| *** Settings *** |
| Documentation Secure boot related test cases. |
| |
| # Test Parameters: |
| # FFDC_TOOL_DIR_PATH The path to the directory containing FFDC translation |
| # tools such as eSEL.pl. |
| |
| Resource ../../lib/utils.robot |
| Resource ../../lib/boot_utils.robot |
| Resource ../../lib/secure_utils.robot |
| Resource ../../lib/open_power_utils.robot |
| Resource ../../lib/logging_utils.robot |
| Resource ../../lib/openbmc_ffdc_methods.robot |
| |
| Library ../../lib/gen_misc.py |
| |
| Suite Setup Suite Setup Execution |
| Test Setup Test Setup Execution |
| Test Teardown Test Teardown Execution |
| |
| *** Variables *** |
| |
| ${security_access_bit_mask} ${0xC000000000000000} |
| # Description of BC8A1E07 A problem occurred during the IPL of the system. |
| ${pnor_corruption_src} BC8A1E07 |
| ${bmc_image_dir_path} /usr/local/share/pnor |
| ${bmc_guard_dir_path} /var/lib/phosphor-software-manager/pnor/prsv |
| ${FFDC_TOOL_DIR_PATH} ${EMPTY} |
| |
| *** Test Cases *** |
| |
| Validate Secure Boot With TPM Policy Disabled |
| [Documentation] Validate secure boot with TPM policy disabled. |
| [Tags] Validate_Secure_Boot_With_TPM_Policy_Disabled |
| |
| Validate Secure Boot With TPM Policy Enabled Or Disabled ${0} |
| |
| |
| Validate Secure Boot With TPM Policy Enabled |
| [Documentation] Validate secure boot with TPM policy enabled. |
| [Tags] Validate_Secure_Boot_With_TPM_Policy_Enabled |
| |
| Validate Secure Boot With TPM Policy Enabled Or Disabled ${1} |
| |
| |
| Violate Secure Boot Via Corrupt Key In SBE During Host Boot |
| [Documentation] Violate secure boot via corrupt key SBE during host boot. |
| [Tags] Violate_Secure_Boot_Via_Corrupt_Key_In_SBE_During_Host_Boot |
| |
| Violate Secure Boot Via Corrupt Key |
| ... SBE ${pnor_corruption_src} ${bmc_image_dir_path} |
| |
| |
| *** Keywords *** |
| |
| Violate Secure Boot Via Corrupt Key |
| [Documentation] Cause secure boot violation during host boot |
| ... with corrupted key. |
| [Arguments] ${partition} ${error_src} ${bmc_image_dir_path} |
| |
| # Description of argument(s): |
| # partition The partition which is to be corrupted |
| # (e.g. "SBE", "HBI", "HBB", "HBRT", "HBBL", "OCC"). |
| # error_src The system reference code that is expected as a |
| # result of the secure boot violation |
| # (e.g. "BC8A1E07"). |
| # bmc_image_dir_path BMC image path. |
| |
| Set And Verify TPM Policy ${1} |
| |
| # Descipiton: |
| # Cause a secure boot violation by copying an BMC image file to the |
| # target BMC and then starting a power on. |
| # This action should result in: |
| # 1) an error log entry |
| # 2) the system going to "Quiesced" state. |
| |
| # Load corrupted image to /usr/local/share/pnor. |
| Open Connection For SCP |
| Log ${bmc_image_dir_path} |
| scp.Put File |
| ... ${EXEC_DIR}/data/pnor_test_data/${partition} ${bmc_image_dir_path} |
| |
| # Starting a power on. |
| BMC Execute Command /usr/sbin/obmcutil poweron |
| Wait Until Keyword Succeeds 10 min 10 sec Error Logs Should Exist |
| |
| Wait Until Keyword Succeeds 10 min 10 sec Collect Error Logs and Verify SRC ${error_src} |
| |
| # Remove the file from /usr/local/share/pnor/. |
| BMC Execute Command rm -rf ${bmc_image_dir_path}* |
| |
| # Check if system reaches quiesce state. |
| Run Keywords |
| ... Wait Until Keyword Succeeds 3 min 5 sec Is Host Quiesced AND |
| ... Recover Quiesced Host |
| |
| |
| Collect Error Logs and Verify SRC |
| [Documentation] Collect error logs and verify src. |
| [Arguments] ${system_reference_code} |
| |
| # Description of argument(s): |
| # system_reference_code The system reference code that the caller |
| # expects to be found among the existing |
| # error log entries (e.g. "BC8A1E07"). |
| # system_reference_code Src code. |
| |
| Convert eSEL To Elog Format ${FFDC_TOOL_DIR_PATH} |
| |
| ${cmd}= Catenate |
| ... grep -i ${system_reference_code} ${FFDC_TOOL_DIR_PATH}/esel.out.txt |
| ${rc} ${output}= Run and Return RC and Output ${cmd} |
| Should Be Equal ${rc} ${0} |
| ... msg=${system_reference_code} not found in the existing error logs. |
| |
| |
| Get And Verify Security Access Bit |
| [Documentation] Get and verify security access bit. |
| [Arguments] ${sol_log_file_path} |
| |
| # Description of argument(s): |
| # sol_log_file_path The path to the file containing SOL data |
| # which was collected during a REST Power On. |
| |
| # Sample output: |
| # 19.68481|SECURE|Security Access Bit> 0xC000000000000000 |
| |
| ${cmd}= Catenate |
| ... grep "Security Access Bit" ${sol_log_file_path} | awk '{ print $4 }' |
| ${rc} ${security_access_bit_str}= Run and Return RC and Output ${cmd} |
| Should Be Equal ${rc} ${0} |
| ... msg=Return code from ${cmd} not zero. |
| |
| # Verify the value of "Security Access Bit". |
| |
| ${security_access_bit}= Convert to Integer ${security_access_bit_str} |
| ${result}= Evaluate ${security_access_bit_mask} & ${security_access_bit} |
| Should Be Equal ${result} ${security_access_bit_mask} |
| ... msg=System is not booted in secure mode. values=False |
| |
| |
| Validate Secure Boot With TPM Policy Enabled Or Disabled |
| [Documentation] Validate secure boot with TPM policy enabled or disabled. |
| [Arguments] ${tpm_policy} |
| |
| # Description of argument(s): |
| # tpm_policy Enable-0 or Disable-1. |
| |
| Set And Verify TPM Policy ${tpm_policy} |
| REST Power On quiet=1 |
| Validate Secure Boot ${sol_log_file_path} |
| |
| |
| Validate Secure Boot |
| [Documentation] Validate secure boot. |
| [Arguments] ${sol_log_file_path} |
| |
| # Description of argument(s): |
| # sol_log_file_path The path to the file containing SOL data |
| # which was collected during a REST Power On. |
| |
| Get And Verify Security Access Bit ${sol_log_file_path} |
| Error Logs Should Not Exist |
| REST Verify No Gard Records |
| |
| |
| Suite Setup Execution |
| [Documentation] Suite Setup Execution |
| |
| Run export PATH=$PATH:${FFDC_TOOL_DIR_PATH} |
| Set Environment Variable ${FFDC_TOOL_DIR_PATH} ${FFDC_TOOL_DIR_PATH} |
| ${bmc_image_dir_path}= Add Trailing Slash ${bmc_image_dir_path} |
| ${bmc_guard_dir_path}= Add Trailing Slash ${bmc_guard_dir_path} |
| |
| Set Global Variable ${bmc_image_dir_path} |
| Log ${bmc_image_dir_path} |
| BMC Execute Command rm -rf ${bmc_image_dir_path}* |
| |
| Set Global Variable ${bmc_guard_dir_path} |
| Log ${bmc_guard_dir_path} |
| BMC Execute Command rm -rf ${bmc_guard_dir_path}* |
| |
| |
| Test Setup Execution |
| [Documentation] Test setup execution. |
| |
| ${timestamp}= Get Current Date result_format=%Y%m%d%H%M%S |
| ${sol_log_file_path}= Catenate ${EXECDIR}/Secure_SOL${timestamp} |
| Start SOL Console Logging ${sol_log_file_path} |
| Set Suite Variable ${sol_log_file_path} |
| |
| REST Power Off stack_mode=skip quiet=1 |
| Delete Error Logs And Verify |
| |
| |
| |
| Test Teardown Execution |
| [Documentation] Test teardown execution. |
| |
| Stop SOL Console Logging |
| Run rm -rf ${sol_log_file_path} |
| |
| # Removing the corrupted file from BMC. |
| BMC Execute Command rm -rf ${bmc_image_dir_path}* |