123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177 |
- #!/bin/bash -x
- # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
- #
- # Copyright (c) 2019 Red Hat, Inc.
- # Author: Sergio Correia <scorreia@redhat.com>
- #
- # This program is free software: you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation, either version 3 of the License, or
- # (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program. If not, see <http://www.gnu.org/licenses/>.
- #
- TEST=$(basename "${0}")
- # Code to return to mark test as skipped.
- SKIP_RET_CODE=77
- tpm2_available() {
- # Old environment variables for tpm2-tools 3.0
- export TPM2TOOLS_TCTI_NAME=device
- export TPM2TOOLS_DEVICE_FILE=
- for dev in /dev/tpmrm?; do
- [ -e "${dev}" ] || continue
- TPM2TOOLS_DEVICE_FILE="${dev}"
- break
- done
- # New environment variable for tpm2-tools >= 3.1
- export TPM2TOOLS_TCTI="${TPM2TOOLS_TCTI_NAME}:${TPM2TOOLS_DEVICE_FILE}"
- if [ -z "${TPM2TOOLS_DEVICE_FILE}" ]; then
- echo "A TPM2 device with the in-kernel resource manager is needed!" >&2
- return 1
- fi
- if ! [[ -r "${TPM2TOOLS_DEVICE_FILE}" \
- && -w "${TPM2TOOLS_DEVICE_FILE}" ]]; then
- echo "The ${TPM2TOOLS_DEVICE_FILE} device must be readable and writable!" >&2
- return 1
- fi
- }
- # Checking if we can run this test.
- if ! tpm2_available; then
- exit ${SKIP_RET_CODE}
- fi
- decode_jwe() {
- local jwe="${1}"
- local coded
- if ! coded=$(jose jwe fmt -i- <<< "${jwe}"); then
- return 1
- fi
- coded=$(jose fmt -j- -g protected -u- <<< "${coded}" | tr -d '"')
- jose b64 dec -i- <<< "${coded}"
- }
- test_pcr_ids() {
- local orig="${1}"
- local cfg="${2}"
- local expected_pcr_ids="${3}"
- local enc
- if ! enc=$(echo "${orig}" | clevis encrypt tpm2 "${cfg}"); then
- echo "${TEST}: encrypt failed for cfg: ${cfg}" >&1
- return 1
- fi
- local pcr_ids
- pcr_ids=$(decode_jwe "${enc}" \
- | jose fmt -j- -Og clevis -Og tpm2 -Og pcr_ids -u- 2>/dev/null)
- local dec
- dec=$(echo "${enc}" | clevis decrypt)
- if [ "${orig}" != "${dec}" ]; then
- echo "${TEST}: decoded text (${dec}) does not match original one (${orig})" >&2
- return 1
- fi
- if [ "${pcr_ids}" != "${expected_pcr_ids}" ]; then
- echo "${TEST}: pcr_ids (${pcr_ids}) do not match the expected (${expected_pcr_ids}) result." >&2
- return 1
- fi
- }
- test_enc_dec() {
- local cfg="${1}"
- output=$(echo Working | clevis encrypt tpm2 "${cfg}" | clevis decrypt)
- if [ "$output" != "Working" ]; then
- echo "Output after decrypting doesn't match: ${output} != 'Working'"
- return 1
- fi
- }
- test_enc_dec '{}' || exit 1
- test_pcr_ids "${orig}" '{}' "" || exit 1
- test_pcr_ids "${orig}" '{ }' "" || exit 1
- test_pcr_ids "${orig}" '{"key": "ecc"}' "" || exit 1
- # Issue #103: now let's try a few different configs with both strings and
- # arrays and check if we get the expected pcr_ids.
- test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1
- test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1
- test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1
- test_pcr_ids "${orig}" '{"pcr_ids": "4,16"}' "4,16" || exit 1
- test_pcr_ids "${orig}" '{"pcr_ids": ["4,16"]}' "4,16" || exit 1
- test_pcr_ids "${orig}" '{"pcr_ids": [4,16]}' "4,16" || exit 1
- test_pcr_ids "${orig}" '{"pcr_ids": [4, 16]}' "4,16" || exit 1
- test_pcr_ids "${orig}" '{"pcr_ids": ["4","16"]}' "4,16" || exit 1
- ! test_pcr_ids "${orig}" '{"pcr_ids": ["4","16"]}' "foo bar" || exit 1
- # Test with policies if we have the PIN rewrite available
- if ! $(which clevis-pin-tpm2 >/dev/null 2>&1);
- then
- echo "No PIN rewrite available"
- exit 0
- fi
- if ! $(which clevis-pin-tpm2-signtool >/dev/null 2>&1);
- then
- echo "No policy signtool available"
- exit 0
- fi
- function on_exit() {
- popd
- if [ ! -d "$TMP" ] || ! rm -rf "$TMP"; then
- echo "Delete temporary files failed!" >&2
- echo "You need to clean up: $TMP" >&2
- exit 1
- fi
- }
- if ! TMP="$(mktemp -d)"; then
- echo "Creating a temporary dir for TPM files failed!" >&2
- exit 1
- fi
- trap 'on_exit' EXIT
- pushd $TMP
- clevis-pin-tpm2-signtool >policy_working.json << EOP
- ---
- - policy_ref:
- steps:
- - PCRs:
- hash_algorithm: sha256
- selection:
- - pcr_id: 21
- value: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- - pcr_id: 22
- value: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- EOP
- clevis-pin-tpm2-signtool >policy_broken.json << EOP
- ---
- - policy_ref:
- steps:
- - PCRs:
- hash_algorithm: sha256
- selection:
- - pcr_id: 21
- value: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE"
- - pcr_id: 22
- value: "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
- EOP
- test_enc_dec '{"policy_pubkey_path":"./publickey.json", "policy_ref": "", "policy_path": "./policy_working.json"}' || exit 1
- ! test_enc_dec '{"policy_pubkey_path":"./publickey.json", "policy_ref": "", "policy_path": "./policy_broken.json"}' || exit 1
|