FAPI TEST: Rework the execution of FAPI integration tests

.ci/docker.run

@@ -24,6 +24,11 @@ if [ -z "$WITH_CRYPTO" ]; then
     export WITH_CRYPTO="ossl"
 fi
 
+little_endian=$(echo -n I | od -to2 | awk 'FNR==1{ print substr($2,6,1)}')
+if [ $little_endian -eq 0 ]; then
+    export CONFIGURE_OPTIONS="$CONFIGURE_OPTIONS --with-integrationtcti=libtpms"
+fi
+
 if [ "$WITH_CRYPTO" != "ossl" ]; then
     export CONFIGURE_OPTIONS="$CONFIGURE_OPTIONS --disable-fapi --disable-policy"
 fi
@@ -69,7 +74,9 @@ if [[ "$CC" == "gcc" && "$ENABLE_COVERAGE" == "true" ]]; then
 fi
 
 if ldconfig -p 2>/dev/null| grep libasan > /dev/null && ldconfig -p 2>/dev/null| grep libubsan > /dev/null; then
-  SANITIZER_OPTION="--with-sanitizer=undefined,address"
+  if [ $little_endian -eq 1 ]; then
+    SANITIZER_OPTION="--with-sanitizer=undefined,address"
+  fi
 fi
 
 if [ "$SCANBUILD" == "yes" ]; then

Makefile-test.am

@@ -21,6 +21,7 @@ EXTRA_DIST += $(srcdir)/script/int-log-compiler.sh \
               $(srcdir)/script/fint-log-compiler.sh \
               $(srcdir)/script/int-log-compiler-common.sh \
               $(srcdir)/script/ekca/create_ca.sh \
+              $(srcdir)/script/ekca/init_ca.sh \
               $(srcdir)/script/ekca/ek.cnf \
               $(srcdir)/script/ekca/intermed-ca.cnf \
               $(srcdir)/script/ekca/root-ca.cnf
@@ -43,39 +44,6 @@ test_helper_tpm_cmd_tcti_dummy_LDFLAGS = $(TESTS_LDFLAGS)
 test_helper_tpm_cmd_tcti_dummy_LDADD = $(TESTS_LDADD)
 endif #UNIT
 
-if ENABLE_INTEGRATION
-check_PROGRAMS += test/helper/tpm_startup
-test_helper_tpm_startup_CFLAGS = $(TESTS_CFLAGS) -I$(srcdir)/test/integration
-test_helper_tpm_startup_LDFLAGS = $(TESTS_LDFLAGS)
-test_helper_tpm_startup_LDADD = $(TESTS_LDADD)
-
-check_PROGRAMS += test/helper/tpm_transientempty
-test_helper_tpm_transientempty_CFLAGS = $(TESTS_CFLAGS) -I$(srcdir)/test/integration
-test_helper_tpm_transientempty_LDFLAGS = $(TESTS_LDFLAGS)
-test_helper_tpm_transientempty_LDADD = $(TESTS_LDADD)
-
-check_PROGRAMS += test/helper/tpm_dumpstate
-test_helper_tpm_dumpstate_CFLAGS = $(TESTS_CFLAGS) -I$(srcdir)/test/integration
-test_helper_tpm_dumpstate_LDFLAGS = $(TESTS_LDFLAGS)
-test_helper_tpm_dumpstate_LDADD = $(TESTS_LDADD)
-
-check_PROGRAMS += test/helper/tpm_getek
-test_helper_tpm_getek_CFLAGS = $(TESTS_CFLAGS) -I$(srcdir)/test/integration
-test_helper_tpm_getek_LDFLAGS = $(TESTS_LDFLAGS) -lcrypto
-test_helper_tpm_getek_LDADD = $(TESTS_LDADD)
-
-check_PROGRAMS += test/helper/tpm_getek_ecc
-test_helper_tpm_getek_ecc_CFLAGS = $(TESTS_CFLAGS) -I$(srcdir)/test/integration
-test_helper_tpm_getek_ecc_LDFLAGS = $(TESTS_LDFLAGS) -lcrypto
-test_helper_tpm_getek_ecc_LDADD = $(TESTS_LDADD)
-
-
-check_PROGRAMS += test/helper/tpm_writeekcert
-test_helper_tpm_writeekcert_CFLAGS = $(TESTS_CFLAGS) -I$(srcdir)/test/integration
-test_helper_tpm_writeekcert_LDFLAGS = $(TESTS_LDFLAGS)
-test_helper_tpm_writeekcert_LDADD = $(TESTS_LDADD)
-endif #ENABLE_INTEGRATION
-
 ### Rules to enerate binary test files for FAPI from b64 files.
 
 if FAPI
@@ -472,13 +440,15 @@ CLEANFILES += \
     test/integration/*.crt \
     test/integration/*.crl \
     test/integration/*.fint_state* \
+    test/integration/*.fint.* \
     test/integration/*.int_state* \
     test/integration/*.log \
     test/integration/*.fint_ek* \
     test/integration/*.fint_*-ca.pem \
     test/tpmclient/*.int_state* \
     test/tpmclient/*.log \
-    test/unit/*.log
+    test/unit/*.log \
+    NVChip
 
 if UNIT
 if ENABLE_TCTI_DEVICE
@@ -1999,7 +1969,7 @@ test_integration_sys_policy_authorizeNV_int_SOURCES = test/integration/main-sys.
 
 if FAPI
 test_integration_dlopen_fapi_get_random_fint_CFLAGS  = $(TESTS_CFLAGS) \
-    -DENABLE_WARN=1
+    -DENABLE_WARN=1 -DDLOPEN=1
 test_integration_dlopen_fapi_get_random_fint_LDADD   = $(TESTS_LDADD) $(LIBADD_DL)
 test_integration_dlopen_fapi_get_random_fint_LDFLAGS = $(TESTS_LDFLAGS)
 test_integration_dlopen_fapi_get_random_fint_SOURCES = \

Makefile.am

@@ -966,11 +966,25 @@ install-data-hook: install-dirs
 	fi
 
 uninstall-local:
+	-rm -r -f $(top_builddir)/ca
 	-rm $(DESTDIR)$(udevrulesdir)/$(udevrulesprefix)tpm-udev.rules
 	cd $(DESTDIR)$(man3dir) && \
 		[ -L Tss2_TctiLdr_Initialize_Ex.3 ] && \
 			rm -f Tss2_TctiLdr_Initialize_Ex.3 || true
 
+clean-hook:
+	-rm -r -f $(top_builddir)/ca
+
+check-hook:
+	-rm -r -f $(top_builddir)/ca
+
+prepare-check:
+if INIT_CA
+	$(top_srcdir)/script/ekca/init_ca.sh $(top_builddir)
+endif
+
+check: prepare-check
+
 EXTRA_DIST += \
     doc/doxygen.dox \
     doc/coding_standard_c.md \

configure.ac

@@ -29,6 +29,7 @@ AC_PROG_CC
 AC_PROG_CXX
 AC_PROG_LN_S
 AC_USE_SYSTEM_EXTENSIONS
+AC_C_BIGENDIAN
 LT_INIT()
 LT_LIB_DLLOAD
 PKG_INSTALLDIR()
@@ -411,13 +412,8 @@ dnl ---------  Physical TPM device for testing -----------------------
 
 AC_ARG_WITH([device],
             [AS_HELP_STRING([--with-device=<device>],[TPM device for testing])],
-            [AS_IF([test -w "$with_device" && test -r "$with_device"],
-                   [AC_MSG_RESULT([success])
-                    AX_NORMALIZE_PATH([with_device])
-                    with_device_set=yes],
-                   [AC_MSG_ERROR([TPM device provided does not exist or is not writable])])],
+            [with_device_set=yes],
             [with_device_set=no])
-AM_CONDITIONAL([TESTDEVICE],[test "x$with_device_set" = xyes])
 
 AC_ARG_WITH([devicetests],
             [AS_HELP_STRING([--with-devicetests=<case>],[Comma-separated values of possible tests: destructive,mandatory,optional] default is mandatory)],
@@ -445,6 +441,27 @@ AM_CONDITIONAL([DEVICEMANDATORY],[test "x$enable_device_mandatory" = "xyes"])
 #
 # enable integration tests and check for simulator binary
 #
+
+AC_ARG_WITH([integrationtcti],
+            [AS_HELP_STRING([--with-integrationtcti=<tcti>],[TCTI used for testing])],
+            [AS_IF([test x"$with_device_set" = "xyes"],
+                   [AC_MSG_ERROR([with-device defines already the used TCTI"])],
+                   [AS_IF([test "xdevice:" = x$(echo $with_integrationtcti | sed 's/\(device:\).*/\1/') ],
+                          [ with_device=$(echo $with_integrationtcti | sed 's/^device\://')
+                            with_device_set=yes
+                            integration_tcti=$with_integrationtcti],
+                          [ integration_tcti=$with_integrationtcti])])],
+            [integration_tcti=none])
+
+AM_CONDITIONAL([TESTDEVICE],[test "x$with_device_set" = xyes])
+
+AS_IF([test "xyes" = x"$with_device_set"],
+      [ AS_IF([test -w "$with_device" && test -r "$with_device"],
+            [AC_MSG_RESULT([success])
+                     AX_NORMALIZE_PATH([with_device])
+                     w th_device_set=yes],
+            [AC_MSG_ERROR([TPM device provided does not exist or is not writable])]) ])
+
 AC_ARG_ENABLE([integration],
     [AS_HELP_STRING([--enable-integration],
         [build and execute integration tests])],,
@@ -473,7 +490,6 @@ AS_IF([test "x$enable_integration" = "xyes"],
        AC_CHECK_HEADER(uthash.h, [], [AC_MSG_ERROR([Can not find uthash.h. Please install uthash-dev])])
 
        # choose tcti for testing and look for TPM simulator binary
-       integration_tcti="none"
        AS_IF([test "x$with_device_set" = xyes],
              [# use device if --with-device was passed
               integration_tcti=device:$with_device
@@ -624,6 +640,8 @@ AS_IF([test "x$enable_self_generated_certificate" = xyes],
 	[AC_DEFINE([SELF_GENERATED_CERTIFICATE], [1], [Allow usage of self generated root certificate])],
 	[AS_IF([test "x$integration_tcti" != "xdevice"], [AC_DEFINE([FAPI_TEST_EK_CERT_LESS], [1], [Perform integration tests without EK certificate verification])])])
 
+AM_CONDITIONAL([INIT_CA], [test "x$enable_self_generated_certificate" == xyes])
+
 AS_IF([test "x$enable_integration" = "xyes" && test "x$enable_self_generated_certificate" != "xyes" && test "x$integration_tcti" != "xdevice"],
       [AC_MSG_WARN([Running integration tests without EK certificate verification, use --enable-self-generated-certificate for full test coverage])])
 

script/ekca/init_ca.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+
+#set -x
+
+#set -euf
+OS=$(uname)
+DATE_FMT_BEFORE=""
+DATE_FMT_AFTER=""
+SED_CMD=""
+
+if [ "$OS" == "Linux" ]; then
+    DATE_FMT_BEFORE="+%y%m%d000000Z -u -d -1day"
+    DATE_FMT_AFTER="+%y%m%d000000Z -u -d +10years+1day"
+    SED_CMD="sed -i"
+elif [ "$OS" == "FreeBSD" ]; then
+    DATE_FMT_BEFORE="-u -v-1d +%y%m%d000000Z"
+    DATE_FMT_AFTER="-u -v+10y +%y%m%d000000Z"
+    SED_CMD="sed -i '' -e"
+fi
+
+EKCADIR="$(dirname $(realpath ${0}))/"
+CA_DIR="${1-.}/ca"
+
+if test -e $CA_DIR; then
+    exit
+fi
+mkdir -p $CA_DIR
+
+pushd "$CA_DIR"
+
+mkdir root-ca
+pushd root-ca
+
+mkdir certreqs certs crl newcerts private
+touch root-ca.index
+echo 00 > root-ca.crlnum
+echo 1000 > root-ca.serial
+echo "123456" > pass.txt
+
+cp "${EKCADIR}/root-ca.cnf" ./
+export OPENSSL_CONF=./root-ca.cnf
+ROOT_URL="file:$ROOTCRT"
+${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
+ROOT_URL="file:$ROOTCRL"
+${SED_CMD} "s|ROOTCRL|$ROOT_URL|g" $OPENSSL_CONF
+openssl req -new -out root-ca.req.pem -passout file:pass.txt
+
+#
+# Create self signed root certificate
+#
+
+openssl ca -selfsign \
+    -in root-ca.req.pem \
+    -out root-ca.cert.pem \
+    -extensions root-ca_ext \
+    -startdate `date ${DATE_FMT_BEFORE}` \
+    -enddate `date ${DATE_FMT_AFTER}` \
+    -passin file:pass.txt -batch
+
+openssl x509 -outform der -in  root-ca.cert.pem -out root-ca.cert.crt
+
+openssl verify -verbose -CAfile root-ca.cert.pem \
+        root-ca.cert.pem
+
+openssl ca -gencrl  -cert root-ca.cert.pem \
+        -out root-ca.cert.crl.pem -passin file:pass.txt
+openssl crl -in root-ca.cert.crl.pem -outform DER -out root-ca.cert.crl
+
+popd #root-ca
+
+#
+# Create intermediate certificate
+#
+mkdir intermed-ca
+pushd intermed-ca
+
+mkdir certreqs certs crl newcerts private
+touch intermed-ca.index
+echo 00 > intermed-ca.crlnum
+echo 2000 > intermed-ca.serial
+echo "abcdef" > pass.txt
+
+cp "${EKCADIR}/intermed-ca.cnf" ./
+export OPENSSL_CONF=./intermed-ca.cnf
+
+# Adapt CRT URL to current test directory
+${SED_CMD} "s|ROOTCRT|$ROOT_URL|g" $OPENSSL_CONF
+
+openssl req -new -out intermed-ca.req.pem -passout file:pass.txt
+
+openssl rsa -inform PEM -in private/intermed-ca.key.pem \
+        -outform DER -out private/intermed-ca.key.der -passin file:pass.txt
+
+cp intermed-ca.req.pem  \
+   ../root-ca/certreqs/
+
+INTERMED_URL="file:$INTERMEDCRT"
+${SED_CMD} "s|INTERMEDCRT|$INTERMED_URL|g" $OPENSSL_CONF
+
+pushd ../root-ca
+export OPENSSL_CONF=./root-ca.cnf
+
+openssl ca \
+    -in certreqs/intermed-ca.req.pem \
+    -out certs/intermed-ca.cert.pem \
+    -extensions intermed-ca_ext \
+    -startdate `date ${DATE_FMT_BEFORE}` \
+    -enddate `date ${DATE_FMT_AFTER}` \
+    -passin file:pass.txt -batch
+
+openssl x509 -outform der -in certs/intermed-ca.cert.pem \
+        -out certs/intermed-ca.cert.crt
+
+openssl verify -verbose -CAfile root-ca.cert.pem \
+        certs/intermed-ca.cert.pem
+
+cp certs/intermed-ca.cert.pem \
+   ../intermed-ca
+
+cp certs/intermed-ca.cert.crt \
+   ../intermed-ca
+
+popd #root-ca
+
+export OPENSSL_CONF=./intermed-ca.cnf
+openssl ca -gencrl  -cert ../root-ca/certs/intermed-ca.cert.pem \
+        -out intermed-ca.crl.pem -passin file:pass.txt
+openssl crl -in intermed-ca.crl.pem -outform DER -out intermed-ca.crl
+
+popd #intermed-ca