dasharo-security/tpm-support.robot: Refactor TPM version and support …
…tests

This commit introduces two new variables, EXPECTED_TPM_CHIP and
EXPECTED_TPM_VERSION. Additionally, refactor a few keywords and tests
within tpm-support.robot.

Signed-off-by: Sebastian Czapla <[email protected]>
SebastianCzapla committed Dec 18, 2024
1 parent 24d631c commit 765f7ba
Showing 10 changed files with 67 additions and 26 deletions.
76 changes: 50 additions & 26 deletions dasharo-security/tpm-support.robot
Expand Up @@ -26,16 +26,18 @@ Suite Teardown Run Keyword

*** Test Cases ***
TPM001.001 TPM Support (firmware)
[Documentation] This test aims to verify that the TPM is initialized
... correctly and the PCRs can be accessed from the firmware.
[Documentation] This test aims to verify that the TPM is initialized,
... detected and logged correctly by FW via cbmem, directly in Ubuntu
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM001.001 not supported
Power On
Boot System Or From Connected Disk ubuntu
Login To Linux
Switch To Root User
Get Cbmem From Cloud
${out}= Execute Command In Terminal cbmem -L
Should Contain Any ${out} TPM2 log TCPA log
${result}= Run Keyword And Ignore Error Validate Expected TPM Via Cbmem Chip
IF '${result}[0]' == 'FAIL'
Log To Console \nChip detection failed, attempting cbmem log detection\n
Validate Expected TPM Via Cbmem Log
END

TPM001.002 TPM Support (Ubuntu)
[Documentation] Check whether the TPM is initialized correctly and the
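Review bot: In TPM001.001 the `IF '${result}[0]' == 'FAIL'` fallback runs on any failure of `Validate Expected TPM Via Cbmem Chip`, so a platform that boots with a chip other than `${TPM_EXPECTED_CHIP}` still passes as long as the matching cbmem log exists. Restrict the fallback to configurations where no specific chip is expected (the common configs in this commit set `N/A`) and let a real chip mismatch fail the test. `Run Keyword And Ignore Error` also hides unrelated errors such as a failed `Get Cbmem From Cloud`, so at minimum log `${result}[1]` before falling back.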
Expand All @@ -45,7 +47,7 @@ TPM001.002 TPM Support (Ubuntu)
Boot System Or From Connected Disk ubuntu
Login To Linux
Switch To Root User
Validate Any TPM
Get Any PCRs Via Sysfs

TPM001.003 TPM Support (Windows)
[Documentation] Check whether the TPM is initialized correctly and the
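Review bot: TPM001.002 now calls `Get Any PCRs Via Sysfs`, which only checks that `ls /sys/class/tpm/tpm0/pcr-sha*` finds something, whereas the removed `Validate Any TPM` actually talked to the device through `tpm2_pcrread` or `tpm_selftest`. The [Documentation] still says the TPM is "initialized correctly"; either keep a real read of a PCR value in this test or reword the documentation to describe the weaker presence check.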
Expand All @@ -69,9 +71,11 @@ TPM002.001 Verify TPM version (firmware)
Boot System Or From Connected Disk ubuntu
Login To Linux
Switch To Root User
Get Cbmem From Cloud
${out}= Execute Command In Terminal cbmem -L
Should Contain Any ${out} TPM2 log TCPA log
${result}= Run Keyword And Ignore Error Validate Expected TPM Via Cbmem Chip
IF '${result}[0]' == 'FAIL'
Log To Console \nChip detection failed, attempting cbmem log detection\n
Validate Expected TPM Via Cbmem Log
END

TPM002.002 Verify TPM version (Ubuntu)
[Documentation] This test aims to verify that the TPM version is
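Review bot: TPM002.001 is titled "Verify TPM version", but when `Validate Expected TPM Via Cbmem Chip` passes, the test ends without ever consulting `${TPM_EXPECTED_VERSION}`; only the fallback `Validate Expected TPM Via Cbmem Log` checks the version. Call the log keyword unconditionally in this test. The body is also a line-for-line copy of TPM001.001, so the chip-then-log sequence could live in one shared keyword.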
Expand All @@ -82,9 +86,7 @@ TPM002.002 Verify TPM version (Ubuntu)
Boot System Or From Connected Disk ubuntu
Login To Linux
Switch To Root User
${out}= Execute Command In Terminal cat /sys/class/tpm/tpm0/tpm_version_major
# TPM 2.0 and 1.2
Should Contain Any ${out} 1 2
Validate Expected TPM Via Sysfs

TPM002.003 Verify TPM version (Windows)
[Documentation] This test aims to verify that the TPM version is
Expand All @@ -98,7 +100,8 @@ TPM002.003 Verify TPM version (Windows)

TPM003.001 Check TPM Physical Presence Interface (firmware)
[Documentation] This test aims to verify that the TPM Physical Presence
... Interface is supported by the firmware.
... Interface is supported by the firmware and the log can be detected
... with cbmem within Ubuntu
Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM003.001 not supported
Power On
Boot System Or From Connected Disk ubuntu
Expand All @@ -118,7 +121,13 @@ TPM003.002 Check TPM Physical Presence Interface (Ubuntu)
Login To Linux
Switch To Root User
${out}= Execute Command In Terminal cat /sys/class/tpm/tpm0/ppi/version
Should Contain Any ${out} 1.2 1.3
IF '${TPM_EXPECTED_VERSION}' == '1'
Should Contain ${out} 1.2
ELSE IF '${TPM_EXPECTED_VERSION}' == '2'
Should Contain ${out} 1.3
ELSE
Fail Invalid expected version, please verify config
END

TPM003.003 Check TPM Physical Presence Interface (Windows)
[Documentation] This test aims to verify that the TPM Physical Presence
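Review bot: The new `IF '${TPM_EXPECTED_VERSION}' == '1'` and `ELSE IF '${TPM_EXPECTED_VERSION}' == '2'` branches in TPM003.002 tie the PPI version (1.2 or 1.3) to the TPM family, where the removed `Should Contain Any ${out} 1.2 1.3` accepted either. If any supported board reports a PPI version that does not follow that mapping, this becomes a false failure, so confirm the mapping holds for every platform config or drive the check from a dedicated expected-PPI-version variable. `Should Contain` is also a substring match; comparing the stripped output for equality would be stricter.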
Expand All @@ -138,18 +147,33 @@ TPM003.003 Check TPM Physical Presence Interface (Windows)


*** Keywords ***
Validate Any TPM
[Documentation] Checks for TPM major version, and validates it.
Get Any PCRs Via Sysfs
[Documentation] Check sysfs interface for presence of PCRs
${pcr_state}= Execute Command In Terminal ls /sys/class/tpm/tpm0/pcr-sha* &>/dev/null && echo "Found PCRs"
Should Contain ${pcr_state} Found PCRs

Validate Expected TPM Via Sysfs
[Documentation] Checks if detected major TPM version matches the expected
... value.
${tpm_ver}= Execute Command In Terminal cat /sys/class/tpm/tpm0/tpm_version_major
IF '${tpm_ver}' == '2'
Detect Or Install Package tpm2-tools
${out}= Execute Command In Terminal tpm2_pcrread
Should Contain ${out} sha1:
Should Contain ${out} sha256:
ELSE IF '${tpm_ver}' == '1'
Detect Or Install Package tpm-tools
${out}= Execute Command In Terminal tpm_selftest
Should Contain ${out} TPM Test Results:
IF '${TPM_EXPECTED_VERSION}' != '${tpm_ver}'
Fail Platform TPM version mismatch
END

Validate Expected TPM Via Cbmem Chip
[Documentation] Check that correct TPM chip is found while FW boots
Get Cbmem From Cloud
${tpm_chip_found}= Execute Command In Terminal cbmem -1 | grep -i "Found TPM"
Should Contain ${tpm_chip_found} ${TPM_EXPECTED_CHIP}

Validate Expected TPM Via Cbmem Log
[Documentation] Check if appropriate log is created by FW
Get Cbmem From Cloud
${out}= Execute Command In Terminal cbmem -L
IF '${TPM_EXPECTED_VERSION}' == '1'
Should Contain ${out} TCPA log
ELSE IF '${TPM_EXPECTED_VERSION}' == '2'
Should Contain ${out} TPM2 log
ELSE
Fail No valid TPM version available.
Fail Invalid expected version, please verify config
END
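Review bot: In `Validate Expected TPM Via Sysfs` the check `IF '${TPM_EXPECTED_VERSION}' != '${tpm_ver}'` compares the raw terminal output for exact equality, so if `${tpm_ver}` carries a trailing newline or whitespace the keyword reports "Platform TPM version mismatch" on a correct platform; the removed code used containment. Strip `${tpm_ver}` first or use `Should Be Equal As Integers`, and include both the expected and detected values in the `Fail` message. Separately, `Validate Expected TPM Via Cbmem Chip` and `Validate Expected TPM Via Cbmem Log` each call `Get Cbmem From Cloud`, so the fallback path fetches it twice.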
1 change: 1 addition & 0 deletions platform-configs/include/msi-z690-common.robot
Expand Up @@ -25,6 +25,7 @@ ${POWER_CTRL}= sonoff
${FLASH_VERIFY_METHOD}= none
${WIFI_CARD}= ${TBD}
${MAX_CPU_TEMP}= 80
${TPM_EXPECTED_VERSION}= 2

${DMIDECODE_MANUFACTURER}= Micro-Star International Co., Ltd.
${DMIDECODE_VENDOR}= 3mdeb
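Review bot: This config gains only `${TPM_EXPECTED_VERSION}= 2`; no `${TPM_EXPECTED_CHIP}` is added here, unlike the other common configs in this commit, which set it to `N/A`. `Validate Expected TPM Via Cbmem Chip` references that variable, so unless it is defined elsewhere for the MSI Z690 the keyword errors on an undefined variable and TPM001.001 and TPM002.001 quietly fall through to the log check. Add an explicit value for this platform.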
2 changes: 2 additions & 0 deletions platform-configs/include/novacustom-common.robot
Expand Up @@ -24,6 +24,7 @@ ${FLASH_VERIFY_METHOD}= none
${MAX_CPU_TEMP}= 82
${AUTO_BOOT_TIME_OUT_DEFAULT_VALUE}= 6
${FLASHING_METHOD}= internal
${TPM_EXPECTED_VERSION}= 2

${DMIDECODE_SERIAL_NUMBER}= N/A
${DMIDECODE_MANUFACTURER}= Notebook
Expand Down Expand Up @@ -114,6 +115,7 @@ ${WIFI_BLUETOOTH_CARD_SWITCH_SUPPORT}= ${TRUE}
${CAMERA_SWITCH_SUPPORT}= ${TRUE}
${EARLY_BOOT_DMA_SUPPORT}= ${TRUE}
${UEFI_PASSWORD_SUPPORT}= ${TRUE}
${TPM_EXPECTED_CHIP}= N/A

# Test module: dasharo-performance
${SERIAL_BOOT_MEASURE}= ${TRUE}
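Review bot: With `${TPM_EXPECTED_CHIP}= N/A` as the default, `Should Contain ${tpm_chip_found} ${TPM_EXPECTED_CHIP}` will not match a "Found TPM" line on any board that does not override it, so those boards always log "Chip detection failed" and rely on the fallback. Have the keyword skip the chip comparison when the value is `N/A` instead of treating it as a failure; the same applies to the `N/A` defaults added to the optiplex, pcengines and protectli common configs. The commit message also names the variables EXPECTED_TPM_CHIP and EXPECTED_TPM_VERSION while the code uses `TPM_EXPECTED_CHIP` and `TPM_EXPECTED_VERSION`; align the two.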
2 changes: 2 additions & 0 deletions platform-configs/include/optiplex-common.robot
Expand Up @@ -16,6 +16,7 @@ ${SETUP_MENU_KEY}= ${F2}
${IPXE_BOOT_ENTRY}= Network Boot and Utilities
${POWER_CTRL}= sonoff
${MAX_CPU_TEMP}= 80
${TPM_EXPECTED_VERSION}= 1

${DMIDECODE_VENDOR}= 3mdeb
${DMIDECODE_FAMILY}= N/A
Expand Down Expand Up @@ -72,6 +73,7 @@ ${SECURE_BOOT_SUPPORT}= ${TRUE}
${USB_MASS_STORAGE_SUPPORT}= ${TRUE}
${TCG_OPAL_DISK_PASSWORD_SUPPORT}= ${TRUE}
${UEFI_PASSWORD_SUPPORT}= ${TRUE}
${TPM_EXPECTED_CHIP}= N/A

# Test module: dasharo-performance
${SERIAL_BOOT_MEASURE}= ${TRUE}
4 changes: 4 additions & 0 deletions platform-configs/include/pcengines.robot
Expand Up @@ -40,6 +40,9 @@ ${DMIDECODE_FAMILY}= N/A
${DMIDECODE_TYPE}= Desktop
${INTERNAL_PROGRAMMER_CHIPNAME}= W25Q64BV/W25Q64CV/W25Q64FV

# TPM
${TPM_EXPECTED_VERSION}= 2

# Supported test environments
${TESTS_IN_FIRMWARE_SUPPORT}= ${TRUE}
${TESTS_IN_UBUNTU_SUPPORT}= ${TRUE}
Expand Down Expand Up @@ -90,6 +93,7 @@ ${MEASURED_BOOT_SUPPORT}= ${TRUE}
${SECURE_BOOT_SUPPORT}= ${TRUE}
${SECURE_BOOT_DEFAULT_STATE}= Disabled
${UEFI_PASSWORD_SUPPORT}= ${TRUE}
${TPM_EXPECTED_CHIP}= N/A

# Test module: dasharo-performance
${SERIAL_BOOT_MEASURE}= ${TRUE}
2 changes: 2 additions & 0 deletions platform-configs/include/protectli-common.robot
Expand Up @@ -20,6 +20,7 @@ ${CPU}= ${TBD}
${POWER_CTRL}= RteCtrl
${FLASH_VERIFY_METHOD}= tianocore-shell
${FLASH_VERIFY_OPTION}= UEFI Shell
${TPM_EXPECTED_VERSION}= 2

${DMIDECODE_SERIAL_NUMBER}= N/A
${DMIDECODE_MANUFACTURER}= Protectli
Expand Down Expand Up @@ -82,6 +83,7 @@ ${SECURE_BOOT_SUPPORT}= ${TRUE}
${SECURE_BOOT_DEFAULT_STATE}= Disabled
${USB_STACK_SUPPORT}= ${TRUE}
${USB_MASS_STORAGE_SUPPORT}= ${TRUE}
${TPM_EXPECTED_CHIP}= N/A

# Test module: dasharo-performance
${SERIAL_BOOT_MEASURE}= ${TRUE}
2 changes: 2 additions & 0 deletions platform-configs/novacustom-nv41pz.robot
Expand Up @@ -27,3 +27,5 @@ ${POWER_CTRL}= none

${USB_STACK_SUPPORT}= ${TRUE}
${TESTS_IN_WINDOWS_SUPPORT}= ${FALSE}

${TPM_EXPECTED_CHIP}= SLB9670
1 change: 1 addition & 0 deletions platform-configs/novacustom-v540tnd.robot
Expand Up @@ -35,3 +35,4 @@ ${CLEVO_USB_C_HUB}= Thunderbolt 4 Dock
${DOCKING_STATION_USB_C_CHARGING_SUPPORT}= ${TRUE}
${DOCKING_STATION_AUDIO_SUPPORT}= ${TRUE}
${VERIFIED_BOOT_SUPPORT}= ${TRUE}
${TPM_EXPECTED_CHIP}= SLB9672
1 change: 1 addition & 0 deletions platform-configs/protectli-vp3230.robot
Expand Up @@ -40,3 +40,4 @@ ${DEVICE_AUDIO1_WIN}= High Definition Audio Controller

${DEVICE_NVME_DISK}= N/A
${CLEVO_DISK}= N/A
${TPM_EXPECTED_CHIP}= SLB9670
2 changes: 2 additions & 0 deletions platform-configs/protectli-vp4650.robot
Expand Up @@ -20,3 +20,5 @@ ${DMIDECODE_PRODUCT_NAME}= VP4650

${CPU_MAX_FREQUENCY}= 4300
${CPU_MIN_FREQUENCY}= 300

${TPM_EXPECTED_CHIP}= SLB9665
