

test_case: update tpm cmd test case
1, add non-active test case about platform auth
2, remove some cases that require platform auth

Signed-off-by: Ceping Sun <[email protected]>
sunceping committed Jul 11, 2024
1 parent d2ec464 commit a045075
Showing 1 changed file with 57 additions and 50 deletions.
107 changes: 57 additions & 50 deletions sh_script/integration_test.py
Expand Up @@ -1816,17 +1816,40 @@ def test_stress_test_reset_user_td():

ctx.terminate_all_tds()

def test_non_active_tpm_cmd_case():
# Platform Auth is not allowed in OS
# run a tpm cmd with platform auth (not unique)
cmd_non_active_platform_auth = [
f'tpm2_clear -c p', ## platform auth is not allowed in OS, should return TPM Error.
f'tpm2_changeeps', ## this command requires platform auth, platform auth is not allowed in OS.
f'tpm2_changepps' ## this command requires platform auth, platform auth is not allowed in OS.
]

with vtpm_context() as ctx:
ctx.start_vtpm_td()
ctx.execute_qmp()
ctx.start_user_td(with_guest_kernel=True)
ctx.connect_ssh()
for cmd in cmd_non_active_platform_auth:
LOG.debug(cmd)
runner = ctx.exec_ssh_command(cmd,encodingtype='ISO-8859-1')
print(cmd)
if runner[1] != "":
if "TPM Error" not in runner[1]:
assert False
ctx.terminate_all_tds()

def test_tpm_cmd_with_vtpm():
"""
1. Create TDVM with vTPM device - vTPM TD and user TD should be running
2. Run all tpm commands (Tpm2 Command Coverage 91/99 ~ 91.9%):
tpm2_activatecredential
tpm2_activatecredential --> Already tested, not test in this case
tpm2_certify
tpm2_certifycreation
tpm2_certifyX509certutil --> not test in this case
tpm2_changeauth
tpm2_changeeps
tpm2_changepps
tpm2_changeeps --> premission denied, platform auth is not allowed in os.
tpm2_changepps --> premission denied, platform auth is not allowed in os..
tpm2_checkquote
tpm2_clear
tpm2_clearcontrol
Expand All @@ -1843,7 +1866,7 @@ def test_tpm_cmd_with_vtpm():
tpm2_ecdhzgen
tpm2_ecephemeral
tpm2_encryptdecrypt
tpm2_eventlog --> not test in this case
tpm2_eventlog --> Already tested, not test in this case
tpm2_evictcontrol
tpm2_flushcontext
tpm2_getcap
Expand All @@ -1861,19 +1884,19 @@ def test_tpm_cmd_with_vtpm():
tpm2_incrementalselftest
tpm2_load
tpm2_loadexternal
tpm2_makecredential
tpm2_makecredential --> Already tested, not test in this case
tpm2_nvcertify
tpm2_nvdefine
tpm2_nvextend
tpm2_nvincrement
tpm2_nvread
tpm2_nvreadlock
tpm2_nvreadpublic
tpm2_nvreadpublic --> Already tested, not test in this case
tpm2_nvsetbits
tpm2_nvundefine
tpm2_nvwrite
tpm2_nvwritelock
tpm2_pcrallocate
tpm2_pcrallocate --> premission denied, platform auth is not allowed in os.
tpm2_pcrevent
tpm2_pcrextend
tpm2_pcrread
Expand All @@ -1893,13 +1916,13 @@ def test_tpm_cmd_with_vtpm():
tpm2_policypassword
tpm2_policypcr
tpm2_policyrestart
tpm2_policysecret
tpm2_policysecret --> Already tested, not test in this case
tpm2_policysigned
tpm2_policytemplate
tpm2_policyticket --> not ready
tpm2_print
tpm2_quote
tpm2_rc_decode --> not test in this case
tpm2_rc_decode --> not ready
tpm2_readclock
tpm2_readpublic
tpm2_rsadecrypt
Expand Down Expand Up @@ -1940,20 +1963,6 @@ def test_tpm_cmd_with_vtpm():
f'tpm2_dictionarylockout --setup-parameters --max-tries=4294967295 --clear-lockout'
]

## can use tpm2_getcap properties-variable to check the value
cmd_set_and_clear_authorization_list = [
f'tpm2_changeauth -c owner newpass',
f'tpm2_clockrateadjust -p newpass ss',
f'tpm2_changeauth -c endorsement newpass',
f'tpm2_changeauth -c lockout newpass',
f'tpm2_clear -c p'
]

cmd_change_seed_list = [
f'tpm2_changeeps',
f'tpm2_changepps'
]

cmd_checkquote_list = [
f'tpm2_createek -c 0x81010001 -G rsa -u ekpub.pem -f pem',
f'tpm2_createak -C 0x81010001 -c ak.ctx -G rsa -s rsassa -g sha256 \
Expand All @@ -1965,8 +1974,8 @@ def test_tpm_cmd_with_vtpm():

## can use tpm2_getcap properties-variable to check the "disableClear"
cmd_clearcontrl_list = [
f'tpm2_clearcontrol -C l s',
f'tpm2_clearcontrol -C p c'
f'tpm2_clearcontrol -C l s'
# f'tpm2_clearcontrol -C p c'## platform auth is not allowed in OS
]

cmd_commit_list = [
Expand Down Expand Up @@ -2038,13 +2047,6 @@ def test_tpm_cmd_with_vtpm():
f'tpm2_hash -C e -g sha256 -o hash.bin -t ticket.bin data.txt'
]

cmd_hierarchycontrol_list = [
f'tpm2_hierarchycontrol -C p shEnable clear',
f'tpm2_getcap properties-variable', ##check the value 'shEnable'
f'tpm2_hierarchycontrol -C p shEnable set',
f'tpm2_getcap properties-variable'
]

cmd_hmac_list = [
f'tpm2_createprimary -c primary.ctx',
f'tpm2_create -C primary.ctx -G hmac -c hmac.key',
Expand Down Expand Up @@ -2125,13 +2127,8 @@ def test_tpm_cmd_with_vtpm():
]

cmd_pcr_list = [
f'tpm2_pcrallocate sha256:all',
f'tpm2_pcrread sha256',
f'tpm2_pcrextend 23:sha256=b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c ',#pcr 23 no-empty
f'tpm2_pcrreset 23',#pcr 23 empty , can only reset pcr 16 and 23
f'echo "foo" > data',
f'tpm2_pcrevent 8 data',
f'tpm2_pcrread sha256:8'
f'tpm2_pcrreset 23'#pcr 23 empty , can only reset pcr 16 and 23
]


Expand Down Expand Up @@ -2310,13 +2307,6 @@ def test_tpm_cmd_with_vtpm():
f'tpm2_print -t ESYS_TR primary.tr'
]

cmd_tpm2_clock_list = [
f'tpm2_changeauth -c owner newpass',
f'tpm2_setclock -p newpass 13673142',
f'tpm2_readclock',
f'tpm2_clear -c p'
]

cmd_tpm2_rsaencrypt_decrypt_list = [
f'tpm2_createprimary -c primary.ctx',
f'tpm2_create -C primary.ctx -Grsa2048 -u key.pub -r key.priv',
Expand Down Expand Up @@ -2382,15 +2372,32 @@ def test_tpm_cmd_with_vtpm():
f'tpm2_import -C parent.ctx -G ecc -i private.ecc.pem -u key.pub -r key.priv'
]

cmd_tpm2_clock_list = [
f'tpm2_changeauth -c owner newpass',
f'tpm2_setclock -p newpass 13673142',
f'tpm2_readclock'
]

## can use tpm2_getcap properties-variable to check the value
cmd_set_and_clear_authorization_list = [
f'tpm2_changeauth -c owner newpass',
f'tpm2_clockrateadjust -p newpass ss',
f'tpm2_clear -c l'
]

cmd_hierarchycontrol_list = [
f'tpm2_hierarchycontrol -C o shEnable clear -P newpass',##
f'tpm2_getcap properties-variable' ##check the value 'shEnable'
# f'tpm2_hierarchycontrol -C o shEnable set',## Only platform hierarchy handle can be specified for SET 'shEnable' bit
# f'tpm2_getcap properties-variable' ##
]

cmd_list = [
cmd_policyauthorize_nv_list,
cmd_certify_list,
cmd_certifycreation_list,
cmd_tpm2_dictionarylockout_list,
cmd_set_and_clear_authorization_list,
cmd_change_seed_list,
cmd_checkquote_list,
cmd_clearcontrl_list,
cmd_commit_list,
Expand All @@ -2401,7 +2408,6 @@ def test_tpm_cmd_with_vtpm():
cmd_get_data_list,
cmd_getsessionauditdigest_list,
cmd_gettime_list,
cmd_hierarchycontrol_list,
cmd_hmac_list,
cmd_tpm_test_list,
cmd_loadexternal_list,
Expand All @@ -2428,7 +2434,6 @@ def test_tpm_cmd_with_vtpm():
cmd_policysigned_list,
cmd_tpm2_policytemplate_list,
cmd_tpm2_print_list,
cmd_tpm2_clock_list,
cmd_tpm2_rsaencrypt_decrypt_list,
cmd_tpm2_sessionconfig_list,
cmd_tpm2_setcommandauditstatus_list,
Expand All @@ -2437,7 +2442,9 @@ def test_tpm_cmd_with_vtpm():
cmd_unsea_list,
cmd_tpm2_sign_list,
cmd_tpm2_send_list,
cmd_tpm2_import_list
cmd_tpm2_import_list,
cmd_tpm2_clock_list,
cmd_hierarchycontrol_list
]

cmd_mktest = f'rm -rf test_tpm_cmd && mkdir test_tpm_cmd && pushd test_tpm_cmd'
Expand Down Expand Up @@ -2466,4 +2473,4 @@ def test_tpm_cmd_with_vtpm():
assert False
ctx.exec_ssh_command(cmd_clear_file)
ctx.execute_qmp(is_create=False)
ctx.terminate_all_tds()
ctx.terminate_all_tds()
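Review bot: In `test_non_active_tpm_cmd_case` the guard `if runner[1] != "":` skips the assertion whenever the second element of the result is empty, so a `tpm2_clear -c p`, `tpm2_changeeps` or `tpm2_changepps` that completes without error output (platform authorization being accepted from the guest OS) still lets the test pass. Assuming `runner[1]` is the command's stderr (the return shape of `exec_ssh_command` is not visible on this page), the test should require the rejection instead: `assert "TPM Error" in runner[1], f"{cmd} was not rejected"`. That also replaces the bare `assert False`, which gives no indication of which command broke the expectation. If the helper exposes an exit status, asserting that it is non-zero would be a stricter check than matching a substring of the output.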
