csu3_am335x/EVSE/GPL/tpm2-tools-5.1/test/integration/tests/sessionaudit.sh

# SPDX-License-Identifier: BSD-3-Clause

source helpers.sh

cleanup() {

    rm -f \
    prim.ctx signing_key.ctx signing_key.pub signing_key.priv \
    att.data att.sig cp.hash rp.hash cphash.bin rphash.bin zero.bin

    if [ "${1}" != "no-shutdown" ]; then
        shut_down
    fi
}
trap cleanup EXIT

start_up

cleanup "no-shutdown"

#
# Get audit digest for a TPM command TPM2_GetRandom using and audit session
#
tpm2 clear

tpm2 createprimary -Q -C e -c prim.ctx

tpm2 create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

tpm2 startauthsession -S session.ctx --audit-session

tpm2 getrandom 8 -S session.ctx --cphash cp.hash --rphash rp.hash

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

tpm2 flushcontext session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )

#
# Get audit digest for a TPM command TPM2_CC_Create in an audit session
#
tpm2 clear

tpm2 createprimary -Q -C e -c prim.ctx

tpm2 create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

tpm2 startauthsession -S session.ctx --audit-session

tpm2 create -Q -C prim.ctx -u key.pub -r key.priv --cphash cp.hash \
--rphash rp.hash -S session.ctx

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )

#
# Get audit digest for a TPM command TPM2_CC_Create in an audit session
#
tpm2 clear

tpm2 createprimary -Q -C e -c prim.ctx

tpm2 create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

tpm2 createprimary -C o -c prim.ctx -G rsa
tpm2 readpublic -c prim.ctx -o prim.pub
tpm2 create -C prim.ctx -u key.pub -r key.priv -c key.ctx
tpm2 readpublic -c key.ctx -n key.name
echo "plaintext" > plain.txt
tpm2 makecredential -u prim.pub  -s plain.txt -n `xxd -p -c 34 key.name` \
-o cred.secret

tpm2 startauthsession -S session.ctx --audit-session

tpm2 activatecredential -c key.ctx -C prim.ctx -i cred.secret \
-o act_cred.secret -S session.ctx --cphash cp.hash --rphash rp.hash

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )

#
# Get audit digest for a TPM command TPM2_CC_Certify in an audit session
#
tpm2 clear -Q

tpm2 createprimary -Q -C e -g sha256 -G rsa -c primary.ctx

tpm2 create -Q -C primary.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

tpm2 create -Q -g sha256 -G rsa -u certify.pub -r certify.priv -C primary.ctx

tpm2 load -Q -C primary.ctx -u certify.pub -r certify.priv -n certify.name \
-c certify.ctx

tpm2 startauthsession -S session.ctx --audit-session

tpm2 certify -Q -c primary.ctx -C certify.ctx -g sha256 -o attest.out -s sig.out \
--cphash cp.hash --rphash rp.hash -S session.ctx

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )

#
# Get audit digest for a TPM command TPM2_CC_CertifyCreation in an audit session
#
tpm2 clear -Q

tpm2 createprimary -Q -C e -g sha256 -G rsa -c prim.ctx \
-d create.dig -t create.ticket

tpm2 create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

tpm2 create -G rsa -u rsa.pub -r rsa.priv -C prim.ctx -c certsigningkey.ctx

tpm2 startauthsession -S session.ctx --audit-session

tpm2 certifycreation -C certsigningkey.ctx -c prim.ctx -d create.dig \
-t create.ticket -g sha256 -f plain -s rsassa \
--cphash cp.hash --rphash rp.hash -S session.ctx

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )

#
# Get audit digest: TPM command TPM2_CC_HierarchyChangeauth in an audit session
#
tpm2 clear -Q

tpm2 createprimary -Q -C e -g sha256 -G rsa -c prim.ctx \
-d create.dig -t create.ticket

tpm2 create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

tpm2 startauthsession -S session.ctx --audit-session

tpm2 changeauth -c o ownerpassword --cphash cp.hash --rphash rp.hash \
-S session.ctx

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )

#
# Get audit digest: TPM command TPM2_CC_ObjectChangeauth in an audit session
#
tpm2 clear -Q

tpm2 createprimary -Q -C e -g sha256 -G rsa -c prim.ctx \
-d create.dig -t create.ticket

tpm2 create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

tpm2 create -Q -C prim.ctx -p foo -u key.pub -r key.priv -c key.ctx

tpm2 startauthsession -S session.ctx --audit-session

tpm2 changeauth -C prim.ctx -p foo -c key.ctx -r new.priv bar \
--cphash cp.hash --rphash rp.hash -S session.ctx

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )

#
# Get audit digest: TPM command TPM2_CC_ChangeEPS in an audit session
#
tpm2 clear -Q

tpm2 startauthsession -S session.ctx --audit-session

tpm2 changeeps --cphash cp.hash --rphash rp.hash -S session.ctx

tpm2 createprimary -Q -C e -g sha256 -G rsa -c prim.ctx

tpm2 create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )

#
# Get audit digest: TPM command TPM2_CC_ChangePPS in an audit session
#
tpm2 clear -Q

tpm2 startauthsession -S session.ctx --audit-session

tpm2 changepps --cphash cp.hash --rphash rp.hash -S session.ctx

tpm2 createprimary -Q -C e -g sha256 -G rsa -c prim.ctx

tpm2 create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )

#
# Get audit digest: TPM command TPM2_CC_NV_Define in an audit session
#
tpm2 clear -Q

tpm2 startauthsession -S session.ctx --audit-session

tpm2 nvdefine 0x1500016 -C o -s 32 -a "ownerread|ownerwrite" \
--cphash cp.hash --rphash rp.hash -S session.ctx

tpm2 createprimary -Q -C e -g sha256 -G rsa -c prim.ctx

tpm2 create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )

#
# Get audit digest: TPM command TPM2_CC_NV_Extend in an audit session
#
tpm2 clear -Q

tpm2 nvdefine -C o -a "nt=extend|ownerread|policywrite|ownerwrite|writedefine" 1

tpm2 startauthsession -S session.ctx --audit-session

echo 'my data' | tpm2 nvextend -C o -i- 1 -S session.ctx \
--cphash cp.hash --rphash rp.hash

tpm2 createprimary -Q -C e -g sha256 -G rsa -c prim.ctx

tpm2 create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )


#
# Get audit digest: TPM command TPM2_CC_Unseal in an audit session
#
tpm2 clear -Q

tpm2 createprimary -Q -C e -g sha256 -G rsa -c prim.ctx

tpm2 create -Q -C prim.ctx -c signing_key.ctx -u signing_key.pub \
-r signing_key.priv

echo "plaintext" | \
tpm2 create -C prim.ctx -c key.ctx -u key.pub -r key.priv -i-

tpm2 startauthsession -S session.ctx --audit-session

tpm2 unseal -c key.ctx --cphash cp.hash --rphash rp.hash -S session.ctx

tpm2 getsessionauditdigest -c signing_key.ctx -m att.data -s att.sig \
-S session.ctx

dd if=/dev/zero bs=1 count=32 status=none of=zero.bin
dd if=cp.hash skip=2 bs=1 count=32 status=none of=cphash.bin
dd if=rp.hash skip=2 bs=1 count=32 status=none of=rphash.bin

diff \
<( cat zero.bin cphash.bin rphash.bin | openssl dgst -sha256 -binary ) \
<( tail -c 32 att.data )

#
# End
#
exit 0