On 3/21/25 3:59 AM, Gary Lin via Grub-devel wrote:
Two more NV index test cases are added to test key sealing and
unsealing with the NV index handle 0x1000000.

Signed-off-by: Gary Lin <g...@suse.com>
---
  tests/tpm2_key_protector_test.in | 55 ++++++++++++++++++++++----------
  1 file changed, 39 insertions(+), 16 deletions(-)

diff --git a/tests/tpm2_key_protector_test.in b/tests/tpm2_key_protector_test.in
index 0d1115e02..1ba70a3d5 100644
--- a/tests/tpm2_key_protector_test.in
+++ b/tests/tpm2_key_protector_test.in
@@ -226,7 +226,23 @@ EOF
  }
tpm2_seal_unseal_nv() {
-    nv_index="0x81000000"
+    handle_type="$1"
+    key_type="$2"
+
+    extra_opt=""
+    extra_grub_opt=""
+
+    if [ "$handle_type" == "nvindex" ]; then

Should be single '='.

+       nv_index="0x1000000"
+    else
+       nv_index="0x81000000"
+    fi
+
+    if [ "$key_type" == "tpm2key" ]; then

Same here.

+       extra_opt="--tpm2key"
+    else
+       extra_grub_opt="--pcrs=0,1"
+    fi
grub_cfg=${tpm2testdir}/testcase.cfg
@@ -247,7 +263,7 @@ tpm2_seal_unseal_nv() {
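Review bot: `extra_opt` is set to `--tpm2key` in the new `key_type` branch, but none of the hunks on this page expands `${extra_opt}` on the command that seals the key. Unless that command already references it outside the visible hunks, the "nvindex tpm2key" case would seal exactly like the raw case while the GRUB side drops `--pcrs=0,1`, so the tpm2key path would not be the one under test. The sealing invocation in this function, whose body continues outside the hunk, should expand `${extra_opt}`. Both `else` branches also accept any other argument silently, so a typo in the test list would run the persistent-handle or raw path under the wrong label; returning a status other than 0 or 1 for unknown values would surface it as an unexpected failure.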
      # Write the TPM unsealing script
      cat > ${grub_cfg} <<EOF
  loopback luks (host)${luksfile}
-tpm2_key_protector_init --mode=nv --nvindex=${nv_index} --pcrs=0,1
+tpm2_key_protector_init --mode=nv --nvindex=${nv_index} ${extra_grub_opt}
  if cryptomount -a --protector tpm2; then
      cat (crypto0)+1
  fi
@@ -288,26 +304,33 @@ srktests+=("ECC transient fallback_srk")
  for i in "${!srktests[@]}"; do
      tpm2_seal_unseal ${srktests[$i]} || ret=$?
      if [ "${ret}" -eq 0 ]; then
-        echo "TPM2 [${srktests[$i]}]: PASS"
+       echo "TPM2 [SRK][${srktests[$i]}]: PASS"
      elif [ "${ret}" -eq 1 ]; then
-        echo "TPM2 [${srktests[$i]}]: FAIL"
+       echo "TPM2 [SRK][${srktests[$i]}]: FAIL"
        ret=0
      else
-       echo "Unexpected failure [${srktests[$i]}]" >&2
+       echo "Unexpected failure [SRK][${srktests[$i]}]" >&2
        exit ${ret}
      fi
  done
-# Testcase for NV index mode
-tpm2_seal_unseal_nv || ret=$?
-if [ "${ret}" -eq 0 ]; then
-    echo "TPM2 [NV Index]: PASS"
-elif [ "${ret}" -eq 1 ]; then
-    echo "TPM2 [NV Index]: FAIL"
-    ret=0
-else
-    echo "Unexpected failure [NV index]" >&2
-    exit ${ret}
-fi
+# Testcases for NV index mode
+declare -a nvtests=()
+nvtests+=("persistent raw")
+nvtests+=("nvindex raw")
+nvtests+=("nvindex tpm2key")
+
+for i in "${!nvtests[@]}"; do
+    tpm2_seal_unseal_nv ${nvtests[$i]} || ret=$?
+    if [ "${ret}" -eq 0 ]; then
+       echo "TPM2 [NV Index][${nvtests[$i]}]: PASS"
+    elif [ "${ret}" -eq 1 ]; then
+       echo "TPM2 [NV Index][${nvtests[$i]}]: FAIL"
+       ret=0
+    else
+       echo "Unexpected failure [NV index][${nvtests[$i]}]" >&2
+       exit ${ret}
+    fi
+done
exit 0
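Review bot: A sealing or unsealing failure in the new NV index loop does not change the script's exit status: the `-eq 1` branch prints FAIL, resets `ret=0`, and the script still ends with `exit 0`. Unless the harness parses the output for FAIL lines, a regression in the key protector would pass unnoticed. Recording the failure, for example `exit_status=1` next to `ret=0` and `exit ${exit_status}` in place of the final `exit 0` (with `exit_status=0` initialised before the loops), would make it visible. The SRK loop at the top of this hunk follows the same pattern.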

With the above 2 fixes:

Reviewed-by: Stefan Berger <stef...@linux.ibm.com>

