systemd-stable/test/units/testsuite-70.sh

#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -ex

export SYSTEMD_LOG_LEVEL=debug


# Prepare fresh disk image
img="/var/tmp/test.img"
dd if=/dev/zero of=$img bs=1024k count=20 status=none
echo -n passphrase >/tmp/passphrase
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom $img /tmp/passphrase

# Enroll unlock with default PCR policy
env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto $img
/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
/usr/lib/systemd/systemd-cryptsetup detach test-volume

# Check with wrong PCR
tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }

# Enroll unlock with PCR+PIN policy
systemd-cryptenroll --wipe-slot=tpm2 $img
env PASSWORD=passphrase NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true $img
env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
/usr/lib/systemd/systemd-cryptsetup detach test-volume

# Check failure with wrong PIN
env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }

# Check failure with wrong PCR (and correct PIN)
tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }

# Enroll unlock with PCR 0+7
systemd-cryptenroll --wipe-slot=tpm2 $img
env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 $img
/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
/usr/lib/systemd/systemd-cryptsetup detach test-volume

# Check with wrong PCR 0
tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000
/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && exit 1

echo OK >/testok

exit 0
cryptenroll: add tests for TPM2 unlocking Add tests for enrolling and unlocking. Various cases are tested: - Default PCR 7 policy w/o PIN, good and bad cases (wrong PCR) - PCR 7 + PIN policy, good and bad cases (wrong PCR, wrong PIN) - Non-default PCR 0+7 policy w/o PIN, good and bad cases (wrong PCR 0) v2: rename test, fix tss2 library installation, fix CI failures v3: fix ppc64, load module 2022-02-24 01:28:29 +01:00			`#!/usr/bin/env bash`
			`# SPDX-License-Identifier: LGPL-2.1-or-later`
			`set -ex`

			`export SYSTEMD_LOG_LEVEL=debug`


			`# Prepare fresh disk image`
			`img="/var/tmp/test.img"`
			`dd if=/dev/zero of=$img bs=1024k count=20 status=none`
			`echo -n passphrase >/tmp/passphrase`
test: use PBKDF2 with capped iterations instead of Argon2 to reduce the amount of resources the test needs (similarly to TEST-24 where we do the same thing). (cherry picked from commit 8fec14a7d397f52b93024bf3417de8f77b0d85e6) 2022-07-07 17:16:31 +02:00			`cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom $img /tmp/passphrase`
cryptenroll: add tests for TPM2 unlocking Add tests for enrolling and unlocking. Various cases are tested: - Default PCR 7 policy w/o PIN, good and bad cases (wrong PCR) - PCR 7 + PIN policy, good and bad cases (wrong PCR, wrong PIN) - Non-default PCR 0+7 policy w/o PIN, good and bad cases (wrong PCR 0) v2: rename test, fix tss2 library installation, fix CI failures v3: fix ppc64, load module 2022-02-24 01:28:29 +01:00
			`# Enroll unlock with default PCR policy`
			`env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto $img`
			`/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1`
			`/usr/lib/systemd/systemd-cryptsetup detach test-volume`

			`# Check with wrong PCR`
			`tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000`
			`/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }`

			`# Enroll unlock with PCR+PIN policy`
			`systemd-cryptenroll --wipe-slot=tpm2 $img`
			`env PASSWORD=passphrase NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true $img`
			`env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1`
			`/usr/lib/systemd/systemd-cryptsetup detach test-volume`

			`# Check failure with wrong PIN`
			`env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }`

			`# Check failure with wrong PCR (and correct PIN)`
			`tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000`
			`env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }`

			`# Enroll unlock with PCR 0+7`
			`systemd-cryptenroll --wipe-slot=tpm2 $img`
			`env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 $img`
			`/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1`
			`/usr/lib/systemd/systemd-cryptsetup detach test-volume`

			`# Check with wrong PCR 0`
			`tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000`
			`/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && exit 1`

			`echo OK >/testok`

			`exit 0`