3 # For the license, see the LICENSE file in the root directory.
# --- Tree locations ----------------------------------------------------------
# Each variable honours the autotools value (abs_top_builddir, abs_top_srcdir,
# abs_top_testdir) and otherwise falls back to a path relative to this script.
5 TOPBUILD
=${abs_top_builddir:-$(dirname "$0")/..}
6 TOPSRC
=${abs_top_srcdir:-$(dirname "$0")/..}
7 ROOT
=${abs_top_builddir:-$(dirname "$0")/..}
8 TESTDIR
=${abs_top_testdir:-$(dirname "$0")}
# Shared helpers (skip_test_no_tpm20, get_filesize, get_sha1_file, cleanup, ...)
# come from the common file; they are not defined in this script.
# NOTE(review): ${TESTDIR} is unquoted here and would word-split if the test
# directory path contained spaces.
10 source ${TESTDIR}/common
# Abort early unless the swtpm under test supports TPM 2.0.
11 skip_test_no_tpm20
"${SWTPM_EXE}"
# The local CA script built in this tree; it is handed to swtpm_setup as
# create_certs_tool via the MY_SWTPM_LOCALCA environment variable below.
13 SWTPM_LOCALCA
=${TOPBUILD}/src
/swtpm_localca
/swtpm_localca
# Per-run work directory. The template intentionally contains spaces,
# presumably to surface quoting bugs in the tools under test. mktemp failure
# is fatal: there is nothing to clean up yet and later steps need the dir.
15 workdir
="$(mktemp -d "/tmp
/path with spaces.XXXXXX
")" ||
exit 1
# Artifacts the local CA is expected to create on first use (see the checks
# after swtpm_setup below), plus the directory for the written EK certs.
17 SIGNINGKEY
=${workdir}/signingkey.pem
18 ISSUERCERT
=${workdir}/issuercert.pem
19 CERTSERIAL
=${workdir}/certserial
20 USER_CERTSDIR
=${workdir}/mycerts
21 mkdir
-p "${USER_CERTSDIR}"
# Prefer the in-tree swtpm_bios over any system copy.
23 PATH
=${TOPBUILD}/src
/swtpm_bios
:$PATH
# cleanup (from the common file) removes the work directory on exit.
25 trap "cleanup" SIGTERM EXIT
# --- Local CA and swtpm_setup configuration ----------------------------------
# Three files are written into the work directory: the local CA config
# (key/cert/serial paths), the local CA option file (manufacturer/platform
# strings that end up in the certificates), and the swtpm_setup config that
# points swtpm_setup at the local CA via MY_SWTPM_LOCALCA. The heredoc
# terminators are not visible in this excerpt.
32 # We want swtpm_cert to use the local CA and see that the
33 # local CA script automatically creates a signingkey and
34 # self-signed certificate
36 cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
38 signingkey = ${SIGNINGKEY}
39 issuercert = ${ISSUERCERT}
40 certserial = ${CERTSERIAL}
43 cat <<_EOF_ > "${workdir}/swtpm-localca.options"
44 --tpm-manufacturer IBM
45 --tpm-model swtpm-libtpms
47 --platform-manufacturer "Fedora XYZ"
48 --platform-version 2.1
49 --platform-model "QEMU A.B"
52 export MY_SWTPM_LOCALCA
="${SWTPM_LOCALCA}"
54 cat <<_EOF_ > "${workdir}/swtpm_setup.conf"
55 create_certs_tool=\${MY_SWTPM_LOCALCA}
56 create_certs_tool_config=${workdir}/swtpm-localca.conf
57 create_certs_tool_options=${workdir}/swtpm-localca.options
60 # We need to adapt the PATH so the correct swtpm_cert is picked
61 export PATH
=${TOPBUILD}/src
/swtpm_cert
:${PATH}
# --- RSA EK certificate creation, per supported key size ---------------------
# Probe the capabilities of swtpm_setup for 3072-bit RSA support; the
# then/else branches that assign ${keysizes} are not in this excerpt.
64 if [ -n "$($SWTPM_SETUP --tpm2 --print-capabilities |
65 grep tpm2-rsa-keysize-3072 )" ]; then
# keysizes is set above (outside this excerpt); word-splitting via echo is
# what turns the space-separated list into loop items.
69 for keysize
in $
(echo $keysizes); do
70 echo "Testing with RSA keysize $keysize"
71 # we need to create at least one cert: --create-ek-cert
# Arguments of the $SWTPM_SETUP invocation; the command line itself and the
# leading options precede these continuation lines in the full script.
75 --tpm-state "${workdir}" \
77 --create-platform-cert \
78 --config "${workdir}/swtpm_setup.conf" \
79 --logfile "${workdir}/logfile" \
80 --tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
81 --rsa-keysize ${keysize} \
83 --write-ek-cert-files "${USER_CERTSDIR}"
# On failure, dump the swtpm_setup log so the CI output explains the error.
86 echo "Error: Could not run $SWTPM_SETUP."
87 echo "Logfile output:"
88 cat "${workdir}/logfile"
# The local CA must have created its key, self-signed cert and serial file
# on first use; each check has its own error message (exit lines not shown).
92 if [ ! -r "${SIGNINGKEY}" ]; then
93 echo "Error: Signingkey file ${SIGNINGKEY} was not created."
97 if [ ! -r "${ISSUERCERT}" ]; then
98 echo "Error: Issuer cert file ${ISSUERCERT} was not created."
102 if [ ! -r "${CERTSERIAL}" ]; then
103 echo "Error: Cert serial number file ${CERTSERIAL} was not created."
# The EK cert file name encodes the key size; verify it exists and that
# certtool reports a key of exactly that size.
107 certfile
="${USER_CERTSDIR}/ek-rsa${keysize}.crt"
108 if [ ! -f "${certfile}" ]; then
109 echo "Error: EK file '${certfile}' was not written."
110 ls -l "${USER_CERTSDIR}"
114 if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "${keysize} bits
")" ]; then
115 echo "Error: EK file '${certfile}' is not an RSA ${keysize} bit key."
116 $CERTTOOL --inder --infile "${certfile}" -i
# Reset the CA state so the next key size starts from an empty CA again.
# NOTE(review): ${USER_CERTSDIR}/ek-*.crt is unquoted; since the work dir
# deliberately contains spaces, this expansion word-splits into separate
# rm -rf operands (e.g. "/tmp/path" and "with") and the glob never matches
# the real directory. Quote the directory part: "${USER_CERTSDIR}"/ek-*.crt
120 rm -rf "${SIGNINGKEY}" "${ISSUERCERT}" "${CERTSERIAL}" ${USER_CERTSDIR}/ek-*.crt
#######################################
# Re-run swtpm_setup --reconfigure with several PCR bank selections and
# check the permanent state file each time.
# Arguments: called as swtpm_setup_reconfigure "${workdir}" "${pwdfile}";
#            the body below reads ${workdir} and ${pwdfile} (the lines that
#            would copy $1/$2 into them are not in this excerpt).
# Globals:   SWTPM_SETUP, SWTPM_EXE, SWTPM_TEST_SECCOMP_OPT (read)
# Outputs:   progress and error text to stdout, the logfile on failure
# Returns:   exits on error (exit lines not shown here)
#######################################
125 function swtpm_setup_reconfigure() {
129 # Reconfigure the active PCR banks a few times; the size of the state
130 # file must not change but its content (hash) must change every time
131 # since activating the PCR banks changes a few bits in the permanent
132 # state, also when the state is not encrypted.
133 local PERMALL_FILE="${workdir}/tpm2-00.permall
"
# Size is sampled once; it must stay constant across all reconfigurations.
# NOTE(review): "local v=$(cmd)" hides a non-zero status from get_filesize.
134 local permall_size=$(get_filesize "${PERMALL_FILE}")
136 for pcrbanks in "sha1
" "sha1
,sha256
" "sha1
,sha256
,sha384
,sha512
"; do
137 # hash must change between before and after
138 permall_hash=$(get_sha1_file "${PERMALL_FILE}")
# $SWTPM_SETUP --reconfigure invocation; the command line and leading
# options precede these continuation lines in the full script.
142 --tpm-state "${workdir}" \
143 --config "${workdir}/swtpm_setup.conf
" \
144 --logfile "${workdir}/logfile
" \
145 --tpm "${SWTPM_EXE} socket
${SWTPM_TEST_SECCOMP_OPT}" \
146 --pcr-banks "${pcrbanks}" \
148 ${pwdfile:+--pwdfile "${pwdfile}"}
149 if [ $? -ne 0 ]; then
150 echo "Error
: Could not run
$SWTPM_SETUP --reconfigure.
"
151 echo "Logfile output
:"
152 cat "${workdir}/logfile
"
# Activating a different PCR bank set must have changed the state content.
156 local newhash=$(get_sha1_file "${PERMALL_FILE}")
157 if [ "${newhash}" = "${permall_hash}" ]; then
158 echo "Error
: The
hash of the permanent state did not change.
"
# ...but it must not have changed the size of the state file.
162 local newsize=$(get_filesize "${PERMALL_FILE}")
163 if [ "${newsize}" != "${permall_size}" ]; then
164 echo "Error
: The size of the permanent state
file changed.
"
# NOTE(review): ${tmp} is never assigned in this function; the "Actual"
# value presumably should print ${newsize}.
165 echo "Actual
: ${tmp}"
166 echo "Expected
: ${permall_size}"
168 echo "Filesize
: ${newsize}; hash: ${newhash}; pwdfile: ${pwdfile}"
# --- ECC EK creation with and without state encryption, then reconfigure ----
172 # Create with certificates with and without encryption enabled and reconfigure
# Test-only password for the encrypted-state run; it lives in the mktemp
# work directory and is passed to swtpm_setup via --pwdfile.
174 PWDFILE="${workdir}/pwd"
175 echo -n "password
" > "${PWDFILE}"
176 rm -f "${workdir}/logfile
"
# First iteration: no password file (unencrypted state); second: encrypted.
178 for pwdfile in "" "${PWDFILE}"; do
# Arguments of the $SWTPM_SETUP invocation; the command line and leading
# options precede these continuation lines in the full script. The last
# argument expands to "--pwdfile <path>" only when ${pwdfile} is non-empty.
182 --tpm-state "${workdir}" \
184 --create-platform-cert \
185 --config "${workdir}/swtpm_setup.conf
" \
186 --logfile "${workdir}/logfile
" \
187 --tpm "${SWTPM_EXE} socket
${SWTPM_TEST_SECCOMP_OPT}" \
189 --write-ek-cert-files "${workdir}" \
190 ${pwdfile:+--pwdfile "${pwdfile}"}
192 if [ $? -ne 0 ]; then
193 echo "Error
: Could not run
$SWTPM_SETUP.
"
194 echo "Logfile output
:"
195 cat "${workdir}/logfile
"
# Same local CA artifact checks as in the RSA loop above.
199 if [ ! -r "${SIGNINGKEY}" ]; then
200 echo "Error
: Signingkey
file ${SIGNINGKEY} was not created.
"
204 if [ ! -r "${ISSUERCERT}" ]; then
205 echo "Error
: Issuer cert
file ${ISSUERCERT} was not created.
"
209 if [ ! -r "${CERTSERIAL}" ]; then
210 echo "Error
: Cert serial number
file ${CERTSERIAL} was not created.
"
# The ECC EK cert is written directly into the work directory; certtool
# must report a 384-bit key.
214 certfile="${workdir}/ek-secp384r1.crt
"
215 if [ ! -f "${certfile}" ]; then
216 echo "Error
: EK
file '${certfile}' was not written.
"
221 if [ -z "$
($CERTTOOL --inder --infile "${certfile}" -i |
grep "384 bits")" ]; then
222 echo "Error
: EK
file '${certfile}' is not an ECC
384 bit key.
"
223 $CERTTOOL --inder --infile "${certfile}" -i
# Exercise --reconfigure on the state just created (encrypted or not).
227 swtpm_setup_reconfigure "${workdir}" "${pwdfile}"