]> git.proxmox.com Git - swtpm.git/blob - tests/test_tpm2_swtpm_setup_create_cert
projects / swtpm.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
swtpm_setup: Add support for --reconfigure flag to change active PCR banks
[swtpm.git] / tests / test_tpm2_swtpm_setup_create_cert
1 #!/usr/bin/env bash
2
3 # For the license, see the LICENSE file in the root directory.
4
5 TOPBUILD=${abs_top_builddir:-$(dirname "$0")/..}
6 TOPSRC=${abs_top_srcdir:-$(dirname "$0")/..}
7 ROOT=${abs_top_builddir:-$(dirname "$0")/..}
8 TESTDIR=${abs_top_testdir:-$(dirname "$0")}
9
10 source ${TESTDIR}/common
11 skip_test_no_tpm20 "${SWTPM_EXE}"
12
13 SWTPM_LOCALCA=${TOPBUILD}/src/swtpm_localca/swtpm_localca
14
15 workdir="$(mktemp -d "/tmp/path with spaces.XXXXXX")" || exit 1
16
17 SIGNINGKEY=${workdir}/signingkey.pem
18 ISSUERCERT=${workdir}/issuercert.pem
19 CERTSERIAL=${workdir}/certserial
20 USER_CERTSDIR=${workdir}/mycerts
21 mkdir -p "${USER_CERTSDIR}"
22
23 PATH=${TOPBUILD}/src/swtpm_bios:$PATH
24
25 trap "cleanup" SIGTERM EXIT
26
27 function cleanup()
28 {
29 rm -rf "${workdir}"
30 }
31
32 # We want swtpm_cert to use the local CA and see that the
33 # local CA script automatically creates a signingkey and
34 # self-signed certificate
35
36 cat <<_EOF_ > "${workdir}/swtpm-localca.conf"
37 statedir=${workdir}
38 signingkey = ${SIGNINGKEY}
39 issuercert = ${ISSUERCERT}
40 certserial = ${CERTSERIAL}
41 _EOF_
42
43 cat <<_EOF_ > "${workdir}/swtpm-localca.options"
44 --tpm-manufacturer IBM
45 --tpm-model swtpm-libtpms
46 --tpm-version 2
47 --platform-manufacturer "Fedora XYZ"
48 --platform-version 2.1
49 --platform-model "QEMU A.B"
50 _EOF_
51
52 export MY_SWTPM_LOCALCA="${SWTPM_LOCALCA}"
53
54 cat <<_EOF_ > "${workdir}/swtpm_setup.conf"
55 create_certs_tool=\${MY_SWTPM_LOCALCA}
56 create_certs_tool_config=${workdir}/swtpm-localca.conf
57 create_certs_tool_options=${workdir}/swtpm-localca.options
58 _EOF_
59
60 # We need to adapt the PATH so the correct swtpm_cert is picked
61 export PATH=${TOPBUILD}/src/swtpm_cert:${PATH}
62
63 keysizes="2048"
64 if [ -n "$($SWTPM_SETUP --tpm2 --print-capabilities |
65 grep tpm2-rsa-keysize-3072 )" ]; then
66 keysizes+=" 3072"
67 fi
68
69 for keysize in $(echo $keysizes); do
70 echo "Testing with RSA keysize $keysize"
71 # we need to create at least one cert: --create-ek-cert
72 $SWTPM_SETUP \
73 --tpm2 \
74 --allow-signing \
75 --tpm-state "${workdir}" \
76 --create-ek-cert \
77 --create-platform-cert \
78 --config "${workdir}/swtpm_setup.conf" \
79 --logfile "${workdir}/logfile" \
80 --tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
81 --rsa-keysize ${keysize} \
82 --overwrite \
83 --write-ek-cert-files "${USER_CERTSDIR}"
84
85 if [ $? -ne 0 ]; then
86 echo "Error: Could not run $SWTPM_SETUP."
87 echo "Logfile output:"
88 cat "${workdir}/logfile"
89 exit 1
90 fi
91
92 if [ ! -r "${SIGNINGKEY}" ]; then
93 echo "Error: Signingkey file ${SIGNINGKEY} was not created."
94 exit 1
95 fi
96
97 if [ ! -r "${ISSUERCERT}" ]; then
98 echo "Error: Issuer cert file ${ISSUERCERT} was not created."
99 exit 1
100 fi
101
102 if [ ! -r "${CERTSERIAL}" ]; then
103 echo "Error: Cert serial number file ${CERTSERIAL} was not created."
104 exit 1
105 fi
106
107 certfile="${USER_CERTSDIR}/ek-rsa${keysize}.crt"
108 if [ ! -f "${certfile}" ]; then
109 echo "Error: EK file '${certfile}' was not written."
110 ls -l "${USER_CERTSDIR}"
111 exit 1
112 fi
113
114 if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "${keysize} bits")" ]; then
115 echo "Error: EK file '${certfile}' is not an RSA ${keysize} bit key."
116 $CERTTOOL --inder --infile "${certfile}" -i
117 exit 1
118 fi
119
120 rm -rf "${SIGNINGKEY}" "${ISSUERCERT}" "${CERTSERIAL}" ${USER_CERTSDIR}/ek-*.crt
121 done
122
123 echo "Test 1: OK"
124
125 function swtpm_setup_reconfigure() {
126 local workdir="$1"
127 local pwdfile="$2"
128
129 # Reconfigure the active PCR banks a few times; the size of the state
130 # file must not change but its content (hash) must change every time
131 # since activating the PCR banks changes a few bits in the permanent
132 # state, also when the state is not encrypted.
133 local PERMALL_FILE="${workdir}/tpm2-00.permall"
134 local permall_size=$(get_filesize "${PERMALL_FILE}")
135
136 for pcrbanks in "sha1" "sha1,sha256" "sha1,sha256,sha384,sha512"; do
137 # hash must change between before and after
138 permall_hash=$(get_sha1_file "${PERMALL_FILE}")
139
140 $SWTPM_SETUP \
141 --tpm2 \
142 --tpm-state "${workdir}" \
143 --config "${workdir}/swtpm_setup.conf" \
144 --logfile "${workdir}/logfile" \
145 --tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
146 --pcr-banks "${pcrbanks}" \
147 --reconfigure \
148 ${pwdfile:+--pwdfile "${pwdfile}"}
149 if [ $? -ne 0 ]; then
150 echo "Error: Could not run $SWTPM_SETUP --reconfigure."
151 echo "Logfile output:"
152 cat "${workdir}/logfile"
153 exit 1
154 fi
155
156 local newhash=$(get_sha1_file "${PERMALL_FILE}")
157 if [ "${newhash}" = "${permall_hash}" ]; then
158 echo "Error: The hash of the permanent state did not change."
159 exit 1
160 fi
161
162 local newsize=$(get_filesize "${PERMALL_FILE}")
163 if [ "${newsize}" != "${permall_size}" ]; then
164 echo "Error: The size of the permanent state file changed."
165 echo "Actual : ${tmp}"
166 echo "Expected: ${permall_size}"
167 fi
168 echo "Filesize: ${newsize}; hash: ${newhash}; pwdfile: ${pwdfile}"
169 done
170 }
171
172 # Create with certificates with and without encryption enabled and reconfigure
173 # the PCR banks
174 PWDFILE="${workdir}/pwd"
175 echo -n "password" > "${PWDFILE}"
176 rm -f "${workdir}/logfile"
177
178 for pwdfile in "" "${PWDFILE}"; do
179 $SWTPM_SETUP \
180 --tpm2 \
181 --ecc \
182 --tpm-state "${workdir}" \
183 --create-ek-cert \
184 --create-platform-cert \
185 --config "${workdir}/swtpm_setup.conf" \
186 --logfile "${workdir}/logfile" \
187 --tpm "${SWTPM_EXE} socket ${SWTPM_TEST_SECCOMP_OPT}" \
188 --overwrite \
189 --write-ek-cert-files "${workdir}" \
190 ${pwdfile:+--pwdfile "${pwdfile}"}
191
192 if [ $? -ne 0 ]; then
193 echo "Error: Could not run $SWTPM_SETUP."
194 echo "Logfile output:"
195 cat "${workdir}/logfile"
196 exit 1
197 fi
198
199 if [ ! -r "${SIGNINGKEY}" ]; then
200 echo "Error: Signingkey file ${SIGNINGKEY} was not created."
201 exit 1
202 fi
203
204 if [ ! -r "${ISSUERCERT}" ]; then
205 echo "Error: Issuer cert file ${ISSUERCERT} was not created."
206 exit 1
207 fi
208
209 if [ ! -r "${CERTSERIAL}" ]; then
210 echo "Error: Cert serial number file ${CERTSERIAL} was not created."
211 exit 1
212 fi
213
214 certfile="${workdir}/ek-secp384r1.crt"
215 if [ ! -f "${certfile}" ]; then
216 echo "Error: EK file '${certfile}' was not written."
217 ls -l "${workdir}"
218 exit 1
219 fi
220
221 if [ -z "$($CERTTOOL --inder --infile "${certfile}" -i | grep "384 bits")" ]; then
222 echo "Error: EK file '${certfile}' is not an ECC 384 bit key."
223 $CERTTOOL --inder --infile "${certfile}" -i
224 exit 1
225 fi
226
227 swtpm_setup_reconfigure "${workdir}" "${pwdfile}"
228 done
229
230 echo "Test 2: OK"
231
232 exit 0
Software TPM used for PVE's Virtual Machines