Skip to content

fix: correct policy test flows and policysigned auth session handling#27

Merged
hyperfinitism merged 2 commits intomainfrom
fix/policy-tests-and-policysigned-auth
Apr 6, 2026
Merged

fix: correct policy test flows and policysigned auth session handling#27
hyperfinitism merged 2 commits intomainfrom
fix/policy-tests-and-policysigned-auth

Conversation

@hyperfinitism
Copy link
Copy Markdown
Owner

@hyperfinitism hyperfinitism commented Apr 5, 2026
edited
Loading

This pull request introduces several new integration tests improving robustness and test coverage.

To work around a bug present in the upstream tss-esapi, this PR also modifies the PolicySigned command to use raw Esys FFI calls directly. I have already submitted a pull request with a fix to the upstream. Once this patch is merged into the upstream, one can safely remove the workaround and use the wrapper again.

Test Coverage

Of the 106 subcommands, 95 are tested. Test coverage is measured using llvm-cov v0.8.5:

cargo llvm-cov
  • Function: 43.61% (280/642)
  • Line: 63.74% (3616/5673)
  • Region: 59.25% (6398/10799)

@hyperfinitism @claude
test: reorganize tests on policy workflows and enhance coverage
60c4fc6 
- Delete policy_workflows.rs and redistribute its tests:
  - Move policynv tests (eq, neq, ult variants) into session_policy.rs
  - Move parameter encryption tests into new parameter_encryption.rs
  - Remove comments on unimplemented tests for getsessionauditdigest
- Add missing policy subcommand tests to session_policy.rs:
  - policycphash (trial session with cpHash digest)
  - policynamehash (trial session with nameHash digest)
  - policytemplate (trial session with templateHash digest)
  - policyduplicationselect (trial session with synthetic TPM names)
  - policyauthorizenv (policy session with NV-stored policy)
  - policyauthorize (full workflow: sign policy, verify, authorize)
  - policysigned (trial session with signing key)
- Add new test files for previously untested subcommands:
  - context.rs: contextsave/contextload roundtrip and readpublic verification
  - sequence.rs: hashsequencestart/hmacsequencestart/sequenceupdate/
    sequencecomplete with single-shot hash/hmac comparison
  - duplicate_import.rs: verify duplicate fails on fixedTPM/fixedParent keys

- Extend hierarchy.rs with setcommandauditstatus and pcrallocate tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Takuma IMAMURA <209989118+hyperfinitism@users.noreply.github.com>
@hyperfinitism hyperfinitism requested a review from Copilot April 5, 2026 16:14
@hyperfinitism hyperfinitism self-assigned this Apr 5, 2026
@hyperfinitism hyperfinitism added bug Something isn't working enhancement New feature or request ci/cd CI/CD related items labels Apr 5, 2026
gemini-code-assist[bot]
gemini-code-assist bot reviewed Apr 5, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the policysigned command to utilize raw ESYS FFI calls via RawEsysContext and significantly expands the integration test suite, adding coverage for context management, hierarchy control, parameter encryption, and numerous policy subcommands. Review feedback identifies the use of unstable 'let chains' and potential memory leaks if I/O operations fail before allocated ESYS pointers are freed. Additionally, it is noted that input data for TPM buffers is currently subject to silent truncation, which should be addressed with proper length validation.

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Apr 5, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b7b4e41600

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 5, 2026
View reviewed changes
src/cmd/policysigned.rs
if let Some(ref path) = self.ticket_out
&& !ticket_ptr.is_null()
{
let ticket = &*ticket_ptr;

Check failure

Code scanning / CodeQL

Access of invalid pointer High

This operation dereferences a pointer that may be
invalid
Loading
.

Copilot Autofix

AI 6 days ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

Copilot AI reviewed Apr 5, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves the integration-test coverage for TPM session/policy and related command flows, and updates the policysigned CLI command to use raw ESYS FFI calls as a workaround for an upstream tss-esapi issue.

Changes:

  • Expanded and reorganized integration tests for policy subcommands (including policysigned), plus added new test modules for sequences, context save/load, parameter encryption, and duplicate/import failure cases.
  • Added new hierarchy/admin integration tests (setcommandauditstatus, pcrallocate).
  • Reimplemented PolicySigned command execution using raw ESYS FFI via RawEsysContext.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
tests/session_policy.rs Adds many policy subcommand integration tests and updates the module doc coverage list.
tests/sequence.rs New integration tests for hash/HMAC sequence start/update/complete flows.
tests/policy_workflows.rs Removes the previous combined workflow tests (content moved/split into other files).
tests/parameter_encryption.rs New integration tests for encrypted HMAC sessions (getrandom + nvwrite/nvread).
tests/hierarchy.rs Adds integration tests for command audit status and PCR allocation.
tests/duplicate_import.rs New negative tests ensuring duplicate fails on non-duplicatable keys.
tests/context.rs New integration tests for contextsave/contextload roundtrips.
src/cmd/policysigned.rs Switches PolicySigned implementation from tss-esapi wrapper to raw ESYS FFI calls.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 6, 2026
View reviewed changes
src/cmd/policysigned.rs

info!("policy signed succeeded");
let timeout_data = if !timeout_ptr.is_null() {
let t = &*timeout_ptr;

Check failure

Code scanning / CodeQL

Access of invalid pointer High

This operation dereferences a pointer that may be
invalid
Loading
.

Copilot Autofix

AI 6 days ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

src/cmd/policysigned.rs
anyhow::bail!("Esys_PolicyGetDigest failed: 0x{rc:08x}");
}
let data = if !digest_ptr.is_null() {
let d = &*digest_ptr;

Check failure

Code scanning / CodeQL

Access of invalid pointer High

This operation dereferences a pointer that may be
invalid
Loading
.

Copilot Autofix

AI 6 days ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

@hyperfinitism hyperfinitism force-pushed the fix/policy-tests-and-policysigned-auth branch from e572fba to fc6abb2 Compare April 6, 2026 12:28
@hyperfinitism
fix(policysigned): use raw ESYS FFI to avoid an upstream bug
35c3fb2 
The tss-esapi wrapper's policy_signed() calls required_session_1() which
forces callers to set an auth session. Otherwise, the wrapper returns an
error before calling the underlying ESYS function Esys_PolicySigned().

This violates the TCG TSS 2.0 ESAPI specification which defines all
three session handles of Esys_PolicySigned() to be optional.

For a workaround, this commit bypasses the tss-esapi wrapper and calls the
raw ESYS FFI function directly. Once the patch is merged upstream, we can
remove the workaround and use the wrapper again.

Signed-off-by: Takuma IMAMURA <209989118+hyperfinitism@users.noreply.github.com>
@hyperfinitism hyperfinitism force-pushed the fix/policy-tests-and-policysigned-auth branch from fc6abb2 to 35c3fb2 Compare April 6, 2026 12:30
@hyperfinitism hyperfinitism merged commit e155f6e into main Apr 6, 2026
24 of 25 checks passed
@hyperfinitism hyperfinitism deleted the fix/policy-tests-and-policysigned-auth branch April 6, 2026 12:49
@hyperfinitism hyperfinitism mentioned this pull request Apr 10, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@hyperfinitism hyperfinitism

Labels

bug Something isn't working ci/cd CI/CD related items enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hyperfinitism @github-advanced-security