#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
# Strict mode: abort on the first failing command or unset variable, and
# trace every command so a failing test run shows exactly what was executed.
set -o errexit -o nounset -o xtrace
# A pipeline fails when any of its stages fails, not only the last one.
set -o pipefail
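#######################################
# Run systemd-cryptenroll with the given arguments and verify that it
# reported wiping at least one slot.
# Arguments: "$@" - passed to systemd-cryptenroll unchanged
# Outputs:   the combined stdout/stderr of systemd-cryptenroll
# Returns:   0 if the output contains "Wiped slot <number>", non-zero otherwise
#######################################
cryptenroll_wipe_and_check() {(
    # The body runs in a subshell, so the option change and the EXIT trap
    # below do not leak into the caller.
    # With pipefail off the pipeline status is tee's, so the verdict comes
    # from the grep on the captured output alone.
    set +o pipefail

    # Capture into a private mktemp file rather than a fixed, predictable
    # name in world-writable /tmp.
    local out
    out="$(mktemp)" || exit 1
    trap 'rm -f -- "$out"' EXIT

    systemd-cryptenroll "$@" |& tee "$out"
    grep -qE "Wiped slot [[:digit:]]+" "$out"
)}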
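# There is an external issue with libcryptsetup on ppc64 that hits 95% of Ubuntu ppc64 test runs, so skip it
if [[ "$(uname -m)" == "ppc64le" ]]; then
    echo "Skipping systemd-cryptenroll tests on ppc64le, see https://github.com/systemd/systemd/issues/27716"
    exit 0
fi

export SYSTEMD_LOG_LEVEL=debug
IMAGE="$(mktemp /tmp/systemd-cryptenroll-XXX.image)"
# The unlock key goes into its own mktemp file: no fixed name in /tmp, and it
# is created with mode 0600, which also avoids the "has 0644 mode that is too
# permissive" message.
KEYFILE="$(mktemp /tmp/systemd-cryptenroll-XXX.key)"
# Remove both files on every exit path, including a failure under "set -e".
# Subshells such as the "(! ...)" checks below do not run this trap.
trap 'rm -f -- "$IMAGE" "$KEYFILE"' EXIT

truncate -s 20M "$IMAGE"
printf '%s' password >"$KEYFILE"
# Test-only parameters: a forced 1000-iteration PBKDF2 keeps the test fast and
# gives essentially no brute-force resistance; do not copy for real volumes.
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" "$KEYFILE"

# Enroll additional tokens, keys, and passwords to exercise the list and wipe stuff
systemd-cryptenroll --unlock-key-file="$KEYFILE" --tpm2-device=auto "$IMAGE"
NEWPASSWORD="" systemd-cryptenroll --unlock-key-file="$KEYFILE" --password "$IMAGE"
NEWPASSWORD=foo systemd-cryptenroll --unlock-key-file="$KEYFILE" --password "$IMAGE"
for _ in {0..9}; do
    systemd-cryptenroll --unlock-key-file="$KEYFILE" --recovery-key "$IMAGE"
done
# Unlock with the empty password enrolled above and add a PIN-protected TPM2 enrollment
PASSWORD="" NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true "$IMAGE"
# Do some basic checks before we start wiping stuff
systemd-cryptenroll "$IMAGE"
systemd-cryptenroll "$IMAGE" | grep password
systemd-cryptenroll "$IMAGE" | grep recovery
# Let's start wiping
cryptenroll_wipe_and_check "$IMAGE" --wipe=empty
# Repeating the same wipe must not report any wiped slot
(! cryptenroll_wipe_and_check "$IMAGE" --wipe=empty)
cryptenroll_wipe_and_check "$IMAGE" --wipe=empty,0
PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$IMAGE" --wipe=0,0,empty,0,pkcs11,fido2,000,recovery,password --password
systemd-cryptenroll "$IMAGE" | grep password
(! systemd-cryptenroll "$IMAGE" | grep recovery)
# We shouldn't be able to wipe all keyslots without enrolling a new key first
(! systemd-cryptenroll "$IMAGE" --wipe=all)
PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$IMAGE" --password --wipe=all
# Check if the newly (and only) enrolled password works
(! systemd-cryptenroll --unlock-key-file="$KEYFILE" --recovery-key "$IMAGE")
(! PASSWORD="" systemd-cryptenroll --recovery-key "$IMAGE")
PASSWORD=foo systemd-cryptenroll --recovery-key "$IMAGE"

# Well-formed option values must be accepted
# NOTE(review): no enrollment type is given here, so these presumably only
# exercise option parsing - confirm
systemd-cryptenroll --fido2-with-client-pin=false "$IMAGE"
systemd-cryptenroll --fido2-with-user-presence=false "$IMAGE"
systemd-cryptenroll --fido2-with-user-verification=false "$IMAGE"
systemd-cryptenroll --tpm2-pcrs=8 "$IMAGE"
systemd-cryptenroll --tpm2-pcrs=boot-loader-code+boot-loader-config "$IMAGE"

# Unlocking using TPM2
PASSWORD=foo systemd-cryptenroll --tpm2-device=auto "$IMAGE"
systemd-cryptenroll --unlock-tpm2-device=auto --recovery-key "$IMAGE"
systemd-cryptenroll --unlock-tpm2-device=auto --tpm2-device=auto --wipe-slot=tpm2 "$IMAGE"

# Add PIN to TPM2 enrollment
NEWPIN=1234 systemd-cryptenroll --unlock-tpm2-device=auto --tpm2-device=auto --tpm2-with-pin=yes "$IMAGE"

# Change PIN on TPM2 enrollment
PIN=1234 NEWPIN=4321 systemd-cryptenroll --unlock-tpm2-device=auto --tpm2-device=auto --tpm2-with-pin=yes "$IMAGE"
PIN=4321 systemd-cryptenroll --unlock-tpm2-device=auto --recovery-key "$IMAGE"

# Every invocation below is expected to fail
(! systemd-cryptenroll --fido2-with-client-pin=false)
(! systemd-cryptenroll --fido2-with-user-presence=f "$IMAGE" /tmp/foo)
(! systemd-cryptenroll --fido2-with-client-pin=1234 "$IMAGE")
(! systemd-cryptenroll --fido2-with-user-presence=1234 "$IMAGE")
(! systemd-cryptenroll --fido2-with-user-verification=1234 "$IMAGE")
(! systemd-cryptenroll --tpm2-with-pin=1234 "$IMAGE")
(! systemd-cryptenroll --recovery-key --password "$IMAGE")
(! systemd-cryptenroll --password --recovery-key "$IMAGE")
(! systemd-cryptenroll --password --fido2-device=auto "$IMAGE")
(! systemd-cryptenroll --password --pkcs11-token-uri=auto "$IMAGE")
(! systemd-cryptenroll --password --tpm2-device=auto "$IMAGE")
(! systemd-cryptenroll --unlock-fido2-device=auto --unlock-fido2-device=auto "$IMAGE")
(! systemd-cryptenroll --unlock-fido2-device=auto --unlock-key-file=/tmp/unlock "$IMAGE")
(! systemd-cryptenroll --fido2-credential-algorithm=es512 "$IMAGE")
(! systemd-cryptenroll --tpm2-public-key-pcrs=key "$IMAGE")
(! systemd-cryptenroll --tpm2-pcrs=key "$IMAGE")
(! systemd-cryptenroll --tpm2-pcrs=44+8 "$IMAGE")
(! systemd-cryptenroll --tpm2-pcrs=hello "$IMAGE")
(! systemd-cryptenroll --wipe-slot "$IMAGE")
(! systemd-cryptenroll --wipe-slot=10240000 "$IMAGE")
(! systemd-cryptenroll --fido2-device=auto --unlock-fido2-device=auto "$IMAGE")

# "$IMAGE" and "$KEYFILE" are removed by the EXIT trap set above.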