On 12/19/24 3:12 AM, Gary Lin wrote:
Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is
replaced with one 'grub-protect' command to simplify the test script.
Two more NV index test cases are also added to test key sealing and
unsealing with the NV index handle 0x1000000.
Signed-off-by: Gary Lin <g...@suse.com>
---
tests/tpm2_key_protector_test.in | 151 ++++++++++---------------------
1 file changed, 48 insertions(+), 103 deletions(-)
diff --git a/tests/tpm2_key_protector_test.in b/tests/tpm2_key_protector_test.in
index a92e5f498..9e808f019 100644
--- a/tests/tpm2_key_protector_test.in
+++ b/tests/tpm2_key_protector_test.in
@@ -225,112 +225,45 @@ EOF
fi
}
-tpm2_seal_nv () {
- keyfile="$1"
- nv_index="$2"
- pcr_list="$3"
-
- primary_file=${tpm2testdir}/primary.ctx
- session_file=${tpm2testdir}/session.dat
- policy_file=${tpm2testdir}/policy.dat
- keypub_file=${tpm2testdir}/key.pub
- keypriv_file=${tpm2testdir}/key.priv
- name_file=${tpm2testdir}/sealing.name
- sealing_ctx_file=${tpm2testdir}/sealing.ctx
-
- # Since we don't run a resource manager on our swtpm instance, it has
- # to flush the transient handles after tpm2_createprimary, tpm2_create
- # and tpm2_load to avoid the potential out-of-memory (0x902) errors.
- # Ref:
https://github.com/tpm2-software/tpm2-tools/issues/1338#issuecomment-469689398
-
- # Create the primary object
- tpm2_createprimary -Q -C o -g sha256 -G ecc -c "${primary_file}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to create the primary object: ${ret}" >&2
- return 1
- fi
- tpm2_flushcontext -t || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to flush the transient handles: ${ret}" >&2
- return 1
- fi
-
- # Create the policy object
- tpm2_startauthsession -S "${session_file}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to start auth session: ${ret}" >&2
- return 1
- fi
- tpm2_policypcr -Q -S "${session_file}" -l "${pcr_list}" -L
"${policy_file}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to create the policy object: ${ret}" >&2
- return 1
- fi
- tpm2_flushcontext "${session_file}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to flush the transient handles: ${ret}" >&2
- return 1
- fi
+tpm2_seal_unseal_nv() {
+ handle_type="$1"
+ key_type="$2"
- # Seal the key into TPM
- tpm2_create -Q \
- -C "${primary_file}" \
- -u "${keypub_file}" \
- -r "${keypriv_file}" \
- -L "${policy_file}" \
- -i "${keyfile}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to seal \"${keyfile}\": ${ret}" >&2
- return 1
- fi
- tpm2_flushcontext -t || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to flush the transient handles: ${ret}" >&2
- return 1
- fi
+ extra_opt=""
+ extra_grub_opt=""
- tpm2_load -Q \
- -C "${primary_file}" \
- -u "${keypub_file}" \
- -r "${keypriv_file}" \
- -n "${name_file}" \
- -c "${sealing_ctx_file}" || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to load the sealed key into TPM: ${ret}" >&2
- return 1
- fi
- tpm2_flushcontext -t || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to flush the transient handles: ${ret}" >&2
- return 1
+ if [ "$handle_type" == "nvindex" ]; then
+ nv_index="0x1000000"
+ else
+ nv_index="0x81000000"
fi
- tpm2_evictcontrol -Q -C o -c "${sealing_ctx_file}" ${nv_index} || ret=$?
- if [ "${ret}" -ne 0 ]; then
- echo "Failed to store the sealed key into ${nv_index}: ${ret}" >&2
- return 1
+ if [ "$key_type" == "tpm2key" ]; then
+ extra_opt="--tpm2key"
+ else
+ extra_grub_opt="--pcrs=0,1"
fi
- return 0
-}
-
-tpm2_seal_unseal_nv() {
- nv_index="0x81000000"
- pcr_list="sha256:0,1"
-
grub_cfg=${tpm2testdir}/testcase.cfg
# Seal the key into a NV index guarded by PCR 0 and 1
- tpm2_seal_nv "${lukskeyfile}" ${nv_index} ${pcr_list} || ret=$?
+ grub-protect ${extra_opt} \
+ --tpm2-device="${tpm2dev}" \
+ --action=add \
+ --protector=tpm2 \
+ --tpm2-bank=sha256 \
+ --tpm2-pcrs=0,1 \
+ --tpm2-keyfile="${lukskeyfile}" \
+ --tpm2-nvindex="${nv_index}" || ret=$?
if [ "${ret}" -ne 0 ]; then
- echo "Failed to seal the secret key into ${nv_index}" >&2
+ echo "Failed to seal the secret key into ${nv_index}: ${ret}" >&2
return 99
fi
# Write the TPM unsealing script
cat > ${grub_cfg} <<EOF
loopback luks (host)${luksfile}
-tpm2_key_protector_init --mode=nv --nvindex=${nv_index} --pcrs=0,1
+tpm2_key_protector_init --mode=nv --nvindex=${nv_index} ${extra_grub_opt}
if cryptomount -a --protector tpm2; then
cat (crypto0)+1
fi
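Review bot: The new tpm2_seal_unseal_nv() takes two positional selectors, handle_type and key_type, but nothing states which values are accepted, and any unrecognised value silently falls into the else branch (the persistent handle 0x81000000, or the raw-key path with `--pcrs=0,1`). A header comment above the function would close that gap, e.g. `# Usage: tpm2_seal_unseal_nv <persistent|nvindex> <raw|tpm2key>` followed by `# Seals ${lukskeyfile} with grub-protect into a persistent handle or an NV index and checks that GRUB can unseal it`. The comparisons on the handle_type and key_type lines use `==` inside single-bracket `[`, while the rest of this file sticks to POSIX test operators; `if [ "$handle_type" = "nvindex" ]; then` (and the same for key_type) would be consistent. The function's body continues past the end of the hunk.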
@@ -340,7 +273,12 @@ EOF
${grubshell} --timeout=${timeout} --emu-opts="-t ${tpm2dev}" < "${grub_cfg}" >
"${testoutput}" || ret=$?
# Remove the object from the NV index
- tpm2_evictcontrol -Q -C o -c "${nv_index}" || :
+ grub-protect \
+ --tpm2-device="${tpm2dev}" \
+ --protector=tpm2 \
+ --action=remove \
+ --tpm2-nvindex=${nv_index} \
+ --tpm2-evict || :
if [ "${ret}" -eq 0 ]; then
if ! grep -q "^${vtext}$" "${testoutput}"; then
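Review bot: The removal step at the `grub-protect --action=remove` call still discards its failure with `|| :`, and the same nv_index is now reused across iterations of the new nvtests loop (0x1000000 for both "nvindex" cases), so a sealed key left behind by a failed remove would presumably make the next `--action=add` on that index fail and be reported as that later test's failure. Logging the failure keeps the best-effort behaviour while making the cause visible: `--tpm2-evict || echo "Failed to remove the sealed key from ${nv_index}" >&2`. Also, `--tpm2-nvindex=${nv_index}` is unquoted here while the add call writes `--tpm2-nvindex="${nv_index}"`; both are safe for these literal values, but the two call sites should match. The enclosing function starts outside this hunk.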
@@ -366,24 +304,31 @@ srktests+=("ECC transient fallback_srk")
for i in "${!srktests[@]}"; do
tpm2_seal_unseal ${srktests[$i]} || ret=$?
Hm, due to the || : Once ret was set to '1' here all subsequent tests
will indicate failure since ret will never be set to 0 again.
You probably should do the following if you want to keep on running
tests and not exit ${ret} on first failure.
tpm2_seal_unseal ${srktests[$i]}
ret=$?
if [ "${ret}" -eq 0 ]; then
- echo "TPM2 [${srktests[$i]}]: PASS"
+ echo "TPM2 [SRK][${srktests[$i]}]: PASS"
elif [ "${ret}" -eq 1 ]; then
- echo "TPM2 [${srktests[$i]}]: FAIL"
+ echo "TPM2 [SRK][${srktests[$i]}]: FAIL"
else
echo "Unexpected failure [${srktests[$i]}]" >&2
exit ${ret}
fi
done
-# Testcase for NV index mode
-tpm2_seal_unseal_nv || ret=$?
-if [ "${ret}" -eq 0 ]; then
- echo "TPM2 [NV Index]: PASS"
-elif [ "${ret}" -eq 1 ]; then
- echo "TPM2 [NV Index]: FAIL"
-else
- echo "Unexpected failure [NV index]" >&2
- exit ${ret}
-fi
+# Testcases for NV index mode
+declare -a nvtests=()
+nvtests+=("persistent raw")
+nvtests+=("nvindex raw")
+nvtests+=("nvindex tpm2key")
+
+for i in "${!nvtests[@]}"; do
+ tpm2_seal_unseal_nv ${nvtests[$i]} || ret=$?
same here.
+ if [ "${ret}" -eq 0 ]; then
+ echo "TPM2 [NV Index][${nvtests[$i]}]: PASS"
+ elif [ "${ret}" -eq 1 ]; then
+ echo "TPM2 [NV Index][${nvtests[$i]}]: FAIL"
+ else
+ echo "Unexpected failure [NV index][${nvtests[$i]}]" >&2
+ exit ${ret}
+ fi
+done
exit 0
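Review bot: The call `tpm2_seal_unseal_nv ${nvtests[$i]}` relies on word-splitting the unquoted array element into the two positional parameters the function reads (handle_type and key_type), which a reader applying the usual quote-every-expansion rule would "fix" into a single argument and break. A short comment on the nvtests declaration would mark this as intentional, e.g. `# Each entry is "<handle_type> <key_type>"; expanded unquoted on purpose so it splits into two arguments`. The unexpected-failure message prints `[NV index]` while the PASS/FAIL lines print `[NV Index]`; the two labels should use the same capitalisation so the output can be grepped consistently.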