
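#!/bin/bash
# Milestone-3.2b verification: SecureClear + SecureLockdown + SecureRekey.
#
# Builds tests/secalloc-clear/main.go and runs the binary. Unlike the
# rotate test, this program must exit CLEANLY — manual lockdown returns
# to the caller instead of delegating to the fatal-signal teardown.
#
# Verifies:
#   - the program exits 0
#   - stdout contains the full marker sequence, in this order:
#       BEFORE_CLEAR → CLEARED_OK → LOCKDOWN_1_OK → LOCKDOWN_2_OK →
#       REKEY_OK → EXPLICIT_REKEY_OK → LOCKDOWN_SURVIVED
#   - stderr contains at least 3 MOXIE_SECALLOC_LOCKDOWN markers
#     (one per SecureLockdown call)
#   - the raw secret pattern does NOT appear in stdout or stderr
#
# Environment:
#   MOXIEROOT  repository root (default: two levels above this script)
#   MOXIE      compiler binary (default: $MOXIEROOT/moxie)
#
# Exit status: 0 when every check passes, 1 otherwise (the failing
# program's stdout and stderr are dumped for diagnosis).
set -euo pipefail

MOXIEROOT="${MOXIEROOT:-$(cd "$(dirname "$0")/../.." && pwd)}"
MOXIE="${MOXIE:-$MOXIEROOT/moxie}"

# Deliberately NOT named TMPDIR: that name is honoured by mktemp and by
# child processes, so reassigning it here (it may already be exported)
# would redirect the compiler's and the test binary's own temp files
# into this scratch directory.
work_dir=$(mktemp -d)
readonly work_dir
trap 'rm -rf -- "$work_dir"' EXIT

export PATH="/usr/lib/llvm19/bin:$PATH"
export MOXIEROOT

readonly BIN="$work_dir/secalloc_clear_test"
readonly OUT="$work_dir/stdout"
readonly ERR="$work_dir/stderr"
readonly LOCKDOWN_MARKER="MOXIE_SECALLOC_LOCKDOWN"
readonly SECRET_PATTERN="MOXIE_SECRET_PAYLOAD"
readonly -a MARKERS=(
  BEFORE_CLEAR
  CLEARED_OK
  LOCKDOWN_1_OK
  LOCKDOWN_2_OK
  REKEY_OK
  EXPLICIT_REKEY_OK
  LOCKDOWN_SURVIVED
)

fail=0

#######################################
# Record one failed check. The script keeps going so that every
# problem is reported in a single run.
# Globals:   fail (written)
# Arguments: $1 - human-readable reason
# Outputs:   one FAIL line on stdout
#######################################
fail() {
  printf 'FAIL secalloc-clear: %s\n' "$1"
  fail=1
}

cd "$MOXIEROOT"

if ! "$MOXIE" build -o "$BIN" ./tests/secalloc-clear 2>"$work_dir/build.err"; then
  echo "FAIL secalloc-clear: compilation failed"
  cat -- "$work_dir/build.err"
  exit 1
fi

# Capture the exit status without tripping set -e.
rc=0
"$BIN" >"$OUT" 2>"$ERR" || rc=$?

if [ "$rc" -ne 0 ]; then
  fail "expected clean exit, got rc=$rc"
fi

# Whole-word, fixed-string matching: a plain substring match would let
# EXPLICIT_REKEY_OK satisfy the REKEY_OK check on its own. Each marker's
# first occurrence must not come before the previous marker's, so the
# documented order is verified as well as mere presence.
prev_line=0
prev_marker=""
for marker in "${MARKERS[@]}"; do
  # `|| true` keeps the assignment alive under pipefail when grep finds
  # nothing (or is closed early by head); an empty line means "missing".
  line=$(grep -nwF -- "$marker" "$OUT" | head -n 1 | cut -d: -f1 || true)
  if [ -z "$line" ]; then
    fail "missing $marker marker on stdout"
    continue
  fi
  if [ "$line" -lt "$prev_line" ]; then
    fail "$marker marker appears before $prev_marker on stdout"
  fi
  prev_line=$line
  prev_marker=$marker
done

if ! grep -qF -- "$LOCKDOWN_MARKER" "$ERR"; then
  fail "missing lockdown marker on stderr"
fi

# grep -c prints 0 and exits 1 when nothing matches; keep the 0.
lockdown_count=$(grep -cF -- "$LOCKDOWN_MARKER" "$ERR" || true)
if [ "$lockdown_count" -lt 3 ]; then
  fail "expected at least 3 lockdown markers, got $lockdown_count"
fi

# Search both streams as separate files rather than a concatenated
# string, so a match cannot be fabricated across the stdout/stderr seam.
if grep -qF -- "$SECRET_PATTERN" "$OUT" "$ERR"; then
  fail "raw secret pattern leaked"
fi

if [ "$fail" -eq 0 ]; then
  echo "OK   secalloc-clear (manual clear + lockdown + rekey)"
  exit 0
fi

# Diagnostics are printed only on failure. They reproduce whatever the
# binary wrote — including a leaked pattern, if that is what failed — so
# they end up wherever this script's output is logged.
echo "--- stdout ---"
cat -- "$OUT"
echo "--- stderr ---"
cat -- "$ERR"
exit 1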