File: _test_tpm2_avoid_da_lockout

package info (click to toggle)
swtpm 0.10.1%2Bds-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 3,008 kB
  • sloc: ansic: 20,787; sh: 14,667; makefile: 760; python: 173
file content (169 lines) | stat: -rwxr-xr-x 5,666 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
#!/bin/bash

# For the license, see the LICENSE file in the root directory.
#set -x

ROOT=${abs_top_builddir:-$(pwd)/..}
TESTDIR=${abs_top_testdir:-$(dirname "$0")}

VTPM_NAME="vtpm-test-tpm2-avoid-da-lockout"
SWTPM_DEV_NAME="/dev/${VTPM_NAME}"
TPM_PATH="$(mktemp -d)" || exit 1
LOG_FILE=$TPM_PATH/tpm-00.log
SWTPM_CMD_UNIX_PATH=${TPM_PATH}/unix-cmd.sock
SWTPM_CTRL_UNIX_PATH=${TPM_PATH}/unix-ctrl.sock

function cleanup()
{
	pid=${SWTPM_PID}
	if [ -n "$pid" ]; then
		kill_quiet -9 "$pid"
	fi
	rm -rf "$TPM_PATH"
}

trap "cleanup" EXIT

source "${TESTDIR}/common"
source "${TESTDIR}/test_common"
[ "${SWTPM_INTERFACE}" == "cuse" ] && source "${TESTDIR}/test_cuse"

TPM_PATH=$TPM_PATH run_swtpm "${SWTPM_INTERFACE}" \
	--tpm2 \
	--log "file=$LOG_FILE,level=20" \
	--flags not-need-init,startup-clear

if ! kill_quiet -0 "${SWTPM_PID}"; then
	echo "Error: ${SWTPM_INTERFACE} TPM did not start."
	exit 1
fi

# Define password-protected NV space with DA attribute set: tssnvdefinespace -ha 01000000 -hi o -pwdn test -sz 1 -at da
cmd='\x80\x02\x00\x00\x00\x31\x00\x00\x01\x2a\x40\x00\x00\x01\x00\x00\x00\x09\x40\x00\x00\x09\x00\x00\x00\x00\x00\x00\x04\x74\x65\x73\x74\x00\x0e\x01\x00\x00\x00\x00\x0b\x00\x04\x00\x04\x00\x00\x00\x01'
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
exp=' 80 02 00 00 00 13 00 00 00 00 00 00 00 00 00 00 01 00 00'
if [ "$RES" != "$exp" ]; then
	echo "Error: Did not get expected result from TPM2_NV_DefineSpace"
	echo "expected: $exp"
	echo "received: $RES"
	exit 1
fi

# Write to NV space without password: tssnvwrite -ha 01000000 -ic A
cmd='\x80\x02\x00\x00\x00\x24\x00\x00\x01\x37\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09\x40\x00\x00\x09\x00\x00\x00\x00\x00\x00\x01\x41\x00\x00'
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
exp=' 80 01 00 00 00 0a 00 00 09 22'
if [ "$RES" == "$exp" ]; then
	# 0x922 : retry command
	RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
fi
exp=' 80 01 00 00 00 0a 00 00 09 8e'
if [ "$RES" != "$exp" ]; then
	echo "Error: Did not get expected result from TPM2_NV_Write"
	echo "expected: $exp"
	echo "received: $RES"
	exit 1
fi

# The TPM_PT_LOCKOUT_COUNTER must be 0 now: tssgetcapability -cap 6 -pr 0x20e -pc 1
cmd='\x80\x01\x00\x00\x00\x16\x00\x00\x01\x7a\x00\x00\x00\x06\x00\x00\x02\x0e\x00\x00\x00\x01'
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 01'
if [ "$RES" != "$exp" ]; then
	echo "Error: Did not get expected result from 1st TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)"
	echo "expected: $exp"
	echo "received: $RES"
	exit 1
fi

# Abruptly init the TPM: swtpm will internally send TPM2_Shutdown()
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" -i; then
	echo "Error: Could not initialize the ${SWTPM_INTERFACE} TPM."
	exit 1
fi

# send TPM2_Startup(SU_CLEAR)
cmd='\x80\x01\x00\x00\x00\x0c\x00\x00\x01\x44\x00\x00'
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
exp=' 80 01 00 00 00 0a 00 00 00 00'
if [ "$RES" != "$exp" ]; then
	echo "Error: Did not get expected result from TPM2_Startup(SU_CLEAR)"
	echo "expected: $exp"
	echo "received: $RES"
	exit 1
fi

# The TPM_PT_LOCKOUT_COUNTER must still be '0' now: tssgetcapability -cap 6 -pr 0x20e -pc 1
# Without swtpm sending TPM2_Shutdown, it would be '1' now
cmd='\x80\x01\x00\x00\x00\x16\x00\x00\x01\x7a\x00\x00\x00\x06\x00\x00\x02\x0e\x00\x00\x00\x01'
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 01'
if [ "$RES" != "$exp" ]; then
	echo "Error: Did not get expected result from 2nd TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)"
	echo "expected: $exp"
	echo "received: $RES"
	exit 1
fi

# Again write to NV space without password: tssnvwrite -ha 01000000 -ic A
cmd='\x80\x02\x00\x00\x00\x24\x00\x00\x01\x37\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09\x40\x00\x00\x09\x00\x00\x00\x00\x00\x00\x01\x41\x00\x00'
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
exp=' 80 01 00 00 00 0a 00 00 09 22'
if [ "$RES" == "$exp" ]; then
	# 0x922 : retry command
	RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
fi
exp=' 80 01 00 00 00 0a 00 00 09 8e'
if [ "$RES" != "$exp" ]; then
	echo "Error: Did not get expected result from TPM2_NV_Write"
	echo "expected: $exp"
	echo "received: $RES"
	exit 1
fi

# CMD_STOP: swtpm will internally send TPM2_Shutdown()
if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" -s; then
	echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
	exit 1
fi

if wait_process_gone "${SWTPM_PID}" 4; then
	echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore."
	exit 1
fi

TPM_PATH=$TPM_PATH run_swtpm "${SWTPM_INTERFACE}" \
	--tpm2 \
	--log "file=$LOG_FILE,level=20" \
	--flags not-need-init,startup-clear

if ! kill_quiet -0 "${SWTPM_PID}"; then
	echo "Error: ${SWTPM_INTERFACE} TPM did not start."
	exit 1
fi

# The TPM_PT_LOCKOUT_COUNTER must still be '0' now: tssgetcapability -cap 6 -pr 0x20e -pc 1
# Without swtpm sending TPM2_Shutdown, it would be '2' now
cmd='\x80\x01\x00\x00\x00\x16\x00\x00\x01\x7a\x00\x00\x00\x06\x00\x00\x02\x0e\x00\x00\x00\x01'
RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 02'
if [ "$RES" != "$exp" ]; then
	echo "Error: Did not get expected result from 3rd TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)"
	echo "expected: $exp"
	echo "received: $RES"
	exit 1
fi

if ! run_swtpm_ioctl "${SWTPM_INTERFACE}" -s; then
	echo "Error: Could not shut down the ${SWTPM_INTERFACE} TPM."
	exit 1
fi

if wait_process_gone "${SWTPM_PID}" 4; then
	echo "Error: ${SWTPM_INTERFACE} TPM should not be running anymore."
	exit 1
fi

echo "OK"

exit 0