Add a few more tests to seal and unseal the key with the SHA384 PCR bank instead of the default SHA256 PCR bank.
Signed-off-by: Gary Lin <g...@suse.com> --- tests/tpm2_key_protector_test.in | 34 +++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/tests/tpm2_key_protector_test.in b/tests/tpm2_key_protector_test.in index fae27f9e4..52753d191 100644 --- a/tests/tpm2_key_protector_test.in +++ b/tests/tpm2_key_protector_test.in @@ -136,16 +136,28 @@ done # Export the TCTI variable for tpm2-tools export TPM2TOOLS_TCTI="device:${tpm2dev}" +# Check if the sha384 bank is available +if [ "$(tpm2_getcap pcrs | grep sha384)" != "" ]; then + with_sha384=true +fi + # Extend PCR 0 tpm2_pcrextend 0:sha256=$(echo "test0" | sha256sum | cut -d ' ' -f 1) || exit 99 +if [ "${with_sha384}" = "true" ]; then + tpm2_pcrextend 0:sha384=$(echo "test0" | sha384sum | cut -d ' ' -f 1) || exit 99 +fi # Extend PCR 1 tpm2_pcrextend 1:sha256=$(echo "test1" | sha256sum | cut -d ' ' -f 1) || exit 99 +if [ "${with_sha384}" = "true" ]; then + tpm2_pcrextend 1:sha384=$(echo "test1" | sha384sum | cut -d ' ' -f 1) || exit 99 +fi tpm2_seal_unseal() { srk_alg="$1" handle_type="$2" srk_test="$3" + pcr_bank="$4" grub_srk_alg=${srk_alg} @@ -164,13 +176,17 @@ tpm2_seal_unseal() { extra_opt="${extra_opt} --tpm2-asymmetric=${srk_alg}" fi + if [ "${pcr_bank}" = "" ]; then + pcr_bank="sha256" + fi + # Seal the password with grub-protect grub-protect ${extra_opt} \ --tpm2-device="${tpm2dev}" \ --action=add \ --protector=tpm2 \ --tpm2key \ - --tpm2-bank=sha256 \ + --tpm2-bank="${pcr_bank}" \ --tpm2-pcrs=0,1 \ --tpm2-keyfile="${lukskeyfile}" \ --tpm2-outfile="${sealedkey}" || ret=$? @@ -228,6 +244,7 @@ EOF tpm2_seal_unseal_nv() { handle_type="$1" key_type="$2" + pcr_bank="$3" extra_opt="" extra_grub_opt="" 
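Review bot: The availability probe `if [ "$(tpm2_getcap pcrs | grep sha384)" != "" ]` cannot tell a missing SHA384 bank from a failed `tpm2_getcap`, so in either case every SHA384 case is skipped and the run still reports success with nothing in the log. `with_sha384` is also never initialised before the probe, so a value inherited from the environment could decide whether the later `tpm2_pcrextend 0:sha384=...` and `1:sha384=...` blocks run. I would add `with_sha384=false` ahead of the check, test with `if tpm2_getcap pcrs | grep -q sha384; then`, and add an `else` branch that echoes that the SHA384 cases are being skipped. Depending on the tpm2-tools version, a bank that is implemented but has no PCRs allocated may still be listed, so matching a non-empty PCR list for sha384 would be a stricter check; this is worth confirming against the swtpm setup the test uses.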
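Review bot: The four-line empty-string default for `pcr_bank` added before the grub-protect call is repeated verbatim in tpm2_seal_unseal_nv (the hunk at -238,10), and both follow an assignment that could carry the default itself. Writing `pcr_bank="${4:-sha256}"` where the parameter is read (and `pcr_bank="${3:-sha256}"` in the NV function) would remove both `if` blocks and keep the default next to the argument it belongs to. `pcr_bank` is a global shared by both functions, like the other variables here; that is safe only because each call reassigns it first, which deserves a short comment such as `# pcr_bank is optional; defaults to sha256`. The body of tpm2_seal_unseal begins in the previous hunk and continues past the end of this one.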
@@ -238,10 +255,14 @@ tpm2_seal_unseal_nv() { nv_index="0x81000000" fi + if [ "${pcr_bank}" = "" ]; then + pcr_bank="sha256" + fi + if [ "$key_type" = "tpm2key" ]; then extra_opt="--tpm2key" else - extra_grub_opt="--pcrs=0,1" + extra_grub_opt="--pcrs=0,1 -b ${pcr_bank}" fi grub_cfg=${tpm2testdir}/testcase.cfg @@ -251,7 +272,7 @@ tpm2_seal_unseal_nv() { --tpm2-device="${tpm2dev}" \ --action=add \ --protector=tpm2 \ - --tpm2-bank=sha256 \ + --tpm2-bank="${pcr_bank}" \ --tpm2-pcrs=0,1 \ --tpm2-keyfile="${lukskeyfile}" \ --tpm2-nvindex="${nv_index}" || ret=$? @@ -300,6 +321,9 @@ srktests+=("RSA persistent no_fallback_srk") srktests+=("ECC persistent no_fallback_srk") srktests+=("RSA transient fallback_srk") srktests+=("ECC transient fallback_srk") +if [ "${with_sha384}" = "true" ]; then + srktests+=("default transient no_fallback_srk sha384") +fi exit_status=0 @@ -322,6 +346,10 @@ declare -a nvtests=() nvtests+=("persistent raw") nvtests+=("nvindex raw") nvtests+=("nvindex tpm2key") +if [ "${with_sha384}" = "true" ]; then + nvtests+=("persistent raw sha384") + nvtests+=("nvindex tpm2key sha384") +fi for i in "${!nvtests[@]}"; do tpm2_seal_unseal_nv ${nvtests[$i]} || ret=$? -- 2.43.0 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
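Review bot: In the key-type branch, `extra_grub_opt="--pcrs=0,1 -b ${pcr_bank}"` passes the bank to the GRUB side only for the raw key and mixes the short `-b` with the long `--pcrs=`, while the `tpm2key` branch passes no bank and does not say why. If the protector accepts the long spelling, `extra_grub_opt="--pcrs=0,1 --bank=${pcr_bank}"` reads more clearly beside `--pcrs=`. A one-line comment on the `tpm2key` branch would also help, for example `# the tpm2key format is expected to carry its own PCR selection, so no bank option is passed`, provided that matches the module's behaviour. The function body begins and ends outside this hunk, so the consumer of `extra_grub_opt` is not visible here.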