|
| 1 | +#!/bin/bash -x |
| 2 | +# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: |
| 3 | +# |
| 4 | +# Copyright (c) 2019 Red Hat, Inc. |
| 5 | +# Author: Sergio Correia <scorreia@redhat.com> |
| 6 | +# |
| 7 | +# This program is free software: you can redistribute it and/or modify |
| 8 | +# it under the terms of the GNU General Public License as published by |
| 9 | +# the Free Software Foundation, either version 3 of the License, or |
| 10 | +# (at your option) any later version. |
| 11 | +# |
| 12 | +# This program is distributed in the hope that it will be useful, |
| 13 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 14 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 15 | +# GNU General Public License for more details. |
| 16 | +# |
| 17 | +# You should have received a copy of the GNU General Public License |
| 18 | +# along with this program. If not, see <http://www.gnu.org/licenses/>. |
| 19 | +# |
| 20 | + |
| 21 | +TEST=$(basename "${0}") |
| 22 | + |
| 23 | +# Code to return to mark test as skipped. |
| 24 | +SKIP_RET_CODE=77 |
| 25 | + |
| 26 | +tpm1_available() { |
| 27 | + tpm_version_bin="$(command -v tpm_version || echo /usr/sbin/tpm_version)" |
| 28 | + if ! "$tpm_version_bin" >/dev/null 2>&1; then |
| 29 | + # The tpm_version outputs garbage to stdout on success, so let the |
| 30 | + # tpm_version output the error again cleanly now |
| 31 | + echo "The tpm1 pin requires tcsd daemon (trousers) running:" >&2 |
| 32 | + if [ -x "$tpm_version_bin" ]; then |
| 33 | + ( "$tpm_version_bin" 2>&1 | tr '\0' ' ' ) >&2 |
| 34 | + else |
| 35 | + echo Cannot check, tpm_version from tpm-tools not found >&2 |
| 36 | + fi |
| 37 | + return 1 |
| 38 | + fi |
| 39 | +} |
| 40 | + |
| 41 | +validate_pcrs() { |
| 42 | + local _pcr_bank="${1}" |
| 43 | + local _pcrs="${2}" |
| 44 | + local _pcr |
| 45 | + [ -z "${_pcr_bank}" ] && return 1 |
| 46 | + [ -z "${_pcrs}" ] && return 0 |
| 47 | + |
| 48 | + for _pcr in ${_pcrs//,/ }; do |
| 49 | + [ -f "/sys/class/tpm/tpm0/pcr-${_pcr_bank}/${_pcr}" ] || return 1 |
| 50 | + done |
| 51 | + |
| 52 | + return 0 |
| 53 | +} |
| 54 | + |
| 55 | +# Checking if we can run this test. |
| 56 | +if ! tpm1_available; then |
| 57 | + exit ${SKIP_RET_CODE} |
| 58 | +fi |
| 59 | + |
| 60 | +decode_jwe() { |
| 61 | + local jwe="${1}" |
| 62 | + |
| 63 | + local coded |
| 64 | + if ! coded=$(jose jwe fmt -i- <<< "${jwe}"); then |
| 65 | + return 1 |
| 66 | + fi |
| 67 | + |
| 68 | + coded=$(jose fmt -j- -g protected -u- <<< "${coded}" | tr -d '"') |
| 69 | + jose b64 dec -i- <<< "${coded}" |
| 70 | +} |
| 71 | + |
| 72 | +test_pcr_ids() { |
| 73 | + local orig="${1}" |
| 74 | + local cfg="${2}" |
| 75 | + local expected_pcr_ids="${3}" |
| 76 | + |
| 77 | + local enc |
| 78 | + if ! enc=$(echo "${orig}" | clevis encrypt tpm1 "${cfg}"); then |
| 79 | + echo "${TEST}: encrypt failed for cfg: ${cfg}" >&1 |
| 80 | + return 1 |
| 81 | + fi |
| 82 | + |
| 83 | + local pcr_ids |
| 84 | + pcr_ids=$(decode_jwe "${enc}" \ |
| 85 | + | jose fmt -j- -Og clevis -Og tpm1 -Og pcr_ids -u- 2>/dev/null) |
| 86 | + |
| 87 | + local dec |
| 88 | + dec=$(echo "${enc}" | clevis decrypt) |
| 89 | + |
| 90 | + if [ "${orig}" != "${dec}" ]; then |
| 91 | + echo "${TEST}: decoded text (${dec}) does not match original one (${orig})" >&2 |
| 92 | + return 1 |
| 93 | + fi |
| 94 | + |
| 95 | + if [ "${pcr_ids}" != "${expected_pcr_ids}" ]; then |
| 96 | + echo "${TEST}: pcr_ids (${pcr_ids}) do not match the expected (${expected_pcr_ids}) result." >&2 |
| 97 | + return 1 |
| 98 | + fi |
| 99 | +} |
| 100 | + |
| 101 | +test_enc_dec() { |
| 102 | + local cfg="${1}" |
| 103 | + output=$(echo Working | clevis encrypt tpm1 "${cfg}" | clevis decrypt) |
| 104 | + |
| 105 | + if [ "$output" != "Working" ]; then |
| 106 | + echo "Output after decrypting doesn't match: ${output} != 'Working'" |
| 107 | + return 1 |
| 108 | + fi |
| 109 | +} |
| 110 | + |
| 111 | +test_enc_dec '{}' || exit 1 |
| 112 | +test_pcr_ids "${orig}" '{}' "" || exit 1 |
| 113 | +test_pcr_ids "${orig}" '{ }' "" || exit 1 |
| 114 | + |
| 115 | +# Issue #103: now let's try a few different configs with both strings and |
| 116 | +# arrays and check if we get the expected pcr_ids. |
| 117 | + |
| 118 | +# Let's first make sure this would be a valid configuration. |
| 119 | +_default_pcr_bank="sha1" |
| 120 | +if validate_pcrs "${_default_pcr_bank}" "4,16"; then |
| 121 | + test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1 |
| 122 | + test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1 |
| 123 | + test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1 |
| 124 | + test_pcr_ids "${orig}" '{"pcr_ids": "4,16"}' "4,16" || exit 1 |
| 125 | + test_pcr_ids "${orig}" '{"pcr_ids": ["4,16"]}' "4,16" || exit 1 |
| 126 | + test_pcr_ids "${orig}" '{"pcr_ids": [4,16]}' "4,16" || exit 1 |
| 127 | + test_pcr_ids "${orig}" '{"pcr_ids": [4, 16]}' "4,16" || exit 1 |
| 128 | + test_pcr_ids "${orig}" '{"pcr_ids": ["4","16"]}' "4,16" || exit 1 |
| 129 | + ! test_pcr_ids "${orig}" '{"pcr_ids": ["4","16"]}' "foo bar" || exit 1 |
| 130 | +else |
| 131 | + echo "Skipping tests related to issue#103 because the combination of pcr_bank and PCRs is invalid" >&2 |
| 132 | +fi |
0 commit comments