From: Mimi Zohar <zohar@linux.ibm.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: David Howells <dhowells@redhat.com>, Petr Vorel <pvorel@suse.cz>,
shuah <shuah@kernel.org>,
James Bottomley <James.Bottomley@HansenPartnership.com>,
linux-integrity@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-kernel@vger.kernel.org, Eric Biggers <ebiggers@kernel.org>
Subject: Re: [PATCH v1] selftest/trustedkeys: TPM 1.2 trusted keys test
Date: Thu, 24 Oct 2019 15:24:06 -0400 [thread overview]
Message-ID: <1571945046.11756.5.camel@linux.ibm.com> (raw)
In-Reply-To: <1571944467-13097-1-git-send-email-zohar@linux.ibm.com>
Hi Jarkko,
Please note that I'm seeing "add_key: Timer expired" frequently. This
is something new. I have no idea if this is a new TPM or keys
regression.
Mimi
On Thu, 2019-10-24 at 15:14 -0400, Mimi Zohar wrote:
> Create, save and load trusted keys test
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
>
> Change log v1:
> - Replace the directions for using Trousers to take ownership of the TPM
> with directions for using the IBM TSS.
> - Differentiate between different types of errors. Recent bug is causing
> "add_key: Timer expired".
> ---
> tools/testing/selftests/tpm2/Makefile | 2 +-
> tools/testing/selftests/tpm2/test_trustedkeys.sh | 109 +++++++++++++++++++++++
> 2 files changed, 110 insertions(+), 1 deletion(-)
> create mode 100755 tools/testing/selftests/tpm2/test_trustedkeys.sh
>
> diff --git a/tools/testing/selftests/tpm2/Makefile b/tools/testing/selftests/tpm2/Makefile
> index 1a5db1eb8ed5..055bf62510b5 100644
> --- a/tools/testing/selftests/tpm2/Makefile
> +++ b/tools/testing/selftests/tpm2/Makefile
> @@ -1,5 +1,5 @@
> # SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
> include ../lib.mk
>
> -TEST_PROGS := test_smoke.sh test_space.sh
> +TEST_PROGS := test_smoke.sh test_space.sh test_trustedkey.sh
> TEST_PROGS_EXTENDED := tpm2.py tpm2_tests.py
> diff --git a/tools/testing/selftests/tpm2/test_trustedkeys.sh b/tools/testing/selftests/tpm2/test_trustedkeys.sh
> new file mode 100755
> index 000000000000..dc7df7467670
> --- /dev/null
> +++ b/tools/testing/selftests/tpm2/test_trustedkeys.sh
> @@ -0,0 +1,109 @@
> +#!/bin/sh
> +
> +VERBOSE="${VERBOSE:-1}"
> +TRUSTEDKEY1="$(mktemp -u XXXX).blob"
> +TRUSTEDKEY2="$(mktemp -u XXXX).blob"
> +ERRMSG="$(mktemp -u XXXX)"
> +trap "echo PRETRAP" SIGINT SIGTERM SIGTSTP
> +trap "{ rm -f $TRUSTEDKEY1 $TRUSTEDKEY2 $ERRMSG; }" EXIT
> +
> +log_info()
> +{
> + [ $VERBOSE -ne 0 ] && echo "[INFO] $1"
> +}
> +
> +# The ksefltest framework requirement returns 0 for PASS.
> +log_pass()
> +{
> + [ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
> + exit 0
> +}
> +
> +# The ksefltest framework requirement returns 1 for FAIL.
> +log_fail()
> +{
> + [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
> + exit 1
> +}
> +
> +# The ksefltest framework requirement returns 4 for SKIP.
> +log_skip()
> +{
> + [ $VERBOSE -ne 0 ] && echo "$1"
> + exit 4
> +}
> +
> +is_tpm1()
> +{
> + local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
> + if [ ! -f "$pcrs_path" ]; then
> + pcrs_path="/sys/class/misc/tpm0/device/pcrs"
> + fi
> +
> + if [ ! -f "$pcrs_path" ]; then
> + log_skip "TPM 1.2 chip not found"
> + fi
> +}
> +
> +takeownership_info()
> +{
> + log_info "creating trusted key failed, probably requires taking TPM ownership:"
> + which tss1oiap > /dev/null 2>&1 || \
> + log_info " tss1oiap not found, install IBM TSS"
> +
> + log_info " export TPM_DEVICE=/dev/tpm0"
> + log_info " export TPM_ENCRYPT_SESSIONS=0"
> +
> + log_info " OIAP=\$(tss1oiap | cut -d' ' -f 2)"
> + log_info " tss1takeownership -se0 \$OIAP 0"
> + log_fail "creating trusted key"
> +}
> +
> +test_trustedkey()
> +{
> + #local keyid="$(keyctl add trusted kmk-test "new 64" @u)" &> $ERRMSG
> + local keyid="$(keyctl add trusted kmk-test "new 64" @u 2> $ERRMSG)"
> +
> + grep -E -q "add_key: Operation not permitted" $ERRMSG
> + if [ $? -eq 0 ]; then
> + takeownership_info
> + fi
> +
> + grep -E -q "add_key: " $ERRMSG
> + if [ $? -eq 0 ]; then
> + log_info "`cat ${ERRMSG}`"
> + log_fail "creating trusted key"
> + fi
> +
> + if [ -z "$keyid" ]; then
> + log_fail "creating trusted key failed"
> + fi
> + log_info "creating trusted key succeeded"
> +
> + # save newly created trusted key and remove from keyring
> + keyctl pipe "$keyid" > "$TRUSTEDKEY1"
> + keyctl unlink "$keyid" &> /dev/null
> +
> + keyid=$(keyctl add trusted kmk-test "load `cat $TRUSTEDKEY1`" @u)
> + if [ $? -eq 0 ]; then
> + log_info "loading trusted key succeeded"
> + else
> + log_fail "loading trusted key failed"
> + fi
> +
> + # save loaded trusted key and remove from keyring again
> + keyctl pipe "$keyid" > "$TRUSTEDKEY2"
> + keyctl unlink "$keyid" &> /dev/null
> +
> + # compare trusted keys
> + diff "$TRUSTEDKEY1" "$TRUSTEDKEY2" &> /dev/null
> + ret=$?
> + if [ $ret -eq 0 ]; then
> + log_pass "trusted key test succeeded"
> + else
> + log_fail "trusted key test failed"
> + fi
> +}
> +
> +is_tpm1
> +test_trustedkey
next prev parent reply other threads:[~2019-10-24 19:29 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-24 19:14 [PATCH v1] selftest/trustedkeys: TPM 1.2 trusted keys test Mimi Zohar
2019-10-24 19:24 ` Mimi Zohar [this message]
2019-10-28 20:35 ` Jarkko Sakkinen
2019-10-28 20:30 ` Jarkko Sakkinen
2019-10-28 20:40 ` Jarkko Sakkinen
2019-10-28 20:45 ` Mimi Zohar
2019-10-29 9:15 ` Jarkko Sakkinen
2019-10-29 9:25 ` Jarkko Sakkinen
2019-10-29 11:45 ` Jarkko Sakkinen
2019-10-29 11:49 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1571945046.11756.5.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=dhowells@redhat.com \
--cc=ebiggers@kernel.org \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=pvorel@suse.cz \
--cc=shuah@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).