1 #!/usr/bin/env bash
2
3 # For the license, see the LICENSE file in the root directory.
4 #set -x
5
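# Exit code 77 tells the test harness to report this test as skipped.
if [ "${SWTPM_TEST_IBMTSS2:-0}" -eq 0 ]; then
  echo "SWTPM_TEST_IBMTSS2 must be set to run this test."
  exit 77
fi

# The IBM TSS tools may be installed unprefixed (startup) or with a 'tss'
# prefix (tssstartup); probe both spellings and remember which one works.
# Both probes are silenced so the test log only carries the verdict.
if ! type -p nvdefinespace startup &>/dev/null; then
  PREFIX=tss
  if ! type -p "${PREFIX}nvdefinespace" "${PREFIX}startup" &>/dev/null; then
    echo "Could not find TPM2 tools (e.g., (tss)startup, (tss)nvdefinespace) in PATH."
    exit 77
  fi
fi
TOOLSPATH=$(dirname "$(type -P "${PREFIX}startup")")

ROOT=${abs_top_builddir:-$(dirname "$0")/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

SWTPM=swtpm
SWTPM_EXE=${SWTPM_EXE:-$ROOT/src/swtpm/$SWTPM}
SWTPM_IOCTL=$ROOT/src/swtpm_ioctl/swtpm_ioctl

# Every scratch file lives in a private temporary directory that cleanup()
# removes on exit; never continue with an empty TPMDIR, since later steps
# delete "$TPMDIR"/* recursively.
if ! TPMDIR=$(mktemp -d) || [ -z "$TPMDIR" ]; then
  echo "Error: Could not create temporary directory."
  exit 1
fi
PID_FILE=$TPMDIR/${SWTPM}.pid
SOCK_PATH=$TPMDIR/sock
CMD_PATH=$TPMDIR/cmd
RESP_PATH=$TPMDIR/resp
LOGFILE=$TPMDIR/logfile
TMPFILE=$TPMDIR/tmpfile
BINFILE=$TPMDIR/binfile
SIGFILE=$TPMDIR/sigfile

source "${TESTDIR}/test_common"
source "${TESTDIR}/common"

# cleanup() is defined further down; the trap only resolves the name when it
# fires, so the ordering is fine.
trap "cleanup" SIGTERM EXIT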
42
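#######################################
# Remove the scratch directory and the files the TSS tools drop into the
# current directory, then stop the swtpm instance if one was started.
# Globals:   TPMDIR, PID (read)
#######################################
function cleanup()
{
  # Guard the recursive delete: an empty TPMDIR must never turn this into
  # "rm -rf" of the current directory's contents or of "".
  if [ -n "$TPMDIR" ]; then
    rm -rf -- "$TPMDIR"
  fi
  # remove files from tss tools
  rm -f h01*.bin nvp*.bin
  if [ -n "$PID" ]; then
    # kill_quiet is provided by the sourced test helpers
    kill_quiet -SIGTERM "$PID" 2>/dev/null
  fi
}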
52
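#######################################
# Fill up the NVRAM space with 2048 bit signing keys and then an NVRAM area
# that fills it up to the last byte. We want to make sure that the OBJECTs
# that the RSA keys are creating in NVRAM can be loaded into the NVRAM again
# when the size of the OBJECT increases when for example the size of the RSA
# keys increases. This may force us to increase the NVRAM memory space in
# libtpms then.
# Globals:   TOOLSPATH, PREFIX, TMPFILE, BINFILE, SIGFILE (read)
# Arguments: $1 - 1 to create the keys, the NVRAM index and the signature
#            $2 - 1 to verify the persisted handles and the stored signature
# Outputs:   progress and error messages on stdout
# Returns:   0 on success; exits the script with 1 on any failure
#######################################
function fillup_nvram()
{
  local create="$1"
  local check="$2"

  local i sz handle

  if [ "$create" -eq 1 ]; then
    # Fill up the NVRAM space with RSA 2048 keys;
    # exactly 65 have to fit
    if ! "${TOOLSPATH}/${PREFIX}createprimary" -hi o -si > "$TMPFILE"; then
      echo "Error: createprimary failed."
      exit 1
    fi
    if ! grep -q 80000000 "$TMPFILE"; then
      echo "Error: createprimary did not result in expected handle 80000000"
      exit 1
    fi
    # Persist the same primary key under successive handles until
    # evictcontrol fails, i.e. until the NVRAM holds no more objects.
    for ((i = 0x81000000; i < 0x81000100; i++)); do
      printf -v handle '%x' "$i"
      "${TOOLSPATH}/${PREFIX}evictcontrol" \
        -hi o \
        -ho 80000000 \
        -hp "$handle" &>"$TMPFILE" || break
    done
    "${TOOLSPATH}/${PREFIX}getcapability" -cap 1 -pr 81000000 -pc 80 > "$TMPFILE"
    # We need to see '65 Handles' for state created with
    # libtpms-0.6.0 and 128kb NVRAM size
    if ! grep -i "65 Handles" "$TMPFILE"; then
      echo "Error: Did not find '65 Handles' keyword in output"
      cat "$TMPFILE"
      exit 1
    fi

    # Fill up the rest of the NVRAM with a single NVRAM index whose size
    # we now have to find;
    # for reference: libtpms v0.6.0 allowed 236 bytes
    for ((sz = 0; ; sz++)); do
      "${TOOLSPATH}/${PREFIX}nvdefinespace" \
        -hi o \
        -ha 01000000 \
        -sz "${sz}" > "${TMPFILE}" || break
      # this worked, so let's remove it and try the next size
      #echo "NVRAM space of size $sz could be created"
      # A leftover index would make the next nvdefinespace fail for the
      # wrong reason and report a misleading size, so this must succeed.
      if ! "${TOOLSPATH}/${PREFIX}nvundefinespace" \
          -hi o \
          -ha 01000000 > "${TMPFILE}"; then
        echo "Error: Could not remove NVRAM index of size ${sz} again."
        cat "${TMPFILE}"
        exit 1
      fi
    done
    if [ "$sz" -gt 0 ]; then
      # the loop stopped at the first size that failed; one less fits
      sz=$((sz - 1))
      echo "Creating final space of size ${sz}"
      if ! "${TOOLSPATH}/${PREFIX}nvdefinespace" \
          -hi o \
          -ha 01000000 \
          -sz "${sz}" > "${TMPFILE}"; then
        echo "Error: Could not create final NVRAM space."
        cat "${TMPFILE}"
        exit 1
      fi
    fi
    if [ "$sz" -eq 0 ]; then
      echo "Error: NVRAM space could not be created at all; not enough space!"
      exit 1
    elif [ "$sz" -lt 236 ]; then
      echo "Error: Insufficient NVRAM memory. Needed to create an NVRAM index with size 236 bytes."
      exit 1
    elif [ "$sz" -gt 236 ]; then
      echo "Error: The NVRAM index is too large. Only needed 236 bytes but got $sz bytes."
      exit 1
    else
      echo "The NVRAM index is exactly of the right size (236 bytes)."
    fi

    # Sign a fixed message with the first persisted key; the check phase
    # verifies this signature against the persisted handles.
    printf '%s' "123" > "$BINFILE"
    if ! "${TOOLSPATH}/${PREFIX}sign" \
        -hk 81000000 \
        -if "${BINFILE}" \
        -os "${SIGFILE}" > "$TMPFILE"; then
      echo "Error: Could not create signature."
      cat "$TMPFILE"
      exit 1
    fi
  fi

  if [ "$check" -eq 1 ]; then
    "${TOOLSPATH}/${PREFIX}getcapability" -cap 1 -pr 81000000 -pc 80 > "$TMPFILE"
    # We need to see '65 Handles' for state created with
    # libtpms-0.6.0 and 128kb NVRAM size
    if ! grep -i "65 Handles" "$TMPFILE"; then
      echo "Error: Did not find '65 Handles' keyword in output"
      cat "$TMPFILE"
      exit 1
    fi

    printf "Verifying signature with all the persisted keys\n"
    printf '%s' "123" > "$BINFILE"
    # Every persisted handle holds a copy of the same primary key, so the
    # stored signature has to verify with each of them.
    for ((i = 0x81000000; i < 0x81000040; i++)); do
      printf -v handle '%x' "$i"
      if ! "${TOOLSPATH}/${PREFIX}verifysignature" \
          -hk "$handle" \
          -is "${SIGFILE}" \
          -if "${BINFILE}" > "$TMPFILE"; then
        echo "Verifying signature failed for handle ${handle}."
        exit 1
      fi
    done
  fi
}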
170
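# Environment for the IBM TSS tools: talk to the swtpm 'raw' socket server on
# localhost and keep the tools' own state files inside the scratch directory.
# NOTE(review): the port is fixed, so two copies of this test cannot run at
# the same time on one host.
export TPM_SERVER_TYPE=raw
export TPM_SERVER_NAME=127.0.0.1
export TPM_INTERFACE_TYPE=socsim
export TPM_COMMAND_PORT=65446
export TPM_DATA_DIR=$TPMDIR
# Fixed test-only value for the tools' encrypted sessions; not a real secret.
export TPM_SESSION_ENCKEY="807e2bfe898ddaed8fa6310e716a24dc" # for sessions

#######################################
# Start swtpm in the background on the shared port/socket and wait for its
# pidfile.
# Globals:   SWTPM_EXE, TPM_COMMAND_PORT, TPMDIR, PID_FILE, SOCK_PATH, LOGFILE,
#            SWTPM_TEST_SECCOMP_OPT (read); PID (written)
# Arguments: $1 - ordinal of this start, used only in the error message
# Returns:   0 on success; exits the script with 1 if the pidfile never appears
#######################################
start_swtpm() {
  local attempt="$1"

  # $SWTPM_EXE and $SWTPM_TEST_SECCOMP_OPT are left unquoted on purpose so
  # callers may pass several words (a wrapper command, an empty option).
  $SWTPM_EXE socket \
    --server port="${TPM_COMMAND_PORT}" \
    --tpmstate dir="$TPMDIR" \
    --pid file="$PID_FILE" \
    --ctrl type=unixio,path="$SOCK_PATH" \
    --log file="$LOGFILE",level=20 \
    --tpm2 \
    ${SWTPM_TEST_SECCOMP_OPT} &

  # wait_for_file (sourced test helper) returns 0 only when the file did not
  # show up within the timeout, so a zero status is the error case here.
  if wait_for_file "$PID_FILE" 3; then
    echo "Error: (${attempt}) Socket TPM did not write pidfile."
    exit 1
  fi

  PID="$(cat "$PID_FILE")"
}

#######################################
# Send CMD_INIT to swtpm via swtpm_ioctl and then 'startup -c' via the TSS
# tools. The swtpm log is printed on failure so the cause is visible.
# Globals:   SWTPM_IOCTL, SOCK_PATH, TOOLSPATH, PREFIX, LOGFILE (read)
# Returns:   0 on success; exits the script with 1 on failure
#######################################
init_tpm() {
  local act

  # Send TPM_Init
  if ! act=$("$SWTPM_IOCTL" --unix "$SOCK_PATH" -i 2>&1); then
    echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
    cat "$LOGFILE"
    exit 1
  fi

  if ! "${TOOLSPATH}/${PREFIX}startup" -c; then
    echo "Error: tpm_startup clear failed."
    cat "$LOGFILE"
    exit 1
  fi
}

#######################################
# Stop swtpm: optionally 'shutdown -c' via the TSS tools, then CMD_SHUTDOWN
# via swtpm_ioctl, and wait until the process is gone so that port, socket
# and pidfile are free again before the next start.
# Globals:   SWTPM_IOCTL, SOCK_PATH, TOOLSPATH, PREFIX, LOGFILE, PID (read)
# Arguments: $1 - 1 to issue 'shutdown -c' before CMD_SHUTDOWN
# Returns:   0 on success; exits the script with 1 on failure
#######################################
stop_tpm() {
  local tpm_shutdown="$1"
  local act

  if [ "$tpm_shutdown" -eq 1 ]; then
    if ! "${TOOLSPATH}/${PREFIX}shutdown" -c; then
      echo "Error: tpm_shutdown clear failed."
      cat "$LOGFILE"
      exit 1
    fi
  fi

  # Send Shutdown
  if ! act=$("$SWTPM_IOCTL" --unix "$SOCK_PATH" -s 2>&1); then
    echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
    exit 1
  fi

  # wait_process_gone (sourced test helper) returns 0 when the process is
  # still alive after the timeout, so a zero status is the error case.
  if wait_process_gone "${PID}" 4; then
    echo "Error: swtpm did not shut down"
    exit 1
  fi
}

#################################################################
# Create fresh state: fill the NVRAM and verify it right away

start_swtpm 1
init_tpm
fillup_nvram 1 1
stop_tpm 0

echo "============================" >> "$LOGFILE"

echo "TPM was shut down"

# Store this state for later usage; use a really old version of libtpms: 0.6.0
#cp $TPMDIR/tpm2-00.permall ${TESTDIR}/data/tpm2state5;
#cp $SIGFILE ${TESTDIR}/data/tpm2state5/signature.bin

#################################################################
# Run TPM2 with the created state and verify it's the same

start_swtpm 2
echo "TPM re-started"
init_tpm
fillup_nvram 0 1
stop_tpm 1

echo "============================" >> "$LOGFILE"

echo "TPM was shut down"

#################################################################
# Run TPM2 with previously saved state and verify it's the same

# ${TPMDIR:?} aborts if TPMDIR is empty, so the glob can never expand to
# anything outside the scratch directory.
rm -f -- "${TPMDIR:?}"/*
# Without the saved state in place swtpm would silently start from scratch
# and this part of the test would pass without testing anything.
if ! cp -f "${TESTDIR}/data/tpm2state5/tpm2-00.permall" "$TPMDIR/tpm2-00.permall" ||
   ! cp "${TESTDIR}/data/tpm2state5/signature.bin" "$SIGFILE"; then
  echo "Error: Could not copy the saved TPM state from ${TESTDIR}/data/tpm2state5."
  exit 1
fi

start_swtpm 3
echo "TPM started with previously generated state"
init_tpm
fillup_nvram 0 1
stop_tpm 1

echo "Test 1 OK"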