Add support to test TF-A Measured Boot through an external TPM service.
Perform automatic tests to ensure that Measured Boot functionality on
TF-A can interact with an external TPM service.
This patch performs the following tests:
1.- Check that PCR0 Digest is not all zeros
2.- Check that the rest of the PCRs are all zero
3.- Check that the event log written by TF-A is the same as read by
the TPM service.
The patch is not meant to test whether the digests are correct or not
(testing if the TPM service is buggy or not is beyond the scope of
this test). It just tests that an external TPM service is able to
access the TPM event log generated by TF-A and that it can be properly
processed.
Change-Id: I5fba87005886ff549345bd92675d2f2a9fe44e79
Signed-off-by: Javier Almansa Sobrino <javier.almansasobrino@arm.com>
diff --git a/expect/linux-tpm.exp b/expect/linux-tpm.exp
new file mode 100644
index 0000000..9d137e8
--- /dev/null
+++ b/expect/linux-tpm.exp
@@ -0,0 +1,110 @@
+#
+# Copyright (c) 2020, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# Expect script for Linux/Buildroot using Measured Boot & fTPM
+#
+
+source [file join [file dirname [info script]] utils.inc]
+source [file join [file dirname [info script]] handle-arguments.inc]
+
+# File to store the event log from the ftpm service.
+set TFA_DIGEST [get_param tfa_digest "tfa_event_log"]
+set digest_log [open $TFA_DIGEST w]
+
+# regexp for non-zero PCR0
+set non_zero_pcr "(?!(\\s00){16})((\\s(\[0-9a-f\]){2}){16}\\s)"
+
+expect {
+ # Parse the event log from the debug logs and store the digests
+ # so they can be matched later with what the fTPM read.
+
+ -re "Digest(\\s|\\w)*:\\s(\\w{2}\\s){16}|\
+ : (\\w{2}\\s){16}|\
+ Event(\\s|\\w)*:\\s\\w+\\s" {
+ puts $digest_log $expect_out(0,string)
+ exp_continue
+ }
+
+ -exact "Booting BL31" {
+ close $digest_log
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ "login" {
+ send "root\n"
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ "#" {
+ # Load the fTPM driver and retrieves PCR0
+ send "ftpm\n"
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ # Pass condition: PCR0 must not be all zeros.
+
+ -re $non_zero_pcr {
+ exp_continue
+ }
+
+ "#" { }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+# Iterate over the rest of PCRs and check that they all are zeros.
+for {set i 1} {$i < 11} {incr i} {
+ send "pcrread -ha $i\n"
+
+ expect {
+ -re "(\\s00){16}\\s+(00\\s){16}" { }
+
+ -re $non_zero_pcr {
+ exit_uart -1
+ }
+
+ timeout {
+ exit_timeout
+ }
+ }
+}
+
+# Match the previously stored digest with the one generated by the
+# fTPM service. The pass criteria is that both digests must match,
+# meaning that TF-A successfully passed the event log to the TPM service.
+expect {
+ "#" {
+ spawn diff -s $TFA_DIGEST ftpm_event_log
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ -exact "are identical" {
+ exit_uart 0
+ }
+}
+
+exit_uart -1
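Review bot: The "PCR0 must not be all zeros" expect block (the one after `send "ftpm\n"`) never fails when PCR0 is all zeros: the only patterns are `-re $non_zero_pcr` (which just continues) and `"#" { }`, so an all-zero PCR0 simply matches the prompt and the script proceeds to the PCR 1–10 loop as if the check had passed. Mirroring the loop's all-zero pattern with a failing action closes the gap: add `-re "(\\s00){16}\\s+(00\\s){16}" { exit_uart -1 }` before the `"#" { }` pattern, and a comment such as `# Fail condition: an all-zero PCR0 means no measurement was extended` would make the intent explicit. The loop bound `$i < 11` checks only PCRs 1–10; if the fTPM exposes more (a TPM 2.0 typically has 24) the rest go unchecked, so the intended range is worth stating in the comment above the loop. The final `expect { -exact "are identical" ... }` has no timeout branch and relies on falling through to `exit_uart -1`, which works but differs from the other blocks; it is also not obvious from the hunk how `ftpm_event_log` becomes visible to the host-side `diff`, so a one-line comment on where that file comes from would help the next reader.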