> On 8 Jul 2025, at 2:01 PM, Gary Lin via Grub-devel <grub-devel@gnu.org> wrote:
> 
> A test is introduced to cap PCR 1 and track the PCR 1 value before and
> after key unsealing.
> 
> Signed-off-by: Gary Lin <g...@suse.com>
> ---

Reviewed-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>


> tests/tpm2_key_protector_test.in | 65 ++++++++++++++++++++++++++++++++
> 1 file changed, 65 insertions(+)
> 
> diff --git a/tests/tpm2_key_protector_test.in 
> b/tests/tpm2_key_protector_test.in
> index 1d80d5d26..5dd86d6ee 100644
> --- a/tests/tpm2_key_protector_test.in
> +++ b/tests/tpm2_key_protector_test.in
> @@ -304,6 +304,58 @@ EOF
>     fi
> }
> 
> +tpm2_seal_unseal_cap() {
> +    pcr_bank="sha256"
> +
> +    original_pcr1="$(tpm2_pcrread ${pcr_bank}:1) | tail -1 | cut -d' ' -f7"
> +
> +    grub_cfg=${tpm2testdir}/testcase.cfg
> +
> +    # Seal the password with grub-protect
> +    grub-protect \
> +     --tpm2-device="${tpm2dev}" \
> +     --action=add \
> +     --protector=tpm2 \
> +     --tpm2key \
> +     --tpm2-bank="${pcr_bank}" \
> +     --tpm2-pcrs=0,1 \
> +     --tpm2-keyfile="${lukskeyfile}" \
> +     --tpm2-outfile="${sealedkey}" || ret=$?
> +    if [ "${ret}" -ne 0 ]; then
> +     echo "Failed to seal the secret key: ${ret}" >&2
> +     return 99
> +    fi
> +
> +    # Write the TPM unsealing script and cap PCR 1
> +    cat > "${grub_cfg}" <<EOF
> +loopback luks (host)${luksfile}
> +tpm2_key_protector_init -T (host)${sealedkey} -c 1
> +if cryptomount -a --protector tpm2; then
> +    cat (crypto0)+1
> +fi
> +EOF
> +
> +    # Test TPM unsealing with the same PCR
> +    ${grubshell} --timeout=${timeout} --emu-opts="-t ${tpm2dev}" < 
> "${grub_cfg}" > "${testoutput}" || ret=$?
> +
> +    if [ "${ret}" -eq 0 ]; then
> +     if ! grep -q "^${vtext}$" "${testoutput}"; then
> +         echo "error: test not verified [`cat ${testoutput}`]" >&2
> +         return 1
> +     fi
> +    else
> +     echo "grub-emu exited with error: ${ret}" >&2
> +     return 99
> +    fi
> +
> +    capped_pcr1="$(tpm2_pcrread ${pcr_bank}:1) | tail -1 | cut -d' ' -f7"
> +
> +    if [ "${original_pcr1}" = "${capped_pcr1}" ]; then
> +     echo "error: PCR 1 not capped" >&2
> +     return 1
> +    fi
> +}
> +
> # Testcases for SRK mode
> declare -a srktests=()
> srktests+=("default transient no_fallback_srk sha256")
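Review bot: The command substitution on the `original_pcr1` line closes right after `tpm2_pcrread ${pcr_bank}:1`, so `| tail -1 | cut -d' ' -f7` ends up as literal text inside the quoted string instead of a pipeline, and the `capped_pcr1` line has the same misplaced parenthesis. The final equality check still changes when PCR 1 changes only because both values carry the full tpm2_pcrread output plus the same suffix, which is accidental and defeats the intent of selecting the digest field. Move the closing parenthesis to the end on both lines: `original_pcr1="$(tpm2_pcrread "${pcr_bank}:1" | tail -1 | cut -d' ' -f7)"` and `capped_pcr1="$(tpm2_pcrread "${pcr_bank}:1" | tail -1 | cut -d' ' -f7)"`. Separately, `ret` is never reset inside the function before the `|| ret=$?` checks, so a non-zero value inherited from the caller would be reported as a seal failure; a `ret=0` at the top of the function makes it self-contained, and the caller in the second hunk (`tpm2_seal_unseal_cap || ret=$?`) has the same dependence on the preceding loop leaving `ret` at 0, whose body is outside the hunk.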
> @@ -357,4 +409,17 @@ for i in "${!nvtests[@]}"; do
>     fi
> done
> 
> +# Testcase for PCR Capping
> +tpm2_seal_unseal_cap || ret=$?
> +if [ "${ret}" -eq 0 ]; then
> +    echo "TPM2 [PCR Capping]: PASS"
> +elif [ "${ret}" -eq 1 ]; then
> +    echo "TPM2 [PCR Capping]: FAIL"
> +    ret=0
> +    exit_status=1
> +else
> +    echo "Unexpected failure [PCR Capping]" >&2
> +    exit ${ret}
> +fi
> +
> exit ${exit_status}
> -- 
> 2.43.0
> 
> 

