new file mode 100755
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -x
+
+##
+# We already created eksign.name and null.name, so check them first
+##
+${bindir}/attest_tpm2_primary --eksign --name ${testdir}/eksign.name || exit 1
+${bindir}/attest_tpm2_primary --eksign --name ${testdir}/null.name && exit 1
+${bindir}/attest_tpm2_primary --certify null --name ${testdir}/eksign.name ${testdir}/null.name || exit 1
+##
+# Run through certification of all the keys (already done null above
+##
+for h in owner endorsement platform; do
+ rm -f tmp.name
+ ${bindir}/attest_tpm2_primary -C ${h} -n ${testdir}/eksign.name -o > tmp.name || exit 1
+ ${bindir}/attest_tpm2_primary -C ${h} -n ${testdir}/eksign.name tmp.name || exit 1
+ ${bindir}/attest_tpm2_primary -C ${h} -n ${testdir}/eksign.name null.name && exit 1
+done
+##
+# attestation tests
+# 1. create both P-256 and RSA2048 attestation certs
+##
+openssl genrsa 2048 > ca.key || exit 1
+# several EK templates exist, so try RSA and EC for each
+for high in "" "-high"; do
+ for alg in "-rsa 2048" "-ecc nistp256"; do
+ tsscreateekcert ${high} ${alg} -cakey ca.key -of cert.der || exit 1
+ ${bindir}/attest_tpm2_primary --attest cert.der --name ${testdir}/eksign.name || exit 1
+ done
+done
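Review bot: The negative check on line 19 passes `null.name` from the working directory, while the file is written as `${testdir}/null.name` and line 11 reads it from there; because this command is expected to fail (`&& exit 1`), a missing input file also counts as a pass, so a certification against the wrong name is never actually exercised. Use `${bindir}/attest_tpm2_primary -C ${h} -n ${testdir}/eksign.name ${testdir}/null.name && exit 1`, matching the form already used on line 10. The comment on line 13 is also missing its closing parenthesis.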
@@ -2,8 +2,7 @@
# export the parent key as a EC and RSA public key
-prim=$(tsscreateprimary -ecc nistp256 -hi o -opem srk.pub | sed 's/Handle //') || exit 1
-tssflushcontext -ha ${prim} || exit 1
+${bindir}/attest_tpm2_primary --certify owner --name ${testdir}/eksign.name --file srk.pub || exit 1
prim=$(tsscreateprimary -rsa 2048 -hi o -opem srkrsa.pub | sed 's/Handle //') || exit 1
tssflushcontext -ha ${prim} || exit 1
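Review bot: Line 37 replaces an explicit `tsscreateprimary -ecc nistp256` with `attest_tpm2_primary --certify owner --file srk.pub`, so the key type of srk.pub now follows whatever template attest_tpm2_primary applies to the owner hierarchy rather than being pinned to P-256 in the test, while the comment on line 34 still says "EC". If the tool's owner template is P-256 this is fine, but it is worth stating, e.g. `# EC half: attest_tpm2_primary exports the owner primary (expected P-256) as srk.pub`. The RSA branch on lines 38–39 still uses tsscreateprimary directly, so a one-line comment on why the two paths differ would help the next reader.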
@@ -30,6 +30,7 @@ TESTS += ../check_curves.sh \
../check_locality.sh \
../check_secret_policies.sh \
../dynamic_engine.sh \
+ ../attestation.sh \
../stop_sw_tpm.sh
fail_connect.sh: tpm_server_found
@@ -53,6 +54,6 @@ AM_TESTS_ENVIRONMENT = TPM_INTERFACE_TYPE=socsim; export TPM_INTERFACE_TYPE; \
TEST_EXTENSIONS = .sh
-CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* fifo tss2.*
+CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* fifo tss2.* *.name
clean-local:
rm -fr testdir
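Review bot: The `*.name` pattern added on line 50 does not cover the other files attestation.sh leaves in the working directory: `ca.key` (a freshly generated private key) and `cert.der` from lines 25 and 29 of that script match none of the existing globs (`key*.der` does not match `cert.der`), so `make clean` leaves them behind. Extend the list, e.g. `CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* fifo tss2.* *.name ca.key cert.der`; the provider Makefile.am hunk on line 63 needs the same change. Note that eksign.name and null.name are created under ${testdir}, which clean-local already removes, and tmp.name is already covered by `tmp.*`, so `*.name` on its own may not be catching anything.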
@@ -31,6 +31,7 @@ TESTS += ../check_curves.sh \
../check_signed_policies.sh \
../check_locality.sh \
../check_secret_policies.sh \
+ ../attestation.sh \
../stop_sw_tpm.sh
fail_connect.sh: tpm_server_found
@@ -56,7 +57,7 @@ endif
TEST_EXTENSIONS = .sh
-CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* fifo tss2.*
+CLEANFILES = key*.tpm key*.pub key*.priv tmp.* NVChip h*.bin key*.der seal.* fifo tss2.* *.name
clean-local:
rm -fr testdir
@@ -48,8 +48,7 @@ for n in sha1 sha256 sha384; do
else
POLICYFILE="${testdir}/policies/policy_pcr${n}.txt"
fi
- prim=$(tsscreateprimary -hi o -st -ecc nistp256 -opem srk.pub | sed 's/Handle //') || exit 1
- tssflushcontext -ha $prim
+ ${bindir}/attest_tpm2_primary -C owner -n ${testdir}/eksign.name -f srk.pub || exit 1
TPM_INTERFACE_TYPE= echo $DATA | ${bindir}/seal_tpm2_data -n ${n} -a -k ${AUTH} --import srk.pub seal.tpm || exit 1;
${bindir}/unseal_tpm2_data -k ${AUTH} seal.tpm | grep -q "${DATA}" || exit 1;
rm seal.tpm
@@ -56,3 +56,5 @@ key=$(tsscreateprimary -hi o -st -rsa|sed 's/Handle //') && \
tssevictcontrol -hi o -ho ${key} -hp 81000001 && \
tssflushcontext -ha ${key}
+${bindir}/attest_tpm2_primary --ek > ${testdir}/eksign.name || exit 1
+${bindir}/attest_tpm2_primary --certify null --outname --name ${testdir}/eksign.name > ${testdir}/null.name || exit 1
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> --- tests/attestation.sh | 30 ++++++++++++++++++++++++++++++ tests/check_importable.sh | 3 +-- tests/engine/Makefile.am | 3 ++- tests/provider/Makefile.am | 3 ++- tests/seal_unseal.sh | 3 +-- tests/start_sw_tpm.sh | 2 ++ 6 files changed, 38 insertions(+), 6 deletions(-) create mode 100755 tests/attestation.sh