|
Packit Service |
087331 |
#!/bin/bash
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
#
|
|
Packit Service |
087331 |
# Calculate the boot_aggregate for each TPM bank, verifying that the
|
|
Packit Service |
087331 |
# boot_aggregate in the IMA measurement list matches one of them.
|
|
Packit Service |
087331 |
#
|
|
Packit Service |
087331 |
# A software TPM may be used to verify the boot_aggregate. If a
|
|
Packit Service |
087331 |
# software TPM is not already running on the system, this test
|
|
Packit Service |
087331 |
# starts one and initializes the TPM PCR banks by walking the sample
|
|
Packit Service |
087331 |
# binary_bios_measurements event log, included in this directory, and
|
|
Packit Service |
087331 |
# extending the TPM PCRs. The associated ascii_runtime_measurements
|
|
Packit Service |
087331 |
# for verifying the calculated boot_aggregate is included in this
|
|
Packit Service |
087331 |
# directory as well.
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
trap cleanup SIGINT SIGTERM EXIT
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
# Base VERBOSE on the environment variable, if set.
|
|
Packit Service |
087331 |
VERBOSE="${VERBOSE:-0}"
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
cd "$(dirname "$0")"
|
|
Packit Service |
087331 |
export PATH=../src:$PATH
|
|
Packit Service |
087331 |
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH
|
|
Packit Service |
087331 |
. ./functions.sh
|
|
Packit Service |
087331 |
_require evmctl
|
|
Packit Service |
087331 |
TSSDIR="$(dirname -- "$(which tssstartup)")"
|
|
Packit Service |
087331 |
PCRFILE="/sys/class/tpm/tpm0/device/pcrs"
|
|
Packit Service |
087331 |
MISC_PCRFILE="/sys/class/misc/tpm0/device/pcrs"
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
# Only stop this test's software TPM
|
|
Packit Service |
087331 |
cleanup() {
|
|
Packit Service |
087331 |
if [ -n "${SWTPM_PID}" ]; then
|
|
Packit Service |
087331 |
kill -SIGTERM "${SWTPM_PID}"
|
|
Packit Service |
087331 |
elif [ -n "${TPMSERVER_PID}" ]; then
|
|
Packit Service |
087331 |
"${TSSDIR}/tsstpmcmd" -stop
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
# Try to start a software TPM if needed.
|
|
Packit Service |
087331 |
swtpm_start() {
|
|
Packit Service |
087331 |
local tpm_server swtpm
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
tpm_server="$(which tpm_server)"
|
|
Packit Service |
087331 |
swtpm="$(which swtpm)"
|
|
Packit Service |
087331 |
if [ -z "${tpm_server}" ] && [ -z "${swtpm}" ]; then
|
|
Packit Service |
087331 |
echo "${CYAN}SKIP: Software TPM (tpm_server and swtpm) not found${NORM}"
|
|
Packit Service |
087331 |
return "$SKIP"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if [ -n "${swtpm}" ]; then
|
|
Packit Service |
087331 |
pgrep swtpm
|
|
Packit Service |
087331 |
if [ $? -eq 0 ]; then
|
|
Packit Service |
087331 |
echo "INFO: Software TPM (swtpm) already running"
|
|
Packit Service |
087331 |
return 114
|
|
Packit Service |
087331 |
else
|
|
Packit Service |
087331 |
echo "INFO: Starting software TPM: ${swtpm}"
|
|
Packit Service |
087331 |
mkdir -p ./myvtpm
|
|
Packit Service |
087331 |
${swtpm} socket --tpmstate dir=./myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init > /dev/null 2>&1 &
|
|
Packit Service |
087331 |
SWTPM_PID=$!
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
elif [ -n "${tpm_server}" ]; then
|
|
Packit Service |
087331 |
# tpm_server uses the Microsoft simulator encapsulated packet format
|
|
Packit Service |
087331 |
export TPM_SERVER_TYPE="mssim"
|
|
Packit Service |
087331 |
pgrep tpm_server
|
|
Packit Service |
087331 |
if [ $? -eq 0 ]; then
|
|
Packit Service |
087331 |
echo "INFO: Software TPM (tpm_server) already running"
|
|
Packit Service |
087331 |
return 114
|
|
Packit Service |
087331 |
else
|
|
Packit Service |
087331 |
echo "INFO: Starting software TPM: ${tpm_server}"
|
|
Packit Service |
087331 |
${tpm_server} > /dev/null 2>&1 &
|
|
Packit Service |
087331 |
TPMSERVER_PID=$!
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
return 0
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
# Initialize the software TPM using the sample binary_bios_measurements log.
|
|
Packit Service |
087331 |
swtpm_init() {
|
|
Packit Service |
087331 |
if [ ! -f "${TSSDIR}/tssstartup" ] || [ ! -f "${TSSDIR}/tsseventextend" ]; then
|
|
Packit Service |
087331 |
echo "${CYAN}SKIP: tssstartup and tsseventextend needed for test${NORM}"
|
|
Packit Service |
087331 |
return "$SKIP"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
echo "INFO: Sending software TPM startup"
|
|
Packit Service |
087331 |
"${TSSDIR}/tssstartup"
|
|
Packit Service |
087331 |
if [ $? -ne 0 ]; then
|
|
Packit Service |
087331 |
echo "INFO: Retry sending software TPM startup"
|
|
Packit Service |
087331 |
sleep 1
|
|
Packit Service |
087331 |
"${TSSDIR}/tssstartup"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if [ $? -ne 0 ]; then
|
|
Packit Service |
087331 |
echo "INFO: Software TPM startup failed"
|
|
Packit Service |
087331 |
return "$SKIP"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
echo "INFO: Walking ${BINARY_BIOS_MEASUREMENTS} initializing the software TPM"
|
|
Packit Service |
087331 |
# $(${TSSDIR}/tsseventextend -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v) 2>&1 > /dev/null
|
|
Packit Service |
087331 |
"${TSSDIR}/tsseventextend" -tpm -if "${BINARY_BIOS_MEASUREMENTS}" -v > /dev/null 2>&1
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
# In VERBOSE mode, display the calculated TPM PCRs for the different banks.
|
|
Packit Service |
087331 |
display_pcrs() {
|
|
Packit Service |
087331 |
local PCRMAX=9
|
|
Packit Service |
087331 |
local banks=("sha1" "sha256")
|
|
Packit Service |
087331 |
local i;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
for bank in "${banks[@]}"; do
|
|
Packit Service |
087331 |
echo "INFO: Displaying ${bank} TPM bank (PCRs 0 - 9)"
|
|
Packit Service |
087331 |
for i in $(seq 0 $PCRMAX); do
|
|
Packit Service |
087331 |
rc=0
|
|
Packit Service |
087331 |
pcr=$("${TSSDIR}/tsspcrread" -halg "${bank}" -ha "${i}" -ns)
|
|
Packit Service |
087331 |
if [ $rc -ne 0 ]; then
|
|
Packit Service |
087331 |
echo "INFO: tsspcrread failed: $pcr"
|
|
Packit Service |
087331 |
break
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
echo "$i: $pcr"
|
|
Packit Service |
087331 |
done
|
|
Packit Service |
087331 |
done
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
# The first entry in the IMA measurement list is the "boot_aggregate".
|
|
Packit Service |
087331 |
# For each kexec, an additional "boot_aggregate" will appear in the
|
|
Packit Service |
087331 |
# measurement list, assuming the previous measurement list is carried
|
|
Packit Service |
087331 |
# across the kexec.
|
|
Packit Service |
087331 |
#
|
|
Packit Service |
087331 |
# Verify that the last "boot_aggregate" record in the IMA measurement
|
|
Packit Service |
087331 |
# list matches.
|
|
Packit Service |
087331 |
check() {
|
|
Packit Service |
087331 |
echo "INFO: Calculating the boot_aggregate (PCRs 0 - 9) for multiple banks"
|
|
Packit Service |
087331 |
bootaggr=$(evmctl ima_boot_aggregate)
|
|
Packit Service |
087331 |
if [ $? -ne 0 ]; then
|
|
Packit Service |
087331 |
echo "${CYAN}SKIP: evmctl ima_boot_aggregate: $bootaggr${NORM}"
|
|
Packit Service |
087331 |
exit "$SKIP"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
boot_aggr=( $bootaggr )
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
echo "INFO: Searching for the boot_aggregate in ${ASCII_RUNTIME_MEASUREMENTS}"
|
|
Packit Service |
087331 |
for hash in "${boot_aggr[@]}"; do
|
|
Packit Service |
087331 |
if [ "$VERBOSE" != "0" ]; then
|
|
Packit Service |
087331 |
echo "$hash"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
if grep -e " boot_aggregate$" -e " boot_aggregate.$" "${ASCII_RUNTIME_MEASUREMENTS}" | tail -n 1 | grep -q "${hash}"; then
|
|
Packit Service |
087331 |
echo "${GREEN}SUCCESS: boot_aggregate ${hash} found${NORM}"
|
|
Packit Service |
087331 |
return "$OK"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
done
|
|
Packit Service |
087331 |
echo "${RED}FAILURE: boot_aggregate not found${NORM}"
|
|
Packit Service |
087331 |
echo "$bootaggr"
|
|
Packit Service |
087331 |
return "$FAIL"
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if [ "$(id -u)" = 0 ] && [ -c "/dev/tpm0" ]; then
|
|
Packit Service |
087331 |
ASCII_RUNTIME_MEASUREMENTS="/sys/kernel/security/ima/ascii_runtime_measurements"
|
|
Packit Service |
087331 |
if [ ! -d "/sys/kernel/security/ima" ]; then
|
|
Packit Service |
087331 |
echo "${CYAN}SKIP: CONFIG_IMA not enabled${NORM}"
|
|
Packit Service |
087331 |
exit "$SKIP"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
else
|
|
Packit Service |
087331 |
BINARY_BIOS_MEASUREMENTS="./sample-binary_bios_measurements-pcrs-8-9"
|
|
Packit Service |
087331 |
ASCII_RUNTIME_MEASUREMENTS="./sample-ascii_runtime_measurements-pcrs-8-9"
|
|
Packit Service |
087331 |
export TPM_INTERFACE_TYPE="socsim"
|
|
Packit Service |
087331 |
export TPM_COMMAND_PORT=2321
|
|
Packit Service |
087331 |
export TPM_PLATFORM_PORT=2322
|
|
Packit Service |
087331 |
export TPM_SERVER_NAME="localhost"
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
# swtpm uses the raw, unencapsulated packet format
|
|
Packit Service |
087331 |
export TPM_SERVER_TYPE="raw"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
# Start and initialize a software TPM as needed
|
|
Packit Service |
087331 |
if [ "$(id -u)" != 0 ] || [ ! -c "/dev/tpm0" ]; then
|
|
Packit Service |
087331 |
if [ -f "$PCRFILE" ] || [ -f "$MISC_PCRFILE" ]; then
|
|
Packit Service |
087331 |
echo "${CYAN}SKIP: system has discrete TPM 1.2, sample TPM 2.0 event log test not supported.${NORM}"
|
|
Packit Service |
087331 |
exit "$SKIP"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
swtpm_start
|
|
Packit Service |
087331 |
error=$?
|
|
Packit Service |
087331 |
if [ $error -eq "$SKIP" ]; then
|
|
Packit Service |
087331 |
echo "skip: swtpm not installed"
|
|
Packit Service |
087331 |
exit "$SKIP"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if [ $error -eq 0 ]; then
|
|
Packit Service |
087331 |
swtpm_init
|
|
Packit Service |
087331 |
if [ $? -eq "$SKIP" ]; then
|
|
Packit Service |
087331 |
echo "testing boot_aggregate without entries"
|
|
Packit Service |
087331 |
exit "$SKIP"
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
if [ "$VERBOSE" != "0" ]; then
|
|
Packit Service |
087331 |
display_pcrs
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
fi
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
expect_pass check
|