# Test driver for swtpm's TPM 2 control channel: swtpm_ioctl talks to a
# running swtpm over a unixio ctrl socket, and raw TPM 2.0 command buffers
# are pushed over the TCP command channel in the later tests.
# NOTE(review): this listing is a rendered web capture -- every line still
# carries its original gutter number and many lines (fi / exit 1 / the
# swtpm start-up command lines) are absent, so it is not runnable as shown.
3 # For the license, see the LICENSE file in the root directory.
# Build tree and test directory, overridable through abs_top_builddir /
# abs_top_testdir (set by the autotools harness); default to "$0"-relative.
5 ROOT
=${abs_top_builddir:-$(dirname "$0")/..}
6 TESTDIR
=${abs_top_testdir:-$(dirname "$0")}
# Binaries under test. $SWTPM (flavor sub-directory / executable name) is not
# assigned in the visible lines -- presumably exported by the caller; confirm.
9 SWTPM_EXE
=${SWTPM_EXE:-$ROOT/src/swtpm/$SWTPM}
10 SWTPM_IOCTL
=${SWTPM_IOCTL:-$ROOT/src/swtpm_ioctl/swtpm_ioctl}
# Every artefact (pid file, ctrl socket, log, saved volatile state blob)
# lives under $TPMDIR, which is expected to come from the sourced helpers.
12 PID_FILE
=$TPMDIR/${SWTPM}.pid
13 SOCK_PATH
=$TPMDIR/sock
15 RESP_PATH
=$TPMDIR/resp
16 LOGFILE
=$TPMDIR/logfile
17 VOLATILESTATE
=$TPMDIR/volatile
# Helper functions used below (wait_for_file, validate_pidfile, get_filemode,
# get_fileowner, wait_file_gone, wait_process_gone, kill_quiet) come from here.
19 source ${TESTDIR}/common
20 source ${TESTDIR}/test_common
# cleanup runs on SIGTERM and on every exit path so a failed assertion never
# leaves a swtpm daemon (and its listening port/socket) behind.
22 trap "cleanup" SIGTERM EXIT
# Fragment of the cleanup function body: its header and closing lines are not
# in the capture. Terminates the last started swtpm, if any, by its $PID.
27 if [ -n "$PID" ]; then
28 kill_quiet
-SIGTERM $PID 2>/dev
/null
32 # Test 1: test the control channel on the chardev tpm
# When running as root, hand the ctrl socket to user 'nobody': FOWNER is
# appended to the --ctrl mode= string, FILEOWNER is the "uid gid" pair that
# get_fileowner must report later. Outside root both stay empty/unset and
# only the permission bits are checked. FILEMODE is set outside these lines.
33 if [ $
(id
-u) -eq 0 ]; then
34 FOWNER
=",uid=$(id -u nobody),gid=$(id -G nobody | cut -d" " -f1)"
35 FILEOWNER
="$(id -u nobody) $(id -G nobody | cut -d" " -f1)"
38 # make sure --print-capabilities exits with '0'
39 msg
=$
($SWTPM_EXE chardev
--print-capabilities 2>&1)
41 echo "Error: swtpm chardev --print-capabilities failed"
47 # use a pseudo terminal
# The swtpm invocation line itself (original line ~50) is missing from the
# capture; the visible arguments give it a state dir, a pid file and a unixio
# ctrl socket whose mode (and, as root, owner) swtpm sets itself.
51 --tpmstate dir
=$TPMDIR \
52 --pid file=$PID_FILE \
53 --ctrl type=unixio
,path
=$SOCK_PATH,mode
=${FILEMODE}${FOWNER} \
55 ${SWTPM_TEST_SECCOMP_OPT} &
# Inverted helper convention: a zero return from wait_for_file (and from
# wait_file_gone / wait_process_gone below) takes the error branch.
58 if wait_for_file
$PID_FILE 3; then
59 echo "Error: Chardev TPM did not write pidfile."
63 validate_pidfile
$PID $PID_FILE
65 # Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01
# Pattern used for every ctrl command: capture stdout+stderr in act, then
# test $? of the command substitution. The status test for this first call
# is among the lines missing from the capture.
66 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -c 2>&1)
68 echo "Error: $SWTPM_IOCTL CMD_GET_CAPABILITY failed: $act"
# Verify the ctrl socket's permission bits and, as root, its ownership. The
# ctrl channel is privileged (it can stop the TPM, load state blobs and set
# the locality), so the socket must be no more accessible than requested.
72 filemode
=$
(get_filemode
$SOCK_PATH)
73 if [ "$filemode" != "$FILEMODE" ]; then
74 echo "Filemode bits are wrong"
75 echo "Expected: $FILEMODE"
76 echo "Actual : $filemode"
80 fileowner
=$
(get_fileowner
$SOCK_PATH)
81 if [ -n "$FILEOWNER" ] && [ "$fileowner" != "$FILEOWNER" ]; then
82 echo "File ownership is wrong"
83 echo "Expected: $FILEOWNER"
84 echo "Actual : $fileowner"
# exp is deliberately unquoted inside [[ =~ ]] so it acts as a regex; the
# capture group is the capability bitmask reported by swtpm.
88 exp
="ptm capability is 0x([[:xdigit:]]+)"
89 if ! [[ "$act" =~ ^
${exp}$
]]; then
90 echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
94 # Send TPM_Init to the TPM: CMD_INIT = 0x00 00 00 02 + flags
95 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
97 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
101 # Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a
102 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
103 if [ $?
-ne 0 ]; then
104 echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
# The state file lands in the --tpmstate dir. (The message below says
# "Socket TPM" although this is the chardev instance -- copy/paste leftover.)
108 if [ ! -r $TPMDIR/tpm2-00.volatilestate
]; then
109 echo "Error: Socket TPM: Did not write volatile state file"
113 # Send stop command to the TPM: CMD_STOP = 00 00 00 0e
114 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1)
115 if [ $?
-ne 0 ]; then
116 echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act"
120 # Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0f
121 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -g 2>&1)
122 if [ $?
-ne 0 ]; then
123 echo "Error: $SWTPM_IOCTL CMD_GET_CONFIG failed: $act"
127 exp
="ptm configuration flags: 0x([[:xdigit:]]+)"
128 if ! [[ "$act" =~ ^
${exp}$
]]; then
129 echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
133 # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
134 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
135 if [ $?
-ne 0 ]; then
136 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
# After CMD_SHUTDOWN the daemon must remove its pid file and exit on its own.
140 if wait_file_gone
$PID_FILE 2; then
141 echo "Error: TPM should have removed PID file by now."
145 if wait_process_gone
${PID} 4; then
146 echo "Error: TPM should not be running anymore."
152 # Test 2: test the control channel on the socket tpm
154 # There are a few more tests here that require sending commands to the TPM
156 # use a pseudo terminal
# The swtpm invocation line (original line ~157) is missing from the capture.
# The TPM command channel is a TCP server on port 65532; with disconnect=true
# the server presumably closes the connection after each command, which is
# why fd 100 is re-opened before every command below -- confirm in swtpm(8).
158 --server port
=65532,disconnect
=true \
159 --tpmstate dir
=$TPMDIR \
160 --pid file=$PID_FILE \
161 --ctrl type=unixio
,path
=$SOCK_PATH \
162 --log file=$LOGFILE,level
=20 \
# startup-clear: swtpm issues TPM2_Startup itself, so the explicit Startup
# sent further down must be rejected.
164 --flags startup-clear \
165 ${SWTPM_TEST_SECCOMP_OPT} &
168 if wait_for_file
$PID_FILE 3; then
169 echo "Error: Socket TPM did not write pidfile."
173 validate_pidfile
$PID $PID_FILE
# Open the command channel as fd 100 via bash's /dev/tcp pseudo-device
# (bash-only; requires the script to run under bash, not /bin/sh).
175 exec 100<>/dev
/tcp
/localhost
/65532
177 # Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01
178 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -c 2>&1)
179 if [ $?
-ne 0 ]; then
180 echo "Error: $SWTPM_IOCTL CMD_GET_CAPABILITY failed: $act"
184 exp
="ptm capability is 0x([[:xdigit:]]+)"
185 if ! [[ "$act" =~ ^
${exp}$
]]; then
186 echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
190 # Startup the TPM; we used --flags startup-clear so expect this to fail now with 0x100
# Command buffer: tag 80 01 (no sessions), size 0x0c, CC 0x144 (TPM2_Startup),
# startupType 0x0000 (SU_CLEAR). The 10-byte reply carries rc 0x100
# (TPM_RC_INITIALIZE): Startup was already done by swtpm.
191 echo -en '\x80\x01\x00\x00\x00\x0c\x00\x00\x01\x44\x00\x00' >&100
192 RES
=$
(cat <&100 |
od -t x1
-A n
)
193 exp
=' 80 01 00 00 00 0a 00 00 01 00'
194 if [ "$RES" != "$exp" ]; then
195 echo "Error: Did not get expected result from TPM_Startup(SU_Clear)"
196 echo "expected: $exp"
197 echo "received: $RES"
201 # Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a
202 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
203 if [ $?
-ne 0 ]; then
204 echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
208 if [ ! -r $TPMDIR/tpm2-00.volatilestate
]; then
209 echo "Error: Socket TPM: Did not write volatile state file"
# tpmEstablished round trip (steps 1-5): starts at 0, hashing data through
# the ctrl channel sets it to 1, CMD_RESET_TPMESTABLISHED issued with
# locality 3 (-r 3) must clear it again.
213 # 1. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
214 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1)
215 if [ $?
-ne 0 ]; then
216 echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act"
220 exp
="tpmEstablished is 0"
221 if [ "$act" != "$exp" ]; then
222 echo "Error: Expected '$exp' but got '$act'."
226 # 2. Hash the given data
# Grow the payload past 0x2000 bytes by doubling; its seed (original line
# 227) is not in the capture. $data is passed on argv unquoted, which only
# works because the payload contains no whitespace or glob characters.
228 while [ ${#data} -lt $
((0x2000)) ]; do
229 data
="${data}${data}"
231 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -h $data 2>&1)
232 if [ $?
-ne 0 ]; then
233 echo "Error: $SWTPM_IOCTL data hashing failed: $act"
237 # 3. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
238 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1)
239 if [ $?
-ne 0 ]; then
240 echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act"
244 exp
="tpmEstablished is 1"
245 if [ "$act" != "$exp" ]; then
246 echo "Error: Expected '$exp' but got '$act'."
250 # 4. Send command to reset TPM established flag: CMD_RESET_TPMESTABLISHED = 00 00 00 0b 03
251 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -r 3 2>&1)
252 if [ $?
-ne 0 ]; then
253 echo "Error: $SWTPM_IOCTL CMD_RESET_TPMESTABLISHED failed: $act"
257 # 5. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04
258 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1)
259 if [ $?
-ne 0 ]; then
260 echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act"
264 exp
="tpmEstablished is 0"
265 if [ "$act" != "$exp" ]; then
266 echo "Error: Expected '$exp' but got '$act'."
# TPM2_PCR_Read (CC 0x17e): one pcrSelection with hash 0x000b (SHA-256),
# 3 select bytes "00 00 02" = bit 1 of byte 2 = PCR 17. The reply is
# multi-line from od, so tr joins it; the expected digest is the 32 bytes
# after the "00 20" size field.
271 exec 100<>/dev
/tcp
/localhost
/65532
272 # length CC count hashalg sz
273 echo -en '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x00\x02' >&100
274 RES
=$
(cat <&100 |
od -t x1
-A n |
tr -d "\n")
275 exp
=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 18 00 00 00 01 00 0b 03 00 00 02 00 00 00 01 00 20 e5 17 e3 9b 10 a3 5b 3b b7 29 95 79 4b c6 4a 07 f8 bc b0 bd e6 bb 31 ad 35 27 fb 6f 64 f8 4c b9'
276 if [ "$RES" != "$exp" ]; then
277 echo "Error: (1) Did not get expected result from TPM_PCRRead(17)"
278 echo "expected: $exp"
279 echo "received: $RES"
283 # Get the volatile state of the TPM: CMD_GET_STATEBLOB = 00 00 00 0c
# Pulls the volatile state blob over the ctrl channel into $VOLATILESTATE.
284 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH --save volatile
$VOLATILESTATE 2>&1)
285 if [ $?
-ne 0 ]; then
286 echo "Error: $SWTPM_IOCTL CMD_GET_STATEBLOB failed: $act"
290 # Send stop command to the TPM: CMD_STOP = 00 00 00 0e
291 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1)
292 if [ $?
-ne 0 ]; then
293 echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act"
297 # Read PCR 17 -- should fail now
# Same PCR read as above; with the TPM stopped only a bare 10-byte error
# reply with rc 0x0101 (presumably TPM_RC_FAILURE) comes back.
298 exec 100<>/dev
/tcp
/localhost
/65532
299 # length CC count hashalg sz
300 echo -en '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x00\x02' >&100
301 RES
=$
(cat <&100 |
od -t x1
-A n |
tr -d "\n")
302 exp
=' 80 01 00 00 00 0a 00 00 01 01'
303 if [ "$RES" != "$exp" ]; then
304 echo "Error: (1) Did not get expected result from TPM_PCRRead(17)"
305 echo "expected: $exp"
306 echo "received: $RES"
310 # Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0f
311 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -g 2>&1)
312 if [ $?
-ne 0 ]; then
313 echo "Error: $SWTPM_IOCTL CMD_GET_CONFIG failed: $act"
317 exp
="ptm configuration flags: 0x([[:xdigit:]]+)"
318 if ! [[ "$act" =~ ^
${exp}$
]]; then
319 echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'."
323 # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
324 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
325 if [ $?
-ne 0 ]; then
326 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
330 if wait_file_gone
$PID_FILE 2; then
331 echo "Error: TPM should have removed PID file by now."
335 if wait_process_gone
${PID} 4; then
336 echo "Error: TPM should not be running anymore."
342 # Test 3: test the control channel on the socket tpm: resume encrypted state
344 # copy all the state files
# Pre-built encrypted TPM 2 state from the test data directory. The state
# key is derived from the password in pwdfile.txt with kdf=sha512 (--key
# below), so a passing test also proves the pwdfile/kdf decryption path.
345 cp ${TESTDIR}/data
/tpm2state
2/* ${TPMDIR}
# The swtpm invocation line (original line ~347) is missing from the capture.
348 --server port
=65532,disconnect
=true \
349 --tpmstate dir
=$TPMDIR \
350 --pid file=$PID_FILE \
351 --ctrl type=unixio
,path
=$SOCK_PATH \
352 --key pwdfile
=${TESTDIR}/data
/tpm2state
2/pwdfile.txt
,kdf
=sha512 \
# not-need-init: the TPM is usable without a preceding CMD_INIT.
354 --flags not-need-init \
355 ${SWTPM_TEST_SECCOMP_OPT} &
358 if wait_for_file
$PID_FILE 3; then
359 echo "Error: Socket TPM did not write pidfile."
363 validate_pidfile
$PID $PID_FILE
# TPM2_PCR_Read of PCR 10: select bytes "00 04 00" = bit 2 of byte 1, SHA-256.
# od -w128 keeps the whole reply on one line, so no tr is needed here.
366 exec 100<>/dev
/tcp
/localhost
/65532
367 # length CC count hashalg sz
368 echo -en '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x04\x00' >&100
369 RES
=$
(cat <&100 |
od -t x1
-A n
-w128)
370 exp
=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 16 00 00 00 01 00 0b 03 00 04 00 00 00 00 01 00 20 f6 85 98 e5 86 8d e6 8b 97 29 99 60 f2 71 7d 17 67 89 a4 2f 9a ae a8 c7 b7 aa 79 a8 62 56 c1 de'
371 if [ "$RES" != "$exp" ]; then
372 echo "Error: (1) Did not get expected result from TPM2_PCRRead(10)"
373 echo "expected: $exp"
374 echo "received: $RES"
378 # Get the volatile state of the TPM: CMD_GET_STATEBLOB = 00 00 00 0c
# Snapshot of the (decrypted) volatile state; it is loaded back after the
# restart below and must reproduce the same PCR 10 digest.
380 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH --save volatile
$VOLATILESTATE 2>&1)
381 if [ $?
-ne 0 ]; then
382 echo "Error: $SWTPM_IOCTL CMD_GET_STATEBLOB failed: $act"
386 # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
387 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
388 if [ $?
-ne 0 ]; then
389 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
393 if wait_process_gone
${PID} 4; then
394 echo "Error: TPM should not be running anymore."
398 if [ -f $PID_FILE ]; then
399 echo "Error: Socket TPM should have removed the PID file."
403 # remove volatile state
# NOTE(review): $TPMDIR is unquoted and unguarded here; an unset or empty
# TPMDIR would make this expand to '/*.volatilestate'. Writing it as
# rm -f -- "${TPMDIR:?}"/*.volatilestate aborts instead of running loose.
404 rm -f $TPMDIR/*.volatilestate
# Second start with identical options (invocation line ~406 missing from
# the capture) but without any volatile state on disk.
407 --server port
=65532,disconnect
=true \
408 --tpmstate dir
=$TPMDIR \
409 --pid file=$PID_FILE \
410 --ctrl type=unixio
,path
=$SOCK_PATH \
411 --key pwdfile
=${TESTDIR}/data
/tpm2state
2/pwdfile.txt
,kdf
=sha512 \
413 --flags not-need-init \
414 ${SWTPM_TEST_SECCOMP_OPT} &
417 if wait_for_file
$PID_FILE 3; then
418 echo "Error: Socket TPM did not write pidfile."
422 validate_pidfile
$PID $PID_FILE
424 # Read PCR 10 -- this should fail now
# With no volatile state and no Startup performed the read is rejected with
# rc 0x100 (TPM_RC_INITIALIZE): the expected 10-byte error reply below.
425 exec 100<>/dev
/tcp
/localhost
/65532
426 # length CC count hashalg sz
427 echo -en '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x04\x00' >&100
428 RES
=$
(cat <&100 |
od -t x1
-A n
-w128)
429 exp
=' 80 01 00 00 00 0a 00 00 01 00'
430 if [ "$RES" != "$exp" ]; then
431 echo "Error: (1) Did not get expected result from TPM2_PCRRead(10)"
432 echo "expected: $exp"
433 echo "received: $RES"
437 # Send stop command to the TPM: CMD_STOP = 00 00 00 0e
438 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1)
439 if [ $?
-ne 0 ]; then
440 echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act"
444 # Send the volatile state to the TPM (while it is stopped)
# Loading a state blob is only accepted while the TPM is stopped; this is a
# ctrl-channel-only operation, i.e. whoever can reach the ctrl socket can
# replace the TPM's volatile state.
445 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH --load volatile
$VOLATILESTATE 2>&1)
446 if [ $?
-ne 0 ]; then
447 echo "Error: $SWTPM_IOCTL CMD_SET_STATEBLOB failed: $act"
451 # Send init command to the TPM: CMD_INIT = 00 00 00 02
452 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
453 if [ $?
-ne 0 ]; then
454 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
458 # Read PCR 10 -- has to return same result as before
# The expected reply is byte-for-byte the one captured before the restart,
# proving the restored blob carries the PCR contents.
459 exec 100<>/dev
/tcp
/localhost
/65532
460 # length CC count hashalg sz
461 echo -en '\x80\x01\x00\x00\x00\x14\x00\x00\x01\x7e\x00\x00\x00\x01\x00\x0b\x03\x00\x04\x00' >&100
462 RES
=$
(cat <&100 |
od -t x1
-A n
-w128)
463 exp
=' 80 01 00 00 00 3e 00 00 00 00 00 00 00 16 00 00 00 01 00 0b 03 00 04 00 00 00 00 01 00 20 f6 85 98 e5 86 8d e6 8b 97 29 99 60 f2 71 7d 17 67 89 a4 2f 9a ae a8 c7 b7 aa 79 a8 62 56 c1 de'
464 if [ "$RES" != "$exp" ]; then
465 echo "Error: (1) Did not get expected result from TPM2_PCRRead(10)"
466 echo "expected: $exp"
467 echo "received: $RES"
471 # Reset PCR 20 while in locality 0 -- should not work
# TPM2_PCR_Reset (CC 0x13d, tag 80 02 = with sessions) on PCR handle 0x14
# (PCR 20) using an empty password session (0x40000009). PCR 20 is only
# resettable from a higher locality, so the TPM answers rc 0x907
# (TPM_RC_LOCALITY) in locality 0.
472 exec 100<>/dev
/tcp
/localhost
/65532
473 echo -en '\x80\x02\x00\x00\x00\x1b\x00\x00\x01\x3d\x00\x00\x00\x14\x00\x00\x00\x09\x40\x00\x00\x09\x00\x00\x00\x00\x00' >&100
474 RES
=$
(cat <&100 |
od -t x1
-A n
)
475 exp
=' 80 01 00 00 00 0a 00 00 09 07'
476 if [ "$RES" != "$exp" ]; then
477 echo "Error: Trying to reset PCR 20 in locality 0 returned unexpected result"
478 echo "expected: $exp"
479 echo "received: $RES"
483 # In locality 2 we can reset PCR 20
484 # Set the locality on the TPM: CMD_SET_LOCALITY = 00 00 00 05 <locality>
# Locality is raised purely through the ctrl channel: any client that can
# open the ctrl socket can thereby reset locality-protected PCRs. This is
# the reason test 1 verifies the socket's mode and owner.
485 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -l 2 2>&1)
486 if [ $?
-ne 0 ]; then
487 echo "Error: $SWTPM_IOCTL CMD_SET_LOCALITY failed: $act"
491 # Reset PCR 20 while in locality 2 -- has to work
# Same command as before; success is a session-tagged reply with rc 0.
492 exec 100<>/dev
/tcp
/localhost
/65532
493 echo -en '\x80\x02\x00\x00\x00\x1b\x00\x00\x01\x3d\x00\x00\x00\x14\x00\x00\x00\x09\x40\x00\x00\x09\x00\x00\x00\x00\x00' >&100
494 RES
=$
(cat <&100 |
od -t x1
-A n
-w512)
495 exp
=' 80 02 00 00 00 13 00 00 00 00 00 00 00 00 00 00 01 00 00'
496 if [ "$RES" != "$exp" ]; then
497 echo "Error: Could not reset PCR 20 in locality 2"
498 echo "expected: $exp"
499 echo "received: $RES"
503 # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03
504 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
505 if [ $?
-ne 0 ]; then
506 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
510 if wait_file_gone
$PID_FILE 2; then
511 echo "Error: TPM should have removed PID file by now."
515 if wait_process_gone
${PID} 4; then
516 echo "Error: TPM should not be running anymore."