xref: /linux/tools/testing/selftests/tpm2/tpm2_tests.py (revision 4745dc8abb0a0a9851c07265eea01d844886d5c8)
1# SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)
2
3from argparse import ArgumentParser
4from argparse import FileType
5import os
6import sys
7import tpm2
8from tpm2 import ProtocolError
9import unittest
10import logging
11import struct
12
13class SmokeTest(unittest.TestCase):
14    def setUp(self):
15        self.client = tpm2.Client()
16        self.root_key = self.client.create_root_key()
17
18    def tearDown(self):
19        self.client.flush_context(self.root_key)
20        self.client.close()
21
22    def test_seal_with_auth(self):
23        data = 'X' * 64
24        auth = 'A' * 15
25
26        blob = self.client.seal(self.root_key, data, auth, None)
27        result = self.client.unseal(self.root_key, blob, auth, None)
28        self.assertEqual(data, result)
29
30    def test_seal_with_policy(self):
31        handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
32
33        data = 'X' * 64
34        auth = 'A' * 15
35        pcrs = [16]
36
37        try:
38            self.client.policy_pcr(handle, pcrs)
39            self.client.policy_password(handle)
40
41            policy_dig = self.client.get_policy_digest(handle)
42        finally:
43            self.client.flush_context(handle)
44
45        blob = self.client.seal(self.root_key, data, auth, policy_dig)
46
47        handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
48
49        try:
50            self.client.policy_pcr(handle, pcrs)
51            self.client.policy_password(handle)
52
53            result = self.client.unseal(self.root_key, blob, auth, handle)
54        except:
55            self.client.flush_context(handle)
56            raise
57
58        self.assertEqual(data, result)
59
60    def test_unseal_with_wrong_auth(self):
61        data = 'X' * 64
62        auth = 'A' * 20
63        rc = 0
64
65        blob = self.client.seal(self.root_key, data, auth, None)
66        try:
67            result = self.client.unseal(self.root_key, blob, auth[:-1] + 'B', None)
68        except ProtocolError, e:
69            rc = e.rc
70
71        self.assertEqual(rc, tpm2.TPM2_RC_AUTH_FAIL)
72
73    def test_unseal_with_wrong_policy(self):
74        handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
75
76        data = 'X' * 64
77        auth = 'A' * 17
78        pcrs = [16]
79
80        try:
81            self.client.policy_pcr(handle, pcrs)
82            self.client.policy_password(handle)
83
84            policy_dig = self.client.get_policy_digest(handle)
85        finally:
86            self.client.flush_context(handle)
87
88        blob = self.client.seal(self.root_key, data, auth, policy_dig)
89
90        # Extend first a PCR that is not part of the policy and try to unseal.
91        # This should succeed.
92
93        ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
94        self.client.extend_pcr(1, 'X' * ds)
95
96        handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
97
98        try:
99            self.client.policy_pcr(handle, pcrs)
100            self.client.policy_password(handle)
101
102            result = self.client.unseal(self.root_key, blob, auth, handle)
103        except:
104            self.client.flush_context(handle)
105            raise
106
107        self.assertEqual(data, result)
108
109        # Then, extend a PCR that is part of the policy and try to unseal.
110        # This should fail.
111        self.client.extend_pcr(16, 'X' * ds)
112
113        handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
114
115        rc = 0
116
117        try:
118            self.client.policy_pcr(handle, pcrs)
119            self.client.policy_password(handle)
120
121            result = self.client.unseal(self.root_key, blob, auth, handle)
122        except ProtocolError, e:
123            rc = e.rc
124            self.client.flush_context(handle)
125        except:
126            self.client.flush_context(handle)
127            raise
128
129        self.assertEqual(rc, tpm2.TPM2_RC_POLICY_FAIL)
130
131    def test_seal_with_too_long_auth(self):
132        ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
133        data = 'X' * 64
134        auth = 'A' * (ds + 1)
135
136        rc = 0
137        try:
138            blob = self.client.seal(self.root_key, data, auth, None)
139        except ProtocolError, e:
140            rc = e.rc
141
142        self.assertEqual(rc, tpm2.TPM2_RC_SIZE)
143
144    def test_too_short_cmd(self):
145        rejected = False
146        try:
147            fmt = '>HIII'
148            cmd = struct.pack(fmt,
149                              tpm2.TPM2_ST_NO_SESSIONS,
150                              struct.calcsize(fmt) + 1,
151                              tpm2.TPM2_CC_FLUSH_CONTEXT,
152                              0xDEADBEEF)
153
154            self.client.send_cmd(cmd)
155        except IOError, e:
156            rejected = True
157        except:
158            pass
159        self.assertEqual(rejected, True)
160
161    def test_read_partial_resp(self):
162        try:
163            fmt = '>HIIH'
164            cmd = struct.pack(fmt,
165                              tpm2.TPM2_ST_NO_SESSIONS,
166                              struct.calcsize(fmt),
167                              tpm2.TPM2_CC_GET_RANDOM,
168                              0x20)
169            self.client.tpm.write(cmd)
170            hdr = self.client.tpm.read(10)
171            sz = struct.unpack('>I', hdr[2:6])[0]
172            rsp = self.client.tpm.read()
173        except:
174            pass
175        self.assertEqual(sz, 10 + 2 + 32)
176        self.assertEqual(len(rsp), 2 + 32)
177
178    def test_read_partial_overwrite(self):
179        try:
180            fmt = '>HIIH'
181            cmd = struct.pack(fmt,
182                              tpm2.TPM2_ST_NO_SESSIONS,
183                              struct.calcsize(fmt),
184                              tpm2.TPM2_CC_GET_RANDOM,
185                              0x20)
186            self.client.tpm.write(cmd)
187            # Read part of the respone
188            rsp1 = self.client.tpm.read(15)
189
190            # Send a new cmd
191            self.client.tpm.write(cmd)
192
193            # Read the whole respone
194            rsp2 = self.client.tpm.read()
195        except:
196            pass
197        self.assertEqual(len(rsp1), 15)
198        self.assertEqual(len(rsp2), 10 + 2 + 32)
199
200    def test_send_two_cmds(self):
201        rejected = False
202        try:
203            fmt = '>HIIH'
204            cmd = struct.pack(fmt,
205                              tpm2.TPM2_ST_NO_SESSIONS,
206                              struct.calcsize(fmt),
207                              tpm2.TPM2_CC_GET_RANDOM,
208                              0x20)
209            self.client.tpm.write(cmd)
210
211            # expect the second one to raise -EBUSY error
212            self.client.tpm.write(cmd)
213            rsp = self.client.tpm.read()
214
215        except IOError, e:
216            # read the response
217            rsp = self.client.tpm.read()
218            rejected = True
219            pass
220        except:
221            pass
222        self.assertEqual(rejected, True)
223
224class SpaceTest(unittest.TestCase):
225    def setUp(self):
226        logging.basicConfig(filename='SpaceTest.log', level=logging.DEBUG)
227
228    def test_make_two_spaces(self):
229        log = logging.getLogger(__name__)
230        log.debug("test_make_two_spaces")
231
232        space1 = tpm2.Client(tpm2.Client.FLAG_SPACE)
233        root1 = space1.create_root_key()
234        space2 = tpm2.Client(tpm2.Client.FLAG_SPACE)
235        root2 = space2.create_root_key()
236        root3 = space2.create_root_key()
237
238        log.debug("%08x" % (root1))
239        log.debug("%08x" % (root2))
240        log.debug("%08x" % (root3))
241
242    def test_flush_context(self):
243        log = logging.getLogger(__name__)
244        log.debug("test_flush_context")
245
246        space1 = tpm2.Client(tpm2.Client.FLAG_SPACE)
247        root1 = space1.create_root_key()
248        log.debug("%08x" % (root1))
249
250        space1.flush_context(root1)
251
252    def test_get_handles(self):
253        log = logging.getLogger(__name__)
254        log.debug("test_get_handles")
255
256        space1 = tpm2.Client(tpm2.Client.FLAG_SPACE)
257        space1.create_root_key()
258        space2 = tpm2.Client(tpm2.Client.FLAG_SPACE)
259        space2.create_root_key()
260        space2.create_root_key()
261
262        handles = space2.get_cap(tpm2.TPM2_CAP_HANDLES, tpm2.HR_TRANSIENT)
263
264        self.assertEqual(len(handles), 2)
265
266        log.debug("%08x" % (handles[0]))
267        log.debug("%08x" % (handles[1]))
268
269    def test_invalid_cc(self):
270        log = logging.getLogger(__name__)
271        log.debug(sys._getframe().f_code.co_name)
272
273        TPM2_CC_INVALID = tpm2.TPM2_CC_FIRST - 1
274
275        space1 = tpm2.Client(tpm2.Client.FLAG_SPACE)
276        root1 = space1.create_root_key()
277        log.debug("%08x" % (root1))
278
279        fmt = '>HII'
280        cmd = struct.pack(fmt, tpm2.TPM2_ST_NO_SESSIONS, struct.calcsize(fmt),
281                          TPM2_CC_INVALID)
282
283        rc = 0
284        try:
285            space1.send_cmd(cmd)
286        except ProtocolError, e:
287            rc = e.rc
288
289        self.assertEqual(rc, tpm2.TPM2_RC_COMMAND_CODE |
290                         tpm2.TSS2_RESMGR_TPM_RC_LAYER)
291