The tests leave a lot of state around (attached volumes, persisted TPM handles, files under /tmp and /var/lib), so when a test is re-run — for example because of the qemu bug that makes the VM reboot instead of shutting down — it fails on the leftovers.
Do more cleanups in the traps.
[ 162.642175] TEST-70-TPM2.sh[2815]: Calculated public key name: 000b2b66edc3a466e81059286aaf38d09ea42a7a9dcdf6ba3b664c62f0cae4ce4f66
[ 162.642628] TEST-70-TPM2.sh[2815]: PolicyAuthorize calculated digest:
2caa740101f65734d50395d6abc64fa46015d40d1f5de239434578544e592a92
[ 162.643681] TEST-70-TPM2.sh[2815]: Calculated NV index name: 000b439cfa1534815bbe8d33b80c56f5a8d17d36fe94a7782b23a37b50def5fc5eaa
[ 162.645111] TEST-70-TPM2.sh[2815]: PolicyAuthorizeNV calculated digest:
69ee0e89fafe6b9df2cd6a5defbf74aa46cf6d92703e645d463549da4ba5e1a4
[ 162.645407] TEST-70-TPM2.sh[2815]: Combined signed PCR policies and pcrlock policies cannot be calculated offline, currently.
[ 162.649576] TEST-70-TPM2.sh[2815]: Releasing crypt device /dev/loop0 context.
[ 162.652433] TEST-70-TPM2.sh[2815]: Releasing device-mapper backend.
[ 162.653518] TEST-70-TPM2.sh[2815]: Closing read only fd for /dev/loop0.
[ 162.654359] TEST-70-TPM2.sh[2815]: Closing read write fd for /dev/loop0.
[ 162.654786] TEST-70-TPM2.sh[2815]: Failed to encrypt device: Operation not supported
Fixes https://github.com/systemd/systemd/issues/38241
export SYSTEMD_LOG_LEVEL=debug
+at_exit() {
+ rm -f /tmp/testdata /tmp/testdata.encrypted
+}
+
+trap at_exit EXIT
+
# Ensure that sandboxing doesn't stop creds from being accessible
echo "test" >/tmp/testdata
systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2
systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
# SetCredentialEncrypted
systemd-run -p PrivateDevices=yes -p SetCredentialEncrypted=testdata.encrypted:"$(cat /tmp/testdata.encrypted)" --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
-
-rm -f /tmp/testdata
grep -qE "Wiped slot [[:digit:]]+" /tmp/cryptenroll.out
)}
+at_exit() {
+ rm -f "${IMAGE:-}" /tmp/cryptenroll.out /tmp/password
+}
+
+trap at_exit EXIT
+
# There is an external issue with libcryptsetup on ppc64 that hits 95% of Ubuntu ppc64 test runs, so skip it
if [[ "$(uname -m)" == "ppc64le" ]]; then
echo "Skipping systemd-cryptenroll tests on ppc64le, see https://github.com/systemd/systemd/issues/27716"
}
at_exit() {
+ set +e
+
+ umount /tmp/dditest.mnt
+ systemd-cryptsetup detach test-volume
+ systemd-cryptsetup detach dditest
+
# Evict the TPM primary key that we persisted
if [[ -n "${PERSISTENT_HANDLE:-}" ]]; then
tpm2_evictcontrol -c "$PERSISTENT_HANDLE"
fi
+
+ if [[ -n "${DEVICE:-}" ]]; then
+ systemd-dissect --detach "$DEVICE"
+ fi
+
+ rm -rf /tmp/dditest /tmp/dditest.mnt
+ rm -f /tmp/dditest.raw "${IMAGE:-}" "${PRIMARY:-}" /tmp/passphrase /tmp/pcr.dat /tmp/srk.pub /tmp/srk2.pub
}
trap at_exit EXIT
exit 0
fi
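Review bot: `rm -rf /tmp/dditest /tmp/dditest.mnt` runs unconditionally after `umount /tmp/dditest.mnt`, and because the handler is under `set +e` a failed unmount (mount point busy, or the umount racing the detach) does not stop it, so `rm -rf` would then recurse into the still-mounted image instead of removing an empty directory. Removing the mount point with `rmdir` fails safely when something is still mounted there: `rm -rf /tmp/dditest` and `rmdir /tmp/dditest.mnt`. The same reasoning argues for keeping `umount` strictly before the `systemd-cryptsetup detach` and `systemd-dissect --detach` calls, as the hunk already does. The handler also evicts `$PERSISTENT_HANDLE` silently under `set +e`; since a persisted key surviving into the next run is exactly the kind of residue this commit targets, it may be worth leaving that call's failure visible, e.g. `tpm2_evictcontrol -c "$PERSISTENT_HANDLE" || echo "failed to evict $PERSISTENT_HANDLE" >&2`.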
+at_exit() {
+ set +e
+
+ systemd-cryptsetup detach test-volume2
+ rm -f "${IMAGE:-}" \
+ /tmp/passphrase \
+ /tmp/pcrsign-private.pem \
+ /tmp/pcrsign-public.pem \
+ /tmp/pcrsign.sig \
+ /tmp/pcrsign.sig2 \
+ /tmp/pcrsign.sig3 \
+ /tmp/pcrsign.sig4 \
+ /tmp/pcrsign.sig5 \
+ /tmp/pcrsign.sig6 \
+ /tmp/pcrsign.sig7 \
+ /tmp/pcrtestdata \
+ /tmp/pcrtestdata.encrypted \
+ /tmp/result \
+ /tmp/result.json \
+ /tmp/tpmdata1 \
+ /tmp/tpmdata2
+}
+
+trap at_exit EXIT
+
IMAGE="$(mktemp /tmp/systemd-measure-XXX.image)"
echo HALLO >/tmp/tpmdata1
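Review bot: The `rm -f` list in at_exit enumerates `/tmp/pcrsign.sig` through `/tmp/pcrsign.sig7` by hand, so a later test step that writes `.sig8` would be silently missed by the cleanup this commit introduces to fix reruns. A pattern covers the family without the maintenance cost: `/tmp/pcrsign.sig /tmp/pcrsign.sig[0-9]*` (an unmatched glob is passed literally and `rm -f` ignores it). The private key `/tmp/pcrsign-private.pem` is removed here, which is good; the handler only detaches `test-volume2`, so if this unit also attaches a `test-volume` elsewhere in the file (outside the hunk) it should be added to the detach list too.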
fi
rm -rf /run/nvpcr /tmp/nvpcr
- rm -f /var/tmp/nvpcr.raw /run/verity.d/test-79-nvpcr.crt
+ rm -f /var/tmp/nvpcr.raw /run/verity.d/test-70-nvpcr.crt /run/systemd/nvpcr/test.anchor
}
trap at_exit EXIT
# Dump the event log on fail, to make debugging a bit easier
jq --seq --slurp </run/log/systemd/tpm2-measure.log
fi
+
+ set +e
+
+ if [[ -e /etc/machine-id.save ]]; then
+ mv /etc/machine-id.save /etc/machine-id
+ fi
+
+ rm -rf /run/systemd/system/systemd-pcrextend.socket.d
+ systemctl daemon-reload
+ rm -f /tmp/oldpcr16 /tmp/oldpcr15 /tmp/newpcr16 /tmp/newpcr15
}
trap at_exit EXIT
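Review bot: `rm -rf /run/systemd/system/systemd-pcrextend.socket.d` followed only by `systemctl daemon-reload` re-reads the unit definition, but an already-running `systemd-pcrextend.socket` keeps the settings it was started with until it is restarted, so the drop-in may still be in effect when the next run starts. If the drop-in changes socket or exec properties (its content is outside this hunk), consider adding `systemctl restart systemd-pcrextend.socket` after the reload, under the same `set +e`. The `mv /etc/machine-id.save /etc/machine-id` restore is correctly guarded on the backup existing, so a run that never reached the save step does not clobber the real machine-id.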
[[ -e /run/log/systemd/tpm2-measure.log ]] && jq --seq --slurp </run/log/systemd/tpm2-measure.log
fi
- return 0
+ set +e
+
+ systemd-cryptsetup detach pcrlock
+
+ if [[ -x "${SD_PCRLOCK:-}" ]]; then
+ "$SD_PCRLOCK" remove-policy
+ "$SD_PCRLOCK" unlock-firmware-config
+ "$SD_PCRLOCK" unlock-gpt
+ "$SD_PCRLOCK" unlock-machine-id
+ "$SD_PCRLOCK" unlock-file-system
+ "$SD_PCRLOCK" unlock-raw --pcrlock=/var/lib/pcrlock.d/910-test70.pcrlock
+ "$SD_PCRLOCK" unlock-raw --pcrlock=/var/lib/pcrlock.d/920-test70.pcrlock
+ fi
+
+ rm -rf /tmp/fakexbootldr /var/lib/pcrlock.d/123-empty.pcrlock.d /run/systemd/system/systemd-pcrlock.socket.d
+ if [[ -n "${img:-}" ]]; then
+ rm -f "$img" "$img".private.pem "$img".public.pem "$img".pcrsign
+ fi
+ rm -f /tmp/borked /tmp/pcrlockpwd /var/lib/systemd/pcrlock.json /var/lib/systemd/pcrlock.json.gone
+ systemctl daemon-reload
}
trap at_exit EXIT
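Review bot: The whole policy teardown is gated on `[[ -x "${SD_PCRLOCK:-}" ]]`, so if `SD_PCRLOCK` is unset or not yet resolved when the trap fires (how it is assigned is outside this hunk), `remove-policy` and the `unlock-*` calls are skipped silently while the following `rm -f /var/lib/systemd/pcrlock.json` still deletes the local policy record — leaving the TPM-side state and the generated `/var/lib/pcrlock.d/*.pcrlock` files behind, which is the rerun residue this commit is meant to remove. An `else` branch that at least reports the skip, e.g. `else echo "SD_PCRLOCK not executable, skipping pcrlock policy removal" >&2; fi`, would make that failure mode visible. The ordering inside the guard (`remove-policy` before the `unlock-*` calls and before the `rm -f` of pcrlock.json) is the right one and should stay.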