test: skip --tpm2-device-key= tests with older OpenSSL
--tpm2-device-key= requires OpenSSL >= 3 with KDF-SS, so let's skip the test if we're running with older OpenSSL. + systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs=12:sha256=F5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B /tmp/systemd-cryptsetup-H8y.IMAGE Failed to find TPM2 pcrlock policy file 'pcrlock.json': No such file or directory Allocating context for crypt device /tmp/systemd-cryptsetup-H8y.IMAGE. Trying to open and read device /tmp/systemd-cryptsetup-H8y.IMAGE with direct-io. Trying to open device /tmp/systemd-cryptsetup-H8y.IMAGE without direct-io. Initialising device-mapper backend library. Trying to load LUKS2 crypt type from device /tmp/systemd-cryptsetup-H8y.IMAGE. Crypto backend (OpenSSL 1.1.1k FIPS 25 Mar 2021) initialized in cryptsetup library version 2.3.7. Detected kernel Linux 4.18.0-521.el8.ppc64le ppc64le. ... Failed to find TPM PCR public key file 'tpm2-pcr-public-key.pem': No such file or directory Failed to read TPM2 PCR public key, proceeding without: No such file or directory Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle libtss2-esys too old, does not include Esys_TR_GetTpmHandle. Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle libtss2-esys too old, does not include Esys_TR_GetTpmHandle. PolicyPCR calculated digest: 9a1f511fb94f030eb21d0332ef2739727bf0ead4ec26a204d15b09cdeb4b2555 Calculating sealed object. Calculating encrypted seed for sealed object. Calculating encrypted seed for ECC sealed object. Calculating KDFe(). KDF-SS requires openssl >= 3. Could not calculate KDFe: Operation not supported Could not calculate encrypted seed: Operation not supported Failed to seal to TPM2: Operation not supported
This commit is contained in:
parent
6f510ec8d6
commit
52a09e6230
@ -141,9 +141,12 @@ if tpm_has_pcr sha256 12; then
|
||||
cmp /tmp/srk.pub /run/systemd/tpm2-srk-public-key.tpm2b_public
|
||||
fi
|
||||
|
||||
PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE"
|
||||
systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
|
||||
systemd-cryptsetup detach test-volume
|
||||
# --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS
|
||||
if openssl_supports_kdf SSKDF; then
|
||||
PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE"
|
||||
systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
|
||||
systemd-cryptsetup detach test-volume
|
||||
fi
|
||||
|
||||
rm -f /tmp/pcr.dat /tmp/srk.pub
|
||||
fi
|
||||
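Review bot: The new `if openssl_supports_kdf SSKDF; then` guard (and the identical one around the systemd-repart block in the second hunk) has no else branch, so when the probe fails the --tpm2-device-key= coverage is dropped without any trace in the test log; an image where the openssl CLI happens to be missing would pass this test without ever exercising the option. Adding `else` / `echo "openssl lacks SSKDF support, skipping --tpm2-device-key= tests" >&2` before each new `fi` keeps the skip visible when reading a run's output. The enclosing `if tpm_has_pcr sha256 12` block starts before this hunk, as the hunk header shows.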
@ -195,26 +198,29 @@ PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handl
|
||||
systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
|
||||
systemd-cryptsetup detach test-volume
|
||||
|
||||
# Make sure that --tpm2-device-key= also works with systemd-repart
|
||||
tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
|
||||
mkdir /tmp/dditest
|
||||
cat > /tmp/dditest/50-root.conf <<EOF
|
||||
# --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS
|
||||
if openssl_supports_kdf SSKDF; then
|
||||
# Make sure that --tpm2-device-key= also works with systemd-repart
|
||||
tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
|
||||
mkdir /tmp/dditest
|
||||
cat > /tmp/dditest/50-root.conf <<EOF
|
||||
[Partition]
|
||||
Type=root
|
||||
Format=ext4
|
||||
CopyFiles=/tmp/dditest:/
|
||||
Encrypt=tpm2
|
||||
EOF
|
||||
PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs=
|
||||
DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)"
|
||||
systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes
|
||||
mkdir /tmp/dditest.mnt
|
||||
mount -t ext4 /dev/mapper/dditest /tmp/dditest.mnt
|
||||
cmp /tmp/dditest.mnt/50-root.conf /tmp/dditest/50-root.conf
|
||||
umount /tmp/dditest.mnt
|
||||
rmdir /tmp/dditest.mnt
|
||||
rm /tmp/dditest.raw
|
||||
rm /tmp/dditest/50-root.conf
|
||||
rmdir /tmp/dditest
|
||||
PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs=
|
||||
DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)"
|
||||
systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes
|
||||
mkdir /tmp/dditest.mnt
|
||||
mount -t ext4 /dev/mapper/dditest /tmp/dditest.mnt
|
||||
cmp /tmp/dditest.mnt/50-root.conf /tmp/dditest/50-root.conf
|
||||
umount /tmp/dditest.mnt
|
||||
rmdir /tmp/dditest.mnt
|
||||
rm /tmp/dditest.raw
|
||||
rm /tmp/dditest/50-root.conf
|
||||
rmdir /tmp/dditest
|
||||
fi
|
||||
|
||||
rm -f "$IMAGE" "$PRIMARY"
|
||||
|
@ -189,3 +189,11 @@ tpm_has_pcr() {
|
||||
|
||||
[[ -f "/sys/class/tpm/tpm0/pcr-$algorithm/$pcr" ]]
|
||||
}
|
||||
|
||||
openssl_supports_kdf() {
|
||||
local kdf="${1:?}"
|
||||
|
||||
# The arguments will need to be adjusted to make this work for other KDFs than SSKDF,
|
||||
# but let's do that when/if the need arises
|
||||
openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf"
|
||||
}
|
||||
|
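Review bot: `openssl_supports_kdf` probes the `openssl` command-line tool, but the capability being gated is in the libcrypto that systemd-cryptenroll and systemd-repart link against, and nothing in the function ties the two together, so on a system where the CLI and the library come from different builds the probe can answer for the wrong OpenSSL. That is a reasonable approximation for a test helper, but it should be stated, along with the fact that any failure is treated as "unsupported"; a comment above the `openssl kdf` line such as `# Probes the openssl CLI as a proxy for the libcrypto systemd links against; any failure (no openssl binary, no kdf subcommand, unknown KDF) counts as unsupported and skips the caller's test rather than failing it.` would do. Note that this also turns an absent openssl binary into a silent skip of the callers' tests rather than a test error.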