From 559a1d35d510e3ae637953b1ae9bfab4a124c2f8 Mon Sep 17 00:00:00 2001
From: Jonas Witschel
Date: Wed, 25 May 2022 14:06:44 +0200
Subject: [PATCH] cryptsetup: test unlocking using a TPM2 LUKS2 token plugin with a PIN

Test the functionality implemented in the previous commit ("cryptsetup: ask for PIN when trying to activate using a LUKS2 token plugin"): when "tpm2-device" is not specified, systemd-cryptsetup calls crypt_activate_by_token_pin() to try to unlock using a LUKS2 token plugin, test whether this is able to obtain the provided PIN.
---
 test/units/testsuite-70.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
index 877359f4b09..6ebb1c72c95 100755
--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -29,6 +29,17 @@ env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm
 # Check failure with wrong PIN
 env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
 
+# Check LUKS2 token plugin unlock (i.e. without specifying tpm2-device=auto)
+if cryptsetup --help | grep -q 'LUKS2 external token plugin support is compiled-in'; then
+ env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - headless=1
+ /usr/lib/systemd/systemd-cryptsetup detach test-volume
+
+ # Check failure with wrong PIN
+ env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - headless=1 && { echo 'unexpected success'; exit 1; }
+else
+ echo 'cryptsetup has no LUKS2 token plugin support, skipping'
+fi
+
 # Check failure with wrong PCR (and correct PIN)
 tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000
 env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; }
-- 
2.47.3
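Review bot: The gate `cryptsetup --help | grep -q 'LUKS2 external token plugin support is compiled-in'` keys on one exact line of help text, and its `else` branch only echoes a message, so a reworded help string or a cryptsetup built without plugin support makes the token-plugin PIN check disappear while the test still passes. If the script runs with `set -o pipefail` (its header is outside this hunk, so this is an assumption), `grep -q` may close the pipe before `cryptsetup --help` finishes writing and turn a match into a skip; `if cryptsetup --help | grep 'LUKS2 external token plugin support is compiled-in' >/dev/null; then` avoids that. The added wrong-PIN line treats any non-zero exit from `systemd-cryptsetup attach` as the expected rejection, so a failure for an unrelated reason would satisfy it as well. A comment such as `# NOTE: any attach failure passes this check, not only a PIN mismatch` would make that limit explicit for the next reader.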