SHA256
1
0
forked from pool/tpm2.0-tools
Dominique Leuenberger 2022-07-14 14:33:27 +00:00 committed by Git OBS Bridge
commit 6a84e87ec4
4 changed files with 261 additions and 1 deletions

View File

@ -0,0 +1,70 @@
From db6aa7ac5094a04168e60256e154786c0c7e7c1c Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Wed, 13 Jul 2022 13:35:19 +0200
Subject: [PATCH] test: add missing shut_down call on cleanup
The tests "gettime", "readclock" and "symlink" are not calling
"shut_down" during the "cleanup" stage, making the TPM simulator to keep
their process during the "make check". Somehow this produces problems
when the tests are executed in parallel under certain conditions, with
the effect of "make" not ending and waiting to those process to die.
This commit and the mising call in the "cleanup" stage.
Fix #3042
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
test/integration/tests/gettime.sh | 5 ++++-
test/integration/tests/readclock.sh | 5 ++++-
test/integration/tests/symlink.sh | 5 ++++-
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/test/integration/tests/gettime.sh b/test/integration/tests/gettime.sh
index 5a91210a7..054bef864 100644
--- a/test/integration/tests/gettime.sh
+++ b/test/integration/tests/gettime.sh
@@ -3,7 +3,10 @@
source helpers.sh
cleanup() {
- rm -f attest.sig attest.data
+ rm -f attest.sig attest.data
+ if [ "$1" != "no-shut-down" ]; then
+ shut_down
+ fi
}
trap cleanup EXIT
diff --git a/test/integration/tests/readclock.sh b/test/integration/tests/readclock.sh
index 56a4c8622..2c59dad09 100644
--- a/test/integration/tests/readclock.sh
+++ b/test/integration/tests/readclock.sh
@@ -3,7 +3,10 @@
source helpers.sh
cleanup() {
- rm -f clock.yaml
+ rm -f clock.yaml
+ if [ "$1" != "no-shut-down" ]; then
+ shut_down
+ fi
}
trap cleanup EXIT
diff --git a/test/integration/tests/symlink.sh b/test/integration/tests/symlink.sh
index d1c800ad0..b61349eef 100644
--- a/test/integration/tests/symlink.sh
+++ b/test/integration/tests/symlink.sh
@@ -4,7 +4,10 @@ source helpers.sh
TMP="$(mktemp -d)"
cleanup() {
- rm -rf "$TMP"
+ rm -rf "$TMP"
+ if [ "$1" != "no-shut-down" ]; then
+ shut_down
+ fi
}
trap cleanup EXIT

View File

@ -0,0 +1,167 @@
From 3b1f00301350848e9454c7adf0487c1a14738236 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Date: Sat, 8 Jan 2022 13:43:00 +0100
Subject: [PATCH] test/fapi/fapi-quote-verify.sh Fix check of qualifying data.
Because of a bug in Fapi_VerifyQuote the qualifying data was not checked correctly.
Errors that were not recognized before occur now.
The order of the tests was cleaned up and for every quote and verify quote now
the correct combination of the qualifying data and quote info containing the nonce
is used.
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
---
test/integration/fapi/fapi-quote-verify.sh | 38 ++++++++++++----------
1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify.sh
index ad4ade3a1..497d4337f 100644
--- a/test/integration/fapi/fapi-quote-verify.sh
+++ b/test/integration/fapi/fapi-quote-verify.sh
@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
NONCE_FILE=$TEMP_DIR/nonce.file
PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
QUOTE_INFO=$TEMP_DIR/quote.info
+QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
SIGNATURE_FILE=$TEMP_DIR/signature.file
CERTIFICATE_FILE=$TEMP_DIR/certificate.file
PCR_LOG=$TEMP_DIR/pcr.log
@@ -35,14 +36,32 @@ tss2 provision
tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
+tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
+tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
+
+
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
--signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
--certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
echo "tss2 quote with EMPTY_FILE" # Expected to succeed
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
--qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
- --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+ --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
+
+echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
+# Try with missing qualifyingData
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --quoteInfo=$QUOTE_EMPTY_INFO \
+ --signature=$SIGNATURE_FILE
echo "tss2 quote with BIG_FILE" # Expected to fail
expect <<EOF
@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
exit 1
fi
-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
-
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
expect <<EOF
spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
}
EOF
-# Try with missing qualifyingData
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE
-
exit 0
diff --git a/test/integration/fapi/fapi-quote-verify.sh b/test/integration/fapi/fapi-quote-verify_ecc.sh
index ad4ade3a1..497d4337f 100644
--- a/test/integration/fapi/fapi-quote-verify_ecc.sh
+++ b/test/integration/fapi/fapi-quote-verify_ecc.sh
@@ -18,6 +18,7 @@ KEY_PATH=HS/SRK/quotekey
NONCE_FILE=$TEMP_DIR/nonce.file
PUBLIC_QUOTE_KEY=$TEMP_DIR/public_quote.key
QUOTE_INFO=$TEMP_DIR/quote.info
+QUOTE_EMPTY_INFO=$TEMP_DIR/quote_empty.info
SIGNATURE_FILE=$TEMP_DIR/signature.file
CERTIFICATE_FILE=$TEMP_DIR/certificate.file
PCR_LOG=$TEMP_DIR/pcr.log
@@ -35,14 +36,32 @@ tss2 provision
tss2 createkey --path=$KEY_PATH --type="noDa, restricted, sign" --authValue=""
+tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
+tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
+
+
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" --qualifyingData=$NONCE_FILE \
--signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
--certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
echo "tss2 quote with EMPTY_FILE" # Expected to succeed
tss2 quote --keyPath=$KEY_PATH --pcrList="11, 12, 13, 14, 15, 16" \
--qualifyingData=$EMPTY_FILE --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG \
- --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_INFO --force
+ --certificate=$CERTIFICATE_FILE --quoteInfo=$QUOTE_EMPTY_INFO --force
+
+echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_EMPTY_INFO \
+ --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
+
+# Try with missing qualifyingData
+tss2 verifyquote --publicKeyPath="ext/myNewParent" \
+ --quoteInfo=$QUOTE_EMPTY_INFO \
+ --signature=$SIGNATURE_FILE
echo "tss2 quote with BIG_FILE" # Expected to fail
expect <<EOF
@@ -65,18 +84,6 @@ if [[ "`cat $LOG_FILE`" == $SANITIZER_FILTER ]]; then
exit 1
fi
-tss2 exportkey --pathOfKeyToDuplicate=$KEY_PATH --exportedData=$PUBLIC_QUOTE_KEY --force
-tss2 import --path="ext/myNewParent" --importData=$PUBLIC_QUOTE_KEY
-
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --qualifyingData=$NONCE_FILE --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
-echo "tss2 verifyquote with EMPTY_FILE qualifyingData" # Expected to succeed
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --qualifyingData=$EMPTY_FILE --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE --pcrLog=$PCR_LOG
-
echo "tss2 verifyquote with BIG_FILE qualifyingData" # Expected to fail
expect <<EOF
spawn sh -c "tss2 verifyquote --publicKeyPath=\"ext/myNewParent\" \
@@ -537,9 +544,4 @@ if {[lindex \$ret 2] || [lindex \$ret 3] != 1} {
}
EOF
-# Try with missing qualifyingData
-tss2 verifyquote --publicKeyPath="ext/myNewParent" \
- --quoteInfo=$QUOTE_INFO \
- --signature=$SIGNATURE_FILE
-
exit 0

View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Thu Jul 14 09:49:39 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Disable tests in some architectures (ppc, ppc64, s390x)
-------------------------------------------------------------------
Wed Jul 13 11:50:11 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Add patch to fix leakage of TPM simulator process
add_missing_shut_down_call_on_cleanup.patch
- Add patch to fix fapi-quote-verify[_ecc].sh test
fix_check_of_qualifying_data.patch
- Enable test execution by default
-------------------------------------------------------------------
Fri Jul 8 07:51:37 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>

View File

@ -17,7 +17,12 @@
%define _lto_cflags %{nil}
%ifarch %{ix86} x86_64 aarch64 %{arm} ppc64le
%bcond_without test
%else
# ppc ppc64 s390x
%bcond_with test
%endif
Name: tpm2.0-tools
Version: 5.2
Release: 0
@ -32,6 +37,10 @@ Source2: tpm2-tools.keyring
Patch0: fix_bogus_warning.patch
# PATCH-FIX-UPSTREAM 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch -- based on PR#3041
Patch1: 0001-tests-getekcertificate.sh-Skip-the-test-if-curl-is-n.patch
# PATCH-FIX-UPSTREAM add_missing_shut_down_call_on_cleanup.patch -- based on PR#3047
Patch2: add_missing_shut_down_call_on_cleanup.patch
# PATCH-FIX-UPSTREAM fix_check_of_qualifying_data.patch -- already merged
Patch3: fix_check_of_qualifying_data.patch
BuildRequires: gcc-c++
BuildRequires: libcurl-devel
BuildRequires: libopenssl-devel
@ -102,7 +111,7 @@ find %{buildroot} -type f -name "*.la" -delete -print
%check
# Do the tests sequentially to kill all tpm_server instances
# https://github.com/tpm2-software/tpm2-tools/issues/3042
%make_build -j1 check
%make_build check
%endif
%changelog