summaryrefslogtreecommitdiffstats
path: root/test/units/testsuite-70.cryptenroll.sh
diff options
context:
space:
mode:
Diffstat (limited to 'test/units/testsuite-70.cryptenroll.sh')
-rwxr-xr-xtest/units/testsuite-70.cryptenroll.sh84
1 files changed, 84 insertions, 0 deletions
diff --git a/test/units/testsuite-70.cryptenroll.sh b/test/units/testsuite-70.cryptenroll.sh
new file mode 100755
index 0000000..3f8c14e
--- /dev/null
+++ b/test/units/testsuite-70.cryptenroll.sh
@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+cryptenroll_wipe_and_check() {(
+ set +o pipefail
+
+ : >/tmp/cryptenroll.out
+ systemd-cryptenroll "$@" |& tee /tmp/cryptenroll.out
+ grep -qE "Wiped slot [[:digit:]]+" /tmp/cryptenroll.out
+)}
+
+# There is an external issue with libcryptsetup on ppc64 that hits 95% of Ubuntu ppc64 test runs, so skip it
+if [[ "$(uname -m)" == "ppc64le" ]]; then
+ echo "Skipping systemd-cryptenroll tests on ppc64le, see https://github.com/systemd/systemd/issues/27716"
+ exit 0
+fi
+
+export SYSTEMD_LOG_LEVEL=debug
+IMAGE="$(mktemp /tmp/systemd-cryptenroll-XXX.image)"
+
+truncate -s 20M "$IMAGE"
+echo -n password >/tmp/password
+# Change file mode to avoid "/tmp/password has 0644 mode that is too permissive" messages
+chmod 0600 /tmp/password
+cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/password
+
+# Enroll additional tokens, keys, and passwords to exercise the list and wipe stuff
+systemd-cryptenroll --unlock-key-file=/tmp/password --tpm2-device=auto "$IMAGE"
+NEWPASSWORD="" systemd-cryptenroll --unlock-key-file=/tmp/password --password "$IMAGE"
+NEWPASSWORD=foo systemd-cryptenroll --unlock-key-file=/tmp/password --password "$IMAGE"
+for _ in {0..9}; do
+ systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$IMAGE"
+done
+PASSWORD="" NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true "$IMAGE"
+# Do some basic checks before we start wiping stuff
+systemd-cryptenroll "$IMAGE"
+systemd-cryptenroll "$IMAGE" | grep password
+systemd-cryptenroll "$IMAGE" | grep recovery
+# Let's start wiping
+cryptenroll_wipe_and_check "$IMAGE" --wipe=empty
+(! cryptenroll_wipe_and_check "$IMAGE" --wipe=empty)
+cryptenroll_wipe_and_check "$IMAGE" --wipe=empty,0
+PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$IMAGE" --wipe=0,0,empty,0,pkcs11,fido2,000,recovery,password --password
+systemd-cryptenroll "$IMAGE" | grep password
+(! systemd-cryptenroll "$IMAGE" | grep recovery)
+# We shouldn't be able to wipe all keyslots without enrolling a new key first
+(! systemd-cryptenroll "$IMAGE" --wipe=all)
+PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$IMAGE" --password --wipe=all
+# Check if the newly (and only) enrolled password works
+(! systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$IMAGE")
+(! PASSWORD="" systemd-cryptenroll --recovery-key "$IMAGE")
+PASSWORD=foo systemd-cryptenroll --recovery-key "$IMAGE"
+
+systemd-cryptenroll --fido2-with-client-pin=false "$IMAGE"
+systemd-cryptenroll --fido2-with-user-presence=false "$IMAGE"
+systemd-cryptenroll --fido2-with-user-verification=false "$IMAGE"
+systemd-cryptenroll --tpm2-pcrs=8 "$IMAGE"
+systemd-cryptenroll --tpm2-pcrs=boot-loader-code+boot-loader-config "$IMAGE"
+
+(! systemd-cryptenroll --fido2-with-client-pin=false)
+(! systemd-cryptenroll --fido2-with-user-presence=f "$IMAGE" /tmp/foo)
+(! systemd-cryptenroll --fido2-with-client-pin=1234 "$IMAGE")
+(! systemd-cryptenroll --fido2-with-user-presence=1234 "$IMAGE")
+(! systemd-cryptenroll --fido2-with-user-verification=1234 "$IMAGE")
+(! systemd-cryptenroll --tpm2-with-pin=1234 "$IMAGE")
+(! systemd-cryptenroll --recovery-key --password "$IMAGE")
+(! systemd-cryptenroll --password --recovery-key "$IMAGE")
+(! systemd-cryptenroll --password --fido2-device=auto "$IMAGE")
+(! systemd-cryptenroll --password --pkcs11-token-uri=auto "$IMAGE")
+(! systemd-cryptenroll --password --tpm2-device=auto "$IMAGE")
+(! systemd-cryptenroll --unlock-fido2-device=auto --unlock-fido2-device=auto "$IMAGE")
+(! systemd-cryptenroll --unlock-fido2-device=auto --unlock-key-file=/tmp/unlock "$IMAGE")
+(! systemd-cryptenroll --fido2-credential-algorithm=es512 "$IMAGE")
+(! systemd-cryptenroll --tpm2-public-key-pcrs=key "$IMAGE")
+(! systemd-cryptenroll --tpm2-pcrs=key "$IMAGE")
+(! systemd-cryptenroll --tpm2-pcrs=44+8 "$IMAGE")
+(! systemd-cryptenroll --tpm2-pcrs=hello "$IMAGE")
+(! systemd-cryptenroll --wipe-slot "$IMAGE")
+(! systemd-cryptenroll --wipe-slot=10240000 "$IMAGE")
+(! systemd-cryptenroll --fido2-device=auto --unlock-fido2-device=auto "$IMAGE")
+
+rm -f "$IMAGE"