SHA256
1
0
forked from pool/tpm2.0-tools

Accepting request 989000 from home:aplanas:branches:security

- Add patch to fix leakage of TPM simulator process
  add_missing_shut_down_call_on_cleanup.patch
- Add patch to fix fapi-quote-verify[_ecc].sh test
  fix_check_of_qualifying_data.patch
- Enable test execution by default

OBS-URL: https://build.opensuse.org/request/show/989000
OBS-URL: https://build.opensuse.org/package/show/security/tpm2.0-tools?expand=0&rev=93
This commit is contained in:
Alberto Planas 2022-07-13 12:35:56 +00:00 committed by Git OBS Bridge
parent d946dab0ca
commit 2dec5107b8
4 changed files with 252 additions and 2 deletions

View File

@ -0,0 +1,70 @@
From db6aa7ac5094a04168e60256e154786c0c7e7c1c Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Wed, 13 Jul 2022 13:35:19 +0200
Subject: [PATCH] test: add missing shut_down call on cleanup
The tests "gettime", "readclock" and "symlink" are not calling
"shut_down" during the "cleanup" stage, making the TPM simulator to keep
their process during the "make check". Somehow this produces problems
when the tests are executed in parallel under certain conditions, with
the effect of "make" not ending and waiting to those process to die.
This commit and the mising call in the "cleanup" stage.
Fix #3042
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
test/integration/tests/gettime.sh | 5 ++++-
test/integration/tests/readclock.sh | 5 ++++-
test/integration/tests/symlink.sh | 5 ++++-
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/test/integration/tests/gettime.sh b/test/integration/tests/gettime.sh
index 5a91210a7..054bef864 100644
--- a/test/integration/tests/gettime.sh
+++ b/test/integration/tests/gettime.sh
@@ -3,7 +3,10 @@
source helpers.sh
cleanup() {
- rm -f attest.sig attest.data
+ rm -f attest.sig attest.data
+ if [ "$1" != "no-shut-down" ]; then
+ shut_down
+ fi
}
trap cleanup EXIT
diff --git a/test/integration/tests/readclock.sh b/test/integration/tests/readclock.sh
index 56a4c8622..2c59dad09 100644
--- a/test/integration/tests/readclock.sh
+++ b/test/integration/tests/readclock.sh
@@ -3,7 +3,10 @@
source helpers.sh
cleanup() {
- rm -f clock.yaml
+ rm -f clock.yaml
+ if [ "$1" != "no-shut-down" ]; then
+ shut_down
+ fi
}
trap cleanup EXIT
diff --git a/test/integration/tests/symlink.sh b/test/integration/tests/symlink.sh
index d1c800ad0..b61349eef 100644
--- a/test/integration/tests/symlink.sh
+++ b/test/integration/tests/symlink.sh
@@ -4,7 +4,10 @@ source helpers.sh
TMP="$(mktemp -d)"
cleanup() {
- rm -rf "$TMP"
+ rm -rf "$TMP"
+ if [ "$1" != "no-shut-down" ]; then
+ shut_down
+ fi
}
trap cleanup EXIT

View File

@ -0,0 +1,167 @@
From 3b1f00301350848e9454c7adf0487c1a14738236 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Sat, 8 Jan 2022 13:43:00 +0100
Subject: [PATCH] test/fapi/fapi-quote-verify.sh Fix check of qualifying data.
Because of a bug in Fapi_VerifyQuote the qualifying data was not checked correctly.
Errors that were not recognized before occur now.
The order of the tests was cleaned up and for every quote and verify quote now
the correct combination of the qualifying data and quote info containing the nonce
is used.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
test/integration/fapi/fapi-quote-verify.sh | 38 ++++++++++++----------
1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify.sh
index ad4ade3a1..497d4337f 100644
--- a/test/integration/fapi/fapi-quote-verify.sh
+++ b/test/integration/fapi/fapi-quote-verify.sh
@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
NONCE_FILE=$TEMP_DIR/nonce.file
PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
QUOTE_INFO=$TEMP_DIR/quote.info
+QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
SIGNATURE_FILE=$TEMP_DIR/signature.file
CERTIFICATE_FILE=$TEMP_DIR/certificate.file
PCR_LOG=$TEMP_DIR/pcr.log
@@ -35,14 +36,32 @@ tss2 provision
tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
+tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
+tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
+
+
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
--signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
--certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
echo "tss2 quote with EMPTY_FILE" # Expected to succeed
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
--qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
- --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+ --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
+
+echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
+# Try with missing qualifyingData
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --quoteInfo=$QUOTE_EMPTY_INFO \
+ --signature=$SIGNATURE_FILE
echo "tss2 quote with BIG_FILE" # Expected to fail
expect <<EOF
@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
exit 1
fi
-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
-
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
expect <<EOF
spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
}
EOF
-# Try with missing qualifyingData
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE
-
exit 0
diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify_ecc.sh
index ad4ade3a1..497d4337f 100644
--- a/test/integration/fapi/fapi-quote-verify_ecc.sh
+++ b/test/integration/fapi/fapi-quote-verify_ecc.sh
@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
NONCE_FILE=$TEMP_DIR/nonce.file
PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
QUOTE_INFO=$TEMP_DIR/quote.info
+QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
SIGNATURE_FILE=$TEMP_DIR/signature.file
CERTIFICATE_FILE=$TEMP_DIR/certificate.file
PCR_LOG=$TEMP_DIR/pcr.log
@@ -35,14 +36,32 @@ tss2 provision
tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
+tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
+tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
+
+
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
--signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
--certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
echo "tss2 quote with EMPTY_FILE" # Expected to succeed
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
--qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
- --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+ --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
+
+echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
+# Try with missing qualifyingData
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --quoteInfo=$QUOTE_EMPTY_INFO \
+ --signature=$SIGNATURE_FILE
echo "tss2 quote with BIG_FILE" # Expected to fail
expect <<EOF
@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
exit 1
fi
-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
-
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
expect <<EOF
spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
}
EOF
-# Try with missing qualifyingData
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE
-
exit 0

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Wed Jul 13 11:50:11 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Add patch to fix leakage of TPM simulator process
add_missing_shut_down_call_on_cleanup.patch
- Add patch to fix fapi-quote-verify[_ecc].sh test
fix_check_of_qualifying_data.patch
- Enable test execution by default
-------------------------------------------------------------------
Fri Jul 8 07:51:37 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>

View File

@ -17,7 +17,7 @@
%define _lto_cflags %{nil}
%bcond_with test
%bcond_without test
Name: tpm2.0-tools
Version: 5.2
Release: 0
@ -32,6 +32,10 @@ Source2: tpm2-tools.keyring
Patch0: fix_bogus_warning.patch
# PATCH-FIX-UPSTREAM 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch -- based on PR#3041
Patch1: 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch
# PATCH-FIX-UPSTREAM add_missing_shut_down_call_on_cleanup.patch -- based on PR#3047
Patch2: add_missing_shut_down_call_on_cleanup.patch
# PATCH-FIX-UPSTREAM fix_check_of_qualifying_data.patch -- already merged
Patch3: fix_check_of_qualifying_data.patch
BuildRequires: gcc-c++
BuildRequires: libcurl-devel
BuildRequires: libopenssl-devel
@ -102,7 +106,7 @@ find %{buildroot} -type f -name "*.la" -delete -print
%check
# Do the tests sequentially to kill all tpm_server instances
# https://github.com/tpm2-software/tpm2-tools/issues/3042
%make_build -j1 check
%make_build check
%endif
%changelog