| // Copyright 2022 The ChromiumOS Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include <cstdint> |
| #include <optional> |
| |
| #include <gtest/gtest.h> |
| #include <libhwsec-foundation/error/testing_helper.h> |
| #include <tpm_manager/proto_bindings/tpm_manager.pb.h> |
| #include <tpm_manager-client-test/tpm_manager/dbus-proxy-mocks.h> |
| #include <trunks/cr50_headers/u2f.h> |
| #include <trunks/mock_tpm_utility.h> |
| |
| #include "libhwsec/backend/tpm2/backend_test_base.h" |
| |
| using hwsec_foundation::error::testing::IsOk; |
| using hwsec_foundation::error::testing::IsOkAnd; |
| using hwsec_foundation::error::testing::IsOkAndHolds; |
| using hwsec_foundation::error::testing::NotOk; |
| using hwsec_foundation::error::testing::NotOkAnd; |
| using hwsec_foundation::error::testing::NotOkWith; |
| using testing::_; |
| using testing::DoAll; |
| using testing::Eq; |
| using testing::Optional; |
| using testing::Return; |
| using testing::SetArgPointee; |
| using testing::SizeIs; |
| |
| namespace hwsec { |
| |
| namespace { |
| |
| constexpr uint32_t kCr50StatusNotAllowed = 0x507; |
| constexpr uint32_t kCr50StatusPasswordRequired = 0x50a; |
| |
| brillo::Blob GetStubBlob() { |
| return brillo::Blob(10, 10); |
| } |
| |
| brillo::SecureBlob GetStubSecureBlob() { |
| return brillo::SecureBlob(20, 20); |
| } |
| |
| brillo::Blob GetValidAppId() { |
| return brillo::Blob(U2F_APPID_SIZE, 30); |
| } |
| |
| brillo::SecureBlob GetValidUserSecret() { |
| return brillo::SecureBlob(U2F_USER_SECRET_SIZE, 40); |
| } |
| |
| brillo::Blob GetValidPublicKey() { |
| return brillo::Blob(U2F_EC_POINT_SIZE, 50); |
| } |
| |
| brillo::Blob GetValidKeyHandle() { |
| return brillo::Blob(U2F_V0_KH_SIZE, 60); |
| } |
| |
| brillo::Blob GetValidVersionedKeyHandle() { |
| return brillo::Blob(U2F_V1_KH_SIZE + SHA256_DIGEST_SIZE, 30); |
| } |
| |
| brillo::Blob GetValidAuthTimeSecretHash() { |
| return brillo::Blob(SHA256_DIGEST_SIZE, 30); |
| } |
| |
| brillo::Blob GetValidG2fChallenge() { |
| return brillo::Blob(U2F_CHAL_SIZE, 70); |
| } |
| |
| brillo::Blob GetValidCorpChallenge() { |
| return brillo::Blob(CORP_CHAL_SIZE, 80); |
| } |
| |
| brillo::Blob GetValidSalt() { |
| return brillo::Blob(CORP_SALT_SIZE, 90); |
| } |
| |
| MATCHER_P(RetryAction, matcher, "") { |
| if (arg.ok()) { |
| return false; |
| } |
| return ExplainMatchResult(matcher, arg->ToTPMRetryAction(), result_listener); |
| } |
| |
| } // namespace |
| |
| using BackendU2fTpm2Test = BackendTpm2TestBase; |
| |
| TEST_F(BackendU2fTpm2Test, IsEnabledCr50) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), IsGsc).WillOnce(Return(true)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().IsEnabled(), IsOkAndHolds(true)); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, IsEnabledOthers) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), IsGsc).WillOnce(Return(false)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().IsEnabled(), IsOkAndHolds(false)); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, GenerateUpOnly) { |
| const brillo::Blob kPublicKey(65, 1); |
| const brillo::Blob kKeyHandle(32, 2); |
| |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fGenerate(0, _, _, _, _, Eq(std::nullopt), _, _)) |
| .WillOnce(DoAll(SetArgPointee<6>(kPublicKey), |
| SetArgPointee<7>(kKeyHandle), |
| Return(trunks::TPM_RC_SUCCESS))); |
| |
| auto result = backend_->GetU2fTpm2().GenerateUserPresenceOnly( |
| GetStubBlob(), GetStubSecureBlob(), u2f::ConsumeMode::kNoConsume, |
| u2f::UserPresenceMode::kNotRequired); |
| ASSERT_OK(result); |
| EXPECT_EQ(result->public_key->raw(), kPublicKey); |
| EXPECT_EQ(result->key_handle, kKeyHandle); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, GenerateUpOnlyFailed) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fGenerate(0, _, _, _, _, Eq(std::nullopt), _, _)) |
| .WillOnce(Return(trunks::TPM_RC_FAILURE)); |
| |
| EXPECT_THAT( |
| backend_->GetU2fTpm2().GenerateUserPresenceOnly( |
| GetStubBlob(), GetStubSecureBlob(), u2f::ConsumeMode::kNoConsume, |
| u2f::UserPresenceMode::kNotRequired), |
| NotOkAnd(RetryAction(Eq(TPMRetryAction::kNoRetry)))); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, GenerateUpOnlyMissingUp) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fGenerate(0, _, _, _, _, Eq(std::nullopt), _, _)) |
| .WillOnce(Return(kCr50StatusNotAllowed)); |
| |
| EXPECT_THAT( |
| backend_->GetU2fTpm2().GenerateUserPresenceOnly( |
| GetStubBlob(), GetStubSecureBlob(), u2f::ConsumeMode::kNoConsume, |
| u2f::UserPresenceMode::kNotRequired), |
| NotOkAnd(RetryAction(Eq(TPMRetryAction::kUserPresence)))); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, Generate) { |
| const brillo::Blob kPublicKey(65, 1); |
| const brillo::Blob kKeyHandle(U2F_V1_KH_SIZE, 2); |
| |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fGenerate(1, _, _, _, _, Optional(_), _, _)) |
| .WillOnce(DoAll(SetArgPointee<6>(kPublicKey), |
| SetArgPointee<7>(kKeyHandle), |
| Return(trunks::TPM_RC_SUCCESS))); |
| |
| auto result = backend_->GetU2fTpm2().Generate( |
| GetStubBlob(), GetStubSecureBlob(), u2f::ConsumeMode::kNoConsume, |
| u2f::UserPresenceMode::kNotRequired, GetValidAuthTimeSecretHash()); |
| ASSERT_OK(result); |
| EXPECT_EQ(result->public_key->raw(), kPublicKey); |
| EXPECT_EQ(result->key_handle.size(), U2F_V1_KH_SIZE + SHA256_DIGEST_SIZE); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, GenerateFailed) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fGenerate(1, _, _, _, _, Optional(_), _, _)) |
| .WillOnce(Return(trunks::TPM_RC_FAILURE)); |
| |
| EXPECT_THAT( |
| backend_->GetU2fTpm2().Generate( |
| GetStubBlob(), GetStubSecureBlob(), u2f::ConsumeMode::kNoConsume, |
| u2f::UserPresenceMode::kNotRequired, GetStubBlob()), |
| NotOkAnd(RetryAction(Eq(TPMRetryAction::kNoRetry)))); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, GenerateFailedMissingUp) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fGenerate(1, _, _, _, _, Optional(_), _, _)) |
| .WillOnce(Return(kCr50StatusNotAllowed)); |
| |
| EXPECT_THAT( |
| backend_->GetU2fTpm2().Generate( |
| GetStubBlob(), GetStubSecureBlob(), u2f::ConsumeMode::kConsume, |
| u2f::UserPresenceMode::kRequired, GetStubBlob()), |
| NotOkAnd(RetryAction(Eq(TPMRetryAction::kUserPresence)))); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, GenerateFailedInvalidKeyHandle) { |
| const brillo::Blob kPublicKey(65, 1); |
| const brillo::Blob kKeyHandle(32, 2); |
| |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fGenerate(1, _, _, _, _, Optional(_), _, _)) |
| .WillOnce(DoAll(SetArgPointee<6>(kPublicKey), |
| SetArgPointee<7>(kKeyHandle), |
| Return(trunks::TPM_RC_SUCCESS))); |
| |
| EXPECT_THAT( |
| backend_->GetU2fTpm2().Generate( |
| GetStubBlob(), GetStubSecureBlob(), u2f::ConsumeMode::kNoConsume, |
| u2f::UserPresenceMode::kNotRequired, GetStubBlob()), |
| NotOkWith("Invalid U2F key handle is generated")); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, SignUpOnly) { |
| const brillo::Blob kSigR(32, 1); |
| const brillo::Blob kSigS(32, 2); |
| |
| EXPECT_CALL( |
| proxy_->GetMockTpmUtility(), |
| U2fSign(0, _, _, Eq(std::nullopt), Optional(_), false, _, _, _, _, _)) |
| .WillOnce(DoAll(SetArgPointee<9>(kSigR), SetArgPointee<10>(kSigS), |
| Return(trunks::TPM_RC_SUCCESS))); |
| |
| auto result = backend_->GetU2fTpm2().SignUserPresenceOnly( |
| GetStubBlob(), GetStubSecureBlob(), GetStubBlob(), |
| u2f::ConsumeMode::kNoConsume, u2f::UserPresenceMode::kNotRequired, |
| GetStubBlob()); |
| ASSERT_OK(result); |
| EXPECT_EQ(result->r, kSigR); |
| EXPECT_EQ(result->s, kSigS); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, SignUpOnlyFailed) { |
| EXPECT_CALL( |
| proxy_->GetMockTpmUtility(), |
| U2fSign(0, _, _, Eq(std::nullopt), Optional(_), false, _, _, _, _, _)) |
| .WillOnce(Return(trunks::TPM_RC_FAILURE)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().SignUserPresenceOnly( |
| GetStubBlob(), GetStubSecureBlob(), GetStubBlob(), |
| u2f::ConsumeMode::kNoConsume, |
| u2f::UserPresenceMode::kNotRequired, GetStubBlob()), |
| NotOkAnd(RetryAction(Eq(TPMRetryAction::kNoRetry)))); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, SignUpOnlyFailedIncorrectAuth) { |
| EXPECT_CALL( |
| proxy_->GetMockTpmUtility(), |
| U2fSign(0, _, _, Eq(std::nullopt), Optional(_), false, _, _, _, _, _)) |
| .WillOnce(Return(kCr50StatusPasswordRequired)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().SignUserPresenceOnly( |
| GetStubBlob(), GetStubSecureBlob(), GetStubBlob(), |
| u2f::ConsumeMode::kNoConsume, |
| u2f::UserPresenceMode::kNotRequired, GetStubBlob()), |
| NotOkAnd(RetryAction(Eq(TPMRetryAction::kUserAuth)))); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, Sign) { |
| const brillo::Blob kSigR(32, 1); |
| const brillo::Blob kSigS(32, 2); |
| |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fSign(1, _, _, Optional(_), Optional(_), false, _, _, _, _, _)) |
| .WillOnce(DoAll(SetArgPointee<9>(kSigR), SetArgPointee<10>(kSigS), |
| Return(trunks::TPM_RC_SUCCESS))); |
| |
| auto result = backend_->GetU2fTpm2().Sign( |
| GetStubBlob(), GetStubSecureBlob(), GetStubSecureBlob(), GetStubBlob(), |
| u2f::ConsumeMode::kNoConsume, u2f::UserPresenceMode::kNotRequired, |
| GetValidVersionedKeyHandle()); |
| ASSERT_OK(result); |
| EXPECT_EQ(result->r, kSigR); |
| EXPECT_EQ(result->s, kSigS); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, SignFailed) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fSign(1, _, _, Optional(_), Optional(_), false, _, _, _, _, _)) |
| .WillOnce(Return(trunks::TPM_RC_FAILURE)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().Sign(GetStubBlob(), GetStubSecureBlob(), |
| GetStubSecureBlob(), GetStubBlob(), |
| u2f::ConsumeMode::kNoConsume, |
| u2f::UserPresenceMode::kNotRequired, |
| GetValidVersionedKeyHandle()), |
| NotOkAnd(RetryAction(Eq(TPMRetryAction::kNoRetry)))); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, SignFailedInvalidKeyHandle) { |
| EXPECT_THAT(backend_->GetU2fTpm2().Sign( |
| GetStubBlob(), GetStubSecureBlob(), GetStubSecureBlob(), |
| GetStubBlob(), u2f::ConsumeMode::kNoConsume, |
| u2f::UserPresenceMode::kNotRequired, GetStubBlob()), |
| NotOkWith("Invalid U2F key handle")); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, SignFailedIncorrectAuth) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fSign(1, _, _, Optional(_), Optional(_), false, _, _, _, _, _)) |
| .WillOnce(Return(kCr50StatusPasswordRequired)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().Sign(GetStubBlob(), GetStubSecureBlob(), |
| GetStubSecureBlob(), GetStubBlob(), |
| u2f::ConsumeMode::kNoConsume, |
| u2f::UserPresenceMode::kNotRequired, |
| GetValidVersionedKeyHandle()), |
| NotOkAnd(RetryAction(Eq(TPMRetryAction::kUserAuth)))); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, Check) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fSign(0, _, _, Eq(std::nullopt), Eq(std::nullopt), true, false, |
| false, _, _, _)) |
| .WillOnce(Return(trunks::TPM_RC_SUCCESS)); |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fSign(1, _, _, Eq(std::nullopt), Eq(std::nullopt), true, false, |
| false, _, _, _)) |
| .WillOnce(Return(trunks::TPM_RC_SUCCESS)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().CheckUserPresenceOnly( |
| GetStubBlob(), GetStubSecureBlob(), GetStubBlob()), |
| IsOk()); |
| EXPECT_THAT(backend_->GetU2fTpm2().Check(GetStubBlob(), GetStubSecureBlob(), |
| GetValidVersionedKeyHandle()), |
| IsOk()); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, CheckFailed) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fSign(0, _, _, Eq(std::nullopt), Eq(std::nullopt), true, false, |
| false, _, _, _)) |
| .WillOnce(Return(trunks::TPM_RC_FAILURE)); |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fSign(1, _, _, Eq(std::nullopt), Eq(std::nullopt), true, false, |
| false, _, _, _)) |
| .WillOnce(Return(trunks::TPM_RC_FAILURE)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().CheckUserPresenceOnly( |
| GetStubBlob(), GetStubSecureBlob(), GetStubBlob()), |
| NotOk()); |
| EXPECT_THAT(backend_->GetU2fTpm2().Check(GetStubBlob(), GetStubSecureBlob(), |
| GetValidVersionedKeyHandle()), |
| NotOk()); |
| EXPECT_THAT(backend_->GetU2fTpm2().Check(GetStubBlob(), GetStubSecureBlob(), |
| GetStubBlob()), |
| NotOkWith("Invalid U2F key handle")); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, G2fAttest) { |
| const brillo::Blob kSigR(32, 1); |
| const brillo::Blob kSigS(32, 2); |
| |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fAttest(_, U2F_ATTEST_FORMAT_REG_RESP, |
| SizeIs(sizeof(g2f_register_msg_v0)), _, _)) |
| .WillOnce(DoAll(SetArgPointee<3>(kSigR), SetArgPointee<4>(kSigS), |
| Return(trunks::TPM_RC_SUCCESS))); |
| |
| auto result = backend_->GetU2fTpm2().G2fAttest( |
| GetValidAppId(), GetValidUserSecret(), GetValidG2fChallenge(), |
| GetValidKeyHandle(), GetValidPublicKey()); |
| ASSERT_OK(result); |
| EXPECT_EQ(result->r, kSigR); |
| EXPECT_EQ(result->s, kSigS); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, G2fAttestInvalidParams) { |
| EXPECT_THAT(backend_->GetU2fTpm2().G2fAttest( |
| GetStubBlob(), GetValidUserSecret(), GetValidG2fChallenge(), |
| GetValidKeyHandle(), GetValidPublicKey()), |
| NotOkWith("Invalid parameters")); |
| EXPECT_THAT(backend_->GetU2fTpm2().G2fAttest( |
| GetValidAppId(), GetStubSecureBlob(), GetValidG2fChallenge(), |
| GetValidKeyHandle(), GetValidPublicKey()), |
| NotOkWith("Invalid parameters")); |
| EXPECT_THAT(backend_->GetU2fTpm2().G2fAttest( |
| GetValidAppId(), GetValidUserSecret(), GetStubBlob(), |
| GetValidKeyHandle(), GetValidPublicKey()), |
| NotOkWith("Invalid parameters")); |
| EXPECT_THAT(backend_->GetU2fTpm2().G2fAttest( |
| GetValidAppId(), GetValidUserSecret(), GetValidG2fChallenge(), |
| GetStubBlob(), GetValidPublicKey()), |
| NotOkWith("Invalid parameters")); |
| EXPECT_THAT(backend_->GetU2fTpm2().G2fAttest( |
| GetValidAppId(), GetValidUserSecret(), GetValidG2fChallenge(), |
| GetValidKeyHandle(), GetStubBlob()), |
| NotOkWith("Invalid parameters")); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, G2fAttestFailed) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fAttest(_, U2F_ATTEST_FORMAT_REG_RESP, |
| SizeIs(sizeof(g2f_register_msg_v0)), _, _)) |
| .WillOnce(Return(trunks::TPM_RC_FAILURE)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().G2fAttest( |
| GetValidAppId(), GetValidUserSecret(), GetValidG2fChallenge(), |
| GetValidKeyHandle(), GetValidPublicKey()), |
| NotOk()); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, GetG2fAttestData) { |
| EXPECT_THAT(backend_->GetU2fTpm2().GetG2fAttestData( |
| GetValidAppId(), GetValidG2fChallenge(), GetValidKeyHandle(), |
| GetValidPublicKey()), |
| IsOkAnd(SizeIs(sizeof(g2f_register_msg_v0)))); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, CorpAttest) { |
| const brillo::Blob kSigR(32, 1); |
| const brillo::Blob kSigS(32, 2); |
| |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fAttest(_, CORP_ATTEST_FORMAT_REG_RESP, |
| SizeIs(sizeof(corp_register_msg_v0)), _, _)) |
| .WillOnce(DoAll(SetArgPointee<3>(kSigR), SetArgPointee<4>(kSigS), |
| Return(trunks::TPM_RC_SUCCESS))); |
| |
| auto result = backend_->GetU2fTpm2().CorpAttest( |
| GetValidAppId(), GetValidUserSecret(), GetValidCorpChallenge(), |
| GetValidKeyHandle(), GetValidPublicKey(), GetValidSalt()); |
| ASSERT_OK(result); |
| EXPECT_EQ(result->r, kSigR); |
| EXPECT_EQ(result->s, kSigS); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, CorpAttestInvalidParams) { |
| EXPECT_THAT(backend_->GetU2fTpm2().CorpAttest( |
| GetStubBlob(), GetValidUserSecret(), GetValidG2fChallenge(), |
| GetValidKeyHandle(), GetValidPublicKey(), GetValidSalt()), |
| NotOkWith("Invalid parameters")); |
| EXPECT_THAT(backend_->GetU2fTpm2().CorpAttest( |
| GetValidAppId(), GetStubSecureBlob(), GetValidG2fChallenge(), |
| GetValidKeyHandle(), GetValidPublicKey(), GetValidSalt()), |
| NotOkWith("Invalid parameters")); |
| EXPECT_THAT(backend_->GetU2fTpm2().CorpAttest( |
| GetValidAppId(), GetValidUserSecret(), GetStubBlob(), |
| GetValidKeyHandle(), GetValidPublicKey(), GetValidSalt()), |
| NotOkWith("Invalid parameters")); |
| EXPECT_THAT(backend_->GetU2fTpm2().CorpAttest( |
| GetValidAppId(), GetValidUserSecret(), GetValidG2fChallenge(), |
| GetStubBlob(), GetValidPublicKey(), GetValidSalt()), |
| NotOkWith("Invalid parameters")); |
| EXPECT_THAT(backend_->GetU2fTpm2().CorpAttest( |
| GetValidAppId(), GetValidUserSecret(), GetValidG2fChallenge(), |
| GetValidKeyHandle(), GetStubBlob(), GetValidSalt()), |
| NotOkWith("Invalid parameters")); |
| EXPECT_THAT(backend_->GetU2fTpm2().CorpAttest( |
| GetValidAppId(), GetValidUserSecret(), GetValidG2fChallenge(), |
| GetValidKeyHandle(), GetValidPublicKey(), GetStubBlob()), |
| NotOkWith("Invalid parameters")); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, CorpAttestFailed) { |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), |
| U2fAttest(_, CORP_ATTEST_FORMAT_REG_RESP, |
| SizeIs(sizeof(corp_register_msg_v0)), _, _)) |
| .WillOnce(Return(trunks::TPM_RC_FAILURE)); |
| |
| EXPECT_THAT( |
| backend_->GetU2fTpm2().CorpAttest( |
| GetValidAppId(), GetValidUserSecret(), GetValidCorpChallenge(), |
| GetValidKeyHandle(), GetValidPublicKey(), GetValidSalt()), |
| NotOk()); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, GetFipsInfoTi50) { |
| tpm_manager::GetVersionInfoReply version_info; |
| version_info.set_gsc_version(tpm_manager::GSC_VERSION_TI50); |
| EXPECT_CALL(proxy_->GetMockTpmManagerProxy(), GetVersionInfo(_, _, _, _)) |
| .WillOnce(DoAll(SetArgPointee<1>(version_info), Return(true))); |
| |
| auto info = backend_->GetU2fTpm2().GetFipsInfo(); |
| ASSERT_OK(info); |
| EXPECT_EQ(info->activation_status, u2f::FipsStatus::kActive); |
| auto level = info->certification_level; |
| ASSERT_TRUE(level.has_value()); |
| EXPECT_EQ(level->physical_certification_status, |
| u2f::FipsCertificationStatus::kNotCertified); |
| EXPECT_EQ(level->logical_certification_status, |
| u2f::FipsCertificationStatus::kNotCertified); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, GetFipsInfoCr50Active) { |
| tpm_manager::GetVersionInfoReply version_info; |
| version_info.set_gsc_version(tpm_manager::GSC_VERSION_CR50); |
| EXPECT_CALL(proxy_->GetMockTpmManagerProxy(), GetVersionInfo(_, _, _, _)) |
| .WillOnce(DoAll(SetArgPointee<1>(version_info), Return(true))); |
| |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), U2fGetFipsStatus(_)) |
| .WillOnce(DoAll(SetArgPointee<0>(true), Return(trunks::TPM_RC_SUCCESS))); |
| |
| auto info = backend_->GetU2fTpm2().GetFipsInfo(); |
| ASSERT_OK(info); |
| EXPECT_EQ(info->activation_status, u2f::FipsStatus::kActive); |
| auto level = info->certification_level; |
| ASSERT_TRUE(level.has_value()); |
| EXPECT_EQ(level->physical_certification_status, |
| u2f::FipsCertificationStatus::kLevel3); |
| EXPECT_EQ(level->logical_certification_status, |
| u2f::FipsCertificationStatus::kLevel1); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, GetFipsInfoInactive) { |
| tpm_manager::GetVersionInfoReply version_info; |
| version_info.set_gsc_version(tpm_manager::GSC_VERSION_CR50); |
| EXPECT_CALL(proxy_->GetMockTpmManagerProxy(), GetVersionInfo(_, _, _, _)) |
| .WillOnce(DoAll(SetArgPointee<1>(version_info), Return(true))); |
| |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), U2fGetFipsStatus(_)) |
| .WillOnce(DoAll(SetArgPointee<0>(false), Return(trunks::TPM_RC_SUCCESS))); |
| |
| auto info = backend_->GetU2fTpm2().GetFipsInfo(); |
| ASSERT_OK(info); |
| EXPECT_EQ(info->activation_status, u2f::FipsStatus::kNotActive); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, GetFipsInfoError) { |
| tpm_manager::GetVersionInfoReply version_info; |
| version_info.set_gsc_version(tpm_manager::GSC_VERSION_CR50); |
| EXPECT_CALL(proxy_->GetMockTpmManagerProxy(), GetVersionInfo(_, _, _, _)) |
| .WillOnce(DoAll(SetArgPointee<1>(version_info), Return(true))); |
| |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), U2fGetFipsStatus(_)) |
| .WillOnce(Return(trunks::TPM_RC_FAILURE)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().GetFipsInfo(), |
| NotOkAnd(RetryAction(Eq(TPMRetryAction::kNoRetry)))); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, ActivateFipsTi50) { |
| tpm_manager::GetVersionInfoReply version_info; |
| version_info.set_gsc_version(tpm_manager::GSC_VERSION_TI50); |
| EXPECT_CALL(proxy_->GetMockTpmManagerProxy(), GetVersionInfo(_, _, _, _)) |
| .WillOnce(DoAll(SetArgPointee<1>(version_info), Return(true))); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().ActivateFips(), IsOk()); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, ActivateFipsSuccess) { |
| tpm_manager::GetVersionInfoReply version_info; |
| version_info.set_gsc_version(tpm_manager::GSC_VERSION_CR50); |
| EXPECT_CALL(proxy_->GetMockTpmManagerProxy(), GetVersionInfo(_, _, _, _)) |
| .WillOnce(DoAll(SetArgPointee<1>(version_info), Return(true))); |
| |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), ActivateFips()) |
| .WillOnce(Return(trunks::TPM_RC_SUCCESS)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().ActivateFips(), IsOk()); |
| auto info = backend_->GetU2fTpm2().GetFipsInfo(); |
| ASSERT_OK(info); |
| EXPECT_EQ(info->activation_status, u2f::FipsStatus::kActive); |
| } |
| |
| TEST_F(BackendU2fTpm2Test, ActivateFipsError) { |
| tpm_manager::GetVersionInfoReply version_info; |
| version_info.set_gsc_version(tpm_manager::GSC_VERSION_CR50); |
| EXPECT_CALL(proxy_->GetMockTpmManagerProxy(), GetVersionInfo(_, _, _, _)) |
| .WillOnce(DoAll(SetArgPointee<1>(version_info), Return(true))); |
| |
| EXPECT_CALL(proxy_->GetMockTpmUtility(), ActivateFips()) |
| .WillOnce(Return(trunks::TPM_RC_FAILURE)); |
| |
| EXPECT_THAT(backend_->GetU2fTpm2().ActivateFips(), |
| NotOkAnd(RetryAction(Eq(TPMRetryAction::kNoRetry)))); |
| } |
| |
| } // namespace hwsec |
