From d98ea00ae3b5c47d70d94ce41991efd4c23bc40e Mon Sep 17 00:00:00 2001
From: Juergen Repp
Date: Mon, 12 Feb 2024 20:14:03 +0100
Subject: [PATCH] FAPI: Addapt tests to usage of P_RSA3072 profile without sha1 bank.
* The test were a sha1 bank is needed are skippd.
* Policy usuage is adapted.
Signed-off-by: Juergen Repp
---
test/data/fapi/P_RSA3072.json | 107 ++++++++++++++++++
test/integration/fapi-data-crypt.int.c | 6 +-
test/integration/fapi-get-esys-blobs.int.c | 6 +
...-key-create-policy-authorize-nv-sign.int.c | 4 +-
...key-create-policy-authorize-pem-sign.int.c | 6 +-
.../fapi-key-create-policy-pcr-sign.int.c | 6 +-
...i-key-create-policy-signed-keyedhash.int.c | 2 +-
.../fapi-nv-authorizenv-cphash.int.c | 2 +-
test/integration/fapi-nv-extend.int.c | 4 +-
.../fapi-quote-destructive-eventlog.int.c | 8 ++
.../fapi-second-provisioning.int.c | 7 ++
test/integration/main-fapi.c | 43 +++++++
test/integration/test-fapi.h | 3 +
13 files changed, 190 insertions(+), 14 deletions(-)
create mode 100644 test/data/fapi/P_RSA3072.json
diff --git a/test/data/fapi/P_RSA3072.json b/test/data/fapi/P_RSA3072.json
new file mode 100644
index 000000000..50486c4c2
--- /dev/null
+++ b/test/data/fapi/P_RSA3072.json
@@ -0,0 +1,107 @@
+{
+ "type": "TPM2_ALG_RSA",
+ "nameAlg":"TPM2_ALG_SHA384",
+ "srk_template": "system,restricted,decrypt,0x81000001",
+ "srk_description": "Storage root key SRK",
+ "srk_persistent": 1,
+ "ek_template": "system,restricted,decrypt,user",
+ "ek_description": "Endorsement key EK",
+ "rsa_signing_scheme": {
+ "scheme":"TPM2_ALG_RSAPSS",
+ "details":{
+ "hashAlg":"TPM2_ALG_SHA384"
+ }
+ },
+ "rsa_decrypt_scheme": {
+ "scheme":"TPM2_ALG_OAEP",
+ "details":{
+ "hashAlg":"TPM2_ALG_SHA384"
+ }
+ },
+ "sym_mode":"TPM2_ALG_CFB",
+ "sym_parameters": {
+ "algorithm":"TPM2_ALG_AES",
+ "keyBits":"256",
+ "mode":"TPM2_ALG_CFB"
+ },
+ "sym_block_size": 16,
+ "pcr_selection": [
+ { "hash": "TPM2_ALG_SHA1",
+ "pcrSelect": [ ]
+ },
+ { "hash": "TPM2_ALG_SHA256",
+ "pcrSelect": [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
+ }
+ ],
+ "exponent": 0,
+ "keyBits": 3072,
+ "session_symmetric":{
+ "algorithm":"TPM2_ALG_AES",
+ "keyBits":"256",
+ "mode":"TPM2_ALG_CFB"
+ },
+ "ek_policy": {
+ "description": "Endorsement hierarchy used for policy secret.",
+ "policy":[
+ {
+ "type": "PolicyOR",
+ "branches": [
+ {
+ "name": "A",
+ "description": "",
+ "policy": [
+ {
+ "type":"POLICYSECRET",
+ "objectName": "4000000b"
+ }
+ ]
+ },
+ {
+ "name": "B",
+ "description": "",
+ "policy": [
+ {
+ "type":"AUTHORIZENV",
+ "nvPublic": {
+ "size": 60,
+ "nvPublic": {
+ "nvIndex": 29392642,
+ "nameAlg":"SHA384",
+ "attributes":{
+ "PPWRITE":0,
+ "OWNERWRITE":0,
+ "AUTHWRITE":0,
+ "POLICYWRITE":1,
+ "POLICY_DELETE":0,
+ "WRITELOCKED":0,
+ "WRITEALL":1,
+ "WRITEDEFINE":0,
+ "WRITE_STCLEAR":0,
+ "GLOBALLOCK":0,
+ "PPREAD":1,
+ "OWNERREAD":1,
+ "AUTHREAD":1,
+ "POLICYREAD":1,
+ "NO_DA":1,
+ "ORDERLY":0,
+ "CLEAR_STCLEAR":0,
+ "READLOCKED":0,
+ "WRITTEN":1,
+ "PLATFORMCREATE":0,
+ "READ_STCLEAR":0,
+ "TPM2_NT":"ORDINARY"
+ },
+ "authPolicy":"8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53",
+
"dataSize":50 + } + } + + } + ] + } + ] + } + ] + } + +} diff --git a/test/integration/fapi-data-crypt.int.c b/test/integration/fapi-data-crypt.int.c index 439e3522a..07437b62d 100644 --- a/test/integration/fapi-data-crypt.int.c +++ b/test/integration/fapi-data-crypt.int.c @@ -96,9 +96,11 @@ signatureCallback( UNUSED(publicKey); UNUSED(publicKeyHint); uint8_t *aux_signature = NULL; + size_t profile_len = strlen(FAPI_PROFILE); - if (strcmp(objectPath, "P_RSA/HS/SRK/myRsaCryptKey") != 0) { - return_error(TSS2_FAPI_RC_BAD_VALUE, "Unexpected path"); + if (strcmp(objectPath + profile_len, "/HS/SRK/myRsaCryptKey") || + strncmp(objectPath, "P_RSA", 5)) + return_error(TSS2_FAPI_RC_BAD_VALUE, "Unexpected path") { } if (userData != userDataTest) { diff --git a/test/integration/fapi-get-esys-blobs.int.c b/test/integration/fapi-get-esys-blobs.int.c index 77903f8c6..ef7f12c1f 100644 --- a/test/integration/fapi-get-esys-blobs.int.c +++ b/test/integration/fapi-get-esys-blobs.int.c @@ -72,6 +72,7 @@ auth_callback( * @param[in,out] context The FAPI_CONTEXT. * @retval EXIT_FAILURE * @retval EXIT_SUCCESS + * @retval EXIT_SKIP */ int test_fapi_get_esys_blobs(FAPI_CONTEXT *context) @@ -90,6 +91,11 @@ test_fapi_get_esys_blobs(FAPI_CONTEXT *context) ESYS_TR esys_handle; uint8_t type; + if (strncmp(FAPI_PROFILE,"P_ECC", 5)) { + LOG_WARNING("Profile %s is no ECC profile.", FAPI_PROFILE); + return EXIT_SKIP; + } + /* We need to reset the passwords again, in order to not brick physical TPMs */ r = Fapi_Provision(context, NULL, NULL, NULL); goto_if_error(r, "Error Fapi_Provision", error); diff --git a/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c b/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c index d31e1190a..47a131646 100644 --- a/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c +++ b/test/integration/fapi-key-create-policy-authorize-nv-sign.int.c 
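Review bot: In signatureCallback the suffix comparison `strcmp(objectPath + profile_len, ...)` runs before anything has established that objectPath is at least `strlen(FAPI_PROFILE)` bytes long, so a shorter path makes strcmp start reading past the string's terminator. Checking the profile prefix first guarantees the length before the offset is applied: `if (strncmp(objectPath, FAPI_PROFILE, profile_len) != 0 || strcmp(objectPath + profile_len, "/HS/SRK/myRsaCryptKey") != 0) {`. The new `return_error(...)` line has also lost its semicolon and now sits in front of the old `{ }` pair, which presumably compiles only because of how the macro expands; restoring the braced form of the removed lines would be clearer. The callback's body starts and ends outside the hunk.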
@@ -141,7 +141,7 @@ test_fapi_key_create_policy_authorize_nv(FAPI_CONTEXT *context) return EXIT_SKIP; } - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { if (snprintf(&extended_name[0], 1023, "%s_sha384", POLICY_AUTHORIZE_NV) < 0) { LOG_ERROR("snprint failed"); return EXIT_FAILURE; @@ -158,7 +158,7 @@ test_fapi_key_create_policy_authorize_nv(FAPI_CONTEXT *context) if (strcmp(FAPI_PROFILE, "P_ECC") == 0) { policy_nv_auth_size = 34; - } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { policy_nv_auth_size = 50; } else { LOG_ERROR("No appropriate policy file exists!"); diff --git a/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c b/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c index 87238e073..b17bf8e8c 100644 --- a/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c +++ b/test/integration/fapi-key-create-policy-authorize-pem-sign.int.c @@ -69,12 +69,12 @@ test_fapi_key_create_policy_authorize_pem_sign(FAPI_CONTEXT *context) if (strcmp(FAPI_PROFILE, "P_ECC") == 0) { policy_file_authorize = TOP_SOURCEDIR "/test/data/fapi/policy/pol_authorize_ecc_pem.json"; policy_file_pcr = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0_ecc_authorized.json"; - } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + } else if (strcmp(FAPI_PROFILE, "P_ECC384" ) == 0) { policy_file_authorize = TOP_SOURCEDIR "/test/data/fapi/policy/pol_authorize_ecc_pem_sha384.json"; policy_file_pcr = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0_ecc_authorized_sha384.json"; } else { - LOG_ERROR("Invalid profile for ECC test: %s", FAPI_PROFILE); - return EXIT_FAILURE; + LOG_ERROR("Profule can't be used for test: %s", FAPI_PROFILE); + return EXIT_SKIP; } #else policy_file_pcr = TOP_SOURCEDIR "/test/data/fapi/policy/pol_pcr16_0_rsa_authorized.json"; 
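Review bot: The condition `strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0` has become the de-facto "profile uses SHA-384" test and is copied here, in the second hunk of this file, and in the pcr-sign, signed-keyedhash, authorizenv-cphash and nv-extend tests. A small helper declared in test-fapi.h, for example `bool fapi_profile_uses_sha384(void);`, would keep the list of SHA-384 profiles in one place, so that a future profile cannot silently fall through to the SHA-256 policy files and digest expectations in one of these branches. The enclosing function extends beyond the hunk.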
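Review bot: In fapi-key-create-policy-authorize-pem-sign.int.c the fallback branch now returns EXIT_SKIP but still reports through LOG_ERROR, and the new message misspells "Profile". A skip is not a failure, so `LOG_WARNING("Profile can't be used for test: %s", FAPI_PROFILE);` would match the skip paths this commit adds in fapi-get-esys-blobs and fapi-second-provisioning. The stray space introduced in `"P_ECC384" )` can be dropped as well.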
diff --git a/test/integration/fapi-key-create-policy-pcr-sign.int.c b/test/integration/fapi-key-create-policy-pcr-sign.int.c index a74fef120..74eae0297 100644 --- a/test/integration/fapi-key-create-policy-pcr-sign.int.c +++ b/test/integration/fapi-key-create-policy-pcr-sign.int.c @@ -281,7 +281,7 @@ test_fapi_key_create_policy_pcr_sign(FAPI_CONTEXT *context) ASSERT(policy != NULL); LOG_INFO("\nTEST_JSON\nPolicy_sha256:\n%s\nEND_JSON", policy); - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { CHECK_JSON(policy, policy_sha384_check, error); } else { CHECK_JSON(policy, policy_sha256_check, error); @@ -296,7 +296,7 @@ test_fapi_key_create_policy_pcr_sign(FAPI_CONTEXT *context) goto_if_error(r, "Error Fapi_ExportPolicy", error); ASSERT(policy != NULL); LOG_INFO("\nTEST_JSON\nPolicy export1:\n%s\nEND_JSON", policy); - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { CHECK_JSON(policy, policy_sha384_export_check, error) } else { CHECK_JSON(policy, policy_sha256_export_check, error) @@ -427,7 +427,7 @@ test_fapi_key_create_policy_pcr_sign(FAPI_CONTEXT *context) goto_if_error(r, "Error Fapi_ExportPolicy", error); ASSERT(policy != NULL); - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0){ CHECK_JSON(policy, policy_sha384_check, error); } else { CHECK_JSON(policy, policy_sha256_check, error); diff --git a/test/integration/fapi-key-create-policy-signed-keyedhash.int.c b/test/integration/fapi-key-create-policy-signed-keyedhash.int.c index d38fed128..f9f4131d7 100644 --- a/test/integration/fapi-key-create-policy-signed-keyedhash.int.c +++ b/test/integration/fapi-key-create-policy-signed-keyedhash.int.c 
@@ -206,7 +206,7 @@ test_fapi_key_create_policy_signed(FAPI_CONTEXT *context) char *publicKey = NULL; char *certificate = NULL; - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { policy_name = "/policy/pol_signed_keyedhash_sha384"; policy_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_signed_keyedhash_sha384.json"; } else { diff --git a/test/integration/fapi-nv-authorizenv-cphash.int.c b/test/integration/fapi-nv-authorizenv-cphash.int.c index 4a297f34e..8ecb660b0 100644 --- a/test/integration/fapi-nv-authorizenv-cphash.int.c +++ b/test/integration/fapi-nv-authorizenv-cphash.int.c @@ -96,7 +96,7 @@ test_fapi_nv_authorizenv_cphash(FAPI_CONTEXT *context) r = Fapi_Provision(context, NULL, NULL, NULL); goto_if_error(r, "Error Fapi_Provision", error); - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { policy2_name = "/policy/pol_cphash_sha384"; policy2_file = TOP_SOURCEDIR "/test/data/fapi/policy/pol_cphash_sha384.json"; policy_nv_auth_size = 50; diff --git a/test/integration/fapi-nv-extend.int.c b/test/integration/fapi-nv-extend.int.c index dfe864682..04488d245 100644 --- a/test/integration/fapi-nv-extend.int.c +++ b/test/integration/fapi-nv-extend.int.c @@ -91,7 +91,7 @@ test_fapi_nv_extend(FAPI_CONTEXT *context) LOG_INFO("\nTEST_JSON\nLog:\n%s\nEND_JSON", log); char *fields_log1[] = { "0", "digests", "0", "digest" }; - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { CHECK_JSON_FIELDS(log, fields_log1, "c8ffec7d7d70c61b16adaab88925a1759b94cf6b50669b04aef1a8427fabb131eafbf9a21e3b8bddd9c5d5e7", error); 
@@ -120,7 +120,7 @@ test_fapi_nv_extend(FAPI_CONTEXT *context) LOG_INFO("\nTEST_JSON\nLog:\n%s\nEND_JSON", log); char *fields_log2[] = { "1", "digests", "0", "digest" }; - if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { + if (strcmp(FAPI_PROFILE, "P_ECC384") == 0 || strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { CHECK_JSON_FIELDS(log, fields_log2, "c8ffec7d7d70c61b16adaab88925a1759b94cf6b50669b04aef1a8427fabb131eafbf9a21e3b8bddd9c5d5e7", error); diff --git a/test/integration/fapi-quote-destructive-eventlog.int.c b/test/integration/fapi-quote-destructive-eventlog.int.c index 172234227..8ecd12c15 100644 --- a/test/integration/fapi-quote-destructive-eventlog.int.c +++ b/test/integration/fapi-quote-destructive-eventlog.int.c @@ -1001,6 +1001,7 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) size_t i; json_object *jso_log = NULL; json_object *jso_log2 = NULL; + bool sha1_bank_exists; uint8_t data[EVENT_SIZE] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; size_t signatureSize = 0; @@ -1010,6 +1011,13 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) return EXIT_SKIP; #endif + r = pcr_bank_sha1_exists(context, &sha1_bank_exists); + goto_if_error(r, "Test sha1 bank", error); + + if (!sha1_bank_exists) { + return EXIT_SKIP; + } + r = Fapi_Provision(context, NULL, NULL, NULL); goto_if_error(r, "Error Fapi_Provision", error); diff --git a/test/integration/fapi-second-provisioning.int.c b/test/integration/fapi-second-provisioning.int.c index 8651a26d4..fbc7d2b43 100644 --- a/test/integration/fapi-second-provisioning.int.c +++ b/test/integration/fapi-second-provisioning.int.c 
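Review bot: In test_fapi_quote_destructive the test returns EXIT_SKIP without logging anything when the SHA-1 bank is missing, unlike the other skips added in this commit. Judging by its name this test exercises quote and event-log handling, so a silent skip makes it easy to overlook that this coverage is absent for a profile; add `LOG_WARNING("SHA1 PCR bank not available, skipping test for profile %s.", FAPI_PROFILE);` before the return. The `goto error` on a failed probe also runs before Fapi_Provision, and the error label is outside the hunk, so it is worth confirming that its cleanup is safe on an unprovisioned context.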
@@ -63,6 +63,11 @@ test_fapi_test_second_provisioning(FAPI_CONTEXT *context) { TSS2_RC r; + if (strncmp(FAPI_PROFILE, "P_RSA", 5) == 0) { + LOG_WARNING("Default ECC profile needed for this test %s is used", FAPI_PROFILE); + return EXIT_SKIP; + } + /* We need to reset the passwords again, in order to not brick physical TPMs */ r = Fapi_Provision(context, PASSWORD, PASSWORD, NULL); goto_if_error(r, "Error Fapi_Provision", error); @@ -149,6 +154,8 @@ test_fapi_test_second_provisioning(FAPI_CONTEXT *context) rc = init_fapi("P_ECC", &context); } else if (strcmp(FAPI_PROFILE, "P_ECC384") == 0) { rc = init_fapi("P_ECC384", &context); + } else if (strcmp(FAPI_PROFILE, "P_RSA3072") == 0) { + rc = init_fapi("P_ECC384", &context); } else { LOG_ERROR("Profile %s not supported for this test!", FAPI_PROFILE); } diff --git a/test/integration/main-fapi.c b/test/integration/main-fapi.c index a0926f631..59b1913cd 100644 --- a/test/integration/main-fapi.c +++ b/test/integration/main-fapi.c 
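Review bot: The `P_RSA3072` branch added in the second hunk looks unreachable, because the first hunk already returns EXIT_SKIP for every profile that begins with `P_RSA` and the hunk headers place both in test_fapi_test_second_provisioning. Either drop the new `else if` or narrow the early skip; if the branch stays, add a comment explaining why an RSA profile re-initialises with `"P_ECC384"`. The warning text would read better as `"Profile %s is used, but this test needs an ECC profile."`.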
@@ -216,6 +216,49 @@ pcr_reset(FAPI_CONTEXT *context, UINT32 pcr) return r; } +TSS2_RC +pcr_bank_sha1_exists(FAPI_CONTEXT *context, bool *exists) +{ + TSS2_RC r; + TSS2_TCTI_CONTEXT *tcti; + ESYS_CONTEXT *esys; + TPML_PCR_SELECTION pcrSelectionIn = { + .count = 1, + .pcrSelections = { + { .hash = TPM2_ALG_SHA1, + .sizeofSelect = 3, + .pcrSelect = { 1, 0, 0} + }, + } + }; + UINT32 pcrUpdateCounter; + TPML_PCR_SELECTION *pcrSelectionOut = NULL; + TPML_DIGEST *pcrValues = NULL; + + r = Fapi_GetTcti(context, &tcti); + goto_if_error(r, "Error Fapi_GetTcti", error); + + r = Esys_Initialize(&esys, tcti, NULL); + goto_if_error(r, "Error Fapi_GetTcti", error); + + r = Esys_PCR_Read(esys, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, + &pcrSelectionIn, &pcrUpdateCounter, &pcrSelectionOut, &pcrValues); + goto_if_error(r, "Error: PCR_Read", error); + if (!pcrSelectionOut->pcrSelections[0].pcrSelect[0]) { + *exists = false; + } else { + *exists = true; + } + Esys_Finalize(&esys); + goto_if_error(r, "Error Eys_PCR_Reset", error); + +error: + SAFE_FREE(pcrSelectionOut); + SAFE_FREE(pcrValues); + return r; +} + + TSS2_RC pcr_extend(FAPI_CONTEXT *context, UINT32 pcr, TPML_DIGEST_VALUES *digest_values) { diff --git a/test/integration/test-fapi.h b/test/integration/test-fapi.h index 64fd972a0..69253fba4 100644 --- a/test/integration/test-fapi.h +++ b/test/integration/test-fapi.h @@ -139,6 +139,9 @@ extern char *fapi_profile; TSS2_RC pcr_extend(FAPI_CONTEXT *context, UINT32 pcr, TPML_DIGEST_VALUES *digest_values); +TSS2_RC +pcr_bank_sha1_exists(FAPI_CONTEXT *context, bool *exists); + TSS2_RC pcr_reset(FAPI_CONTEXT *context, UINT32 pcr);
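Review bot: pcr_bank_sha1_exists leaks the temporary ESYS context when Esys_PCR_Read fails, because `goto error` jumps over `Esys_Finalize(&esys)`. The `goto_if_error` after Esys_Finalize re-tests an unchanged `r` with the unrelated message "Error Eys_PCR_Reset", and the check after Esys_Initialize reports "Error Fapi_GetTcti". The result is read from `pcrSelections[0]` without looking at `pcrSelectionOut->count`; whether a TPM without the bank returns an empty list or an empty select mask is not visible here, so testing both is safer. A short comment on the function stating that it probes PCR 0 of the SHA-1 bank and leaves `*exists` untouched on error would help callers.

```c
pcr_bank_sha1_exists(FAPI_CONTEXT *context, bool *exists)
{
    /* … unchanged: declarations and Fapi_GetTcti call … */

    r = Esys_Initialize(&esys, tcti, NULL);
    goto_if_error(r, "Error Esys_Initialize", error);

    r = Esys_PCR_Read(esys, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                      &pcrSelectionIn, &pcrUpdateCounter, &pcrSelectionOut, &pcrValues);
    /* Release the temporary ESYS context on the failure path as well. */
    Esys_Finalize(&esys);
    goto_if_error(r, "Error: PCR_Read", error);

    /* The bank counts as present only if the TPM echoed PCR 0 back. */
    *exists = pcrSelectionOut->count > 0 &&
              pcrSelectionOut->pcrSelections[0].pcrSelect[0] != 0;

error:
    /* … unchanged: SAFE_FREE of pcrSelectionOut and pcrValues, return r … */
```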