#!/usr/bin/env bash # For the license, see the LICENSE file in the root directory. if [ -e /run/lock/sbuild ]; then echo "building in sbuild, avoid potential (unshare) problematic test" exit 77 fi ROOT=${abs_top_builddir:-$(dirname "$0")/..} TESTDIR=${abs_top_testdir:-$(dirname "$0")} SWTPM=swtpm SWTPM_EXE=${SWTPM_EXE:-$ROOT/src/swtpm/$SWTPM} SWTPM_IOCTL=${SWTPM_IOCTL:-$ROOT/src/swtpm_ioctl/swtpm_ioctl} TPMDIR="$(mktemp -d)" || exit 1 PID_FILE=$TPMDIR/${SWTPM}.pid SOCK_PATH=$TPMDIR/sock CMD_PATH=$TPMDIR/cmd RESP_PATH=$TPMDIR/resp VOLATILESTATE=$TPMDIR/volatile source ${TESTDIR}/common skip_test_no_chardev "${SWTPM_EXE}" skip_test_no_tpm12 "${SWTPM_EXE}" trap "cleanup" SIGTERM EXIT function cleanup() { rm -rf $TPMDIR if [ -n "$PID" ]; then kill_quiet -SIGTERM $PID 2>/dev/null fi } # Test 1: test the control channel on the chardev tpm # use a pseudo terminal exec 100<>/dev/ptmx $SWTPM_EXE chardev \ --fd 100 \ --tpmstate dir=$TPMDIR \ --pid file=$PID_FILE \ --ctrl type=unixio,path=$SOCK_PATH \ --daemon \ ${SWTPM_TEST_SECCOMP_OPT} if [ ! -f $PID_FILE ]; then echo "Error: Chardev TPM did not write pidfile." exit 1 fi PID=$(cat "$PID_FILE") # Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01 act=$($SWTPM_IOCTL --unix $SOCK_PATH -c 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_GET_CAPABILITY failed: $act" exit 1 fi exp="ptm capability is 0x([[:xdigit:]]+)" if ! [[ "$act" =~ ^${exp}$ ]]; then echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'." exit 1 fi # Send TPM_Init to the TPM: CMD_INIT = 0x00 00 00 02 + flags act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act" exit 1 fi # Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a act=$($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act" exit 1 fi if [ ! -r $TPMDIR/tpm-00.volatilestate ]; then echo "Error: Socket TPM: Did not write volatile state file" exit 1 fi # Send stop command to the TPM: CMD_STOP = 00 00 00 0e act=$($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act" exit 1 fi # Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0f act=$($SWTPM_IOCTL --unix $SOCK_PATH -g 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_GET_CONFIG failed: $act" exit 1 fi exp="ptm configuration flags: 0x([[:xdigit:]]+)" if ! [[ "$act" =~ ^${exp}$ ]]; then echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'." exit 1 fi # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03 act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act" exit 1 fi if wait_file_gone $PID_FILE 2; then echo "Error: TPM should have removed PID file by now." exit 1 fi if wait_process_gone ${PID} 4; then echo "Error: TPM should not be running anymore." exit 1 fi echo "OK" # Test 2: test the control channel on the socket tpm # There are a few more tests here that require sending commands to the TPM BINDADDR="127.0.0.1" case $(uname -s) in Linux*) # make sure IPv6 is available ip -6 addr show lo | grep -q " ::1/128" && BINDADDR="::1" ;; esac # use a pseudo terminal $SWTPM_EXE socket \ --server port=65431,disconnect=true,bindaddr=$BINDADDR \ --tpmstate dir=$TPMDIR \ --pid file=$PID_FILE \ --ctrl type=unixio,path=$SOCK_PATH \ ${SWTPM_TEST_SECCOMP_OPT} & PID=$! if wait_for_file $PID_FILE 3; then echo "Error: Socket TPM did not write pidfile." exit 1 fi validate_pidfile $PID $PID_FILE # Get the capability bits: CMD_GET_CAPABILITY = 0x00 00 00 01 act=$($SWTPM_IOCTL --unix $SOCK_PATH -c 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_GET_CAPABILITY failed: $act" exit 1 fi exp="ptm capability is 0x([[:xdigit:]]+)" if ! [[ "$act" =~ ^${exp}$ ]]; then echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'." exit 1 fi # Send TPM_Init to the TPM: CMD_INIT = 0x00 00 00 02 + flags act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act" exit 1 fi # Startup the TPM msg=$($SWTPM_BIOS --tcp ${BINDADDR}:65431 -o 2>&1) if [ $? -ne 0 ]; then echo "Error: Failed to startup TPM: $msg" exit 1 fi # Save the volatile state: CMD_STORE_VOLATILE = 0x00 00 00 0a act=$($SWTPM_IOCTL --unix $SOCK_PATH -v 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_STORE_VOLATILE failed: $act" exit 1 fi if [ ! -r $TPMDIR/tpm-00.volatilestate ]; then echo "Error: Socket TPM: Did not write volatile state file" exit 1 fi # 1. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04 act=$($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act" exit 1 fi exp="tpmEstablished is 0" if [ "$act" != "$exp" ]; then echo "Error: Expected '$exp' but got '$act'." exit 1 fi # 2. Hash the given data data="a" while [ ${#data} -lt $((0x2000)) ]; do data="${data}${data}" done act=$($SWTPM_IOCTL --unix $SOCK_PATH -h $data 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL data hashing failed: $act" exit 1 fi # 3. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04 act=$($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act" exit 1 fi exp="tpmEstablished is 1" if [ "$act" != "$exp" ]; then echo "Error: Expected '$exp' but got '$act'." exit 1 fi # 4. Send command to reset TPM established flag: CMD_RESET_TPMESTABLISHED = 00 00 00 0b 03 act=$($SWTPM_IOCTL --unix $SOCK_PATH -r 3 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_RESET_TPMESTABLISHED failed: $act" exit 1 fi # 5. Send command to get TPM established flag: CMD_GET_TPMESTABLISHED = 00 00 00 04 act=$($SWTPM_IOCTL --unix $SOCK_PATH -e 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_GET_TPMESTABLISHED failed: $act" exit 1 fi exp="tpmEstablished is 0" if [ "$act" != "$exp" ]; then echo "Error: Expected '$exp' but got '$act'." exit 1 fi # Read PCR 17 exec 100<>/dev/tcp/${BINDADDR}/65431 echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x11' >&100 RES=$(cat <&100 | od -t x1 -A n | tr -d "\n") exp=' 00 c4 00 00 00 1e 00 00 00 00 f9 87 3e 96 6b 9e 46 c8 45 46 2d 1f f2 52 eb cc c1 9b df fd' if [ "$RES" != "$exp" ]; then echo "Error: (1) Did not get expected result from TPM_PCRRead(17)" echo "expected: $exp" echo "received: $RES" exit 1 fi # Get the volatile state of the TPM: CMD_GET_STATEBLOB = 00 00 00 0c act=$($SWTPM_IOCTL --unix $SOCK_PATH --save volatile $VOLATILESTATE 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_GET_STATEBLOB failed: $act" exit 1 fi # Send stop command to the TPM: CMD_STOP = 00 00 00 0e act=$($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act" exit 1 fi # Read PCR 17 -- should fail now exec 100<>/dev/tcp/${BINDADDR}/65431 echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x11' >&100 RES=$(cat <&100 | od -t x1 -A n | tr -d "\n") exp=' 00 c4 00 00 00 0a 00 00 00 09' if [ "$RES" != "$exp" ]; then echo "Error: (1) Did not get expected result from TPM_PCRRead(17)" echo "expected: $exp" echo "received: $RES" exit 1 fi # Send get config command to the TPM: CMD_GET_CONFIG = 00 00 00 0f act=$($SWTPM_IOCTL --unix $SOCK_PATH -g 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_GET_CONFIG failed: $act" exit 1 fi exp="ptm configuration flags: 0x([[:xdigit:]]+)" if ! [[ "$act" =~ ^${exp}$ ]]; then echo "Error: Expected string following regular expression '$exp' from ioctl tool but got '$act'." exit 1 fi # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03 act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act" exit 1 fi if wait_file_gone $PID_FILE 2; then echo "Error: TPM should have removed PID file by now." exit 1 fi if wait_process_gone ${PID} 4; then echo "Error: Socket TPM should not be running anymore." exit 1 fi echo "OK" # Test 3: test the control channel on the socket tpm: resume encrypted state # copy all the state files cp ${TESTDIR}/data/tpmstate2/* ${TPMDIR} $SWTPM_EXE socket \ --server port=65431,disconnect=true \ --tpmstate dir=$TPMDIR \ --pid file=$PID_FILE \ --ctrl type=unixio,path=$SOCK_PATH \ --key pwdfile=${TESTDIR}/data/tpmstate2/pwdfile.txt,kdf=sha512 \ --flags not-need-init \ ${SWTPM_TEST_SECCOMP_OPT} & PID=$! if wait_for_file $PID_FILE 3; then echo "Error: Socket TPM did not write pidfile." exit 1 fi validate_pidfile $PID $PID_FILE # Read PCR 10 exec 100<>/dev/tcp/localhost/65431 echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100 RES=$(cat <&100 | od -t x1 -A n -w128) exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5' if [ "$RES" != "$exp" ]; then echo "Error: (1) Did not get expected result from TPM_PCRRead(10)" echo "expected: $exp" echo "received: $RES" exit 1 fi # Get the volatile state of the TPM: CMD_GET_STATEBLOB = 00 00 00 0c rm -f $VOLATILESTATE act=$($SWTPM_IOCTL --unix $SOCK_PATH --save volatile $VOLATILESTATE 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_GET_STATEBLOB failed: $act" exit 1 fi # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03 act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act" exit 1 fi if wait_file_gone $PID_FILE 2; then echo "Error: TPM should have removed PID file by now." exit 1 fi if wait_process_gone ${PID} 4; then echo "Error: Socket TPM should not be running anymore." exit 1 fi # remove volatile state rm -f $TPMDIR/*.volatilestate $SWTPM_EXE socket \ --server port=65431,disconnect=true \ --tpmstate dir=$TPMDIR \ --pid file=$PID_FILE \ --ctrl type=unixio,path=$SOCK_PATH \ --key pwdfile=${TESTDIR}/data/tpmstate2/pwdfile.txt,kdf=sha512 \ --flags not-need-init \ ${SWTPM_TEST_SECCOMP_OPT} & PID=$! if wait_for_file $PID_FILE 3; then echo "Error: Socket TPM did not write pidfile." exit 1 fi validate_pidfile $PID $PID_FILE # Read PCR 10 -- this should fail now exec 100<>/dev/tcp/localhost/65431 echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100 RES=$(cat <&100 | od -t x1 -A n -w128) exp=' 00 c4 00 00 00 0a 00 00 00 26' if [ "$RES" != "$exp" ]; then echo "Error: (1) Did not get expected result from TPM_PCRRead(10)" echo "expected: $exp" echo "received: $RES" exit 1 fi # Send stop command to the TPM: CMD_STOP = 00 00 00 0e act=$($SWTPM_IOCTL --unix $SOCK_PATH --stop 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_STOP failed: $act" exit 1 fi # Send the volatile state to the TPM (while it is stopped) $SWTPM_IOCTL --unix $SOCK_PATH --load volatile $VOLATILESTATE #act=$($SWTPM_IOCTL --unix $SOCK_PATH --load volatile $VOLATILESTATE 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_SET_STATEBLOB failed: $act" exit 1 fi # Send init command to the TPM: CMD_INIT = 00 00 00 02 act=$($SWTPM_IOCTL --unix $SOCK_PATH -i 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_INIT failed: $act" exit 1 fi # Read PCR 10 -- has to return same result as before exec 100<>/dev/tcp/localhost/65431 echo -en '\x00\xC1\x00\x00\x00\x0E\x00\x00\x00\x15\x00\x00\x00\x0a' >&100 RES=$(cat <&100 | od -t x1 -A n -w128) exp=' 00 c4 00 00 00 1e 00 00 00 00 c7 8a 6e 94 c7 3c 4d 7f c3 05 c8 a6 6b bf 15 45 f4 ed b7 a5' if [ "$RES" != "$exp" ]; then echo "Error: (1) Did not get expected result from TPM_PCRRead(10)" echo "expected: $exp" echo "received: $RES" exit 1 fi # Reset PCR 20 while in locality 0 -- should not work exec 100<>/dev/tcp/localhost/65431 echo -en '\x00\xC1\x00\x00\x00\x0F\x00\x00\x00\xC8\x00\x03\x00\x00\x10' >&100 RES=$(cat <&100 | od -t x1 -A n) exp=' 00 c4 00 00 00 0a 00 00 00 33' if [ "$RES" != "$exp" ]; then echo "Error: Trying to reset PCR 20 in locality 0 returned unexpected result" echo "expected: $exp" echo "received: $RES" exit 1 fi # In locality 2 we can reset PCR 20 # Set the locality on the TPM: CMD_SET_LOCALITY = 00 00 00 05 act=$($SWTPM_IOCTL --unix $SOCK_PATH -l 2 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_SET_LOCALITY failed: $act" exit 1 fi # Reset PCR 20 while in locality 2 -- has to work exec 100<>/dev/tcp/localhost/65431 echo -en '\x00\xC1\x00\x00\x00\x0F\x00\x00\x00\xC8\x00\x03\x00\x00\x10' >&100 RES=$(cat <&100 | od -t x1 -A n) exp=' 00 c4 00 00 00 0a 00 00 00 00' if [ "$RES" != "$exp" ]; then echo "Error: Could not reset PCR 20 in locality 2" echo "expected: $exp" echo "received: $RES" exit 1 fi # Send shutdown command to the TPM: CMD_SHUTDOWN = 00 00 00 03 act=$($SWTPM_IOCTL --unix $SOCK_PATH -s 2>&1) if [ $? -ne 0 ]; then echo "Error: $SWTPM_IOCTL CMD_SHUTDOWN failed: $act" exit 1 fi if wait_file_gone $PID_FILE 2; then echo "Error: TPM should have removed PID file by now." exit 1 fi if wait_process_gone ${PID} 4; then echo "Error: Socket TPM should not be running anymore." exit 1 fi echo "OK" exit 0