summaryrefslogtreecommitdiff
path: root/units/tpm
diff options
authorJonathan Cave <jonathan.cave@canonical.com>2019-08-20 17:21:17 +0100
committerJonathan Cave <jonathan.cave@canonical.com>2019-08-21 11:04:44 +0100
commit9fd5b5f47e1e4bd202fe8e38d8d39a9b06429906 (patch)
tree0237cf74ded25508834e28e6667bfbbce86d1208 /units/tpm
parentc2227f5176142269326d80c3f5566e6e4e795914 (diff)
tpm: import from p-p-snappy
Diffstat (limited to 'units/tpm')
-rw-r--r--units/tpm/category.pxu9
-rw-r--r--units/tpm/manifest.pxu10
-rw-r--r--units/tpm/sysfs.pxu81
-rw-r--r--units/tpm/test-plan.pxu56
-rw-r--r--units/tpm/tpm.pxu285
5 files changed, 441 insertions, 0 deletions
diff --git a/units/tpm/category.pxu b/units/tpm/category.pxu
new file mode 100644
index 00000000..612346b9
--- /dev/null
+++ b/units/tpm/category.pxu
@@ -0,0 +1,9 @@
+# Copyright 2015 Canonical Ltd.
+# All rights reserved.
+#
+# Written by:
+# Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+
+unit: category
+id: tpm
+_name: TPM (Trusted Platform Module)
diff --git a/units/tpm/manifest.pxu b/units/tpm/manifest.pxu
new file mode 100644
index 00000000..cef5c861
--- /dev/null
+++ b/units/tpm/manifest.pxu
@@ -0,0 +1,10 @@
+# Copyright 2015 Canonical Ltd.
+# All rights reserved.
+#
+# Written by:
+# Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+
+unit: manifest entry
+id: has_tpm_chip
+_name: TPM1.2 chip
+value-type: bool
diff --git a/units/tpm/sysfs.pxu b/units/tpm/sysfs.pxu
new file mode 100644
index 00000000..fdbf3902
--- /dev/null
+++ b/units/tpm/sysfs.pxu
@@ -0,0 +1,81 @@
+# Copyright 2015 Canonical Ltd.
+# All rights reserved.
+#
+# Written by:
+# Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+
+unit: job
+id: sysfs_tpm_count
+category_id: tpm
+plugin: resource
+_summary: Count the number of visible TPM chips in sysfs
+_description:
+ This job just counts the number of visible TPM chips in as reported by
+ tpm-sysfs-resource tool. The only resource attribute is 'count'
+command: echo "count: $(tpm-sysfs-resource | grep -F 'x-sysfs-device-name' | wc -l)"
+estimated_duration: 2s
+flags: preserve-locale
+
+unit: job
+id: sysfs_tpm
+category_id: tpm
+plugin: resource
+_summary: Collect TPM information from sysfs
+_description:
+ This job collects all the available TPM information from
+ /sys/class/tpm/*/device/*.
+command: tpm-sysfs-resource
+estimated_duration: 2s
+flags: preserve-locale
+# Tie this resource with the has_tpm_chip manifest entry. This way it will
+# automatically get skipped (and everything along with it) when according to
+# the manifest, there is no TPM chip on the DUT.
+requires: manifest.has_tpm_chip == 'True'
+imports: from com.canonical.plainbox import manifest
+
+unit: job
+id: sysfs_tpm_after_taking_ownership
+category_id: tpm
+plugin: resource
+after: action/take-ownership
+_summary: Collect TPM information from sysfs (after taking ownership)
+_description:
+ This job collects all the available TPM information from
+ /sys/class/tpm/*/device/*. Distinct files present there are converted to
+ attributes of resource records.
+command: tpm-sysfs-resource
+estimated_duration: 2s
+flags: preserve-locale
+# See note about manifest on the sysfs_tpm job above.
+requires: manifest.has_tpm_chip == 'True'
+imports: from com.canonical.plainbox import manifest
+
+unit: job
+id: sysfs_tpm_after_clearing_ownership
+category_id: tpm
+plugin: resource
+after: action/clear-ownership
+_summary: Collect TPM information from sysfs (after clearing ownership)
+_description:
+ This job collects all the available TPM information from
+ /sys/class/tpm/*/device/*. Distinct files present there are converted to
+ attributes of resource records.
+command: tpm-sysfs-resource
+estimated_duration: 2s
+flags: preserve-locale
+# See note about manifest on the sysfs_tpm job above.
+requires: manifest.has_tpm_chip == 'True'
+imports: from com.canonical.plainbox import manifest
+
+unit: job
+id: sysfs_dmi
+category_id: tpm
+plugin: resource
+_summary: Collect DMI information from sysfs
+_description:
+ This job collects all the available DMI information from /sys/class/dmi/id/*.
+ The main purpose of including this job is to allow the provider to include
+ vendor-specific quirks by looking at the sysfs_dmi.bios_vendor attribute.
+command: dmi-sysfs-resource
+estimated_duration: 1s
+flags: preserve-locale
diff --git a/units/tpm/test-plan.pxu b/units/tpm/test-plan.pxu
new file mode 100644
index 00000000..0aafb843
--- /dev/null
+++ b/units/tpm/test-plan.pxu
@@ -0,0 +1,56 @@
+# Copyright 2015 Canonical Ltd.
+# All rights reserved.
+#
+# Written by:
+# Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+
+unit: test plan
+id: tpm-manual
+_name: TPM (Trusted Platform Module) Smoke Tests
+_description:
+ This test plan contains simple tests for the TPM chip. The tests will ensure
+ that the TPM chip is present, is visible by the OS and that ownership over the
+ chip can be taken.
+ .
+ After testing, a number of logs are collected for additional analysis.
+estimated_duration: 20m
+include:
+ # First just the manifest stuff (interactive collection + resource)
+ com.canonical.plainbox::collect-manifest
+ com.canonical.plainbox::manifest
+ # Vendor-specific, interactive recovery process. We want to educate the tester
+ # how they can reset the TPM chip from unknown state using vendor-specific
+ # instructions.
+ recovery/.*/clear-tpm-chip
+ # Generic setup path, we want to go from any TPM state (Active, Inactive,
+ # Disabled) to Active where we can perform useful tests.
+ setup/enable-inactive-tpm
+ setup/enable-disabled-tpm
+ # The first thing we want to try is to clear the ownership of the TPM chip
+ # This will let us ensure that all the other tests are independent of any
+ # ownership or data already stored there.
+ action/clear-ownership
+ # Which might require us to reboot / poweroff the machine to complete.
+ action/re-enable-tpm
+ # Next we want to take the ownership of the chip.
+ action/take-ownership
+ # Finally, with the TPM chip owned, we can perform some simple query jobs and
+ # collect everything.
+ query/.*
+
+unit: test plan
+id: tpm-automated
+_name: Collect TPM (Trusted Platform Module) Information
+_description:
+ This test plan contains a selection of jobs that collect various bits of
+ information about a TPM chip. They are designed to run with an owned TPM chip
+ that uses well-known (20 zero bytes) owner key.
+ .
+ This test plan is not interactive.
+estimated_duration: 1m
+include:
+ com.canonical.plainbox::manifest
+ # Next we want to take the ownership of the chip if it's not owned yet.
+ action/take-ownership
+ # Then collect all of the information
+ query/.*
diff --git a/units/tpm/tpm.pxu b/units/tpm/tpm.pxu
new file mode 100644
index 00000000..584dc53e
--- /dev/null
+++ b/units/tpm/tpm.pxu
@@ -0,0 +1,285 @@
+# Copyright 2015-2016 Canonical Ltd.
+# All rights reserved.
+#
+# Written by:
+# Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
+
+unit: job
+id: setup/enable-disabled-tpm
+category_id: tpm
+_summary: Use BIOS to activate a disabled TPM chip
+_purpose:
+ This job will reconfigure the TPM chip to be in the Active state.
+_steps:
+ To enable the TPM chip in the BIOS, write down the following instructions and
+ exit the testing application.
+ .
+ INSTRUCTIONS FOR ENABLING THE TPM CHIP:
+ .
+ - Commence the test to restart the machine
+ - Enter BIOS using machine-specific hot-key (typically F1, F2, or delete)
+ - Navigate to TPM menu, the precise location may depend on your BIOS version
+ and the make and model of your DUT. On some models it is under the
+ following menu: Security / Security Chip.
+ - Change the current setting to Active
+ - Save BIOS settings
+ - Power the machine off (NOTE: a reboot may not be sufficient)
+ - Power the machine back on again
+ - Let the machine boot
+ - Restart the testing application
+plugin: user-interact
+user: root
+command: reboot
+estimated_duration: 3m
+flags: preserve-locale noreturn
+# NOTE: This job will only run if we know we have a TPM chip (according to the
+# manifest) but we don't see one in sysfs (because it's disabled).
+requires: sysfs_tpm_count.count == "0" and manifest.has_tpm_chip == 'True'
+imports: from com.canonical.plainbox import manifest
+
+unit: job
+id: setup/enable-inactive-tpm
+category_id: tpm
+_summary: Use BIOS to activate an inactive TPM chip
+_purpose:
+ This job will reconfigure the TPM chip to be in the Active state.
+_steps:
+ To enable the TPM chip in the BIOS, write down the following instructions and
+ exit the testing application.
+ .
+ INSTRUCTIONS FOR ENABLING THE TPM CHIP:
+ .
+ - Commence the test to restart the machine
+ - Enter BIOS using machine-specific hot-key (typically F1, F2, or delete)
+ - Navigate to TPM menu, the precise location may depend on your BIOS version
+ and the make and model of your DUT. On some models it is under the
+ following menu: Security / Security Chip.
+ - Change the current setting to Active
+ - Save BIOS settings
+ - Power the machine off (NOTE: a reboot may not be sufficient)
+ - Power the machine back on again
+ - Let the machine boot
+ - Restart the testing application
+plugin: user-interact
+user: root
+command: reboot
+# NOTE: This job will only run if we know we have a TPM chip (according to the
+# manifest, again) but sysfs claims it's temporarily deactivated (which is the
+# confusing way to say it's inactive)
+requires: sysfs_tpm_count.count != "0" and sysfs_tpm.temp_deactivated == "1"
+estimated_duration: 3m
+flags: preserve-locale noreturn
+
+unit: job
+id: action/clear-ownership
+category_id: tpm
+_summary: Clear ownership of the TPM chip
+_purpose:
+ This job tries to automatically clear the ownership of an owned TPM chip. It
+ uses well-known owner secret (20 bytes of zeros).
+ .
+ NOTE: The actual TPM chip will be cleared after the machine reboots. After
+ reboot the TPM will be in the default state: unowned, disabled and inactive.
+ Subsequent jobs will instruct test operator to enter BIOS and re-enable the
+ chip.
+_steps:
+ INSTRUCTIONS FOR CLEARING THE TPM CHIP:
+ .
+ - Commence the test to reboot the machine
+ - Let the machine boot
+ - Restart the testing application
+plugin: user-interact
+command:
+ tpm.clear --log debug --well-known && reboot
+requires: sysfs_tpm.owned == "1" and sysfs_tpm.enabled == "1" and sysfs_tpm.active == "1" and sysfs_tpm.temp_deactivated == "0"
+estimated_duration: 5s
+flags: preserve-locale preserve-cwd
+
+unit: job
+id: action/re-enable-tpm
+category_id: tpm
+_summary: Re-enable TPM chip in BIOS (after clearing ownership)
+_purpose:
+ This job will re-enable the TPM chip in the BIOS after having cleared the ownership.
+_steps:
+ To enable the TPM chip in the BIOS, write down the following instructions and
+ exit the testing application.
+ .
+ INSTRUCTIONS FOR ENABLING THE TPM CHIP:
+ .
+ - Commence the test to restart the machine
+ - Enter BIOS using machine-specific hot-key (typically F1, F2, or delete)
+ - Navigate to TPM menu, the precise location may depend on your BIOS version
+ and the make and model of your DUT. On some models it is under the
+ following menu: Security / Security Chip.
+ - Change the current setting to Active. If it is already in the active state
+ then set it to Disabled and then back to Active. This might be a bug in the BIOS.
+ - Save BIOS settings
+ - Power the machine off (NOTE: a reboot may not be sufficient)
+ - Power the machine back on again
+ - Let the machine boot
+ - Restart the testing application
+plugin: user-interact
+user: root
+command: reboot
+requires: sysfs_tpm_after_clearing_ownership.owned == "0" and sysfs_tpm_after_clearing_ownership.enabled == "0" and sysfs_tpm_after_clearing_ownership.active == "0" and sysfs_tpm_after_clearing_ownership.temp_deactivated == "1"
+estimated_duration: 3m
+flags: preserve-locale noreturn
+
+unit: job
+id: action/take-ownership
+category_id: tpm
+_summary: Take ownership of the TPM chip
+_description:
+ This job tries to automatically take the ownership of an unowned TPM chip. It
+ uses well-known owner and SRK secretes (20 bytes of zeros).
+plugin: shell
+command: tpm.takeownership --log debug --owner-well-known --srk-well-known
+requires: sysfs_tpm.owned == "0" and sysfs_tpm.enabled == "1" and sysfs_tpm.active == "1" and sysfs_tpm.temp_deactivated == "0"
+estimated_duration: 5s
+flags: preserve-locale preserve-cwd
+
+# A bunch of shell jobs that run various TPM commands
+
+unit: job
+id: query/tpm_version
+category_id: tpm
+_summary: Collect the output of tpm_version
+_description:
+ This job collects the output of "tpm_version" for inspection by a
+ Certification engineer.
+plugin: shell
+requires: snap.name == 'tpm'
+command: tpm.version 2>&1
+estimated_duration: 1s
+flags: preserve-locale preserve-cwd
+
+unit: job
+id: query/tpm_selftest
+category_id: tpm
+_summary: Collect the output of tpm_selftest
+_description:
+ This job collects the output of "tpm_selftest" for inspection by the
+ Certification engineer.
+plugin: shell
+requires: snap.name == 'tpm'
+command: tpm.selftest 2>&1
+estimated_duration: 1s
+flags: preserve-locale preserve-cwd
+
+unit: job
+id: query/tpm_setactive-status
+category_id: tpm
+_summary: Collect the output of tpm_setactive --status --well-known
+_description:
+ This simply collects the output of "tpm_setactive --status --well-known" for
+ inspection by a Certification engineer.
+plugin: shell
+requires: snap.name == 'tpm'
+command: tpm.setactive --status --well-known 2>&1
+estimated_duration: 1s
+flags: preserve-locale preserve-cwd
+
+unit: job
+id: query/tpm_nvinfo
+category_id: tpm
+_summary: Collect the output of tpm_nvinfo
+_description:
+ This simply collects the output of "tpm_nvinfo" for inspection by a
+ Certification engineer.
+plugin: shell
+requires: snap.name == 'tpm'
+command: tpm.nvinfo
+estimated_duration: 1s
+flags: preserve-locale preserve-cwd
+
+unit: job
+id: query/tpm_restrictpubek-status
+category_id: tpm
+_summary: Collect the output of tpm_restrictpubek --status --well-known
+_description:
+ This simply collects the output of "tpm_restrictpubek --status --well-known"
+ for inspection by a Certification engineer.
+plugin: shell
+requires: snap.name == 'tpm'
+command: tpm.restrictpubek --status --well-known
+estimated_duration: 1s
+flags: preserve-locale preserve-cwd
+
+unit: job
+id: query/tpm_restrictsrk-status
+category_id: tpm
+_summary: Collect the output of tpm_restrictsrk --status --well-known
+_description:
+ This simply collects the output of "tpm_restrictsrk --status --well-known"
+ for inspection by a Certification engineer.
+plugin: shell
+requires: snap.name == 'tpm'
+command: tpm.restrictsrk --status --well-known
+estimated_duration: 1s
+flags: preserve-locale preserve-cwd
+
+unit: job
+id: query/tpm_setclearable-status
+category_id: tpm
+_summary: Collect the output of tpm_setclearable--status --well-known
+_description:
+ This simply collects the output of "tpm_setclearable --status --well-known"
+ for inspection by a Certification engineer.
+plugin: shell
+requires: snap.name == 'tpm'
+command: tpm.setclearable --status --well-known
+estimated_duration: 1s
+flags: preserve-locale preserve-cwd
+
+unit: job
+id: query/tpm_setenable-status
+category_id: tpm
+_summary: Collect the output of tpm_setenable --status --well-known
+_description:
+ This simply collects the output of "tpm_setenable --status --well-known"
+ for inspection by a Certification engineer.
+plugin: shell
+requires: snap.name == 'tpm'
+command: tpm.setenable --status --well-known
+estimated_duration: 1s
+flags: preserve-locale preserve-cwd
+
+unit: job
+id: query/tpm_setownable-status
+category_id: tpm
+_summary: Collect the output of tpm_setownable --status --well-known
+_description:
+ This simply collects the output of "tpm_setownable --status --well-known"
+ for inspection by a Certification engineer.
+plugin: shell
+requires: snap.name == 'tpm'
+command: tpm.setownable --status --well-known
+estimated_duration: 1s
+flags: preserve-locale preserve-cwd
+
+unit: job
+id: query/tpm_setpresence -status
+category_id: tpm
+_summary: Collect the output of tpm_setpresence --status --well-known
+_description:
+ This simply collects the output of "tpm_setpresence --status --well-known"
+ for inspection by a Certification engineer.
+plugin: shell
+requires: snap.name == 'tpm'
+command: tpm.setpresence --status --well-known
+estimated_duration: 1s
+flags: preserve-locale preserve-cwd
+
+unit: job
+id: query/tpm_getpubek
+category_id: tpm
+_summary: Collect the output of tpm_getpubek --well-known
+_description:
+ This simply collects the output of "tpm_getpubek --well-known"
+ for inspection by a Certification engineer.
+plugin: shell
+requires: snap.name == 'tpm'
+command: tpm.getpubek --well-known
+estimated_duration: 1s
+flags: preserve-locale preserve-cwd