import ../make-test-python.nix (
  { lib, pkgs, ... }:

  let
    # OpenSSL extension profile for a mock TPM Endorsement Key (EK)
    # certificate: an end-entity cert (CA:FALSE), keyEncipherment only, and a
    # SubjectAltName carrying the TPM manufacturer/model/version triple as a
    # directoryName, which is how the TCG EK profile identifies the device.
    # NOTE(review): the model value below has no closing quote. OpenSSL's
    # config parser strips the opening quote and takes the rest of the line,
    # so the encoded string should still be ST33HTPHAHD4 — TODO confirm.
    ekExtensions = pkgs.writeText "ek-sign.cnf" ''
      [ tpm_policy ]
      basicConstraints = CA:FALSE

      keyUsage = keyEncipherment
      certificatePolicies = 2.23.133.2.1
      extendedKeyUsage = 2.23.133.8.1

      subjectAltName = ASN1:SEQUENCE:dirname_tpm

      [ dirname_tpm ]
      seq = EXPLICIT:4,SEQUENCE:dirname_tpm_seq

      [ dirname_tpm_seq ]
      set = SET:dirname_tpm_set

      [ dirname_tpm_set ]
      seq.1 = SEQUENCE:dirname_tpm_seq_manufacturer
      seq.2 = SEQUENCE:dirname_tpm_seq_model
      seq.3 = SEQUENCE:dirname_tpm_seq_version

      # We're going to mock up an STM TPM here
      [dirname_tpm_seq_manufacturer]
      oid = OID:2.23.133.2.1
      str = UTF8:"id:53544D20"

      [dirname_tpm_seq_model]
      oid = OID:2.23.133.2.2
      str = UTF8:"ST33HTPHAHD4

      [dirname_tpm_seq_version]
      oid = OID:2.23.133.2.3
      str = UTF8:"id:00010101"
    '';

    # Shell run once against the virtual TPM before the VM boots. It creates
    # the RSA EK, issues a certificate for that key with the test CA, and
    # stores the DER in the NV index the TCG EK Credential Profile reserves
    # for the RSA EK certificate (0x01c00002), sized exactly to the file.
    #
    # ./ca.priv is interpolated into the Nix store, i.e. it becomes world
    # readable on the build host and in the VM image; that is acceptable
    # only because this CA is a throwaway test fixture.
    provisionEk = ''
      export PATH=${lib.makeBinPath [ pkgs.openssl ]}:$PATH

      tpm2_createek -G rsa -u ek.pub -c ek.ctx -f pem

      # Sign a certificate
      # Pretend we're an STM TPM
      openssl x509 \
        -extfile ${ekExtensions} \
        -new -days 365 \
        \
        -subj "/CN=this.is.required.but.it.should.not/" \
        -extensions tpm_policy \
        \
        -CA ${./ca.crt} -CAkey ${./ca.priv} \
        \
        -out device.der -outform der \
        -force_pubkey ek.pub

      # Create a nvram slot for the certificate, and we need the size
      # to precisely match the length of the certificate we're going to
      # put in.
      tpm2_nvdefine 0x01c00002 \
        -C o \
        -a "ownerread|policyread|policywrite|ownerwrite|authread|authwrite" \
        -s "$(wc -c device.der| cut -f 1 -d ' ')"

      tpm2_nvwrite 0x01c00002 -C o -i device.der
    '';
  in
  {
    name = "tpm-ek";

    meta.maintainers = with lib.maintainers; [ baloo ];

    # Single guest with the TPM userland and the TCTI environment enabled so
    # tpm2_* tools in the test script reach the virtual TPM without flags.
    nodes.machine = {
      environment.systemPackages = with pkgs; [
        openssl
        tpm2-tools
      ];

      security.tpm2 = {
        enable = true;
        tctiEnvironment.enable = true;
      };

      virtualisation.tpm = {
        enable = true;
        provisioning = provisionEk;
      };
    };

    # Reads the certificate back out of NV, dumps it for the log, and checks
    # that it chains to the test CA.
    # NOTE(review): only the signature chain is verified; nothing here checks
    # that the certificate's public key matches the EK the TPM actually
    # holds — TODO consider adding that comparison.
    testScript = ''
      start_all()
      machine.wait_for_unit("multi-user.target")

      machine.succeed('tpm2_nvread 0x01c00002 | openssl x509 -inform der -out /tmp/ek.pem')
      print(machine.succeed('openssl x509 -in /tmp/ek.pem -text'))
      machine.succeed('openssl verify -CAfile ${./ca.crt} /tmp/ek.pem')
    '';
  }
)