diff --git a/test/integration/esys-event-sequence-complete.int.c b/test/integration/esys-event-sequence-complete.int.c index 91ee9525c..66e075d4e 100644 --- a/test/integration/esys-event-sequence-complete.int.c +++ b/test/integration/esys-event-sequence-complete.int.c @@ -82,6 +82,14 @@ test_esys_event_sequence_complete(ESYS_CONTEXT * esys_context) &results); goto_if_error(r, "Error: EventSequenceComplete", error); + r = Esys_PCR_Reset( + esys_context, + pcrHandle_handle, + ESYS_TR_PASSWORD, + ESYS_TR_NONE, + ESYS_TR_NONE); + goto_if_error(r, "Error: PCR_Reset", error); + Esys_Free(results); return EXIT_SUCCESS; diff --git a/test/integration/esys-pcr-basic.int.c b/test/integration/esys-pcr-basic.int.c index 38fa5ef36..14e9afc6f 100644 --- a/test/integration/esys-pcr-basic.int.c +++ b/test/integration/esys-pcr-basic.int.c @@ -112,7 +112,14 @@ test_esys_pcr_basic(ESYS_CONTEXT * esys_context) ESYS_TR_NONE, &eventData, &digestsEvent); + goto_if_error(r, "Error: PCR_Reset", error); + r = Esys_PCR_Reset( + esys_context, + pcrHandle_handle, + ESYS_TR_PASSWORD, + ESYS_TR_NONE, + ESYS_TR_NONE); goto_if_error(r, "Error: PCR_Reset", error); TPMI_YES_NO allocationSuccess; diff --git a/test/integration/fapi-quote-destructive-eventlog.int.c b/test/integration/fapi-quote-destructive-eventlog.int.c index 3e5da1085..b6a9ad930 100644 --- a/test/integration/fapi-quote-destructive-eventlog.int.c +++ b/test/integration/fapi-quote-destructive-eventlog.int.c @@ -1043,9 +1043,6 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) 0x00, 0x00, }; - r = pcr_reset(context, 16); - goto_if_error(r, "Error pcr_reset", error); - r = Fapi_PcrExtend(context, 16, data, EVENT_SIZE, "{ \"test\": \"myfile\" }"); goto_if_error(r, "Error Fapi_PcrExtend", error); @@ -1118,6 +1115,9 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) ASSERT(pathlist != NULL); ASSERT(strlen(pathlist) > ASSERT_SIZE); + r = pcr_reset(context, 16); + goto_if_error(r, "Error pcr_reset", error); + r = Fapi_Delete(context, "/"); goto_if_error(r, "Error Fapi_Delete", error); @@ -1136,6 +1136,7 @@ test_fapi_quote_destructive(FAPI_CONTEXT *context) return EXIT_SUCCESS; error: + pcr_reset(context, 16); Fapi_Delete(context, "/"); SAFE_FREE(pubkey_pem); SAFE_FREE(signature); diff --git a/test/integration/fapi-quote-with-primary.int.c b/test/integration/fapi-quote-with-primary.int.c index 468376d31..93529b6f1 100644 --- a/test/integration/fapi-quote-with-primary.int.c +++ b/test/integration/fapi-quote-with-primary.int.c @@ -80,9 +80,6 @@ test_fapi_quote(FAPI_CONTEXT *context) 0x00, 0x00, }; - r = pcr_reset(context, 16); - goto_if_error(r, "Error pcr_reset", error); - r = Fapi_PcrExtend(context, 16, data, EVENT_SIZE, "{ \"test\": \"myfile\" }"); goto_if_error(r, "Error Fapi_PcrExtend", error); @@ -289,6 +286,9 @@ test_fapi_quote(FAPI_CONTEXT *context) ASSERT(strlen(pathlist) > ASSERT_SIZE); LOG_INFO("\nPathlist: %s\n", pathlist); + r = pcr_reset(context, 16); + goto_if_error(r, "Error pcr_reset", error); + r = Fapi_Delete(context, "/"); goto_if_error(r, "Error Fapi_Delete", error); @@ -305,6 +305,7 @@ test_fapi_quote(FAPI_CONTEXT *context) return EXIT_SUCCESS; error: + pcr_reset(context, 16); Fapi_Delete(context, "/"); if (jso) json_object_put(jso); diff --git a/test/integration/fapi-quote.int.c b/test/integration/fapi-quote.int.c index b112c669e..44e7bfefd 100644 --- a/test/integration/fapi-quote.int.c +++ b/test/integration/fapi-quote.int.c @@ -81,9 +81,6 @@ test_fapi_quote(FAPI_CONTEXT *context) 0x00, 0x00, }; - r = pcr_reset(context, 16); - goto_if_error(r, "Error pcr_reset", error); - r = Fapi_PcrExtend(context, 16, data, EVENT_SIZE, "{ \"test\": \"myfile\" }"); goto_if_error(r, "Error Fapi_PcrExtend", error); @@ -341,6 +338,9 @@ test_fapi_quote(FAPI_CONTEXT *context) goto error; } + r = pcr_reset(context, 16); + goto_if_error(r, "Error pcr_reset", error); + r = Fapi_Delete(context, "/"); goto_if_error(r, "Error Fapi_Delete", error); @@ -357,6 +357,7 @@ test_fapi_quote(FAPI_CONTEXT *context) return EXIT_SUCCESS; error: + pcr_reset(context, 16); Fapi_Delete(context, "/"); if (jso) json_object_put(jso); diff --git a/test/integration/test-common.c b/test/integration/test-common.c index bc459569a..8b87737a2 100644 --- a/test/integration/test-common.c +++ b/test/integration/test-common.c @@ -4,6 +4,8 @@ * * All rights reserved. ***********************************************************************/ +#include "tss2_sys.h" + #ifdef HAVE_CONFIG_H #include "config.h" // IWYU pragma: keep #endif @@ -44,7 +46,7 @@ struct { }; struct tpm_state { - TPMS_CAPABILITY_DATA capabilities[7]; + TPMS_CAPABILITY_DATA capabilities[sizeof(capabilities_to_dump) / sizeof(capabilities_to_dump[0])]; }; /** Define a proxy tcti that returns yielded on every second invocation @@ -235,6 +237,40 @@ transient_empty(TSS2_SYS_CONTEXT *sys_ctx) return EXIT_SUCCESS; } +int +pcr16_empty(TSS2_SYS_CONTEXT *sys_ctx) +{ + TSS2_RC rc; + TPML_DIGEST pcr_values = { 0 }; + TPML_PCR_SELECTION pcr_selection = { .count=1, .pcrSelections = { { .hash = TPM2_ALG_SHA256, .sizeofSelect = 3, .pcrSelect = { 0 } } } }; + pcr_selection.pcrSelections[0].pcrSelect[(16 / 8)] = 1 << (16 % 8); + + do { + rc = Tss2_Sys_PCR_Read(sys_ctx, NULL, + &pcr_selection, NULL, NULL, + &pcr_values, + NULL); + } while (rc == TPM2_RC_YIELDED); // TODO also for other cmds? + if (rc != TSS2_RC_SUCCESS) { + LOG_ERROR("TPM2_PCR_Read failed: 0x%" PRIx32, rc); + return EXIT_ERROR; + } + + if (pcr_values.count != 1) { + LOG_ERROR("TPM2_PCR_Read for PCR 16 in SHA256 did not return a value"); + } + + for (UINT16 i = 0; i < pcr_values.digests[0].size; i++) { + if (pcr_values.digests[0].buffer[i] != 0x00) { + LOGBLOB_ERROR(&pcr_values.digests[0].buffer[0], pcr_values.digests[0].size, + "PCR 16 in SHA256 is not 0x000..000"); + return EXIT_ERROR; + } + } + + return EXIT_SUCCESS; +} + int dumpstate(TSS2_SYS_CONTEXT *sys_ctx, tpm_state *state_first, bool compare) { @@ -390,6 +426,13 @@ test_sys_checks_pre(TSS2_TEST_SYS_CONTEXT *test_ctx) return ret; } + LOG_DEBUG("Running System API pre-test checks: pcr16 empty"); + ret = pcr16_empty(test_ctx->sys_ctx); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("PCR16 is not empty"); + return ret; + } + return EXIT_SUCCESS; } @@ -398,6 +441,13 @@ test_sys_checks_post(TSS2_TEST_SYS_CONTEXT *test_ctx) { int ret; + LOG_DEBUG("Running System API pre-test checks: transient handles empty"); + ret = transient_empty(test_ctx->sys_ctx); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("TPM contains transient objects."); + return ret; + } + LOG_DEBUG("Running System API post-test checks: dump capabilities"); ret = dumpstate(test_ctx->sys_ctx, test_ctx->tpm_state, 1); if (ret != EXIT_SUCCESS) { @@ -405,6 +455,13 @@ test_sys_checks_post(TSS2_TEST_SYS_CONTEXT *test_ctx) return ret; } + LOG_DEBUG("Running System API post-test checks: pcr16 empty"); + ret = pcr16_empty(test_ctx->sys_ctx); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("PCR16 is not empty"); + return ret; + } + return EXIT_SUCCESS; } @@ -533,6 +590,13 @@ test_esys_checks_pre(TSS2_TEST_ESYS_CONTEXT *test_ctx) return ret; } + LOG_DEBUG("Running System API pre-test checks: pcr16 empty"); + ret = pcr16_empty(sys_context); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("PCR16 is not empty"); + return ret; + } + return EXIT_SUCCESS; } @@ -549,6 +613,13 @@ test_esys_checks_post(TSS2_TEST_ESYS_CONTEXT *test_ctx) return EXIT_ERROR; } + LOG_DEBUG("Running System API pre-test checks: transient handles empty"); + ret = transient_empty(sys_context); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("TPM contains transient objects."); + return ret; + } + LOG_DEBUG("Running System API post-test checks: dump capabilities"); ret = dumpstate(sys_context, test_ctx->tpm_state, 1); if (ret != EXIT_SUCCESS) { @@ -556,6 +627,13 @@ test_esys_checks_post(TSS2_TEST_ESYS_CONTEXT *test_ctx) return ret; } + LOG_DEBUG("Running System API pre-test checks: pcr16 empty"); + ret = pcr16_empty(sys_context); + if (ret != EXIT_SUCCESS) { + LOG_ERROR("PCR16 is not empty"); + return ret; + } + return EXIT_SUCCESS; }