4 # For the license, see the LICENSE file in the root directory.
# Environment preconditions. Each check prints a message; what happens
# afterwards (exit or warn) is on lines not included in this excerpt.
# Root is needed: tpm2-abrmd is started with --allow-root further below.
6 if [ "$(id -u)" -ne 0 ]; then
7 echo "Need to be root to run this test."
# SELinux in enforcing mode may block the resource manager or the PKCS#11
# module; the wording suggests this is a warning rather than a hard failure.
11 tmp
="$(getenforce 2>&1)"
12 if [ "${tmp}" = "Enforcing" ]; then
13 echo "Test may not work with SELinux in enforcing mode."
17 # tpm2_ptool may not be packaged everywhere ...
18 if [ -z "$(type -P tpm2_ptool)" ]; then
19 echo "Could not find tpm2_ptool in PATH"
# The tool's usage text is searched for the ",config," token to make sure
# the 'config' sub-command exists (presumably absent in older releases).
23 if [ -z "$(tpm2_ptool | grep ",config
,")" ]; then
24 echo "tpm2_ptool does not support the config command"
28 if [ -z "$(type -P tpm2-abrmd)" ]; then
29 echo "Could not find tpm2-abrmd in PATH"
# The PKCS#11 module path is hard-coded to /usr/lib64; on other library
# layouts this check fails even when tpm2-pkcs11 is installed.
33 if [ ! -r /usr
/lib64
/pkcs11
/libtpm2_pkcs11.so
]; then
34 echo "/usr/lib64/pkcs11/libtpm2_pkcs11.so is missing"
35 echo "tpm2-pkcs11 package may not be installed."
# Build tree (ROOT), test directory and source tree; the autotools
# abs_top_* variables win when set, otherwise the script's parent directory
# is used. Note TESTDIR uses ':=', which also assigns abs_top_testdir.
39 ROOT
=${abs_top_builddir:-$(dirname "$0")/..}
40 TESTDIR
=${abs_top_testdir:=$(dirname "$0")}
41 SRCDIR
=${abs_top_srcdir:-$(dirname "$0")/..}
# Binaries under test are addressed by their build-tree path rather than
# looked up in PATH, so an installed swtpm cannot be picked up by mistake.
43 SWTPM_SETUP
=${ROOT}/src
/swtpm_setup
/swtpm_setup
44 SWTPM_CREATE_TPMCA
=${SRCDIR}/samples
/swtpm-create-tpmca
45 SWTPM_LOCALCA
=${ROOT}/src
/swtpm_localca
/swtpm_localca
46 SWTPM
=${ROOT}/src
/swtpm
/swtpm
47 SWTPM_IOCTL
=${ROOT}/src
/swtpm_ioctl
/swtpm_ioctl
# Socket transport; the server name is localhost, so the swtpm command
# port is presumably only reachable from this machine.
49 SWTPM_INTERFACE
=socket
+socket
50 SWTPM_SERVER_NAME
=localhost
51 SWTPM_SERVER_PORT
=65455
# Port of the fake control channel that ncat serves further below
# (server port + 1, as the mssim-style TCTI expects).
53 SWTPM_FAKE_CTRL_PORT
=65456
# Private, unpredictable working directory; TPM state, CA keys, the
# PKCS#11 store and the PID file all live underneath it.
55 workdir
="$(mktemp -d)" ||
exit 1
# The CA directory name deliberately contains a space to exercise quoting
# in the tools and in the generated config file.
57 SWTPM_LOCALCA_DIR
="${workdir}/my localca"
58 SWTPM_LOCALCA_CONF
="${workdir}/my localca/swtpm-localca.conf"
# Exported so child processes (the PKCS#11 module) find the object store
# created by 'tpm2_ptool init' below.
59 export TPM2_PKCS11_STORE
="${workdir}"
60 TPM2_ABRMD_PIDFILE
="${workdir}/tpm2-abrmd.pid"
# NOTE: despite the name this is not a process id (see the comment).
62 PID
="" # primary object id returned by tpm2_ptool
# Body of the cleanup handler installed by the EXIT/SIGTERM trap below; the
# function header is not part of this excerpt. Tears down, in order: the
# tpm2_ptool primary object, tpm2-abrmd, swtpm, the bash wrapper around
# tpm2-abrmd and the ncat stub for the control channel.
67 if [ -n "${PID}" ]; then
# Interactive confirmation is fed via stdin; output is discarded so a
# missing object at exit does not clutter the test log.
68 echo "y" | tpm2_ptool destroy
${PID} &>/dev
/null
# kill -9 is the fallback for early exits; the orderly shutdown path
# (SIGTERM to tpm2-abrmd, swtpm_ioctl -s for swtpm) is at the end of
# the test function.
70 if [ -n "${TPM2_ABRMD_PID}" ]; then
71 kill_quiet
-9 ${TPM2_ABRMD_PID}
73 if [ -n "${SWTPM_PID}" ]; then
74 kill_quiet
-9 ${SWTPM_PID}
76 if [ -n "${BASH_PID}" ]; then
77 kill_quiet
-9 ${BASH_PID}
79 if [ -n "${NCAT_PID}" ]; then
80 kill_quiet
-9 ${NCAT_PID}
# cleanup runs on normal exit and on SIGTERM.
85 trap "cleanup" SIGTERM EXIT
# Shared helpers (run_swtpm, kill_quiet, wait_for_file, wait_process_gone,
# run_swtpm_ioctl, get_filesize are used below but not defined here, so
# presumably they come from this file).
# NOTE(review): ${TESTDIR} is unquoted although it derives from "$0"; a
# test path containing whitespace would split the source argument.
86 source ${TESTDIR}/common
# Prefer the build-tree swtpm_bios and swtpm_cert over any installed copy.
88 PATH
=${ROOT}/src/swtpm_bios:${ROOT}/src/swtpm_cert:${PATH}
# @param1: non-zero if the vTPM for which the certificate is created is a
#          TPM 2 (ECC EK, "Key agreement" branch below), zero otherwise
# (The function header itself is not part of this excerpt.)
93 local vtpm_is_tpm2
="$1"
95 local tmp params certinfo regex regexs fil i skip
# Write the swtpm_setup config pointing at the build-tree swtpm_localca.
# The heredoc delimiter is unquoted, so ${SWTPM_LOCALCA} and ${workdir}
# are expanded into the file; the terminator line is not shown here.
# The swtpm_setup invocation that the --tpm-state/--logfile/--config/...
# options belong to starts on a line not shown either; the following
# "$?" test refers to that command, and the logfile is dumped on failure
# to aid debugging. SWTPM_EXE and SWTPM_TEST_SECCOMP_OPT are not set in
# this excerpt (presumably provided by the common helpers).
99 cat <<_EOF_ > "${workdir}/swtpm_setup.conf"
100 create_certs_tool=${SWTPM_LOCALCA}
101 create_certs_tool_config=${workdir}/swtpm-localca.conf
102 create_certs_tool_options=/dev/null
106 --tpm-state "${workdir}" \
107 --logfile "${workdir}/logfile" \
108 --config "${workdir}/swtpm_setup.conf" \
109 --tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
110 --swtpm_ioctl "${SWTPM_IOCTL}" \
113 if [ $?
-ne 0 ]; then
114 echo "Error: Could not run $SWTPM_SETUP."
115 echo "Setup Logfile:"
116 cat ${workdir}/logfile
# Start the swtpm under test over the socket transport with the state
# provisioned above; SWTPM_SERVER_NO_DISCONNECT=1 is passed in the
# environment of run_swtpm (its meaning is defined in the helper, not here).
# The command continues on lines not shown; SWTPM_PID is assigned there.
120 SWTPM_SERVER_NO_DISCONNECT
=1 run_swtpm
${SWTPM_INTERFACE} \
122 --flags not-need-init \
123 --tpmstate "dir=${workdir}" \
126 ncat
-l ${SWTPM_FAKE_CTRL_PORT} \
127 -k -c "xargs --null -n1 printf '\x00\x00\x00\x00' 2>/dev/null" &
# The ncat line above is a stub for the platform/control port that the
# mssim TCTI expects next to the command port: every NUL-delimited chunk it
# reads is answered with four zero bytes, nothing is interpreted.
# NOTE(review): 'ncat -l PORT' with no bind address listens on all
# interfaces by default; giving it a localhost address before the port
# would keep this unauthenticated stub local to the machine.
# NOTE(review): because that command ends in '&', $? here is the status of
# launching the background job (always 0), so this branch cannot fire; the
# kill -0 probe below is the effective liveness check.
128 if [ $?
-ne 0 ]; then
129 echo "Could not start ncat"
# NCAT_PID is assigned on a line not shown here.
133 kill_quiet
-0 ${NCAT_PID}
134 if [ $?
-ne 0 ]; then
135 echo "ncat must have terminated"
# tpm2-abrmd connects to swtpm via the mssim TCTI on the server port; the
# bash wrapper records the daemon's PID in TPM2_ABRMD_PIDFILE and then
# waits for it. --allow-root is why the test insists on running as root.
# NOTE(review): the inner "${TPM2_ABRMD_PIDFILE}" closes and reopens the
# outer double-quoted string, so the path is expanded by the outer shell
# and is unquoted inside the child; this only works while the mktemp path
# contains no whitespace. Escaping the inner quotes (\") would fix it.
139 bash
-c "tpm2-abrmd --tcti=mssim:host=127.0.0.1,port=${SWTPM_SERVER_PORT} --allow-root & echo \$! > "${TPM2_ABRMD_PIDFILE}"; wait" &
# The error sits in the 'then' branch, so wait_for_file presumably returns
# 0 on timeout and non-zero once the file appears — confirm against common.
142 if wait_for_file
"${TPM2_ABRMD_PIDFILE}" 3; then
143 echo "Error: Could not get tpm2-abrmd's PID file"
# The PID file lives in the private workdir written by the wrapper above,
# so its content is trusted; kill -0 confirms the daemon is still alive.
147 TPM2_ABRMD_PID
=$
(cat "${TPM2_ABRMD_PIDFILE}")
148 kill_quiet
-0 "${TPM2_ABRMD_PID}"
149 if [ $?
-ne 0 ]; then
150 echo "Error: tpm2-abrmd with pid ${TPM2_ABRMD_PID} must have terminated"
# Initialise the PKCS#11 store (TPM2_PKCS11_STORE points into workdir).
# $? after a plain assignment from $(...) is the exit status of the
# substituted command.
154 tmp
="$(tpm2_ptool init 2>&1)"
155 if [ $?
-ne 0 ]; then
156 echo "tpm2_ptool init failed:"
# The primary object id is taken from the "id: N" line of the tool output.
# Despite the name, PID is not a process id; cleanup uses it for
# 'tpm2_ptool destroy'.
160 PID
="$(echo "${tmp}" | grep -E "^id
:" |cut -d ":" -f2 | tr -d " ")"
161 if [ -z "${PID}" ]; then
162 echo "Could not grep the pid from the tpm2_ptool output"
# Create the TPM-backed CA. Both PINs are passed in the environment rather
# than as arguments, so they do not show up in 'ps' output; the user PIN
# contains a space to exercise quoting in the config writer. These are
# throw-away test PINs for a store that disappears with workdir.
# After the error check, the 'for fil in' loop (its header is not shown
# here) requires the root CA key pair and the TPM CA's certificate plus
# public key; no tpmca private key file is listed, presumably because that
# key is held by the TPM.
167 tmp
="$(SWTPM_PKCS11_PIN="mypin
123" SWTPM_PKCS11_SO_PIN="123" ${SWTPM_CREATE_TPMCA} \
168 --dir "${SWTPM_LOCALCA_DIR}" \
170 --outfile "${SWTPM_LOCALCA_CONF}" \
173 --pid "${PID}" 2>&1)"
175 if [ $?
-ne 0 ]; then
176 echo "Error: Could not create TPM CA"
182 swtpm-localca-rootca-cert.pem \
183 swtpm-localca-rootca-privkey.pem \
184 swtpm-localca-tpmca-cert.pem \
185 swtpm-localca-tpmca-pubkey.pem
; do
186 if [ ! -r "${SWTPM_LOCALCA_DIR}/${fil}" ]; then
187 echo "Error: TPM CA tool did not create file ${fil}."
197 "^SWTPM_PKCS11_PIN = mypin 123"; do
# Each expected setting (the other regexes are on lines not shown) must
# appear in the generated localca config.
# NOTE(review): the user PIN is stored in cleartext in this config file;
# the test checks that it is present but not that the file's mode keeps it
# from other users — worth asserting alongside.
198 if [ -n "${regex}" ] && \
199 [ -z "$(grep -E "${regex}" "${SWTPM_LOCALCA_CONF}")" ]; then
# BUG(review): ${line} is never assigned in this loop — the loop variable
# is ${regex} — so the message prints an empty name. Should be '${regex}'.
200 echo "Error: Could not find regex '${line}' in CA config file."
201 cat "${SWTPM_LOCALCA_CONF}"
# Header size to strip from the certificate file before parsing it; the
# non-TPM 2 branch (lines not shown) presumably sets a different value.
207 if [ ${vtpm_is_tpm2} -ne 0 ]; then
211 skip
=7 # header in cert
214 # make sure we can actually sign with this new certificate
# Sign an EK certificate with the TPM-backed CA for a fixed ECC EK public
# point (x,y), so the result is reproducible. The command these options
# belong to starts on a line not shown here; the "$?" test below refers to
# it. The --tpm-spec-* values are what the certificate checks further
# down expect to find.
217 --ek x
=739192d8f1004283957a7b1568d610b41c637ccc114aadcac4908c20456468fa
,y
=59f63ac06f8011f6fdd1460c6bc8e3e0a2d090d4fc188c7e04870e06795ce8ae \
218 --dir "${workdir}" --vmid test \
220 --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 00 \
221 --tpm-model swtpm
--tpm-version 20170101 --tpm-manufacturer IBM \
222 --configfile "${SWTPM_LOCALCA_CONF}" \
224 if [ $?
-ne 0 ]; then
225 echo "Error: The CA could not sign with the new certificate"
228 if [ ! -f "${workdir}/ek.cert" ]; then
229 echo "Error: The CA did not produce a certificate"
# Plausibility check only: an empty or truncated certificate is rejected
# before it is parsed.
232 # cert was for example 541 bytes long
233 if [ $
(get_filesize
"${workdir}/ek.cert") -lt 500 ]; then
234 echo "Error: The certificate's size is dubious"
235 ls -l "${workdir}/ek.cert"
239 # Check the contents of the certificate
# Drop the ${skip}-byte header and let certtool print the DER certificate.
# CERTTOOL is not set in this excerpt (presumably from the common helpers).
240 certinfo
=$
(dd "if=${workdir}/ek.cert" bs
=1 "skip=$skip" status
=none | \
241 "$CERTTOOL" -i --inder)
# Expected TCG EK-certificate content: extended key usage 2.23.133.8.1
# (tcg-kp-EKCertificate), the tpmVersion/tpmModel/tpmManufacturer
# attributes 2.23.133.2.3/.2/.1 as directoryName entries, CA:FALSE, and a
# Subject Directory Attributes extension (2.5.29.9) whose hexdump appears
# to encode the tpmSpecification family "2.0", level 0, revision 146
# (0x92) — consistent with the --tpm-spec-* values passed above.
242 regexs
=('^[[:space:]]+2.23.133.8.1$'
243 '^[[:space:]]+directoryName:.*(,)?2.23.133.2.3=.*'
244 '^[[:space:]]+directoryName:.*(,)?2.23.133.2.2=.*'
245 '^[[:space:]]+directoryName:.*(,)?2.23.133.2.1=.*'
246 '^[[:space:]]+Certificate Authority \(CA\): FALSE$'
247 '^[[:space:]]+Unknown extension 2.5.29.9 \(not critical\):$'
248 '^[[:space:]]+Hexdump: 3019301706056781050210310e300c0c03322e3002010002020092$')
# Key usage and signature algorithm depend on the EK type.
249 if [ ${vtpm_is_tpm2} -ne 0 ]; then
250 # TPM 2.0; due to ecc: Key agreement
251 regexs
+=('^[[:space:]]+Key agreement\.$'
252 '^[[:space:]]+Signature Algorithm: RSA-SHA256$')
# Non-TPM 2 case: RSA EK, signed with RSA-SHA1 (NOTE(review): a legacy
# algorithm; the test pins it, so the CA's behaviour for this case is
# deliberate rather than accidental).
254 regexs
+=('^[[:space:]]+Key encipherment\.$'
255 '^[[:space:]]+Signature Algorithm: RSA-SHA1$')
# BUG(review): ${#regexs} is the length of the string regexs[0], not the
# element count ${#regexs[@]}; the loop only covers every entry because
# regexs[0] happens to be longer than the array, and the -n guard hides
# the out-of-range indices. Use "${#regexs[@]}" so entries cannot be
# silently skipped if the first regex is ever shortened.
258 for ((i
=0; i
< ${#regexs}; i
++)); do \
259 if [ -n "${regexs[$i]}" ] && \
260 [ -z "$(echo "${certinfo}" | grep -E "${regexs[$i]}")" ]; then
261 echo "Error: Could not match regex '${regexs[$i]}' with certificate info:"
# Orderly teardown: SIGTERM gives the resource manager a chance to clean
# up; the ncat stub is simply killed.
267 # Send SIGTERM to tpm2-abrmd
268 kill_quiet
-15 "${TPM2_ABRMD_PID}"
271 kill_quiet
-9 "${NCAT_PID}"
# Shut swtpm down through its control channel rather than by signal, so
# the state directory is left consistent.
275 run_swtpm_ioctl
"${SWTPM_INTERFACE}" -s
276 if [ $?
-ne 0 ]; then
277 echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
# wait_process_gone presumably returns 0 when the process is still alive
# after the timeout (hence the error in the 'then' branch) — confirm in
# common.
281 if wait_process_gone
"${SWTPM_PID}" 4; then
282 echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore."
# NOTE(review): this second check waits on SWTPM_PID again but the message
# names tcsd; looks like a copy-paste leftover — either the PID variable or
# the message is wrong (lines between the two checks are not shown).
286 if wait_process_gone
"${SWTPM_PID}" 4; then
287 echo "Error: tcsd should not be running anymore."