From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Cc: Petr Vorel <pvorel@suse.cz>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Tushar Sugandhi <tusharsu@linux.microsoft.com>,
linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>
Subject: [PATCH v5 4/4] ima_tpm.sh: Fix calculating PCR aggregate
Date: Mon, 14 Dec 2020 23:19:46 +0100 [thread overview]
Message-ID: <20201214221946.6340-5-pvorel@suse.cz> (raw)
In-Reply-To: <20201214221946.6340-1-pvorel@suse.cz>
for TPM 2.0 and support more evmctl versions.
Because exporting PCR registers for TPM 2.0 has not been upstreamed [1],
we use user space code, which requires evmctl >= 1.3.1 and tsspcrread.
Using evmctl allows to test for TPM devices which does not export event
log (/sys/kernel/security/tpm0/binary_bios_measurements).
For TPM 1.2 read tpm0 device's pcrs file from sysfs. (tss1pcrread could
be also used, but it's not yet packaged by distros.)
For old kernels which use SHA1/MD5, any evmctl version is required (evmctl
ima_measurement was introduced in very old v0.7), but
* newer sysctl path /sys/class/tpm/tpm0/device/pcrs requires evmctl 1.1
* using ima_policy=tcb requires 1.3.1 due --ignore-violations
We now support output format of ima_measurement command for various
evmctl versions:
* 1.3: "sha256: TPM PCR-10:" (or other algorithm, e.g. "sha1:")
* 1.1-1.2.1: "HW PCR-10:" (the only previously supported format)
* 0.7-1.0: "PCR-10:"
NOTE: we ignore evmctl failure for evmctl < 1.3.1 (missing --ignore-violations,
also evmctl < 1.1 fails with "PCRAgg does not match PCR-10")
As for previous commit fix testing with TPM 2.0 device which does not
export event log (/sys/kernel/security/tpm0/binary_bios_measurements):
not wrongly assuming TPM-bypass when kernel didn't export other TPM
2.0 files we check in get_tpm_version() but bios boot aggregate is
correct (i.e. not 0x00s). In that case evmctl ima_boot_aggregate can get
boot aggregate even without TPM event log.
[1] https://patchwork.kernel.org/patch/11759729/
Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Changes v4->v5:
* improved TPM 2.0 detection (e.g. check for /dev/tpmrm0 and /dev/tpm0)
* test2: if evmctl ima_measurement fails, run again with --ignore-violations
* test2: assume TPM 2, if not detected
* print TPM kernel config
* cleanup
.../security/integrity/ima/tests/ima_setup.sh | 14 +-
.../security/integrity/ima/tests/ima_tpm.sh | 176 +++++++++++++-----
2 files changed, 144 insertions(+), 46 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index dbf8a1db4..59a7ffeac 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -93,7 +93,7 @@ require_ima_policy_content()
fi
}
-require_ima_policy_cmdline()
+check_ima_policy_cmdline()
{
local policy="$1"
local i
@@ -101,10 +101,18 @@ require_ima_policy_cmdline()
grep -q "ima_$policy" /proc/cmdline && return
for i in $(cat /proc/cmdline); do
if echo "$i" | grep -q '^ima_policy='; then
- echo "$i" | grep -q -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" && return
+ echo "$i" | grep -q -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" && return 0
fi
done
- tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
+ return 1
+}
+
+require_ima_policy_cmdline()
+{
+ local policy="$1"
+
+ check_ima_policy_cmdline $policy || \
+ tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
}
mount_helper()
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
index 195fcb16c..233fdeed8 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
@@ -7,13 +7,14 @@
# Verify the boot and PCR aggregates.
TST_CNT=2
-TST_NEEDS_CMDS="awk cut"
+TST_NEEDS_CMDS="awk cut tail"
TST_SETUP="setup"
. ima_setup.sh
EVMCTL_REQUIRED='1.3.1'
ERRMSG_EVMCTL="=> install evmctl >= $EVMCTL_REQUIRED"
+ERRMSG_TPM="TPM hardware support not enabled in kernel or no TPM chip found"
setup()
{
@@ -31,7 +32,7 @@ setup()
TPM_VERSION="$(get_tpm_version)"
if [ -z "$TPM_VERSION" ]; then
- tst_res TINFO "TPM hardware support not enabled in kernel or no TPM chip found, testing TPM-bypass"
+ tst_res TINFO "$ERRMSG_TPM, testing TPM-bypass"
else
tst_res TINFO "TMP major version: $TPM_VERSION"
fi
@@ -121,6 +122,93 @@ get_tpm_version()
fi
}
+read_pcr_tpm1()
+{
+ local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
+ local evmctl_required="1.1"
+ local hash pcr
+
+ if [ ! -f "$pcrs_path" ]; then
+ pcrs_path="/sys/class/misc/tpm0/device/pcrs"
+ elif ! check_evmctl $evmctl_required; then
+ echo "evmctl >= $evmctl_required required"
+ return 32
+ fi
+
+ if [ ! -f "$pcrs_path" ]; then
+ echo "missing PCR file $pcrs_path ($ERRMSG_TPM)"
+ return 32
+ fi
+
+ while read line; do
+ pcr="$(echo $line | cut -d':' -f1)"
+ hash="$(echo $line | cut -d':' -f2 | awk '{ gsub (" ", "", $0); print tolower($0) }')"
+ echo "$pcr: $hash"
+ done < $pcrs_path
+
+ return 0
+}
+
+# NOTE: TPM 1.2 would require to use tss1pcrread which is not fully adopted
+# by distros yet.
+read_pcr_tpm2()
+{
+ local pcrmax=23
+ local pcrread="tsspcrread -halg $ALGORITHM"
+ local i pcr
+
+ tst_check_cmds tsspcrread || return 1
+
+ for i in $(seq 0 $pcrmax); do
+ pcr=$($pcrread -ha "$i" -ns)
+ if [ $? -ne 0 ]; then
+ echo "tsspcrread failed: $pcr"
+ return 1
+ fi
+ printf "PCR-%02d: %s\n" $i "$pcr"
+ done
+
+ return 0
+}
+
+get_pcr10_aggregate()
+{
+ local cmd="evmctl -vv ima_measurement $BINARY_MEASUREMENTS"
+ local msg="$ERRMSG_EVMCTL"
+ local res=TCONF
+ local pcr ret
+
+ if [ -z "$MISSING_EVMCTL" ]; then
+ msg=
+ res=TFAIL
+ fi
+
+ $cmd > hash.txt 2>&1
+ ret=$?
+ if [ $ret -ne 0 -a -z "$MISSING_EVMCTL" ]; then
+ tst_res TFAIL "evmctl failed, trying with --ignore-violations"
+ cmd="$cmd --ignore-violations"
+ $cmd > hash.txt 2>&1
+ ret=$?
+ elif [ $ret -ne 0 -a "$MISSING_EVMCTL" = 1 ]; then
+ tst_brk TFAIL "evmctl failed $msg"
+ fi
+
+ [ $ret -ne 0 ] && tst_res TWARN "evmctl failed, trying to continue $msg"
+
+ pcr=$(grep -E "^($ALGORITHM: )*PCRAgg(.*10)*:" hash.txt | tail -1 \
+ | awk '{print $NF}')
+
+ if [ -z "$pcr" ]; then
+ tst_res $res "failed to find aggregate PCR-10 $msg"
+ tst_res TINFO "hash file:"
+ cat hash.txt >&2
+ return
+ fi
+
+ echo "$pcr"
+}
+
test1_tpm_bypass_mode()
{
local zero=$(echo $DIGEST | awk '{gsub(/./, "0")}; {print}')
@@ -139,8 +227,10 @@ test1_hw_tpm()
local cmd="evmctl ima_boot_aggregate -v"
local boot_aggregate
- [ -z "$TPM_VERSION" ] && \
+ if [ -z "$TPM_VERSION" ]; then
tst_res TWARN "TPM-bypass failed, trying to test TPM device (unknown TPM version)"
+ MAYBE_TPM2=1
+ fi
if [ "$MISSING_EVMCTL" = 1 ]; then
if [ ! -f "$tpm_bios" ]; then
@@ -174,57 +264,57 @@ test1()
[ -z "$TPM_VERSION" ] && test1_tpm_bypass_mode || test1_hw_tpm
}
-# Probably cleaner to programmatically read the PCR values directly
-# from the TPM, but that would require a TPM library. For now, use
-# the PCR values from /sys/devices.
-validate_pcr()
+test2()
{
- tst_res TINFO "verify PCR (Process Control Register)"
+ local hash pcr_aggregate out ret
- local dev_pcrs="$1"
- local pcr hash aggregate_pcr
+ tst_res TINFO "verify PCR values"
- aggregate_pcr="$(evmctl -v ima_measurement $BINARY_MEASUREMENTS 2>&1 | \
- grep 'HW PCR-10:' | awk '{print $3}')"
- if [ -z "$aggregate_pcr" ]; then
- tst_res TFAIL "failed to get PCR-10"
- return 1
+ if [ "$MAYBE_TPM2" = 1 ]; then
+ tst_res TINFO "TMP version not detected ($ERRMSG_TPM), assume TPM 2"
+ TPM_VERSION=2
fi
- while read line; do
- pcr="$(echo $line | cut -d':' -f1)"
- if [ "$pcr" = "PCR-10" ]; then
- hash="$(echo $line | cut -d':' -f2 | awk '{ gsub (" ", "", $0); print tolower($0) }')"
- [ "$hash" = "$aggregate_pcr" ]
- return $?
- fi
- done < $dev_pcrs
- return 1
-}
+ if [ -z "$TPM_VERSION" ]; then
+ tst_brk TCONF "TMP version not detected ($ERRMSG_TPM)"
+ fi
-test2()
-{
- tst_res TINFO "verify PCR values"
- tst_check_cmds evmctl || return
+ if [ "$ALGORITHM" = "sha1" -a "$MISSING_EVMCTL" = 1 ]; then
+ tst_check_cmds evmctl || return 1
+ fi
- tst_res TINFO "evmctl version: $(evmctl --version)"
+ out=$(read_pcr_tpm$TPM_VERSION)
+ ret=$?
- local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
- if [ -f "$pcrs_path" ]; then
- tst_res TINFO "new PCRS path, evmctl >= 1.1 required"
- else
- pcrs_path="/sys/class/misc/tpm0/device/pcrs"
+ if [ $ret -ne 0 ]; then
+ case "$ret" in
+ 1) tst_res TFAIL "$out";;
+ 32) tst_res TCONF "$out";;
+ *) tst_brk TBROK "unsupported return type '$1'";;
+ esac
+ return
fi
- if [ -f "$pcrs_path" ]; then
- validate_pcr $pcrs_path
- if [ $? -eq 0 ]; then
- tst_res TPASS "aggregate PCR value matches real PCR value"
- else
- tst_res TFAIL "aggregate PCR value does not match real PCR value"
- fi
+ hash=$(echo "$out" | grep "^PCR-10" | cut -d' ' -f2)
+
+ if [ -z "$out" ]; then
+ tst_res TFAIL "PCR-10 hash not found"
+ return
+ fi
+
+ tst_res TINFO "real PCR-10: '$hash'"
+
+ get_pcr10_aggregate > tmp.txt
+ pcr_aggregate="$(cat tmp.txt)"
+ if [ -z "$pcr_aggregate" ]; then
+ return
+ fi
+ tst_res TINFO "aggregate PCR-10: '$pcr_aggregate'"
+
+ if [ "$hash" = "$pcr_aggregate" ]; then
+ tst_res TPASS "aggregate PCR value matches real PCR value"
else
- tst_res TCONF "TPM Hardware Support not enabled in kernel or no TPM chip found"
+ tst_res TFAIL "aggregate PCR value does not match real PCR value"
fi
}
--
2.29.2
WARNING: multiple messages have this Message-ID (diff)
From: Petr Vorel <pvorel@suse.cz>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v5 4/4] ima_tpm.sh: Fix calculating PCR aggregate
Date: Mon, 14 Dec 2020 23:19:46 +0100 [thread overview]
Message-ID: <20201214221946.6340-5-pvorel@suse.cz> (raw)
In-Reply-To: <20201214221946.6340-1-pvorel@suse.cz>
for TPM 2.0 and support more evmctl versions.
Because exporting PCR registers for TPM 2.0 has not been upstreamed [1],
we use user space code, which requires evmctl >= 1.3.1 and tsspcrread.
Using evmctl allows to test for TPM devices which does not export event
log (/sys/kernel/security/tpm0/binary_bios_measurements).
For TPM 1.2 read tpm0 device's pcrs file from sysfs. (tss1pcrread could
be also used, but it's not yet packaged by distros.)
For old kernels which use SHA1/MD5, any evmctl version is required (evmctl
ima_measurement was introduced in very old v0.7), but
* newer sysctl path /sys/class/tpm/tpm0/device/pcrs requires evmctl 1.1
* using ima_policy=tcb requires 1.3.1 due --ignore-violations
We now support output format of ima_measurement command for various
evmctl versions:
* 1.3: "sha256: TPM PCR-10:" (or other algorithm, e.g. "sha1:")
* 1.1-1.2.1: "HW PCR-10:" (the only previously supported format)
* 0.7-1.0: "PCR-10:"
NOTE: we ignore evmctl failure for evmctl < 1.3.1 (missing --ignore-violations,
also evmctl < 1.1 fails with "PCRAgg does not match PCR-10")
As for previous commit fix testing with TPM 2.0 device which does not
export event log (/sys/kernel/security/tpm0/binary_bios_measurements):
not wrongly assuming TPM-bypass when kernel didn't export other TPM
2.0 files we check in get_tpm_version() but bios boot aggregate is
correct (i.e. not 0x00s). In that case evmctl ima_boot_aggregate can get
boot aggregate even without TPM event log.
[1] https://patchwork.kernel.org/patch/11759729/
Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Changes v4->v5:
* improved TPM 2.0 detection (e.g. check for /dev/tpmrm0 and /dev/tpm0)
* test2: if evmctl ima_measurement fails, run again with --ignore-violations
* test2: assume TPM 2, if not detected
* print TPM kernel config
* cleanup
.../security/integrity/ima/tests/ima_setup.sh | 14 +-
.../security/integrity/ima/tests/ima_tpm.sh | 176 +++++++++++++-----
2 files changed, 144 insertions(+), 46 deletions(-)
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index dbf8a1db4..59a7ffeac 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -93,7 +93,7 @@ require_ima_policy_content()
fi
}
-require_ima_policy_cmdline()
+check_ima_policy_cmdline()
{
local policy="$1"
local i
@@ -101,10 +101,18 @@ require_ima_policy_cmdline()
grep -q "ima_$policy" /proc/cmdline && return
for i in $(cat /proc/cmdline); do
if echo "$i" | grep -q '^ima_policy='; then
- echo "$i" | grep -q -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" && return
+ echo "$i" | grep -q -e "|[ ]*$policy" -e "$policy[ ]*|" -e "=$policy" && return 0
fi
done
- tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
+ return 1
+}
+
+require_ima_policy_cmdline()
+{
+ local policy="$1"
+
+ check_ima_policy_cmdline $policy || \
+ tst_brk TCONF "IMA measurement tests require builtin IMA $policy policy (e.g. ima_policy=$policy kernel parameter)"
}
mount_helper()
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
index 195fcb16c..233fdeed8 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_tpm.sh
@@ -7,13 +7,14 @@
# Verify the boot and PCR aggregates.
TST_CNT=2
-TST_NEEDS_CMDS="awk cut"
+TST_NEEDS_CMDS="awk cut tail"
TST_SETUP="setup"
. ima_setup.sh
EVMCTL_REQUIRED='1.3.1'
ERRMSG_EVMCTL="=> install evmctl >= $EVMCTL_REQUIRED"
+ERRMSG_TPM="TPM hardware support not enabled in kernel or no TPM chip found"
setup()
{
@@ -31,7 +32,7 @@ setup()
TPM_VERSION="$(get_tpm_version)"
if [ -z "$TPM_VERSION" ]; then
- tst_res TINFO "TPM hardware support not enabled in kernel or no TPM chip found, testing TPM-bypass"
+ tst_res TINFO "$ERRMSG_TPM, testing TPM-bypass"
else
tst_res TINFO "TMP major version: $TPM_VERSION"
fi
@@ -121,6 +122,93 @@ get_tpm_version()
fi
}
+read_pcr_tpm1()
+{
+ local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
+ local evmctl_required="1.1"
+ local hash pcr
+
+ if [ ! -f "$pcrs_path" ]; then
+ pcrs_path="/sys/class/misc/tpm0/device/pcrs"
+ elif ! check_evmctl $evmctl_required; then
+ echo "evmctl >= $evmctl_required required"
+ return 32
+ fi
+
+ if [ ! -f "$pcrs_path" ]; then
+ echo "missing PCR file $pcrs_path ($ERRMSG_TPM)"
+ return 32
+ fi
+
+ while read line; do
+ pcr="$(echo $line | cut -d':' -f1)"
+ hash="$(echo $line | cut -d':' -f2 | awk '{ gsub (" ", "", $0); print tolower($0) }')"
+ echo "$pcr: $hash"
+ done < $pcrs_path
+
+ return 0
+}
+
+# NOTE: TPM 1.2 would require to use tss1pcrread which is not fully adopted
+# by distros yet.
+read_pcr_tpm2()
+{
+ local pcrmax=23
+ local pcrread="tsspcrread -halg $ALGORITHM"
+ local i pcr
+
+ tst_check_cmds tsspcrread || return 1
+
+ for i in $(seq 0 $pcrmax); do
+ pcr=$($pcrread -ha "$i" -ns)
+ if [ $? -ne 0 ]; then
+ echo "tsspcrread failed: $pcr"
+ return 1
+ fi
+ printf "PCR-%02d: %s\n" $i "$pcr"
+ done
+
+ return 0
+}
+
+get_pcr10_aggregate()
+{
+ local cmd="evmctl -vv ima_measurement $BINARY_MEASUREMENTS"
+ local msg="$ERRMSG_EVMCTL"
+ local res=TCONF
+ local pcr ret
+
+ if [ -z "$MISSING_EVMCTL" ]; then
+ msg=
+ res=TFAIL
+ fi
+
+ $cmd > hash.txt 2>&1
+ ret=$?
+ if [ $ret -ne 0 -a -z "$MISSING_EVMCTL" ]; then
+ tst_res TFAIL "evmctl failed, trying with --ignore-violations"
+ cmd="$cmd --ignore-violations"
+ $cmd > hash.txt 2>&1
+ ret=$?
+ elif [ $ret -ne 0 -a "$MISSING_EVMCTL" = 1 ]; then
+ tst_brk TFAIL "evmctl failed $msg"
+ fi
+
+ [ $ret -ne 0 ] && tst_res TWARN "evmctl failed, trying to continue $msg"
+
+ pcr=$(grep -E "^($ALGORITHM: )*PCRAgg(.*10)*:" hash.txt | tail -1 \
+ | awk '{print $NF}')
+
+ if [ -z "$pcr" ]; then
+ tst_res $res "failed to find aggregate PCR-10 $msg"
+ tst_res TINFO "hash file:"
+ cat hash.txt >&2
+ return
+ fi
+
+ echo "$pcr"
+}
+
test1_tpm_bypass_mode()
{
local zero=$(echo $DIGEST | awk '{gsub(/./, "0")}; {print}')
@@ -139,8 +227,10 @@ test1_hw_tpm()
local cmd="evmctl ima_boot_aggregate -v"
local boot_aggregate
- [ -z "$TPM_VERSION" ] && \
+ if [ -z "$TPM_VERSION" ]; then
tst_res TWARN "TPM-bypass failed, trying to test TPM device (unknown TPM version)"
+ MAYBE_TPM2=1
+ fi
if [ "$MISSING_EVMCTL" = 1 ]; then
if [ ! -f "$tpm_bios" ]; then
@@ -174,57 +264,57 @@ test1()
[ -z "$TPM_VERSION" ] && test1_tpm_bypass_mode || test1_hw_tpm
}
-# Probably cleaner to programmatically read the PCR values directly
-# from the TPM, but that would require a TPM library. For now, use
-# the PCR values from /sys/devices.
-validate_pcr()
+test2()
{
- tst_res TINFO "verify PCR (Process Control Register)"
+ local hash pcr_aggregate out ret
- local dev_pcrs="$1"
- local pcr hash aggregate_pcr
+ tst_res TINFO "verify PCR values"
- aggregate_pcr="$(evmctl -v ima_measurement $BINARY_MEASUREMENTS 2>&1 | \
- grep 'HW PCR-10:' | awk '{print $3}')"
- if [ -z "$aggregate_pcr" ]; then
- tst_res TFAIL "failed to get PCR-10"
- return 1
+ if [ "$MAYBE_TPM2" = 1 ]; then
+ tst_res TINFO "TMP version not detected ($ERRMSG_TPM), assume TPM 2"
+ TPM_VERSION=2
fi
- while read line; do
- pcr="$(echo $line | cut -d':' -f1)"
- if [ "$pcr" = "PCR-10" ]; then
- hash="$(echo $line | cut -d':' -f2 | awk '{ gsub (" ", "", $0); print tolower($0) }')"
- [ "$hash" = "$aggregate_pcr" ]
- return $?
- fi
- done < $dev_pcrs
- return 1
-}
+ if [ -z "$TPM_VERSION" ]; then
+ tst_brk TCONF "TMP version not detected ($ERRMSG_TPM)"
+ fi
-test2()
-{
- tst_res TINFO "verify PCR values"
- tst_check_cmds evmctl || return
+ if [ "$ALGORITHM" = "sha1" -a "$MISSING_EVMCTL" = 1 ]; then
+ tst_check_cmds evmctl || return 1
+ fi
- tst_res TINFO "evmctl version: $(evmctl --version)"
+ out=$(read_pcr_tpm$TPM_VERSION)
+ ret=$?
- local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
- if [ -f "$pcrs_path" ]; then
- tst_res TINFO "new PCRS path, evmctl >= 1.1 required"
- else
- pcrs_path="/sys/class/misc/tpm0/device/pcrs"
+ if [ $ret -ne 0 ]; then
+ case "$ret" in
+ 1) tst_res TFAIL "$out";;
+ 32) tst_res TCONF "$out";;
+ *) tst_brk TBROK "unsupported return type '$1'";;
+ esac
+ return
fi
- if [ -f "$pcrs_path" ]; then
- validate_pcr $pcrs_path
- if [ $? -eq 0 ]; then
- tst_res TPASS "aggregate PCR value matches real PCR value"
- else
- tst_res TFAIL "aggregate PCR value does not match real PCR value"
- fi
+ hash=$(echo "$out" | grep "^PCR-10" | cut -d' ' -f2)
+
+ if [ -z "$out" ]; then
+ tst_res TFAIL "PCR-10 hash not found"
+ return
+ fi
+
+ tst_res TINFO "real PCR-10: '$hash'"
+
+ get_pcr10_aggregate > tmp.txt
+ pcr_aggregate="$(cat tmp.txt)"
+ if [ -z "$pcr_aggregate" ]; then
+ return
+ fi
+ tst_res TINFO "aggregate PCR-10: '$pcr_aggregate'"
+
+ if [ "$hash" = "$pcr_aggregate" ]; then
+ tst_res TPASS "aggregate PCR value matches real PCR value"
else
- tst_res TCONF "TPM Hardware Support not enabled in kernel or no TPM chip found"
+ tst_res TFAIL "aggregate PCR value does not match real PCR value"
fi
}
--
2.29.2
next prev parent reply other threads:[~2020-12-14 22:20 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-14 22:19 [PATCH v5 0/4] TPM 2.0 fixes in IMA tests Petr Vorel
2020-12-14 22:19 ` [LTP] " Petr Vorel
2020-12-14 22:19 ` [PATCH v5 1/4] IMA: Move get_algorithm_digest(), set_digest_index() to ima_setup.sh Petr Vorel
2020-12-14 22:19 ` [LTP] " Petr Vorel
2020-12-17 16:56 ` Mimi Zohar
2020-12-17 16:56 ` [LTP] " Mimi Zohar
2020-12-18 11:27 ` Petr Vorel
2020-12-18 11:27 ` [LTP] " Petr Vorel
2020-12-18 12:10 ` Mimi Zohar
2020-12-18 12:10 ` [LTP] " Mimi Zohar
2020-12-14 22:19 ` [PATCH v5 2/4] IMA: Rewrite ima_boot_aggregate.c to new API Petr Vorel
2020-12-14 22:19 ` [LTP] " Petr Vorel
2020-12-14 22:19 ` [PATCH v5 3/4] ima_tpm.sh: Fix calculating boot aggregate Petr Vorel
2020-12-14 22:19 ` [LTP] " Petr Vorel
2020-12-17 18:12 ` Mimi Zohar
2020-12-17 18:12 ` [LTP] " Mimi Zohar
2020-12-17 19:36 ` Petr Vorel
2020-12-17 19:36 ` [LTP] " Petr Vorel
2020-12-14 22:19 ` Petr Vorel [this message]
2020-12-14 22:19 ` [LTP] [PATCH v5 4/4] ima_tpm.sh: Fix calculating PCR aggregate Petr Vorel
2020-12-17 19:16 ` Mimi Zohar
2020-12-17 19:16 ` [LTP] " Mimi Zohar
2020-12-17 5:20 ` [PATCH v5 0/4] TPM 2.0 fixes in IMA tests Mimi Zohar
2020-12-17 5:20 ` [LTP] " Mimi Zohar
2020-12-17 8:33 ` Petr Vorel
2020-12-17 8:33 ` [LTP] " Petr Vorel
2020-12-17 19:23 ` Mimi Zohar
2020-12-17 19:23 ` [LTP] " Mimi Zohar
2020-12-18 11:45 ` Petr Vorel
2020-12-18 11:45 ` [LTP] " Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201214221946.6340-5-pvorel@suse.cz \
--to=pvorel@suse.cz \
--cc=linux-integrity@vger.kernel.org \
--cc=ltp@lists.linux.it \
--cc=nramas@linux.microsoft.com \
--cc=tusharsu@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.