#!/usr/bin/expect -f
#
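# This script tests Linux trusted keys support using OP-TEE as a trust
# source. The return code is 0 for success, >0 for error.
# Note: 0 is also returned when the test is skipped because keyctl
# reports "No such device", so a zero exit status alone does not prove
# that trusted keys were exercised.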
#

# Key IDs captured from the keyctl output: ek_id for the encrypted key,
# tk_id for the trusted key. Both stay 0 until check_keyctl_result sees a
# number on the console.
set ek_id 0
set tk_id 0
# Value of the expect timeout variable used by every expect call below.
set timeout 5
# Wait for the next shell prompt while watching the console output for a
# key ID, a failure marker or a timeout.
#
# arg: name of the global variable (tk_id or ek_id in this script) that
#      receives any decimal number seen immediately before a \r.
#
# Outcomes, in the order the patterns are listed:
#   - digits followed by \r      : stored in the global named by arg, then
#                                  the wait continues
#   - "add_key: No such device"  : the test is skipped, exit status 0
#   - "FAILED"                   : exit status 1
#   - timeout                    : exit status 1
#   - "# "                       : prompt seen, return to the caller
#
# NOTE(review): the skip path exits 0, the same status as a full pass, so a
# platform without trusted-keys support looks like a success to anything
# that only checks the return code. Enforcing coverage requires looking for
# the "Skipping test" message in the log.
# NOTE(review): the digit pattern is not anchored to the start of a line, so
# any console output ending in digits before \r overwrites the stored ID.
# NOTE(review): info is called with a message here, while Tcl's built-in
# info takes a subcommand; presumably the harness that sources this file
# defines a logging proc named info. Confirm against the caller.
proc check_keyctl_result arg {
	expect {
		-re {(\d+)\r} {
			# Store the captured number in the global variable named by
			# arg, then keep waiting for the prompt.
			set ::$arg $expect_out(1,string)
			exp_continue
		}
		"add_key: No such device" {
			# Treated as "not supported on this build" rather than as a
			# failure: report the skip and stop with status 0.
			info [join {"Skipping test due to 'No such device':"
				    "trusted keys are not supported"
				    "(missing driver? CFG_CORE_DYN_SHM=n?)\n"}]
			exit 0
		}
		"FAILED" {
			# Marker echoed by the fail shell function that run_cmd appends
			# to every command.
			info "!!! Error\n"
			exit 1
		}
		timeout {
			# No pattern matched within the expect timeout.
			info "!!! Timeout\n"
			exit 1
		}
		"# "
	}
}
# Send one shell command line to the console under test.
#
# arg: the command text. It is passed to the target shell verbatim, so it
#      must only ever come from the fixed strings in this script.
#
# The "|| fail" suffix makes the target shell run its fail function when
# the command exits non-zero; that function echoes the FAILED marker that
# check_keyctl_result looks for.
proc run_cmd arg {
	set line "$arg || fail\r"
	send -- $line
}
# Test sequence. Each run_cmd is followed by check_keyctl_result, which
# waits for the prompt and aborts the script on FAILED or timeout.
#
# What the sequence verifies: a trusted key and an encrypted key derived
# from it can be created, exported, revoked, reloaded from the exported
# blobs and exported again with byte-identical results. It is a functional
# round-trip check only; nothing here inspects the blob contents.
#
# NOTE(review): kmk.blob, evm.blob and their .blob2 copies are written to
# the target shell's current directory and are not removed afterwards.
info "Running: keyctl tests...\n"
expect "# "
# Define the shell helper that prints the FAILED marker on the target.
send -- "function fail { echo FAILED ; }\r"
expect "# "
# Create a new 32-byte trusted key named kmk in the user keyring; the ID
# printed by keyctl is captured into tk_id.
run_cmd "keyctl add trusted kmk \"new 32\" @u"
check_keyctl_result tk_id
# Create a 32-byte encrypted key named evm that uses trusted:kmk as its
# master key; the printed ID is captured into ek_id.
run_cmd "keyctl add encrypted evm \"new trusted:kmk 32\" @u"
check_keyctl_result ek_id
# Export both keys to files. $tk_id and $ek_id are substituted by Tcl when
# each line is evaluated, so they carry the IDs captured just above.
run_cmd "keyctl pipe $tk_id > kmk.blob"
check_keyctl_result tk_id
run_cmd "keyctl pipe $ek_id > evm.blob"
check_keyctl_result ek_id
# Revoke both keys, encrypted key first, so the reload below starts from
# the saved blobs only.
run_cmd "keyctl revoke $ek_id"
check_keyctl_result ek_id
run_cmd "keyctl revoke $tk_id"
check_keyctl_result tk_id
# Reload both keys from the saved blobs. The backticks are not special to
# Tcl inside double quotes; they reach the target shell, which runs cat.
# The newly printed IDs replace the old values of tk_id and ek_id.
run_cmd "keyctl add trusted kmk \"load `cat kmk.blob`\" @u"
check_keyctl_result tk_id
run_cmd "keyctl add encrypted evm \"load `cat evm.blob`\" @u"
check_keyctl_result ek_id
# Export the reloaded keys a second time.
run_cmd "keyctl pipe $tk_id > kmk.blob2"
check_keyctl_result tk_id
run_cmd "keyctl pipe $ek_id > evm.blob2"
check_keyctl_result ek_id
# Compare first and second exports; a difference makes diff exit non-zero,
# which triggers the fail helper and ends the script with status 1.
run_cmd "diff kmk.blob kmk.blob2"
check_keyctl_result tk_id
run_cmd "diff evm.blob evm.blob2"
check_keyctl_result ek_id
info "Status: keyctl tests successful\n"