pinned, so a blob that is silently
# accepted, or a different failure mode, is caught by this test.
if ERR=$(run_swtpm_ioctl "${SWTPM_INTERFACE}" --load volatile "$volatilestatefile" 2>&1); then
    echo "Error: Could load encrypted volatile state into TPM."
    exit 1
fi
exp="TPM result from PTM_SET_STATEBLOB: 0xd"
if [ "$ERR" != "$exp" ]; then
    echo "Error: Unexpected error message"
    echo "Received: $ERR"
    echo "Expected: $exp"
    exit 1
fi

# Shut the TPM down. Note: unlike the other tests, fd 100 is not closed
# before the shutdown here.
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" -s; then
    echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
    exit 1
fi

echo "Test 3: Ok"
239
# ---------------------------------------------------------------------------
# Test 4: load a pre-recorded encrypted volatile state ($VOLATILESTATE, from
# data/migkey1) with the migration key, this time using remove=true
# (presumably the password file is deleted once read — confirm in swtpm(8)).
# ---------------------------------------------------------------------------
run_swtpm "${SWTPM_INTERFACE}" \
    --migration-key "pwdfile=${migpwdfile},remove=true,kdf=sha512"

display_processes_by_name "$SWTPM"

if ! kill_quiet -0 "${SWTPM_PID}"; then
    echo "Error: ${SWTPM_INTERFACE} TPM did not start."
    exit 1
fi

# Load the pre-recorded encrypted volatile state (before INIT, as before).
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" --load volatile "$VOLATILESTATE"; then
    echo "Error: Could not load encrypted volatile state into TPM."
    exit 1
fi

# Now init the TPM; this must work
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" -i; then
    echo "Error: Could not initialize the ${SWTPM_INTERFACE} TPM."
    exit 1
fi

# Read PCR 10; the recorded state must yield the same digest as the
# state seeded in Test 1.
pcr10_cmd='\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a'
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" "$pcr10_cmd")
exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5'
if [ "$RES" != "$exp" ]; then
    echo "Error: (1) Did not get expected result from TPM_PCRRead(10)"
    echo "expected: $exp"
    echo "received: $RES"
    exit 1
fi

# Shut the TPM down (fd 100 is closed first, as in the other tests).
exec 100>&-
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" -s; then
    echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
    exit 1
fi

echo "Test 4: Ok"