[v1] selftest/trustedkeys: TPM 1.2 trusted keys test
diff mbox series

Message ID 1571944467-13097-1-git-send-email-zohar@linux.ibm.com
State New
Headers show
Series
  • [v1] selftest/trustedkeys: TPM 1.2 trusted keys test
Related show

Commit Message

Mimi Zohar Oct. 24, 2019, 7:14 p.m. UTC
Create, save and load trusted keys test

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Change log v1:
- Replace the directions for using Trousers to take ownership of the TPM
with directions for using the IBM TSS.
- Differentiate between different types of errors.  Recent bug is causing
"add_key: Timer expired".
---
 tools/testing/selftests/tpm2/Makefile            |   2 +-
 tools/testing/selftests/tpm2/test_trustedkeys.sh | 109 +++++++++++++++++++++++
 2 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100755 tools/testing/selftests/tpm2/test_trustedkeys.sh

Comments

Mimi Zohar Oct. 24, 2019, 7:24 p.m. UTC | #1
Hi Jarkko,

Please note that I'm seeing "add_key: Timer expired" frequently.  This
is something new.  I have no idea if this is a new TPM or keys
regression.

Mimi


On Thu, 2019-10-24 at 15:14 -0400, Mimi Zohar wrote:
> Create, save and load trusted keys test
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> Change log v1:
> - Replace the directions for using Trousers to take ownership of the TPM
> with directions for using the IBM TSS.
> - Differentiate between different types of errors.  Recent bug is causing
> "add_key: Timer expired".
> ---
>  tools/testing/selftests/tpm2/Makefile            |   2 +-
>  tools/testing/selftests/tpm2/test_trustedkeys.sh | 109 +++++++++++++++++++++++
>  2 files changed, 110 insertions(+), 1 deletion(-)
>  create mode 100755 tools/testing/selftests/tpm2/test_trustedkeys.sh
> 
> diff --git a/tools/testing/selftests/tpm2/Makefile b/tools/testing/selftests/tpm2/Makefile
> index 1a5db1eb8ed5..055bf62510b5 100644
> --- a/tools/testing/selftests/tpm2/Makefile
> +++ b/tools/testing/selftests/tpm2/Makefile
> @@ -1,5 +1,5 @@
>  # SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
>  include ../lib.mk
>  
> -TEST_PROGS := test_smoke.sh test_space.sh
> +TEST_PROGS := test_smoke.sh test_space.sh test_trustedkey.sh
>  TEST_PROGS_EXTENDED := tpm2.py tpm2_tests.py
> diff --git a/tools/testing/selftests/tpm2/test_trustedkeys.sh b/tools/testing/selftests/tpm2/test_trustedkeys.sh
> new file mode 100755
> index 000000000000..dc7df7467670
> --- /dev/null
> +++ b/tools/testing/selftests/tpm2/test_trustedkeys.sh
> @@ -0,0 +1,109 @@
> +#!/bin/sh
> +
> +VERBOSE="${VERBOSE:-1}"
> +TRUSTEDKEY1="$(mktemp -u XXXX).blob"
> +TRUSTEDKEY2="$(mktemp -u XXXX).blob"
> +ERRMSG="$(mktemp -u XXXX)"
> +trap "echo PRETRAP" SIGINT SIGTERM SIGTSTP
> +trap "{ rm -f $TRUSTEDKEY1 $TRUSTEDKEY2 $ERRMSG; }" EXIT
> +
> +log_info()
> +{
> +        [ $VERBOSE -ne 0 ] && echo "[INFO] $1"
> +}
> +
> +# The ksefltest framework requirement returns 0 for PASS.
> +log_pass()
> +{
> +        [ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
> +        exit 0
> +}
> +
> +# The ksefltest framework requirement returns 1 for FAIL.
> +log_fail()
> +{
> +        [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
> +        exit 1
> +}
> +
> +# The ksefltest framework requirement returns 4 for SKIP.
> +log_skip()
> +{
> +        [ $VERBOSE -ne 0 ] && echo "$1"
> +        exit 4
> +}
> +
> +is_tpm1()
> +{
> +	local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
> +	if [ ! -f "$pcrs_path" ]; then
> +		pcrs_path="/sys/class/misc/tpm0/device/pcrs"
> +	fi
> +
> +	if [ ! -f "$pcrs_path" ]; then
> +		log_skip "TPM 1.2 chip not found"
> +	fi
> +}
> +
> +takeownership_info()
> +{
> +	log_info "creating trusted key failed, probably requires taking TPM ownership:"
> +	which tss1oiap > /dev/null 2>&1 || \
> +		log_info "    tss1oiap not found, install IBM TSS"
> +
> +	log_info "    export TPM_DEVICE=/dev/tpm0"
> +	log_info "    export TPM_ENCRYPT_SESSIONS=0"
> +
> +	log_info "    OIAP=\$(tss1oiap | cut -d' ' -f 2)"
> +	log_info "    tss1takeownership -se0 \$OIAP 0"
> +	log_fail "creating trusted key"
> +}
> +
> +test_trustedkey()
> +{
> +	#local keyid="$(keyctl add trusted kmk-test "new 64" @u)" &> $ERRMSG
> +	local keyid="$(keyctl add trusted kmk-test "new 64" @u 2> $ERRMSG)"
> +
> +	grep -E -q "add_key: Operation not permitted" $ERRMSG
> +	if [ $? -eq 0 ]; then
> +		takeownership_info
> +	fi
> +
> +	grep -E -q "add_key: " $ERRMSG
> +	if [ $? -eq 0 ]; then
> +		log_info "`cat ${ERRMSG}`"
> +		log_fail "creating trusted key"
> +	fi
> +	
> +	if [ -z "$keyid" ]; then
> +		log_fail "creating trusted key failed"
> +	fi
> +	log_info "creating trusted key succeeded"
> +
> +	# save newly created trusted key and remove from keyring
> +	keyctl pipe "$keyid" > "$TRUSTEDKEY1"
> +	keyctl unlink "$keyid" &> /dev/null
> +
> +	keyid=$(keyctl add trusted kmk-test "load `cat $TRUSTEDKEY1`" @u)
> +	if [ $? -eq 0 ]; then
> +		log_info "loading trusted key succeeded"
> +	else
> +		log_fail "loading trusted key failed"
> +	fi
> +
> +	# save loaded trusted key and remove from keyring again
> +	keyctl pipe "$keyid" > "$TRUSTEDKEY2"
> +	keyctl unlink "$keyid" &> /dev/null
> +
> +	# compare trusted keys
> +	diff "$TRUSTEDKEY1" "$TRUSTEDKEY2" &> /dev/null
> +	ret=$?
> +	if [ $ret -eq 0 ]; then
> +		log_pass "trusted key test succeeded"
> +	else
> +		log_fail "trusted key test failed"
> +	fi
> +}
> +
> +is_tpm1
> +test_trustedkey
Jarkko Sakkinen Oct. 28, 2019, 8:30 p.m. UTC | #2
On Thu, Oct 24, 2019 at 03:14:27PM -0400, Mimi Zohar wrote:
> Create, save and load trusted keys test
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> Change log v1:
> - Replace the directions for using Trousers to take ownership of the TPM
> with directions for using the IBM TSS.
> - Differentiate between different types of errors.  Recent bug is causing
> "add_key: Timer expired".
> ---

Is not really usable as a selftest because of 3rd party dependencies.

/Jarkko
Jarkko Sakkinen Oct. 28, 2019, 8:35 p.m. UTC | #3
On Thu, Oct 24, 2019 at 03:24:06PM -0400, Mimi Zohar wrote:
> Hi Jarkko,
> 
> Please note that I'm seeing "add_key: Timer expired" frequently.  This
> is something new.  I have no idea if this is a new TPM or keys
> regression.

Is it possible to bisect this? I cannot run the test script that you
made at the moment because of dependencies.

I'll try to work on image with BuildRoot that would have TrouSerS.
I recall it had recipe for it. So probably late this week or early
next week I'll be able to help finding the root cause.

/Jarkko
Jarkko Sakkinen Oct. 28, 2019, 8:40 p.m. UTC | #4
On Mon, Oct 28, 2019 at 10:30:14PM +0200, Jarkko Sakkinen wrote:
> On Thu, Oct 24, 2019 at 03:14:27PM -0400, Mimi Zohar wrote:
> > Create, save and load trusted keys test
> > 
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > 
> > Change log v1:
> > - Replace the directions for using Trousers to take ownership of the TPM
> > with directions for using the IBM TSS.
> > - Differentiate between different types of errors.  Recent bug is causing
> > "add_key: Timer expired".
> > ---
> 
> Is not really usable as a selftest because of 3rd party dependencies.

For TPM 2.0 I did write a smoke test for TPM2 trusted keys:

https://github.com/jsakkine-intel/tpm2-scripts

What you need to do is to make a lightweight library for TPM 1.x e.g.
tpm1.py, and use that to implement the test.

For TPM 2.0 I would peek at the tpm2-pcr-policy and keyctl-smoke.sh on
how to implement the without 3rd party deps.

/Jarkko
Mimi Zohar Oct. 28, 2019, 8:45 p.m. UTC | #5
On Mon, 2019-10-28 at 22:30 +0200, Jarkko Sakkinen wrote:
> On Thu, Oct 24, 2019 at 03:14:27PM -0400, Mimi Zohar wrote:
> > Create, save and load trusted keys test
> > 
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > 
> > Change log v1:
> > - Replace the directions for using Trousers to take ownership of the TPM
> > with directions for using the IBM TSS.
> > - Differentiate between different types of errors.  Recent bug is causing
> > "add_key: Timer expired".
> > ---
> 
> Is not really usable as a selftest because of 3rd party dependencies.

As part of diagnosing trusted keys failure, there is some
hints/directions as to how to take TPM 1.2 ownership, but it does not
take ownership.  The previous version included directions for using
Trousers.  This version provides directions for using the IBM TSS.
 Feel free to include additional hints/directions.

Mimi
Jarkko Sakkinen Oct. 29, 2019, 9:15 a.m. UTC | #6
On Mon, Oct 28, 2019 at 04:45:13PM -0400, Mimi Zohar wrote:
> On Mon, 2019-10-28 at 22:30 +0200, Jarkko Sakkinen wrote:
> > On Thu, Oct 24, 2019 at 03:14:27PM -0400, Mimi Zohar wrote:
> > > Create, save and load trusted keys test
> > > 
> > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > > 
> > > Change log v1:
> > > - Replace the directions for using Trousers to take ownership of the TPM
> > > with directions for using the IBM TSS.
> > > - Differentiate between different types of errors.  Recent bug is causing
> > > "add_key: Timer expired".
> > > ---
> > 
> > Is not really usable as a selftest because of 3rd party dependencies.
> 
> As part of diagnosing trusted keys failure, there is some
> hints/directions as to how to take TPM 1.2 ownership, but it does not
> take ownership.  The previous version included directions for using
> Trousers.  This version provides directions for using the IBM TSS.
>  Feel free to include additional hints/directions.

You must write your own minimal user space that can be included
to the kernel. Otherwise, we cannot take it.

/Jarkko
Jarkko Sakkinen Oct. 29, 2019, 9:25 a.m. UTC | #7
On Tue, Oct 29, 2019 at 11:15:35AM +0200, Jarkko Sakkinen wrote:
> On Mon, Oct 28, 2019 at 04:45:13PM -0400, Mimi Zohar wrote:
> > On Mon, 2019-10-28 at 22:30 +0200, Jarkko Sakkinen wrote:
> > > On Thu, Oct 24, 2019 at 03:14:27PM -0400, Mimi Zohar wrote:
> > > > Create, save and load trusted keys test
> > > > 
> > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > 
> > > > Change log v1:
> > > > - Replace the directions for using Trousers to take ownership of the TPM
> > > > with directions for using the IBM TSS.
> > > > - Differentiate between different types of errors.  Recent bug is causing
> > > > "add_key: Timer expired".
> > > > ---
> > > 
> > > Is not really usable as a selftest because of 3rd party dependencies.
> > 
> > As part of diagnosing trusted keys failure, there is some
> > hints/directions as to how to take TPM 1.2 ownership, but it does not
> > take ownership.  The previous version included directions for using
> > Trousers.  This version provides directions for using the IBM TSS.
> >  Feel free to include additional hints/directions.
> 
> You must write your own minimal user space that can be included
> to the kernel. Otherwise, we cannot take it.

I'll anyway try to setup user space with TrouSerS so that I can try
it out. BuildRoot has recipe for that but not for IBM TSS 2.0 so I'll
skip that and use my own test script for TPM2 trusted keys.

/Jarkko
Jarkko Sakkinen Oct. 29, 2019, 11:45 a.m. UTC | #8
On Tue, Oct 29, 2019 at 11:25:16AM +0200, Jarkko Sakkinen wrote:
> I'll anyway try to setup user space with TrouSerS so that I can try
> it out. BuildRoot has recipe for that but not for IBM TSS 2.0 so I'll
> skip that and use my own test script for TPM2 trusted keys.

Busybox version of mktemp gives this error message:

  mktemp: Invalid argument

I get that three times.

Then I get non-existent directory error from line 65 but it is probably
consequence of the previous errors.

This the help for mktemp:

"
Usage: mktemp [-dt] [-p DIR] [TEMPLATE]

Create a temporary file with name based on TEMPLATE and print its name.
TEMPLATE must end with XXXXXX (e.g. [/dir/]nameXXXXXX).
Without TEMPLATE, -t tmp.XXXXXX is assumed.

	-d	Make directory, not file
	-q	Fail silently on errors
	-t	Prepend base directory name to TEMPLATE
	-p DIR	Use DIR as a base directory (implies -t)
	-u	Do not create anything; print a name

Base directory is: -p DIR, else $TMPDIR, else /tmp
"

Use total six X's seems to fix the problem.

/Jarkko
Jarkko Sakkinen Oct. 29, 2019, 11:49 a.m. UTC | #9
On Tue, Oct 29, 2019 at 01:45:35PM +0200, Jarkko Sakkinen wrote:
> On Tue, Oct 29, 2019 at 11:25:16AM +0200, Jarkko Sakkinen wrote:
> > I'll anyway try to setup user space with TrouSerS so that I can try
> > it out. BuildRoot has recipe for that but not for IBM TSS 2.0 so I'll
> > skip that and use my own test script for TPM2 trusted keys.
> 
> Busybox version of mktemp gives this error message:
> 
>   mktemp: Invalid argument
> 
> I get that three times.
> 
> Then I get non-existent directory error from line 65 but it is probably
> consequence of the previous errors.
> 
> This the help for mktemp:
> 
> "
> Usage: mktemp [-dt] [-p DIR] [TEMPLATE]
> 
> Create a temporary file with name based on TEMPLATE and print its name.
> TEMPLATE must end with XXXXXX (e.g. [/dir/]nameXXXXXX).
> Without TEMPLATE, -t tmp.XXXXXX is assumed.
> 
> 	-d	Make directory, not file
> 	-q	Fail silently on errors
> 	-t	Prepend base directory name to TEMPLATE
> 	-p DIR	Use DIR as a base directory (implies -t)
> 	-u	Do not create anything; print a name
> 
> Base directory is: -p DIR, else $TMPDIR, else /tmp
> "
> 
> Use total six X's seems to fix the problem.

OK, I fixes that issue and then I end up with:

  [INFO] add_key: No such device

Anyway, got further.

/Jarkko

Patch
diff mbox series

diff --git a/tools/testing/selftests/tpm2/Makefile b/tools/testing/selftests/tpm2/Makefile
index 1a5db1eb8ed5..055bf62510b5 100644
--- a/tools/testing/selftests/tpm2/Makefile
+++ b/tools/testing/selftests/tpm2/Makefile
@@ -1,5 +1,5 @@ 
 # SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
 include ../lib.mk
 
-TEST_PROGS := test_smoke.sh test_space.sh
+TEST_PROGS := test_smoke.sh test_space.sh test_trustedkey.sh
 TEST_PROGS_EXTENDED := tpm2.py tpm2_tests.py
diff --git a/tools/testing/selftests/tpm2/test_trustedkeys.sh b/tools/testing/selftests/tpm2/test_trustedkeys.sh
new file mode 100755
index 000000000000..dc7df7467670
--- /dev/null
+++ b/tools/testing/selftests/tpm2/test_trustedkeys.sh
@@ -0,0 +1,109 @@ 
+#!/bin/sh
+
+VERBOSE="${VERBOSE:-1}"
+TRUSTEDKEY1="$(mktemp -u XXXX).blob"
+TRUSTEDKEY2="$(mktemp -u XXXX).blob"
+ERRMSG="$(mktemp -u XXXX)"
+trap "echo PRETRAP" SIGINT SIGTERM SIGTSTP
+trap "{ rm -f $TRUSTEDKEY1 $TRUSTEDKEY2 $ERRMSG; }" EXIT
+
+log_info()
+{
+        [ $VERBOSE -ne 0 ] && echo "[INFO] $1"
+}
+
+# The ksefltest framework requirement returns 0 for PASS.
+log_pass()
+{
+        [ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
+        exit 0
+}
+
+# The ksefltest framework requirement returns 1 for FAIL.
+log_fail()
+{
+        [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
+        exit 1
+}
+
+# The ksefltest framework requirement returns 4 for SKIP.
+log_skip()
+{
+        [ $VERBOSE -ne 0 ] && echo "$1"
+        exit 4
+}
+
+is_tpm1()
+{
+	local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
+	if [ ! -f "$pcrs_path" ]; then
+		pcrs_path="/sys/class/misc/tpm0/device/pcrs"
+	fi
+
+	if [ ! -f "$pcrs_path" ]; then
+		log_skip "TPM 1.2 chip not found"
+	fi
+}
+
+takeownership_info()
+{
+	log_info "creating trusted key failed, probably requires taking TPM ownership:"
+	which tss1oiap > /dev/null 2>&1 || \
+		log_info "    tss1oiap not found, install IBM TSS"
+
+	log_info "    export TPM_DEVICE=/dev/tpm0"
+	log_info "    export TPM_ENCRYPT_SESSIONS=0"
+
+	log_info "    OIAP=\$(tss1oiap | cut -d' ' -f 2)"
+	log_info "    tss1takeownership -se0 \$OIAP 0"
+	log_fail "creating trusted key"
+}
+
+test_trustedkey()
+{
+	#local keyid="$(keyctl add trusted kmk-test "new 64" @u)" &> $ERRMSG
+	local keyid="$(keyctl add trusted kmk-test "new 64" @u 2> $ERRMSG)"
+
+	grep -E -q "add_key: Operation not permitted" $ERRMSG
+	if [ $? -eq 0 ]; then
+		takeownership_info
+	fi
+
+	grep -E -q "add_key: " $ERRMSG
+	if [ $? -eq 0 ]; then
+		log_info "`cat ${ERRMSG}`"
+		log_fail "creating trusted key"
+	fi
+	
+	if [ -z "$keyid" ]; then
+		log_fail "creating trusted key failed"
+	fi
+	log_info "creating trusted key succeeded"
+
+	# save newly created trusted key and remove from keyring
+	keyctl pipe "$keyid" > "$TRUSTEDKEY1"
+	keyctl unlink "$keyid" &> /dev/null
+
+	keyid=$(keyctl add trusted kmk-test "load `cat $TRUSTEDKEY1`" @u)
+	if [ $? -eq 0 ]; then
+		log_info "loading trusted key succeeded"
+	else
+		log_fail "loading trusted key failed"
+	fi
+
+	# save loaded trusted key and remove from keyring again
+	keyctl pipe "$keyid" > "$TRUSTEDKEY2"
+	keyctl unlink "$keyid" &> /dev/null
+
+	# compare trusted keys
+	diff "$TRUSTEDKEY1" "$TRUSTEDKEY2" &> /dev/null
+	ret=$?
+	if [ $ret -eq 0 ]; then
+		log_pass "trusted key test succeeded"
+	else
+		log_fail "trusted key test failed"
+	fi
+}
+
+is_tpm1
+test_trustedkey