| *** Settings *** |
| Documentation Secure boot related test cases. |
| |
| # Test Parameters: |
| # SEL to PEL conversion: |
| # https://github.com/openbmc/openbmc-test-automation/blob/master/docs/ |
| # openbmc_test_tools.md#converting-sels-to-readable-format |
| |
| Resource ../../lib/utils.robot |
| Resource ../../lib/state_manager.robot |
| Resource ../../lib/boot_utils.robot |
| Resource ../../lib/secure_utils.robot |
| Resource ../../lib/open_power_utils.robot |
| Resource ../../lib/logging_utils.robot |
| Resource ../../lib/openbmc_ffdc_methods.robot |
| |
| Library ../../lib/gen_misc.py |
| |
| Suite Setup Suite Setup Execution |
| Test Setup Test Setup Execution |
| Test Teardown Test Teardown Execution |
| |
| *** Variables *** |
| |
| ${security_access_bit_mask} ${0xC000000000000000} |
| # TODO: will enable this in next commit |
| #${pnor_corruption_rc} SECUREBOOT::RC_ROM_VERIFY |
| ${pnor_corruption_rc} 0x1E07 |
| ${bmc_image_dir_path} /usr/local/share/pnor |
| ${bmc_guard_part_path} /var/lib/phosphor-software-manager/pnor/prsv/GUARD |
| |
| *** Test Cases *** |
| |
| # All the test cases requires by default jumpers to be positioned |
| # between 1 & 2. If this is not met test cases would fail |
| # TODO:https://github.com/openbmc/openbmc-test-automation/issues/1644 |
| Validate Secure Cold Boot With TPM Policy Disabled |
| [Documentation] Validate secure cold boot with TPM policy disabled. |
| [Tags] Validate_Secure_Cold_Boot_With_TPM_Policy_Disabled |
| |
| Validate Secure Boot With TPM Policy Enabled Or Disabled ${0} |
| |
| |
| Validate Secure Cold Boot With TPM Policy Enabled |
| [Documentation] Validate secure cold boot with TPM policy enabled. |
| [Tags] Validate_Secure_Cold_Boot_With_TPM_Policy_Enabled |
| |
| Validate Secure Boot With TPM Policy Enabled Or Disabled ${1} |
| |
| |
| Secure Boot Violation Using Corrupt SBE Image On Cold Boot |
| [Documentation] Secure boot violation using corrupt SBE image on cold boot. |
| [Tags] Secure_Boot_Violation_Using_Corrupt_SBE_Image_On_Cold_Boot |
| |
| Violate Secure Boot Using Corrupt Image |
| ... SBE ${pnor_corruption_rc} ${bmc_image_dir_path} |
| |
| |
| *** Keywords *** |
| |
| Violate Secure Boot Using Corrupt Image |
| [Documentation] Cause secure boot violation during cold boot |
| ... with corrupted image. |
| [Arguments] ${partition} ${error_rc} ${bmc_image_dir_path} |
| |
| # Description of argument(s): |
| # partition The partition which is to be corrupted |
| # (e.g. "SBE", "HBI", "HBB", "HBRT", "HBBL", "OCC"). |
| # error_rc The RC that is expected as a |
| # result of the secure boot violation |
| # (e.g. "SECUREBOOT::RC_ROM_VERIFY"). |
| # bmc_image_dir_path BMC image path. |
| |
| Set And Verify TPM Policy ${1} |
| |
| # Descipiton: |
| # Cause a secure boot violation by copying an BMC image file to the |
| # target BMC and then starting a power on. |
| # This action should result in: |
| # 1) an error log entry |
| # 2) the system going to "Quiesced" state. |
| |
| # Load corrupted image to /usr/local/share/pnor. |
| Open Connection For SCP |
| Log ${bmc_image_dir_path} |
| Log ${error_rc} |
| |
| scp.Put File |
| ... ${EXEC_DIR}/data/pnor_test_data/${partition} ${bmc_image_dir_path} |
| |
| ${error_log_path}= Catenate ${SB_LOG_DIR_PATH}/partition-corruption |
| Create Directory ${error_log_path} |
| |
| Set Global Variable ${error_log_path} |
| Log ${error_log_path} |
| |
| # Starting a power on. |
| # TODO: Need to move to REST Power On. Needs more testing. |
| BMC Execute Command /usr/sbin/obmcutil poweron |
| Wait Until Keyword Succeeds 15 min 15 sec Error Logs Should Exist |
| |
| # TODO: This will be enabled little later as more tesing required |
| # Wait Until Keyword Succeeds |
| # ... 5 min 5 sec Collect Error Logs and Verify SRC ${error_rc} ${error_log_path} |
| |
| # Verify the RC 0x1E07 in the SOL logs. |
| Get And Verify Partition Corruption ${sol_log_file_path} |
| |
| # Remove the file from /usr/local/share/pnor/. |
| BMC Execute Command rm -rf ${bmc_image_dir_path}* |
| |
| # Check if system reaches quiesce state. |
| Run Keywords |
| ... Wait Until Keyword Succeeds 3 min 5 sec Is Host Quiesced AND |
| ... Recover Quiesced Host |
| |
| |
| Collect Error Logs and Verify SRC |
| [Documentation] Verify error log entry & signature description. |
| [Arguments] ${error_rc} ${log_prefix} |
| |
| # Description of argument(s): |
| # error_rc Error log signature description. |
| # log_prefix Log path prefix. |
| |
| Error Logs Should Not Exist |
| |
| Collect eSEL Log ${log_prefix} |
| ${error_log_file_path}= Catenate ${log_prefix}esel.txt |
| ${rc} ${output}= Run and Return RC and Output |
| ... grep -i ${error_rc} ${error_log_file_path} |
| Should Be Equal ${rc} ${0} |
| Should Not Be Empty ${output} |
| |
| Get And Verify Security Access Bit |
| [Documentation] Get and verify security access bit. |
| [Arguments] ${sol_log_file_path} |
| |
| # Description of argument(s): |
| # sol_log_file_path The path to the file containing SOL data |
| # which was collected during a REST Power On. |
| |
| # Sample output: |
| # 19.68481|SECURE|Security Access Bit> 0xC000000000000000 |
| |
| ${cmd}= Catenate |
| ... grep "Security Access Bit" ${sol_log_file_path} | awk '{ print $4 }' |
| ${rc} ${security_access_bit_str}= Run and Return RC and Output ${cmd} |
| Should Be Equal ${rc} ${0} |
| ... msg=Return code from ${cmd} not zero. |
| |
| # Verify the value of "Security Access Bit". |
| # If fails, probable issue is Jumper position. |
| |
| ${security_access_bit}= Convert to Integer ${security_access_bit_str} |
| ${result}= Evaluate ${security_access_bit_mask} & ${security_access_bit} |
| Should Be Equal ${result} ${security_access_bit_mask} |
| ... msg=System is not booted in secure mode. values=False |
| |
| Get And Verify Partition Corruption |
| [Documentation] Get and verify partition corruption. |
| [Arguments] ${sol_log_file_path} |
| |
| # Description of argument(s): |
| # sol_log_file_path The path to the file containing SOL data |
| # which was collected during a REST Power On. |
| |
| # Sample output: |
| # 44.47498|secure|Secureboot Failure plid = 0x90000007, rc = 0x1E07 |
| |
| ${cmd}= Catenate |
| ... grep -i "Secureboot Failure" ${sol_log_file_path} | awk '{ print $8 }' |
| ${rc} ${corruption_rc_str}= Run and Return RC and Output ${cmd} |
| Should Be Equal ${rc} ${0} |
| ... msg=Return code from ${cmd} not zero. |
| |
| # Verify the RC 0x1E07 from sol output". |
| Should Be Equal As Strings ${corruption_rc_str} ${pnor_corruption_rc} |
| ... msg=SB violation due to PNOR partition corruption not reported. values=False |
| |
| |
| Validate Secure Boot With TPM Policy Enabled Or Disabled |
| [Documentation] Validate secure boot with TPM policy enabled or disabled. |
| [Arguments] ${tpm_policy} |
| |
| # Description of argument(s): |
| # tpm_policy Enable-0 or Disable-1. |
| |
| Set And Verify TPM Policy ${tpm_policy} |
| REST Power On quiet=1 |
| Validate Secure Boot ${sol_log_file_path} |
| |
| |
| Validate Secure Boot |
| [Documentation] Validate secure boot. |
| [Arguments] ${sol_log_file_path} |
| |
| # Description of argument(s): |
| # sol_log_file_path The path to the file containing SOL data |
| # which was collected during a REST Power On. |
| |
| Get And Verify Security Access Bit ${sol_log_file_path} |
| Error Logs Should Not Exist |
| REST Verify No Gard Records |
| |
| |
| Suite Setup Execution |
| [Documentation] Suite Setup Execution. |
| |
| ${bmc_image_dir_path}= Add Trailing Slash ${bmc_image_dir_path} |
| |
| ${SB_LOG_DIR_PATH}= Catenate ${EXECDIR}/SB_logs/ |
| Set Suite Variable ${SB_LOG_DIR_PATH} |
| |
| Create Directory ${SB_LOG_DIR_PATH} |
| Empty Directory ${SB_LOG_DIR_PATH} |
| |
| Set Global Variable ${bmc_image_dir_path} |
| Log ${bmc_image_dir_path} |
| BMC Execute Command rm -rf ${bmc_image_dir_path}* |
| |
| Set Global Variable ${bmc_guard_part_path} |
| Log ${bmc_guard_part_path} |
| BMC Execute Command rm -rf ${bmc_guard_part_path} |
| |
| |
| Test Setup Execution |
| [Documentation] Test setup execution. |
| |
| ${timestamp}= Get Current Date result_format=%Y%m%d%H%M%S |
| ${sol_log_file_path}= Catenate ${EXECDIR}/Secure_SOL${timestamp} |
| Start SOL Console Logging ${sol_log_file_path} |
| Set Suite Variable ${sol_log_file_path} |
| |
| REST Power Off stack_mode=skip quiet=1 |
| Delete Error Logs And Verify |
| |
| |
| Test Teardown Execution |
| [Documentation] Test teardown execution. |
| |
| Stop SOL Console Logging |
| Run rm -rf ${sol_log_file_path} |
| |
| # Removing the corrupted file from BMC. |
| BMC Execute Command rm -rf ${bmc_image_dir_path}* |