Re: [PATCH v10 20/20] tests: Add tpm2_test
From: Gary Lin
Subject: Re: [PATCH v10 20/20] tests: Add tpm2_test
Date: Mon, 15 Apr 2024 14:42:49 +0800
On Fri, Apr 12, 2024 at 12:09:36PM -0400, Stefan Berger wrote:
>
>
> On 4/9/24 04:30, Gary Lin via Grub-devel wrote:
> > For the tpm2 module, the TCG2 command submission function is the only
> > difference between a QEMU instance and grub-emu. To test TPM key
> > unsealing with a QEMU instance, it requires an extra OS image to invoke
> > grub-protect to seal the LUKS key, rather than a simple grub-shell rescue
> > CD image. On the other hand, grub-emu can share the emulated TPM device
> > with the host, so that we can seal the LUKS key on host and test key
> > unsealing with grub-emu.
> >
> > This test script firstly creates a simple LUKS image to be loaded as a
> > loopback device in grub-emu. Then an emulated TPM device is created by
> > swtpm_cuse and PCR 0 and 1 are extended.
>
> My concern here would be that distros for example don't build swtpm with the
> CUSE interface but build it with the socket and chardev interfaces. If you
> don't want users to have to build their own version of swtpm then I would
> suggest to use either 'swtpm chardev' with the vtpm_proxy module (it is
> quite commonly available on recent distros) or 'swtpm socket'.
>
> The chardev usage is for example described here and should be least involved
> to convert to:
>
> https://github.com/stefanberger/swtpm/wiki/Using-the-Intel-TSS-with-swtpm#character-device-using-tpm_vtpm_proxy
>
> You could start it like this with UnixIO control port (needs adjustment to
> swtpm_ioctl in your code).
>
> swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 \
>     --ctrl type=unixio,path=/tmp/myvtpm/ctrl --flags startup-clear --daemon > logfile
>
> No need to run 'swtpm_ioctl -i' and tpm2_startup with the startup-clear
> passed.
>
> One of my test cases determines the created device (/dev/tpmXYZ) like this:
>
> for ((i = 0; i < 200; i ++)); do
>     if [ -z "${TPM_DEVICE}" ]; then
>         TPM_DEVICE=$(sed -n 's,.*\(/dev/tpm[0-9]\+\).*,\1,p' "logfile")
>         if [ -n "${TPM_DEVICE}" ]; then
>             echo "Using ${TPM_DEVICE}."
>         fi
>     fi
>     if [ -n "${TPM_DEVICE}" ]; then
>         [ -c "${TPM_DEVICE}" ] && break
>     fi
>     sleep 0.1
> done
>
> shutdown: sudo swtpm_ioctl -s --unix /tmp/myvtpm/ctrl
>
>
> Otherwise you could use the socket version described here:
>
> https://github.com/stefanberger/swtpm/wiki/Using-the-Intel-TSS-with-swtpm#socket-interface
>
> It needs the swtpm tcti as a dependency, though.
>
Thanks for the suggestion. Using 'swtpm socket' requires additional changes
to grub-emu and grub-protect. To minimize the impact, I'd convert the test
script to use 'swtpm chardev'.
Gary Lin
> Stefan
>
> >
> > There are several test cases in the script to test various settings. Each
> > test case uses grub-protect to seal the LUKS password against PCR 0 and
> > PCR 1. Then grub-emu is launched to load the LUKS image, try to mount
> > the image with tpm2_key_protector_init and cryptomount, and verify the
> > result.
> >
> > Based on the idea from Michael Chang.
> >
> > Cc: Michael Chang <mchang@suse.com>
> > Signed-off-by: Gary Lin <glin@suse.com>
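An added example, not part of this thread or of GRUB's tpm2_test script: a POSIX sh helper that wraps the three steps Stefan describes above (start `swtpm chardev` with the vtpm_proxy backend, wait for the /dev/tpmN node it reports, shut it down over the UnixIO control socket) into reusable functions with a bounded wait. It assumes swtpm and swtpm_ioctl are installed and the tpm_vtpm_proxy module is loaded; the state directory and log file names are placeholders.

```shell
#!/bin/sh
# Hypothetical helper for a grub-emu test script (assumed paths, not GRUB's own).
STATE_DIR="${STATE_DIR:-/tmp/myvtpm}"
LOGFILE="${LOGFILE:-$STATE_DIR/swtpm.log}"
CTRL_SOCK="$STATE_DIR/ctrl"

# Print the first /dev/tpmN name found in log file $1; prints nothing if absent.
tpm_device_from_log() {
    sed -n 's,.*\(/dev/tpm[0-9][0-9]*\).*,\1,p' "$1" | head -n 1
}

# Poll log $1 up to $2 times (default 200, 0.1 s apart) until the device it
# names exists as a character device. Prints the device path; returns 1 on timeout.
wait_for_tpm_device() {
    log="$1"; tries="${2:-200}"
    while [ "$tries" -gt 0 ]; do
        dev=$(tpm_device_from_log "$log")
        if [ -n "$dev" ] && [ -c "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
        sleep 0.1
        tries=$((tries - 1))
    done
    return 1
}

# Start swtpm in chardev mode; --flags startup-clear removes the need for
# swtpm_ioctl -i and tpm2_startup. Exports TPM_DEVICE on success.
start_swtpm() {
    mkdir -p "$STATE_DIR"
    swtpm chardev --vtpm-proxy --tpmstate "dir=$STATE_DIR" --tpm2 \
        --ctrl "type=unixio,path=$CTRL_SOCK" --flags startup-clear \
        --daemon > "$LOGFILE" 2>&1 || return 1
    TPM_DEVICE=$(wait_for_tpm_device "$LOGFILE") || return 1
    export TPM_DEVICE
}

# Shut the emulated TPM down through the control socket.
stop_swtpm() {
    swtpm_ioctl -s --unix "$CTRL_SOCK"
}
```

A test script would call `start_swtpm`, run grub-emu against `$TPM_DEVICE`, and call `stop_swtpm` from a trap so the daemon is cleaned up even when a test case fails.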