#!/usr/bin/env bash
#set -x

# For the license, see the LICENSE file in the root directory.

# Environment checks. Each one reports why the test cannot run here and
# exits with 77, which the test harness treats as "skipped", not "failed".

# Print the given lines and skip the test (exit status 77).
skip_test() {
  printf '%s\n' "$@"
  exit 77
}

if [ "$(id -u)" -ne 0 ]; then
  skip_test "Need to be root to run this test."
fi

# getenforce is absent on non-SELinux systems; its error output then simply
# never equals "Enforcing"
if [ "$(getenforce 2>&1)" = "Enforcing" ]; then
  skip_test "Test may not work with SELinux in enforcing mode."
fi

# tpm2_ptool may not be packaged everywhere ...
if ! type -P tpm2_ptool > /dev/null; then
  skip_test "Could not find tpm2_ptool in PATH"
fi

# the usage text lists the available sub-commands; 'config' must be among them
if [ -z "$(tpm2_ptool | grep ",config,")" ]; then
  skip_test "tpm2_ptool does not support the config command"
fi

if ! type -P tpm2-abrmd > /dev/null; then
  skip_test "Could not find tpm2-abrmd in PATH"
fi

# the PKCS#11 module is looked up at a fixed path, not via PATH
if [ ! -r /usr/lib64/pkcs11/libtpm2_pkcs11.so ]; then
  skip_test "/usr/lib64/pkcs11/libtpm2_pkcs11.so is missing" \
            "tpm2-pkcs11 package may not be installed."
fi
# Locations of the tools under test; the abs_top_* variables are set by the
# build system, the fallbacks assume the script lives in tests/ of the tree.
ROOT=${abs_top_builddir:-$(dirname "$0")/..}
# NB: ':=' (not ':-') also assigns abs_top_testdir as a side effect
TESTDIR=${abs_top_testdir:=$(dirname "$0")}
SRCDIR=${abs_top_srcdir:-$(dirname "$0")/..}

SWTPM="${ROOT}/src/swtpm/swtpm"
SWTPM_IOCTL="${ROOT}/src/swtpm_ioctl/swtpm_ioctl"
SWTPM_SETUP="${ROOT}/src/swtpm_setup/swtpm_setup"
SWTPM_LOCALCA="${ROOT}/src/swtpm_localca/swtpm_localca"
SWTPM_CREATE_TPMCA="${SRCDIR}/samples/swtpm-create-tpmca"

# swtpm is reached over TCP on localhost; the fake control port is served
# by ncat in run_test()
SWTPM_INTERFACE=socket+socket
SWTPM_SERVER_NAME=localhost
SWTPM_CTRL_PORT=65454
SWTPM_SERVER_PORT=65455
SWTPM_FAKE_CTRL_PORT=65456

# private scratch directory; everything the test writes lives below it
workdir=$(mktemp -d) || exit 1

# the directory name deliberately contains a space to exercise quoting
SWTPM_LOCALCA_DIR="${workdir}/my localca"
SWTPM_LOCALCA_CONF="${SWTPM_LOCALCA_DIR}/swtpm-localca.conf"
TPM2_ABRMD_PIDFILE="${workdir}/tpm2-abrmd.pid"
TPM2_PKCS11_STORE="${workdir}"
export TPM2_PKCS11_STORE

# process/object ids filled in by run_test() and consumed by cleanup()
PID=""           # primary object id returned by tpm2_ptool
TPM2_ABRMD_PID=""
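#######################################
# Tear down everything run_test() started and remove the work directory.
# Installed as the SIGTERM/EXIT trap, so it runs on every exit path.
# Globals:   PID, TPM2_ABRMD_PID, SWTPM_PID, BASH_PID, NCAT_PID, workdir (read)
# Arguments: none
# Returns:   status of the last command run
#######################################
function cleanup()
{
  # destroy the tpm2_ptool primary object; the tool asks for confirmation
  if [ -n "${PID}" ]; then
    echo "y" | tpm2_ptool destroy "${PID}" &>/dev/null
  fi
  # NOTE(review): these PIDs were recorded earlier and may belong to
  # processes that have already exited; kill_quiet (from tests/common,
  # not shown here) is assumed to tolerate that.
  if [ -n "${TPM2_ABRMD_PID}" ]; then
    kill_quiet -9 "${TPM2_ABRMD_PID}"
  fi
  if [ -n "${SWTPM_PID}" ]; then
    kill_quiet -9 "${SWTPM_PID}"
  fi
  if [ -n "${BASH_PID}" ]; then
    kill_quiet -9 "${BASH_PID}"
  fi
  if [ -n "${NCAT_PID}" ]; then
    kill_quiet -9 "${NCAT_PID}"
  fi
  # never run 'rm -rf' with an empty path (e.g. if mktemp failed early)
  if [ -n "${workdir}" ]; then
    rm -rf -- "${workdir}"
  fi
}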
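# Install cleanup() before anything below can fail; EXIT covers the normal
# exit paths as well, so the work directory never outlives the test.
trap "cleanup" SIGTERM EXIT
# tests/common presumably provides run_swtpm, kill_quiet, wait_for_file and
# friends (not visible here). Quoted: TESTDIR is derived from "$0" and may
# contain spaces.
source "${TESTDIR}/common"

# swtpm_bios and swtpm_cert from the build tree take precedence over any
# installed copies
PATH=${ROOT}/src/swtpm_bios:${ROOT}/src/swtpm_cert:${PATH}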
# Run the tests
# @param1: non-zero if the vTPM for which the certificate is created is a TPM 2
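#######################################
# Create a TPM CA whose key lives in a (sw)TPM 2 reached via tpm2-pkcs11 and
# tpm2-abrmd, then check that swtpm_localca can sign an EK certificate with
# it and that the certificate carries the expected fields.
# Exits the script with status 1 at the first failing step.
# Globals:   PID, TPM2_ABRMD_PID, BASH_PID, NCAT_PID, SWTPM_PID (written so
#            that cleanup() can tear the processes down);
#            workdir, SWTPM_* and TPM2_ABRMD_PIDFILE (read);
#            SWTPM_EXE, SWTPM_TEST_SECCOMP_OPT, CERTTOOL are not set in this
#            file — presumably they come from tests/common.
# Arguments: $1 - non-zero if the vTPM for which the certificate is created
#                 is a TPM 2, 0 otherwise
# Outputs:   diagnostics on stdout when a step fails
#######################################
function run_test() {
  local vtpm_is_tpm2="$1"

  local tmp params certinfo regex regexs fil skip

  # start from a clean work directory (keeps the directory itself)
  rm -rf "${workdir}"/*

  cat <<_EOF_ > "${workdir}/swtpm_setup.conf"
create_certs_tool=${SWTPM_LOCALCA}
create_certs_tool_config=${workdir}/swtpm-localca.conf
create_certs_tool_options=/dev/null
_EOF_

  "${SWTPM_SETUP}" \
    --tpm-state "${workdir}" \
    --logfile "${workdir}/logfile" \
    --config "${workdir}/swtpm_setup.conf" \
    --tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
    --swtpm_ioctl "${SWTPM_IOCTL}" \
    --tpm2 > /dev/null

  if [ $? -ne 0 ]; then
    echo "Error: Could not run $SWTPM_SETUP."
    echo "Setup Logfile:"
    cat "${workdir}/logfile"
    exit 1
  fi

  SWTPM_SERVER_NO_DISCONNECT=1 run_swtpm ${SWTPM_INTERFACE} \
    --tpm2 \
    --flags not-need-init \
    --tpmstate "dir=${workdir}" \
    --log level=0

  # Fake control channel: ncat answers every NUL-terminated request on
  # SWTPM_FAKE_CTRL_PORT with four zero bytes.
  ncat -l ${SWTPM_FAKE_CTRL_PORT} \
    -k -c "xargs --null -n1 printf '\x00\x00\x00\x00' 2>/dev/null" &
  NCAT_PID=$!
  # '&' itself always succeeds; whether ncat is alive is only known via kill -0
  kill_quiet -0 "${NCAT_PID}"
  if [ $? -ne 0 ]; then
    echo "ncat must have terminated"
    exit 1
  fi

  # Start tpm2-abrmd through a wrapper shell that records the daemon's PID
  # in TPM2_ABRMD_PIDFILE; the wrapper's own PID is kept for cleanup(). The
  # path is single-quoted inside the child shell so it survives spaces.
  bash -c "tpm2-abrmd --tcti=mssim:host=127.0.0.1,port=${SWTPM_SERVER_PORT} --allow-root & echo \$! > '${TPM2_ABRMD_PIDFILE}'; wait" &
  BASH_PID=$!

  if wait_for_file "${TPM2_ABRMD_PIDFILE}" 3; then
    echo "Error: Could not get tpm2-abrmd's PID file"
    exit 1
  fi

  TPM2_ABRMD_PID=$(cat "${TPM2_ABRMD_PIDFILE}")
  kill_quiet -0 "${TPM2_ABRMD_PID}"
  if [ $? -ne 0 ]; then
    echo "Error: tpm2-abrmd with pid ${TPM2_ABRMD_PID} must have terminated"
    exit 1
  fi

  tmp="$(tpm2_ptool init 2>&1)"
  if [ $? -ne 0 ]; then
    echo "tpm2_ptool init failed:"
    echo "${tmp}"
    exit 1
  fi
  # the primary object id is reported on a line of the form "id: <n>"
  PID="$(echo "${tmp}" | grep -E "^id:" | cut -d ":" -f2 | tr -d " ")"
  if [ -z "${PID}" ]; then
    echo "Could not grep the pid from the tpm2_ptool output"
    echo "${tmp}"
    exit 1
  fi

  # The PINs are passed through the environment rather than on the command
  # line, so they are not exposed as process arguments.
  tmp="$(SWTPM_PKCS11_PIN="mypin 123" SWTPM_PKCS11_SO_PIN="123" "${SWTPM_CREATE_TPMCA}" \
    --dir "${SWTPM_LOCALCA_DIR}" \
    --overwrite \
    --outfile "${SWTPM_LOCALCA_CONF}" \
    --group tss \
    --tpm2 \
    --pid "${PID}" 2>&1)"

  if [ $? -ne 0 ]; then
    echo "Error: Could not create TPM CA"
    echo "${tmp}"
    exit 1
  fi

  for fil in \
      swtpm-localca-rootca-cert.pem \
      swtpm-localca-rootca-privkey.pem \
      swtpm-localca-tpmca-cert.pem \
      swtpm-localca-tpmca-pubkey.pem; do
    if [ ! -r "${SWTPM_LOCALCA_DIR}/${fil}" ]; then
      echo "Error: TPM CA tool did not create file ${fil}."
      exit 1
    fi
  done

  # The generated CA config must carry these keys. Note that the user PIN
  # (with its embedded space) is stored in clear text in that file, so its
  # permissions are what protects it.
  for regex in \
      "^statedir = " \
      "^signingkey = " \
      "^issuercert = " \
      "^certserial = " \
      "^SWTPM_PKCS11_PIN = mypin 123"; do
    if [ -z "$(grep -E "${regex}" "${SWTPM_LOCALCA_CONF}")" ]; then
      # report the regex that failed (the original message referenced an
      # undefined variable)
      echo "Error: Could not find regex '${regex}' in CA config file."
      cat "${SWTPM_LOCALCA_CONF}"
      exit 1
    fi
  done

  params=""
  if [ "${vtpm_is_tpm2}" -ne 0 ]; then
    params="--tpm2"
    skip=0
  else
    skip=7 # header in cert
  fi

  # make sure we can actually sign with this new certificate
  "${SWTPM_LOCALCA}" \
    --type ek \
    --ek x=739192d8f1004283957a7b1568d610b41c637ccc114aadcac4908c20456468fa,y=59f63ac06f8011f6fdd1460c6bc8e3e0a2d090d4fc188c7e04870e06795ce8ae \
    --dir "${workdir}" --vmid test \
    ${params} \
    --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 00 \
    --tpm-model swtpm --tpm-version 20170101 --tpm-manufacturer IBM \
    --configfile "${SWTPM_LOCALCA_CONF}" \
    --optsfile /dev/null
  if [ $? -ne 0 ]; then
    echo "Error: The CA could not sign with the new certificate"
    exit 1
  fi
  if [ ! -f "${workdir}/ek.cert" ]; then
    echo "Error: The CA did not produce a certificate"
    exit 1
  fi
  # cert was for example 541 bytes long
  if [ "$(get_filesize "${workdir}/ek.cert")" -lt 500 ]; then
    echo "Error: The certificate's size is dubious"
    ls -l "${workdir}/ek.cert"
    exit 1
  fi

  # Check the contents of the certificate; 'skip' drops the header that
  # precedes the DER data in the non-TPM 2 case (see above)
  certinfo=$(dd "if=${workdir}/ek.cert" bs=1 "skip=$skip" status=none | \
             "$CERTTOOL" -i --inder)
  regexs=('^[[:space:]]+2.23.133.8.1$'
          '^[[:space:]]+directoryName:.*(,)?2.23.133.2.3=.*'
          '^[[:space:]]+directoryName:.*(,)?2.23.133.2.2=.*'
          '^[[:space:]]+directoryName:.*(,)?2.23.133.2.1=.*'
          '^[[:space:]]+Certificate Authority \(CA\): FALSE$'
          '^[[:space:]]+Unknown extension 2.5.29.9 \(not critical\):$'
          '^[[:space:]]+Hexdump: 3019301706056781050210310e300c0c03322e3002010002020092$')
  if [ "${vtpm_is_tpm2}" -ne 0 ]; then
    # TPM 2.0; due to ecc: Key agreement
    regexs+=('^[[:space:]]+Key agreement\.$'
             '^[[:space:]]+Signature Algorithm: RSA-SHA256$')
  else
    regexs+=('^[[:space:]]+Key encipherment\.$'
             '^[[:space:]]+Signature Algorithm: RSA-SHA1$')
  fi

  # Iterate over the array elements themselves. (A C-style loop bounded by
  # ${#regexs} would use the string length of the first element, not the
  # element count, and silently skip checks if that string were short.)
  for regex in "${regexs[@]}"; do
    if [ -z "$(echo "${certinfo}" | grep -E "${regex}")" ]; then
      echo "Error: Could not match regex '${regex}' with certificate info:"
      echo "${certinfo}"
      exit 1
    fi
  done

  # Send SIGTERM to tpm2-abrmd; the wrapper shell's 'wait' returns once the
  # daemon is gone, so BASH_PID needs no separate kill here
  kill_quiet -15 "${TPM2_ABRMD_PID}"
  TPM2_ABRMD_PID=""

  kill_quiet -9 "${NCAT_PID}"
  NCAT_PID=""

  # Shut down TPM
  run_swtpm_ioctl "${SWTPM_INTERFACE}" -s
  if [ $? -ne 0 ]; then
    echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
    exit 1
  fi

  if wait_process_gone "${SWTPM_PID}" 4; then
    echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore."
    exit 1
  fi
  SWTPM_PID=""
} # run_test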
# Run once with vtpm_is_tpm2=1 and once with 0; run_test() exits the script
# itself on failure, so reaching the echo means that run passed.
test_no=1
for vtpm_is_tpm2 in 1 0; do
  run_test "${vtpm_is_tpm2}"
  echo "Test ${test_no}: OK"
  test_no=$((test_no + 1))
done

exit 0