Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
---
tests/attestation.sh | 30 ++++++++++++++++++++++++++++++
tests/check_importable.sh | 3 +--
tests/engine/Makefile.am | 3 ++-
tests/provider/Makefile.am | 3 ++-
tests/seal_unseal.sh | 3 +--
tests/start_sw_tpm.sh | 2 ++
6 files changed, 38 insertions(+), 6 deletions(-)
create mode 100755 tests/attestation.sh
diff --git a/tests/attestation.sh b/tests/attestation.sh
new file mode 100755
index 0000000..bd927fa
--- /dev/null
+++ b/tests/attestation.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -x
+
+##
+# We already created eksign.name and null.name, so check them first
+##
+${bindir}/attest_tpm2_primary --eksign --name ${testdir}/eksign.name || exit 1
+${bindir}/attest_tpm2_primary --eksign --name ${testdir}/null.name && exit 1
+${bindir}/attest_tpm2_primary --certify null --name ${testdir}/eksign.name ${testdir}/null.name || exit 1
+##
+# Run through certification of all the keys (already done null above
+##
+for h in owner endorsement platform; do
+ rm -f tmp.name
+ ${bindir}/attest_tpm2_primary -C ${h} -n ${testdir}/eksign.name -o > tmp.name || exit 1
+ ${bindir}/attest_tpm2_primary -C ${h} -n ${testdir}/eksign.name tmp.name || exit 1
+ ${bindir}/attest_tpm2_primary -C ${h} -n ${testdir}/eksign.name null.name && exit 1
+done
+##
+# attestation tests
+# 1. create both P-256 and RSA2048 attestation certs
+##
+openssl genrsa 2048 > ca.key || exit 1
+# several EK templates exist, so try RSA and EC for each
+for high in "" "-high"; do
+ for alg in "-rsa 2048" "-ecc nistp256"; do
+ tsscreateekcert ${high} ${alg} -cakey ca.key -of cert.der || exit 1
+ ${bindir}/attest_tpm2_primary --attest cert.der --name ${testdir}/eksign.name || exit 1
+ done
+done
diff --git a/tests/check_importable.sh b/tests/check_importable.sh
index eeafe03..ee84f16 100755
--- a/tests/check_importable.sh
+++ b/tests/check_importable.sh
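Review bot: The negative check inside the `for h` loop passes a bare `null.name` relative to the working directory, while every other reference in this script uses `${testdir}/null.name`; if the tests are not run with `${testdir}` as cwd, the tool presumably fails on a missing input file and `&& exit 1` then passes without ever exercising the name mismatch it is meant to test. Use `${bindir}/attest_tpm2_primary -C ${h} -n ${testdir}/eksign.name ${testdir}/null.name && exit 1` so the negative path is actually reached. More generally each `cmd && exit 1` line treats any failure as success, so a comment stating the expected failure would help the next reader, e.g. `# must fail: a ${h}-hierarchy primary is not the null-hierarchy key`. The unquoted `${high}` and `${alg}` expansions in the last loop rely on word-splitting to pass multi-token options, which is deliberate but worth a one-line comment so nobody "fixes" the quoting.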
@@ -2,8 +2,7 @@ # export the parent key as a EC and RSA public key
-prim=$(tsscreateprimary -ecc nistp256 -hi o -opem srk.pub | sed 's/Handle //') || exit 1
-tssflushcontext -ha ${prim} || exit 1
+${bindir}/attest_tpm2_primary --certify owner --name ${testdir}/eksign.name --file srk.pub || exit 1
 prim=$(tsscreateprimary -rsa 2048 -hi o -opem srkrsa.pub | sed 's/Handle //') || exit 1
 tssflushcontext -ha ${prim} || exit 1
diff --git a/tests/engine/Makefile.am b/tests/engine/Makefile.am
index ec6f321..7bade2b 100644
--- a/tests/engine/Makefile.am
+++ b/tests/engine/Makefile.am
@@ -30,6 +30,7 @@ TESTS += ../check_curves.sh \
 ../check_locality.sh \
 ../check_secret_policies.sh \
 ../dynamic_engine.sh \
+ ../attestation.sh \
 ../stop_sw_tpm.sh
 fail_connect.sh: tpm_server_found
@@ -53,6 +54,6 @@ AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; export TPM_INTERFACE_TYPE; \
 TEST_EXTENSIONS = .sh
-CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* fifo tss2.*
+CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* fifo tss2.* *.name
 clean-local:
 rm -fr testdir
diff --git a/tests/provider/Makefile.am b/tests/provider/Makefile.am
index 1080036..05bbee1 100644
--- a/tests/provider/Makefile.am
+++ b/tests/provider/Makefile.am
@@ -31,6 +31,7 @@ TESTS += ../check_curves.sh \
 ../check_signed_policies.sh \
 ../check_locality.sh \
 ../check_secret_policies.sh \
+ ../attestation.sh \
 ../stop_sw_tpm.sh
 fail_connect.sh: tpm_server_found
@@ -56,7 +57,7 @@ endif
 TEST_EXTENSIONS = .sh
-CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* fifo tss2.*
+CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* fifo tss2.* *.name
 clean-local:
 rm -fr testdir
diff --git a/tests/seal_unseal.sh b/tests/seal_unseal.sh
index 6d05a4c..2df3aa8 100755
--- a/tests/seal_unseal.sh
+++ b/tests/seal_unseal.sh
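Review bot: Only the EC parent is now certified against the EK signing name before its public key is exported; the RSA parent on the very next line is still written straight from `tsscreateprimary -rsa 2048 -hi o -opem srkrsa.pub` with no certification, so the two `--import` keys this test later exercises are not equally trustworthy. If `attest_tpm2_primary` can select the RSA template (I cannot tell from this hunk), the RSA export should go through the same `--certify owner --name ${testdir}/eksign.name --file srkrsa.pub` path; otherwise a comment explaining why `srkrsa.pub` is left uncertified would stop a reader assuming both were verified. This file also uses the long options (`--certify`, `--name`, `--file`) while tests/seal_unseal.sh uses `-C`, `-n`, `-f` for the identical call; one spelling across the test scripts would make them easier to grep and compare.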
@@ -48,8 +48,7 @@ for n in sha1 sha256 sha384; do
 else
 POLICYFILE="${testdir}/policies/policy_pcr${n}.txt"
 fi
- prim=$(tsscreateprimary -hi o -st -ecc nistp256 -opem srk.pub | sed 's/Handle //') || exit 1
- tssflushcontext -ha $prim
+ ${bindir}/attest_tpm2_primary -C owner -n ${testdir}/eksign.name -f srk.pub || exit 1
 TPM_INTERFACE_TYPE= echo $DATA | ${bindir}/seal_tpm2_data -n ${n} -a -k ${AUTH} --import srk.pub seal.tpm || exit 1;
 ${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
 rm seal.tpm
diff --git a/tests/start_sw_tpm.sh b/tests/start_sw_tpm.sh
index 5f249a5..1e0e4db 100755
--- a/tests/start_sw_tpm.sh
+++ b/tests/start_sw_tpm.sh
@@ -56,3 +56,5 @@ key=$(tsscreateprimary -hi o -st -rsa|sed 's/Handle //') && \
 tssevictcontrol -hi o -ho ${key} -hp 81000001 && \
 tssflushcontext -ha ${key}
+${bindir}/attest_tpm2_primary --ek > ${testdir}/eksign.name || exit 1
+${bindir}/attest_tpm2_primary --certify null --outname --name ${testdir}/eksign.name > ${testdir}/null.name || exit 1
--
2.35.3
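Review bot: The new `attest_tpm2_primary -C owner -n ${testdir}/eksign.name -f srk.pub` line is what makes the following `--import srk.pub` trust a verified parent rather than whatever the TPM connection returns, but nothing in the loop says so, and the old unverified `tsscreateprimary -opem` export it replaces is an obvious thing to reach for again. Add a comment above it such as `# export srk.pub only after certifying it against the EK signing name, so --import below seals to a verified parent`. The enclosing `for n in sha1 sha256 sha384` loop starts before this hunk and its body continues past `rm seal.tpm`, so the handling of `srk.pub` between iterations is outside what I can see here.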
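Review bot: `eksign.name` becomes the trust anchor that every later attestation and certification test checks against, yet it is read from the software TPM itself via `--ek` rather than derived from an EK certificate, so these tests prove the simulator is self-consistent, not that the EK is genuine; that is fine for a test harness but deserves a comment, e.g. `# record the sw TPM's own EK signing name as the anchor for the attestation tests (self-asserted; no EK certificate chain is checked here)`. The shell redirection also creates `${testdir}/eksign.name` before the command runs, so a failing `--ek` leaves an empty anchor file behind for the following test scripts even though this one exits 1; writing to `${testdir}/eksign.name.tmp` and `mv`-ing it into place on success avoids that. Note the preceding `key=$(...) && \` chain has no `|| exit` of its own, so the new lines run regardless of whether the evict/flush above them succeeded.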