diff --git a/Library/test-helpers/lib.sh b/Library/test-helpers/lib.sh
index e29b8011..ff4bfe49 100644
--- a/Library/test-helpers/lib.sh
+++ b/Library/test-helpers/lib.sh
@@ -455,6 +455,11 @@ __limeGetLogName() {
 local NAME=$1
 local LOGSUFFIX
 local TPMSUFFIX
+
+ if [[ "$NAME" == "push_model_agent" ]]; then
+ NAME="agent"
+ fi
+
 [ -n "$2" ] && LOGSUFFIX="$2" || LOGSUFFIX=$( echo "$NAME" | sed 's/.*/\u&/' ) # just uppercase first letter
 local LOGNAME=__INTERNAL_limeLog${LOGSUFFIX}
 if [ "$NAME" == "ima_emulator" ] && [ "$limeTPMDevNo" != "0" ]; then
@@ -1653,7 +1658,7 @@ and the suffix is specified by the SUFFIX parameter.
 limeInstallIMAKeys
 IMA certificate is signed by IMA CA key which is autogenerated if it is not present on a test
-system already. See
+system already. See https://ima-doc.readthedocs.io/en/latest/ima-utilities.html#ima-ca-key-and-certificate
 for details and how to import IMA CA key to MOK.
@@ -2135,7 +2140,7 @@ limeRegistrarLogfile() {
 true <<'=cut'
 =pod
-=head2 limeAgentrLogfile
+=head2 limeAgentLogfile
 Prints to STDOUT filepath to a log file containing Agent logs
@@ -2250,6 +2255,7 @@ limeSubmitCommonLogs() {
 [ -f $(limeVerifierLogfile) ] && limeLogfileSubmit $(limeVerifierLogfile)
 [ -f $(limeRegistrarLogfile) ] && limeLogfileSubmit $(limeRegistrarLogfile)
 [ -f $(limeAgentLogfile) ] && limeLogfileSubmit $(limeAgentLogfile)
+ [ -f $(limePushAgentLogfile) ] && limeLogfileSubmit $(limePushAgentLogfile)
 if limeTPMEmulated && [ -f $(limeIMAEmulatorLogfile) ]; then
 limeLogfileSubmit $(limeIMAEmulatorLogfile)
 fi
@@ -2826,7 +2832,7 @@ limeconRunTenant() {
 if [ -d cv_ca ]; then
 MOUNT_TENANT="$PWD/cv_ca:/var/lib/keylime/cv_ca/:z $MOUNT_TENANT"
 fi
-
+
 echo -e "\nRunning podman:\npodman run --volume $MOUNT_DIR --volume $MOUNT_TENANT --rm --name $NAME --entrypoint= --net $NETWORK --ip $IP $TAG keylime_tenant $TENANT_CMD"
 podman run --volume $MOUNT_DIR --volume $MOUNT_TENANT --rm --name $NAME --entrypoint= --net $NETWORK --ip $IP $TAG keylime_tenant $TENANT_CMD
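Review bot: The new `push_model_agent` → `agent` mapping in `__limeGetLogName` makes the push agent resolve to the same `__INTERNAL_limeLogAgent` variable as the regular agent; if `__limeServiceLogfile` goes through this function (not visible here), `limePushAgentLogfile` and `limeAgentLogfile` return the same path and the `limeSubmitCommonLogs` hunk on this same line submits that file twice. Either give the push agent its own log variable (map to a distinct suffix) or guard the extra submit, e.g. `[ "$(limePushAgentLogfile)" != "$(limeAgentLogfile)" ] && [ -f "$(limePushAgentLogfile)" ] && limeLogfileSubmit "$(limePushAgentLogfile)"`. The mapping also deserves a why-comment, e.g. `# the push-model agent shares the regular agent's log file and variable`. `__limeGetLogName` continues outside the hunk.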
@@ -3109,13 +3115,13 @@ set -m
 # Purge log files for a new test. It is therefore important to rlImport
 # the library before changing CWD to a different location.
-touch $__INTERNAL_limeLogCurrentTest
-if ! grep -q "^$PWD\$" $__INTERNAL_limeLogCurrentTest; then
- echo "$PWD" > $__INTERNAL_limeLogCurrentTest
- [ -f $__INTERNAL_limeLogVerifier ] && > $__INTERNAL_limeLogVerifier
- [ -f $l__INTERNAL_imeLogRegistrar ] && > $__INTERNAL_limeLogRegistrar
- [ -f $__INTERNAL_limeLogAgent ] && > $__INTERNAL_limeLogAgent
- [ -f $__INTERNAL_limeLogIMAEmulator ] && > $__INTERNAL_limeLogIMAEmulator && rm -f "${__INTERNAL_limeLogIMAEmulator}.tpm"*
+touch "$__INTERNAL_limeLogCurrentTest"
+if ! grep -q "^$PWD\$" "$__INTERNAL_limeLogCurrentTest"; then
+ echo "$PWD" > "$__INTERNAL_limeLogCurrentTest"
+ [ -f "$__INTERNAL_limeLogVerifier" ] && true > "$__INTERNAL_limeLogVerifier"
+ [ -f "$__INTERNAL_limeLogRegistrar" ] && true > "$__INTERNAL_limeLogRegistrar"
+ [ -f "$__INTERNAL_limeLogAgent" ] && true > "$__INTERNAL_limeLogAgent"
+ [ -f "$__INTERNAL_limeLogIMAEmulator" ] && true > "$__INTERNAL_limeLogIMAEmulator" && rm -f "${__INTERNAL_limeLogIMAEmulator}.tpm"*
 fi
 # prepare coveragerc file
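Review bot: `grep -q "^$PWD\$"` still interpolates the working directory into a basic regular expression, so a path containing `.`, `*` or `[` can match a different entry or make grep error out; the quoting fix in this hunk does not change that. Since the file stores the literal path, compare it as a fixed whole line: `if ! grep -qxF -- "$PWD" "$__INTERNAL_limeLogCurrentTest"; then`. The rest of the purge block can stay as written.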
@@ -3148,6 +3154,88 @@ fi
 # delete previously existing TPM data
 rm -f "${__INTERNAL_limeTPMDetails}"
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Push Attestation Functions
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+true <<'=cut'
+=pod
+
+=head2 limeStartPushAgent
+
+Start the keylime push attestation agent, either using rlServiceStart or directly.
+
+ limeStartPushAgent
+
+=over
+
+=back
+
+Returns 0 when the start was successful, non-zero otherwise.
+
+=cut
+limeStartPushAgent() {
+
+ # save TPM details
+ date >> ${__INTERNAL_limeTPMDetails}
+ echo -e "\n# tpm2_getcap properties-fixed" >> ${__INTERNAL_limeTPMDetails}
+ tpm2_getcap properties-fixed >> ${__INTERNAL_limeTPMDetails}
+ echo -e "\n# tpm2_getcap algorithms" >> ${__INTERNAL_limeTPMDetails}
+ tpm2_getcap algorithms >> ${__INTERNAL_limeTPMDetails}
+ echo -e "\n# tpm2_getcap pcrs" >> ${__INTERNAL_limeTPMDetails}
+ tpm2_getcap pcrs >> ${__INTERNAL_limeTPMDetails}
+ echo >> ${__INTERNAL_limeTPMDetails}
+
+ limeStopPushAgent
+ __limeStartKeylimeService push_model_agent
+
+}
+
+true <<'=cut'
+=pod
+
+=head2 limeStopPushAgent
+
+Stop the keylime push attestation agent, either using rlServiceStart or directly.
+
+ limeStopPushAgent
+
+=over
+
+=back
+
+Returns 0 when the stop was successful, non-zero otherwise.
+
+=cut
+limeStopPushAgent() {
+
+ __limeStopKeylimeService push_model_agent
+
+}
+
+true <<'=cut'
+=pod
+
+=head2 limePushAgentLogfile
+
+Prints to STDOUT filepath to a log file containing Agent logs
+
+ limePushAgentLogfile
+
+=over
+
+=back
+
+Returns 0.
+
+=cut
+
+limePushAgentLogfile() {
+
+ __limeServiceLogfile push_model_agent
+
+}
+
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 # Verification
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
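Review bot: In `limeStartPushAgent` the eight redirections to `${__INTERNAL_limeTPMDetails}` are unquoted, while the purge block touched by this same commit quotes the sibling `__INTERNAL_lime*` variables; quote them the same way, e.g. `date >> "${__INTERNAL_limeTPMDetails}"`. The TPM-details dump looks like a copy of the one in the existing `limeStartAgent` (not visible here); if so, moving it into one shared helper called from both start functions keeps the two from drifting. The POD for `limeStopPushAgent` still says "either using rlServiceStart or directly" and the one for `limePushAgentLogfile` says "containing Agent logs"; suggest "either using rlServiceStop or directly" and "containing push attestation agent logs".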
diff --git a/functional/measured-boot-swtpm-sanity/main.fmf b/functional/measured-boot-swtpm-sanity/main.fmf
index 96e5b80a..8633fb30 100644
--- a/functional/measured-boot-swtpm-sanity/main.fmf
+++ b/functional/measured-boot-swtpm-sanity/main.fmf
@@ -27,7 +27,6 @@ recommend:
 - efivar-libs
 duration: 5m
 enabled: true
-extra-nitrate: TC#0613892
 adjust:
 - when: swtpm is not defined or swtpm != yes
 enabled: false
@@ -46,4 +45,11 @@ adjust:
 enabled: false
 because: For Rust agent we are not able to fake measuredboot log during runtime
-id: a416a48b-3fd6-447f-82a7-6a305b6f7bc6
+
+/push:
+ environment:
+ AGENT_SERVICE: PushAgent
+/pull:
+ environment:
+ AGENT_SERVICE: Agent
+ id: a416a48b-3fd6-447f-82a7-6a305b6f7bc6
diff --git a/functional/measured-boot-swtpm-sanity/test.sh b/functional/measured-boot-swtpm-sanity/test.sh
index e3eae290..4c6ac5c3 100755
--- a/functional/measured-boot-swtpm-sanity/test.sh
+++ b/functional/measured-boot-swtpm-sanity/test.sh
@@ -3,6 +3,8 @@
 . /usr/share/beakerlib/beakerlib.sh || exit 1
 AGENT_ID="d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
+TENANT_ARGS=""
+[ "${AGENT_SERVICE}" == "PushAgent" ] && TENANT_ARGS="--push-model"
 rlJournalStart
@@ -38,12 +40,20 @@ rlJournalStart
 rlRun "limeUpdateConf verifier measured_boot_policy_name accept-all"
 rlRun "limeUpdateConf revocations enabled_revocation_notifications '[]'"
 rlRun "limeUpdateConf agent enable_revocation_notifications false"
+
+ # configure push attestation
+ if [ "${AGENT_SERVICE}" == "PushAgent" ]; then
+ # Set the verifier to run in PUSH mode
+ rlRun "limeUpdateConf verifier mode 'push'"
+ rlRun "limeUpdateConf verifier challenge_lifetime 1800"
+ fi
+
 # start keylime_verifier
 rlRun "limeStartVerifier"
 rlRun "limeWaitForVerifier"
 rlRun "limeStartRegistrar"
 rlRun "limeWaitForRegistrar"
- rlRun "limeStartAgent"
+ rlRun "limeStart${AGENT_SERVICE}"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
 # create allowlist and excludelist
 limeCreateTestPolicy
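Review bot: After the second main.fmf hunk the `id: a416a48b-3fd6-447f-82a7-6a305b6f7bc6` line appears to be nested under `/pull` only, so the new `/push` variant carries no `id` at all; whatever tracks this test by id (the removed `extra-nitrate` line in the previous hunk suggests such tracking exists) will not see the push run. If ids are required, give `/push` its own entry, `id: <NEW-UUID>` (placeholder until `tmt test id` assigns one); if they are not, a short comment on why only `/pull` keeps the historic id would avoid the question on the next review.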
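Review bot: `AGENT_SERVICE` gets no default in the first test.sh hunk, so running test.sh outside the `/push` or `/pull` fmf variants makes the later `rlRun "limeStart${AGENT_SERVICE}"` (second hunk on this line, and the stop/start hunks on the following lines) call a nonexistent `limeStart` and the whole test fails with an unrelated error. Default to the historic behaviour at the top of the script, `AGENT_SERVICE="${AGENT_SERVICE:-Agent}"`, placed before the `TENANT_ARGS` line. `rlJournalStart` and everything after it continue outside the hunk.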
@@ -52,12 +62,12 @@ rlJournalStart
 rlPhaseStartTest "Try adding agent with PRC15 configured in tpm_policy"
 TPM_POLICY='{"15":["0000000000000000000000000000000000000000","0000000000000000000000000000000000000000000000000000000000000000","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"]}'
 rlRun "echo '{}' > mb_refstate.txt"
- rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '${TPM_POLICY}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt" 1
+ rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '${TPM_POLICY}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt ${TENANT_ARGS}" 1
 rlAssertGrep 'ERROR - WARNING: PCR 15 is specified in "tpm_policy", but will in fact be used by measured boot. Please remove it from policy' $rlRun_LOG
 rlPhaseEnd
 rlPhaseStartTest "Add agent with empty tpm_policy"
- rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt"
+ rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate.txt ${TENANT_ARGS}"
 rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
 rlRun -s "keylime_tenant -c cvlist"
 rlAssertGrep "{'code': 200, 'status': 'Success', 'results': {'uuids':.*'$AGENT_ID'" $rlRun_LOG -E
@@ -66,13 +76,13 @@ rlJournalStart
 rlPhaseStartTest "Configure verifier to use elchecking/example measured boot policy, restart and re-register agent"
 rlRun "keylime_tenant -u $AGENT_ID -c delete"
 rlRun "keylime_tenant -u $AGENT_ID -c regdelete"
- rlRun "limeStopAgent"
+ rlRun "limeStop${AGENT_SERVICE}"
 rlRun "limeStopVerifier"
 sleep 5
 rlRun "limeUpdateConf verifier measured_boot_policy_name example"
 rlRun "limeStartVerifier"
 rlRun "limeWaitForVerifier"
- rlRun "limeStartAgent"
+ rlRun "limeStart${AGENT_SERVICE}"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
 rlPhaseEnd
@@ -87,7 +97,7 @@ rlJournalStart
 rlPhaseEnd
 rlPhaseStartTest "Add agent with tpm_policy generated by create_mb_refstate script and incorrect PCR banks"
- rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate2.txt" 1
+ rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy mb_refstate2.txt ${TENANT_ARGS}" 1
 rlRun "limeWaitForAgentStatus $AGENT_ID 'Tenant Quote Failed'"
 rlAssertGrep "keylime.tpm - ERROR - For PCR 0 and hash sha256 the boot event log has value '.*' but the agent .*returned '.*'" $(limeVerifierLogfile) -E
 rlPhaseEnd
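Review bot: The "incorrect PCR banks" phase in the second hunk still waits for `limeWaitForAgentStatus $AGENT_ID 'Tenant Quote Failed'` and greps a `keylime.tpm - ERROR` line in the verifier log; both come from the pull model's tenant-driven quote, and it is not visible here whether a push-mode verifier reports the same status and message when the agent's own attestation is checked against the bad refstate. Worth confirming on the `/push` variant before relying on it; if the status differs, select the expected status from `AGENT_SERVICE` the same way `TENANT_ARGS` is selected at the top of the script. The enclosing `rlJournalStart` block continues outside the hunk.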
@@ -100,17 +110,17 @@ rlJournalStart
 rlPhaseStartTest "Restart services and re-register agent"
 rlRun "keylime_tenant -u $AGENT_ID -c delete"
 rlRun "keylime_tenant -u $AGENT_ID -c regdelete"
- rlRun "limeStopAgent"
+ rlRun "limeStop${AGENT_SERVICE}"
 rlRun "limeStopVerifier"
 sleep 5
 rlRun "limeStartVerifier"
 rlRun "limeWaitForVerifier"
- rlRun "limeStartAgent"
+ rlRun "limeStart${AGENT_SERVICE}"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
 rlPhaseEnd
 rlPhaseStartTest "Add agent with tpm_policy generated by different tools and correct PCR banks"
- rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy $mb_policy"
+ rlRun -s "keylime_tenant -u $AGENT_ID --verify --tpm_policy '{}' --runtime-policy policy.json -f /etc/hostname -c add --mb-policy $mb_policy ${TENANT_ARGS}"
 rlRun "limeWaitForAgentStatus $AGENT_ID 'Get Quote'"
 rlPhaseEnd
 done
@@ -151,7 +161,7 @@ rlJournalStart
 rlPhaseStartTest "Add an agent with a mbpolicy but without a name and verify UUID as the name of the policy in mbpolicy DB."
 rlRun "keylime_tenant -u $AGENT_ID -c delete"
 sleep 5
- rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy mb_refstate.txt"
+ rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy mb_refstate.txt ${TENANT_ARGS}"
 rlRun -s "keylime_tenant -c showmbpolicy --mb-policy-name $AGENT_ID"
 rlAssertGrep "{'code': 200, 'status': 'Success', 'results': {'name': '$AGENT_ID', 'mb_policy': '{}'}}" "$rlRun_LOG"
 rlPhaseEnd
@@ -187,12 +197,12 @@ rlJournalStart
 rlPhaseEnd
 rlPhaseStartTest "Add an agent with a non-existing named mbpolicy."
- rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy-name non_existing_policy" 1
+ rlRun -s "keylime_tenant -u $AGENT_ID -f /etc/hostname -c add --mb-policy-name non_existing_policy ${TENANT_ARGS}" 1
 rlAssertGrep "{\"code\": 404, \"status\": \"Could not find mb_policy with name non_existing_policy!\", \"results\": {}}" "$rlRun_LOG"
 rlPhaseEnd
 rlPhaseStartCleanup "Do the keylime cleanup"
- rlRun "limeStopAgent"
+ rlRun "limeStop${AGENT_SERVICE}"
 rlRun "limeStopRegistrar"
 rlRun "limeStopVerifier"
 rlRun "limeStopIMAEmulator"
diff --git a/functional/push-attestation-on-localhost/main.fmf b/functional/push-attestation-on-localhost/main.fmf
new file mode 100644
index 00000000..8d630f35
--- /dev/null
+++ b/functional/push-attestation-on-localhost/main.fmf
@@ -0,0 +1,25 @@
+summary: Basic push attestation test on localhost
+description: |
+ Test basic push model attestation functionality
+ Running all services on localhost.
+ Uses certificates generated by keylime.
+
+ Enrolls agent using simple runtime policy.
+ Verifiers that system passed attestation.
+ Make changes on the system and verifies that the attestation fails.
+contact: Anderson Sasaki
+component:
+ - keylime
+test: ./test.sh
+framework: beakerlib
+tag:
+ - CI-Tier-1
+require:
+ - yum
+ - expect
+recommend:
+ - keylime
+ - python3-tomli
+duration: 10m
+enabled: true
+id: 77f1f100-a165-477b-b81d-40540f9c2762
diff --git a/functional/push-attestation-on-localhost/test.sh b/functional/push-attestation-on-localhost/test.sh
new file mode 100755
index 00000000..43eb0257
--- /dev/null
+++ b/functional/push-attestation-on-localhost/test.sh
@@ -0,0 +1,106 @@
+#!/bin/bash
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+AGENT_ID="d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
+
+rlJournalStart
+ rlPhaseStartSetup "Setup push attestation environment"
+ rlRun 'rlImport "./test-helpers"' || rlDie "cannot import keylime-tests/test-helpers library"
+ rlAssertRpm keylime
+
+ # Backup original configuration
+ limeBackupConfig
+
+ # Set the verifier to run in PUSH mode
+ rlRun "limeUpdateConf verifier mode 'push'"
+ rlRun "limeUpdateConf verifier challenge_lifetime 1800"
+
+ # Disable EK certificate verification on the tenant
+ rlRun "limeUpdateConf tenant require_ek_cert False"
+
+ # Configure TPM emulator if needed
+ if limeTPMEmulated; then
+ rlRun "limeStartTPMEmulator"
+ rlRun "limeWaitForTPMEmulator"
+ rlRun "limeCondStartAbrmd"
+ rlRun "limeInstallIMAConfig"
+ rlRun "limeStartIMAEmulator"
+ fi
+
+ sleep 5
+
+ # Start keylime services with push support
+ rlRun "limeStartVerifier"
+ rlRun "limeWaitForVerifier"
+ rlRun "limeStartRegistrar"
+ rlRun "limeWaitForRegistrar"
+ # Start push-attestaton agent
+ rlRun "limeStartPushAgent"
+ rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
+
+ # create some scripts
+ TESTDIR=$(limeCreateTestDir)
+ rlRun "echo -e '#!/bin/bash\necho This is good-script1' > $TESTDIR/good-script1.sh && chmod a+x $TESTDIR/good-script1.sh"
+ rlRun "echo -e '#!/bin/bash\necho This is good-script2' > $TESTDIR/good-script2.sh && chmod a+x $TESTDIR/good-script2.sh"
+
+ # create allowlist and excludelist
+ rlRun "limeCreateTestPolicy ${TESTDIR}/*"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Add keylime agent"
+ rlRun "keylime_tenant -v 127.0.0.1 -t 127.0.0.1 -u $AGENT_ID --runtime-policy policy.json -c add --push-model"
+ # Check that agent appears in verifier's agent list
+ rlRun -s "keylime_tenant -c cvlist"
+ # shellcheck disable=SC2154 # rlRun_LOG is set by BeakerLib's rlRun -s
+ rlAssertGrep "$AGENT_ID" "$rlRun_LOG"
+
+ # TODO: For now the agent dies after starting because it tries to send
+ # measurements and fails. Restart the agent.
+ rlRun "limeStartPushAgent"
+ rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
+
+ rlAssertGrep "Attestation [0-9]+ for agent .${AGENT_ID}. " "$(limeVerifierLogfile)" -E
+
+ # Store the index of the first attestation
+ INDEX=$(grep -oE "Attestation [0-9]+ for agent .${AGENT_ID}. successfully passed verification" "$(limeVerifierLogfile)" | tail -1 | grep -oE "Attestation [0-9]+" | grep -oE "[0-9]+")
+ rlPhaseEnd
+
+ rlPhaseStartTest "Running allowed scripts should not affect attestation"
+ rlRun "${TESTDIR}/good-script1.sh"
+ rlRun "${TESTDIR}/good-script2.sh"
+ rlRun "tail /sys/kernel/security/ima/ascii_runtime_measurements | grep good-script1.sh"
+ rlRun "tail /sys/kernel/security/ima/ascii_runtime_measurements | grep good-script2.sh"
+ rlRun "sleep 5"
+
+ rlRun "rlWaitForCmd 'grep -qE \"Attestation $((INDEX + 1)) for agent .${AGENT_ID}. successfully passed verification\" \$(limeVerifierLogfile)' -m 120 -d 1"
+ rlPhaseEnd
+
+ rlPhaseStartTest "Fail keylime agent"
+ rlRun "echo -e '#!/bin/bash\necho boom' > $TESTDIR/bad-script.sh && chmod a+x $TESTDIR/bad-script.sh"
+ rlRun "$TESTDIR/bad-script.sh"
+
+ rlRun "rlWaitForCmd 'grep -qE \"Attestation [0-9]+ for agent .${AGENT_ID}. failed verification\" \$(limeVerifierLogfile)' -m 120 -d 1"
+ rlAssertGrep "File not found in allowlist: $TESTDIR/bad-script.sh" "$(limeVerifierLogfile)"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup "Cleanup push attestation test"
+ # Stop push agent
+ rlRun "limeStopPushAgent"
+
+ # Stop keylime services
+ rlRun "limeStopRegistrar"
+ rlRun "limeStopVerifier"
+
+ # Stop TPM emulator if used
+ if limeTPMEmulated; then
+ rlRun "limeStopIMAEmulator"
+ rlRun "limeStopTPMEmulator"
+ rlRun "limeCondStopAbrmd"
+ fi
+
+ limeSubmitCommonLogs
+ limeClearData
+ limeRestoreConfig
+ limeExtendNextExcludelist "$TESTDIR"
+ rlPhaseEnd
+rlJournalEnd
diff --git a/plans/main.fmf b/plans/main.fmf
index eb722b89..6d8196dc 100644
--- a/plans/main.fmf
+++ b/plans/main.fmf
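Review bot: `INDEX` in the "Add keylime agent" phase comes from a `grep … | tail -1` pipeline that yields an empty string when no attestation has passed yet, and the `rlAssertGrep` just before it only checks `Attestation [0-9]+ for agent …` without `successfully passed verification`, so a first attestation that failed still lets the phase pass and the next phase silently waits for `Attestation 1` (empty `INDEX` evaluates to 0 in `$((INDEX + 1))`). Assert the passing line instead, `rlAssertGrep "Attestation [0-9]+ for agent .${AGENT_ID}. successfully passed verification" "$(limeVerifierLogfile)" -E`, and pin the index, `rlAssertNotEquals "first passed attestation index found" "$INDEX" ""`. The `require_ek_cert False` setting in setup turns off EK certificate checking on the tenant; a one-line comment on why the push path needs it (presumably the emulated TPM carries no EK certificate) would keep that relaxation from being copied into other tests without thought.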
@@ -5,8 +5,10 @@ context:
 # modify defaults below to point upstream keylime URL to a different repo and branch
 environment:
- KEYLIME_UPSTREAM_URL: "https://github.com/keylime/keylime.git"
- KEYLIME_UPSTREAM_BRANCH: "master"
+ #KEYLIME_UPSTREAM_URL: "https://github.com/keylime/keylime.git"
+ #KEYLIME_UPSTREAM_BRANCH: "master"
+ KEYLIME_UPSTREAM_URL: https://github.com/sarroutbi-test-organization/keylime-oss.git
+ KEYLIME_UPSTREAM_BRANCH: push-attestation
 # variables below impact only plans that use /setup/install_upstream_rust_keylime
 # task, not plans using /setup/install_rust_keylime_from_copr
 RUST_KEYLIME_UPSTREAM_URL: "https://github.com/keylime/rust-keylime.git"
diff --git a/plans/upstream-keylime-all-tests.fmf b/plans/upstream-keylime-all-tests.fmf
index 23b0d947..7ebced20 100644
--- a/plans/upstream-keylime-all-tests.fmf
+++ b/plans/upstream-keylime-all-tests.fmf
@@ -13,22 +13,10 @@ discover:
 - /setup/install_upstream_keylime
 - /setup/install_upstream_rust_keylime
 #- /setup/enable_keylime_debug_messages
- - /setup/enable_keylime_coverage
 # change IMA policy to simple and run one attestation scenario
 # this is to utilize also a different parser
- - /setup/configure_kernel_ima_module/ima_policy_simple
- - /functional/basic-attestation-on-localhost
- # now change IMA policy to signing and run all tests
 - /setup/configure_kernel_ima_module/ima_policy_signing
- - "^/functional/.*"
- - "^/compatibility/.*"
- - "^/regression/.*"
- - /update/basic-attestation-on-localhost/all
- - "/sanity/.*"
- # run upstream test suite
- - /upstream/run_keylime_tests
- - /setup/generate_coverage_report
- - /setup/generate_upstream_rust_keylime_code_coverage
+ - "^/functional/measured.*"
 execute:
 how: tmt
diff --git a/setup/configure_tpm_emulator/test.sh b/setup/configure_tpm_emulator/test.sh
index cc12e45b..c30c72be 100755
--- a/setup/configure_tpm_emulator/test.sh
+++ b/setup/configure_tpm_emulator/test.sh
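Review bot: `plans/main.fmf` now points `KEYLIME_UPSTREAM_URL` at `https://github.com/sarroutbi-test-organization/keylime-oss.git` on branch `push-attestation` with the canonical values commented out, and `upstream-keylime-all-tests.fmf` drops the coverage setup, the upstream test suite and every test pattern except `^/functional/measured.*`; both read as local CI scaffolding for exercising the feature branch rather than something to merge into the shared plans. Until the push-attestation work lands upstream, a separate plan (or an `adjust` rule keyed on a context variable) for the fork keeps the shared plans installing from the canonical repository and running the full list. If this is meant to be temporary, a `# TODO: revert before merge` beside the overridden URL makes the intent explicit to the next reader.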
@@ -124,9 +124,11 @@ User=tss
 [Install]
 WantedBy=multi-user.target
 _EOF"
- # also add drop-in update for eventual keylime_agent unit file
- rlRun "mkdir -p /etc/systemd/system/keylime_agent.service.d"
- rlRun "cat > /etc/systemd/system/keylime_agent.service.d/10-tcti.conf <<_EOF
+
+ # also add drop-in update for eventual keylime_agent unit files
+ for AGENT_DIR in keylime_agent.service.d keylime_push_model_agent.service.d; do
+ rlRun "mkdir -p /etc/systemd/system/${AGENT_DIR}"
+ rlRun "cat > /etc/systemd/system/${AGENT_DIR}/10-tcti.conf <<_EOF
 [Unit]
 # we want to unset this since there is no /dev/tmp0
 ConditionPathExistsGlob=
@@ -134,6 +136,7 @@ ConditionPathExistsGlob=
 Environment=\"TPM2TOOLS_TCTI=${TPM2TOOLS_TCTI}\"
 Environment=\"TCTI=${TPM2TOOLS_TCTI}\"
 _EOF"
+ done
 rlRun "systemctl daemon-reload"
 if [ "${TPM_EMULATOR}" = "swtpm" ]; then
diff --git a/setup/install_upstream_rust_keylime/test.sh b/setup/install_upstream_rust_keylime/test.sh
index 1b2165b1..7d4db29c 100755
--- a/setup/install_upstream_rust_keylime/test.sh
+++ b/setup/install_upstream_rust_keylime/test.sh
@@ -68,6 +68,13 @@ _EOF'
 rlRun "cat > /etc/systemd/system/keylime_agent.service.d/20-rust_log_trace.conf <<_EOF
 [Service]
 Environment=\"RUST_LOG=keylime_agent=trace,keylime=trace\"
+_EOF"
+
+ # Add drop-in unit file updates for push-attestation agent
+ rlRun "mkdir -p /etc/systemd/system/keylime_push_model_agent.service.d"
+ rlRun "cat > /etc/systemd/system/keylime_push_model_agent.service.d/20-rust_log_trace.conf <<_EOF
+[Service]
+Environment=\"RUST_LOG=keylime_push_model_agent=trace,keylime=trace\"
 _EOF"
 # If the TPM_BINARY_MEASUREMENTS env var is set, set the binary
@@ -76,6 +83,10 @@ _EOF"
 rlRun "cat > /etc/systemd/system/keylime_agent.service.d/30-measured_boot_location.conf <<_EOF
 [Service]
 Environment=\"TPM_BINARY_MEASUREMENTS=${TPM_BINARY_MEASUREMENTS}\"
+_EOF"
+ rlRun "cat > /etc/systemd/system/keylime_push_model_agent.service.d/30-measured_boot_location.conf <<_EOF
+[Service]
+Environment=\"TPM_BINARY_MEASUREMENTS=${TPM_BINARY_MEASUREMENTS}\"
 _EOF"
 fi
@@ -96,6 +107,14 @@ Environment=\"LLVM_PROFILE_FILE=${__INTERNAL_limeCoverageDir}/rust_keylime_codec
 # we need to change WorkingDirectory since .profraw* files will be stored there
 WorkingDirectory=${__INTERNAL_limeCoverageDir}/
 ExecStopPost=sh ${__INTERNAL_limeCoverageDir}/coverage-script-stop.sh
+_EOF"
+ rlRun "cat > /etc/systemd/system/keylime_push_model_agent.service.d/15-coverage.conf <<_EOF
+[Service]
+# set variable containing name of the currently running test
+Environment=\"LLVM_PROFILE_FILE=${__INTERNAL_limeCoverageDir}/rust_keylime_codecoverage.profraw\"
+# we need to change WorkingDirectory since .profraw* files will be stored there
+WorkingDirectory=${__INTERNAL_limeCoverageDir}/
+ExecStopPost=sh ${__INTERNAL_limeCoverageDir}/coverage-script-stop.sh
 _EOF"
 #IMA emulator coverage, graceful shutdown of IMA emulator, allow SIGINT kill
 rlRun "touch $__INTERNAL_limeCoverageDir/enabled"
@@ -105,6 +124,7 @@ _EOF"
 rlPhaseStartTest "Test installed binaries"
 rlRun "keylime_agent --help" 0,1
+ rlRun "keylime_push_model_agent --help" 0,1
 rlPhaseEnd
 rlJournalEnd
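Review bot: The new `keylime_push_model_agent.service.d/15-coverage.conf` in the second hunk sets `LLVM_PROFILE_FILE` to the same `${__INTERNAL_limeCoverageDir}/rust_keylime_codecoverage.profraw` and the same `WorkingDirectory` as the existing `keylime_agent` drop-in (its `Environment` line is the truncated hunk-header context), so if both services run within one test, the second one to stop overwrites the first one's profile. Give the push agent its own file, e.g. `Environment=\"LLVM_PROFILE_FILE=${__INTERNAL_limeCoverageDir}/rust_keylime_push_model_agent_codecoverage.profraw\"`, and confirm that `coverage-script-stop.sh` (not visible here) merges every `.profraw` in that directory rather than only the original filename. The `if` that guards the measured-boot drop-ins in the first hunk opens outside the hunk.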