From 2a5e74113b7e5ab66dc23b5f356904cfcf67ba80 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 30 Aug 2024 08:02:39 -0700
Subject: [PATCH 1/2] Fix and test for no filesystem.

---
 .github/workflows/make-test-swtpm.yml  | 14 ++++++++++++++
 examples/attestation/make_credential.c |  2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml
index b1125e71..75e68090 100644
--- a/.github/workflows/make-test-swtpm.yml
+++ b/.github/workflows/make-test-swtpm.yml
@@ -188,6 +188,20 @@ jobs:
         make check
         WOLFSSL_PATH=./wolfssl WOLFCRYPT_DEFAULT=1 ./examples/run_examples.sh
 
+# test with no filesystem / threading
+    - name: wolfssl no filesystem
+      working-directory: ./wolfssl
+      run: |
+        ./configure --enable-wolftpm --disable-filesystem --enable-singlethreaded
+        make
+        sudo make install
+    - name: wolftpm no filesystem
+      run: |
+        ./configure --enable-swtpm
+        make
+        make check
+        WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh
+
 # capture logs on failure
     - name: Upload failure logs
       if: failure()
diff --git a/examples/attestation/make_credential.c b/examples/attestation/make_credential.c
index 1b4ea64a..bf534e20 100644
--- a/examples/attestation/make_credential.c
+++ b/examples/attestation/make_credential.c
@@ -134,9 +134,9 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
     }
     printf("Public key for encryption loaded\n");
     handle.hndl = loadExtOut.objectHandle;
+    XMEMSET(&name, 0, sizeof(name));
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     /* Load AK Name digest */
-    XMEMSET(&name, 0, sizeof(name));
     fp = XFOPEN("ak.name", "rb");
     if (fp != XBADFILE) {
         size_t nameReadSz = XFREAD((BYTE*)&name, 1, sizeof(name), fp);
From 1603cfdaaf9a7e4b93458dc0bdf9e66140740e65 Mon Sep 17 00:00:00 2001
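Review bot: When NO_FILESYSTEM or NO_WRITE_TEMP_FILES is defined, `name` is now zeroed but nothing in this path fills it, so the code after the `#if` block (outside this hunk) continues with an empty AK name; if that empty name is what gets passed to the credential-creation step, the credential is not bound to any specific attestation key and the example silently demonstrates less than it claims. An `#else` branch that says so keeps the non-filesystem build honest, e.g. `#else` / `    /* no ak.name on disk: name stays empty, credential is unbound */` / `#endif`, or better an explicit failure with a printed reason. The body of TPM2_MakeCredential_Example continues outside the hunk, so whether a later check already rejects a zero-length name cannot be confirmed from here.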
From: David Garske
Date: Fri, 30 Aug 2024 09:24:35 -0700
Subject: [PATCH 2/2] More fixes for no filesystem.

---
 .github/workflows/make-test-swtpm.yml |   2 +-
 examples/pkcs7/pkcs7.c                |   2 +
 examples/run_examples.sh              | 133 ++++++++++++++------------
 examples/tpm_test_keys.c              |   1 +
 4 files changed, 74 insertions(+), 64 deletions(-)

diff --git a/.github/workflows/make-test-swtpm.yml b/.github/workflows/make-test-swtpm.yml
index 75e68090..c2679be2 100644
--- a/.github/workflows/make-test-swtpm.yml
+++ b/.github/workflows/make-test-swtpm.yml
@@ -200,7 +200,7 @@ jobs:
         ./configure --enable-swtpm
         make
         make check
-        WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh
+        WOLFSSL_PATH=./wolfssl NO_FILESYSTEM=1 ./examples/run_examples.sh
 
 # capture logs on failure
     - name: Upload failure logs
diff --git a/examples/pkcs7/pkcs7.c b/examples/pkcs7/pkcs7.c
index 8dff06d8..9adfb62b 100644
--- a/examples/pkcs7/pkcs7.c
+++ b/examples/pkcs7/pkcs7.c
@@ -290,6 +290,8 @@ static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId,
             rc = -1;
             goto exit;
         }
     }
+#else
+    (void)outFile;
 #endif
     /* Test verify with TPM */
diff --git a/examples/run_examples.sh b/examples/run_examples.sh
index 13725981..93524699 100755
--- a/examples/run_examples.sh
+++ b/examples/run_examples.sh
@@ -10,6 +10,9 @@ fi
 if [ -z "$WOLFCRYPT_ENABLE" ]; then
     WOLFCRYPT_ENABLE=1
 fi
+if [ -z "$NO_FILESYSTEM" ]; then
+    NO_FILESYSTEM=0
+fi
 if [ -z "$WOLFCRYPT_DEFAULT" ]; then
     WOLFCRYPT_DEFAULT=0
 fi
@@ -250,52 +253,54 @@ fi
 
 # NV Tests
 echo -e "NV Tests"
-if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
-    ./examples/nvram/store -xor >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "nv store param enc xorfailed! $RESULT" && exit 1
-    ./examples/nvram/read -xor >> run.out 2>&1
-    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "nv read param enc xor failed! $RESULT" && exit 1
-
-    if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
-        ./examples/nvram/store -aes >> run.out 2>&1
+if [ $NO_FILESYSTEM -eq 0 ]; then
+    if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+        ./examples/nvram/store -xor >> run.out 2>&1
         RESULT=$?
-        [ $RESULT -ne 0 ] && echo -e "nv store param enc aes failed! $RESULT" && exit 1
-        ./examples/nvram/read -aes >> run.out 2>&1
+        [ $RESULT -ne 0 ] && echo -e "nv store param enc xorfailed! $RESULT" && exit 1
+        ./examples/nvram/read -xor >> run.out 2>&1
         RESULT=$?
-        [ $RESULT -ne 0 ] && echo -e "nv read param enc aes failed! $RESULT" && exit 1
+        [ $RESULT -ne 0 ] && echo -e "nv read param enc xor failed! $RESULT" && exit 1
+
+        if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
+            ./examples/nvram/store -aes >> run.out 2>&1
+            RESULT=$?
+            [ $RESULT -ne 0 ] && echo -e "nv store param enc aes failed! $RESULT" && exit 1
+            ./examples/nvram/read -aes >> run.out 2>&1
+            RESULT=$?
+            [ $RESULT -ne 0 ] && echo -e "nv read param enc aes failed! $RESULT" && exit 1
+        fi
     fi
-fi
-./examples/nvram/store -priv >> run.out 2>&1
-RESULT=$?
-[ $RESULT -ne 0 ] && echo -e "nv store priv only failed! $RESULT" && exit 1
-./examples/nvram/read -priv >> run.out 2>&1
-RESULT=$?
-[ $RESULT -ne 0 ] && echo -e "nv read priv only failed! $RESULT" && exit 1
-if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
-    ./examples/nvram/store -priv -xor >> run.out 2>&1
+    ./examples/nvram/store -priv >> run.out 2>&1
     RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc xor failed! $RESULT" && exit 1
-    ./examples/nvram/read -priv -xor >> run.out 2>&1
+    [ $RESULT -ne 0 ] && echo -e "nv store priv only failed! $RESULT" && exit 1
+    ./examples/nvram/read -priv >> run.out 2>&1
     RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc xor failed! $RESULT" && exit 1
-
-    if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
-        ./examples/nvram/store -priv -aes >> run.out 2>&1
+    [ $RESULT -ne 0 ] && echo -e "nv read priv only failed! $RESULT" && exit 1
+    if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+        ./examples/nvram/store -priv -xor >> run.out 2>&1
         RESULT=$?
-        [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc aes failed! $RESULT" && exit 1
-        ./examples/nvram/read -priv -aes >> run.out 2>&1
+        [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc xor failed! $RESULT" && exit 1
+        ./examples/nvram/read -priv -xor >> run.out 2>&1
         RESULT=$?
-        [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc aes failed! $RESULT" && exit 1
+        [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc xor failed! $RESULT" && exit 1
+
+        if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
+            ./examples/nvram/store -priv -aes >> run.out 2>&1
+            RESULT=$?
+            [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc aes failed! $RESULT" && exit 1
+            ./examples/nvram/read -priv -aes >> run.out 2>&1
+            RESULT=$?
+            [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc aes failed! $RESULT" && exit 1
+        fi
     fi
+    ./examples/nvram/store -pub >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "nv store pub only failed! $RESULT" && exit 1
+    ./examples/nvram/read -pub >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "nv read pub only failed! $RESULT" && exit 1
 fi
-./examples/nvram/store -pub >> run.out 2>&1
-RESULT=$?
-[ $RESULT -ne 0 ] && echo -e "nv store pub only failed! $RESULT" && exit 1
-./examples/nvram/read -pub >> run.out 2>&1
-RESULT=$?
-[ $RESULT -ne 0 ] && echo -e "nv read pub only failed! $RESULT" && exit 1
 
 ./examples/nvram/policy_nv >> run.out 2>&1
 RESULT=$?
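Review bot: Each new `[ $NO_FILESYSTEM -eq 0 ]` guard skips an entire test group silently, so the no-filesystem CI job can report success while exercising far fewer examples than its log suggests; the same pattern is introduced in the csr, pkcs7, TLS, keygen, secure_rot and seal/unseal hunks that follow. Recording the skip keeps the run log honest and makes a misconfigured NO_FILESYSTEM visible, e.g. `else` / `    echo -e "NV Tests skipped (NO_FILESYSTEM=1)"` / `fi`. Separately, the unquoted `$NO_FILESYSTEM` matches the file's existing style, but the defaults hunk above only covers the unset case, so a non-numeric value makes `[` error out rather than fail with a clear message.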
@@ -313,7 +318,7 @@ RESULT=$?
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "keygen ecc test for csr failed! $RESULT" && exit 1
 
-if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ]; then
     ./examples/csr/csr -cert >> run.out 2>&1
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "cert self-signed failed! $RESULT" && exit 1
@@ -332,7 +337,7 @@ fi
 
 # PKCS7 Tests
 echo -e "PKCS7 tests"
-if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ]; then
     ./examples/pkcs7/pkcs7 >> run.out 2>&1
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1
@@ -387,7 +392,7 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs] [tlsversi
     popd >> run.out 2>&1
 }
 
-if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ]; then
     if [ $WOLFCRYPT_RSA -eq 1 ]; then
         # TLS client/server RSA TLS v1.2 and v1.2 Crypto callbacks
         run_tpm_tls_client "rsa" "" "3"
@@ -464,7 +469,7 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     [ $RESULT -ne 0 ] && echo -e "signed_timestamp ecc param enc failed! $RESULT" && exit 1
 fi
 
-if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $NO_FILESYSTEM -eq 0 ]; then
     ./examples/keygen/keygen keyblob.bin -rsa >> run.out 2>&1
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "keygen rsa failed! $RESULT" && exit 1
@@ -550,7 +555,7 @@ fi
 
 # Secure Boot ROT
 echo -e "Secure Boot ROT (Root of Trust) test"
-if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ]; then
     ./examples/boot/secure_rot -nvindex=0x1400200 -authstr=test -write=./certs/example-ecc256-key-pub.der >> run.out 2>&1
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "secure rot write ecc256! $RESULT" && exit 1
@@ -586,37 +591,39 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
 fi
 
 # Seal/Unseal (PCR Policy)
-echo -e "Seal/Unseal (PCR policy)"
-./examples/seal/seal sealedkeyblob.bin mySecretMessage >> run.out 2>&1
-RESULT=$?
-[ $RESULT -ne 0 ] && echo -e "seal failed! $RESULT" && exit 1
-./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out 2>&1
-RESULT=$?
-[ $RESULT -ne 0 ] && echo -e "unseal failed! $RESULT" && exit 1
-rm -f sealedkeyblob.bin
-
-if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_RSA -eq 1 ]; then
-    ./examples/seal/seal sealedkeyblob.bin mySecretMessage -xor >> run.out 2>&1
+if [ $NO_FILESYSTEM -eq 0 ]; then
+    echo -e "Seal/Unseal (PCR policy)"
+    ./examples/seal/seal sealedkeyblob.bin mySecretMessage >> run.out 2>&1
     RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "seal xor failed! $RESULT" && exit 1
-    ./examples/seal/unseal message.raw sealedkeyblob.bin -xor >> run.out 2>&1
+    [ $RESULT -ne 0 ] && echo -e "seal failed! $RESULT" && exit 1
+    ./examples/seal/unseal message.raw sealedkeyblob.bin >> run.out 2>&1
     RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "unseal xor failed! $RESULT" && exit 1
+    [ $RESULT -ne 0 ] && echo -e "unseal failed! $RESULT" && exit 1
+    rm -f sealedkeyblob.bin
 
-    if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
-        ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1
+    if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_RSA -eq 1 ]; then
+        ./examples/seal/seal sealedkeyblob.bin mySecretMessage -xor >> run.out 2>&1
         RESULT=$?
-        [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1
-        ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1
+        [ $RESULT -ne 0 ] && echo -e "seal xor failed! $RESULT" && exit 1
+        ./examples/seal/unseal message.raw sealedkeyblob.bin -xor >> run.out 2>&1
         RESULT=$?
-        [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1
+        [ $RESULT -ne 0 ] && echo -e "unseal xor failed! $RESULT" && exit 1
+
+        if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
+            ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1
+            RESULT=$?
+            [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1
+            ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1
+            RESULT=$?
+            [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1
+        fi
+        rm -f sealedkeyblob.bin
     fi
-    rm -f sealedkeyblob.bin
 fi
 
 # Seal/Unseal (Policy auth)
 echo -e "Seal/Unseal (Policy auth)"
-if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ] && [ $NO_FILESYSTEM -eq 0 ]; then
     # Extend "aaa" to test PCR 16
     echo aaa > aaa.bin
     ./examples/pcr/reset 16 >> run.out 2>&1
diff --git a/examples/tpm_test_keys.c b/examples/tpm_test_keys.c
index db6c633b..df044b83 100644
--- a/examples/tpm_test_keys.c
+++ b/examples/tpm_test_keys.c
@@ -244,6 +244,7 @@ int readKeyBlob(const char* filename, WOLFTPM2_KEYBLOB* key)
 #else
     (void)filename;
     (void)key;
+    rc = NOT_COMPILED_IN;
 #endif /* !NO_FILESYSTEM && !NO_WRITE_TEMP_FILES */
     return rc;
 }
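Review bot: Returning `NOT_COMPILED_IN` from the `#else` stub of readKeyBlob is the right contract, since before this line the untouched `rc` could let a caller treat a never-populated `key` as loaded, but nothing at the definition says so. A comment above the new line makes the intent survive the next refactor, e.g. `/* no file I/O in this build: fail explicitly so callers never use the untouched key blob */`. Callers that distinguish "no blob on disk yet" from a hard failure by checking `rc != 0` (not visible here) will now take the failure path in no-filesystem builds, which is worth confirming, and if the matching write helper in this file has the same `#else` stub it should return the same code. readKeyBlob begins outside the hunk.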