summaryrefslogtreecommitdiffstats
path: root/test/units/TEST-70-TPM2.cryptenroll.sh
blob: f18ef020a75e9a4499a0e353dc26b27e44dcaa09 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -eux
set -o pipefail

cryptenroll_wipe_and_check() {(
    set +o pipefail

    : >/tmp/cryptenroll.out
    systemd-cryptenroll "$@" |& tee /tmp/cryptenroll.out
    grep -qE "Wiped slot [[:digit:]]+" /tmp/cryptenroll.out
)}

# There is an external issue with libcryptsetup on ppc64 that hits 95% of Ubuntu ppc64 test runs, so skip it
if [[ "$(uname -m)" == "ppc64le" ]]; then
    echo "Skipping systemd-cryptenroll tests on ppc64le, see https://github.com/systemd/systemd/issues/27716"
    exit 0
fi

export SYSTEMD_LOG_LEVEL=debug
IMAGE="$(mktemp /tmp/systemd-cryptenroll-XXX.image)"

truncate -s 20M "$IMAGE"
echo -n password >/tmp/password
# Change file mode to avoid "/tmp/password has 0644 mode that is too permissive" messages
chmod 0600 /tmp/password
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/password

# Enroll additional tokens, keys, and passwords to exercise the list and wipe stuff
systemd-cryptenroll --unlock-key-file=/tmp/password --tpm2-device=auto "$IMAGE"
NEWPASSWORD="" systemd-cryptenroll --unlock-key-file=/tmp/password  --password "$IMAGE"
NEWPASSWORD=foo systemd-cryptenroll --unlock-key-file=/tmp/password  --password "$IMAGE"
for _ in {0..9}; do
    systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$IMAGE"
done
PASSWORD="" NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true "$IMAGE"
# Do some basic checks before we start wiping stuff
systemd-cryptenroll "$IMAGE"
systemd-cryptenroll "$IMAGE" | grep password
systemd-cryptenroll "$IMAGE" | grep recovery
# Let's start wiping
cryptenroll_wipe_and_check "$IMAGE" --wipe=empty
(! cryptenroll_wipe_and_check "$IMAGE" --wipe=empty)
cryptenroll_wipe_and_check "$IMAGE" --wipe=empty,0
PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$IMAGE" --wipe=0,0,empty,0,pkcs11,fido2,000,recovery,password --password
systemd-cryptenroll "$IMAGE" | grep password
(! systemd-cryptenroll "$IMAGE" | grep recovery)
# We shouldn't be able to wipe all keyslots without enrolling a new key first
(! systemd-cryptenroll "$IMAGE" --wipe=all)
PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$IMAGE" --password --wipe=all
# Check if the newly (and only) enrolled password works
(! systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$IMAGE")
(! PASSWORD="" systemd-cryptenroll --recovery-key "$IMAGE")
PASSWORD=foo systemd-cryptenroll --recovery-key "$IMAGE"

systemd-cryptenroll --fido2-with-client-pin=false "$IMAGE"
systemd-cryptenroll --fido2-with-user-presence=false "$IMAGE"
systemd-cryptenroll --fido2-with-user-verification=false "$IMAGE"
systemd-cryptenroll --tpm2-pcrs=8 "$IMAGE"
systemd-cryptenroll --tpm2-pcrs=boot-loader-code+boot-loader-config "$IMAGE"

# Unlocking using TPM2
PASSWORD=foo systemd-cryptenroll --tpm2-device=auto "$IMAGE"
systemd-cryptenroll --unlock-tpm2-device=auto --recovery-key "$IMAGE"
systemd-cryptenroll --unlock-tpm2-device=auto --tpm2-device=auto --wipe-slot=tpm2 "$IMAGE"

# Add PIN to TPM2 enrollment
NEWPIN=1234 systemd-cryptenroll --unlock-tpm2-device=auto --tpm2-device=auto --tpm2-with-pin=yes "$IMAGE"

# Change PIN on TPM2 enrollment
PIN=1234 NEWPIN=4321 systemd-cryptenroll --unlock-tpm2-device=auto --tpm2-device=auto --tpm2-with-pin=yes "$IMAGE"
PIN=4321 systemd-cryptenroll --unlock-tpm2-device=auto --recovery-key "$IMAGE"

(! systemd-cryptenroll --fido2-with-client-pin=false)
(! systemd-cryptenroll --fido2-with-user-presence=f "$IMAGE" /tmp/foo)
(! systemd-cryptenroll --fido2-with-client-pin=1234 "$IMAGE")
(! systemd-cryptenroll --fido2-with-user-presence=1234 "$IMAGE")
(! systemd-cryptenroll --fido2-with-user-verification=1234 "$IMAGE")
(! systemd-cryptenroll --tpm2-with-pin=1234 "$IMAGE")
(! systemd-cryptenroll --recovery-key --password "$IMAGE")
(! systemd-cryptenroll --password --recovery-key "$IMAGE")
(! systemd-cryptenroll --password --fido2-device=auto "$IMAGE")
(! systemd-cryptenroll --password --pkcs11-token-uri=auto "$IMAGE")
(! systemd-cryptenroll --password --tpm2-device=auto "$IMAGE")
(! systemd-cryptenroll --unlock-fido2-device=auto --unlock-fido2-device=auto "$IMAGE")
(! systemd-cryptenroll --unlock-fido2-device=auto --unlock-key-file=/tmp/unlock "$IMAGE")
(! systemd-cryptenroll --fido2-credential-algorithm=es512 "$IMAGE")
(! systemd-cryptenroll --tpm2-public-key-pcrs=key "$IMAGE")
(! systemd-cryptenroll --tpm2-pcrs=key "$IMAGE")
(! systemd-cryptenroll --tpm2-pcrs=44+8 "$IMAGE")
(! systemd-cryptenroll --tpm2-pcrs=hello "$IMAGE")
(! systemd-cryptenroll --wipe-slot "$IMAGE")
(! systemd-cryptenroll --wipe-slot=10240000 "$IMAGE")
(! systemd-cryptenroll --fido2-device=auto --unlock-fido2-device=auto "$IMAGE")

rm -f "$IMAGE"