[PATCH 8/9] test: Account PCR updates properly during testing

Simon Glass sjg at chromium.org
Wed May 10 22:46:20 CEST 2023


Hi Ilias,

On Wed, 10 May 2023 at 09:26, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> Hi Simon,
>
> On Wed, 10 May 2023 at 17:32, Simon Glass <sjg at chromium.org> wrote:
> >
> > Hi Ilias,
> >
> > On Wed, 10 May 2023 at 01:44, Ilias Apalodimas
> > <ilias.apalodimas at linaro.org> wrote:
> > >
> > > Currently we only read the pcr updates once on test_tpm2_pcr_read().
> > > It turns out that the tpm init sequence of force_init() which consists
> > > of:
> > > - tpm2 init
> > > - tpm2 startup TPM2_SU_CLEAR
> > > - tpm2 self_test full
> > > - tpm2 clear TPM2_RH_LOCKOUT
> > >
> > > also counts as an update.  Running this in the console verifies the
> > > update bump
> > > => tpm2 init
> > > => tpm2 startup TPM2_SU_CLEAR
> > > => tpm2 self_test full
> > > => tpm pcr_read 10 $loadaddr
> > > PCR #10 content (28 known updates):
> > >  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > => tpm2 clear TPM2_RH_LOCKOUT
> > > => tpm pcr_read 10 $loadaddr
> > > PCR #10 content (29 known updates):
> > >  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > >  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > =>
> > >
> > > Instead of relying on the initial read do a read just before updating
> > > the PCR to ensure we read the correct values before testing
> > >
> > > Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > > ---
> > >  test/py/tests/test_tpm2.py | 6 ++++++
> > >  1 file changed, 6 insertions(+)
> >
> > Reviewed-by: Simon Glass <sjg at chromium.org>
> >
> > How do these tests pass today? Or do they not?
>
> They, what I suspect was happening is that the order of testing, or
> init changed with Eddie's patches.  As a consequence the test started
> failing because it ended up with updates bumped by two instead of 1.
> Regardless I think this makes sense to apply overall as the current
> logic was making too many assumptions on the order of tests or the TPM
> state.

The test order should not matter. But perhaps a board reset is needed
between these tests? That's what's so nice about sandbox. It is easy
to reset the test state.

Regards,
Simon
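
Added example, not part of the thread or of U-Boot's test suite: a parser for the `tpm pcr_read` output quoted above, used to compare a baseline taken early with one taken right before the extend, as the patch description proposes. `FakeConsole`, `counter_delta` and `demo` are hypothetical names, and the fake console assumes that both `tpm2 clear` and a PCR extend bump the counter by one.

```python
import re

HEADER = re.compile(r"PCR #(\d+) content \((\d+) known updates\):")
HEX_ROW = re.compile(r"(?:[0-9a-fA-F]{2}\s*)+")  # one row of digest bytes

def parse_pcr_read(output):
    """Parse `tpm pcr_read` console output into (index, updates, digest)."""
    lines = output.splitlines()
    for pos, line in enumerate(lines):
        match = HEADER.search(line)
        if match:
            break
    else:
        raise ValueError("no 'PCR #N content' header found")
    digest = bytearray()
    for row in lines[pos + 1:]:
        if not HEX_ROW.fullmatch(row.strip()):
            break  # prompt or next command: the digest rows are over
        digest += bytes.fromhex(row)
    return int(match.group(1)), int(match.group(2)), bytes(digest)

class FakeConsole:
    """Constructed stand-in for the U-Boot console; models only the counter."""
    def __init__(self, updates):
        self.updates = updates
    def run(self, cmd):
        if cmd.startswith("tpm2 clear") or "pcr_extend" in cmd:
            self.updates += 1  # assumption: each bumps the counter by one
            return ""
        if "pcr_read" in cmd:
            rows = (" " + " ".join(["00"] * 16) + "\n") * 2
            return f"PCR #10 content ({self.updates} known updates):\n{rows}=>"
        return ""

def counter_delta(console, stale_baseline=None):
    """Extend PCR 10 and return how far the counter moved from the baseline."""
    before = stale_baseline
    if before is None:  # read right before the extend, as the patch describes
        before = parse_pcr_read(console.run("tpm pcr_read 10 $loadaddr"))[1]
    console.run("tpm2 pcr_extend 10 $loadaddr")
    return parse_pcr_read(console.run("tpm pcr_read 10 $loadaddr"))[1] - before

def demo():
    console = FakeConsole(updates=28)
    early = parse_pcr_read(console.run("tpm pcr_read 10 $loadaddr"))[1]
    console.run("tpm2 clear TPM2_RH_LOCKOUT")  # init step after the early read
    stale = counter_delta(console, stale_baseline=early)  # off by the clear
    fresh = counter_delta(console)                        # exactly one bump
    return stale, fresh
```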

