test: skip --tpm2-device-key= tests with older OpenSSL
authorFrantisek Sumsal <frantisek@sumsal.cz>
Mon, 13 Nov 2023 19:35:29 +0000 (20:35 +0100)
committerFrantisek Sumsal <frantisek@sumsal.cz>
Mon, 13 Nov 2023 19:37:36 +0000 (20:37 +0100)
--tpm2-device-key= requires OpenSSL >= 3 with KDF-SS, so let's skip the
test if we're running with older OpenSSL.

+ systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs=12:sha256=F5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B /tmp/systemd-cryptsetup-H8y.IMAGE
Failed to find TPM2 pcrlock policy file 'pcrlock.json': No such file or directory
Allocating context for crypt device /tmp/systemd-cryptsetup-H8y.IMAGE.
Trying to open and read device /tmp/systemd-cryptsetup-H8y.IMAGE with direct-io.
Trying to open device /tmp/systemd-cryptsetup-H8y.IMAGE without direct-io.
Initialising device-mapper backend library.
Trying to load LUKS2 crypt type from device /tmp/systemd-cryptsetup-H8y.IMAGE.
Crypto backend (OpenSSL 1.1.1k  FIPS 25 Mar 2021) initialized in cryptsetup library version 2.3.7.
Detected kernel Linux 4.18.0-521.el8.ppc64le ppc64le.
...
Failed to find TPM PCR public key file 'tpm2-pcr-public-key.pem': No such file or directory
Failed to read TPM2 PCR public key, proceeding without: No such file or directory
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
PolicyPCR calculated digest: 9a1f511fb94f030eb21d0332ef2739727bf0ead4ec26a204d15b09cdeb4b2555
Calculating sealed object.
Calculating encrypted seed for sealed object.
Calculating encrypted seed for ECC sealed object.
Calculating KDFe().
KDF-SS requires openssl >= 3.
Could not calculate KDFe: Operation not supported
Could not calculate encrypted seed: Operation not supported
Failed to seal to TPM2: Operation not supported

test/units/testsuite-70.cryptsetup.sh
test/units/util.sh

index 3501e8eeb3df5fd91c463757e9807d8895abb80e..4cd627fe1a91f50582a6898036b2f3c19cbba0b4 100755 (executable)
@@ -141,9 +141,12 @@ if tpm_has_pcr sha256 12; then
         cmp /tmp/srk.pub /run/systemd/tpm2-srk-public-key.tpm2b_public
     fi
 
-    PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE"
-    systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
-    systemd-cryptsetup detach test-volume
+    # --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS
+    if openssl_supports_kdf SSKDF; then
+        PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE"
+        systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
+        systemd-cryptsetup detach test-volume
+    fi
 
     rm -f /tmp/pcr.dat /tmp/srk.pub
 fi
@@ -195,26 +198,29 @@ PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handl
 systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
 systemd-cryptsetup detach test-volume
 
-# Make sure that --tpm2-device-key= also works with systemd-repart
-tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
-mkdir /tmp/dditest
-cat > /tmp/dditest/50-root.conf <<EOF
+# --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS
+if openssl_supports_kdf SSKDF; then
+    # Make sure that --tpm2-device-key= also works with systemd-repart
+    tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
+    mkdir /tmp/dditest
+    cat > /tmp/dditest/50-root.conf <<EOF
 [Partition]
 Type=root
 Format=ext4
 CopyFiles=/tmp/dditest:/
 Encrypt=tpm2
 EOF
-PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs=
-DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)"
-systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes
-mkdir /tmp/dditest.mnt
-mount -t ext4 /dev/mapper/dditest /tmp/dditest.mnt
-cmp /tmp/dditest.mnt/50-root.conf /tmp/dditest/50-root.conf
-umount /tmp/dditest.mnt
-rmdir /tmp/dditest.mnt
-rm /tmp/dditest.raw
-rm /tmp/dditest/50-root.conf
-rmdir /tmp/dditest
+    PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs=
+    DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)"
+    systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes
+    mkdir /tmp/dditest.mnt
+    mount -t ext4 /dev/mapper/dditest /tmp/dditest.mnt
+    cmp /tmp/dditest.mnt/50-root.conf /tmp/dditest/50-root.conf
+    umount /tmp/dditest.mnt
+    rmdir /tmp/dditest.mnt
+    rm /tmp/dditest.raw
+    rm /tmp/dditest/50-root.conf
+    rmdir /tmp/dditest
+fi
 
 rm -f "$IMAGE" "$PRIMARY"
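Review bot: When openssl_supports_kdf fails, the guarded blocks at lines 48-52 and 65-98 are skipped silently, so a run on an older OpenSSL leaves no trace that the --tpm2-device-key= coverage never executed. An `else` arm that records the skip would keep that visible in the test log, e.g. `else` / `echo "OpenSSL lacks SSKDF support, skipping --tpm2-device-key= tests" >&2`. The same applies to both hunks in this file; the `if tpm_has_pcr sha256 12` block enclosing the first hunk begins outside it, in the hunk header.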
index e47d32c2b3b2a855464971acf8f733d5283fa6d3..fdfb91f8c6d181098b54c0793a02ba521ab727a3 100755 (executable)
@@ -189,3 +189,11 @@ tpm_has_pcr() {
 
     [[ -f "/sys/class/tpm/tpm0/pcr-$algorithm/$pcr" ]]
 }
+
+openssl_supports_kdf() {
+    local kdf="${1:?}"
+
+    # The arguments will need to be adjusted to make this work for other KDFs than SSKDF,
+    # but let's do that when/if the need arises
+    openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf"
+}
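Review bot: openssl_supports_kdf is only a capability probe, but line 112 passes openssl's stderr through, so on an OpenSSL without the `kdf` subcommand its error text (presumably the "invalid command" message plus a command listing) lands in the test log every time the probe runs. Redirecting it, `openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf" 2>/dev/null`, keeps the probe quiet; if that output is wanted for debugging, a short comment saying so would be the alternative. The function also has no header comment stating its contract; something like `# Returns 0 if the installed openssl can run the given KDF via 'openssl kdf' (OpenSSL >= 3), non-zero otherwise` would do, and the comment on lines 110-111 could add that `key:foo` is a throwaway secret used only for the probe.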