1#!/usr/bin/env bash 2# SPDX-License-Identifier: LGPL-2.1-or-later 3set -ex 4 5export SYSTEMD_LOG_LEVEL=debug 6 7 8# Prepare fresh disk image 9img="/var/tmp/test.img" 10dd if=/dev/zero of=$img bs=1024k count=20 status=none 11echo -n passphrase >/tmp/passphrase 12cryptsetup luksFormat -q --use-urandom $img /tmp/passphrase 13 14# Enroll unlock with default PCR policy 15env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto $img 16/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 17/usr/lib/systemd/systemd-cryptsetup detach test-volume 18 19# Check with wrong PCR 20tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000 21/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; } 22 23# Enroll unlock with PCR+PIN policy 24systemd-cryptenroll --wipe-slot=tpm2 $img 25env PASSWORD=passphrase NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true $img 26env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 27/usr/lib/systemd/systemd-cryptsetup detach test-volume 28 29# Check failure with wrong PIN 30env PIN=123457 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; } 31 32# Check failure with wrong PCR (and correct PIN) 33tpm2_pcrextend 7:sha256=0000000000000000000000000000000000000000000000000000000000000000 34env PIN=123456 /usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && { echo 'unexpected success'; exit 1; } 35 36# Enroll unlock with PCR 0+7 37systemd-cryptenroll --wipe-slot=tpm2 $img 38env PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 $img 39/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 40/usr/lib/systemd/systemd-cryptsetup detach test-volume 41 42# Check with wrong PCR 0 43tpm2_pcrextend 0:sha256=0000000000000000000000000000000000000000000000000000000000000000 44/usr/lib/systemd/systemd-cryptsetup attach test-volume $img - tpm2-device=auto,headless=1 && exit 1 45 46echo OK >/testok 47 48exit 0 49