dasharo-security/tpm-support.robot: Refactor TPM version and support …

…tests This commit introduces a new variable TPM_EXPECTED_VERSION to various platform configs. Then, Verify TPM Version tests are changed to refer to this new variable. Additionally, replace cbmem -L with cbmem -1 with grep, to first ensure only last boot is taken into consideration, and then, to reduce to amount of data sent via RTE, which can cause 30s timeout to trigger. Signed-off-by: Sebastian Czapla <[email protected]>
Dasharo · Oct 15, 2024 · 8bab4c2 · 8bab4c2
1 parent 737f4ba
commit 8bab4c2
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 23 deletions.
diff --git a/dasharo-security/tpm-support.robot b/dasharo-security/tpm-support.robot
@@ -29,13 +29,9 @@ TPM001.001 TPM Support (firmware)
     [Documentation]    This test aims to verify that the TPM is initialized
     ...    correctly and the PCRs can be accessed from the firmware.
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    TPM001.001 not supported
+    Skip If    '${PAYLOAD}' != 'tianocore'    Available only for tianocore
     Power On
-    Boot System Or From Connected Disk    ubuntu
-    Login To Linux
-    Switch To Root User
-    Get Cbmem From Cloud
-    ${out}=    Execute Command In Terminal    cbmem -L
-    Should Contain Any    ${out}    TPM2 log    TCPA log
+    Validate Expected TPM In Firmware
 
 TPM001.002 TPM Support (Ubuntu)
     [Documentation]    Check whether the TPM is initialized correctly and the
@@ -65,13 +61,9 @@ TPM002.001 Verify TPM version (firmware)
     [Documentation]    This test aims to verify that the TPM version is
     ...    correctly recognized by the firmware.
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    TPM002.001 not supported
+    Skip If    '${PAYLOAD}' != 'tianocore'    Available only for tianocore
     Power On
-    Boot System Or From Connected Disk    ubuntu
-    Login To Linux
-    Switch To Root User
-    Get Cbmem From Cloud
-    ${out}=    Execute Command In Terminal    cbmem -L
-    Should Contain Any    ${out}    TPM2 log    TCPA log
+    Validate Expected TPM In Firmware
 
 TPM002.002 Verify TPM version (Ubuntu)
     [Documentation]    This test aims to verify that the TPM version is
@@ -82,9 +74,7 @@ TPM002.002 Verify TPM version (Ubuntu)
     Boot System Or From Connected Disk    ubuntu
     Login To Linux
     Switch To Root User
-    ${out}=    Execute Command In Terminal    cat /sys/class/tpm/tpm0/tpm_version_major
-    # TPM 2.0 and 1.2
-    Should Contain Any    ${out}    1    2
+    Validate Expected TPM In Linux
 
 TPM002.003 Verify TPM version (Windows)
     [Documentation]    This test aims to verify that the TPM version is
@@ -118,7 +108,13 @@ TPM003.002 Check TPM Physical Presence Interface (Ubuntu)
     Login To Linux
     Switch To Root User
     ${out}=    Execute Command In Terminal    cat /sys/class/tpm/tpm0/ppi/version
-    Should Contain Any    ${out}    1.2    1.3
+    IF    '${TPM_EXPECTED_VERSION}' == '1'
+        Should Contain    ${out}    1.2
+    ELSE IF    '${TPM_EXPECTED_VERSION}' == '2'
+        Should Contain    ${out}    1.3
+    ELSE
+        Fail    Invalid expected version, please verify config
+    END
 
 TPM003.003 Check TPM Physical Presence Interface (Windows)
     [Documentation]    This test aims to verify that the TPM Physical Presence
@@ -142,14 +138,32 @@ Validate Any TPM
     [Documentation]    Checks for TPM major version, and validates it.
     ${tpm_ver}=    Execute Command In Terminal    cat /sys/class/tpm/tpm0/tpm_version_major
     IF    '${tpm_ver}' == '2'
-        Detect Or Install Package    tpm2-tools
-        ${out}=    Execute Command In Terminal    tpm2_pcrread
-        Should Contain    ${out}    sha1:
-        Should Contain    ${out}    sha256:
+        ${out}=    Execute Command In Terminal    test -d /sys/class/tpm/tpm0/pcr-sha256 && echo "PCR Valid"
+        Should Contain    ${out}    PCR Valid
     ELSE IF    '${tpm_ver}' == '1'
-        Detect Or Install Package    tpm-tools
-        ${out}=    Execute Command In Terminal    tpm_selftest
-        Should Contain    ${out}    TPM Test Results:
+        ${out}=    Execute Command In Terminal    test -d /sys/class/tpm/tpm0/pcr-sha1 && echo "PCR Valid"
+        Should Contain    ${out}    PCR Valid
     ELSE
         Fail    No valid TPM version available.
     END
+
+Validate Expected TPM In Linux
+    [Documentation]    Checks if major TPM version matches the expected
+    ...    value.
+    ${tpm_ver}=    Execute Command In Terminal    cat /sys/class/tpm/tpm0/tpm_version_major
+    IF    '${TPM_EXPECTED_VERSION}' != '${tpm_ver}'
+        Fail    Platform TPM version mismatch
+    END
+
+Validate Expected TPM In Firmware
+    ${setup_menu}=    Enter Setup Menu Tianocore And Return Construction
+    ${device_mgr_menu}=    Enter Submenu From Snapshot And Return Construction
+    ...    ${setup_menu}
+    ...    Device Manager
+    IF    '${TPM_EXPECTED_VERSION}' == '1'
+        Should Contain    ${device_mgr_menu}    > TCG Configuration
+    ELSE IF    '${TPM_EXPECTED_VERSION}' == '2'
+        Should Contain    ${device_mgr_menu}    > TCG2 Configuration
+    ELSE
+        Fail    Invalid expected version, please verify config
+    END
diff --git a/platform-configs/include/msi-z690-common.robot b/platform-configs/include/msi-z690-common.robot
@@ -25,6 +25,7 @@ ${POWER_CTRL}=                                  sonoff
 ${FLASH_VERIFY_METHOD}=                         none
 ${WIFI_CARD}=                                   ${TBD}
 ${MAX_CPU_TEMP}=                                80
+${TPM_EXPECTED_VERSION}=                        2
 
 ${DMIDECODE_MANUFACTURER}=                      Micro-Star International Co., Ltd.
 ${DMIDECODE_VENDOR}=                            3mdeb

diff --git a/platform-configs/include/novacustom-common.robot b/platform-configs/include/novacustom-common.robot
@@ -24,6 +24,7 @@ ${FLASH_VERIFY_METHOD}=                             none
 ${MAX_CPU_TEMP}=                                    82
 ${AUTO_BOOT_TIME_OUT_DEFAULT_VALUE}=                6
 ${FLASHING_METHOD}=                                 internal
+${TPM_EXPECTED_VERSION}=                            2
 
 ${DMIDECODE_SERIAL_NUMBER}=                         N/A
 ${DMIDECODE_MANUFACTURER}=                          Notebook

diff --git a/platform-configs/include/optiplex-common.robot b/platform-configs/include/optiplex-common.robot
@@ -16,6 +16,7 @@ ${SETUP_MENU_KEY}=                              ${F2}
 ${IPXE_BOOT_ENTRY}=                             Network Boot and Utilities
 ${POWER_CTRL}=                                  sonoff
 ${MAX_CPU_TEMP}=                                80
+${TPM_EXPECTED_VERSION}=                        1
 
 ${DMIDECODE_VENDOR}=                            3mdeb
 ${DMIDECODE_FAMILY}=                            N/A

diff --git a/platform-configs/include/pcengines.robot b/platform-configs/include/pcengines.robot
@@ -39,6 +39,9 @@ ${DMIDECODE_FAMILY}=                        N/A
 # TODO
 ${DMIDECODE_TYPE}=                          Desktop
 
+# TPM
+${TPM_EXPECTED_VERSION}=                    2
+
 # Supported test environments
 ${TESTS_IN_FIRMWARE_SUPPORT}=               ${TRUE}
 ${TESTS_IN_UBUNTU_SUPPORT}=                 ${TRUE}

diff --git a/platform-configs/include/protectli-common.robot b/platform-configs/include/protectli-common.robot
@@ -20,6 +20,7 @@ ${CPU}=                                         ${TBD}
 ${POWER_CTRL}=                                  RteCtrl
 ${FLASH_VERIFY_METHOD}=                         tianocore-shell
 ${FLASH_VERIFY_OPTION}=                         UEFI Shell
+${TPM_EXPECTED_VERSION}=                        2
 
 ${DMIDECODE_SERIAL_NUMBER}=                     N/A
 ${DMIDECODE_MANUFACTURER}=                      Protectli