From 790d3ba1491261e59c781d0364df5f5e7b532135 Mon Sep 17 00:00:00 2001
From: Tom D <40675700+twitchy-jsonp@users.noreply.github.com>
Date: Wed, 3 Apr 2019 12:19:25 -0700
Subject: [PATCH] Script setup of fake filesystem objects for tpm12 tests, fix build of tpm12 tests. (#5)
---
 attest/attest_simulated_tpm20_test.go | 6 +--
 attest/attest_tpm12_test.go | 5 +-
 ci/setup_tests_fs.sh | 78 +++++++++++++++++++++++++++
 3 files changed, 84 insertions(+), 5 deletions(-)
 create mode 100755 ci/setup_tests_fs.sh
diff --git a/attest/attest_simulated_tpm20_test.go b/attest/attest_simulated_tpm20_test.go
index 8ddd627..c4bc691 100644
--- a/attest/attest_simulated_tpm20_test.go
+++ b/attest/attest_simulated_tpm20_test.go
@@ -99,8 +99,8 @@ func TestAIKCreateAndLoad(t *testing.T) {
 }
 }
-// chooseEK selects the EK public which will be activated against.
-func chooseEK(t *testing.T, eks []PlatformEK) crypto.PublicKey {
+// chooseEKPub selects the EK public which will be activated against.
+func chooseEKPub(t *testing.T, eks []PlatformEK) crypto.PublicKey {
 t.Helper()
 for _, ek := range eks {
@@ -129,7 +129,7 @@ func TestActivateCredentialTPM20(t *testing.T) {
 if err != nil {
 t.Fatalf("EKs() failed: %v", err)
 }
- ek := chooseEK(t, EKs)
+ ek := chooseEKPub(t, EKs)
 att, err := tpm2.DecodeAttestationData(aik.CreateAttestation)
 if err != nil {
diff --git a/attest/attest_tpm12_test.go b/attest/attest_tpm12_test.go
index dbbdf60..e69beb5 100644
--- a/attest/attest_tpm12_test.go
+++ b/attest/attest_tpm12_test.go
@@ -150,7 +150,8 @@ func TestTPMQuote(t *testing.T) {
 t.Logf("Quote{version: %v, quote: %x, signature: %x}\n", quote.Version, quote.Quote, quote.Signature)
 }
-func chooseEK(t *testing.T, eks []PlatformEK) []byte {
+// chooseEKCertRaw selects the EK cert which will be activated against.
+func chooseEKCertRaw(t *testing.T, eks []PlatformEK) []byte {
 t.Helper()
 for _, ek := range eks {
@@ -186,7 +187,7 @@ func TestTPMActivateCredential(t *testing.T) {
 if err != nil {
 t.Fatalf("failed to read EKs: %v", err)
 }
- ekcert := chooseEK(t, EKs)
+ ekcert := chooseEKCertRaw(t, EKs)
 challenge.Credential, challenge.Secret, err = verification.GenerateChallenge(ekcert, aik.Public, nonce)
 if err != nil {
diff --git a/ci/setup_tests_fs.sh b/ci/setup_tests_fs.sh
new file mode 100755
index 0000000..479a933
--- /dev/null
+++ b/ci/setup_tests_fs.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+###############################################################################
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+################################################################################
+#
+# Sets up a root filesystem with files that symbolize the presence of a fake
+# hardware VM. This filesystem can be chrooted into to run tests.
+# USAGE: ./setup_tests_fs.sh
+set -e
+
+BASE_DIR="${1%/}" # Trim any trailing slash.
+
+setup_base () {
+ if [[ ! -d "${BASE_DIR}" ]] && [[ -e "${BASE_DIR}" ]]; then
+ >&2 echo "Error: '${BASE_DIR}' is not a directory."
+ exit 1
+ fi
+ if [[ ! -e "${BASE_DIR}" ]]; then
+ mkdir -pv "${BASE_DIR}"
+ else
+ sudo umount ${BASE_DIR}/* || true
+ rm -rfv ${BASE_DIR}/*
+ fi
+}
+
+setup_mounts () {
+ mkdir -v "${BASE_DIR}/bin"
+ sudo mount --bind /bin "${BASE_DIR}/bin"
+ mkdir -v "${BASE_DIR}/usr"
+ sudo mount --bind /usr "${BASE_DIR}/usr"
+ mkdir -v "${BASE_DIR}/var"
+ sudo mount --bind /var "${BASE_DIR}/var"
+ mkdir -v "${BASE_DIR}/tmp"
+ sudo mount --bind /tmp "${BASE_DIR}/tmp"
+ mkdir -v "${BASE_DIR}/lib"
+ sudo mount --bind /lib "${BASE_DIR}/lib"
+ mkdir -v "${BASE_DIR}/lib64"
+ sudo mount --bind /lib64 "${BASE_DIR}/lib64"
+ mkdir -v "${BASE_DIR}/dev"
+ sudo mount --bind /dev "${BASE_DIR}/dev"
+ mkdir -v "${BASE_DIR}/etc"
+ sudo mount --bind /etc "${BASE_DIR}/etc"
+ mkdir -v "${BASE_DIR}/opt"
+ sudo mount --bind /opt "${BASE_DIR}/opt"
+ mkdir -v "${BASE_DIR}/proc"
+ sudo mount --bind /proc "${BASE_DIR}/proc"
+ mkdir -v "${BASE_DIR}/root"
+ sudo mount --bind /root "${BASE_DIR}/root"
+ mkdir -v "${BASE_DIR}/run"
+ sudo mount --bind /run "${BASE_DIR}/run"
+ mkdir -v "${BASE_DIR}/home"
+ sudo mount --bind /home "${BASE_DIR}/home"
+
+ if [[ -d "/tmpfs" ]]; then
+ mkdir -v "${BASE_DIR}/tmpfs"
+ sudo mount --bind /tmpfs "${BASE_DIR}/tmpfs"
+ fi
+}
+
+setup_sys_overlay () {
+ mkdir -pv "${BASE_DIR}/sys/class/tpm/tpm0"
+ touch "${BASE_DIR}/sys/class/tpm/tpm0/caps"
+}
+
+setup_base
+setup_mounts
+setup_sys_overlay
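Review bot: In setup_base's else branch, `sudo umount ${BASE_DIR}/* || true` discards an unmount failure, so the following `rm -rfv ${BASE_DIR}/*` can descend through bind mounts of /bin, /usr, /etc, /home and the others that are still attached and delete host files on a re-run. Both expansions are also unquoted, so a base path containing whitespace is split into separate arguments to `rm -rf`. An empty or missing `$1` is caught only incidentally by `mkdir` failing, and an argument of `//` trims to `/`, which reaches this same branch. I would reject an empty or root BASE_DIR up front, unmount only the entries that `mountpoint -q` reports as mounted, and let `set -e` abort before the `rm` if any unmount fails.

```shell
setup_base () {
  if [[ -z "${BASE_DIR}" || "${BASE_DIR}" == "/" ]]; then
    >&2 echo "Error: a base directory other than '/' is required."
    exit 1
  fi
  # … unchanged: not-a-directory check, mkdir -pv for a new directory …
  else
    local entry
    for entry in "${BASE_DIR}"/*; do
      # Unmount only real mount points; under set -e a failed umount stops
      # the script before rm can follow a live bind mount into the host.
      if mountpoint -q "${entry}"; then
        sudo umount "${entry}"
      fi
    done
    rm -rfv "${BASE_DIR:?}"/*
  fi
}
```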