dasharo-security/tpm-support.robot: Refactor TPM version and support …

dasharo-security/measured-boot.robot

@@ -10,8 +10,8 @@ Library             RequestsLibrary
 # stuff in all test cases
 Resource            ../variables.robot
 Resource            ../keywords.robot
-Resource            ../keys.robot
 Resource            ../lib/tpm.robot
+Resource            ../keys.robot
 
 # TODO:
 # - document which setup/teardown keywords to use and what are they doing
@@ -299,10 +299,12 @@ Restore SB And Tianocore Defaults And Reset
 
 Measured Boot Suite Setup
     Prepare Test Suite
+    Skip If    ${TPM_SUPPORTED_VERSION} == None    Measured boot tests require TPM
     Skip If    not ${MEASURED_BOOT_SUPPORT}    Measured boot is not supported
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    Tests in Ubuntu are not supported
     Power On
     Boot Ubuntu And Login To Root
+    Verify Presence Of TPM Via Sysfs
     Detect Or Install Package    tpm2-tools
     # Disable service that adds dbx certificates which could interfere with tests
     Execute Command In Terminal    systemctl disable secureboot-db.service

dasharo-security/tpm-support.robot

@@ -10,6 +10,7 @@ Library             RequestsLibrary
 # stuff in all test cases
 Resource            ../variables.robot
 Resource            ../keywords.robot
+Resource            ../lib/tpm.robot
 Resource            ../keys.robot
 
 # TODO:
@@ -19,33 +20,29 @@ Resource            ../keys.robot
 Suite Setup         Run Keywords
 ...                     Prepare Test Suite
 ...                     AND
-...                     Skip If    not ${TPM_SUPPORT}    TPM tests not supported
+...                     Skip If    ${TPM_SUPPORTED_VERSION} == None    TPM tests not supported
 Suite Teardown      Run Keyword
 ...                     Log Out And Close Connection
 
 
 *** Test Cases ***
 TPM001.001 TPM Support (firmware)
-    [Documentation]    This test aims to verify that the TPM is initialized
-    ...    correctly and the PCRs can be accessed from the firmware.
+    [Documentation]    This test aims to verify that the TPM is initialized,
+    ...    detected and logged correctly by FW via cbmem, directly in Ubuntu
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    TPM001.001 not supported
-    Power On
-    Boot System Or From Connected Disk    ubuntu
-    Login To Linux
-    Switch To Root User
-    Get Cbmem From Cloud
-    ${out}=    Execute Command In Terminal    cbmem -L
-    Should Contain Any    ${out}    TPM2 log    TCPA log
+    Prepare TPM Test On Ubuntu
+    ${result}=    Run Keyword And Ignore Error    Validate Expected TPM Chip Via Cbmem
+    IF    '${result}[0]' == 'FAIL'
+        Log To Console    \nChip detection failed, attempting cbmem log detection\n
+        Validate Expected TPM Version Via Cbmem Log
+    END
 
 TPM001.002 TPM Support (Ubuntu)
     [Documentation]    Check whether the TPM is initialized correctly and the
     ...    PCRs can be accessed from the Linux OS.
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    TPM001.002 not supported
-    Power On
-    Boot System Or From Connected Disk    ubuntu
-    Login To Linux
-    Switch To Root User
-    Validate Any TPM
+    Prepare TPM Test On Ubuntu
+    Verify Presence Of Any PCRs Via Sysfs
 
 TPM001.003 TPM Support (Windows)
     [Documentation]    Check whether the TPM is initialized correctly and the
@@ -65,26 +62,20 @@ TPM002.001 Verify TPM version (firmware)
     [Documentation]    This test aims to verify that the TPM version is
     ...    correctly recognized by the firmware.
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    TPM002.001 not supported
-    Power On
-    Boot System Or From Connected Disk    ubuntu
-    Login To Linux
-    Switch To Root User
-    Get Cbmem From Cloud
-    ${out}=    Execute Command In Terminal    cbmem -L
-    Should Contain Any    ${out}    TPM2 log    TCPA log
+    Prepare TPM Test On Ubuntu
+    ${result}=    Run Keyword And Ignore Error    Validate Expected TPM Chip Via Cbmem
+    IF    '${result}[0]' == 'FAIL'
+        Log To Console    \nChip detection failed, attempting cbmem log detection\n
+        Validate Expected TPM Version Via Cbmem Log
+    END
 
 TPM002.002 Verify TPM version (Ubuntu)
     [Documentation]    This test aims to verify that the TPM version is
     ...    correctly recognized by the operating system.
     [Tags]    minimal-regression
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    TPM002.002 not supported
-    Power On
-    Boot System Or From Connected Disk    ubuntu
-    Login To Linux
-    Switch To Root User
-    ${out}=    Execute Command In Terminal    cat /sys/class/tpm/tpm0/tpm_version_major
-    # TPM 2.0 and 1.2
-    Should Contain Any    ${out}    1    2
+    Prepare TPM Test On Ubuntu
+    Validate Expected TPM Version Via Sysfs
 
 TPM002.003 Verify TPM version (Windows)
     [Documentation]    This test aims to verify that the TPM version is
@@ -98,12 +89,10 @@ TPM002.003 Verify TPM version (Windows)
 
 TPM003.001 Check TPM Physical Presence Interface (firmware)
     [Documentation]    This test aims to verify that the TPM Physical Presence
-    ...    Interface is supported by the firmware.
+    ...    Interface is supported by the firmware and the log can be detected
+    ...    with cbmem within Ubuntu
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    TPM003.001 not supported
-    Power On
-    Boot System Or From Connected Disk    ubuntu
-    Login To Linux
-    Switch To Root User
+    Prepare TPM Test On Ubuntu
     Get Cbmem From Cloud
     ${out}=    Execute Command In Terminal    cbmem -1 | grep PPI
     Should Contain    ${out}    PPI: Pending OS request
@@ -113,12 +102,15 @@ TPM003.002 Check TPM Physical Presence Interface (Ubuntu)
     [Documentation]    This test aims to verify that the TPM Physical Presence
     ...    Interface is correctly recognized by the operating system.
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    TPM003.002 not supported
-    Power On
-    Boot System Or From Connected Disk    ubuntu
-    Login To Linux
-    Switch To Root User
+    Prepare TPM Test On Ubuntu
     ${out}=    Execute Command In Terminal    cat /sys/class/tpm/tpm0/ppi/version
-    Should Contain Any    ${out}    1.2    1.3
+    IF    '${TPM_SUPPORTED_VERSION}' == '1'
+        Should Contain    ${out}    1.2
+    ELSE IF    '${TPM_SUPPORTED_VERSION}' == '2'
+        Should Contain    ${out}    1.3
+    ELSE
+        Fail    Invalid expected version, please verify config
+    END
 
 TPM003.003 Check TPM Physical Presence Interface (Windows)
     [Documentation]    This test aims to verify that the TPM Physical Presence
@@ -132,24 +124,16 @@ TPM003.003 Check TPM Physical Presence Interface (Windows)
 # TPM003.004 Change active PCR banks with TPM PPI (firmware)
 #    [Documentation]    This test aims to verify that the TPM Physical Presence
 #    ...    Interface is working properly in the firmware by changing active TPM PCR banks.
-#    Skip If    not ${tpm_support}    TPM003.004 not supported
+#    Skip If    not ${TPM_SUPPORTED_VERSION}    TPM003.004 not supported
 #    Skip If    not ${tests_in_ubuntu_support}    TPM003.004 not supported
 # TODO: https://docs.dasharo.com/unified-test-documentation/dasharo-security/200-tpm-support/#tpm003004-change-active-pcr-banks-with-tpm-ppi-firmware
 
 
 *** Keywords ***
-Validate Any TPM
-    [Documentation]    Checks for TPM major version, and validates it.
-    ${tpm_ver}=    Execute Command In Terminal    cat /sys/class/tpm/tpm0/tpm_version_major
-    IF    '${tpm_ver}' == '2'
-        Detect Or Install Package    tpm2-tools
-        ${out}=    Execute Command In Terminal    tpm2_pcrread
-        Should Contain    ${out}    sha1:
-        Should Contain    ${out}    sha256:
-    ELSE IF    '${tpm_ver}' == '1'
-        Detect Or Install Package    tpm-tools
-        ${out}=    Execute Command In Terminal    tpm_selftest
-        Should Contain    ${out}    TPM Test Results:
-    ELSE
-        Fail    No valid TPM version available.
-    END
+Prepare TPM Test On Ubuntu
+    [Documentation]    Run common actions required for TPM tests in Ubuntu
+    Power On
+    Boot System Or From Connected Disk    ubuntu
+    Login To Linux
+    Switch To Root User
+    Verify Presence Of TPM Via Sysfs

dasharo-security/tpm2-commands.robot

@@ -10,6 +10,7 @@ Library             RequestsLibrary
 # stuff in all test cases
 Resource            ../variables.robot
 Resource            ../keywords.robot
+Resource            ../lib/tpm.robot
 Resource            ../keys.robot
 
 # TODO:
@@ -262,12 +263,13 @@ Check If SHA1 And SHA256 Banks Are Enabled
 
 TPM2 Suite Setup
     Prepare Test Suite
-    Skip If    not ${TPM_SUPPORT}    TPM tests not supported
+    Skip If    ${TPM_SUPPORTED_VERSION} != '2'    TPM commands tests supported only TPM2
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    TPM commands tests supported only on Ubuntu
     Power On
     Boot System Or From Connected Disk    ubuntu
     Login To Linux
     Switch To Root User
+    Verify Presence Of TPM Via Sysfs
     Detect Or Install Package    tpm2-tools
     ${passed}=    Run Keyword And Return Status
     ...    Check If SHA1 And SHA256 Banks Are Enabled

lib/tpm.robot

@@ -67,3 +67,40 @@ Validate PCRs Against Event Log
             Should Contain    ${hash}    ${sha_hash}    ignore_case=${TRUE}
         END
     END
+
+Validate Expected TPM Version Via Sysfs
+    [Documentation]    Checks if detected major TPM version matches the expected
+    ...    value.
+    ${tpm_ver}=    Execute Command In Terminal    cat /sys/class/tpm/tpm0/tpm_version_major
+    IF    '${TPM_SUPPORTED_VERSION}' != '${tpm_ver}'
+        Fail    Platform TPM version mismatch
+    END
+
+Validate Expected TPM Chip Via Cbmem
+    [Documentation]    Check that correct TPM chip is found while FW boots
+    Get Cbmem From Cloud
+    ${tpm_chip_found}=    Execute Command In Terminal    cbmem -1 | grep -i "Found TPM"
+    Should Contain    ${tpm_chip_found}    ${TPM_EXPECTED_CHIP}
+
+Validate Expected TPM Version Via Cbmem Log
+    [Documentation]    Check if appropriate log is created by FW
+    Get Cbmem From Cloud
+    ${out}=    Execute Command In Terminal    cbmem -L
+    IF    '${TPM_SUPPORTED_VERSION}' == '1'
+        Should Contain    ${out}    TCPA log
+    ELSE IF    '${TPM_SUPPORTED_VERSION}' == '2'
+        Should Contain    ${out}    TPM2 log
+    ELSE
+        Fail    Invalid expected version, please verify config
+    END
+
+Verify Presence Of TPM Via Sysfs
+    [Documentation]    Use sysfs interface to detect presence of TPM
+    ...    in the system.
+    ${tpm_presence}=    Execute Command In Terminal    test -d /sys/class/tpm/tpm0 && echo "Found TPM"
+    Should Contain    ${tpm_presence}    Found TPM
+
+Verify Presence Of Any PCRs Via Sysfs
+    [Documentation]    Check sysfs interface for presence of any PCR
+    ${pcr_state}=    Execute Command In Terminal    ls /sys/class/tpm/tpm0/pcr-sha* &>/dev/null && echo "Found PCRs"
+    Should Contain    ${pcr_state}    Found PCRs

platform-configs/include/default.robot

@@ -177,7 +177,8 @@ ${DCU_SERIAL_SUPPORT}=                              ${FALSE}
 ${ROMHOLE_SUPPORT}=                                 ${FALSE}
 
 # Test module: dasharo-security
-${TPM_SUPPORT}=                                     ${FALSE}
+${TPM_SUPPORTED_VERSION}=                           ${None}
+${TPM_EXPECTED_CHIP}=                               FILL_WITH_CORRECT_VALUE_BEFORE_TESTING
 ${VERIFIED_BOOT_SUPPORT}=                           ${FALSE}
 ${VERIFIED_BOOT_POPUP_SUPPORT}=                     ${FALSE}
 ${MEASURED_BOOT_SUPPORT}=                           ${FALSE}

platform-configs/include/msi-z690-common.robot

@@ -90,7 +90,7 @@ ${SATA_SUPPORT}=                                ${TRUE}
 ${RESET_TO_DEFAULTS_SUPPORT}=                   ${TRUE}
 
 # Test module: dasharo-security
-${TPM_SUPPORT}=                                 ${TRUE}
+${TPM_SUPPORTED_VERSION}=                       2
 ${VERIFIED_BOOT_SUPPORT}=                       ${TRUE}
 ${VERIFIED_BOOT_POPUP_SUPPORT}=                 ${TRUE}
 ${MEASURED_BOOT_SUPPORT}=                       ${TRUE}

platform-configs/include/novacustom-common.robot

@@ -99,7 +99,7 @@ ${DTS_FIRMWARE_FLASHING_SUPPORT}=                   ${TRUE}
 ${DTS_EC_FLASHING_SUPPORT}=                         ${TRUE}
 
 # Test module: dasharo-security
-${TPM_SUPPORT}=                                     ${TRUE}
+${TPM_SUPPORTED_VERSION}=                           2
 ${VERIFIED_BOOT_SUPPORT}=                           ${TRUE}
 ${VERIFIED_BOOT_POPUP_SUPPORT}=                     ${TRUE}
 ${MEASURED_BOOT_SUPPORT}=                           ${TRUE}

platform-configs/include/optiplex-common.robot

@@ -66,7 +66,9 @@ ${DCU_UUID_SUPPORT}=                            ${TRUE}
 ${DCU_SERIAL_SUPPORT}=                          ${TRUE}
 
 # Test module: dasharo-security
-${TPM_SUPPORT}=                                 ${TRUE}
+${TPM_SUPPORTED_VERSION}=                       1
+# Cannot acquire tpm chip with cbmem on Optiplex platforms
+${TPM_EXPECTED_CHIP}=                           N/A
 ${MEASURED_BOOT_SUPPORT}=                       ${TRUE}
 ${SECURE_BOOT_SUPPORT}=                         ${TRUE}
 ${USB_MASS_STORAGE_SUPPORT}=                    ${TRUE}

platform-configs/include/pcengines.robot

@@ -83,7 +83,7 @@ ${MINI_PC_IE_SLOT_SUPPORT}=                 ${TRUE}
 ${APU_CONFIGURATION_MENU_SUPPORT}=          ${TRUE}
 
 # Test module: dasharo-security
-${TPM_SUPPORT}=                             ${TRUE}
+${TPM_SUPPORTED_VERSION}=                   2
 ${VERIFIED_BOOT_SUPPORT}=                   ${TRUE}
 ${VERIFIED_BOOT_POPUP_SUPPORT}=             ${TRUE}
 ${MEASURED_BOOT_SUPPORT}=                   ${TRUE}

platform-configs/include/protectli-common.robot

@@ -77,7 +77,7 @@ ${DCU_UUID_SUPPORT}=                            ${TRUE}
 ${DCU_SERIAL_SUPPORT}=                          ${TRUE}
 
 # Test module: dasharo-security
-${TPM_SUPPORT}=                                 ${TRUE}
+${TPM_SUPPORTED_VERSION}=                       2
 ${SECURE_BOOT_SUPPORT}=                         ${TRUE}
 ${SECURE_BOOT_DEFAULT_STATE}=                   Disabled
 ${USB_STACK_SUPPORT}=                           ${TRUE}

platform-configs/novacustom-nv41pz.robot

@@ -27,3 +27,6 @@ ${POWER_CTRL}=                  none
 
 ${USB_STACK_SUPPORT}=           ${TRUE}
 ${TESTS_IN_WINDOWS_SUPPORT}=    ${FALSE}
+
+${TPM_SUPPORTED_VERSION}=       2
+${TPM_EXPECTED_CHIP}=           SLB9670

platform-configs/novacustom-v540tnd.robot

@@ -35,3 +35,6 @@ ${CLEVO_USB_C_HUB}=                             Thunderbolt 4 Dock
 ${DOCKING_STATION_USB_C_CHARGING_SUPPORT}=      ${TRUE}
 ${DOCKING_STATION_AUDIO_SUPPORT}=               ${TRUE}
 ${VERIFIED_BOOT_SUPPORT}=                       ${TRUE}
+
+${TPM_SUPPORTED_VERSION}=                       2
+${TPM_EXPECTED_CHIP}=                           SLB9672

platform-configs/odroid-h4-plus.robot

@@ -89,7 +89,7 @@ ${CPU_TEMPERATURE_MEASURE}=                     ${TRUE}
 ${PLATFORM_STABILITY_CHECKING}=                 ${TRUE}
 
 # Dasharo security
-${TPM_SUPPORT}=                                 ${TRUE}
+${TPM_SUPPORTED_VERSION}=                       2
 ${TPM_DETECT_SUPPORT}=                          ${TRUE}
 ${VERIFIED_BOOT_SUPPORT}=                       ${TRUE}
 ${BIOS_LOCK_SUPPORT}=                           ${TRUE}

platform-configs/protectli-vp2420.robot

@@ -29,6 +29,9 @@ ${WATCHDOG_SUPPORT}=                ${TRUE}
 
 ${ETHERNET_ID}=                     8086:15f3
 
+${TPM_SUPPORTED_VERSION}=           2
+${TPM_EXPECTED_CHIP}=               SLB9670
+
 
 *** Keywords ***
 Flash Protectli VP2420 Internal

platform-configs/protectli-vp2430.robot

@@ -49,3 +49,6 @@ ${BLUETOOTH_CARD_UBUNTU}=           Intel Corp. AX200 Bluetooth
 ...                                 00-e0-97-1b-00-4a
 
 ${ETHERNET_ID}=                     8086:125c
+
+${TPM_SUPPORTED_VERSION}=           2
+${TPM_EXPECTED_CHIP}=               SLB9670

platform-configs/protectli-vp3230.robot

@@ -43,3 +43,6 @@ ${CLEVO_DISK}=                      N/A
 
 @{ETH_PORTS}=                       64-62-66-23-8f-19
 ...                                 64-62-66-23-8f-1a
+
+${TPM_SUPPORTED_VERSION}=           2
+${TPM_EXPECTED_CHIP}=               SLB9670

platform-configs/protectli-vp4650.robot

@@ -27,3 +27,6 @@ ${CPU_MIN_FREQUENCY}=           300
 ...                             64-62-66-21-42-8e
 ...                             64-62-66-21-42-8d
 ...                             64-62-66-21-42-8c
+
+${TPM_SUPPORTED_VERSION}=       2
+${TPM_EXPECTED_CHIP}=           SLB9665

platform-configs/protectli-vp6650.robot

@@ -28,3 +28,5 @@ ${PLATFORM_RAM_SIZE}=           65536
 ...                             64-62-66-22-84-f6
 ...                             64-62-66-22-84-f7
 ...                             64-62-66-22-84-f8
+
+${TPM_SUPPORTED_VERSION}=       ${None}

platform-configs/qemu.robot

@@ -61,7 +61,7 @@ ${RESET_TO_DEFAULTS_SUPPORT}=               ${TRUE}
 ${ESP_SCANNING_SUPPORT}=                    ${TRUE}
 
 # Test module: dasharo-security
-${TPM_SUPPORT}=                             ${TRUE}
+${TPM_SUPPORTED_VERSION}=                   2
 ${VERIFIED_BOOT_SUPPORT}=                   ${TRUE}
 ${VERIFIED_BOOT_POPUP_SUPPORT}=             ${TRUE}
 ${MEASURED_BOOT_SUPPORT}=                   ${TRUE}

platform-configs/raptor-cs_talos2.robot

@@ -108,7 +108,7 @@ ${ESP_SCANNING_SUPPORT}=                            ${FALSE}
 ${L3_CACHE_SUPPORT}=                                ${TRUE}
 
 # Test module: dasharo-security
-${TPM_SUPPORT}=                                     ${TRUE}
+${TPM_SUPPORTED_VERSION}=                           2
 ${VERIFIED_BOOT_SUPPORT}=                           ${FALSE}
 ${VERIFIED_BOOT_POPUP_SUPPORT}=                     ${FALSE}
 ${MEASURED_BOOT_SUPPORT}=                           ${FALSE}

platform-configs/rpi-3b.robot

@@ -118,7 +118,7 @@ ${DEFAULT_POWER_STATE_AFTER_FAIL}=                  Powered Off
 ${ESP_SCANNING_SUPPORT}=                            ${FALSE}
 
 # Test module: dasharo-security
-${TPM_SUPPORT}=                                     ${FALSE}
+${TPM_SUPPORTED_VERSION}=                           ${None}
 ${VERIFIED_BOOT_SUPPORT}=                           ${FALSE}
 ${VERIFIED_BOOT_POPUP_SUPPORT}=                     ${FALSE}
 ${MEASURED_BOOT_SUPPORT}=                           ${FALSE}