Backport: f/agent-registration-with-non-default-tpm-algorithms

functional/agent-registration-with-non-default-tpm-algorithms/main.fmf

@@ -0,0 +1,94 @@
+summary: Tests agent registration with non-default TPM algorithms
+description: |
+    Running all services on localhost.
+    Uses certificates generated by keylime.
+    Configures tenant and agent to use non-default TPM algorithms
+    Starts verifier, registrar, agent.
+    Registers agent and verifies successful registration.
+contact: Karel Srot <ksrot@redhat.com>
+component:
+  - keylime
+test: ./test.sh
+framework: beakerlib
+tag:
+  - CI-Tier-1
+require:
+  - yum
+recommend:
+  - keylime
+duration: 5m
+enabled: true
+
+adjust+:
+  # we require SWTPM
+  - when: swtpm == no
+    enabled: false
+
+# As of now (Keylime tip of tree being e558fe3b425c6e79419ede5ecd8427ce06ef4dd6):
+# For attestation:
+# - ECC is supported with ECDSA
+# - RSA is supported with RSASSA
+# Missing support:
+# - schnorr is not supported by OpenSSL (and hence not by python-cryptography either)
+#   > https://github.com/pyca/cryptography/issues/8202
+#   > https://github.com/openssl/openssl/issues/8440
+# - RSAPSS support is missing, but may be implemented in the future
+
+
+# this is not a complete set possible variants
+# RSA with RSASSA - should be supported for both registration and attestation.
+/rsa2048-rsassa:
+  summary: Tests agent registration with rsa2048-rsassa TPM algorithms
+  environment:
+    TPM_ENCRYPTION_ALG: rsa2048
+    TPM_SIGNING_ALG: rsassa
+
+/rsa3072-rsassa:
+  summary: Tests agent registration with rsa3072-rsassa TPM algorithms
+  environment:
+    TPM_ENCRYPTION_ALG: rsa3072
+    TPM_SIGNING_ALG: rsassa
+
+# RSAPSS is missing support in the server side, so it will only work for
+# registration, not attestation.
+/rsa3072-rsapss:
+  summary: Tests agent registration with rsa3072-rsapss TPM algorithms
+  environment:
+    TPM_ENCRYPTION_ALG: rsa3072
+    TPM_SIGNING_ALG: rsapss
+    SKIP_ATTESTATION: yes
+
+# ECC with ECDSA should work for both registration and attestation.
+/ecc256-ecdsa:
+  summary: Tests agent registration with ecc256-ecdsa TPM algorithms
+  environment:
+    TPM_ENCRYPTION_ALG: ecc256
+    TPM_SIGNING_ALG: ecdsa
+
+/ecc384-ecdsa:
+  summary: Tests agent registration with ecc384-ecdsa TPM algorithms
+  environment:
+    TPM_ENCRYPTION_ALG: ecc384
+    TPM_SIGNING_ALG: ecdsa
+
+/ecc521-ecdsa:
+  summary: Tests agent registration with ecc521-ecdsa TPM algorithms
+  environment:
+    TPM_ENCRYPTION_ALG: ecc521
+    TPM_SIGNING_ALG: ecdsa
+
+# schnorr is not supported by either OpenSSL or python-cryptography, so
+# only registration works here.
+/ecc256-ecschnorr:
+  summary: Tests agent registration with ecc256-ecschnorr TPM algorithms
+  environment:
+    TPM_ENCRYPTION_ALG: ecc256
+    TPM_SIGNING_ALG: ecschnorr
+    SKIP_ATTESTATION: yes
+
+/ecc384-ecschnorr:
+  summary: Tests agent registration with ecc384-ecschnorr TPM algorithms
+  environment:
+    TPM_ENCRYPTION_ALG: ecc384
+    TPM_SIGNING_ALG: ecschnorr
+    SKIP_ATTESTATION: yes

functional/agent-registration-with-non-default-tpm-algorithms/test.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+# these 2 variables should be set from the outside
+#TPM_ENCRYPTION_ALG=ecc
+#TPM_SIGNING_ALG=ecschnorr
+SKIP_ATTESTATION="${SKIP_ATTESTATION:-}"
+
+AGENT_ID="d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
+
+rlJournalStart
+
+    rlPhaseStartSetup "Do the keylime setup"
+        [ -n "${TPM_ENCRYPTION_ALG}" ] || rlDie "TPM_ENCRYPTION_ALG variable is not set"
+        [ -n "${TPM_SIGNING_ALG}" ] || rlDie "TPM_SIGNING_ALG variable is not set"
+        rlRun 'rlImport "./test-helpers"' || rlDie "cannot import keylime-tests/test-helpers library"
+        rlAssertRpm keylime
+        # update /etc/keylime.conf
+        limeBackupConfig
+        # verifier
+        rlRun "limeUpdateConf revocations enabled_revocation_notifications '[]'"
+        # tenant
+        rlRun "limeUpdateConf tenant require_ek_cert False"
+        rlRun "limeUpdateConf tenant accept_tpm_encryption_algs [\\'${TPM_ENCRYPTION_ALG}\\']"
+        rlRun "limeUpdateConf tenant accept_tpm_signing_algs [\\'${TPM_SIGNING_ALG}\\']"
+        # agent
+        rlRun "limeUpdateConf agent enable_revocation_notifications false"
+        rlRun "limeUpdateConf agent tpm_encryption_alg \\\"${TPM_ENCRYPTION_ALG}\\\""
+        rlRun "limeUpdateConf agent tpm_signing_alg \\\"${TPM_SIGNING_ALG}\\\""
+        # if TPM emulator is present
+        if limeTPMEmulated; then
+            # start tpm emulator
+            rlRun "limeStartTPMEmulator"
+            rlRun "limeWaitForTPMEmulator"
+            rlRun "limeCondStartAbrmd"
+            # start ima emulator
+            rlRun "limeInstallIMAConfig"
+            rlRun "limeStartIMAEmulator"
+        fi
+        sleep 5
+        # start keylime_verifier
+        rlRun "limeStartVerifier"
+        rlRun "limeWaitForVerifier"
+        rlRun "limeStartRegistrar"
+        rlRun "limeWaitForRegistrar"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Register keylime agent"
+        rlRun "rm -f /var/lib/keylime/agent_data.json"
+        rlRun "limeStartAgent"
+        rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Attestation by the verifier"
+        if [ -n "${SKIP_ATTESTATION}" ]; then
+            rlLogInfo "Skipping attestation for combination of alg/sig (${TPM_ENCRYPTION_ALG} / ${TPM_SIGNING_ALG})"
+        else
+            rlRun "limeCreateTestPolicy"
+            rlRun "keylime_tenant -v 127.0.0.1 -t 127.0.0.1 -u $AGENT_ID --runtime-policy policy.json -c add"
+            rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
+        fi
+    rlPhaseEnd
+
+    rlPhaseStartCleanup "Do the keylime cleanup"
+        rlRun "limeStopAgent"
+        rlRun "limeStopRegistrar"
+        rlRun "limeStopVerifier"
+        rlAssertNotGrep "Traceback" "$(limeRegistrarLogfile)"
+        rlAssertNotGrep "Traceback" "$(limeVerifierLogfile)"
+        if limeTPMEmulated; then
+            rlRun "limeStopIMAEmulator"
+            rlRun "limeStopTPMEmulator"
+            rlRun "limeCondStopAbrmd"
+        fi
+        limeSubmitCommonLogs
+        limeClearData
+        limeRestoreConfig
+    rlPhaseEnd
+
+rlJournalEnd

functional/agent-registration-with-non-default-tpm-algorithms/tpm_support_detection.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+rlJournalStart
+
+    rlPhaseStartSetup "Do the keylime setup"
+        rlRun 'rlImport "./test-helpers"' || rlDie "cannot import keylime-tests/test-helpers library"
+        # if TPM emulator is present
+        if limeTPMEmulated; then
+            # start tpm emulator
+            rlRun "limeStartTPMEmulator"
+            rlRun "limeWaitForTPMEmulator"
+            rlRun "limeCondStartAbrmd"
+        fi
+        sleep 5
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Survey TPM ECC and RSA curve/key support for EK creation"
+        if limeTPMEmulated; then
+            rlLogInfo "Querying TPM for advertised ECC curve support:"
+            rlRun "tpm2_getcap ecc-curves | tee '${TmpDir}'/tpm_ecc_curves.txt"
+
+            rlLogInfo "Querying TPM for advertised RSA key size support:"
+            rlRun "tpm2_getcap algorithms | grep -i rsa | tee '${TmpDir}'/tpm_rsa_algs.txt"
+
+            rlLogInfo "Testing which ECC curves actually work for EK creation:"
+            SUPPORTED_ECC=""
+            for curve in ecc192 ecc224 ecc256 ecc384 ecc521; do
+                rlLog "Testing $curve..."
+                if tpm2_createek -c "${TmpDir}"/test_${curve}.ctx \
+                                 -G ${curve} -u "${TmpDir}"/test_${curve}.pub \
+                                 >"${TmpDir}"/ek_test_${curve}.log 2>&1; then
+                    rlLogInfo "EK creation with $curve: SUCCESS"
+                    SUPPORTED_ECC="${SUPPORTED_ECC} ${curve}"
+                    rm -f "${TmpDir}"/test_${curve}.ctx \
+                          "${TmpDir}"/test_${curve}.pub
+                else
+                    rlLogInfo "EK creation with $curve: FAILED"
+                    cat "${TmpDir}"/ek_test_${curve}.log
+                fi
+            done
+
+            rlLogInfo "Testing which RSA key sizes actually work for EK creation:"
+            SUPPORTED_RSA=""
+            for rsa in rsa1024 rsa2048 rsa3072 rsa4096; do
+                rlLog "Testing $rsa..."
+                if tpm2_createek -c "${TmpDir}"/test_${rsa}.ctx \
+                                 -G ${rsa} -u "${TmpDir}"/test_${rsa}.pub \
+                                 >"${TmpDir}"/ek_test_${rsa}.log 2>&1; then
+                    rlLogInfo "EK creation with $rsa: SUCCESS"
+                    SUPPORTED_RSA="${SUPPORTED_RSA} ${rsa}"
+                    rm -f "${TmpDir}"/test_${rsa}.ctx "${TmpDir}"/test_${rsa}.pub
+                else
+                    rlLogInfo "EK creation with $rsa: FAILED"
+                    cat "${TmpDir}"/ek_test_${rsa}.log
+                fi
+            done
+
+            rlLogInfo "========================================="
+            rlLogInfo "Supported algorithms for EK creation:"
+            rlLogInfo "  ECC curves:${SUPPORTED_ECC}"
+            rlLogInfo "  RSA sizes:${SUPPORTED_RSA}"
+            rlLogInfo "========================================="
+            rlRun "limeSubmitCommonLogs" 0,1
+        fi
+    rlPhaseEnd
+
+    rlPhaseStartCleanup "Cleanup"
+        if limeTPMEmulated; then
+            rlRun "limeStopTPMEmulator"
+            rlRun "limeCondStopAbrmd"
+        fi
+        limeSubmitCommonLogs
+        rlRun "rm -r ${TmpDir}" 0 "Removing tmp directory"
+    rlPhaseEnd
+
+rlJournalEnd

setup/configure_swtpm_device/test.sh

@@ -69,7 +69,7 @@ Description=swtpm TPM Software emulator
 
 [Service]
 Type=simple
-ExecStartPre=/usr/bin/swtpm_setup --tpm-state ${SWTPM_DIR} --createek --decryption --create-ek-cert --create-platform-cert --lock-nvram --overwrite --display --tpm2 --pcr-banks sha256
+ExecStartPre=/usr/bin/swtpm_setup --tpm-state ${SWTPM_DIR} --createek --decryption --create-ek-cert --lock-nvram --overwrite --display --tpm2 --pcr-banks sha256
 ExecStart=/usr/bin/swtpm chardev --vtpm-proxy --tpmstate dir=${SWTPM_DIR} --tpm2
 
 [Install]

setup/configure_tpm_emulator/test.sh

@@ -63,7 +63,7 @@ Description=swtpm TPM Software emulator
 [Service]
 Type=simple
 ExecStartPre=/usr/bin/mkdir -p ${TPM_RUNTIME_TOPDIR}/swtpm
-ExecStartPre=/usr/bin/swtpm_setup --tpm-state ${TPM_RUNTIME_TOPDIR}/swtpm --createek --decryption --create-ek-cert --create-platform-cert --lock-nvram --overwrite --display --tpm2 --pcr-banks sha256
+ExecStartPre=/usr/bin/swtpm_setup --tpm-state ${TPM_RUNTIME_TOPDIR}/swtpm --createek --decryption --create-ek-cert --lock-nvram --overwrite --display --tpm2 --pcr-banks sha256
 ExecStart=/usr/bin/swtpm socket --tpmstate dir=${TPM_RUNTIME_TOPDIR}/swtpm --log level=1 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags startup-clear --tpm2
 
 [Install]