ci: add some test for the new nvpcr infra

This commit is contained in:
Lennart Poettering
2025-10-27 12:55:02 +01:00
parent a9d02df0c7
commit 34c687f2b3
2 changed files with 33 additions and 0 deletions


@@ -1093,6 +1093,11 @@ systemd-analyze image-policy 'home=encrypted:usr=verity' 2>&1 | grep -q -e '^usr
systemd-analyze pcrs
systemd-analyze pcrs --json=pretty
systemd-analyze pcrs 14 7 0 ima
if systemd-analyze has-tpm2 -q ; then
systemd-analyze nvpcrs
systemd-analyze nvpcrs --json=pretty
systemd-analyze nvpcrs hardware cryptsetup
fi
systemd-analyze architectures
systemd-analyze architectures --json=pretty


@@ -30,6 +30,7 @@ export SYSTEMD_FORCE_MEASURE=1
"$SD_PCREXTEND" --version
"$SD_PCREXTEND" foo
"$SD_PCREXTEND" --machine-id
"$SD_PCREXTEND" --product-id
"$SD_PCREXTEND" --tpm2-device=list
"$SD_PCREXTEND" --tpm2-device=auto foo
"$SD_PCREXTEND" --tpm2-device=/dev/tpm0 foo
@@ -40,6 +41,7 @@ export SYSTEMD_FORCE_MEASURE=1
"$SD_PCREXTEND" --file-system=/
"$SD_PCREXTEND" --file-system=/tmp --file-system=/
"$SD_PCREXTEND" --file-system=/tmp --file-system=/ --pcr=15 --pcr=11
"$SD_PCREXTEND" --nvpcr=hardware foo
if tpm_has_pcr sha1 11; then
"$SD_PCREXTEND" --bank=sha1 --pcr=11 foo
@@ -55,6 +57,7 @@ fi
(! "$SD_PCREXTEND" --pcr=-1 foo)
(! "$SD_PCREXTEND" --pcr=1024 foo)
(! "$SD_PCREXTEND" --foo=bar)
(! "$SD_PCREXTEND" --nvpcr=idontexist foo)
unset SYSTEMD_FORCE_MEASURE
@@ -122,3 +125,28 @@ diff /tmp/newpcr15 \
<(cat /tmp/oldpcr15 <(echo -n "file-system:$FS_WORD" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256)
rm -f /tmp/oldpcr{11,15} /tmp/newpcr{11,15}
mkdir -p /run/nvpcr
cat >/run/nvpcr/test.nvpcr <<EOF
{"name":"test","algorithm":"sha256","nvIndex":30474762}
EOF
/usr/lib/systemd/systemd-tpm2-setup
test -f /run/systemd/nvpcr/test.anchor
/usr/lib/systemd/systemd-pcrextend --nvpcr=test schrumpel
# To calculate the current value we need the anchor measurement
DIGEST_BASE="$(cat /run/systemd/nvpcr/test.anchor)"
DIGEST_MEASURED="$(echo -n "schrumpel" | openssl dgst -sha256 -binary | xxd -p -c200)"
DIGEST_EXPECTED="$(echo "$DIGEST_BASE$DIGEST_MEASURED" | xxd -r -p | openssl dgst -sha256 -binary | xxd -p -c200)"
DIGEST_ACTUAL="$(systemd-analyze nvpcrs test --json=pretty | jq -r '.[] | select(.name=="test") | .value')"
test "$DIGEST_ACTUAL" = "$DIGEST_EXPECTED"
# Now "destroy" the value via another measurement
/usr/lib/systemd/systemd-pcrextend --nvpcr=test schnurz
DIGEST_ACTUAL2="$(systemd-analyze nvpcrs test --json=pretty | jq -r '.[] | select(.name=="test") | .value')"
test "$DIGEST_ACTUAL2" != "$DIGEST_EXPECTED"
# And calculate the new result
DIGEST_MEASURED2="$(echo -n "schnurz" | openssl dgst -sha256 -binary | xxd -p -c200)"
DIGEST_EXPECTED2="$(echo "$DIGEST_EXPECTED$DIGEST_MEASURED2" | xxd -r -p | openssl dgst -sha256 -binary | xxd -p -c200)"
test "$DIGEST_ACTUAL2" = "$DIGEST_EXPECTED2"