4 # For the license, see the LICENSE file in the root directory.
6 if [ "$(id -u)" -ne 0 ]; then
7 echo "Need to be root to run this test."
11 # tpmtool is not packaged everywhere ...
12 if [ -z "$(type -P tpmtool)" ]; then
13 echo "Could not find tpmtool in PATH"
17 ROOT
=${abs_top_builddir:-$(dirname "$0")/..}
18 TESTDIR
=${abs_top_testdir:=$(dirname "$0")}
19 SRCDIR
=${abs_top_srcdir:-$(dirname "$0")/..}
21 PATH
=$ROOT/src
/swtpm
:$PATH
23 source ${abs_top_builddir:-$(dirname "$0")/..}/tests
/test_config
25 SWTPM_SETUP
=${ROOT}/src
/swtpm_setup
/swtpm_setup
26 SWTPM_CREATE_TPMCA
=${SRCDIR}/samples
/swtpm-create-tpmca
27 SWTPM_LOCALCA
=${ROOT}/src
/swtpm_localca
/swtpm_localca
28 SWTPM
=${ROOT}/src
/swtpm
/swtpm
29 SWTPM_IOCTL
=${ROOT}/src
/swtpm_ioctl
/swtpm_ioctl
31 SWTPM_INTERFACE
=socket
+socket
32 SWTPM_SERVER_NAME
=localhost
33 SWTPM_SERVER_PORT
=65434
36 TCSD_LISTEN_PORT
=65436
43 TCSD_CONF
=${workdir}/tcsd.conf
44 TCSD_SYSTEM_PS_FILE
=${workdir}/system_ps_file
45 TCSD_PIDFILE
=${workdir}/tcsd.pid
46 SWTPM_LOCALCA_DIR
="${workdir}/my localca"
47 SWTPM_LOCALCA_CONF
="${workdir}/my localca/swtpm-localca.conf"
49 # Captured TCSD file when using a SRK_PASSWORD=srk
50 TCSD_FILE
="AQEAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAABLwEAAAAAAwAAAAAAAAAAAAAA
51 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
52 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
53 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
54 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
55 AAAAAAAAAAAAAAAAAAAAAAAAAQEAAAARAAAAAAEAAAABAAMAAQAAAAwAAAgAAAAAAgAAAAAAAAAA
56 AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
57 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
58 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
59 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
60 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
64 if [ -n "${TCSD_PID}" ]; then
65 kill_quiet
-15 ${TCSD_PID}
67 if [ -n "${SWTPM_PID}" ]; then
68 kill_quiet
-9 ${SWTPM_PID}
70 if [ -n "${BASH_PID}" ]; then
71 kill_quiet
-9 ${BASH_PID}
76 trap "cleanup" SIGTERM EXIT
77 source ${TESTDIR}/common
79 PATH
=${ROOT}/src/swtpm_bios:${ROOT}/src/swtpm_cert:${PATH}
81 # run the test with the given owner and SRK passwords
82 # @param1: owner password; empty means to use well known password
83 # @param2: SRK password; empty means to use well known password
84 # @param3: vTPM is a TPM 2.0
86 local owner_password
="$1"
87 local srk_password
="$2"
88 local vtpm_is_tpm2
="$3"
90 local params certinfo regex regexs fil i skip
94 cat <<_EOF_ > "${workdir}/swtpm_setup.conf"
95 create_certs_tool=${SWTPM_LOCALCA}
96 create_certs_tool_config=${workdir}/swtpm-localca.conf
97 create_certs_tool_options=/dev/null
101 if [ -n "${owner_password}" ]; then
102 params
="${params} --ownerpass ${owner_password}"
104 params
="${params} --owner-well-known"
106 params
="${params} --srkpass ${srk_password}"
108 # First setup the TPM and take ownership of it and set SRK password
111 --tpm-state "${workdir}" \
112 --logfile "${workdir}/logfile" \
113 --config "${workdir}/swtpm_setup.conf" \
114 --tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
118 if [ $?
-ne 0 ]; then
119 echo "Error: Could not run $SWTPM_SETUP."
120 echo "Setup Logfile:"
121 cat ${workdir}/logfile
125 echo "Successfully took ownership of TPM and set owner and SRK passwords."
127 run_swtpm
${SWTPM_INTERFACE} \
128 --flags not-need-init \
129 --tpmstate "dir=${workdir}"
131 swtpm_open_cmddev
${SWTPM_INTERFACE} 100
134 res
="$(swtpm_cmd_tx "${SWTPM_INTERFACE}" '\x00\xC1\x00\x00\x00\x0C\x00\x00\x00\x99\x00\x01')"
135 exp
=' 00 c4 00 00 00 0a 00 00 00 00'
136 if [ "$res" != "$exp" ]; then
137 echo "Error: Did not get expected result from TPM_Startup(ST_Clear)"
138 echo "expected: $exp"
139 echo "received: $res"
143 echo "$TCSD_FILE" | base64
-d > "${TCSD_SYSTEM_PS_FILE}"
145 # Setup the TCSD config file and start TCSD with it
146 cat <<_EOF_ > "${TCSD_CONF}"
147 port = ${TCSD_LISTEN_PORT}
148 system_ps_file = ${TCSD_SYSTEM_PS_FILE}
151 # Due to recent changes in tcsd we have to try with TSS_USER=tss and TSS_USER=root
152 # Before the following worked:
153 # - tss:tss 0600 for TSS_USER=tss and TSS_GROUP=tss
154 # - root:tss 0640 for TSS_USER=root and TSS_GROUP=tss
156 # - root:tss 0640 for TSS_USER=tss and TSS_GROUP=tss
158 chown
${TSS_USER}:${TSS_GROUP} "${TCSD_CONF}"
159 if [ "${TSS_USER}" == "${TSS_GROUP}" ]; then
160 chmod 0600 "${TCSD_CONF}"
162 chmod 0640 "${TCSD_CONF}"
165 bash -c "TCSD_USE_TCP_DEVICE
=1 TCSD_TCP_DEVICE_PORT
=${SWTPM_SERVER_PORT} tcsd -c "${TCSD_CONF}" -e -f &>/dev/null & echo \$! > "${TCSD_PIDFILE}"; wait" &
168 if wait_for_file
"${TCSD_PIDFILE}" 3; then
169 echo "Error: Could not get TCSD's PID file"
173 # wait for PID to be written
175 TCSD_PID
=$
(cat "${TCSD_PIDFILE}")
176 kill_quiet
-0 "${TCSD_PID}"
177 if [ $?
-ne 0 ]; then
178 # Try again with root unless we already tried
179 if [ "$TSS_USER" != "root" ]; then
183 echo "Error: TCSD with pid ${TCSD_PID} must have terminated"
189 ${SWTPM_CREATE_TPMCA} \
190 --dir "${SWTPM_LOCALCA_DIR}" \
191 --srk-password "${srk_password}" \
193 --group "${TSS_GROUP}" \
194 --tss-tcsd-port "${TCSD_LISTEN_PORT}" \
195 --outfile "${SWTPM_LOCALCA_CONF}" &>/dev
/null
197 if [ $?
-ne 0 ]; then
198 echo "Error: Could not create TPM CA"
203 swtpm-localca-rootca-cert.pem \
204 swtpm-localca-rootca-privkey.pem \
205 swtpm-localca-tpmca-cert.pem \
206 swtpm-localca-tpmca-pubkey.pem
; do
207 if [ ! -r "${SWTPM_LOCALCA_DIR}/${fil}" ]; then
208 echo "Error: TPM CA tool did not create file ${fil}."
214 if [ -n "${srk_password}" ]; then
215 params
="^parentkey_password ="
223 "^TSS_TCSD_HOSTNAME = " \
224 "^TSS_TCSD_PORT = " \
226 if [ -n "${regex}" ] && \
227 [ -z "$(grep -E "${regex}" "${SWTPM_LOCALCA_CONF}")" ]; then
228 echo "Error: Could not find regex '${line}' in CA config file."
229 cat "${SWTPM_LOCALCA_CONF}"
235 if [ ${vtpm_is_tpm2} -ne 0 ]; then
239 skip
=7 # header in cert
242 # make sure we can actually sign with this new certificate
245 --ek x
=739192d8f1004283957a7b1568d610b41c637ccc114aadcac4908c20456468fa
,y
=59f63ac06f8011f6fdd1460c6bc8e3e0a2d090d4fc188c7e04870e06795ce8ae \
246 --dir "${workdir}" --vmid test \
248 --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 00 \
249 --tpm-model swtpm
--tpm-version 20170101 --tpm-manufacturer IBM \
250 --configfile "${SWTPM_LOCALCA_CONF}" \
252 if [ $?
-ne 0 ]; then
253 echo "Error: The CA could not sign with the new certificate"
256 if [ ! -f "${workdir}/ek.cert" ]; then
257 echo "Error: The CA did not produce a certificate"
260 # cert was for example 541 bytes long
261 if [ $
(get_filesize
"${workdir}/ek.cert") -lt 500 ]; then
262 echo "Error: The certificate's size is dubious"
263 ls -l "${workdir}/ek.cert"
267 # Check the contents of the certificate
268 certinfo
=$
(dd "if=${workdir}/ek.cert" bs
=1 "skip=$skip" status
=none | \
269 "$CERTTOOL" -i --inder)
270 regexs
=('^[[:space:]]+2.23.133.8.1$'
271 '^[[:space:]]+directoryName:.*(,)?2.23.133.2.3=.*'
272 '^[[:space:]]+directoryName:.*(,)?2.23.133.2.2=.*'
273 '^[[:space:]]+directoryName:.*(,)?2.23.133.2.1=.*'
274 '^[[:space:]]+Certificate Authority \(CA\): FALSE$'
275 '^[[:space:]]+Unknown extension 2.5.29.9 \(not critical\):$'
276 '^[[:space:]]+Hexdump: 3019301706056781050210310e300c0c03322e3002010002020092$')
277 if [ ${vtpm_is_tpm2} -ne 0 ]; then
278 # TPM 2.0; due to ecc: Key agreement
279 regexs
+=('^[[:space:]]+Key agreement\.$'
280 '^[[:space:]]+Signature Algorithm: RSA-SHA256$')
282 regexs
+=('^[[:space:]]+Key encipherment\.$'
283 '^[[:space:]]+Signature Algorithm: RSA-SHA1$')
286 for ((i
=0; i
< ${#regexs}; i
++)); do \
287 if [ -n "${regexs[$i]}" ] && \
288 [ -z "$(echo "${certinfo}" | grep -E "${regexs[$i]}")" ]; then
289 echo "Error: Could not match regex '${regexs[$i]}' with certificate info:"
295 # Send SIGTERM to TCSD
296 kill_quiet
-15 "${TCSD_PID}"
299 run_swtpm_ioctl
"${SWTPM_INTERFACE}" -s
300 if [ $?
-ne 0 ]; then
301 echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
305 if wait_process_gone
"${SWTPM_PID}" 4; then
306 echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore."
310 if wait_process_gone
"${SWTPM_PID}" 4; then
311 echo "Error: tcsd should not be running anymore."
316 run_test
"${OWNER_PASSWORD}" "${SRK_PASSWORD}" 1
319 run_test
"${OWNER_PASSWORD}" "${SRK_PASSWORD}" 0
322 run_test
"" "${SRK_PASSWORD}" 1
325 run_test
"" "${SRK_PASSWORD}" 0