From 28d8cc199d0c528107d97d26ded1bc8d789644a7 Mon Sep 17 00:00:00 2001 From: chench Date: Sat, 12 Oct 2024 11:39:20 +0800 Subject: [PATCH] add tcm ecc encrypt/decrypt commands and add hygon tpm/tcm test cases --- ...dd-ecc-encrypt-decrypt-commands-supp.patch | 908 ++++++++++++++++++ Hygon-add-tcm-test-cases.patch | 826 ++++++++++++++++ Hygon-add-tpm-test-cases.patch | 833 ++++++++++++++++ tpm2-tools.spec | 12 +- 4 files changed, 2578 insertions(+), 1 deletion(-) create mode 100644 Hygon-add-ecc-encrypt-decrypt-commands-supp.patch create mode 100644 Hygon-add-tcm-test-cases.patch create mode 100644 Hygon-add-tpm-test-cases.patch diff --git a/Hygon-add-ecc-encrypt-decrypt-commands-supp.patch b/Hygon-add-ecc-encrypt-decrypt-commands-supp.patch new file mode 100644 index 0000000..28af110 --- /dev/null +++ b/Hygon-add-ecc-encrypt-decrypt-commands-supp.patch 
@@ -0,0 +1,908 @@ +From 63cb698013ea79f324af4aec69574424274be716 Mon Sep 17 00:00:00 2001 +From: mayuanchen +Date: Tue, 9 May 2023 20:35:00 -0400 +Subject: [PATCH 1/4] newfeature: tpm: add ecc encrypt/decrypt commands + support. + +Change-Id: I5efa3311728bfc981206faffe2bd2a5eae7b456c +--- + Makefile.am | 2 + + .../tpm2-tools/tpm2_completion.bash | 103 ++++- + lib/tpm2.c | 76 ++++ + lib/tpm2.h | 11 + + lib/tpm2_alg_util.c | 42 +++ + lib/tpm2_alg_util.h | 12 + + tools/tpm2_eccdecrypt.c | 354 ++++++++++++++++++ + tools/tpm2_eccencrypt.c | 200 ++++++++++ + 8 files changed, 799 insertions(+), 1 deletion(-) + create mode 100644 tools/tpm2_eccdecrypt.c + create mode 100644 tools/tpm2_eccencrypt.c + +diff --git a/Makefile.am b/Makefile.am +index 5e53f62..3c81ff3 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -126,6 +126,8 @@ tpm2_tools = \ + tools/tpm2_duplicate.c \ + tools/tpm2_getcap.c \ + tools/tpm2_gettestresult.c \ ++ tools/tpm2_eccdecrypt.c \ ++ tools/tpm2_eccencrypt.c \ + tools/tpm2_encryptdecrypt.c \ + tools/tpm2_evictcontrol.c \ + tools/tpm2_flushcontext.c \ +diff --git a/dist/bash-completion/tpm2-tools/tpm2_completion.bash b/dist/bash-completion/tpm2-tools/tpm2_completion.bash +index 3bbe814..b87d98d 100644 +--- a/dist/bash-completion/tpm2-tools/tpm2_completion.bash ++++ b/dist/bash-completion/tpm2-tools/tpm2_completion.bash +@@ -1100,6 +1100,107 @@ _tpm2_duplicate() + } && + complete -F _tpm2_duplicate tpm2_duplicate + # ex: filetype=sh ++# bash completion for tpm2_eccdecrypt -*- shell-script -*- ++_tpm2_eccdecrypt() ++ { ++ local auth_methods=(str: hex: file: file:- session: pcr:) ++ ++ local hash_methods=(sha1 sha256 sha384 sha512) ++ ++ local format_methods=(tss plain) ++ ++ local signing_scheme=(rsassa rsapss ecdsa ecdaa sm2 ecshnorr hmac) ++ ++ local key_object=(rsa ecc aes camellia hmac xor keyedhash) ++ ++ local key_attributes=(\| fixedtpm stclear fixedparent \ ++ sensitivedataorigin userwithauth adminwithpolicy noda \ ++ encrypteddupplication 
restricted decrypt sign) ++ ++ local nv_attributes=(\| ppwrite ownerwrite authwrite policywrite \ ++ policydelete writelocked writeall writedefine write_stclear \ ++ globallock ppread ownerread authread policyread no_da orderly \ ++ clear_stclear readlocked written platformcreate read_stclear) ++ ++ local cur prev words cword split ++ _init_completion -s || return ++ case $prev in ++ -h | --help) ++ COMPREPLY=( $(compgen -W "man no-man" -- "$cur") ) ++ return;; ++ -T | --tcti) ++ COMPREPLY=( $(compgen -W "tabrmd mssim device none" -- "$cur") ) ++ return;; ++ -c | --key-context) ++ _filedir ++ return;; ++ -p | --auth) ++ COMPREPLY=($(compgen -W "${auth_methods[*]}" -- "$cur")) ++ return;; ++ -o | --output) ++ _filedir ++ return;; ++ -s | --scheme) ++ COMPREPLY=($(compgen -W "${signing_scheme[*]}" -- "$cur")) ++ return;; ++ esac ++ ++ COMPREPLY=($(compgen -W "-h --help -v --version -V --verbose -Q --quiet \ ++ -Z --enable-erata -T --tcti \ ++ -c -p -o -s --key-context --auth --output --scheme --shared-data1 --shared-data2 --cphash " \ ++ -- "$cur")) ++ } && ++ complete -F _tpm2_eccdecrypt tpm2_eccdecrypt ++# ex: filetype=sh ++# bash completion for tpm2_eccencrypt -*- shell-script -*- ++_tpm2_eccencrypt() ++ { ++ local auth_methods=(str: hex: file: file:- session: pcr:) ++ ++ local hash_methods=(sha1 sha256 sha384 sha512) ++ ++ local format_methods=(tss plain) ++ ++ local signing_scheme=(rsassa rsapss ecdsa ecdaa sm2 ecshnorr hmac) ++ ++ local key_object=(rsa ecc aes camellia hmac xor keyedhash) ++ ++ local key_attributes=(\| fixedtpm stclear fixedparent \ ++ sensitivedataorigin userwithauth adminwithpolicy noda \ ++ encrypteddupplication restricted decrypt sign) ++ ++ local nv_attributes=(\| ppwrite ownerwrite authwrite policywrite \ ++ policydelete writelocked writeall writedefine write_stclear \ ++ globallock ppread ownerread authread policyread no_da orderly \ ++ clear_stclear readlocked written platformcreate read_stclear) ++ ++ local cur prev words cword split 
++ _init_completion -s || return ++ case $prev in ++ -h | --help) ++ COMPREPLY=( $(compgen -W "man no-man" -- "$cur") ) ++ return;; ++ -T | --tcti) ++ COMPREPLY=( $(compgen -W "tabrmd mssim device none" -- "$cur") ) ++ return;; ++ -c | --key-context) ++ _filedir ++ return;; ++ -o | --output) ++ _filedir ++ return;; ++ -s | --scheme) ++ COMPREPLY=($(compgen -W "${signing_scheme[*]}" -- "$cur")) ++ return;; ++ esac ++ ++ COMPREPLY=($(compgen -W "-h --help -v --version -V --verbose -Q --quiet \ ++ -Z --enable-erata -T --tcti \ ++ -c -o -s --key-context --output --scheme --shared-data1 --shared-data2" \ ++ -- "$cur")) ++ } && ++ complete -F _tpm2_eccencrypt tpm2_eccencrypt ++# ex: filetype=sh + # bash completion for tpm2_ecdhkeygen -*- shell-script -*- + _tpm2_ecdhkeygen() + { +@@ -5092,7 +5193,7 @@ _tpm2() { + _init_completion -s || return + + if ((cword == 1)); then +- COMPREPLY=($(compgen -W "activatecredential certify certifyX509certutil certifycreation changeauth changeeps changepps checkquote clear clearcontrol clockrateadjust commit create createak createek createpolicy createprimary dictionarylockout duplicate ecdhkeygen ecdhzgen ecephemeral encryptdecrypt eventlog evictcontrol flushcontext getcap getcommandauditdigest geteccparameters getekcertificate getrandom getsessionauditdigest gettestresult gettime hash hierarchycontrol hmac import incrementalselftest load loadexternal makecredential nvcertify nvdefine nvextend nvincrement nvread nvreadlock nvreadpublic nvsetbits nvundefine nvwrite nvwritelock pcrallocate pcrevent pcrextend pcrread pcrreset policyauthorize policyauthorizenv policyauthvalue policycommandcode policycountertimer policycphash policyduplicationselect policylocality policynamehash policynv policynvwritten policyor policypassword policypcr policyrestart policysecret policysigned policytemplate policyticket print quote rc_decode readclock readpublic rsadecrypt rsaencrypt selftest send setclock setcommandauditstatus setprimarypolicy shutdown sign 
startauthsession startup stirrandom testparms unseal verifysignature zgen2phase " -- "$cur")) ++ COMPREPLY=($(compgen -W "activatecredential certify certifyX509certutil certifycreation changeauth changeeps changepps checkquote clear clearcontrol clockrateadjust commit create createak createek createpolicy createprimary dictionarylockout duplicate eccdecrypt eccencrypt ecdhkeygen ecdhzgen ecephemeral encryptdecrypt eventlog evictcontrol flushcontext getcap getcommandauditdigest geteccparameters getekcertificate getrandom getsessionauditdigest gettestresult gettime hash hierarchycontrol hmac import incrementalselftest load loadexternal makecredential nvcertify nvdefine nvextend nvincrement nvread nvreadlock nvreadpublic nvsetbits nvundefine nvwrite nvwritelock pcrallocate pcrevent pcrextend pcrread pcrreset policyauthorize policyauthorizenv policyauthvalue policycommandcode policycountertimer policycphash policyduplicationselect policylocality policynamehash policynv policynvwritten policyor policypassword policypcr policyrestart policysecret policysigned policytemplate policyticket print quote rc_decode readclock readpublic rsadecrypt rsaencrypt selftest send setclock setcommandauditstatus setprimarypolicy shutdown sign startauthsession startup stirrandom testparms unseal verifysignature zgen2phase " -- "$cur")) + else + tpmcommand=_tpm2_$prev + type $tpmcommand &>/dev/null && $tpmcommand +diff --git a/lib/tpm2.c b/lib/tpm2.c +index 93b2322..14de540 100644 +--- a/lib/tpm2.c ++++ b/lib/tpm2.c +@@ -2484,6 +2484,82 @@ tool_rc tpm2_rsa_encrypt(ESYS_CONTEXT *ectx, tpm2_loaded_object *keyobj, + return tool_rc_success; + } + ++tool_rc tpm2_ecc_decrypt(ESYS_CONTEXT *ectx, tpm2_loaded_object *keyobj, ++ const TPM2B_MAX_BUFFER *cipher_text, const TPMT_ECC_DECRYPT *in_scheme, ++ const TPM2B_DATA *shared_data1, const TPM2B_DATA *shared_data2, ++ TPM2B_MAX_BUFFER **message, TPM2B_DIGEST *cp_hash, ++ TPMI_ALG_HASH parameter_hash_algorithm) { ++ ++ ESYS_TR keyobj_session_handle = 
ESYS_TR_NONE; ++ tool_rc rc = tpm2_auth_util_get_shandle(ectx, keyobj->tr_handle, ++ keyobj->session, &keyobj_session_handle); ++ if (rc != tool_rc_success) { ++ return rc; ++ } ++ ++ if (cp_hash && cp_hash->size) { ++ /* ++ * Need sys_context to be able to calculate CpHash ++ */ ++ TSS2_SYS_CONTEXT *sys_context = 0; ++ rc = tpm2_getsapicontext(ectx, &sys_context); ++ if(rc != tool_rc_success) { ++ LOG_ERR("Failed to acquire SAPI context."); ++ return rc; ++ } ++ ++ TSS2_RC rval = Tss2_Sys_ECC_Decrypt_Prepare(sys_context, keyobj->handle, ++ in_scheme, cipher_text, shared_data1, shared_data2); ++ if (rval != TPM2_RC_SUCCESS) { ++ LOG_PERR(Tss2_Sys_ECC_Decrypt_Prepare, rval); ++ return tool_rc_general_error; ++ } ++ ++ TPM2B_NAME *name1 = 0; ++ rc = tpm2_tr_get_name(ectx, keyobj->tr_handle, &name1); ++ if (rc != tool_rc_success) { ++ goto tpm2_eccdecrypt_free_name1; ++ } ++ ++ rc = tpm2_sapi_getcphash(sys_context, name1, 0, 0, ++ parameter_hash_algorithm, cp_hash); ++ ++ /* ++ * Exit here without making the ESYS call since we just need the cpHash ++ */ ++tpm2_eccdecrypt_free_name1: ++ Esys_Free(name1); ++ goto tpm2_eccdecrypt_skip_esapi_call; ++ } ++ ++ TSS2_RC rval = Esys_ECC_Decrypt(ectx, keyobj->tr_handle, ++ keyobj_session_handle, ESYS_TR_NONE, ESYS_TR_NONE, in_scheme, ++ cipher_text, shared_data1, shared_data2, message); ++ if (rval != TPM2_RC_SUCCESS) { ++ LOG_PERR(Esys_ECC_Decrypt, rval); ++ return tool_rc_from_tpm(rval); ++ } ++ ++tpm2_eccdecrypt_skip_esapi_call: ++ return rc; ++} ++ ++tool_rc tpm2_ecc_encrypt(ESYS_CONTEXT *ectx, tpm2_loaded_object *keyobj, ++ const TPM2B_MAX_BUFFER *message, const TPMT_ECC_DECRYPT *scheme, ++ const TPM2B_DATA *shared_data1, const TPM2B_DATA *shared_data2, ++ TPM2B_MAX_BUFFER **cipher_text) { ++ ++ TSS2_RC rval = Esys_ECC_Encrypt(ectx, keyobj->tr_handle, ++ ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, scheme, message, ++ shared_data1, shared_data2, cipher_text); ++ if (rval != TPM2_RC_SUCCESS) { ++ LOG_PERR(Esys_ECC_Encrypt, 
rval); ++ return tool_rc_from_tpm(rval); ++ } ++ ++ return tool_rc_success; ++} ++ + tool_rc tpm2_load(ESYS_CONTEXT *esys_context, tpm2_loaded_object *parentobj, + const TPM2B_PRIVATE *in_private, const TPM2B_PUBLIC *in_public, + ESYS_TR *object_handle, TPM2B_DIGEST *cp_hash, +diff --git a/lib/tpm2.h b/lib/tpm2.h +index 52a8956..9aed2a7 100644 +--- a/lib/tpm2.h ++++ b/lib/tpm2.h +@@ -252,6 +252,17 @@ tool_rc tpm2_rsa_encrypt(ESYS_CONTEXT *ectx, tpm2_loaded_object *keyobj, + const TPM2B_PUBLIC_KEY_RSA *message, const TPMT_RSA_DECRYPT *scheme, + const TPM2B_DATA *label, TPM2B_PUBLIC_KEY_RSA **cipher_text); + ++tool_rc tpm2_ecc_decrypt(ESYS_CONTEXT *ectx, tpm2_loaded_object *keyobj, ++ const TPM2B_MAX_BUFFER *cipher_text, const TPMT_ECC_DECRYPT *in_scheme, ++ const TPM2B_DATA *shared_data1, const TPM2B_DATA *shared_data2, ++ TPM2B_MAX_BUFFER **message, TPM2B_DIGEST *cp_hash, ++ TPMI_ALG_HASH parameter_hash_algorithm); ++ ++tool_rc tpm2_ecc_encrypt(ESYS_CONTEXT *ectx, tpm2_loaded_object *keyobj, ++ const TPM2B_MAX_BUFFER *message, const TPMT_ECC_DECRYPT *scheme, ++ const TPM2B_DATA *shared_data1, const TPM2B_DATA *shared_data2, ++ TPM2B_MAX_BUFFER **cipher_text); ++ + tool_rc tpm2_load(ESYS_CONTEXT *esys_context, tpm2_loaded_object *parentobj, + const TPM2B_PRIVATE *in_private, const TPM2B_PUBLIC *in_public, + ESYS_TR *object_handle, TPM2B_DIGEST *cp_hash, +diff --git a/lib/tpm2_alg_util.c b/lib/tpm2_alg_util.c +index 65739fc..19fdf25 100644 +--- a/lib/tpm2_alg_util.c ++++ b/lib/tpm2_alg_util.c +@@ -660,6 +660,48 @@ tool_rc tpm2_alg_util_handle_rsa_ext_alg(const char *alg_spec, + return result ? 
tool_rc_success : tool_rc_general_error; + } + ++tool_rc tpm2_alg_util_handle_ecc_ext_alg(const char *alg_spec, ++ TPM2B_PUBLIC *public) { ++ ++ char *ext_alg_str = calloc(1, strlen(alg_spec) + strlen("ecc") + ++ strlen("_nist_p256:") + 1); ++ if (ext_alg_str == NULL) { ++ LOG_ERR("oom"); ++ return tool_rc_general_error; ++ } ++ ++ strcat(ext_alg_str, "ecc"); ++ switch(public->publicArea.parameters.eccDetail.curveID) { ++ case TPM2_ECC_NIST_P192: ++ strcat(ext_alg_str, "_nist_p192:"); ++ break; ++ case TPM2_ECC_NIST_P224: ++ strcat(ext_alg_str, "_nist_p224:"); ++ break; ++ case TPM2_ECC_NIST_P256: ++ strcat(ext_alg_str, "_nist_p256:"); ++ break; ++ case TPM2_ECC_NIST_P384: ++ strcat(ext_alg_str, "_nist_p384:"); ++ break; ++ case TPM2_ECC_NIST_P521: ++ strcat(ext_alg_str, "_nist_p521:"); ++ break; ++ case TPM2_ECC_SM2_P256: ++ strcat(ext_alg_str, "_sm2:"); ++ break; ++ default: ++ strcat(ext_alg_str, "_nist_p256:"); ++ break; ++ }; ++ strcat(ext_alg_str, alg_spec); ++ ++ bool result = tpm2_alg_util_handle_ext_alg(ext_alg_str, public); ++ free(ext_alg_str); ++ ++ return result ? 
tool_rc_success : tool_rc_general_error; ++} ++ + static alg_iter_res find_match(TPM2_ALG_ID id, const char *name, + tpm2_alg_util_flags flags, void *userdata) { + +diff --git a/lib/tpm2_alg_util.h b/lib/tpm2_alg_util.h +index ae5e3fb..a9cff56 100644 +--- a/lib/tpm2_alg_util.h ++++ b/lib/tpm2_alg_util.h +@@ -184,6 +184,18 @@ bool tpm2_alg_util_handle_ext_alg(const char *alg_spec, TPM2B_PUBLIC *public); + tool_rc tpm2_alg_util_handle_rsa_ext_alg(const char *alg_spec, + TPM2B_PUBLIC *public); + ++/** ++ * Retrieves the scheme information for an ECC key to be used in ++ * TPM2_CC_ECC_Encrypt or TPM2_CC_ECC_Decrypt ++ * @param alg_spec ++ * Friendly specification of the ECC scheme (sm2-sm3_256) ++ * @param public ++ * Public structure which will contain relevant information about ++ * specified algorithm ++ */ ++tool_rc tpm2_alg_util_handle_ecc_ext_alg(const char *alg_spec, ++ TPM2B_PUBLIC *public); ++ + /** + * + * @param alg_details +diff --git a/tools/tpm2_eccdecrypt.c b/tools/tpm2_eccdecrypt.c +new file mode 100644 +index 0000000..d6ee2d4 +--- /dev/null ++++ b/tools/tpm2_eccdecrypt.c +@@ -0,0 +1,354 @@ ++/* SPDX-License-Identifier: BSD-3-Clause */ ++ ++#include ++ ++#include "files.h" ++#include "log.h" ++#include "tpm2.h" ++#include "tpm2_tool.h" ++#include "tpm2_alg_util.h" ++#include "tpm2_options.h" ++ ++#define MAX_SESSIONS 3 ++typedef struct tpm_eccdecrypt_ctx tpm_eccdecrypt_ctx; ++struct tpm_eccdecrypt_ctx { ++ /* ++ * Inputs ++ */ ++ struct { ++ const char *ctx_path; ++ const char *auth_str; ++ tpm2_loaded_object object; ++ } key; ++ ++ TPM2B_DATA shared_data1; ++ TPM2B_DATA shared_data2; ++ char *data1_path; ++ char *data2_path; ++ TPM2B_MAX_BUFFER cipher_text; ++ char *input_path; ++ ++ TPMT_ECC_DECRYPT scheme; ++ const char *scheme_str; ++ ++ /* ++ * Outputs ++ */ ++ char *output_file_path; ++ TPM2B_MAX_BUFFER *message; ++ FILE *foutput; ++ ++ /* ++ * Parameter hashes ++ */ ++ const char *cp_hash_path; ++ TPM2B_DIGEST cp_hash; ++ bool 
is_command_dispatch; ++ TPMI_ALG_HASH parameter_hash_algorithm; ++}; ++ ++static tpm_eccdecrypt_ctx ctx = { ++ .scheme = { ++ .scheme = TPM2_ALG_SM2, ++ .details = { ++ .anySig = {.hashAlg = TPM2_ALG_SM3_256} ++ } ++ }, ++ .parameter_hash_algorithm = TPM2_ALG_ERROR, ++}; ++ ++static tool_rc ecc_decrypt(ESYS_CONTEXT *ectx) { ++ ++ return tpm2_ecc_decrypt(ectx, &ctx.key.object, &ctx.cipher_text, ++ &ctx.scheme, &ctx.shared_data1, &ctx.shared_data2, &ctx.message, ++ &ctx.cp_hash, ctx.parameter_hash_algorithm); ++} ++ ++static tool_rc process_output(ESYS_CONTEXT *ectx) { ++ ++ UNUSED(ectx); ++ /* ++ * 1. Outputs that do not require TPM2_CC_ dispatch ++ */ ++ bool is_file_op_success = true; ++ if (ctx.cp_hash_path) { ++ is_file_op_success = files_save_digest(&ctx.cp_hash, ctx.cp_hash_path); ++ ++ if (!is_file_op_success) { ++ return tool_rc_general_error; ++ } ++ } ++ ++ tool_rc rc = tool_rc_success; ++ if (!ctx.is_command_dispatch) { ++ return rc; ++ } ++ ++ /* ++ * 2. Outputs generated after TPM2_CC_ dispatch ++ */ ++ is_file_op_success = files_write_bytes(ctx.foutput, ctx.message->buffer, ++ ctx.message->size); ++ if (ctx.foutput != stdout) { ++ fclose(ctx.foutput); ++ } ++ ++ return is_file_op_success ? tool_rc_success : tool_rc_general_error; ++} ++ ++static tool_rc process_inputs(ESYS_CONTEXT *ectx) { ++ ++ UNUSED(ectx); ++ /* ++ * 1. Object and auth initializations ++ */ ++ ++ /* ++ * 1.a Add the new-auth values to be set for the object. ++ */ ++ ++ /* ++ * 1.b Add object names and their auth sessions ++ */ ++ tool_rc rc = tpm2_util_object_load_auth(ectx, ctx.key.ctx_path, ++ ctx.key.auth_str, &ctx.key.object, false, ++ TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT); ++ if (rc != tool_rc_success) { ++ return rc; ++ } ++ ++ /* ++ * 2. Restore auxiliary sessions ++ */ ++ ++ /* ++ * 3. Command specific initializations ++ */ ++ ++ ctx.foutput = ctx.output_file_path ? 
++ fopen(ctx.output_file_path, "wb+") : stdout; ++ if (!ctx.foutput) { ++ return tool_rc_general_error; ++ } ++ ++ TPM2B_PUBLIC *key_public_info = 0; ++ rc = tpm2_readpublic(ectx, ctx.key.object.tr_handle, &key_public_info, ++ 0, 0); ++ if (rc != tool_rc_success) { ++ goto out; ++ } ++ ++ if (key_public_info->publicArea.type != TPM2_ALG_ECC) { ++ LOG_ERR("Unsupported key type for ECC decryption."); ++ rc = tool_rc_general_error; ++ goto out; ++ } ++ ++ /* ++ * Get scheme information ++ */ ++ if (ctx.scheme_str) { ++ rc = tpm2_alg_util_handle_ecc_ext_alg(ctx.scheme_str, key_public_info); ++ ctx.scheme.scheme = ++ key_public_info->publicArea.parameters.eccDetail.scheme.scheme; ++ ctx.scheme.details.anySig.hashAlg = ++ key_public_info->publicArea.parameters.eccDetail.scheme.details.anySig.hashAlg; ++ ++ if (rc != tool_rc_success) { ++ goto out; ++ } ++ } ++ ++ /* ++ * Get enc data blob ++ */ ++ ctx.cipher_text.size = BUFFER_SIZE(TPM2B_MAX_BUFFER, buffer); ++ bool result = files_load_bytes_from_buffer_or_file_or_stdin(0, ++ ctx.input_path, &ctx.cipher_text.size, ctx.cipher_text.buffer); ++ if (!result) { ++ rc = tool_rc_general_error; ++ } ++ ++ /* ++ * Get shared data blob ++ */ ++ if (ctx.data1_path) { ++ ctx.shared_data1.size = BUFFER_SIZE(TPM2B_DATA, buffer); ++ bool ret = files_load_bytes_from_buffer_or_file_or_stdin(0, ++ ctx.data1_path, &ctx.shared_data1.size, ctx.shared_data1.buffer); ++ if (!ret) { ++ rc = tool_rc_general_error; ++ } ++ } ++ ++ if (ctx.data2_path) { ++ ctx.shared_data2.size = BUFFER_SIZE(TPM2B_DATA, buffer); ++ bool ret = files_load_bytes_from_buffer_or_file_or_stdin(0, ++ ctx.data2_path, &ctx.shared_data2.size, ctx.shared_data2.buffer); ++ if (!ret) { ++ rc = tool_rc_general_error; ++ } ++ } ++ ++ /* ++ * 4. 
Configuration for calculating the pHash ++ */ ++ ++ /* ++ * 4.a Determine pHash length and alg ++ */ ++ tpm2_session *all_sessions[MAX_SESSIONS] = { ++ ctx.key.object.session, ++ 0, ++ 0 ++ }; ++ ++ const char **cphash_path = ctx.cp_hash_path ? &ctx.cp_hash_path : 0; ++ ++ ctx.parameter_hash_algorithm = tpm2_util_calculate_phash_algorithm(ectx, ++ cphash_path, &ctx.cp_hash, 0, 0, all_sessions); ++ ++ /* ++ * 4.b Determine if TPM2_CC_ is to be dispatched ++ */ ++ ctx.is_command_dispatch = ctx.cp_hash_path ? false : true; ++ ++out: ++ Esys_Free(key_public_info); ++ return rc; ++} ++ ++static tool_rc check_options(ESYS_CONTEXT *ectx) { ++ ++ UNUSED(ectx); ++ ++ if (!ctx.key.ctx_path) { ++ LOG_ERR("Expected argument -c."); ++ return tool_rc_option_error; ++ } ++ ++ if (ctx.output_file_path && ctx.cp_hash_path) { ++ LOG_ERR("Cannout decrypt when calculating cphash"); ++ return tool_rc_option_error; ++ } ++ ++ return tool_rc_success; ++} ++ ++static bool on_option(char key, char *value) { ++ ++ switch (key) { ++ case 'c': ++ ctx.key.ctx_path = value; ++ break; ++ case 'p': ++ ctx.key.auth_str = value; ++ break; ++ case 'o': { ++ ctx.output_file_path = value; ++ break; ++ } ++ case 's': ++ ctx.scheme_str = value; ++ break; ++ case 0: ++ ctx.cp_hash_path = value; ++ break; ++ case 1: ++ ctx.data1_path = value; ++ break; ++ case 2: ++ ctx.data2_path = value; ++ break; ++ } ++ return true; ++} ++ ++static bool on_args(int argc, char **argv) { ++ ++ if (argc > 1) { ++ LOG_ERR("Only supports one input file, got: %d", argc); ++ return false; ++ } ++ ++ ctx.input_path = argv[0]; ++ ++ return true; ++} ++ ++static bool tpm2_tool_onstart(tpm2_options **opts) { ++ ++ static struct option topts[] = { ++ { "auth", required_argument, 0, 'p' }, ++ { "output", required_argument, 0, 'o' }, ++ { "key-context", required_argument, 0, 'c' }, ++ { "scheme", required_argument, 0, 's' }, ++ { "cphash", required_argument, 0, 0 }, ++ { "shared-data1",required_argument, 0, 1 }, ++ { 
"shared-data2",required_argument, 0, 2 }, ++ }; ++ ++ *opts = tpm2_options_new("p:o:c:s:", ARRAY_LEN(topts), topts, on_option, ++ on_args, 0); ++ ++ return *opts != 0; ++} ++ ++static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *ectx, tpm2_option_flags flags) { ++ ++ UNUSED(flags); ++ ++ /* ++ * 1. Process options ++ */ ++ tool_rc rc = check_options(ectx); ++ if (rc != tool_rc_success) { ++ return rc; ++ } ++ ++ /* ++ * 2. Process inputs ++ */ ++ rc = process_inputs(ectx); ++ if (rc != tool_rc_success) { ++ return rc; ++ } ++ ++ /* ++ * 3. TPM2_CC_ call ++ */ ++ rc = ecc_decrypt(ectx); ++ if (rc != tool_rc_success) { ++ return rc; ++ } ++ ++ /* ++ * 4. Process outputs ++ */ ++ return process_output(ectx); ++} ++ ++static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) { ++ ++ UNUSED(ectx); ++ ++ /* ++ * 1. Free objects ++ */ ++ free(ctx.message); ++ ++ /* ++ * 2. Close authorization sessions ++ */ ++ tool_rc rc = tpm2_session_close(&ctx.key.object.session); ++ ++ /* ++ * 3. Close auxiliary sessions ++ */ ++ ++ return rc; ++} ++ ++// Register this tool with tpm2_tool.c ++TPM2_TOOL_REGISTER("eccdecrypt", tpm2_tool_onstart, tpm2_tool_onrun, ++ tpm2_tool_onstop, 0) +diff --git a/tools/tpm2_eccencrypt.c b/tools/tpm2_eccencrypt.c +new file mode 100644 +index 0000000..d7fd022 +--- /dev/null ++++ b/tools/tpm2_eccencrypt.c +@@ -0,0 +1,200 @@ ++/* SPDX-License-Identifier: BSD-3-Clause */ ++ ++#include ++#include ++ ++#include "files.h" ++#include "log.h" ++#include "object.h" ++#include "tpm2.h" ++#include "tpm2_tool.h" ++#include "tpm2_alg_util.h" ++#include "tpm2_options.h" ++ ++typedef struct tpm_eccencrypt_ctx tpm_eccencrypt_ctx; ++struct tpm_eccencrypt_ctx { ++ const char *context_arg; ++ tpm2_loaded_object key_context; ++ TPM2B_MAX_BUFFER message; ++ char *output_path; ++ char *input_path; ++ TPMT_ECC_DECRYPT scheme; ++ const char *scheme_str; ++ TPM2B_DATA shared_data1; ++ TPM2B_DATA shared_data2; ++ char *data1_path; ++ char *data2_path; ++}; ++ ++static tpm_eccencrypt_ctx ctx 
= { ++ .context_arg = NULL, ++ .scheme = { ++ .scheme = TPM2_ALG_SM2, ++ .details = { ++ .anySig = {.hashAlg = TPM2_ALG_SM3_256} ++ } ++ } ++}; ++ ++static tool_rc ecc_encrypt_and_save(ESYS_CONTEXT *context) { ++ ++ bool ret = false; ++ TPM2B_MAX_BUFFER *out_data = NULL; ++ ++ tool_rc rc = tpm2_ecc_encrypt(context, &ctx.key_context, ++ &ctx.message, &ctx.scheme, &ctx.shared_data1, ++ &ctx.shared_data2, &out_data); ++ if (rc != tool_rc_success) { ++ return rc; ++ } ++ ++ FILE *f = ctx.output_path ? fopen(ctx.output_path, "wb+") : stdout; ++ if (!f) { ++ goto out; ++ } ++ ++ ret = files_write_bytes(f, out_data->buffer, out_data->size); ++ if (f != stdout) { ++ fclose(f); ++ } ++ ++out: ++ free(out_data); ++ return ret ? tool_rc_success : tool_rc_general_error; ++} ++ ++static bool on_option(char key, char *value) { ++ ++ switch (key) { ++ case 'c': ++ ctx.context_arg = value; ++ break; ++ case 'o': ++ ctx.output_path = value; ++ break; ++ case 's': ++ ctx.scheme_str = value; ++ break; ++ case 1: ++ ctx.data1_path = value; ++ break; ++ case 2: ++ ctx.data2_path = value; ++ break; ++ } ++ return true; ++} ++ ++static bool on_args(int argc, char **argv) { ++ ++ if (argc > 1) { ++ LOG_ERR("Only supports one input file, got: %d", argc); ++ return false; ++ } ++ ++ ctx.input_path = argv[0]; ++ ++ return true; ++} ++ ++static bool tpm2_tool_onstart(tpm2_options **opts) { ++ ++ static const struct option topts[] = { ++ {"output", required_argument, NULL, 'o'}, ++ {"key-context", required_argument, NULL, 'c'}, ++ {"scheme", required_argument, NULL, 's'}, ++ {"shared-data1",required_argument, NULL, 1 }, ++ {"shared-data2",required_argument, NULL, 2 }, ++ }; ++ ++ *opts = tpm2_options_new("o:c:s:", ARRAY_LEN(topts), topts, on_option, ++ on_args, 0); ++ ++ return *opts != NULL; ++} ++ ++static tool_rc init(ESYS_CONTEXT *context) { ++ ++ if (!ctx.context_arg) { ++ LOG_ERR("Expected option c"); ++ return tool_rc_option_error; ++ } ++ ++ ctx.message.size = 
BUFFER_SIZE(TPM2B_MAX_BUFFER, buffer); ++ bool result = files_load_bytes_from_buffer_or_file_or_stdin(NULL, ++ ctx.input_path, &ctx.message.size, ctx.message.buffer); ++ if (!result) { ++ return tool_rc_general_error; ++ } ++ ++ if (ctx.data1_path) { ++ ctx.shared_data1.size = BUFFER_SIZE(TPM2B_DATA, buffer); ++ bool ret = files_load_bytes_from_buffer_or_file_or_stdin(NULL, ++ ctx.data1_path, &ctx.shared_data1.size, ctx.shared_data1.buffer); ++ if (!ret) { ++ return tool_rc_general_error; ++ } ++ } ++ ++ if (ctx.data2_path) { ++ ctx.shared_data2.size = BUFFER_SIZE(TPM2B_DATA, buffer); ++ bool ret = files_load_bytes_from_buffer_or_file_or_stdin(NULL, ++ ctx.data2_path, &ctx.shared_data2.size, ctx.shared_data2.buffer); ++ if (!ret) { ++ return tool_rc_general_error; ++ } ++ } ++ ++ /* ++ * Load the decryption key ++ */ ++ tool_rc rc = tpm2_util_object_load(context, ctx.context_arg, &ctx.key_context, ++ TPM2_HANDLES_FLAGS_TRANSIENT|TPM2_HANDLES_FLAGS_PERSISTENT); ++ if (rc != tool_rc_success) { ++ return rc; ++ } ++ ++ TPM2B_PUBLIC *key_public_info = 0; ++ rc = tpm2_readpublic(context, ctx.key_context.tr_handle, &key_public_info, ++ NULL, NULL); ++ if (rc != tool_rc_success) { ++ goto out; ++ } ++ ++ if (key_public_info->publicArea.type != TPM2_ALG_ECC) { ++ LOG_ERR("Unsupported key type for ECC encryption."); ++ rc = tool_rc_general_error; ++ goto out; ++ } ++ ++ /* ++ * Get scheme information ++ */ ++ if (ctx.scheme_str) { ++ rc = tpm2_alg_util_handle_ecc_ext_alg(ctx.scheme_str, key_public_info); ++ ctx.scheme.scheme = ++ key_public_info->publicArea.parameters.eccDetail.scheme.scheme; ++ ctx.scheme.details.anySig.hashAlg = ++ key_public_info->publicArea.parameters.eccDetail.scheme.details.anySig.hashAlg; ++ } ++ ++out: ++ Esys_Free(key_public_info); ++ ++ return rc; ++} ++ ++static tool_rc tpm2_tool_onrun(ESYS_CONTEXT *context, tpm2_option_flags flags) { ++ ++ UNUSED(flags); ++ ++ tool_rc rc = init(context); ++ if (rc != tool_rc_success) { ++ return rc; ++ } ++ ++ 
return ecc_encrypt_and_save(context); ++} ++ ++// Register this tool with tpm2_tool.c ++TPM2_TOOL_REGISTER("eccencrypt", tpm2_tool_onstart, tpm2_tool_onrun, NULL, NULL) +-- +2.17.1 + diff --git a/Hygon-add-tcm-test-cases.patch b/Hygon-add-tcm-test-cases.patch new file mode 100644 index 0000000..a05caf1 --- /dev/null +++ b/Hygon-add-tcm-test-cases.patch 
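Review bot: In tools/tpm2_eccdecrypt.c, process_inputs() opens `ctx.foutput` (the `fopen(ctx.output_file_path, "wb+")` under "3. Command specific initializations") before the key is validated, so a failed tpm2_readpublic, a non-ECC key, a bad `-s` scheme, or a later failure of ecc_decrypt() in tpm2_tool_onrun() leaves an already-truncated, empty output file behind and leaks the FILE*, since only process_output() ever closes it and tpm2_tool_onstop() does not. A minimal fix is to move that fopen block down to just before "4. Configuration for calculating the pHash" so it runs only after the checks pass, and to have tpm2_tool_onstop() release it on the error paths: `if (ctx.foutput && ctx.foutput != stdout) { fclose(ctx.foutput); }`, with process_output() setting `ctx.foutput = 0;` after its own fclose so the handle is never closed twice. Related, when loading the cipher text fails the function records `rc = tool_rc_general_error` but falls through into the shared-data loads and the pHash calculation instead of `goto out;`; the error is still returned, but it would be clearer to leave immediately. The same pattern in tools/tpm2_eccencrypt.c is safe because ecc_encrypt_and_save() only opens the output after the TPM call has succeeded.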
@@ -0,0 +1,826 @@
+From 2b0728d9ef8dcff66ac1b13b7da179f2755e16f8 Mon Sep 17 00:00:00 2001
+From: chench
+Date: Wed, 17 May 2023 15:17:04 +0800
+Subject: [PATCH 1/3] [newfeature][tpm] add tcm test cases
+
+Change-Id: Ic85a27c84a47ce887b85df04a12687f1b2d325e3
+---
+ test/integration/tests_tcm/test.sh | 150 ++++++++++++++++++
+ .../tests_tcm/test_tcm2_activatecredential.sh | 33 ++++
+ .../integration/tests_tcm/test_tcm2_attest.sh | 58 +++++++
+ .../tests_tcm/test_tcm2_capability.sh | 51 ++++++
+ .../tests_tcm/test_tcm2_changeauth.sh | 33 ++++
+ test/integration/tests_tcm/test_tcm2_ecc.sh | 39 +++++
+ .../tests_tcm/test_tcm2_eccencryptdecrypt.sh | 37 +++++
+ .../tests_tcm/test_tcm2_encryptdecrypt.sh | 26 +++
+ test/integration/tests_tcm/test_tcm2_hash.sh | 24 +++
+ test/integration/tests_tcm/test_tcm2_nv.sh | 58 +++++++
+ test/integration/tests_tcm/test_tcm2_pcr.sh | 22 +++
+ .../integration/tests_tcm/test_tcm2_policy.sh | 105 ++++++++++++
+ .../integration/tests_tcm/test_tcm2_random.sh | 21 +++
+ .../tests_tcm/test_tcm2_selftest.sh | 13 ++
+ test/integration/tests_tcm/test_tcm2_sign.sh | 24 +++
+ 15 files changed, 694 insertions(+)
+ create mode 100755 test/integration/tests_tcm/test.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_activatecredential.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_attest.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_capability.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_changeauth.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_ecc.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_eccencryptdecrypt.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_encryptdecrypt.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_hash.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_nv.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_pcr.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_policy.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_random.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_selftest.sh
+ create mode 100755 test/integration/tests_tcm/test_tcm2_sign.sh
+
+diff --git a/test/integration/tests_tcm/test.sh b/test/integration/tests_tcm/test.sh
+new file mode 100755
+index 00000000..2765c2a2
+--- /dev/null
++++ b/test/integration/tests_tcm/test.sh
+@@ -0,0 +1,150 @@
++#!/bin/bash
++#;**********************************************************************;
++#
++# Copyright (c) 2016, Intel Corporation
++# All rights reserved.
++#
++# Redistribution and use in source and binary forms, with or without
++# modification, are permitted provided that the following conditions are met:
++#
++# 1. Redistributions of source code must retain the above copyright notice,
++# this list of conditions and the following disclaimer.
++#
++# 2. Redistributions in binary form must reproduce the above copyright notice,
++# this list of conditions and the following disclaimer in the documentation
++# and/or other materials provided with the distribution.
++#
++# 3. Neither the name of Intel Corporation nor the names of its contributors
++# may be used to endorse or promote products derived from this software without
++# specific prior written permission.
++#
++# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
++# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
++# THE POSSIBILITY OF SUCH DAMAGE.
++#;**********************************************************************;
++
++# We Assume that the tests are run from the test/integration/tests_tcm location.
++
++SRC_DIR=`realpath ../../../tools/`
++PATH=$SRC_DIR:$PATH
++
++# Some test helpers are in the test directory
++# and might be needed on PATH
++TEST_DIR=`realpath .`
++PATH=$TEST_DIR:$PATH
++
++# Keep track of failures and successes for reporting
++pass=0
++fail=0
++
++# Keep track of failed test scripts.
++fail_summary=""
++
++red=$'\e[1;31m'
++grn=$'\e[1;32m'
++yel=$'\e[1;33m'
++blu=$'\e[1;34m'
++mag=$'\e[1;35m'
++cyn=$'\e[1;36m'
++end=$'\e[0m'
++
++# Set the default to print in a prety output
++PRETTY=true
++
++clear_colors() {
++ red=''
++ grn=''
++ yel=''
++ blu=''
++ mag=''
++ cyn=''
++ end=''
++}
++
++test_wrapper() {
++
++ ./$1 &
++ # Process Id of the previous running command
++ pid=$!
++ spin='-\|/'
++ i=0
++ while kill -0 $pid 2>/dev/null; do
++ if [ "$PRETTY" == true ]; then
++ i=$(( (i+1) %4 ))
++ printf "\r${yel}${spin:$i:1}${end}"
++ sleep .1
++ fi
++ done
++
++ wait $pid
++ rc=$?
++
++ failed_checks=0
++
++ # check for persistent handles
++ leftovers=`tpm2 getcap handles-persistent`
++ if [ "$leftovers" != "" ]; then
++ printf "Test left peristent objects loaded, found: %s\n" "$leftovers"
++ failed_checks=1
++ fi
++
++ if [ $failed_checks -ne 0 ]; then
++ # set the $? variable to not be 0!
++ false
++ fi
++
++ if [ $rc -eq 0 ]; then
++ printf "\r${grn}$1 ... PASSED${end}\n"
++ let "pass++"
++ else
++ printf "\r${red}$1 ... FAILED${end}\n"
++ let "fail++"
++ fail_summary="$fail_summary"$'\n'"$1"
++ fi
++}
++
++# Get a list of test scripts, all tests should begin with test_tcm2_ and
++# be a shell script.
++tests=`ls test_tcm2_*.sh`
++
++while true; do
++ case "$1" in
++ -p | --plain ) PRETTY=false; shift ;;
++ -- ) shift; break ;;
++ * ) break ;;
++ esac
++done
++
++# If command line arguments are provided, assume it is
++# the test suite to execute.
++# IE: test_tcm2_getrandom.sh
++if [ "$#" -gt 0 ]; then
++ tests="$@"
++fi
++
++if [ "$PRETTY" != true ]; then
++ clear_colors
++fi
++
++for t in $tests; do
++ test_wrapper $t;
++done;
++
++# Report the status of the tests
++printf "${grn}Tests passed: $pass${end}\n"
++printf "${red}Tests Failed: $fail${end}\n"
++
++if [ $fail -gt 0 ]; then
++ echo "Fail summary:"
++ echo "$fail_summary"
++fi
++
++exit $fail
+diff --git a/test/integration/tests_tcm/test_tcm2_activatecredential.sh b/test/integration/tests_tcm/test_tcm2_activatecredential.sh
+new file mode 100755
+index 00000000..f3f50460
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_activatecredential.sh
+@@ -0,0 +1,33 @@
++#!/bin/bash
++
++quiet=-Q
++context_file=/tmp/context
++context_load_file=/tmp/context_load
++pub_file=/tmp/pub
++priv_file=/tmp/priv
++input_file=/tmp/input
++name_file=/tmp/name
++password=123456
++mkcred_file=/tmp/mkcred
++actcred_file=/tmp/actcred
++pub_key_file=/tmp/pub_key
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
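Review bot: In test_wrapper the persistent-handle leftover check never affects the verdict: `rc` is captured from `wait $pid` before the check runs, and the `false` under `if [ $failed_checks -ne 0 ]` only sets `$?`, which nothing reads, so a script that leaves an object at a persistent handle is still printed PASSED and the leaked object is carried into every later test (test_tcm2_policy.sh in this same patch evicts to 0x81010003 and only frees it if its second evictcontrol succeeds). Replace the `false` with `rc=1` so the branch below reports the failure. Two smaller points in the same function: `tests=`ls test_tcm2_*.sh`` plus the unquoted `$tests` and `./$1` should be the glob `test_tcm2_*.sh` iterated with `"$t"`, and an empty `tpm2 getcap handles-persistent` output when the command itself fails (no device reachable) is indistinguishable from "no leftovers", so its exit status should be checked as well.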
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${context_file} ${context_load_file} ${pub_file} ${priv_file} ${input_file} ${name_file} ${mkcred_file} ${actcred_file} ${pub_key_file}
++}
++trap cleanup EXIT
++
++echo -n "01234567890123456789012345678901" >${input_file}
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${context_file} -p ${password} -o ${pub_key_file}
++tpm2 create ${quiet} -C ${context_file} -g sm3_256 -G "ecc_sm2:sm2-sm3_256:null" -u ${pub_file} -r ${priv_file} -P ${password} -p ${password} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent"
++tpm2 load ${quiet} -C ${context_file} -u ${pub_file} -r ${priv_file} -c ${context_load_file} -P ${password} -n ${name_file}
++loaded_key_name=`cat ${name_file} | xxd -p -c $(ls -l ${name_file} | awk {'print $5'})`
++tpm2 makecredential ${quiet} -e ${pub_key_file} -s ${input_file} -n ${loaded_key_name} -o ${mkcred_file}
++tpm2 activatecredential ${quiet} -c ${context_load_file} -C ${context_file} -i ${mkcred_file} -o ${actcred_file} -p ${password} -P ${password}
++
+diff --git a/test/integration/tests_tcm/test_tcm2_attest.sh b/test/integration/tests_tcm/test_tcm2_attest.sh
+new file mode 100755
+index 00000000..87467d29
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_attest.sh
+@@ -0,0 +1,58 @@
++#!/bin/bash
++
++quiet=-Q
++context_file=/tmp/context
++context_load_file=/tmp/context_load
++input_file=/tmp/input
++context_attest_file=/tmp/context.att
++context_sig_file=/tmp/context.sig
++attest_file=/tmp/attest
++ticket_file=/tmp/ticket
++creation_hash_file=/tmp/creation_hash
++sig_file=/tmp/sig
++pcr_file=/tmp/pcr
++digest_file=/tmp/digest
++
++password=123456
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${context_attest_file} ${context_sig_file} ${attest_file} ${sig_file} ${ticket_file} ${creation_hash_file} ${pem_pri_file} ${pem_pub_file} ${pcr_file}
++}
++trap cleanup EXIT
++
++echo -n "01234567890123456789012345678901" >${input_file}
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G hmac:sm3_256 -c ${context_attest_file} -p ${password} -t ${ticket_file} -d ${creation_hash_file} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent"
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G "ecc_sm2:sm2-sm3_256:null" -c ${context_sig_file} -p ${password} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent"
++
++tpm2 certify ${quiet} -c ${context_attest_file} -C ${context_sig_file} -p ${password} -P ${password} -g sm3_256 -o ${attest_file} -s ${sig_file} --scheme sm2
++tpm2 hash -g sm3_256 -o ${digest_file} ${attest_file}
++tpm2 verifysignature ${quiet} -s ${sig_file} -d ${digest_file} -c ${context_sig_file}
++
++tpm2 gettime ${quiet} -p ${password} -g sm3_256 -s sm2 -o ${sig_file} -c ${context_sig_file} --attestation ${input_file}
++tpm2 hash -g sm3_256 -o ${digest_file} ${input_file}
++tpm2 verifysignature ${quiet} -d ${digest_file} -s ${sig_file} -c ${context_sig_file}
++
++tpm2 certifycreation ${quiet} -C ${context_sig_file} -c ${context_attest_file} -P ${password} -g sm3_256 -s sm2 -d ${creation_hash_file} -t ${ticket_file} -o ${sig_file} --attestation ${attest_file}
++tpm2 hash -g sm3_256 -o ${digest_file} ${attest_file}
++tpm2 verifysignature ${quiet} -d ${digest_file} -s ${sig_file} -c ${context_sig_file}
++
++tpm2 quote ${quiet} -c ${context_sig_file} -p ${password} -l sm3_256:1,2,3,4,5 -s ${sig_file} -m ${attest_file} -o ${pcr_file} -g sm3_256 --scheme sm2
++tpm2 hash -g sm3_256 -o ${digest_file} ${attest_file}
++tpm2 verifysignature ${quiet} -d ${digest_file} -s ${sig_file} -c ${context_sig_file}
++
++pem_pri_file=/tmp/private.ecc.pem
++pem_pub_file=/tmp/public.ecc.pem
++pcr_file=/tmp/pcr
++echo -n "01234567890123456789012345678901" >${input_file}
++openssl ecparam -name SM2 -genkey -out ${pem_pri_file} 2>/dev/null
++openssl ec -in ${pem_pri_file} -pubout -out ${pem_pub_file} 2>/dev/null
++tpm2 loadexternal ${quiet} -G ecc -g sm3_256 -r ${pem_pri_file} -c ${context_load_file}
++tpm2 quote ${quiet} -c ${context_load_file} -l sm3_256:1,2,3,4,5 -s ${sig_file} -m ${attest_file} -o ${pcr_file} -q ${input_file} -g sm3_256 --scheme sm2
++tpm2 checkquote ${quiet} -g sm3_256 -m ${attest_file} -s ${sig_file} -u ${pem_pub_file} -q ${input_file} -f ${pcr_file}
++
+diff --git a/test/integration/tests_tcm/test_tcm2_capability.sh b/test/integration/tests_tcm/test_tcm2_capability.sh
+new file mode 100755
+index 00000000..4f0f6dd8
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_capability.sh
+@@ -0,0 +1,51 @@
++#!/bin/bash
++
++quiet=-Q
++alg_id_file=/tmp/alg_id_support
++alg_id_get_file=/tmp/alg_id_get
++command_code_file=/tmp/command_code_support
++command_code_get_file=/tmp/command_code_get
++pcr_file=/tmp/pcr_support
++pcr_get_file=/tmp/pcr_get
++ecc_curve_file=/tmp/ecc_curve_support
++ecc_curve_get_file=/tmp/ecc_curve_get
++spec_family_file=/tmp/spec_family_support
++spec_family_get_file=/tmp/spec_family_get
++spec_year_file=/tmp/spec_year_support
++spec_year_get_file=/tmp/spec_year_get
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${alg_id_file} ${alg_id_get_file} ${command_code_file} ${command_code_get_file} ${pcr_file} ${pcr_get_file} ${ecc_curve_file} ${ecc_curve_get_file} ${spec_family_file} ${spec_family_get_file} ${spec_year_file} ${spec_year_get_file}
++}
++trap cleanup EXIT
++
++echo -e "0x5\n0x8\n0x12\n0x13\n0x1A\n0x1B\n0x20\n0x22\n0x23\n0x25\n0x43" > ${alg_id_file}
++tpm2 getcap algorithms |grep "value"|awk -F ' ' '{print $NF}' > ${alg_id_get_file}
++diff ${alg_id_file} ${alg_id_get_file}
++
++echo -e "0x120\n0x121\n0x122\n0x126\n0x127\n0x129\n0x12a\n0x12d\n0x12e\n0x131\n0x132\n0x134\n0x135\n0x136\n0x137\n0x138\n0x139\n0x13a\n0x13b\n0x13d\n0x13e\n0x142\n0x143\n0x144\n0x145\n0x146\n0x147\n0x148\n0x14a\n0x14b\n0x14c\n0x14e\n0x14f\n0x150\n0x151\n0x152\n0x153\n0x154\n0x155\n0x156\n0x157\n0x158\n0x15b\n0x15c\n0x15d\n0x15e\n0x160\n0x161\n0x162\n0x163\n0x165\n0x167\n0x168\n0x169\n0x16b\n0x16c\n0x16e\n0x171\n0x172\n0x173\n0x176\n0x177\n0x17a\n0x17b\n0x17c\n0x17d\n0x17e\n0x17f\n0x180\n0x182\n0x186\n0x187\n0x189\n0x18a\n0x18b\n0x18c\n0x18d\n0x18e\n0x193\n0x199\n0x19a\n0x0" > ${command_code_file}
++tpm2 getcap commands |grep "commandIndex"|awk -F ' ' '{print $NF}' > ${command_code_get_file}
++diff ${command_code_file} ${command_code_get_file}
++
++echo "sm3_256" > ${pcr_file}
++tpm2 getcap pcrs |tail -n +2 |awk -F ' ' '{print $2}'|awk -F ':' '{print $1}' > ${pcr_get_file}
++diff ${pcr_file} ${pcr_get_file}
++
++echo -e "0x20" > ${ecc_curve_file}
++tpm2 getcap ecc-curves |awk -F ' ' '{print $NF}' > ${ecc_curve_get_file}
++diff ${ecc_curve_file} ${ecc_curve_get_file}
++
++echo -e "0x322E3000" > ${spec_family_file}
++tpm2 getcap properties-fixed |grep -A 1 "FAMILY"|grep "raw"|awk -F ' ' '{print $NF}'|head -n 1 > ${spec_family_get_file}
++diff ${spec_family_file} ${spec_family_get_file}
++
++echo -e "0x7E4" > ${spec_year_file}
++tpm2 getcap properties-fixed |grep -A 1 "YEAR"|grep "raw"|awk -F ' ' '{print $NF}'|head -n 1 > ${spec_year_get_file}
++diff ${spec_year_file} ${spec_year_get_file}
++
+diff --git a/test/integration/tests_tcm/test_tcm2_changeauth.sh b/test/integration/tests_tcm/test_tcm2_changeauth.sh
+new file mode 100755
+index 00000000..1437d593
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_changeauth.sh
+@@ -0,0 +1,33 @@
++#!/bin/bash
++
++quiet=-Q
++context_file=/tmp/context
++context_load_file=/tmp/context_load
++pub_file=/tmp/pub
++priv_file=/tmp/priv
++input_file=/tmp/input
++
++password=123456
++pass_change1=123
++pass_change2=789
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${context_file} ${context_load_file} ${pub_file} ${priv_file} ${input_file}
++}
++trap cleanup EXIT
++
++echo -n "01234567890123456789012345678901" >${input_file}
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${context_file} -p ${password}
++tpm2 create ${quiet} -g sm3_256 -u ${pub_file} -r ${priv_file} -C ${context_file} -i ${input_file} -P ${password} -p ${pass_change1}
++tpm2 load ${quiet} -C ${context_file} -u ${pub_file} -r ${priv_file} -c ${context_load_file} -P ${password}
++
++tpm2 changeauth ${quiet} -p ${pass_change1} -c ${context_load_file} -C ${context_file} -r ${priv_file} ${pass_change2}
++tpm2 load ${quiet} -C ${context_file} -u ${pub_file} -r ${priv_file} -c ${context_load_file} -P ${password}
++tpm2 changeauth ${quiet} -p ${pass_change2} -c ${context_load_file} -C ${context_file} -r ${priv_file} ${pass_change1}
++
+diff --git a/test/integration/tests_tcm/test_tcm2_ecc.sh b/test/integration/tests_tcm/test_tcm2_ecc.sh
+new file mode 100755
+index 00000000..26c6e2da
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_ecc.sh
+@@ -0,0 +1,39 @@
++#!/bin/bash
++
++quiet=-Q
++eccpara=/tmp/eccpara
++eccpub1=/tmp/eccpub1
++eccctr1=/tmp/eccctr1
++context_file=/tmp/context
++ecdh_ctx=/tmp/ecdh_context
++ecdh_pub=/tmp/ecdh_pub
++ecdh_priv=/tmp/ecdh_priv
++ecdh_keygenpub=/tmp/ecdh_keygenpub
++ecdh_z1=/tmp/ecdh_z1
++ecdh_z2=/tmp/ecdh_z2
++name_file=/tmp/name
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${eccpara} ${eccpub1} ${eccctr1} ${context_file} ${ecdh_ctx} ${ecdh_pub} ${ecdh_priv} ${ecdh_keygenpub} ${ecdh_z1} ${ecdh_z2}
++}
++trap cleanup EXIT
++
++tpm2 ecephemeral ${quiet} -u ${eccpub1} -t ${eccctr1} ecc_sm2
++
++tpm2 createprimary ${quiet} -C o -c ${context_file} -g sm3_256 -G ecc_sm2:null:sm4128cfb
++
++tpm2 create ${quiet} -C ${context_file} -u ${ecdh_pub} -r ${ecdh_priv} -G ecc_sm2:null -g sm3_256
++
++tpm2 load ${quiet} -C ${context_file} -u ${ecdh_pub} -r ${ecdh_priv} -c ${ecdh_ctx} -n ${name_file}
++
++tpm2 ecdhkeygen ${quiet} -u ${ecdh_keygenpub} -o ${ecdh_z1} -c ${ecdh_ctx}
++
++tpm2 ecdhzgen ${quiet} -u ${ecdh_keygenpub} -o ${ecdh_z2} -c ${ecdh_ctx}
++
++diff ${ecdh_z1} ${ecdh_z2}
+diff --git a/test/integration/tests_tcm/test_tcm2_eccencryptdecrypt.sh b/test/integration/tests_tcm/test_tcm2_eccencryptdecrypt.sh
+new file mode 100755
+index 00000000..c38ea95c
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_eccencryptdecrypt.sh
+@@ -0,0 +1,37 @@
++#!/bin/bash
++
++quiet=-Q
++context_file=/tmp/context
++input_file=/tmp/input
++key_pub=/tmp/key_pub
++key_priv=/tmp/key_priv
++load_context=/tmp/load_context
++cipher_text=/tmp/cipher_text
++message=/tmp/message
++password=123456
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${context_file} ${input_file} ${key_pub} ${key_priv} ${load_context} ${cipher_text} ${message}
++}
++trap cleanup EXIT
++
++echo -n "01234567890123456789012345678901" >${input_file}
++
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G "ecc_sm2:null:sm4128cfb" -c ${context_file} -p ${password}
++
++tpm2 create ${quiet} -g sm3_256 -G "ecc_sm2:null:null" -u ${key_pub} -r ${key_priv} -C ${context_file} -P ${password}
++
++tpm2 load ${quiet} -C ${context_file} -u ${key_pub} -r ${key_priv} -c ${load_context} -P ${password}
++
++tpm2 eccencrypt ${quiet} -c ${load_context} -s sm2-sm3_256 -o ${cipher_text} ${input_file}
++
++tpm2 eccdecrypt ${quiet} -c ${load_context} -s sm2-sm3_256 -o ${message} ${cipher_text}
++
++diff ${message} ${input_file}
++
+diff --git a/test/integration/tests_tcm/test_tcm2_encryptdecrypt.sh b/test/integration/tests_tcm/test_tcm2_encryptdecrypt.sh
+new file mode 100755
+index 00000000..2694eca3
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_encryptdecrypt.sh
+@@ -0,0 +1,26 @@
++#!/bin/bash
++
++quiet=-Q
++context_file=/tmp/context
++input_file=/tmp/input
++input_raw=/tmp/input_raw
++output_file=/tmp/output
++password=123456
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${context_file} ${input_file} ${input_raw} ${output_file}
++}
++trap cleanup EXIT
++
++echo -n "01234567890123456789012345678901" >${input_file}
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G sm4128cfb -c ${context_file} -p ${password} -a "sign|decrypt|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent"
++tpm2 encryptdecrypt ${quiet} -p ${password} -c ${context_file} -o ${output_file} ${input_file} 2>/dev/null
++tpm2 encryptdecrypt ${quiet} -p ${password} -c ${context_file} -o ${input_raw} -d ${output_file} 2>/dev/null
++diff ${input_file} ${input_raw}
++
+diff --git a/test/integration/tests_tcm/test_tcm2_hash.sh b/test/integration/tests_tcm/test_tcm2_hash.sh
+new file mode 100755
+index 00000000..0d886180
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_hash.sh
+@@ -0,0 +1,24 @@
++#!/bin/bash
++
++quiet=-Q
++context_file=/tmp/context
++input_file=/tmp/input
++output_file=/tmp/output
++password=123456
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${context_file} ${input_file} ${output_file}
++}
++trap cleanup EXIT
++
++echo -n "01234567890123456789012345678901" >${input_file}
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G hmac:sm3_256 -c ${context_file} -p ${password} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent"
++tpm2 hmac ${quiet} -p ${password} -g sm3_256 -c ${context_file} -o ${output_file} ${input_file}
++tpm2 hash ${quiet} -g sm3_256 -o ${output_file} ${input_file}
++
+diff --git a/test/integration/tests_tcm/test_tcm2_nv.sh b/test/integration/tests_tcm/test_tcm2_nv.sh
+new file mode 100755
+index 00000000..229bf06c
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_nv.sh
+@@ -0,0 +1,58 @@
++#!/bin/bash
++
++quiet=-Q
++input_file=/tmp/input
++output_file=/tmp/output
++context_sig_file=/tmp/context.sig
++attest_file=/tmp/attest
++sig_file=/tmp/sig
++digest_file=/tmp/digest
++password=123456
++nv_index=0x01500001
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${input_file} ${output_file} ${context_sig_file} ${attest_file} ${sig_file}
++ tpm2 nvundefine ${quiet} -C o ${nv_index} 2>/dev/null || true
++
++}
++trap cleanup EXIT
++
++cleanup
++
++echo -n "01234567890123456789012345678901" >${input_file}
++tpm2 nvdefine ${quiet} -C o -p ${password} -a "authread|authwrite" -s 32 -g sm3_256 ${nv_index}
++tpm2 nvundefine ${quiet} -C o ${nv_index}
++tpm2 nvdefine ${quiet} ${nv_index} -C o -s 32 -a "policyread|policywrite|authread|authwrite|ownerwrite|ownerread|read_stclear|writedefine" -p ${password} -g sm3_256
++tpm2 nvreadpublic ${quiet} ${nv_index} > ${output_file}
++tpm2 nvwrite ${quiet} ${nv_index} -P ${password} -i ${input_file}
++tpm2 nvread ${quiet} -P ${password} ${nv_index} -o ${output_file}
++tpm2 nvreadlock ${quiet} -C o ${nv_index}
++tpm2 nvwritelock ${quiet} -C o ${nv_index}
++tpm2 nvwrite ${quiet} ${nv_index} -P ${password} -i ${input_file} 2>/dev/null || true
++tpm2 nvread ${quiet} -P ${password} ${nv_index} 2>/dev/null || true
++tpm2 nvundefine ${quiet} -C o ${nv_index}
++
++tpm2 nvdefine ${quiet} -C o -a "nt=extend|ownerread|policywrite|ownerwrite" ${nv_index} -g sm3_256
++echo -n "01234567890123456789012345678901" | tpm2 nvextend ${quiet} -C o -i- ${nv_index}
++tpm2 nvundefine ${quiet} -C o ${nv_index}
++
++tpm2 nvdefine ${quiet} -C o -P "" -a "nt=counter|authread|authwrite|ownerread|ownerwrite|writedefine" ${nv_index} -g sm3_256
++tpm2 nvincrement ${quiet} -C o -P "" ${nv_index}
++tpm2 nvundefine ${quiet} -C o ${nv_index}
++
++bits=0xbadc0de
++tpm2 nvdefine ${quiet} -C o -P "" -a "nt=bits|ownerread|policywrite|ownerwrite|writedefine" ${nv_index} -g sm3_256
++tpm2 nvsetbits ${quiet} -C o -P "" -i ${bits} ${nv_index}
++check=$(tpm2 nvread -C o -P "" ${nv_index} | xxd -p | sed s/'^0*'/0x/)
++tpm2 nvundefine ${quiet} -C o ${nv_index}
++if [ "${check}" != "${bits}" ];then
++ echo "tpm2_nvsetbits fail"
++ exit 1
++fi
++
+diff --git a/test/integration/tests_tcm/test_tcm2_pcr.sh b/test/integration/tests_tcm/test_tcm2_pcr.sh
+new file mode 100755
+index 00000000..0fb715d9
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_pcr.sh
+@@ -0,0 +1,22 @@
++#!/bin/bash
++
++quiet=-Q
++input_file=/tmp/input
++pcrs_file=/tmp/pcrs
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${input_file} ${pcrs_file}
++}
++trap cleanup EXIT
++
++echo -n "01234567890123456789012345678901" >${input_file}
++tpm2 pcrreset ${quiet} 16 23
++tpm2 pcrread ${quiet} sm3_256:0,1,8,9 -o ${pcrs_file}
++tpm2 pcrextend ${quiet} 16:sm3_256="2b14a1fc49869413b0beb707069cffc0c6b0a51f3fedb9ce072c80709652b3ae"
++
+diff --git a/test/integration/tests_tcm/test_tcm2_policy.sh b/test/integration/tests_tcm/test_tcm2_policy.sh
+new file mode 100755
+index 00000000..dc112a30
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_policy.sh
+@@ -0,0 +1,105 @@
++#!/bin/bash
++
++quiet=-Q
++context_file=/tmp/context
++context_load_file=/tmp/context_load
++pub_file=/tmp/pub
++priv_file=/tmp/priv
++input_file=/tmp/input
++policy_digest_file=/tmp/policy_digest
++digest_file=/tmp/digest
++session_file=/tmp/session
++sig_file=/tmp/sig
++name_file=/tmp/name
++timeout_file=/tmp/timeout
++ticket_file=/tmp/ticket
++new_parent_file=/tmp/new_parent
++source_parent_file=/tmp/source_parent
++new_parent_name_file=/tmp/new_parent_name
++duplicable_file=/tmp/duplicable
++duplicable_name_file=/tmp/duplicable_name
++duplicated_seed_file=/tmp/duplicated_seed
++digest_file=/tmp/digest
++nv_index=0x01500001
++password=123456
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${context_file} ${context_load_file} ${pub_file} ${priv_file} ${input_file} ${policy_digest_file} ${digest_file} ${session_file} ${sig_file} ${name_file} ${timeout_file} ${ticket_file} ${new_parent_file} ${source_parent_file} ${new_parent_name_file} ${duplicable_file} ${duplicable_name_file} ${duplicated_seed_file}
++ tpm2 nvundefine ${quiet} -C o ${nv_index} 2>/dev/null || true
++}
++trap cleanup EXIT
++
++cleanup
++
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${context_file}
++tpm2 startauthsession ${quiet} --policy-session -c ${context_file} -g sm3_256 -G sm4 -S ${session_file}
++tpm2 policypcr ${quiet} -l sm3_256:0,1,8,9 -S ${session_file} -L ${policy_digest_file}
++tpm2 setprimarypolicy ${quiet} -C o -P "" -L ${policy_digest_file} -g sm3_256
++tpm2 setprimarypolicy ${quiet} -C o -P session:${session_file} -L ${policy_digest_file} -g sm3_256
++tpm2 flushcontext ${session_file}
++
++tpm2 startauthsession ${quiet} --policy-session -g sm3_256 -S ${session_file}
++tpm2 policypcr ${quiet} -l sm3_256:0,1,8,9 -S ${session_file} -L ${policy_digest_file}
++tpm2 policyor ${quiet} -L ${digest_file} -S ${session_file} -l sm3_256:${policy_digest_file},${policy_digest_file}
++tpm2 policypassword ${quiet} -S ${session_file} -L ${policy_digest_file}
++tpm2 policycommandcode ${quiet} -S ${session_file} -L ${policy_digest_file} TPM2_CC_PCR_Reset
++tpm2 policyrestart ${quiet} -S ${session_file}
++tpm2 flushcontext ${session_file}
++
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G "ecc_sm2:sm2-sm3_256:null" -c ${context_file} -p ${password} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent"
++tpm2 startauthsession ${quiet} --policy-session -g sm3_256 -S ${session_file}
++tpm2 policysigned ${quiet} -S ${session_file} -c ${context_file} --raw-data ${input_file}
++tpm2 hash -g sm3_256 -o ${digest_file} ${input_file}
++tpm2 sign ${quiet} -p ${password} -g sm3_256 -c ${context_file} -o ${sig_file} -s sm2 -d ${digest_file}
++tpm2 policysigned ${quiet} -S ${session_file} -g sm3_256 -c ${context_file} -s ${sig_file} -L ${policy_digest_file}
++tpm2 flushcontext ${session_file}
++
++echo -n "01234567890123456789012345678901" >${input_file}
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${context_file} -p ${password}
++tpm2 create ${quiet} -g sm3_256 -u ${pub_file} -r ${priv_file} -C ${context_file} -i ${input_file} -P ${password}
++tpm2 load ${quiet} -C ${context_file} -u ${pub_file} -r ${priv_file} -c ${context_load_file} -P ${password} -n ${name_file}
++tpm2 startauthsession ${quiet} --policy-session -g sm3_256 -S ${session_file}
++tpm2 policysecret ${quiet} -L ${policy_digest_file} -S ${session_file} -c ${context_load_file} --ticket ${ticket_file} --timeout ${timeout_file} -t -1000000
++tpm2 policyticket ${quiet} -L ${policy_digest_file} -S ${session_file} -n ${name_file} --ticket ${ticket_file} --timeout ${timeout_file}
++tpm2 policyrestart ${quiet} -S ${session_file}
++tpm2 flushcontext ${session_file}
++
++echo -n "01234567890123456789012345678901" >${input_file}
++tpm2 nvdefine ${quiet} -C o -p ${password} ${nv_index} -a "authread|authwrite" -s 34 -g sm3_256
++tpm2 startauthsession ${quiet} -S ${session_file} -g sm3_256
++tpm2 policypcr ${quiet} -S ${session_file} -l sm3_256:0,1,8,9 -L ${policy_digest_file}
++tpm2 flushcontext ${session_file}
++echo "0012" | xxd -p -r | cat - ${policy_digest_file} | tpm2 nvwrite ${quiet} -C ${nv_index} -P ${password} ${nv_index} -i- #0012 is sm3_256
++tpm2 startauthsession ${quiet} -S ${session_file} --policy-session -g sm3_256
++tpm2 policypcr ${quiet} -S ${session_file} -l sm3_256:0,1,8,9 -L ${policy_digest_file}
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${context_file} -p ${password}
++tpm2 create ${quiet} -g sm3_256 -u ${pub_file} -r ${priv_file} -C ${context_file} -i ${input_file} -P ${password} -L ${policy_digest_file}
++tpm2 load ${quiet} -C ${context_file} -u ${pub_file} -r ${priv_file} -c ${context_load_file} -P ${password} -n ${name_file}
++tpm2 unseal ${quiet} -c ${context_load_file} -p session:${session_file} >/dev/null
++tpm2 evictcontrol ${quiet} -c ${context_load_file} 0x81010003
++tpm2 evictcontrol ${quiet} -c 0x81010003 0x81010003
++tpm2 flushcontext ${session_file}
++tpm2 nvundefine ${quiet} -C o ${nv_index}
++
++
++tpm2 startauthsession ${quiet} -S ${session_file} -g sm3_256
++tpm2 policycommandcode ${quiet} -S ${session_file} -L ${policy_digest_file} TPM2_CC_Duplicate
++tpm2 flushcontext ${session_file}
++
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${source_parent_file}
++tpm2 create ${quiet} -C ${source_parent_file} -g sm3_256 -G ecc_sm2:sm2-sm3_256:null -u ${pub_file} -r ${priv_file} -L ${policy_digest_file} -a "sensitivedataorigin|sign"
++tpm2 load ${quiet} -C ${source_parent_file} -u ${pub_file} -r ${priv_file} -c ${duplicable_file}
++
++tpm2 createprimary ${quiet} -C n -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${new_parent_file}
++
++tpm2 startauthsession ${quiet} --policy-session -S ${session_file} -g sm3_256
++tpm2 policycommandcode ${quiet} -S ${session_file} -L ${policy_digest_file} TPM2_CC_Duplicate
++tpm2 duplicate ${quiet} -C ${new_parent_file} -c ${duplicable_file} -G null -p session:${session_file} -r ${priv_file} -s ${duplicated_seed_file}
++tpm2 flushcontext ${session_file}
++
+diff --git a/test/integration/tests_tcm/test_tcm2_random.sh b/test/integration/tests_tcm/test_tcm2_random.sh
+new file mode 100755
+index 00000000..0ce461ee
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_random.sh
+@@ -0,0 +1,21 @@
++#!/bin/bash
++
++quiet=-Q
++input_file=/tmp/input
++output_file=/tmp/output
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${input_file} ${output_file}
++}
++trap cleanup EXIT
++
++echo -n "01234567890123456789012345678901" >${input_file}
++tpm2 stirrandom ${quiet} ${input_file}
++tpm2 getrandom ${quiet} -f 32 -o ${output_file}
++
+diff --git a/test/integration/tests_tcm/test_tcm2_selftest.sh b/test/integration/tests_tcm/test_tcm2_selftest.sh
+new file mode 100755
+index 00000000..d7a9c67a
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_selftest.sh
+@@ -0,0 +1,13 @@
++#!/bin/bash
++
++quiet=-Q
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++tpm2 selftest ${quiet} -f
++tpm2 incrementalselftest ${quiet} sm2 sm3_256 sm4
++tpm2 gettestresult ${quiet}
+diff --git a/test/integration/tests_tcm/test_tcm2_sign.sh b/test/integration/tests_tcm/test_tcm2_sign.sh
+new file mode 100755
+index 00000000..09911e5c
+--- /dev/null
++++ b/test/integration/tests_tcm/test_tcm2_sign.sh
+@@ -0,0 +1,24 @@
++#!/bin/bash
++
++quiet=-Q
++context_file=/tmp/context
++input_file=/tmp/input
++sig_file=/tmp/sig
++password=123456
++
++onerror() {
++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?"
++ exit 1
++}
++trap onerror ERR
++
++cleanup() {
++ rm -f ${context_file} ${input_file} ${sig_file}
++}
++trap cleanup EXIT
++
++echo -n "01234567890123456789012345678901" >${input_file}
++tpm2 createprimary ${quiet} -C o -g sm3_256 -G "ecc_sm2:sm2-sm3_256:null" -c ${context_file} -p ${password} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent"
++tpm2 sign ${quiet} -p ${password} -g sm3_256 -c ${context_file} -o ${sig_file} -s sm2 ${input_file}
++tpm2 verifysignature ${quiet} -g sm3_256 -s ${sig_file} -c ${context_file} -m ${input_file}
++
+-- 
+2.17.1
+
diff --git a/Hygon-add-tpm-test-cases.patch b/Hygon-add-tpm-test-cases.patch
new file mode 100644
index 0000000..f1147ce
--- /dev/null
+++ b/Hygon-add-tpm-test-cases.patch
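Review bot: In test_tcm2_nv.sh the only commands that exercise `tpm2 nvreadlock`/`tpm2 nvwritelock` are followed by `2>/dev/null || true`, so the script passes whether the locked write and read are rejected or quietly succeed, and a TCM that ignores the lock attributes is never caught. State the expectation explicitly, `if tpm2 nvwrite ${quiet} ${nv_index} -P ${password} -i ${input_file} 2>/dev/null; then echo "write after nvwritelock succeeded"; exit 1; fi`, with the same `if ... then exit 1` form for the nvread; the earlier successful `tpm2 nvread ... -o ${output_file}` is also never compared with what was written, so add `diff ${input_file} ${output_file}` after it. More generally, every script in this patch uses fixed names under /tmp (`/tmp/priv`, `/tmp/private.ecc.pem`, `/tmp/session`) that are `rm -f`'d from the EXIT trap, which on a shared host is a symlink/pre-creation race and leaves wrapped key blobs and session state world-readable; a per-script `mktemp -d` work dir would be the usual fix.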
@@ -0,0 +1,833 @@ +From 9e301011a9b06b21843e55c9a2f88f3f429b9898 Mon Sep 17 00:00:00 2001 +From: chench +Date: Thu, 18 Apr 2024 15:51:08 +0800 +Subject: [PATCH 2/3] [newfeature][tpm] add tpm test case. + +add SM2, SM3, SM4 test case. + +Change-Id: If91deaa3973bccb9e4e41a037c333826e5fae666 +--- + test/integration/tests_gm/test.sh | 150 ++++++++++++++ + .../tests_gm/test_tpm2_activatecredential.sh | 33 ++++ + test/integration/tests_gm/test_tpm2_attest.sh | 58 ++++++ + .../tests_gm/test_tpm2_changeauth.sh | 33 ++++ + test/integration/tests_gm/test_tpm2_clock.sh | 11 ++ + test/integration/tests_gm/test_tpm2_ecc.sh | 37 ++++ + .../tests_gm/test_tpm2_encryptdecrypt.sh | 26 +++ + test/integration/tests_gm/test_tpm2_hash.sh | 24 +++ + test/integration/tests_gm/test_tpm2_nv.sh | 67 +++++++ + test/integration/tests_gm/test_tpm2_pcr.sh | 23 +++ + test/integration/tests_gm/test_tpm2_policy.sh | 187 ++++++++++++++++++ + test/integration/tests_gm/test_tpm2_random.sh | 21 ++ + .../tests_gm/test_tpm2_selftest.sh | 13 ++ + test/integration/tests_gm/test_tpm2_sign.sh | 24 +++ + 14 files changed, 707 insertions(+) + create mode 100755 test/integration/tests_gm/test.sh + create mode 100755 test/integration/tests_gm/test_tpm2_activatecredential.sh + create mode 100755 test/integration/tests_gm/test_tpm2_attest.sh + create mode 100755 test/integration/tests_gm/test_tpm2_changeauth.sh + create mode 100755 test/integration/tests_gm/test_tpm2_clock.sh + create mode 100755 test/integration/tests_gm/test_tpm2_ecc.sh + create mode 100755 test/integration/tests_gm/test_tpm2_encryptdecrypt.sh + create mode 100755 test/integration/tests_gm/test_tpm2_hash.sh + create mode 100755 test/integration/tests_gm/test_tpm2_nv.sh + create mode 100755 test/integration/tests_gm/test_tpm2_pcr.sh + create mode 100755 test/integration/tests_gm/test_tpm2_policy.sh + create mode 100755 test/integration/tests_gm/test_tpm2_random.sh + create mode 100755 test/integration/tests_gm/test_tpm2_selftest.sh + create mode 
100755 test/integration/tests_gm/test_tpm2_sign.sh + +diff --git a/test/integration/tests_gm/test.sh b/test/integration/tests_gm/test.sh +new file mode 100755 +index 00000000..63cb5fa5 +--- /dev/null ++++ b/test/integration/tests_gm/test.sh +@@ -0,0 +1,150 @@ ++#!/bin/bash ++#;**********************************************************************; ++# ++# Copyright (c) 2016, Intel Corporation ++# All rights reserved. ++# ++# Redistribution and use in source and binary forms, with or without ++# modification, are permitted provided that the following conditions are met: ++# ++# 1. Redistributions of source code must retain the above copyright notice, ++# this list of conditions and the following disclaimer. ++# ++# 2. Redistributions in binary form must reproduce the above copyright notice, ++# this list of conditions and the following disclaimer in the documentation ++# and/or other materials provided with the distribution. ++# ++# 3. Neither the name of Intel Corporation nor the names of its contributors ++# may be used to endorse or promote products derived from this software without ++# specific prior written permission. ++# ++# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE ++# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF ++# THE POSSIBILITY OF SUCH DAMAGE. 
++#;**********************************************************************; ++ ++# We Assume that the tests are run from the test/integration/tests_gm location. ++ ++SRC_DIR=`realpath ../../../tools/` ++PATH=$SRC_DIR:$PATH ++ ++# Some test helpers are in the test directory ++# and might be needed on PATH ++TEST_DIR=`realpath .` ++PATH=$TEST_DIR:$PATH ++ ++# Keep track of failures and successes for reporting ++pass=0 ++fail=0 ++ ++# Keep track of failed test scripts. ++fail_summary="" ++ ++red=$'\e[1;31m' ++grn=$'\e[1;32m' ++yel=$'\e[1;33m' ++blu=$'\e[1;34m' ++mag=$'\e[1;35m' ++cyn=$'\e[1;36m' ++end=$'\e[0m' ++ ++# Set the default to print in a prety output ++PRETTY=true ++ ++clear_colors() { ++ red='' ++ grn='' ++ yel='' ++ blu='' ++ mag='' ++ cyn='' ++ end='' ++} ++ ++test_wrapper() { ++ ++ ./$1 & ++ # Process Id of the previous running command ++ pid=$! ++ spin='-\|/' ++ i=0 ++ while kill -0 $pid 2>/dev/null; do ++ if [ "$PRETTY" == true ]; then ++ i=$(( (i+1) %4 )) ++ printf "\r${yel}${spin:$i:1}${end}" ++ sleep .1 ++ fi ++ done ++ ++ wait $pid ++ rc=$? ++ ++ failed_checks=0 ++ ++ # check for persistent handles ++ leftovers=`tpm2 getcap handles-persistent` ++ if [ "$leftovers" != "" ]; then ++ printf "Test left peristent objects loaded, found: %s\n" "$leftovers" ++ failed_checks=1 ++ fi ++ ++ if [ $failed_checks -ne 0 ]; then ++ # set the $? variable to not be 0! ++ false ++ fi ++ ++ if [ $rc -eq 0 ]; then ++ printf "\r${grn}$1 ... PASSED${end}\n" ++ let "pass++" ++ else ++ printf "\r${red}$1 ... FAILED${end}\n" ++ let "fail++" ++ fail_summary="$fail_summary"$'\n'"$1" ++ fi ++} ++ ++# Get a list of test scripts, all tests should begin with test_tpm2_ and ++# be a shell script. ++tests=`ls test_tpm2_*.sh` ++ ++while true; do ++ case "$1" in ++ -p | --plain ) PRETTY=false; shift ;; ++ -- ) shift; break ;; ++ * ) break ;; ++ esac ++done ++ ++# If command line arguments are provided, assume it is ++# the test suite to execute. 
++# IE: test_tpm2_getrandom.sh ++if [ "$#" -gt 0 ]; then ++ tests="$@" ++fi ++ ++if [ "$PRETTY" != true ]; then ++ clear_colors ++fi ++ ++for t in $tests; do ++ test_wrapper $t; ++done; ++ ++# Report the status of the tests ++printf "${grn}Tests passed: $pass${end}\n" ++printf "${red}Tests Failed: $fail${end}\n" ++ ++if [ $fail -gt 0 ]; then ++ echo "Fail summary:" ++ echo "$fail_summary" ++fi ++ ++exit $fail +diff --git a/test/integration/tests_gm/test_tpm2_activatecredential.sh b/test/integration/tests_gm/test_tpm2_activatecredential.sh +new file mode 100755 +index 00000000..f3f50460 +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_activatecredential.sh +@@ -0,0 +1,33 @@ ++#!/bin/bash ++ ++quiet=-Q ++context_file=/tmp/context ++context_load_file=/tmp/context_load ++pub_file=/tmp/pub ++priv_file=/tmp/priv ++input_file=/tmp/input ++name_file=/tmp/name ++password=123456 ++mkcred_file=/tmp/mkcred ++actcred_file=/tmp/actcred ++pub_key_file=/tmp/pub_key ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" 
++ exit 1 ++} ++trap onerror ERR ++ ++cleanup() { ++ rm -f ${context_file} ${context_load_file} ${pub_file} ${priv_file} ${input_file} ${name_file} ${mkcred_file} ${actcred_file} ${pub_key_file} ++} ++trap cleanup EXIT ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${context_file} -p ${password} -o ${pub_key_file} ++tpm2 create ${quiet} -C ${context_file} -g sm3_256 -G "ecc_sm2:sm2-sm3_256:null" -u ${pub_file} -r ${priv_file} -P ${password} -p ${password} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent" ++tpm2 load ${quiet} -C ${context_file} -u ${pub_file} -r ${priv_file} -c ${context_load_file} -P ${password} -n ${name_file} ++loaded_key_name=`cat ${name_file} | xxd -p -c $(ls -l ${name_file} | awk {'print $5'})` ++tpm2 makecredential ${quiet} -e ${pub_key_file} -s ${input_file} -n ${loaded_key_name} -o ${mkcred_file} ++tpm2 activatecredential ${quiet} -c ${context_load_file} -C ${context_file} -i ${mkcred_file} -o ${actcred_file} -p ${password} -P ${password} ++ +diff --git a/test/integration/tests_gm/test_tpm2_attest.sh b/test/integration/tests_gm/test_tpm2_attest.sh +new file mode 100755 +index 00000000..87467d29 +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_attest.sh +@@ -0,0 +1,58 @@ ++#!/bin/bash ++ ++quiet=-Q ++context_file=/tmp/context ++context_load_file=/tmp/context_load ++input_file=/tmp/input ++context_attest_file=/tmp/context.att ++context_sig_file=/tmp/context.sig ++attest_file=/tmp/attest ++ticket_file=/tmp/ticket ++creation_hash_file=/tmp/creation_hash ++sig_file=/tmp/sig ++pcr_file=/tmp/pcr ++digest_file=/tmp/digest ++ ++password=123456 ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" 
++ exit 1 ++} ++trap onerror ERR ++ ++cleanup() { ++ rm -f ${context_attest_file} ${context_sig_file} ${attest_file} ${sig_file} ${ticket_file} ${creation_hash_file} ${pem_pri_file} ${pem_pub_file} ${pcr_file} ++} ++trap cleanup EXIT ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G hmac:sm3_256 -c ${context_attest_file} -p ${password} -t ${ticket_file} -d ${creation_hash_file} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent" ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G "ecc_sm2:sm2-sm3_256:null" -c ${context_sig_file} -p ${password} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent" ++ ++tpm2 certify ${quiet} -c ${context_attest_file} -C ${context_sig_file} -p ${password} -P ${password} -g sm3_256 -o ${attest_file} -s ${sig_file} --scheme sm2 ++tpm2 hash -g sm3_256 -o ${digest_file} ${attest_file} ++tpm2 verifysignature ${quiet} -s ${sig_file} -d ${digest_file} -c ${context_sig_file} ++ ++tpm2 gettime ${quiet} -p ${password} -g sm3_256 -s sm2 -o ${sig_file} -c ${context_sig_file} --attestation ${input_file} ++tpm2 hash -g sm3_256 -o ${digest_file} ${input_file} ++tpm2 verifysignature ${quiet} -d ${digest_file} -s ${sig_file} -c ${context_sig_file} ++ ++tpm2 certifycreation ${quiet} -C ${context_sig_file} -c ${context_attest_file} -P ${password} -g sm3_256 -s sm2 -d ${creation_hash_file} -t ${ticket_file} -o ${sig_file} --attestation ${attest_file} ++tpm2 hash -g sm3_256 -o ${digest_file} ${attest_file} ++tpm2 verifysignature ${quiet} -d ${digest_file} -s ${sig_file} -c ${context_sig_file} ++ ++tpm2 quote ${quiet} -c ${context_sig_file} -p ${password} -l sm3_256:1,2,3,4,5 -s ${sig_file} -m ${attest_file} -o ${pcr_file} -g sm3_256 --scheme sm2 ++tpm2 hash -g sm3_256 -o ${digest_file} ${attest_file} ++tpm2 verifysignature ${quiet} -d ${digest_file} -s ${sig_file} -c ${context_sig_file} ++ ++pem_pri_file=/tmp/private.ecc.pem ++pem_pub_file=/tmp/public.ecc.pem 
++pcr_file=/tmp/pcr ++echo -n "01234567890123456789012345678901" >${input_file} ++openssl ecparam -name SM2 -genkey -out ${pem_pri_file} 2>/dev/null ++openssl ec -in ${pem_pri_file} -pubout -out ${pem_pub_file} 2>/dev/null ++tpm2 loadexternal ${quiet} -G ecc -g sm3_256 -r ${pem_pri_file} -c ${context_load_file} ++tpm2 quote ${quiet} -c ${context_load_file} -l sm3_256:1,2,3,4,5 -s ${sig_file} -m ${attest_file} -o ${pcr_file} -q ${input_file} -g sm3_256 --scheme sm2 ++tpm2 checkquote ${quiet} -g sm3_256 -m ${attest_file} -s ${sig_file} -u ${pem_pub_file} -q ${input_file} -f ${pcr_file} ++ +diff --git a/test/integration/tests_gm/test_tpm2_changeauth.sh b/test/integration/tests_gm/test_tpm2_changeauth.sh +new file mode 100755 +index 00000000..1437d593 +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_changeauth.sh +@@ -0,0 +1,33 @@ ++#!/bin/bash ++ ++quiet=-Q ++context_file=/tmp/context ++context_load_file=/tmp/context_load ++pub_file=/tmp/pub ++priv_file=/tmp/priv ++input_file=/tmp/input ++ ++password=123456 ++pass_change1=123 ++pass_change2=789 ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" 
++ exit 1 ++} ++trap onerror ERR ++ ++cleanup() { ++ rm -f ${context_file} ${context_load_file} ${pub_file} ${priv_file} ${input_file} ++} ++trap cleanup EXIT ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${context_file} -p ${password} ++tpm2 create ${quiet} -g sm3_256 -u ${pub_file} -r ${priv_file} -C ${context_file} -i ${input_file} -P ${password} -p ${pass_change1} ++tpm2 load ${quiet} -C ${context_file} -u ${pub_file} -r ${priv_file} -c ${context_load_file} -P ${password} ++ ++tpm2 changeauth ${quiet} -p ${pass_change1} -c ${context_load_file} -C ${context_file} -r ${priv_file} ${pass_change2} ++tpm2 load ${quiet} -C ${context_file} -u ${pub_file} -r ${priv_file} -c ${context_load_file} -P ${password} ++tpm2 changeauth ${quiet} -p ${pass_change2} -c ${context_load_file} -C ${context_file} -r ${priv_file} ${pass_change1} ++ +diff --git a/test/integration/tests_gm/test_tpm2_clock.sh b/test/integration/tests_gm/test_tpm2_clock.sh +new file mode 100755 +index 00000000..c1b2e79e +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_clock.sh +@@ -0,0 +1,11 @@ ++#!/bin/bash ++ ++quiet=-Q ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" ++ exit 1 ++} ++trap onerror ERR ++ ++tpm2 clockrateadjust ${quiet} -c o fff +diff --git a/test/integration/tests_gm/test_tpm2_ecc.sh b/test/integration/tests_gm/test_tpm2_ecc.sh +new file mode 100755 +index 00000000..31c564dc +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_ecc.sh +@@ -0,0 +1,37 @@ ++#!/bin/bash ++ ++quiet=-Q ++eccpara=/tmp/eccpara ++eccpub1=/tmp/eccpub1 ++eccctr1=/tmp/eccctr1 ++context_file=/tmp/context ++ecdh_ctx=/tmp/ecdh_context ++ecdh_pub=/tmp/ecdh_pub ++ecdh_priv=/tmp/ecdh_priv ++ecdh_keygenpub=/tmp/ecdh_keygenpub ++ecdh_z1=/tmp/ecdh_z1 ++ecdh_z2=/tmp/ecdh_z2 ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" 
++ exit 1 ++} ++trap onerror ERR ++ ++cleanup() { ++ rm -f ${eccpara} ${eccpub1} ${eccctr1} ${context_file} ${ecdh_ctx} ${ecdh_pub} ${ecdh_priv} ${ecdh_keygenpub} ${ecdh_z1} ${ecdh_z2} ++} ++trap cleanup EXIT ++ ++tpm2 geteccparameters ecc_sm2 ${quiet} -o ${eccpara} ++tpm2 ecephemeral ${quiet} -u ${eccpub1} -t ${eccctr1} ecc_sm2 ++ ++tpm2 createprimary ${quiet} -C o -c ${context_file} -g sm3_256 -G ecc_sm2:null:sm4128cfb ++ ++tpm2 create ${quiet} -C ${context_file} -c ${ecdh_ctx} -u ${ecdh_pub} -r ${ecdh_priv} -G ecc_sm2:ecdh-sm3_256 -g sm3_256 ++ ++tpm2 ecdhkeygen ${quiet} -u ${ecdh_keygenpub} -o ${ecdh_z1} -c ${ecdh_ctx} ++ ++tpm2 ecdhzgen ${quiet} -u ${ecdh_keygenpub} -o ${ecdh_z2} -c ${ecdh_ctx} ++ ++diff ${ecdh_z1} ${ecdh_z2} +diff --git a/test/integration/tests_gm/test_tpm2_encryptdecrypt.sh b/test/integration/tests_gm/test_tpm2_encryptdecrypt.sh +new file mode 100755 +index 00000000..ca1477b1 +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_encryptdecrypt.sh +@@ -0,0 +1,26 @@ ++#!/bin/bash ++ ++quiet=-Q ++context_file=/tmp/context ++input_file=/tmp/input ++input_raw=/tmp/input_raw ++output_file=/tmp/output ++password=123456 ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" 
++ exit 1 ++} ++trap onerror ERR ++ ++cleanup() { ++ rm -f ${context_file} ${input_file} ${input_raw} ${output_file} ++} ++trap cleanup EXIT ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G sm4128cbc -c ${context_file} -p ${password} -a "sign|decrypt|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent" ++tpm2 encryptdecrypt ${quiet} -p ${password} -c ${context_file} -o ${output_file} ${input_file} 2>/dev/null ++tpm2 encryptdecrypt ${quiet} -p ${password} -c ${context_file} -o ${input_raw} -d ${output_file} 2>/dev/null ++diff ${input_file} ${input_raw} ++ +diff --git a/test/integration/tests_gm/test_tpm2_hash.sh b/test/integration/tests_gm/test_tpm2_hash.sh +new file mode 100755 +index 00000000..0d886180 +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_hash.sh +@@ -0,0 +1,24 @@ ++#!/bin/bash ++ ++quiet=-Q ++context_file=/tmp/context ++input_file=/tmp/input ++output_file=/tmp/output ++password=123456 ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" 
++ exit 1 ++} ++trap onerror ERR ++ ++cleanup() { ++ rm -f ${context_file} ${input_file} ${output_file} ++} ++trap cleanup EXIT ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G hmac:sm3_256 -c ${context_file} -p ${password} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent" ++tpm2 hmac ${quiet} -p ${password} -g sm3_256 -c ${context_file} -o ${output_file} ${input_file} ++tpm2 hash ${quiet} -g sm3_256 -o ${output_file} ${input_file} ++ +diff --git a/test/integration/tests_gm/test_tpm2_nv.sh b/test/integration/tests_gm/test_tpm2_nv.sh +new file mode 100755 +index 00000000..c4888f5a +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_nv.sh +@@ -0,0 +1,67 @@ ++#!/bin/bash ++ ++quiet=-Q ++input_file=/tmp/input ++output_file=/tmp/output ++context_sig_file=/tmp/context.sig ++attest_file=/tmp/attest ++sig_file=/tmp/sig ++digest_file=/tmp/digest ++password=123456 ++nv_index=0x01500001 ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" 
++ exit 1 ++} ++trap onerror ERR ++ ++cleanup() { ++ rm -f ${input_file} ${output_file} ${context_sig_file} ${attest_file} ${sig_file} ++ tpm2 nvundefine ${quiet} -C o ${nv_index} 2>/dev/null || true ++ ++} ++trap cleanup EXIT ++ ++cleanup ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 nvdefine ${quiet} -C o -p ${password} -a "authread|authwrite" -s 32 -g sm3_256 ${nv_index} ++tpm2 nvundefine ${quiet} -C o ${nv_index} ++tpm2 nvdefine ${quiet} ${nv_index} -C o -s 32 -a "policyread|policywrite|authread|authwrite|ownerwrite|ownerread|read_stclear|writedefine" -p ${password} -g sm3_256 ++tpm2 nvreadpublic ${quiet} ${nv_index} > ${output_file} ++tpm2 nvwrite ${quiet} ${nv_index} -P ${password} -i ${input_file} ++tpm2 nvread ${quiet} -P ${password} ${nv_index} -o ${output_file} ++tpm2 nvreadlock ${quiet} -C o ${nv_index} ++tpm2 nvwritelock ${quiet} -C o ${nv_index} ++tpm2 nvwrite ${quiet} ${nv_index} -P ${password} -i ${input_file} 2>/dev/null || true ++tpm2 nvread ${quiet} -P ${password} ${nv_index} 2>/dev/null || true ++tpm2 nvundefine ${quiet} -C o ${nv_index} ++ ++tpm2 nvdefine ${quiet} -C o -a "nt=extend|ownerread|policywrite|ownerwrite" ${nv_index} -g sm3_256 ++echo -n "01234567890123456789012345678901" | tpm2 nvextend ${quiet} -C o -i- ${nv_index} ++tpm2 nvundefine ${quiet} -C o ${nv_index} ++ ++tpm2 nvdefine ${quiet} -C o -P "" -a "nt=counter|authread|authwrite|ownerread|ownerwrite|writedefine" ${nv_index} -g sm3_256 ++tpm2 nvincrement ${quiet} -C o -P "" ${nv_index} ++tpm2 nvundefine ${quiet} -C o ${nv_index} ++ ++bits=0xbadc0de ++tpm2 nvdefine ${quiet} -C o -P "" -a "nt=bits|ownerread|policywrite|ownerwrite|writedefine" ${nv_index} -g sm3_256 ++tpm2 nvsetbits ${quiet} -C o -P "" -i ${bits} ${nv_index} ++check=$(tpm2 nvread -C o -P "" ${nv_index} | xxd -p | sed s/'^0*'/0x/) ++tpm2 nvundefine ${quiet} -C o ${nv_index} ++if [ "${check}" != "${bits}" ];then ++ echo "tpm2_nvsetbits fail" ++ exit 1 ++fi ++ ++tpm2 nvdefine ${quiet} ${nv_index} 
-C o -s 32 -a "authread|authwrite|ownerwrite|ownerread" -p ${password} -g sm3_256 -s 32 ++dd if=/dev/urandom bs=1 count=32 status=none| tpm2 nvwrite ${quiet} -P ${password} -i- ${nv_index} ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G "ecc_sm2:sm2-sm3_256:null" -c ${context_sig_file} -p ${password} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent" ++ ++tpm2 nvcertify ${quiet} -C ${context_sig_file} -c ${nv_index} -p ${password} -P ${password} -g sm3_256 --attestation ${attest_file} -o ${sig_file} -s sm2 ${nv_index} ++tpm2 nvundefine ${quiet} -C o ${nv_index} ++tpm2 hash -g sm3_256 -o ${digest_file} ${attest_file} ++tpm2 verifysignature ${quiet} -d ${digest_file} -s ${sig_file} -c ${context_sig_file} ++ +diff --git a/test/integration/tests_gm/test_tpm2_pcr.sh b/test/integration/tests_gm/test_tpm2_pcr.sh +new file mode 100755 +index 00000000..02d5c745 +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_pcr.sh +@@ -0,0 +1,23 @@ ++#!/bin/bash ++ ++quiet=-Q ++input_file=/tmp/input ++pcrs_file=/tmp/pcrs ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" 
++ exit 1 ++} ++trap onerror ERR ++ ++cleanup() { ++ rm -f ${input_file} ${pcrs_file} ++} ++trap cleanup EXIT ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 pcrreset ${quiet} 16 23 ++tpm2 pcrread ${quiet} sm3_256:0,1,8,9 -o ${pcrs_file} ++tpm2 pcrevent ${quiet} ${input_file} ++tpm2 pcrextend ${quiet} 16:sm3_256="2b14a1fc49869413b0beb707069cffc0c6b0a51f3fedb9ce072c80709652b3ae" ++ +diff --git a/test/integration/tests_gm/test_tpm2_policy.sh b/test/integration/tests_gm/test_tpm2_policy.sh +new file mode 100755 +index 00000000..155e986e +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_policy.sh +@@ -0,0 +1,187 @@ ++#!/bin/bash ++ ++quiet=-Q ++context_file=/tmp/context ++context_load_file=/tmp/context_load ++pub_file=/tmp/pub ++priv_file=/tmp/priv ++input_file=/tmp/input ++policy_digest_file=/tmp/policy_digest ++digest_file=/tmp/digest ++session_file=/tmp/session ++sig_file=/tmp/sig ++name_file=/tmp/name ++timeout_file=/tmp/timeout ++ticket_file=/tmp/ticket ++new_parent_file=/tmp/new_parent ++source_parent_file=/tmp/source_parent ++new_parent_name_file=/tmp/new_parent_name ++duplicable_file=/tmp/duplicable ++duplicable_name_file=/tmp/duplicable_name ++duplicated_seed_file=/tmp/duplicated_seed ++digest_file=/tmp/digest ++nv_index=0x01500001 ++password=123456 ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" 
++ exit 1 ++} ++trap onerror ERR ++ ++cleanup() { ++ rm -f ${context_file} ${context_load_file} ${pub_file} ${priv_file} ${input_file} ${policy_digest_file} ${digest_file} ${session_file} ${sig_file} ${name_file} ${timeout_file} ${ticket_file} ${new_parent_file} ${source_parent_file} ${new_parent_name_file} ${duplicable_file} ${duplicable_name_file} ${duplicated_seed_file} ++ tpm2 nvundefine ${quiet} -C o ${nv_index} 2>/dev/null || true ++} ++trap cleanup EXIT ++ ++cleanup ++ ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${context_file} ++tpm2 startauthsession ${quiet} --policy-session -c ${context_file} -g sm3_256 -G sm4 -S ${session_file} ++tpm2 policypcr ${quiet} -l sm3_256:0,1,8,9 -S ${session_file} -L ${policy_digest_file} ++tpm2 setprimarypolicy ${quiet} -C o -P "" -L ${policy_digest_file} -g sm3_256 ++tpm2 setprimarypolicy ${quiet} -C o -P session:${session_file} -L ${policy_digest_file} -g sm3_256 ++tpm2 flushcontext ${session_file} ++ ++tpm2 startauthsession ${quiet} --policy-session -g sm3_256 -S ${session_file} ++tpm2 policypcr ${quiet} -l sm3_256:0,1,8,9 -S ${session_file} -L ${policy_digest_file} ++tpm2 policyor ${quiet} -L ${digest_file} -S ${session_file} -l sm3_256:${policy_digest_file},${policy_digest_file} ++tpm2 policypassword ${quiet} -S ${session_file} -L ${policy_digest_file} ++tpm2 policycommandcode ${quiet} -S ${session_file} -L ${policy_digest_file} TPM2_CC_PCR_Reset ++tpm2 policyrestart ${quiet} -S ${session_file} ++tpm2 policytemplate ${quiet} -L ${digest_file} -S ${session_file} --template-hash ${policy_digest_file} ++tpm2 policylocality ${quiet} -S ${session_file} -L ${policy_digest_file} 1 ++tpm2 flushcontext ${session_file} ++ ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G "ecc_sm2:sm2-sm3_256:null" -c ${context_file} -p ${password} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent" ++tpm2 startauthsession ${quiet} --policy-session -g sm3_256 -S ${session_file} ++tpm2 policysigned 
${quiet} -S ${session_file} -c ${context_file} --raw-data ${input_file} ++tpm2 hash -g sm3_256 -o ${digest_file} ${input_file} ++tpm2 sign ${quiet} -p ${password} -g sm3_256 -c ${context_file} -o ${sig_file} -s sm2 -d ${digest_file} ++tpm2 policysigned ${quiet} -S ${session_file} -g sm3_256 -c ${context_file} -s ${sig_file} -L ${policy_digest_file} ++tpm2 flushcontext ${session_file} ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${context_file} -p ${password} ++tpm2 create ${quiet} -g sm3_256 -u ${pub_file} -r ${priv_file} -C ${context_file} -i ${input_file} -P ${password} ++tpm2 load ${quiet} -C ${context_file} -u ${pub_file} -r ${priv_file} -c ${context_load_file} -P ${password} -n ${name_file} ++tpm2 startauthsession ${quiet} --policy-session -g sm3_256 -S ${session_file} ++tpm2 policysecret ${quiet} -L ${policy_digest_file} -S ${session_file} -c ${context_load_file} --ticket ${ticket_file} --timeout ${timeout_file} -t -1000000 ++tpm2 policyticket ${quiet} -L ${policy_digest_file} -S ${session_file} -n ${name_file} --ticket ${ticket_file} --timeout ${timeout_file} ++tpm2 policyrestart ${quiet} -S ${session_file} ++tpm2 flushcontext ${session_file} ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 startauthsession ${quiet} --policy-session -g sm3_256 -S ${session_file} ++tpm2 policynamehash ${quiet} -L ${policy_digest_file} -S ${session_file} -n ${input_file} ++tpm2 flushcontext ${session_file} ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 nvdefine ${quiet} -C o -p ${password} ${nv_index} -a "authread|authwrite" -s 34 -g sm3_256 ++tpm2 startauthsession ${quiet} -S ${session_file} -g sm3_256 ++tpm2 policypcr ${quiet} -S ${session_file} -l sm3_256:0,1,8,9 -L ${policy_digest_file} ++tpm2 flushcontext ${session_file} ++echo "0012" | xxd -p -r | cat - ${policy_digest_file} | tpm2 nvwrite ${quiet} -C ${nv_index} -P ${password} 
${nv_index} -i- #0012 is sm3_256 ++tpm2 startauthsession ${quiet} -S ${session_file} --policy-session -g sm3_256 ++tpm2 policypcr ${quiet} -S ${session_file} -l sm3_256:0,1,8,9 -L ${policy_digest_file} ++tpm2 policyauthorizenv ${quiet} -S ${session_file} -C ${nv_index} -P ${password} ${nv_index} -L ${policy_digest_file} ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${context_file} -p ${password} ++tpm2 create ${quiet} -g sm3_256 -u ${pub_file} -r ${priv_file} -C ${context_file} -i ${input_file} -P ${password} -L ${policy_digest_file} ++tpm2 load ${quiet} -C ${context_file} -u ${pub_file} -r ${priv_file} -c ${context_load_file} -P ${password} -n ${name_file} ++tpm2 unseal ${quiet} -c ${context_load_file} -p session:${session_file} >/dev/null ++tpm2 evictcontrol ${quiet} -c ${context_load_file} 0x81010003 ++tpm2 evictcontrol ${quiet} -c 0x81010003 0x81010003 ++tpm2 flushcontext ${session_file} ++tpm2 nvundefine ${quiet} -C o ${nv_index} ++ ++policynv_test_case() { ++ tpm2 startauthsession ${quiet} -S ${session_file} --policy-session -g sm3_256 ++ echo $operandB | xxd -r -p | tpm2 policynv ${quiet} -S ${session_file} -i- -P ${password} ${nv_index} $1 ++ tpm2 flushcontext ${session_file} ++} ++ ++operandA=0x81 ++tpm2 nvdefine ${quiet} -C o -p ${password} ${nv_index} -a "authread|authwrite" -s 2 -g sm3_256 ++echo $operandA | xxd -r -p | tpm2 nvwrite ${quiet} -P ${password} -i- ${nv_index} ++ ++# Perform comparison operation "eq" ++operandB=0x81 ++policynv_test_case eq ++ ++# Perform comparison operation "neq" ++operandB=0x80 ++policynv_test_case neq ++ ++# Perform comparison operation "sgt" ++operandB=0x82 ++policynv_test_case sgt ++ ++# Perform comparison operation "ugt" ++operandB=0x80 ++policynv_test_case ugt ++ ++# Perform comparison operation "slt" ++operandB=0x80 ++policynv_test_case slt ++ ++# Perform comparison operation "ult" ++operandB=0x82 ++policynv_test_case ult ++ ++# Perform comparison operation "sge" ++operandB=0x82 
++policynv_test_case sge ++operandB=0x81 ++policynv_test_case sge ++ ++# Perform comparison operation "uge" ++operandB=0x80 ++policynv_test_case uge ++operandB=0x81 ++policynv_test_case uge ++ ++# Perform comparison operation "sle" ++operandB=0x80 ++policynv_test_case sle ++operandB=0x81 ++policynv_test_case sle ++ ++# Perform comparison operation "ule" ++operandB=0x82 ++policynv_test_case ule ++operandB=0x81 ++policynv_test_case ule ++ ++# Perform comparison operation "bs" ++operandB=0x81 ++policynv_test_case bs ++ ++# Perform comparison operation "bc" ++operandB=0x7E ++policynv_test_case bc ++ ++tpm2 nvundefine ${quiet} -C o ${nv_index} ++ ++tpm2 startauthsession ${quiet} -g sm3_256 -S ${session_file} --policy-session ++tpm2 policycommandcode ${quiet} -S $session_file TPM2_CC_NV_Write ++tpm2 policynvwritten ${quiet} -S ${session_file} -L ${policy_digest_file} c ++tpm2 nvdefine ${quiet} -s 1 -a "authread|policywrite" -p ${password} -L ${policy_digest_file} -g sm3_256 ${nv_index} ++echo 0xAA | xxd -r -p | tpm2 nvwrite ${quiet} ${nv_index} -i- -P session:${session_file} ++echo 0xAA | xxd -r -p | tpm2 nvwrite ${quiet} ${nv_index} -i- -P session:${session_file} 2>/dev/null || true ++tpm2 flushcontext ${session_file} ++tpm2 nvundefine ${quiet} -C o ${nv_index} ++ ++tpm2 createprimary ${quiet} -C n -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${new_parent_file} ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G ecc_sm2:null:sm4128cfb -c ${source_parent_file} ++tpm2 readpublic ${quiet} -c ${new_parent_file} -n ${new_parent_name_file} ++tpm2 startauthsession ${quiet} -S ${session_file} -g sm3_256 ++tpm2 policyduplicationselect ${quiet} -S ${session_file} -N ${new_parent_name_file} -L ${policy_digest_file} ++tpm2 flushcontext ${session_file} ++tpm2 create ${quiet} -C ${source_parent_file} -g sm3_256 -G ecc_sm2:sm2-sm3_256:null -u ${pub_file} -r ${priv_file} -L ${policy_digest_file} -a "sensitivedataorigin|sign" -c ${duplicable_file} ++tpm2 readpublic ${quiet} -c 
${duplicable_file} -n ${duplicable_name_file} ++tpm2 startauthsession ${quiet} -S ${session_file} --policy-session -g sm3_256 ++tpm2 policyduplicationselect ${quiet} -S ${session_file} -N ${new_parent_name_file} -n ${duplicable_name_file} ++tpm2 duplicate ${quiet} -C ${new_parent_file} -c ${duplicable_file} -G null -p session:${session_file} -r ${priv_file} -s ${duplicated_seed_file} ++tpm2 flushcontext ${session_file} ++ +diff --git a/test/integration/tests_gm/test_tpm2_random.sh b/test/integration/tests_gm/test_tpm2_random.sh +new file mode 100755 +index 00000000..0ce461ee +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_random.sh +@@ -0,0 +1,21 @@ ++#!/bin/bash ++ ++quiet=-Q ++input_file=/tmp/input ++output_file=/tmp/output ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" ++ exit 1 ++} ++trap onerror ERR ++ ++cleanup() { ++ rm -f ${input_file} ${output_file} ++} ++trap cleanup EXIT ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 stirrandom ${quiet} ${input_file} ++tpm2 getrandom ${quiet} -f 32 -o ${output_file} ++ +diff --git a/test/integration/tests_gm/test_tpm2_selftest.sh b/test/integration/tests_gm/test_tpm2_selftest.sh +new file mode 100755 +index 00000000..d7a9c67a +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_selftest.sh +@@ -0,0 +1,13 @@ ++#!/bin/bash ++ ++quiet=-Q ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" 
++ exit 1 ++} ++trap onerror ERR ++ ++tpm2 selftest ${quiet} -f ++tpm2 incrementalselftest ${quiet} sm2 sm3_256 sm4 ++tpm2 gettestresult ${quiet} +diff --git a/test/integration/tests_gm/test_tpm2_sign.sh b/test/integration/tests_gm/test_tpm2_sign.sh +new file mode 100755 +index 00000000..09911e5c +--- /dev/null ++++ b/test/integration/tests_gm/test_tpm2_sign.sh +@@ -0,0 +1,24 @@ ++#!/bin/bash ++ ++quiet=-Q ++context_file=/tmp/context ++input_file=/tmp/input ++sig_file=/tmp/sig ++password=123456 ++ ++onerror() { ++ echo "$BASH_COMMAND on line ${BASH_LINENO[0]} failed: $?" ++ exit 1 ++} ++trap onerror ERR ++ ++cleanup() { ++ rm -f ${context_file} ${input_file} ${sig_file} ++} ++trap cleanup EXIT ++ ++echo -n "01234567890123456789012345678901" >${input_file} ++tpm2 createprimary ${quiet} -C o -g sm3_256 -G "ecc_sm2:sm2-sm3_256:null" -c ${context_file} -p ${password} -a "sign|noda|sensitivedataorigin|userwithauth|fixedtpm|fixedparent" ++tpm2 sign ${quiet} -p ${password} -g sm3_256 -c ${context_file} -o ${sig_file} -s sm2 ${input_file} ++tpm2 verifysignature ${quiet} -g sm3_256 -s ${sig_file} -c ${context_file} -m ${input_file} ++ +-- +2.17.1 + diff --git a/tpm2-tools.spec b/tpm2-tools.spec index a3dde8b..6387ea4 100644 --- a/tpm2-tools.spec +++ b/tpm2-tools.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 Name: tpm2-tools Version: 5.7 @@ -9,6 +9,10 @@ License: BSD URL: https://github.com/tpm2-software/tpm2-tools Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/%{name}-%{version}.tar.gz +Patch0: Hygon-add-ecc-encrypt-decrypt-commands-supp.patch +Patch1: Hygon-add-tpm-test-cases.patch +Patch2: Hygon-add-tcm-test-cases.patch + BuildRequires: make BuildRequires: gcc-c++ BuildRequires: libtool @@ -39,6 +43,7 @@ Doc files for %{name} %autosetup -p1 -n %{name}-%{version} %build +autoreconf -vif %configure --prefix=/usr --disable-static --disable-silent-rules %make_build 
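Review bot: In test.sh's test_wrapper the leftover-persistent-handle check can never fail a test: when `failed_checks` is set the code runs a bare `false`, whose status is discarded, and the PASSED/FAILED branch still tests the `rc` captured from `wait` before the check. Replace that `false` with `rc=1` so a script that leaves persistent objects loaded is reported as FAILED and counted in `fail`. Separately, every test_tpm2_*.sh script writes key material and auth state (`/tmp/priv`, `/tmp/private.ecc.pem`, object contexts, session and policy blobs) to fixed, predictable paths in the shared /tmp directory; a per-run `tmpdir=$(mktemp -d)` with `rm -rf -- "${tmpdir:?}"` in cleanup avoids clobbering between concurrent runs and pre-existing files or symlinks planted by other local users, and the tests_tcm scripts in the preceding hunk appear to follow the same fixed-path pattern. test.sh's `tests=\`ls test_tpm2_*.sh\``, `tests="$@"` and unquoted `for t in $tests` would be more robust as a glob into an array iterated with `"${tests[@]}"`.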
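Review bot: The new `autoreconf -vif` in %build regenerates configure and the Makefiles, but the BuildRequires visible around the Patch entries only declare `libtool`; unless autoconf and automake are already listed elsewhere in the spec, the build will fail in a clean chroot, so add `BuildRequires: autoconf` and `BuildRequires: automake` beside libtool. Patch0–Patch2 are git-format patches and are picked up by the existing `%autosetup -p1`, which is consistent. Lines of the spec outside this hunk are not shown, so the missing BuildRequires may already be present.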
@@ -61,6 +66,11 @@ Doc files for %{name} %doc docs/README.md docs/CHANGELOG.md %changelog +* Sat Oct 12 2024 chench -5.7-2 +- add tcm ecc encrypt/decrypt commands support +- add tcm test cases +- add tpm test cases + * Thu Aug 01 2024 Kaiqiang Wang - 5.7-1 - update to 5.7 - fix CVE-2024-29039 -- Gitee