diff --git a/man/man8/swtpm_setup.pod b/man/man8/swtpm_setup.pod index 636e35d02..5ebbe18ed 100644 --- a/man/man8/swtpm_setup.pod +++ b/man/man8/swtpm_setup.pod @@ -205,7 +205,8 @@ The output may contain the following: "cmdarg-pwdfile-fd", "cmdarg-write-ek-cert-files", "cmdarg-create-config-files", - "cmdarg-reconfigure-pcr-banks", + "cmdarg-reconfigure-pcr-banks", + "creates-iak-idevid", "tpm2-rsa-keysize-2048", "tpm2-rsa-keysize-3072", "tpm12-not-need-root", @@ -242,6 +243,11 @@ The I<--create-config-files> option is supported. The I<--reconfigure> option is supported and allows the reconfiguration of the active PCR banks. +=item B (since v0.9) + +If I<--create-ek-cert> is given then it also creates IAK and IDevID +keys and certificates. + =item B (since v0.4) The shown RSA key sizes are supported for a TPM 2's EK key. If none of the @@ -311,6 +317,10 @@ systems this may be the case when a user is part of the 'tss' group. In this case it is recommended that the user replace the swtpm-localca.conf created with this command with a symbolic link to /etc/swtpm-localca.conf. +=item <--no-iak> (since v0.9) + +Do not create IAK and IDevID keys and certificates. + =item B<--help, -h> Display the help screen diff --git a/src/swtpm_setup/swtpm.c b/src/swtpm_setup/swtpm.c index 822215e86..d99a9ab40 100644 --- a/src/swtpm_setup/swtpm.c +++ b/src/swtpm_setup/swtpm.c @@ -385,6 +385,7 @@ static const struct swtpm_cops swtpm_cops = { #define TPM2_ALG_SHA3_512 0x0029 #define TPM2_ALG_NULL 0x0010 #define TPM2_ALG_SM3 0x0012 +#define TPM2_ALG_ECDSA 0x0018 #define TPM2_ALG_ECC 0x0023 #define TPM2_ALG_CFB 0x0043 @@ -414,6 +415,9 @@ static const struct swtpm_cops swtpm_cops = { #define TPM2_NV_INDEX_ECC_SECP384R1_HI_EKCERT 0x01c00016 #define TPM2_NV_INDEX_ECC_SECP384R1_HI_EKTEMPLATE 0x01c00017 +#define TPM2_NV_INDEX_IDEVID_SHA384 0x01c90011 +#define TPM2_NV_INDEX_IAK_SHA384 0x01c90019 + #define TPM2_EK_RSA_HANDLE 0x81010001 #define TPM2_EK_RSA3072_HANDLE 0x8101001c #define TPM2_EK_ECC_SECP384R1_HANDLE 0x81010016 @@ -1011,6 +1015,17 @@ static int swtpm_tpm2_createprimary_ecc(struct swtpm *self, uint32_t primaryhand tpmresp, &tpmresp_len, TPM2_DURATION_LONG); if (ret != 0) return 1; +#if 0 + { + size_t x; + for (x = 0; x < tpmresp_len; x++) { + if (x % 0x10 == 0) + printf("\n"); + printf("%02x ", tpmresp[x]); + } + printf("\n"); + } +#endif if (curr_handle) { if (tpmresp_len < 10 + sizeof(*curr_handle)) goto err_too_short; @@ -1083,6 +1098,83 @@ static int swtpm_tpm2_createprimary_spk_ecc_nist_p384(struct swtpm *self, NULL, 0, NULL, NULL); } +static int createprimary_iak_idevid_ecc_nist_p384(struct swtpm *self, + unsigned int keyflags, + const unsigned char *authpolicy, size_t authpolicy_len, + const unsigned char *id, size_t id_len, + size_t off, uint32_t *curr_handle, + gchar **keyparam, const gchar **key_description) +{ + const unsigned char symkeydata[] = {AS2BE(TPM2_ALG_NULL)}; + size_t symkeydata_len = sizeof(symkeydata); + const unsigned char schemedata[] = { + /* TPMS_ECC_PARAMS: TPMT_ECC_SCHEME .. TPMT_KDF_SCHEME */ + AS2BE(TPM2_ALG_ECDSA), + AS2BE(TPM2_ALG_SHA384), // hashAlg + AS2BE(TPM2_ECC_NIST_P384), // curveID + AS2BE(TPM2_ALG_NULL), // kdf->scheme + }; + size_t schemedata_len = sizeof(schemedata); + + return swtpm_tpm2_createprimary_ecc(self, TPM2_RH_ENDORSEMENT, keyflags, + symkeydata, symkeydata_len, + authpolicy, authpolicy_len, + schemedata, schemedata_len, + TPM2_ECC_NIST_P384, TPM2_ALG_SHA384, + id, id_len, off, curr_handle, + NULL, 0, keyparam, key_description); +} + +static int +swtpm_tpm2_createprimary_idevid_ecc_nist_p384(struct swtpm *self, + uint32_t *curr_handle, + gchar **keyparam, + const gchar **key_description) +{ + const unsigned char authpolicy[48] = { + /* table 19: signing */ + 0x4d, 0xb1, 0xaa, 0x83, 0x6d, 0x0b, 0x56, 0x15, 0xdf, 0x6e, 0xe5, 0x3a, + 0x40, 0xef, 0x70, 0xc6, 0x1c, 0x21, 0x7f, 0x43, 0x03, 0xd4, 0x46, 0x95, + 0x92, 0x59, 0x72, 0xbc, 0x92, 0x70, 0x06, 0xcf, 0xa5, 0xcb, 0xdf, 0x6d, + 0xc1, 0x8c, 0x4d, 0xbe, 0x32, 0x9b, 0x2f, 0x15, 0x42, 0xc3, 0xdd, 0x33 + }; + size_t authpolicy_len = sizeof(authpolicy); + // 7.3.4.1 keyflags: fixedTPM, fixedParent, sensitiveDataOrigin, userWithAuth, + // adminWithPolicy, sign + unsigned int keyflags = 0x000400f2; + const char id[2 + 6] = {AS2BE(6), 0x49, 0x44, 0x45, 0x56, 0x49, 0x44}; /* 7.3.1 Table 2*/ + size_t off = 0x58; + + return createprimary_iak_idevid_ecc_nist_p384(self, keyflags, authpolicy, authpolicy_len, + (const unsigned char *)id, sizeof(id), + off, curr_handle, keyparam, key_description); +} + +static int +swtpm_tpm2_createprimary_iak_ecc_nist_p384(struct swtpm *self, + uint32_t *curr_handle, + gchar **keyparam, + const gchar **key_description) +{ + const unsigned char authpolicy[48] = { + /* table 19: attestation */ + 0x12, 0x9d, 0x94, 0xeb, 0xf8, 0x45, 0x56, 0x65, 0x2c, 0x6e, 0xef, 0x43, + 0xbb, 0xb7, 0x57, 0x51, 0x2a, 0xc8, 0x7e, 0x52, 0xbe, 0x7b, 0x34, 0x9c, + 0xa6, 0xce, 0x4d, 0x82, 0x6f, 0x74, 0x9f, 0xcf, 0x67, 0x2f, 0x51, 0x71, + 0x6c, 0x5c, 0xbb, 0x60, 0x5f, 0x31, 0x3b, 0xf3, 0x45, 0xaa, 0xb3, 0x12 + }; + size_t authpolicy_len = sizeof(authpolicy); + // 7.3.4.1 keyflags: fixedTPM, fixedParent, sensitiveDataOrigin, userWithAuth, + // adminWithPolicy, restricted, sign + unsigned int keyflags = 0x000500f2; + const char id[2 + 3] = {AS2BE(3), 0x49, 0x41, 0x4b}; /* 7.3.1 Table 2 */ + size_t off = 0x58; + + return createprimary_iak_idevid_ecc_nist_p384(self, keyflags, authpolicy, authpolicy_len, + (const unsigned char *)id, sizeof(id), + off, curr_handle, keyparam, key_description); +} + static int swtpm_tpm2_createprimary_spk_rsa(struct swtpm *self, unsigned int rsa_keysize, uint32_t *curr_handle) { @@ -1138,6 +1230,35 @@ static int swtpm_tpm2_create_spk(struct swtpm *self, gboolean isecc, unsigned in return ret; } +static int swtpm_tpm2_create_iak(struct swtpm *self, gchar **ekparam, + const gchar **key_description) +{ + uint32_t curr_handle; + int ret; + + ret = swtpm_tpm2_createprimary_iak_ecc_nist_p384(self, &curr_handle, ekparam, + key_description); + if (ret != 0) + return 1; + + return swtpm_tpm2_flushcontext(self, curr_handle); +} + +static int swtpm_tpm2_create_idevid(struct swtpm *self, gchar **ekparam, + const gchar **key_description) +{ + uint32_t curr_handle; + int ret; + + ret = swtpm_tpm2_createprimary_idevid_ecc_nist_p384(self, &curr_handle, ekparam, + key_description); + if (ret != 0) + return 1; + + return swtpm_tpm2_flushcontext(self, curr_handle); +} + + /* Create an ECC EK key that may be allowed to sign and/or decrypt */ static int swtpm_tpm2_createprimary_ek_ecc_nist_p384(struct swtpm *self, gboolean allowsigning, gboolean decryption, uint32_t *curr_handle, @@ -1464,14 +1585,50 @@ static int swtpm_tpm2_write_platform_cert_nvram(struct swtpm *self, gboolean loc lock_nvram, "", "platform certificate"); } +static int swtpm_tpm2_write_iak_cert_nvram(struct swtpm *self, gboolean lock_nvram, + const unsigned char *data, size_t data_len) +{ + uint32_t nvindex = TPM2_NV_INDEX_IAK_SHA384; + uint32_t nvindexattrs = TPMA_NV_PLATFORMCREATE | + TPMA_NV_AUTHREAD | + TPMA_NV_OWNERREAD | + TPMA_NV_PPREAD | + TPMA_NV_PPWRITE | + TPMA_NV_NO_DA | + TPMA_NV_WRITEDEFINE; // FIXME: fix flags? + + return swtpm_tpm2_write_cert_nvram(self, nvindex, nvindexattrs, data, data_len, + lock_nvram, "", "IAK certificate"); +} + +static int swtpm_tpm2_write_idevid_cert_nvram(struct swtpm *self, gboolean lock_nvram, + const unsigned char *data, size_t data_len) +{ + uint32_t nvindex = TPM2_NV_INDEX_IDEVID_SHA384; + uint32_t nvindexattrs = TPMA_NV_PLATFORMCREATE | + TPMA_NV_AUTHREAD | + TPMA_NV_OWNERREAD | + TPMA_NV_PPREAD | + TPMA_NV_PPWRITE | + TPMA_NV_NO_DA | + TPMA_NV_WRITEDEFINE; // FIXME: fix flags? + + return swtpm_tpm2_write_cert_nvram(self, nvindex, nvindexattrs, data, data_len, + lock_nvram, "", "IDevID certificate"); +} + static const struct swtpm2_ops swtpm_tpm2_ops = { .shutdown = swtpm_tpm2_shutdown, + .create_iak = swtpm_tpm2_create_iak, + .create_idevid = swtpm_tpm2_create_idevid, .create_spk = swtpm_tpm2_create_spk, .create_ek = swtpm_tpm2_create_ek, .get_all_pcr_banks = swtpm_tpm2_get_all_pcr_banks, .set_active_pcr_banks = swtpm_tpm2_set_active_pcr_banks, .write_ek_cert_nvram = swtpm_tpm2_write_ek_cert_nvram, .write_platform_cert_nvram = swtpm_tpm2_write_platform_cert_nvram, + .write_iak_cert_nvram = swtpm_tpm2_write_iak_cert_nvram, + .write_idevid_cert_nvram = swtpm_tpm2_write_idevid_cert_nvram, }; /* diff --git a/src/swtpm_setup/swtpm.h b/src/swtpm_setup/swtpm.h index 2f81dce47..d1ce7cfcf 100644 --- a/src/swtpm_setup/swtpm.h +++ b/src/swtpm_setup/swtpm.h @@ -45,6 +45,8 @@ struct swtpm12_ops { /* TPM 2 specific ops */ struct swtpm2_ops { int (*shutdown)(struct swtpm *); + int (*create_iak)(struct swtpm *self, gchar **ekparam, const gchar **key_description); + int (*create_idevid)(struct swtpm *self, gchar **ekparam, const gchar **key_description); int (*create_spk)(struct swtpm *self, gboolean isecc, unsigned int rsa_keysize); int (*create_ek)(struct swtpm *self, gboolean isecc, unsigned int rsa_keysize, gboolean allowsigning, gboolean decryption, gboolean lock_nvram, @@ -56,6 +58,10 @@ struct swtpm2_ops { gboolean lock_nvram, const unsigned char *data, size_t data_len); int (*write_platform_cert_nvram)(struct swtpm *self, gboolean lock_nvram, const unsigned char *data, size_t data_len); + int (*write_iak_cert_nvram)(struct swtpm *self, gboolean lock_nvram, + const unsigned char *data, size_t data_len); + int (*write_idevid_cert_nvram)(struct swtpm *self, gboolean lock_nvram, + const unsigned char *data, size_t data_len); }; /* common structure for swtpm object */ diff --git a/src/swtpm_setup/swtpm_setup.c b/src/swtpm_setup/swtpm_setup.c index 895a09c2c..e9586c572 100644 --- a/src/swtpm_setup/swtpm_setup.c +++ b/src/swtpm_setup/swtpm_setup.c @@ -60,6 +60,8 @@ #define SETUP_DECRYPTION_F (1 << 14) #define SETUP_WRITE_EK_CERT_FILES_F (1 << 15) #define SETUP_RECONFIGURE_F (1 << 16) +#define SETUP_IAK_F (1 << 17) +#define SETUP_IDEVID_F (1 << 18) /* default configuration file */ #define SWTPM_SETUP_CONF "swtpm_setup.conf" @@ -77,6 +79,8 @@ static const struct flag_to_certfile { } flags_to_certfiles[] = { {.flag = SETUP_EK_CERT_F , .filename = "ek.cert", .type = "ek" }, {.flag = SETUP_PLATFORM_CERT_F, .filename = "platform.cert", .type = "platform" }, + {.flag = SETUP_IAK_F, .filename = "iak.cert", .type = "iak" }, + {.flag = SETUP_IDEVID_F, .filename = "idevid.cert", .type = "idevid" }, {.flag = 0, .filename = NULL, .type = NULL}, }; @@ -177,7 +181,8 @@ static int tpm_get_specs_and_attributes(struct swtpm *swtpm, gchar ***params) /* Call an external tool to create the certificates */ static int call_create_certs(unsigned long flags, unsigned int cert_flags, const gchar *configfile, const gchar *certsdir, - const gchar *ekparam, const gchar *vmid, struct swtpm *swtpm) + const gchar *key_params, const gchar *vmid, + const gchar *tpm_serial_num, struct swtpm *swtpm) { gchar **config_file_lines = NULL; /* must free */ g_autofree gchar *create_certs_tool = NULL; @@ -186,6 +191,7 @@ static int call_create_certs(unsigned long flags, unsigned int cert_flags, g_autofree gchar **cmd = NULL; gchar **params = NULL; /* must free */ g_autofree gchar *prgname = NULL; + const char *key_opt = "--key"; gboolean success; gint exit_status; size_t idx, j; @@ -221,10 +227,15 @@ static int call_create_certs(unsigned long flags, unsigned int cert_flags, NULL }, TRUE); } + + /* use the old --ek option when the ek is passed */ + if (cert_flags & (SETUP_EK_CERT_F | SETUP_PLATFORM_CERT_F)) + key_opt = "--ek"; + cmd = concat_arrays((gchar*[]) { create_certs_tool_path, "--type", "_", /* '_' must be at index '2' ! */ - "--ek", (gchar *)ekparam, + (gchar *)key_opt, (gchar *)key_params, "--dir", (gchar *)certsdir, NULL }, NULL, FALSE); @@ -237,6 +248,8 @@ static int call_create_certs(unsigned long flags, unsigned int cert_flags, cmd = concat_arrays(cmd, (gchar*[]){"--configfile", create_certs_tool_config, NULL}, TRUE); if (create_certs_tool_options != NULL) cmd = concat_arrays(cmd, (gchar*[]){"--optsfile", create_certs_tool_options, NULL}, TRUE); + if (tpm_serial_num) /* required for IAK & IDevID */ + cmd = concat_arrays(cmd, (gchar*[]){"--tpm-serial-num", (gchar *)tpm_serial_num, NULL}, TRUE); s = g_strrstr(create_certs_tool, G_DIR_SEPARATOR_S); if (s) @@ -370,6 +383,7 @@ static int tpm2_persist_certificate(unsigned long flags, const gchar *certsdir, g_autofree gchar *filecontent = NULL; g_autofree gchar *certfile = NULL; size_t filecontent_len; + gboolean preserve; int ret; ret = read_certificate_file(certsdir, ftc->filename, @@ -377,7 +391,15 @@ static int tpm2_persist_certificate(unsigned long flags, const gchar *certsdir, if (ret != 0) goto error_unlink; - if (ftc->flag == SETUP_EK_CERT_F) { + if (ftc->flag == SETUP_IAK_F) { + ret = swtpm2->ops->write_iak_cert_nvram(&swtpm2->swtpm, + !!(flags & SETUP_LOCK_NVRAM_F), + (const unsigned char*)filecontent, filecontent_len); + } else if (ftc->flag == SETUP_IDEVID_F) { + ret = swtpm2->ops->write_idevid_cert_nvram(&swtpm2->swtpm, + !!(flags & SETUP_LOCK_NVRAM_F), + (const unsigned char *)filecontent, filecontent_len); + } else if (ftc->flag == SETUP_EK_CERT_F) { ret = swtpm2->ops->write_ek_cert_nvram(&swtpm2->swtpm, !!(flags & SETUP_TPM2_ECC_F), rsa_keysize, !!(flags & SETUP_LOCK_NVRAM_F), @@ -391,7 +413,9 @@ static int tpm2_persist_certificate(unsigned long flags, const gchar *certsdir, if (ret != 0) goto error_unlink; - return certfile_move_or_delete(flags, !!(ftc->flag & SETUP_EK_CERT_F), + preserve = !!(ftc->flag & (SETUP_EK_CERT_F | SETUP_IAK_F | SETUP_IDEVID_F)); + + return certfile_move_or_delete(flags, preserve, certfile, user_certsdir, key_type, key_description); @@ -406,7 +430,7 @@ static int tpm2_create_ek_and_cert(unsigned long flags, const gchar *config_file unsigned int rsa_keysize, struct swtpm2 *swtpm2, const gchar *user_certsdir) { - g_autofree gchar *ekparam = NULL; + g_autofree gchar *key_params = NULL; const char *key_description; unsigned long cert_flags; const gchar *key_type; @@ -418,7 +442,7 @@ static int tpm2_create_ek_and_cert(unsigned long flags, const gchar *config_file !!(flags & SETUP_ALLOW_SIGNING_F), !!(flags & SETUP_DECRYPTION_F), !!(flags & SETUP_LOCK_NVRAM_F), - &ekparam, &key_description); + &key_params, &key_description); if (ret != 0) return 1; } @@ -426,8 +450,8 @@ static int tpm2_create_ek_and_cert(unsigned long flags, const gchar *config_file /* Only look at ek and platform certs here */ cert_flags = flags & (SETUP_EK_CERT_F | SETUP_PLATFORM_CERT_F); if (cert_flags) { - ret = call_create_certs(flags, cert_flags, config_file, certsdir, ekparam, - vmid, &swtpm2->swtpm); + ret = call_create_certs(flags, cert_flags, config_file, certsdir, key_params, + vmid, NULL, &swtpm2->swtpm); if (ret != 0) return 1; @@ -468,6 +492,54 @@ static int tpm2_create_eks_and_certs(unsigned long flags, const gchar *config_fi user_certsdir); } +/* Create the IAK and cert */ +static int tpm2_create_iak_idevid_and_certs(unsigned long flags, const gchar *config_file, + const gchar *certsdir, const char *vmid, + struct swtpm2 *swtpm2, const gchar *user_certsdir) +{ + g_autofree gchar *key_params = NULL; + const char *key_description; + const char *key_type = NULL; + unsigned long cert_flags; + size_t idx; + int ret; + + /* Only look at IAK and IDevID certs here */ + cert_flags = flags & (SETUP_IAK_F | SETUP_IDEVID_F); + if (!cert_flags) + return 0; + + for (idx = 0; flags_to_certfiles[idx].filename; idx++) { + if (cert_flags & flags_to_certfiles[idx].flag) { + + SWTPM_G_FREE(key_params); + + if (flags_to_certfiles[idx].flag == SETUP_IAK_F) { + key_type = "iak"; + ret = swtpm2->ops->create_iak(&swtpm2->swtpm, &key_params, &key_description); + } else if (flags_to_certfiles[idx].flag == SETUP_IDEVID_F) { + key_type = "idevid"; + ret = swtpm2->ops->create_idevid(&swtpm2->swtpm, &key_params, &key_description); + } + if (ret != 0) + return 1; + + ret = call_create_certs(flags, flags_to_certfiles[idx].flag, config_file, + certsdir, key_params, vmid, "TEST", &swtpm2->swtpm); + if (ret != 0) + return 1; + + ret = tpm2_persist_certificate(flags, certsdir, &flags_to_certfiles[idx], + 0, swtpm2, user_certsdir, + key_type, key_description); + if (ret) + return 1; + } + } + + return 0; +} + /* Get the default PCR banks from the config file and if nothing can be found there use the DEFAULT_PCR_BANKS #define. */ @@ -560,6 +632,11 @@ static int init_tpm2(unsigned long flags, gchar **swtpm_prg_l, const gchar *conf user_certsdir); if (ret != 0) goto destroy; + + ret = tpm2_create_iak_idevid_and_certs(flags, config_file, certsdir, vmid, + swtpm2, user_certsdir); + if (ret != 0) + goto destroy; } ret = tpm2_activate_pcr_banks(swtpm2, pcr_banks); @@ -652,7 +729,7 @@ static int tpm12_create_certs(unsigned long flags, const gchar *config_file, cert_flags = flags & (SETUP_EK_CERT_F | SETUP_PLATFORM_CERT_F); ret = call_create_certs(flags, cert_flags, config_file, certsdir, ekparam, - vmid, &swtpm12->swtpm); + vmid, NULL, &swtpm12->swtpm); if (ret != 0) return 1; @@ -961,6 +1038,8 @@ static void usage(const char *prgname, const char *default_config_file) " The active PCR banks can be changed but no new keys will\n" " be created.\n" "\n" + "--no-iak : Do not create IAK and IDevID keys and related certificates.\n" + "\n" "--version : Display version and exit\n" "\n" "--help,-h : Display this help screen\n\n", @@ -1104,7 +1183,7 @@ static int print_capabilities(char **swtpm_prg_l, gboolean swtpm_has_tpm12, printf("{ \"type\": \"swtpm_setup\", " "\"features\": [ %s%s\"cmdarg-keyfile-fd\", \"cmdarg-pwdfile-fd\", \"tpm12-not-need-root\"" ", \"cmdarg-write-ek-cert-files\", \"cmdarg-create-config-files\"" - ", \"cmdarg-reconfigure-pcr-banks\"" + ", \"cmdarg-reconfigure-pcr-banks\", \"cmdarg-no-iak\", \"creates-iak-idevid\"" "%s ], " "\"version\": \"" VERSION "\" " "}\n", @@ -1227,6 +1306,7 @@ int main(int argc, char *argv[]) {"version", no_argument, NULL, '1'}, {"print-capabilities", no_argument, NULL, 'y'}, {"reconfigure", no_argument, NULL, 'R'}, + {"no-iak", no_argument, NULL, 'n'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0} }; @@ -1267,6 +1347,7 @@ int main(int argc, char *argv[]) int fds_to_pass[1] = { -1 }; unsigned n_fds_to_pass = 0; char tmpbuffer[200]; + gboolean no_iak = FALSE; time_t now; struct tm *tm; int ret = 1; @@ -1438,6 +1519,9 @@ int main(int argc, char *argv[]) case 'R': /* --reconfigure */ flags |= SETUP_RECONFIGURE_F; break; + case 'n': /* --no-iak */ + no_iak = TRUE; + break; case '?': case 'h': /* --help */ usage(argv[0], config_file); @@ -1684,6 +1768,8 @@ int main(int argc, char *argv[]) error->message); goto error; } + if (!no_iak) + flags |= SETUP_IAK_F | SETUP_IDEVID_F; } if ((flags & SETUP_TPM2_F) == 0) { diff --git a/tests/_test_print_capabilities b/tests/_test_print_capabilities index cbf827097..d7cc00446 100755 --- a/tests/_test_print_capabilities +++ b/tests/_test_print_capabilities @@ -49,7 +49,7 @@ fi exp='\{ "type": "swtpm_setup", '\ '"features": \[ "tpm-1.2",( "tpm-2.0",)? "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", '\ '"tpm12-not-need-root", "cmdarg-write-ek-cert-files", "cmdarg-create-config-files", '\ -'"cmdarg-reconfigure-pcr-banks"'\ +'"cmdarg-reconfigure-pcr-banks", "cmdarg-no-iak", "creates-iak-idevid"'\ '(, "tpm2-rsa-keysize-2048")?(, "tpm2-rsa-keysize-3072")? \], '\ '"version": "[^"]*" \}' if ! [[ ${msg} =~ ${exp} ]]; then diff --git a/tests/_test_tpm2_print_capabilities b/tests/_test_tpm2_print_capabilities index caf322446..f289d961a 100755 --- a/tests/_test_tpm2_print_capabilities +++ b/tests/_test_tpm2_print_capabilities @@ -51,7 +51,8 @@ fi exp='\{ "type": "swtpm_setup", '\ '"features": \[( "tpm-1.2",)? "tpm-2.0", "cmdarg-keyfile-fd", "cmdarg-pwdfile-fd", '\ '"tpm12-not-need-root", "cmdarg-write-ek-cert-files", "cmdarg-create-config-files", '\ -'"cmdarg-reconfigure-pcr-banks"(, "tpm2-rsa-keysize-2048")?(, "tpm2-rsa-keysize-3072")?'\ +'"cmdarg-reconfigure-pcr-banks", "cmdarg-no-iak", "creates-iak-idevid"'\ +'(, "tpm2-rsa-keysize-2048")?(, "tpm2-rsa-keysize-3072")?'\ ' \], '\ '"version": "[^"]*" \}' if ! [[ ${msg} =~ ${exp} ]]; then diff --git a/tests/create_certs.sh b/tests/create_certs.sh index c3069d98a..9a87666b1 100755 --- a/tests/create_certs.sh +++ b/tests/create_certs.sh @@ -37,6 +37,12 @@ main() { platform) echo -n "platform" > ${dir}/platform.cert ;; + iak) + echo -n "iak" > ${dir}/iak.cert + ;; + idevid) + echo -n "idevid" > ${dir}/idevid.cert + ;; esac } diff --git a/tests/test_tpm2_swtpm_setup_create_cert b/tests/test_tpm2_swtpm_setup_create_cert index 323318451..f445598de 100755 --- a/tests/test_tpm2_swtpm_setup_create_cert +++ b/tests/test_tpm2_swtpm_setup_create_cert @@ -222,18 +222,22 @@ for pwdfile in "" "${PWDFILE}"; do exit 1 fi - certfile="${workdir}/ek-secp384r1.crt" - if [ ! -f "${certfile}" ]; then - echo "Error: EK file '${certfile}' was not written." - ls -l "${workdir}" - exit 1 - fi + for certfile in \ + "${workdir}/ek-secp384r1.crt" \ + "${workdir}/iak-secp384r1.crt" \ + "${workdir}/idevid-secp384r1.crt"; do + if [ ! -f "${certfile}" ]; then + echo "Error: Certificate file '${certfile}' was not written." + ls -l "${workdir}" + exit 1 + fi - if ! $CERTTOOL --inder --infile "${certfile}" -i | grep -q "384 bits"; then - echo "Error: EK file '${certfile}' is not an ECC 384 bit key." - $CERTTOOL --inder --infile "${certfile}" -i - exit 1 - fi + if ! $CERTTOOL --inder --infile "${certfile}" -i | grep -q "384 bits"; then + echo "Error: Certificate file '${certfile}' is not an ECC 384 bit key." + $CERTTOOL --inder --infile "${certfile}" -i + exit 1 + fi + done swtpm_setup_reconfigure "${workdir}" "${pwdfile}" done