[U-Boot] [PATCH v2 19/19] test/py: add TPMv2.0 test suite
Miquel Raynal
miquel.raynal at bootlin.com
Thu Mar 29 07:44:01 UTC 2018
Add tests for the TPMv2.0 commands.
These commands need a physical TPM to run properly, there is no sandbox
support yet.
Signed-off-by: Miquel Raynal <miquel.raynal at bootlin.com>
---
test/py/tests/test_tpm2.py | 254 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 254 insertions(+)
create mode 100644 test/py/tests/test_tpm2.py
diff --git a/test/py/tests/test_tpm2.py b/test/py/tests/test_tpm2.py
new file mode 100644
index 0000000000..eb2bc93cd3
--- /dev/null
+++ b/test/py/tests/test_tpm2.py
@@ -0,0 +1,254 @@
+# Copyright (c) 2018, Bootlin
+#
+# SPDX-License-Identifier: GPL-2.0
+
+import os.path
+import pytest
+import u_boot_utils
+import re
+import time
+
+"""
+Test the TPMv2 related commands. You must have a working hardware setup in order
+to do these tests.
+
+Notes:
+* These tests will prove the password mechanism. The TPM chip must be cleared of
+any password.
+* Commands like pcr_setauthpolicy and pcr_resetauthpolicy are not implemented
+here because they would fail the tests in most cases (TPMs do not implement them
+and return an error).
+"""
+
+updates = 0
+
+def force_init(u_boot_console):
+ """When a test fails, U-Boot is reset. Because TPM stack must be initialized
+ after each reboot, we must ensure these lines are always executed before
+ trying any command or they will fail with no reason.
+ """
+ output = u_boot_console.run_command('tpm init TPM2')
+ if not 'TPM error: -16' in output:
+ u_boot_console.run_command('echo --- start of init ---')
+ u_boot_console.run_command('tpm startup TPM2_SU_CLEAR')
+ u_boot_console.run_command('tpm self_test_full')
+ u_boot_console.run_command('tpm force_clear TPM2_RH_LOCKOUT')
+ output = u_boot_console.run_command('echo $?')
+ if not output.endswith('0'):
+ u_boot_console.run_command('tpm force_clear TPM2_RH_PLATFORM')
+ u_boot_console.run_command('echo --- end of init ---')
+
+ at pytest.mark.buildconfigspec('tpm')
+ at pytest.mark.buildconfigspec('tpm_tis_spi')
+ at pytest.mark.buildconfigspec('cmd_tpm')
+def test_tpm2_init(u_boot_console):
+ """Init the software stack to use TPMv2 commands."""
+
+ output = u_boot_console.run_command('tpm init TPM2')
+ assert output.endswith('TPM complies to the v2.x specification')
+
+ at pytest.mark.buildconfigspec('tpm')
+ at pytest.mark.buildconfigspec('tpm_tis_spi')
+ at pytest.mark.buildconfigspec('cmd_tpm')
+def test_tpm2_startup(u_boot_console):
+ """Execute a TPM2_Startup command.
+
+ Initiate the TPM internal state machine.
+ """
+
+ u_boot_console.run_command('tpm startup TPM2_SU_CLEAR')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+ at pytest.mark.buildconfigspec('tpm')
+ at pytest.mark.buildconfigspec('tpm_tis_spi')
+ at pytest.mark.buildconfigspec('cmd_tpm')
+def test_tpm2_self_test_full(u_boot_console):
+ """Execute a TPM2_SelfTest (full) command.
+
+ Ask the TPM to perform all self tests to also enable full capabilities.
+ """
+
+ u_boot_console.run_command('tpm self_test_full')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+ at pytest.mark.buildconfigspec('tpm')
+ at pytest.mark.buildconfigspec('tpm_tis_spi')
+ at pytest.mark.buildconfigspec('cmd_tpm')
+def test_tpm2_continue_self_test(u_boot_console):
+ """Execute a TPM2_SelfTest (continued) command.
+
+ Ask the TPM to finish its self tests (alternative to the full test) in order
+ to enter a fully operational state.
+ """
+
+ u_boot_console.run_command('tpm continue_self_test')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+ at pytest.mark.buildconfigspec('tpm')
+ at pytest.mark.buildconfigspec('tpm_tis_spi')
+ at pytest.mark.buildconfigspec('cmd_tpm')
+def test_tpm2_clear(u_boot_console):
+ """Execute a TPM2_Clear command.
+
+ Ask the TPM to reset entirely its internal state (including internal
+ configuration, passwords, counters and DAM parameters). This is half of the
+ TAKE_OWNERSHIP command from TPMv1.
+
+ Use the LOCKOUT hierarchy for this. The LOCKOUT/PLATFORM hierarchies must
+ not have a password set, otherwise this test will fail. ENDORSEMENT and
+ PLATFORM hierarchies are also available.
+ """
+
+ u_boot_console.run_command('tpm force_clear TPM2_RH_LOCKOUT')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+ u_boot_console.run_command('tpm force_clear TPM2_RH_PLATFORM')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+ at pytest.mark.buildconfigspec('tpm')
+ at pytest.mark.buildconfigspec('tpm_tis_spi')
+ at pytest.mark.buildconfigspec('cmd_tpm')
+def test_tpm2_change_auth(u_boot_console):
+ """Execute a TPM2_HierarchyChangeAuth command.
+
+ Ask the TPM to change the owner, ie. set a new password: 'unicorn'
+
+ Use the LOCKOUT hierarchy for this. ENDORSEMENT and PLATFORM hierarchies are
+ also available.
+ """
+
+ force_init(u_boot_console)
+
+ u_boot_console.run_command('tpm change_auth TPM2_RH_LOCKOUT unicorn')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+ u_boot_console.run_command('tpm force_clear TPM2_RH_LOCKOUT')
+ output = u_boot_console.run_command('echo $?')
+ u_boot_console.run_command('tpm force_clear TPM2_RH_PLATFORM')
+ assert not output.endswith('0')
+
+ at pytest.mark.buildconfigspec('tpm')
+ at pytest.mark.buildconfigspec('tpm_tis_spi')
+ at pytest.mark.buildconfigspec('cmd_tpm')
+def test_tpm2_get_capability(u_boot_console):
+ """Execute a TPM_GetCapability command.
+
+ Display one capability. In our test case, let's display the default DAM
+ lockout counter that should be 0 since the CLEAR:
+ - TPM_CAP_TPM_PROPERTIES = 0x6
+ - TPM_PT_LOCKOUT_COUNTER (1st parameter) = PTR_VAR + 14
+
+ There is no expected default values because it would depend on the chip
+ used. We can still save them in order to check they have changed later.
+ """
+
+ force_init(u_boot_console)
+ ram = u_boot_utils.find_ram_base(u_boot_console)
+
+ read_cap = u_boot_console.run_command('tpm get_capability 0x6 0x20e 0x%x 1' % ram)
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+ assert 'Property 0x0000020e: 0x00000000' in read_cap
+
+ at pytest.mark.buildconfigspec('tpm')
+ at pytest.mark.buildconfigspec('tpm_tis_spi')
+ at pytest.mark.buildconfigspec('cmd_tpm')
+def test_tpm2_dam_set_parameters(u_boot_console):
+ """Execute a TPM2_DictionaryAttackParameters command.
+
+ Change Dictionary Attack Mitigation (DAM) parameters. Ask the TPM to change:
+ - Max number of failed authentication before lockout: 3
+ - Time before the failure counter is automatically decremented: 10 sec
+ - Time after a lockout failure before it can be attempted again: 0 sec
+
+ For an unknown reason, the DAM parameters must be changed before changing
+ the authentication, otherwise the lockout will be engaged after the first
+ failed authentication attempt.
+ """
+
+ force_init(u_boot_console)
+ ram = u_boot_utils.find_ram_base(u_boot_console)
+
+ # Set the DAM parameters to known values
+ u_boot_console.run_command('tpm dam_set_parameters 3 10 0')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+ # Check the values have been saved
+ read_cap = u_boot_console.run_command('tpm get_capability 0x6 0x20f 0x%x 3' % ram)
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+ assert 'Property 0x0000020f: 0x00000003' in read_cap
+ assert 'Property 0x00000210: 0x0000000a' in read_cap
+ assert 'Property 0x00000211: 0x00000000' in read_cap
+
+ at pytest.mark.buildconfigspec('tpm')
+ at pytest.mark.buildconfigspec('tpm_tis_spi')
+ at pytest.mark.buildconfigspec('cmd_tpm')
+def test_tpm2_read(u_boot_console):
+ """Execute a TPM2_PCR_Read command.
+
+ Perform a PCR read of the 0th PCR. Must be zero.
+ """
+
+ force_init(u_boot_console)
+ ram = u_boot_utils.find_ram_base(u_boot_console) + 1024
+
+ read_pcr = u_boot_console.run_command('tpm pcr_read 0 0x%x' % ram)
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+ # Save the number of PCR updates
+ str = re.findall(r'known updates: \d+', read_pcr)[0]
+ global updates
+ updates = int(re.findall(r'\d+', str)[0])
+
+ # Check the output value
+ assert 'Named PCR 0 content' in read_pcr
+ assert '''
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00''' in read_pcr
+
+ at pytest.mark.buildconfigspec('tpm')
+ at pytest.mark.buildconfigspec('tpm_tis_spi')
+ at pytest.mark.buildconfigspec('cmd_tpm')
+def test_tpm2_extend(u_boot_console):
+ """Execute a TPM2_PCR_Extend command.
+
+ Perform a PCR extension with a known hash in memory (zeroed since the board
+ must have been rebooted).
+
+ No authentication mechanism is used here, not protecting against packet
+ replay, yet.
+ """
+
+ force_init(u_boot_console)
+ ram = u_boot_utils.find_ram_base(u_boot_console) + 1024
+
+ u_boot_console.run_command('tpm pcr_extend 0 0x%x' % ram)
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+ read_pcr = u_boot_console.run_command('tpm pcr_read 0 0x%x' % ram)
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+ assert 'f5 a5 fd 42 d1 6a 20 30 27 98 ef 6e d3 09 97 9b' in read_pcr
+ assert '43 00 3d 23 20 d9 f0 e8 ea 98 31 a9 27 59 fb 4b' in read_pcr
+
+ str = re.findall(r'known updates: \d+', read_pcr)[0]
+ new_updates = int(re.findall(r'\d+', str)[0])
+ assert (updates + 1) == new_updates
+
+ at pytest.mark.buildconfigspec('tpm')
+ at pytest.mark.buildconfigspec('tpm_tis_spi')
+ at pytest.mark.buildconfigspec('cmd_tpm')
+def test_tpm2_cleanup(u_boot_console):
+ """Ensure the TPM is cleared from password or test related configuration."""
+
+ force_init(u_boot_console)
--
2.14.1
More information about the U-Boot
mailing list