2021-11-25 00:40:39

by Stefan Berger

[permalink] [raw]
Subject: [PATCH v3 1/3] selftests: tpm2: Probe for available PCR bank

From: Stefan Berger <[email protected]>

Probe for an available PCR bank to accommodate devices that do not have a
SHA-1 PCR bank or whose SHA-1 bank is deactivated. Use the bank that can
be used for the TPM2 commands, such as the SHA-256 bank.

Signed-off-by: Stefan Berger <[email protected]>
---
tools/testing/selftests/tpm2/tpm2_tests.py | 35 +++++++++++++++++-----
1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/tools/testing/selftests/tpm2/tpm2_tests.py b/tools/testing/selftests/tpm2/tpm2_tests.py
index 9d764306887b..6b88ff0e47b9 100644
--- a/tools/testing/selftests/tpm2/tpm2_tests.py
+++ b/tools/testing/selftests/tpm2/tpm2_tests.py
@@ -27,7 +27,23 @@ class SmokeTest(unittest.TestCase):
result = self.client.unseal(self.root_key, blob, auth, None)
self.assertEqual(data, result)

+ def determine_bank_alg(self):
+ # Probe for available PCR bank
+ for bank_alg in [tpm2.TPM2_ALG_SHA1, tpm2.TPM2_ALG_SHA256]:
+ try:
+ handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
+ self.client.policy_pcr(handle, [17], bank_alg=bank_alg)
+ return bank_alg
+ except tpm2.UnknownPCRBankError:
+ pass
+ finally:
+ self.client.flush_context(handle)
+ return None
+
def test_seal_with_policy(self):
+ bank_alg = self.determine_bank_alg()
+ self.assertIsNotNone(bank_alg)
+
handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)

data = ('X' * 64).encode()
@@ -35,7 +51,7 @@ class SmokeTest(unittest.TestCase):
pcrs = [16]

try:
- self.client.policy_pcr(handle, pcrs)
+ self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
self.client.policy_password(handle)

policy_dig = self.client.get_policy_digest(handle)
@@ -47,7 +63,7 @@ class SmokeTest(unittest.TestCase):
handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)

try:
- self.client.policy_pcr(handle, pcrs)
+ self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
self.client.policy_password(handle)

result = self.client.unseal(self.root_key, blob, auth, handle)
@@ -72,6 +88,9 @@ class SmokeTest(unittest.TestCase):
self.assertEqual(rc, tpm2.TPM2_RC_AUTH_FAIL)

def test_unseal_with_wrong_policy(self):
+ bank_alg = self.determine_bank_alg()
+ self.assertIsNotNone(bank_alg)
+
handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)

data = ('X' * 64).encode()
@@ -79,7 +98,7 @@ class SmokeTest(unittest.TestCase):
pcrs = [16]

try:
- self.client.policy_pcr(handle, pcrs)
+ self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
self.client.policy_password(handle)

policy_dig = self.client.get_policy_digest(handle)
@@ -91,13 +110,13 @@ class SmokeTest(unittest.TestCase):
# Extend first a PCR that is not part of the policy and try to unseal.
# This should succeed.

- ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
- self.client.extend_pcr(1, ('X' * ds).encode())
+ ds = tpm2.get_digest_size(bank_alg)
+ self.client.extend_pcr(1, ('X' * ds).encode(), bank_alg=bank_alg)

handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)

try:
- self.client.policy_pcr(handle, pcrs)
+ self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
self.client.policy_password(handle)

result = self.client.unseal(self.root_key, blob, auth, handle)
@@ -109,14 +128,14 @@ class SmokeTest(unittest.TestCase):

# Then, extend a PCR that is part of the policy and try to unseal.
# This should fail.
- self.client.extend_pcr(16, ('X' * ds).encode())
+ self.client.extend_pcr(16, ('X' * ds).encode(), bank_alg=bank_alg)

handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)

rc = 0

try:
- self.client.policy_pcr(handle, pcrs)
+ self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
self.client.policy_password(handle)

result = self.client.unseal(self.root_key, blob, auth, handle)
--
2.31.1



2021-11-27 00:31:12

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v3 1/3] selftests: tpm2: Probe for available PCR bank

On Wed, 2021-11-24 at 19:38 -0500, Stefan Berger wrote:
> From: Stefan Berger <[email protected]>
>
> Probe for an available PCR bank to accommodate devices that do not have a

What does "probing for an vailable PCR bank" even mean?

> SHA-1 PCR bank or whose SHA-1 bank is deactivated. Use the bank that can
> be used for the TPM2 commands, such as the SHA-256 bank.

This is incorrect, as the patch does not have code to query
available hash algorithms.

What the code does, and only does that, is to use SHA-256 as 
a fallback when SHA-1 is not enabled.

/Jarkko


>
> Signed-off-by: Stefan Berger <[email protected]>
> ---
>  tools/testing/selftests/tpm2/tpm2_tests.py | 35 +++++++++++++++++-----
>  1 file changed, 27 insertions(+), 8 deletions(-)
>
> diff --git a/tools/testing/selftests/tpm2/tpm2_tests.py b/tools/testing/selftests/tpm2/tpm2_tests.py
> index 9d764306887b..6b88ff0e47b9 100644
> --- a/tools/testing/selftests/tpm2/tpm2_tests.py
> +++ b/tools/testing/selftests/tpm2/tpm2_tests.py
> @@ -27,7 +27,23 @@ class SmokeTest(unittest.TestCase):
>          result = self.client.unseal(self.root_key, blob, auth, None)
>          self.assertEqual(data, result)
>  
> +    def determine_bank_alg(self):
> +        # Probe for available PCR bank
> +        for bank_alg in [tpm2.TPM2_ALG_SHA1, tpm2.TPM2_ALG_SHA256]:
> +            try:
> +                handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
> +                self.client.policy_pcr(handle, [17], bank_alg=bank_alg)
> +                return bank_alg
> +            except tpm2.UnknownPCRBankError:
> +                pass
> +            finally:
> +                self.client.flush_context(handle)
> +        return None
> +
>      def test_seal_with_policy(self):
> +        bank_alg = self.determine_bank_alg()
> +        self.assertIsNotNone(bank_alg)
> +
>          handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
>  
>          data = ('X' * 64).encode()
> @@ -35,7 +51,7 @@ class SmokeTest(unittest.TestCase):
>          pcrs = [16]
>  
>          try:
> -            self.client.policy_pcr(handle, pcrs)
> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>              self.client.policy_password(handle)
>  
>              policy_dig = self.client.get_policy_digest(handle)
> @@ -47,7 +63,7 @@ class SmokeTest(unittest.TestCase):
>          handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
>  
>          try:
> -            self.client.policy_pcr(handle, p"Use SHA-256 as a fallback crs)
> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>              self.client.policy_password(handle)
>  
>              result = self.client.unseal(self.root_key, blob, auth, handle)
> @@ -72,6 +88,9 @@ class SmokeTest(unittest.TestCase):
>          self.assertEqual(rc, tpm2.TPM2_RC_AUTH_FAIL)
>  
>      def test_unseal_with_wrong_policy(self):
> +        bank_alg = self.determine_bank_alg()
> +        self.assertIsNotNone(bank_alg)
> +
>          handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
>  
>          data = ('X' * 64).encode()
> @@ -79,7 +98,7 @@ class SmokeTest(unittest.TestCase):
>          pcrs = [16]
>  
>          try:
> -            self.client.policy_pcr(handle, pcrs)
> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>              self.client.policy_password(handle)
>  
>              policy_dig = self.client.get_policy_digest(handle)
> @@ -91,13 +110,13 @@ class SmokeTest(unittest.TestCase):
>          # Extend first a PCR that is not part of the policy and try to unseal.
>          # This should succeed.
>  
> -        ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
> -        self.client.extend_pcr(1, ('X' * ds).encode())
> +        ds = tpm2.get_digest_size(bank_alg)
> +        self.client.extend_pcr(1, ('X' * ds).encode(), bank_alg=bank_alg)
>  
>          handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
>  
>          try:
> -            self.client.policy_pcr(handle, pcrs)
> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>              self.client.policy_password(handle)
>  
>              result = self.client.unseal(self.root_key, blob, auth, handle)
> @@ -109,14 +128,14 @@ class SmokeTest(unittest.TestCase):
>  
>          # Then, extend a PCR that is part of the policy and try to unseal.
>          # This should fail.
> -        self.client.extend_pcr(16, ('X' * ds).encode())
> +        self.client.extend_pcr(16, ('X' * ds).encode(), bank_alg=bank_alg)
>  
>          handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
>  
>          rc = 0
>  
>          try:
> -            self.client.policy_pcr(handle, pcrs)
> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>              self.client.policy_password(handle)
>  
>              result = self.client.unseal(self.root_key, blob, auth, handle)

2021-11-27 03:45:50

by Stefan Berger

[permalink] [raw]
Subject: Re: [PATCH v3 1/3] selftests: tpm2: Probe for available PCR bank


On 11/26/21 19:29, Jarkko Sakkinen wrote:
> On Wed, 2021-11-24 at 19:38 -0500, Stefan Berger wrote:
>> From: Stefan Berger <[email protected]>
>>
>> Probe for an available PCR bank to accommodate devices that do not have a
> What does "probing for an vailable PCR bank" even mean?

Checking ? Testing ? What's the difference to those words?


>
>> SHA-1 PCR bank or whose SHA-1 bank is deactivated. Use the bank that can
>> be used for the TPM2 commands, such as the SHA-256 bank.
> This is incorrect, as the patch does not have code to query
> available hash algorithms.

I am not sure I understand. The new function determines which PCR banks
(SHA-1 or SHA-256) the subsequent tests can use. It tries to execute the
policy_pcr command with the given hash bank algorithm (SHA-256 or SHA-1)
and if it returns an UnknowPcrBankError it tries the next one in the
list. It doesn't need to query available hash algorithms. A TPM 2 may
support SHA 256 and yet its SHA 256 bank may be deactivate.

> What the code does, and only does that, is to use SHA-256 as
> a fallback when SHA-1 is not enabled.
>
> /Jarkko
>
>
>> Signed-off-by: Stefan Berger <[email protected]>
>> ---
>>  tools/testing/selftests/tpm2/tpm2_tests.py | 35 +++++++++++++++++-----
>>  1 file changed, 27 insertions(+), 8 deletions(-)
>>
>> diff --git a/tools/testing/selftests/tpm2/tpm2_tests.py b/tools/testing/selftests/tpm2/tpm2_tests.py
>> index 9d764306887b..6b88ff0e47b9 100644
>> --- a/tools/testing/selftests/tpm2/tpm2_tests.py
>> +++ b/tools/testing/selftests/tpm2/tpm2_tests.py
>> @@ -27,7 +27,23 @@ class SmokeTest(unittest.TestCase):
>>          result = self.client.unseal(self.root_key, blob, auth, None)
>>          self.assertEqual(data, result)
>>
>> +    def determine_bank_alg(self):
>> +        # Probe for available PCR bank
>> +        for bank_alg in [tpm2.TPM2_ALG_SHA1, tpm2.TPM2_ALG_SHA256]:
>> +            try:
>> +                handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
>> +                self.client.policy_pcr(handle, [17], bank_alg=bank_alg)
>> +                return bank_alg
>> +            except tpm2.UnknownPCRBankError:
>> +                pass
>> +            finally:
>> +                self.client.flush_context(handle)
>> +        return None
>> +
>>      def test_seal_with_policy(self):
>> +        bank_alg = self.determine_bank_alg()
>> +        self.assertIsNotNone(bank_alg)
>> +
>>          handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
>>
>>          data = ('X' * 64).encode()
>> @@ -35,7 +51,7 @@ class SmokeTest(unittest.TestCase):
>>          pcrs = [16]
>>
>>          try:
>> -            self.client.policy_pcr(handle, pcrs)
>> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>>              self.client.policy_password(handle)
>>
>>              policy_dig = self.client.get_policy_digest(handle)
>> @@ -47,7 +63,7 @@ class SmokeTest(unittest.TestCase):
>>          handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
>>
>>          try:
>> -            self.client.policy_pcr(handle, p"Use SHA-256 as a fallback crs)
>> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>>              self.client.policy_password(handle)
>>
>>              result = self.client.unseal(self.root_key, blob, auth, handle)
>> @@ -72,6 +88,9 @@ class SmokeTest(unittest.TestCase):
>>          self.assertEqual(rc, tpm2.TPM2_RC_AUTH_FAIL)
>>
>>      def test_unseal_with_wrong_policy(self):
>> +        bank_alg = self.determine_bank_alg()
>> +        self.assertIsNotNone(bank_alg)
>> +
>>          handle = self.client.start_auth_session(tpm2.TPM2_SE_TRIAL)
>>
>>          data = ('X' * 64).encode()
>> @@ -79,7 +98,7 @@ class SmokeTest(unittest.TestCase):
>>          pcrs = [16]
>>
>>          try:
>> -            self.client.policy_pcr(handle, pcrs)
>> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>>              self.client.policy_password(handle)
>>
>>              policy_dig = self.client.get_policy_digest(handle)
>> @@ -91,13 +110,13 @@ class SmokeTest(unittest.TestCase):
>>          # Extend first a PCR that is not part of the policy and try to unseal.
>>          # This should succeed.
>>
>> -        ds = tpm2.get_digest_size(tpm2.TPM2_ALG_SHA1)
>> -        self.client.extend_pcr(1, ('X' * ds).encode())
>> +        ds = tpm2.get_digest_size(bank_alg)
>> +        self.client.extend_pcr(1, ('X' * ds).encode(), bank_alg=bank_alg)
>>
>>          handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
>>
>>          try:
>> -            self.client.policy_pcr(handle, pcrs)
>> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>>              self.client.policy_password(handle)
>>
>>              result = self.client.unseal(self.root_key, blob, auth, handle)
>> @@ -109,14 +128,14 @@ class SmokeTest(unittest.TestCase):
>>
>>          # Then, extend a PCR that is part of the policy and try to unseal.
>>          # This should fail.
>> -        self.client.extend_pcr(16, ('X' * ds).encode())
>> +        self.client.extend_pcr(16, ('X' * ds).encode(), bank_alg=bank_alg)
>>
>>          handle = self.client.start_auth_session(tpm2.TPM2_SE_POLICY)
>>
>>          rc = 0
>>
>>          try:
>> -            self.client.policy_pcr(handle, pcrs)
>> +            self.client.policy_pcr(handle, pcrs, bank_alg=bank_alg)
>>              self.client.policy_password(handle)
>>
>>              result = self.client.unseal(self.root_key, blob, auth, handle)

2021-11-29 23:37:30

by Jarkko Sakkinen

[permalink] [raw]
Subject: Re: [PATCH v3 1/3] selftests: tpm2: Probe for available PCR bank

On Fri, Nov 26, 2021 at 10:43:42PM -0500, Stefan Berger wrote:
>
> On 11/26/21 19:29, Jarkko Sakkinen wrote:
> > On Wed, 2021-11-24 at 19:38 -0500, Stefan Berger wrote:
> > > From: Stefan Berger <[email protected]>
> > >
> > > Probe for an available PCR bank to accommodate devices that do not have a
> > What does "probing for an vailable PCR bank" even mean?
>
> Checking ? Testing ? What's the difference to those words?

This would an exact description:

"Some devices do not have SHA1 bank available. Try to use SHA256 as a
fallback when this occurs."

It does not leave any open territory what the patch does. It does exactly
this, not more or less.

/Jarkko