cryptsetup: test unlocking using a TPM2 LUKS2 token plugin with a PIN 23511/head
authorJonas Witschel <diabonas@archlinux.org>
Wed, 25 May 2022 12:06:44 +0000 (14:06 +0200)
committerJonas Witschel <diabonas@archlinux.org>
Fri, 5 Aug 2022 10:22:27 +0000 (12:22 +0200)
Test the functionality implemented in the previous commit ("cryptsetup: ask for
PIN when trying to activate using a LUKS2 token plugin"): when "tpm2-device" is
not specified, systemd-cryptsetup calls crypt_activate_by_token_pin() to try to
unlock using a LUKS2 token plugin. Test whether this code path is able to obtain
the provided PIN.

test/units/testsuite-70.sh

index 877359f4b0960d337d7b6a613632c41ba16afd72..6ebb1c72c959df391e9a7a5da50773b04f36b8cf 100755 (executable)
@@ -29,6 +29,17 @@ env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm
 # Check failure with wrong PIN
 env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
 
+# Check LUKS2 token plugin unlock (i.e. without specifying tpm2-device=auto)
+if cryptsetup --help | grep -q 'LUKS2 external token plugin support is compiled-in'; then
+    env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - headless=1
+    /usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+    # Check failure with wrong PIN
+    env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - headless=1 && { echo 'unexpected success'; exit 1; }
+else
+    echo 'cryptsetup has no LUKS2 token plugin support, skipping'
+fi
+
 # Check failure with wrong PCR (and correct PIN)
 tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
 env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
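Review bot: The feature probe on the added `if cryptsetup --help | grep -q …` line can silently send the test into the skip branch: `grep -q` exits on the first match, and if the script runs with `pipefail` (its shell options are set outside this hunk), a SIGPIPE delivered to `cryptsetup --help` makes the pipeline non-zero even though the string was found. Because the else branch only echoes a message and continues, the PIN-protected token-plugin unlock would then go untested while the run still passes. Dropping `-q` avoids the early exit: `if cryptsetup --help | grep 'LUKS2 external token plugin support is compiled-in' >/dev/null; then`. Separately, the wrong-PIN check accepts any non-zero exit from attach, so it depends on the preceding successful attach to show that the failure is really a rejected PIN and not a non-functional plugin.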