diff --git a/functional/agent-registration-with-non-default-tpm-algorithms/main.fmf b/functional/agent-registration-with-non-default-tpm-algorithms/main.fmf
new file mode 100644
index 00000000..73c7a99a
--- /dev/null
+++ b/functional/agent-registration-with-non-default-tpm-algorithms/main.fmf
@@ -0,0 +1,94 @@
+summary: Tests agent registration with non-default TPM algorithms
+description: |
+ Running all services on localhost.
+ Uses certificates generated by keylime.
+ Configures tenant and agent to use non-default TPM algorithms
+ Starts verifier, registrar, agent.
+ Registers agent and verifies successful registration.
+contact: Karel Srot
+component:
+ - keylime
+test: ./test.sh
+framework: beakerlib
+tag:
+ - CI-Tier-1
+require:
+ - yum
+recommend:
+ - keylime
+duration: 5m
+enabled: true
+
+adjust+:
+ # we require SWTPM
+ - when: swtpm == no
+ enabled: false
+
+# As of now (Keylime tip of tree being e558fe3b425c6e79419ede5ecd8427ce06ef4dd6):
+# For attestation:
+# - ECC is supported with ECDSA
+# - RSA is supported with RSASSA
+# Missing support:
+# - schnorr is not supported by OpenSSL (and hence not by python-cryptography either)
+# > https://github.com/pyca/cryptography/issues/8202
+# > https://github.com/openssl/openssl/issues/8440
+# - RSAPSS support is missing, but may be implemented in the future
+
+
+# this is not a complete set possible variants
+# RSA with RSASSA - should be supported for both registration and attestation.
+/rsa2048-rsassa:
+ summary: Tests agent registration with rsa2048-rsassa TPM algorithms
+ environment:
+ TPM_ENCRYPTION_ALG: rsa2048
+ TPM_SIGNING_ALG: rsassa
+
+/rsa3072-rsassa:
+ summary: Tests agent registration with rsa3072-rsassa TPM algorithms
+ environment:
+ TPM_ENCRYPTION_ALG: rsa3072
+ TPM_SIGNING_ALG: rsassa
+
+# RSAPSS is missing support in the server side, so it will only work for
+# registration, not attestation.
+/rsa3072-rsapss:
+ summary: Tests agent registration with rsa3072-rsapss TPM algorithms
+ environment:
+ TPM_ENCRYPTION_ALG: rsa3072
+ TPM_SIGNING_ALG: rsapss
+ SKIP_ATTESTATION: yes
+
+# ECC with ECDSA should work for both registration and attestation.
+/ecc256-ecdsa:
+ summary: Tests agent registration with ecc256-ecdsa TPM algorithms
+ environment:
+ TPM_ENCRYPTION_ALG: ecc256
+ TPM_SIGNING_ALG: ecdsa
+
+/ecc384-ecdsa:
+ summary: Tests agent registration with ecc384-ecdsa TPM algorithms
+ environment:
+ TPM_ENCRYPTION_ALG: ecc384
+ TPM_SIGNING_ALG: ecdsa
+
+/ecc521-ecdsa:
+ summary: Tests agent registration with ecc521-ecdsa TPM algorithms
+ environment:
+ TPM_ENCRYPTION_ALG: ecc521
+ TPM_SIGNING_ALG: ecdsa
+
+# schnorr is not supported by either OpenSSL or python-cryptography, so
+# only registration works here.
+/ecc256-ecschnorr:
+ summary: Tests agent registration with ecc256-ecschnorr TPM algorithms
+ environment:
+ TPM_ENCRYPTION_ALG: ecc256
+ TPM_SIGNING_ALG: ecschnorr
+ SKIP_ATTESTATION: yes
+
+/ecc384-ecschnorr:
+ summary: Tests agent registration with ecc384-ecschnorr TPM algorithms
+ environment:
+ TPM_ENCRYPTION_ALG: ecc384
+ TPM_SIGNING_ALG: ecschnorr
+ SKIP_ATTESTATION: yes
diff --git a/functional/agent-registration-with-non-default-tpm-algorithms/test.sh b/functional/agent-registration-with-non-default-tpm-algorithms/test.sh
new file mode 100755
index 00000000..a0bc858b
--- /dev/null
+++ b/functional/agent-registration-with-non-default-tpm-algorithms/test.sh
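Review bot: The comment `# this is not a complete set possible variants` is missing a word — `# this is not a complete set of possible variants`. The `SKIP_ATTESTATION: yes` flags on the rsapss and ecschnorr variants encode a current server-side gap, but nothing marks them for revisiting; a `# TODO: drop SKIP_ATTESTATION once the verifier supports RSAPSS / ECSCHNORR` next to each flag keeps the skipped attestation coverage from quietly becoming permanent.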
@@ -0,0 +1,81 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+# these 2 variables should be set from the outside
+#TPM_ENCRYPTION_ALG=ecc
+#TPM_SIGNING_ALG=ecschnorr
+SKIP_ATTESTATION="${SKIP_ATTESTATION:-}"
+
+AGENT_ID="d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
+
+rlJournalStart
+
+ rlPhaseStartSetup "Do the keylime setup"
+ [ -n "${TPM_ENCRYPTION_ALG}" ] || rlDie "TPM_ENCRYPTION_ALG variable is not set"
+ [ -n "${TPM_SIGNING_ALG}" ] || rlDie "TPM_SIGNING_ALG variable is not set"
+ rlRun 'rlImport "./test-helpers"' || rlDie "cannot import keylime-tests/test-helpers library"
+ rlAssertRpm keylime
+ # update /etc/keylime.conf
+ limeBackupConfig
+ # verifier
+ rlRun "limeUpdateConf revocations enabled_revocation_notifications '[]'"
+ # tenant
+ rlRun "limeUpdateConf tenant require_ek_cert False"
+ rlRun "limeUpdateConf tenant accept_tpm_encryption_algs [\\'${TPM_ENCRYPTION_ALG}\\']"
+ rlRun "limeUpdateConf tenant accept_tpm_signing_algs [\\'${TPM_SIGNING_ALG}\\']"
+ # agent
+ rlRun "limeUpdateConf agent enable_revocation_notifications false"
+ rlRun "limeUpdateConf agent tpm_encryption_alg \\\"${TPM_ENCRYPTION_ALG}\\\""
+ rlRun "limeUpdateConf agent tpm_signing_alg \\\"${TPM_SIGNING_ALG}\\\""
+ # if TPM emulator is present
+ if limeTPMEmulated; then
+ # start tpm emulator
+ rlRun "limeStartTPMEmulator"
+ rlRun "limeWaitForTPMEmulator"
+ rlRun "limeCondStartAbrmd"
+ # start ima emulator
+ rlRun "limeInstallIMAConfig"
+ rlRun "limeStartIMAEmulator"
+ fi
+ sleep 5
+ # start keylime_verifier
+ rlRun "limeStartVerifier"
+ rlRun "limeWaitForVerifier"
+ rlRun "limeStartRegistrar"
+ rlRun "limeWaitForRegistrar"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Register keylime agent"
+ rlRun "rm -f /var/lib/keylime/agent_data.json"
+ rlRun "limeStartAgent"
+ rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Attestation by the verifier"
+ if [ -n "${SKIP_ATTESTATION}" ]; then
+ rlLogInfo "Skipping attestation for combination of alg/sig (${TPM_ENCRYPTION_ALG} / ${TPM_SIGNING_ALG})"
+ else
+ rlRun "limeCreateTestPolicy"
+ rlRun "keylime_tenant -v 127.0.0.1 -t 127.0.0.1 -u $AGENT_ID --runtime-policy policy.json -c add"
+ rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartCleanup "Do the keylime cleanup"
+ rlRun "limeStopAgent"
+ rlRun "limeStopRegistrar"
+ rlRun "limeStopVerifier"
+ rlAssertNotGrep "Traceback" "$(limeRegistrarLogfile)"
+ rlAssertNotGrep "Traceback" "$(limeVerifierLogfile)"
+ if limeTPMEmulated; then
+ rlRun "limeStopIMAEmulator"
+ rlRun "limeStopTPMEmulator"
+ rlRun "limeCondStopAbrmd"
+ fi
+ limeSubmitCommonLogs
+ limeClearData
+ limeRestoreConfig
+ rlPhaseEnd
+
+rlJournalEnd
diff --git a/functional/agent-registration-with-non-default-tpm-algorithms/tpm_support_detection.sh b/functional/agent-registration-with-non-default-tpm-algorithms/tpm_support_detection.sh
new file mode 100755
index 00000000..d078dbbf
--- /dev/null
+++ b/functional/agent-registration-with-non-default-tpm-algorithms/tpm_support_detection.sh
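Review bot: For the SKIP_ATTESTATION variants the only check after `limeStartAgent` is `limeWaitForAgentRegistration ${AGENT_ID}`, so nothing confirms that the registered keys were actually produced with `${TPM_ENCRYPTION_ALG}`/`${TPM_SIGNING_ALG}` rather than the agent defaults — the tenant-side `accept_tpm_*_algs` restriction only bites in the attestation phase, which those variants skip. Consider an explicit assertion after registration, e.g. grepping the agent log for the configured algorithm names (the helper library is not visible here, so the accessor name is a guess: `rlAssertGrep "${TPM_SIGNING_ALG}" "$(limeAgentLogfile)"`) or querying the registrar for the stored key type. The `rm -f /var/lib/keylime/agent_data.json` line deserves a why-comment — presumably it discards keys persisted by a previous run so they are regenerated with the new algorithms; confirm and write it down, e.g. `# drop persisted agent keys so they are regenerated with the configured algorithms`. `require_ek_cert False` turns off EK certificate validation in the tenant, which is fine against swtpm but worth a one-line comment so the setting is not copied into a real-TPM configuration.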
@@ -0,0 +1,79 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+
+ rlPhaseStartSetup "Do the keylime setup"
+ rlRun 'rlImport "./test-helpers"' || rlDie "cannot import keylime-tests/test-helpers library"
+ # if TPM emulator is present
+ if limeTPMEmulated; then
+ # start tpm emulator
+ rlRun "limeStartTPMEmulator"
+ rlRun "limeWaitForTPMEmulator"
+ rlRun "limeCondStartAbrmd"
+ fi
+ sleep 5
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Survey TPM ECC and RSA curve/key support for EK creation"
+ if limeTPMEmulated; then
+ rlLogInfo "Querying TPM for advertised ECC curve support:"
+ rlRun "tpm2_getcap ecc-curves | tee '${TmpDir}'/tpm_ecc_curves.txt"
+
+ rlLogInfo "Querying TPM for advertised RSA key size support:"
+ rlRun "tpm2_getcap algorithms | grep -i rsa | tee '${TmpDir}'/tpm_rsa_algs.txt"
+
+ rlLogInfo "Testing which ECC curves actually work for EK creation:"
+ SUPPORTED_ECC=""
+ for curve in ecc192 ecc224 ecc256 ecc384 ecc521; do
+ rlLog "Testing $curve..."
+ if tpm2_createek -c "${TmpDir}"/test_${curve}.ctx \
+ -G ${curve} -u "${TmpDir}"/test_${curve}.pub \
+ >"${TmpDir}"/ek_test_${curve}.log 2>&1; then
+ rlLogInfo "EK creation with $curve: SUCCESS"
+ SUPPORTED_ECC="${SUPPORTED_ECC} ${curve}"
+ rm -f "${TmpDir}"/test_${curve}.ctx \
+ "${TmpDir}"/test_${curve}.pub
+ else
+ rlLogInfo "EK creation with $curve: FAILED"
+ cat "${TmpDir}"/ek_test_${curve}.log
+ fi
+ done
+
+ rlLogInfo "Testing which RSA key sizes actually work for EK creation:"
+ SUPPORTED_RSA=""
+ for rsa in rsa1024 rsa2048 rsa3072 rsa4096; do
+ rlLog "Testing $rsa..."
+ if tpm2_createek -c "${TmpDir}"/test_${rsa}.ctx \
+ -G ${rsa} -u "${TmpDir}"/test_${rsa}.pub \
+ >"${TmpDir}"/ek_test_${rsa}.log 2>&1; then
+ rlLogInfo "EK creation with $rsa: SUCCESS"
+ SUPPORTED_RSA="${SUPPORTED_RSA} ${rsa}"
+ rm -f "${TmpDir}"/test_${rsa}.ctx "${TmpDir}"/test_${rsa}.pub
+ else
+ rlLogInfo "EK creation with $rsa: FAILED"
+ cat "${TmpDir}"/ek_test_${rsa}.log
+ fi
+ done
+
+ rlLogInfo "========================================="
+ rlLogInfo "Supported algorithms for EK creation:"
+ rlLogInfo " ECC curves:${SUPPORTED_ECC}"
+ rlLogInfo " RSA sizes:${SUPPORTED_RSA}"
+ rlLogInfo "========================================="
+ rlRun "limeSubmitCommonLogs" 0,1
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartCleanup "Cleanup"
+ if limeTPMEmulated; then
+ rlRun "limeStopTPMEmulator"
+ rlRun "limeCondStopAbrmd"
+ fi
+ limeSubmitCommonLogs
+ rlRun "rm -r ${TmpDir}" 0 "Removing tmp directory"
+ rlPhaseEnd
+
+rlJournalEnd
diff --git a/setup/configure_swtpm_device/test.sh b/setup/configure_swtpm_device/test.sh
index a763efd2..14ea5cfe 100755
--- a/setup/configure_swtpm_device/test.sh
+++ b/setup/configure_swtpm_device/test.sh
@@ -69,7 +69,7 @@ Description=swtpm TPM Software emulator
 [Service]
 Type=simple
-ExecStartPre=/usr/bin/swtpm_setup --tpm-state ${SWTPM_DIR} --createek --decryption --create-ek-cert --create-platform-cert --lock-nvram --overwrite --display --tpm2 --pcr-banks sha256
+ExecStartPre=/usr/bin/swtpm_setup --tpm-state ${SWTPM_DIR} --createek --decryption --create-ek-cert --lock-nvram --overwrite --display --tpm2 --pcr-banks sha256
 ExecStart=/usr/bin/swtpm chardev --vtpm-proxy --tpmstate dir=${SWTPM_DIR} --tpm2
 [Install]
diff --git a/setup/configure_tpm_emulator/test.sh b/setup/configure_tpm_emulator/test.sh
index 3499b64e..cc12e45b 100755
--- a/setup/configure_tpm_emulator/test.sh
+++ b/setup/configure_tpm_emulator/test.sh
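Review bot: `tpm2_getcap algorithms | grep -i rsa` lists TPM algorithm identifiers, not RSA key sizes, so the `rlLogInfo "Querying TPM for advertised RSA key size support:"` line over-promises and `tpm_rsa_algs.txt` will not contain what the message suggests; the only real size survey is the `tpm2_createek` loop, and the log text should say so, e.g. `"Querying TPM for advertised RSA algorithm support (key sizes are probed below):"`. This script is not referenced from main.fmf (`test: ./test.sh`), so the framework never runs it; a header comment stating that it is a manual survey helper would save the next reader from looking for its plan entry. `rm -r ${TmpDir}` in cleanup is unquoted and unguarded — `rm -r -- "${TmpDir:?}"` refuses to run with an empty variable if the earlier `mktemp -d` failed. `limeSubmitCommonLogs` is called once via `rlRun ... 0,1` in the test phase and again bare in cleanup; one of the two is redundant.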
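Review bot: Dropping `--create-platform-cert` changes what swtpm_setup provisions into NVRAM for every test that uses this unit, not only the new algorithm tests, and nothing in the hunk records why. Add a comment above the `ExecStartPre=` line — e.g. `# --create-platform-cert intentionally omitted: <reason>` — stating the reason (presumably the platform-certificate step does not cooperate with the EK configurations the new tests exercise; confirm before writing it down). The unit text appears to sit inside a heredoc whose start lies outside the hunk, and systemd accepts `#` comment lines in unit files, so a comment there is safe.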
@@ -63,7 +63,7 @@ Description=swtpm TPM Software emulator
 [Service]
 Type=simple
 ExecStartPre=/usr/bin/mkdir -p ${TPM_RUNTIME_TOPDIR}/swtpm
-ExecStartPre=/usr/bin/swtpm_setup --tpm-state ${TPM_RUNTIME_TOPDIR}/swtpm --createek --decryption --create-ek-cert --create-platform-cert --lock-nvram --overwrite --display --tpm2 --pcr-banks sha256
+ExecStartPre=/usr/bin/swtpm_setup --tpm-state ${TPM_RUNTIME_TOPDIR}/swtpm --createek --decryption --create-ek-cert --lock-nvram --overwrite --display --tpm2 --pcr-banks sha256
 ExecStart=/usr/bin/swtpm socket --tpmstate dir=${TPM_RUNTIME_TOPDIR}/swtpm --log level=1 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags startup-clear --tpm2
 [Install]
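Review bot: The `--create-platform-cert` removal from the `swtpm_setup` ExecStartPre line carries no explanation, and this socket-based emulator unit is shared by every test that runs against swtpm, so the change is not scoped to the new algorithm tests. A short comment above `ExecStartPre=/usr/bin/swtpm_setup …` — e.g. `# no --create-platform-cert: <reason>` — should record why the platform certificate is no longer provisioned; the reason is not visible in the hunk, so confirm it before committing the wording. The enclosing heredoc and function start outside the hunk.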