From: Luca Boccassi
Date: Sun, 3 May 2026 15:23:41 +0000 (+0100)
Subject: test: make TEST-70-TPM2 robust against reruns
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2fc008b9e437065c5e33b98cc7410dc91f555564;p=thirdparty%2Fsystemd.git
test: make TEST-70-TPM2 robust against reruns
The test leaves a lot of state around, and when the test is re-run, for example due to the qemu bug that makes a VM reboot instead of shutting down, it fails. Do more cleanups in the traps.
[ 162.642175] TEST-70-TPM2.sh[2815]: Calculated public key name: 000b2b66edc3a466e81059286aaf38d09ea42a7a9dcdf6ba3b664c62f0cae4ce4f66
[ 162.642628] TEST-70-TPM2.sh[2815]: PolicyAuthorize calculated digest: 2caa740101f65734d50395d6abc64fa46015d40d1f5de239434578544e592a92
[ 162.643681] TEST-70-TPM2.sh[2815]: Calculated NV index name: 000b439cfa1534815bbe8d33b80c56f5a8d17d36fe94a7782b23a37b50def5fc5eaa
[ 162.645111] TEST-70-TPM2.sh[2815]: PolicyAuthorizeNV calculated digest: 69ee0e89fafe6b9df2cd6a5defbf74aa46cf6d92703e645d463549da4ba5e1a4
[ 162.645407] TEST-70-TPM2.sh[2815]: Combined signed PCR policies and pcrlock policies cannot be calculated offline, currently.
[ 162.649576] TEST-70-TPM2.sh[2815]: Releasing crypt device /dev/loop0 context.
[ 162.652433] TEST-70-TPM2.sh[2815]: Releasing device-mapper backend.
[ 162.653518] TEST-70-TPM2.sh[2815]: Closing read only fd for /dev/loop0.
[ 162.654359] TEST-70-TPM2.sh[2815]: Closing read write fd for /dev/loop0.
[ 162.654786] TEST-70-TPM2.sh[2815]: Failed to encrypt device: Operation not supported
Fixes https://github.com/systemd/systemd/issues/38241
---
diff --git a/test/units/TEST-70-TPM2.creds.sh b/test/units/TEST-70-TPM2.creds.sh
index 15899d10578..53ff862e18c 100755
--- a/test/units/TEST-70-TPM2.creds.sh
+++ b/test/units/TEST-70-TPM2.creds.sh
@@ -5,6 +5,12 @@ set -o pipefail
 export SYSTEMD_LOG_LEVEL=debug
+at_exit() {
+ rm -f /tmp/testdata /tmp/testdata.encrypted
+}
+
+trap at_exit EXIT
+
 # Ensure that sandboxing doesn't stop creds from being accessible
 echo "test" >/tmp/testdata
 systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2
@@ -12,5 +18,3 @@ systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2
 systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
 # SetCredentialEncrypted
 systemd-run -p PrivateDevices=yes -p SetCredentialEncrypted=testdata.encrypted:"$(cat /tmp/testdata.encrypted)" --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
-
-rm -f /tmp/testdata
diff --git a/test/units/TEST-70-TPM2.cryptenroll.sh b/test/units/TEST-70-TPM2.cryptenroll.sh
index d09f7020936..07309429d74 100755
--- a/test/units/TEST-70-TPM2.cryptenroll.sh
+++ b/test/units/TEST-70-TPM2.cryptenroll.sh
@@ -11,6 +11,12 @@ cryptenroll_wipe_and_check() {(
 grep -qE "Wiped slot [[:digit:]]+" /tmp/cryptenroll.out
 )}
+at_exit() {
+ rm -f "${IMAGE:-}" /tmp/cryptenroll.out /tmp/password
+}
+
+trap at_exit EXIT
+
 # There is an external issue with libcryptsetup on ppc64 that hits 95% of Ubuntu ppc64 test runs, so skip it
 if [[ "$(uname -m)" == "ppc64le" ]]; then
 echo "Skipping systemd-cryptenroll tests on ppc64le, see https://github.com/systemd/systemd/issues/27716"
diff --git a/test/units/TEST-70-TPM2.cryptsetup.sh b/test/units/TEST-70-TPM2.cryptsetup.sh
index 24c87d0f249..5a7f0facfcc 100755
--- a/test/units/TEST-70-TPM2.cryptsetup.sh
+++ b/test/units/TEST-70-TPM2.cryptsetup.sh
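Review bot: The new `at_exit` in TEST-70-TPM2.creds.sh differs in shape from the handlers this same commit adds to the cryptsetup and measure scripts, which open with `set +e` so that one failing cleanup step cannot abort the rest of the handler; here the only step is `rm -f`, so nothing can fail today, but the moment a detach or unmount is added the `set -o pipefail`/`set -e` visible at the top of the file would cut the cleanup short. Aligning it now costs one line: `at_exit() { set +e; rm -f /tmp/testdata /tmp/testdata.encrypted; }`. A comment on the reason for removing both files would also help the next reader, for example `# Both the plaintext and the TPM2-encrypted credential live at fixed /tmp paths, so a rerun must start from a clean slate`.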
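Review bot: `rm -f "${IMAGE:-}" /tmp/cryptenroll.out /tmp/password` in the cryptenroll `at_exit` passes an empty first argument whenever the trap fires before IMAGE is assigned — the trap is installed ahead of the ppc64le early exit shown in the same hunk, and nothing in the hunk sets IMAGE — and so relies on `rm -f` silently ignoring `''`. The cryptsetup handler in this commit guards its optional state with `if [[ -n "${DEVICE:-}" ]]`; the same shape here removes the reliance: `if [[ -n "${IMAGE:-}" ]]; then rm -f "$IMAGE"; fi` followed by `rm -f /tmp/cryptenroll.out /tmp/password`. `/tmp/password` is presumably the cleartext test passphrase, so removing it on every exit path is the right call and deserves a one-line comment saying so.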
@@ -31,10 +31,23 @@ tpm_check_failure_with_wrong_pin() {
 }
 at_exit() {
+ set +e
+
+ umount /tmp/dditest.mnt
+ systemd-cryptsetup detach test-volume
+ systemd-cryptsetup detach dditest
+
 # Evict the TPM primary key that we persisted
 if [[ -n "${PERSISTENT_HANDLE:-}" ]]; then
 tpm2_evictcontrol -c "$PERSISTENT_HANDLE"
 fi
+
+ if [[ -n "${DEVICE:-}" ]]; then
+ systemd-dissect --detach "$DEVICE"
+ fi
+
+ rm -rf /tmp/dditest /tmp/dditest.mnt
+ rm -f /tmp/dditest.raw "${IMAGE:-}" "${PRIMARY:-}" /tmp/passphrase /tmp/pcr.dat /tmp/srk.pub /tmp/srk2.pub
 }
 trap at_exit EXIT
diff --git a/test/units/TEST-70-TPM2.measure.sh b/test/units/TEST-70-TPM2.measure.sh
index 30fa51e5213..90d6390da09 100755
--- a/test/units/TEST-70-TPM2.measure.sh
+++ b/test/units/TEST-70-TPM2.measure.sh
@@ -14,6 +14,31 @@ if [[ ! -x "${SD_MEASURE:?}" ]]; then
 exit 0
 fi
+at_exit() {
+ set +e
+
+ systemd-cryptsetup detach test-volume2
+ rm -f "${IMAGE:-}" \
+ /tmp/passphrase \
+ /tmp/pcrsign-private.pem \
+ /tmp/pcrsign-public.pem \
+ /tmp/pcrsign.sig \
+ /tmp/pcrsign.sig2 \
+ /tmp/pcrsign.sig3 \
+ /tmp/pcrsign.sig4 \
+ /tmp/pcrsign.sig5 \
+ /tmp/pcrsign.sig6 \
+ /tmp/pcrsign.sig7 \
+ /tmp/pcrtestdata \
+ /tmp/pcrtestdata.encrypted \
+ /tmp/result \
+ /tmp/result.json \
+ /tmp/tpmdata1 \
+ /tmp/tpmdata2
+}
+
+trap at_exit EXIT
+
 IMAGE="$(mktemp /tmp/systemd-measure-XXX.image)"
 echo HALLO >/tmp/tpmdata1
diff --git a/test/units/TEST-70-TPM2.nvpcr.sh b/test/units/TEST-70-TPM2.nvpcr.sh
index 29319e601ac..571b3eea770 100755
--- a/test/units/TEST-70-TPM2.nvpcr.sh
+++ b/test/units/TEST-70-TPM2.nvpcr.sh
@@ -21,7 +21,7 @@ at_exit() {
 fi
 rm -rf /run/nvpcr /tmp/nvpcr
- rm -f /var/tmp/nvpcr.raw /run/verity.d/test-79-nvpcr.crt
+ rm -f /var/tmp/nvpcr.raw /run/verity.d/test-70-nvpcr.crt /run/systemd/nvpcr/test.anchor
 }
 trap at_exit EXIT
diff --git a/test/units/TEST-70-TPM2.pcrextend.sh b/test/units/TEST-70-TPM2.pcrextend.sh
index 14808f07637..ec330576b25 100755
--- a/test/units/TEST-70-TPM2.pcrextend.sh
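Review bot: `rm -rf /tmp/dditest /tmp/dditest.mnt` in the cryptsetup `at_exit` still runs when the `umount /tmp/dditest.mnt` a few lines above it failed, because the handler now opens with `set +e`; on a busy or stuck mount that `rm -rf` recurses into the still-mounted filesystem and deletes its contents instead of an empty mount point. Use a removal that cannot descend into a mount — `rm -rf /tmp/dditest` and `rmdir /tmp/dditest.mnt` — or guard it with `if ! mountpoint -q /tmp/dditest.mnt; then rm -rf /tmp/dditest.mnt; fi`. The ordering of the rest looks deliberate (unmount, detach the dm volumes, `systemd-dissect --detach "$DEVICE"`, then delete the backing files, presumably including the loop image `/tmp/dditest.raw`), and a comment would keep a future edit from reshuffling it: `# Order matters: unmount, then detach dm volumes, then detach the loop device, only then delete the backing files`.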
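Review bot: The measure `at_exit` lists `/tmp/pcrsign.sig` through `/tmp/pcrsign.sig7` one by one, so the next signature the test writes (a `sig8`) silently escapes the trap and leaves exactly the kind of stale state this commit is fixing; a single pattern `rm -f "${IMAGE:-}" /tmp/pcrsign.sig* /tmp/pcrsign-private.pem /tmp/pcrsign-public.pem …` covers them (an unmatched glob is passed through literally and `rm -f` ignores it). `/tmp/pcrsign-private.pem` is presumably the private key used to sign the PCR policies, which makes its removal on every exit path security-relevant rather than tidy-up and worth a comment: `# Remove the PCR signing key pair and every signature so a rerun cannot reuse stale policy material`. The `rm -f` continuation lines are the whole of the new function, so nothing else is hidden outside the hunk.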
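Review bot: The corrected `rm -f … /run/verity.d/test-70-nvpcr.crt` implies the old spelling `test-79-nvpcr.crt` never matched the name the test actually installs under (the install line is outside the hunk), so until now the certificate stayed in `/run/verity.d` after the test finished. Presumably that certificate is what makes images signed with the test key trusted, so removing it is a trust-boundary cleanup rather than housekeeping; a comment on the line would make that explicit: `# Drop the test certificate from /run/verity.d so nothing signed with the test key stays trusted after this test`. The same applies to the newly added `/run/systemd/nvpcr/test.anchor`, whose role is not visible from the hunk.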
+++ b/test/units/TEST-70-TPM2.pcrextend.sh
@@ -19,6 +19,16 @@ at_exit() {
 # Dump the event log on fail, to make debugging a bit easier
 jq --seq --slurp