LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH 0/2] selftests: tpm2: Probe for available PCR bank
@ 2021-11-22 19:17 Stefan Berger
  2021-11-22 19:17 ` [PATCH 1/2] selftests: tpm: " Stefan Berger
  2021-11-22 19:17 ` [PATCH 2/2] selftests: tpm2: Reset the dictionary attack lock Stefan Berger
  0 siblings, 2 replies; 6+ messages in thread
From: Stefan Berger @ 2021-11-22 19:17 UTC (permalink / raw)
  To: jarkko, linux-integrity; +Cc: peterhuewe, linux-kernel, Stefan Berger

This series of patches fixes two issues with TPM2 selftest.
- Probes for available PCR banks
- Resets DA lock on TPM2 to avoid subsequent test failures

  Stefan

Stefan Berger (2):
  selftests: tpm: Probe for available PCR bank
  selftests: tpm2: Reset the dictionary attack lock

 tools/testing/selftests/tpm2/tpm2_tests.py | 32 ++++++++++++++++------
 1 file changed, 24 insertions(+), 8 deletions(-)

-- 
2.31.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 1/2] selftests: tpm: Probe for available PCR bank
  2021-11-22 19:17 [PATCH 0/2] selftests: tpm2: Probe for available PCR bank Stefan Berger
@ 2021-11-22 19:17 ` Stefan Berger
  2021-11-23  8:13   ` Marc-André Lureau
  2021-11-24  7:28   ` Jarkko Sakkinen
  2021-11-22 19:17 ` [PATCH 2/2] selftests: tpm2: Reset the dictionary attack lock Stefan Berger
  1 sibling, 2 replies; 6+ messages in thread
From: Stefan Berger @ 2021-11-22 19:17 UTC (permalink / raw)
  To: jarkko, linux-integrity; +Cc: peterhuewe, linux-kernel, Stefan Berger

Probe for an available PCR bank to accommodate devices that do not have a
SHA-1 PCR bank or whose SHA-1 bank is deactivated.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 tools/testing/selftests/tpm2/tpm2_tests.py | 31 ++++++++++++++++------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/tools/testing/selftests/tpm2/tpm2_tests.py b/tools/testing/selftests/tpm2/tpm2_tests.py
index 9d764306887b..a569c8d0db08 100644
--- a/tools/testing/selftests/tpm2/tpm2_tests.py
+++ b/tools/testing/selftests/tpm2/tpm2_tests.py
@@ -27,7 +27,21 @@ class SmokeTest(unittest.TestCase):
         result = self.client.unseal(self.root_key, blob, auth, None)
         self.assertEqual(data, result)
 
+    def determine_bank_alg(self):
+        # Probe for available PCR bank
+        for bank_alg in [tpm2.TPM2_ALG_SHA1, tpm2.TPM2_ALG_SHA256]:
+            try:
+                handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
+                self.client.policy_pcr(handle, [17], bank_alg=bank_alg)
+                break
+            except tpm2.UnknownPCRBankError:
+                pass
+            finally:
+                self.client.flush_context(handle)
+        return bank_alg
+
     def test_seal_with_policy(self):
+        bank_alg = self.determine_bank_alg()
         handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
 
         data = ('X' * 64).encode()
@@ -35,7 +49,7 @@ class SmokeTest(unittest.TestCase):
         pcrs = [16]
 
         try:
-            self.client.policy_pcr(handle, pcrs)
+            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
             self.client.policy_password(handle)
 
             policy_dig = self.client.get_policy_digest(handle)
@@ -47,7 +61,7 @@ class SmokeTest(unittest.TestCase):
         handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
 
         try:
-            self.client.policy_pcr(handle, pcrs)
+            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
             self.client.policy_password(handle)
 
             result = self.client.unseal(self.root_key, blob, auth, handle)
@@ -72,6 +86,7 @@ class SmokeTest(unittest.TestCase):
         self.assertEqual(rc, tpm2.TPM2_RC_AUTH_FAIL)
 
     def test_unseal_with_wrong_policy(self):
+        bank_alg = self.determine_bank_alg()
         handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
 
         data = ('X' * 64).encode()
@@ -79,7 +94,7 @@ class SmokeTest(unittest.TestCase):
         pcrs = [16]
 
         try:
-            self.client.policy_pcr(handle, pcrs)
+            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
             self.client.policy_password(handle)
 
             policy_dig = self.client.get_policy_digest(handle)
@@ -91,13 +106,13 @@ class SmokeTest(unittest.TestCase):
         # Extend first a PCR that is not part of the policy and try to unseal.
         # This should succeed.
 
-        ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
-        self.client.extend_pcr(1, ('X' * ds).encode())
+        ds = tpm2.get_digest_size(bank_alg)
+        self.client.extend_pcr(1, ('X' * ds).encode(), bank_alg=bank_alg)
 
         handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
 
         try:
-            self.client.policy_pcr(handle, pcrs)
+            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
             self.client.policy_password(handle)
 
             result = self.client.unseal(self.root_key, blob, auth, handle)
@@ -109,14 +124,14 @@ class SmokeTest(unittest.TestCase):
 
         # Then, extend a PCR that is part of the policy and try to unseal.
         # This should fail.
-        self.client.extend_pcr(16, ('X' * ds).encode())
+        self.client.extend_pcr(16, ('X' * ds).encode(), bank_alg=bank_alg)
 
         handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
 
         rc = 0
 
         try:
-            self.client.policy_pcr(handle, pcrs)
+            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
             self.client.policy_password(handle)
 
             result = self.client.unseal(self.root_key, blob, auth, handle)
-- 
2.31.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 2/2] selftests: tpm2: Reset the dictionary attack lock
  2021-11-22 19:17 [PATCH 0/2] selftests: tpm2: Probe for available PCR bank Stefan Berger
  2021-11-22 19:17 ` [PATCH 1/2] selftests: tpm: " Stefan Berger
@ 2021-11-22 19:17 ` Stefan Berger
  2021-11-23  8:13   ` Marc-André Lureau
  1 sibling, 1 reply; 6+ messages in thread
From: Stefan Berger @ 2021-11-22 19:17 UTC (permalink / raw)
  To: jarkko, linux-integrity; +Cc: peterhuewe, linux-kernel, Stefan Berger

Reset the dictionary attack lock to avoid the following types of test
failures after running the test 2 times:

======================================================================
ERROR: test_unseal_with_wrong_policy (tpm2_tests.SmokeTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/linux-ima-namespaces/tools/testing/selftests/tpm2/tpm2_tests.py", line 105, in test_unseal_with_wrong_policy
    blob = self.client.seal(self.root_key, data, auth, policy_dig)
  File "/root/linux-ima-namespaces/tools/testing/selftests/tpm2/tpm2.py", line 620, in seal
    rsp = self.send_cmd(cmd)
  File "/root/linux-ima-namespaces/tools/testing/selftests/tpm2/tpm2.py", line 397, in send_cmd
    raise ProtocolError(cc, rc)
tpm2.ProtocolError: TPM_RC_LOCKOUT: cc=0x00000153, rc=0x00000921

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 tools/testing/selftests/tpm2/tpm2_tests.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/testing/selftests/tpm2/tpm2_tests.py b/tools/testing/selftests/tpm2/tpm2_tests.py
index a569c8d0db08..109ffd736c73 100644
--- a/tools/testing/selftests/tpm2/tpm2_tests.py
+++ b/tools/testing/selftests/tpm2/tpm2_tests.py
@@ -100,6 +100,7 @@ class SmokeTest(unittest.TestCase):
             policy_dig = self.client.get_policy_digest(handle)
         finally:
             self.client.flush_context(handle)
+            self.client.reset_da_lock()
 
         blob = self.client.seal(self.root_key, data, auth, policy_dig)
 
-- 
2.31.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/2] selftests: tpm: Probe for available PCR bank
  2021-11-22 19:17 ` [PATCH 1/2] selftests: tpm: " Stefan Berger
@ 2021-11-23  8:13   ` Marc-André Lureau
  2021-11-24  7:28   ` Jarkko Sakkinen
  1 sibling, 0 replies; 6+ messages in thread
From: Marc-André Lureau @ 2021-11-23  8:13 UTC (permalink / raw)
  To: Stefan Berger
  Cc: jarkko, linux-integrity, peterhuewe, Linux Kernel Mailing List

On Mon, Nov 22, 2021 at 11:18 PM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> Probe for an available PCR bank to accommodate devices that do not have a
> SHA-1 PCR bank or whose SHA-1 bank is deactivated.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> ---
>  tools/testing/selftests/tpm2/tpm2_tests.py | 31 ++++++++++++++++------
>  1 file changed, 23 insertions(+), 8 deletions(-)
>
> diff --git a/tools/testing/selftests/tpm2/tpm2_tests.py b/tools/testing/selftests/tpm2/tpm2_tests.py
> index 9d764306887b..a569c8d0db08 100644
> --- a/tools/testing/selftests/tpm2/tpm2_tests.py
> +++ b/tools/testing/selftests/tpm2/tpm2_tests.py
> @@ -27,7 +27,21 @@ class SmokeTest(unittest.TestCase):
>          result = self.client.unseal(self.root_key, blob, auth, None)
>          self.assertEqual(data, result)
>
> +    def determine_bank_alg(self):
> +        # Probe for available PCR bank
> +        for bank_alg in [tpm2.TPM2_ALG_SHA1, tpm2.TPM2_ALG_SHA256]:
> +            try:
> +                handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
> +                self.client.policy_pcr(handle, [17], bank_alg=bank_alg)
> +                break
> +            except tpm2.UnknownPCRBankError:
> +                pass
> +            finally:
> +                self.client.flush_context(handle)
> +        return bank_alg
> +
>      def test_seal_with_policy(self):
> +        bank_alg = self.determine_bank_alg()
>          handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
>
>          data = ('X' * 64).encode()
> @@ -35,7 +49,7 @@ class SmokeTest(unittest.TestCase):
>          pcrs = [16]
>
>          try:
> -            self.client.policy_pcr(handle, pcrs)
> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>              self.client.policy_password(handle)
>
>              policy_dig = self.client.get_policy_digest(handle)
> @@ -47,7 +61,7 @@ class SmokeTest(unittest.TestCase):
>          handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
>
>          try:
> -            self.client.policy_pcr(handle, pcrs)
> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>              self.client.policy_password(handle)
>
>              result = self.client.unseal(self.root_key, blob, auth, handle)
> @@ -72,6 +86,7 @@ class SmokeTest(unittest.TestCase):
>          self.assertEqual(rc, tpm2.TPM2_RC_AUTH_FAIL)
>
>      def test_unseal_with_wrong_policy(self):
> +        bank_alg = self.determine_bank_alg()
>          handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
>
>          data = ('X' * 64).encode()
> @@ -79,7 +94,7 @@ class SmokeTest(unittest.TestCase):
>          pcrs = [16]
>
>          try:
> -            self.client.policy_pcr(handle, pcrs)
> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>              self.client.policy_password(handle)
>
>              policy_dig = self.client.get_policy_digest(handle)
> @@ -91,13 +106,13 @@ class SmokeTest(unittest.TestCase):
>          # Extend first a PCR that is not part of the policy and try to unseal.
>          # This should succeed.
>
> -        ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
> -        self.client.extend_pcr(1, ('X' * ds).encode())
> +        ds = tpm2.get_digest_size(bank_alg)
> +        self.client.extend_pcr(1, ('X' * ds).encode(), bank_alg=bank_alg)
>
>          handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
>
>          try:
> -            self.client.policy_pcr(handle, pcrs)
> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>              self.client.policy_password(handle)
>
>              result = self.client.unseal(self.root_key, blob, auth, handle)
> @@ -109,14 +124,14 @@ class SmokeTest(unittest.TestCase):
>
>          # Then, extend a PCR that is part of the policy and try to unseal.
>          # This should fail.
> -        self.client.extend_pcr(16, ('X' * ds).encode())
> +        self.client.extend_pcr(16, ('X' * ds).encode(), bank_alg=bank_alg)
>
>          handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
>
>          rc = 0
>
>          try:
> -            self.client.policy_pcr(handle, pcrs)
> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>              self.client.policy_password(handle)
>
>              result = self.client.unseal(self.root_key, blob, auth, handle)
> --
> 2.31.1
>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 2/2] selftests: tpm2: Reset the dictionary attack lock
  2021-11-22 19:17 ` [PATCH 2/2] selftests: tpm2: Reset the dictionary attack lock Stefan Berger
@ 2021-11-23  8:13   ` Marc-André Lureau
  0 siblings, 0 replies; 6+ messages in thread
From: Marc-André Lureau @ 2021-11-23  8:13 UTC (permalink / raw)
  To: Stefan Berger
  Cc: jarkko, linux-integrity, peterhuewe, Linux Kernel Mailing List

On Mon, Nov 22, 2021 at 11:18 PM Stefan Berger <stefanb@linux.ibm.com> wrote:
>
> Reset the dictionary attack lock to avoid the following types of test
> failures after running the test 2 times:
>
> ======================================================================
> ERROR: test_unseal_with_wrong_policy (tpm2_tests.SmokeTest)
> ----------------------------------------------------------------------
> Traceback (most recent call last):
>   File "/root/linux-ima-namespaces/tools/testing/selftests/tpm2/tpm2_tests.py", line 105, in test_unseal_with_wrong_policy
>     blob = self.client.seal(self.root_key, data, auth, policy_dig)
>   File "/root/linux-ima-namespaces/tools/testing/selftests/tpm2/tpm2.py", line 620, in seal
>     rsp = self.send_cmd(cmd)
>   File "/root/linux-ima-namespaces/tools/testing/selftests/tpm2/tpm2.py", line 397, in send_cmd
>     raise ProtocolError(cc, rc)
> tpm2.ProtocolError: TPM_RC_LOCKOUT: cc=0x00000153, rc=0x00000921
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>


> ---
>  tools/testing/selftests/tpm2/tpm2_tests.py | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/tools/testing/selftests/tpm2/tpm2_tests.py b/tools/testing/selftests/tpm2/tpm2_tests.py
> index a569c8d0db08..109ffd736c73 100644
> --- a/tools/testing/selftests/tpm2/tpm2_tests.py
> +++ b/tools/testing/selftests/tpm2/tpm2_tests.py
> @@ -100,6 +100,7 @@ class SmokeTest(unittest.TestCase):
>              policy_dig = self.client.get_policy_digest(handle)
>          finally:
>              self.client.flush_context(handle)
> +            self.client.reset_da_lock()
>
>          blob = self.client.seal(self.root_key, data, auth, policy_dig)
>
> --
> 2.31.1
>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/2] selftests: tpm: Probe for available PCR bank
  2021-11-22 19:17 ` [PATCH 1/2] selftests: tpm: " Stefan Berger
  2021-11-23  8:13   ` Marc-André Lureau
@ 2021-11-24  7:28   ` Jarkko Sakkinen
  1 sibling, 0 replies; 6+ messages in thread
From: Jarkko Sakkinen @ 2021-11-24  7:28 UTC (permalink / raw)
  To: Stefan Berger, linux-integrity; +Cc: peterhuewe, linux-kernel

On Mon, 2021-11-22 at 14:17 -0500, Stefan Berger wrote:
> Probe for an available PCR bank to accommodate devices that do not have a
> SHA-1 PCR bank or whose SHA-1 bank is deactivated.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

1. I don't understand what the patch does by reading this description.
2. linux-kselftest missing.

/Jarkko

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-11-24  7:28 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-22 19:17 [PATCH 0/2] selftests: tpm2: Probe for available PCR bank Stefan Berger
2021-11-22 19:17 ` [PATCH 1/2] selftests: tpm: " Stefan Berger
2021-11-23  8:13   ` Marc-André Lureau
2021-11-24  7:28   ` Jarkko Sakkinen
2021-11-22 19:17 ` [PATCH 2/2] selftests: tpm2: Reset the dictionary attack lock Stefan Berger
2021-11-23  8:13   ` Marc-André Lureau

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).