Message ID | 20211128041052.1395504-2-stefanb@linux.vnet.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Series | selftests: tpm2: Determine available PCR bank | expand |
On Sat, Nov 27, 2021 at 11:10:51PM -0500, Stefan Berger wrote: > From: Stefan Berger <stefanb@linux.ibm.com> > > Determine an available PCR bank to be used by a test case by querying the > capability TPM2_GET_CAP. The TPM2 returns TPML_PCR_SELECTIONS that > contains an array of TPMS_PCR_SELECTIONs indicating available PCR banks > and the bitmasks that show which PCRs are enabled in each bank. Collect > the data in a dictionary. From the dictionary determine the PCR bank that > has the PCRs enabled that the test needs. This avoids test failures with > TPM2's that either do not have a SHA-1 bank or whose SHA-1 bank is > disabled. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Jarkko Sakkinen <jarkko@kernel.org> /Jarkko
Shuah, are you going to take this fix here - only 1/2 ? https://lore.kernel.org/lkml/20211128041052.1395504-1-stefanb@linux.vnet.ibm.com/T/#m21209a978c237368499ce5f082f3c0fc03bcbbeb Stefan On 11/29/21 18:39, Jarkko Sakkinen wrote: > On Sat, Nov 27, 2021 at 11:10:51PM -0500, Stefan Berger wrote: >> From: Stefan Berger <stefanb@linux.ibm.com> >> >> Determine an available PCR bank to be used by a test case by querying the >> capability TPM2_GET_CAP. The TPM2 returns TPML_PCR_SELECTIONS that >> contains an array of TPMS_PCR_SELECTIONs indicating available PCR banks >> and the bitmasks that show which PCRs are enabled in each bank. Collect >> the data in a dictionary. From the dictionary determine the PCR bank that >> has the PCRs enabled that the test needs. This avoids test failures with >> TPM2's that either to not have a SHA-1 bank or whose SHA-1 bank is >> disabled. >> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > Acked-by: Jarkko Sakkinen <jarkko@kernel.org> > > /Jarkko
Jarkko, can you take this patch 1/2? https://lore.kernel.org/lkml/20211128041052.1395504-1-stefanb@linux.vnet.ibm.com/T/#m21209a978c237368499ce5f082f3c0fc03bcbbeb Stefan On 12/23/21 20:12, Stefan Berger wrote: > Shuah, > > are you going to take this fix here - only 1/2 ? > > https://lore.kernel.org/lkml/20211128041052.1395504-1-stefanb@linux.vnet.ibm.com/T/#m21209a978c237368499ce5f082f3c0fc03bcbbeb > > > Stefan > > On 11/29/21 18:39, Jarkko Sakkinen wrote: >> On Sat, Nov 27, 2021 at 11:10:51PM -0500, Stefan Berger wrote: >>> From: Stefan Berger <stefanb@linux.ibm.com> >>> >>> Determine an available PCR bank to be used by a test case by >>> querying the >>> capability TPM2_GET_CAP. The TPM2 returns TPML_PCR_SELECTIONS that >>> contains an array of TPMS_PCR_SELECTIONs indicating available PCR banks >>> and the bitmasks that show which PCRs are enabled in each bank. Collect >>> the data in a dictionary. From the dictionary determine the PCR bank >>> that >>> has the PCRs enabled that the test needs. This avoids test failures >>> with >>> TPM2's that either to not have a SHA-1 bank or whose SHA-1 bank is >>> disabled. >>> >>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >> Acked-by: Jarkko Sakkinen <jarkko@kernel.org> >> >> /Jarkko
On Thu, Jan 13, 2022 at 01:04:03PM -0500, Stefan Berger wrote: > Jarkko, > > can you take this patch 1/2? > > https://lore.kernel.org/lkml/20211128041052.1395504-1-stefanb@linux.vnet.ibm.com/T/#m21209a978c237368499ce5f082f3c0fc03bcbbeb > > Stefan Oops. Sorry, I missed your request at 23rd. Yes, we can for sure take that. I now tested by with SHA256 only configuration so: Tested-by: Jarkko Sakkinen <jarkko@kernel.org> I'm considering 5.17-rc2 pull request but want to leave the final decision to the time when it can be sent. If I'll make rc2 PR in the first place, I'll include this to the pull request. /Jarkko
On Sat, Jan 15, 2022 at 05:53:18PM +0200, Jarkko Sakkinen wrote: > On Thu, Jan 13, 2022 at 01:04:03PM -0500, Stefan Berger wrote: > > Jarkko, > > > > can you take this patch 1/2? > > > > https://lore.kernel.org/lkml/20211128041052.1395504-1-stefanb@linux.vnet.ibm.com/T/#m21209a978c237368499ce5f082f3c0fc03bcbbeb > > > > Stefan > > Oops. Sorry, I missed your request at 23rd. > > Yes, we can for sure take that. I now tested by with SHA256 only > configuration so: > > Tested-by: Jarkko Sakkinen <jarkko@kernel.org> > > I'm considering 5.17-rc2 pull rquest but want to leave the final > decision to the time when it can be sent. If I'll make rc2 PR in > the first place, I'll include this to the pull request. OK, it's now applied, thank you. BR, Jarkko
diff --git a/tools/testing/selftests/tpm2/tpm2.py b/tools/testing/selftests/tpm2/tpm2.py
index f34486cd7342..057a4f49c79d 100644
--- a/tools/testing/selftests/tpm2/tpm2.py
+++ b/tools/testing/selftests/tpm2/tpm2.py
@@ -56,6 +56,7 @@ TSS2_RESMGR_TPM_RC_LAYER = (11 << TSS2_RC_LAYER_SHIFT)
 TPM2_CAP_HANDLES = 0x00000001
 TPM2_CAP_COMMANDS = 0x00000002
+TPM2_CAP_PCRS = 0x00000005
 TPM2_CAP_TPM_PROPERTIES = 0x00000006
 TPM2_PT_FIXED = 0x100
@@ -712,3 +713,33 @@ class Client:
 pt += 1
 return handles
+
+ def get_cap_pcrs(self):
+ pcr_banks = {}
+
+ fmt = '>HII III'
+
+ cmd = struct.pack(fmt,
+ TPM2_ST_NO_SESSIONS,
+ struct.calcsize(fmt),
+ TPM2_CC_GET_CAPABILITY,
+ TPM2_CAP_PCRS, 0, 1)
+ rsp = self.send_cmd(cmd)[10:]
+ _, _, cnt = struct.unpack('>BII', rsp[:9])
+ rsp = rsp[9:]
+
+ # items are TPMS_PCR_SELECTION's
+ for i in range(0, cnt):
+ hash, sizeOfSelect = struct.unpack('>HB', rsp[:3])
+ rsp = rsp[3:]
+
+ pcrSelect = 0
+ if sizeOfSelect > 0:
+ pcrSelect, = struct.unpack('%ds' % sizeOfSelect,
+ rsp[:sizeOfSelect])
+ rsp = rsp[sizeOfSelect:]
+ pcrSelect = int.from_bytes(pcrSelect, byteorder='big')
+
+ pcr_banks[hash] = pcrSelect
+
+ return pcr_banks
diff --git a/tools/testing/selftests/tpm2/tpm2_tests.py b/tools/testing/selftests/tpm2/tpm2_tests.py
index 9d764306887b..e63a37819978 100644
--- a/tools/testing/selftests/tpm2/tpm2_tests.py
+++ b/tools/testing/selftests/tpm2/tpm2_tests.py
@@ -27,7 +27,17 @@ class SmokeTest(unittest.TestCase):
 result = self.client.unseal(self.root_key, blob, auth, None)
 self.assertEqual(data, result)
+ def determine_bank_alg(self, mask):
+ pcr_banks = self.client.get_cap_pcrs()
+ for bank_alg, pcrSelection in pcr_banks.items():
+ if pcrSelection & mask == mask:
+ return bank_alg
+ return None
+
 def test_seal_with_policy(self):
+ bank_alg = self.determine_bank_alg(1 << 16)
+ self.assertIsNotNone(bank_alg)
+
 handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
 data = ('X' * 64).encode()
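Review bot: `int.from_bytes(pcrSelect, byteorder='big')` in get_cap_pcrs appears to number the PCR bits the wrong way round for the masks determine_bank_alg later applies: as I read TPMS_PCR_SELECTION, PCR n is bit n%8 of pcrSelect[n/8], so with a 3-byte select a big-endian integer places PCRs 0-7 in bits 16-23 and `1 << 16` tests PCR 0 rather than PCR 16. This goes unnoticed when every PCR of a bank is enabled (the value is all ones), but a bank with PCR 16 disabled and PCR 0 enabled would still be chosen and the policy_pcr call later in the test would then fail. Converting with `int.from_bytes(pcrSelect, byteorder='little')` makes bit n of the value correspond to PCR n, matching the `1 << 16` and `1 << 1` masks used in the tpm2_tests.py hunks. Separately, the moreData and capability words unpacked as `_, _, cnt` are discarded, so a reply carrying a different capability or a truncated bank list is accepted silently; checking that the capability equals TPM2_CAP_PCRS and that the bytes consumed match `len(rsp)` would make the helper fail loudly instead. The enclosing class Client begins outside the hunk.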
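Review bot: determine_bank_alg has no docstring and its condition `if pcrSelection & mask == mask:` only works because Python binds `&` tighter than `==`, the opposite of C, which readers of kernel selftests are likely to assume. Writing it as `if (pcrSelection & mask) == mask:` costs nothing and removes the trap. A docstring along the lines of `"""Return the first PCR bank whose enabled-PCR bitmap covers every bit in mask, or None."""` would also record that, when several banks qualify, the choice follows dict insertion order, i.e. the order in which the TPM reported them. determine_bank_alg is fully within the hunk; the enclosing class SmokeTest starts outside it.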
@@ -35,7 +45,7 @@ class SmokeTest(unittest.TestCase):
 pcrs = [16]
 try:
- self.client.policy_pcr(handle, pcrs)
+ self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
 self.client.policy_password(handle)
 policy_dig = self.client.get_policy_digest(handle)
@@ -47,7 +57,7 @@ class SmokeTest(unittest.TestCase):
 handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
 try:
- self.client.policy_pcr(handle, pcrs)
+ self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
 self.client.policy_password(handle)
 result = self.client.unseal(self.root_key, blob, auth, handle)
@@ -72,6 +82,9 @@ class SmokeTest(unittest.TestCase):
 self.assertEqual(rc, tpm2.TPM2_RC_AUTH_FAIL)
 def test_unseal_with_wrong_policy(self):
+ bank_alg = self.determine_bank_alg(1 << 16 | 1 << 1)
+ self.assertIsNotNone(bank_alg)
+
 handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
 data = ('X' * 64).encode()
@@ -79,7 +92,7 @@ class SmokeTest(unittest.TestCase):
 pcrs = [16]
 try:
- self.client.policy_pcr(handle, pcrs)
+ self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
 self.client.policy_password(handle)
 policy_dig = self.client.get_policy_digest(handle)
@@ -91,13 +104,13 @@ class SmokeTest(unittest.TestCase):
 # Extend first a PCR that is not part of the policy and try to unseal.
 # This should succeed.
- ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
- self.client.extend_pcr(1, ('X' * ds).encode())
+ ds = tpm2.get_digest_size(bank_alg)
+ self.client.extend_pcr(1, ('X' * ds).encode(), bank_alg=bank_alg)
 handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
 try:
- self.client.policy_pcr(handle, pcrs)
+ self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
 self.client.policy_password(handle)
 result = self.client.unseal(self.root_key, blob, auth, handle)
@@ -109,14 +122,14 @@ class SmokeTest(unittest.TestCase):
 # Then, extend a PCR that is part of the policy and try to unseal.
 # This should fail.
- self.client.extend_pcr(16, ('X' * ds).encode())
+ self.client.extend_pcr(16, ('X' * ds).encode(), bank_alg=bank_alg)
 handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
 rc = 0
 try:
- self.client.policy_pcr(handle, pcrs)
+ self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
 self.client.policy_password(handle)
 result = self.client.unseal(self.root_key, blob, auth, handle)