#!/bin/sh
# Copyright (C) 2018 IBM Corporation
#
# Author: Stefan Berger
#
# This file is part of GnuTLS.
#
# GnuTLS is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GnuTLS is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
srcdir="${srcdir:-.}"
CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}"
TPMTOOL="${TPMTOOL:-../src/tpmtool${EXEEXT}}"
if [ "$(id -u)" -ne 0 ]; then
echo "Need to be root to run this test."
exit 77
fi
if [ -z "$(which swtpm 2>/dev/null)" ]; then
echo "Need swtpm package to run this test."
exit 77
fi
if [ -z "$(which tcsd 2>/dev/null)" ]; then
echo "Need tcsd (TrouSerS) package to run this test."
exit 77
fi
if [ -z "$(which tpm_createek 2>/dev/null)" ]; then
echo "Need tpm_createek from tpm-tools package to run this test."
exit 77
fi
if [ -z "$(which ncat 2>/dev/null)" ]; then
echo "Need ncat from nmap-ncat package to run this test."
exit 77
fi
if [ -z "$(which expect 2>/dev/null)" ]; then
echo "Need expect from expect package to run this test."
exit 77
fi
$TPMTOOL --help >/dev/null
if [ $? -ne 0 ]; then
echo "tpmtool cannot show help screen (TPMTOOL=$TPMTOOL)."
exit 77
fi
$CERTTOOL --help >/dev/null
if [ $? -ne 0 ]; then
echo "certtool cannot show help screen (CERTTOOL=$CERTTOOL)."
exit 77
fi
. "${srcdir}/scripts/common.sh"
workdir=$(mktemp -d)
SWTPM_SERVER_PORT=12345
SWTPM_CTRL_PORT=$((SWTPM_SERVER_PORT + 1))
SWTPM_PIDFILE=${workdir}/swtpm.pid
TCSD_LISTEN_PORT=12347
export TSS_TCSD_PORT=$TCSD_LISTEN_PORT
cleanup()
{
stop_tcsd
if [ -n "$workdir" ]; then
rm -rf $workdir
fi
}
start_swtpm()
{
local workdir="$1"
local res
swtpm socket \
--flags not-need-init \
--pid file=$SWTPM_PIDFILE \
--tpmstate dir=$workdir \
--server type=tcp,port=$SWTPM_SERVER_PORT,disconnect \
--ctrl type=tcp,port=$SWTPM_CTRL_PORT &
if wait_for_file $SWTPM_PIDFILE 3; then
echo "Starting the swtpm failed"
return 1
fi
SWTPM_PID=$(cat $SWTPM_PIDFILE)
kill -0 ${SWTPM_PID}
if [ $? -ne 0 ]; then
echo "swtpm must have terminated"
return 1
fi
# Send TPM_Startup to TPM
res="$(/bin/echo -en '\x00\xC1\x00\x00\x00\x0C\x00\x00\x00\x99\x00\x01' |
ncat localhost ${SWTPM_SERVER_PORT} | od -tx1 -An)"
exp=' 00 c4 00 00 00 0a 00 00 00 00'
if [ "$res" != "$exp" ]; then
echo "Did not get expected response from TPM_Startup(ST_CLEAR)"
echo "expected: $exp"
echo "received: $res"
return 1
fi
return 0
}
stop_swtpm()
{
if [ -n "$SWTPM_PID" ]; then
terminate_proc $SWTPM_PID
unset SWTPM_PID
fi
}
start_tcsd()
{
local workdir="$1"
local tcsd_conf=$workdir/tcsd.conf
local tcsd_system_ps_file=$workdir/system_ps_file
local tcsd_pidfile=$workdir/tcsd.pid
start_swtpm "$workdir"
[ $? -ne 0 ] && return 1
cat <<_EOF_ > $tcsd_conf
port = $TCSD_LISTEN_PORT
system_ps_file = $tcsd_system_ps_file
_EOF_
chown tss:tss $tcsd_conf
chmod 0600 $tcsd_conf
bash -c "TCSD_USE_TCP_DEVICE=1 TCSD_TCP_DEVICE_PORT=$SWTPM_SERVER_PORT tcsd -c $tcsd_conf -e -f &>/dev/null & echo \$! > $tcsd_pidfile; wait" &
BASH_PID=$!
if wait_for_file $tcsd_pidfile 3; then
echo "Could not get TCSD's PID file"
return 1
fi
TCSD_PID=$(cat $tcsd_pidfile)
return 0
}
stop_tcsd()
{
if [ -n "$TCSD_PID" ]; then
terminate_proc $TCSD_PID
unset TCSD_PID
fi
stop_swtpm
}
run_tpm_takeownership()
{
local owner_password="$1"
local srk_password="$2"
local prg out rc
local parm_z=""
if [ -z "$srk_password" ]; then
parm_z="--srk-well-known"
fi
prg="set parm_z \"$parm_z\"
spawn tpm_takeownership \$parm_z
expect {
\"Enter owner password:\"
{ send \"$owner_password\n\" }
}
expect {
\"Confirm password:\"
{ send \"$owner_password\n\" }
}
if { \$parm_z == \"\" } {
expect {
\"Enter SRK password:\"
{ send \"$srk_password\n\" }
}
expect {
\"Confirm password:\"
{ send \"$srk_password\n\" }
}
}
expect {
eof
}
catch wait result
exit [lindex \$result 3]
"
out=$(expect -c "$prg")
rc=$?
echo "$out"
return $rc
}
setup_tcsd()
{
local workdir="$1"
local owner_password="$2"
local srk_password="$3"
local msg
start_tcsd "$workdir"
[ $? -ne 0 ] && return 1
tpm_createek
[ $? -ne 0 ] && {
echo "Could not create EK"
return 1
}
msg="$(run_tpm_takeownership "$owner_password" "$srk_password")"
[ $? -ne 0 ] && {
echo "Could not take ownership of TPM"
echo "$msg"
return 1
}
return 0
}
run_tpmtool()
{
local srk_password="$1"
local key_password="$2"
shift 2
local prg out rc
prg="spawn $TPMTOOL $@
expect {
\"Enter SRK password:\" {
send \"$srk_password\n\"
exp_continue
}
\"Enter key password:\" {
send \"$key_password\n\"
exp_continue
}
\"tpmkey:\" {
exp_continue
}
eof
}
catch wait result
exit [lindex \$result 3]
"
out=$(expect -c "$prg")
rc=$?
echo "$out"
return $rc
}
tpmtool_test()
{
local workdir="$1"
local owner_password="$2"
local srk_password="$3"
local key_password="$4"
local register=$5 # whether to --register the key
local params msg tpmkeyurl
local tpmpubkey=${workdir}/tpmpubkey.pem
local tpmca=${workdir}/tpmca.pem
local template=${workdir}/template
local tpmkey=${workdir}/tpmkey.pem # if --register is not used
setup_tcsd "$workdir" "$owner_password" "$srk_password"
[ $? -ne 0 ] && return 1
if [ -z "$srk_password" ]; then
params="--srk-well-known"
unset GNUTLS_PIN
else
export GNUTLS_PIN="$srk_password"
fi
if [ $register -ne 0 ]; then
# --register key
msg="$(run_tpmtool "$srk_password" "$key_password" \
$params --register --generate-rsa --signing)"
[ $? -ne 0 ] && {
echo "Could not create TPM signing key"
echo "$msg"
return 1
}
tpmkeyurl=$(echo "$msg" | sed -n 's/\(tpmkey:uuid=[^;]*\);.*/\1/p')
[ -z "$tpmkeyurl" ] && {
echo "Could not get TPM key URL"
return 1
}
else
msg="$(run_tpmtool "$srk_password" "$key_password" \
$params --generate-rsa --signing --outfile ${tpmkey})"
[ $? -ne 0 ] && {
echo "Could not create TPM signing key"
echo "$msg"
return 1
}
tpmkeyurl="tpmkey:file=${tpmkey}"
fi
if [ $register -ne 0 ]; then
msg=$(run_tpmtool "$srk_password" "$key_password" \
$params --test-sign $tpmkeyurl)
[ $? -ne 0 ] && {
echo "Could not test sign with key $tpmkeyurl"
echo "$msg"
return 1
}
fi
msg=$(run_tpmtool "$srk_password" "$key_password" \
$params --pubkey "$tpmkeyurl" --outfile "$tpmpubkey")
[ $? -ne 0 ] && {
echo "Could not get TPM key's public key"
echo "$msg"
return 1
}
cat <<_EOF_ >${template}
cn = test
ca
cert_signing_key
expiration_days = 1
_EOF_
msg=$($CERTTOOL \
--generate-self-signed \
--template ${template} \
--outfile ${tpmca} \
--load-privkey ${tpmkeyurl} \
--load-pubkey ${tpmpubkey} 2>&1)
[ $? -ne 0 ] && {
echo "Could not create self-signed certificate"
echo "$msg"
return 1
}
echo "Successfully created TPM root CA cert using key $tpmkeyurl"
if [ $register -ne 0 ]; then
if [ -z "$($TPMTOOL --list | grep "${tpmkeyurl}")" ]; then
echo "TPM key '${tpmkeyurl}' was not found in list of TPM keys"
return 1
fi
msg=$(run_tpmtool "$srk_password" "$key_password" \
$params --delete $tpmkeyurl)
[ $? -ne 0 ] && {
echo "Could not delete TPM key ${tpmkeyurl}"
echo "$msg"
return 1
}
if [ -n "$($TPMTOOL --list | grep "$tpmkeyurl")" ]; then
echo "TPM key '$tpmkeyurl' was not properly deleted"
return 1
fi
fi
stop_tcsd
}
run_tests()
{
local workdir="$1"
[ -z "$workdir" ] && {
echo "No workdir"
return 1
}
local srk_password key_password
local owner_password="owner"
local register
register=1
# Test with --register; key password is not needed
for srk_password in "" "s"; do
tpmtool_test "$workdir" "$owner_password" "$srk_password" "" "$register"
[ $? -ne 0 ] && return 1
stop_tcsd
rm ${workdir}/*
done
# Test without --register; the key needs a password, but it has to be the same as the
# srk_password due to a bug in TrouSerS
register=0
for srk_password in "s"; do
key_password=$srk_password
tpmtool_test "$workdir" "$owner_password" "$srk_password" "$key_password" "$register"
[ $? -ne 0 ] && return 1
stop_tcsd
rm ${workdir}/*
done
echo "Ok"
return 0
}
trap "cleanup" EXIT QUIT
run_tests "$workdir"
exit $?