Test: Add pre and post check for PCR16 to be empty

The test harness for integration tests now check before and after every integration test invocation if PCR16 is empty to begin but also after the test. Signed-off-by: Andreas Fuchs <[email protected]>
tpm2-software · Jul 31, 2024 · 37c2c1e · 37c2c1e
1 parent cc18b1a
commit 37c2c1e
Showing 1 changed file with 80 additions and 1 deletion.
diff --git a/test/integration/test-common.c b/test/integration/test-common.c
@@ -4,6 +4,8 @@
  *
  * All rights reserved.
  ***********************************************************************/
+#include "tss2_sys.h"
+
 #ifdef HAVE_CONFIG_H
 #include "config.h" // IWYU pragma: keep
 #endif
@@ -44,7 +46,7 @@ struct {
 };
 
 struct tpm_state {
-    TPMS_CAPABILITY_DATA capabilities[7];
+    TPMS_CAPABILITY_DATA capabilities[sizeof(capabilities_to_dump) / sizeof(capabilities_to_dump[0])];
 };
 
 /** Define a proxy tcti that returns yielded on every second invocation
@@ -235,6 +237,40 @@ transient_empty(TSS2_SYS_CONTEXT *sys_ctx)
     return EXIT_SUCCESS;
 }
 
+int
+pcr16_empty(TSS2_SYS_CONTEXT *sys_ctx)
+{
+    TSS2_RC rc;
+    TPML_DIGEST pcr_values = { 0 };
+    TPML_PCR_SELECTION pcr_selection = { .count=1, .pcrSelections = { { .hash = TPM2_ALG_SHA256, .sizeofSelect = 3, .pcrSelect = { 0 } } } };
+    pcr_selection.pcrSelections[0].pcrSelect[(16 / 8)] = 1 << (16 % 8);
+
+    do {
+        rc = Tss2_Sys_PCR_Read(sys_ctx, NULL,
+                               &pcr_selection, NULL, NULL,
+                               &pcr_values,
+                               NULL);
+    } while (rc == TPM2_RC_YIELDED); // TODO also for other cmds?
+    if (rc != TSS2_RC_SUCCESS) {
+        LOG_ERROR("TPM2_PCR_Read failed: 0x%" PRIx32, rc);
+        return EXIT_ERROR;
+    }
+
+    if (pcr_values.count != 1) {
+        LOG_ERROR("TPM2_PCR_Read for PCR 16 in SHA256 did not return a value");
+    }
+
+    for (UINT16 i = 0; i < pcr_values.digests[0].size; i++) {
+        if (pcr_values.digests[0].buffer[i] != 0x00) {
+            LOGBLOB_ERROR(&pcr_values.digests[0].buffer[0], pcr_values.digests[0].size,
+                          "PCR 16 in SHA256 is not 0x000..000");
+            return EXIT_ERROR;
+        }
+    }
+
+    return EXIT_SUCCESS;
+}
+
 int
 dumpstate(TSS2_SYS_CONTEXT *sys_ctx, tpm_state *state_first, bool compare)
 {
@@ -390,6 +426,13 @@ test_sys_checks_pre(TSS2_TEST_SYS_CONTEXT *test_ctx)
         return ret;
     }
 
+    LOG_DEBUG("Running System API pre-test checks: pcr16 empty");
+    ret = pcr16_empty(test_ctx->sys_ctx);
+    if (ret != EXIT_SUCCESS) {
+        LOG_ERROR("PCR16 is not empty");
+        return ret;
+    }
+
     return EXIT_SUCCESS;
 }
 
@@ -398,13 +441,27 @@ test_sys_checks_post(TSS2_TEST_SYS_CONTEXT *test_ctx)
 {
     int ret;
 
+    LOG_DEBUG("Running System API pre-test checks: transient handles empty");
+    ret = transient_empty(test_ctx->sys_ctx);
+    if (ret != EXIT_SUCCESS) {
+        LOG_ERROR("TPM contains transient objects.");
+        return ret;
+    }
+
     LOG_DEBUG("Running System API post-test checks: dump capabilities");
     ret = dumpstate(test_ctx->sys_ctx, test_ctx->tpm_state, 1);
     if (ret != EXIT_SUCCESS) {
         LOG_ERROR("Error while performing TPM state checks.");
         return ret;
     }
 
+    LOG_DEBUG("Running System API post-test checks: pcr16 empty");
+    ret = pcr16_empty(test_ctx->sys_ctx);
+    if (ret != EXIT_SUCCESS) {
+        LOG_ERROR("PCR16 is not empty");
+        return ret;
+    }
+
     return EXIT_SUCCESS;
 }
 
@@ -533,6 +590,13 @@ test_esys_checks_pre(TSS2_TEST_ESYS_CONTEXT *test_ctx)
         return ret;
     }
 
+    LOG_DEBUG("Running System API pre-test checks: pcr16 empty");
+    ret = pcr16_empty(sys_context);
+    if (ret != EXIT_SUCCESS) {
+        LOG_ERROR("PCR16 is not empty");
+        return ret;
+    }
+
     return EXIT_SUCCESS;
 }
 
@@ -549,13 +613,27 @@ test_esys_checks_post(TSS2_TEST_ESYS_CONTEXT *test_ctx)
         return EXIT_ERROR;
     }
 
+    LOG_DEBUG("Running System API pre-test checks: transient handles empty");
+    ret = transient_empty(sys_context);
+    if (ret != EXIT_SUCCESS) {
+        LOG_ERROR("TPM contains transient objects.");
+        return ret;
+    }
+
     LOG_DEBUG("Running System API post-test checks: dump capabilities");
     ret = dumpstate(sys_context, test_ctx->tpm_state, 1);
     if (ret != EXIT_SUCCESS) {
         LOG_ERROR("Error while performing TPM state checks.");
         return ret;
     }
 
+    LOG_DEBUG("Running System API pre-test checks: pcr16 empty");
+    ret = pcr16_empty(sys_context);
+    if (ret != EXIT_SUCCESS) {
+        LOG_ERROR("PCR16 is not empty");
+        return ret;
+    }
+
     return EXIT_SUCCESS;
 }
 
@@ -587,3 +665,4 @@ test_fapi_checks_post(TSS2_TEST_FAPI_CONTEXT *test_ctx)
     return test_esys_checks_post(&test_ctx->test_esys_ctx);
 }
 #endif /* TEST_FAPI */
+