# shellcheck source=test/test-functions
. "${TEST_BASE_DIR:?}/test-functions"
-test_require_bin swtpm tpm2_pcrextend
+test_require_bin swtpm tpm2_pcrextend tpm2_dictionarylockout
test_append_files() {
local workspace="${1:?}"
instmods tpm tpm_tis tpm_ibmvtpm
install_dmevent
generate_module_dependencies
+ inst_binary tpm2_dictionarylockout
inst_binary tpm2_pcrextend
inst_binary tpm2_pcrread
inst_binary openssl
[[ -f "/sys/class/tpm/tpm0/pcr-$algorithm/$pcr" ]]
}
+tpm_check_failure_with_wrong_pin() {
+ local testimg="${1:?}"
+ local badpin="${2:?}"
+ local goodpin="${3:?}"
+
+ # We need to be careful not to trigger DA lockout; allow 2 failures
+ tpm2_dictionarylockout -s -n 2
+ (! PIN=$badpin "$SD_CRYPTSETUP" attach test-volume "$testimg" - tpm2-device=auto,headless=1)
+ # Verify the correct PIN works, to be sure the failure wasn't a DA lockout
+ PIN=$goodpin "$SD_CRYPTSETUP" attach test-volume "$testimg" - tpm2-device=auto,headless=1
+ "$SD_CRYPTSETUP" detach test-volume
+ # Clear/reset the DA lockout counter
+ tpm2_dictionarylockout -c
+}
+
# Prepare a fresh disk image
img="/tmp/test.img"
truncate -s 20M "$img"
PIN=123456 "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1
"$SD_CRYPTSETUP" detach test-volume
-# Check failure with wrong PIN
-(! PIN=123457 "$SD_CRYPTSETUP" attach test-volume "$img" - tpm2-device=auto,headless=1)
+# Check failure with wrong PIN; try a few times to make sure we avoid DA lockout
+for _ in {0..3}; do
+ tpm_check_failure_with_wrong_pin "$img" 123457 123456
+done
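Review bot: In `tpm_check_failure_with_wrong_pin` the closing `tpm2_dictionarylockout -c` only runs if the good-PIN attach and the detach both succeed, so the one case the comment says it guards against (a DA lockout, or any other failure of the good-PIN path) leaves the failure counter uncleared and the lowered `-n 2` threshold in place for every later iteration and test; even on the success path the reduced max-tries value is never restored to what the TPM had before. If the script runs under `set -e` (not visible in this hunk) the function aborts before the clear. I would capture the status of the good-PIN attach/detach, clear the lockout unconditionally, and return that status, as below. It is also worth a comment on the `-s -n 2` line saying what is expected of the other DA parameters — if the tool substitutes its own defaults for the ones not passed rather than keeping the TPM's current values, the recovery behaviour this test relies on may differ from the pre-test state; confirm against the tpm2-tools version in the image.
```shell
tpm_check_failure_with_wrong_pin() {
    # … unchanged: argument handling, lockout setup, wrong-PIN attach …
    # Verify the correct PIN works, to be sure the failure wasn't a DA lockout.
    # Always clear the DA counter afterwards so a failure here cannot poison later tests.
    local rc=0
    PIN=$goodpin "$SD_CRYPTSETUP" attach test-volume "$testimg" - tpm2-device=auto,headless=1 || rc=$?
    "$SD_CRYPTSETUP" detach test-volume || rc=$?
    tpm2_dictionarylockout -c
    return "$rc"
}
```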
# Check LUKS2 token plugin unlock (i.e. without specifying tpm2-device=auto)
if cryptsetup_has_token_plugin_support; then
"$SD_CRYPTSETUP" detach test-volume
# Check failure with wrong PIN
- (! PIN=123457 "$SD_CRYPTSETUP" attach test-volume "$img" - headless=1)
+ for _ in {0..3}; do
+ tpm_check_failure_with_wrong_pin "$img" 123457 123456
+ done
else
echo 'cryptsetup has no LUKS2 token plugin support, skipping'
fi