On Sat, Mar 15, 2025 at 03:45:14AM -0500, Glenn Washburn wrote: > On Mon, 13 Jan 2025 11:07:12 +0800 > Gary Lin via Grub-devel <grub-devel@gnu.org> wrote: > > > Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is > > replaced with one 'grub-protect' command to simplify the test script. > > > > Two more NV index test cases are also added to test key sealing and > > unsealing with the NV index handle 0x1000000. > > > > Also, there is a minor fix to reset 'ret' to 0 when a test case fails so > > that the other test cases could continue. > > I missed the original patch for this test, so this should have been > said earlier. This patch goes a long way in removing external > dependencies for this test, but it doesn't remove all of them. Please > document all debian packages needed to be installed to run this test in > the INSTALL file and note that they are needed for the tpm test (as > done for other documented packages). This should go under the section > "Prerequisites for make-check". > Sure. I'll add swtpm and tpm2-tools to the INSTALL file.
Thanks, Gary Lin > Thanks, > Glenn > > > > > Signed-off-by: Gary Lin <g...@suse.com> > > Reviewed-by: Stefan Berger <stef...@linux.ibm.com> > > --- > > tests/tpm2_key_protector_test.in | 155 ++++++++++--------------------- > > 1 file changed, 51 insertions(+), 104 deletions(-) > > > > diff --git a/tests/tpm2_key_protector_test.in > > b/tests/tpm2_key_protector_test.in > > index a92e5f498..1ba70a3d5 100644 > > --- a/tests/tpm2_key_protector_test.in > > +++ b/tests/tpm2_key_protector_test.in 
> > @@ -225,112 +225,45 @@ EOF > > fi > > } > > > > -tpm2_seal_nv () { > > - keyfile="$1" > > - nv_index="$2" > > - pcr_list="$3" > > - > > - primary_file=${tpm2testdir}/primary.ctx > > - session_file=${tpm2testdir}/session.dat > > - policy_file=${tpm2testdir}/policy.dat > > - keypub_file=${tpm2testdir}/key.pub > > - keypriv_file=${tpm2testdir}/key.priv > > - name_file=${tpm2testdir}/sealing.name > > - sealing_ctx_file=${tpm2testdir}/sealing.ctx > > - > > - # Since we don't run a resource manager on our swtpm instance, it has > > - # to flush the transient handles after tpm2_createprimary, tpm2_create > > - # and tpm2_load to avoid the potential out-of-memory (0x902) errors. > > - # Ref: > > https://github.com/tpm2-software/tpm2-tools/issues/1338#issuecomment-469689398 > > - > > - # Create the primary object > > - tpm2_createprimary -Q -C o -g sha256 -G ecc -c "${primary_file}" || > > ret=$? > > - if [ "${ret}" -ne 0 ]; then > > - echo "Failed to create the primary object: ${ret}" >&2 > > - return 1 > > - fi > > - tpm2_flushcontext -t || ret=$? > > - if [ "${ret}" -ne 0 ]; then > > - echo "Failed to flush the transient handles: ${ret}" >&2 > > - return 1 > > - fi > > - > > - # Create the policy object > > - tpm2_startauthsession -S "${session_file}" || ret=$? > > - if [ "${ret}" -ne 0 ]; then > > - echo "Failed to start auth session: ${ret}" >&2 > > - return 1 > > - fi > > - tpm2_policypcr -Q -S "${session_file}" -l "${pcr_list}" -L > > "${policy_file}" || ret=$? > > - if [ "${ret}" -ne 0 ]; then > > - echo "Failed to create the policy object: ${ret}" >&2 > > - return 1 > > - fi > > - tpm2_flushcontext "${session_file}" || ret=$? 
> > - if [ "${ret}" -ne 0 ]; then > > - echo "Failed to flush the transient handles: ${ret}" >&2 > > - return 1 > > - fi > > +tpm2_seal_unseal_nv() { > > + handle_type="$1" > > + key_type="$2" > > > > - # Seal the key into TPM > > - tpm2_create -Q \ > > - -C "${primary_file}" \ > > - -u "${keypub_file}" \ > > - -r "${keypriv_file}" \ > > - -L "${policy_file}" \ > > - -i "${keyfile}" || ret=$? > > - if [ "${ret}" -ne 0 ]; then > > - echo "Failed to seal \"${keyfile}\": ${ret}" >&2 > > - return 1 > > - fi > > - tpm2_flushcontext -t || ret=$? > > - if [ "${ret}" -ne 0 ]; then > > - echo "Failed to flush the transient handles: ${ret}" >&2 > > - return 1 > > - fi > > + extra_opt="" > > + extra_grub_opt="" > > > > - tpm2_load -Q \ > > - -C "${primary_file}" \ > > - -u "${keypub_file}" \ > > - -r "${keypriv_file}" \ > > - -n "${name_file}" \ > > - -c "${sealing_ctx_file}" || ret=$? > > - if [ "${ret}" -ne 0 ]; then > > - echo "Failed to load the sealed key into TPM: ${ret}" >&2 > > - return 1 > > - fi > > - tpm2_flushcontext -t || ret=$? > > - if [ "${ret}" -ne 0 ]; then > > - echo "Failed to flush the transient handles: ${ret}" >&2 > > - return 1 > > + if [ "$handle_type" == "nvindex" ]; then > > + nv_index="0x1000000" > > + else > > + nv_index="0x81000000" > > fi > > > > - tpm2_evictcontrol -Q -C o -c "${sealing_ctx_file}" ${nv_index} || > > ret=$? > > - if [ "${ret}" -ne 0 ]; then > > - echo "Failed to store the sealed key into ${nv_index}: ${ret}" >&2 > > - return 1 > > + if [ "$key_type" == "tpm2key" ]; then > > + extra_opt="--tpm2key" > > + else > > + extra_grub_opt="--pcrs=0,1" > > fi > > > > - return 0 > > -} > > - > > -tpm2_seal_unseal_nv() { > > - nv_index="0x81000000" > > - pcr_list="sha256:0,1" > > - > > grub_cfg=${tpm2testdir}/testcase.cfg > > > > # Seal the key into a NV index guarded by PCR 0 and 1 > > - tpm2_seal_nv "${lukskeyfile}" ${nv_index} ${pcr_list} || ret=$? 
> > + grub-protect ${extra_opt} \ > > + --tpm2-device="${tpm2dev}" \ > > + --action=add \ > > + --protector=tpm2 \ > > + --tpm2-bank=sha256 \ > > + --tpm2-pcrs=0,1 \ > > + --tpm2-keyfile="${lukskeyfile}" \ > > + --tpm2-nvindex="${nv_index}" || ret=$? > > if [ "${ret}" -ne 0 ]; then > > - echo "Failed to seal the secret key into ${nv_index}" >&2 > > + echo "Failed to seal the secret key into ${nv_index}: ${ret}" >&2 > > return 99 > > fi > > > > # Write the TPM unsealing script > > cat > ${grub_cfg} <<EOF > > loopback luks (host)${luksfile} > > -tpm2_key_protector_init --mode=nv --nvindex=${nv_index} --pcrs=0,1 > > +tpm2_key_protector_init --mode=nv --nvindex=${nv_index} ${extra_grub_opt} > > if cryptomount -a --protector tpm2; then > > cat (crypto0)+1 > > fi > > @@ -340,7 +273,12 @@ EOF > > ${grubshell} --timeout=${timeout} --emu-opts="-t ${tpm2dev}" < > > "${grub_cfg}" > "${testoutput}" || ret=$? > > > > # Remove the object from the NV index > > - tpm2_evictcontrol -Q -C o -c "${nv_index}" || : > > + grub-protect \ > > + --tpm2-device="${tpm2dev}" \ > > + --protector=tpm2 \ > > + --action=remove \ > > + --tpm2-nvindex=${nv_index} \ > > + --tpm2-evict || : > > > > if [ "${ret}" -eq 0 ]; then > > if ! grep -q "^${vtext}$" "${testoutput}"; then 
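Review bot: The two string comparisons in the new tpm2_seal_unseal_nv use `==` inside single brackets (`[ "$handle_type" == "nvindex" ]`, `[ "$key_type" == "tpm2key" ]`), which is a bash extension, while the rest of this script uses POSIX `[ ... -ne 0 ]`-style tests; `[ "$handle_type" = "nvindex" ]` and `[ "$key_type" = "tpm2key" ]` keep the file consistent and portable to whatever shell the generated test runs under. Leaving `${extra_opt}` unquoted on the `grub-protect ${extra_opt} \` line is presumably deliberate (it is empty or exactly one flag), but that is worth a one-line comment such as `# extra_opt is intentionally unquoted: empty or a single option` so a later quoting pass does not break it. The function's working variables (handle_type, key_type, nv_index, extra_opt, extra_grub_opt) are assigned as globals, which matches the pre-existing style of the removed tpm2_seal_nv, so `local` is only worth adding if the shebang is known to be bash. tpm2_seal_unseal_nv's body continues past the end of this hunk.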
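Review bot: The cleanup call `grub-protect ... --tpm2-evict || :` discards the removal's exit status, so a failed eviction leaves the sealed object at ${nv_index} and the next case that reuses the same index (the two "nvindex" cases both use 0x1000000) fails at its add step with a misleading "Unexpected failure" instead of pointing at the real cause. Keeping the test result unaffected while surfacing the problem is a one-line change: `--tpm2-evict || echo "Warning: failed to remove the sealed object from ${nv_index}" >&2`. The add call in the previous hunk writes `--tpm2-nvindex="${nv_index}"` while this one writes `--tpm2-nvindex=${nv_index}`; either is safe for a hex literal, but the same form in both places reads better. The enclosing function starts outside this hunk.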
> > @@ -366,24 +304,33 @@ srktests+=("ECC transient fallback_srk") > > for i in "${!srktests[@]}"; do > > tpm2_seal_unseal ${srktests[$i]} || ret=$? > > if [ "${ret}" -eq 0 ]; then > > - echo "TPM2 [${srktests[$i]}]: PASS" > > + echo "TPM2 [SRK][${srktests[$i]}]: PASS" > > elif [ "${ret}" -eq 1 ]; then > > - echo "TPM2 [${srktests[$i]}]: FAIL" > > + echo "TPM2 [SRK][${srktests[$i]}]: FAIL" > > + ret=0 > > else > > - echo "Unexpected failure [${srktests[$i]}]" >&2 > > + echo "Unexpected failure [SRK][${srktests[$i]}]" >&2 > > exit ${ret} > > fi > > done > > > > -# Testcase for NV index mode > > -tpm2_seal_unseal_nv || ret=$? > > -if [ "${ret}" -eq 0 ]; then > > - echo "TPM2 [NV Index]: PASS" > > -elif [ "${ret}" -eq 1 ]; then > > - echo "TPM2 [NV Index]: FAIL" > > -else > > - echo "Unexpected failure [NV index]" >&2 > > - exit ${ret} > > -fi > > +# Testcases for NV index mode > > +declare -a nvtests=() > > +nvtests+=("persistent raw") > > +nvtests+=("nvindex raw") > > +nvtests+=("nvindex tpm2key") > > + > > +for i in "${!nvtests[@]}"; do > > + tpm2_seal_unseal_nv ${nvtests[$i]} || ret=$? > > + if [ "${ret}" -eq 0 ]; then > > + echo "TPM2 [NV Index][${nvtests[$i]}]: PASS" > > + elif [ "${ret}" -eq 1 ]; then > > + echo "TPM2 [NV Index][${nvtests[$i]}]: FAIL" > > + ret=0 > > + else > > + echo "Unexpected failure [NV index][${nvtests[$i]}]" >&2 > > + exit ${ret} > > + fi > > +done > > > > exit 0 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
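Review bot: The new nvtests loop duplicates the srktests loop above it line for line apart from the label and the function called; iterating the values directly (`for t in "${nvtests[@]}"; do` with `tpm2_seal_unseal_nv ${t} || ret=$?`) avoids the `${!nvtests[@]}` index indirection, and if a third table is ever added the PASS/FAIL/exit reporting is worth moving into a small helper that takes the label and the status. The unquoted `${nvtests[$i]}` is relied on to split each entry into the two positional arguments of tpm2_seal_unseal_nv, which deserves a comment like `# word-splitting intended: entry is "<handle_type> <key_type>"` so it is not "fixed" later. The `ret=0` reset in the FAIL branch is the fix the commit message describes and is applied to both loops, which is what lets the remaining cases run after a failure.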