From 4820d57eeec98385c25a47e427826f466590360a Mon Sep 17 00:00:00 2001
From: Vitaly Kuznetsov
Date: Thu, 30 Apr 2026 16:44:45 +0200
Subject: [PATCH] TEST-70-TPM2: Test the key_file + tpm2-device= combo
When key_file is passed along with tpm2-device= to systemd-cryptsetup, the logic is to try the blob as a TPM blob first, and then fall back to trying the file as a regular key file. Check that this fallback works.
---
 test/units/TEST-70-TPM2.cryptsetup.sh | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/test/units/TEST-70-TPM2.cryptsetup.sh b/test/units/TEST-70-TPM2.cryptsetup.sh
index 5a7f0facfcc..a40f7396892 100755
--- a/test/units/TEST-70-TPM2.cryptsetup.sh
+++ b/test/units/TEST-70-TPM2.cryptsetup.sh
@@ -57,8 +57,9 @@ IMAGE="$(mktemp /tmp/systemd-cryptsetup-XXX.IMAGE)"
 
 truncate -s 20M "$IMAGE"
 echo -n passphrase >/tmp/passphrase
+echo -n wrong_passphrase >/tmp/wrong_passphrase
 # Change file mode to avoid "/tmp/passphrase has 0644 mode that is too permissive" messages
-chmod 0600 /tmp/passphrase
+chmod 0600 /tmp/passphrase /tmp/wrong_passphrase
 cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/passphrase
 
 # Unlocking via keyfile
@@ -237,4 +238,11 @@ EOF
     rmdir /tmp/dditest
 fi
 
-rm -f "$IMAGE" "$PRIMARY"
+# Key file can contain a TPM blob but in case it doesn't fallback should also work.
+systemd-cryptsetup attach test-volume "$IMAGE" /tmp/passphrase tpm2-device=auto,headless=1
+systemd-cryptsetup detach test-volume
+
+# Negative test: invalid passphrase should not work.
+(! systemd-cryptsetup attach test-volume "$IMAGE" /tmp/wrong_passphrase tpm2-device=auto,headless=1)
+
+rm -f "$IMAGE" "$PRIMARY" /tmp/passphrase /tmp/wrong_passphrase
-- 
2.47.3
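Review bot: The negative check `(! systemd-cryptsetup attach test-volume "$IMAGE" /tmp/wrong_passphrase tpm2-device=auto,headless=1)` is what actually proves the positive attach above depended on the key file's contents rather than on some other unlock path (for instance a TPM2 token enrolled earlier in the script, if there is one), but neither comment says so and the first one is hard to parse. I would reword them as `# With a key file and tpm2-device= both given, the file is first tried as a TPM2 blob and then as a plain key file; /tmp/passphrase is no blob, so this exercises the fallback.` and `# Negative test: the fallback must reject a wrong key file, which also shows the unlock above was satisfied by the file and not by anything else.` One further caveat: if that negative attach ever unexpectedly succeeds, test-volume stays mapped and, assuming the script runs under `set -e` (not visible in this hunk), the trailing `rm -f` cleanup never runs, leaving a stale mapping over a dangling image for later tests; a guard such as `if systemd-cryptsetup attach test-volume "$IMAGE" /tmp/wrong_passphrase tpm2-device=auto,headless=1; then systemd-cryptsetup detach test-volume; false; fi` fails the test while still releasing the device.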