From 8bab4c26fb5cb47a38837106486526f7e5feab96 Mon Sep 17 00:00:00 2001 From: Sebastian Czapla Date: Wed, 4 Sep 2024 11:38:27 +0200 Subject: [PATCH] dasharo-security/tpm-support.robot: Refactor TPM version and support tests This commit introduces a new variable TPM_EXPECTED_VERSION to various platform configs. Then, Verify TPM Version tests are changed to refer to this new variable. Additionally, replace cbmem -L with cbmem -1 with grep, to first ensure only last boot is taken into consideration, and then, to reduce to amount of data sent via RTE, which can cause 30s timeout to trigger. Signed-off-by: Sebastian Czapla --- dasharo-security/tpm-support.robot | 60 ++++++++++++------- .../include/msi-z690-common.robot | 1 + .../include/novacustom-common.robot | 1 + .../include/optiplex-common.robot | 1 + platform-configs/include/pcengines.robot | 3 + .../include/protectli-common.robot | 1 + 6 files changed, 44 insertions(+), 23 deletions(-) diff --git a/dasharo-security/tpm-support.robot b/dasharo-security/tpm-support.robot index 67cb70b756..8e4cfb9f5e 100644 --- a/dasharo-security/tpm-support.robot +++ b/dasharo-security/tpm-support.robot @@ -29,13 +29,9 @@ TPM001.001 TPM Support (firmware) [Documentation] This test aims to verify that the TPM is initialized ... correctly and the PCRs can be accessed from the firmware. Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM001.001 not supported + Skip If '${PAYLOAD}' != 'tianocore' Available only for tianocore Power On - Boot System Or From Connected Disk ubuntu - Login To Linux - Switch To Root User - Get Cbmem From Cloud - ${out}= Execute Command In Terminal cbmem -L - Should Contain Any ${out} TPM2 log TCPA log + Validate Expected TPM In Firmware TPM001.002 TPM Support (Ubuntu) [Documentation] Check whether the TPM is initialized correctly and the 
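Review bot: The `Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM001.001 not supported` line is kept although the test no longer boots Ubuntu: the new body only powers on and calls `Validate Expected TPM In Firmware`, which reads the Tianocore setup menu, so the gating variable should presumably be `${TESTS_IN_FIRMWARE_SUPPORT}` (the one the pcengines config in this patch declares). The same stale skip remains in the -65,13 hunk for TPM002.001, whose body is now identical to TPM001.001, so one of the two tests no longer adds coverage. The commit description speaks of replacing `cbmem -L` with `cbmem -1` plus grep, while this hunk drops the cbmem log check entirely in favour of a setup-menu entry, which no longer demonstrates that "the PCRs can be accessed from the firmware" as the `[Documentation]` promises; the documentation of both tests should be reworded to state what the menu check actually proves.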
@@ -65,13 +61,9 @@ TPM002.001 Verify TPM version (firmware) [Documentation] This test aims to verify that the TPM version is ... correctly recognized by the firmware. Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM002.001 not supported + Skip If '${PAYLOAD}' != 'tianocore' Available only for tianocore Power On - Boot System Or From Connected Disk ubuntu - Login To Linux - Switch To Root User - Get Cbmem From Cloud - ${out}= Execute Command In Terminal cbmem -L - Should Contain Any ${out} TPM2 log TCPA log + Validate Expected TPM In Firmware TPM002.002 Verify TPM version (Ubuntu) [Documentation] This test aims to verify that the TPM version is @@ -82,9 +74,7 @@ TPM002.002 Verify TPM version (Ubuntu) Boot System Or From Connected Disk ubuntu Login To Linux Switch To Root User - ${out}= Execute Command In Terminal cat /sys/class/tpm/tpm0/tpm_version_major - # TPM 2.0 and 1.2 - Should Contain Any ${out} 1 2 + Validate Expected TPM In Linux TPM002.003 Verify TPM version (Windows) [Documentation] This test aims to verify that the TPM version is @@ -118,7 +108,13 @@ TPM003.002 Check TPM Physical Presence Interface (Ubuntu) Login To Linux Switch To Root User ${out}= Execute Command In Terminal cat /sys/class/tpm/tpm0/ppi/version - Should Contain Any ${out} 1.2 1.3 + IF '${TPM_EXPECTED_VERSION}' == '1' + Should Contain ${out} 1.2 + ELSE IF '${TPM_EXPECTED_VERSION}' == '2' + Should Contain ${out} 1.3 + ELSE + Fail Invalid expected version, please verify config + END TPM003.003 Check TPM Physical Presence Interface (Windows) [Documentation] This test aims to verify that the TPM Physical Presence 
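Review bot: A platform whose config does not define `${TPM_EXPECTED_VERSION}` (this patch adds it to five include files only) will presumably stop at the new `IF` with a variable-not-found error instead of reaching the `Fail Invalid expected version, please verify config` branch, so that message never describes the actual misconfiguration. A `Variable Should Exist ${TPM_EXPECTED_VERSION} TPM_EXPECTED_VERSION missing from platform config` line before the `IF`, or a default in a common config, would make the failure explicit; the same applies to the `Validate Expected TPM In Linux` and `Validate Expected TPM In Firmware` keywords in the -142,14 hunk. The version-to-spec mapping (`1` → PPI `1.2`, `2` → PPI `1.3`) is now hard-coded here and repeated in the firmware keyword; a one-line comment above the `IF` explaining why each expected TPM version is tied to exactly one PPI version would help the next reader, since the previous check accepted either value.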
@@ -142,14 +138,32 @@ Validate Any TPM [Documentation] Checks for TPM major version, and validates it. ${tpm_ver}= Execute Command In Terminal cat /sys/class/tpm/tpm0/tpm_version_major IF '${tpm_ver}' == '2' - Detect Or Install Package tpm2-tools - ${out}= Execute Command In Terminal tpm2_pcrread - Should Contain ${out} sha1: - Should Contain ${out} sha256: + ${out}= Execute Command In Terminal test -d /sys/class/tpm/tpm0/pcr-sha256 && echo "PCR Valid" + Should Contain ${out} PCR Valid ELSE IF '${tpm_ver}' == '1' - Detect Or Install Package tpm-tools - ${out}= Execute Command In Terminal tpm_selftest - Should Contain ${out} TPM Test Results: + ${out}= Execute Command In Terminal test -d /sys/class/tpm/tpm0/pcr-sha1 && echo "PCR Valid" + Should Contain ${out} PCR Valid ELSE Fail No valid TPM version available. END + +Validate Expected TPM In Linux + [Documentation] Checks if major TPM version matches the expected + ... value. + ${tpm_ver}= Execute Command In Terminal cat /sys/class/tpm/tpm0/tpm_version_major + IF '${TPM_EXPECTED_VERSION}' != '${tpm_ver}' + Fail Platform TPM version mismatch + END + +Validate Expected TPM In Firmware + ${setup_menu}= Enter Setup Menu Tianocore And Return Construction + ${device_mgr_menu}= Enter Submenu From Snapshot And Return Construction + ... ${setup_menu} + ... Device Manager + IF '${TPM_EXPECTED_VERSION}' == '1' + Should Contain ${device_mgr_menu} > TCG Configuration + ELSE IF '${TPM_EXPECTED_VERSION}' == '2' + Should Contain ${device_mgr_menu} > TCG2 Configuration + ELSE + Fail Invalid expected version, please verify config + END diff --git a/platform-configs/include/msi-z690-common.robot b/platform-configs/include/msi-z690-common.robot index 50029c208b..6b8dcf24e7 100644 --- a/platform-configs/include/msi-z690-common.robot +++ b/platform-configs/include/msi-z690-common.robot 
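Review bot: The replacement check in `Validate Any TPM` only proves that the `pcr-sha256` (or `pcr-sha1`) sysfs directory exists, which is the case whenever the kernel driver registered that bank; unlike the removed `tpm2_pcrread`/`tpm_selftest` calls it never reads a PCR, so a TPM whose PCR reads fail still passes. Reading one register keeps the check tool-free but meaningful, e.g. for the TPM 2 branch `${out}= Execute Command In Terminal cat /sys/class/tpm/tpm0/pcr-sha256/0` followed by `Should Match Regexp ${out} [0-9A-Fa-f]{64}`, and likewise `pcr-sha1/0` with `{40}` in the TPM 1 branch. `Validate Expected TPM In Firmware` is the only keyword in this hunk without a `[Documentation]`; add one such as `[Documentation] Checks that the Tianocore Device Manager menu lists the TCG (TPM 1) or TCG2 (TPM 2) configuration entry matching ${TPM_EXPECTED_VERSION}.` The `[Documentation]` of `Validate Expected TPM In Linux` should also say that the comparison is a plain string match, so a config value written as `2.0` will not match the `tpm_version_major` output `2`.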
@@ -25,6 +25,7 @@ ${POWER_CTRL}= sonoff ${FLASH_VERIFY_METHOD}= none ${WIFI_CARD}= ${TBD} ${MAX_CPU_TEMP}= 80 +${TPM_EXPECTED_VERSION}= 2 ${DMIDECODE_MANUFACTURER}= Micro-Star International Co., Ltd. ${DMIDECODE_VENDOR}= 3mdeb diff --git a/platform-configs/include/novacustom-common.robot b/platform-configs/include/novacustom-common.robot index 7ad8c433d8..7651aa1ba5 100644 --- a/platform-configs/include/novacustom-common.robot +++ b/platform-configs/include/novacustom-common.robot @@ -24,6 +24,7 @@ ${FLASH_VERIFY_METHOD}= none ${MAX_CPU_TEMP}= 82 ${AUTO_BOOT_TIME_OUT_DEFAULT_VALUE}= 6 ${FLASHING_METHOD}= internal +${TPM_EXPECTED_VERSION}= 2 ${DMIDECODE_SERIAL_NUMBER}= N/A ${DMIDECODE_MANUFACTURER}= Notebook diff --git a/platform-configs/include/optiplex-common.robot b/platform-configs/include/optiplex-common.robot index f6ea525677..fdae6c7fb7 100644 --- a/platform-configs/include/optiplex-common.robot +++ b/platform-configs/include/optiplex-common.robot @@ -16,6 +16,7 @@ ${SETUP_MENU_KEY}= ${F2} ${IPXE_BOOT_ENTRY}= Network Boot and Utilities ${POWER_CTRL}= sonoff ${MAX_CPU_TEMP}= 80 +${TPM_EXPECTED_VERSION}= 1 ${DMIDECODE_VENDOR}= 3mdeb ${DMIDECODE_FAMILY}= N/A diff --git a/platform-configs/include/pcengines.robot b/platform-configs/include/pcengines.robot index 74d4dfcdbb..1ba1a9c3f1 100644 --- a/platform-configs/include/pcengines.robot +++ b/platform-configs/include/pcengines.robot @@ -39,6 +39,9 @@ ${DMIDECODE_FAMILY}= N/A # TODO ${DMIDECODE_TYPE}= Desktop +# TPM +${TPM_EXPECTED_VERSION}= 2 + # Supported test environments ${TESTS_IN_FIRMWARE_SUPPORT}= ${TRUE} ${TESTS_IN_UBUNTU_SUPPORT}= ${TRUE} diff --git a/platform-configs/include/protectli-common.robot b/platform-configs/include/protectli-common.robot index 9579012773..3b290d97eb 100644 --- a/platform-configs/include/protectli-common.robot +++ b/platform-configs/include/protectli-common.robot 
@@ -20,6 +20,7 @@ ${CPU}= ${TBD} ${POWER_CTRL}= RteCtrl ${FLASH_VERIFY_METHOD}= tianocore-shell ${FLASH_VERIFY_OPTION}= UEFI Shell +${TPM_EXPECTED_VERSION}= 2 ${DMIDECODE_SERIAL_NUMBER}= N/A ${DMIDECODE_MANUFACTURER}= Protectli