feat(handoff): add measured boot tftf config
Add test configuration to test firmware handoff with the measured boot
enabled. In TFTF receive the transfer list and if there's a present
event log, run some sanity checks to make sure that the log is valid.
Dump the event log for processing by the expect scripts.
Change-Id: Icbcd00ca739d8b47ba66e64745193f2432659334
Signed-off-by: Harrison Mutai <harrison.mutai@arm.com>
diff --git a/expect/tftf.inc b/expect/tftf.inc
index 2b671fd..b47d1c3 100644
--- a/expect/tftf.inc
+++ b/expect/tftf.inc
@@ -10,6 +10,10 @@
expect_re "Running at NS-EL(1|2)"
+if {[info exists ::env(measured_boot)]} {
+ capture_and_compare_log tftf_event_log "TEST COMPLETE" tfa_event_log
+}
+
expect {
"Tests Failed : 0" {
expect_string "Exiting tests." "all TFTF tests passed"
diff --git a/expect/trusted-firmware.inc b/expect/trusted-firmware.inc
index d19d7e7..15c2359 100644
--- a/expect/trusted-firmware.inc
+++ b/expect/trusted-firmware.inc
@@ -24,9 +24,15 @@
message "BL2 loading error"
exit_uart -1
}
- }
+ }
- expect_string "BL1: Booting BL31"
+ # Capture the event log from TF-A if we are running with measured boot
+ # enabled.
+ if {[info exists ::env(measured_boot)]} {
+ capture_log tfa_event_log "BL1: Booting BL31"
+ } else {
+ expect_string "BL1: Booting BL31"
+ }
} else {
message "Skipping early boot messages from BL1 and BL2"
}
diff --git a/expect/tsp.exp b/expect/tsp.exp
index f152335..24b99fd 100644
--- a/expect/tsp.exp
+++ b/expect/tsp.exp
@@ -43,4 +43,11 @@
}
}
-source [file join [file dirname [info script]] uart-hold.inc]
+# In case of measured boot, capture the event log that's been passed to the TSP,
+# this is used to ensure that the same event log is produced in BL2. Match the
+# previously stored digest with the one generated by the TSP service.
+if {[info exists ::env(measured_boot)]} {
+ capture_and_compare_log tsp_event_log "TSP: cpu" tfa_event_log
+}
+
+source [file join [file dirname [info script]] uart-hold.inc]
\ No newline at end of file
diff --git a/expect/utils.inc b/expect/utils.inc
index 48f72de..d9113d7 100644
--- a/expect/utils.inc
+++ b/expect/utils.inc
@@ -104,3 +104,37 @@
}
}
}
+
+proc capture_log {out end_re} {
+ set event_log [open $out w]
+ expect "TCG_EfiSpecIDEvent"
+
+ expect {
+ # Parse the event log from the debug logs and store the digests
+ # so they can be matched later with what TF-A stored on the event log.
+ -re "Digest(\\s|\\w)*:\\s(\\w{2}\\s){16}|\
+ : (\\w{2}\\s){16}|\
+ (Event|EventType|EventSize)\\s*:\\s\\w+\\s" {
+ puts $event_log $expect_out(0,string)
+ exp_continue
+ }
+
+ -re "$end_re" {
+ close $event_log
+ }
+ }
+}
+
+proc capture_and_compare_log {out end_re compare} {
+ set event_log [open $out w]
+ capture_log $out $end_re
+
+ # Match the previously the given digests. The pass criteria is that both
+ # digests must match.
+ if {[catch {exec diff -s $out $compare} result options] == 0} {
+ message "tests succeeded, digests matched"
+ } else {
+ message "tests failed, digests did not match"
+ exit_uart -1
+ }
+}
diff --git a/group/tftf-l2-fvp/fvp-tbb-psa-mbedtls-mb-tspd-handoff,fvp-aarch64-handoff:fvp-tftf-fip.tftf-aemva-tspd-debug b/group/tftf-l2-fvp/fvp-tbb-psa-mbedtls-mb-tspd-handoff,fvp-aarch64-handoff:fvp-tftf-fip.tftf-aemva-tspd-debug
new file mode 100644
index 0000000..efa52ef
--- /dev/null
+++ b/group/tftf-l2-fvp/fvp-tbb-psa-mbedtls-mb-tspd-handoff,fvp-aarch64-handoff:fvp-tftf-fip.tftf-aemva-tspd-debug
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2025 Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+fetch_tf_resource() {
+ uart="0" set_expect_variable "measured_boot" "1"
+ uart="2" set_expect_variable "measured_boot" "1"
+}
diff --git a/script/tf-coverity/tf-cov-make b/script/tf-coverity/tf-cov-make
index ba307a4..a6dd752 100755
--- a/script/tf-coverity/tf-cov-make
+++ b/script/tf-coverity/tf-cov-make
@@ -160,6 +160,8 @@
clean_build $fvp_common_flags TRANSFER_LIST=1
clean_build $fvp_common_flags CROSS_COMPILE=arm-none-eabi- TRANSFER_LIST=1 \
AARCH32_SP=sp_min ARCH=aarch32
+clean_build $fvp_common_flags TRANSFER_LIST=1 ${ARM_TBB_OPTIONS} \
+ MBOOT_EL_HASH_ALG=sha256 MEASURED_BOOT=1
# HOB List support
clean_build $fvp_common_flags HOB_LIST=1
diff --git a/tf_config/fvp-tbb-psa-mbedtls-mb-tspd-handoff b/tf_config/fvp-tbb-psa-mbedtls-mb-tspd-handoff
new file mode 100644
index 0000000..76a7041
--- /dev/null
+++ b/tf_config/fvp-tbb-psa-mbedtls-mb-tspd-handoff
@@ -0,0 +1,12 @@
+ARM_ROTPK_LOCATION=devel_rsa
+CROSS_COMPILE=aarch64-none-elf-
+EVENT_LOG_LEVEL=20
+MEASURED_BOOT=1
+FVP_TRUSTED_SRAM_SIZE=384
+GENERATE_COT=1
+PLAT=fvp
+PSA_CRYPTO=1
+ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem
+SPD=tspd
+TRUSTED_BOARD_BOOT=1
+TRANSFER_LIST=1