Skip to content

Commit

Permalink
[test] Adding lms optionality tests for auth manifest verification
Browse files Browse the repository at this point in the history
  • Loading branch information
@mhatrevi
mhatrevi committed Jan 29, 2025
1 parent 37dc9b1 commit 9051bc0
Showing 1 changed file with 84 additions and 107 deletions.
191 changes: 84 additions & 107 deletions runtime/tests/runtime_integration_tests/test_set_auth_manifest.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -328,8 +328,8 @@ fn test_set_auth_manifest_cmd_invalid_len() {
);
}

fn test_manifest_expect_err(manifest: AuthorizationManifest, expected_err: CaliptraError) {
let mut model = run_rt_test_lms(RuntimeTestArgs::default(), true);
fn set_manifest_command_execute(manifest: AuthorizationManifest, lms_verify: bool, expected_err: Option<CaliptraError>) {
let mut model = run_rt_test_lms(RuntimeTestArgs::default(), lms_verify);

model.step_until(|m| {
m.soc_ifc().cptra_boot_status().read() == u32::from(RtBootStatus::RtReadyForCommands)
Expand All @@ -346,54 +346,32 @@ fn test_manifest_expect_err(manifest: AuthorizationManifest, expected_err: Calip
});
set_auth_manifest_cmd.populate_chksum().unwrap();

let resp = model
let result = model
.mailbox_execute(
u32::from(CommandId::SET_AUTH_MANIFEST),
set_auth_manifest_cmd.as_bytes().unwrap(),
)
.unwrap_err();

assert_error(&mut model, expected_err, resp);
set_auth_manifest_cmd.as_bytes().unwrap());
if let Some(expected_err) = expected_err {
assert_error(&mut model, expected_err, result.unwrap_err());
} else {
result.unwrap().expect("We should have received a response");
}
}

#[test]
fn test_set_auth_manifest_cmd_zero_metadata_entry() {
let auth_manifest = create_auth_manifest_of_metadata_size(0);
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT),
);
}

#[test]
fn test_set_auth_manifest_cmd_max_metadata_entry_limit() {
let auth_manifest =
create_auth_manifest_of_metadata_size(AUTH_MANIFEST_IMAGE_METADATA_MAX_COUNT);

let mut model = run_rt_test_lms(RuntimeTestArgs::default(), true);

model.step_until(|m| {
m.soc_ifc().cptra_boot_status().read() == u32::from(RtBootStatus::RtReadyForCommands)
});

let buf = auth_manifest.as_bytes();
let mut auth_manifest_slice = [0u8; SetAuthManifestReq::MAX_MAN_SIZE];
auth_manifest_slice[..buf.len()].copy_from_slice(buf);

let mut set_auth_manifest_cmd = MailboxReq::SetAuthManifest(SetAuthManifestReq {
hdr: MailboxReqHeader { chksum: 0 },
manifest_size: buf.len() as u32,
manifest: auth_manifest_slice,
});
set_auth_manifest_cmd.populate_chksum().unwrap();

model
.mailbox_execute(
u32::from(CommandId::SET_AUTH_MANIFEST),
set_auth_manifest_cmd.as_bytes().unwrap(),
)
.unwrap()
.expect("We should have received a response");
set_manifest_command_execute(auth_manifest, true, None);
}

#[test]
Expand All @@ -419,79 +397,101 @@ fn test_set_auth_manifest_cmd_max_plus_one_metadata_entry_limit() {
};
}

test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT),
);
}

#[test]
fn test_set_auth_manifest_invalid_preamble_marker() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.marker = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_INVALID_AUTH_MANIFEST_MARKER,
true,
Some(CaliptraError::RUNTIME_INVALID_AUTH_MANIFEST_MARKER),
);
}

#[test]
fn test_set_auth_manifest_invalid_preamble_size() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.size -= 1;
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_PREAMBLE_SIZE_MISMATCH,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_PREAMBLE_SIZE_MISMATCH),
);
}

#[test]
fn test_set_auth_manifest_invalid_vendor_ecc_sig() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.vendor_pub_keys_signatures.ecc_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_ECC_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_ECC_SIGNATURE_INVALID),
);
}

#[test]
fn test_set_auth_manifest_invalid_vendor_lms_sig() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.vendor_pub_keys_signatures.lms_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_LMS_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_LMS_SIGNATURE_INVALID),
);
}

#[test]
fn test_set_auth_manifest_invalid_vendor_lms_sig_no_lms() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.vendor_pub_keys_signatures.lms_sig = Default::default();
set_manifest_command_execute(auth_manifest, false, None);
}

#[test]
fn test_set_auth_manifest_invalid_owner_ecc_sig() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.owner_pub_keys_signatures.ecc_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_ECC_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_ECC_SIGNATURE_INVALID),
);
}

#[test]
fn test_set_auth_manifest_invalid_owner_lms_sig() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.owner_pub_keys_signatures.lms_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_LMS_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_LMS_SIGNATURE_INVALID),
);
}

#[test]
fn test_set_auth_manifest_invalid_owner_lms_sig_no_lms() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.preamble.owner_pub_keys_signatures.lms_sig = Default::default();
set_manifest_command_execute(auth_manifest, false, None);
}

#[test]
fn test_set_auth_manifest_invalid_metadata_list_count() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest.image_metadata_col.entry_count = 0;
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_IMAGE_METADATA_LIST_INVALID_ENTRY_COUNT),
);
}

Expand All @@ -502,9 +502,10 @@ fn test_set_auth_manifest_invalid_vendor_metadata_ecc_sig() {
.preamble
.vendor_image_metdata_signatures
.ecc_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_ECC_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_ECC_SIGNATURE_INVALID),
);
}

Expand All @@ -515,22 +516,34 @@ fn test_set_auth_manifest_invalid_vendor_metadata_lms_sig() {
.preamble
.vendor_image_metdata_signatures
.lms_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_LMS_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_VENDOR_LMS_SIGNATURE_INVALID),
);
}

#[test]
fn test_set_auth_manifest_invalid_vendor_metadata_lms_sig_no_lms() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest
.preamble
.vendor_image_metdata_signatures
.lms_sig = Default::default();
set_manifest_command_execute(auth_manifest, false, None);
}

#[test]
fn test_set_auth_manifest_invalid_owner_metadata_ecc_sig() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest
.preamble
.owner_image_metdata_signatures
.ecc_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_ECC_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_ECC_SIGNATURE_INVALID),
);
}

Expand All @@ -541,11 +554,21 @@ fn test_set_auth_manifest_invalid_owner_metadata_lms_sig() {
.preamble
.owner_image_metdata_signatures
.lms_sig = Default::default();
test_manifest_expect_err(
set_manifest_command_execute(
auth_manifest,
CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_LMS_SIGNATURE_INVALID,
true,
Some(CaliptraError::RUNTIME_AUTH_MANIFEST_OWNER_LMS_SIGNATURE_INVALID),
);
}
#[test]
fn test_set_auth_manifest_invalid_owner_metadata_lms_sig_no_lms() {
let mut auth_manifest = create_auth_manifest(AuthManifestFlags::VENDOR_SIGNATURE_REQUIRED);
auth_manifest
.preamble
.owner_image_metdata_signatures
.lms_sig = Default::default();
set_manifest_command_execute(auth_manifest, false, None);
}

#[test]
fn test_set_auth_manifest_cmd_ignore_vendor_ecc_sig() {
Expand All @@ -557,30 +580,7 @@ fn test_set_auth_manifest_cmd_ignore_vendor_ecc_sig() {
.vendor_image_metdata_signatures
.ecc_sig = Default::default();

let buf = auth_manifest.as_bytes();
let mut auth_manifest_slice = [0u8; SetAuthManifestReq::MAX_MAN_SIZE];
auth_manifest_slice[..buf.len()].copy_from_slice(buf);

let mut model = run_rt_test_lms(RuntimeTestArgs::default(), true);

model.step_until(|m| {
m.soc_ifc().cptra_boot_status().read() == u32::from(RtBootStatus::RtReadyForCommands)
});

let mut set_auth_manifest_cmd = MailboxReq::SetAuthManifest(SetAuthManifestReq {
hdr: MailboxReqHeader { chksum: 0 },
manifest_size: buf.len() as u32,
manifest: auth_manifest_slice,
});
set_auth_manifest_cmd.populate_chksum().unwrap();

model
.mailbox_execute(
u32::from(CommandId::SET_AUTH_MANIFEST),
set_auth_manifest_cmd.as_bytes().unwrap(),
)
.unwrap()
.expect("We should have received a response");
set_manifest_command_execute(auth_manifest, true, None);
}

#[test]
Expand All @@ -593,28 +593,5 @@ fn test_set_auth_manifest_cmd_ignore_vendor_lms_sig() {
.vendor_image_metdata_signatures
.lms_sig = Default::default();

let buf = auth_manifest.as_bytes();
let mut auth_manifest_slice = [0u8; SetAuthManifestReq::MAX_MAN_SIZE];
auth_manifest_slice[..buf.len()].copy_from_slice(buf);

let mut model = run_rt_test_lms(RuntimeTestArgs::default(), true);

model.step_until(|m| {
m.soc_ifc().cptra_boot_status().read() == u32::from(RtBootStatus::RtReadyForCommands)
});

let mut set_auth_manifest_cmd = MailboxReq::SetAuthManifest(SetAuthManifestReq {
hdr: MailboxReqHeader { chksum: 0 },
manifest_size: buf.len() as u32,
manifest: auth_manifest_slice,
});
set_auth_manifest_cmd.populate_chksum().unwrap();

model
.mailbox_execute(
u32::from(CommandId::SET_AUTH_MANIFEST),
set_auth_manifest_cmd.as_bytes().unwrap(),
)
.unwrap()
.expect("We should have received a response");
set_manifest_command_execute(auth_manifest, true, None);
}

0 comments on commit 9051bc0

Please sign in to comment.