Halaman utama Jelajahi Bantuan
Masuk
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Cabang: master
Ranting Tag
csu3_am335x
/
EVSE
/
GPL
/
tpm2-tools-5.1
/
test
/
integration
/
tests
/
nv.sh

nv.sh 8.4 KB
Permalink Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312 
  1. # SPDX-License-Identifier: BSD-3-Clause
    2. 

  2. 

  3. if [ "`uname`" == "FreeBSD" ]; then
    4. 

  4.         exit 77
    5. 

  5. fi
    6. 

  6. 

  7. source helpers.sh
    8. 

  8. 

  9. nv_test_index=0x1500018
    10. 

  10. 

  11. large_file_name="nv.test_large_w"
    12. 

  12. large_file_read_name="nv.test_large_r"
    13. 

  13. 

  14. pcr_specification=sha256:0,1,2,3+sha1:0,1,2,3
    15. 

  15. file_pcr_value=pcr.bin
    16. 

  16. file_policy=policy.data
    17. 

  17. 

  18. cleanup() {
    19. 

  19.   tpm2 nvundefine -Q   $nv_test_index -C o 2>/dev/null || true
    20. 

  20.   tpm2 nvundefine -Q   0x1500016 -C o 2>/dev/null || true
    21. 

  21.   tpm2 nvundefine -Q   0x1500015 -C o -P owner 2>/dev/null || true
    22. 

  22. 

  23.   rm -f policy.bin test.bin nv.test_w $large_file_name $large_file_read_name \
    24. 

  24.   nv.readlock foo.dat cmp.dat $file_pcr_value $file_policy nv.out cap.out yaml.out
    25. 

  25. 

  26.   if [ "$1" != "no-shut-down" ]; then
    27. 

  27.      shut_down
    28. 

  28.   fi
    29. 

  29. }
    30. 

  30. trap cleanup EXIT
    31. 

  31. 

  32. start_up
    33. 

  33. 

  34. cleanup "no-shut-down"
    35. 

  35. 

  36. tpm2 clear
    37. 

  37. 

  38. #Test nvdefine with no options
    39. 

  39. tpm2 nvdefine > yaml.out
    40. 

  40. tpm2 nvundefine $(yaml_get_kv yaml.out "nv-index")
    41. 

  41. 

  42. #Test default values for the hierarchy "-a" parameter
    43. 

  43. tpm2 nvdefine -Q   $nv_test_index -s 32 -a "ownerread|policywrite|ownerwrite"
    44. 

  44. tpm2 nvundefine -Q   $nv_test_index
    45. 

  45. 

  46. #Test writing and reading
    47. 

  47. tpm2 nvdefine -Q   $nv_test_index -C o -s 32 \
    48. 

  48. -a "ownerread|policywrite|ownerwrite"
    49. 

  49. 

  50. echo "please123abc" > nv.test_w
    51. 

  51. 

  52. tpm2 nvwrite -Q   $nv_test_index -C o -i nv.test_w
    53. 

  53. 

  54. tpm2 nvread -Q   $nv_test_index -C o -s 32 -o 0
    55. 

  55. 

  56. tpm2 nvreadpublic > nv.out
    57. 

  57. yaml_get_kv nv.out "$nv_test_index" > /dev/null
    58. 

  58. yaml_get_kv nv.out "$nv_test_index" "name" > /dev/null
    59. 

  59. 

  60. 

  61. # Test writing to and reading from an offset by:
    62. 

  62. # 1. writing "foo" into the nv file at an offset
    63. 

  63. # 2. writing to the same offset in the nv index
    64. 

  64. # 3. reading back the index
    65. 

  65. # 4. comparing the result.
    66. 

  66. 

  67. echo -n "foo" > foo.dat
    68. 

  68. 

  69. dd if=foo.dat of=nv.test_w bs=1 seek=4 conv=notrunc 2>/dev/null
    70. 

  70. 

  71. # Test a pipe input
    72. 

  72. cat foo.dat | tpm2 nvwrite -Q   $nv_test_index -C o --offset 4 -i -
    73. 

  73. 

  74. tpm2 nvread   $nv_test_index -C o -s 13 > cmp.dat
    75. 

  75. 

  76. cmp nv.test_w cmp.dat
    77. 

  77. 

  78. # Writing at an offset and data size too big shouldn't result in a change
    79. 

  79. # to the index value.
    80. 

  80. 

  81. trap - ERR
    82. 

  82. 

  83. tpm2 nvwrite -Q   $nv_test_index -C o -o 30 -i foo.dat 2>/dev/null
    84. 

  84. if [ $? -eq 0 ]; then
    85. 

  85.   echo "Writing past the public size shouldn't work!"
    86. 

  86.   exit 1
    87. 

  87. fi
    88. 

  88. trap onerror ERR
    89. 

  89. 

  90. tpm2 nvread   $nv_test_index -C o -s 13 > cmp.dat
    91. 

  91. 

  92. cmp nv.test_w cmp.dat
    93. 

  93. 

  94. tpm2 nvundefine   $nv_test_index -C o
    95. 

  95. 

  96. tpm2 pcrread -Q -o $file_pcr_value $pcr_specification
    97. 

  97. 

  98. tpm2 createpolicy -Q --policy-pcr -l $pcr_specification -f $file_pcr_value \
    99. 

  99. -L $file_policy
    100. 

  100. 

  101. tpm2 nvdefine -Q   0x1500016 -C o -s 32 -L $file_policy \
    102. 

  102. -a "policyread|policywrite"
    103. 

  103. 

  104. # Write with index authorization for now, since tpm2 nvwrite does not support
    105. 

  105. # pcr policy.
    106. 

  106. echo -n "policy locked" | tpm2 nvwrite -Q   0x1500016 -C 0x1500016 \
    107. 

  107. -P pcr:$pcr_specification=$file_pcr_value -i -
    108. 

  108. 

  109. str=`tpm2 nvread   0x1500016 -C 0x1500016 \
    110. 

  110. -P pcr:$pcr_specification=$file_pcr_value -s 13`
    111. 

  111. 

  112. test "policy locked" == "$str"
    113. 

  113. 

  114. # this should fail because authread is not allowed
    115. 

  115. trap - ERR
    116. 

  116. tpm2 nvread   0x1500016 -C 0x1500016 -P "index" 2>/dev/null
    117. 

  117. trap onerror ERR
    118. 

  118. 

  119. tpm2 nvundefine -Q   0x1500016 -C o
    120. 

  120. 

  121. #
    122. 

  122. # Test large writes
    123. 

  123. #
    124. 

  124. 

  125. tpm2 getcap properties-fixed > cap.out
    126. 

  126. large_file_size=`yaml_get_kv cap.out "TPM2_PT_NV_INDEX_MAX" "raw"`
    127. 

  127. nv_test_index=0x1000000
    128. 

  128. 

  129. # Create an nv space with attributes 1010 = TPMA_NV_PPWRITE and
    130. 

  130. # TPMA_NV_AUTHWRITE
    131. 

  131. tpm2 nvdefine -Q   $nv_test_index -C o -s $large_file_size -a 0x2000A
    132. 

  132. 

  133. base64 /dev/urandom | head -c $(($large_file_size)) > $large_file_name
    134. 

  134. 

  135. # Test file input redirection
    136. 

  136. tpm2 nvwrite -Q   $nv_test_index -C o -i -< $large_file_name
    137. 

  137. 

  138. tpm2 nvread   $nv_test_index -C o > $large_file_read_name
    139. 

  139. 

  140. cmp -s $large_file_read_name $large_file_name
    141. 

  141. 

  142. # test per-index readpublic
    143. 

  143. tpm2 nvreadpublic "$nv_test_index" > nv.out
    144. 

  144. yaml_get_kv nv.out "$nv_test_index" > /dev/null
    145. 

  145. 

  146. tpm2 nvundefine -Q   $nv_test_index -C o
    147. 

  147. 

  148. #
    149. 

  149. # Test NV access locked
    150. 

  150. #
    151. 

  151. tpm2 nvdefine -Q   $nv_test_index -C o -s 32 \
    152. 

  152. -a "ownerread|policywrite|ownerwrite|read_stclear|writedefine"
    153. 

  153. 

  154. echo "foobar" > nv.readlock
    155. 

  155. 

  156. tpm2 nvwrite -Q   $nv_test_index -C o -i nv.readlock
    157. 

  157. 

  158. tpm2 nvread -Q   $nv_test_index -C o -s 6 -o 0
    159. 

  159. 

  160. tpm2 nvreadlock -Q   $nv_test_index -C o
    161. 

  161. 

  162. # Reset ERR signal handler to test for expected nvread error
    163. 

  163. trap - ERR
    164. 

  164. 

  165. tpm2 nvread -Q   $nv_test_index -C o -s 6 -o 0 2> /dev/null
    166. 

  166. if [ $? != 1 ];then
    167. 

  167.  echo "nvread didn't fail!"
    168. 

  168.  exit 1
    169. 

  169. fi
    170. 

  170. 

  171. trap onerror ERR
    172. 

  172. 

  173. # Test that write lock works
    174. 

  174. tpm2 nvwritelock -C o $nv_test_index
    175. 

  175. 

  176. trap - ERR
    177. 

  177. 

  178. tpm2 nvwrite  $nv_test_index -C o -i nv.readlock
    179. 

  179. if [ $? != 1 ];then
    180. 

  180.  echo "nvwrite didn't fail!"
    181. 

  181.  exit 1
    182. 

  182. fi
    183. 

  183. 

  184. tpm2 nvundefine -C o $nv_test_index
    185. 

  185. 

  186. trap onerror ERR
    187. 

  187. 

  188. #
    189. 

  189. # Test that owner and index passwords work by
    190. 

  190. # 1. Setting up the owner password
    191. 

  191. # 2. Defining an nv index that can be satisfied by an:
    192. 

  192. #   a. Owner authorization
    193. 

  193. #   b. Index authorization
    194. 

  194. # 3. Using index and owner based auth during write/read operations
    195. 

  195. # 4. Testing that auth is needed or a failure occurs.
    196. 

  196. #
    197. 

  197. 

  198. tpm2 changeauth -c o owner
    199. 

  199. 

  200. tpm2 nvdefine   0x1500015 -C o -s 32 \
    201. 

  201.   -a "policyread|policywrite|authread|authwrite|ownerwrite|ownerread" \
    202. 

  202.   -p "index" -P "owner"
    203. 

  203. 

  204. # Use index password write/read, implicit -a
    205. 

  205. tpm2 nvwrite -Q   0x1500015 -P "index" -i nv.test_w
    206. 

  206. tpm2 nvread -Q   0x1500015 -P "index"
    207. 

  207. 

  208. # Use index password write/read, explicit -a
    209. 

  209. tpm2 nvwrite -Q   0x1500015 -C 0x1500015 -P "index" -i nv.test_w
    210. 

  210. tpm2 nvread -Q   0x1500015 -C 0x1500015 -P "index"
    211. 

  211. 

  212. # use owner password
    213. 

  213. tpm2 nvwrite -Q   0x1500015 -C o -P "owner" -i nv.test_w
    214. 

  214. tpm2 nvread -Q   0x1500015 -C o -P "owner"
    215. 

  215. 

  216. # Check a bad password fails
    217. 

  217. trap - ERR
    218. 

  218. tpm2 nvwrite -Q   0x1500015 -C 0x1500015 -P "wrong" -i nv.test_w 2>/dev/null
    219. 

  219. if [ $? -eq 0 ];then
    220. 

  220.  echo "nvwrite with bad password should fail!"
    221. 

  221.  exit 1
    222. 

  222. fi
    223. 

  223. 

  224. # Check using authorisation with tpm2 nvundefine
    225. 

  225. trap onerror ERR
    226. 

  226. 

  227. tpm2 nvundefine   0x1500015 -C o -P "owner"
    228. 

  228. 

  229. # Check nv index can be specified simply as an offset
    230. 

  230. tpm2 nvdefine -Q -C o -s 32 -a "ownerread|ownerwrite" 1 -P "owner"
    231. 

  231. tpm2 nvundefine   0x01000001 -C o -P "owner"
    232. 

  232. 

  233. # Test setbits
    234. 

  234. tpm2 nvdefine -C o -P "owner" -a "nt=bits|ownerread|policywrite|ownerwrite|writedefine" $nv_test_index
    235. 

  235. tpm2 nvsetbits -C o -P "owner" -i 0xbadc0de $nv_test_index
    236. 

  236. check=$(tpm2 nvread -C o -P "owner" $nv_test_index | xxd -p | sed s/'^0*'/0x/)
    237. 

  237. if [ "$check" != "0xbadc0de" ]; then
    238. 

  238. 	echo "Expected setbits read value of 0xbadc0de, got \"$check\""
    239. 

  239. 	exit 1
    240. 

  240. fi
    241. 

  241. 

  242. # Test global writelock
    243. 

  243. if is_cmd_supported "NV_GlobalWriteLock"; then
    244. 

  244.   tpm2 nvdefine -C o -P "owner" -s 32 -a "ownerread|ownerwrite|globallock" 42
    245. 

  245.   tpm2 nvdefine -C o -P "owner" -s 32 -a "ownerread|ownerwrite|globallock" 43
    246. 

  246.   tpm2 nvdefine -C o -P "owner" -s 32 -a "ownerread|ownerwrite|globallock" 44
    247. 

  247. 

  248.   echo foo | tpm2 nvwrite -C o -P "owner" -i- 42
    249. 

  249.   echo foo | tpm2 nvwrite -C o -P "owner" -i- 43
    250. 

  250.   echo foo | tpm2 nvwrite -C o -P "owner" -i- 44
    251. 

  251. 

  252.   tpm2 nvwritelock -Co -P owner --global
    253. 

  253. 

  254.   # These writes should fail now that its in a writelocked state
    255. 

  255.   trap - ERR
    256. 

  256.   echo foo | tpm2 nvwrite -C o -P "owner" -i- 42
    257. 

  257.   if [ $? -eq 0 ]; then
    258. 

  258.     echo "Expected tpm2 nvwrite to fail after globalwritelock of index 42"
    259. 

  259.     exit 1
    260. 

  260.   fi
    261. 

  261. 

  262.   echo foo | tpm2 nvwrite -C o -P "owner" -i- 43
    263. 

  263.   if [ $? -eq 0 ]; then
    264. 

  264.     echo "Expected tpm2 nvwrite to fail after globalwritelock of index 43"
    265. 

  265.     exit 1
    266. 

  266.   fi
    267. 

  267. 

  268.   echo foo | tpm2 nvwrite -C o -P "owner" -i- 44
    269. 

  269.   if [ $? -eq 0 ]; then
    270. 

  270.     echo "Expected tpm2 nvwrite to fail after globalwritelock of index 44"
    271. 

  271.     exit 1
    272. 

  272.   fi
    273. 

  273. fi
    274. 

  274. 

  275. trap onerror ERR
    276. 

  276. 

  277. tpm2 nvundefine -C o -P "owner" $nv_test_index
    278. 

  278. 

  279. # Test extend
    280. 

  280. tpm2 nvdefine -C o -P "owner" -a "nt=extend|ownerread|policywrite|ownerwrite" $nv_test_index
    281. 

  281. echo "foo" | tpm2 nvextend -C o -P "owner" -i- $nv_test_index
    282. 

  282. check=$(tpm2 nvread -C o -P "owner" $nv_test_index | xxd -p -c 64 | sed s/'^0*'//)
    283. 

  283. expected="1c8457de84bb43c18d5e1d75c43e393bdaa7bca8d25967eedd580c912db65e3e"
    284. 

  284. if [ "$check" != "$expected" ]; then
    285. 

  285. 	echo "Expected setbits read value of \"$expected\", got \"$check\""
    286. 

  286. 	exit 1
    287. 

  287. fi
    288. 

  288. 

  289. # Test nvextend and nvdefine with aux sessions
    290. 

  290. tpm2 clear
    291. 

  291. 

  292. tpm2 createprimary -C o -c prim.ctx
    293. 

  293. tpm2 startauthsession -S enc_session.ctx --hmac-session -c prim.ctx
    294. 

  294. 

  295. tpm2 changeauth -c o owner
    296. 

  296. tpm2 nvdefine -C o -P owner -a "nt=extend|ownerread|policywrite|ownerwrite" \
    297. 

  297. $nv_test_index -p nvindexauth -S enc_session.ctx
    298. 

  298. 

  299. echo "foo" | tpm2 nvextend -C o -P owner -i- $nv_test_index -S enc_session.ctx
    300. 

  300. 

  301. tpm2 flushcontext enc_session.ctx
    302. 

  302. rm enc_session.ctx
    303. 

  303. rm prim.ctx
    304. 

  304. 

  305. check=$(tpm2 nvread -C o -P owner $nv_test_index | xxd -p -c 64 | sed s/'^0*'//)
    306. 

  306. expected="1c8457de84bb43c18d5e1d75c43e393bdaa7bca8d25967eedd580c912db65e3e"
    307. 

  307. if [ "$check" != "$expected" ]; then
    308. 

  308. 	echo "Expected setbits read value of \"$expected\", got \"$check\""
    309. 

  309. 	exit 1
    310. 

  310. fi
    311. 

  311. 

  312. exit 0
    313.