summaryrefslogtreecommitdiffstats
path: root/test/units/testsuite-70.pcrlock.sh
diff options
context:
space:
mode:
Diffstat (limited to 'test/units/testsuite-70.pcrlock.sh')
-rwxr-xr-xtest/units/testsuite-70.pcrlock.sh146
1 files changed, 0 insertions, 146 deletions
diff --git a/test/units/testsuite-70.pcrlock.sh b/test/units/testsuite-70.pcrlock.sh
deleted file mode 100755
index 3da9926..0000000
--- a/test/units/testsuite-70.pcrlock.sh
+++ /dev/null
@@ -1,146 +0,0 @@
-#!/usr/bin/env bash
-# SPDX-License-Identifier: LGPL-2.1-or-later
-set -eux
-set -o pipefail
-
-# shellcheck source=test/units/util.sh
-. "$(dirname "$0")"/util.sh
-
-export SYSTEMD_LOG_LEVEL=debug
-export PAGER=
-SD_PCREXTEND="/usr/lib/systemd/systemd-pcrextend"
-SD_PCRLOCK="/usr/lib/systemd/systemd-pcrlock"
-
-if [[ ! -x "${SD_PCREXTEND:?}" ]] || [[ ! -x "${SD_PCRLOCK:?}" ]] ; then
- echo "$SD_PCREXTEND or $SD_PCRLOCK not found, skipping pcrlock tests"
- exit 0
-fi
-
-at_exit() {
- if [[ $? -ne 0 ]]; then
- # Dump the event log on fail, to make debugging a bit easier
- [[ -e /run/log/systemd/tpm2-measure.log ]] && jq --seq --slurp </run/log/systemd/tpm2-measure.log
- fi
-
- return 0
-}
-
-trap at_exit EXIT
-
-# Temporarily override sd-pcrextend's sanity checks
-export SYSTEMD_FORCE_MEASURE=1
-
-# The PCRs we are going to lock to. We exclude the various PCRs we touched
-# above where no event log record was written, because we cannot analyze
-# things without event log. We include debug PCR 16, see below.
-PCRS="1+2+3+4+5+16"
-
-# Remove the old measurement log, as it contains all kinds of nonsense from the
-# previous test, which will fail our consistency checks. Removing the file also
-# means we'll fail consistency check, but at least we'll fail them consistently
-# (as the PCR values simply won't match the log).
-rm -f /run/log/systemd/tpm2-measure.log
-
-# Ensure a truncated log doesn't crash pcrlock
-echo -n -e \\x1e >/tmp/borked
-set +e
-SYSTEMD_MEASURE_LOG_USERSPACE=/tmp/borked "$SD_PCRLOCK" cel --no-pager --json=pretty
-ret=$?
-set -e
-# If it crashes the exit code will be 149
-test $ret -eq 1
-
-SYSTEMD_COLORS=256 "$SD_PCRLOCK"
-"$SD_PCRLOCK" cel --no-pager --json=pretty
-"$SD_PCRLOCK" log --pcr="$PCRS"
-"$SD_PCRLOCK" log --json=pretty --pcr="$PCRS"
-"$SD_PCRLOCK" list-components
-"$SD_PCRLOCK" list-components --location=250-
-"$SD_PCRLOCK" list-components --location=250-:350-
-"$SD_PCRLOCK" lock-firmware-config
-"$SD_PCRLOCK" lock-gpt
-"$SD_PCRLOCK" lock-machine-id
-"$SD_PCRLOCK" lock-file-system
-"$SD_PCRLOCK" lock-file-system /
-"$SD_PCRLOCK" predict --pcr="$PCRS"
-"$SD_PCRLOCK" predict --pcr="0x1+0x3+4"
-"$SD_PCRLOCK" predict --json=pretty --pcr="$PCRS"
-
-SD_STUB="$(find /usr/lib/systemd/boot/efi/ -name "systemd-boot*.efi" | head -n1)"
-if [[ -n "$SD_STUB" ]]; then
- "$SD_PCRLOCK" lock-pe "$SD_STUB"
- "$SD_PCRLOCK" lock-pe <"$SD_STUB"
- "$SD_PCRLOCK" lock-uki "$SD_STUB"
- "$SD_PCRLOCK" lock-uki <"$SD_STUB"
-fi
-
-PIN=huhu "$SD_PCRLOCK" make-policy --pcr="$PCRS" --recovery-pin=yes
-# Repeat immediately (this call will have to reuse the nvindex, rather than create it)
-"$SD_PCRLOCK" make-policy --pcr="$PCRS"
-"$SD_PCRLOCK" make-policy --pcr="$PCRS" --force
-
-img="/tmp/pcrlock.img"
-truncate -s 20M "$img"
-echo -n hoho >/tmp/pcrlockpwd
-chmod 0600 /tmp/pcrlockpwd
-cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$img" /tmp/pcrlockpwd
-
-systemd-cryptenroll --unlock-key-file=/tmp/pcrlockpwd --tpm2-device=auto --tpm2-pcrlock=/var/lib/systemd/pcrlock.json --tpm2-public-key= --wipe-slot=tpm2 "$img"
-systemd-cryptsetup attach pcrlock "$img" - tpm2-device=auto,tpm2-pcrlock=/var/lib/systemd/pcrlock.json,headless
-systemd-cryptsetup detach pcrlock
-
-# Measure something into PCR 16 (the "debug" PCR), which should make the activation fail
-"$SD_PCREXTEND" --pcr=16 test70
-
-"$SD_PCRLOCK" cel --json=pretty
-
-(! systemd-cryptsetup attach pcrlock "$img" - tpm2-device=auto,tpm2-pcrlock=/var/lib/systemd/pcrlock.json,headless )
-
-# Now add a component for it, rebuild policy and it should work (we'll rebuild
-# once like that, but don't provide the recovery pin. This should fail, since
-# the PCR is hosed after all. But then we'll use recovery pin, and it should
-# work.
-echo -n test70 | "$SD_PCRLOCK" lock-raw --pcrlock=/var/lib/pcrlock.d/910-test70.pcrlock --pcr=16
-(! "$SD_PCRLOCK" make-policy --pcr="$PCRS")
-PIN=huhu "$SD_PCRLOCK" make-policy --pcr="$PCRS" --recovery-pin=yes
-
-systemd-cryptsetup attach pcrlock "$img" - tpm2-device=auto,tpm2-pcrlock=/var/lib/systemd/pcrlock.json,headless
-systemd-cryptsetup detach pcrlock
-
-# And now let's do it the clean way, and generate the right policy ahead of time.
-echo -n test70-take-two | "$SD_PCRLOCK" lock-raw --pcrlock=/var/lib/pcrlock.d/920-test70.pcrlock --pcr=16
-"$SD_PCRLOCK" make-policy --pcr="$PCRS"
-
-"$SD_PCREXTEND" --pcr=16 test70-take-two
-
-"$SD_PCRLOCK" cel --json=pretty
-
-systemd-cryptsetup attach pcrlock "$img" - tpm2-device=auto,tpm2-pcrlock=/var/lib/systemd/pcrlock.json,headless
-systemd-cryptsetup detach pcrlock
-
-"$SD_PCRLOCK" remove-policy
-
-"$SD_PCRLOCK" unlock-firmware-config
-"$SD_PCRLOCK" unlock-gpt
-"$SD_PCRLOCK" unlock-machine-id
-"$SD_PCRLOCK" unlock-file-system
-"$SD_PCRLOCK" unlock-raw --pcrlock=/var/lib/pcrlock.d/910-test70.pcrlock
-"$SD_PCRLOCK" unlock-raw --pcrlock=/var/lib/pcrlock.d/920-test70.pcrlock
-
-(! "$SD_PCRLOCK" "")
-(! "$SD_PCRLOCK" predict --pcr=-1)
-(! "$SD_PCRLOCK" predict --pcr=foo)
-(! "$SD_PCRLOCK" predict --pcr=1+1)
-(! "$SD_PCRLOCK" predict --pcr=1+++++1)
-(! "$SD_PCRLOCK" make-policy --nv-index=0)
-(! "$SD_PCRLOCK" make-policy --nv-index=foo)
-(! "$SD_PCRLOCK" list-components --location=:)
-(! "$SD_PCRLOCK" lock-gpt "")
-(! "$SD_PCRLOCK" lock-gpt /dev/sr0)
-(! "$SD_PCRLOCK" lock-pe /dev/full)
-(! "$SD_PCRLOCK" lock-pe /bin/true)
-(! "$SD_PCRLOCK" lock-uki /dev/full)
-(! "$SD_PCRLOCK" lock-uki /bin/true)
-(! "$SD_PCRLOCK" lock-file-system "")
-
-rm "$img" /tmp/pcrlockpwd