authorDan Streetman <ddstreet@ieee.org>2023-07-25 02:04:28 +0200
committerDan Streetman <ddstreet@ieee.org>2023-11-07 18:29:36 +0100
commit803e95932f8c749c7ec6fa00440c1a268af1d1f5 (patch)
tree43b3c11cfee743df953995214039a4dbb04f700d
parenttest: fix env var name of persistent handle used for testing so it is removed... (diff)
test: update TEST-70 with systemd-cryptenroll calculated TPM2 enrollment
Update test to check systemd-cryptenroll --tpm2-device-key= enrollment.
-rwxr-xr-xtest/TEST-70-TPM2/test.sh3
-rwxr-xr-xtest/units/testsuite-70.cryptsetup.sh10
2 files changed, 11 insertions, 2 deletions
diff --git a/test/TEST-70-TPM2/test.sh b/test/TEST-70-TPM2/test.sh
index 3b3cce9154..c33e71cc06 100755
--- a/test/TEST-70-TPM2/test.sh
+++ b/test/TEST-70-TPM2/test.sh
@@ -11,7 +11,7 @@ TEST_REQUIRE_INSTALL_TESTS=0
# shellcheck source=test/test-functions
. "${TEST_BASE_DIR:?}/test-functions"
-test_require_bin openssl swtpm tpm2_createprimary tpm2_dictionarylockout tpm2_evictcontrol tpm2_flushcontext tpm2_pcrextend tpm2_pcrread
+test_require_bin openssl swtpm tpm2_createprimary tpm2_dictionarylockout tpm2_evictcontrol tpm2_flushcontext tpm2_pcrextend tpm2_pcrread tpm2_readpublic
test_append_files() {
local workspace="${1:?}"
@@ -31,6 +31,7 @@ test_append_files() {
inst_binary tpm2_flushcontext
inst_binary tpm2_pcrextend
inst_binary tpm2_pcrread
+ inst_binary tpm2_readpublic
}
do_test "$@"
diff --git a/test/units/testsuite-70.cryptsetup.sh b/test/units/testsuite-70.cryptsetup.sh
index 3c09bd73b6..a1c6035e45 100755
--- a/test/units/testsuite-70.cryptsetup.sh
+++ b/test/units/testsuite-70.cryptsetup.sh
@@ -131,7 +131,15 @@ if tpm_has_pcr sha256 12; then
systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
systemd-cryptsetup detach test-volume
- rm -f /tmp/pcr.dat
+ # enroll TPM using device key instead of direct access, then verify unlock using TPM
+ tpm2_pcrread -Q -o /tmp/pcr.dat sha256:12
+ CURRENT_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12)
+ tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub
+ PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE"
+ systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1
+ systemd-cryptsetup detach test-volume
+
+ rm -f /tmp/pcr.dat /tmp/srk.pub
fi
# Use default (0) seal key handle
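Review bot: The `tpm2_pcrread -Q -o /tmp/pcr.dat sha256:12` line added in this hunk writes a file that nothing in the hunk reads — the enrollment takes its PCR value from `CURRENT_PCR_VALUE`, read from sysfs on the next line — so unless `/tmp/pcr.dat` is consumed outside the hunk it can be dropped along with its entry in the final `rm -f`. The persistent handle `0x81000001` passed to `tpm2_readpublic` is hard-coded here; the parent commit suggests the test already carries that handle in a variable, and reusing it would keep the device-key path in step with the direct-access path if the handle ever changes. Since this new path enrolls from the exported SRK public key without talking to the TPM, it would be worth a short negative check after the successful attach, e.g. re-enrolling with a deliberately wrong PCR value and asserting that `systemd-cryptsetup attach` fails, so the test proves the PCR policy is actually bound and not just that the public key was accepted. The enclosing `if tpm_has_pcr sha256 12; then` block starts before the hunk.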