dasharo-security/tpm-support.robot: Refactor TPM version and support …

dasharo-security/tpm-support.robot

@@ -26,16 +26,18 @@ Suite Teardown      Run Keyword
 
 *** Test Cases ***
 TPM001.001 TPM Support (firmware)
-    [Documentation]    This test aims to verify that the TPM is initialized
-    ...    correctly and the PCRs can be accessed from the firmware.
+    [Documentation]    This test aims to verify that the TPM is initialized,
+    ...    detected and logged correctly by FW via cbmem, directly in Ubuntu
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    TPM001.001 not supported
     Power On
     Boot System Or From Connected Disk    ubuntu
     Login To Linux
     Switch To Root User
-    Get Cbmem From Cloud
-    ${out}=    Execute Command In Terminal    cbmem -L
-    Should Contain Any    ${out}    TPM2 log    TCPA log
+    ${result}=    Run Keyword And Ignore Error    Validate Expected TPM Via Cbmem Chip
+    IF    '${result}[0]' == 'FAIL'
+        Log To Console    \nChip detection failed, attempting cbmem log detection\n
+        Validate Expected TPM Via Cbmem Log
+    END
 
 TPM001.002 TPM Support (Ubuntu)
     [Documentation]    Check whether the TPM is initialized correctly and the
@@ -45,7 +47,7 @@ TPM001.002 TPM Support (Ubuntu)
     Boot System Or From Connected Disk    ubuntu
     Login To Linux
     Switch To Root User
-    Validate Any TPM
+    Get Any PCRs Via Sysfs
 
 TPM001.003 TPM Support (Windows)
     [Documentation]    Check whether the TPM is initialized correctly and the
@@ -69,9 +71,11 @@ TPM002.001 Verify TPM version (firmware)
     Boot System Or From Connected Disk    ubuntu
     Login To Linux
     Switch To Root User
-    Get Cbmem From Cloud
-    ${out}=    Execute Command In Terminal    cbmem -L
-    Should Contain Any    ${out}    TPM2 log    TCPA log
+    ${result}=    Run Keyword And Ignore Error    Validate Expected TPM Via Cbmem Chip
+    IF    '${result}[0]' == 'FAIL'
+        Log To Console    \nChip detection failed, attempting cbmem log detection\n
+        Validate Expected TPM Via Cbmem Log
+    END
 
 TPM002.002 Verify TPM version (Ubuntu)
     [Documentation]    This test aims to verify that the TPM version is
@@ -82,9 +86,7 @@ TPM002.002 Verify TPM version (Ubuntu)
     Boot System Or From Connected Disk    ubuntu
     Login To Linux
     Switch To Root User
-    ${out}=    Execute Command In Terminal    cat /sys/class/tpm/tpm0/tpm_version_major
-    # TPM 2.0 and 1.2
-    Should Contain Any    ${out}    1    2
+    Validate Expected TPM Via Sysfs
 
 TPM002.003 Verify TPM version (Windows)
     [Documentation]    This test aims to verify that the TPM version is
@@ -98,7 +100,8 @@ TPM002.003 Verify TPM version (Windows)
 
 TPM003.001 Check TPM Physical Presence Interface (firmware)
     [Documentation]    This test aims to verify that the TPM Physical Presence
-    ...    Interface is supported by the firmware.
+    ...    Interface is supported by the firmware and the log can be detected
+    ...    with cbmem within Ubuntu
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    TPM003.001 not supported
     Power On
     Boot System Or From Connected Disk    ubuntu
@@ -118,7 +121,13 @@ TPM003.002 Check TPM Physical Presence Interface (Ubuntu)
     Login To Linux
     Switch To Root User
     ${out}=    Execute Command In Terminal    cat /sys/class/tpm/tpm0/ppi/version
-    Should Contain Any    ${out}    1.2    1.3
+    IF    '${TPM_EXPECTED_VERSION}' == '1'
+        Should Contain    ${out}    1.2
+    ELSE IF    '${TPM_EXPECTED_VERSION}' == '2'
+        Should Contain    ${out}    1.3
+    ELSE
+        Fail    Invalid expected version, please verify config
+    END
 
 TPM003.003 Check TPM Physical Presence Interface (Windows)
     [Documentation]    This test aims to verify that the TPM Physical Presence
@@ -138,18 +147,33 @@ TPM003.003 Check TPM Physical Presence Interface (Windows)
 
 
 *** Keywords ***
-Validate Any TPM
-    [Documentation]    Checks for TPM major version, and validates it.
+Get Any PCRs Via Sysfs
+    [Documentation]    Check sysfs interface for presence of PCRs
+    ${pcr_state}=    Execute Command In Terminal    ls /sys/class/tpm/tpm0/pcr-sha* &>/dev/null && echo "Found PCRs"
+    Should Contain    ${pcr_state}    Found PCRs
+
+Validate Expected TPM Via Sysfs
+    [Documentation]    Checks if detected major TPM version matches the expected
+    ...    value.
     ${tpm_ver}=    Execute Command In Terminal    cat /sys/class/tpm/tpm0/tpm_version_major
-    IF    '${tpm_ver}' == '2'
-        Detect Or Install Package    tpm2-tools
-        ${out}=    Execute Command In Terminal    tpm2_pcrread
-        Should Contain    ${out}    sha1:
-        Should Contain    ${out}    sha256:
-    ELSE IF    '${tpm_ver}' == '1'
-        Detect Or Install Package    tpm-tools
-        ${out}=    Execute Command In Terminal    tpm_selftest
-        Should Contain    ${out}    TPM Test Results:
+    IF    '${TPM_EXPECTED_VERSION}' != '${tpm_ver}'
+        Fail    Platform TPM version mismatch
+    END
+
+Validate Expected TPM Via Cbmem Chip
+    [Documentation]    Check that correct TPM chip is found while FW boots
+    Get Cbmem From Cloud
+    ${tpm_chip_found}=    Execute Command In Terminal    cbmem -1 | grep -i "Found TPM"
+    Should Contain    ${tpm_chip_found}    ${TPM_EXPECTED_CHIP}
+
+Validate Expected TPM Via Cbmem Log
+    [Documentation]    Check if appropriate log is created by FW
+    Get Cbmem From Cloud
+    ${out}=    Execute Command In Terminal    cbmem -L
+    IF    '${TPM_EXPECTED_VERSION}' == '1'
+        Should Contain    ${out}    TCPA log
+    ELSE IF    '${TPM_EXPECTED_VERSION}' == '2'
+        Should Contain    ${out}    TPM2 log
     ELSE
-        Fail    No valid TPM version available.
+        Fail    Invalid expected version, please verify config
     END

platform-configs/include/msi-z690-common.robot

@@ -25,6 +25,7 @@ ${POWER_CTRL}=                                  sonoff
 ${FLASH_VERIFY_METHOD}=                         none
 ${WIFI_CARD}=                                   ${TBD}
 ${MAX_CPU_TEMP}=                                80
+${TPM_EXPECTED_VERSION}=                        2
 
 ${DMIDECODE_MANUFACTURER}=                      Micro-Star International Co., Ltd.
 ${DMIDECODE_VENDOR}=                            3mdeb

platform-configs/include/novacustom-common.robot

@@ -24,6 +24,7 @@ ${FLASH_VERIFY_METHOD}=                             none
 ${MAX_CPU_TEMP}=                                    82
 ${AUTO_BOOT_TIME_OUT_DEFAULT_VALUE}=                6
 ${FLASHING_METHOD}=                                 internal
+${TPM_EXPECTED_VERSION}=                            2
 
 ${DMIDECODE_SERIAL_NUMBER}=                         N/A
 ${DMIDECODE_MANUFACTURER}=                          Notebook
@@ -114,6 +115,7 @@ ${WIFI_BLUETOOTH_CARD_SWITCH_SUPPORT}=              ${TRUE}
 ${CAMERA_SWITCH_SUPPORT}=                           ${TRUE}
 ${EARLY_BOOT_DMA_SUPPORT}=                          ${TRUE}
 ${UEFI_PASSWORD_SUPPORT}=                           ${TRUE}
+${TPM_EXPECTED_CHIP}=                               N/A
 
 # Test module: dasharo-performance
 ${SERIAL_BOOT_MEASURE}=                             ${TRUE}

platform-configs/include/optiplex-common.robot

@@ -16,6 +16,7 @@ ${SETUP_MENU_KEY}=                              ${F2}
 ${IPXE_BOOT_ENTRY}=                             Network Boot and Utilities
 ${POWER_CTRL}=                                  sonoff
 ${MAX_CPU_TEMP}=                                80
+${TPM_EXPECTED_VERSION}=                        1
 
 ${DMIDECODE_VENDOR}=                            3mdeb
 ${DMIDECODE_FAMILY}=                            N/A
@@ -72,6 +73,7 @@ ${SECURE_BOOT_SUPPORT}=                         ${TRUE}
 ${USB_MASS_STORAGE_SUPPORT}=                    ${TRUE}
 ${TCG_OPAL_DISK_PASSWORD_SUPPORT}=              ${TRUE}
 ${UEFI_PASSWORD_SUPPORT}=                       ${TRUE}
+${TPM_EXPECTED_CHIP}=                           N/A
 
 # Test module: dasharo-performance
 ${SERIAL_BOOT_MEASURE}=                         ${TRUE}

platform-configs/include/pcengines.robot

@@ -40,6 +40,9 @@ ${DMIDECODE_FAMILY}=                        N/A
 ${DMIDECODE_TYPE}=                          Desktop
 ${INTERNAL_PROGRAMMER_CHIPNAME}=            W25Q64BV/W25Q64CV/W25Q64FV
 
+# TPM
+${TPM_EXPECTED_VERSION}=                    2
+
 # Supported test environments
 ${TESTS_IN_FIRMWARE_SUPPORT}=               ${TRUE}
 ${TESTS_IN_UBUNTU_SUPPORT}=                 ${TRUE}
@@ -90,6 +93,7 @@ ${MEASURED_BOOT_SUPPORT}=                   ${TRUE}
 ${SECURE_BOOT_SUPPORT}=                     ${TRUE}
 ${SECURE_BOOT_DEFAULT_STATE}=               Disabled
 ${UEFI_PASSWORD_SUPPORT}=                   ${TRUE}
+${TPM_EXPECTED_CHIP}=                       N/A
 
 # Test module: dasharo-performance
 ${SERIAL_BOOT_MEASURE}=                     ${TRUE}

platform-configs/include/protectli-common.robot

@@ -20,6 +20,7 @@ ${CPU}=                                         ${TBD}
 ${POWER_CTRL}=                                  RteCtrl
 ${FLASH_VERIFY_METHOD}=                         tianocore-shell
 ${FLASH_VERIFY_OPTION}=                         UEFI Shell
+${TPM_EXPECTED_VERSION}=                        2
 
 ${DMIDECODE_SERIAL_NUMBER}=                     N/A
 ${DMIDECODE_MANUFACTURER}=                      Protectli
@@ -82,6 +83,7 @@ ${SECURE_BOOT_SUPPORT}=                         ${TRUE}
 ${SECURE_BOOT_DEFAULT_STATE}=                   Disabled
 ${USB_STACK_SUPPORT}=                           ${TRUE}
 ${USB_MASS_STORAGE_SUPPORT}=                    ${TRUE}
+${TPM_EXPECTED_CHIP}=                           N/A
 
 # Test module: dasharo-performance
 ${SERIAL_BOOT_MEASURE}=                         ${TRUE}

platform-configs/novacustom-nv41pz.robot

@@ -27,3 +27,5 @@ ${POWER_CTRL}=                  none
 
 ${USB_STACK_SUPPORT}=           ${TRUE}
 ${TESTS_IN_WINDOWS_SUPPORT}=    ${FALSE}
+
+${TPM_EXPECTED_CHIP}=           SLB9670

platform-configs/novacustom-v540tnd.robot

@@ -35,3 +35,4 @@ ${CLEVO_USB_C_HUB}=                             Thunderbolt 4 Dock
 ${DOCKING_STATION_USB_C_CHARGING_SUPPORT}=      ${TRUE}
 ${DOCKING_STATION_AUDIO_SUPPORT}=               ${TRUE}
 ${VERIFIED_BOOT_SUPPORT}=                       ${TRUE}
+${TPM_EXPECTED_CHIP}=                           SLB9672

platform-configs/protectli-vp3230.robot

@@ -40,3 +40,4 @@ ${DEVICE_AUDIO1_WIN}=               High Definition Audio Controller
 
 ${DEVICE_NVME_DISK}=                N/A
 ${CLEVO_DISK}=                      N/A
+${TPM_EXPECTED_CHIP}=               SLB9670

platform-configs/protectli-vp4650.robot

@@ -20,3 +20,5 @@ ${DMIDECODE_PRODUCT_NAME}=      VP4650
 
 ${CPU_MAX_FREQUENCY}=           4300
 ${CPU_MIN_FREQUENCY}=           300
+
+${TPM_EXPECTED_CHIP}=           SLB9665