forked from pool/tpm2.0-tools
Accepting request 989000 from home:aplanas:branches:security
- Add patch to fix leakage of TPM simulator process add_missing_shut_down_call_on_cleanup.patch - Add patch to fix fapi-quote-verify[_ecc].sh test fix_check_of_qualifying_data.patch - Enable test execution by default OBS-URL: https://build.opensuse.org/request/show/989000 OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=93
This commit is contained in:
parent
d946dab0ca
commit
2dec5107b8
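--- /dev/null
+++ b/add_missing_shut_down_call_on_cleanup.patch
@@ -0,0 +1,70 @@
+From db6aa7ac5094a04168e60256e154786c0c7e7c1c Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Wed, 13 Jul 2022 13:35:19 +0200
+Subject: [PATCH] test: add missing shut_down call on cleanup
+
+The tests "gettime", "readclock" and "symlink" are not calling
+"shut_down" during the "cleanup" stage, making the TPM simulator to keep
+their process during the "make check". Somehow this produces problems
+when the tests are executed in parallel under certain conditions, with
+the effect of "make" not ending and waiting to those process to die.
+
+This commit and the mising call in the "cleanup" stage.
+
+Fix #3042
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+test/integration/tests/gettime.sh | 5 ++++-
+test/integration/tests/readclock.sh | 5 ++++-
+test/integration/tests/symlink.sh | 5 ++++-
+3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/test/integration/tests/gettime.sh b/test/integration/tests/gettime.sh
+index 5a91210a7..054bef864 100644
+--- a/test/integration/tests/gettime.sh
++++ b/test/integration/tests/gettime.sh
+@@ -3,7 +3,10 @@
+source helpers.sh
+
+cleanup() {
+- rm -f attest.sig attest.data
++ rm -f attest.sig attest.data
++ if [ "$1" != "no-shut-down" ]; then
++ shut_down
++ fi
+}
+trap cleanup EXIT
+
+diff --git a/test/integration/tests/readclock.sh b/test/integration/tests/readclock.sh
+index 56a4c8622..2c59dad09 100644
+--- a/test/integration/tests/readclock.sh
++++ b/test/integration/tests/readclock.sh
+@@ -3,7 +3,10 @@
+source helpers.sh
+
+cleanup() {
+- rm -f clock.yaml
++ rm -f clock.yaml
++ if [ "$1" != "no-shut-down" ]; then
++ shut_down
++ fi
+}
+trap cleanup EXIT
+
+diff --git a/test/integration/tests/symlink.sh b/test/integration/tests/symlink.sh
+index d1c800ad0..b61349eef 100644
+--- a/test/integration/tests/symlink.sh
++++ b/test/integration/tests/symlink.sh
+@@ -4,7 +4,10 @@ source helpers.sh
+
+TMP="$(mktemp -d)"
+cleanup() {
+- rm -rf "$TMP"
++ rm -rf "$TMP"
++ if [ "$1" != "no-shut-down" ]; then
++ shut_down
++ fi
+}
+trap cleanup EXIT
+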
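Review bot: `cleanup` is installed with `trap cleanup EXIT`, which invokes it with no arguments, so the new `if [ "$1" != "no-shut-down" ]` test reads an unset `$1`; under default shell options that compares the empty string and works, but if helpers.sh or the test script ever enables `set -u` the trap aborts with an unbound-variable error before `shut_down` runs, which is exactly the simulator leak this patch is meant to close. Writing the guard as `if [ "${1:-}" != "no-shut-down" ]; then` keeps the same semantics and is safe either way; the same line appears in the readclock.sh and symlink.sh hunks. The embedded commit message also reads `This commit and the mising call in the "cleanup" stage.` — presumably "This commit adds the missing call".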
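--- /dev/null
+++ b/fix_check_of_qualifying_data.patch
@@ -0,0 +1,167 @@
+From 3b1f00301350848e9454c7adf0487c1a14738236 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
+Date: Sat, 8 Jan 2022 13:43:00 +0100
+Subject: [PATCH] test/fapi/fapi-quote-verify.sh Fix check of qualifying data.
+
+Because of a bug in Fapi_VerifyQuote the qualifying data was not checked correctly.
+Errors that were not recognized before occur now.
+The order of the tests was cleaned up and for every quote and verify quote now
+the correct combination of the qualifying data and quote info containing the nonce
+is used.
+
+Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
+---
+test/integration/fapi/fapi-quote-verify.sh | 38 ++++++++++++----------
+1 file changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify.sh
+index ad4ade3a1..497d4337f 100644
+--- a/test/integration/fapi/fapi-quote-verify.sh
++++ b/test/integration/fapi/fapi-quote-verify.sh
+@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
+NONCE_FILE=$TEMP_DIR/nonce.file
+PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
+QUOTE_INFO=$TEMP_DIR/quote.info
++QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
+SIGNATURE_FILE=$TEMP_DIR/signature.file
+CERTIFICATE_FILE=$TEMP_DIR/certificate.file
+PCR_LOG=$TEMP_DIR/pcr.log
+@@ -35,14 +36,32 @@ tss2 provision
+
+tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
+
++tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
++tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
++
++
+tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
+--signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
+--certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++ --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
++ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
++
+echo "tss2 quote with EMPTY_FILE" # Expected to succeed
+tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
+--qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
+- --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
++ --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
++
++echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++ --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
++ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
++
++# Try with missing qualifyingData
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++ --quoteInfo=$QUOTE_EMPTY_INFO \
++ --signature=$SIGNATURE_FILE
+
+echo "tss2 quote with BIG_FILE" # Expected to fail
+expect <<EOF
+@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
+exit 1
+fi
+
+-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
+-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
+-
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+- --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
+- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+-
+-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+- --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
+- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+-
+echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
+expect <<EOF
+spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
+@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
+}
+EOF
+
+-# Try with missing qualifyingData
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+- --quoteInfo=$QUOTE_INFO \
+- --signature=$SIGNATURE_FILE
+-
+exit 0
+
+diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify_ecc.sh
+index ad4ade3a1..497d4337f 100644
+--- a/test/integration/fapi/fapi-quote-verify_ecc.sh
++++ b/test/integration/fapi/fapi-quote-verify_ecc.sh
+@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
+NONCE_FILE=$TEMP_DIR/nonce.file
+PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
+QUOTE_INFO=$TEMP_DIR/quote.info
++QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
+SIGNATURE_FILE=$TEMP_DIR/signature.file
+CERTIFICATE_FILE=$TEMP_DIR/certificate.file
+PCR_LOG=$TEMP_DIR/pcr.log
+@@ -35,14 +36,32 @@ tss2 provision
+
+tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
+
++tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
++tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
++
++
+tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
+--signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
+--certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++ --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
++ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
++
+echo "tss2 quote with EMPTY_FILE" # Expected to succeed
+tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
+--qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
+- --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
++ --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
++
++echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++ --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
++ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
++
++# Try with missing qualifyingData
++tss2 verifyquote --publicKeyPath="ext/myNewParent" \
++ --quoteInfo=$QUOTE_EMPTY_INFO \
++ --signature=$SIGNATURE_FILE
+
+echo "tss2 quote with BIG_FILE" # Expected to fail
+expect <<EOF
+@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
+exit 1
+fi
+
+-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
+-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
+-
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+- --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
+- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+-
+-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+- --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
+- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+-
+echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
+expect <<EOF
+spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
+@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
+}
+EOF
+
+-# Try with missing qualifyingData
+-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+- --quoteInfo=$QUOTE_INFO \
+- --signature=$SIGNATURE_FILE
+-
+exit 0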
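Review bot: The second `diff --git` header inside this patch names `a/test/integration/fapi/fapi-quote-verify.sh` while its `---`/`+++` lines name `fapi-quote-verify_ecc.sh`, and it repeats the first file's `index ad4ade3a1..497d4337f` line and hunk offsets verbatim, so the ecc part looks hand-copied rather than generated; `git apply` is likely to reject the inconsistent old filename even if GNU patch accepts it, and the `1 file changed` diffstat above no longer matches two diffs. Regenerating that second diff from the actual `_ecc` script would confirm its `@@` offsets and context lines against that file. Separately, the "Try with missing qualifyingData" case now verifies `$QUOTE_EMPTY_INFO`, so neither script still exercises the negative case that motivated the fix — a quote produced with `$NONCE_FILE` verified without `--qualifyingData`, which presumably fails now that Fapi_VerifyQuote checks the nonce. An explicit expected-failure check such as `if tss2 verifyquote --publicKeyPath="ext/myNewParent" --quoteInfo=$QUOTE_INFO --signature=$SIGNATURE_FILE; then exit 1; fi` would pin that behaviour.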
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 13 11:50:11 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
||||
|
||||
- Add patch to fix leakage of TPM simulator process
|
||||
add_missing_shut_down_call_on_cleanup.patch
|
||||
- Add patch to fix fapi-quote-verify[_ecc].sh test
|
||||
fix_check_of_qualifying_data.patch
|
||||
- Enable test execution by default
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 8 07:51:37 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
%define _lto_cflags %{nil}
|
||||
%bcond_with test
|
||||
%bcond_without test
|
||||
Name: tpm2.0-tools
|
||||
Version: 5.2
|
||||
Release: 0
|
||||
@ -32,6 +32,10 @@ Source2: tpm2-tools.keyring
|
||||
Patch0: fix_bogus_warning.patch
|
||||
# PATCH-FIX-UPSTREAM 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch -- based on PR#3041
|
||||
Patch1: 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch
|
||||
# PATCH-FIX-UPSTREAM add_missing_shut_down_call_on_cleanup.patch -- based on PR#3047
|
||||
Patch2: add_missing_shut_down_call_on_cleanup.patch
|
||||
# PATCH-FIX-UPSTREAM fix_check_of_qualifying_data.patch -- already merged
|
||||
Patch3: fix_check_of_qualifying_data.patch
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: libopenssl-devel
|
||||
@ -102,7 +106,7 @@ find %{buildroot} -type f -name "*.la" -delete -print
|
||||
%check
|
||||
# Do the tests sequentially to kill all tpm_server instances
|
||||
# https://github.com/tpm2-software/tpm2-tools/issues/3042
|
||||
%make_build -j1 check
|
||||
%make_build check
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
|