Implement full coverage for TPM 1.2 tests. (#7)

* Generate and store a fake EK certificate in TPM 1.2 test setup.

* Fix run of gen_ekcert.go

* Write out NVRAM cert header when generating ek cert

* Remove build flag gating tpm12 tests.

attest/attest_tpm12_test.go

@@ -12,8 +12,6 @@
 // License for the specific language governing permissions and limitations under
 // the License.
 
-// +build tpm12
-
 package attest
 
 import (

ci/gen_ekcert.go

@@ -0,0 +1,104 @@
+package main
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/binary"
+	"encoding/hex"
+	"flag"
+	"fmt"
+	"math/big"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+)
+
+var simulatorStatePath = flag.String("state_path", "/tmp/sim/NVRAM/00.permall", "Path to ibmswtpm state file")
+
+func ekPub() *rsa.PublicKey {
+	out, err := exec.Command("tpm_getpubek", "-z").Output()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+
+	spl := strings.Split(string(out), "Public Key:")
+	hexKey := strings.NewReplacer(" ", "", "\n", "", "\r", "", "\t", "").Replace(spl[1])
+
+	modBytes, err := hex.DecodeString(hexKey)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+	return &rsa.PublicKey{
+		N: new(big.Int).SetBytes(modBytes),
+		E: 65537,
+	}
+}
+
+func generateCertificate(pub *rsa.PublicKey) []byte {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"Acme Co"},
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().AddDate(1, 0, 0),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+	return derBytes
+}
+
+func main() {
+	flag.Parse()
+	certBytes := generateCertificate(ekPub())
+
+	f, err := os.OpenFile("/tmp/ekcert", os.O_RDWR|os.O_TRUNC|os.O_CREATE, 0755)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Write the header as documented in: TCG PC Specific Implementation
+	// Specification, section 7.3.2.
+	f.Write([]byte{0x10, 0x01, 0x00})
+	certLength := make([]byte, 2)
+	binary.BigEndian.PutUint16(certLength, uint16(len(certBytes)))
+	f.Write(certLength)
+
+	f.Write(certBytes)
+	f.Close()
+
+	cmd := exec.Command("tpm_nvwrite", "-z", "-i", "268496896", "-f", "/tmp/ekcert")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+
+}

ci/setup_tpm12_simulator.sh

@@ -26,6 +26,7 @@ if [[ "${1}" == "" ]]; then
   exit 1
 fi
 
+PROJECT_ROOT=$(pwd)
 BUILD_BASE="${1%/}" # Trim any trailing slash.
 SIMULATOR_SRC="${BUILD_BASE}/simulator"
 
@@ -86,8 +87,6 @@ setup_tpm () {
   ${SIMULATOR_SRC}/libtpm/utils/tpminit
   echo "Starting the TPM..."
   ${SIMULATOR_SRC}/libtpm/utils/tpmbios -cs
-  echo "Allocating NVRAM..."
-  ${SIMULATOR_SRC}/libtpm/utils/nv_definespace -in 1000f000 -sz 3200
 
   ${SIMULATOR_SRC}/libtpm/utils/tpminit
   ${SIMULATOR_SRC}/libtpm/utils/tpmbios -cs
@@ -102,6 +101,8 @@ run_tcsd () {
   sleep 1
   tpm_createek
   tpm_takeownership -yz
+  tpm_nvdefine -i 268496896 -z -s 3800 -p OWNERWRITE
+  go run -v "${PROJECT_ROOT}/ci/gen_ekcert.go"
   sleep 1
 }