[PATCH v2 0/3] tpm: Start to tidy up TPM tests
This series is a starting point only. It tries to provide some direction for how the TPM tests should be run on real hardware and on sandbox.
For sandbox, things are relatively easy since the TPM is reset before each test. Tests should start up the TPM before doing anything. Tests can be run in parallel, which is fine because tests are independent.
For real hardware, tests cannot be made independent, other than by resetting the board, which if the hardware is correct, resets the TPM. So there may be more work to do to figure that out. The approach taken in this series for real hardware is to have a few tests which do init, then have the rest of the tests assume that the init is done. Tests that depend on the TPM already being inited can use 'tpm autostart' which works OK on sandbox and real hardware.
Changes in v2: - Keep test_tpm2_continue_self_test()
Simon Glass (3): tpm: sandbox: Support self-test continue in emulator tpm: Convert sandbox-focussed tests to C tpm: Drop unwanted special cases for sandbox
drivers/tpm/tpm_tis_sandbox.c | 1 + test/dm/tpm.c | 77 +++++++++++++++++++++++++++++++- test/py/tests/test_tpm2.py | 84 +++++------------------------------ 3 files changed, 87 insertions(+), 75 deletions(-)
Add support for the self-test continue command in the TPM v1.2 emulator, to match the functionality in the TPM v2 emulator.
Signed-off-by: Simon Glass sjg@chromium.org Reviewed-by: Ilias Apalodimas ilias.apalodimas@linaro.org ---
(no changes since v1)
drivers/tpm/tpm_tis_sandbox.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/tpm/tpm_tis_sandbox.c b/drivers/tpm/tpm_tis_sandbox.c index 7350e1c4d525..ca992eeb90f9 100644 --- a/drivers/tpm/tpm_tis_sandbox.c +++ b/drivers/tpm/tpm_tis_sandbox.c @@ -222,6 +222,7 @@ static int sandbox_tpm_xfer(struct udevice *dev, const uint8_t *sendbuf, case 0x72: /* physical set deactivated */ case 0x99: /* startup */ case 0x50: /* self test full */ + case 0x53: /* self test continue */ case 0x4000000a: /* assert physical presence */ *recv_len = 12; memset(recvbuf, '\0', *recv_len);
Some of the Python tests are a pain because they don't reset the TPM state before each test. Driver model tests do this, so convert the tests to C.
This means that these tests won't run on real hardware, but we have tests which do TPM init, so there is still enough coverage.
Rename and update the Python tpm_init test to use 'tpm autostart', since this deals with starting up ready for the tests below.
Signed-off-by: Simon Glass sjg@chromium.org ---
Changes in v2: - Keep test_tpm2_continue_self_test()
test/dm/tpm.c | 77 +++++++++++++++++++++++++++++++++++++- test/py/tests/test_tpm2.py | 38 +------------------ 2 files changed, 76 insertions(+), 39 deletions(-)
diff --git a/test/dm/tpm.c b/test/dm/tpm.c index cde933ab2848..f8264af13789 100644 --- a/test/dm/tpm.c +++ b/test/dm/tpm.c @@ -50,14 +50,87 @@ static int test_tpm_init(struct unit_test_state *uts, enum tpm_version version) return 0; }
-static int dm_test_tpm(struct unit_test_state *uts) +static int dm_test_tpm_init(struct unit_test_state *uts) { ut_assertok(test_tpm_init(uts, TPM_V1)); ut_assertok(test_tpm_init(uts, TPM_V2));
return 0; } -DM_TEST(dm_test_tpm, UT_TESTF_SCAN_FDT); +DM_TEST(dm_test_tpm_init, UT_TESTF_SCAN_FDT); + +/* Test TPM startup */ +static int test_tpm_startup(struct unit_test_state *uts, + enum tpm_version version) +{ + struct udevice *dev; + + /* check probe success */ + ut_assertok(get_tpm_version(version, &dev)); + + ut_assertok(tpm_init(dev)); + ut_assertok(tpm_startup(dev, TPM_ST_CLEAR)); + + return 0; +} + +static int dm_test_tpm_startup(struct unit_test_state *uts) +{ + ut_assertok(test_tpm_startup(uts, TPM_V1)); + ut_assertok(test_tpm_startup(uts, TPM_V2)); + + return 0; +} +DM_TEST(dm_test_tpm_startup, UT_TESTF_SCAN_FDT); + +/* Test TPM self-test full */ +static int test_tpm_self_test_full(struct unit_test_state *uts, + enum tpm_version version) +{ + struct udevice *dev; + + /* check probe success */ + ut_assertok(get_tpm_version(version, &dev)); + + ut_assertok(tpm_init(dev)); + ut_assertok(tpm_startup(dev, TPM_ST_CLEAR)); + + return 0; +} + +static int dm_test_tpm_self_test_full(struct unit_test_state *uts) +{ + ut_assertok(test_tpm_self_test_full(uts, TPM_V1)); + ut_assertok(test_tpm_self_test_full(uts, TPM_V2)); + + return 0; +} +DM_TEST(dm_test_tpm_self_test_full, UT_TESTF_SCAN_FDT); + +/* Test TPM self-test continue */ +static int test_tpm_self_test_cont(struct unit_test_state *uts, + enum tpm_version version) +{ + struct udevice *dev; + + /* check probe success */ + ut_assertok(get_tpm_version(version, &dev)); + + ut_assertok(tpm_init(dev)); + ut_assertok(tpm_startup(dev, TPM_ST_CLEAR)); + ut_assertok(tpm_continue_self_test(dev)); + + return 0; +} + +static int dm_test_tpm_self_test_cont(struct unit_test_state *uts) +{ + ut_assertok(test_tpm_self_test_cont(uts, TPM_V1)); + ut_assertok(test_tpm_self_test_cont(uts, TPM_V2)); + + return 0; +} +DM_TEST(dm_test_tpm_self_test_cont, UT_TESTF_SCAN_FDT);
/* Test report_state */ static int dm_test_tpm_report_state(struct unit_test_state *uts) diff --git a/test/py/tests/test_tpm2.py b/test/py/tests/test_tpm2.py index 1d654cd4a23b..8ed337eddc10 100644 --- a/test/py/tests/test_tpm2.py +++ b/test/py/tests/test_tpm2.py @@ -56,7 +56,7 @@ def is_sandbox(cons): return sys_arch == 'sandbox'
@pytest.mark.buildconfigspec('cmd_tpm_v2') -def test_tpm2_init(u_boot_console): +def test_tpm2_autostart(u_boot_console): """Init the software stack to use TPMv2 commands.""" skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False) if skip_test: @@ -65,19 +65,6 @@ def test_tpm2_init(u_boot_console): output = u_boot_console.run_command('echo $?') assert output.endswith('0')
-@pytest.mark.buildconfigspec('cmd_tpm_v2') -def test_tpm2_startup(u_boot_console): - """Execute a TPM2_Startup command. - - Initiate the TPM internal state machine. - """ - skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False) - if skip_test: - pytest.skip('skip TPM device test') - u_boot_console.run_command('tpm2 startup TPM2_SU_CLEAR') - output = u_boot_console.run_command('echo $?') - assert output.endswith('0') - def tpm2_sandbox_init(u_boot_console): """Put sandbox back into a known state so we can run a test
@@ -92,29 +79,6 @@ def tpm2_sandbox_init(u_boot_console): if skip_test: pytest.skip('skip TPM device test')
-@pytest.mark.buildconfigspec('cmd_tpm_v2') -def test_tpm2_sandbox_self_test_full(u_boot_console): - """Execute a TPM2_SelfTest (full) command. - - Ask the TPM to perform all self tests to also enable full capabilities. - """ - if is_sandbox(u_boot_console): - u_boot_console.restart_uboot() - u_boot_console.run_command('tpm2 autostart') - output = u_boot_console.run_command('echo $?') - assert output.endswith('0') - - u_boot_console.run_command('tpm2 startup TPM2_SU_CLEAR') - output = u_boot_console.run_command('echo $?') - assert output.endswith('0') - - skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False) - if skip_test: - pytest.skip('skip TPM device test') - u_boot_console.run_command('tpm2 self_test full') - output = u_boot_console.run_command('echo $?') - assert output.endswith('0') - @pytest.mark.buildconfigspec('cmd_tpm_v2') def test_tpm2_continue_self_test(u_boot_console): """Execute a TPM2_SelfTest (continued) command.
Hi Simon,
On Sat, Nov 11, 2023 at 05:43:37PM -0700, Simon Glass wrote:
Some of the Python tests are a pain because they don't reset the TPM state before each test. Driver model tests do this, so convert the tests to C.
The python tests restart u-boot though. The problem is a bit different here. Python tests run late, so if the efi subsystem runs first, future tpm_init() calls will return -EBUSY. Perhaps the dm tests run earlier?
This means that these tests won't run on real hardware, but we have tests which do TPM init, so there is still enough coverage.
Rename and update the Python tpm_init test to use 'tpm autostart', since this deals with starting up ready for the tests below.
Signed-off-by: Simon Glass sjg@chromium.org
Changes in v2:
- Keep test_tpm2_continue_self_test()
test/dm/tpm.c | 77 +++++++++++++++++++++++++++++++++++++- test/py/tests/test_tpm2.py | 38 +------------------ 2 files changed, 76 insertions(+), 39 deletions(-)
diff --git a/test/dm/tpm.c b/test/dm/tpm.c index cde933ab2848..f8264af13789 100644 --- a/test/dm/tpm.c +++ b/test/dm/tpm.c @@ -50,14 +50,87 @@ static int test_tpm_init(struct unit_test_state *uts, enum tpm_version version) return 0; }
-static int dm_test_tpm(struct unit_test_state *uts) +static int dm_test_tpm_init(struct unit_test_state *uts) { ut_assertok(test_tpm_init(uts, TPM_V1)); ut_assertok(test_tpm_init(uts, TPM_V2));
return 0; } -DM_TEST(dm_test_tpm, UT_TESTF_SCAN_FDT); +DM_TEST(dm_test_tpm_init, UT_TESTF_SCAN_FDT);
+/* Test TPM startup */ +static int test_tpm_startup(struct unit_test_state *uts,
enum tpm_version version)+{
- struct udevice *dev;
- /* check probe success */
- ut_assertok(get_tpm_version(version, &dev));
- ut_assertok(tpm_init(dev));
- ut_assertok(tpm_startup(dev, TPM_ST_CLEAR));
- return 0;
+}
+static int dm_test_tpm_startup(struct unit_test_state *uts) +{
- ut_assertok(test_tpm_startup(uts, TPM_V1));
- ut_assertok(test_tpm_startup(uts, TPM_V2));
- return 0;
+} +DM_TEST(dm_test_tpm_startup, UT_TESTF_SCAN_FDT);
+/* Test TPM self-test full */ +static int test_tpm_self_test_full(struct unit_test_state *uts,
enum tpm_version version)+{
- struct udevice *dev;
- /* check probe success */
- ut_assertok(get_tpm_version(version, &dev));
- ut_assertok(tpm_init(dev));
- ut_assertok(tpm_startup(dev, TPM_ST_CLEAR));
Replace this sequence with test_tpm_startup().
Probably a c/p mistake but you need to call tpm_self_test_full() as well.
- return 0;
+}
+static int dm_test_tpm_self_test_full(struct unit_test_state *uts) +{
- ut_assertok(test_tpm_self_test_full(uts, TPM_V1));
- ut_assertok(test_tpm_self_test_full(uts, TPM_V2));
- return 0;
+}
[...]
Thanks /Ilias
These don't seem to be needed.
Add a few notes about what to do next. Also mention parallel tests in at the top of thefile.
Signed-off-by: Simon Glass sjg@chromium.org Reviewed-by: Ilias Apalodimas ilias.apalodimas@linaro.org ---
(no changes since v1)
test/py/tests/test_tpm2.py | 46 +++++++++----------------------------- 1 file changed, 10 insertions(+), 36 deletions(-)
diff --git a/test/py/tests/test_tpm2.py b/test/py/tests/test_tpm2.py index 8ed337eddc10..47370dad9f60 100644 --- a/test/py/tests/test_tpm2.py +++ b/test/py/tests/test_tpm2.py @@ -27,6 +27,16 @@ behavior. * Setup env__tpm_device_test_skip to True if tests with TPM devices should be skipped.
+Parallel tests +-------------- + +These tests can be run in parallel on sandbox. In that case any action taken +by one test may be independent of another. For sandbox, care should be taken to +ensure that tests are independent. + +Unfortunately, tests cannot be made independent on real hardware, since there is +no way to reset the TPM other than restarting the board. Perhaps that would be +the best approach? """
updates = 0 @@ -50,11 +60,6 @@ def force_init(u_boot_console, force=False): u_boot_console.run_command('tpm2 clear TPM2_RH_PLATFORM') u_boot_console.run_command('echo --- end of init ---')
-def is_sandbox(cons): - # Array slice removes leading/trailing quotes. - sys_arch = cons.config.buildconfig.get('config_sys_arch', '"sandbox"')[1:-1] - return sys_arch == 'sandbox' - @pytest.mark.buildconfigspec('cmd_tpm_v2') def test_tpm2_autostart(u_boot_console): """Init the software stack to use TPMv2 commands.""" @@ -65,20 +70,6 @@ def test_tpm2_autostart(u_boot_console): output = u_boot_console.run_command('echo $?') assert output.endswith('0')
-def tpm2_sandbox_init(u_boot_console): - """Put sandbox back into a known state so we can run a test - - This allows all tests to run in parallel, since no test depends on another. - """ - u_boot_console.restart_uboot() - u_boot_console.run_command('tpm2 autostart') - output = u_boot_console.run_command('echo $?') - assert output.endswith('0') - - skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False) - if skip_test: - pytest.skip('skip TPM device test') - @pytest.mark.buildconfigspec('cmd_tpm_v2') def test_tpm2_continue_self_test(u_boot_console): """Execute a TPM2_SelfTest (continued) command. @@ -90,8 +81,6 @@ def test_tpm2_continue_self_test(u_boot_console): skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False) if skip_test: pytest.skip('skip TPM device test') - if is_sandbox(u_boot_console): - tpm2_sandbox_init(u_boot_console) u_boot_console.run_command('tpm2 self_test continue') output = u_boot_console.run_command('echo $?') assert output.endswith('0') @@ -108,9 +97,6 @@ def test_tpm2_clear(u_boot_console): not have a password set, otherwise this test will fail. ENDORSEMENT and PLATFORM hierarchies are also available. """ - if is_sandbox(u_boot_console): - tpm2_sandbox_init(u_boot_console) - skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False) if skip_test: pytest.skip('skip TPM device test') @@ -131,8 +117,6 @@ def test_tpm2_change_auth(u_boot_console): Use the LOCKOUT hierarchy for this. ENDORSEMENT and PLATFORM hierarchies are also available. """ - if is_sandbox(u_boot_console): - tpm2_sandbox_init(u_boot_console) force_init(u_boot_console)
u_boot_console.run_command('tpm2 change_auth TPM2_RH_LOCKOUT unicorn') @@ -157,9 +141,6 @@ def test_tpm2_get_capability(u_boot_console): There is no expected default values because it would depend on the chip used. We can still save them in order to check they have changed later. """ - if is_sandbox(u_boot_console): - tpm2_sandbox_init(u_boot_console) - force_init(u_boot_console) ram = u_boot_utils.find_ram_base(u_boot_console)
@@ -181,8 +162,6 @@ def test_tpm2_dam_parameters(u_boot_console): the authentication, otherwise the lockout will be engaged after the first failed authentication attempt. """ - if is_sandbox(u_boot_console): - tpm2_sandbox_init(u_boot_console) force_init(u_boot_console) ram = u_boot_utils.find_ram_base(u_boot_console)
@@ -205,9 +184,6 @@ def test_tpm2_pcr_read(u_boot_console):
Perform a PCR read of the 10th PCR. Must be zero. """ - if is_sandbox(u_boot_console): - tpm2_sandbox_init(u_boot_console) - force_init(u_boot_console) ram = u_boot_utils.find_ram_base(u_boot_console)
@@ -234,8 +210,6 @@ def test_tpm2_pcr_extend(u_boot_console): No authentication mechanism is used here, not protecting against packet replay, yet. """ - if is_sandbox(u_boot_console): - tpm2_sandbox_init(u_boot_console) force_init(u_boot_console) ram = u_boot_utils.find_ram_base(u_boot_console)
participants (2)
-
Ilias Apalodimas -
Simon Glass