
[PATCH 2/2] check_enhanced_auth.sh: add loop over name algorithm type

James Bottomley
 

This test checks for two things, firstly that we get the policy right
with different name algorithms and secondly that we actually get the
name algorithm correctly specified. This all works because with
policyPCR the hash of the expected policy registers has to be done
with the name algorithm hash, so we'll get a mismatch here if either
the name algorithm is wrong or the policy parsing fails.

Signed-off-by: James Bottomley <James.Bottomley@...>
---
tests/check_enhanced_auth.sh | 154 +++++++++++++++++---------------
tests/policies/policy_authvalue_pcr.txt | 2 -
tests/policies/policy_pcr_authvalue.txt | 2 -
3 files changed, 83 insertions(+), 75 deletions(-)
delete mode 100644 tests/policies/policy_authvalue_pcr.txt
delete mode 100644 tests/policies/policy_pcr_authvalue.txt

diff --git a/tests/check_enhanced_auth.sh b/tests/check_enhanced_auth.sh
index 7006387..8c25ed3 100755
--- a/tests/check_enhanced_auth.sh
+++ b/tests/check_enhanced_auth.sh
@@ -2,10 +2,12 @@

bindir=${srcdir}/..

-tss_pcrreset_cmd=/usr/bin/tsspcrreset
-tss_pcrextend_cmd=/usr/bin/tsspcrextend
+tss_pcrreset_cmd=tsspcrreset
+tss_pcrextend_cmd=tsspcrextend

-if [ ! -e ${tss_pcrreset_cmd} ] || [ ! -e ${tss_pcrextend_cmd} ]; then
+if which ${tss_pcrreset_cmd} && which ${tss_pcrextend_cmd}; then
+ :
+else
echo "TSS utils not found, please specify the correct path."
exit 1
fi
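Review bot: The new `which` test prints the resolved path of each tool to stdout whenever it succeeds, so every test run now emits two stray lines, and `which` is not POSIX; `command -v` is the portable builtin and its output should be discarded. The `:`/`else` construction can go with it: `if ! command -v "${tss_pcrreset_cmd}" >/dev/null 2>&1 || ! command -v "${tss_pcrextend_cmd}" >/dev/null 2>&1; then`. The unchanged message on the next line, "please specify the correct path", no longer matches the behaviour, since the commands are now looked up in PATH rather than at a fixed path; something like `echo "TSS utils not found in PATH."` would be accurate.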
@@ -20,75 +22,85 @@ a=0; while [ $a -lt 5 ]; do
echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key.tpm -out tmp.msg && exit 1
done

-##
-# test is
-# 1. create TPM internal private key with PolicyAuthValue authorization
-# 2. get the corresponding public key from the engine
-# 3. encode a message using the TPM key
-# 4. verify the message through the public key
-${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_authvalue.txt && \
-openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
-openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+for h in "sha1" "" "sha384"; do
+ echo "Testing Name Parameter: ${h}"
+ if [ -n "${h}" ]; then
+ n="-n ${h}"
+ else
+ n=""
+ fi
+ ##
+ # test is
+ # 1. create TPM internal private key with PolicyAuthValue authorization
+ # 2. get the corresponding public key from the engine
+ # 3. encode a message using the TPM key
+ # 4. verify the message through the public key
+ ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policies/policy_authvalue.txt && \
+ openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1

-##
-# test is
-# 1. reset PCR 16
-# 2. extend PCR 16 with 'aaa'
-# 3. create TPM internal private key with PolicyPCR authorization (PCR 16 extended with 'aaa')
-# 4. get the corresponding public key from the engine
-# 5. encode a message using the TPM key
-# 6. verify the message through the public key
-${tss_pcrreset_cmd} -ha 16
-${tss_pcrextend_cmd} -ha 16 -ic aaa
-${bindir}/create_tpm2_key key2.tpm -c policies/policy_pcr.txt && \
-openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
-openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+ ##
+ # test is
+ # 1. reset PCR 16
+ # 2. extend PCR 16 with 'aaa'
+ # 3. create TPM internal private key with PolicyPCR authorization (PCR 16 extended with 'aaa')
+ # 4. get the corresponding public key from the engine
+ # 5. encode a message using the TPM key
+ # 6. verify the message through the public key
+ ${tss_pcrreset_cmd} -ha 16
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ ${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt && \
+ openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1

-##
-# test is
-# 1. reset PCR 16
-# 2. create TPM internal private key with PolicyPCR authorization (should fail because PCR 16 does not have the correct value)
-# 3. get the corresponding public key from the engine
-# 4. encode a message using the TPM key
-# 5. verify the message through the public key
-${tss_pcrreset_cmd} -ha 16
-${bindir}/create_tpm2_key key2.tpm -c policies/policy_pcr.txt
-openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
-openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
-if [ $? -ne 1 ]; then
- echo "TPM key should not be accessible"
- exit 1
-fi
+ ##
+ # test is
+ # 1. reset PCR 16
+ # 2. create TPM internal private key with PolicyPCR authorization (should fail because PCR 16 does not have the correct value)
+ # 3. get the corresponding public key from the engine
+ # 4. encode a message using the TPM key
+ # 5. verify the message through the public key
+ ${tss_pcrreset_cmd} -ha 16
+ ${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt
+ openssl rsa -engine tpm2 -inform engine -in key2.tpm -pubout -out key2.pub && \
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
+ if [ $? -ne 1 ]; then
+ echo "TPM key should not be accessible"
+ exit 1
+ fi

-##
-# test is
-# 1. reset PCR 16
-# 2. extend PCR 16 with 'aaa'
-# 3. create TPM internal private key with PolicyAuthValue + PolicyPCR authorization
-# 4. get the corresponding public key from the engine
-# 5. encode a message using the TPM key
-# 6. verify the message through the public key
-${tss_pcrreset_cmd} -ha 16
-${tss_pcrextend_cmd} -ha 16 -ic aaa
-${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_authvalue_pcr.txt && \
-openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
-openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+ ##
+ # test is
+ # 1. reset PCR 16
+ # 2. extend PCR 16 with 'aaa'
+ # 3. create TPM internal private key with PolicyAuthValue + PolicyPCR authorization
+ # 4. get the corresponding public key from the engine
+ # 5. encode a message using the TPM key
+ # 6. verify the message through the public key
+ cat policies/policy_authvalue.txt policies/policy_pcr${h}.txt > policy_authvalue_pcr.txt
+ ${tss_pcrreset_cmd} -ha 16
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_authvalue_pcr.txt && \
+ openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1

-##
-# test is
-# 1. reset PCR 16
-# 2. extend PCR 16 with 'aaa'
-# 3. create TPM internal private key with PolicyPCR + PolicyAuthValue authorization
-# 4. get the corresponding public key from the engine
-# 5. encode a message using the TPM key
-# 6. verify the message through the public key
-${tss_pcrreset_cmd} -ha 16
-${tss_pcrextend_cmd} -ha 16 -ic aaa
-${bindir}/create_tpm2_key -a -k passw0rd key2.tpm -c policies/policy_pcr_authvalue.txt && \
-openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
-echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
-openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin
+ ##
+ # test is
+ # 1. reset PCR 16
+ # 2. extend PCR 16 with 'aaa'
+ # 3. create TPM internal private key with PolicyPCR + PolicyAuthValue authorization
+ # 4. get the corresponding public key from the engine
+ # 5. encode a message using the TPM key
+ # 6. verify the message through the public key
+ cat policies/policy_pcr${h}.txt policies/policy_authvalue.txt > policy_pcr_authvalue.txt
+ ${tss_pcrreset_cmd} -ha 16
+ ${tss_pcrextend_cmd} -ha 16 -ic aaa
+ ${bindir}/create_tpm2_key ${n} -a -k passw0rd key2.tpm -c policy_pcr_authvalue.txt && \
+ openssl rsa -engine tpm2 -inform engine -passin pass:passw0rd -in key2.tpm -pubout -out key2.pub && \
+ echo "This is a message" | openssl rsautl -sign -engine tpm2 -engine tpm2 -keyform engine -inkey key2.tpm -passin pass:passw0rd -out tmp.msg && \
+ openssl rsautl -verify -in tmp.msg -inkey key2.pub -pubin || exit 1
+done
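Review bot: In the negative test, the `create_tpm2_key` call that follows the lone `${tss_pcrreset_cmd} -ha 16` is unchecked, so if key creation fails for one of the name algorithms the sign/verify chain runs against the key2.tpm left over from the preceding positive test, which is bound to the extended PCR value and is rejected just the same, and the "should not be accessible" check passes vacuously; since the point of the commit is to catch a wrong name algorithm, that line should be `${bindir}/create_tpm2_key ${n} key2.tpm -c policies/policy_pcr${h}.txt || exit 1`, or be preceded by `rm -f key2.tpm`. The loop also depends on `policies/policy_pcrsha1.txt` and `policies/policy_pcrsha384.txt`, which this diff does not add; presumably they arrive with patch 1/2, but that is worth confirming. `n="-n ${h}"` expanded unquoted relies on word splitting, which works for these fixed values but deserves a one-line comment such as `# deliberately unquoted below: empty for the default name algorithm` so a later quoting cleanup does not break it. The generated policy_authvalue_pcr.txt and policy_pcr_authvalue.txt are written into the working directory and never removed.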
diff --git a/tests/policies/policy_authvalue_pcr.txt b/tests/policies/policy_authvalue_pcr.txt
deleted file mode 100644
index c5760d7..0000000
--- a/tests/policies/policy_authvalue_pcr.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-0000016b
-0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
diff --git a/tests/policies/policy_pcr_authvalue.txt b/tests/policies/policy_pcr_authvalue.txt
deleted file mode 100644
index cb29f1e..0000000
--- a/tests/policies/policy_pcr_authvalue.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
-0000016b
--
2.16.4