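#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# Integration test for the TPM2 code paths of systemd-cryptenroll,
# systemd-cryptsetup, systemd-measure, systemd-pcrphase and systemd-creds.
# Needs root and a TPM2 device ("tpm2-device=auto" is used throughout);
# writes "OK" to /testok when every check passed.
#
# Negative checks are written as
#     cmd && { echo 'unexpected success'; exit 1; }
# because a command that is part of an `&&` list does not trip `set -e`,
# so an expected failure does not abort the script.
set -ex -o pipefail

export SYSTEMD_LOG_LEVEL=debug

# Prepare fresh disk image
img="/var/tmp/test.img"
truncate -s 20M "$img"
# Key file for the passphrase slot. No trailing newline: the later
# `env PASSWORD=passphrase` unlocks must present exactly the same secret.
printf '%s' passphrase >/tmp/passphrase
# pbkdf2 with a forced 1000 iterations keeps luksFormat fast; this is far
# below a production-grade KDF setting and only acceptable in a test image.
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$img" /tmp/passphrase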
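# Unlocking via keyfile
systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto "$img"

# Enroll unlock with default PCR policy
env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto "$img"
/usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1
/usr/lib/systemd/systemd-cryptsetup detach test-volume

# Check with wrong PCR: extending PCR 7 moves it away from the value the
# key was sealed against, so unsealing must fail from here on.
tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
/usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }

# Enroll unlock with PCR+PIN policy (re-enrolled, hence sealed against the
# PCR 7 value as extended above)
systemd-cryptenroll --wipe-slot=tpm2 "$img"
env PASSWORD=passphrase NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true "$img"
env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1
/usr/lib/systemd/systemd-cryptsetup detach test-volume

# Check failure with wrong PIN
env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }

# Check LUKS2 token plugin unlock (i.e. without specifying tpm2-device=auto)
#
# The help text is captured once instead of piping it into `grep -q`:
# grep may exit before cryptsetup has finished writing, and with pipefail
# the resulting SIGPIPE status would make this branch be skipped at random.
cryptsetup_help=$(cryptsetup --help) || cryptsetup_help=""
token_plugin_dir=$(sed -n -r 's/.*LUKS2 external token plugin path: (.*)\./\1/p' <<<"$cryptsetup_help")
if grep -q 'LUKS2 external token plugin support is compiled-in' <<<"$cryptsetup_help" && \
   [[ -f "$token_plugin_dir/libcryptsetup-token-systemd-tpm2.so" ]]; then
    env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - headless=1
    /usr/lib/systemd/systemd-cryptsetup detach test-volume

    # Check failure with wrong PIN
    env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - headless=1 && { echo 'unexpected success'; exit 1; }
else
    echo 'cryptsetup has no LUKS2 token plugin support, skipping'
fi

# Check failure with wrong PCR (and correct PIN)
tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }

# Enroll unlock with PCR 0+7
systemd-cryptenroll --wipe-slot=tpm2 "$img"
env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 "$img"
/usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1
/usr/lib/systemd/systemd-cryptsetup detach test-volume

# Check with wrong PCR 0 (same reporting as every other negative check)
tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000
/usr/lib/systemd/systemd-cryptsetup attach test-volume "$img" - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }

rm -- "$img"
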
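if [[ -e /usr/lib/systemd/systemd-measure ]]; then
    # Fixed inputs so the expected PCR 11 values below are reproducible.
    # (`echo` keeps the trailing newline the expected digests were computed over.)
    echo HALLO >/tmp/tpmdata1
    echo foobar >/tmp/tpmdata2

    # Expected values for --phase=: in text form. With pipefail, a failing
    # systemd-measure fails the `cmp` pipeline and therefore the test.
    cat >/tmp/result <<'EOF'
11:sha1=5177e4ad69db92192c10e5f80402bf81bfec8a81
11:sha256=37b48bd0b222394dbe3cceff2fca4660c4b0a90ae9369ec90b42f14489989c13
11:sha384=5573f9b2caf55b1d0a6a701f890662d682af961899f0419cf1e2d5ea4a6a68c1f25bd4f5b8a0865eeee82af90f5cb087
11:sha512=961305d7e9981d6606d1ce97b3a9a1f92610cac033e9c39064895f0e306abc1680463d55767bd98e751eae115bdef3675a9ee1d29ed37da7885b1db45bb2555b
EOF
    /usr/lib/systemd/systemd-measure calculate --linux=/tmp/tpmdata1 --initrd=/tmp/tpmdata2 --bank=sha1 --bank=sha256 --bank=sha384 --bank=sha512 --phase=: | cmp - /tmp/result

    # Same values as JSON (-j). Note that --phase=: yields no "phase" key,
    # whereas --phase=foo below is recorded as "phase":"foo".
    cat >/tmp/result.json <<'EOF'
{"sha1":[{"pcr":11,"hash":"5177e4ad69db92192c10e5f80402bf81bfec8a81"}],"sha256":[{"pcr":11,"hash":"37b48bd0b222394dbe3cceff2fca4660c4b0a90ae9369ec90b42f14489989c13"}],"sha384":[{"pcr":11,"hash":"5573f9b2caf55b1d0a6a701f890662d682af961899f0419cf1e2d5ea4a6a68c1f25bd4f5b8a0865eeee82af90f5cb087"}],"sha512":[{"pcr":11,"hash":"961305d7e9981d6606d1ce97b3a9a1f92610cac033e9c39064895f0e306abc1680463d55767bd98e751eae115bdef3675a9ee1d29ed37da7885b1db45bb2555b"}]}
EOF
    /usr/lib/systemd/systemd-measure calculate --linux=/tmp/tpmdata1 --initrd=/tmp/tpmdata2 --bank=sha1 --bank=sha256 --bank=sha384 --bank=sha512 --phase=: -j | diff -u - /tmp/result.json

    # A different phase string must produce different predicted PCR values.
    cat >/tmp/result <<'EOF'
11:sha1=6765ee305db063040c454d32697d922b3d4f232b
11:sha256=21c49c1242042649e09c156546fd7d425ccc3c67359f840507b30be4e0f6f699
11:sha384=08d0b003a134878eee552070d51d58abe942f457ca85704131dd36f73728e7327ca837594bc9d5ac7de818d02a3d5dd2
11:sha512=65120f6ebc04b156421c6f3d543b2fad545363d9ca61c514205459e9c0e0b22e09c23605eae5853e38458ef3ca54e087168af8d8a882a98d220d9391e48be6d0
EOF
    /usr/lib/systemd/systemd-measure calculate --linux=/tmp/tpmdata1 --initrd=/tmp/tpmdata2 --bank=sha1 --bank=sha256 --bank=sha384 --bank=sha512 --phase=foo | cmp - /tmp/result

    cat >/tmp/result.json <<'EOF'
{"sha1":[{"phase":"foo","pcr":11,"hash":"6765ee305db063040c454d32697d922b3d4f232b"}],"sha256":[{"phase":"foo","pcr":11,"hash":"21c49c1242042649e09c156546fd7d425ccc3c67359f840507b30be4e0f6f699"}],"sha384":[{"phase":"foo","pcr":11,"hash":"08d0b003a134878eee552070d51d58abe942f457ca85704131dd36f73728e7327ca837594bc9d5ac7de818d02a3d5dd2"}],"sha512":[{"phase":"foo","pcr":11,"hash":"65120f6ebc04b156421c6f3d543b2fad545363d9ca61c514205459e9c0e0b22e09c23605eae5853e38458ef3ca54e087168af8d8a882a98d220d9391e48be6d0"}]}
EOF
    /usr/lib/systemd/systemd-measure calculate --linux=/tmp/tpmdata1 --initrd=/tmp/tpmdata2 --bank=sha1 --bank=sha256 --bank=sha384 --bank=sha512 --phase=foo -j | diff -u - /tmp/result.json

    rm /tmp/result /tmp/result.json
else
    echo "/usr/lib/systemd/systemd-measure not found, skipping PCR policy test case"
fi
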
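if [[ -e /usr/lib/systemd/systemd-measure && \
      -f /sys/class/tpm/tpm0/pcr-sha1/11 && \
      -f /sys/class/tpm/tpm0/pcr-sha256/11 ]]; then
    # Generate key pair used to sign predicted PCR 11 values
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "/tmp/pcrsign-private.pem"
    openssl rsa -pubout -in "/tmp/pcrsign-private.pem" -out "/tmp/pcrsign-public.pem"

    MEASURE_BANKS=("--bank=sha256")
    # Check if SHA1 signatures are supported
    #
    # Some distros have started phasing out SHA1, so make sure the SHA1
    # signatures are supported before trying to use them.
    if echo hello | openssl dgst -sign /tmp/pcrsign-private.pem -sha1 >/dev/null; then
        MEASURE_BANKS+=("--bank=sha1")
    fi

    # Sign the current PCR state with the test key; extra arguments
    # (--phase=, --append=) are passed through.
    sign_current_pcrs() {
        /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" "$@"
    }

    # Sign current PCR state with it
    sign_current_pcrs --phase=: | tee "/tmp/pcrsign.sig"
    dd if=/dev/urandom of=/tmp/pcrtestdata bs=1024 count=64
    systemd-creds encrypt /tmp/pcrtestdata /tmp/pcrtestdata.encrypted --with-key=host+tpm2-with-public-key --tpm2-public-key="/tmp/pcrsign-public.pem"
    systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" | cmp - /tmp/pcrtestdata

    # Invalidate PCR, decrypting should fail now: the signature covers the
    # old PCR 11 value only.
    tpm2_pcrextend 11:sha256=0000000000000000000000000000000000000000000000000000000000000000
    systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" >/dev/null && { echo 'unexpected success'; exit 1; }

    # Sign new PCR state, decrypting should work now.
    sign_current_pcrs --phase=: >"/tmp/pcrsign.sig2"
    systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig2" | cmp - /tmp/pcrtestdata

    # Now, do the same, but with a cryptsetup binding
    truncate -s 20M "$img"
    cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$img" /tmp/passphrase
    # Ensure that an unrelated signature, when not requested, is not used:
    # an empty (hence unusable) file is placed where a signature would be
    # looked up, and enrollment without --tpm2-signature= must still succeed.
    touch /run/systemd/tpm2-pcr-signature.json
    systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" "$img"
    # Reset and use the signature now
    rm -f /run/systemd/tpm2-pcr-signature.json
    systemd-cryptenroll --wipe-slot=tpm2 "$img"
    systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" --tpm2-signature="/tmp/pcrsign.sig2" "$img"

    # Check if we can activate that (without the token module stuff)
    SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 "$img" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1
    SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup detach test-volume2

    # Check if we can activate that (and a second time with the token module stuff enabled)
    SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 "$img" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1
    SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup detach test-volume2

    # After extending the PCR things should fail, with and without the token module
    tpm2_pcrextend 11:sha256=0000000000000000000000000000000000000000000000000000000000000000
    SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 "$img" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 && { echo 'unexpected success'; exit 1; }
    SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 "$img" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 && { echo 'unexpected success'; exit 1; }

    # But once we sign the current PCRs, we should be able to unlock again
    sign_current_pcrs --phase=: >"/tmp/pcrsign.sig3"
    SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 "$img" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1
    /usr/lib/systemd/systemd-cryptsetup detach test-volume2
    SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 "$img" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1
    /usr/lib/systemd/systemd-cryptsetup detach test-volume2

    # Test --append mode and de-duplication. With the same parameters signing should not add a new entry
    sign_current_pcrs --phase=: --append="/tmp/pcrsign.sig3" >"/tmp/pcrsign.sig4"
    cmp "/tmp/pcrsign.sig3" "/tmp/pcrsign.sig4"

    # Sign one more phase, this should add a new entry. cmp exits 1 only when
    # the files differ (0 = identical, >1 = trouble such as a missing file),
    # so that exact status is required rather than just "not equal".
    sign_current_pcrs --phase=quux:waldo --append="/tmp/pcrsign.sig4" >"/tmp/pcrsign.sig5"
    cmp_status=0
    cmp "/tmp/pcrsign.sig4" "/tmp/pcrsign.sig5" || cmp_status=$?
    (( cmp_status == 1 )) || { echo "expected pcrsign.sig4 and pcrsign.sig5 to differ (cmp status $cmp_status)"; exit 1; }

    # Should still be good to unlock, given the old entry still exists
    SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 "$img" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig5",headless=1
    /usr/lib/systemd/systemd-cryptsetup detach test-volume2

    # Adding both signatures once more should not change anything, due to the deduplication
    sign_current_pcrs --phase=: --append="/tmp/pcrsign.sig5" >"/tmp/pcrsign.sig6"
    sign_current_pcrs --phase=quux:waldo --append="/tmp/pcrsign.sig6" >"/tmp/pcrsign.sig7"
    cmp "/tmp/pcrsign.sig5" "/tmp/pcrsign.sig7"

    rm -- "$img"
else
    echo "/usr/lib/systemd/systemd-measure or PCR sysfs files not found, skipping signed PCR policy test case"
fi
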
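if [[ -e /usr/lib/systemd/systemd-pcrphase && \
      -f /sys/class/tpm/tpm0/pcr-sha256/11 ]]; then

    # Let's measure the machine ID. /etc/machine-id is temporarily replaced
    # with a known value; it is restored even if systemd-pcrphase fails, so a
    # failed test run does not leave the host with a bogus machine ID.
    tpm2_pcrread sha256:15 -Q -o /tmp/oldpcr15
    mv /etc/machine-id /etc/machine-id.save
    echo 994013bf23864ee7992eab39a96dd3bb >/etc/machine-id
    pcrphase_status=0
    SYSTEMD_FORCE_MEASURE=1 /usr/lib/systemd/systemd-pcrphase --machine-id || pcrphase_status=$?
    mv /etc/machine-id.save /etc/machine-id
    (( pcrphase_status == 0 )) || { echo "systemd-pcrphase --machine-id failed with status $pcrphase_status"; exit 1; }
    tpm2_pcrread sha256:15 -Q -o /tmp/newpcr15

    # And check it matches expectations:
    # new PCR = SHA256(old PCR || SHA256("machine-id:<id>"))
    ( cat /tmp/oldpcr15 ;
      printf '%s' "machine-id:994013bf23864ee7992eab39a96dd3bb" | openssl dgst -binary -sha256 ) | openssl dgst -binary -sha256 | cmp - /tmp/newpcr15

    rm /tmp/oldpcr15 /tmp/newpcr15

    # And similar for the boot phase measurement into PCR 11
    tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11
    SYSTEMD_FORCE_MEASURE=1 /usr/lib/systemd/systemd-pcrphase foobar
    tpm2_pcrread sha256:11 -Q -o /tmp/newpcr11

    # new PCR = SHA256(old PCR || SHA256("foobar"))
    ( cat /tmp/oldpcr11 ;
      printf '%s' "foobar" | openssl dgst -binary -sha256 ) | openssl dgst -binary -sha256 | cmp - /tmp/newpcr11

    rm /tmp/oldpcr11 /tmp/newpcr11
else
    echo "/usr/lib/systemd/systemd-pcrphase or PCR sysfs files not found, skipping PCR extension test case"
fi
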
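# Ensure that sandboxing doesn't stop creds from being accessible: the unit
# runs with PrivateDevices=yes, so the TPM2-bound credential has to be
# decrypted for it by the service manager rather than inside the sandbox.
echo "test" >/tmp/testdata
systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2
# LoadCredentialEncrypted (credential taken from a file)
systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
# SetCredentialEncrypted (credential passed inline; this is the ciphertext
# produced above, so exposing it on the command line leaks no secret)
systemd-run -p PrivateDevices=yes -p SetCredentialEncrypted=testdata.encrypted:"$(cat /tmp/testdata.encrypted)" --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
rm /tmp/testdata /tmp/testdata.encrypted
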
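# negative tests for cryptenroll: every invocation below must be rejected
# by argument validation, before anything is written to the image.

# Prepare a new disk image
img_2="/var/tmp/file_enroll.txt"
truncate -s 20M "$img_2"
printf '%s' password >/tmp/password
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$img_2" /tmp/password

# boolean arguments: only boolean values are accepted for --*-with-* options
systemd-cryptenroll --fido2-with-client-pin=false && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --fido2-with-user-presence=f "$img_2" /tmp/foo && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --fido2-with-client-pin=1234 "$img_2" && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --fido2-with-client-pin=false "$img_2"

systemd-cryptenroll --fido2-with-user-presence=1234 "$img_2" && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --fido2-with-user-presence=false "$img_2"

systemd-cryptenroll --fido2-with-user-verification=1234 "$img_2" && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --tpm2-with-pin=1234 "$img_2" && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --fido2-with-user-verification=false "$img_2"

# enroll type: only one enrollment method may be requested per invocation
systemd-cryptenroll --recovery-key --password "$img_2" && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --password --recovery-key "$img_2" && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --password --fido2-device=auto "$img_2" && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --password --pkcs11-token-uri=auto "$img_2" && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --password --tpm2-device=auto "$img_2" && { echo 'unexpected success'; exit 1; }

# unlock type: only one unlock method may be given
systemd-cryptenroll --unlock-fido2-device=auto --unlock-fido2-device=auto "$img_2" && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --unlock-fido2-device=auto --unlock-key-file=/tmp/unlock "$img_2" && { echo 'unexpected success'; exit 1; }

# fido2 credential algorithm: unknown algorithm name
systemd-cryptenroll --fido2-credential-algorithm=es512 "$img_2" && { echo 'unexpected success'; exit 1; }

# tpm2 errors: PCR lists must be numeric
systemd-cryptenroll --tpm2-public-key-pcrs=key "$img_2" && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --tpm2-pcrs=key "$img_2" && { echo 'unexpected success'; exit 1; }

# wipe slots: missing value and out-of-range slot number
systemd-cryptenroll --wipe-slot "$img_2" && { echo 'unexpected success'; exit 1; }

systemd-cryptenroll --wipe-slot=10240000 "$img_2" && { echo 'unexpected success'; exit 1; }

# fido2 multiple auto: enrolling and unlocking with "auto" at the same time is ambiguous
systemd-cryptenroll --fido2-device=auto --unlock-fido2-device=auto "$img_2" && { echo 'unexpected success'; exit 1; }
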
# Success marker picked up by the test harness.
printf 'OK\n' >/testok

exit 0