lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1571945046.11756.5.camel@linux.ibm.com>
Date:   Thu, 24 Oct 2019 15:24:06 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc:     David Howells <dhowells@...hat.com>, Petr Vorel <pvorel@...e.cz>,
        shuah <shuah@...nel.org>,
        James Bottomley <James.Bottomley@...senPartnership.com>,
        linux-integrity@...r.kernel.org, linux-kselftest@...r.kernel.org,
        linux-kernel@...r.kernel.org, Eric Biggers <ebiggers@...nel.org>
Subject: Re: [PATCH v1] selftest/trustedkeys: TPM 1.2 trusted keys test

Hi Jarkko,

Please note that I'm seeing "add_key: Timer expired" frequently.  This
is something new.  I have no idea if this is a new TPM or keys
regression.

Mimi


On Thu, 2019-10-24 at 15:14 -0400, Mimi Zohar wrote:
> Create, save and load trusted keys test
> 
> Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com>
> 
> Change log v1:
> - Replace the directions for using Trousers to take ownership of the TPM
> with directions for using the IBM TSS.
> - Differentiate between different types of errors.  Recent bug is causing
> "add_key: Timer expired".
> ---
>  tools/testing/selftests/tpm2/Makefile            |   2 +-
>  tools/testing/selftests/tpm2/test_trustedkeys.sh | 109 +++++++++++++++++++++++
>  2 files changed, 110 insertions(+), 1 deletion(-)
>  create mode 100755 tools/testing/selftests/tpm2/test_trustedkeys.sh
> 
> diff --git a/tools/testing/selftests/tpm2/Makefile b/tools/testing/selftests/tpm2/Makefile
> index 1a5db1eb8ed5..055bf62510b5 100644
> --- a/tools/testing/selftests/tpm2/Makefile
> +++ b/tools/testing/selftests/tpm2/Makefile
> @@ -1,5 +1,5 @@
>  # SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
>  include ../lib.mk
>  
> -TEST_PROGS := test_smoke.sh test_space.sh
> +TEST_PROGS := test_smoke.sh test_space.sh test_trustedkey.sh
>  TEST_PROGS_EXTENDED := tpm2.py tpm2_tests.py
> diff --git a/tools/testing/selftests/tpm2/test_trustedkeys.sh b/tools/testing/selftests/tpm2/test_trustedkeys.sh
> new file mode 100755
> index 000000000000..dc7df7467670
> --- /dev/null
> +++ b/tools/testing/selftests/tpm2/test_trustedkeys.sh
> @@ -0,0 +1,109 @@
> +#!/bin/sh
> +
> +VERBOSE="${VERBOSE:-1}"
> +TRUSTEDKEY1="$(mktemp -u XXXX).blob"
> +TRUSTEDKEY2="$(mktemp -u XXXX).blob"
> +ERRMSG="$(mktemp -u XXXX)"
> +trap "echo PRETRAP" SIGINT SIGTERM SIGTSTP
> +trap "{ rm -f $TRUSTEDKEY1 $TRUSTEDKEY2 $ERRMSG; }" EXIT
> +
> +log_info()
> +{
> +        [ $VERBOSE -ne 0 ] && echo "[INFO] $1"
> +}
> +
> +# The ksefltest framework requirement returns 0 for PASS.
> +log_pass()
> +{
> +        [ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
> +        exit 0
> +}
> +
> +# The ksefltest framework requirement returns 1 for FAIL.
> +log_fail()
> +{
> +        [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
> +        exit 1
> +}
> +
> +# The ksefltest framework requirement returns 4 for SKIP.
> +log_skip()
> +{
> +        [ $VERBOSE -ne 0 ] && echo "$1"
> +        exit 4
> +}
> +
> +is_tpm1()
> +{
> +	local pcrs_path="/sys/class/tpm/tpm0/device/pcrs"
> +	if [ ! -f "$pcrs_path" ]; then
> +		pcrs_path="/sys/class/misc/tpm0/device/pcrs"
> +	fi
> +
> +	if [ ! -f "$pcrs_path" ]; then
> +		log_skip "TPM 1.2 chip not found"
> +	fi
> +}
> +
> +takeownership_info()
> +{
> +	log_info "creating trusted key failed, probably requires taking TPM ownership:"
> +	which tss1oiap > /dev/null 2>&1 || \
> +		log_info "    tss1oiap not found, install IBM TSS"
> +
> +	log_info "    export TPM_DEVICE=/dev/tpm0"
> +	log_info "    export TPM_ENCRYPT_SESSIONS=0"
> +
> +	log_info "    OIAP=\$(tss1oiap | cut -d' ' -f 2)"
> +	log_info "    tss1takeownership -se0 \$OIAP 0"
> +	log_fail "creating trusted key"
> +}
> +
> +test_trustedkey()
> +{
> +	#local keyid="$(keyctl add trusted kmk-test "new 64" @u)" &> $ERRMSG
> +	local keyid="$(keyctl add trusted kmk-test "new 64" @u 2> $ERRMSG)"
> +
> +	grep -E -q "add_key: Operation not permitted" $ERRMSG
> +	if [ $? -eq 0 ]; then
> +		takeownership_info
> +	fi
> +
> +	grep -E -q "add_key: " $ERRMSG
> +	if [ $? -eq 0 ]; then
> +		log_info "`cat ${ERRMSG}`"
> +		log_fail "creating trusted key"
> +	fi
> +	
> +	if [ -z "$keyid" ]; then
> +		log_fail "creating trusted key failed"
> +	fi
> +	log_info "creating trusted key succeeded"
> +
> +	# save newly created trusted key and remove from keyring
> +	keyctl pipe "$keyid" > "$TRUSTEDKEY1"
> +	keyctl unlink "$keyid" &> /dev/null
> +
> +	keyid=$(keyctl add trusted kmk-test "load `cat $TRUSTEDKEY1`" @u)
> +	if [ $? -eq 0 ]; then
> +		log_info "loading trusted key succeeded"
> +	else
> +		log_fail "loading trusted key failed"
> +	fi
> +
> +	# save loaded trusted key and remove from keyring again
> +	keyctl pipe "$keyid" > "$TRUSTEDKEY2"
> +	keyctl unlink "$keyid" &> /dev/null
> +
> +	# compare trusted keys
> +	diff "$TRUSTEDKEY1" "$TRUSTEDKEY2" &> /dev/null
> +	ret=$?
> +	if [ $ret -eq 0 ]; then
> +		log_pass "trusted key test succeeded"
> +	else
> +		log_fail "trusted key test failed"
> +	fi
> +}
> +
> +is_tpm1
> +test_trustedkey

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ