From d5927cd01e761177d7dde9db072e48c11c1c3ed8 Mon Sep 17 00:00:00 2001 From: Craig Hesling Date: Fri, 26 Jul 2019 09:29:14 -0700 Subject: fuzz_host_cmd: Add fuzzing for fpsensor host cmds This adds the host commands declared in fpsensor_state.c to the fuzzing mix. They are the following: EC_CMD_FP_SEED 0x0408 EC_CMD_FP_ENC_STATUS 0x0409 EC_CMD_FP_MODE 0x0402 EC_CMD_FP_CONTEXT 0x0406 This is not the complete fpsensor host command interface. More host commands will be added in followup CLs. BRANCH=none BUG=b:116065496 TEST=# Pull in TEST_COVERAGE fix git fetch "https://chromium.googlesource.com/chromiumos/platform/ec" \ refs/changes/86/1725186/1 && git cherry-pick FETCH_HEAD make host-host_command_fuzz TEST_COVERAGE=1 timeout 5m ./build/host/host_command_fuzz/host_command_fuzz.exe llvm-profdata merge -sparse default.profraw -o default.profdata llvm-cov show build/host/host_command_fuzz/host_command_fuzz.exe \ --instr-profile=default.profdata --format=html --output-dir=cov # Inspect cov/.../common/fpsensor/fpsensor_state.c.html to verify TEST=make buildall -j Change-Id: I69e9833463944a0dfba49e5671987b7fec565bf4 Signed-off-by: Craig Hesling Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1661122
---
 common/mock/build.mk | 3 +--
 common/mock/rollback_mock.c | 33 +++++++++++++++++++++++++++++++++
 fuzz/fuzz_config.h | 7 +++++++
 fuzz/host_command_fuzz.mocklist | 7 +++++++
 fuzz/host_command_fuzz.tasklist | 3 ++-
 include/mock/rollback_mock.h | 22 ++++++++++++++++++++++
 6 files changed, 72 insertions(+), 3 deletions(-)
 create mode 100644 common/mock/rollback_mock.c
 create mode 100644 fuzz/host_command_fuzz.mocklist
 create mode 100644 include/mock/rollback_mock.h
diff --git a/common/mock/build.mk b/common/mock/build.mk
index 190dde9be8..037718d3bb 100644
--- a/common/mock/build.mk
+++ b/common/mock/build.mk
@@ -4,5 +4,4 @@
 
 # See common/mock/README.md for more information.
 
-# Example:
-# mock-$(HAS_MOCK_ROLLBACK) += rollback_mock.o
\ No newline at end of file
+mock-$(HAS_MOCK_ROLLBACK) += rollback_mock.o
diff --git a/common/mock/rollback_mock.c b/common/mock/rollback_mock.c
new file mode 100644
index 0000000000..6a04b6142a
--- /dev/null
+++ b/common/mock/rollback_mock.c
@@ -0,0 +1,33 @@
+/* Copyright 2019 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "mock/rollback_mock.h"
+
+#include
+#include
+
+#include "common.h"
+#include "compile_time_macros.h"
+#include "util.h"
+
+struct mock_ctrl_rollback mock_ctrl_rollback = MOCK_CTRL_DEFAULT_ROLLBACK;
+
+static const uint8_t fake_rollback_secret[] = {
+ 0xcf, 0xe3, 0x23, 0x76, 0x35, 0x04, 0xc2, 0x0f,
+ 0x0d, 0xb6, 0x02, 0xa9, 0x68, 0xba, 0x2a, 0x61,
+ 0x86, 0x2a, 0x85, 0xd1, 0xca, 0x09, 0x54, 0x8a,
+ 0x6b, 0xe2, 0xe3, 0x38, 0xde, 0x5d, 0x59, 0x14,
+};
+
+BUILD_ASSERT(sizeof(fake_rollback_secret) == CONFIG_ROLLBACK_SECRET_SIZE);
+
+/* Mock the rollback for unit or fuzz tests. */
+int rollback_get_secret(uint8_t *secret)
+{
+ if (mock_ctrl_rollback.get_secret_fail)
+ return EC_ERROR_UNKNOWN;
+ memcpy(secret, fake_rollback_secret, sizeof(fake_rollback_secret));
+ return EC_SUCCESS;
+}
diff --git a/fuzz/fuzz_config.h b/fuzz/fuzz_config.h
index 105fa26bd4..49b5a192d3 100644
--- a/fuzz/fuzz_config.h
+++ b/fuzz/fuzz_config.h
@@ -97,6 +97,13 @@ enum nvmem_users {
 #else
 #define CONFIG_HOSTCMD_DEBUG_MODE HCDEBUG_OFF
 #endif /* ! FUZZ_HOSTCMD_VERBOSE */
+
+/* The following are for fpsensor host commands. */
+#define CONFIG_AES
+#define CONFIG_AES_GCM
+#define CONFIG_ROLLBACK_SECRET_SIZE 32
+#define CONFIG_SHA256
+
 #endif /* TEST_HOST_COMMAND_FUZZ */
 
 #if defined(TEST_USB_PD_FUZZ)
diff --git a/fuzz/host_command_fuzz.mocklist b/fuzz/host_command_fuzz.mocklist
new file mode 100644
index 0000000000..d84275532e
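Review bot: In common/mock/rollback_mock.c, `rollback_get_secret()` is defined without the header that declares the production function among the quoted includes that are visible (the two angle-bracket include targets are lost in this rendering), so the compiler probably does not check the mock's signature against the real prototype; adding `#include "rollback.h"` would turn any future drift into a build error. The one-line comment should also state the contract the `memcpy` relies on, for example `/* Mock of rollback_get_secret(): secret must point to at least CONFIG_ROLLBACK_SECRET_SIZE bytes; on failure the buffer is not written. */`. Because `fake_rollback_secret` is a fixed value published in the tree, a comment next to it should say that it is test-only and that this object may only be linked through `mock-$(HAS_MOCK_ROLLBACK)`, never into a board image.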
--- /dev/null
+++ b/fuzz/host_command_fuzz.mocklist
@@ -0,0 +1,7 @@
+/* Copyright 2019 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+ #define CONFIG_TEST_MOCK_LIST \
+ MOCK(ROLLBACK)
diff --git a/fuzz/host_command_fuzz.tasklist b/fuzz/host_command_fuzz.tasklist
index 24870f2abb..c95bf17c64 100644
--- a/fuzz/host_command_fuzz.tasklist
+++ b/fuzz/host_command_fuzz.tasklist
@@ -6,4 +6,5 @@
 /**
  * See CONFIG_TASK_LIST in config.h for details.
  */
-#define CONFIG_TEST_TASK_LIST
+#define CONFIG_TEST_TASK_LIST \
+ TASK_TEST(FPSENSOR, fp_task_simulate, NULL, TASK_STACK_SIZE)
diff --git a/include/mock/rollback_mock.h b/include/mock/rollback_mock.h
new file mode 100644
index 0000000000..eb2dea6dd9
--- /dev/null
+++ b/include/mock/rollback_mock.h
@@ -0,0 +1,22 @@
+/* Copyright 2019 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#ifndef __MOCK_ROLLBACK_MOCK_H
+#define __MOCK_ROLLBACK_MOCK_H
+
+#include
+
+struct mock_ctrl_rollback {
+ bool get_secret_fail;
+};
+
+#define MOCK_CTRL_DEFAULT_ROLLBACK \
+{ \
+ .get_secret_fail = false, \
+}
+
+extern struct mock_ctrl_rollback mock_ctrl_rollback;
+
+#endif /* __MOCK_ROLLBACK_MOCK_H */
-- 
cgit v1.2.1
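Review bot: `get_secret_fail` in include/mock/rollback_mock.h is not set by anything in this commit (the diffstat lists no change to the fuzz harness), so with `MOCK_CTRL_DEFAULT_ROLLBACK` the fuzzer only ever sees `rollback_get_secret()` succeed and the fpsensor commands' handling of a missing secret stays uncovered. Consider driving the flag from fuzz input in a follow-up, and document the field now, for example `/* When true, rollback_get_secret() returns EC_ERROR_UNKNOWN and does not write the buffer. */`. The control struct is a mutable global, so a test that flips it should restore it before the next case with `mock_ctrl_rollback = (struct mock_ctrl_rollback)MOCK_CTRL_DEFAULT_ROLLBACK;`, and the header comment is a good place to say so.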