PNOR SBE corruption Test case modification
Changes:
- 1) Update the Test case tags and descriptions
e.g: Use "Secure Cold Boot" instead just "Secure Boot"
- 2) Verifying for the error RC string instead of -
Hard coded Error log/SRC code/Reference code (Still Needs More Testing)
- 3) Verifying for the corruption RC in the SOL console log
- 4) Added Corrupted SBE image to sandbox path
- 5) Added more documentation and TODO's wherever necessary
Tested: Tested. OK
Resolve openbmc/openbmc-test-automation#1643
Change-Id: I9876dd9f6ab2c72f81d10f8e39a8bfc7ed08bddf
Signed-off-by: Lakshminarayana R. Kammath <lkammath@in.ibm.com>
Signed-off-by: Devindia <devindia@in.ibm.com>
Signed-off-by: Lakshminarayana R. Kammath <lkammath@in.ibm.com>
diff --git a/data/pnor_test_data/SBE b/data/pnor_test_data/SBE
new file mode 100644
index 0000000..ca9d13e
--- /dev/null
+++ b/data/pnor_test_data/SBE
Binary files differ
diff --git a/openpower/secureboot/secure.robot b/openpower/secureboot/secure.robot
index ceac1e4..359fa31 100644
--- a/openpower/secureboot/secure.robot
+++ b/openpower/secureboot/secure.robot
@@ -2,10 +2,12 @@
Documentation Secure boot related test cases.
# Test Parameters:
-# FFDC_TOOL_DIR_PATH The path to the directory containing FFDC translation
-# tools such as eSEL.pl.
+# SEL to PEL conversion:
+# https://github.com/openbmc/openbmc-test-automation/blob/master/docs/
+# openbmc_test_tools.md#converting-sels-to-readable-format
Resource ../../lib/utils.robot
+Resource ../../lib/state_manager.robot
Resource ../../lib/boot_utils.robot
Resource ../../lib/secure_utils.robot
Resource ../../lib/open_power_utils.robot
@@ -21,49 +23,52 @@
*** Variables ***
${security_access_bit_mask} ${0xC000000000000000}
-# Description of BC8A1E07 A problem occurred during the IPL of the system.
-${pnor_corruption_src} BC8A1E07
+# TODO: will enable this in next commit
+#${pnor_corruption_rc} SECUREBOOT::RC_ROM_VERIFY
+${pnor_corruption_rc} 0x1E07
${bmc_image_dir_path} /usr/local/share/pnor
-${bmc_guard_dir_path} /var/lib/phosphor-software-manager/pnor/prsv
-${FFDC_TOOL_DIR_PATH} ${EMPTY}
+${bmc_guard_part_path} /var/lib/phosphor-software-manager/pnor/prsv/GUARD
*** Test Cases ***
-Validate Secure Boot With TPM Policy Disabled
- [Documentation] Validate secure boot with TPM policy disabled.
- [Tags] Validate_Secure_Boot_With_TPM_Policy_Disabled
+# All the test cases requires by default jumpers to be positioned
+# between 1 & 2. If this is not met test cases would fail
+# TODO:https://github.com/openbmc/openbmc-test-automation/issues/1644
+Validate Secure Cold Boot With TPM Policy Disabled
+ [Documentation] Validate secure cold boot with TPM policy disabled.
+ [Tags] Validate_Secure_Cold_Boot_With_TPM_Policy_Disabled
Validate Secure Boot With TPM Policy Enabled Or Disabled ${0}
-Validate Secure Boot With TPM Policy Enabled
- [Documentation] Validate secure boot with TPM policy enabled.
- [Tags] Validate_Secure_Boot_With_TPM_Policy_Enabled
+Validate Secure Cold Boot With TPM Policy Enabled
+ [Documentation] Validate secure cold boot with TPM policy enabled.
+ [Tags] Validate_Secure_Cold_Boot_With_TPM_Policy_Enabled
Validate Secure Boot With TPM Policy Enabled Or Disabled ${1}
-Violate Secure Boot Via Corrupt Key In SBE During Host Boot
- [Documentation] Violate secure boot via corrupt key SBE during host boot.
- [Tags] Violate_Secure_Boot_Via_Corrupt_Key_In_SBE_During_Host_Boot
+Secure Boot Violation Using Corrupt SBE Image On Cold Boot
+ [Documentation] Secure boot violation using corrupt SBE image on cold boot.
+ [Tags] Secure_Boot_Violation_Using_Corrupt_SBE_Image_On_Cold_Boot
- Violate Secure Boot Via Corrupt Key
- ... SBE ${pnor_corruption_src} ${bmc_image_dir_path}
+ Violate Secure Boot Using Corrupt Image
+ ... SBE ${pnor_corruption_rc} ${bmc_image_dir_path}
*** Keywords ***
-Violate Secure Boot Via Corrupt Key
- [Documentation] Cause secure boot violation during host boot
- ... with corrupted key.
- [Arguments] ${partition} ${error_src} ${bmc_image_dir_path}
+Violate Secure Boot Using Corrupt Image
+ [Documentation] Cause secure boot violation during cold boot
+ ... with corrupted image.
+ [Arguments] ${partition} ${error_rc} ${bmc_image_dir_path}
# Description of argument(s):
# partition The partition which is to be corrupted
# (e.g. "SBE", "HBI", "HBB", "HBRT", "HBBL", "OCC").
- # error_src The system reference code that is expected as a
+ # error_rc The RC that is expected as a
# result of the secure boot violation
- # (e.g. "BC8A1E07").
+ # (e.g. "SECUREBOOT::RC_ROM_VERIFY").
# bmc_image_dir_path BMC image path.
Set And Verify TPM Policy ${1}
@@ -78,14 +83,27 @@
# Load corrupted image to /usr/local/share/pnor.
Open Connection For SCP
Log ${bmc_image_dir_path}
+ Log ${error_rc}
+
scp.Put File
... ${EXEC_DIR}/data/pnor_test_data/${partition} ${bmc_image_dir_path}
- # Starting a power on.
- BMC Execute Command /usr/sbin/obmcutil poweron
- Wait Until Keyword Succeeds 10 min 10 sec Error Logs Should Exist
+ ${error_log_path}= Catenate ${SB_LOG_DIR_PATH}/partition-corruption
+ Create Directory ${error_log_path}
- Wait Until Keyword Succeeds 10 min 10 sec Collect Error Logs and Verify SRC ${error_src}
+ Set Global Variable ${error_log_path}
+ Log ${error_log_path}
+
+ # Starting a power on.
+ # TODO: Need to move to REST Power On. Needs more testing.
+ BMC Execute Command /usr/sbin/obmcutil poweron
+ Wait Until Keyword Succeeds 15 min 15 sec Error Logs Should Exist
+
+ #TODO: This will be enabled little later as more tesing required
+ #Wait Until Keyword Succeeds 5 min 5 sec Collect Error Logs and Verify SRC ${error_rc} ${error_log_path}
+
+ # Verify the RC 0x1E07 in the SOL logs.
+ Get And Verify Partition Corruption ${sol_log_file_path}
# Remove the file from /usr/local/share/pnor/.
BMC Execute Command rm -rf ${bmc_image_dir_path}*
@@ -97,23 +115,21 @@
Collect Error Logs and Verify SRC
- [Documentation] Collect error logs and verify src.
- [Arguments] ${system_reference_code}
+ [Documentation] Verify error log entry & signature description.
+ [Arguments] ${error_rc} ${log_prefix}
# Description of argument(s):
- # system_reference_code The system reference code that the caller
- # expects to be found among the existing
- # error log entries (e.g. "BC8A1E07").
- # system_reference_code Src code.
+ # error_rc Error log signature description.
+ # log_prefix Log path prefix.
- Convert eSEL To Elog Format ${FFDC_TOOL_DIR_PATH}
+ Error Logs Should Not Exist
- ${cmd}= Catenate
- ... grep -i ${system_reference_code} ${FFDC_TOOL_DIR_PATH}/esel.out.txt
- ${rc} ${output}= Run and Return RC and Output ${cmd}
+ Collect eSEL Log ${log_prefix}
+ ${error_log_file_path}= Catenate ${log_prefix}esel.txt
+ ${rc} ${output}= Run and Return RC and Output
+ ... grep -i ${error_rc} ${error_log_file_path}
Should Be Equal ${rc} ${0}
- ... msg=${system_reference_code} not found in the existing error logs.
-
+ Should Not Be Empty ${output}
Get And Verify Security Access Bit
[Documentation] Get and verify security access bit.
@@ -133,12 +149,34 @@
... msg=Return code from ${cmd} not zero.
# Verify the value of "Security Access Bit".
+ # If fails, probable issue is Jumper position.
${security_access_bit}= Convert to Integer ${security_access_bit_str}
${result}= Evaluate ${security_access_bit_mask} & ${security_access_bit}
Should Be Equal ${result} ${security_access_bit_mask}
... msg=System is not booted in secure mode. values=False
+Get And Verify Partition Corruption
+ [Documentation] Get and verify partition corruption.
+ [Arguments] ${sol_log_file_path}
+
+ # Description of argument(s):
+ # sol_log_file_path The path to the file containing SOL data
+ # which was collected during a REST Power On.
+
+ # Sample output:
+ # 44.47498|secure|Secureboot Failure plid = 0x90000007, rc = 0x1E07
+
+ ${cmd}= Catenate
+ ... grep -i "Secureboot Failure" ${sol_log_file_path} | awk '{ print $8 }'
+ ${rc} ${corruption_rc_str}= Run and Return RC and Output ${cmd}
+ Should Be Equal ${rc} ${0}
+ ... msg=Return code from ${cmd} not zero.
+
+ # Verify the RC 0x1E07 from sol output".
+ Should Be Equal As Strings ${corruption_rc_str} ${pnor_corruption_rc}
+ ... msg=SB violation due to PNOR partition corruption not reported. values=False
+
Validate Secure Boot With TPM Policy Enabled Or Disabled
[Documentation] Validate secure boot with TPM policy enabled or disabled.
@@ -166,20 +204,23 @@
Suite Setup Execution
- [Documentation] Suite Setup Execution
+ [Documentation] Suite Setup Execution.
- Run export PATH=$PATH:${FFDC_TOOL_DIR_PATH}
- Set Environment Variable ${FFDC_TOOL_DIR_PATH} ${FFDC_TOOL_DIR_PATH}
${bmc_image_dir_path}= Add Trailing Slash ${bmc_image_dir_path}
- ${bmc_guard_dir_path}= Add Trailing Slash ${bmc_guard_dir_path}
+
+ ${SB_LOG_DIR_PATH}= Catenate ${EXECDIR}/SB_logs/
+ Set Suite Variable ${SB_LOG_DIR_PATH}
+
+ Create Directory ${SB_LOG_DIR_PATH}
+ Empty Directory ${SB_LOG_DIR_PATH}
Set Global Variable ${bmc_image_dir_path}
Log ${bmc_image_dir_path}
BMC Execute Command rm -rf ${bmc_image_dir_path}*
- Set Global Variable ${bmc_guard_dir_path}
- Log ${bmc_guard_dir_path}
- BMC Execute Command rm -rf ${bmc_guard_dir_path}*
+ Set Global Variable ${bmc_guard_part_path}
+ Log ${bmc_guard_part_path}
+ BMC Execute Command rm -rf ${bmc_guard_part_path}
Test Setup Execution
@@ -194,7 +235,6 @@
Delete Error Logs And Verify
-
Test Teardown Execution
[Documentation] Test teardown execution.