rpms
/
systemd
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '62747260fa'
${ noResults }
systemd/SOURCES/0579-tpm2-update-TEST-70-TP...

65 lines
3.3 KiB
Raw Normal View History Unescape

import systemd-252-32.el9_4
6 months ago
From 256cdef442be3b5d1faffaccd7ed7684b68109e0 Mon Sep 17 00:00:00 2001
From: Dan Streetman <ddstreet@ieee.org>
Date: Thu, 13 Jul 2023 16:02:37 -0400
Subject: [PATCH] tpm2: update TEST-70-TPM2 to test passing PCR value to
systemd-cryptenroll
Add tests to use expected, not current, PCR values during sealing.
(cherry picked from commit e85ddd96446abec938ef75d4e3c256b170920575)
Related: RHEL-16182
---
test/units/testsuite-70.sh | 38 +++++++++++++++++++++++++++++++++++++-
1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
index 5d4b155286..91f31cd169 100755
--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -56,7 +56,43 @@ env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 $
# Check with wrong PCR 0
tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000
-/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && exit 1
+(! /usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1)
+
+if tpm_has_pcr sha256 12; then
+ # Enroll using an explict PCR value (that does match current PCR value)
+ systemd-cryptenroll --wipe-slot=tpm2 "$img"
+ EXPECTED_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12)
+ PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="12:sha256=$EXPECTED_PCR_VALUE" "$img"
+ /usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1
+ /usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+ # Same as above plus more PCRs without the value or alg specified
+ systemd-cryptenroll --wipe-slot=tpm2 "$img"
+ EXPECTED_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12)
+ PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="1,12:sha256=$EXPECTED_PCR_VALUE,3" "$img"
+ /usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1
+ /usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+ # Same as above plus more PCRs with hash alg specified but hash value not specified
+ systemd-cryptenroll --wipe-slot=tpm2 "$img"
+ EXPECTED_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12)
+ PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="1:sha256,12:sha256=$EXPECTED_PCR_VALUE,3" "$img"
+ /usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1
+ /usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+ # Now the interesting part, enrolling using a hash value that doesn't match the current PCR value
+ systemd-cryptenroll --wipe-slot=tpm2 "$img"
+ tpm2_pcrread -Q -o /tmp/pcr.dat sha256:12
+ CURRENT_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12)
+ EXPECTED_PCR_VALUE=$(cat /tmp/pcr.dat /tmp/pcr.dat | openssl dgst -sha256 -r | cut -d ' ' -f 1)
+ PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="12:sha256=$EXPECTED_PCR_VALUE" "$img"
+ (! /usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1)
+ tpm2_pcrextend "12:sha256=$CURRENT_PCR_VALUE"
+ /usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1
+ /usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+ rm -f /tmp/pcr.dat
+fi
rm $img