From 6a78aa7094eb97ce679638c433bcf0b727767467 Mon Sep 17 00:00:00 2001 From: Andreas Fuchs Date: Wed, 31 Jul 2024 11:28:42 +0200 Subject: [PATCH] Test: Add pre and post check for PCR16 to be empty The test harness for integration tests now check before and after every integration test invocation if PCR16 is empty to begin but also after the test. Signed-off-by: Andreas Fuchs --- test/integration/test-common.c | 80 +++++++++++++++++++++++++++++++++- 1 file changed, 79 insertions(+), 1 deletion(-) diff --git a/test/integration/test-common.c b/test/integration/test-common.c index bc459569a..8b87737a2 100644 --- a/test/integration/test-common.c +++ b/test/integration/test-common.c @@ -4,6 +4,8 @@ * * All rights reserved. ***********************************************************************/ +#include "tss2_sys.h" + #ifdef HAVE_CONFIG_H #include "config.h" // IWYU pragma: keep #endif @@ -44,7 +46,7 @@ struct { }; struct tpm_state { - TPMS_CAPABILITY_DATA capabilities[7]; + TPMS_CAPABILITY_DATA capabilities[sizeof(capabilities_to_dump) / sizeof(capabilities_to_dump[0])]; }; /** Define a proxy tcti that returns yielded on every second invocation @@ -235,6 +237,40 @@ transient_empty(TSS2_SYS_CONTEXT *sys_ctx) return EXIT_SUCCESS; } +int +pcr16_empty(TSS2_SYS_CONTEXT *sys_ctx) +{ + TSS2_RC rc; + TPML_DIGEST pcr_values = { 0 }; + TPML_PCR_SELECTION pcr_selection = { .count=1, .pcrSelections = { { .hash = TPM2_ALG_SHA256, .sizeofSelect = 3, .pcrSelect = { 0 } } } }; + pcr_selection.pcrSelections[0].pcrSelect[(16 / 8)] = 1 << (16 % 8); + + do { + rc = Tss2_Sys_PCR_Read(sys_ctx, NULL, + &pcr_selection, NULL, NULL, + &pcr_values, + NULL); + } while (rc == TPM2_RC_YIELDED); // TODO also for other cmds? + if (rc != TSS2_RC_SUCCESS) { + LOG_ERROR("TPM2_PCR_Read failed: 0x%" PRIx32, rc); + return EXIT_ERROR; + } + + if (pcr_values.count != 1) { + LOG_ERROR("TPM2_PCR_Read for PCR 16 in SHA256 did not return a value"); + } + + for (UINT16 i = 0; i < pcr_values.digests[0].size; i++) { + if (pcr_values.digests[0].buffer[i] != 0x00) { + LOGBLOB_ERROR(&pcr_values.digests[0].buffer[0], pcr_values.digests[0].size, + "PCR 16 in SHA256 is not 0x000..000"); + return EXIT_ERROR; + } + } + + return EXIT_SUCCESS; +} + int dumpstate(TSS2_SYS_CONTEXT *sys_ctx, tpm_state *state_first, bool compare) { @@ -390,6 +426,13 @@ test_sys_checks_pre(TSS2_TEST_SYS_CONTEXT *test_ctx) return ret; } + LOG_DEBUG("Running System API pre-test checks: pcr16 empty"); + ret = pcr16_empty(test_ctx->sys_ctx); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("PCR16 is not empty"); + return ret; + } + return EXIT_SUCCESS; } @@ -398,6 +441,13 @@ test_sys_checks_post(TSS2_TEST_SYS_CONTEXT *test_ctx) { int ret; + LOG_DEBUG("Running System API pre-test checks: transient handles empty"); + ret = transient_empty(test_ctx->sys_ctx); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("TPM contains transient objects."); + return ret; + } + LOG_DEBUG("Running System API post-test checks: dump capabilities"); ret = dumpstate(test_ctx->sys_ctx, test_ctx->tpm_state, 1); if (ret != EXIT_SUCCESS) { @@ -405,6 +455,13 @@ test_sys_checks_post(TSS2_TEST_SYS_CONTEXT *test_ctx) return ret; } + LOG_DEBUG("Running System API post-test checks: pcr16 empty"); + ret = pcr16_empty(test_ctx->sys_ctx); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("PCR16 is not empty"); + return ret; + } + return EXIT_SUCCESS; } @@ -533,6 +590,13 @@ test_esys_checks_pre(TSS2_TEST_ESYS_CONTEXT *test_ctx) return ret; } + LOG_DEBUG("Running System API pre-test checks: pcr16 empty"); + ret = pcr16_empty(sys_context); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("PCR16 is not empty"); + return ret; + } + return EXIT_SUCCESS; } @@ -549,6 +613,13 @@ test_esys_checks_post(TSS2_TEST_ESYS_CONTEXT *test_ctx) return EXIT_ERROR; } + LOG_DEBUG("Running System API pre-test checks: transient handles empty"); + ret = transient_empty(sys_context); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("TPM contains transient objects."); + return ret; + } + LOG_DEBUG("Running System API post-test checks: dump capabilities"); ret = dumpstate(sys_context, test_ctx->tpm_state, 1); if (ret != EXIT_SUCCESS) { @@ -556,6 +627,13 @@ test_esys_checks_post(TSS2_TEST_ESYS_CONTEXT *test_ctx) return ret; } + LOG_DEBUG("Running System API pre-test checks: pcr16 empty"); + ret = pcr16_empty(sys_context); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("PCR16 is not empty"); + return ret; + } + return EXIT_SUCCESS; }