Skip to content

Commit

Permalink
[test] Adding lms optionality tests for auth manifest verification
Browse files Browse the repository at this point in the history
  • Loading branch information
@mhatrevi @jhand2
mhatrevi authored and jhand2 committed Jan 30, 2025
1 parent bcda7fa commit 77e61bd
Show file tree
Hide file tree
Showing 2 changed files with 91 additions and 110 deletions.
2 changes: 1 addition & 1 deletion runtime/tests/runtime_integration_tests/test_authorize_and_stash.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -553,7 +553,7 @@ fn test_authorize_and_stash_after_update_reset_unauthorized_fw_id() {
// Trigger an update reset.
update_fw(&mut model, &APP_WITH_UART, ImageOptions::default());

// Attempt Authorization with a bad image hash.
// Attempt Authorization with a unauthorized fw id.
let mut authorize_and_stash_cmd = MailboxReq::AuthorizeAndStash(AuthorizeAndStashReq {
hdr: MailboxReqHeader { chksum: 0 },
fw_id: FW_ID_127,
Expand Down
199 changes: 90 additions & 109 deletions runtime/tests/runtime_integration_tests/test_set_auth_manifest.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -328,8 +328,12 @@ fn test_set_auth_manifest_cmd_invalid_len() {
);
}

fn test_manifest_expect_err(manifest: AuthorizationManifest, expected_err: CaliptraError) {
let mut model = run_rt_test_lms(RuntimeTestArgs::default(), true);
fn set_manifest_command_execute(
manifest: AuthorizationManifest,
lms_verify: bool,
expected_err: Option<CaliptraError>,
) {
let mut model = run_rt_test_lms(RuntimeTestArgs::default(), lms_verify);

model.step_until(|m| {
m.soc_ifc().cptra_boot_status().read() == u32::from(RtBootStatus::RtReadyForCommands)
Expand All @@ -346,54 +350,32 @@ fn test_manifest_expect_err(manifest: AuthorizationManifest, expected_err: Calip
});
set_auth_manifest_cmd.populate_chksum().unwrap();

let resp = model
.mailbox_execute(
u32::from(CommandId::SET_AUTH_MANIFEST),
set_auth_manifest_cmd.as_bytes().unwrap(),
)
.unwrap_err();

assert_error(&mut model, expected_err, resp);
let result = model.mailbox_execute(
u32::from(CommandId::SET_AUTH_MANIFEST),
set_auth_manifest_cmd.as_bytes().unwrap(),
);
if let Some(expected_err) = expected_err {
assert_error(&mut model, expected_err, result.unwrap_err());
} else {
result.unwrap().expect("We should have received a response");
}
}

#[test]
fn test_set_auth_manifest_cmd_zero_metadata_entry() {
let auth_manifest = create_auth_manifest_of_metadata_size(0);
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT),
);
}

#[test]
fn test_set_auth_manifest_cmd_max_metadata_entry_limit() {
let auth_manifest =
create_auth_manifest_of_metadata_size(AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT);

let mut model = run_rt_test_lms(RuntimeTestArgs::default(), true);

model.step_until(|m| {
m.soc_ifc().cptra_boot_status().read() == u32::from(RtBootStatus::RtReadyForCommands)
});

let buf = auth_manifest.as_bytes();
let mut auth_manifest_slice = [0u8; SetAuthManifestReq::MAX_MAN_SIZE];
auth_manifest_slice[..buf.len()].copy_from_slice(buf);

let mut set_auth_manifest_cmd = MailboxReq::SetAuthManifest(SetAuthManifestReq {
hdr: MailboxReqHeader { chksum: 0 },
manifest_size: buf.len() as u32,
manifest: auth_manifest_slice,
});
set_auth_manifest_cmd.populate_chksum().unwrap();

model
.mailbox_execute(
u32::from(CommandId::SET_AUTH_MANIFEST),
set_auth_manifest_cmd.as_bytes().unwrap(),
)
.unwrap()
.expect("We should have received a response");
set_manifest_command_execute(auth_manifest, true, None);
}

#[test]
Expand All @@ -419,79 +401,101 @@ fn test_set_auth_manifest_cmd_max_plus_one_metadata_entry_limit() {
};
}

test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT),
);
}

#[test]
fn test_set_auth_manifest_invalid_preamble_marker() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.marker = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_INVALID_AUTH_MANIFEST_MARKER,
true,
Some(CaliptraError::RUNTIME_INVALID_AUTH_MANIFEST_MARKER),
);
}

#[test]
fn test_set_auth_manifest_invalid_preamble_size() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.size -= 1;
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_PREAMBLE_SIZE_MISMATCH,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_PREAMBLE_SIZE_MISMATCH),
);
}

#[test]
fn test_set_auth_manifest_invalid_vendor_ecc_sig() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.vendor_pub_keys_signatures.ecc_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_ECC_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_ECC_SIGNATURE_INVALID),
);
}

#[test]
fn test_set_auth_manifest_invalid_vendor_lms_sig() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.vendor_pub_keys_signatures.lms_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_LMS_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_LMS_SIGNATURE_INVALID),
);
}

#[test]
fn test_set_auth_manifest_invalid_vendor_lms_sig_no_lms() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.vendor_pub_keys_signatures.lms_sig = Default::default();
set_manifest_command_execute(auth_manifest, false, None);
}

#[test]
fn test_set_auth_manifest_invalid_owner_ecc_sig() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.owner_pub_keys_signatures.ecc_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_ECC_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_ECC_SIGNATURE_INVALID),
);
}

#[test]
fn test_set_auth_manifest_invalid_owner_lms_sig() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.owner_pub_keys_signatures.lms_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_LMS_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_LMS_SIGNATURE_INVALID),
);
}

#[test]
fn test_set_auth_manifest_invalid_owner_lms_sig_no_lms() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.owner_pub_keys_signatures.lms_sig = Default::default();
set_manifest_command_execute(auth_manifest, false, None);
}

#[test]
fn test_set_auth_manifest_invalid_metadata_list_count() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.image_metadata_col.entry_count = 0;
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT),
);
}

Expand All @@ -502,9 +506,10 @@ fn test_set_auth_manifest_invalid_vendor_metadata_ecc_sig() {
.preamble
.vendor_image_metdata_signatures
.ecc_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_ECC_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_ECC_SIGNATURE_INVALID),
);
}

Expand All @@ -515,22 +520,34 @@ fn test_set_auth_manifest_invalid_vendor_metadata_lms_sig() {
.preamble
.vendor_image_metdata_signatures
.lms_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_LMS_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_LMS_SIGNATURE_INVALID),
);
}

#[test]
fn test_set_auth_manifest_invalid_vendor_metadata_lms_sig_no_lms() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest
.preamble
.vendor_image_metdata_signatures
.lms_sig = Default::default();
set_manifest_command_execute(auth_manifest, false, None);
}

#[test]
fn test_set_auth_manifest_invalid_owner_metadata_ecc_sig() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest
.preamble
.owner_image_metdata_signatures
.ecc_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_ECC_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_ECC_SIGNATURE_INVALID),
);
}

Expand All @@ -541,11 +558,21 @@ fn test_set_auth_manifest_invalid_owner_metadata_lms_sig() {
.preamble
.owner_image_metdata_signatures
.lms_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_LMS_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_LMS_SIGNATURE_INVALID),
);
}
#[test]
fn test_set_auth_manifest_invalid_owner_metadata_lms_sig_no_lms() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest
.preamble
.owner_image_metdata_signatures
.lms_sig = Default::default();
set_manifest_command_execute(auth_manifest, false, None);
}

#[test]
fn test_set_auth_manifest_cmd_ignore_vendor_ecc_sig() {
Expand All @@ -557,30 +584,7 @@ fn test_set_auth_manifest_cmd_ignore_vendor_ecc_sig() {
.vendor_image_metdata_signatures
.ecc_sig = Default::default();

let buf = auth_manifest.as_bytes();
let mut auth_manifest_slice = [0u8; SetAuthManifestReq::MAX_MAN_SIZE];
auth_manifest_slice[..buf.len()].copy_from_slice(buf);

let mut model = run_rt_test_lms(RuntimeTestArgs::default(), true);

model.step_until(|m| {
m.soc_ifc().cptra_boot_status().read() == u32::from(RtBootStatus::RtReadyForCommands)
});

let mut set_auth_manifest_cmd = MailboxReq::SetAuthManifest(SetAuthManifestReq {
hdr: MailboxReqHeader { chksum: 0 },
manifest_size: buf.len() as u32,
manifest: auth_manifest_slice,
});
set_auth_manifest_cmd.populate_chksum().unwrap();

model
.mailbox_execute(
u32::from(CommandId::SET_AUTH_MANIFEST),
set_auth_manifest_cmd.as_bytes().unwrap(),
)
.unwrap()
.expect("We should have received a response");
set_manifest_command_execute(auth_manifest, true, None);
}

#[test]
Expand All @@ -593,28 +597,5 @@ fn test_set_auth_manifest_cmd_ignore_vendor_lms_sig() {
.vendor_image_metdata_signatures
.lms_sig = Default::default();

let buf = auth_manifest.as_bytes();
let mut auth_manifest_slice = [0u8; SetAuthManifestReq::MAX_MAN_SIZE];
auth_manifest_slice[..buf.len()].copy_from_slice(buf);

let mut model = run_rt_test_lms(RuntimeTestArgs::default(), true);

model.step_until(|m| {
m.soc_ifc().cptra_boot_status().read() == u32::from(RtBootStatus::RtReadyForCommands)
});

let mut set_auth_manifest_cmd = MailboxReq::SetAuthManifest(SetAuthManifestReq {
hdr: MailboxReqHeader { chksum: 0 },
manifest_size: buf.len() as u32,
manifest: auth_manifest_slice,
});
set_auth_manifest_cmd.populate_chksum().unwrap();

model
.mailbox_execute(
u32::from(CommandId::SET_AUTH_MANIFEST),
set_auth_manifest_cmd.as_bytes().unwrap(),
)
.unwrap()
.expect("We should have received a response");
set_manifest_command_execute(auth_manifest, true, None);
}

0 comments on commit 77e61bd

Please sign in to comment.