From ccea2d9b99a0f736134bf92ee97ce6d311fb7d67 Mon Sep 17 00:00:00 2001 From: Sebastian Czapla Date: Wed, 4 Sep 2024 11:38:27 +0200 Subject: [PATCH 1/8] dasharo-security/tpm-support.robot: Refactor TPM version and support tests This commit introduces two new variables, EXPECTED_TPM_CHIP and EXPECTED_TPM_VERSION. Additionally, refactor few keywords and tests within tpm-support.robot Signed-off-by: Sebastian Czapla --- dasharo-security/tpm-support.robot | 63 +++++++++---------- lib/tpm.robot | 37 +++++++++++ platform-configs/include/default.robot | 2 + .../include/optiplex-common.robot | 3 + platform-configs/novacustom-nv41pz.robot | 3 + platform-configs/novacustom-v540tnd.robot | 3 + platform-configs/protectli-vp2420.robot | 3 + platform-configs/protectli-vp2430.robot | 3 + platform-configs/protectli-vp3230.robot | 3 + platform-configs/protectli-vp4650.robot | 3 + 10 files changed, 91 insertions(+), 32 deletions(-) diff --git a/dasharo-security/tpm-support.robot b/dasharo-security/tpm-support.robot index 67cb70b756..66950c3a66 100644 --- a/dasharo-security/tpm-support.robot +++ b/dasharo-security/tpm-support.robot @@ -10,6 +10,7 @@ Library RequestsLibrary # stuff in all test cases Resource ../variables.robot Resource ../keywords.robot +Resource ../lib/tpm.robot Resource ../keys.robot # TODO: 
@@ -20,22 +21,27 @@ Suite Setup Run Keywords ... Prepare Test Suite ... AND ... Skip If not ${TPM_SUPPORT} TPM tests not supported +... AND +... Skip If '${TPM_EXPECTED_VERSION}' == '0' TPM Version unset Suite Teardown Run Keyword ... Log Out And Close Connection *** Test Cases *** TPM001.001 TPM Support (firmware) - [Documentation] This test aims to verify that the TPM is initialized - ... correctly and the PCRs can be accessed from the firmware. + [Documentation] This test aims to verify that the TPM is initialized, + ... detected and logged correctly by FW via cbmem, directly in Ubuntu Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM001.001 not supported Power On Boot System Or From Connected Disk ubuntu Login To Linux Switch To Root User - Get Cbmem From Cloud - ${out}= Execute Command In Terminal cbmem -L - Should Contain Any ${out} TPM2 log TCPA log + Verify Presence Of TPM Via Sysfs + ${result}= Run Keyword And Ignore Error Validate Expected TPM Chip Via Cbmem + IF '${result}[0]' == 'FAIL' + Log To Console \nChip detection failed, attempting cbmem log detection\n + Validate Expected TPM Version Via Cbmem Log + END TPM001.002 TPM Support (Ubuntu) [Documentation] Check whether the TPM is initialized correctly and the @@ -45,7 +51,8 @@ TPM001.002 TPM Support (Ubuntu) Boot System Or From Connected Disk ubuntu Login To Linux Switch To Root User - Validate Any TPM + Verify Presence Of TPM Via Sysfs + Verify Presence Of Any PCRs Via Sysfs TPM001.003 TPM Support (Windows) [Documentation] Check whether the TPM is initialized correctly and the 
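Review bot: In TPM001.001 the `Run Keyword And Ignore Error` around `Validate Expected TPM Chip Via Cbmem` turns every chip-check failure into a pass as long as the cbmem log contains the expected `TPM2 log`/`TCPA log` marker, so a board fitted with a different TPM part than `${TPM_EXPECTED_CHIP}` still passes the "firmware detects the TPM" test, and only a console log line records that the chip check failed. The fallback appears to exist for platforms where cbmem cannot report the chip (the optiplex config sets the chip to `N/A`), so the safer shape is to fall back only on that declared condition and let a genuine mismatch fail; the same pattern is repeated in TPM002.001 in the next hunk and should change there too.

```robotframework
    Verify Presence Of TPM Via Sysfs
    # Fall back to the cbmem log only where the platform config declares
    # that cbmem cannot report the chip; a chip mismatch must still fail.
    IF '${TPM_EXPECTED_CHIP}' == 'N/A'
        Validate Expected TPM Version Via Cbmem Log
    ELSE
        Validate Expected TPM Chip Via Cbmem
    END
```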
@@ -69,9 +76,12 @@ TPM002.001 Verify TPM version (firmware) Boot System Or From Connected Disk ubuntu Login To Linux Switch To Root User - Get Cbmem From Cloud - ${out}= Execute Command In Terminal cbmem -L - Should Contain Any ${out} TPM2 log TCPA log + Verify Presence Of TPM Via Sysfs + ${result}= Run Keyword And Ignore Error Validate Expected TPM Chip Via Cbmem + IF '${result}[0]' == 'FAIL' + Log To Console \nChip detection failed, attempting cbmem log detection\n + Validate Expected TPM Version Via Cbmem Log + END TPM002.002 Verify TPM version (Ubuntu) [Documentation] This test aims to verify that the TPM version is @@ -82,9 +92,8 @@ TPM002.002 Verify TPM version (Ubuntu) Boot System Or From Connected Disk ubuntu Login To Linux Switch To Root User - ${out}= Execute Command In Terminal cat /sys/class/tpm/tpm0/tpm_version_major - # TPM 2.0 and 1.2 - Should Contain Any ${out} 1 2 + Verify Presence Of TPM Via Sysfs + Validate Expected TPM Version Via Sysfs TPM002.003 Verify TPM version (Windows) [Documentation] This test aims to verify that the TPM version is @@ -98,7 +107,8 @@ TPM002.003 Verify TPM version (Windows) TPM003.001 Check TPM Physical Presence Interface (firmware) [Documentation] This test aims to verify that the TPM Physical Presence - ... Interface is supported by the firmware. + ... Interface is supported by the firmware and the log can be detected + ... with cbmem within Ubuntu Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM003.001 not supported Power On Boot System Or From Connected Disk ubuntu 
@@ -117,8 +127,15 @@ TPM003.002 Check TPM Physical Presence Interface (Ubuntu) Boot System Or From Connected Disk ubuntu Login To Linux Switch To Root User + Verify Presence Of TPM Via Sysfs ${out}= Execute Command In Terminal cat /sys/class/tpm/tpm0/ppi/version - Should Contain Any ${out} 1.2 1.3 + IF '${TPM_EXPECTED_VERSION}' == '1' + Should Contain ${out} 1.2 + ELSE IF '${TPM_EXPECTED_VERSION}' == '2' + Should Contain ${out} 1.3 + ELSE + Fail Invalid expected version, please verify config + END TPM003.003 Check TPM Physical Presence Interface (Windows) [Documentation] This test aims to verify that the TPM Physical Presence @@ -135,21 +152,3 @@ TPM003.003 Check TPM Physical Presence Interface (Windows) # Skip If not ${tpm_support} TPM003.004 not supported # Skip If not ${tests_in_ubuntu_support} TPM003.004 not supported # TODO: https://docs.dasharo.com/unified-test-documentation/dasharo-security/200-tpm-support/#tpm003004-change-active-pcr-banks-with-tpm-ppi-firmware - - -*** Keywords *** -Validate Any TPM - [Documentation] Checks for TPM major version, and validates it. - ${tpm_ver}= Execute Command In Terminal cat /sys/class/tpm/tpm0/tpm_version_major - IF '${tpm_ver}' == '2' - Detect Or Install Package tpm2-tools - ${out}= Execute Command In Terminal tpm2_pcrread - Should Contain ${out} sha1: - Should Contain ${out} sha256: - ELSE IF '${tpm_ver}' == '1' - Detect Or Install Package tpm-tools - ${out}= Execute Command In Terminal tpm_selftest - Should Contain ${out} TPM Test Results: - ELSE - Fail No valid TPM version available. - END diff --git a/lib/tpm.robot b/lib/tpm.robot index 610231da27..d935a2d6d7 100644 --- a/lib/tpm.robot +++ b/lib/tpm.robot 
@@ -67,3 +67,40 @@ Validate PCRs Against Event Log Should Contain ${hash} ${sha_hash} ignore_case=${TRUE} END END + +Validate Expected TPM Version Via Sysfs + [Documentation] Checks if detected major TPM version matches the expected + ... value. + ${tpm_ver}= Execute Command In Terminal cat /sys/class/tpm/tpm0/tpm_version_major + IF '${TPM_EXPECTED_VERSION}' != '${tpm_ver}' + Fail Platform TPM version mismatch + END + +Validate Expected TPM Chip Via Cbmem + [Documentation] Check that correct TPM chip is found while FW boots + Get Cbmem From Cloud + ${tpm_chip_found}= Execute Command In Terminal cbmem -1 | grep -i "Found TPM" + Should Contain ${tpm_chip_found} ${TPM_EXPECTED_CHIP} + +Validate Expected TPM Version Via Cbmem Log + [Documentation] Check if appropriate log is created by FW + Get Cbmem From Cloud + ${out}= Execute Command In Terminal cbmem -L + IF '${TPM_EXPECTED_VERSION}' == '1' + Should Contain ${out} TCPA log + ELSE IF '${TPM_EXPECTED_VERSION}' == '2' + Should Contain ${out} TPM2 log + ELSE + Fail Invalid expected version, please verify config + END + +Verify Presence Of TPM Via Sysfs + [Documentation] Use sysfs interface to detect presence of TPM + ... in the system. + ${tpm_presence}= Execute Command In Terminal test -d /sys/class/tpm/tpm0 && echo "Found TPM" + Should Contain ${tpm_presence} Found TPM + +Verify Presence Of Any PCRs Via Sysfs + [Documentation] Check sysfs interface for presence of any PCR + ${pcr_state}= Execute Command In Terminal ls /sys/class/tpm/tpm0/pcr-sha* &>/dev/null && echo "Found PCRs" + Should Contain ${pcr_state} Found PCRs diff --git a/platform-configs/include/default.robot b/platform-configs/include/default.robot index f5f7bbc0cc..b2115af8d0 100644 --- a/platform-configs/include/default.robot +++ b/platform-configs/include/default.robot 
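Review bot: `Verify Presence Of Any PCRs Via Sysfs` relies on `&>/dev/null`, which is a bash-only redirection; if the remote shell behind `Execute Command In Terminal` is a POSIX sh, the command parses as `ls … &` followed by `>/dev/null && echo "Found PCRs"`, so the echo runs unconditionally and the keyword can never fail — please confirm the shell, or use `ls /sys/class/tpm/tpm0/pcr-sha* >/dev/null 2>&1 && echo "Found PCRs"`. This keyword replaces `Validate Any TPM`, which actually read PCR values through `tpm2_pcrread`/`tpm_selftest`; testing that a `pcr-sha*` directory exists is weaker than the TPM001.002 documentation's claim that the PCRs can be accessed, and as far as I recall TPM 1.2 devices expose a single `pcrs` attribute rather than per-bank `pcr-sha*` directories, so the version-1 (Optiplex) configs would fail here — worth checking on one. The `[Documentation]` of `Verify Presence Of Any PCRs Via Sysfs` should state that it only checks sysfs entry existence, not PCR readability.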
@@ -178,6 +178,8 @@ ${ROMHOLE_SUPPORT}= ${FALSE} # Test module: dasharo-security ${TPM_SUPPORT}= ${FALSE} +${TPM_EXPECTED_CHIP}= FILL_WITH_CORRECT_VALUE_BEFORE_TESTING +${TPM_EXPECTED_VERSION}= 0 ${VERIFIED_BOOT_SUPPORT}= ${FALSE} ${VERIFIED_BOOT_POPUP_SUPPORT}= ${FALSE} ${MEASURED_BOOT_SUPPORT}= ${FALSE} diff --git a/platform-configs/include/optiplex-common.robot b/platform-configs/include/optiplex-common.robot index 0f77045ff8..5c6b428831 100644 --- a/platform-configs/include/optiplex-common.robot +++ b/platform-configs/include/optiplex-common.robot @@ -67,6 +67,9 @@ ${DCU_SERIAL_SUPPORT}= ${TRUE} # Test module: dasharo-security ${TPM_SUPPORT}= ${TRUE} +${TPM_EXPECTED_VERSION}= 1 +# Cannot acquire tpm chip with cbmem on Optiplex platforms +${TPM_EXPECTED_CHIP}= N/A ${MEASURED_BOOT_SUPPORT}= ${TRUE} ${SECURE_BOOT_SUPPORT}= ${TRUE} ${USB_MASS_STORAGE_SUPPORT}= ${TRUE} diff --git a/platform-configs/novacustom-nv41pz.robot b/platform-configs/novacustom-nv41pz.robot index 5e167891f9..ec55c11703 100644 --- a/platform-configs/novacustom-nv41pz.robot +++ b/platform-configs/novacustom-nv41pz.robot @@ -27,3 +27,6 @@ ${POWER_CTRL}= none ${USB_STACK_SUPPORT}= ${TRUE} ${TESTS_IN_WINDOWS_SUPPORT}= ${FALSE} + +${TPM_EXPECTED_VERSION}= 2 +${TPM_EXPECTED_CHIP}= SLB9670 diff --git a/platform-configs/novacustom-v540tnd.robot b/platform-configs/novacustom-v540tnd.robot index f0616cedb4..c57c412105 100644 --- a/platform-configs/novacustom-v540tnd.robot +++ b/platform-configs/novacustom-v540tnd.robot @@ -35,3 +35,6 @@ ${CLEVO_USB_C_HUB}= Thunderbolt 4 Dock ${DOCKING_STATION_USB_C_CHARGING_SUPPORT}= ${TRUE} ${DOCKING_STATION_AUDIO_SUPPORT}= ${TRUE} ${VERIFIED_BOOT_SUPPORT}= ${TRUE} + +${TPM_EXPECTED_VERSION}= 2 +${TPM_EXPECTED_CHIP}= SLB9672 diff --git a/platform-configs/protectli-vp2420.robot b/platform-configs/protectli-vp2420.robot index a95dacacea..d85f30f0f6 100644 --- a/platform-configs/protectli-vp2420.robot +++ b/platform-configs/protectli-vp2420.robot 
@@ -29,6 +29,9 @@ ${WATCHDOG_SUPPORT}= ${TRUE} ${ETHERNET_ID}= 8086:15f3 +${TPM_EXPECTED_VERSION}= 2 +${TPM_EXPECTED_CHIP}= SLB9670 + *** Keywords *** Flash Protectli VP2420 Internal diff --git a/platform-configs/protectli-vp2430.robot b/platform-configs/protectli-vp2430.robot index 1b884d369f..5734e6e3ec 100644 --- a/platform-configs/protectli-vp2430.robot +++ b/platform-configs/protectli-vp2430.robot @@ -49,3 +49,6 @@ ${BLUETOOTH_CARD_UBUNTU}= Intel Corp. AX200 Bluetooth ... 00-e0-97-1b-00-4a ${ETHERNET_ID}= 8086:125c + +${TPM_EXPECTED_VERSION}= 2 +${TPM_EXPECTED_CHIP}= SLB9670 diff --git a/platform-configs/protectli-vp3230.robot b/platform-configs/protectli-vp3230.robot index db39a7e47d..ffe5f70d24 100644 --- a/platform-configs/protectli-vp3230.robot +++ b/platform-configs/protectli-vp3230.robot @@ -43,3 +43,6 @@ ${CLEVO_DISK}= N/A @{ETH_PORTS}= 64-62-66-23-8f-19 ... 64-62-66-23-8f-1a + +${TPM_EXPECTED_VERSION}= 2 +${TPM_EXPECTED_CHIP}= SLB9670 diff --git a/platform-configs/protectli-vp4650.robot b/platform-configs/protectli-vp4650.robot index e2b7fe9dfe..5e35dd611c 100644 --- a/platform-configs/protectli-vp4650.robot +++ b/platform-configs/protectli-vp4650.robot @@ -27,3 +27,6 @@ ${CPU_MIN_FREQUENCY}= 300 ... 64-62-66-21-42-8e ... 64-62-66-21-42-8d ... 64-62-66-21-42-8c + +${TPM_EXPECTED_VERSION}= 2 +${TPM_EXPECTED_CHIP}= SLB9665 From 6cad2d365509ee60862dc1cfdfe5e7ac17c6df99 Mon Sep 17 00:00:00 2001 From: Sebastian Czapla Date: Mon, 27 Jan 2025 11:55:32 +0100 Subject: [PATCH 2/8] scripts/get-robot-variables.sh: Add TPM to config generation Signed-off-by: Sebastian Czapla --- scripts/get-robot-variables.sh | 45 ++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/scripts/get-robot-variables.sh b/scripts/get-robot-variables.sh index e151ea0476..815bc75fa2 100755 --- a/scripts/get-robot-variables.sh +++ b/scripts/get-robot-variables.sh 
@@ -159,6 +159,49 @@ while IFS= read -r audio_device_name; do eval "DEVICE_AUDIO$counter='$audio_device_name'" done <<< "$audio_device_names" +# cbmem and TPM detection variables +CBMEM_BINARY_PATH="/usr/local/bin/cbmem" +CBMEM_EXPECTED_HASH="169c5a5a63699cb37cf08d1eff83e59f146ffa98cf283145f27adecc081ac3f6" +CBMEM_URL="https://cloud.3mdeb.com/index.php/s/C6LJMi4bWz3wzR9/download" +TPM_VER_PATH="/sys/class/tpm/tpm0/tpm_version_major" + +ensure_valid_cbmem() { + if [[ -f "$CBMEM_BINARY_PATH" ]]; then + local current_hash + current_hash=$(sha256sum "$CBMEM_BINARY_PATH" | awk '{print $1}') + + if [[ "$current_hash" == "$CBMEM_EXPECTED_HASH" ]]; then + sudo chmod 777 "$CBMEM_BINARY_PATH" + return 0 + fi + else + echo "Fetching cbmem from cloud..." + sudo curl -o "$CBMEM_BINARY_PATH" "$CBMEM_URL" + + if [[ $? -eq 0 ]]; then + echo "Success!" + sudo chmod 777 "$CBMEM_BINARY_PATH" + else + echo "Failed..." + return 1 + fi + fi +} + +ensure_valid_cbmem + +if [ -f ${TPM_VER_PATH} ]; then + TPM_EXPECTED_VERSION=$(cat ${TPM_VER_PATH}) +else + TPM_EXPECTED_VERSION=0 +fi + +if [ -f /usr/local/bin/cbmem ]; then + TPM_EXPECTED_CHIP=$(sudo /usr/local/bin/cbmem -1 | grep "Found TPM" | awk 'NR==1{print $5}'); +else + TPM_EXPECTED_CHIP="Unknown" +fi + # Print collected information if -p is provided if [ "$PRINT" = true ]; then echo "-----------------------WiFi-------------------------" @@ -271,6 +314,8 @@ fi [[ -n "$DEF_CORES_PER_SOCKET" ]] && echo "\${DEF_CORES_PER_SOCKET}= $DEF_CORES_PER_SOCKET" [[ -n "$DEF_SOCKETS" ]] && echo "\${DEF_SOCKETS}= $DEF_SOCKETS" [[ -n "$DEF_ONLINE_CPU" ]] && echo "\${DEF_ONLINE_CPU}= $DEF_ONLINE_CPU" + [[ -n "$TPM_EXPECTED_VERSION" ]] && echo "\${TPM_EXPECTED_VERSION}= $TPM_EXPECTED_VERSION" + [[ -n "$TPM_EXPECTED_CHIP" ]] && echo "\${TPM_EXPECTED_CHIP}= $TPM_EXPECTED_CHIP" for i in $(seq 1 $counter); do eval "audio_device_name=\$DEVICE_AUDIO$i" From 8f64a70e04bb6199530db3a962ad98933d3a4aed Mon Sep 17 00:00:00 2001 
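Review bot: `ensure_valid_cbmem` lets an existing `/usr/local/bin/cbmem` whose sha256 differs from `CBMEM_EXPECTED_HASH` fall out of the inner `if` with status 0, and the freshly downloaded copy is never hashed at all, so the expected hash gates nothing before the binary is run under `sudo` to populate `TPM_EXPECTED_CHIP`. `sudo chmod 777` additionally leaves a root-executed binary world-writable, the call site discards the function's return value, and the later `[ -f /usr/local/bin/cbmem ]` only checks existence. The rewrite below verifies the hash of both the existing and the downloaded file (downloading to a temp file and installing with mode 0755 only on a match) and makes the chip-detection block depend on that result; the `cbmem -1 | grep | awk` line is left as in the hunk. `if [ -f ${TPM_VER_PATH} ]` should also quote the expansion.

```shell
ensure_valid_cbmem() {
    local current_hash tmp
    if [[ -f "$CBMEM_BINARY_PATH" ]]; then
        current_hash=$(sha256sum "$CBMEM_BINARY_PATH" | awk '{print $1}')
        if [[ "$current_hash" == "$CBMEM_EXPECTED_HASH" ]]; then
            sudo chmod 755 "$CBMEM_BINARY_PATH"
            return 0
        fi
        echo "Existing cbmem does not match expected hash, refetching..." >&2
    fi
    echo "Fetching cbmem from cloud..."
    tmp=$(mktemp) || return 1
    if ! curl -fsSL -o "$tmp" "$CBMEM_URL"; then
        echo "Failed..." >&2
        rm -f -- "$tmp"
        return 1
    fi
    current_hash=$(sha256sum "$tmp" | awk '{print $1}')
    if [[ "$current_hash" != "$CBMEM_EXPECTED_HASH" ]]; then
        echo "Downloaded cbmem hash mismatch: $current_hash" >&2
        rm -f -- "$tmp"
        return 1
    fi
    # Root-owned, executable, not world-writable.
    sudo install -m 0755 -- "$tmp" "$CBMEM_BINARY_PATH"
    rm -f -- "$tmp"
}

# … unchanged: TPM_VER_PATH / TPM_EXPECTED_VERSION block …

if ensure_valid_cbmem; then
    # … unchanged: cbmem -1 | grep "Found TPM" | awk line …
else
    TPM_EXPECTED_CHIP="Unknown"
fi
```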
From: Sebastian Czapla Date: Mon, 27 Jan 2025 12:12:31 +0100 Subject: [PATCH 3/8] dasharo-security/tpm2-commands.robot: Add more skip conditions Signed-off-by: Sebastian Czapla --- dasharo-security/measured-boot.robot | 4 +++- dasharo-security/tpm2-commands.robot | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/dasharo-security/measured-boot.robot b/dasharo-security/measured-boot.robot index 462cf9c8cf..a5fbd063ae 100644 --- a/dasharo-security/measured-boot.robot +++ b/dasharo-security/measured-boot.robot @@ -10,8 +10,8 @@ Library RequestsLibrary # stuff in all test cases Resource ../variables.robot Resource ../keywords.robot -Resource ../keys.robot Resource ../lib/tpm.robot +Resource ../keys.robot # TODO: # - document which setup/teardown keywords to use and what are they doing @@ -301,8 +301,10 @@ Measured Boot Suite Setup Prepare Test Suite Skip If not ${MEASURED_BOOT_SUPPORT} Measured boot is not supported Skip If not ${TESTS_IN_UBUNTU_SUPPORT} Tests in Ubuntu are not supported + Skip If '${TPM_EXPECTED_VERSION}' == '0' TPM Version in platform config does not support this suite Power On Boot Ubuntu And Login To Root + Verify Presence Of TPM Via Sysfs Detect Or Install Package tpm2-tools # Disable service that adds dbx certificates which could interfere with tests Execute Command In Terminal systemctl disable secureboot-db.service diff --git a/dasharo-security/tpm2-commands.robot b/dasharo-security/tpm2-commands.robot index e7a57260a4..70861607f8 100644 --- a/dasharo-security/tpm2-commands.robot +++ b/dasharo-security/tpm2-commands.robot @@ -10,6 +10,7 @@ Library RequestsLibrary # stuff in all test cases Resource ../variables.robot Resource ../keywords.robot +Resource ../lib/tpm.robot Resource ../keys.robot # TODO: 
@@ -264,9 +265,11 @@ TPM2 Suite Setup Prepare Test Suite Skip If not ${TPM_SUPPORT} TPM tests not supported Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM commands tests supported only on Ubuntu + Skip If '${TPM_EXPECTED_VERSION}' != '2' TPM Version in platform config does not support this suite Power On Boot System Or From Connected Disk ubuntu Login To Linux + Verify Presence Of TPM Via Sysfs Switch To Root User Detect Or Install Package tpm2-tools ${passed}= Run Keyword And Return Status From 16b763d733a9952e49313243db5e6245ddef569a Mon Sep 17 00:00:00 2001 From: Sebastian Czapla Date: Mon, 27 Jan 2025 12:57:56 +0100 Subject: [PATCH 4/8] scripts/get-robot-variables.sh: Fix awk expression Signed-off-by: Sebastian Czapla --- scripts/get-robot-variables.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/get-robot-variables.sh b/scripts/get-robot-variables.sh index 815bc75fa2..abbf054408 100755 --- a/scripts/get-robot-variables.sh +++ b/scripts/get-robot-variables.sh @@ -197,7 +197,7 @@ else fi if [ -f /usr/local/bin/cbmem ]; then - TPM_EXPECTED_CHIP=$(sudo /usr/local/bin/cbmem -1 | grep "Found TPM" | awk 'NR==1{print $5}'); + TPM_EXPECTED_CHIP=$(sudo /usr/local/bin/cbmem -1 | grep "Found TPM" | awk 'NR==1{print $6}'); else TPM_EXPECTED_CHIP="Unknown" fi From 100632196a3b2152f11f80d83633934e3f2d8393 Mon Sep 17 00:00:00 2001 From: Sebastian Czapla Date: Mon, 27 Jan 2025 15:47:06 +0100 Subject: [PATCH 5/8] tpm-support: Merge TPM variables 
Signed-off-by: Sebastian Czapla --- dasharo-security/measured-boot.robot | 2 +- dasharo-security/tpm-support.robot | 10 ++++------ dasharo-security/tpm2-commands.robot | 5 ++--- lib/tpm.robot | 6 +++--- platform-configs/include/default.robot | 3 +-- platform-configs/include/msi-z690-common.robot | 2 +- platform-configs/include/novacustom-common.robot | 2 +- platform-configs/include/optiplex-common.robot | 3 +-- platform-configs/include/pcengines.robot | 2 +- platform-configs/include/protectli-common.robot | 2 +- platform-configs/novacustom-nv41pz.robot | 2 +- platform-configs/novacustom-v540tnd.robot | 2 +- platform-configs/odroid-h4-plus.robot | 2 +- platform-configs/protectli-vp2420.robot | 2 +- platform-configs/protectli-vp2430.robot | 2 +- platform-configs/protectli-vp3230.robot | 2 +- platform-configs/protectli-vp4650.robot | 2 +- platform-configs/protectli-vp6650.robot | 2 ++ platform-configs/qemu.robot | 2 +- platform-configs/raptor-cs_talos2.robot | 2 +- platform-configs/rpi-3b.robot | 2 +- scripts/get-robot-variables.sh | 6 +++--- scripts/lib/mappings.json | 2 +- trenchboot/01-without-drtm.robot | 2 +- trenchboot/02-with-drtm.robot | 2 +- 25 files changed, 34 insertions(+), 37 deletions(-) diff --git a/dasharo-security/measured-boot.robot b/dasharo-security/measured-boot.robot index a5fbd063ae..169677747a 100644 --- a/dasharo-security/measured-boot.robot +++ b/dasharo-security/measured-boot.robot @@ -299,9 +299,9 @@ Restore SB And Tianocore Defaults And Reset Measured Boot Suite Setup Prepare Test Suite + Skip If ${TPM_SUPPORTED_VERSION} == None Measured boot tests require TPM Skip If not ${MEASURED_BOOT_SUPPORT} Measured boot is not supported Skip If not ${TESTS_IN_UBUNTU_SUPPORT} Tests in Ubuntu are not supported - Skip If '${TPM_EXPECTED_VERSION}' == '0' TPM Version in platform config does not support this suite Power On Boot Ubuntu And Login To Root Verify Presence Of TPM Via Sysfs 
diff --git a/dasharo-security/tpm-support.robot b/dasharo-security/tpm-support.robot index 66950c3a66..2625ec44b5 100644 --- a/dasharo-security/tpm-support.robot +++ b/dasharo-security/tpm-support.robot @@ -20,9 +20,7 @@ Resource ../keys.robot Suite Setup Run Keywords ... Prepare Test Suite ... AND -... Skip If not ${TPM_SUPPORT} TPM tests not supported -... AND -... Skip If '${TPM_EXPECTED_VERSION}' == '0' TPM Version unset +... Skip If ${TPM_SUPPORTED_VERSION} == None TPM tests not supported Suite Teardown Run Keyword ... Log Out And Close Connection @@ -129,9 +127,9 @@ TPM003.002 Check TPM Physical Presence Interface (Ubuntu) Switch To Root User Verify Presence Of TPM Via Sysfs ${out}= Execute Command In Terminal cat /sys/class/tpm/tpm0/ppi/version - IF '${TPM_EXPECTED_VERSION}' == '1' + IF '${TPM_SUPPORTED_VERSION}' == '1' Should Contain ${out} 1.2 - ELSE IF '${TPM_EXPECTED_VERSION}' == '2' + ELSE IF '${TPM_SUPPORTED_VERSION}' == '2' Should Contain ${out} 1.3 ELSE Fail Invalid expected version, please verify config @@ -149,6 +147,6 @@ TPM003.003 Check TPM Physical Presence Interface (Windows) # TPM003.004 Change active PCR banks with TPM PPI (firmware) # [Documentation] This test aims to verify that the TPM Physical Presence # ... Interface is working properly in the firmware by changing active TPM PCR banks. -# Skip If not ${tpm_support} TPM003.004 not supported +# Skip If not ${TPM_SUPPORTED_VERSION} TPM003.004 not supported # Skip If not ${tests_in_ubuntu_support} TPM003.004 not supported # TODO: https://docs.dasharo.com/unified-test-documentation/dasharo-security/200-tpm-support/#tpm003004-change-active-pcr-banks-with-tpm-ppi-firmware diff --git a/dasharo-security/tpm2-commands.robot b/dasharo-security/tpm2-commands.robot index 70861607f8..b0adee1802 100644 --- a/dasharo-security/tpm2-commands.robot +++ b/dasharo-security/tpm2-commands.robot 
@@ -263,14 +263,13 @@ Check If SHA1 And SHA256 Banks Are Enabled TPM2 Suite Setup Prepare Test Suite - Skip If not ${TPM_SUPPORT} TPM tests not supported + Skip If ${TPM_SUPPORTED_VERSION} != '2' TPM commands tests supported only TPM2 Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM commands tests supported only on Ubuntu - Skip If '${TPM_EXPECTED_VERSION}' != '2' TPM Version in platform config does not support this suite Power On Boot System Or From Connected Disk ubuntu Login To Linux - Verify Presence Of TPM Via Sysfs Switch To Root User + Verify Presence Of TPM Via Sysfs Detect Or Install Package tpm2-tools ${passed}= Run Keyword And Return Status ... Check If SHA1 And SHA256 Banks Are Enabled diff --git a/lib/tpm.robot b/lib/tpm.robot index d935a2d6d7..8f99d14e47 100644 --- a/lib/tpm.robot +++ b/lib/tpm.robot @@ -72,7 +72,7 @@ Validate Expected TPM Version Via Sysfs [Documentation] Checks if detected major TPM version matches the expected ... value. ${tpm_ver}= Execute Command In Terminal cat /sys/class/tpm/tpm0/tpm_version_major - IF '${TPM_EXPECTED_VERSION}' != '${tpm_ver}' + IF '${TPM_SUPPORTED_VERSION}' != '${tpm_ver}' Fail Platform TPM version mismatch END @@ -86,9 +86,9 @@ Validate Expected TPM Version Via Cbmem Log [Documentation] Check if appropriate log is created by FW Get Cbmem From Cloud ${out}= Execute Command In Terminal cbmem -L - IF '${TPM_EXPECTED_VERSION}' == '1' + IF '${TPM_SUPPORTED_VERSION}' == '1' Should Contain ${out} TCPA log - ELSE IF '${TPM_EXPECTED_VERSION}' == '2' + ELSE IF '${TPM_SUPPORTED_VERSION}' == '2' Should Contain ${out} TPM2 log ELSE Fail Invalid expected version, please verify config diff --git a/platform-configs/include/default.robot b/platform-configs/include/default.robot index b2115af8d0..d42a047322 100644 --- a/platform-configs/include/default.robot +++ b/platform-configs/include/default.robot 
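Review bot: `Skip If ${TPM_SUPPORTED_VERSION} != '2'` substitutes the variable unquoted, so for a platform config with `${TPM_SUPPORTED_VERSION}= 2` Robot evaluates the Python expression `2 != '2'`, which is True, and the TPM2 commands suite is skipped on exactly the platforms it targets. Quote the variable as the other comparisons in this series do (`'${TPM_SUPPORTED_VERSION}' == '1'` in lib/tpm.robot): `Skip If '${TPM_SUPPORTED_VERSION}' != '2' TPM commands tests supported only TPM2`. The `== None` form used in the measured-boot and trenchboot setups works only because both sides are unquoted; using `$TPM_SUPPORTED_VERSION` consistently would avoid the string/int ambiguity in all of them.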
@@ -177,9 +177,8 @@ ${DCU_SERIAL_SUPPORT}= ${FALSE} ${ROMHOLE_SUPPORT}= ${FALSE} # Test module: dasharo-security -${TPM_SUPPORT}= ${FALSE} +${TPM_SUPPORTED_VERSION}= ${None} ${TPM_EXPECTED_CHIP}= FILL_WITH_CORRECT_VALUE_BEFORE_TESTING -${TPM_EXPECTED_VERSION}= 0 ${VERIFIED_BOOT_SUPPORT}= ${FALSE} ${VERIFIED_BOOT_POPUP_SUPPORT}= ${FALSE} ${MEASURED_BOOT_SUPPORT}= ${FALSE} diff --git a/platform-configs/include/msi-z690-common.robot b/platform-configs/include/msi-z690-common.robot index b08506be46..8bb3083bf7 100644 --- a/platform-configs/include/msi-z690-common.robot +++ b/platform-configs/include/msi-z690-common.robot @@ -90,7 +90,7 @@ ${SATA_SUPPORT}= ${TRUE} ${RESET_TO_DEFAULTS_SUPPORT}= ${TRUE} # Test module: dasharo-security -${TPM_SUPPORT}= ${TRUE} +${TPM_SUPPORTED_VERSION}= 2 ${VERIFIED_BOOT_SUPPORT}= ${TRUE} ${VERIFIED_BOOT_POPUP_SUPPORT}= ${TRUE} ${MEASURED_BOOT_SUPPORT}= ${TRUE} diff --git a/platform-configs/include/novacustom-common.robot b/platform-configs/include/novacustom-common.robot index c73e28ba8d..245b3bb50a 100644 --- a/platform-configs/include/novacustom-common.robot +++ b/platform-configs/include/novacustom-common.robot @@ -99,7 +99,7 @@ ${DTS_FIRMWARE_FLASHING_SUPPORT}= ${TRUE} ${DTS_EC_FLASHING_SUPPORT}= ${TRUE} # Test module: dasharo-security -${TPM_SUPPORT}= ${TRUE} +${TPM_SUPPORTED_VERSION}= 2 ${VERIFIED_BOOT_SUPPORT}= ${TRUE} ${VERIFIED_BOOT_POPUP_SUPPORT}= ${TRUE} ${MEASURED_BOOT_SUPPORT}= ${TRUE} diff --git a/platform-configs/include/optiplex-common.robot b/platform-configs/include/optiplex-common.robot index 5c6b428831..6b63041786 100644 --- a/platform-configs/include/optiplex-common.robot +++ b/platform-configs/include/optiplex-common.robot 
@@ -66,8 +66,7 @@ ${DCU_UUID_SUPPORT}= ${TRUE} ${DCU_SERIAL_SUPPORT}= ${TRUE} # Test module: dasharo-security -${TPM_SUPPORT}= ${TRUE} -${TPM_EXPECTED_VERSION}= 1 +${TPM_SUPPORTED_VERSION}= 1 # Cannot acquire tpm chip with cbmem on Optiplex platforms ${TPM_EXPECTED_CHIP}= N/A ${MEASURED_BOOT_SUPPORT}= ${TRUE} diff --git a/platform-configs/include/pcengines.robot b/platform-configs/include/pcengines.robot index 29c9b9991e..5a066ab160 100644 --- a/platform-configs/include/pcengines.robot +++ b/platform-configs/include/pcengines.robot @@ -83,7 +83,7 @@ ${MINI_PC_IE_SLOT_SUPPORT}= ${TRUE} ${APU_CONFIGURATION_MENU_SUPPORT}= ${TRUE} # Test module: dasharo-security -${TPM_SUPPORT}= ${TRUE} +${TPM_SUPPORTED_VERSION}= 2 ${VERIFIED_BOOT_SUPPORT}= ${TRUE} ${VERIFIED_BOOT_POPUP_SUPPORT}= ${TRUE} ${MEASURED_BOOT_SUPPORT}= ${TRUE} diff --git a/platform-configs/include/protectli-common.robot b/platform-configs/include/protectli-common.robot index 03ef611509..1904ff75eb 100644 --- a/platform-configs/include/protectli-common.robot +++ b/platform-configs/include/protectli-common.robot @@ -77,7 +77,7 @@ ${DCU_UUID_SUPPORT}= ${TRUE} ${DCU_SERIAL_SUPPORT}= ${TRUE} # Test module: dasharo-security -${TPM_SUPPORT}= ${TRUE} +${TPM_SUPPORTED_VERSION}= 2 ${SECURE_BOOT_SUPPORT}= ${TRUE} ${SECURE_BOOT_DEFAULT_STATE}= Disabled ${USB_STACK_SUPPORT}= ${TRUE} diff --git a/platform-configs/novacustom-nv41pz.robot b/platform-configs/novacustom-nv41pz.robot index ec55c11703..f8f4f00e90 100644 --- a/platform-configs/novacustom-nv41pz.robot +++ b/platform-configs/novacustom-nv41pz.robot @@ -28,5 +28,5 @@ ${POWER_CTRL}= none ${USB_STACK_SUPPORT}= ${TRUE} ${TESTS_IN_WINDOWS_SUPPORT}= ${FALSE} -${TPM_EXPECTED_VERSION}= 2 +${TPM_SUPPORTED_VERSION}= 2 ${TPM_EXPECTED_CHIP}= SLB9670 diff --git a/platform-configs/novacustom-v540tnd.robot b/platform-configs/novacustom-v540tnd.robot index c57c412105..3c563abb1b 100644 --- a/platform-configs/novacustom-v540tnd.robot +++ b/platform-configs/novacustom-v540tnd.robot 
@@ -36,5 +36,5 @@ ${DOCKING_STATION_USB_C_CHARGING_SUPPORT}= ${TRUE} ${DOCKING_STATION_AUDIO_SUPPORT}= ${TRUE} ${VERIFIED_BOOT_SUPPORT}= ${TRUE} -${TPM_EXPECTED_VERSION}= 2 +${TPM_SUPPORTED_VERSION}= 2 ${TPM_EXPECTED_CHIP}= SLB9672 diff --git a/platform-configs/odroid-h4-plus.robot b/platform-configs/odroid-h4-plus.robot index 10599ab14e..6eb3a5bab5 100644 --- a/platform-configs/odroid-h4-plus.robot +++ b/platform-configs/odroid-h4-plus.robot @@ -89,7 +89,7 @@ ${CPU_TEMPERATURE_MEASURE}= ${TRUE} ${PLATFORM_STABILITY_CHECKING}= ${TRUE} # Dasharo security -${TPM_SUPPORT}= ${TRUE} +${TPM_SUPPORTED_VERSION}= 2 ${TPM_DETECT_SUPPORT}= ${TRUE} ${VERIFIED_BOOT_SUPPORT}= ${TRUE} ${BIOS_LOCK_SUPPORT}= ${TRUE} diff --git a/platform-configs/protectli-vp2420.robot b/platform-configs/protectli-vp2420.robot index d85f30f0f6..d1a855be7d 100644 --- a/platform-configs/protectli-vp2420.robot +++ b/platform-configs/protectli-vp2420.robot @@ -29,7 +29,7 @@ ${WATCHDOG_SUPPORT}= ${TRUE} ${ETHERNET_ID}= 8086:15f3 -${TPM_EXPECTED_VERSION}= 2 +${TPM_SUPPORTED_VERSION}= 2 ${TPM_EXPECTED_CHIP}= SLB9670 diff --git a/platform-configs/protectli-vp2430.robot b/platform-configs/protectli-vp2430.robot index 5734e6e3ec..7b3c6a90ad 100644 --- a/platform-configs/protectli-vp2430.robot +++ b/platform-configs/protectli-vp2430.robot @@ -50,5 +50,5 @@ ${BLUETOOTH_CARD_UBUNTU}= Intel Corp. AX200 Bluetooth ${ETHERNET_ID}= 8086:125c -${TPM_EXPECTED_VERSION}= 2 +${TPM_SUPPORTED_VERSION}= 2 ${TPM_EXPECTED_CHIP}= SLB9670 diff --git a/platform-configs/protectli-vp3230.robot b/platform-configs/protectli-vp3230.robot index ffe5f70d24..6197ebc0b1 100644 --- a/platform-configs/protectli-vp3230.robot +++ b/platform-configs/protectli-vp3230.robot @@ -44,5 +44,5 @@ ${CLEVO_DISK}= N/A @{ETH_PORTS}= 64-62-66-23-8f-19 ... 64-62-66-23-8f-1a -${TPM_EXPECTED_VERSION}= 2 +${TPM_SUPPORTED_VERSION}= 2 ${TPM_EXPECTED_CHIP}= SLB9670 
diff --git a/platform-configs/protectli-vp4650.robot b/platform-configs/protectli-vp4650.robot index 5e35dd611c..3224df5347 100644 --- a/platform-configs/protectli-vp4650.robot +++ b/platform-configs/protectli-vp4650.robot @@ -28,5 +28,5 @@ ${CPU_MIN_FREQUENCY}= 300 ... 64-62-66-21-42-8d ... 64-62-66-21-42-8c -${TPM_EXPECTED_VERSION}= 2 +${TPM_SUPPORTED_VERSION}= 2 ${TPM_EXPECTED_CHIP}= SLB9665 diff --git a/platform-configs/protectli-vp6650.robot b/platform-configs/protectli-vp6650.robot index 3d83fc8f5c..327d7422cb 100644 --- a/platform-configs/protectli-vp6650.robot +++ b/platform-configs/protectli-vp6650.robot @@ -28,3 +28,5 @@ ${PLATFORM_RAM_SIZE}= 65536 ... 64-62-66-22-84-f6 ... 64-62-66-22-84-f7 ... 64-62-66-22-84-f8 + +${TPM_SUPPORTED_VERSION}= ${None} diff --git a/platform-configs/qemu.robot b/platform-configs/qemu.robot index dd5bdf0016..90265e2628 100644 --- a/platform-configs/qemu.robot +++ b/platform-configs/qemu.robot @@ -61,7 +61,7 @@ ${RESET_TO_DEFAULTS_SUPPORT}= ${TRUE} ${ESP_SCANNING_SUPPORT}= ${TRUE} # Test module: dasharo-security -${TPM_SUPPORT}= ${TRUE} +${TPM_SUPPORTED_VERSION}= 2 ${VERIFIED_BOOT_SUPPORT}= ${TRUE} ${VERIFIED_BOOT_POPUP_SUPPORT}= ${TRUE} ${MEASURED_BOOT_SUPPORT}= ${TRUE} diff --git a/platform-configs/raptor-cs_talos2.robot b/platform-configs/raptor-cs_talos2.robot index adeeca0efd..cc1c7b4ddc 100644 --- a/platform-configs/raptor-cs_talos2.robot +++ b/platform-configs/raptor-cs_talos2.robot @@ -108,7 +108,7 @@ ${ESP_SCANNING_SUPPORT}= ${FALSE} ${L3_CACHE_SUPPORT}= ${TRUE} # Test module: dasharo-security -${TPM_SUPPORT}= ${TRUE} +${TPM_SUPPORTED_VERSION}= 2 ${VERIFIED_BOOT_SUPPORT}= ${FALSE} ${VERIFIED_BOOT_POPUP_SUPPORT}= ${FALSE} ${MEASURED_BOOT_SUPPORT}= ${FALSE} diff --git a/platform-configs/rpi-3b.robot b/platform-configs/rpi-3b.robot index 223fcec657..e2a3c5632f 100644 --- a/platform-configs/rpi-3b.robot +++ b/platform-configs/rpi-3b.robot 
@@ -118,7 +118,7 @@ ${DEFAULT_POWER_STATE_AFTER_FAIL}= Powered Off ${ESP_SCANNING_SUPPORT}= ${FALSE} # Test module: dasharo-security -${TPM_SUPPORT}= ${FALSE} +${TPM_SUPPORTED_VERSION}= ${None} ${VERIFIED_BOOT_SUPPORT}= ${FALSE} ${VERIFIED_BOOT_POPUP_SUPPORT}= ${FALSE} ${MEASURED_BOOT_SUPPORT}= ${FALSE} diff --git a/scripts/get-robot-variables.sh b/scripts/get-robot-variables.sh index abbf054408..942000f6c5 100755 --- a/scripts/get-robot-variables.sh +++ b/scripts/get-robot-variables.sh @@ -191,9 +191,9 @@ ensure_valid_cbmem() { ensure_valid_cbmem if [ -f ${TPM_VER_PATH} ]; then - TPM_EXPECTED_VERSION=$(cat ${TPM_VER_PATH}) + TPM_SUPPORTED_VERSION=$(cat ${TPM_VER_PATH}) else - TPM_EXPECTED_VERSION=0 + TPM_SUPPORTED_VERSION=\$\{None\} fi if [ -f /usr/local/bin/cbmem ]; then @@ -314,7 +314,7 @@ fi [[ -n "$DEF_CORES_PER_SOCKET" ]] && echo "\${DEF_CORES_PER_SOCKET}= $DEF_CORES_PER_SOCKET" [[ -n "$DEF_SOCKETS" ]] && echo "\${DEF_SOCKETS}= $DEF_SOCKETS" [[ -n "$DEF_ONLINE_CPU" ]] && echo "\${DEF_ONLINE_CPU}= $DEF_ONLINE_CPU" - [[ -n "$TPM_EXPECTED_VERSION" ]] && echo "\${TPM_EXPECTED_VERSION}= $TPM_EXPECTED_VERSION" + [[ -n "$TPM_SUPPORTED_VERSION" ]] && echo "\${TPM_SUPPORTED_VERSION}= $TPM_SUPPORTED_VERSION" [[ -n "$TPM_EXPECTED_CHIP" ]] && echo "\${TPM_EXPECTED_CHIP}= $TPM_EXPECTED_CHIP" for i in $(seq 1 $counter); do diff --git a/scripts/lib/mappings.json b/scripts/lib/mappings.json index b2bb01a766..0c4f7aec09 100644 --- a/scripts/lib/mappings.json +++ b/scripts/lib/mappings.json @@ -2,7 +2,7 @@ "options": { "CONFIG_MAINBOARD_POWER_FAILURE_STATE": "DEFAULT_POWER_STATE_AFTER_FAIL", "CONFIG_VBOOT": "VERIFIED_BOOT_SUPPORT", - "CONFIG_TPM": "TPM_SUPPORT", + "CONFIG_TPM": "TPM_SUPPORTED_VERSION", "CONFIG_EDK2_SECURE_BOOT_SUPPORT": "SECURE_BOOT_SUPPORT", "CONFIG_EDK2_IPXE_OPTION_NAME": "IPXE_BOOT_ENTRY", "CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME": "DMIDECODE_PRODUCT_NAME", 
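Review bot: In the first `scripts/get-robot-variables.sh` hunk the renamed assignment still expands `${TPM_VER_PATH}` unquoted in both the `-f` test and the `cat`, so a path containing whitespace breaks word-splitting; write `if [ -f "${TPM_VER_PATH}" ]; then` and `TPM_SUPPORTED_VERSION=$(cat "${TPM_VER_PATH}")`. The value read from that file is also emitted verbatim and later compared against `'1'`, `'2'` and `None` in the robot suites, so a check that the content is actually `1` or `2` (falling back to `\$\{None\}` otherwise) would keep the generated variable file from producing an unevaluable expression. The enclosing top-level statement run continues outside the hunk.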
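Review bot: `"CONFIG_TPM": "TPM_SUPPORTED_VERSION"` maps a boolean Kconfig symbol onto a variable the suites treat as a version (`'1'`, `'2'`) or `None`; if the mapping layer copies the Kconfig value through unchanged (presumably `y`), the version comparisons in `tpm-support.robot` can never match and `${TPM_SUPPORTED_VERSION} == None` would be evaluated with a bare identifier. The consumer of this file is not visible here, so this needs confirming; if it is a plain copy, mapping the version-specific symbols (coreboot has `CONFIG_TPM1`/`CONFIG_TPM2`) or translating the value to `1`/`2` would match what the tests expect.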
diff --git a/trenchboot/01-without-drtm.robot b/trenchboot/01-without-drtm.robot index 9fdbf6e278..37dca3c849 100644 --- a/trenchboot/01-without-drtm.robot +++ b/trenchboot/01-without-drtm.robot @@ -57,7 +57,7 @@ WOD004.001 DRTM event log doesn't exist TrenchBoot Suite Setup Prepare Test Suite - Skip If not ${TPM_SUPPORT} TPM tests not supported + Skip If ${TPM_SUPPORTED_VERSION} == None TPM tests not supported Skip If not ${TRENCHBOOT_SUPPORT} TrenchBoot tests aren't supported Skip If not ${TESTS_IN_METATB_SUPPORT} Tests in meta-trenchboot aren't supported diff --git a/trenchboot/02-with-drtm.robot b/trenchboot/02-with-drtm.robot index c5627893a4..7655b95abf 100644 --- a/trenchboot/02-with-drtm.robot +++ b/trenchboot/02-with-drtm.robot @@ -159,7 +159,7 @@ WTD007.001 SRTM log aligns with PCR values TrenchBoot Suite Setup Prepare Test Suite - Skip If not ${TPM_SUPPORT} TPM tests not supported + Skip If ${TPM_SUPPORTED_VERSION} == None TPM tests not supported Skip If not ${TRENCHBOOT_SUPPORT} TrenchBoot tests aren't supported Skip If not ${TESTS_IN_METATB_SUPPORT} Tests in meta-trenchboot aren't supported From c5e882033dcad8054a6d74fa18d9062103e56197 Mon Sep 17 00:00:00 2001 From: Sebastian Czapla Date: Mon, 27 Jan 2025 16:22:26 +0100 Subject: [PATCH 6/8] dasharo-security/tpm-support.robot: Extract common actions into kwd Signed-off-by: Sebastian Czapla --- dasharo-security/tpm-support.robot | 45 +++++++++++------------------- 1 file changed, 16 insertions(+), 29 deletions(-) diff --git a/dasharo-security/tpm-support.robot b/dasharo-security/tpm-support.robot index 2625ec44b5..b2501488ba 100644 --- a/dasharo-security/tpm-support.robot +++ b/dasharo-security/tpm-support.robot 
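Review bot: `Skip If ${TPM_SUPPORTED_VERSION} == None TPM tests not supported` substitutes the variable's text into the Python expression, which works for `2` and `${None}` but raises instead of skipping if a platform config ever holds a non-numeric string (for instance a value produced from a Kconfig mapping); the same line appears in the `02-with-drtm.robot` hunk. Robot's `$var` expression syntax passes the value as a Python object and avoids this: `Skip If $TPM_SUPPORTED_VERSION is None TPM tests not supported`. The `TrenchBoot Suite Setup` keyword continues outside both hunks.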
@@ -30,11 +30,7 @@ TPM001.001 TPM Support (firmware) [Documentation] This test aims to verify that the TPM is initialized, ... detected and logged correctly by FW via cbmem, directly in Ubuntu Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM001.001 not supported - Power On - Boot System Or From Connected Disk ubuntu - Login To Linux - Switch To Root User - Verify Presence Of TPM Via Sysfs + Prepare TPM Test On Ubuntu ${result}= Run Keyword And Ignore Error Validate Expected TPM Chip Via Cbmem IF '${result}[0]' == 'FAIL' Log To Console \nChip detection failed, attempting cbmem log detection\n @@ -45,11 +41,7 @@ TPM001.002 TPM Support (Ubuntu) [Documentation] Check whether the TPM is initialized correctly and the ... PCRs can be accessed from the Linux OS. Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM001.002 not supported - Power On - Boot System Or From Connected Disk ubuntu - Login To Linux - Switch To Root User - Verify Presence Of TPM Via Sysfs + Prepare TPM Test On Ubuntu Verify Presence Of Any PCRs Via Sysfs TPM001.003 TPM Support (Windows) @@ -70,11 +62,7 @@ TPM002.001 Verify TPM version (firmware) [Documentation] This test aims to verify that the TPM version is ... correctly recognized by the firmware. Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM002.001 not supported - Power On - Boot System Or From Connected Disk ubuntu - Login To Linux - Switch To Root User - Verify Presence Of TPM Via Sysfs + Prepare TPM Test On Ubuntu ${result}= Run Keyword And Ignore Error Validate Expected TPM Chip Via Cbmem IF '${result}[0]' == 'FAIL' Log To Console \nChip detection failed, attempting cbmem log detection\n 
@@ -86,11 +74,7 @@ TPM002.002 Verify TPM version (Ubuntu) ... correctly recognized by the operating system. [Tags] minimal-regression Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM002.002 not supported - Power On - Boot System Or From Connected Disk ubuntu - Login To Linux - Switch To Root User - Verify Presence Of TPM Via Sysfs + Prepare TPM Test On Ubuntu Validate Expected TPM Version Via Sysfs TPM002.003 Verify TPM version (Windows) @@ -108,10 +92,7 @@ TPM003.001 Check TPM Physical Presence Interface (firmware) ... Interface is supported by the firmware and the log can be detected ... with cbmem within Ubuntu Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM003.001 not supported - Power On - Boot System Or From Connected Disk ubuntu - Login To Linux - Switch To Root User + Prepare TPM Test On Ubuntu Get Cbmem From Cloud ${out}= Execute Command In Terminal cbmem -1 | grep PPI Should Contain ${out} PPI: Pending OS request @@ -121,11 +102,7 @@ TPM003.002 Check TPM Physical Presence Interface (Ubuntu) [Documentation] This test aims to verify that the TPM Physical Presence ... Interface is correctly recognized by the operating system. Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM003.002 not supported - Power On - Boot System Or From Connected Disk ubuntu - Login To Linux - Switch To Root User - Verify Presence Of TPM Via Sysfs + Prepare TPM Test On Ubuntu ${out}= Execute Command In Terminal cat /sys/class/tpm/tpm0/ppi/version IF '${TPM_SUPPORTED_VERSION}' == '1' Should Contain ${out} 1.2 
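Review bot: In the `TPM003.001` hunk the replaced preamble did not include `Verify Presence Of TPM Via Sysfs`, but `Prepare TPM Test On Ubuntu` (defined later in this patch) does, so this test now fails earlier on a missing sysfs device instead of reaching the cbmem PPI check; the refactor is not behaviour-neutral here. If that is intended, the commit message or the test's `[Documentation]` should say so, e.g. `... Requires the TPM to be visible in sysfs before the cbmem log is inspected.`; otherwise the original four-line preamble should stay for this test. The test body continues outside the hunk.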
@@ -150,3 +127,13 @@ TPM003.003 Check TPM Physical Presence Interface (Windows) # Skip If not ${TPM_SUPPORTED_VERSION} TPM003.004 not supported # Skip If not ${tests_in_ubuntu_support} TPM003.004 not supported # TODO: https://docs.dasharo.com/unified-test-documentation/dasharo-security/200-tpm-support/#tpm003004-change-active-pcr-banks-with-tpm-ppi-firmware + + +*** Keywords *** +Prepare TPM Test On Ubuntu + [Documentation] Run common actions required for TPM tests in Ubuntu + Power On + Boot System Or From Connected Disk ubuntu + Login To Linux + Switch To Root User + Verify Presence Of TPM Via Sysfs From 034ccfe8054d7bece4a00ea2077b0cbc86698999 Mon Sep 17 00:00:00 2001 From: Sebastian Czapla Date: Tue, 28 Jan 2025 09:39:04 +0100 Subject: [PATCH 7/8] dasharo-security/tpm-support.robot: Fix skip conditions in WIP code Signed-off-by: Sebastian Czapla --- dasharo-security/tpm-support.robot | 4 ++-- platform-configs/protectli-vp6650.robot | 2 -- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/dasharo-security/tpm-support.robot b/dasharo-security/tpm-support.robot index b2501488ba..99a72d16cf 100644 --- a/dasharo-security/tpm-support.robot +++ b/dasharo-security/tpm-support.robot @@ -124,8 +124,8 @@ TPM003.003 Check TPM Physical Presence Interface (Windows) # TPM003.004 Change active PCR banks with TPM PPI (firmware) # [Documentation] This test aims to verify that the TPM Physical Presence # ... Interface is working properly in the firmware by changing active TPM PCR banks. -# Skip If not ${TPM_SUPPORTED_VERSION} TPM003.004 not supported -# Skip If not ${tests_in_ubuntu_support} TPM003.004 not supported +# Skip If not ${TPM_SUPPORTED_VERSION} == None TPM003.004 not supported +# Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM003.004 not supported # TODO: https://docs.dasharo.com/unified-test-documentation/dasharo-security/200-tpm-support/#tpm003004-change-active-pcr-banks-with-tpm-ppi-firmware 
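Review bot: `[Documentation] Run common actions required for TPM tests in Ubuntu` does not tell a reader that the keyword is also an assertion: its last step fails the calling test when no TPM device is exposed in sysfs, which matters for tests that previously only consulted cbmem. A more precise line would be `[Documentation] Power on, boot Ubuntu, log in as root and fail unless a TPM device is present in sysfs; common preamble for the TPM tests in this suite.`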
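Review bot: The corrected skip condition `# Skip If not ${TPM_SUPPORTED_VERSION} == None TPM003.004 not supported` is inverted: Python parses `not 2 == None` as `not (2 == None)`, which is true, so once uncommented the test would be skipped exactly on platforms that do have a TPM and run when the version is `None`. The trenchboot suites in this series use `Skip If ${TPM_SUPPORTED_VERSION} == None TPM tests not supported`; the commented line should match, e.g. `# Skip If ${TPM_SUPPORTED_VERSION} == None TPM003.004 not supported`. The commented-out test continues outside the hunk.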
diff --git a/platform-configs/protectli-vp6650.robot b/platform-configs/protectli-vp6650.robot index 327d7422cb..3d83fc8f5c 100644 --- a/platform-configs/protectli-vp6650.robot +++ b/platform-configs/protectli-vp6650.robot @@ -28,5 +28,3 @@ ${PLATFORM_RAM_SIZE}= 65536 ... 64-62-66-22-84-f6 ... 64-62-66-22-84-f7 ... 64-62-66-22-84-f8 - -${TPM_SUPPORTED_VERSION}= ${None} From 7cd69000ec31862efcbae8bbbac6532ece751abb Mon Sep 17 00:00:00 2001 From: Sebastian Czapla Date: Tue, 4 Feb 2025 13:16:55 +0100 Subject: [PATCH 8/8] dasharo-security/tpm-support.robot: Clarify kwd names, fix variable gen Signed-off-by: Sebastian Czapla --- dasharo-security/tpm-support.robot | 8 ++++---- lib/tpm.robot | 4 ++-- scripts/get-robot-variables.sh | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/dasharo-security/tpm-support.robot b/dasharo-security/tpm-support.robot index 99a72d16cf..4778c1fe30 100644 --- a/dasharo-security/tpm-support.robot +++ b/dasharo-security/tpm-support.robot @@ -31,10 +31,10 @@ TPM001.001 TPM Support (firmware) ... detected and logged correctly by FW via cbmem, directly in Ubuntu Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM001.001 not supported Prepare TPM Test On Ubuntu - ${result}= Run Keyword And Ignore Error Validate Expected TPM Chip Via Cbmem + ${result}= Run Keyword And Ignore Error Validate Expected TPM Chip Via Cbmem Console Log IF '${result}[0]' == 'FAIL' Log To Console \nChip detection failed, attempting cbmem log detection\n - Validate Expected TPM Version Via Cbmem Log + Validate Expected TPM Version Via Cbmem TPM Eventlog END TPM001.002 TPM Support (Ubuntu) 
@@ -63,10 +63,10 @@ TPM002.001 Verify TPM version (firmware) ... correctly recognized by the firmware. Skip If not ${TESTS_IN_UBUNTU_SUPPORT} TPM002.001 not supported Prepare TPM Test On Ubuntu - ${result}= Run Keyword And Ignore Error Validate Expected TPM Chip Via Cbmem + ${result}= Run Keyword And Ignore Error Validate Expected TPM Chip Via Cbmem Console Log IF '${result}[0]' == 'FAIL' Log To Console \nChip detection failed, attempting cbmem log detection\n - Validate Expected TPM Version Via Cbmem Log + Validate Expected TPM Version Via Cbmem TPM Eventlog END TPM002.002 Verify TPM version (Ubuntu) diff --git a/lib/tpm.robot b/lib/tpm.robot index 8f99d14e47..9152dce7a6 100644 --- a/lib/tpm.robot +++ b/lib/tpm.robot @@ -76,13 +76,13 @@ Validate Expected TPM Version Via Sysfs Fail Platform TPM version mismatch END -Validate Expected TPM Chip Via Cbmem +Validate Expected TPM Chip Via Cbmem Console Log [Documentation] Check that correct TPM chip is found while FW boots Get Cbmem From Cloud ${tpm_chip_found}= Execute Command In Terminal cbmem -1 | grep -i "Found TPM" Should Contain ${tpm_chip_found} ${TPM_EXPECTED_CHIP} -Validate Expected TPM Version Via Cbmem Log +Validate Expected TPM Version Via Cbmem TPM Eventlog [Documentation] Check if appropriate log is created by FW Get Cbmem From Cloud ${out}= Execute Command In Terminal cbmem -L diff --git a/scripts/get-robot-variables.sh b/scripts/get-robot-variables.sh index 942000f6c5..82ccf911e0 100755 --- a/scripts/get-robot-variables.sh +++ b/scripts/get-robot-variables.sh @@ -196,8 +196,8 @@ else TPM_SUPPORTED_VERSION=\$\{None\} fi -if [ -f /usr/local/bin/cbmem ]; then - TPM_EXPECTED_CHIP=$(sudo /usr/local/bin/cbmem -1 | grep "Found TPM" | awk 'NR==1{print $6}'); +if [ -f ${CBMEM_BINARY_PATH} ]; then + TPM_EXPECTED_CHIP=$(sudo ${CBMEM_BINARY_PATH} -1 | grep "Found TPM" | awk 'NR==1{print $6}'); else TPM_EXPECTED_CHIP="Unknown" fi 
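Review bot: In the `scripts/get-robot-variables.sh` hunk `${CBMEM_BINARY_PATH}` is expanded unquoted in both the `-f` test and the `sudo` command, and `-f` only checks existence, not that the file is runnable; `if [ -x "${CBMEM_BINARY_PATH}" ]; then` and `sudo "${CBMEM_BINARY_PATH}" -1 | ...` fix both. Because the path is executed under `sudo`, where `CBMEM_BINARY_PATH` is set should be checked (not visible here); if it can come from the caller's environment, it should be constrained to a known location. The `Unknown` fallback also only covers a missing binary: when the `Found TPM` line is absent, `awk` yields an empty string and the `-n` guard at the echo later silently drops the variable, so `TPM_EXPECTED_CHIP=${TPM_EXPECTED_CHIP:-Unknown}` after the assignment would make that case explicit, and the trailing `;` on the assignment line is redundant.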
@@ -314,7 +314,7 @@ fi [[ -n "$DEF_CORES_PER_SOCKET" ]] && echo "\${DEF_CORES_PER_SOCKET}= $DEF_CORES_PER_SOCKET" [[ -n "$DEF_SOCKETS" ]] && echo "\${DEF_SOCKETS}= $DEF_SOCKETS" [[ -n "$DEF_ONLINE_CPU" ]] && echo "\${DEF_ONLINE_CPU}= $DEF_ONLINE_CPU" - [[ -n "$TPM_SUPPORTED_VERSION" ]] && echo "\${TPM_SUPPORTED_VERSION}= $TPM_SUPPORTED_VERSION" + [[ -n "$TPM_SUPPORTED_VERSION" ]] && echo "\${TPM_SUPPORTED_VERSION}= $TPM_SUPPORTED_VERSION" [[ -n "$TPM_EXPECTED_CHIP" ]] && echo "\${TPM_EXPECTED_CHIP}= $TPM_EXPECTED_CHIP" for i in $(seq 1 $counter); do