Loading nixos/modules/security/tpm2.nix +2 −2 Original line number Diff line number Diff line Loading @@ -276,11 +276,11 @@ in services.udev.extraRules = lib.mkIf cfg.applyUdevRules (udevRules cfg.tssUser cfg.tssGroup); # Create the tss user and group only if the default value is used users.users.${cfg.tssUser} = lib.mkIf (cfg.tssUser == "tss") { users.users.tss = lib.mkIf (cfg.tssUser == "tss" || cfg.tssGroup == "tss") { isSystemUser = true; group = "tss"; }; users.groups.${cfg.tssGroup} = lib.mkIf (cfg.tssGroup == "tss") { }; users.groups.tss = lib.mkIf (cfg.tssUser == "tss" || cfg.tssGroup == "tss") { }; environment.variables = lib.mkIf cfg.tctiEnvironment.enable ( lib.attrsets.genAttrs Loading nixos/tests/all-tests.nix +1 −1 Original line number Diff line number Diff line Loading @@ -1638,7 +1638,7 @@ in tomcat = runTest ./tomcat.nix; tor = runTest ./tor.nix; tpm-ek = handleTest ./tpm-ek { }; tpm2 = runTest ./tpm2.nix; tpm2 = import ./tpm2 { inherit runTest; }; traccar = runTest ./traccar.nix; # tracee requires bpf tracee = handleTestOn [ "x86_64-linux" ] ./tracee.nix { }; Loading nixos/tests/tpm2/default.nix 0 → 100644 +5 −0 Original line number Diff line number Diff line { runTest }: { abrmd = runTest ./tpm2-abrmd.nix; tpmrm = runTest ./tpm2-tpmrm.nix; } nixos/tests/tpm2.nix→nixos/tests/tpm2/tpm2-abrmd.nix +4 −0 Original line number Diff line number Diff line Loading 
@@ -39,6 +39,10 @@ machine.start() machine.wait_for_unit("multi-user.target") with subtest("/dev/tpmrm0 has correct ownership"): machine.succeed('[ `stat -c "%U" /dev/tpmrm0` = "tss" ]') machine.succeed('[ `stat -c "%G" /dev/tpmrm0` = "tss" ]') with subtest("tabrmd service started properly"): machine.succeed('[ `systemctl show tpm2-abrmd.service --property=Result` = "Result=success" ]') machine.succeed('[ `journalctl -b -u tpm2-abrmd.service | grep -c "Starting"` = "1" ]') Loading nixos/tests/tpm2/tpm2-tpmrm.nix 0 → 100644 +72 −0 Original line number Diff line number Diff line { lib, pkgs, ... }: { name = "tpm2-tpmrm"; nodes.machine = { config, pkgs, ... }: { virtualisation = { mountHostNixStore = true; useEFIBoot = true; tpm.enable = true; }; users.users = { tss-user = { isNormalUser = true; extraGroups = [ "tss" ]; }; }; security.sudo.wheelNeedsPassword = false; security.tpm2 = { enable = true; pkcs11.enable = true; tctiEnvironment.enable = true; fapi.ekCertLess = true; }; environment.systemPackages = [ pkgs.tpm2-tools pkgs.openssl ]; }; testScript = '' machine.start() machine.wait_for_unit("multi-user.target") with subtest("/dev/tpmrm0 has correct ownership"): machine.succeed('[ `stat -c "%U" /dev/tpmrm0` = "root" ]') machine.succeed('[ `stat -c "%G" /dev/tpmrm0` = "tss" ]') with subtest("tpm2 cli works"): machine.succeed('tpm2 createprimary --hierarchy=o --key-algorithm=aes256 --attributes="fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt" --key-context=owner_root_key.ctx') machine.succeed('tpm2 create --parent-context=owner_root_key.ctx --key-algorithm=ecc256:ecdsa-sha256:null --attributes="fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|sign" --key-context=ecc_sign_key.ctx --creation-ticket=ecc_sign_key-creation_ticket.bin -f pem --output=ecc_sign_key_public.pem') machine.succeed('echo "A very important message." 
> message.txt') machine.succeed('tpm2 sign --key-context=ecc_sign_key.ctx --hash-algorithm=sha256 -f plain --signature message_signature.bin message.txt') machine.succeed('openssl dgst -verify ecc_sign_key_public.pem -signature message_signature.bin message.txt') machine.succeed('echo "evil addition!" >> message.txt') machine.fail('openssl dgst -verify ecc_sign_key_public.pem -signature message_signature.bin message.txt') def format_command(command, user): return f"runuser -u {user} -- bash -c '{command}'" def succeedu(command,user): return machine.succeed(format_command(command,user)) def failu(command,user): return machine.fail(format_command(command,user)) with subtest("tss2 cli works"): machine.succeed('tss2 provision') succeedu('tss2 createkey --path=HS/SRK/sign --type=sign --authValue=""',"tss-user") succeedu('tss2 gettpmblobs --path=HS/SRK/sign --tpm2bPublic=$HOME/sign_key_public.bin',"tss-user") succeedu('tpm2 print -t TPM2B_PUBLIC -f pem $HOME/sign_key_public.bin > $HOME/sign_key_public.pem',"tss-user") succeedu('echo "A very important message." > $HOME/message.txt',"tss-user") succeedu('tpm2 hash --hash-algorithm=sha256 --output=$HOME/message_hash.bin $HOME/message.txt',"tss-user") succeedu('tss2 sign --keyPath=HS/SRK/sign --digest=$HOME/message_hash.bin --signature=$HOME/message_signature.bin',"tss-user") succeedu('openssl dgst -verify $HOME/sign_key_public.pem -signature $HOME/message_signature.bin $HOME/message.txt',"tss-user") succeedu('echo "evil addition!" >> $HOME/message.txt',"tss-user") failu('openssl dgst -verify $HOME/sign_key_public.pem -signature $HOME/message_signature.bin $HOME/message.txt',"tss-user") ''; } Loading
nixos/modules/security/tpm2.nix +2 −2 Original line number Diff line number Diff line Loading @@ -276,11 +276,11 @@ in services.udev.extraRules = lib.mkIf cfg.applyUdevRules (udevRules cfg.tssUser cfg.tssGroup); # Create the tss user and group only if the default value is used users.users.${cfg.tssUser} = lib.mkIf (cfg.tssUser == "tss") { users.users.tss = lib.mkIf (cfg.tssUser == "tss" || cfg.tssGroup == "tss") { isSystemUser = true; group = "tss"; }; users.groups.${cfg.tssGroup} = lib.mkIf (cfg.tssGroup == "tss") { }; users.groups.tss = lib.mkIf (cfg.tssUser == "tss" || cfg.tssGroup == "tss") { }; environment.variables = lib.mkIf cfg.tctiEnvironment.enable ( lib.attrsets.genAttrs Loading
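Review bot: Assuming the `||` lines are the new side of this hunk, `users.users.tss` is now declared whenever `cfg.tssGroup == "tss"`, so a configuration that sets a custom `tssUser` but keeps the default group ends up with an unused `tss` system user, and the comment `# Create the tss user and group only if the default value is used` no longer describes the condition. The widened condition is only needed for the group, because the user entry hard-codes `group = "tss"` and therefore requires that group to exist even when `tssGroup` is customised. Consider keeping `users.users.tss = lib.mkIf (cfg.tssUser == "tss") {` for the user, leaving the `||` form on `users.groups.tss`, and rewording the comment to say that the group is created whenever either default is in use.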
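--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -1638,7 +1638,7 @@ in
   tomcat = runTest ./tomcat.nix;
   tor = runTest ./tor.nix;
   tpm-ek = handleTest ./tpm-ek { };
-  tpm2 = runTest ./tpm2.nix;
+  tpm2 = import ./tpm2 { inherit runTest; };
   traccar = runTest ./traccar.nix;
   # tracee requires bpf
   tracee = handleTestOn [ "x86_64-linux" ] ./tracee.nix { };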
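--- /dev/null
+++ b/nixos/tests/tpm2/default.nix
@@ -0,0 +1,5 @@
+{ runTest }:
+{
+  abrmd = runTest ./tpm2-abrmd.nix;
+  tpmrm = runTest ./tpm2-tpmrm.nix;
+}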
nixos/tests/tpm2.nix→nixos/tests/tpm2/tpm2-abrmd.nix +4 −0 Original line number Diff line number Diff line Loading @@ -39,6 +39,10 @@ machine.start() machine.wait_for_unit("multi-user.target") with subtest("/dev/tpmrm0 has correct ownership"): machine.succeed('[ `stat -c "%U" /dev/tpmrm0` = "tss" ]') machine.succeed('[ `stat -c "%G" /dev/tpmrm0` = "tss" ]') with subtest("tabrmd service started properly"): machine.succeed('[ `systemctl show tpm2-abrmd.service --property=Result` = "Result=success" ]') machine.succeed('[ `journalctl -b -u tpm2-abrmd.service | grep -c "Starting"` = "1" ]') Loading
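--- /dev/null
+++ b/nixos/tests/tpm2/tpm2-tpmrm.nix
@@ -0,0 +1,72 @@
+{ lib, pkgs, ... }:
+{
+  name = "tpm2-tpmrm";
+
+  nodes.machine = { config, pkgs, ... }: {
+      virtualisation = {
+        mountHostNixStore = true;
+        useEFIBoot = true;
+        tpm.enable = true;
+      };
+
+      users.users = {
+        tss-user = {
+          isNormalUser = true;
+          extraGroups = [ "tss" ];
+        };
+      };
+
+      security.sudo.wheelNeedsPassword = false;
+
+      security.tpm2 = {
+        enable = true;
+        pkcs11.enable = true;
+        tctiEnvironment.enable = true;
+        fapi.ekCertLess = true;
+      };
+
+      environment.systemPackages = [
+        pkgs.tpm2-tools
+        pkgs.openssl
+      ];
+    };
+
+  testScript = ''
+    machine.start()
+    machine.wait_for_unit("multi-user.target")
+
+    with subtest("/dev/tpmrm0 has correct ownership"):
+        machine.succeed('[ `stat -c "%U" /dev/tpmrm0` = "root" ]')
+        machine.succeed('[ `stat -c "%G" /dev/tpmrm0` = "tss" ]')
+
+    with subtest("tpm2 cli works"):
+        machine.succeed('tpm2 createprimary --hierarchy=o --key-algorithm=aes256 --attributes="fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt" --key-context=owner_root_key.ctx')
+        machine.succeed('tpm2 create --parent-context=owner_root_key.ctx --key-algorithm=ecc256:ecdsa-sha256:null --attributes="fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|sign" --key-context=ecc_sign_key.ctx --creation-ticket=ecc_sign_key-creation_ticket.bin -f pem --output=ecc_sign_key_public.pem')
+        machine.succeed('echo "A very important message." > message.txt')
+        machine.succeed('tpm2 sign --key-context=ecc_sign_key.ctx --hash-algorithm=sha256 -f plain --signature message_signature.bin message.txt')
+        machine.succeed('openssl dgst -verify ecc_sign_key_public.pem -signature message_signature.bin message.txt')
+        machine.succeed('echo "evil addition!" >> message.txt')
+        machine.fail('openssl dgst -verify ecc_sign_key_public.pem -signature message_signature.bin message.txt')
+
+    def format_command(command, user):
+        return f"runuser -u {user} -- bash -c '{command}'"
+
+    def succeedu(command,user):
+        return machine.succeed(format_command(command,user))
+
+    def failu(command,user):
+        return machine.fail(format_command(command,user))
+
+    with subtest("tss2 cli works"):
+        machine.succeed('tss2 provision')
+        succeedu('tss2 createkey --path=HS/SRK/sign --type=sign --authValue=""',"tss-user")
+        succeedu('tss2 gettpmblobs --path=HS/SRK/sign --tpm2bPublic=$HOME/sign_key_public.bin',"tss-user")
+        succeedu('tpm2 print -t TPM2B_PUBLIC -f pem $HOME/sign_key_public.bin > $HOME/sign_key_public.pem',"tss-user")
+        succeedu('echo "A very important message." > $HOME/message.txt',"tss-user")
+        succeedu('tpm2 hash --hash-algorithm=sha256 --output=$HOME/message_hash.bin $HOME/message.txt',"tss-user")
+        succeedu('tss2 sign --keyPath=HS/SRK/sign --digest=$HOME/message_hash.bin --signature=$HOME/message_signature.bin',"tss-user")
+        succeedu('openssl dgst -verify $HOME/sign_key_public.pem -signature $HOME/message_signature.bin $HOME/message.txt',"tss-user")
+        succeedu('echo "evil addition!" >> $HOME/message.txt',"tss-user")
+        failu('openssl dgst -verify $HOME/sign_key_public.pem -signature $HOME/message_signature.bin $HOME/message.txt',"tss-user")
+  '';
+}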
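Review bot: `security.sudo.wheelNeedsPassword = false;` in nodes.machine relaxes sudo for the wheel group, yet nothing in the testScript invokes sudo and tss-user is only added to the `tss` group, so the setting looks like a leftover that should be dropped rather than shipped in a test that is meant to show an unprivileged user reaching the TPM. The `format_command` helper also embeds the command verbatim inside `bash -c '...'`, which breaks or changes meaning as soon as a command contains a single quote; none of the current commands do, but `return f"runuser -u {user} -- bash -c {shlex.quote(command)}"` with `import shlex` at the top of the script makes the wrapper robust for future additions. Minor style: `succeedu(command,user)` and `failu(command,user)` omit the space after the comma that `format_command(command, user)` uses, and `lib` in the file's argument set is unused.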