Página inicial Explorar Ajuda
Entrar
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
tpm2-tools-5.1
/
test
/
integration
/
tests
/
unseal.sh

unseal.sh 4.7 KB
Link permanente Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161 
  1. # SPDX-License-Identifier: BSD-3-Clause
    2. 

  2. 

  3. source helpers.sh
    4. 

  4. 

  5. alg_primary_obj=sha256
    6. 

  6. alg_primary_key=ecc
    7. 

  7. alg_create_obj=sha256
    8. 

  8. pcr_specification=sha256:0,1,2,3+sha1:0,1,2,3
    9. 

  9. file_pcr_value=pcr.bin
    10. 

  10. file_input_data=secret.data
    11. 

  11. file_policy=policy.data
    12. 

  12. file_primary_key_ctx=context.p_"$alg_primary_obj"_"$alg_primary_key"
    13. 

  13. file_unseal_key_pub=opu_"$alg_create_obj"
    14. 

  14. file_unseal_key_priv=opr_"$alg_create_obj"
    15. 

  15. file_unseal_key_ctx=ctx_load_out_"$alg_primary_obj"_"$alg_primary_key"-\
    16. 

  16. "$alg_create_obj"
    17. 

  17. file_unseal_key_name=name.load_"$alg_primary_obj"_"$alg_primary_key"-\
    18. 

  18. "$alg_create_obj"
    19. 

  19. file_unseal_output_data=usl_"$file_unseal_key_ctx"
    20. 

  20. 

  21. secret="12345678"
    22. 

  22. 

  23. cleanup() {
    24. 

  24.   rm -f $file_input_data $file_primary_key_ctx $file_unseal_key_pub \
    25. 

  25.         $file_unseal_key_priv $file_unseal_key_ctx $file_unseal_key_name \
    26. 

  26.         $file_unseal_output_data $file_pcr_value $file_policy
    27. 

  27. 

  28.   if [ "$1" != "no-shut-down" ]; then
    29. 

  29.     shut_down
    30. 

  30.   fi
    31. 

  31. }
    32. 

  32. trap cleanup EXIT
    33. 

  33. 

  34. start_up
    35. 

  35. 

  36. cleanup "no-shut-down"
    37. 

  37. 

  38. echo $secret > $file_input_data
    39. 

  39. 

  40. tpm2 clear
    41. 

  41. 

  42. tpm2 createprimary -Q -C e -g $alg_primary_obj -G $alg_primary_key \
    43. 

  43. -c $file_primary_key_ctx
    44. 

  44. 

  45. tpm2 create -Q -g $alg_create_obj -u $file_unseal_key_pub \
    46. 

  46. -r $file_unseal_key_priv -i $file_input_data -C $file_primary_key_ctx
    47. 

  47. 

  48. tpm2 load -Q -C $file_primary_key_ctx -u $file_unseal_key_pub \
    49. 

  49. -r $file_unseal_key_priv -n $file_unseal_key_name -c $file_unseal_key_ctx
    50. 

  50. 

  51. tpm2 unseal -Q -c $file_unseal_key_ctx -o $file_unseal_output_data
    52. 

  52. 

  53. cmp -s $file_unseal_output_data $file_input_data
    54. 

  54. 

  55. # Test -i using stdin via pipe
    56. 

  56. 

  57. rm $file_unseal_key_pub $file_unseal_key_priv $file_unseal_key_name \
    58. 

  58. $file_unseal_key_ctx
    59. 

  59. 

  60. cat $file_input_data | tpm2 create -Q -g $alg_create_obj \
    61. 

  61. -u $file_unseal_key_pub -r $file_unseal_key_priv -i- -C $file_primary_key_ctx
    62. 

  62. 

  63. tpm2 load -Q -C $file_primary_key_ctx -u $file_unseal_key_pub \
    64. 

  64. -r $file_unseal_key_priv -n $file_unseal_key_name -c $file_unseal_key_ctx
    65. 

  65. 

  66. tpm2 unseal -Q -c $file_unseal_key_ctx -o $file_unseal_output_data
    67. 

  67. 

  68. cmp -s $file_unseal_output_data $file_input_data
    69. 

  69. 

  70. # Test using a PCR policy for auth and use file based stdin for -i
    71. 

  71. 

  72. rm $file_unseal_key_pub $file_unseal_key_priv $file_unseal_key_name \
    73. 

  73. $file_unseal_key_ctx
    74. 

  74. 

  75. tpm2 pcrread -Q -o $file_pcr_value $pcr_specification
    76. 

  76. 

  77. tpm2 createpolicy -Q --policy-pcr -l $pcr_specification -f $file_pcr_value \
    78. 

  78. -L $file_policy
    79. 

  79. 

  80. tpm2 create -Q -g $alg_create_obj -u $file_unseal_key_pub \
    81. 

  81. -r $file_unseal_key_priv -i- -C $file_primary_key_ctx -L $file_policy \
    82. 

  82. -a 'fixedtpm|fixedparent' <<< $secret
    83. 

  83. 

  84. tpm2 load -Q -C $file_primary_key_ctx -u $file_unseal_key_pub \
    85. 

  85. -r $file_unseal_key_priv -n $file_unseal_key_name -c $file_unseal_key_ctx
    86. 

  86. 

  87. unsealed=`tpm2 unseal -V --object-context $file_unseal_key_ctx \
    88. 

  88. -p pcr:$pcr_specification=$file_pcr_value`
    89. 

  89. 

  90. test "$unsealed" == "$secret"
    91. 

  91. 

  92. # Test that unseal fails if a PCR policy isn't provided
    93. 

  93. 

  94. trap - ERR
    95. 

  95. 

  96. tpm2 unseal -c $file_unseal_key_ctx 2> /dev/null
    97. 

  97. if [ $? != 1 ]; then
    98. 

  98.   echo "tpm2 unseal didn't fail without a PCR policy!"
    99. 

  99.   exit 1
    100. 

  100. fi
    101. 

  101. 

  102. # Test that unseal fails if PCR state isn't the same as the defined PCR policy
    103. 

  103. 

  104. tpm2 pcrextend 0:sha1=6c10289a8da7f774cf67bd2fc8502cd4b585346a
    105. 

  105. 

  106. tpm2 unseal -c $file_unseal_key_ctx -p pcr:$pcr_specification 2> /dev/null
    107. 

  107. if [ $? != 1 ]; then
    108. 

  108.   echo "tpm2 unseal didn't fail with a PCR state different than the policy!"
    109. 

  109.   exit 1
    110. 

  110. fi
    111. 

  111. 

  112. # Test that the object can be unsealed without a policy but a password
    113. 

  113. 

  114. trap onerror ERR
    115. 

  115. 

  116. rm $file_unseal_key_pub $file_unseal_key_priv $file_unseal_key_name \
    117. 

  117. $file_unseal_key_ctx
    118. 

  118. 

  119. tpm2 pcrread -Q -o $file_pcr_value $pcr_specification
    120. 

  120. 

  121. tpm2 createpolicy -Q --policy-pcr -l $pcr_specification -f $file_pcr_value \
    122. 

  122. -L $file_policy
    123. 

  123. 

  124. tpm2 create -Q -g $alg_create_obj -u $file_unseal_key_pub \
    125. 

  125. -r $file_unseal_key_priv -i- -C $file_primary_key_ctx -L $file_policy \
    126. 

  126. -p secretpass <<< $secret
    127. 

  127. 

  128. tpm2 load -Q -C $file_primary_key_ctx -u $file_unseal_key_pub \
    129. 

  129. -r $file_unseal_key_priv -n $file_unseal_key_name -c $file_unseal_key_ctx
    130. 

  130. 

  131. unsealed=`tpm2 unseal -c $file_unseal_key_ctx -p secretpass`
    132. 

  132. 

  133. test "$unsealed" == "$secret"
    134. 

  134. 

  135. # Test that unseal fails when using a wrong password
    136. 

  136. 

  137. trap - ERR
    138. 

  138. 

  139. tpm2 unseal -c $file_unseal_key_ctx -p wrongpass 2> /dev/null
    140. 

  140. if [ $? != 3 ]; then
    141. 

  141.   echo "tpm2 unseal didn't fail when using a wrong object password!"
    142. 

  142.   exit 1
    143. 

  143. fi
    144. 

  144. 

  145. # Test unsealing with encrypted sessions
    146. 

  146. trap onerror ERR
    147. 

  147. 

  148. tpm2 createprimary -Q -C o -c prim.ctx
    149. 

  149. tpm2 startauthsession -S enc_session.ctx --hmac-session -c prim.ctx
    150. 

  150. tpm2 sessionconfig enc_session.ctx --disable-encrypt
    151. 

  151. 

  152. tpm2 create -Q -C prim.ctx -u seal_key.pub -r seal_key.priv -c seal_key.ctx \
    153. 

  153. -p sealkeypass -i- <<< $secret -S enc_session.ctx
    154. 

  154. 

  155. tpm2 sessionconfig enc_session.ctx --enable-encrypt
    156. 

  156. unsealed=`tpm2 unseal -c seal_key.ctx -p sealkeypass -S enc_session.ctx`
    157. 

  157. test "$unsealed" == "$secret"
    158. 

  158. 

  159. tpm2 flushcontext enc_session.ctx
    160. 

  160. 

  161. exit 0
    162.