[PATCH GnuPG 0/9] Fix TPM support tests

James Bottomley James.Bottomley at HansenPartnership.com
Tue Jun 20 04:32:33 CEST 2023


On Mon, 2023-06-19 at 18:22 +0200, Maxime Ripard wrote:
> On Mon, Jun 19, 2023 at 11:49:15AM -0400, James Bottomley wrote:
> > On Sun, 2023-06-18 at 16:36 +0200, Maxime Ripard wrote:
> > 
> > > [...]
> > > > > This series fixes some of the issues, but the tests still do not
> > > > > run properly with the following error:
> > > > > 
> > > > > Making check in tpm2dtests
> > > > > make[2]: Entering directory '/var/home/max/gnupg2/gnupg-2.4.2/tests/tpm2dtests'
> > > > > LC_ALL=C EXEEXT=
> > > > > PATH="../gpgscm:/var/home/max/.cache/cabal//bin:/var/home/max/.local/share/cargo/bin:/var/home/max/.local/bin:/var/home/max/.local/share/flatpak/exports/bin:/var/lib/flatpak/exports/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
> > > > > abs_top_srcdir="/var/home/max/gnupg2/gnupg-2.4.2"
> > > > > objdir="/var/home/max/gnupg2/gnupg-2.4.2" TSS2_LOG=all+DEBUG
> > > > > TSS2_LOGFILE=tss2.log TPMSERVER="" SWTPM="/bin/swtpm"
> > > > > SWTPM_IOCTL=""
> > > > > GNUPG_BUILD_ROOT="/var/home/max/gnupg2/gnupg-2.4.2"
> > > > > GNUPG_IN_TEST_SUITE=fact
> > > > > GPGSCM_PATH="/var/home/max/gnupg2/gnupg-2.4.2/tests/gpgscm"
> > > > > TPM2TOOLS_TCTI="swtpm:host=localhost,port=2321"
> > > > > /var/home/max/gnupg2/gnupg-2.4.2/tests/gpgscm/gpgscm \
> > > > >   /var/home/max/gnupg2/gnupg-2.4.2/tests/tpm2dtests/run-tests.scm
> > > > 
> > > > But now when I try to run it with make -C tests/tpm2dtests, it fails
> > > > with:
> > > > 
> > > > make: Entering directory '/home/jejb/git/gnupg/tests/tpm2dtests'
> > > > LC_ALL=C EXEEXT=
> > > > PATH="../gpgscm:/home/jejb/.cargo/bin:/home/jejb/bin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/etc:/etc:/home/jejb/android/android-sdk-linux_x86/platform-tools:/home/jejb/android/android-sdk-linux_x86/tools" abs_top_srcdir="/home/jejb/git/gnupg"
> > > > objdir="/home/jejb/git/gnupg"
> > > > TPMSERVER="/usr/lib/ibmtss/tpm_server"
> > > > SWTPM="" SWTPM_IOCTL=""
> > > > GNUPG_BUILD_ROOT="/home/jejb/git/gnupg/tests"
> > > > GNUPG_IN_TEST_SUITE=fact
> > > > GPGSCM_PATH="/home/jejb/git/gnupg/tests/gpgscm"
> > > > /home/jejb/git/gnupg/tests/gpgscm/gpgscm \
> > > >   /home/jejb/git/gnupg/tests/tpm2dtests/run-tests.scm
> > > > /home/jejb/git/gnupg/tests/tpm2dtests/run-tests.scm:30: not enough arguments, missing: (path . args)
> > > 
> > > The patches in this series should solve this.
> > 
> > Even with the patches, I'm now getting a different error:
> > 
> > jejb@lingrow:~/git/gnupg> make -C tests/tpm2dtests check
> > make: Entering directory '/home/jejb/git/gnupg/tests/tpm2dtests'
> > LC_ALL=C EXEEXT=
> > PATH="../gpgscm:/home/jejb/.cargo/bin:/home/jejb/bin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/etc:/etc:/home/jejb/android/android-sdk-linux_x86/platform-tools:/home/jejb/android/android-sdk-linux_x86/tools" abs_top_srcdir="/home/jejb/git/gnupg"
> > objdir="/home/jejb/git/gnupg"
> > TPMSERVER="/usr/lib/ibmtss/tpm_server"
> > SWTPM="" SWTPM_IOCTL=""
> > GNUPG_BUILD_ROOT="/home/jejb/git/gnupg/tests"
> > GNUPG_IN_TEST_SUITE=fact
> > GPGSCM_PATH="/home/jejb/git/gnupg/tests/gpgscm"
> > /home/jejb/git/gnupg/tests/gpgscm/gpgscm \
> >   /home/jejb/git/gnupg/tests/tpm2dtests/run-tests.scm
> > 
> > 0: tests.scm:121: (throw (:stderr result))
> > 1: defs.scm:148: (call-popen `(,(tool-hardcoded 'gpgconf) ,@(if *win32* (list '--build-prefix (getenv "objdir")) '()) ,@args) input)
> > 2: defs.scm:146: (gpg-conf' "" args)
> > 3: #<CLOSURE>
> > 4: defs.scm:189: (apply gpg-conf '(--list-components))
> > FAIL: tests/openpgp/setup.scm
> > Setup failed.
> > make: *** [Makefile:632: xcheck] Error 1
> > make: Leaving directory '/home/jejb/git/gnupg/tests/tpm2dtests'
> > 
> > I know this means something is missing from the setup, but I can't
> > figure out what.
> 
> I got it to build and run on a Fedora 38 system using:
> 
> ./autogen.sh
> ./configure --sysconfdir=/etc --enable-maintainer-mode
> make
> make -C tests/tpm2dtests check

Oh, right, you alter a Makefile.am so I have to re-run autoreconf.  I
think I'm getting a different failure now, but it's actually because
keytotpm really isn't working in gpg current (so the tests are
correctly failing).  The problem is this commit: 2783b786a ("agent: Do
not overwrite a key file by a shadow key file.") because the KEYTOTPM
agent command relies on overwriting the real key with a shadowed TPM
key.  This is my hack to fix it and now I have all the TPM tests
passing (still using the ibmswtpm2 because the other one isn't building
on opensuse).  I think the hack is actually the best way because the
corresponding KEYTOCARD would delete the key as well before rescanning
the card.

James

---

diff --git a/agent/divert-tpm2.c b/agent/divert-tpm2.c
index b2f884f93..2a4d0a352 100644
--- a/agent/divert-tpm2.c
+++ b/agent/divert-tpm2.c
@@ -40,11 +40,18 @@ agent_write_tpm2_shadow_key (ctrl_t ctrl, const unsigned char *grip,
   gcry_sexp_sprint (s_pkey, GCRYSEXP_FMT_CANON, pkbuf, len);
   gcry_sexp_release (s_pkey);
 
+  err = agent_delete_key (ctrl, NULL, grip, 1, 0);
+  if (err)
+    {
+      log_error ("failed to delete unshadowed key: %s\n", gpg_strerror (err));
+      /* try to overwrite anyway */
+    }
+
   err = agent_shadow_key_type (pkbuf, shadow_info, "tpm2-v1", &shdkey);
   xfree (pkbuf);
   if (err)
     {
-      log_error ("shadowing the key failed: %s\n", gpg_strerror (err));
+      log_error ("shadowing the tpm key failed: %s\n", gpg_strerror (err));
       return err;
     }
 
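Review bot: the new agent_delete_key call runs before agent_shadow_key_type has succeeded, so if shadowing fails the function hits `return err;` with the original unshadowed key already deleted and no TPM shadow key in its place; moving the delete to after the `if (err)` check that follows agent_shadow_key_type keeps the real key until a replacement is ready. The `/* try to overwrite anyway */` branch also only logs: since the covering mail says commit 2783b786a makes the agent refuse to overwrite an existing key file with a shadow key, a failed delete means the later write will fail for the same reason, so either propagate `err` here or state in the comment why continuing is still preferable. The bare `1, 0` arguments to agent_delete_key are undocumented in the hunk; a short comment naming what they select would help anyone reading this path later.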


