Description of problem: (Found by hardware tier1 automatic test suite for RHEL-8.3.0-20200609.1.) Commands tpm2_pcrlist and tpm2_nvlist, used by the kernel/tpm test, are not available after installing tpm2-tools package, causing the test to fail. Version-Release number of selected component (if applicable): How reproducible: always Steps to Reproduce: 1. Install tpm2-tools package. 2. 3. Actual results: Among the many commands it installs, tpm2_pcrlist and tpm2_nvlist are missing. Expected results: Either these commands should be installed, or, if they are obsolete, the test needs to be updated. Additional info:
Can you point me to the test? It will need to be updated. tpm2_pcrlist is now tpm2_pcrread, and tpm2_nvlist was renamed tpm2_nvreadpublic. This was due to a necessary package update for RHELPLAN-37821.
An initial look at it, looks like this should solve it: diff --git a/crypto/tpm/tpm2-tools/runtest.sh b/crypto/tpm/tpm2-tools/runtest.sh index 0a9eb2db146f..70e1435f216f 100755 --- a/crypto/tpm/tpm2-tools/runtest.sh +++ b/crypto/tpm/tpm2-tools/runtest.sh @@ -44,21 +44,21 @@ rlJournalStart rlPhaseEnd rlPhaseStart FAIL "Presence" - rlRun "tpm2_pcrlist" - COUNT=`tpm2_pcrlist | grep '^ \+[0-9]\+ \+: ' | wc -l` + rlRun "tpm2_pcrread -T tabrmd" + COUNT=`tpm2_pcrread -T tabrmd | grep '^ \+[0-9]\+ \+: ' | wc -l` rlAssertGreaterOrEqual "24 PCRS" "$COUNT" 24 rlAssertExists "/dev/tpm0" rlPhaseEnd rlPhaseStart FAIL "Functionality" - rlRun "tpm2_nvlist" + rlRun "tpm2_nvreadpublic -T tabrmd" DATA=`mktemp` - rlRun "tpm2_getrandom -o $DATA 20" 0 "random number generator" + rlRun "tpm2_getrandom -T tabrmd -o $DATA 20" 0 "random number generator" COUNT=`wc -c "$DATA" | cut -d\ -f1` rlAssertEquals "random number count" "$COUNT" 20 HASHED=`mktemp -u` TICKET=`mktemp -u` - rlRun "tpm2_hash -H n -g 0x0004 -o $HASHED -t $TICKET $DATA" 0 "hashing" + rlRun "tpm2_hash -T tabrmd -C n -g 0x0004 -o $HASHED -t $TICKET $DATA" 0 "hashing" rm -f $DATA $HASHED $TICKET # need to define persistent objects first @@ -66,13 +66,13 @@ rlJournalStart #COUNT=`tpm2_listpersistent | grep key-alg | wc -l` #rlAssertGreater "persistent objects defined" "$COUNT" 0 - ORIGINAL=`tpm2_pcrlist | grep ' 4 :' | head -n 1` - rlRun "tpm2_pcrextend 4:sha1=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" 0 "extending PCR" - MODIFIED=`tpm2_pcrlist | grep ' 4 :' | head -n 1` + ORIGINAL=`tpm2_pcrread -T tabrmd | grep ' 4 :' | head -n 1` + rlRun "tpm2_pcrextend -T tabrmd 4:sha1=f1d2d2f924e986ac86fdf7b36c94bcdf32beec15" 0 "extending PCR" + MODIFIED=`tpm2_pcrread -T tabrmd | grep ' 4 :' | head -n 1` rlAssertNotEquals "PCR value changed" "$ORIGINAL" "$MODIFIED" - COUNT=`tpm2_rc_decode 0x9a2 | grep BAD_AUTH | wc -l` - rlAssertEquals "tpm2_rc_decode 0x9a2 -> BAD_AUTH" "$COUNT" 1 + COUNT=`tpm2_rc_decode 0x9a2 | grep "authorization failure" | wc -l` + rlAssertEquals "tpm2_rc_decode 0x9a2 -> authorization failure" "$COUNT" 1 rlPhaseEnd rlPhaseStart FAIL "Data RW"
Thanks a lot! I will try! :-)
Note: it seems that the tpm2_hash command is also slightly wrong in the test as it complains that the "-H" switch has no meaning...
Hi Jiri, In the patch in comment #2 I changed the tpm2_hash line, replacing -H with -C: - rlRun "tpm2_hash -H n -g 0x0004 -o $HASHED -t $TICKET $DATA" 0 "hashing" + rlRun "tpm2_hash -T tabrmd -C n -g 0x0004 -o $HASHED -t $TICKET $DATA" 0 "hashing" Can you double check that the above line doesn't work? Thanks
Jiri, did the above work for you? I'm not sure if I can submit patches against the QE repo or not. Vilem do you have a patch queued up for this already? IIRC you hit the issue as well.
Hi Jerry, I used your patch, with a few modifications. It was already too good to be ignored :-) Just need to do a proper RHEL detection, and then push & pull requests on the 3rd version of our Git workflow, to make the code public. How fast do you need it?
As long as things are good for you all I'm in no rush and we can just close this when your patch lands.
Patch applied to the main test suite; will mark this VERIFIED as soon as the testing run finishes. Thanks to everyone! (also for your patience...)
Hi Jiri, just to clarify you have applied the version Vilem has? He modified it some more from the sounds of it.
excellent question :-) it seems I have duplicated some work - will compare the results with vilem and update if necessary.
Almost forgot to mark this VERIFIED - the new commands work. :-) Thanks everyone involved!