From: Gary Lin via Grub-devel <grub-devel@gnu.org>
To: The development of GNU GRUB <grub-devel@gnu.org>
Cc: Gary Lin <glin@suse.com>, Daniel Kiper <daniel.kiper@oracle.com>,
mchang@suse.com, patrick.colp@oracle.com,
Stefan Berger <stefanb@linux.ibm.com>,
Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Subject: [PATCH v4 7/7] tests/tpm2_key_protector_test: Add a test for PCR Capping
Date: Fri, 3 Oct 2025 11:22:08 +0800
Message-ID: <20251003032208.16672-8-glin@suse.com>
In-Reply-To: <20251003032208.16672-1-glin@suse.com>
A test is introduced to cap PCR 1 and track the PCR 1 value before and
after key unsealing.
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
tests/tpm2_key_protector_test.in | 65 ++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/tests/tpm2_key_protector_test.in b/tests/tpm2_key_protector_test.in
index 1d80d5d26..5dd86d6ee 100644
--- a/tests/tpm2_key_protector_test.in
+++ b/tests/tpm2_key_protector_test.in
@@ -304,6 +304,58 @@ EOF
fi
}
+tpm2_seal_unseal_cap() {
+ pcr_bank="sha256"
+
+ original_pcr1="$(tpm2_pcrread ${pcr_bank}:1) | tail -1 | cut -d' ' -f7"
+
+ grub_cfg=${tpm2testdir}/testcase.cfg
+
+ # Seal the password with grub-protect
+ grub-protect \
+ --tpm2-device="${tpm2dev}" \
+ --action=add \
+ --protector=tpm2 \
+ --tpm2key \
+ --tpm2-bank="${pcr_bank}" \
+ --tpm2-pcrs=0,1 \
+ --tpm2-keyfile="${lukskeyfile}" \
+ --tpm2-outfile="${sealedkey}" || ret=$?
+ if [ "${ret}" -ne 0 ]; then
+ echo "Failed to seal the secret key: ${ret}" >&2
+ return 99
+ fi
+
+ # Write the TPM unsealing script and cap PCR 1
+ cat > "${grub_cfg}" <<EOF
+loopback luks (host)${luksfile}
+tpm2_key_protector_init -T (host)${sealedkey} -c 1
+if cryptomount -a --protector tpm2; then
+ cat (crypto0)+1
+fi
+EOF
+
+ # Test TPM unsealing with the same PCR
+ ${grubshell} --timeout=${timeout} --emu-opts="-t ${tpm2dev}" < "${grub_cfg}" > "${testoutput}" || ret=$?
+
+ if [ "${ret}" -eq 0 ]; then
+ if ! grep -q "^${vtext}$" "${testoutput}"; then
+ echo "error: test not verified [`cat ${testoutput}`]" >&2
+ return 1
+ fi
+ else
+ echo "grub-emu exited with error: ${ret}" >&2
+ return 99
+ fi
+
+ capped_pcr1="$(tpm2_pcrread ${pcr_bank}:1) | tail -1 | cut -d' ' -f7"
+
+ if [ "${original_pcr1}" = "${capped_pcr1}" ]; then
+ echo "error: PCR 1 not capped" >&2
+ return 1
+ fi
+}
+
# Testcases for SRK mode
declare -a srktests=()
srktests+=("default transient no_fallback_srk sha256")
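Review bot: the command substitution in `original_pcr1="$(tpm2_pcrread ${pcr_bank}:1) | tail -1 | cut -d' ' -f7"` (and the identical `capped_pcr1` assignment later in the hunk) closes right after `tpm2_pcrread`, so `| tail -1 | cut -d' ' -f7` is never executed; it is appended as literal text to the full `tpm2_pcrread` output. The final comparison still detects the cap, because the whole output changes once PCR 1 is extended, but the variables do not hold the PCR 1 digest the names promise. Move the closing parenthesis to the end of the pipeline: `original_pcr1="$(tpm2_pcrread ${pcr_bank}:1 | tail -1 | cut -d' ' -f7)"`, and the same for `capped_pcr1`. Also, `ret` is never initialised inside the function, so `grub-protect ... || ret=$?` followed by `if [ "${ret}" -ne 0 ]` tests whatever value the caller left in `ret` when `grub-protect` succeeds; a `ret=0` at the top of `tpm2_seal_unseal_cap` makes both the sealing check and the later `grub-emu exited with error` check self-contained.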
@@ -357,4 +409,17 @@ for i in "${!nvtests[@]}"; do
fi
done
+# Testcase for PCR Capping
+tpm2_seal_unseal_cap || ret=$?
+if [ "${ret}" -eq 0 ]; then
+ echo "TPM2 [PCR Capping]: PASS"
+elif [ "${ret}" -eq 1 ]; then
+ echo "TPM2 [PCR Capping]: FAIL"
+ ret=0
+ exit_status=1
+else
+ echo "Unexpected failure [PCR Capping]" >&2
+ exit ${ret}
+fi
+
exit ${exit_status}
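Review bot: `tpm2_seal_unseal_cap || ret=$?` only assigns `ret` on failure, so when the function returns 0 the following `if [ "${ret}" -eq 0 ]` is evaluated against whatever the preceding `nvtests` loop left in `ret` rather than this test's result; add `ret=0` immediately before the call so the PASS/FAIL decision depends only on the PCR capping test. The PASS/FAIL/unexpected-failure structure otherwise matches the existing SRK and NV test loops, which keeps the output format consistent.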
--
2.51.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
Thread overview:
2025-10-03 3:22 [PATCH v4 0/7] TPM2 PCR Capping Gary Lin via Grub-devel
2025-10-03 3:22 ` [PATCH v4 1/7] tss2: Add TPM2_PCR_Event command Gary Lin via Grub-devel
2025-10-03 3:22 ` [PATCH v4 2/7] tss2: Introduce grub_tcg2_cap_pcr() Gary Lin via Grub-devel
2025-10-03 3:22 ` [PATCH v4 3/7] tss2: Implement grub_tcg2_cap_pcr() for EFI Gary Lin via Grub-devel
2025-10-03 3:22 ` [PATCH v4 4/7] tss2: Implement grub_tcg2_cap_pcr() for ieee1275 Gary Lin via Grub-devel
2025-10-03 3:22 ` [PATCH v4 5/7] tss2: Implement grub_tcg2_cap_pcr() for EMU Gary Lin via Grub-devel
2025-10-03 3:22 ` [PATCH v4 6/7] tpm2_key_protector: Support PCR capping Gary Lin via Grub-devel
2025-10-03 3:22 ` Gary Lin via Grub-devel [this message]