diff options
author | Jonathan Cave <jonathan.cave@canonical.com> | 2019-08-20 17:21:17 +0100 |
---|---|---|
committer | Jonathan Cave <jonathan.cave@canonical.com> | 2019-08-21 11:04:44 +0100 |
commit | 9fd5b5f47e1e4bd202fe8e38d8d39a9b06429906 (patch) | |
tree | 0237cf74ded25508834e28e6667bfbbce86d1208 /units/tpm | |
parent | c2227f5176142269326d80c3f5566e6e4e795914 (diff) |
tpm: import from p-p-snappy
Diffstat (limited to 'units/tpm')
-rw-r--r-- | units/tpm/category.pxu | 9 | ||||
-rw-r--r-- | units/tpm/manifest.pxu | 10 | ||||
-rw-r--r-- | units/tpm/sysfs.pxu | 81 | ||||
-rw-r--r-- | units/tpm/test-plan.pxu | 56 | ||||
-rw-r--r-- | units/tpm/tpm.pxu | 285 |
5 files changed, 441 insertions, 0 deletions
diff --git a/units/tpm/category.pxu b/units/tpm/category.pxu new file mode 100644 index 00000000..612346b9 --- /dev/null +++ b/units/tpm/category.pxu @@ -0,0 +1,9 @@ +# Copyright 2015 Canonical Ltd. +# All rights reserved. +# +# Written by: +# Zygmunt Krynicki <zygmunt.krynicki@canonical.com> + +unit: category +id: tpm +_name: TPM (Trusted Platform Module) diff --git a/units/tpm/manifest.pxu b/units/tpm/manifest.pxu new file mode 100644 index 00000000..cef5c861 --- /dev/null +++ b/units/tpm/manifest.pxu @@ -0,0 +1,10 @@ +# Copyright 2015 Canonical Ltd. +# All rights reserved. +# +# Written by: +# Zygmunt Krynicki <zygmunt.krynicki@canonical.com> + +unit: manifest entry +id: has_tpm_chip +_name: TPM1.2 chip +value-type: bool diff --git a/units/tpm/sysfs.pxu b/units/tpm/sysfs.pxu new file mode 100644 index 00000000..fdbf3902 --- /dev/null +++ b/units/tpm/sysfs.pxu @@ -0,0 +1,81 @@ +# Copyright 2015 Canonical Ltd. +# All rights reserved. +# +# Written by: +# Zygmunt Krynicki <zygmunt.krynicki@canonical.com> + +unit: job +id: sysfs_tpm_count +category_id: tpm +plugin: resource +_summary: Count the number of visible TPM chips in sysfs +_description: + This job just counts the number of visible TPM chips in as reported by + tpm-sysfs-resource tool. The only resource attribute is 'count' +command: echo "count: $(tpm-sysfs-resource | grep -F 'x-sysfs-device-name' | wc -l)" +estimated_duration: 2s +flags: preserve-locale + +unit: job +id: sysfs_tpm +category_id: tpm +plugin: resource +_summary: Collect TPM information from sysfs +_description: + This job collects all the available TPM information from + /sys/class/tpm/*/device/*. +command: tpm-sysfs-resource +estimated_duration: 2s +flags: preserve-locale +# Tie this resource with the has_tpm_chip manifest entry. This way it will +# automatically get skipped (and everything along with it) when according to +# the manifest, there is no TPM chip on the DUT. +requires: manifest.has_tpm_chip == 'True' +imports: from com.canonical.plainbox import manifest + +unit: job +id: sysfs_tpm_after_taking_ownership +category_id: tpm +plugin: resource +after: action/take-ownership +_summary: Collect TPM information from sysfs (after taking ownership) +_description: + This job collects all the available TPM information from + /sys/class/tpm/*/device/*. Distinct files present there are converted to + attributes of resource records. +command: tpm-sysfs-resource +estimated_duration: 2s +flags: preserve-locale +# See note about manifest on the sysfs_tpm job above. +requires: manifest.has_tpm_chip == 'True' +imports: from com.canonical.plainbox import manifest + +unit: job +id: sysfs_tpm_after_clearing_ownership +category_id: tpm +plugin: resource +after: action/clear-ownership +_summary: Collect TPM information from sysfs (after clearing ownership) +_description: + This job collects all the available TPM information from + /sys/class/tpm/*/device/*. Distinct files present there are converted to + attributes of resource records. +command: tpm-sysfs-resource +estimated_duration: 2s +flags: preserve-locale +# See note about manifest on the sysfs_tpm job above. +requires: manifest.has_tpm_chip == 'True' +imports: from com.canonical.plainbox import manifest + +unit: job +id: sysfs_dmi +category_id: tpm +plugin: resource +_summary: Collect DMI information from sysfs +_description: + This job collects all the available DMI information from /sys/class/dmi/id/*. + The main purpose of including this job is to allow the provider to include + vendor-specific quirks by looking at the sysfs_dmi.bios_vendor attribute. +command: dmi-sysfs-resource +estimated_duration: 1s +flags: preserve-locale diff --git a/units/tpm/test-plan.pxu b/units/tpm/test-plan.pxu new file mode 100644 index 00000000..0aafb843 --- /dev/null +++ b/units/tpm/test-plan.pxu @@ -0,0 +1,56 @@ +# Copyright 2015 Canonical Ltd. +# All rights reserved. +# +# Written by: +# Zygmunt Krynicki <zygmunt.krynicki@canonical.com> + +unit: test plan +id: tpm-manual +_name: TPM (Trusted Platform Module) Smoke Tests +_description: + This test plan contains simple tests for the TPM chip. The tests will ensure + that the TPM chip is present, is visible by the OS and that ownership over the + chip can be taken. + . + After testing, a number of logs are collected for additional analysis. +estimated_duration: 20m +include: + # First just the manifest stuff (interactive collection + resource) + com.canonical.plainbox::collect-manifest + com.canonical.plainbox::manifest + # Vendor-specific, interactive recovery process. We want to educate the tester + # how they can reset the TPM chip from unknown state using vendor-specific + # instructions. + recovery/.*/clear-tpm-chip + # Generic setup path, we want to go from any TPM state (Active, Inactive, + # Disabled) to Active where we can perform useful tests. + setup/enable-inactive-tpm + setup/enable-disabled-tpm + # The first thing we want to try is to clear the ownership of the TPM chip + # This will let us ensure that all the other tests are independent of any + # ownership or data already stored there. + action/clear-ownership + # Which might require us to reboot / poweroff the machine to complete. + action/re-enable-tpm + # Next we want to take the ownership of the chip. + action/take-ownership + # Finally, with the TPM chip owned, we can perform some simple query jobs and + # collect everything. + query/.* + +unit: test plan +id: tpm-automated +_name: Collect TPM (Trusted Platform Module) Information +_description: + This test plan contains a selection of jobs that collect various bits of + information about a TPM chip. They are designed to run with an owned TPM chip + that uses well-known (20 zero bytes) owner key. + . + This test plan is not interactive. +estimated_duration: 1m +include: + com.canonical.plainbox::manifest + # Next we want to take the ownership of the chip if it's not owned yet. + action/take-ownership + # Then collect all of the information + query/.* diff --git a/units/tpm/tpm.pxu b/units/tpm/tpm.pxu new file mode 100644 index 00000000..584dc53e --- /dev/null +++ b/units/tpm/tpm.pxu @@ -0,0 +1,285 @@ +# Copyright 2015-2016 Canonical Ltd. +# All rights reserved. +# +# Written by: +# Zygmunt Krynicki <zygmunt.krynicki@canonical.com> + +unit: job +id: setup/enable-disabled-tpm +category_id: tpm +_summary: Use BIOS to activate a disabled TPM chip +_purpose: + This job will reconfigure the TPM chip to be in the Active state. +_steps: + To enable the TPM chip in the BIOS, write down the following instructions and + exit the testing application. + . + INSTRUCTIONS FOR ENABLING THE TPM CHIP: + . + - Commence the test to restart the machine + - Enter BIOS using machine-specific hot-key (typically F1, F2, or delete) + - Navigate to TPM menu, the precise location may depend on your BIOS version + and the make and model of your DUT. On some models it is under the + following menu: Security / Security Chip. + - Change the current setting to Active + - Save BIOS settings + - Power the machine off (NOTE: a reboot may not be sufficient) + - Power the machine back on again + - Let the machine boot + - Restart the testing application +plugin: user-interact +user: root +command: reboot +estimated_duration: 3m +flags: preserve-locale noreturn +# NOTE: This job will only run if we know we have a TPM chip (according to the +# manifest) but we don't see one in sysfs (because it's disabled). +requires: sysfs_tpm_count.count == "0" and manifest.has_tpm_chip == 'True' +imports: from com.canonical.plainbox import manifest + +unit: job +id: setup/enable-inactive-tpm +category_id: tpm +_summary: Use BIOS to activate an inactive TPM chip +_purpose: + This job will reconfigure the TPM chip to be in the Active state. +_steps: + To enable the TPM chip in the BIOS, write down the following instructions and + exit the testing application. + . + INSTRUCTIONS FOR ENABLING THE TPM CHIP: + . + - Commence the test to restart the machine + - Enter BIOS using machine-specific hot-key (typically F1, F2, or delete) + - Navigate to TPM menu, the precise location may depend on your BIOS version + and the make and model of your DUT. On some models it is under the + following menu: Security / Security Chip. + - Change the current setting to Active + - Save BIOS settings + - Power the machine off (NOTE: a reboot may not be sufficient) + - Power the machine back on again + - Let the machine boot + - Restart the testing application +plugin: user-interact +user: root +command: reboot +# NOTE: This job will only run if we know we have a TPM chip (according to the +# manifest, again) but sysfs claims it's temporarily deactivated (which is the +# confusing way to say it's inactive) +requires: sysfs_tpm_count.count != "0" and sysfs_tpm.temp_deactivated == "1" +estimated_duration: 3m +flags: preserve-locale noreturn + +unit: job +id: action/clear-ownership +category_id: tpm +_summary: Clear ownership of the TPM chip +_purpose: + This job tries to automatically clear the ownership of an owned TPM chip. It + uses well-known owner secret (20 bytes of zeros). + . + NOTE: The actual TPM chip will be cleared after the machine reboots. After + reboot the TPM will be in the default state: unowned, disabled and inactive. + Subsequent jobs will instruct test operator to enter BIOS and re-enable the + chip. +_steps: + INSTRUCTIONS FOR CLEARING THE TPM CHIP: + . + - Commence the test to reboot the machine + - Let the machine boot + - Restart the testing application +plugin: user-interact +command: + tpm.clear --log debug --well-known && reboot +requires: sysfs_tpm.owned == "1" and sysfs_tpm.enabled == "1" and sysfs_tpm.active == "1" and sysfs_tpm.temp_deactivated == "0" +estimated_duration: 5s +flags: preserve-locale preserve-cwd + +unit: job +id: action/re-enable-tpm +category_id: tpm +_summary: Re-enable TPM chip in BIOS (after clearing ownership) +_purpose: + This job will re-enable the TPM chip in the BIOS after having cleared the ownership. +_steps: + To enable the TPM chip in the BIOS, write down the following instructions and + exit the testing application. + . + INSTRUCTIONS FOR ENABLING THE TPM CHIP: + . + - Commence the test to restart the machine + - Enter BIOS using machine-specific hot-key (typically F1, F2, or delete) + - Navigate to TPM menu, the precise location may depend on your BIOS version + and the make and model of your DUT. On some models it is under the + following menu: Security / Security Chip. + - Change the current setting to Active. If it is already in the active state + then set it to Disabled and then back to Active. This might be a bug in the BIOS. + - Save BIOS settings + - Power the machine off (NOTE: a reboot may not be sufficient) + - Power the machine back on again + - Let the machine boot + - Restart the testing application +plugin: user-interact +user: root +command: reboot +requires: sysfs_tpm_after_clearing_ownership.owned == "0" and sysfs_tpm_after_clearing_ownership.enabled == "0" and sysfs_tpm_after_clearing_ownership.active == "0" and sysfs_tpm_after_clearing_ownership.temp_deactivated == "1" +estimated_duration: 3m +flags: preserve-locale noreturn + +unit: job +id: action/take-ownership +category_id: tpm +_summary: Take ownership of the TPM chip +_description: + This job tries to automatically take the ownership of an unowned TPM chip. It + uses well-known owner and SRK secretes (20 bytes of zeros). +plugin: shell +command: tpm.takeownership --log debug --owner-well-known --srk-well-known +requires: sysfs_tpm.owned == "0" and sysfs_tpm.enabled == "1" and sysfs_tpm.active == "1" and sysfs_tpm.temp_deactivated == "0" +estimated_duration: 5s +flags: preserve-locale preserve-cwd + +# A bunch of shell jobs that run various TPM commands + +unit: job +id: query/tpm_version +category_id: tpm +_summary: Collect the output of tpm_version +_description: + This job collects the output of "tpm_version" for inspection by a + Certification engineer. +plugin: shell +requires: snap.name == 'tpm' +command: tpm.version 2>&1 +estimated_duration: 1s +flags: preserve-locale preserve-cwd + +unit: job +id: query/tpm_selftest +category_id: tpm +_summary: Collect the output of tpm_selftest +_description: + This job collects the output of "tpm_selftest" for inspection by the + Certification engineer. +plugin: shell +requires: snap.name == 'tpm' +command: tpm.selftest 2>&1 +estimated_duration: 1s +flags: preserve-locale preserve-cwd + +unit: job +id: query/tpm_setactive-status +category_id: tpm +_summary: Collect the output of tpm_setactive --status --well-known +_description: + This simply collects the output of "tpm_setactive --status --well-known" for + inspection by a Certification engineer. +plugin: shell +requires: snap.name == 'tpm' +command: tpm.setactive --status --well-known 2>&1 +estimated_duration: 1s +flags: preserve-locale preserve-cwd + +unit: job +id: query/tpm_nvinfo +category_id: tpm +_summary: Collect the output of tpm_nvinfo +_description: + This simply collects the output of "tpm_nvinfo" for inspection by a + Certification engineer. +plugin: shell +requires: snap.name == 'tpm' +command: tpm.nvinfo +estimated_duration: 1s +flags: preserve-locale preserve-cwd + +unit: job +id: query/tpm_restrictpubek-status +category_id: tpm +_summary: Collect the output of tpm_restrictpubek --status --well-known +_description: + This simply collects the output of "tpm_restrictpubek --status --well-known" + for inspection by a Certification engineer. +plugin: shell +requires: snap.name == 'tpm' +command: tpm.restrictpubek --status --well-known +estimated_duration: 1s +flags: preserve-locale preserve-cwd + +unit: job +id: query/tpm_restrictsrk-status +category_id: tpm +_summary: Collect the output of tpm_restrictsrk --status --well-known +_description: + This simply collects the output of "tpm_restrictsrk --status --well-known" + for inspection by a Certification engineer. +plugin: shell +requires: snap.name == 'tpm' +command: tpm.restrictsrk --status --well-known +estimated_duration: 1s +flags: preserve-locale preserve-cwd + +unit: job +id: query/tpm_setclearable-status +category_id: tpm +_summary: Collect the output of tpm_setclearable--status --well-known +_description: + This simply collects the output of "tpm_setclearable --status --well-known" + for inspection by a Certification engineer. +plugin: shell +requires: snap.name == 'tpm' +command: tpm.setclearable --status --well-known +estimated_duration: 1s +flags: preserve-locale preserve-cwd + +unit: job +id: query/tpm_setenable-status +category_id: tpm +_summary: Collect the output of tpm_setenable --status --well-known +_description: + This simply collects the output of "tpm_setenable --status --well-known" + for inspection by a Certification engineer. +plugin: shell +requires: snap.name == 'tpm' +command: tpm.setenable --status --well-known +estimated_duration: 1s +flags: preserve-locale preserve-cwd + +unit: job +id: query/tpm_setownable-status +category_id: tpm +_summary: Collect the output of tpm_setownable --status --well-known +_description: + This simply collects the output of "tpm_setownable --status --well-known" + for inspection by a Certification engineer. +plugin: shell +requires: snap.name == 'tpm' +command: tpm.setownable --status --well-known +estimated_duration: 1s +flags: preserve-locale preserve-cwd + +unit: job +id: query/tpm_setpresence -status +category_id: tpm +_summary: Collect the output of tpm_setpresence --status --well-known +_description: + This simply collects the output of "tpm_setpresence --status --well-known" + for inspection by a Certification engineer. +plugin: shell +requires: snap.name == 'tpm' +command: tpm.setpresence --status --well-known +estimated_duration: 1s +flags: preserve-locale preserve-cwd + +unit: job +id: query/tpm_getpubek +category_id: tpm +_summary: Collect the output of tpm_getpubek --well-known +_description: + This simply collects the output of "tpm_getpubek --well-known" + for inspection by a Certification engineer. +plugin: shell +requires: snap.name == 'tpm' +command: tpm.getpubek --well-known +estimated_duration: 1s +flags: preserve-locale preserve-cwd |