nixpkgs/nixos/tests/tpm-ek/default.nix

import ../make-test-python.nix (
  { lib, pkgs, ... }:

  let
    inherit (pkgs) writeText tpm2-tools openssl;
    ek_config = writeText "ek-sign.cnf" ''
      [ tpm_policy ]
      basicConstraints = CA:FALSE

      keyUsage = keyEncipherment
      certificatePolicies = 2.23.133.2.1
      extendedKeyUsage = 2.23.133.8.1

      subjectAltName = ASN1:SEQUENCE:dirname_tpm

      [ dirname_tpm ]
      seq = EXPLICIT:4,SEQUENCE:dirname_tpm_seq

      [ dirname_tpm_seq ]
      set = SET:dirname_tpm_set

      [ dirname_tpm_set ]
      seq.1 = SEQUENCE:dirname_tpm_seq_manufacturer
      seq.2 = SEQUENCE:dirname_tpm_seq_model
      seq.3 = SEQUENCE:dirname_tpm_seq_version

      # We're going to mock up an STM TPM here
      [dirname_tpm_seq_manufacturer]
      oid = OID:2.23.133.2.1
      str = UTF8:"id:53544D20"

      [dirname_tpm_seq_model]
      oid = OID:2.23.133.2.2
      str = UTF8:"ST33HTPHAHD4

      [dirname_tpm_seq_version]
      oid = OID:2.23.133.2.3
      str = UTF8:"id:00010101"
    '';
  in
  {
    name = "tpm-ek";

    meta = {
      maintainers = with lib.maintainers; [ baloo ];
    };

    nodes.machine =
      { pkgs, ... }:
      {
        environment.systemPackages = [
          openssl
          tpm2-tools
        ];

        security.tpm2 = {
          enable = true;
          tctiEnvironment.enable = true;
        };

        virtualisation.tpm = {
          enable = true;
          provisioning = ''
            export PATH=${
              lib.makeBinPath [
                openssl
              ]
            }:$PATH

            tpm2_createek -G rsa -u ek.pub -c ek.ctx -f pem

            # Sign a certificate
            # Pretend we're an STM TPM
            openssl x509 \
              -extfile ${ek_config} \
              -new -days 365 \
              \
              -subj "/CN=this.is.required.but.it.should.not/" \
              -extensions tpm_policy \
              \
              -CA ${./ca.crt} -CAkey ${./ca.priv} \
              \
              -out device.der -outform der \
              -force_pubkey ek.pub

            # Create a nvram slot for the certificate, and we need the size
            # to precisely match the length of the certificate we're going to
            # put in.
            tpm2_nvdefine 0x01c00002 \
              -C o \
              -a "ownerread|policyread|policywrite|ownerwrite|authread|authwrite" \
              -s "$(wc -c device.der| cut -f 1 -d ' ')"

            tpm2_nvwrite 0x01c00002 -C o -i device.der
          '';
        };
      };

    testScript = ''
      start_all()
      machine.wait_for_unit("multi-user.target")

      machine.succeed('tpm2_nvread 0x01c00002 | openssl x509 -inform der -out /tmp/ek.pem')
      print(machine.succeed('openssl x509 -in /tmp/ek.pem -text'))
      machine.succeed('openssl verify -CAfile ${./ca.crt} /tmp/ek.pem')
    '';
  }
)
nixosTests.tpm-ek: provide EK certificates to tests 2024-12-11 19:09:20 -08:00			`import ../make-test-python.nix (`
			`{ lib, pkgs, ... }:`

			`let`
			`inherit (pkgs) writeText tpm2-tools openssl;`
			`ek_config = writeText "ek-sign.cnf" ''`
			`[ tpm_policy ]`
			`basicConstraints = CA:FALSE`

			`keyUsage = keyEncipherment`
			`certificatePolicies = 2.23.133.2.1`
			`extendedKeyUsage = 2.23.133.8.1`

			`subjectAltName = ASN1:SEQUENCE:dirname_tpm`

			`[ dirname_tpm ]`
			`seq = EXPLICIT:4,SEQUENCE:dirname_tpm_seq`

			`[ dirname_tpm_seq ]`
			`set = SET:dirname_tpm_set`

			`[ dirname_tpm_set ]`
			`seq.1 = SEQUENCE:dirname_tpm_seq_manufacturer`
			`seq.2 = SEQUENCE:dirname_tpm_seq_model`
			`seq.3 = SEQUENCE:dirname_tpm_seq_version`

			`# We're going to mock up an STM TPM here`
			`[dirname_tpm_seq_manufacturer]`
			`oid = OID:2.23.133.2.1`
			`str = UTF8:"id:53544D20"`

			`[dirname_tpm_seq_model]`
			`oid = OID:2.23.133.2.2`
			`str = UTF8:"ST33HTPHAHD4`

			`[dirname_tpm_seq_version]`
			`oid = OID:2.23.133.2.3`
			`str = UTF8:"id:00010101"`
			`'';`
			`in`
			`{`
			`name = "tpm-ek";`

			`meta = {`
			`maintainers = with lib.maintainers; [ baloo ];`
			`};`

			`nodes.machine =`
			`{ pkgs, ... }:`
			`{`
			`environment.systemPackages = [`
			`openssl`
			`tpm2-tools`
			`];`

			`security.tpm2 = {`
			`enable = true;`
			`tctiEnvironment.enable = true;`
			`};`

			`virtualisation.tpm = {`
			`enable = true;`
			`provisioning = ''`
			`export PATH=${`
			`lib.makeBinPath [`
			`openssl`
			`]`
			`}:$PATH`

			`tpm2_createek -G rsa -u ek.pub -c ek.ctx -f pem`

			`# Sign a certificate`
			`# Pretend we're an STM TPM`
			`openssl x509 \`
			`-extfile ${ek_config} \`
			`-new -days 365 \`
			`\`
			`-subj "/CN=this.is.required.but.it.should.not/" \`
			`-extensions tpm_policy \`
			`\`
			`-CA ${./ca.crt} -CAkey ${./ca.priv} \`
			`\`
			`-out device.der -outform der \`
			`-force_pubkey ek.pub`

			`# Create a nvram slot for the certificate, and we need the size`
			`# to precisely match the length of the certificate we're going to`
			`# put in.`
			`tpm2_nvdefine 0x01c00002 \`
			`-C o \`
			`-a "ownerread\|policyread\|policywrite\|ownerwrite\|authread\|authwrite" \`
			`-s "$(wc -c device.der\| cut -f 1 -d ' ')"`

			`tpm2_nvwrite 0x01c00002 -C o -i device.der`
			`'';`
			`};`
			`};`

			`testScript = ''`
			`start_all()`
			`machine.wait_for_unit("multi-user.target")`

			`machine.succeed('tpm2_nvread 0x01c00002 \| openssl x509 -inform der -out /tmp/ek.pem')`
			`print(machine.succeed('openssl x509 -in /tmp/ek.pem -text'))`
			`machine.succeed('openssl verify -CAfile ${./ca.crt} /tmp/ek.pem')`
			`'';`
			`}`
			`)`