Message ID | 1571944467-13097-1-git-send-email-zohar@linux.ibm.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | [v1] selftest/trustedkeys: TPM 1.2 trusted keys test | expand |
Hi Jarkko, Please note that I'm seeing "add_key: Timer expired" frequently. This is something new. I have no idea if this is a new TPM or keys regression. Mimi On Thu, 2019-10-24 at 15:14 -0400, Mimi Zohar wrote: > Create, save and load trusted keys test > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > > Change log v1: > - Replace the directions for using Trousers to take ownership of the TPM > with directions for using the IBM TSS. > - Differentiate between different types of errors. Recent bug is causing > "add_key: Timer expired". > --- > tools/testing/selftests/tpm2/Makefile | 2 +- > tools/testing/selftests/tpm2/test_trustedkeys.sh | 109 +++++++++++++++++++++++ > 2 files changed, 110 insertions(+), 1 deletion(-) > create mode 100755 tools/testing/selftests/tpm2/test_trustedkeys.sh > > diff --git a/tools/testing/selftests/tpm2/Makefile b/tools/testing/selftests/tpm2/Makefile > index 1a5db1eb8ed5..055bf62510b5 100644 > --- a/tools/testing/selftests/tpm2/Makefile > +++ b/tools/testing/selftests/tpm2/Makefile > @@ -1,5 +1,5 @@ > # SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause) > include ../lib.mk > > -TEST_PROGS := test_smoke.sh test_space.sh > +TEST_PROGS := test_smoke.sh test_space.sh test_trustedkey.sh > TEST_PROGS_EXTENDED := tpm2.py tpm2_tests.py > diff --git a/tools/testing/selftests/tpm2/test_trustedkeys.sh b/tools/testing/selftests/tpm2/test_trustedkeys.sh > new file mode 100755 > index 000000000000..dc7df7467670 > --- /dev/null > +++ b/tools/testing/selftests/tpm2/test_trustedkeys.sh > @@ -0,0 +1,109 @@ > +#!/bin/sh > + > +VERBOSE="${VERBOSE:-1}" > +TRUSTEDKEY1="$(mktemp -u XXXX).blob" > +TRUSTEDKEY2="$(mktemp -u XXXX).blob" > +ERRMSG="$(mktemp -u XXXX)" > +trap "echo PRETRAP" SIGINT SIGTERM SIGTSTP > +trap "{ rm -f $TRUSTEDKEY1 $TRUSTEDKEY2 $ERRMSG; }" EXIT > + > +log_info() > +{ > + [ $VERBOSE -ne 0 ] && echo "[INFO] $1" > +} > + > +# The ksefltest framework requirement returns 0 for PASS. > +log_pass() > +{ > + [ $VERBOSE -ne 0 ] && echo "$1 [PASS]" > + exit 0 > +} > + > +# The ksefltest framework requirement returns 1 for FAIL. > +log_fail() > +{ > + [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]" > + exit 1 > +} > + > +# The ksefltest framework requirement returns 4 for SKIP. > +log_skip() > +{ > + [ $VERBOSE -ne 0 ] && echo "$1" > + exit 4 > +} > + > +is_tpm1() > +{ > + local pcrs_path="/sys/class/tpm/tpm0/device/pcrs" > + if [ ! -f "$pcrs_path" ]; then > + pcrs_path="/sys/class/misc/tpm0/device/pcrs" > + fi > + > + if [ ! -f "$pcrs_path" ]; then > + log_skip "TPM 1.2 chip not found" > + fi > +} > + > +takeownership_info() > +{ > + log_info "creating trusted key failed, probably requires taking TPM ownership:" > + which tss1oiap > /dev/null 2>&1 || \ > + log_info " tss1oiap not found, install IBM TSS" > + > + log_info " export TPM_DEVICE=/dev/tpm0" > + log_info " export TPM_ENCRYPT_SESSIONS=0" > + > + log_info " OIAP=\$(tss1oiap | cut -d' ' -f 2)" > + log_info " tss1takeownership -se0 \$OIAP 0" > + log_fail "creating trusted key" > +} > + > +test_trustedkey() > +{ > + #local keyid="$(keyctl add trusted kmk-test "new 64" @u)" &> $ERRMSG > + local keyid="$(keyctl add trusted kmk-test "new 64" @u 2> $ERRMSG)" > + > + grep -E -q "add_key: Operation not permitted" $ERRMSG > + if [ $? -eq 0 ]; then > + takeownership_info > + fi > + > + grep -E -q "add_key: " $ERRMSG > + if [ $? -eq 0 ]; then > + log_info "`cat ${ERRMSG}`" > + log_fail "creating trusted key" > + fi > + > + if [ -z "$keyid" ]; then > + log_fail "creating trusted key failed" > + fi > + log_info "creating trusted key succeeded" > + > + # save newly created trusted key and remove from keyring > + keyctl pipe "$keyid" > "$TRUSTEDKEY1" > + keyctl unlink "$keyid" &> /dev/null > + > + keyid=$(keyctl add trusted kmk-test "load `cat $TRUSTEDKEY1`" @u) > + if [ $? -eq 0 ]; then > + log_info "loading trusted key succeeded" > + else > + log_fail "loading trusted key failed" > + fi > + > + # save loaded trusted key and remove from keyring again > + keyctl pipe "$keyid" > "$TRUSTEDKEY2" > + keyctl unlink "$keyid" &> /dev/null > + > + # compare trusted keys > + diff "$TRUSTEDKEY1" "$TRUSTEDKEY2" &> /dev/null > + ret=$? > + if [ $ret -eq 0 ]; then > + log_pass "trusted key test succeeded" > + else > + log_fail "trusted key test failed" > + fi > +} > + > +is_tpm1 > +test_trustedkey
On Thu, Oct 24, 2019 at 03:14:27PM -0400, Mimi Zohar wrote: > Create, save and load trusted keys test > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > > Change log v1: > - Replace the directions for using Trousers to take ownership of the TPM > with directions for using the IBM TSS. > - Differentiate between different types of errors. Recent bug is causing > "add_key: Timer expired". > --- Is not really usable as a selftest because of 3rd party dependencies. /Jarkko
On Thu, Oct 24, 2019 at 03:24:06PM -0400, Mimi Zohar wrote: > Hi Jarkko, > > Please note that I'm seeing "add_key: Timer expired" frequently. This > is something new. I have no idea if this is a new TPM or keys > regression. Is it possible to bisect this? I cannot run the test script that you made at the moment because of dependencies. I'll try to work on image with BuildRoot that would have TrouSerS. I recall it had recipe for it. So probably late this week or early next week I'll be able to help finding the root cause. /Jarkko
On Mon, Oct 28, 2019 at 10:30:14PM +0200, Jarkko Sakkinen wrote: > On Thu, Oct 24, 2019 at 03:14:27PM -0400, Mimi Zohar wrote: > > Create, save and load trusted keys test > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > > > > Change log v1: > > - Replace the directions for using Trousers to take ownership of the TPM > > with directions for using the IBM TSS. > > - Differentiate between different types of errors. Recent bug is causing > > "add_key: Timer expired". > > --- > > Is not really usable as a selftest because of 3rd party dependencies. For TPM 2.0 I did write a smoke test for TPM2 trusted keys: https://github.com/jsakkine-intel/tpm2-scripts What you need to do is to make a lightweight library for TPM 1.x e.g. tpm1.py, and use that to implement the test. For TPM 2.0 I would peek at the tpm2-pcr-policy and keyctl-smoke.sh on how to implement the without 3rd party deps. /Jarkko
On Mon, 2019-10-28 at 22:30 +0200, Jarkko Sakkinen wrote: > On Thu, Oct 24, 2019 at 03:14:27PM -0400, Mimi Zohar wrote: > > Create, save and load trusted keys test > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > > > > Change log v1: > > - Replace the directions for using Trousers to take ownership of the TPM > > with directions for using the IBM TSS. > > - Differentiate between different types of errors. Recent bug is causing > > "add_key: Timer expired". > > --- > > Is not really usable as a selftest because of 3rd party dependencies. As part of diagnosing trusted keys failure, there is some hints/directions as to how to take TPM 1.2 ownership, but it does not take ownership. The previous version included directions for using Trousers. This version provides directions for using the IBM TSS. Feel free to include additional hints/directions. Mimi
On Mon, Oct 28, 2019 at 04:45:13PM -0400, Mimi Zohar wrote: > On Mon, 2019-10-28 at 22:30 +0200, Jarkko Sakkinen wrote: > > On Thu, Oct 24, 2019 at 03:14:27PM -0400, Mimi Zohar wrote: > > > Create, save and load trusted keys test > > > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > > > > > > Change log v1: > > > - Replace the directions for using Trousers to take ownership of the TPM > > > with directions for using the IBM TSS. > > > - Differentiate between different types of errors. Recent bug is causing > > > "add_key: Timer expired". > > > --- > > > > Is not really usable as a selftest because of 3rd party dependencies. > > As part of diagnosing trusted keys failure, there is some > hints/directions as to how to take TPM 1.2 ownership, but it does not > take ownership. The previous version included directions for using > Trousers. This version provides directions for using the IBM TSS. > Feel free to include additional hints/directions. You must write your own minimal user space that can be included to the kernel. Otherwise, we cannot take it. /Jarkko
On Tue, Oct 29, 2019 at 11:15:35AM +0200, Jarkko Sakkinen wrote: > On Mon, Oct 28, 2019 at 04:45:13PM -0400, Mimi Zohar wrote: > > On Mon, 2019-10-28 at 22:30 +0200, Jarkko Sakkinen wrote: > > > On Thu, Oct 24, 2019 at 03:14:27PM -0400, Mimi Zohar wrote: > > > > Create, save and load trusted keys test > > > > > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > > > > > > > > Change log v1: > > > > - Replace the directions for using Trousers to take ownership of the TPM > > > > with directions for using the IBM TSS. > > > > - Differentiate between different types of errors. Recent bug is causing > > > > "add_key: Timer expired". > > > > --- > > > > > > Is not really usable as a selftest because of 3rd party dependencies. > > > > As part of diagnosing trusted keys failure, there is some > > hints/directions as to how to take TPM 1.2 ownership, but it does not > > take ownership. The previous version included directions for using > > Trousers. This version provides directions for using the IBM TSS. > > Feel free to include additional hints/directions. > > You must write your own minimal user space that can be included > to the kernel. Otherwise, we cannot take it. I'll anyway try to setup user space with TrouSerS so that I can try it out. BuildRoot has recipe for that but not for IBM TSS 2.0 so I'll skip that and use my own test script for TPM2 trusted keys. /Jarkko
On Tue, Oct 29, 2019 at 11:25:16AM +0200, Jarkko Sakkinen wrote: > I'll anyway try to setup user space with TrouSerS so that I can try > it out. BuildRoot has recipe for that but not for IBM TSS 2.0 so I'll > skip that and use my own test script for TPM2 trusted keys. Busybox version of mktemp gives this error message: mktemp: Invalid argument I get that three times. Then I get non-existent directory error from line 65 but it is probably consequence of the previous errors. This the help for mktemp: " Usage: mktemp [-dt] [-p DIR] [TEMPLATE] Create a temporary file with name based on TEMPLATE and print its name. TEMPLATE must end with XXXXXX (e.g. [/dir/]nameXXXXXX). Without TEMPLATE, -t tmp.XXXXXX is assumed. -d Make directory, not file -q Fail silently on errors -t Prepend base directory name to TEMPLATE -p DIR Use DIR as a base directory (implies -t) -u Do not create anything; print a name Base directory is: -p DIR, else $TMPDIR, else /tmp " Use total six X's seems to fix the problem. /Jarkko
On Tue, Oct 29, 2019 at 01:45:35PM +0200, Jarkko Sakkinen wrote: > On Tue, Oct 29, 2019 at 11:25:16AM +0200, Jarkko Sakkinen wrote: > > I'll anyway try to setup user space with TrouSerS so that I can try > > it out. BuildRoot has recipe for that but not for IBM TSS 2.0 so I'll > > skip that and use my own test script for TPM2 trusted keys. > > Busybox version of mktemp gives this error message: > > mktemp: Invalid argument > > I get that three times. > > Then I get non-existent directory error from line 65 but it is probably > consequence of the previous errors. > > This the help for mktemp: > > " > Usage: mktemp [-dt] [-p DIR] [TEMPLATE] > > Create a temporary file with name based on TEMPLATE and print its name. > TEMPLATE must end with XXXXXX (e.g. [/dir/]nameXXXXXX). > Without TEMPLATE, -t tmp.XXXXXX is assumed. > > -d Make directory, not file > -q Fail silently on errors > -t Prepend base directory name to TEMPLATE > -p DIR Use DIR as a base directory (implies -t) > -u Do not create anything; print a name > > Base directory is: -p DIR, else $TMPDIR, else /tmp > " > > Use total six X's seems to fix the problem. OK, I fixes that issue and then I end up with: [INFO] add_key: No such device Anyway, got further. /Jarkko
diff --git a/tools/testing/selftests/tpm2/Makefile b/tools/testing/selftests/tpm2/Makefile index 1a5db1eb8ed5..055bf62510b5 100644 --- a/tools/testing/selftests/tpm2/Makefile +++ b/tools/testing/selftests/tpm2/Makefile @@ -1,5 +1,5 @@ # SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause) include ../lib.mk -TEST_PROGS := test_smoke.sh test_space.sh +TEST_PROGS := test_smoke.sh test_space.sh test_trustedkey.sh TEST_PROGS_EXTENDED := tpm2.py tpm2_tests.py diff --git a/tools/testing/selftests/tpm2/test_trustedkeys.sh b/tools/testing/selftests/tpm2/test_trustedkeys.sh new file mode 100755 index 000000000000..dc7df7467670 --- /dev/null +++ b/tools/testing/selftests/tpm2/test_trustedkeys.sh @@ -0,0 +1,109 @@ +#!/bin/sh + +VERBOSE="${VERBOSE:-1}" +TRUSTEDKEY1="$(mktemp -u XXXX).blob" +TRUSTEDKEY2="$(mktemp -u XXXX).blob" +ERRMSG="$(mktemp -u XXXX)" +trap "echo PRETRAP" SIGINT SIGTERM SIGTSTP +trap "{ rm -f $TRUSTEDKEY1 $TRUSTEDKEY2 $ERRMSG; }" EXIT + +log_info() +{ + [ $VERBOSE -ne 0 ] && echo "[INFO] $1" +} + +# The ksefltest framework requirement returns 0 for PASS. +log_pass() +{ + [ $VERBOSE -ne 0 ] && echo "$1 [PASS]" + exit 0 +} + +# The ksefltest framework requirement returns 1 for FAIL. +log_fail() +{ + [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]" + exit 1 +} + +# The ksefltest framework requirement returns 4 for SKIP. +log_skip() +{ + [ $VERBOSE -ne 0 ] && echo "$1" + exit 4 +} + +is_tpm1() +{ + local pcrs_path="/sys/class/tpm/tpm0/device/pcrs" + if [ ! -f "$pcrs_path" ]; then + pcrs_path="/sys/class/misc/tpm0/device/pcrs" + fi + + if [ ! -f "$pcrs_path" ]; then + log_skip "TPM 1.2 chip not found" + fi +} + +takeownership_info() +{ + log_info "creating trusted key failed, probably requires taking TPM ownership:" + which tss1oiap > /dev/null 2>&1 || \ + log_info " tss1oiap not found, install IBM TSS" + + log_info " export TPM_DEVICE=/dev/tpm0" + log_info " export TPM_ENCRYPT_SESSIONS=0" + + log_info " OIAP=\$(tss1oiap | cut -d' ' -f 2)" + log_info " tss1takeownership -se0 \$OIAP 0" + log_fail "creating trusted key" +} + +test_trustedkey() +{ + #local keyid="$(keyctl add trusted kmk-test "new 64" @u)" &> $ERRMSG + local keyid="$(keyctl add trusted kmk-test "new 64" @u 2> $ERRMSG)" + + grep -E -q "add_key: Operation not permitted" $ERRMSG + if [ $? -eq 0 ]; then + takeownership_info + fi + + grep -E -q "add_key: " $ERRMSG + if [ $? -eq 0 ]; then + log_info "`cat ${ERRMSG}`" + log_fail "creating trusted key" + fi + + if [ -z "$keyid" ]; then + log_fail "creating trusted key failed" + fi + log_info "creating trusted key succeeded" + + # save newly created trusted key and remove from keyring + keyctl pipe "$keyid" > "$TRUSTEDKEY1" + keyctl unlink "$keyid" &> /dev/null + + keyid=$(keyctl add trusted kmk-test "load `cat $TRUSTEDKEY1`" @u) + if [ $? -eq 0 ]; then + log_info "loading trusted key succeeded" + else + log_fail "loading trusted key failed" + fi + + # save loaded trusted key and remove from keyring again + keyctl pipe "$keyid" > "$TRUSTEDKEY2" + keyctl unlink "$keyid" &> /dev/null + + # compare trusted keys + diff "$TRUSTEDKEY1" "$TRUSTEDKEY2" &> /dev/null + ret=$? + if [ $ret -eq 0 ]; then + log_pass "trusted key test succeeded" + else + log_fail "trusted key test failed" + fi +} + +is_tpm1 +test_trustedkey
Create, save and load trusted keys test Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Change log v1: - Replace the directions for using Trousers to take ownership of the TPM with directions for using the IBM TSS. - Differentiate between different types of errors. Recent bug is causing "add_key: Timer expired". --- tools/testing/selftests/tpm2/Makefile | 2 +- tools/testing/selftests/tpm2/test_trustedkeys.sh | 109 +++++++++++++++++++++++ 2 files changed, 110 insertions(+), 1 deletion(-) create mode 100755 tools/testing/selftests/tpm2/test_trustedkeys.sh