Hi Jarkko,
Please note that I'm seeing "add_key: Timer expired" frequently. This is something new. I have no idea if this is a new TPM or keys regression.
Mimi
On Thu, 2019-10-24 at 15:14 -0400, Mimi Zohar wrote:
Create, save and load trusted keys test
Signed-off-by: Mimi Zohar zohar@linux.ibm.com
Change log v1:
- Replace the directions for using Trousers to take ownership of the TPM
with directions for using the IBM TSS.
- Differentiate between different types of errors. Recent bug is causing
"add_key: Timer expired".
tools/testing/selftests/tpm2/Makefile | 2 +- tools/testing/selftests/tpm2/test_trustedkeys.sh | 109 +++++++++++++++++++++++ 2 files changed, 110 insertions(+), 1 deletion(-) create mode 100755 tools/testing/selftests/tpm2/test_trustedkeys.sh
diff --git a/tools/testing/selftests/tpm2/Makefile b/tools/testing/selftests/tpm2/Makefile index 1a5db1eb8ed5..055bf62510b5 100644 --- a/tools/testing/selftests/tpm2/Makefile +++ b/tools/testing/selftests/tpm2/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause) include ../lib.mk -TEST_PROGS := test_smoke.sh test_space.sh +TEST_PROGS := test_smoke.sh test_space.sh test_trustedkey.sh TEST_PROGS_EXTENDED := tpm2.py tpm2_tests.py diff --git a/tools/testing/selftests/tpm2/test_trustedkeys.sh b/tools/testing/selftests/tpm2/test_trustedkeys.sh new file mode 100755 index 000000000000..dc7df7467670 --- /dev/null +++ b/tools/testing/selftests/tpm2/test_trustedkeys.sh @@ -0,0 +1,109 @@ +#!/bin/sh
+VERBOSE="${VERBOSE:-1}" +TRUSTEDKEY1="$(mktemp -u XXXX).blob" +TRUSTEDKEY2="$(mktemp -u XXXX).blob" +ERRMSG="$(mktemp -u XXXX)" +trap "echo PRETRAP" SIGINT SIGTERM SIGTSTP +trap "{ rm -f $TRUSTEDKEY1 $TRUSTEDKEY2 $ERRMSG; }" EXIT
+log_info() +{
[ $VERBOSE -ne 0 ] && echo "[INFO] $1"
+}
+# The ksefltest framework requirement returns 0 for PASS. +log_pass() +{
[ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
exit 0
+}
+# The ksefltest framework requirement returns 1 for FAIL. +log_fail() +{
[ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
exit 1
+}
+# The ksefltest framework requirement returns 4 for SKIP. +log_skip() +{
[ $VERBOSE -ne 0 ] && echo "$1"
exit 4
+}
+is_tpm1() +{
- local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
- if [ ! -f "$pcrs_path" ]; then
pcrs_path="/sys/class/misc/tpm0/device/pcrs"
- fi
- if [ ! -f "$pcrs_path" ]; then
log_skip "TPM 1.2 chip not found"
- fi
+}
+takeownership_info() +{
- log_info "creating trusted key failed, probably requires taking TPM ownership:"
- which tss1oiap > /dev/null 2>&1 || \
log_info " tss1oiap not found, install IBM TSS"
- log_info " export TPM_DEVICE=/dev/tpm0"
- log_info " export TPM_ENCRYPT_SESSIONS=0"
- log_info " OIAP=$(tss1oiap | cut -d' ' -f 2)"
- log_info " tss1takeownership -se0 $OIAP 0"
- log_fail "creating trusted key"
+}
+test_trustedkey() +{
- #local keyid="$(keyctl add trusted kmk-test "new 64" @u)" &> $ERRMSG
- local keyid="$(keyctl add trusted kmk-test "new 64" @u 2> $ERRMSG)"
- grep -E -q "add_key: Operation not permitted" $ERRMSG
- if [ $? -eq 0 ]; then
takeownership_info
- fi
- grep -E -q "add_key: " $ERRMSG
- if [ $? -eq 0 ]; then
log_info "`cat ${ERRMSG}`"
log_fail "creating trusted key"
- fi
- if [ -z "$keyid" ]; then
log_fail "creating trusted key failed"
- fi
- log_info "creating trusted key succeeded"
- # save newly created trusted key and remove from keyring
- keyctl pipe "$keyid" > "$TRUSTEDKEY1"
- keyctl unlink "$keyid" &> /dev/null
- keyid=$(keyctl add trusted kmk-test "load `cat $TRUSTEDKEY1`" @u)
- if [ $? -eq 0 ]; then
log_info "loading trusted key succeeded"
- else
log_fail "loading trusted key failed"
- fi
- # save loaded trusted key and remove from keyring again
- keyctl pipe "$keyid" > "$TRUSTEDKEY2"
- keyctl unlink "$keyid" &> /dev/null
- # compare trusted keys
- diff "$TRUSTEDKEY1" "$TRUSTEDKEY2" &> /dev/null
- ret=$?
- if [ $ret -eq 0 ]; then
log_pass "trusted key test succeeded"
- else
log_fail "trusted key test failed"
- fi
+}
+is_tpm1 +test_trustedkey