tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

Make sure that all tests work on a real TPM hardware #335

Closed martinezjavier closed 6 years ago

martinezjavier commented 7 years ago

The tpm2.0-tools tests have been mostly used to avoid regressions by running them on the Travis continuous integration environment each time that a change is proposed.

The tests are run using the tpm2-abrmd TCTI and the ibmswtpm2 TPM2 simulator.

But it would be good to also make sure that the tests run correctly on real TPM hardware. Most of the tests already do but some were not working and were fixed (e.g: commit 99391407a44e) and some tests are still failing like test_algs_tpm2_quote.sh and test_tpm2_createpolicy.sh

$ ./test_all.sh
 ...
 Tests passed: 28 
 Tests Failed: 2

test_tpm2_createpolicy.sh fails because the expected digests that are used for comparison are hardcoded to the values expected by the TPM simulator:

declare -A expected_policy_digest=(["sha1"]="f28230c080bbe417141199e36d18978228d8948fc10a6a24921b9eba6bb1d988"
 ["sha256"]="33e36e786c878632494217c3f490e74ca0a3a122a8a4f3c5302500df3b32b3b8")

Similarly, test_tpm2_quote.sh fails because the passed qualifying data is hardcoded to a value expected by the TPM simulator:

nonce=12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde

williamcroberts commented 6 years ago

This looks fixed, with the exception of the errata, anyone with a physical tpm care to comment? @martinezjavier @jiazhang0 @webmeister

martinezjavier commented 6 years ago

@williamcroberts the only test that still fails on my test machine (Lenovo Thinkpad Carbon X1 4th gen with an Intel PTT firmware TPM2) is the one for the tpm2_pcrextend tool:

$ ./test_tpm2_pcrextend.sh 
ERROR: Could not extend pcr index: 0x8, due to error: 0x1D5
tpm2_pcrextend 8:sha1=$sha1hash,sha1=$sha1hash,sha1=$sha1hash on line 69 failed: 1
$ tpm2_rc_decode 0x1D5
error layer
  hex: 0x0
  identifier: TSS2_TPM_ERROR_LEVEL
  description: Error produced by the TPM
format 1 error code
  hex: 0x15
  identifier: TPM_RC_SIZE
  description: structure is the wrong size
parameter
  hex: 0x100
  identifier:  TPM_RC_1
  description:  (null)

I'll dig on that, but probably won't be able to do it before Friday.

With the errata fixups infrastructure from @jiazhang0, anyone who wants to make the tools pass on a given TPM2 chip can add support for the erratas in their firmware version.
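
The tpm2_rc_decode breakdown of 0x1D5 quoted in the comment above can be reproduced by hand from the response-code bit layout in part 2 of the TPM 2.0 library specification. The following is an added example, not code from the thread or from tpm2-tools; the struct, the function names and the short name table are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of a TPM 2.0 response code (TPM 2.0 library spec, part 2). */
struct tpm_rc {
    unsigned layer;    /* bits 23:16, TSS2 layer; 0 = the TPM itself */
    int format1;       /* bit 7: 1 = format-one code */
    unsigned error;    /* bits 5:0 (format one) or 6:0 (format zero) */
    char subject;      /* 'P' parameter, 'H' handle, 'S' session, '-' none */
    unsigned index;    /* 1-based number of that parameter/handle/session */
};

struct tpm_rc tpm_rc_decode(uint32_t rc)
{
    struct tpm_rc d = { (rc >> 16) & 0xff, (rc >> 7) & 1, 0, '-', 0 };
    if (!d.format1) {           /* format zero carries no subject */
        d.error = rc & 0x7f;
        return d;
    }
    unsigned n = (rc >> 8) & 0xf;
    d.error = rc & 0x3f;
    if (rc & 0x40) {            /* P bit: error is in a command parameter */
        d.subject = 'P'; d.index = n;
    } else if (n & 0x8) {       /* top bit of N set: error is in a session */
        d.subject = 'S'; d.index = n & 0x7;
    } else if (n) {             /* otherwise N names a handle */
        d.subject = 'H'; d.index = n;
    }
    return d;
}

/* Names for a few format-one error numbers; deliberately a subset. */
const char *tpm_rc_fmt1_name(unsigned error)
{
    switch (error) {
    case 0x03: return "TPM_RC_HASH";
    case 0x04: return "TPM_RC_VALUE";
    case 0x0b: return "TPM_RC_HANDLE";
    case 0x0e: return "TPM_RC_AUTH_FAIL";
    case 0x15: return "TPM_RC_SIZE";
    default:   return "(not in this table)";
    }
}

int main(void)
{
    struct tpm_rc d = tpm_rc_decode(0x1D5);   /* value from the failing test */
    printf("layer %#x, %s, %c%u\n", d.layer, tpm_rc_fmt1_name(d.error), d.subject, d.index);
    return 0;
}
```

For 0x1D5 this yields layer 0, TPM_RC_SIZE and parameter 1, matching the tool output in the comment.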

jiazhang0 commented 6 years ago

@williamcroberts With the errata fixup, all system and unit test cases pass on Nationz Z32H320TC.

HW spec:

TPM_PT_FAMILY_INDICATOR:
  as UINT32:                0x08322e3000
  as string:                "2.0"
TPM_PT_LEVEL:               0
TPM_PT_REVISION:            1.16
TPM_PT_DAY_OF_YEAR:         0x0000012f
TPM_PT_YEAR:                0x000007de
TPM_PT_MANUFACTURER:        0x4e545a00
TPM_PT_VENDOR_STRING_1:
  as UINT32:                0x4e545a00
  as string:                "NTZ"
TPM_PT_VENDOR_STRING_2:
  as UINT32:                0x00000000
  as string:                ""
TPM_PT_VENDOR_STRING_3:
  as UINT32:                0x00000000
  as string:                ""
TPM_PT_VENDOR_STRING_4:
  as UINT32:                0x00000000
  as string:                ""
TPM_PT_VENDOR_TPM_TYPE:     0x00000011
TPM_PT_FIRMWARE_VERSION_1:  0x00040001
TPM_PT_FIRMWARE_VERSION_2:  0x15041509
TPM_PT_INPUT_BUFFER:        0x00000667
TPM_PT_HR_TRANSIENT_MIN:    0x00000004
TPM_PT_HR_PERSISTENT_MIN:   0x00000007
TPM_PT_HR_LOADED_MIN:       0x00000004
TPM_PT_ACTIVE_SESSIONS_MAX: 0x00000040
TPM_PT_PCR_COUNT:           0x00000018
TPM_PT_PCR_SELECT_MIN:      0x00000003
TPM_PT_CONTEXT_GAP_MAX:     0x0000ffff
TPM_PT_NV_COUNTERS_MAX:     0x00000000
TPM_PT_NV_INDEX_MAX:        0x00000667
TPM_PT_MEMORY:              0x00000004
TPM_PT_CLOCK_UPDATE:        0x003e8000
TPM_PT_CONTEXT_HASH:        0x0000000b
TPM_PT_CONTEXT_SYM:         0x00000006
TPM_PT_CONTEXT_SYM_SIZE:    0x00000080
TPM_PT_ORDERLY_COUNT:       0x000000ff
TPM_PT_MAX_COMMAND_SIZE:    0x000008ac
TPM_PT_MAX_RESPONSE_SIZE:   0x000008ac
TPM_PT_MAX_DIGEST:          0x00000020
TPM_PT_MAX_OBJECT_CONTEXT:  0x000003a0
TPM_PT_MAX_SESSION_CONTEXT: 0x000000f4
TPM_PT_PS_FAMILY_INDICATOR: 0x00000002
TPM_PT_PS_LEVEL:            0x00000000
TPM_PT_PS_REVISION:         0x00000100
TPM_PT_PS_DAY_OF_YEAR:      0x00000000
TPM_PT_PS_YEAR:             0x00000000
TPM_PT_SPLIT_MAX:           0x00000080
TPM_PT_TOTAL_COMMANDS:      0x00000065
TPM_PT_LIBRARY_COMMANDS:    0x00000063
TPM_PT_VENDOR_COMMANDS:     0x00000002
TPM_PT_NV_BUFFER_MAX:       0x00000667

Unit test results :

PASS: test/unit/tpm2-rc-decode_unit
PASS: test/unit/tpm2-rc-entry_unit
PASS: test/unit/test_string_bytes
PASS: test/unit/test_files
PASS: test/unit/test_tpm2_header
PASS: test/unit/test_tpm2_nv_util
PASS: test/unit/test_tpm2_alg_util
PASS: test/unit/test_pcr
PASS: test/unit/test_tpm2_password_util
make[3]: Entering directory `/home/qianyue.zj/tss2/tpm2.0-tools'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/qianyue.zj/tss2/tpm2.0-tools'
============================================================================
Testsuite summary for tpm2-tools 2.0.0-617-g399f7d2
============================================================================
# TOTAL: 9
# PASS:  9
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================

System test results :

$./test.sh 
test_output_formats.sh ... PASSED
test_tpm2_activecredential.sh ... PASSED
test_tpm2_akparse.sh ... PASSED
test_tpm2_certify.sh ... PASSED
test_tpm2_createpolicy.sh ... PASSED
test_tpm2_createprimary.sh ... PASSED
test_tpm2_create.sh ... PASSED
test_tpm2_dictionarylockout.sh ... PASSED
test_tpm2_encryptdecrypt.sh ... PASSED
test_tpm2_evictcontrol.sh ... PASSED
test_tpm2_getcap.sh ... PASSED
\WARN: TLS communication with the said TPM manufacturer server setup with SSL_NO_VERIFY!
-WARN: TLS communication with the said TPM manufacturer server setup with SSL_NO_VERIFY!
/WARN: TLS communication with the said TPM manufacturer server setup with SSL_NO_VERIFY!
test_tpm2_getmanufec.sh ... PASSED
test_tpm2_getpubak.sh ... PASSED
test_tpm2_getpubek.sh ... PASSED
test_tpm2_getrandom.sh ... PASSED
test_tpm2_hash.sh ... PASSED
test_tpm2_hmac.sh ... PASSED
test_tpm2_import.sh ... PASSED
test_tpm2_loadexternal.sh ... PASSED
test_tpm2_load.sh ... PASSED
test_tpm2_makecredential.sh ... PASSED
test_tpm2_nv.sh ... PASSED
\Ignore checking sm3_256 algorithm due to unavailable "sm3_256sum" program
test_tpm2_pcrevent.sh ... PASSED
test_tpm2_pcrextend.sh ... PASSED
test_tpm2_pcrlist.sh ... PASSED
test_tpm2_quote.sh ... PASSED
test_tpm2_rc_decode.sh ... PASSED
test_tpm2_readpublic.sh ... PASSED
test_tpm2_rsadecrypt.sh ... PASSED
test_tpm2_rsaencrypt.sh ... PASSED
test_tpm2_send.sh ... PASSED
test_tpm2_sign.sh ... PASSED
test_tpm2_startup.sh ... PASSED
test_tpm2_takeownership.sh ... PASSED
test_tpm2_unseal.sh ... PASSED
test_tpm2_verifysignature.sh ... PASSED
Tests passed: 36
Tests Failed: 0

webmeister commented 6 years ago

@williamcroberts: It's great to see the progress. I'll rerun the tests once I return from the Open Source Summit in Prague (beginning of November).

There might still be an issue with test_tpm2_getmanufec.sh requiring an active internet connection, which is not available in our test environment. But that is not exactly a problem with hardware TPM support.

martinezjavier commented 6 years ago

@williamcroberts the only test that still fails on my test machine (Lenovo Thinkpad Carbon X1 4th gen with an Intel PTT firmware TPM2) is the one for the tpm2_pcrextend tool

@williamcroberts OK, I looked at this now and the problem is that AFAICT the tpm2_pcrextend integration test is wrong.

TPML_DIGEST_VALUES is used to pass a list of digest values and the idea is to be able to update a PCR for all supported banks on a single TPM call.

Since there's no check if the algorithm ID is different for each hash digest used, one could pass different digest values but for the same PCR bank to update the same PCR multiple times. But this isn't a preferred way to use it, as explained in the TCG spec (Note 3 for section 22.2 - TPM_PCR_Extend in part 3 of the spec):

NOTE 3
This command allows a list of digests so that PCR in all banks may be updated in a single
command. While the semantics of this command allow multiple extends to a single PCR bank, this is
not the preferred use and the limit on the number of entries in the list make this use somewhat
impractical.

The number of banks will vary depending on the hash algorithms supported by each TPM2, but the test assumes that 3 hash digests could be passed since that's what the TPM simulator supports (sha1, sha256 and sha384):

#
# To keep things simple, compound specifications are just done with
# sha1, which is guaranteed to be enabled by the TPM2.0 specification.
#
sha1hash=${alg_hashes["sha1"]}

# Do sha1 multiple times in the same spec
tpm2_pcrextend 8:sha1=$sha1hash,sha1=$sha1hash,sha1=$sha1hash

# Do sha1 multiple times in the same spec and separate specs
# with the same pcr.
tpm2_pcrextend 8:sha1=$sha1hash,sha1=$sha1hash,sha1=$sha1hash 9:sha1=$sha1hash,sha1=$sha1hash,sha1=$sha1hash

trap - ERR

# Over-length spec should fail
tpm2_pcrextend 8:sha1=$sha1hash,sha1=$sha1hash,sha1=$sha1hash,sha1=$sha1hash,sha1=$sha1hash,sha1=$sha1hash 2>/dev/null

But this may not be true for other TPMs (i.e: the Intel PTT fTPM only supports sha1 and sha256). Also the test is extending the same PCR bank multiple times which isn't the preferred way to use the TPM2_PCR_Extend command as explained in the spec, even if the semantics allow it.

So I think the test should be changed to:

If you agree I could modify the test accordingly. With that, I think this issue could be finally closed.
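
The comment above attributes the failure to a digest list sized for the simulator's three banks and notes that nothing checks for repeated algorithm IDs. The following added example (not from the thread, not tpm2-tools code and not the change proposed in the PR) is a pre-flight check of one PCR's digest list against the banks a TPM offers. The function, the enum and the two bank tables are hypothetical and constructed from the bank lists given in the comment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCG algorithm IDs for the hash banks named in the thread. */
#define ALG_SHA1   0x0004
#define ALG_SHA256 0x000B
#define ALG_SHA384 0x000C

enum spec_status { SPEC_OK, SPEC_TOO_MANY, SPEC_UNSUPPORTED_BANK, SPEC_DUPLICATE_BANK };

/* Constructed bank sets, taken from the comment's description. */
static const uint16_t simulator_banks[] = { ALG_SHA1, ALG_SHA256, ALG_SHA384 };
static const uint16_t ptt_banks[]       = { ALG_SHA1, ALG_SHA256 };

/* Check the algorithm IDs of one PCR's digest list against a TPM's banks:
 * no more entries than banks, every entry a supported bank, each bank once. */
enum spec_status check_digest_list(const uint16_t *algs, size_t n,
                                   const uint16_t *banks, size_t nbanks)
{
    if (n > nbanks)
        return SPEC_TOO_MANY;
    for (size_t i = 0; i < n; i++) {
        int supported = 0;
        for (size_t b = 0; b < nbanks; b++)
            if (algs[i] == banks[b])
                supported = 1;
        if (!supported)
            return SPEC_UNSUPPORTED_BANK;
        for (size_t j = 0; j < i; j++)
            if (algs[j] == algs[i])
                return SPEC_DUPLICATE_BANK;
    }
    return SPEC_OK;
}

int main(void)
{
    /* The test's spec: 8:sha1=...,sha1=...,sha1=... */
    const uint16_t triple_sha1[] = { ALG_SHA1, ALG_SHA1, ALG_SHA1 };
    /* One digest per bank, valid on both TPMs. */
    const uint16_t per_bank[] = { ALG_SHA1, ALG_SHA256 };

    printf("triple sha1, simulator: %d\n", check_digest_list(triple_sha1, 3, simulator_banks, 3));
    printf("triple sha1, PTT:       %d\n", check_digest_list(triple_sha1, 3, ptt_banks, 2));
    printf("per bank, PTT:          %d\n", check_digest_list(per_bank, 2, ptt_banks, 2));
    return 0;
}
```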

martinezjavier commented 6 years ago

@williamcroberts OK, I went and proposed PR #584. Please let me know what you think.

williamcroberts commented 6 years ago

merged #584

webmeister commented 6 years ago

Looks good to me. test_tpm2_getmanufec.sh fails because of the missing internet connection and test_tpm2_pcrevent.sh fails because of the yaml dependency. Everything else passes.

Is it expected to get the output "WARN: More data to be queried: capability: 0x6, property: 0x100" multiple times for most tests? All that text might hide any real issues.

The only remaining problem I have with the tests in general is the way that they expect to be called, i.e. that they assume to be called from the test/system directory. In my case that directory is not writable for the user executing the tests, so they fail to write their output files. But I cannot call them easily from another directory either, because then the references to other files in the directory break.