mirror of
				https://github.com/smaeul/u-boot.git
				synced 2025-10-25 01:58:13 +01:00 
			
		
		
		
	For pcr_read and pcr_extend commands allow the digest algorithm to be specified by an additional argument. If not specified it will default to SHA256 for backwards compatibility. Additionally update test_tpm2.py for the changes in output in pcr_read which now shows the algo and algo length in the output. A follow-on to this could be to extend all PCR banks with the detected algo when the <digest_algo> argument is 'auto'. Signed-off-by: Tim Harvey <tharvey@gateworks.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
		
			
				
	
	
		
			319 lines
		
	
	
		
			12 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			319 lines
		
	
	
		
			12 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| # SPDX-License-Identifier: GPL-2.0+
 | |
| # Copyright (c) 2018, Bootlin
 | |
| # Author: Miquel Raynal <miquel.raynal@bootlin.com>
 | |
| 
 | |
| import os.path
 | |
| import pytest
 | |
| import u_boot_utils
 | |
| import re
 | |
| import time
 | |
| 
 | |
| """
 | |
| Test the TPMv2.x related commands. You must have a working hardware setup in
 | |
| order to do these tests.
 | |
| 
 | |
| Notes:
 | |
| * These tests will prove the password mechanism. The TPM chip must be cleared of
 | |
| any password.
 | |
| * Commands like pcr_setauthpolicy and pcr_resetauthpolicy are not implemented
 | |
| here because they would fail the tests in most cases (TPMs do not implement them
 | |
| and return an error).
 | |
| 
 | |
| 
 | |
| Note:
 | |
| This test doesn't rely on boardenv_* configuration value but can change test
 | |
| behavior.
 | |
| 
 | |
| * Setup env__tpm_device_test_skip to True if tests with TPM devices should be
 | |
| skipped.
 | |
| 
 | |
| """
 | |
| 
 | |
| updates = 0
 | |
| 
 | |
| def force_init(u_boot_console, force=False):
 | |
|     """When a test fails, U-Boot is reset. Because TPM stack must be initialized
 | |
|     after each reboot, we must ensure these lines are always executed before
 | |
|     trying any command or they will fail with no reason. Executing 'tpm init'
 | |
|     twice will spawn an error used to detect that the TPM was not reset and no
 | |
|     initialization code should be run.
 | |
|     """
 | |
|     skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
 | |
|     if skip_test:
 | |
|         pytest.skip('skip TPM device test')
 | |
|     output = u_boot_console.run_command('tpm2 autostart')
 | |
|     if force or not 'Error' in output:
 | |
|         u_boot_console.run_command('echo --- start of init ---')
 | |
|         u_boot_console.run_command('tpm2 clear TPM2_RH_LOCKOUT')
 | |
|         output = u_boot_console.run_command('echo $?')
 | |
|         if not output.endswith('0'):
 | |
|             u_boot_console.run_command('tpm2 clear TPM2_RH_PLATFORM')
 | |
|         u_boot_console.run_command('echo --- end of init ---')
 | |
| 
 | |
| def is_sandbox(cons):
 | |
|     # Array slice removes leading/trailing quotes.
 | |
|     sys_arch = cons.config.buildconfig.get('config_sys_arch', '"sandbox"')[1:-1]
 | |
|     return sys_arch == 'sandbox'
 | |
| 
 | |
| @pytest.mark.buildconfigspec('cmd_tpm_v2')
 | |
| def test_tpm2_init(u_boot_console):
 | |
|     """Init the software stack to use TPMv2 commands."""
 | |
|     skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
 | |
|     if skip_test:
 | |
|         pytest.skip('skip TPM device test')
 | |
|     u_boot_console.run_command('tpm2 autostart')
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
| @pytest.mark.buildconfigspec('cmd_tpm_v2')
 | |
| def test_tpm2_startup(u_boot_console):
 | |
|     """Execute a TPM2_Startup command.
 | |
| 
 | |
|     Initiate the TPM internal state machine.
 | |
|     """
 | |
|     skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
 | |
|     if skip_test:
 | |
|         pytest.skip('skip TPM device test')
 | |
|     u_boot_console.run_command('tpm2 startup TPM2_SU_CLEAR')
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
| def tpm2_sandbox_init(u_boot_console):
 | |
|     """Put sandbox back into a known state so we can run a test
 | |
| 
 | |
|     This allows all tests to run in parallel, since no test depends on another.
 | |
|     """
 | |
|     u_boot_console.restart_uboot()
 | |
|     u_boot_console.run_command('tpm2 autostart')
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
|     skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
 | |
|     if skip_test:
 | |
|         pytest.skip('skip TPM device test')
 | |
| 
 | |
| @pytest.mark.buildconfigspec('cmd_tpm_v2')
 | |
| def test_tpm2_sandbox_self_test_full(u_boot_console):
 | |
|     """Execute a TPM2_SelfTest (full) command.
 | |
| 
 | |
|     Ask the TPM to perform all self tests to also enable full capabilities.
 | |
|     """
 | |
|     if is_sandbox(u_boot_console):
 | |
|         u_boot_console.restart_uboot()
 | |
|         u_boot_console.run_command('tpm2 autostart')
 | |
|         output = u_boot_console.run_command('echo $?')
 | |
|         assert output.endswith('0')
 | |
| 
 | |
|         u_boot_console.run_command('tpm2 startup TPM2_SU_CLEAR')
 | |
|         output = u_boot_console.run_command('echo $?')
 | |
|         assert output.endswith('0')
 | |
| 
 | |
|     skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
 | |
|     if skip_test:
 | |
|         pytest.skip('skip TPM device test')
 | |
|     u_boot_console.run_command('tpm2 self_test full')
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
| @pytest.mark.buildconfigspec('cmd_tpm_v2')
 | |
| def test_tpm2_continue_self_test(u_boot_console):
 | |
|     """Execute a TPM2_SelfTest (continued) command.
 | |
| 
 | |
|     Ask the TPM to finish its self tests (alternative to the full test) in order
 | |
|     to enter a fully operational state.
 | |
|     """
 | |
| 
 | |
|     skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
 | |
|     if skip_test:
 | |
|         pytest.skip('skip TPM device test')
 | |
|     if is_sandbox(u_boot_console):
 | |
|         tpm2_sandbox_init(u_boot_console)
 | |
|     u_boot_console.run_command('tpm2 self_test continue')
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
| @pytest.mark.buildconfigspec('cmd_tpm_v2')
 | |
| def test_tpm2_clear(u_boot_console):
 | |
|     """Execute a TPM2_Clear command.
 | |
| 
 | |
|     Ask the TPM to reset entirely its internal state (including internal
 | |
|     configuration, passwords, counters and DAM parameters). This is half of the
 | |
|     TAKE_OWNERSHIP command from TPMv1.
 | |
| 
 | |
|     Use the LOCKOUT hierarchy for this. The LOCKOUT/PLATFORM hierarchies must
 | |
|     not have a password set, otherwise this test will fail. ENDORSEMENT and
 | |
|     PLATFORM hierarchies are also available.
 | |
|     """
 | |
|     if is_sandbox(u_boot_console):
 | |
|         tpm2_sandbox_init(u_boot_console)
 | |
| 
 | |
|     skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
 | |
|     if skip_test:
 | |
|         pytest.skip('skip TPM device test')
 | |
|     u_boot_console.run_command('tpm2 clear TPM2_RH_LOCKOUT')
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
|     u_boot_console.run_command('tpm2 clear TPM2_RH_PLATFORM')
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
| @pytest.mark.buildconfigspec('cmd_tpm_v2')
 | |
| def test_tpm2_change_auth(u_boot_console):
 | |
|     """Execute a TPM2_HierarchyChangeAuth command.
 | |
| 
 | |
|     Ask the TPM to change the owner, ie. set a new password: 'unicorn'
 | |
| 
 | |
|     Use the LOCKOUT hierarchy for this. ENDORSEMENT and PLATFORM hierarchies are
 | |
|     also available.
 | |
|     """
 | |
|     if is_sandbox(u_boot_console):
 | |
|         tpm2_sandbox_init(u_boot_console)
 | |
|     force_init(u_boot_console)
 | |
| 
 | |
|     u_boot_console.run_command('tpm2 change_auth TPM2_RH_LOCKOUT unicorn')
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
|     u_boot_console.run_command('tpm2 clear TPM2_RH_LOCKOUT unicorn')
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     u_boot_console.run_command('tpm2 clear TPM2_RH_PLATFORM')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
| @pytest.mark.buildconfigspec('sandbox')
 | |
| @pytest.mark.buildconfigspec('cmd_tpm_v2')
 | |
| def test_tpm2_get_capability(u_boot_console):
 | |
|     """Execute a TPM_GetCapability command.
 | |
| 
 | |
|     Display one capability. In our test case, let's display the default DAM
 | |
|     lockout counter that should be 0 since the CLEAR:
 | |
|     - TPM_CAP_TPM_PROPERTIES = 0x6
 | |
|     - TPM_PT_LOCKOUT_COUNTER (1st parameter) = PTR_VAR + 14
 | |
| 
 | |
|     There is no expected default values because it would depend on the chip
 | |
|     used. We can still save them in order to check they have changed later.
 | |
|     """
 | |
|     if is_sandbox(u_boot_console):
 | |
|         tpm2_sandbox_init(u_boot_console)
 | |
| 
 | |
|     force_init(u_boot_console)
 | |
|     ram = u_boot_utils.find_ram_base(u_boot_console)
 | |
| 
 | |
|     read_cap = u_boot_console.run_command('tpm2 get_capability 0x6 0x20e 0x200 1') #0x%x 1' % ram)
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
|     assert 'Property 0x0000020e: 0x00000000' in read_cap
 | |
| 
 | |
| @pytest.mark.buildconfigspec('cmd_tpm_v2')
 | |
| def test_tpm2_dam_parameters(u_boot_console):
 | |
|     """Execute a TPM2_DictionaryAttackParameters command.
 | |
| 
 | |
|     Change Dictionary Attack Mitigation (DAM) parameters. Ask the TPM to change:
 | |
|     - Max number of failed authentication before lockout: 3
 | |
|     - Time before the failure counter is automatically decremented: 10 sec
 | |
|     - Time after a lockout failure before it can be attempted again: 0 sec
 | |
| 
 | |
|     For an unknown reason, the DAM parameters must be changed before changing
 | |
|     the authentication, otherwise the lockout will be engaged after the first
 | |
|     failed authentication attempt.
 | |
|     """
 | |
|     if is_sandbox(u_boot_console):
 | |
|         tpm2_sandbox_init(u_boot_console)
 | |
|     force_init(u_boot_console)
 | |
|     ram = u_boot_utils.find_ram_base(u_boot_console)
 | |
| 
 | |
|     # Set the DAM parameters to known values
 | |
|     u_boot_console.run_command('tpm2 dam_parameters 3 10 0')
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
|     # Check the values have been saved
 | |
|     read_cap = u_boot_console.run_command('tpm2 get_capability 0x6 0x20f 0x%x 3' % ram)
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
|     assert 'Property 0x0000020f: 0x00000003' in read_cap
 | |
|     assert 'Property 0x00000210: 0x0000000a' in read_cap
 | |
|     assert 'Property 0x00000211: 0x00000000' in read_cap
 | |
| 
 | |
| @pytest.mark.buildconfigspec('cmd_tpm_v2')
 | |
| def test_tpm2_pcr_read(u_boot_console):
 | |
|     """Execute a TPM2_PCR_Read command.
 | |
| 
 | |
|     Perform a PCR read of the 10th PCR. Must be zero.
 | |
|     """
 | |
|     if is_sandbox(u_boot_console):
 | |
|         tpm2_sandbox_init(u_boot_console)
 | |
| 
 | |
|     force_init(u_boot_console)
 | |
|     ram = u_boot_utils.find_ram_base(u_boot_console)
 | |
| 
 | |
|     read_pcr = u_boot_console.run_command('tpm2 pcr_read 10 0x%x' % ram)
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
|     # Save the number of PCR updates
 | |
|     str = re.findall(r'\d+ known updates', read_pcr)[0]
 | |
|     global updates
 | |
|     updates = int(re.findall(r'\d+', str)[0])
 | |
| 
 | |
|     # Check the output value
 | |
|     assert 'PCR #10 sha256 32 byte content' in read_pcr
 | |
|     assert '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00' in read_pcr
 | |
| 
 | |
| @pytest.mark.buildconfigspec('cmd_tpm_v2')
 | |
| def test_tpm2_pcr_extend(u_boot_console):
 | |
|     """Execute a TPM2_PCR_Extend command.
 | |
| 
 | |
|     Perform a PCR extension with a known hash in memory (zeroed since the board
 | |
|     must have been rebooted).
 | |
| 
 | |
|     No authentication mechanism is used here, not protecting against packet
 | |
|     replay, yet.
 | |
|     """
 | |
|     if is_sandbox(u_boot_console):
 | |
|         tpm2_sandbox_init(u_boot_console)
 | |
|     force_init(u_boot_console)
 | |
|     ram = u_boot_utils.find_ram_base(u_boot_console)
 | |
| 
 | |
|     read_pcr = u_boot_console.run_command('tpm2 pcr_read 10 0x%x' % (ram + 0x20))
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
|     str = re.findall(r'\d+ known updates', read_pcr)[0]
 | |
|     updates = int(re.findall(r'\d+', str)[0])
 | |
| 
 | |
|     u_boot_console.run_command('tpm2 pcr_extend 10 0x%x' % ram)
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
|     # Read the value back into a different place so we can still use 'ram' as
 | |
|     # our zero bytes
 | |
|     read_pcr = u_boot_console.run_command('tpm2 pcr_read 10 0x%x' % (ram + 0x20))
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
|     assert 'f5 a5 fd 42 d1 6a 20 30 27 98 ef 6e d3 09 97 9b' in read_pcr
 | |
|     assert '43 00 3d 23 20 d9 f0 e8 ea 98 31 a9 27 59 fb 4b' in read_pcr
 | |
| 
 | |
|     str = re.findall(r'\d+ known updates', read_pcr)[0]
 | |
|     new_updates = int(re.findall(r'\d+', str)[0])
 | |
|     assert (updates + 1) == new_updates
 | |
| 
 | |
|     u_boot_console.run_command('tpm2 pcr_extend 10 0x%x' % ram)
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
| 
 | |
|     read_pcr = u_boot_console.run_command('tpm2 pcr_read 10 0x%x' % (ram + 0x20))
 | |
|     output = u_boot_console.run_command('echo $?')
 | |
|     assert output.endswith('0')
 | |
|     assert '7a 05 01 f5 95 7b df 9c b3 a8 ff 49 66 f0 22 65' in read_pcr
 | |
|     assert 'f9 68 65 8b 7a 9c 62 64 2c ba 11 65 e8 66 42 f5' in read_pcr
 | |
| 
 | |
|     str = re.findall(r'\d+ known updates', read_pcr)[0]
 | |
|     new_updates = int(re.findall(r'\d+', str)[0])
 | |
|     assert (updates + 2) == new_updates
 | |
| 
 | |
| @pytest.mark.buildconfigspec('cmd_tpm_v2')
 | |
| def test_tpm2_cleanup(u_boot_console):
 | |
|     """Ensure the TPM is cleared from password or test related configuration."""
 | |
| 
 | |
|     force_init(u_boot_console, True)
 |