File: createprimary.sh

package info (click to toggle)
tpm2-tools 5.7-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 5,988 kB
  • sloc: ansic: 45,737; sh: 14,915; xml: 8,342; makefile: 610; python: 51
file content (124 lines) | stat: -rw-r--r-- 4,086 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
 
# SPDX-License-Identifier: BSD-3-Clause

source helpers.sh

start_up

cleanup() {

  rm -f policy.bin obj.pub pub.out primary.ctx

  if [ $(ina "$@" "keep-context") -ne 0 ]; then
    rm -f context.out
  fi

  if [ $(ina "$@" "no-shut-down") -ne 0 ]; then
    shut_down
  fi
}
trap cleanup EXIT

cleanup "no-shut-down"

# Keep the algorithm specifiers mixed to test friendly and raw
# values.
for gAlg in `populate_hash_algs 'and alg != "keyedhash"'`; do
    for GAlg in rsa xor ecc aes; do
        echo tpm2 createprimary -Q -g $gAlg -G $GAlg -c context.out
        tpm2 createprimary -Q -g $gAlg -G $GAlg -c context.out
        cleanup "no-shut-down" "keep-context"
        for Atype in o e n; do
            tpm2 createprimary -Q -C $Atype -g $gAlg -G $GAlg -c context.out
            cleanup "no-shut-down" "keep-context"
        done
    done
done

policy_orig=f28230c080bbe417141199e36d18978228d8948fc10a6a24921b9eba6bb1d988

#test for createprimary objects with policy authorization structures
echo -n "$policy_orig" | xxd -r -p > policy.bin

tpm2 createprimary -Q -C o -G rsa -g sha256 -c context.out -L policy.bin \
  -a 'restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin'

tpm2 readpublic -c context.out > pub.out

policy_new=$(yaml_get_kv pub.out "authorization policy")

test "$policy_orig" == "$policy_new"

#
# Test that -u can be specified to pass a TPMU_PUBLIC_ID union
#
# in this case TPM2B_PUBLIC_KEY_RSA (256 bytes of zero)
printf '\x00\x01' > ud.1
dd if=/dev/zero bs=256 count=1 of=ud.2
cat ud.1 ud.2 > unique.dat
tpm2 createprimary -C o -G rsa2048:aes128cfb -g sha256 -c prim.ctx \
-a "restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|\
noda" -u unique.dat
test -f prim.ctx
rm -f prim.ctx
# test the case with ECC key type with MAX_ECC_KEY_BITS=256
printf '\x20\x00' > ecc_param_buf_size
dd if=/dev/urandom bs=32 count=1 of=ecc_param_buf
cat ecc_param_buf_size ecc_param_buf ecc_param_buf_size ecc_param_buf > unique.dat
tpm2 createprimary -C o -G ecc -g sha256 -c prim.ctx -u unique.dat \
-a "restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda"
test -f prim.ctx
rm -f prim.ctx
# test the case with RSA and unique data specified via stdin
dd if=/dev/urandom bs=256 count=1 status=none | \
tpm2 createprimary -C o -G rsa -g sha256 -c prim.ctx -u - \
-a "restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda"
test -f prim.ctx
rm -f prim.ctx
# test the case with ECC and unique data specified via stdin
dd if=/dev/urandom bs=96 count=1 status=none | \
tpm2 createprimary -C o -G ecc -g sha256 -c prim.ctx -u - \
-a "restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda"
test -f prim.ctx
rm -f prim.ctx

# Test that -g/-G do not need to be specified.
tpm2 createprimary -Q -c context.out

# Test that -o does not need to be specified.
tpm2 createprimary -Q

# Test that creation data has the specified outside info
dd if=/dev/urandom of=outside.info bs=1 count=32

tpm2 createprimary -C o -c context.out --creation-data creation.data \
-q outside.info

xxd -p creation.data | tr -d '\n' | grep `xxd -p outside.info | tr -d '\n'`

# Test that selected pcrs digest is present in the creation data
tpm2 pcrread sha256:0 -o pcr_data.bin

tpm2 createprimary -C o -c context.out --creation-data creation.data \
-l sha256:0

xxd -p creation.data | tr -d '\n' | \
grep `cat pcr_data.bin | openssl dgst -sha256 -binary | xxd -p | tr -d '\n'`

# Test for session leaks
BEFORE=$(tpm2 getcap handles-loaded-session; tpm2 getcap handles-saved-session)
tpm2 createprimary -Q
AFTER=$(tpm2 getcap handles-loaded-session; tpm2 getcap handles-saved-session)
test "${BEFORE}" = "${AFTER}"

# Test pem key
tpm2 createprimary -f pem -o public.pem
openssl rsa -noout -text -inform PEM -in public.pem -pubin

#
# Test policy from hash
#
expected_dgst="fdb1c1e5ba81e95f2db8db6ed7627e9b01658e80df7f33220bd3638f98ad2d5f"
got_digest="$(tpm2 createprimary -L $expected_dgst -c primary.ctx | grep 'authorization policy' | cut -d ' ' -f3-)"
test "$expected_dgst" == "$got_digest"

exit 0