tpm2: update TEST-70-TPM2 to test passing PCR value to systemd-cryptenroll

Add tests to use expected, not current, PCR values during sealing.
2026-04-14 00:14:32 +09:00 · 2023-07-13 16:02:37 -04:00
parent 1782b0b88c
commit e85ddd9644
1 changed files with 37 additions and 1 deletions
--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -93,7 +93,43 @@ PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 "$img

 # Check with wrong PCR 0
 tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000
-"$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1 && exit 1
+(! "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1)
+
+if tpm_has_pcr sha256 12; then
+    # Enroll using an explict PCR value (that does match current PCR value)
+    systemd-cryptenroll --wipe-slot=tpm2 "$img"
+    EXPECTED_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12)
+    PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="12:sha256=$EXPECTED_PCR_VALUE" "$img"
+    "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1
+    "$SD_CRYPTSETUP" detach test-volume
+
+    # Same as above plus more PCRs without the value or alg specified
+    systemd-cryptenroll --wipe-slot=tpm2 "$img"
+    EXPECTED_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12)
+    PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="1,12:sha256=$EXPECTED_PCR_VALUE,3" "$img"
+    "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1
+    "$SD_CRYPTSETUP" detach test-volume
+
+    # Same as above plus more PCRs with hash alg specified but hash value not specified
+    systemd-cryptenroll --wipe-slot=tpm2 "$img"
+    EXPECTED_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12)
+    PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="1:sha256,12:sha256=$EXPECTED_PCR_VALUE,3" "$img"
+    "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1
+    "$SD_CRYPTSETUP" detach test-volume
+
+    # Now the interesting part, enrolling using a hash value that doesn't match the current PCR value
+    systemd-cryptenroll --wipe-slot=tpm2 "$img"
+    tpm2_pcrread -Q -o /tmp/pcr.dat sha256:12
+    CURRENT_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12)
+    EXPECTED_PCR_VALUE=$(cat /tmp/pcr.dat /tmp/pcr.dat | openssl dgst -sha256 -r | cut -d ' ' -f 1)
+    PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="12:sha256=$EXPECTED_PCR_VALUE" "$img"
+    (! "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1)
+    tpm2_pcrextend "12:sha256=$CURRENT_PCR_VALUE"
+    "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1
+    "$SD_CRYPTSETUP" detach test-volume
+
+    rm -f /tmp/pcr.dat
+fi

 rm -f "${img:?}"