diff --git a/Library/test-helpers/lib.sh b/Library/test-helpers/lib.sh index 8b30ebc2..d7dcb120 100644 --- a/Library/test-helpers/lib.sh +++ b/Library/test-helpers/lib.sh @@ -2382,7 +2382,7 @@ limeconRunAgent() { PUBLISH_PORTS="-P" fi - local EXTRA_ARGS="--privileged $ADD_PORT $ADD_REV_PORT $PUBLISH_PORTS --volume=/sys/kernel/security/:/sys/kernel/security/:ro --volume=$TESTDIR:$TESTDIR -e RUST_LOG=keylime_agent=trace -e TCTI=device:/dev/tpmrm${limeTPMDevNo}" + local EXTRA_ARGS="--privileged $ADD_PORT $ADD_REV_PORT $PUBLISH_PORTS --volume=/sys/kernel/security/:/sys/kernel/security/:ro --volume=$TESTDIR:$TESTDIR -e RUST_LOG=keylime_agent=trace,keylime=trace -e TCTI=device:/dev/tpmrm${limeTPMDevNo}" if [ -n "$CONFDIR" ]; then EXTRA_ARGS="--volume=${CONFDIR}:/etc/keylime/:z $EXTRA_ARGS" diff --git a/functional/iak-idevid-register-with-certificates/main.fmf b/functional/iak-idevid-register-with-certificates/main.fmf index 5484c145..82d96aca 100644 --- a/functional/iak-idevid-register-with-certificates/main.fmf +++ b/functional/iak-idevid-register-with-certificates/main.fmf @@ -11,9 +11,10 @@ framework: beakerlib require: - yum - tpm2-tools - - xxd + - /usr/bin/xxd recommend: - keylime + - tpm2-openssl duration: 5m enabled: true adjust: diff --git a/functional/iak-idevid-register-with-certificates/test.sh b/functional/iak-idevid-register-with-certificates/test.sh index 134f9163..69e47ccf 100755 --- a/functional/iak-idevid-register-with-certificates/test.sh +++ b/functional/iak-idevid-register-with-certificates/test.sh 
@@ -28,21 +28,28 @@ rlJournalStart rlRun "limeWaitForTPMEmulator" rlRun "limeCondStartAbrmd" fi + # start verifier so it generates TLS certs for the registrar + if [ ! -d /var/lib/keylime/cv_ca ]; then + rlRun "limeStartVerifier" + rlRun "limeWaitForVerifier" + rlRun "limeStopVerifier" + fi rlPhaseEnd - rlPhaseStartSetup "Install tpm2-openssl to generate csrs with TPM keys" - rlRun "dnf -y install autoconf automake libtool m4 autoconf-archive openssl-devel tpm2-tss-devel" - rlRun "wget -c ${TPM2_OPENSSL} -q -O - | tar -xz" - rlRun "cd tpm2-openssl-1.2.0" - rlRun "./configure" - rlRun "make" - rlRun "make install" - #rlRun "make check" - rlRun "cd .." - rlPhaseEnd + if ! rpm -q tpm2-openssl; then + rlPhaseStartSetup "Build and install tpm2-openssl to generate csrs with TPM keys" + rlRun "dnf -y install autoconf automake libtool m4 autoconf-archive openssl-devel tpm2-tss-devel" + rlRun "wget -c ${TPM2_OPENSSL} -q -O - | tar -xz" + rlRun "cd tpm2-openssl-1.2.0" + rlRun "./configure" + rlRun "make" + rlRun "make install" + #rlRun "make check" + rlRun "cd .." + rlPhaseEnd + fi rlPhaseStartSetup "Create CA" - rlRun "mkdir -p ca/intermediate && cp ${TESTDIR}/root.cnf ca/ && cp ${TESTDIR}/intermediate.cnf ca/intermediate/" # Update config files with correct path rlRun "sed -i \"/dir = ca/c dir = ${TMPDIR}/ca\" ca/root.cnf" 
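Review bot: The tarball fetched by `wget -c ${TPM2_OPENSSL} -q -O - | tar -xz` in the new `if ! rpm -q tpm2-openssl` branch is unpacked, built and passed to `make install` with no integrity check, and this setup presumably runs as root. Download to a file and verify it against a pinned digest before extracting: `rlRun "wget -q -O tpm2-openssl.tar.gz ${TPM2_OPENSSL}"`, `rlRun "echo '<PINNED_SHA256>  tpm2-openssl.tar.gz' | sha256sum -c -"`, `rlRun "tar -xzf tpm2-openssl.tar.gz"`. `<PINNED_SHA256>` is a placeholder for the digest of the release you pin. The hard-coded `cd tpm2-openssl-1.2.0` will also break silently if `TPM2_OPENSSL` is later pointed at another version, so a comment tying the two together would help.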
@@ -130,11 +137,12 @@ rlJournalStart rlPhaseStartTest "Successful registration - IDevID and IAK certs verified, and IAK verifies AK" # Add CA to store + rlRun "mkdir -p $TPM_CERTS" rlRun "cp ./ca/certs/klca-chain.cert.pem $TPM_CERTS/" rlRun "limeStartAgent" # Agent can now register with IDevID and IAK getting verified rlRun "limeWaitForAgentRegistration ${AGENT_ID}" - rlAssertGrep "IDevID created" "$(limeAgentLogfile)" + rlAssertGrep "(IDevID created|Recreating IDevID)" "$(limeAgentLogfile)" -E rlAssertGrep "AK certified with IAK" "$(limeAgentLogfile)" # Check the registrar used the IDevID and IAK code block rlAssertGrep "INFO - IDevID and IAK received" "$(limeRegistrarLogfile)" diff --git a/regression/CVE-2023-3674/test.sh b/regression/CVE-2023-3674/test.sh index a2a3948d..32708d1a 100755 --- a/regression/CVE-2023-3674/test.sh +++ b/regression/CVE-2023-3674/test.sh @@ -79,7 +79,7 @@ rlJournalStart rlRun "cat malformed_quote > $ATTESTATION_FILE" rlRun -s "keylime_attest" 1 rlAssertGrep "ERROR - Error verifying quote" "$rlRun_LOG" - rlAssertGrep "raise InvalidSignature" "$rlRun_LOG" + rlAssertGrep "(raise InvalidSignature|cryptography.exceptions.InvalidSignature)" "$rlRun_LOG" -E rlAssertGrep "The following agents failed attestation" "$rlRun_LOG" rlPhaseEnd diff --git a/setup/install_rust_keylime_from_copr/test.sh b/setup/install_rust_keylime_from_copr/test.sh index 94134a6f..18d0d6b7 100755 --- a/setup/install_rust_keylime_from_copr/test.sh +++ b/setup/install_rust_keylime_from_copr/test.sh @@ -32,7 +32,7 @@ _EOF' rlRun "mkdir -p /etc/keylime/agent.conf.d" rlRun "cat > /etc/systemd/system/keylime_agent.service.d/20-rust_log_trace.conf <<_EOF [Service] -Environment=\"RUST_LOG=keylime_agent=trace\" +Environment=\"RUST_LOG=keylime_agent=trace,keylime=trace\" _EOF" # If the TPM_BINARY_MEASUREMENTS env var is set, set the binary # measurements location for the service 
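Review bot: In functional/iak-idevid-register-with-certificates/test.sh, the added `rlRun "mkdir -p $TPM_CERTS"` means the test itself may now create the TPM certificate store, and the test CA chain copied into it on the next line is trusted by anything that reads that store afterwards. The cleanup phase is outside this hunk, so I cannot tell whether it removes `klca-chain.cert.pem`, or the directory when the test created it. I would add a comment above the mkdir such as `# store may not exist on a fresh system; cleanup must remove the test CA chain (and the dir if created here)` and confirm cleanup matches. Quoting the path inside the command, `rlRun "mkdir -p \"$TPM_CERTS\""`, would also keep it a single argument when rlRun re-evaluates the string.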
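Review bot: In regression/CVE-2023-3674/test.sh the new `-E` pattern leaves the dots in `cryptography.exceptions.InvalidSignature` unescaped, so each matches any character, and the second alternative matches the class name anywhere in the log, not only where the exception is reported. For a CVE regression check the assertion should stay as tight as the one it replaces: `rlAssertGrep "(raise InvalidSignature|cryptography\.exceptions\.InvalidSignature)" "$rlRun_LOG" -E`. A short comment saying which output form each alternative covers would help the next maintainer. The hunk does not show which keylime or cryptography version produces which form.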
diff --git a/setup/install_upstream_rust_keylime/test.sh b/setup/install_upstream_rust_keylime/test.sh index d7b639c8..18d02608 100755 --- a/setup/install_upstream_rust_keylime/test.sh +++ b/setup/install_upstream_rust_keylime/test.sh @@ -71,7 +71,7 @@ _EOF' rlRun "mkdir -p /etc/systemd/system/keylime_agent.service.d" rlRun "cat > /etc/systemd/system/keylime_agent.service.d/20-rust_log_trace.conf <<_EOF [Service] -Environment=\"RUST_LOG=keylime_agent=trace\" +Environment=\"RUST_LOG=keylime_agent=trace,keylime=trace\" _EOF" # If the TPM_BINARY_MEASUREMENTS env var is set, set the binary