mirror of
https://github.com/systemd/systemd.git
synced 2024-10-30 14:55:37 +03:00
fd8b924820
Add tests for enrolling and unlocking. Various cases are tested: - Default PCR 7 policy w/o PIN, good and bad cases (wrong PCR) - PCR 7 + PIN policy, good and bad cases (wrong PCR, wrong PIN) - Non-default PCR 0+7 policy w/o PIN, good and bad cases (wrong PCR 0) v2: rename test, fix tss2 library installation, fix CI failures v3: fix ppc64, load module
49 lines
2.1 KiB
Bash
Executable File
49 lines
2.1 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
set -ex
|
|
|
|
export SYSTEMD_LOG_LEVEL=debug
|
|
|
|
|
|
# Prepare fresh disk image
|
|
img="/var/tmp/test.img"
|
|
dd if=/dev/zero of=$img bs=1024k count=20 status=none
|
|
echo -n passphrase >/tmp/passphrase
|
|
cryptsetup luksFormat -q --use-urandom $img /tmp/passphrase
|
|
|
|
# Enroll unlock with default PCR policy
|
|
env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto $img
|
|
/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
|
|
/usr/lib/systemd/systemd-cryptsetup detach test-volume
|
|
|
|
# Check with wrong PCR
|
|
tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
|
|
/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
|
|
|
|
# Enroll unlock with PCR+PIN policy
|
|
systemd-cryptenroll --wipe-slot=tpm2 $img
|
|
env PASSWORD=passphrase NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true $img
|
|
env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
|
|
/usr/lib/systemd/systemd-cryptsetup detach test-volume
|
|
|
|
# Check failure with wrong PIN
|
|
env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
|
|
|
|
# Check failure with wrong PCR (and correct PIN)
|
|
tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
|
|
env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
|
|
|
|
# Enroll unlock with PCR 0+7
|
|
systemd-cryptenroll --wipe-slot=tpm2 $img
|
|
env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 $img
|
|
/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1
|
|
/usr/lib/systemd/systemd-cryptsetup detach test-volume
|
|
|
|
# Check with wrong PCR 0
|
|
tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000
|
|
/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && exit 1
|
|
|
|
echo OK >/testok
|
|
|
|
exit 0
|