grub-devel

Re: [PATCH v10 20/20] tests: Add tpm2_test


From: Gary Lin
Subject: Re: [PATCH v10 20/20] tests: Add tpm2_test
Date: Mon, 15 Apr 2024 14:42:49 +0800

On Fri, Apr 12, 2024 at 12:09:36PM -0400, Stefan Berger wrote:
> 
> 
> On 4/9/24 04:30, Gary Lin via Grub-devel wrote:
> > For the tpm2 module, the TCG2 command submission function is the only
> > difference between a QEMU instance and grub-emu. To test TPM key
> > unsealing with a QEMU instance, it requires an extra OS image to invoke
> > grub-protect to seal the LUKS key, rather than a simple grub-shell rescue
> > CD image. On the other hand, grub-emu can share the emulated TPM device
> > with the host, so that we can seal the LUKS key on host and test key
> > unsealing with grub-emu.
> > 
> > This test script firstly creates a simple LUKS image to be loaded as a
> > loopback device in grub-emu. Then an emulated TPM device is created by
> > swtpm_cuse and PCR 0 and 1 are extended.
> 
> My concern here would be that distros for example don't build swtpm with the
> CUSE interface but build it with the socket and chardev interfaces. If you
> don't want users to have to build their own version of swtpm then I would
> suggest to use either 'swtpm chardev' with the vtpm_proxy module (it is
> quite commonly available on recent distros) or 'swtpm socket'.
> 
> The chardev usage is for example described here and should be least involved
> to convert to:
> 
> https://github.com/stefanberger/swtpm/wiki/Using-the-Intel-TSS-with-swtpm#character-device-using-tpm_vtpm_proxy
> 
> You could start it like this with UnixIO control port (needs adjustment to
> swtpm_ioctl in your code).
> 
> swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=unixio,path=/tmp/myvtpm/ctrl --flags startup-clear --daemon > logfile
> 
> No need to run 'swtpm_ioctl -i' and tpm2_startup with the startup-clear
> passed.
> 
> One of my test cases determines the created device (/dev/tpmXYZ) like this:
> 
> for ((i = 0; i < 200; i++)); do
>         if [ -z "${TPM_DEVICE}" ]; then
>                 TPM_DEVICE=$(sed -n 's,.*\(/dev/tpm[0-9]\+\).*,\1,p' "logfile")
>                 if [ -n "${TPM_DEVICE}" ]; then
>                         echo "Using ${TPM_DEVICE}."
>                 fi
>         fi
>         if [ -n "${TPM_DEVICE}" ]; then
>                 [ -c "${TPM_DEVICE}" ] && break
>         fi
>         sleep 0.1
> done
> 
> shutdown: sudo swtpm_ioctl -s --unix /tmp/myvtpm/ctrl
> 
> 
> Otherwise you could use the socket version described here:
> 
> https://github.com/stefanberger/swtpm/wiki/Using-the-Intel-TSS-with-swtpm#socket-interface
> 
> It needs the swtpm tcti as a dependency, though.
> 
Thanks for the suggestion. Using 'swtpm socket' requires additional changes
to grub-emu and grub-protect. To minimize the impact, I'd convert the test
script to use 'swtpm chardev'.

Gary Lin

>    Stefan
> 
> > 
> > There are several test cases in the script to test various settings. Each
> > test case uses grub-protect to seal the LUKS password against PCR 0 and
> > PCR 1. Then grub-emu is launched to load the LUKS image, try to mount
> > the image with tpm2_key_protector_init and cryptomount, and verify the
> > result.
> > 
> > Based on the idea from Michael Chang.
> > 
> > Cc: Michael Chang <mchang@suse.com>
> > Signed-off-by: Gary Lin <glin@suse.com>
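As an added example (not code from this thread or from the GRUB tree), the chardev flow Stefan describes wrapped into a small POSIX sh test harness: start swtpm through vtpm_proxy, wait for the /dev/tpmN node it logs, and shut it down over the UnixIO control socket. Unlike the loop above, the wait reports a timeout as a failure instead of falling through; the state directory, logfile name and attempt count are assumptions.

```shell
#!/bin/sh
# Added example: swtpm chardev + vtpm_proxy harness for a grub-emu style test.
# Assumed paths: state dir /tmp/myvtpm, logfile $statedir/logfile.

# Print the first /dev/tpmN path that swtpm wrote to its logfile, if any.
tpm_device_from_log() {
    sed -n 's,.*\(/dev/tpm[0-9][0-9]*\).*,\1,p' "$1" | head -n 1
}

# Poll until the logged device exists as a character device.
# $1 = logfile, $2 = max attempts (0.1 s each, default 200 = ~20 s).
# Prints the device path and returns 0, or returns 1 on timeout so the
# caller fails loudly instead of continuing with an empty TPM_DEVICE.
wait_for_tpm_device() {
    logfile=$1; attempts=${2:-200}; dev=""; i=0
    while [ "$i" -lt "$attempts" ]; do
        [ -z "$dev" ] && [ -f "$logfile" ] && dev=$(tpm_device_from_log "$logfile")
        if [ -n "$dev" ] && [ -c "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
        sleep 0.1
        i=$((i + 1))
    done
    return 1
}

# Start swtpm as in the reviewer's command. With --flags startup-clear there
# is no separate 'swtpm_ioctl -i' or TPM2_Startup step; the log names the node.
start_swtpm() {
    statedir=$1; logfile=$2
    mkdir -p "$statedir"
    swtpm chardev --vtpm-proxy --tpmstate "dir=$statedir" --tpm2 \
        --ctrl "type=unixio,path=$statedir/ctrl" --flags startup-clear \
        --daemon > "$logfile" 2>&1
}

# Orderly shutdown over the control socket (the 'swtpm_ioctl -s' from above).
stop_swtpm() {
    swtpm_ioctl -s --unix "$1/ctrl"
}

# Usage (needs swtpm, the tpm_vtpm_proxy module and access to the ctrl socket):
#   STATEDIR=/tmp/myvtpm; start_swtpm "$STATEDIR" "$STATEDIR/logfile"
#   trap 'stop_swtpm "$STATEDIR"' EXIT
#   TPM_DEVICE=$(wait_for_tpm_device "$STATEDIR/logfile") \
#       || { echo "swtpm did not create a TPM device" >&2; exit 1; }
```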


