| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293 |
- # SPDX-License-Identifier: BSD-3-Clause
- source helpers.sh
- handle_ek=0x81010009
- handle_ak=0x8101000a
- ek_alg=rsa
- ak_alg=rsa
- digestAlg=sha256
- signAlg=rsassa
- akpw=akpass
- ak_ctx=ak.ctx
- output_ek_pub_pem=ekpub.pem
- output_ak_pub_pem=akpub.pem
- output_ak_pub_name=ak.name
- output_quote=quote.out
- output_quotesig=quotesig.out
- output_quotepcr=quotepcr.out
- cleanup() {
- rm -f $output_ek_pub_pem $output_ak_pub_pem $output_ak_pub_name \
- $output_quote $output_quotesig $output_quotepcr rand.out $ak_ctx \
- pcr.bin
- tpm2 pcrreset 16
- tpm2 evictcontrol -C o -c $handle_ek 2>/dev/null || true
- tpm2 evictcontrol -C o -c $handle_ak 2>/dev/null || true
- if [ $(ina "$@" "no-shut-down") -ne 0 ]; then
- shut_down
- echo "shutdown"
- fi
- }
- trap cleanup EXIT
- start_up
- cleanup "no-shut-down"
- getrandom() {
- tpm2 getrandom -o rand.out $1
- local file_size=`ls -l rand.out | awk {'print $5'}`
- loaded_randomness=`cat rand.out | xxd -p -c $file_size`
- }
- # Key generation
- tpm2 createek -c $handle_ek -G $ek_alg -u $output_ek_pub_pem -f pem
- tpm2 createak -C $handle_ek -c $ak_ctx -G $ak_alg -g $digestAlg -s $signAlg \
- -u $output_ak_pub_pem -f pem -n $output_ak_pub_name -p "$akpw"
- tpm2 evictcontrol -Q -c $ak_ctx $handle_ak
- # Quoting
- getrandom 20
- tpm2 quote -c $handle_ak -l sha256:15,16,22 -q $loaded_randomness \
- -m $output_quote -s $output_quotesig -o $output_quotepcr -g $digestAlg -p "$akpw"
- # Verify quote
- tpm2 checkquote -u $output_ak_pub_pem -m $output_quote -s $output_quotesig \
- -f $output_quotepcr -g $digestAlg -q $loaded_randomness
- # Verify EC
- tpm2 createek -G ecc -c ecc.ek
- tpm2 createak -C ecc.ek -c ecc.ak -G ecc -g sha256 -s ecdsa
- tpm2 readpublic -c ecc.ak -f pem -o ecc.ak.pem
- tpm2 getrandom -o nonce.bin 20
- tpm2 quote -c ecc.ak -l sha256:15,16,22 -q nonce.bin -m quote.bin -s quote.sig -o quote.pcr -g sha256
- tpm2 checkquote -u ecc.ak.pem -m quote.bin -s quote.sig -f quote.pcr -g sha256 -q nonce.bin
- # Verify that tss format works
- tpm2 readpublic -c ecc.ak -f tss -o ecc.ak.tss
- tpm2 checkquote -u ecc.ak.tss -m quote.bin -s quote.sig -f quote.pcr -g sha256 -q nonce.bin
- # Verify the tpmt format works
- tpm2 readpublic -c ecc.ak -f tpmt -o ecc.ak.tpmt
- tpm2 checkquote -u ecc.ak.tpmt -m quote.bin -s quote.sig -f quote.pcr -g sha256 -q nonce.bin
- # Verify that the plain tpm2_pcrread output can be passed to the checkquote tool
- tpm2 pcrread sha256:15,16,22 -o pcr.bin
- tpm2 checkquote -u ecc.ak.tpmt -m quote.bin -s quote.sig -g sha256 -q nonce.bin \
- -f pcr.bin -l sha256:15,16,22
- exit 0
|
