On Mon, 13 Jan 2025 11:07:12 +0800
Gary Lin via Grub-devel <grub-devel@gnu.org> wrote:

> Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is
> replaced with one 'grub-protect' command to simplify the test script.
> 
> Two more NV index test cases are also added to test key sealing and
> unsealing with the NV index handle 0x1000000.
> 
> Also, there is a minor fix to reset 'ret' to 0 when a test case fails so
> that the other test cases can continue.

I missed the original patch for this test, so this should have been
said earlier. This patch goes a long way in removing external
dependencies for this test, but it doesn't remove all of them. Please
document all debian packages needed to be installed to run this test in
the INSTALL file and note that they are needed for the tpm test (as
done for other documented packages). This should go under the section
"Prerequisites for make-check".

Thanks,
Glenn

> 
> Signed-off-by: Gary Lin <g...@suse.com>
> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
> ---
>  tests/tpm2_key_protector_test.in | 155 ++++++++++---------------------
>  1 file changed, 51 insertions(+), 104 deletions(-)
> 
> diff --git a/tests/tpm2_key_protector_test.in 
> b/tests/tpm2_key_protector_test.in
> index a92e5f498..1ba70a3d5 100644
> --- a/tests/tpm2_key_protector_test.in
> +++ b/tests/tpm2_key_protector_test.in
> @@ -225,112 +225,45 @@ EOF
>      fi
>  }
>  
> -tpm2_seal_nv () {
> -    keyfile="$1"
> -    nv_index="$2"
> -    pcr_list="$3"
> -
> -    primary_file=${tpm2testdir}/primary.ctx
> -    session_file=${tpm2testdir}/session.dat
> -    policy_file=${tpm2testdir}/policy.dat
> -    keypub_file=${tpm2testdir}/key.pub
> -    keypriv_file=${tpm2testdir}/key.priv
> -    name_file=${tpm2testdir}/sealing.name
> -    sealing_ctx_file=${tpm2testdir}/sealing.ctx
> -
> -    # Since we don't run a resource manager on our swtpm instance, it has
> -    # to flush the transient handles after tpm2_createprimary, tpm2_create
> -    # and tpm2_load to avoid the potential out-of-memory (0x902) errors.
> -    # Ref: 
> https://github.com/tpm2-software/tpm2-tools/issues/1338#issuecomment-469689398
> -
> -    # Create the primary object
> -    tpm2_createprimary -Q -C o -g sha256 -G ecc -c "${primary_file}" || 
> ret=$?
> -    if [ "${ret}" -ne 0 ]; then
> -     echo "Failed to create the primary object: ${ret}" >&2
> -     return 1
> -    fi
> -    tpm2_flushcontext -t || ret=$?
> -    if [ "${ret}" -ne 0 ]; then
> -     echo "Failed to flush the transient handles: ${ret}" >&2
> -     return 1
> -    fi
> -
> -    # Create the policy object
> -    tpm2_startauthsession -S "${session_file}" || ret=$?
> -    if [ "${ret}" -ne 0 ]; then
> -     echo "Failed to start auth session: ${ret}" >&2
> -     return 1
> -    fi
> -    tpm2_policypcr -Q -S "${session_file}" -l "${pcr_list}" -L 
> "${policy_file}" || ret=$?
> -    if [ "${ret}" -ne 0 ]; then
> -     echo "Failed to create the policy object: ${ret}" >&2
> -     return 1
> -    fi
> -    tpm2_flushcontext "${session_file}" || ret=$?
> -    if [ "${ret}" -ne 0 ]; then
> -     echo "Failed to flush the transient handles: ${ret}" >&2
> -     return 1
> -    fi
> +tpm2_seal_unseal_nv() {
> +    handle_type="$1"
> +    key_type="$2"
>  
> -    # Seal the key into TPM
> -    tpm2_create -Q \
> -     -C "${primary_file}" \
> -     -u "${keypub_file}" \
> -     -r "${keypriv_file}" \
> -     -L "${policy_file}" \
> -     -i "${keyfile}" || ret=$?
> -    if [ "${ret}" -ne 0 ]; then
> -     echo "Failed to seal \"${keyfile}\": ${ret}" >&2
> -     return 1
> -    fi
> -    tpm2_flushcontext -t || ret=$?
> -    if [ "${ret}" -ne 0 ]; then
> -     echo "Failed to flush the transient handles: ${ret}" >&2
> -     return 1
> -    fi
> +    extra_opt=""
> +    extra_grub_opt=""
>  
> -    tpm2_load -Q \
> -     -C "${primary_file}" \
> -     -u "${keypub_file}" \
> -     -r "${keypriv_file}" \
> -     -n "${name_file}" \
> -     -c "${sealing_ctx_file}" || ret=$?
> -    if [ "${ret}" -ne 0 ]; then
> -     echo "Failed to load the sealed key into TPM: ${ret}" >&2
> -     return 1
> -    fi
> -    tpm2_flushcontext -t || ret=$?
> -    if [ "${ret}" -ne 0 ]; then
> -     echo "Failed to flush the transient handles: ${ret}" >&2
> -     return 1
> +    if [ "$handle_type" == "nvindex" ]; then
> +     nv_index="0x1000000"
> +    else
> +     nv_index="0x81000000"
>      fi
>  
> -    tpm2_evictcontrol -Q -C o -c "${sealing_ctx_file}" ${nv_index} || ret=$?
> -    if [ "${ret}" -ne 0 ]; then
> -     echo "Failed to store the sealed key into ${nv_index}: ${ret}" >&2
> -     return 1
> +    if [ "$key_type" == "tpm2key" ]; then
> +     extra_opt="--tpm2key"
> +    else
> +     extra_grub_opt="--pcrs=0,1"
>      fi
>  
> -    return 0
> -}
> -
> -tpm2_seal_unseal_nv() {
> -    nv_index="0x81000000"
> -    pcr_list="sha256:0,1"
> -
>      grub_cfg=${tpm2testdir}/testcase.cfg
>  
>      # Seal the key into a NV index guarded by PCR 0 and 1
> -    tpm2_seal_nv "${lukskeyfile}" ${nv_index} ${pcr_list} || ret=$?
> +    grub-protect ${extra_opt} \
> +     --tpm2-device="${tpm2dev}" \
> +     --action=add \
> +     --protector=tpm2 \
> +     --tpm2-bank=sha256 \
> +     --tpm2-pcrs=0,1 \
> +     --tpm2-keyfile="${lukskeyfile}" \
> +     --tpm2-nvindex="${nv_index}" || ret=$?
>      if [ "${ret}" -ne 0 ]; then
> -     echo "Failed to seal the secret key into ${nv_index}" >&2
> +     echo "Failed to seal the secret key into ${nv_index}: ${ret}" >&2
>       return 99
>      fi
>  
>      # Write the TPM unsealing script
>      cat > ${grub_cfg} <<EOF
>  loopback luks (host)${luksfile}
> -tpm2_key_protector_init --mode=nv --nvindex=${nv_index} --pcrs=0,1
> +tpm2_key_protector_init --mode=nv --nvindex=${nv_index} ${extra_grub_opt}
>  if cryptomount -a --protector tpm2; then
>      cat (crypto0)+1
>  fi
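Review bot: The `==` inside single-bracket `[` on the two new conditions (`[ "$handle_type" == "nvindex" ]` and `[ "$key_type" == "tpm2key" ]`) is a bash extension, while the rest of this function uses POSIX `[ ... -ne ... ]` tests and the script's shebang is outside the hunk, so `=` is the safe spelling: `if [ "$handle_type" = "nvindex" ]; then` and `if [ "$key_type" = "tpm2key" ]; then`. Any other handle_type value silently falls through to the persistent handle 0x81000000 and any other key_type to the raw/PCR path, which is fine for the three fixed entries in the nvtests list but deserves a short comment above the first condition, e.g. `# handle_type "nvindex" selects NV index 0x1000000, anything else the persistent handle 0x81000000; key_type "tpm2key" seals in TPM 2.0 key format, anything else raw with --pcrs`. The body of tpm2_seal_unseal_nv continues past the end of this hunk.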
> @@ -340,7 +273,12 @@ EOF
>      ${grubshell} --timeout=${timeout} --emu-opts="-t ${tpm2dev}" < 
> "${grub_cfg}" > "${testoutput}" || ret=$?
>  
>      # Remove the object from the NV index
> -    tpm2_evictcontrol -Q -C o -c "${nv_index}" || :
> +    grub-protect \
> +     --tpm2-device="${tpm2dev}" \
> +     --protector=tpm2 \
> +     --action=remove \
> +     --tpm2-nvindex=${nv_index} \
> +     --tpm2-evict || :
>  
>      if [ "${ret}" -eq 0 ]; then
>       if ! grep -q "^${vtext}$" "${testoutput}"; then
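Review bot: The `|| :` on the new grub-protect `--action=remove` call silently ignores a failed removal, and because the "nvindex raw" and "nvindex tpm2key" cases both reuse 0x1000000 (and "persistent raw" reuses 0x81000000), a leftover object would surface as a confusing seal failure in the next test case rather than here. Keeping the cleanup best-effort is fine, but a diagnostic on stderr makes that failure mode visible: replace `--tpm2-evict || :` with `--tpm2-evict || echo "Warning: failed to remove the object from ${nv_index}" >&2`. `--tpm2-nvindex=${nv_index}` is also unquoted here while the add call quotes the same value; harmless for these fixed handles, but matching the add call is more consistent. The enclosing tpm2_seal_unseal_nv starts before this hunk.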
> @@ -366,24 +304,33 @@ srktests+=("ECC transient fallback_srk")
>  for i in "${!srktests[@]}"; do
>      tpm2_seal_unseal ${srktests[$i]} || ret=$?
>      if [ "${ret}" -eq 0 ]; then
> -        echo "TPM2 [${srktests[$i]}]: PASS"
> +     echo "TPM2 [SRK][${srktests[$i]}]: PASS"
>      elif [ "${ret}" -eq 1 ]; then
> -        echo "TPM2 [${srktests[$i]}]: FAIL"
> +     echo "TPM2 [SRK][${srktests[$i]}]: FAIL"
> +     ret=0
>      else
> -     echo "Unexpected failure [${srktests[$i]}]" >&2
> +     echo "Unexpected failure [SRK][${srktests[$i]}]" >&2
>       exit ${ret}
>      fi
>  done
>  
> -# Testcase for NV index mode
> -tpm2_seal_unseal_nv || ret=$?
> -if [ "${ret}" -eq 0 ]; then
> -    echo "TPM2 [NV Index]: PASS"
> -elif [ "${ret}" -eq 1 ]; then
> -    echo "TPM2 [NV Index]: FAIL"
> -else
> -    echo "Unexpected failure [NV index]" >&2
> -    exit ${ret}
> -fi
> +# Testcases for NV index mode
> +declare -a nvtests=()
> +nvtests+=("persistent raw")
> +nvtests+=("nvindex raw")
> +nvtests+=("nvindex tpm2key")
> +
> +for i in "${!nvtests[@]}"; do
> +    tpm2_seal_unseal_nv ${nvtests[$i]} || ret=$?
> +    if [ "${ret}" -eq 0 ]; then
> +     echo "TPM2 [NV Index][${nvtests[$i]}]: PASS"
> +    elif [ "${ret}" -eq 1 ]; then
> +     echo "TPM2 [NV Index][${nvtests[$i]}]: FAIL"
> +     ret=0
> +    else
> +     echo "Unexpected failure [NV index][${nvtests[$i]}]" >&2
> +     exit ${ret}
> +    fi
> +done
>  
>  exit 0
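Review bot: Resetting `ret=0` after printing FAIL (in both the srktests and nvtests loops) discards the only record that a case failed, and the script still ends with `exit 0`, so a FAIL line is the sole signal left; if the test harness decides pass/fail from the exit status, every failing case is reported as success. A flag keeps the continue-on-failure behaviour the commit wants and still fails the run: set `failed=1` next to each `ret=0` in the FAIL branches and change the final line to `exit ${failed:-0}`. If the harness only inspects the printed output this can be ignored.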
