git.ipfire.org Git - thirdparty/grub.git/commit

author	Gary Lin <glin@suse.com>
	Fri, 15 Nov 2024 07:35:00 +0000 (15:35 +0800)
committer	Daniel Kiper <daniel.kiper@oracle.com>
	Thu, 28 Nov 2024 20:50:56 +0000 (21:50 +0100)
commit	f898440cc1eec6e280ca149b3bea1334f28662e6
tree	b0705c34011f97cfaeda7c8ae2f67e070a6662e0	tree \| snapshot
parent	76a2bcb99754ee5b4159c35f66042e392139b815	commit \| diff

tests: Add tpm2_key_protector_test

For the tpm2_key_protector module, the TCG2 command submission function
is the only difference between a QEMU instance and grub-emu. To test
TPM2 key unsealing with a QEMU instance, it requires an extra OS image
to invoke grub-protect to seal the LUKS key, rather than a simple
grub-shell rescue CD image. On the other hand, grub-emu can share the
emulated TPM2 device with the host, so that we can seal the LUKS key on
host and test key unsealing with grub-emu.

This test script firstly creates a simple LUKS image to be loaded as a
loopback device in grub-emu. Then an emulated TPM2 device is created by
"swtpm chardev" and PCR 0 and 1 are extended.

There are several test cases in the script to test various settings. Each
test case uses grub-protect or tpm2-tools to seal the LUKS password
with PCR 0 and PCR 1. Then grub-emu is launched to load the LUKS image,
try to mount the image with tpm2_key_protector_init and cryptomount, and
verify the result.

Based on the idea from Michael Chang.

Cc: Michael Chang <mchang@suse.com>
Cc: Stefan Berger <stefanb@linux.ibm.com>
Cc: Glenn Washburn <development@efficientek.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>

Makefile.util.def		diff \| blob \| blame \| history
tests/tpm2_key_protector_test.in	[new file with mode: 0644]	blob
tests/util/grub-shell.in		diff \| blob \| blame \| history