From: Lennart Poettering Date: Wed, 10 Dec 2025 02:57:56 +0000 (+0900) Subject: test: prefer tests with PCR 16 over PCR 11 X-Git-Tag: v259~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64b5c5f593c8863316323568268e3d07f4f7cac7;p=thirdparty%2Fsystemd.git test: prefer tests with PCR 16 over PCR 11 PCR 16 is intended for debugging purposes, and is the only PCR that can be reset by software. Let's prefer that for testing. PCR 11 has a purpose (i.e. kernel is measured there on UKI systems, as are the boot phases), hence let's not use that for testing. That should remove any interference of boot time ordering and testing our tpm code, as we will write to PCR 16 only, and reset it before we rely on it. This likely, kind of fixes #39582, but the issue mixes two things, PCR 11 issues on real-life hardware, and PCR 11 isues in our artificial tests. Only the latter is addressed by this PR, the other issue needs more debugging, but without logs we cannot do much.
---
diff --git a/test/units/TEST-70-TPM2.pcrextend.sh b/test/units/TEST-70-TPM2.pcrextend.sh
index d40cd703705..fbb6b30a122 100755
--- a/test/units/TEST-70-TPM2.pcrextend.sh
+++ b/test/units/TEST-70-TPM2.pcrextend.sh
@@ -9,7 +9,7 @@ set -o pipefail
 export SYSTEMD_LOG_LEVEL=debug
 SD_PCREXTEND="/usr/lib/systemd/systemd-pcrextend"
-if [[ ! -x "${SD_PCREXTEND:?}" ]] || ! tpm_has_pcr sha256 11 || ! tpm_has_pcr sha256 15; then
+if [[ ! -x "${SD_PCREXTEND:?}" ]] || ! tpm_has_pcr sha256 16 || ! tpm_has_pcr sha256 15; then
 echo "$SD_PCREXTEND or PCR sysfs files not found, skipping PCR extension tests"
 exit 0
 fi
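Review bot: The switch from probing PCR 11 to PCR 16 in the skip condition carries no explanation in the script itself; the reason (PCR 16 is the debug PCR and the only one software can reset, while PCR 11 holds the kernel and boot-phase measurements on UKI systems) lives only in the commit message. A comment above the `if` line would keep that rationale next to the code, e.g. `# Test measurements go to PCR 16 (the debug PCR, resettable by software); PCR 11 carries real boot-phase measurements on UKI systems and must not be polluted by tests.` The same comment would also cover the `--pcr=16` invocations in the second hunk. The skip check probes only the sha256 bank for PCR 16; the sha1-bank case is guarded separately by `tpm_has_pcr sha1 16` in the second hunk, which is consistent with that.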
@@ -28,23 +28,23 @@ export SYSTEMD_FORCE_MEASURE=1
 "$SD_PCREXTEND" --help
 "$SD_PCREXTEND" --version
-"$SD_PCREXTEND" foo
+"$SD_PCREXTEND" --pcr=16 foo
 "$SD_PCREXTEND" --machine-id
 "$SD_PCREXTEND" --product-id
 "$SD_PCREXTEND" --tpm2-device=list
-"$SD_PCREXTEND" --tpm2-device=auto foo
-"$SD_PCREXTEND" --tpm2-device=/dev/tpm0 foo
-"$SD_PCREXTEND" --bank=sha256 foo
-"$SD_PCREXTEND" --bank=sha256 --bank=sha256 foo
-"$SD_PCREXTEND" --graceful foo
+"$SD_PCREXTEND" --tpm2-device=auto --pcr=16 foo
+"$SD_PCREXTEND" --tpm2-device=/dev/tpm0 --pcr=16 foo
+"$SD_PCREXTEND" --bank=sha256 --pcr=16 foo
+"$SD_PCREXTEND" --bank=sha256 --bank=sha256 --pcr=16 foo
+"$SD_PCREXTEND" --graceful --pcr=16 foo
 "$SD_PCREXTEND" --pcr=15 foo
 "$SD_PCREXTEND" --file-system=/
 "$SD_PCREXTEND" --file-system=/tmp --file-system=/
-"$SD_PCREXTEND" --file-system=/tmp --file-system=/ --pcr=15 --pcr=11
+"$SD_PCREXTEND" --file-system=/tmp --file-system=/ --pcr=15 --pcr=16
 "$SD_PCREXTEND" --nvpcr=hardware foo
-if tpm_has_pcr sha1 11; then
- "$SD_PCREXTEND" --bank=sha1 --pcr=11 foo
+if tpm_has_pcr sha1 16; then
+ "$SD_PCREXTEND" --bank=sha1 --pcr=16 foo
 fi
 (! "$SD_PCREXTEND")
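Review bot: `"$SD_PCREXTEND" --pcr=15 foo` is left unchanged and still extends PCR 15 with a test string, which sits oddly next to the commit's aim of keeping test writes out of PCRs that have a real purpose; the `--machine-id`, `--product-id` and `--file-system=` lines use their built-in default PCR by design, but this line only exercises `--pcr=` parsing, which `--pcr=16` would cover equally. If it is kept deliberately (for instance to cover a second, non-debug PCR), a one-line comment such as `# intentionally extends PCR 15 as well, to cover a non-debug PCR` would stop the next reader from "fixing" it. The commit message says PCR 16 is reset before the test relies on it, but no reset is visible in this hunk ahead of the first `--pcr=16 foo` extend; presumably it lives elsewhere in the script, which is worth confirming, since these lines otherwise leave PCR 16 in whatever state they produce for the later checks.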
@@ -88,9 +88,9 @@ DIGEST_CURRENT="$(jq --seq --slurp --raw-output ".[$RECORD_COUNT].digests[] | se
 test "$DIGEST_EXPECTED" == "$DIGEST_CURRENT"
 RECORD_COUNT=$((RECORD_COUNT + 1))
-# And similar for the boot phase measurement into PCR 11
-tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11
-# Do the equivalent of 'SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" foobar' via Varlink, just to test the Varlink logic (but first we need to patch out the conditionalization...)
+# And similar for a string measurement into PCR 16
+tpm2_pcrread sha256:16 -Q -o /tmp/oldpcr16
+# Do the equivalent of 'SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" --pcr=16 foobar' via Varlink, just to test the Varlink logic (but first we need to patch out the conditionalization...)
 mkdir -p /run/systemd/system/systemd-pcrextend.socket.d
 cat >/run/systemd/system/systemd-pcrextend.socket.d/50-no-condition.conf </tmp/borked set +e