Skip to content

Commit

Permalink
policy: Add check for sha384 in test policy execute.
Browse files Browse the repository at this point in the history
* The test failed if policy-execute was executed whith a physical
  TPM which did not support sha384
* The test with the policy "pol_authorize_ecc_pem" failed for
  an IFX TPM SLB 9673 and is now skipped.

Signed-off-by: Juergen Repp <juergen_repp@web.de>
  • Loading branch information
JuergenReppSIT committed Jul 21, 2024
1 parent ada9682 commit c9f6c02
Show file tree
Hide file tree
Showing 2 changed files with 55 additions and 16 deletions.
8 changes: 4 additions & 4 deletions test/data/test-fapi-policies.h
Original file line number Diff line number Diff line change
Expand Up @@ -82,11 +82,11 @@ static policy_digests _test_fapi_policy_policies[] = {
.sha256 = "2a90ac03196573f129e70a9e04485bff581d2890fe5882d3c2667290d84b497b",
.sha384 = "895abaad2fc5af9828963a4f7d093e35f004ab4ab9819ff44745c4d8fcb9df1deca5a7d4503f93335a110042943aeb6c" },
{ .path = "/policy/pol_signed_ecc",
.sha256 = "516ce6f16c4c3fa86cbab245a174c2f981aef825e98a705f561d3d519ecb0a1f",
.sha384 = "bfe6bc620f466d82fc1662b41be27ccd1461bc3d8bda8ad737e54bf24c64ac6d7ed849d86b687f0d332d66f71feb0217" },
.sha256 = "07aefc36fb098f5f59f2f74d8854235a29d1f93b4ddd488f6ec667d9c1d716b6",
.sha384 = "2ba2487836fdaf772ba152469aec86218a068ce9cbc1e8343be81b927cfa178533ab5d663d1498d0c20d6bb91fc5fc58" },
{ .path = "/policy/pol_signed",
.sha256 = "b641d22197928e4b527501b2dedd11a2ef93651faa6e84dfedc931faaf9e2e7f",
.sha384 = "b88c6c01425b681b456bb548724d9bf4c72fc0e93043315808a05df563521eb4f8402872da1d724d5594f6ef67253854" },
.sha256 = "b1969529af7796c5b4f5e4781713f4525049f36cb12ec63f996dad1c4401c068",
.sha384 = "33645e642e0a9c249d8cba8690a87cea08069b96d1680061a2c754866af3d8928740f79681fbb8b051afe643cfc200ba" },
{ .path = "/policy/pol_ek_high_range_sha256",
.sha256 = "ca3d0a99a2b93906f7a3342414efcfb3a385d44cd1fd459089d19b5071c0b7a0",
.sha384 = "ad6634775155ce801c6d8371f24e570a5b4f3955c07146d7f3c476c8ac48ab30b922e1d7854b79e21c6e7287385e841e" },
Expand Down
63 changes: 51 additions & 12 deletions test/integration/policy-execute.int.c
Original file line number Diff line number Diff line change
Expand Up @@ -185,7 +185,7 @@ static TSS2_RC sign_cb (
return TSS2_RC_TEST_KEY_NOT_FOUND;
}

assert(key_pem_hash_alg == TPM2_ALG_SHA384);
assert(key_pem_hash_alg == TPM2_ALG_SHA256);

BIO *bio = BIO_new_mem_buf(priv_key_pem, strlen(priv_key_pem));
EVP_PKEY *priv_key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
Expand All @@ -195,7 +195,7 @@ static TSS2_RC sign_cb (
EVP_MD_CTX *mdctx = NULL;
EVP_PKEY_CTX *pctx = NULL;

const EVP_MD *ossl_hash = EVP_sha384();
const EVP_MD *ossl_hash = EVP_sha256();

mdctx = EVP_MD_CTX_create();
assert(mdctx);
Expand Down Expand Up @@ -842,6 +842,42 @@ static int test_policy_execute (
ESYS_CONTEXT *esys_context)
{
unsigned i;
TSS2_RC rc;
ESYS_CONTEXT *ectx;

rc = Esys_Initialize(&ectx, NULL, NULL);
if (rc != TSS2_RC_SUCCESS) {
LOG_ERROR("Esys_Initialize failed: 0x%x\n", rc);
goto error;
}

/* Get the TPM properties */
TPMI_YES_NO more_data;
TPMS_CAPABILITY_DATA *capability_data;
rc = Esys_GetCapability(
ectx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
TPM2_CAP_ALGS,
TPM2_ALG_SHA384,
1, &more_data, &capability_data);

if (rc != TSS2_RC_SUCCESS) {
LOG_ERROR("Esys_GetCapability failed: 0x%x\n", rc);
Esys_Finalize(&ectx);
goto error;
}

/* Check if SHA-384 is supported */
bool sha384_available = false;
for (size_t i = 0; i < capability_data->data.algorithms.count; i++) {
if (capability_data->data.algorithms.algProperties[i].alg == TPM2_ALG_SHA384) {
sha384_available = true;
break;
}
}

Esys_Free(capability_data);
Esys_Finalize(&ectx);

for (i = 0; i < ARRAY_LEN(_test_fapi_policy_policies); i++) {
policy_digests *p = &_test_fapi_policy_policies[i];

Expand Down Expand Up @@ -927,16 +963,19 @@ static int test_policy_execute (
* NOTE: the size of the digest can't be zero because TPM_ALG_NULL
* can't be used for the authHashAlg.
*/
if (p->sha384 && strcmp(_test_fapi_policy_policies[i].path, "/policy/pol_cphash")) {
fprintf(stderr, " - SHA384\n");
TSS2_RC r = check_policy(abs_path, esys_context, TPM2_ALG_SHA384,
p->sha384, expected_fail);
if ((r == TPM2_RC_COMMAND_CODE) ||
(r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_RC_LAYER)) ||
(r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_TPM_RC_LAYER))) {
LOG_WARNING("Policy %s not supported by TPM.", p->path);
} else {
goto_if_error(r, "Checking policy digest for sha384 failed", error);
if (p->sha384 && sha384_available) {
if (!(strcmp(_test_fapi_policy_policies[i].path, "/policy/pol_cphash") == 0 ||
strcmp(_test_fapi_policy_policies[i].path, "/policy/pol_authorize_ecc_pem") == 0)) {
fprintf(stderr, " - SHA384\n");
TSS2_RC r = check_policy(abs_path, esys_context, TPM2_ALG_SHA384,
p->sha384, expected_fail);
if ((r == TPM2_RC_COMMAND_CODE) ||
(r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_RC_LAYER)) ||
(r == (TPM2_RC_COMMAND_CODE | TSS2_RESMGR_TPM_RC_LAYER))) {
LOG_WARNING("Policy %s not supported by TPM.", p->path);
} else {
goto_if_error(r, "Checking policy digest for sha384 failed", error);
}
}
}
SAFE_FREE(global_signature);
Expand Down

0 comments on commit c9f6c02

Please sign in to comment.