regtest: Add userWithAuth CLEAR to unseal tests

The samples should clear userWithAuth when a policy is used, since that's a more likely use case. When using a policy, typically a password session should fail. Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
kgoldman · Feb 5, 2024 · c270b7c · c270b7c
1 parent ba86327
commit c270b7c
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 10 deletions.
diff --git a/utils/regtests/testunseal.bat b/utils/regtests/testunseal.bat
@@ -4,7 +4,7 @@ REM #			TPM2 regression test					#
 REM #			     Written by Ken Goldman				#
 REM #		       IBM Thomas J. Watson Research Center			#
 REM #										#
-REM # (c) Copyright IBM Corporation 2015 - 2023					#
+REM # (c) Copyright IBM Corporation 2015 - 2024					#
 REM # 										#
 REM # All rights reserved.							#
 REM # 										#
@@ -117,7 +117,7 @@ IF !ERRORLEVEL! NEQ 0 (
 )
 
 echo "Create a sealed data object with policysecret platform auth under primary key"
-%TPM_EXE_PATH%create -hp 80000000 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policysecretp.bin > run.out
+%TPM_EXE_PATH%create -hp 80000000 -bl -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policysecretp.bin > run.out
 IF !ERRORLEVEL! NEQ 0 (
     exit /B 1
 )
@@ -229,7 +229,7 @@ echo ""
 for %%H in (%ITERATE_ALGS%) do (
 
     echo "Create a sealed data object %%H"
-    %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr16aaa%%H.bin > run.out
+    %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr16aaa%%H.bin > run.out
     IF !ERRORLEVEL! NEQ 0 (
         exit /B 1
     )
@@ -378,7 +378,7 @@ echo ""
 for %%H in (%ITERATE_ALGS%) do (
 
     echo "Create a sealed data object %%H"
-    %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr1623aaa%%H.bin > run.out
+    %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr1623aaa%%H.bin > run.out
     IF !ERRORLEVEL! NEQ 0 (
         exit /B 1
     )
@@ -541,7 +541,7 @@ for %%H in (%ITERATE_ALGS%) do (
     REM # with Name of authorizing key
 
     echo "Create a sealed data object %%H"
-    %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -if msg.bin -pol policies/policyauthorize%%H.bin > run.out
+    %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto -if msg.bin -pol policies/policyauthorize%%H.bin > run.out
     IF !ERRORLEVEL! NEQ 0 (
         exit /B 1
     )
@@ -625,6 +625,12 @@ for %%H in (%ITERATE_ALGS%) do (
         exit /B 1
     )
 
+    echo "Unseal the data blob using a password session, userWithAuth CLEAR, should fail"
+    %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin > run.out
+    IF !ERRORLEVEL! EQU 0 (
+        exit /B 1
+    )
+
     echo "Unseal the data blob using the policy session"
     %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
     IF !ERRORLEVEL! NEQ 0 (

diff --git a/utils/regtests/testunseal.sh b/utils/regtests/testunseal.sh
@@ -7,7 +7,7 @@
 #			     Written by Ken Goldman				#
 #		       IBM Thomas J. Watson Research Center			#
 #										#
-# (c) Copyright IBM Corporation 2015 - 2020					#
+# (c) Copyright IBM Corporation 2015 - 2024					#
 # 										#
 # All rights reserved.								#
 # 										#
@@ -102,7 +102,7 @@ ${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
 checkSuccess $?
 
 echo "Create a sealed data object with policysecret platform auth under primary key"
-${PREFIX}create -hp 80000000 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policysecretp.bin > run.out
+${PREFIX}create -hp 80000000 -bl -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policysecretp.bin > run.out
 checkSuccess $?
 
 echo "Load the sealed data object under primary key"
@@ -195,7 +195,7 @@ for HALG in ${ITERATE_ALGS}
 do
 
     echo "Create a sealed data object ${HALG}"
-    ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr16aaa${HALG}.bin > run.out
+    ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr16aaa${HALG}.bin > run.out
     checkSuccess $?
 
     echo "Load the sealed data object"
@@ -317,7 +317,7 @@ for HALG in ${ITERATE_ALGS}
 do
 
     echo "Create a sealed data object ${HALG}"
-    ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr1623aaa${HALG}.bin > run.out
+    ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr1623aaa${HALG}.bin > run.out
     checkSuccess $?
 
     echo "Load the sealed data object"
@@ -456,7 +456,7 @@ do
     # with Name of authorizing key
 
     echo "Create a sealed data object ${HALG}"
-    ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -if msg.bin -pol policies/policyauthorize${HALG}.bin > run.out
+    ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto -if msg.bin -pol policies/policyauthorize${HALG}.bin > run.out
     checkSuccess $?
 
     # Once per new PCR approved values, authorizing PCRs in policy${HALG}.bin
@@ -516,6 +516,10 @@ do
     ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
     checkSuccess $?
 
+    echo "Unseal the data blob using a password session, userWithAuth CLEAR, should fail"
+    ${PREFIX}unseal -ha 80000001 -of tmp.bin > run.out
+    checkFailure $?
+
     echo "Unseal the data blob using the policy session"
     ${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
     checkSuccess $?