1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

test: skip --tpm2-device-key= tests with older OpenSSL

--tpm2-device-key= requires OpenSSL >= 3 with KDF-SS, so let's skip the
test if we're running with older OpenSSL.

+ systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs=12:sha256=F5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B /tmp/systemd-cryptsetup-H8y.IMAGE
Failed to find TPM2 pcrlock policy file 'pcrlock.json': No such file or directory
Allocating context for crypt device /tmp/systemd-cryptsetup-H8y.IMAGE.
Trying to open and read device /tmp/systemd-cryptsetup-H8y.IMAGE with direct-io.
Trying to open device /tmp/systemd-cryptsetup-H8y.IMAGE without direct-io.
Initialising device-mapper backend library.
Trying to load LUKS2 crypt type from device /tmp/systemd-cryptsetup-H8y.IMAGE.
Crypto backend (OpenSSL 1.1.1k  FIPS 25 Mar 2021) initialized in cryptsetup library version 2.3.7.
Detected kernel Linux 4.18.0-521.el8.ppc64le ppc64le.
...
Failed to find TPM PCR public key file 'tpm2-pcr-public-key.pem': No such file or directory
Failed to read TPM2 PCR public key, proceeding without: No such file or directory
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
PolicyPCR calculated digest: 9a1f511fb94f030eb21d0332ef2739727bf0ead4ec26a204d15b09cdeb4b2555
Calculating sealed object.
Calculating encrypted seed for sealed object.
Calculating encrypted seed for ECC sealed object.
Calculating KDFe().
KDF-SS requires openssl >= 3.
Could not calculate KDFe: Operation not supported
Could not calculate encrypted seed: Operation not supported
Failed to seal to TPM2: Operation not supported
This commit is contained in:
Frantisek Sumsal 2023-11-13 20:35:29 +01:00
parent 6f510ec8d6
commit 52a09e6230
2 changed files with 32 additions and 18 deletions

View File

@ -141,9 +141,12 @@ if tpm_has_pcr sha256 12; then
cmp /tmp/srk.pub /run/systemd/tpm2-srk-public-key.tpm2b_public
fi
PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE"
systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
systemd-cryptsetup detach test-volume
# --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS
if openssl_supports_kdf SSKDF; then
PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE"
systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
systemd-cryptsetup detach test-volume
fi
rm -f /tmp/pcr.dat /tmp/srk.pub
fi
@ -195,26 +198,29 @@ PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handl
systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
systemd-cryptsetup detach test-volume
# Make sure that --tpm2-device-key= also works with systemd-repart
tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
mkdir /tmp/dditest
cat > /tmp/dditest/50-root.conf <<EOF
# --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS
if openssl_supports_kdf SSKDF; then
# Make sure that --tpm2-device-key= also works with systemd-repart
tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
mkdir /tmp/dditest
cat > /tmp/dditest/50-root.conf <<EOF
[Partition]
Type=root
Format=ext4
CopyFiles=/tmp/dditest:/
Encrypt=tpm2
EOF
PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs=
DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)"
systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes
mkdir /tmp/dditest.mnt
mount -t ext4 /dev/mapper/dditest /tmp/dditest.mnt
cmp /tmp/dditest.mnt/50-root.conf /tmp/dditest/50-root.conf
umount /tmp/dditest.mnt
rmdir /tmp/dditest.mnt
rm /tmp/dditest.raw
rm /tmp/dditest/50-root.conf
rmdir /tmp/dditest
PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs=
DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)"
systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes
mkdir /tmp/dditest.mnt
mount -t ext4 /dev/mapper/dditest /tmp/dditest.mnt
cmp /tmp/dditest.mnt/50-root.conf /tmp/dditest/50-root.conf
umount /tmp/dditest.mnt
rmdir /tmp/dditest.mnt
rm /tmp/dditest.raw
rm /tmp/dditest/50-root.conf
rmdir /tmp/dditest
fi
rm -f "$IMAGE" "$PRIMARY"

View File

@ -189,3 +189,11 @@ tpm_has_pcr() {
[[ -f "/sys/class/tpm/tpm0/pcr-$algorithm/$pcr" ]]
}
openssl_supports_kdf() {
local kdf="${1:?}"
# The arguments will need to be adjusted to make this work for other KDFs than SSKDF,
# but let's do that when/if the need arises
openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf"
}