3 # For the license, see the LICENSE file in the root directory.
# Preconditions and environment for this swtpm TPM 2 save/load-state test.
# NOTE(review): this listing carries the original file's line numbers as a
# prefix on every line, splits statements across several lines and omits
# lines (closing fi/done/}, 'exit 1' statements, some assignments); it is not
# runnable as shown.  The comments below describe only what the visible
# text establishes.
# Opt-in guard: the test needs the IBM TSS2 command-line tools and runs only
# when the SWTPM_TEST_IBMTSS2 environment variable is set to non-zero.
6 if [ ${SWTPM_TEST_IBMTSS2:-0} -eq 0 ]; then
7 echo "SWTPM_TEST_IBMTSS2 must be set to run this test."
# Tool discovery is PATH-based (type -p): first the bare names, then the
# names with the ${PREFIX} prefix (e.g. "tss"); the lines that set PREFIX
# (8-13) are not in this listing.
11 type -p nvdefinespace startup
&>/dev
/null
14 type -p ${PREFIX}nvdefinespace
${PREFIX}startup
17 echo "Could not find TPM2 tools (e.g., (tss)startup, (tss)nvdefinespace) in PATH."
# TOOLSPATH is the directory ${PREFIX}startup resolved to on PATH; every TSS
# tool below is invoked by absolute path from that directory, so later
# changes to PATH cannot swap in a different binary mid-test.
20 TOOLSPATH
=$
(dirname $
(type -P ${PREFIX}startup
))
# Build and test roots default to the script's own location ($0).  Both are
# used unquoted at every call site below; paths containing whitespace would
# break word splitting.
22 ROOT
=${abs_top_builddir:-$(dirname "$0")/..}
23 TESTDIR
=${abs_top_testdir:-$(dirname "$0")}
# swtpm binary and control tool under test ($SWTPM is not assigned in the
# visible text; presumably it comes from the environment or a sourced file).
26 SWTPM_EXE
=${SWTPM_EXE:-$ROOT/src/swtpm/$SWTPM}
27 SWTPM_IOCTL
=$ROOT/src
/swtpm_ioctl
/swtpm_ioctl
# Per-run scratch directory with an unpredictable name (mktemp -d); TPM
# state, control socket, pid file, log and all temp files are placed under
# it.  The test aborts immediately if the directory cannot be created.
28 TPMDIR
="$(mktemp -d)" ||
exit 1
29 PID_FILE
=$TPMDIR/${SWTPM}.pid
30 SOCK_PATH
=$TPMDIR/sock
32 RESP_PATH
=$TPMDIR/resp
33 LOGFILE
=$TPMDIR/logfile
34 VOLATILESTATE
=$TPMDIR/volatile
35 TMPFILE
=$TPMDIR/tmpfile
36 BINFILE
=$TPMDIR/binfile
37 SIGFILE
=$TPMDIR/sigfile
38 SIGFILE2
=$TPMDIR/sigfile2
39 TMP2FILE
=$TPMDIR/tmpfile2
40 PRIVKEY
=$TPMDIR/privkey.pem
41 PUBKEY
=$TPMDIR/pubkey.pem
42 PUBKEYCONTEXT
=$TPMDIR/pubkey.context
# Keyed-hash key blobs used by test_hmac_context live in the checked-in test
# data directory (tpm2state3), not under TPMDIR; its create phase overwrites
# them (see -opr/-opu in test_hmac_context).
44 HKEYPRIV
=${TESTDIR}/data
/tpm2state
3/hkey.priv
45 HKEYPUB
=${TESTDIR}/data
/tpm2state
3/hkey.pub
# Shared helpers used below (skip_test_no_tpm20, wait_for_file, kill_quiet,
# get_sha1_file) come from these two sourced files.
47 source ${TESTDIR}/test_common
48 source ${TESTDIR}/common
49 skip_test_no_tpm20
"${SWTPM_EXE}"
# cleanup runs on SIGTERM and on EXIT, i.e. on every exit path including the
# early 'exit 1's, so the backgrounded swtpm is signalled in all cases.
52 trap "cleanup" SIGTERM EXIT
# Body of cleanup(); its 'function cleanup()' header (lines 53-56) and its
# remaining lines (61-63) are not in this listing.  The rm -f below uses
# relative paths, i.e. the bookkeeping files the TSS tools write into the
# current working directory (per the comment on line 57).
57 # remove files from tss tools
58 rm -f h01
*.bin nvp
*.bin
# Only signal swtpm when a PID was recorded (PID is set after each start
# below); kill errors are discarded because the process may already be gone.
59 if [ -n "$PID" ]; then
60 kill_quiet
-SIGTERM $PID 2>/dev
/null
# test_nvram_state CREATE CHECK
#   Create phase ($1 = 1): define NV indices 01000000..01000009 (the first
#   two are 'orderly' and are cleared by a TPM reset, per the comment on
#   line 72), write each once and write-lock it, then define and increment
#   a counter index at 01000010.
#   Check phase ($2 = 1): after a restart the orderly indices must not be
#   readable, the others must read back one line of hex digits and must
#   reject writes (the lock must have persisted), and the counter must
#   still be exactly 1.
#   The 'local create=$1' / 'local check=$2' lines (65-68), the opening
#   brace, the attribute/argument lines of several tool calls, all
#   'exit 1'/'fi'/'done' lines and the closing brace are not in this
#   listing; each visible error message is presumably followed by an exit.
64 function test_nvram_state
()
69 local i res rc act exp ody
71 if [ $create -eq 1 ]; then
72 # the 1st and 2nd spaces are 'orderly' and will be cleared by reset
# Index handle is 01%06x; size grows with i (100 + 10*i).  The attribute
# arguments (lines 80-85) are not shown.
74 for ((i
=0; i
< 10; i
++)); do
75 printf "Creating NVRAM location 01%06x\n" $i
76 # the '+at wd' allows us to only write once
77 ${TOOLSPATH}/${PREFIX}nvdefinespace \
78 -ha $
(printf "01%06x" $i) \
79 -sz $
((100 + i
* 10)) \
86 echo "Error: nvdefinespace failed for i = $i."
# Single write followed by nvwritelock: subsequent writes must be rejected,
# which the check phase relies on.
94 ${TOOLSPATH}/${PREFIX}nvwrite \
95 -ha $
(printf "01%06x" $i) \
99 echo "Error: nwrite failed for i = $i."
103 ${TOOLSPATH}/${PREFIX}nvwritelock \
104 -ha $
(printf "01%06x" $i) \
106 if [ $?
-ne 0 ]; then
107 echo "Error: nwritelock failed for i = $i."
# Counter index at 01000010, incremented exactly once so the check phase
# can expect the value 1.
112 # Create a counter space
113 echo "Creating NVRAM location 01000010 for counter"
114 ${TOOLSPATH}/${PREFIX}nvdefinespace \
119 if [ $?
-ne 0 ]; then
120 echo "Error: nvdefinespace for counter failed."
124 echo "Incrementing the counter at location 01000010"
125 ${TOOLSPATH}/${PREFIX}nvincrement \
128 if [ $?
-ne 0 ]; then
129 echo "Error: nvincrement failed."
# Check phase.  'last' is the number of orderly indices that must be
# unreadable; its assignment (lines 135-140) is not shown.
134 if [ $check -eq 1 ]; then
137 if [ $create -eq 0 ]; then
141 # The orderly indices must not be readable UNLESS they were just
142 # created. In the latter case we skip this first loop here.
# A successful nvread of an orderly index after reset is the failure case.
143 for ((i
=0; i
< last
; i
++)); do
144 printf "Checking orderly NVRAM location 01%06x after reset\n" $i
145 ${TOOLSPATH}/${PREFIX}nvread \
146 -ha $
(printf "01%06x" $i) \
149 if [ $?
-eq 0 ]; then
150 echo "Error: nvread succeeded for orderly NVRAM index; i = $i"
# Remaining indices must be readable, and the output captured in TMPFILE
# must contain exactly one line of hex digits; the end of the pipeline
# (line 172, which must produce the count compared with 1) is not shown.
156 # test the non-orderly indices OR orderly we just created above
157 for ((i
=last
; i
< 10; i
++)); do
158 printf "Checking NVRAM location 01%06x\n" $i
159 ${TOOLSPATH}/${PREFIX}nvread \
160 -ha $
(printf "01%06x" $i) \
163 if [ $?
-ne 0 ]; then
164 echo "Error: nvread failed for i = $i"
169 # we want one line with xdigits and spaces
170 res
=$
(cat $TMPFILE | \
171 grep -E "^[ [:xdigit:]]+$" |
173 if [ $res -ne 1 ]; then
174 echo "Error: nvread did not show expected results"
# The index was write-locked in the create phase: a successful nvwrite
# means the lock did not survive the restart.  How rc is captured (lines
# 180-182) is not shown.
178 ${TOOLSPATH}/${PREFIX}nvwrite \
179 -ha $
(printf "01%06x" $i) \
183 if [ $rc -eq 0 ]; then
184 echo "Error: nwrite succeeded for i = $i."
# The counter is read into BINFILE and dumped as hex bytes; the persisted
# value must be 8 bytes with 0x01 in the last position.
190 echo "Checking counter value at location 01000010"
191 ${TOOLSPATH}/${PREFIX}nvread \
195 -of $BINFILE > $TMPFILE
196 if [ $?
-ne 0 ]; then
197 echo "Error: nvread of counter failed."
201 exp
=' 00 00 00 00 00 00 00 01'
202 act
="$(od -t x1 -A n < $BINFILE)"
203 if [ "$act" != "$exp" ]; then
204 echo "Error: Counter has unexpected value."
205 echo " expected: $exp"
206 echo " actual : $act"
# test_primary CREATE CHECK PREVIOUSSTATE
#   Create phase ($1 = 1): create a primary signing key in the owner
#   hierarchy, make it persistent at 0x81000000, flush the transient copy
#   and sign the fixed message "123" into SIGFILE.
#   Check phase ($2 = 1): after a restart the persistent handle must still
#   be listed by getcapability and the signature must verify with it.
#   $3 previousstate: 1 = the TPM state was copied from the checked-in
#      tpm2state3 data, so the committed data/tpm2state3/signature.bin is
#      verified instead of this run's SIGFILE.
#   The 'local create/check' lines (212-214), the opening brace, the
#   'exit 1'/'fi' lines, the -is argument line 260 and the closing brace are
#   not in this listing.
211 function test_primary
()
215 # whether we are using previous stored stated that had a different
216 # key and we have to use the old signature
217 local previousstate
="$3"
221 if [ $create -eq 1 ]; then
222 # Create a permanent primary key that we expecte
223 # to again see after the TPM has been restarted
# -hi o = owner hierarchy, -si = signing key.  The new transient object is
# expected at 80000000, grepped from the tool's stdout.
224 ${TOOLSPATH}/${PREFIX}createprimary
-hi o
-si > $TMPFILE
225 if [ $?
-ne 0 ]; then
226 echo "Error: createprimary failed."
229 if [ -z "$(grep 80000000 $TMPFILE)" ]; then
230 echo "Error: createprimary did not result in expected handle 80000000"
# Persist the key at 0x81000000 (owner authorization), then flush the
# transient handle; only the persistent handle is used afterwards.
233 ${TOOLSPATH}/${PREFIX}evictcontrol
-ho 80000000 -hp 81000000 -hi o
234 if [ $?
-ne 0 ]; then
235 echo "Error: evictcontrol did not work"
238 ${TOOLSPATH}/${PREFIX}flushcontext
-ha 80000000
# Signature over the 3-byte message; SIGFILE is reused by the check phase
# of the same script run (and was once copied into the test data, see the
# commented-out cp on line 806).
240 echo -n "123" > $BINFILE
241 ${TOOLSPATH}/${PREFIX}sign -hk 81000000 -if ${BINFILE} -os ${SIGFILE} > $TMPFILE
242 if [ $?
-ne 0 ]; then
243 echo "Error: Could not create signature."
# Check phase: -cap 1 (TPM_CAP_HANDLES) starting at 0x81000000 must list
# the persistent key.
249 if [ $check -eq 1 ]; then
250 printf "Checking availability of key with perm. handle 0x81000000\n"
251 ${TOOLSPATH}/${PREFIX}getcapability
-cap 1 -pr 0x81000000 >$TMPFILE
252 if [ -z "$(grep 81000000 $TMPFILE)" ]; then
253 echo "Could not find key with permanent handle 0x81000000"
# Verify either this run's signature (the -is argument on the omitted line
# 260 presumably names SIGFILE) or the committed signature when running on
# the checked-in state.
256 printf "Verifying signature with this key\n"
257 echo -n "123" > $BINFILE
258 if [ $previousstate -eq 0 ]; then
259 ${TOOLSPATH}/${PREFIX}verifysignature
-hk 81000000 \
261 -if ${BINFILE} > $TMPFILE
263 ${TOOLSPATH}/${PREFIX}verifysignature
-hk 81000000 \
264 -is ${TESTDIR}/data
/tpm2state
3/signature.bin \
265 -if ${BINFILE} > $TMPFILE
267 if [ $?
-ne 0 ]; then
268 echo "Verifying signature failed."
# test_pcr_allocation CREATE CHECK
#   Create phase ($1 = 1): change the PCR bank allocation (remove the SHA512
#   bank, allocate SHA256) and confirm all 24 PCRs of both banks still read
#   back before the reboot — the new allocation is expected to take effect
#   only after the restart, as the before/after expectations show.
#   Check phase ($2 = 1): after the restart the SHA512 bank must be gone
#   (pcrread reports "count 0") and SHA256 must be present ("count 1").
#   Skipped entirely when the tool's usage output does not mention sha512.
#   The 'local create/check' lines (277-282), 'exit 1'/'fi'/'done' lines and
#   the closing brace are not in this listing.
274 # Allocate a SHA256 PCR bank
275 # This will prevent shutdown -s (with state)
276 function test_pcr_allocation
()
# Capability probe: pcrallocate without arguments is expected to print its
# supported algorithms.
283 if [ -z "$($TOOLSPATH/${PREFIX}pcrallocate | grep sha512)" ]; then
284 echo " Skipping PCR Allocate test since it does not support sha512"
288 if [ $create -eq 1 ]; then
289 echo "Allocating SHA256 PCR bank"
# '-sha512' deallocates and '+sha256' allocates (consistent with the
# count 0 / count 1 expectations in the check phase).
290 ${TOOLSPATH}/${PREFIX}pcrallocate
-sha512 +sha256
# Before the reboot every PCR of both banks must still be readable.
292 for ((ha
= 0; ha
< 24; ha
++)); do
293 ${TOOLSPATH}/${PREFIX}pcrread -ha ${ha} -halg sha512
> $TMPFILE
294 if [ -z "$(grep "^count
1.
*$
" $TMPFILE)" ]; then
295 echo "Error: PCR ${ha} in SHA512 bank should be available for read before reboot"
299 ${TOOLSPATH}/${PREFIX}pcrread -ha ${ha} -halg sha256
> $TMPFILE
300 if [ -z "$(grep "^count
1.
*$
" $TMPFILE)" ]; then
301 echo "Error: PCR ${ha} in SHA256 bank should be available for read before reboot"
# After the reboot: SHA512 bank unavailable, SHA256 bank available.
308 if [ $check -eq 1 ]; then
309 echo "Checking the PCR Allocation"
311 for ((ha
= 0; ha
< 24; ha
++)); do
312 ${TOOLSPATH}/${PREFIX}pcrread -ha ${ha} -halg sha512
> $TMPFILE
313 if [ -z "$(grep "^count
0.
*$
" $TMPFILE)" ]; then
314 echo "Error: PCR ${ha} in SHA512 bank should be unavailable for read after reboot"
319 ${TOOLSPATH}/${PREFIX}pcrread -ha ${ha} -halg sha256
> $TMPFILE
320 if [ -z "$(grep "^count
1.
*$
" $TMPFILE)" ]; then
321 echo "Error: PCR ${ha} in SHA256 bank should be available for read after reboot"
# test_hierarchy CREATE CHECK
#   Create phase ($1 = 1): set the authorization value of the lockout (l),
#   endorsement (e) and owner (o) hierarchies to "lll"/"eee"/"ooo".
#   Check phase ($2 = 1): after a restart, prove the stored auth values
#   survived by using each one to change the password and then changing it
#   back to the original.  The platform hierarchy is deliberately left out
#   (comment on lines 337-338).
#   The 'local create/check' lines (329-334), the argument lines carrying
#   the current password (342, 356-360, 370-371), the assignment of pwdn in
#   the check phase, the 'exit 1'/'fi'/'done' lines and the closing brace
#   are not in this listing.
328 function test_hierarchy
()
335 if [ $create -eq 1 ]; then
336 echo "Setting hierarchy passwords"
337 # Change the hierarchy password; the 'p' hierarchy has
338 # no effect on permanent RAM, so we won't test that
# New password is the hierarchy letter repeated three times.
339 for hi
in "l" "e" "o"; do
340 pwdn
="${hi}${hi}${hi}"
341 ${TOOLSPATH}/${PREFIX}hierarchychangeauth \
343 -pwdn ${pwdn} > $TMPFILE
344 if [ $?
-ne 0 ]; then
345 echo "Error: hierarchychangeauth failed to set password."
# Check phase: pwda is the password set in the create phase; change to pwdn
# (assigned on an omitted line) and back again, which fails unless the
# persisted auth value matches.
352 if [ $check -eq 1 ]; then
353 echo "Checking previously set hierarchy passwords"
354 for hi
in "l" "e" "o"; do
355 pwda
="${hi}${hi}${hi}"
358 ${TOOLSPATH}/${PREFIX}hierarchychangeauth \
361 -pwdn ${pwdn} > $TMPFILE
362 if [ $?
-ne 0 ]; then
363 echo "Error: hierarchychangeauth failed to change password."
369 ${TOOLSPATH}/${PREFIX}hierarchychangeauth \
372 -pwdn ${pwda} > $TMPFILE
373 if [ $?
-ne 0 ]; then
374 echo "Error: hierarchychangeauth failed to change back password."
# test_hash_context CREATE CHECK
#   Create phase ($1 = 1): start a sha1, a sha256 and a sha384 hash sequence
#   and feed each the content of TMP2FILE ("123").  The sequence handles are
#   kept in the globals SHA1_/SHA256_/SHA384_SEQUENCE_HANDLE because the
#   check phase runs later in the same script process, after swtpm has been
#   restarted from saved volatile state.
#   Check phase ($2 = 1): complete each sequence with "456"; the sequence
#   objects must have survived the volatile-state save/load.
#   NOTE(review): the check only requires sequencecomplete to print
#   something (-z "$res"); the resulting digests are never compared with an
#   expected value, so a restored-but-wrong sequence state would still
#   pass.
#   The 'local create/check' lines (383-388), the input-file argument lines
#   of sequenceupdate/sequencecomplete (403, 421, 439, 454-456, ...), the
#   'exit 1'/'fi' lines and the closing brace are not in this listing.
382 function test_hash_context
()
389 if [ $create -eq 1 ]; then
390 echo -n "123" > ${TMP2FILE}
# The handle is the third whitespace-separated word of hashsequencestart's
# output; the unquoted 'echo $res' relies on word splitting.
392 echo "Starting a sha1 sequence"
393 res
="$(${TOOLSPATH}/${PREFIX}hashsequencestart -halg sha1)"
394 if [ $?
-ne 0 ]; then
395 echo "Error: Could not start hash sequence."
398 SHA1_SEQUENCE_HANDLE
="$(echo $res | cut -d " " -f3)"
399 echo "sha1 sequence handle: $SHA1_SEQUENCE_HANDLE"
401 ${TOOLSPATH}/${PREFIX}sequenceupdate \
402 -hs ${SHA1_SEQUENCE_HANDLE} \
404 if [ $?
-ne 0 ]; then
405 echo "Error: Could not updated the sha1 sequence."
408 echo "Updated sha1 sequence."
# Same steps for sha256.
410 echo "Starting a sha256 sequence"
411 res
="$(${TOOLSPATH}/${PREFIX}hashsequencestart -halg sha256)"
412 if [ $?
-ne 0 ]; then
413 echo "Error: Could not start sha256 sequence."
416 SHA256_SEQUENCE_HANDLE
="$(echo $res | cut -d " " -f3)"
417 echo "sha256 sequence handle: $SHA256_SEQUENCE_HANDLE"
419 ${TOOLSPATH}/${PREFIX}sequenceupdate \
420 -hs ${SHA256_SEQUENCE_HANDLE} \
422 if [ $?
-ne 0 ]; then
423 echo "Error: Could not updated the hash sequence."
426 echo "Updated sha256 sequence."
# Same steps for sha384.
428 echo "Starting a sha384 sequence"
429 res
="$(${TOOLSPATH}/${PREFIX}hashsequencestart -halg sha384)"
430 if [ $?
-ne 0 ]; then
431 echo "Error: Could not start sha384 sequence."
434 SHA384_SEQUENCE_HANDLE
="$(echo $res | cut -d " " -f3)"
435 echo "sha384 sequence handle: $SHA384_SEQUENCE_HANDLE"
437 ${TOOLSPATH}/${PREFIX}sequenceupdate \
438 -hs ${SHA384_SEQUENCE_HANDLE} \
440 if [ $?
-ne 0 ]; then
441 echo "Error: Could not updated the hash sequence."
444 echo "Updated sha384 sequence."
# Check phase.  The 'touch' creates an empty per-handle file in TPMDIR
# (= TPM_DATA_DIR) before each sequencecomplete; the reason is not stated
# here — presumably the TSS tool expects its bookkeeping file to exist.
447 if [ $check -eq 1 ]; then
448 echo -n "456" > ${TMP2FILE}
450 echo "Completing previously started sha1 sequence"
451 touch $TPMDIR/h
${SHA1_SEQUENCE_HANDLE}.bin
452 res
=$
(${TOOLSPATH}/${PREFIX}sequencecomplete \
453 -hs ${SHA1_SEQUENCE_HANDLE} \
457 if [ -z "$res" ]; then
458 echo "Error: Did not get expected result from completing sha1 sequence."
462 echo "Completing previously started sha256 sequence"
463 touch $TPMDIR/h
${SHA256_SEQUENCE_HANDLE}.bin
464 res
=$
(${TOOLSPATH}/${PREFIX}sequencecomplete \
465 -hs ${SHA256_SEQUENCE_HANDLE} \
469 if [ -z "$res" ]; then
470 echo "Error: Did not get expected result from completing sha256 sequence."
474 echo "Completing previously started sha384 sequence"
475 touch $TPMDIR/h
${SHA384_SEQUENCE_HANDLE}.bin
476 res
=$
(${TOOLSPATH}/${PREFIX}sequencecomplete \
477 -hs ${SHA384_SEQUENCE_HANDLE} \
481 if [ -z "$res" ]; then
482 echo "Error: Did not get expected result from completing sha384 sequence."
# test_session CREATE CHECK PREVIOUSSTATE
#   Create phase ($1 = 1): create a storage primary (-st) in the owner
#   hierarchy, persist it at 0x81000000, flush the transient copy and start
#   an authorization session (-se h, presumably an HMAC session) bound to
#   that key (-bi 81000000).  The session handle is parsed from the tool's
#   "Handle ..." output into the global AUTHSESSION_HANDLE so the check
#   phase, which runs later in the same script process, can use it.
#   Check phase ($2 = 1): the session must still be usable after the
#   restart to authorize a key creation (-se0 handle + session attributes).
#   Session state presumably depends on the fixed TPM_SESSION_ENCKEY
#   exported in the main flow ("for sessions" per its trailing comment).
#   $3 previousstate is assigned but not used in the visible text.
#   The 'local create/check' lines (489-491), the create argument lines
#   (534-535), the 'exit 1'/'fi' lines and the closing brace are not in this
#   listing.
488 function test_session
()
492 # whether we are using previous stored stated that had a different
493 # key and we have to use the old signature
494 local previousstate
="$3"
498 if [ $create -eq 1 ]; then
499 # Create a permanent primary key that we expecte
500 # to again see after the TPM has been restarted
501 ${TOOLSPATH}/${PREFIX}createprimary
-hi o
-st > $TMPFILE
502 if [ $?
-ne 0 ]; then
503 echo "Error: createprimary for creating storage key failed."
506 if [ -z "$(grep 80000000 $TMPFILE)" ]; then
507 echo "Error: createprimary did not result in expected handle 80000000"
# Persist the storage key at 0x81000000 and drop the transient handle.
511 ${TOOLSPATH}/${PREFIX}evictcontrol
-ho 80000000 -hp 81000000 -hi o
512 if [ $?
-ne 0 ]; then
513 echo "Error: evictcontrol did not work"
516 ${TOOLSPATH}/${PREFIX}flushcontext
-ha 80000000
518 ${TOOLSPATH}/${PREFIX}startauthsession
-se h
-bi 81000000 > $TMPFILE
519 if [ $?
-ne 0 ]; then
520 echo "Error: Could not start an auth session."
# Strip the "Handle" label from the tool output; an empty result means the
# handle could not be parsed.
524 AUTHSESSION_HANDLE
=$
(cat $TMPFILE |
sed 's/Handle//')
525 if [ -z "${AUTHSESSION_HANDLE}" ]; then
526 echo "Error: Could not get auth session handle."
# Check phase: a key creation authorized through the restored session.
531 if [ $check -eq 1 ]; then
532 echo "Using auth session ${AUTHSESSION_HANDLE} to create a key."
533 ${TOOLSPATH}/${PREFIX}create \
536 -se0 ${AUTHSESSION_HANDLE} 1
537 if [ $?
-ne 0 ]; then
538 echo "Error: Could not create key using authsession"
541 echo "Successfully created key"
# test_hmac_context CREATE CHECK PREVIOUSSTATE
#   Create phase ($1 = 1): storage primary at 80000000, a keyed-hash (-kh)
#   child key whose private/public blobs are written to HKEYPRIV/HKEYPUB
#   (the checked-in test data directory), loaded at 80000001; hmacstart
#   yields sequence handle 80000002 and one update with "123" is made.
#   Check phase ($2 = 1): complete the HMAC sequence with "456" and look for
#   the byte fragment " 6e 40 33 1a" in the last four lines of the output.
#   Because the HMAC result depends on the key material inside the saved
#   state, the main flow runs the create phase only when regenerating the
#   golden data (it is commented out on lines 1121-1122 and 1177-1180) and
#   the check phase only on the checked-in tpm2state3c state.
#   NOTE(review): only a 4-byte fragment of the MAC is matched, not the full
#   expected value.  $3 previousstate is assigned but unused in the visible
#   text.  The 'local create/check' lines (546-548), the argument lines of
#   sequenceupdate/sequencecomplete (597-598, 612-613), the 'exit 1'/'fi'
#   lines and the closing brace are not in this listing.
545 function test_hmac_context
()
549 # whether we are using previous stored stated that had a different
550 # key and we have to use the old signature
551 local previousstate
="$3"
555 if [ $create -eq 1 ]; then
556 ${TOOLSPATH}/${PREFIX}createprimary
-hi o
-st > $TMPFILE
557 if [ $?
-ne 0 ]; then
558 echo "Error: createprimary failed."
561 if [ -z "$(grep 80000000 $TMPFILE)" ]; then
562 echo "Error: createprimary did not result in expected handle 80000000"
# The key blobs are written into the repository's test data, not TPMDIR;
# rerunning the create phase therefore modifies checked-in files.
566 ${TOOLSPATH}/${PREFIX}create
-hp 80000000 -kh \
567 -opr ${HKEYPRIV} -opu ${HKEYPUB} > $TMPFILE
568 if [ $?
-ne 0 ]; then
569 echo "Error: could not create key for HMAC"
573 ${TOOLSPATH}/${PREFIX}load
-hp 80000000 \
574 -ipr ${HKEYPRIV} -ipu ${HKEYPUB} -v > $TMPFILE
575 if [ $?
-ne 0 ]; then
576 echo "Error: could not load key for HMAC"
580 if [ -z "$(grep 80000001 $TMPFILE)" ]; then
581 echo "Error: load did not result in expected handle 80000001"
585 ${TOOLSPATH}/${PREFIX}hmacstart
-hk 80000001 > $TMPFILE
586 if [ $?
-ne 0 ]; then
587 echo "Error: could not start HMAC sequence"
590 if [ -z "$(grep 80000002 $TMPFILE)" ]; then
591 echo "Error: load did not result in expected handle 80000002"
595 echo -n "123" > ${TMP2FILE}
596 ${TOOLSPATH}/${PREFIX}sequenceupdate \
599 if [ $?
-ne 0 ]; then
600 echo "Error: Could not updated the HMAC sequence."
603 echo "Updated HMAC sequence."
# Check phase: the empty h80000002.bin is the TSS tool's per-handle
# bookkeeping file (see test_hash_context).  '$?' is not checked after the
# pipeline; the grep on the output is the only success criterion.
606 if [ $check -eq 1 ]; then
607 echo -n "456" > ${TMP2FILE}
609 echo "Completing previously started HMAC sequence"
610 touch $TPMDIR/h80000002.bin
611 ${TOOLSPATH}/${PREFIX}sequencecomplete \
614 tail -n 4 > ${TMPFILE}
615 if [ -z "$(grep " 6e
40 33 1a
" ${TMPFILE})" ]; then
616 echo "Error: Did not get expected result from completing HMAC sequence."
# test_primary_volatile_load CREATE CHECK PREVIOUSSTATE
#   Unlike test_primary this uses a transient primary key (handle 80000000,
#   never persisted) and checks that it survives a volatile-state save and
#   restore.
#   Create phase ($1 = 1): create the signing primary, sign "123" into
#   SIGFILE and verify that signature immediately.
#   Check phase ($2 = 1): the transient handle must still be listed by
#   getcapability and the signature must verify.  With previousstate = 0
#   the key additionally signs again into SIGFILE2 and the SHA-1 of both
#   signature files must match; this equality test only proves "same key"
#   if the signature scheme is deterministic (the scheme is not visible
#   here — TODO confirm).
#   $3 previousstate: 1 = running on the checked-in tpm2state3d state, so
#      the committed signature2.bin is used as the signature to verify.
#   The 'local create/check' lines (624-626), the -is argument lines (656,
#   681), the 'exit 1'/'fi' lines and the closing brace are not in this
#   listing.
623 function test_primary_volatile_load
()
627 # whether we are using previous stored stated that had a different
628 # key and we have to use the old signature
629 local previousstate
="$3"
633 if [ $create -eq 1 ]; then
634 # Create a permanent primary key that we expecte
635 # to again see after the TPM has been restarted
636 ${TOOLSPATH}/${PREFIX}createprimary
-hi o
-si > $TMPFILE
637 if [ $?
-ne 0 ]; then
638 echo "Error: createprimary failed."
641 if [ -z "$(grep 80000000 $TMPFILE)" ]; then
642 echo "Error: createprimary did not result in expected handle 80000000"
# Sign with the transient handle directly; no evictcontrol in this test.
646 echo -n "123" > $BINFILE
647 ${TOOLSPATH}/${PREFIX}sign -hk 80000000 -if ${BINFILE} -os ${SIGFILE} > $TMPFILE
648 if [ $?
-ne 0 ]; then
649 echo "Error: Could not create signature."
# Sanity check of the fresh signature before any state is saved.
654 printf "Verifying signature with this key (create phase)\n"
655 ${TOOLSPATH}/${PREFIX}verifysignature
-hk 80000000 \
657 -if ${BINFILE} > $TMPFILE
658 if [ $?
-ne 0 ]; then
659 echo "Verifying signature failed."
# Check phase: sigfile defaults to this run's signature and is switched to
# the committed one when the state came from the test data.
664 if [ $check -eq 1 ]; then
665 local sigfile
=${SIGFILE} hash1 hash2
667 if [ $previousstate -ne 0 ]; then
668 sigfile
=${TESTDIR}/data
/tpm2state3d
/signature2.bin
671 printf "Checking availability of key with handle 0x80000000\n"
672 ${TOOLSPATH}/${PREFIX}getcapability
-cap 1 -pr 0x80000000 >$TMPFILE
673 if [ -z "$(grep 80000000 $TMPFILE)" ]; then
674 echo "Could not find key with handle 0x80000000"
678 printf "Verifying signature with this key (check phase)\n"
679 echo -n "123" > $BINFILE
680 ${TOOLSPATH}/${PREFIX}verifysignature
-hk 80000000 \
682 -if ${BINFILE} > $TMPFILE
683 if [ $?
-ne 0 ]; then
684 echo "Verifying signature failed."
# Sign once more with the restored key and compare file hashes with the
# signature made before the save (get_sha1_file comes from a sourced file).
688 if [ $previousstate -eq 0 ]; then
689 ${TOOLSPATH}/${PREFIX}sign -hk 80000000 -if ${BINFILE} -os ${SIGFILE2} > $TMPFILE
690 if [ $?
-ne 0 ]; then
691 echo "Error: Could not create signature."
695 hash1
=$
(get_sha1_file
${SIGFILE})
696 hash2
=$
(get_sha1_file
${SIGFILE2})
697 if [ "${hash1}" != "${hash2}" ]; then
698 echo "Error: hashes of signatures are different. Loaded key may be different."
# test_external_key CREATE CHECK
#   Regression test for libtpms issue #195 (see the comment on lines
#   705-706).  Create phase ($1 = 1): generate an RSA 2048 key pair with
#   certtool (CERTTOOL is not assigned in the visible text), extract the
#   public part and load only the public key (-ipem PUBKEY) into the owner
#   hierarchy at 80000001; the private key stays in TPMDIR and is never
#   handed to the TPM.  Check phase ($2 = 1): a contextsave / flushcontext /
#   contextload cycle of the loaded key must succeed and yield handle
#   80000001 again.
#   NOTE(review): the two certtool invocations are not status-checked and
#   the first discards stderr (&>/dev/null); a missing or failing certtool
#   surfaces only as the later "loadexternal failed" message.
#   The 'local create/check' lines (708-711), the 'exit 1'/'fi' lines and
#   the closing brace are not in this listing.
705 # libtpms issue #195: Create an external key and load it into the TPM 2
706 # and do a context save/load cycle
707 function test_external_key
()
712 if [ $create -eq 1 ]; then
713 ${CERTTOOL} --generate-privkey --bits 2048 --outfile ${PRIVKEY} &>/dev
/null
714 ${CERTTOOL} --pubkey-info --load-privkey ${PRIVKEY} > ${PUBKEY}
715 $TOOLSPATH/${PREFIX}loadexternal
-hi o
-ipem ${PUBKEY} > $TMPFILE
716 if [ $?
-ne 0 ]; then
717 echo "Error: loadexternal failed."
720 if [ -z "$(grep 80000001 $TMPFILE)" ]; then
721 echo "Error: loadexternal did not result in expected handle 80000001"
# Check phase: save the object's context to a file, flush it, and reload it
# from that file.
726 if [ $check -eq 1 ]; then
727 $TOOLSPATH/${PREFIX}contextsave
-ha 80000001 -of ${PUBKEYCONTEXT}
728 if [ $?
-ne 0 ]; then
729 echo "Error: contextsave on loaded public key failed."
732 $TOOLSPATH/${PREFIX}flushcontext
-ha 80000001
733 $TOOLSPATH/${PREFIX}contextload
-if ${PUBKEYCONTEXT} > $TMPFILE
734 if [ $?
-ne 0 ]; then
735 echo "Error: contextload on context of public key failed."
738 if [ -z "$(grep 80000001 $TMPFILE)" ]; then
739 echo "Error: contextload did not result in expected handle 80000001"
# Main flow, run 1: fresh TPM, create phases, orderly shutdown.
# IBM TSS client configuration for every tool call below: raw command port
# on the loopback address (socsim interface) and the scratch directory as
# TPM_DATA_DIR so the tools' per-handle bookkeeping files land in TPMDIR.
# TPM_SESSION_ENCKEY is a fixed, test-only session encryption key (used
# "for sessions" per its trailing comment); it is not a secret of anything
# outside this test.
# NOTE(review): the command port is hard-coded, so two instances of this
# test (or any other test using port 65533) cannot run concurrently on one
# host; swtpm's bind address is left at its default since no bindaddr is
# given on the --server option below.
745 export TPM_SERVER_TYPE
=raw
746 export TPM_SERVER_NAME
=127.0.0.1
747 export TPM_INTERFACE_TYPE
=socsim
748 export TPM_COMMAND_PORT
=65533
749 export TPM_DATA_DIR
=$TPMDIR
750 export TPM_SESSION_ENCKEY
="807e2bfe898ddaed8fa6310e716a24dc" # for sessions
# Start swtpm in the background.  The '$SWTPM_EXE socket' line (752) and
# the assignment of SWTPM_TEST_SECCOMP_OPT are not shown; visible arguments:
# TCP command port, state directory, pid file, unixio control socket and
# log file (level 20), all under TPMDIR.  The process is stopped via the
# control socket below and signalled by cleanup on exit.
753 --server port
=${TPM_COMMAND_PORT} \
754 --tpmstate dir
=$TPMDIR \
755 --pid file=$PID_FILE \
756 --ctrl type=unixio
,path
=$SOCK_PATH \
757 --log file=$LOGFILE,level
=20 \
759 ${SWTPM_TEST_SECCOMP_OPT} &
# wait_for_file (sourced) apparently returns non-zero once the file exists:
# a zero status is treated as "pid file never appeared".
761 if wait_for_file
$PID_FILE 3; then
762 echo "Error: (1) Socket TPM did not write pidfile."
766 PID
="$(cat $PID_FILE)"
# Control channel: swtpm_ioctl -i is CMD_INIT (per the error text); stderr
# is captured so the failure message can include it.
769 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
770 if [ $?
-ne 0 ]; then
771 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
# TPM2_Startup(CLEAR), then the create phases.  The other test_* calls
# between lines 777 and 783 are not shown.
775 ${TOOLSPATH}/${PREFIX}startup
-c
776 if [ $?
-ne 0 ]; then
777 echo "Error: tpm_startup clear failed."
783 test_pcr_allocation
1 0 # can only check after reboot
# TPM2_Shutdown(CLEAR) followed by swtpm's CMD_SHUTDOWN over the control
# socket; the state written here is what run 2 restarts from.
786 ${TOOLSPATH}/${PREFIX}shutdown
-c
787 if [ $?
-ne 0 ]; then
788 echo "Error: tpm_shutdown clear failed."
794 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
795 if [ $?
-ne 0 ]; then
796 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
# Separator in the swtpm log so the runs can be told apart afterwards.
800 echo "============================" >> $LOGFILE
802 echo "TPM was shut down"
# The commented-out cp lines document how the checked-in tpm2state3 golden
# data (permanent state and signature) were captured from this run.
804 # Store this state for later usage
805 # cp $TPMDIR/tpm2-00.permall ${TESTDIR}/data/tpm2state3;
806 # cp $SIGFILE ${TESTDIR}/data/tpm2state3/signature.bin
# Run 2: restart swtpm on the state written by run 1 and run the check
# phases.  The '$SWTPM_EXE socket' line (811), the test_* calls between
# lines 839 and 845 other than test_pcr_allocation, and the 'exit 1'/'fi'
# lines are not shown.
808 #################################################################
809 # Run TPM2 with the created state and verify it's the same
812 --server port
=${TPM_COMMAND_PORT} \
813 --tpmstate dir
=$TPMDIR \
814 --pid file=$PID_FILE \
815 --ctrl type=unixio
,path
=$SOCK_PATH \
816 --log file=$LOGFILE,level
=20 \
818 ${SWTPM_TEST_SECCOMP_OPT} &
820 if wait_for_file
$PID_FILE 3; then
821 echo "Error: (2) Socket TPM did not write pidfile."
825 echo "TPM re-started"
827 PID
="$(cat $PID_FILE)"
# CMD_INIT loads the saved permanent state; TPM2_Startup(CLEAR) then makes
# the orderly/volatile effects (cleared orderly NV indices, new PCR
# allocation) observable to the check phases.
830 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
831 if [ $?
-ne 0 ]; then
832 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
836 ${TOOLSPATH}/${PREFIX}startup
-c
837 if [ $?
-ne 0 ]; then
838 echo "Error: tpm_startup clear failed."
845 test_pcr_allocation
0 1
848 ${TOOLSPATH}/${PREFIX}shutdown
-c
849 if [ $?
-ne 0 ]; then
850 echo "Error: tpm_shutdown clear failed."
856 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
857 if [ $?
-ne 0 ]; then
858 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
862 echo "============================" >> $LOGFILE
864 echo "TPM was shut down"
# Run 3: overwrite the permanent state with the checked-in tpm2state3
# golden file and run the check phases against it.  This is the test that
# guards the on-disk state format: the committed state must still load and
# yield the same keys/NV contents on the current swtpm/libtpms.  The
# '$SWTPM_EXE socket' line (872), the test_* calls between lines 900 and
# 906 other than test_pcr_allocation, and the 'exit 1'/'fi' lines are not
# shown.
866 #################################################################
867 # Run TPM2 with previously saved state and verify it's the same
870 cp -f ${TESTDIR}/data
/tpm2state
3/tpm2-00.permall
$TPMDIR/tpm2-00.permall
873 --server port
=${TPM_COMMAND_PORT} \
874 --tpmstate dir
=$TPMDIR \
875 --pid file=$PID_FILE \
876 --ctrl type=unixio
,path
=$SOCK_PATH \
877 --log file=$LOGFILE,level
=20 \
879 ${SWTPM_TEST_SECCOMP_OPT} &
881 if wait_for_file
$PID_FILE 3; then
882 echo "Error: (3) Socket TPM did not write pidfile."
886 echo "TPM started with previously generated state"
888 PID
="$(cat $PID_FILE)"
891 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
892 if [ $?
-ne 0 ]; then
893 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
897 ${TOOLSPATH}/${PREFIX}startup
-c
898 if [ $?
-ne 0 ]; then
899 echo "Error: tpm_startup clear failed."
906 test_pcr_allocation
0 1
909 ${TOOLSPATH}/${PREFIX}shutdown
-c
910 if [ $?
-ne 0 ]; then
911 echo "Error: tpm_shutdown clear failed."
917 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
918 if [ $?
-ne 0 ]; then
919 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
# Volatile-state test 1, create run: start swtpm, run the create phase of
# test_hash_context, store the volatile state (swtpm_ioctl -v, i.e.
# CMD_STORE_VOLATILE per the error text) and shut down.  The lines between
# 927 and 934 (presumably removing the old state and the '$SWTPM_EXE
# socket' line) and the 'exit 1'/'fi' lines are not shown.
# NOTE(review): the "(3)" tag in the pid-file error below is reused
# verbatim by every later start (lines 1005, 1055, 1101, 1163, 1213, 1258,
# 1321, 1369), so a failure log cannot tell which restart failed;
# numbering them as the first three starts are would make that locatable.
927 # Tests with volatile state
934 --server port
=${TPM_COMMAND_PORT} \
935 --tpmstate dir
=$TPMDIR \
936 --pid file=$PID_FILE \
937 --ctrl type=unixio
,path
=$SOCK_PATH \
938 --log file=$LOGFILE,level
=20 \
940 ${SWTPM_TEST_SECCOMP_OPT} &
942 if wait_for_file
$PID_FILE 3; then
943 echo "Error: (3) Socket TPM did not write pidfile."
947 PID
="$(cat $PID_FILE)"
950 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
951 if [ $?
-ne 0 ]; then
952 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
956 ${TOOLSPATH}/${PREFIX}startup
-c
957 if [ $?
-ne 0 ]; then
958 echo "Error: tpm_startup clear failed."
# Create phase only; the sequence handles stay in shell globals for the
# check phase in the next run.
964 test_hash_context
1 0
# Save the volatile state (open hash sequences included) before the
# TPM2_Shutdown, so the next run can resume from it.
966 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
967 if [ $?
-ne 0 ]; then
968 echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
972 ${TOOLSPATH}/${PREFIX}shutdown
-c
973 if [ $?
-ne 0 ]; then
974 echo "Error: tpm_shutdown clear failed."
980 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
981 if [ $?
-ne 0 ]; then
982 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
# Volatile-state test 1, restore run: restart on the stored volatile state
# and complete the hash sequences.  No TPM2_Startup is issued between
# CMD_INIT (line 1012) and the check phase (line 1019): the restored
# volatile state presumably resumes the TPM without one — confirm against
# swtpm's CMD_INIT semantics.  The commented-out cp lines document how the
# tpm2state3b golden data (permanent + volatile state and the two TSS
# per-handle files) were captured.  The '$SWTPM_EXE socket' line (995) and
# the 'exit 1'/'fi' lines are not shown.
986 #################################################################
987 # Run TPM2 with the saved volatile state
989 # create a backup for running the next test...
990 # cp $TPMDIR/tpm2-00.permall ${TESTDIR}/data/tpm2state3b/tpm2-00.permall
991 # cp $TPMDIR/tpm2-00.volatilestate ${TESTDIR}/data/tpm2state3b/tpm2-00.volatilestate
992 # cp $TPMDIR/h02000000.bin ${TESTDIR}/data/tpm2state3b/h02000000.bin
993 # cp $TPMDIR/h81000000.bin ${TESTDIR}/data/tpm2state3b/h81000000.bin
996 --server port
=${TPM_COMMAND_PORT} \
997 --tpmstate dir
=$TPMDIR \
998 --pid file=$PID_FILE \
999 --ctrl type=unixio
,path
=$SOCK_PATH \
1000 --log file=$LOGFILE,level
=20 \
1002 ${SWTPM_TEST_SECCOMP_OPT} &
1004 if wait_for_file
$PID_FILE 3; then
1005 echo "Error: (3) Socket TPM did not write pidfile."
1009 PID
="$(cat $PID_FILE)"
1012 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
1013 if [ $?
-ne 0 ]; then
1015 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
# Check phase: completes the sequences started in the previous run.
1019 test_hash_context
0 1
1022 ${TOOLSPATH}/${PREFIX}shutdown
-c
1023 if [ $?
-ne 0 ]; then
1024 echo "Error: tpm_shutdown clear failed."
1030 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
1031 if [ $?
-ne 0 ]; then
1032 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
# Volatile-state test 1 on the checked-in tpm2state3b golden data: copy the
# permanent state, the volatile state and the TSS per-handle files
# (h02000000.bin for the sequence handle, h81000000.bin for the persistent
# key) into TPMDIR, restart, and complete the sequences.  Because the
# SHA*_SEQUENCE_HANDLE globals were set earlier in this script run, the
# golden state must contain the same handles.  The rest of the comment on
# line 1037 (1038-1039), the '$SWTPM_EXE socket' line (1045) and the
# 'exit 1'/'fi' lines are not shown.
1036 #####################################################################
1037 # Run TPM2 with previously saved (volatile) state and verify it's
1040 cp -f ${TESTDIR}/data
/tpm2state3b
/tpm2-00.permall
$TPMDIR/tpm2-00.permall
1041 cp -f ${TESTDIR}/data
/tpm2state3b
/tpm2-00.volatilestate
$TPMDIR/tpm2-00.volatilestate
1042 cp -f ${TESTDIR}/data
/tpm2state3b
/h02000000.bin
$TPMDIR/h02000000.bin
1043 cp -f ${TESTDIR}/data
/tpm2state3b
/h81000000.bin
$TPMDIR/h81000000.bin
1046 --server port
=${TPM_COMMAND_PORT} \
1047 --tpmstate dir
=$TPMDIR \
1048 --pid file=$PID_FILE \
1049 --ctrl type=unixio
,path
=$SOCK_PATH \
1050 --log file=$LOGFILE,level
=20 \
1052 ${SWTPM_TEST_SECCOMP_OPT} &
1054 if wait_for_file
$PID_FILE 3; then
1055 echo "Error: (3) Socket TPM did not write pidfile."
1059 echo "TPM started with previously generated state"
1061 PID
="$(cat $PID_FILE)"
1064 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
1065 if [ $?
-ne 0 ]; then
1066 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
# Check phase on the golden volatile state; no TPM2_Startup here either.
1071 test_hash_context
0 1
# Only the control-socket shutdown is issued in this run (no TPM2_Shutdown
# between lines 1071 and 1075 is visible).
1075 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
1076 if [ $?
-ne 0 ]; then
1077 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
# Volatile-state test 2, create run.  The HMAC create phase is commented
# out because, per the comment on line 1121, the key it generates differs
# on every run; so this run only starts the TPM, stores the (volatile)
# state and shuts down.  The lines between 1085 and 1092 and the
# '$SWTPM_EXE socket' line (1091), plus the 'exit 1'/'fi' lines, are not
# shown.
1085 # Tests with volatile state -- 2nd test
1092 --server port
=${TPM_COMMAND_PORT} \
1093 --tpmstate dir
=$TPMDIR \
1094 --pid file=$PID_FILE \
1095 --ctrl type=unixio
,path
=$SOCK_PATH \
1096 --log file=$LOGFILE,level
=20 \
1098 ${SWTPM_TEST_SECCOMP_OPT} &
1100 if wait_for_file
$PID_FILE 3; then
1101 echo "Error: (3) Socket TPM did not write pidfile."
1105 PID
="$(cat $PID_FILE)"
1108 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
1109 if [ $?
-ne 0 ]; then
1110 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
1114 ${TOOLSPATH}/${PREFIX}startup
-c
1115 if [ $?
-ne 0 ]; then
1116 echo "Error: tpm_startup clear failed."
# Kept for regenerating the tpm2state3c golden data by hand.
1121 # we only run this to generate the AES key which is different every time...
1122 # test_hmac_context 1 0
1124 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
1125 if [ $?
-ne 0 ]; then
1126 echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
1130 ${TOOLSPATH}/${PREFIX}shutdown
-c
1131 if [ $?
-ne 0 ]; then
1132 echo "Error: tpm_shutdown clear failed."
1138 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
1139 if [ $?
-ne 0 ]; then
1140 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
# Volatile-state test 2, restore run: restart on the stored volatile state.
# The HMAC check phase is commented out for the reason given on lines
# 1177-1179 (the AES key, and therefore the MAC, differs per run), so this
# run only exercises the restore itself and then shuts down.  The
# commented-out cp lines document how the tpm2state3c golden data were
# captured.  The '$SWTPM_EXE socket' line (1153) and the 'exit 1'/'fi'
# lines are not shown.
1144 #################################################################
1145 # Run TPM2 with the saved volatile state
1147 # create a backup for running the next test...
1148 # cp $TPMDIR/tpm2-00.permall ${TESTDIR}/data/tpm2state3c/tpm2-00.permall
1149 # cp $TPMDIR/tpm2-00.volatilestate ${TESTDIR}/data/tpm2state3c/tpm2-00.volatilestate
1154 --server port
=${TPM_COMMAND_PORT} \
1155 --tpmstate dir
=$TPMDIR \
1156 --pid file=$PID_FILE \
1157 --ctrl type=unixio
,path
=$SOCK_PATH \
1158 --log file=$LOGFILE,level
=20 \
1160 ${SWTPM_TEST_SECCOMP_OPT} &
1162 if wait_for_file
$PID_FILE 3; then
1163 echo "Error: (3) Socket TPM did not write pidfile."
1167 PID
="$(cat $PID_FILE)"
1170 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
1171 if [ $?
-ne 0 ]; then
1173 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
1177 # since the AES key is different every time, we cannot run
1178 # the HMAC function that's using it since the result would
1179 # be different every time
1180 # test_hmac_context 0 1
1182 ${TOOLSPATH}/${PREFIX}shutdown
-c
1183 if [ $?
-ne 0 ]; then
1184 echo "Error: tpm_shutdown clear failed."
1190 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
1191 if [ $?
-ne 0 ]; then
1192 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
# Volatile-state test 2 on the checked-in tpm2state3c golden data: copy the
# volatile and permanent state into TPMDIR, restart, and run the HMAC check
# phase — the only place test_hmac_context is actually executed, since the
# expected MAC fragment in that function corresponds to the key inside this
# golden state.  The rest of the comment on line 1197, the '$SWTPM_EXE
# socket' line (1203) and the 'exit 1'/'fi' lines are not shown.
1196 #####################################################################
1197 # Run TPM2 with previously saved (volatile) state and verify it's
1200 cp -f ${TESTDIR}/data
/tpm2state3c
/tpm2-00.volatilestate
$TPMDIR/tpm2-00.volatilestate
1201 cp -f ${TESTDIR}/data
/tpm2state3c
/tpm2-00.permall
$TPMDIR/tpm2-00.permall
1204 --server port
=${TPM_COMMAND_PORT} \
1205 --tpmstate dir
=$TPMDIR \
1206 --pid file=$PID_FILE \
1207 --ctrl type=unixio
,path
=$SOCK_PATH \
1208 --log file=$LOGFILE,level
=20 \
1210 ${SWTPM_TEST_SECCOMP_OPT} &
1212 if wait_for_file
$PID_FILE 3; then
1213 echo "Error: (3) Socket TPM did not write pidfile."
1217 echo "TPM started with previously generated state"
1219 PID
="$(cat $PID_FILE)"
1222 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
1223 if [ $?
-ne 0 ]; then
1224 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
# Check phase only; no TPM2_Startup is issued after CMD_INIT.
1228 test_hmac_context
0 1
1231 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
1232 if [ $?
-ne 0 ]; then
1233 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
# Volatile-state test 3, create run: a transient primary key
# (test_primary_volatile_load, create only) and an externally generated
# public key (test_external_key, create and check in the same run) are
# loaded, then the volatile state is stored and the TPM shut down.  The
# lines between 1242 and 1249, the '$SWTPM_EXE socket' line (1248) and the
# 'exit 1'/'fi' lines are not shown.
1242 # Tests with volatile state -- 3rd test
1249 --server port
=${TPM_COMMAND_PORT} \
1250 --tpmstate dir
=$TPMDIR \
1251 --pid file=$PID_FILE \
1252 --ctrl type=unixio
,path
=$SOCK_PATH \
1253 --log file=$LOGFILE,level
=20 \
1255 ${SWTPM_TEST_SECCOMP_OPT} &
1257 if wait_for_file
$PID_FILE 3; then
1258 echo "Error: (3) Socket TPM did not write pidfile."
1262 PID
="$(cat $PID_FILE)"
1265 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
1266 if [ $?
-ne 0 ]; then
1267 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
1271 ${TOOLSPATH}/${PREFIX}startup
-c
1272 if [ $?
-ne 0 ]; then
1273 echo "Error: tpm_startup clear failed."
# Arguments: create=1 check=0 previousstate=0 / create=1 check=1.
1278 test_primary_volatile_load
1 0 0
1279 test_external_key
1 1
# Store volatile state with both transient objects loaded.
1281 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1)
1282 if [ $?
-ne 0 ]; then
1283 echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act"
1287 ${TOOLSPATH}/${PREFIX}shutdown
-c
1288 if [ $?
-ne 0 ]; then
1289 echo "Error: tpm_shutdown clear failed."
1295 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
1296 if [ $?
-ne 0 ]; then
1297 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
# Volatile-state test 3, restore run: restart on the stored volatile state
# and check that both transient objects (the signing primary at 80000000
# and the external public key at 80000001) were restored.  The
# commented-out cp lines document how the tpm2state3d golden data
# (including signature2.bin) were captured.  The '$SWTPM_EXE socket' line
# (1311) and the 'exit 1'/'fi' lines are not shown.
1301 #################################################################
1302 # Run TPM2 with the saved volatile state
1304 # create a backup for running the next test...
1305 # cp $TPMDIR/tpm2-00.volatilestate ${TESTDIR}/data/tpm2state3d/tpm2-00.volatilestate
1306 # cp $TPMDIR/tpm2-00.permall ${TESTDIR}/data/tpm2state3d/tpm2-00.permall
1307 # cp $SIGFILE ${TESTDIR}/data/tpm2state3d/signature2.bin
1312 --server port
=${TPM_COMMAND_PORT} \
1313 --tpmstate dir
=$TPMDIR \
1314 --pid file=$PID_FILE \
1315 --ctrl type=unixio
,path
=$SOCK_PATH \
1316 --log file=$LOGFILE,level
=20 \
1318 ${SWTPM_TEST_SECCOMP_OPT} &
1320 if wait_for_file
$PID_FILE 3; then
1321 echo "Error: (3) Socket TPM did not write pidfile."
1325 PID
="$(cat $PID_FILE)"
1328 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
1329 if [ $?
-ne 0 ]; then
1331 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
# Check phases with previousstate=0: the restored key re-signs and the two
# signature files are compared by hash.
1335 test_primary_volatile_load
0 1 0
1336 test_external_key
0 1
1338 ${TOOLSPATH}/${PREFIX}shutdown
-c
1339 if [ $?
-ne 0 ]; then
1340 echo "Error: tpm_shutdown clear failed."
1346 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
1347 if [ $?
-ne 0 ]; then
1348 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"
# Volatile-state test 3 on the checked-in tpm2state3d golden data: copy
# permanent and volatile state into TPMDIR, restart, and run the check
# phases with previousstate=1 (the committed signature2.bin is verified
# instead of a signature from this run).  test_nvram_state is then run in
# both phases in one go purely for coverage (comment on line 1386), and
# TPM2_Clear is issued with platform authorization (-hi p), which
# invalidates the owner-hierarchy objects created above.  The rest of the
# comment on line 1353, the '$SWTPM_EXE socket' line (1359), the
# 'exit 1'/'fi' lines and everything after line 1399 (final status/exit)
# are not in this listing.
1352 #####################################################################
1353 # Run TPM2 with previously saved (volatile) state and verify it's
1356 cp -f ${TESTDIR}/data
/tpm2state3d
/tpm2-00.permall
$TPMDIR/tpm2-00.permall
1357 cp -f ${TESTDIR}/data
/tpm2state3d
/tpm2-00.volatilestate
$TPMDIR/tpm2-00.volatilestate
1360 --server port
=${TPM_COMMAND_PORT} \
1361 --tpmstate dir
=$TPMDIR \
1362 --pid file=$PID_FILE \
1363 --ctrl type=unixio
,path
=$SOCK_PATH \
1364 --log file=$LOGFILE,level
=20 \
1366 ${SWTPM_TEST_SECCOMP_OPT} &
1368 if wait_for_file
$PID_FILE 3; then
1369 echo "Error: (3) Socket TPM did not write pidfile."
1373 echo "TPM started with previously generated state"
1375 PID
="$(cat $PID_FILE)"
1378 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1)
1379 if [ $?
-ne 0 ]; then
1380 echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act"
# create=0 check=1 previousstate=1 / create=0 check=1.
1384 test_primary_volatile_load
0 1 1
1385 test_external_key
0 1
1386 # Create the orderly nv indices and have them cleared (for coverage)
1387 test_nvram_state
1 1
# TPM2_Clear under the platform hierarchy; its success is checked, the
# cleared state is not inspected further here.
1389 ${TOOLSPATH}/${PREFIX}clear -hi p
1390 if [ $?
-ne 0 ]; then
1391 echo "Error: clear failed."
1397 act
=$
($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1)
1398 if [ $?
-ne 0 ]; then
1399 echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act"