nixos/tpm2: add test for #489756

2026-06-05 21:03:40 +00:00 · 2026-02-13 22:05:45 -05:00
parent 58eb783654
commit b1fb31f3d2
2 changed files with 73 additions and 0 deletions
--- a/nixos/tests/tpm2/default.nix
+++ b/nixos/tests/tpm2/default.nix
@@ -1,4 +1,5 @@
 { runTest }:
 {
  abrmd = runTest ./tpm2-abrmd.nix;
+  tpmrm = runTest ./tpm2-tpmrm.nix;
 }
--- a/nixos/tests/tpm2/tpm2-tpmrm.nix
+++ b/nixos/tests/tpm2/tpm2-tpmrm.nix
@@ -0,0 +1,72 @@
+{ lib, pkgs, ... }:
+{
+  name = "tpm2-tpmrm";
+
+  nodes.machine =
+    { config, pkgs, ... }:
+    {
+      virtualisation = {
+        mountHostNixStore = true;
+        useEFIBoot = true;
+        tpm.enable = true;
+      };
+
+      users.users = {
+        tss-user = {
+          isNormalUser = true;
+          extraGroups = [ "tss" ];
+        };
+      };
+
+      security.sudo.wheelNeedsPassword = false;
+
+      security.tpm2 = {
+        enable = true;
+        pkcs11.enable = true;
+        tctiEnvironment.enable = true;
+        fapi.ekCertLess = true;
+      };
+
+      environment.systemPackages = [
+        pkgs.tpm2-tools
+        pkgs.openssl
+      ];
+    };
+
+  testScript = ''
+    machine.start()
+    machine.wait_for_unit("multi-user.target")
+
+    with subtest("/dev/tpmrm0 has correct ownership"):
+        machine.succeed('[ `stat -c "%U" /dev/tpmrm0` = "root" ]')
+        machine.succeed('[ `stat -c "%G" /dev/tpmrm0` = "tss" ]')
+
+    with subtest("tpm2 cli works"):
+        machine.succeed('tpm2 createprimary --hierarchy=o --key-algorithm=aes256 --attributes="fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|decrypt" --key-context=owner_root_key.ctx')
+        machine.succeed('tpm2 create --parent-context=owner_root_key.ctx --key-algorithm=ecc256:ecdsa-sha256:null --attributes="fixedtpm|fixedparent|sensitivedataorigin|userwithauth|restricted|sign" --key-context=ecc_sign_key.ctx --creation-ticket=ecc_sign_key-creation_ticket.bin -f pem --output=ecc_sign_key_public.pem')
+        machine.succeed('echo "A very important message." > message.txt')
+        machine.succeed('tpm2 sign --key-context=ecc_sign_key.ctx --hash-algorithm=sha256 -f plain --signature message_signature.bin message.txt')
+        machine.succeed('openssl dgst -verify ecc_sign_key_public.pem -signature message_signature.bin message.txt')
+        machine.succeed('echo "evil addition!" >> message.txt')
+        machine.fail('openssl dgst -verify ecc_sign_key_public.pem -signature message_signature.bin message.txt')
+
+    def format_command(command, user):
+        return f"runuser -u {user} -- bash -c '{command}'"
+    def succeedu(command,user):
+        return machine.succeed(format_command(command,user))
+    def failu(command,user):
+        return machine.fail(format_command(command,user))
+
+    with subtest("tss2 cli works"):
+        machine.succeed('tss2 provision')
+        succeedu('tss2 createkey --path=HS/SRK/sign --type=sign --authValue=""',"tss-user")
+        succeedu('tss2 gettpmblobs --path=HS/SRK/sign --tpm2bPublic=$HOME/sign_key_public.bin',"tss-user")
+        succeedu('tpm2 print -t TPM2B_PUBLIC -f pem $HOME/sign_key_public.bin > $HOME/sign_key_public.pem',"tss-user")
+        succeedu('echo "A very important message." > $HOME/message.txt',"tss-user")
+        succeedu('tpm2 hash --hash-algorithm=sha256 --output=$HOME/message_hash.bin $HOME/message.txt',"tss-user")
+        succeedu('tss2 sign --keyPath=HS/SRK/sign --digest=$HOME/message_hash.bin --signature=$HOME/message_signature.bin',"tss-user")
+        succeedu('openssl dgst -verify $HOME/sign_key_public.pem -signature $HOME/message_signature.bin $HOME/message.txt',"tss-user")
+        succeedu('echo "evil addition!" >> $HOME/message.txt',"tss-user")
+        failu('openssl dgst -verify $HOME/sign_key_public.pem -signature $HOME/message_signature.bin $HOME/message.txt',"tss-user")
+  '';
+}