diff --git a/.github/workflows/integrations.yml b/.github/workflows/integrations.yml
index a9c22e27f9f..27a4c269391 100644
--- a/.github/workflows/integrations.yml
+++ b/.github/workflows/integrations.yml
@@ -20,6 +20,16 @@ jobs:
 - name: Run integration build
 run: |
 ./tests/ci/integration/run_haproxy_integration.sh
+ tpm2-tss:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Install OS Dependencies
+ run: |
+ sudo apt-get update && sudo apt-get -y --no-install-recommends install cmake gcc ninja-build golang make
+ - uses: actions/checkout@v3
+ - name: Run integration build
+ run: |
+ ./tests/ci/integration/run_tpm2_tss_integration.sh
 grpc:
 env:
 DEBIAN_FRONTEND: noninteractive
diff --git a/tests/ci/integration/run_tpm2_tss_integration.sh b/tests/ci/integration/run_tpm2_tss_integration.sh
new file mode 100755
index 00000000000..058745935ac
--- /dev/null
+++ b/tests/ci/integration/run_tpm2_tss_integration.sh
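Review bot: The "Install OS Dependencies" step only installs cmake, gcc, ninja-build, golang and make, yet the script it runs calls `./bootstrap` and `./configure --enable-unit` on tpm2-tss, whose autotools build, FAPI layer and unit tests need autoconf/automake/libtool, pkg-config, json-c and cmocka as well. If those are expected to come from the ubuntu-latest image, a comment on the step saying so would make the job easier to keep working when the image changes; otherwise they belong on the install line. `actions/checkout@v3` is referenced by tag; pinning the action to a commit SHA is the usual hardening for a job that builds and executes third-party sources, assuming the other jobs in this workflow (outside the hunk) are not deliberately kept on tags.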
@@ -0,0 +1,73 @@
+#!/bin/bash -exu
+#
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+#
+
+source tests/ci/common_posix_setup.sh
+
+# Set up environment.
+
+# SYS_ROOT
+# |
+# - SRC_ROOT(aws-lc)
+# |
+# - SCRATCH_FOLDER
+# |
+# - tpm2_tss_patch
+# - AWS_LC_BUILD_FOLDER
+# - AWS_LC_INSTALL_FOLDER
+# - CURL_BUILD_FOLDER
+# - CURL_INSTALL_FOLDER
+
+# Assumes script is executed from the root of aws-lc directory
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+SCRATCH_FOLDER=${SYS_ROOT}/"TPM2_TSS_SCRATCH"
+TPM2_TSS_SRC_FOLDER="${SCRATCH_FOLDER}/tpm2-tss"
+AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
+AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"
+CURL_SRC_FOLDER="${SCRATCH_FOLDER}/curl"
+CURL_BUILD_FOLDER="${SCRATCH_FOLDER}/curl-build"
+CURL_INSTALL_FOLDER="${SCRATCH_FOLDER}/curl-install"
+
+mkdir -p "${SCRATCH_FOLDER}"
+rm -rf "${SCRATCH_FOLDER:?}"/*
+
+pushd "${SCRATCH_FOLDER}"
+
+function curl_build() {
+ cmake -DCMAKE_DEBUG_POSTFIX='' -DCMAKE_BUILD_TYPE=Debug -DCMAKE_PREFIX_PATH="${AWS_LC_INSTALL_FOLDER}" -DCMAKE_INSTALL_PREFIX="${CURL_INSTALL_FOLDER}" -B "${CURL_BUILD_FOLDER}" -S "${CURL_SRC_FOLDER}"
+ cmake --build "${CURL_BUILD_FOLDER}" --target install -j "${NUM_CPU_THREADS}"
+ ldd "${CURL_INSTALL_FOLDER}/lib/libcurl.so" | grep "${AWS_LC_INSTALL_FOLDER}/lib/libcrypto.so" || exit 1
+}
+
+function tpm2_tss_build() {
+ git apply "${SCRIPT_DIR}/tpm2_tss_patch/aws-lc-tpm2-tss.patch"
+ export PKG_CONFIG_PATH="${AWS_LC_INSTALL_FOLDER}/lib/pkgconfig:${CURL_INSTALL_FOLDER}/lib/pkgconfig"
+ /bin/sh ./bootstrap
+ ./configure --enable-unit --with-crypto=ossl CFLAGS="-g -ggdb -O0 -I\"${AWS_LC_INSTALL_FOLDER}\"/include -I\"${CURL_INSTALL_FOLDER}\"/include -L\"${AWS_LC_INSTALL_FOLDER}\"/lib -L\"${CURL_INSTALL_FOLDER}\"/lib" LT_SYS_LIBRARY_PATH="${LD_LIBRARY_PATH}"
+ make -j "${NUM_CPU_THREADS}" all VERBOSE=1
+ make -j "${NUM_CPU_THREADS}" check VERBOSE=1
+ ldd "${TPM2_TSS_SRC_FOLDER}/test/unit/.libs/fapi-get-web-cert" | grep "${AWS_LC_INSTALL_FOLDER}/lib/libcrypto.so" || exit 1
+}
+
+# Get latest curl and tpm2-tss
+git clone https://github.com/curl/curl.git "${CURL_SRC_FOLDER}"
+git clone https://github.com/tpm2-software/tpm2-tss.git "${TPM2_TSS_SRC_FOLDER}"
+mkdir -p "${AWS_LC_BUILD_FOLDER}" "${AWS_LC_INSTALL_FOLDER}" "${CURL_BUILD_FOLDER}" "${CURL_INSTALL_FOLDER}"
+ls
+
+aws_lc_build "${SRC_ROOT}" "${AWS_LC_BUILD_FOLDER}" "${AWS_LC_INSTALL_FOLDER}" -DBUILD_TESTING=OFF -DBUILD_SHARED_LIBS=1 -DCMAKE_BUILD_TYPE=RelWithDebInfo
+export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:${AWS_LC_INSTALL_FOLDER}/lib/"
+
+curl_build
+
+export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:${CURL_INSTALL_FOLDER}/lib/"
+
+pushd "${TPM2_TSS_SRC_FOLDER}"
+tpm2_tss_build
+popd
+
+popd
+
+
diff --git a/tests/ci/integration/tpm2_tss_patch/aws-lc-tpm2-tss.patch b/tests/ci/integration/tpm2_tss_patch/aws-lc-tpm2-tss.patch
new file mode 100644
index 00000000000..a190d91d5e7
--- /dev/null
+++ b/tests/ci/integration/tpm2_tss_patch/aws-lc-tpm2-tss.patch
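Review bot: `export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:${AWS_LC_INSTALL_FOLDER}/lib/"` and the later curl export produce a leading empty component whenever the variable is unset (the usual state on a CI runner), and the glibc loader treats an empty element as the current working directory, so the tpm2-tss binaries, `make check` and the two `ldd` checks would also resolve libcrypto.so from the scratch and source trees; the pre-existing entries also sort before the new ones, so an existing libcrypto.so on the path would win over the AWS-LC build (the `ldd | grep` check would then fail rather than pass silently). `export LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"`, with the same shape for `${CURL_INSTALL_FOLDER}/lib`, avoids the empty component and puts the freshly built libraries first. The two `git clone` calls build and execute whatever upstream HEAD contains at run time, and the `git apply` of the fixed patch in tpm2_tss_build will break as soon as upstream drifts; cloning a pinned tag or commit, or at least logging `git rev-parse HEAD` for each checkout, would keep failures reproducible. The directory sketch in the header lists tpm2_tss_patch under SCRATCH_FOLDER although it is read from `${SCRIPT_DIR}`, and omits the tpm2-tss and curl source folders the script creates.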
@@ -0,0 +1,122 @@ +From 582d4fe349c89fd2cfbd66957c472b7c687eb429 Mon Sep 17 00:00:00 2001 +From: Justin W Smith <103147162+justsmth@users.noreply.github.com> +Date: Fri, 15 Dec 2023 15:27:22 -0500 +Subject: [PATCH] Minor fixes for AWS-LC + +--- + src/tss2-esys/esys_crypto_ossl.c | 4 +++- + src/tss2-fapi/ifapi_curl.c | 6 +++--- + src/tss2-fapi/ifapi_get_web_cert.c | 1 + + test/unit/fapi-eventlog.c | 8 +++++--- + 4 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c +index 1620788c..2924638a 100644 +--- a/src/tss2-esys/esys_crypto_ossl.c ++++ b/src/tss2-esys/esys_crypto_ossl.c +@@ -8,6 +8,8 @@ + #include + #endif + ++#include ++#include + #include + #include + #include +@@ -751,7 +753,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key, + "Could not duplicate OAEP label", cleanup); + } + +- if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, label_copy, strlen(label_copy)+1)) { ++ if (1 != EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, (uint8_t*)label_copy, strlen(label_copy)+1)) { + OPENSSL_free(label_copy); + goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, + "Could not set RSA label.", cleanup); +diff --git a/src/tss2-fapi/ifapi_curl.c b/src/tss2-fapi/ifapi_curl.c +index ca4c95e7..b9ee5523 100644 +--- a/src/tss2-fapi/ifapi_curl.c ++++ b/src/tss2-fapi/ifapi_curl.c +@@ -77,13 +77,13 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl) + int curl_rc; + + *crl = NULL; +- for (int i = 0; i < sk_DIST_POINT_num(dist_points); i++) ++ for (size_t i = 0; i < sk_DIST_POINT_num(dist_points); i++) + { + DIST_POINT *dp = sk_DIST_POINT_value(dist_points, i); + DIST_POINT_NAME *distpoint = dp->distpoint; + if (distpoint->type==0) + { +- for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) ++ for (size_t j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) + { + GENERAL_NAME *gen_name = sk_GENERAL_NAME_value(distpoint->name.fullname, j); + ASN1_IA5STRING *asn1_str = 
gen_name->d.uniformResourceIdentifier; +@@ -147,7 +147,7 @@ ifapi_curl_verify_ek_cert( + X509_STORE_CTX *ctx = NULL; + X509_CRL *crl_intermed = NULL; + X509_CRL *crl_ek = NULL; +- int i; ++ size_t i; + size_t ui; + AUTHORITY_INFO_ACCESS *info = NULL; + ASN1_IA5STRING *uri = NULL; +diff --git a/src/tss2-fapi/ifapi_get_web_cert.c b/src/tss2-fapi/ifapi_get_web_cert.c +index d06e8d81..b03dbf6e 100644 +--- a/src/tss2-fapi/ifapi_get_web_cert.c ++++ b/src/tss2-fapi/ifapi_get_web_cert.c +@@ -10,6 +10,7 @@ + #include + + #include ++#include + #include + #include + #include +diff --git a/test/unit/fapi-eventlog.c b/test/unit/fapi-eventlog.c +index 1063eecd..7ce7db40 100644 +--- a/test/unit/fapi-eventlog.c ++++ b/test/unit/fapi-eventlog.c +@@ -138,6 +138,7 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size, + uint8_t *eventlog; + size_t size; + json_object *json_event_list = NULL; ++#if HAVE_EVP_SM3 + size_t n_pcrs; + IFAPI_PCR_REG pcrs[TPM2_MAX_PCRS]; + +@@ -158,19 +159,20 @@ check_eventlog_pcr0(const char *file, uint32_t *pcr_list, size_t pcr_list_size, + .buffer = { 0x15, 0xf4, 0xe6, 0xca, 0x45, 0x7d, 0x1a, 0xf6, 0xbc, 0x49, + 0x51, 0x1a, 0x93, 0xba, 0x35, 0x00, 0xad, 0x69, 0xac, 0xc5 }, + }; +- ++#endif + /* Read file to get file size for comparison. 
*/ + eventlog = file_to_buffer(file, &size); + assert_non_null(eventlog); + + r = ifapi_get_tcg_firmware_event_list(file, pcr_list, pcr_list_size, &json_event_list); + assert_int_equal (r, TSS2_RC_SUCCESS); +- ++#if HAVE_EVP_SM3 + r = ifapi_calculate_pcrs(json_event_list, &pcr_selection, &pcrs[0], &n_pcrs); + assert_int_equal (r, TSS2_RC_SUCCESS); + + /* Compare with the pcr0 value got from system with HCRTM events */ + assert_true(!memcmp(&expected_pcr0.buffer[0], &pcrs[0].value.buffer[0], 20)); ++#endif + + json_object_put(json_event_list); + SAFE_FREE(eventlog); +@@ -180,7 +182,7 @@ static void + check_bios_hcrtm(void **state) + { + +-#ifdef __FreeBSD__ ++#ifndef HAVE_EVP_SM3 + /* Free BSD does not support SM3 hashalg */ + skip(); + #endif +-- +2.39.2 (Apple Git-143) +
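Review bot: In the check_bios_hcrtm hunk the guard changes from `#ifdef __FreeBSD__` to `#ifndef HAVE_EVP_SM3`, but the comment it protects still reads `/* Free BSD does not support SM3 hashalg */`; it should describe the new condition, e.g. `/* Skip when the crypto library does not provide SM3 (e.g. AWS-LC) */`. The same test file now mixes `#if HAVE_EVP_SM3` (evaluates as 0 when the macro is undefined, and warns under -Wundef) with `#ifndef HAVE_EVP_SM3`; using `#ifdef`/`#ifndef` throughout is clearer. The `int` to `size_t` loop-index change in get_crl_from_cert is right for AWS-LC, where `sk_*_num` returns size_t, but against OpenSSL those functions return int and -1 for a NULL stack, which the unsigned comparison would turn into a very large bound; that is acceptable for a CI-only patch but deserves a line in the patch description so it is not carried upstream as-is. The enclosing functions (get_crl_from_cert, ifapi_curl_verify_ek_cert, check_eventlog_pcr0, check_bios_hcrtm) all start or end outside these nested hunks.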