From 70733e919aaa72aa03cccf6cd453bbe0da752de1 Mon Sep 17 00:00:00 2001 From: jetwhiz Date: Tue, 9 Apr 2019 17:57:36 -0400 Subject: [PATCH] Add attestation test, which ensures full attestation process works Signed-off-by: jetwhiz --- test/system/test_attestation.sh | 125 ++++++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100755 test/system/test_attestation.sh
diff --git a/test/system/test_attestation.sh b/test/system/test_attestation.sh
new file mode 100755
index 00000000000..ea9da13a419
--- /dev/null
+++ b/test/system/test_attestation.sh
@@ -0,0 +1,125 @@
+#!/bin/bash
+#;**********************************************************************;
+#
+# Copyright (c) 2019 Massachusetts Institute of Technology.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# 3. Neither the name of Intel Corporation nor the names of its contributors
+# may be used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+# THE POSSIBILITY OF SUCH DAMAGE.
+#;**********************************************************************;
+
+source test_helpers.sh
+
+handle_ek=0x81010007
+handle_ak=0x81010008
+handle_nv=0x1500018
+handle_hier=0x40000001
+ek_alg=rsa
+ak_alg=rsa
+digestAlg=sha256
+signAlg=rsassa
+ownerpw=ownerpass
+endorsepw=endorsepass
+ekpw=ekpass
+akpw=akpass
+
+file_input_data=secret.data
+file_input_key=nv.data
+output_ek_pub_pem=ekpub.pem
+output_ek_pub=ek.pub
+output_ak_pub_pem=akpub.pem
+output_ak_pub=ak.pub
+output_ak_priv=ak.priv
+output_ak_pub_name=ak.name
+output_mkcredential=mkcred.out
+output_actcredential=actcred.out
+output_quote=quote.out
+output_quotesig=quotesig.out
+output_quotepcr=quotepcr.out
+
+cleanup() {
+ rm -f $output_ak_priv \
+ $file_input_data $file_input_key $output_ek_pub $output_ek_pub_pem $output_ak_pub \
+ $output_ak_pub_pem $output_ak_pub_name $output_mkcredential \
+ $output_actcredential $output_quote $output_quotesig $output_quotepcr rand.out
+
+ tpm2_pcrreset 16
+ tpm2_evictcontrol -Q -Ao -c $handle_ek 2>/dev/null || true
+ tpm2_evictcontrol -Q -Ao -c $handle_ak 2>/dev/null || true
+
+ tpm2_nvrelease -Q -x $handle_nv -a $handle_hier -P "$ownerpw" 2>/dev/null || true
+
+ tpm2_takeownership -c 2>/dev/null || true
+}
+trap cleanup EXIT
+
+
+cleanup
+
+echo "12345678" > $file_input_data
+echo "1234567890123456789012345678901" > $file_input_key
+
+getrandom() {
+ tpm2_getrandom -Q -o rand.out $1
+ local file_size=`stat --printf="%s" rand.out`
+ loaded_randomness=`cat rand.out | xxd -p -c $file_size`
+}
+
+
+tpm2_takeownership -o "$ownerpw" -e "$endorsepw"
+
+# Key generation
+tpm2_getpubek -Q -H $handle_ek -g $ek_alg -f $output_ek_pub -P "$ekpw" -o "$ownerpw" -e "$endorsepw"
+tpm2_readpublic -Q -H $handle_ek -o $output_ek_pub_pem -f pem
+tpm2_getpubak -Q -E $handle_ek -k $handle_ak -g $ak_alg -D $digestAlg -s $signAlg -f $output_ak_pub -n $output_ak_pub_name -e "$endorsepw" -P "$akpw" -o "$ownerpw"
+tpm2_readpublic -Q -H $handle_ak -o $output_ak_pub_pem -f pem
+
+# Validate keys (registrar)
+file_size=`stat --printf="%s" $output_ak_pub_name`
+loaded_key_name=`cat $output_ak_pub_name | xxd -p -c $file_size`
+tpm2_makecredential -Q -T none -e $output_ek_pub -s $file_input_data -n $loaded_key_name -o $output_mkcredential
+tpm2_activatecredential -Q -H $handle_ak -k $handle_ek -f $output_mkcredential -o $output_actcredential -P "$akpw" -e "$endorsepw"
+diff $file_input_data $output_actcredential
+
+
+# Quoting
+tpm2_pcrreset -Q 16
+tpm2_pcrextend -Q 16:sha256=6ea40aa7267bb71251c1de1c3605a3df759b86b22fa9f62aa298d4197cd88a38
+tpm2_pcrlist -Q
+getrandom 20
+tpm2_quote -Q -k $handle_ak -L $digestAlg:15,16,22 -q $loaded_randomness -m $output_quote -s $output_quotesig -p $output_quotepcr -G $digestAlg -P "$akpw"
+
+
+# Verify quote
+tpm2_checkquote -Q -c $output_ak_pub_pem -m $output_quote -s $output_quotesig -p $output_quotepcr -G $digestAlg -q $loaded_randomness
+
+
+# Save U key from verifier
+tpm2_nvdefine -Q -x $handle_nv -a $handle_hier -s 32 -t "ownerread|policywrite|ownerwrite" -I "indexpass" -P "$ownerpw"
+tpm2_nvwrite -Q -x $handle_nv -a $handle_hier -P "$ownerpw" $file_input_key
+tpm2_nvread -Q -x $handle_nv -a $handle_hier -s 32 -P "$ownerpw"
+
+exit 0
-- 2.21.0
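Review bot: The two steps that actually assert attestation worked — `diff $file_input_data $output_actcredential` under "Validate keys" and the `tpm2_checkquote` call under "Verify quote" — have no fatal exit path of their own: the script never sets `-e`, and it ends with an unconditional `exit 0`, so a failed credential activation or a rejected quote still reports success unless the sourced test_helpers.sh turns on errexit (not visible in this hunk). Making the assertions explicit removes that dependency either way: `diff $file_input_data $output_actcredential || exit 1` and `|| exit 1` appended to the `tpm2_checkquote` line (or `set -e` immediately after the `source` line). If errexit is in fact inherited, note that `tpm2_pcrreset 16` is the one call in `cleanup` without `|| true`, so a failure there would abort the EXIT trap before the evictcontrol, nvrelease and takeownership steps run, leaving handles and the NV index behind for the next test. The test also covers only the positive path; a negative check that runs `tpm2_checkquote` with a different `-q` nonce or the PCR file from a second quote and expects a non-zero status is what demonstrates the verifier really binds the quote to the nonce and PCR state.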