From 62ff978ce8eb23397447e5fa8ee7524967118c5c Mon Sep 17 00:00:00 2001 From: Sebastian Czapla Date: Wed, 4 Sep 2024 11:38:27 +0200 Subject: [PATCH] dasharo-security/tpm-support.robot: Refactor TPM version and support tests This commit introduces two new platform-config variables, TPM_EXPECTED_CHIP and TPM_EXPECTED_VERSION, and refactors a few keywords and tests within tpm-support.robot to validate the detected TPM against them. Signed-off-by: Sebastian Czapla --- dasharo-security/tpm-support.robot | 76 ++++++++++++------- .../include/msi-z690-common.robot | 1 + .../include/novacustom-common.robot | 2 + .../include/optiplex-common.robot | 2 + platform-configs/include/pcengines.robot | 4 + .../include/protectli-common.robot | 2 + platform-configs/novacustom-nv41pz.robot | 2 + platform-configs/novacustom-v540tnd.robot | 1 + platform-configs/protectli-vp3230.robot | 1 + platform-configs/protectli-vp4650.robot | 2 + 10 files changed, 67 insertions(+), 26 deletions(-) diff --git a/dasharo-security/tpm-support.robot b/dasharo-security/tpm-support.robot index 67cb70b75..5566e1cc9 100644 --- a/dasharo-security/tpm-support.robot +++ b/dasharo-security/tpm-support.robot 
@@ -26,16 +26,18 @@ Suite Teardown Run Keyword *** Test Cases *** TPM001.001 TPM Support (firmware) - [Documentation] This test aims to verify that the TPM is initialized - ... correctly and the PCRs can be accessed from the firmware. + [Documentation] This test aims to verify that the TPM is initialized, + ... detected and logged correctly by FW via cbmem, directly in Ubuntu Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM001.001 not supported Power On Boot System Or From Connected Disk ubuntu Login To Linux Switch To Root User - Get Cbmem From Cloud - ${out}= Execute Command In Terminal cbmem -L - Should Contain Any ${out} TPM2 log TCPA log + ${result}= Run Keyword And Ignore Error Validate Expected TPM Via Cbmem Chip + IF '${result}[0]' == 'FAIL' + Log To Console \nChip detection failed, attempting cbmem log detection\n + Validate Expected TPM Via Cbmem Log + END TPM001.002 TPM Support (Ubuntu) [Documentation] Check whether the TPM is initialized correctly and the @@ -45,7 +47,7 @@ TPM001.002 TPM Support (Ubuntu) Boot System Or From Connected Disk ubuntu Login To Linux Switch To Root User - Validate Any TPM + Get Any PCRs Via Sysfs TPM001.003 TPM Support (Windows) [Documentation] Check whether the TPM is initialized correctly and the @@ -69,9 +71,11 @@ TPM002.001 Verify TPM version (firmware) Boot System Or From Connected Disk ubuntu Login To Linux Switch To Root User - Get Cbmem From Cloud - ${out}= Execute Command In Terminal cbmem -L - Should Contain Any ${out} TPM2 log TCPA log + ${result}= Run Keyword And Ignore Error Validate Expected TPM Via Cbmem Chip + IF '${result}[0]' == 'FAIL' + Log To Console \nChip detection failed, attempting cbmem log detection\n + Validate Expected TPM Via Cbmem Log + END TPM002.002 Verify TPM version (Ubuntu) [Documentation] This test aims to verify that the TPM version is 
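Review bot: In TPM001.001 the chip check can never fail the test: `Run Keyword And Ignore Error` discards every failure of `Validate Expected TPM Via Cbmem Chip`, including cbmem reporting a different chip than `${TPM_EXPECTED_CHIP}`, and the fallback `Validate Expected TPM Via Cbmem Log` then passes as soon as any TPM2/TCPA log exists, so a swapped or wrong TPM part is masked rather than detected. From the platform configs in this diff, the only legitimate reason to skip the chip check is `${TPM_EXPECTED_CHIP}` being set to `N/A`, so the fallback should be gated on that value rather than on any failure; if it is also meant to cover firmware that prints no `Found TPM` line at all, test for empty grep output inside the keyword explicitly instead of ignoring every error (this also hides a failing `Get Cbmem From Cloud`). TPM002.001 further down carries the identical body, so the gate belongs in one keyword that both tests call.
```robotframework
    IF    '${TPM_EXPECTED_CHIP}' == 'N/A'
        Log To Console    \nNo expected TPM chip configured, using cbmem log detection\n
        Validate Expected TPM Via Cbmem Log
    ELSE
        Validate Expected TPM Via Cbmem Chip
    END
```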
@@ -82,9 +86,7 @@ TPM002.002 Verify TPM version (Ubuntu) Boot System Or From Connected Disk ubuntu Login To Linux Switch To Root User - ${out}= Execute Command In Terminal cat /sys/class/tpm/tpm0/tpm_version_major - # TPM 2.0 and 1.2 - Should Contain Any ${out} 1 2 + Validate Expected TPM Via Sysfs TPM002.003 Verify TPM version (Windows) [Documentation] This test aims to verify that the TPM version is @@ -98,7 +100,8 @@ TPM002.003 Verify TPM version (Windows) TPM003.001 Check TPM Physical Presence Interface (firmware) [Documentation] This test aims to verify that the TPM Physical Presence - ... Interface is supported by the firmware. + ... Interface is supported by the firmware and the log can be detected + ... with cbmem within Ubuntu Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM003.001 not supported Power On Boot System Or From Connected Disk ubuntu @@ -118,7 +121,13 @@ TPM003.002 Check TPM Physical Presence Interface (Ubuntu) Login To Linux Switch To Root User ${out}= Execute Command In Terminal cat /sys/class/tpm/tpm0/ppi/version - Should Contain Any ${out} 1.2 1.3 + IF '${TPM_EXPECTED_VERSION}' == '1' + Should Contain ${out} 1.2 + ELSE IF '${TPM_EXPECTED_VERSION}' == '2' + Should Contain ${out} 1.3 + ELSE + Fail Invalid expected version, please verify config + END TPM003.003 Check TPM Physical Presence Interface (Windows) [Documentation] This test aims to verify that the TPM Physical Presence 
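Review bot: TPM003.002 reaches `Fail Invalid expected version, please verify config` only when `${TPM_EXPECTED_VERSION}` holds an unexpected value; for a platform config that does not define the variable at all (this diff adds it to the msi, novacustom, optiplex, pcengines and protectli includes only, other configs may or may not define it elsewhere) Robot aborts with a variable-not-found error before the `IF`, which is a much less readable failure than the intended message. Since the same `ELSE Fail` branch is duplicated in `Validate Expected TPM Via Cbmem Log`, it is cleaner to validate the variable once in the Suite Setup (which starts outside this hunk), e.g. `Variable Should Exist ${TPM_EXPECTED_VERSION} TPM_EXPECTED_VERSION missing from platform config` followed by `Should Be True '${TPM_EXPECTED_VERSION}' in ['1', '2'] Invalid expected TPM version, please verify config`. The 1→PPI 1.2 and 2→PPI 1.3 mapping matches, as far as I recall, the TCG PPI specification revisions for TPM 1.2 and TPM 2.0, but a comment such as `# TCG PPI 1.2 is the TPM 1.2 interface, PPI 1.3 the TPM 2.0 one` above the `IF` would record why the former any-of `1.2 1.3` check was tightened.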
@@ -138,18 +147,33 @@ TPM003.003 Check TPM Physical Presence Interface (Windows) *** Keywords *** -Validate Any TPM - [Documentation] Checks for TPM major version, and validates it. +Get Any PCRs Via Sysfs + [Documentation] Check sysfs interface for presence of PCRs + ${pcr_state}= Execute Command In Terminal ls /sys/class/tpm/tpm0/pcr-sha* &>/dev/null && echo "Found PCRs" + Should Contain ${pcr_state} Found PCRs + +Validate Expected TPM Via Sysfs + [Documentation] Checks if detected major TPM version matches the expected + ... value. ${tpm_ver}= Execute Command In Terminal cat /sys/class/tpm/tpm0/tpm_version_major - IF '${tpm_ver}' == '2' - Detect Or Install Package tpm2-tools - ${out}= Execute Command In Terminal tpm2_pcrread - Should Contain ${out} sha1: - Should Contain ${out} sha256: - ELSE IF '${tpm_ver}' == '1' - Detect Or Install Package tpm-tools - ${out}= Execute Command In Terminal tpm_selftest - Should Contain ${out} TPM Test Results: + IF '${TPM_EXPECTED_VERSION}' != '${tpm_ver}' + Fail Platform TPM version mismatch + END + +Validate Expected TPM Via Cbmem Chip + [Documentation] Check that correct TPM chip is found while FW boots + Get Cbmem From Cloud + ${tpm_chip_found}= Execute Command In Terminal cbmem -1 | grep -i "Found TPM" + Should Contain ${tpm_chip_found} ${TPM_EXPECTED_CHIP} + +Validate Expected TPM Via Cbmem Log + [Documentation] Check if appropriate log is created by FW + Get Cbmem From Cloud + ${out}= Execute Command In Terminal cbmem -L + IF '${TPM_EXPECTED_VERSION}' == '1' + Should Contain ${out} TCPA log + ELSE IF '${TPM_EXPECTED_VERSION}' == '2' + Should Contain ${out} TPM2 log ELSE - Fail No valid TPM version available. + Fail Invalid expected version, please verify config END diff --git a/platform-configs/include/msi-z690-common.robot b/platform-configs/include/msi-z690-common.robot index d7dcc8378..d0ffb875f 100644 --- a/platform-configs/include/msi-z690-common.robot +++ b/platform-configs/include/msi-z690-common.robot 
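Review bot: `Get Any PCRs Via Sysfs` depends on the bash-only `&>/dev/null` redirection; if `Execute Command In Terminal` ever runs the command under a POSIX `sh`, `ls … &` is backgrounded and `>/dev/null && echo "Found PCRs"` always prints, so the check passes even with no TPM present. The portable form `ls /sys/class/tpm/tpm0/pcr-sha* >/dev/null 2>&1 && echo "Found PCRs"` behaves the same in every shell. Note that this keyword only lists sysfs entries where the removed `Validate Any TPM` actually read PCRs with `tpm2_pcrread`/`tpm_selftest`, so TPM001.002 no longer proves the PCRs are readable; if that weakening is intended, the keyword documentation should say so. In `Validate Expected TPM Via Sysfs`, `Fail Platform TPM version mismatch` drops both values from the report; `Should Be Equal As Strings ${tpm_ver} ${TPM_EXPECTED_VERSION} Platform TPM version mismatch` keeps the same comparison and prints expected and actual, and `Validate Expected TPM Via Cbmem Chip` greps with `-i` but then matches `${TPM_EXPECTED_CHIP}` case-sensitively, so one of the two should be made consistent.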
@@ -25,6 +25,7 @@ ${POWER_CTRL}= sonoff
 ${FLASH_VERIFY_METHOD}= none
 ${WIFI_CARD}= ${TBD}
 ${MAX_CPU_TEMP}= 80
+${TPM_EXPECTED_VERSION}= 2
 ${DMIDECODE_MANUFACTURER}= Micro-Star International Co., Ltd.
 ${DMIDECODE_VENDOR}= 3mdeb
diff --git a/platform-configs/include/novacustom-common.robot b/platform-configs/include/novacustom-common.robot
index c73e28ba8..0c1839a5f 100644
--- a/platform-configs/include/novacustom-common.robot
+++ b/platform-configs/include/novacustom-common.robot
@@ -24,6 +24,7 @@ ${FLASH_VERIFY_METHOD}= none
 ${MAX_CPU_TEMP}= 82
 ${AUTO_BOOT_TIME_OUT_DEFAULT_VALUE}= 6
 ${FLASHING_METHOD}= internal
+${TPM_EXPECTED_VERSION}= 2
 ${DMIDECODE_SERIAL_NUMBER}= N/A
 ${DMIDECODE_MANUFACTURER}= Notebook
@@ -114,6 +115,7 @@ ${WIFI_BLUETOOTH_CARD_SWITCH_SUPPORT}= ${TRUE}
 ${CAMERA_SWITCH_SUPPORT}= ${TRUE}
 ${EARLY_BOOT_DMA_SUPPORT}= ${TRUE}
 ${UEFI_PASSWORD_SUPPORT}= ${TRUE}
+${TPM_EXPECTED_CHIP}= N/A
 # Test module: dasharo-performance
 ${SERIAL_BOOT_MEASURE}= ${TRUE}
diff --git a/platform-configs/include/optiplex-common.robot b/platform-configs/include/optiplex-common.robot
index 0f77045ff..9edfc84fb 100644
--- a/platform-configs/include/optiplex-common.robot
+++ b/platform-configs/include/optiplex-common.robot
@@ -16,6 +16,7 @@ ${SETUP_MENU_KEY}= ${F2}
 ${IPXE_BOOT_ENTRY}= Network Boot and Utilities
 ${POWER_CTRL}= sonoff
 ${MAX_CPU_TEMP}= 80
+${TPM_EXPECTED_VERSION}= 1
 ${DMIDECODE_VENDOR}= 3mdeb
 ${DMIDECODE_FAMILY}= N/A
@@ -72,6 +73,7 @@ ${SECURE_BOOT_SUPPORT}= ${TRUE}
 ${USB_MASS_STORAGE_SUPPORT}= ${TRUE}
 ${TCG_OPAL_DISK_PASSWORD_SUPPORT}= ${TRUE}
 ${UEFI_PASSWORD_SUPPORT}= ${TRUE}
+${TPM_EXPECTED_CHIP}= N/A
 # Test module: dasharo-performance
 ${SERIAL_BOOT_MEASURE}= ${TRUE}
diff --git a/platform-configs/include/pcengines.robot b/platform-configs/include/pcengines.robot
index 5d5dcb792..f4be51410 100644
--- a/platform-configs/include/pcengines.robot
+++ b/platform-configs/include/pcengines.robot
@@ -39,6 +39,9 @@ ${DMIDECODE_FAMILY}= N/A
 # TODO
 ${DMIDECODE_TYPE}= Desktop
+# TPM
+${TPM_EXPECTED_VERSION}= 2
+
 # Supported test environments
 ${TESTS_IN_FIRMWARE_SUPPORT}= ${TRUE}
 ${TESTS_IN_UBUNTU_SUPPORT}= ${TRUE}
@@ -89,6 +92,7 @@ ${MEASURED_BOOT_SUPPORT}= ${TRUE}
 ${SECURE_BOOT_SUPPORT}= ${TRUE}
 ${SECURE_BOOT_DEFAULT_STATE}= Disabled
 ${UEFI_PASSWORD_SUPPORT}= ${TRUE}
+${TPM_EXPECTED_CHIP}= N/A
 # Test module: dasharo-performance
 ${SERIAL_BOOT_MEASURE}= ${TRUE}
diff --git a/platform-configs/include/protectli-common.robot b/platform-configs/include/protectli-common.robot
index 03ef61150..e2ccec206 100644
--- a/platform-configs/include/protectli-common.robot
+++ b/platform-configs/include/protectli-common.robot
@@ -20,6 +20,7 @@ ${CPU}= ${TBD}
 ${POWER_CTRL}= RteCtrl
 ${FLASH_VERIFY_METHOD}= tianocore-shell
 ${FLASH_VERIFY_OPTION}= UEFI Shell
+${TPM_EXPECTED_VERSION}= 2
 ${DMIDECODE_SERIAL_NUMBER}= N/A
 ${DMIDECODE_MANUFACTURER}= Protectli
@@ -82,6 +83,7 @@ ${SECURE_BOOT_SUPPORT}= ${TRUE}
 ${SECURE_BOOT_DEFAULT_STATE}= Disabled
 ${USB_STACK_SUPPORT}= ${TRUE}
 ${USB_MASS_STORAGE_SUPPORT}= ${TRUE}
+${TPM_EXPECTED_CHIP}= N/A
 # Test module: dasharo-performance
 ${SERIAL_BOOT_MEASURE}= ${TRUE}
diff --git a/platform-configs/novacustom-nv41pz.robot b/platform-configs/novacustom-nv41pz.robot
index 5e167891f..f8a7323c9 100644
--- a/platform-configs/novacustom-nv41pz.robot
+++ b/platform-configs/novacustom-nv41pz.robot
@@ -27,3 +27,5 @@ ${POWER_CTRL}= none
 ${USB_STACK_SUPPORT}= ${TRUE}
 ${TESTS_IN_WINDOWS_SUPPORT}= ${FALSE}
+
+${TPM_EXPECTED_CHIP}= SLB9670
diff --git a/platform-configs/novacustom-v540tnd.robot b/platform-configs/novacustom-v540tnd.robot
index f0616cedb..6d68edc89 100644
--- a/platform-configs/novacustom-v540tnd.robot
+++ b/platform-configs/novacustom-v540tnd.robot
@@ -35,3 +35,4 @@ ${CLEVO_USB_C_HUB}= Thunderbolt 4 Dock
 ${DOCKING_STATION_USB_C_CHARGING_SUPPORT}= ${TRUE}
 ${DOCKING_STATION_AUDIO_SUPPORT}= ${TRUE}
 ${VERIFIED_BOOT_SUPPORT}= ${TRUE}
+${TPM_EXPECTED_CHIP}= SLB9672
diff --git a/platform-configs/protectli-vp3230.robot b/platform-configs/protectli-vp3230.robot
index 7da6c1b73..50c5be356 100644
--- a/platform-configs/protectli-vp3230.robot
+++ b/platform-configs/protectli-vp3230.robot
@@ -40,3 +40,4 @@ ${DEVICE_AUDIO1_WIN}= High Definition Audio Controller
 ${DEVICE_NVME_DISK}= N/A
 ${CLEVO_DISK}= N/A
+${TPM_EXPECTED_CHIP}= SLB9670
diff --git a/platform-configs/protectli-vp4650.robot b/platform-configs/protectli-vp4650.robot
index f7225b6d8..59c42f5f7 100644
--- a/platform-configs/protectli-vp4650.robot
+++ b/platform-configs/protectli-vp4650.robot
@@ -20,3 +20,5 @@ ${DMIDECODE_PRODUCT_NAME}= VP4650
 ${CPU_MAX_FREQUENCY}= 4300
 ${CPU_MIN_FREQUENCY}= 300
+
+${TPM_EXPECTED_CHIP}= SLB9665