diff mbox series

[v4,1/2] selftests: tpm2: Determine available PCR bank

Message ID 20211128041052.1395504-2-stefanb@linux.vnet.ibm.com (mailing list archive)
State Accepted
Commit 0d060f230fa06c32d91e67978a3088be9635848e
Headers show
Series selftests: tpm2: Determine available PCR bank | expand

Commit Message

Stefan Berger Nov. 28, 2021, 4:10 a.m. UTC
From: Stefan Berger <stefanb@linux.ibm.com>

Determine an available PCR bank to be used by a test case by querying the
capability TPM2_GET_CAP. The TPM2 returns TPML_PCR_SELECTIONS that
contains an array of TPMS_PCR_SELECTIONs indicating available PCR banks
and the bitmasks that show which PCRs are enabled in each bank. Collect
the data in a dictionary. From the dictionary determine the PCR bank that
has the PCRs enabled that the test needs. This avoids test failures with
TPM2's that either to not have a SHA-1 bank or whose SHA-1 bank is
disabled.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 tools/testing/selftests/tpm2/tpm2.py       | 31 ++++++++++++++++++++++
 tools/testing/selftests/tpm2/tpm2_tests.py | 29 ++++++++++++++------
 2 files changed, 52 insertions(+), 8 deletions(-)

Comments

Jarkko Sakkinen Nov. 29, 2021, 11:39 p.m. UTC | #1
On Sat, Nov 27, 2021 at 11:10:51PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
> 
> Determine an available PCR bank to be used by a test case by querying the
> capability TPM2_GET_CAP. The TPM2 returns TPML_PCR_SELECTIONS that
> contains an array of TPMS_PCR_SELECTIONs indicating available PCR banks
> and the bitmasks that show which PCRs are enabled in each bank. Collect
> the data in a dictionary. From the dictionary determine the PCR bank that
> has the PCRs enabled that the test needs. This avoids test failures with
> TPM2's that either to not have a SHA-1 bank or whose SHA-1 bank is
> disabled.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Acked-by: Jarkko Sakkinen <jarkko@kernel.org>

/Jarkko
Stefan Berger Dec. 24, 2021, 1:12 a.m. UTC | #2
Shuah,

   are you going to take this fix here - only 1/2 ?

https://lore.kernel.org/lkml/20211128041052.1395504-1-stefanb@linux.vnet.ibm.com/T/#m21209a978c237368499ce5f082f3c0fc03bcbbeb

   Stefan

On 11/29/21 18:39, Jarkko Sakkinen wrote:
> On Sat, Nov 27, 2021 at 11:10:51PM -0500, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@linux.ibm.com>
>>
>> Determine an available PCR bank to be used by a test case by querying the
>> capability TPM2_GET_CAP. The TPM2 returns TPML_PCR_SELECTIONS that
>> contains an array of TPMS_PCR_SELECTIONs indicating available PCR banks
>> and the bitmasks that show which PCRs are enabled in each bank. Collect
>> the data in a dictionary. From the dictionary determine the PCR bank that
>> has the PCRs enabled that the test needs. This avoids test failures with
>> TPM2's that either to not have a SHA-1 bank or whose SHA-1 bank is
>> disabled.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
>
> /Jarkko
Stefan Berger Jan. 13, 2022, 6:04 p.m. UTC | #3
Jarkko,

   can you take this patch 1/2?

  https://lore.kernel.org/lkml/20211128041052.1395504-1-stefanb@linux.vnet.ibm.com/T/#m21209a978c237368499ce5f082f3c0fc03bcbbeb

   Stefan


On 12/23/21 20:12, Stefan Berger wrote:
> Shuah,
>
>   are you going to take this fix here - only 1/2 ?
>
> https://lore.kernel.org/lkml/20211128041052.1395504-1-stefanb@linux.vnet.ibm.com/T/#m21209a978c237368499ce5f082f3c0fc03bcbbeb 
>
>
>   Stefan
>
> On 11/29/21 18:39, Jarkko Sakkinen wrote:
>> On Sat, Nov 27, 2021 at 11:10:51PM -0500, Stefan Berger wrote:
>>> From: Stefan Berger <stefanb@linux.ibm.com>
>>>
>>> Determine an available PCR bank to be used by a test case by 
>>> querying the
>>> capability TPM2_GET_CAP. The TPM2 returns TPML_PCR_SELECTIONS that
>>> contains an array of TPMS_PCR_SELECTIONs indicating available PCR banks
>>> and the bitmasks that show which PCRs are enabled in each bank. Collect
>>> the data in a dictionary. From the dictionary determine the PCR bank 
>>> that
>>> has the PCRs enabled that the test needs. This avoids test failures 
>>> with
>>> TPM2's that either to not have a SHA-1 bank or whose SHA-1 bank is
>>> disabled.
>>>
>>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
>>
>> /Jarkko
Jarkko Sakkinen Jan. 15, 2022, 3:53 p.m. UTC | #4
On Thu, Jan 13, 2022 at 01:04:03PM -0500, Stefan Berger wrote:
> Jarkko,
> 
>   can you take this patch 1/2?
> 
>  https://lore.kernel.org/lkml/20211128041052.1395504-1-stefanb@linux.vnet.ibm.com/T/#m21209a978c237368499ce5f082f3c0fc03bcbbeb
> 
>   Stefan

Oops. Sorry, I missed your request at 23rd.

Yes, we can for sure take that. I now tested by with SHA256 only
configuration so:

Tested-by: Jarkko Sakkinen <jarkko@kernel.org>

I'm considering 5.17-rc2 pull rquest but want to leave the final
decision to the time when it can be sent. If I'll make rc2 PR in
the first place, I'll include this to the pull request.

/Jarkko
Jarkko Sakkinen Jan. 15, 2022, 5:02 p.m. UTC | #5
On Sat, Jan 15, 2022 at 05:53:18PM +0200, Jarkko Sakkinen wrote:
> On Thu, Jan 13, 2022 at 01:04:03PM -0500, Stefan Berger wrote:
> > Jarkko,
> > 
> >   can you take this patch 1/2?
> > 
> >  https://lore.kernel.org/lkml/20211128041052.1395504-1-stefanb@linux.vnet.ibm.com/T/#m21209a978c237368499ce5f082f3c0fc03bcbbeb
> > 
> >   Stefan
> 
> Oops. Sorry, I missed your request at 23rd.
> 
> Yes, we can for sure take that. I now tested by with SHA256 only
> configuration so:
> 
> Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
> 
> I'm considering 5.17-rc2 pull rquest but want to leave the final
> decision to the time when it can be sent. If I'll make rc2 PR in
> the first place, I'll include this to the pull request.

OK, it's now applied, thank you.

BR, Jarkko
diff mbox series

Patch

diff --git a/tools/testing/selftests/tpm2/tpm2.py b/tools/testing/selftests/tpm2/tpm2.py
index f34486cd7342..057a4f49c79d 100644
--- a/tools/testing/selftests/tpm2/tpm2.py
+++ b/tools/testing/selftests/tpm2/tpm2.py
@@ -56,6 +56,7 @@  TSS2_RESMGR_TPM_RC_LAYER = (11 << TSS2_RC_LAYER_SHIFT)
 
 TPM2_CAP_HANDLES = 0x00000001
 TPM2_CAP_COMMANDS = 0x00000002
+TPM2_CAP_PCRS = 0x00000005
 TPM2_CAP_TPM_PROPERTIES = 0x00000006
 
 TPM2_PT_FIXED = 0x100
@@ -712,3 +713,33 @@  class Client:
             pt += 1
 
         return handles
+
+    def get_cap_pcrs(self):
+        pcr_banks = {}
+
+        fmt = '>HII III'
+
+        cmd = struct.pack(fmt,
+                          TPM2_ST_NO_SESSIONS,
+                          struct.calcsize(fmt),
+                          TPM2_CC_GET_CAPABILITY,
+                          TPM2_CAP_PCRS, 0, 1)
+        rsp = self.send_cmd(cmd)[10:]
+        _, _, cnt = struct.unpack('>BII', rsp[:9])
+        rsp = rsp[9:]
+
+        # items are TPMS_PCR_SELECTION's
+        for i in range(0, cnt):
+              hash, sizeOfSelect = struct.unpack('>HB', rsp[:3])
+              rsp = rsp[3:]
+
+              pcrSelect = 0
+              if sizeOfSelect > 0:
+                  pcrSelect, = struct.unpack('%ds' % sizeOfSelect,
+                                             rsp[:sizeOfSelect])
+                  rsp = rsp[sizeOfSelect:]
+                  pcrSelect = int.from_bytes(pcrSelect, byteorder='big')
+
+              pcr_banks[hash] = pcrSelect
+
+        return pcr_banks
diff --git a/tools/testing/selftests/tpm2/tpm2_tests.py b/tools/testing/selftests/tpm2/tpm2_tests.py
index 9d764306887b..e63a37819978 100644
--- a/tools/testing/selftests/tpm2/tpm2_tests.py
+++ b/tools/testing/selftests/tpm2/tpm2_tests.py
@@ -27,7 +27,17 @@  class SmokeTest(unittest.TestCase):
         result = self.client.unseal(self.root_key, blob, auth, None)
         self.assertEqual(data, result)
 
+    def determine_bank_alg(self, mask):
+        pcr_banks = self.client.get_cap_pcrs()
+        for bank_alg, pcrSelection in pcr_banks.items():
+            if pcrSelection & mask == mask:
+                return bank_alg
+        return None
+
     def test_seal_with_policy(self):
+        bank_alg = self.determine_bank_alg(1 << 16)
+        self.assertIsNotNone(bank_alg)
+
         handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
 
         data = ('X' * 64).encode()
@@ -35,7 +45,7 @@  class SmokeTest(unittest.TestCase):
         pcrs = [16]
 
         try:
-            self.client.policy_pcr(handle, pcrs)
+            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
             self.client.policy_password(handle)
 
             policy_dig = self.client.get_policy_digest(handle)
@@ -47,7 +57,7 @@  class SmokeTest(unittest.TestCase):
         handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
 
         try:
-            self.client.policy_pcr(handle, pcrs)
+            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
             self.client.policy_password(handle)
 
             result = self.client.unseal(self.root_key, blob, auth, handle)
@@ -72,6 +82,9 @@  class SmokeTest(unittest.TestCase):
         self.assertEqual(rc, tpm2.TPM2_RC_AUTH_FAIL)
 
     def test_unseal_with_wrong_policy(self):
+        bank_alg = self.determine_bank_alg(1 << 16 | 1 << 1)
+        self.assertIsNotNone(bank_alg)
+
         handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
 
         data = ('X' * 64).encode()
@@ -79,7 +92,7 @@  class SmokeTest(unittest.TestCase):
         pcrs = [16]
 
         try:
-            self.client.policy_pcr(handle, pcrs)
+            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
             self.client.policy_password(handle)
 
             policy_dig = self.client.get_policy_digest(handle)
@@ -91,13 +104,13 @@  class SmokeTest(unittest.TestCase):
         # Extend first a PCR that is not part of the policy and try to unseal.
         # This should succeed.
 
-        ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
-        self.client.extend_pcr(1, ('X' * ds).encode())
+        ds = tpm2.get_digest_size(bank_alg)
+        self.client.extend_pcr(1, ('X' * ds).encode(), bank_alg=bank_alg)
 
         handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
 
         try:
-            self.client.policy_pcr(handle, pcrs)
+            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
             self.client.policy_password(handle)
 
             result = self.client.unseal(self.root_key, blob, auth, handle)
@@ -109,14 +122,14 @@  class SmokeTest(unittest.TestCase):
 
         # Then, extend a PCR that is part of the policy and try to unseal.
         # This should fail.
-        self.client.extend_pcr(16, ('X' * ds).encode())
+        self.client.extend_pcr(16, ('X' * ds).encode(), bank_alg=bank_alg)
 
         handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
 
         rc = 0
 
         try:
-            self.client.policy_pcr(handle, pcrs)
+            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
             self.client.policy_password(handle)
 
             result = self.client.unseal(self.root_key, blob, auth, handle)