tpm2-pcr-validate: test various attestation failures

Signed-off-by: Trammell hudson <[email protected]>
nlfx · Jul 15, 2020 · db1905b · db1905b
1 parent 510b7cd
commit db1905b
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 3 deletions.
diff --git a/sbin/tpm2-pcr-validate b/sbin/tpm2-pcr-validate
@@ -26,7 +26,7 @@ with open(sys.argv[1]) as f:
 	pcrs = load(f, Loader=Loader)["pcrs"][alg]
 
 fail = False
-verbose = True
+verbose = False
 pcr_list = []
 
 for pcr in pcrs:
@@ -38,8 +38,10 @@ for pcr in pcrs:
 
 pcr_list = "%s:%s" % (alg, ",".join(pcr_list))
 
-for filename in sys.argv[2:0]:
-	with open(sys.argv[2]) as f:
+for filename in sys.argv[2:]:
+	with open(filename) as f:
+		if verbose:
+			print("%s: Reading PCRs" % (filename))
 		quote = load(f, Loader=Loader)["pcrs"][alg]
 
 	for pcr in pcrs:
@@ -50,6 +52,8 @@ for filename in sys.argv[2:0]:
 		elif good_pcr != quote[pcr]:
 			print("%s: PCR%d mismatch %x" % (filename, pcr, quote[pcr]), file=sys.stderr)
 			fail = True
+		elif verbose:
+			print("%s: PCR%d: %s matches %s" % (filename, pcr, quote[pcr], good_pcr))
 
 if fail:
 	print("%s: FAILED VALIDATION" % (pcr_list), file=sys.stderr)

diff --git a/tests/pcrs-t490.txt b/tests/pcrs-t490.txt
@@ -0,0 +1,6 @@
+pcrs:
+  sha256:
+    0 : 0x3FBF10A9DD919CD821C71C71B203F3839233120537798917F53714F1EFF7F036
+    1 : 0x6BAD0D93219F5B1E3BA7031BAB290ECA4D973AE6468145847A49D44BCC0905BD
+    2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
+    4 : 0xC28F2726BA0A11B9FBA161419FF95BE3DA6CA9ADDC286D5FA1E1E9EC0B79DC35
diff --git a/tests/quote-t490.tgz b/tests/quote-t490.tgz
diff --git a/tests/test-verify.sh b/tests/test-verify.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+# Verify that the quote verification works
+set -e -o pipefail
+export LC_ALL=C
+
+die() { echo "$@" >&2 ; exit 1 ; }
+warn() { echo "$@" >&2 ; }
+
+DIR="`dirname $0`"
+export PATH="$DIR/../sbin:$DIR/../bin:$PATH"
+
+warn "----- Good test -----"
+tpm2-attest verify \
+	"$DIR/quote-t490.tgz" \
+	"$DIR/pcrs-t490.txt" \
+	abcdef \
+	"$DIR/../certs" \
+> /tmp/attest-good.log \
+|| die "attestion verification failed"
+
+
+warn "--- Wrong nonce (should fail)"
+tpm2-attest verify \
+	"$DIR/quote-t490.tgz" \
+	"$DIR/pcrs-t490.txt" \
+	12345678 \
+	"$DIR/../certs" \
+> /tmp/attest-fail.log \
+&& die "wrong nonce: attestion verification should have failed"
+
+warn "--- Wrong PCRs (should fail)"
+sed -e 's/0xC/0xD/' < "$DIR/pcrs-t490.txt" > /tmp/bad-pcrs.txt
+tpm2-attest verify \
+	"$DIR/quote-t490.tgz" \
+	"/tmp/bad-pcrs.txt" \
+	abcdef \
+	"$DIR/../certs" \
+>> /tmp/attest-fail.log \
+&& die "wrong PCRs: attestion verification should have failed"
+
+warn "--- Missing PCR (should fail)"
+( cat "$DIR/pcrs-t490.txt" ; echo "    5 : 0xC28F2726BA0A11B9FBA161419FF95BE3DA6CA9ADDC286D5FA1E1E9EC0B79DC35" ) > /tmp/bad-pcrs.txt
+tpm2-attest verify \
+	"$DIR/quote-t490.tgz" \
+	"/tmp/bad-pcrs.txt" \
+	abcdef \
+	"$DIR/../certs" \
+>> /tmp/attest-fail.log \
+&& die "missing PCR: attestion verification should have failed"
+