shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-02-25 21:57:32 +03:00
Code

test: Add DA lockout handling to TEST-70-TPM2

Browse Source 
Since this test intentionally provides an incorrect PIN, the DA lockout counter
is incremented; the test needs to reset it so there is no DA lockout.
This commit is contained in:
Dan Streetman 2023-07-07 13:37:28 -04:00 committed by Luca Boccassi
parent 538f9bafc5
commit 9071d6b1a3
2 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
test/TEST-70-TPM2/test.sh
View File

@ -11,7 +11,7 @@ TEST_REQUIRE_INSTALL_TESTS=0
# shellcheck source=test/test-functions
. "${TEST_BASE_DIR:?}/test-functions"
test_require_bin swtpm tpm2_pcrextend
test_require_bin swtpm tpm2_pcrextend tpm2_dictionarylockout
test_append_files() {
local workspace="${1:?}"
@ -19,6 +19,7 @@ test_append_files() {
instmods tpm tpm_tis tpm_ibmvtpm
install_dmevent
generate_module_dependencies
inst_binary tpm2_dictionarylockout
inst_binary tpm2_pcrextend
inst_binary tpm2_pcrread
inst_binary openssl

25
test/units/testsuite-70.sh
View File

@ -22,6 +22,21 @@ tpm_has_pcr() {
[[ -f "/sys/class/tpm/tpm0/pcr-$algorithm/$pcr" ]]
}
tpm_check_failure_with_wrong_pin() {
local testimg="${1:?}"
local badpin="${2:?}"
local goodpin="${3:?}"
# We need to be careful not to trigger DA lockout; allow 2 failures
tpm2_dictionarylockout -s -n 2
(! PIN=$badpin "$SD_CRYPTSETUP" attach test-volume "$testimg" - tpm2-device=auto,headless=1)
# Verify the correct PIN works, to be sure the failure wasn't a DA lockout
PIN=$goodpin "$SD_CRYPTSETUP" attach test-volume "$testimg" - tpm2-device=auto,headless=1
"$SD_CRYPTSETUP" detach test-volume
# Clear/reset the DA lockout counter
tpm2_dictionarylockout -c
}
# Prepare a fresh disk image
img="/tmp/test.img"
truncate -s 20M "$img"
@ -46,8 +61,10 @@ PASSWORD=passphrase NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-
PIN=123456 "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1
"$SD_CRYPTSETUP" detach test-volume
# Check failure with wrong PIN
(! PIN=123457 "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1)
# Check failure with wrong PIN; try a few times to make sure we avoid DA lockout
for _ in {0..3}; do
tpm_check_failure_with_wrong_pin "$img" 123457 123456
done
# Check LUKS2 token plugin unlock (i.e. without specifying tpm2-device=auto)
if cryptsetup_has_token_plugin_support; then
@ -55,7 +72,9 @@ if cryptsetup_has_token_plugin_support; then
"$SD_CRYPTSETUP" detach test-volume
# Check failure with wrong PIN
(! PIN=123457 "$SD_CRYPTSETUP" attach test-volume "$img" - headless=1)
for _ in {0..3}; do
tpm_check_failure_with_wrong_pin "$img" 123457 123456
done
else
echo 'cryptsetup has no LUKS2 token plugin support, skipping'
fi