Add some example binaries #55
Conversation
This adds some example binaries which are useful for manual testing: - activate-volume: An example that makes use of ActivateVolumeWithTPMSealedKey and ActivateVolumeWithRecoveryKey. - change-pin: An example that makes use of ChangePIN. - provision-status: An example that makes use of ProvisionStatus. - provision-tpm: An example that makes use of ProvistionTPM. - seal-key: An example that makes use of SealKeyToTPM to seal a key to PCR7 on Ubuntu classic systems. - unseal-key: An example that makes use of SealedKeyObject.UnsealFromTPM.
chrisccoulson
force-pushed
the
add-examples
branch
from
4904e98 to
22485bd
Compare
There was a problem hiding this comment.
Thanks Chris. It's always nice to have examples for the most important operations. I left a few notes and comments but all the example files are functional and accomplish their goals (even if the fprintf/return 1 pattern feels a bit C-ish). There's also a question about the expected value of the provisioning status after a TPM clear since my Lenovo machine and swtpm behave differently in this situation.
| "github.com/snapcore/secboot" | ||
| ) | ||
|
|
||
| func run() int { |
There was a problem hiding this comment.
I think it would be more idiomatic to return an error instead of the OS error code directly, printing the error message and exiting with the appropriate code in main().
| recoveryTries := 1 | ||
| var activateOptions []string | ||
|
|
||
| if len(args) >= 5 && args[4] != "" && args[4] != "-" && args[4] != "none" { |
There was a problem hiding this comment.
This command line argument parsing looks familiar, possibly the same one used in the old unlock utility? :)
| authReader = f | ||
| } | ||
|
|
||
| if !forceRecovery { |
There was a problem hiding this comment.
Instead of the if/else we could invert the test, process the forced recovery and exit, leaving the non-forced in the normal execution flow.
| fmt.Println("** ERROR: TPM does not have a valid EK **") | ||
| } | ||
|
|
||
| if status&secboot.AttrDAParamsOK > 0 { |
There was a problem hiding this comment.
I noticed that on my Lenovo test machine the DA parameters stay configured after clearing the TPM, or at least its status attribute is the only one that remains enabled. Is that a normal/expected TPM behavior? In swtpm all attributes are unset.
| args := flag.Args() | ||
|
|
||
| if requestClear { | ||
| if err := secboot.RequestTPMClearUsingPPI(); err != nil { |
There was a problem hiding this comment.
In the Lenovo test machine we see a "Press F12 to clear the TPM" message in the next boot. I wonder how embedded headless systems handle this request.
This adds some example binaries which are useful for manual testing:
and ActivateVolumeWithRecoveryKey.
on Ubuntu classic systems.