[PATCH v1] selftest/trustedkeys: TPM 1.2 trusted keys test

From: Mimi Zohar
Date: Thu Oct 24 2019 - 15:14:46 EST


Create, save and load trusted keys test

Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

Change log v1:
- Replace the directions for using Trousers to take ownership of the TPM
with directions for using the IBM TSS.
- Differentiate between different types of errors. Recent bug is causing
"add_key: Timer expired".
---
tools/testing/selftests/tpm2/Makefile | 2 +-
tools/testing/selftests/tpm2/test_trustedkeys.sh | 109 +++++++++++++++++++++++
2 files changed, 110 insertions(+), 1 deletion(-)
create mode 100755 tools/testing/selftests/tpm2/test_trustedkeys.sh

diff --git a/tools/testing/selftests/tpm2/Makefile b/tools/testing/selftests/tpm2/Makefile
index 1a5db1eb8ed5..055bf62510b5 100644
--- a/tools/testing/selftests/tpm2/Makefile
+++ b/tools/testing/selftests/tpm2/Makefile
@@ -1,5 +1,5 @@
# SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
include ../lib.mk

-TEST_PROGS := test_smoke.sh test_space.sh
+TEST_PROGS := test_smoke.sh test_space.sh test_trustedkey.sh
TEST_PROGS_EXTENDED := tpm2.py tpm2_tests.py
diff --git a/tools/testing/selftests/tpm2/test_trustedkeys.sh b/tools/testing/selftests/tpm2/test_trustedkeys.sh
new file mode 100755
index 000000000000..dc7df7467670
--- /dev/null
+++ b/tools/testing/selftests/tpm2/test_trustedkeys.sh
@@ -0,0 +1,109 @@
+#!/bin/sh
+
+VERBOSE="${VERBOSE:-1}"
+TRUSTEDKEY1="$(mktemp -u XXXX).blob"
+TRUSTEDKEY2="$(mktemp -u XXXX).blob"
+ERRMSG="$(mktemp -u XXXX)"
+trap "echo PRETRAP" SIGINT SIGTERM SIGTSTP
+trap "{ rm -f $TRUSTEDKEY1 $TRUSTEDKEY2 $ERRMSG; }" EXIT
+
+log_info()
+{
+ [ $VERBOSE -ne 0 ] && echo "[INFO] $1"
+}
+
+# The ksefltest framework requirement returns 0 for PASS.
+log_pass()
+{
+ [ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
+ exit 0
+}
+
+# The ksefltest framework requirement returns 1 for FAIL.
+log_fail()
+{
+ [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
+ exit 1
+}
+
+# The ksefltest framework requirement returns 4 for SKIP.
+log_skip()
+{
+ [ $VERBOSE -ne 0 ] && echo "$1"
+ exit 4
+}
+
+is_tpm1()
+{
+ local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
+ if [ ! -f "$pcrs_path" ]; then
+ pcrs_path="/sys/class/misc/tpm0/device/pcrs"
+ fi
+
+ if [ ! -f "$pcrs_path" ]; then
+ log_skip "TPM 1.2 chip not found"
+ fi
+}
+
+takeownership_info()
+{
+ log_info "creating trusted key failed, probably requires taking TPM ownership:"
+ which tss1oiap > /dev/null 2>&1 || \
+ log_info " tss1oiap not found, install IBM TSS"
+
+ log_info " export TPM_DEVICE=/dev/tpm0"
+ log_info " export TPM_ENCRYPT_SESSIONS=0"
+
+ log_info " OIAP=\$(tss1oiap | cut -d' ' -f 2)"
+ log_info " tss1takeownership -se0 \$OIAP 0"
+ log_fail "creating trusted key"
+}
+
+test_trustedkey()
+{
+ #local keyid="$(keyctl add trusted kmk-test "new 64" @u)" &> $ERRMSG
+ local keyid="$(keyctl add trusted kmk-test "new 64" @u 2> $ERRMSG)"
+
+ grep -E -q "add_key: Operation not permitted" $ERRMSG
+ if [ $? -eq 0 ]; then
+ takeownership_info
+ fi
+
+ grep -E -q "add_key: " $ERRMSG
+ if [ $? -eq 0 ]; then
+ log_info "`cat ${ERRMSG}`"
+ log_fail "creating trusted key"
+ fi
+
+ if [ -z "$keyid" ]; then
+ log_fail "creating trusted key failed"
+ fi
+ log_info "creating trusted key succeeded"
+
+ # save newly created trusted key and remove from keyring
+ keyctl pipe "$keyid" > "$TRUSTEDKEY1"
+ keyctl unlink "$keyid" &> /dev/null
+
+ keyid=$(keyctl add trusted kmk-test "load `cat $TRUSTEDKEY1`" @u)
+ if [ $? -eq 0 ]; then
+ log_info "loading trusted key succeeded"
+ else
+ log_fail "loading trusted key failed"
+ fi
+
+ # save loaded trusted key and remove from keyring again
+ keyctl pipe "$keyid" > "$TRUSTEDKEY2"
+ keyctl unlink "$keyid" &> /dev/null
+
+ # compare trusted keys
+ diff "$TRUSTEDKEY1" "$TRUSTEDKEY2" &> /dev/null
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ log_pass "trusted key test succeeded"
+ else
+ log_fail "trusted key test failed"
+ fi
+}
+
+is_tpm1
+test_trustedkey
--
2.7.5