FAPI: Addapt tests to usage of P_RSA3072 profile without sha1 bank.

* The test were a sha1 bank is needed are skippd. * Policy usuage is adapted. Signed-off-by: Juergen Repp <juergen_repp@web.de>
tpm2-software · Feb 13, 2024 · d98ea00 · d98ea00
1 parent 0a6e05d
commit d98ea00
Show file tree

Hide file tree

Showing 13 changed files with 190 additions and 14 deletions.
diff --git a/test/data/fapi/P_RSA3072.json b/test/data/fapi/P_RSA3072.json
@@ -0,0 +1,107 @@
+{
+    "type": "TPM2_ALG_RSA",
+    "nameAlg":"TPM2_ALG_SHA384",
+    "srk_template": "system,restricted,decrypt,0x81000001",
+    "srk_description": "Storage root key SRK",
+    "srk_persistent": 1,
+    "ek_template":  "system,restricted,decrypt,user",
+    "ek_description": "Endorsement key EK",
+    "rsa_signing_scheme": {
+        "scheme":"TPM2_ALG_RSAPSS",
+        "details":{
+            "hashAlg":"TPM2_ALG_SHA384"
+        }
+    },
+    "rsa_decrypt_scheme": {
+        "scheme":"TPM2_ALG_OAEP",
+        "details":{
+            "hashAlg":"TPM2_ALG_SHA384"
+        }
+    },
+    "sym_mode":"TPM2_ALG_CFB",
+    "sym_parameters": {
+        "algorithm":"TPM2_ALG_AES",
+        "keyBits":"256",
+        "mode":"TPM2_ALG_CFB"
+    },
+    "sym_block_size": 16,
+    "pcr_selection": [
+        { "hash": "TPM2_ALG_SHA1",
+          "pcrSelect": [ ]
+        },
+        { "hash": "TPM2_ALG_SHA256",
+          "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
+        }
+    ],
+    "exponent": 0,
+    "keyBits": 3072,
+    "session_symmetric":{
+        "algorithm":"TPM2_ALG_AES",
+        "keyBits":"256",
+        "mode":"TPM2_ALG_CFB"
+    },
+    "ek_policy": {
+        "description": "Endorsement hierarchy used for policy secret.",
+        "policy":[
+            {
+                "type": "PolicyOR",
+                "branches": [
+                    {
+                        "name": "A",
+                        "description": "",
+                        "policy": [
+                            {
+                                "type":"POLICYSECRET",
+                                "objectName": "4000000b"
+                            }
+                        ]
+                    },
+                    {
+                        "name": "B",
+                        "description": "",
+                        "policy": [
+                            {
+                                "type":"AUTHORIZENV",
+                                "nvPublic": {
+				    "size": 60,
+				    "nvPublic": {
+                                        "nvIndex": 29392642,
+                                        "nameAlg":"SHA384",
+                                        "attributes":{
+                                          "PPWRITE":0,
+                                          "OWNERWRITE":0,
+                                          "AUTHWRITE":0,
+                                          "POLICYWRITE":1,
+                                          "POLICY_DELETE":0,
+                                          "WRITELOCKED":0,
+                                          "WRITEALL":1,
+                                          "WRITEDEFINE":0,
+                                          "WRITE_STCLEAR":0,
+                                          "GLOBALLOCK":0,
+                                          "PPREAD":1,
+                                          "OWNERREAD":1,
+                                          "AUTHREAD":1,
+                                          "POLICYREAD":1,
+                                          "NO_DA":1,
+                                          "ORDERLY":0,
+                                          "CLEAR_STCLEAR":0,
+                                          "READLOCKED":0,
+                                          "WRITTEN":1,
+                                          "PLATFORMCREATE":0,
+                                          "READ_STCLEAR":0,
+                                          "TPM2_NT":"ORDINARY"
+                                        },
+                                        "authPolicy":"8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53",
+                                        "dataSize":50
+				    }
+	                        }
+
+                           }
+		        ]
+                    }
+                ]
+            }
+        ]
+    }
+
+}
diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c
@@ -96,9 +96,11 @@ signatureCallback(
     UNUSED(publicKey);
     UNUSED(publicKeyHint);
     uint8_t *aux_signature = NULL;
+    size_t profile_len = strlen(FAPI_PROFILE);
 
-    if (strcmp(objectPath, "P_RSA/HS/SRK/myRsaCryptKey") != 0) {
-        return_error(TSS2_FAPI_RC_BAD_VALUE, "Unexpected path");
+    if (strcmp(objectPath + profile_len, "/HS/SRK/myRsaCryptKey") ||
+        strncmp(objectPath, "P_RSA", 5))
+        return_error(TSS2_FAPI_RC_BAD_VALUE, "Unexpected path") {
     }
 
     if (userData != userDataTest) {

diff --git a/test/integration/fapi-get-esys-blobs.int.c b/test/integration/fapi-get-esys-blobs.int.c
@@ -72,6 +72,7 @@ auth_callback(
  * @param[in,out] context The FAPI_CONTEXT.
  * @retval EXIT_FAILURE
  * @retval EXIT_SUCCESS
+ * @retval EXIT_SKIP
  */
 int
 test_fapi_get_esys_blobs(FAPI_CONTEXT *context)
@@ -90,6 +91,11 @@ test_fapi_get_esys_blobs(FAPI_CONTEXT *context)
     ESYS_TR        esys_handle;
     uint8_t        type;
 
+    if (strncmp(FAPI_PROFILE,"P_ECC", 5)) {
+        LOG_WARNING("Profile %s is no ECC profile.", FAPI_PROFILE);
+        return EXIT_SKIP;
+    }
+
     /* We need to reset the passwords again, in order to not brick physical TPMs */
     r = Fapi_Provision(context, NULL, NULL, NULL);
     goto_if_error(r, "Error Fapi_Provision", error);

diff --git a/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c b/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c
@@ -141,7 +141,7 @@ test_fapi_key_create_policy_authorize_nv(FAPI_CONTEXT *context)
         return EXIT_SKIP;
     }
 
-    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) {
+    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) {
         if (snprintf(&extended_name[0], 1023, "%s_sha384", POLICY_AUTHORIZE_NV) < 0) {
             LOG_ERROR("snprint failed");
             return EXIT_FAILURE;
@@ -158,7 +158,7 @@ test_fapi_key_create_policy_authorize_nv(FAPI_CONTEXT *context)
 
      if (strcmp(FAPI_PROFILE, "P_ECC") == 0) {
         policy_nv_auth_size = 34;
-    } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) {
+    } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) {
         policy_nv_auth_size = 50;
     } else {
         LOG_ERROR("No appropriate policy file exists!");

diff --git a/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c b/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c
@@ -69,12 +69,12 @@ test_fapi_key_create_policy_authorize_pem_sign(FAPI_CONTEXT *context)
     if (strcmp(FAPI_PROFILE, "P_ECC") == 0) {
         policy_file_authorize = TOP_SOURCEDIR "/test/data/fapi/policy/pol_authorize_ecc_pem.json";
         policy_file_pcr = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0_ecc_authorized.json";
-    } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) {
+    } else if (strcmp(FAPI_PROFILE, "P_ECC384" ) == 0) {
         policy_file_authorize = TOP_SOURCEDIR "/test/data/fapi/policy/pol_authorize_ecc_pem_sha384.json";
         policy_file_pcr = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0_ecc_authorized_sha384.json";
     } else {
-        LOG_ERROR("Invalid profile for ECC test: %s", FAPI_PROFILE);
-        return EXIT_FAILURE;
+        LOG_ERROR("Profule can't be used for test: %s", FAPI_PROFILE);
+        return EXIT_SKIP;
     }
 #else
     policy_file_pcr = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0_rsa_authorized.json";

diff --git a/test/integration/fapi-key-create-policy-pcr-sign.int.c b/test/integration/fapi-key-create-policy-pcr-sign.int.c
@@ -281,7 +281,7 @@ test_fapi_key_create_policy_pcr_sign(FAPI_CONTEXT *context)
     ASSERT(policy != NULL);
     LOG_INFO("\nTEST_JSON\nPolicy_sha256:\n%s\nEND_JSON", policy);
 
-    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) {
+    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) {
         CHECK_JSON(policy, policy_sha384_check, error);
     } else {
         CHECK_JSON(policy, policy_sha256_check, error);
@@ -296,7 +296,7 @@ test_fapi_key_create_policy_pcr_sign(FAPI_CONTEXT *context)
     goto_if_error(r, "Error Fapi_ExportPolicy", error);
     ASSERT(policy != NULL);
     LOG_INFO("\nTEST_JSON\nPolicy export1:\n%s\nEND_JSON", policy);
-    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) {
+    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) {
         CHECK_JSON(policy, policy_sha384_export_check, error)
     } else {
         CHECK_JSON(policy, policy_sha256_export_check, error)
@@ -427,7 +427,7 @@ test_fapi_key_create_policy_pcr_sign(FAPI_CONTEXT *context)
     goto_if_error(r, "Error Fapi_ExportPolicy", error);
     ASSERT(policy != NULL);
 
-    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) {
+        if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0){
         CHECK_JSON(policy, policy_sha384_check, error);
     } else {
         CHECK_JSON(policy, policy_sha256_check, error);

diff --git a/test/integration/fapi-key-create-policy-signed-keyedhash.int.c b/test/integration/fapi-key-create-policy-signed-keyedhash.int.c
@@ -206,7 +206,7 @@ test_fapi_key_create_policy_signed(FAPI_CONTEXT *context)
     char    *publicKey = NULL;
     char    *certificate = NULL;
 
-    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) {
+    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) {
 	policy_name = "/policy/pol_signed_keyedhash_sha384";
         policy_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_signed_keyedhash_sha384.json";
     } else {

diff --git a/test/integration/fapi-nv-authorizenv-cphash.int.c b/test/integration/fapi-nv-authorizenv-cphash.int.c
@@ -96,7 +96,7 @@ test_fapi_nv_authorizenv_cphash(FAPI_CONTEXT *context)
     r = Fapi_Provision(context, NULL, NULL, NULL);
     goto_if_error(r, "Error Fapi_Provision", error);
 
-    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) {
+    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) {
         policy2_name = "/policy/pol_cphash_sha384";
         policy2_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_cphash_sha384.json";
         policy_nv_auth_size = 50;

diff --git a/test/integration/fapi-nv-extend.int.c b/test/integration/fapi-nv-extend.int.c
@@ -91,7 +91,7 @@ test_fapi_nv_extend(FAPI_CONTEXT *context)
     LOG_INFO("\nTEST_JSON\nLog:\n%s\nEND_JSON", log);
     char *fields_log1[] =  { "0", "digests", "0", "digest" };
 
-    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) {
+    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) {
         CHECK_JSON_FIELDS(log, fields_log1,
                           "c8ffec7d7d70c61b16adaab88925a1759b94cf6b50669b04aef1a8427fabb131eafbf9a21e3b8bddd9c5d5e7",
                           error);
@@ -120,7 +120,7 @@ test_fapi_nv_extend(FAPI_CONTEXT *context)
     LOG_INFO("\nTEST_JSON\nLog:\n%s\nEND_JSON", log);
     char *fields_log2[] =  { "1", "digests", "0", "digest" };
 
-    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) {
+    if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) {
         CHECK_JSON_FIELDS(log, fields_log2,
                           "c8ffec7d7d70c61b16adaab88925a1759b94cf6b50669b04aef1a8427fabb131eafbf9a21e3b8bddd9c5d5e7",
                           error);

diff --git a/test/integration/fapi-quote-destructive-eventlog.int.c b/test/integration/fapi-quote-destructive-eventlog.int.c
@@ -1001,6 +1001,7 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context)
     size_t i;
     json_object *jso_log = NULL;
     json_object *jso_log2 = NULL;
+    bool sha1_bank_exists;
 
     uint8_t data[EVENT_SIZE] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
     size_t signatureSize = 0;
@@ -1010,6 +1011,13 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context)
     return EXIT_SKIP;
     #endif
 
+    r = pcr_bank_sha1_exists(context, &sha1_bank_exists);
+    goto_if_error(r, "Test sha1 bank", error);
+
+    if (!sha1_bank_exists) {
+        return EXIT_SKIP;
+    }
+
     r = Fapi_Provision(context, NULL, NULL, NULL);
 
     goto_if_error(r, "Error Fapi_Provision", error);

diff --git a/test/integration/fapi-second-provisioning.int.c b/test/integration/fapi-second-provisioning.int.c
@@ -63,6 +63,11 @@ test_fapi_test_second_provisioning(FAPI_CONTEXT *context)
 {
     TSS2_RC r;
 
+    if (strncmp(FAPI_PROFILE, "P_RSA", 5) == 0) {
+        LOG_WARNING("Default ECC profile needed for this test %s is used", FAPI_PROFILE);
+        return EXIT_SKIP;
+    }
+
     /* We need to reset the passwords again, in order to not brick physical TPMs */
     r = Fapi_Provision(context, PASSWORD, PASSWORD, NULL);
     goto_if_error(r, "Error Fapi_Provision", error);
@@ -149,6 +154,8 @@ test_fapi_test_second_provisioning(FAPI_CONTEXT *context)
         rc = init_fapi("P_ECC", &context);
     } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) {
         rc = init_fapi("P_ECC384", &context);
+    } else if (strcmp(FAPI_PROFILE, "P_RSA3072") == 0) {
+        rc = init_fapi("P_ECC384", &context);
     } else {
         LOG_ERROR("Profile %s not supported for this test!", FAPI_PROFILE);
     }

diff --git a/test/integration/main-fapi.c b/test/integration/main-fapi.c
@@ -216,6 +216,49 @@ pcr_reset(FAPI_CONTEXT *context, UINT32 pcr)
     return r;
 }
 
+TSS2_RC
+pcr_bank_sha1_exists(FAPI_CONTEXT *context, bool *exists)
+{
+    TSS2_RC r;
+    TSS2_TCTI_CONTEXT *tcti;
+    ESYS_CONTEXT *esys;
+    TPML_PCR_SELECTION pcrSelectionIn = {
+        .count = 1,
+        .pcrSelections = {
+            { .hash = TPM2_ALG_SHA1,
+              .sizeofSelect = 3,
+              .pcrSelect = { 1, 0, 0}
+            },
+        }
+    };
+    UINT32 pcrUpdateCounter;
+    TPML_PCR_SELECTION *pcrSelectionOut = NULL;
+    TPML_DIGEST *pcrValues = NULL;
+
+    r = Fapi_GetTcti(context, &tcti);
+    goto_if_error(r, "Error Fapi_GetTcti", error);
+
+    r = Esys_Initialize(&esys, tcti, NULL);
+    goto_if_error(r, "Error Fapi_GetTcti", error);
+
+    r = Esys_PCR_Read(esys, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+        &pcrSelectionIn, &pcrUpdateCounter, &pcrSelectionOut, &pcrValues);
+    goto_if_error(r, "Error: PCR_Read", error);
+    if (!pcrSelectionOut->pcrSelections[0].pcrSelect[0]) {
+        *exists = false;
+    } else {
+        *exists = true;
+    }
+    Esys_Finalize(&esys);
+    goto_if_error(r, "Error Eys_PCR_Reset", error);
+
+error:
+    SAFE_FREE(pcrSelectionOut);
+    SAFE_FREE(pcrValues);
+    return r;
+}
+
+
 TSS2_RC
 pcr_extend(FAPI_CONTEXT *context, UINT32 pcr, TPML_DIGEST_VALUES *digest_values)
 {

diff --git a/test/integration/test-fapi.h b/test/integration/test-fapi.h
@@ -139,6 +139,9 @@ extern char *fapi_profile;
 TSS2_RC
 pcr_extend(FAPI_CONTEXT *context, UINT32 pcr, TPML_DIGEST_VALUES *digest_values);
 
+TSS2_RC
+pcr_bank_sha1_exists(FAPI_CONTEXT *context, bool *exists);
+
 TSS2_RC
 pcr_reset(FAPI_CONTEXT *context, UINT32 pcr);
-Original file line number
+Diff line change
@@ Expand Up / @@ -139,6 +139,9 @@ extern char *fapi_profile; @@
     TSS2_RC
     pcr_extend(FAPI_CONTEXT *context, UINT32 pcr, TPML_DIGEST_VALUES *digest_values);
+    TSS2_RC
+    pcr_bank_sha1_exists(FAPI_CONTEXT *context, bool *exists);
     TSS2_RC
     pcr_reset(FAPI_CONTEXT *context, UINT32 pcr);
@@ Expand Down @@