diff options
-rw-r--r-- | Makefile | 32 | ||||
-rw-r--r-- | tests/big_firmware_tests.c | 75 | ||||
-rw-r--r-- | tests/big_kernel_tests.c | 77 | ||||
-rw-r--r-- | tests/firmware_image_tests.c | 119 | ||||
-rw-r--r-- | tests/firmware_rollback_tests.c | 92 | ||||
-rw-r--r-- | tests/firmware_splicing_tests.c | 83 | ||||
-rw-r--r-- | tests/firmware_verify_benchmark.c | 139 | ||||
-rw-r--r-- | tests/kernel_image_tests.c | 141 | ||||
-rw-r--r-- | tests/kernel_rollback_tests.c | 156 | ||||
-rw-r--r-- | tests/kernel_splicing_tests.c | 85 | ||||
-rw-r--r-- | tests/kernel_verify_benchmark.c | 159 | ||||
-rw-r--r-- | tests/rollback_index_test.c | 770 | ||||
-rwxr-xr-x | tests/run_image_verification_tests.sh | 81 | ||||
-rw-r--r-- | tests/verify_firmware_fuzz_driver.c | 66 | ||||
-rw-r--r-- | tests/verify_kernel_fuzz_driver.c | 57 | ||||
-rw-r--r-- | utility/load_firmware_test.c | 250 |
16 files changed, 3 insertions, 2379 deletions
@@ -623,24 +623,6 @@ TEST_NAMES += \ endif -# TODO: port these tests to new API, if not already eqivalent -# functionality in other tests. These don't even compile at present. -# -# big_firmware_tests -# big_kernel_tests -# firmware_image_tests -# firmware_rollback_tests -# firmware_splicing_tests -# firmware_verify_benchmark -# kernel_image_tests -# kernel_rollback_tests -# kernel_splicing_tests -# kernel_verify_benchmark -# rollback_index_test -# verify_firmware_fuzz_driver -# verify_kernel_fuzz_driver -# utility/load_firmware_test - # And a few more... TLCL_TEST_NAMES = \ tests/tpm_lite/tpmtest_earlyextend \ @@ -1034,9 +1016,6 @@ ${BUILD}/tests/vboot_audio_tests: \ ${BUILD}/firmware/lib/vboot_audio_for_test.o ALL_OBJS += ${BUILD}/firmware/lib/vboot_audio_for_test.o -${BUILD}/tests/rollback_index_test: INCLUDES += -I/usr/include -${BUILD}/tests/rollback_index_test: LIBS += -ltlcl - TLCL_TEST_BINS = $(addprefix ${BUILD}/,${TLCL_TEST_NAMES}) ${TLCL_TEST_BINS}: OBJS += ${BUILD}/tests/tpm_lite/tlcl_tests.o ${TLCL_TEST_BINS}: ${BUILD}/tests/tpm_lite/tlcl_tests.o @@ -1170,14 +1149,9 @@ endif tests/run_preamble_tests.sh --all tests/run_vbutil_tests.sh --all -# TODO: tests to run when ported to new API -# ./run_image_verification_tests.sh -# # Splicing tests -# ${BUILD}/tests/firmware_splicing_tests -# ${BUILD}/tests/kernel_splicing_tests -# # Rollback Tests -# ${BUILD}/tests/firmware_rollback_tests -# ${BUILD}/tests/kernel_rollback_tests +# TODO: There were a number of ancient tests that hadn't been run in years. +# They were removed with https://chromium-review.googlesource.com/#/c/214610/ +# Some day it might be nice to see what they were supposed to do. .PHONY: runalltests runalltests: runtests runfutiltests runlongtests diff --git a/tests/big_firmware_tests.c b/tests/big_firmware_tests.c deleted file mode 100644 index efb81d14..00000000 --- a/tests/big_firmware_tests.c +++ /dev/null @@ -1,75 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Tests if firmware image library deals with very large firmware. This - * is a quick and dirty test for detecting integer overflow issues. - */ - -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> - -#include "cryptolib.h" -#include "file_keys.h" -#include "firmware_image.h" -#include "test_common.h" -#include "utility.h" - -/* Choose a firmware size greater than the range of 32-bits unsigned. */ -#define BIG_FIRMWARE_SIZE (0x100000000ULL) - -#define ROOT_KEY_BASE_NAME "testkeys/key_rsa8192" -#define FIRMWARE_KEY_BASE_NAME "testkeys/key_rsa1024" - -const char* kRootKeyPublicFile = ROOT_KEY_BASE_NAME ".keyb"; -const char* kRootKeyFile = ROOT_KEY_BASE_NAME ".pem"; -const char* kFirmwareKeyPublicFile = FIRMWARE_KEY_BASE_NAME ".keyb"; -const char* kFirmwareKeyFile = FIRMWARE_KEY_BASE_NAME ".pem"; - -int BigFirmwareTest(void) { - int error_code = 0; - uint64_t len; - uint8_t* firmware_blob = NULL; - RSAPublicKey* root_key = RSAPublicKeyFromFile(kRootKeyPublicFile); - uint8_t* root_key_blob = BufferFromFile(kRootKeyPublicFile, &len); - uint8_t* firmware_sign_key_buf= BufferFromFile(kFirmwareKeyPublicFile, &len); - VBDEBUG(("Generating Big FirmwareImage...")); - FirmwareImage* image = - GenerateTestFirmwareImage(0, /* RSA1024/SHA1 */ - firmware_sign_key_buf, - 1, /* Firmware Key Version. */ - 1, /* Firmware Version */ - BIG_FIRMWARE_SIZE, - kRootKeyFile, - kFirmwareKeyFile, - 'F'); /* Firmware data fill. */ - if (!root_key || !root_key_blob || !firmware_sign_key_buf || !image) { - error_code = 1; - goto cleanup; - } - VBDEBUG(("Done.\n")); - TEST_EQ(VerifyFirmwareImage(root_key, image), - VERIFY_FIRMWARE_SUCCESS, - "Big FirmwareImage Verification"); - firmware_blob = GetFirmwareBlob(image, &len); - TEST_EQ(VerifyFirmware(root_key_blob, image->firmware_data, firmware_blob), - VERIFY_FIRMWARE_SUCCESS, - "Big Firmware Blob Verification"); - - cleanup: - Free(firmware_blob); - FirmwareImageFree(image); - Free(firmware_sign_key_buf); - RSAPublicKeyFree(root_key); - return error_code; -} - -int main(int argc, char* argv[1]) -{ - int error_code = 0; - error_code = BigFirmwareTest(); - if (!gTestSuccess) - error_code = 255; - return error_code; -} diff --git a/tests/big_kernel_tests.c b/tests/big_kernel_tests.c deleted file mode 100644 index 6d83aae4..00000000 --- a/tests/big_kernel_tests.c +++ /dev/null @@ -1,77 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Tests if firmware image library deals with very large firmware. This - * is a quick and dirty test for detecting integer overflow issues. - */ - -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> - -#include "cryptolib.h" -#include "file_keys.h" -#include "kernel_image.h" -#include "test_common.h" -#include "utility.h" - -/* Choose a kernel size greater than the range of 32-bits unsigned. */ -#define BIG_KERNEL_SIZE (0x100000000ULL) - -#define FIRMWARE_KEY_BASE_NAME "testkeys/key_rsa2048" -#define KERNEL_KEY_BASE_NAME "testkeys/key_rsa1024" - -const char* kFirmwareKeyPublicFile = FIRMWARE_KEY_BASE_NAME ".keyb"; -const char* kFirmwareKeyFile = FIRMWARE_KEY_BASE_NAME ".pem"; -const char* kKernelKeyPublicFile = KERNEL_KEY_BASE_NAME ".keyb"; -const char* kKernelKeyFile = KERNEL_KEY_BASE_NAME ".pem"; - -int BigKernelTest() { - int error_code = 0; - uint64_t len; - uint8_t* kernel_blob = NULL; - RSAPublicKey* firmware_key = RSAPublicKeyFromFile(kFirmwareKeyPublicFile); - uint8_t* firmware_key_blob = BufferFromFile(kFirmwareKeyPublicFile, &len); - uint8_t* kernel_sign_key_buf = BufferFromFile(kKernelKeyPublicFile, &len); - VBDEBUG(("Generating Big KernelImage...")); - KernelImage* image = - GenerateTestKernelImage(3, /* RSA2048/SHA1 */ - 0, /* RSA1024/SHA1 */ - kernel_sign_key_buf, - 1, /* Kernel Key Version. */ - 1, /* Kernel Version */ - BIG_KERNEL_SIZE, - kFirmwareKeyFile, - kKernelKeyFile, - 'K'); /* Kernel Data Fill. */ - if (!firmware_key || !firmware_key_blob || !kernel_sign_key_buf || !image) { - error_code = 1; - goto cleanup; - } - VBDEBUG(("Done.\n")); - TEST_EQ(VerifyKernelImage(firmware_key, image, 0), - VERIFY_KERNEL_SUCCESS, - "Big KernelImage Verification"); - kernel_blob = GetKernelBlob(image, &len); - TEST_EQ(VerifyKernel(firmware_key_blob, kernel_blob, 0), - VERIFY_KERNEL_SUCCESS, - "Big Kernel Blob Verification"); - -cleanup: - Free(kernel_blob); - KernelImageFree(image); - Free(kernel_sign_key_buf); - Free(firmware_key_blob); - RSAPublicKeyFree(firmware_key); - return error_code; -} - -int main(int argc, char* argv[1]) -{ - int error_code = 0; - error_code = BigKernelTest(); - if (!gTestSuccess) - error_code = 255; - return error_code; -} diff --git a/tests/firmware_image_tests.c b/tests/firmware_image_tests.c deleted file mode 100644 index 6201d473..00000000 --- a/tests/firmware_image_tests.c +++ /dev/null @@ -1,119 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Tests for firmware image library. - */ - -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> - -#include "cryptolib.h" -#include "file_keys.h" -#include "firmware_image.h" -#include "test_common.h" -#include "utility.h" - -/* Normal Firmware Blob Verification Tests. */ -void VerifyFirmwareTest(uint8_t* verification_header, - uint8_t* firmware_data, - uint8_t* root_key_blob) { - TEST_EQ(VerifyFirmware(root_key_blob, - verification_header, - firmware_data), - VERIFY_FIRMWARE_SUCCESS, - "Normal Firmware Blob Verification"); -} - -/* Normal FirmwareImage Verification Tests. */ -void VerifyFirmwareImageTest(FirmwareImage* image, - RSAPublicKey* root_key) { - TEST_EQ(VerifyFirmwareImage(root_key, image), - VERIFY_FIRMWARE_SUCCESS, - "Normal FirmwareImage Verification"); -} - -/* Tampered FirmwareImage Verification Tests. */ -void VerifyFirmwareImageTamperTest(FirmwareImage* image, - RSAPublicKey* root_key) { - image->firmware_version = 0; - TEST_EQ(VerifyFirmwareImage(root_key, image), - VERIFY_FIRMWARE_PREAMBLE_SIGNATURE_FAILED, - "FirmwareImage Preamble Tamper Verification"); - image->firmware_version = 1; - - image->firmware_data[0] = 'T'; - TEST_EQ(VerifyFirmwareImage(root_key, image), - VERIFY_FIRMWARE_SIGNATURE_FAILED, - "FirmwareImage Data Tamper Verification"); - image->firmware_data[0] = 'F'; - - image->firmware_key_signature[0] = 0xFF; - image->firmware_key_signature[1] = 0x00; - TEST_EQ(VerifyFirmwareImage(root_key, image), - VERIFY_FIRMWARE_ROOT_SIGNATURE_FAILED, - "FirmwareImage Root Signature Tamper Verification"); -} - -int main(int argc, char* argv[]) { - uint64_t len; - const char* root_key_file = NULL; - const char* firmware_key_file = NULL; - uint8_t* firmware_sign_key_buf = NULL; - uint8_t* root_key_blob = NULL; - uint8_t* firmware_blob = NULL; - uint64_t firmware_blob_len = 0; - FirmwareImage* image = NULL; - RSAPublicKey* root_key_pub = NULL; - int error_code = 0; - int algorithm; - if(argc != 6) { - fprintf(stderr, "Usage: %s <algorithm> <root key> <processed root pubkey>" - " <signing key> <processed signing key>\n", argv[0]); - return -1; - } - - /* Read verification keys and create a test image. */ - algorithm = atoi(argv[1]); - root_key_pub = RSAPublicKeyFromFile(argv[3]); - root_key_blob = BufferFromFile(argv[3], &len); - firmware_sign_key_buf = BufferFromFile(argv[5], &len); - root_key_file = argv[2]; - firmware_key_file = argv[4]; - image = GenerateTestFirmwareImage(algorithm, - firmware_sign_key_buf, - 1, /* Firmware Key Version. */ - 1, /* Firmware Version. */ - 1000, /* Firmware length. */ - root_key_file, - firmware_key_file, - 'F'); - - if (!root_key_pub || !firmware_sign_key_buf || !image) { - error_code = 1; - goto failure; - } - firmware_blob = GetFirmwareBlob(image, &firmware_blob_len); - - /* Test Firmware blob verify operations. */ - VerifyFirmwareTest(firmware_blob, - image->firmware_data, - root_key_blob); - - /* Test FirmwareImage verify operations. */ - VerifyFirmwareImageTest(image, root_key_pub); - VerifyFirmwareImageTamperTest(image, root_key_pub); - - if (!gTestSuccess) - error_code = 255; - -failure: - Free(firmware_blob); - FirmwareImageFree(image); - Free(firmware_sign_key_buf); - Free(root_key_blob); - RSAPublicKeyFree(root_key_pub); - - return error_code; -} diff --git a/tests/firmware_rollback_tests.c b/tests/firmware_rollback_tests.c deleted file mode 100644 index 09673a39..00000000 --- a/tests/firmware_rollback_tests.c +++ /dev/null @@ -1,92 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Tests for checking firmware rollback-prevention logic. - */ - -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> - -#include "cryptolib.h" -#include "file_keys.h" -#include "firmware_image.h" -#include "utility.h" -#include "rollback_index.h" -#include "test_common.h" - -const char* kRootKeyPublicFile = "testkeys/key_rsa8192.keyb"; -uint8_t kValidFirmwareData[1] = { 'F' }; -uint8_t kCorruptFirmwareData[1] = { 'X' }; - -/* Tests that check for correctness of the VerifyFirmwareDriver_f() logic - * and rollback prevention. */ -void VerifyFirmwareDriverTest(void) { - uint8_t* verification_blobA = NULL; - uint8_t* verification_blobB = NULL; - uint64_t len; - uint8_t* root_key_pub = BufferFromFile(kRootKeyPublicFile, &len); - - /* Initialize rollback index state. */ - g_firmware_key_version = 1; - g_firmware_version = 1; - - verification_blobA = GenerateRollbackTestVerificationBlob(1, 1); - verification_blobB = GenerateRollbackTestVerificationBlob(1, 1); - - TEST_EQ(VerifyFirmwareDriver_f(root_key_pub, - verification_blobA, - kValidFirmwareData, - verification_blobB, - kValidFirmwareData), - BOOT_FIRMWARE_A_CONTINUE, - "Firmware A (Valid with current version), " - "Firmware B (Valid with current version)"); - TEST_EQ(VerifyFirmwareDriver_f(root_key_pub, - verification_blobA, - kCorruptFirmwareData, - verification_blobB, - kValidFirmwareData), - BOOT_FIRMWARE_B_CONTINUE, - "Firmware A (Corrupt with current version), " - "Firmware B (Valid with current version)"); - TEST_EQ(VerifyFirmwareDriver_f(root_key_pub, - verification_blobA, - kValidFirmwareData, - verification_blobB, - kCorruptFirmwareData), - BOOT_FIRMWARE_A_CONTINUE, - "Firmware A (Valid with current version), " - "Firmware B (Corrupt with current version)"); - TEST_EQ(VerifyFirmwareDriver_f(root_key_pub, - verification_blobA, - kCorruptFirmwareData, - verification_blobB, - kCorruptFirmwareData), - BOOT_FIRMWARE_RECOVERY_CONTINUE, - "Firmware A (Corrupt with current version), " - "Firmware B (Corrupt with current version"); - g_firmware_key_version = 2; - g_firmware_version = 2; - TEST_EQ(VerifyFirmwareDriver_f(root_key_pub, - verification_blobA, - kValidFirmwareData, - verification_blobB, - kValidFirmwareData), - BOOT_FIRMWARE_RECOVERY_CONTINUE, - "Firmware A (Valid with old version), " - "Old Firmware B (Valid with old version)"); - - Free(root_key_pub); - Free(verification_blobA); - Free(verification_blobB); -} - -int main(int argc, char* argv[]) { - int error_code = 0; - VerifyFirmwareDriverTest(); - if (!gTestSuccess) - error_code = 255; - return error_code; -} diff --git a/tests/firmware_splicing_tests.c b/tests/firmware_splicing_tests.c deleted file mode 100644 index 17c327f4..00000000 --- a/tests/firmware_splicing_tests.c +++ /dev/null @@ -1,83 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Splicing tests for the firmware image verification library. - */ - -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> - -#include "cryptolib.h" -#include "file_keys.h" -#include "firmware_image.h" -#include "test_common.h" -#include "utility.h" - -#define ROOT_KEY_BASE_NAME "testkeys/key_rsa8192" -#define FIRMWARE_KEY_BASE_NAME "testkeys/key_rsa1024" - -const char* kRootKeyPublicFile = ROOT_KEY_BASE_NAME ".keyb"; -const char* kRootKeyFile = ROOT_KEY_BASE_NAME ".pem"; -const char* kFirmwareKeyPublicFile = FIRMWARE_KEY_BASE_NAME ".keyb"; -const char* kFirmwareKeyFile = FIRMWARE_KEY_BASE_NAME ".pem"; - -void VerifyFirmwareSplicingTest() -{ - uint64_t len; - FirmwareImage* image1 = NULL; - FirmwareImage* image2 = NULL; - uint8_t* firmware_blob = NULL; - uint8_t* firmware_sign_key_buf = NULL; - RSAPublicKey* root_key = RSAPublicKeyFromFile(kRootKeyPublicFile); - uint8_t* root_key_blob = BufferFromFile(kRootKeyPublicFile, &len); - firmware_sign_key_buf= BufferFromFile(kFirmwareKeyPublicFile, &len); - image1 = GenerateTestFirmwareImage(0, /* RSA1024/SHA1 */ - firmware_sign_key_buf, - 1, /* Firmware Key Version. */ - 1, /* Firmware Version */ - 1000, - kRootKeyFile, - kFirmwareKeyFile, - 'F'); /* Firmware data fill. */ - image2 = GenerateTestFirmwareImage(0, /* RSA1024/SHA1 */ - firmware_sign_key_buf, - 1, /* Firmware Key Version. */ - 2, /* Firmware Version */ - 1000, - kRootKeyFile, - kFirmwareKeyFile, - 'G'); /* Different Firmware data fill. */ - /* Verify that the originals verify. */ - TEST_EQ(VerifyFirmwareImage(root_key, image1), - VERIFY_FIRMWARE_SUCCESS, - "FirmwareImage firmware_data Original"); - TEST_EQ(VerifyFirmwareImage(root_key, image2), - VERIFY_FIRMWARE_SUCCESS, - "FirmwareImage firmware_data Original"); - - /* Splice firmware_data + firmware signature from [image1] - * and put it into [image2]. */ - Memcpy(image2->firmware_signature, image1->firmware_signature, - siglen_map[0]); - Memcpy(image2->firmware_data, image1->firmware_data, - image2->firmware_len); - - TEST_EQ(VerifyFirmwareImage(root_key, image2), - VERIFY_FIRMWARE_SIGNATURE_FAILED, - "FirmwareImage firmware_data Splicing"); - firmware_blob = GetFirmwareBlob(image2, &len); - TEST_EQ(VerifyFirmware(root_key_blob, firmware_blob, image2->firmware_data), - VERIFY_FIRMWARE_SIGNATURE_FAILED, - "Firmware Blob firmware_data Splicing"); -} - -int main(int argc, char* argv[]) -{ - int error_code = 0; - VerifyFirmwareSplicingTest(); - if (!gTestSuccess) - error_code = 255; - return error_code; -} diff --git a/tests/firmware_verify_benchmark.c b/tests/firmware_verify_benchmark.c deleted file mode 100644 index 3cdceff8..00000000 --- a/tests/firmware_verify_benchmark.c +++ /dev/null @@ -1,139 +0,0 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Timing benchmark for verifying a firmware image. - */ - -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> - -#include "cryptolib.h" -#include "file_keys.h" -#include "firmware_image.h" -#include "test_common.h" -#include "timer_utils.h" -#include "utility.h" - -#define FILE_NAME_SIZE 128 -#define NUM_OPERATIONS 100 /* Number of verify operations to time. */ - -#define FIRMWARE_SIZE_SMALL 512000 -#define FIRMWARE_SIZE_MEDIUM 1024000 -#define FIRMWARE_SIZE_LARGE 4096000 -const uint64_t g_firmware_sizes_to_test[] = { - FIRMWARE_SIZE_SMALL, - FIRMWARE_SIZE_MEDIUM, - FIRMWARE_SIZE_LARGE -}; -const char* g_firmware_size_labels[] = { - "small", - "medium", - "large" -}; -#define NUM_SIZES_TO_TEST (sizeof(g_firmware_sizes_to_test) / \ - sizeof(g_firmware_sizes_to_test[0])) - -int SpeedTestAlgorithm(int algorithm) { - int i, j, key_size, error_code = 0; - ClockTimerState ct; - double msecs; - uint64_t len; - uint8_t* firmware_sign_key = NULL; - uint8_t* root_key_blob = NULL; - char firmware_sign_key_file[FILE_NAME_SIZE]; - char file_name[FILE_NAME_SIZE]; - char* sha_strings[] = { /* Maps algorithm->SHA algorithm. */ - "sha1", "sha256", "sha512", /* RSA-1024 */ - "sha1", "sha256", "sha512", /* RSA-2048 */ - "sha1", "sha256", "sha512", /* RSA-4096 */ - "sha1", "sha256", "sha512", /* RSA-8192 */ - }; - uint8_t* verification_blobs[NUM_SIZES_TO_TEST]; - uint8_t* firmware_blobs[NUM_SIZES_TO_TEST]; - for (i = 0; i < NUM_SIZES_TO_TEST; ++i) - firmware_blobs[i] = NULL; - - key_size = siglen_map[algorithm] * 8; /* in bits. */ - snprintf(firmware_sign_key_file, FILE_NAME_SIZE, "testkeys/key_rsa%d.pem", - key_size); - - snprintf(file_name, FILE_NAME_SIZE, "testkeys/key_rsa%d.keyb", key_size); - firmware_sign_key = BufferFromFile(file_name, &len); - if (!firmware_sign_key) { - VBDEBUG(("Couldn't read pre-processed firmware signing key.\n")); - error_code = 1; - goto cleanup; - } - - /* Generate test images. */ - for (i = 0; i < NUM_SIZES_TO_TEST; ++i) { - firmware_blobs[i] = (uint8_t*) malloc(g_firmware_sizes_to_test[i]); - Memset(firmware_blobs[i], 'F', g_firmware_sizes_to_test[i]); - verification_blobs[i] = GenerateTestVerificationBlob( - algorithm, - firmware_sign_key, - 1, /* firmware key version. */ - 1, /* firmware version. */ - g_firmware_sizes_to_test[i], - "testkeys/key_rsa8192.pem", - firmware_sign_key_file); - if (!firmware_blobs[i]) { - VBDEBUG(("Couldn't generate test firmware images.\n")); - error_code = 1; - goto cleanup; - } - } - - /* Get pre-processed key used for verification. */ - root_key_blob = BufferFromFile("testkeys/key_rsa8192.keyb", &len); - if (!root_key_blob) { - VBDEBUG(("Couldn't read pre-processed rootkey.\n")); - error_code = 1; - goto cleanup; - } - - /* Now run the timing tests. */ - for (i = 0; i < NUM_SIZES_TO_TEST; ++i) { - StartTimer(&ct); - for (j = 0; j < NUM_OPERATIONS; ++j) { - if (VERIFY_FIRMWARE_SUCCESS != - VerifyFirmware(root_key_blob, - verification_blobs[i], - firmware_blobs[i])) - VBDEBUG(("Warning: Firmware Verification Failed.\n")); - } - StopTimer(&ct); - msecs = (float) GetDurationMsecs(&ct) / NUM_OPERATIONS; - fprintf(stderr, - "# Firmware (%s, Algo = %s):" - "\t%.02f ms/verification\n", - g_firmware_size_labels[i], - algo_strings[algorithm], - msecs); - fprintf(stdout, "ms_firmware_%s_rsa%d_%s:%.02f\n", - g_firmware_size_labels[i], - key_size, - sha_strings[algorithm], - msecs); - } - - cleanup: - for (i = 0; i < NUM_SIZES_TO_TEST; i++) { - free(firmware_blobs[i]); - free(verification_blobs[i]); - } - free(root_key_blob); - return error_code; -} - - -int main(int argc, char* argv[]) { - int i, error_code = 0; - for (i = 0; i < kNumAlgorithms; ++i) { - if (0 != (error_code = SpeedTestAlgorithm(i))) - return error_code; - } - return 0; -} diff --git a/tests/kernel_image_tests.c b/tests/kernel_image_tests.c deleted file mode 100644 index 8125e681..00000000 --- a/tests/kernel_image_tests.c +++ /dev/null @@ -1,141 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Tests for kernel image library. - */ - -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> - -#include "cryptolib.h" -#include "file_keys.h" -#include "kernel_image.h" -#include "test_common.h" -#include "utility.h" - -/* Normal Kernel Blob Verification Tests. */ -void VerifyKernelTest(uint8_t* kernel_blob, uint8_t* firmware_key_blob) { - TEST_EQ(VerifyKernel(firmware_key_blob, kernel_blob, DEV_MODE_ENABLED), - VERIFY_KERNEL_SUCCESS, - "Normal Kernel Blob Verification (Dev Mode)"); - - TEST_EQ(VerifyKernel(firmware_key_blob, kernel_blob, DEV_MODE_DISABLED), - VERIFY_KERNEL_SUCCESS, - "Normal Kernel Blob Verification (Trusted)"); -} - - -/* Normal KernelImage Verification Tests. */ -void VerifyKernelImageTest(KernelImage* image, - RSAPublicKey* firmware_key) { - TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_ENABLED), - VERIFY_KERNEL_SUCCESS, - "Normal KernelImage Verification (Dev Mode)"); - TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_DISABLED), - VERIFY_KERNEL_SUCCESS, - "Normal KernelImage Verification (Trusted)"); -} - -/* Tampered KernelImage Verification Tests. */ -void VerifyKernelImageTamperTest(KernelImage* image, - RSAPublicKey* firmware_key) { - image->bootloader_offset ^= 0xFF; - TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_ENABLED), - VERIFY_KERNEL_PREAMBLE_SIGNATURE_FAILED, - "KernelImage Config Tamper Verification (Dev Mode)"); - TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_DISABLED), - VERIFY_KERNEL_PREAMBLE_SIGNATURE_FAILED, - "KernelImage Config Tamper Verification (Trusted)"); - image->bootloader_offset ^= 0xFF; - - image->kernel_data[0] = 'T'; - TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_ENABLED), - VERIFY_KERNEL_SIGNATURE_FAILED, - "KernelImage Tamper Verification (Dev Mode)"); - TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_DISABLED), - VERIFY_KERNEL_SIGNATURE_FAILED, - "KernelImage Tamper Verification (Trusted)"); - image->kernel_data[0] = 'K'; - - image->kernel_key_signature[0] = 0xFF; - image->kernel_key_signature[1] = 0x00; - TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_ENABLED), - VERIFY_KERNEL_SUCCESS, - "KernelImage Key Signature Tamper Verification (Dev Mode)"); - TEST_EQ(VerifyKernelImage(firmware_key, image, DEV_MODE_DISABLED), - VERIFY_KERNEL_KEY_SIGNATURE_FAILED, - "KernelImage Key Signature Tamper Verification (Trusted)"); -} - -int main(int argc, char* argv[]) { - uint64_t len; - const char* firmware_key_file = NULL; - const char* kernel_key_file = NULL; - uint8_t* kernel_sign_key_buf = NULL; - uint8_t* firmware_key_blob = NULL; - uint8_t* kernel_blob = NULL; - uint64_t kernel_blob_len = 0; - KernelImage* image = NULL; - RSAPublicKey* firmware_key = NULL; - int error_code = 0; - - if(argc != 7) { - fprintf(stderr, "Usage: %s <firmware signing algorithm> " /* argv[1] */ - "<kernel signing algorithm> " /* argv[2] */ - "<firmware key> " /* argv[3] */ - "<processed firmware pubkey> " /* argv[4] */ - "<kernel signing key> " /* argv[5] */ - "<processed kernel signing key>\n", /* argv[6] */ - argv[0]); - return -1; - } - - /* Read verification keys and create a test image. */ - firmware_key = RSAPublicKeyFromFile(argv[4]); - firmware_key_blob = BufferFromFile(argv[4], &len); - kernel_sign_key_buf = BufferFromFile(argv[6], &len); - firmware_key_file = argv[3]; - kernel_key_file = argv[5]; - - if (!firmware_key || !kernel_sign_key_buf || !kernel_sign_key_buf) { - error_code = 1; - goto failure; - } - - image = GenerateTestKernelImage(atoi(argv[1]), - atoi(argv[2]), - kernel_sign_key_buf, - 1, /* Kernel Key Version */ - 1, /* Kernel Version */ - 1000, /* Kernel Size */ - firmware_key_file, - kernel_key_file, - 'K'); - if (!image) { - error_code = 1; - goto failure; - } - - kernel_blob = GetKernelBlob(image, &kernel_blob_len); - - /* Test Kernel blob verify operations. */ - VerifyKernelTest(kernel_blob, firmware_key_blob); - - /* Test KernelImage verify operations. */ - VerifyKernelImageTest(image, firmware_key); - VerifyKernelImageTamperTest(image, firmware_key); - - if (!gTestSuccess) - error_code = 255; - -failure: - Free(kernel_blob); - KernelImageFree(image); - Free(kernel_sign_key_buf); - Free(firmware_key_blob); - RSAPublicKeyFree(firmware_key); - - return error_code; -} diff --git a/tests/kernel_rollback_tests.c b/tests/kernel_rollback_tests.c deleted file mode 100644 index 2ecb05fc..00000000 --- a/tests/kernel_rollback_tests.c +++ /dev/null @@ -1,156 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Tests for checking kernel rollback-prevention logic. - */ - -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> - -#include "cryptolib.h" -#include "file_keys.h" -#include "kernel_image.h" -#include "rollback_index.h" -#include "test_common.h" -#include "utility.h" - -const char* kFirmwareKeyPublicFile = "testkeys/key_rsa1024.keyb"; - -/* Tests that check for correctness of the VerifyFirmwareDriver_f() logic - * and rollback prevention. */ -void VerifyKernelDriverTest(void) { - uint64_t len; - uint8_t* firmware_key_pub = BufferFromFile(kFirmwareKeyPublicFile, &len); - - /* TODO(gauravsh): Rebase this to use LoadKernel() (maybe by making - * it a part of load_kernel_test.c */ -#if 0 - /* Initialize kernel blobs, including their associated parition - * table attributed. */ - kernel_entry valid_kernelA = { - GenerateRollbackTestKernelBlob(1, 1, 0), - 15, /* Highest Priority. */ - 5, /* Enough for tests. */ - 0 /* Assume we haven't boot off it yet. */ - }; - kernel_entry corrupt_kernelA = { - GenerateRollbackTestKernelBlob(1, 1, 1), - 15, /* Highest Priority. */ - 5, /* Enough for tests. */ - 0 /* Assume we haven't boot off it yet. */ - }; - kernel_entry valid_kernelB = { - GenerateRollbackTestKernelBlob(1, 1, 0), - 1, /* Lower Priority. */ - 5, /* Enough for tests. */ - 0 /* Assume we haven't boot off it yet. */ - }; - kernel_entry corrupt_kernelB = { - GenerateRollbackTestKernelBlob(1, 1, 1), - 1, /* Lower Priority. */ - 5, /* Enough for tests. */ - 0 /* Assume we haven't boot off it yet. */ - }; - - /* Initialize rollback index state. */ - g_kernel_key_version = 1; - g_kernel_version = 1; - - /* Note: This test just checks the rollback prevention mechanism and not - * the full blown kernel boot logic. Updates to the kernel attributes - * in the paritition table are not tested. - */ - VBDEBUG(("Kernel A boot priority(15) > Kernel B boot priority(1)\n")); - TEST_EQ(VerifyKernelDriver_f(firmware_key_pub, - &valid_kernelA, &valid_kernelB, - DEV_MODE_DISABLED), - BOOT_KERNEL_A_CONTINUE, - "(Valid Kernel A (current version)\n" - " Valid Kernel B (current version) runs A):"); - TEST_EQ(VerifyKernelDriver_f(firmware_key_pub, - &corrupt_kernelA, &valid_kernelB, - DEV_MODE_DISABLED), - BOOT_KERNEL_B_CONTINUE, - "(Corrupt Kernel A (current version)\n" - " Valid Kernel B (current version) runs B):"); - TEST_EQ(VerifyKernelDriver_f(firmware_key_pub, - &valid_kernelA, &corrupt_kernelB, - DEV_MODE_DISABLED), - BOOT_KERNEL_A_CONTINUE, - "(Valid Kernel A (current version)\n" - " Corrupt Kernel B (current version) runs A):"); - TEST_EQ(VerifyKernelDriver_f(firmware_key_pub, - &corrupt_kernelA, &corrupt_kernelB, - DEV_MODE_DISABLED), - BOOT_KERNEL_RECOVERY_CONTINUE, - "(Corrupt Kernel A (current version)\n" - " Corrupt Kernel B (current version) runs Recovery):"); - - VBDEBUG(("\nSwapping boot priorities...\n" - "Kernel B boot priority(15) > Kernel A boot priority(1)\n")); - valid_kernelA.boot_priority = corrupt_kernelA.boot_priority = 1; - valid_kernelB.boot_priority = corrupt_kernelB.boot_priority = 15; - TEST_EQ(VerifyKernelDriver_f(firmware_key_pub, - &valid_kernelA, &valid_kernelB, - DEV_MODE_DISABLED), - BOOT_KERNEL_B_CONTINUE, - "(Valid Kernel A (current version)\n" - " Valid Kernel B (current version) runs B):"); - TEST_EQ(VerifyKernelDriver_f(firmware_key_pub, - &corrupt_kernelA, &valid_kernelB, - DEV_MODE_DISABLED), - BOOT_KERNEL_B_CONTINUE, - "(Corrupt Kernel A (current version)\n" - " Valid Kernel B (current version) runs B):"); - TEST_EQ(VerifyKernelDriver_f(firmware_key_pub, - &valid_kernelA, &corrupt_kernelB, - DEV_MODE_DISABLED), - BOOT_KERNEL_A_CONTINUE, - "(Valid Kernel A (current version)\n" - " Corrupt Kernel B (current version) runs A):"); - TEST_EQ(VerifyKernelDriver_f(firmware_key_pub, - &corrupt_kernelA, &corrupt_kernelB, - DEV_MODE_DISABLED), - BOOT_KERNEL_RECOVERY_CONTINUE, - "(Corrupt Kernel A (current version)\n" - " Corrupt Kernel B (current version) runs Recovery):"); - - VBDEBUG(("\nUpdating stored version information. Obsoleting " - "exiting kernel images.\n")); - g_kernel_key_version = 2; - g_kernel_version = 2; - TEST_EQ(VerifyKernelDriver_f(firmware_key_pub, - &valid_kernelA, &valid_kernelB, - DEV_MODE_DISABLED), - BOOT_KERNEL_RECOVERY_CONTINUE, - "(Valid Kernel A (old version)\n" - " Valid Kernel B (old version) runs Recovery):"); - - VBDEBUG(("\nGenerating updated Kernel A blob with " - "new version.\n")); - Free(valid_kernelA.kernel_blob); - valid_kernelA.kernel_blob = GenerateRollbackTestKernelBlob(3, 3, 0); - TEST_EQ(VerifyKernelDriver_f(firmware_key_pub, - &valid_kernelA, &valid_kernelB, - DEV_MODE_DISABLED), - BOOT_KERNEL_A_CONTINUE, - "(Valid Kernel A (new version)\n" - " Valid Kernel B (old version) runs A):"); - Free(valid_kernelA.kernel_blob); - Free(valid_kernelB.kernel_blob); - Free(corrupt_kernelA.kernel_blob); - Free(corrupt_kernelB.kernel_blob); -#endif - - Free(firmware_key_pub); -} - -int main(int argc, char* argv[]) { - int error_code = 0; - VerifyKernelDriverTest(); - if (!gTestSuccess) - error_code = 255; - return error_code; -} diff --git a/tests/kernel_splicing_tests.c b/tests/kernel_splicing_tests.c deleted file mode 100644 index 296af473..00000000 --- a/tests/kernel_splicing_tests.c +++ /dev/null @@ -1,85 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Splicing tests for the kernel image verification library. - */ - -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> - -#include "cryptolib.h" -#include "file_keys.h" -#include "kernel_image.h" -#include "test_common.h" -#include "utility.h" - -#define FIRMWARE_KEY_BASE_NAME "testkeys/key_rsa2048" -#define KERNEL_KEY_BASE_NAME "testkeys/key_rsa1024" - -const char* kFirmwareKeyPublicFile = FIRMWARE_KEY_BASE_NAME ".keyb"; -const char* kFirmwareKeyFile = FIRMWARE_KEY_BASE_NAME ".pem"; -const char* kKernelKeyPublicFile = KERNEL_KEY_BASE_NAME ".keyb"; -const char* kKernelKeyFile = KERNEL_KEY_BASE_NAME ".pem"; - -void VerifyKernelSplicingTest() -{ - uint64_t len; - KernelImage* image1 = NULL; - KernelImage* image2 = NULL; - uint8_t* kernel_blob = NULL; - uint8_t* kernel_sign_key_buf = NULL; - RSAPublicKey* firmware_key = RSAPublicKeyFromFile(kFirmwareKeyPublicFile); - uint8_t* firmware_key_blob = BufferFromFile(kFirmwareKeyPublicFile, &len); - kernel_sign_key_buf= BufferFromFile(kKernelKeyPublicFile, &len); - image1 = GenerateTestKernelImage(3, /* RSA2048/SHA1 */ - 0, /* RSA1024/SHA1 */ - kernel_sign_key_buf, - 1, /* Kernel Key Version. */ - 1, /* Kernel Version */ - 1000, /* Kernel Size. */ - kFirmwareKeyFile, - kKernelKeyFile, - 'K'); /* Kernel data fill. */ - image2 = GenerateTestKernelImage(3, /* RSA2058/SHA1 */ - 0, /* RSA1024/SHA1 */ - kernel_sign_key_buf, - 1, /* Kernel Key Version. */ - 2, /* Kernel Version */ - 1000, /* Kernel Size */ - kFirmwareKeyFile, - kKernelKeyFile, - 'L'); /* Different Kernel data fill. */ - /* Make sure the originals verify. */ - TEST_EQ(VerifyKernelImage(firmware_key, image1, 0), - VERIFY_KERNEL_SUCCESS, - "KernelImage kernel_data Original"); - TEST_EQ(VerifyKernelImage(firmware_key, image2, 0), - VERIFY_KERNEL_SUCCESS, - "KernelImage kernel_data Original"); - - /* Splice kernel_data + kernel signature from [image1] - * and put it into [image2]. */ - Memcpy(image2->kernel_signature, image1->kernel_signature, - siglen_map[0]); - Memcpy(image2->kernel_data, image1->kernel_data, - image2->kernel_len); - - TEST_NEQ(VerifyKernelImage(firmware_key, image2, 0), - VERIFY_KERNEL_SUCCESS, - "KernelImage kernel_data Splicing"); - kernel_blob = GetKernelBlob(image2, &len); - TEST_NEQ(VerifyKernel(firmware_key_blob, kernel_blob, 0), - VERIFY_KERNEL_SUCCESS, - "Kernel Blob kernel_data Splicing"); -} - -int main(int argc, char* argv[]) -{ - int error_code = 0; - VerifyKernelSplicingTest(); - if (!gTestSuccess) - error_code = 255; - return error_code; -} diff --git a/tests/kernel_verify_benchmark.c b/tests/kernel_verify_benchmark.c deleted file mode 100644 index 3ba113c5..00000000 --- a/tests/kernel_verify_benchmark.c +++ /dev/null @@ -1,159 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Timing benchmark for verifying a firmware image. - */ - -#include <stdint.h> -#include <stdio.h> -#include <stdlib.h> - -#include "cryptolib.h" -#include "file_keys.h" -#include "kernel_image.h" -#include "test_common.h" -#include "timer_utils.h" -#include "utility.h" - -#define FILE_NAME_SIZE 128 - -#define NUM_OPERATIONS 30 /* Number of verify operations to time. - * We use a smaller number here (30 vs. 100) - * since there are many more cases to consider - * (one for each combination of firmware and kernel - * signature algorithm. - */ - -#define KERNEL_SIZE_SMALL 512000 -#define KERNEL_SIZE_MEDIUM 1024000 -#define KERNEL_SIZE_LARGE 4096000 -const uint64_t g_kernel_sizes_to_test[] = { - KERNEL_SIZE_SMALL, - KERNEL_SIZE_MEDIUM, - KERNEL_SIZE_LARGE -}; -const char* g_kernel_size_labels[] = { - "small", - "medium", - "large" -}; -#define NUM_SIZES_TO_TEST (sizeof(g_kernel_sizes_to_test) / \ - sizeof(g_kernel_sizes_to_test[0])) - -int SpeedTestAlgorithm(int firmware_sign_algorithm, - int kernel_sign_algorithm) { - int i, j, error_code = 0; - int firmware_key_size, kernel_key_size; - ClockTimerState ct; - double msecs; - uint64_t len; - uint8_t* kernel_sign_key = NULL; - uint8_t* firmware_key_blob = NULL; - char firmware_sign_key_file[FILE_NAME_SIZE]; - char kernel_sign_key_file[FILE_NAME_SIZE]; - char file_name[FILE_NAME_SIZE]; /* Temp to hold a constructed file name */ - char* sha_strings[] = { /* Maps algorithm->SHA algorithm. */ - "sha1", "sha256", "sha512", /* RSA-1024 */ - "sha1", "sha256", "sha512", /* RSA-2048 */ - "sha1", "sha256", "sha512", /* RSA-4096 */ - "sha1", "sha256", "sha512", /* RSA-8192 */ - }; - uint8_t* kernel_blobs[NUM_SIZES_TO_TEST]; - for (i = 0; i < NUM_SIZES_TO_TEST; ++i) - kernel_blobs[i] = NULL; - - /* Get all needed test keys. */ - firmware_key_size = siglen_map[firmware_sign_algorithm] * 8; /* in bits. */ - kernel_key_size = siglen_map[kernel_sign_algorithm] * 8; /* in bits. */ - snprintf(firmware_sign_key_file, FILE_NAME_SIZE, "testkeys/key_rsa%d.pem", - firmware_key_size); - snprintf(kernel_sign_key_file, FILE_NAME_SIZE, "testkeys/key_rsa%d.pem", - kernel_key_size); - snprintf(file_name, FILE_NAME_SIZE, "testkeys/key_rsa%d.keyb", - kernel_key_size); - kernel_sign_key = BufferFromFile(file_name, &len); - if (!kernel_sign_key) { - VBDEBUG(("Couldn't read pre-processed public kernel signing key.\n")); - error_code = 1; - goto cleanup; - } - - /* Generate test images. */ - for (i = 0; i < NUM_SIZES_TO_TEST; ++i) { - kernel_blobs[i] = GenerateTestKernelBlob(firmware_sign_algorithm, - kernel_sign_algorithm, - kernel_sign_key, - 1, /* kernel key version. */ - 1, /* kernel version. */ - g_kernel_sizes_to_test[i], - firmware_sign_key_file, - kernel_sign_key_file); - if (!kernel_blobs[i]) { - VBDEBUG(("Couldn't generate test firmware images.\n")); - error_code = 1; - goto cleanup; - } - } - - /* Get pre-processed key used for verification. */ - snprintf(file_name, FILE_NAME_SIZE, "testkeys/key_rsa%d.keyb", - firmware_key_size); - firmware_key_blob = BufferFromFile(file_name, &len); - if (!firmware_key_blob) { - VBDEBUG(("Couldn't read pre-processed firmware public key.\n")); - error_code = 1; - goto cleanup; - } - - /* Now run the timing tests. */ - for (i = 0; i < NUM_SIZES_TO_TEST; ++i) { - StartTimer(&ct); - for (j = 0; j < NUM_OPERATIONS; ++j) { - if (VERIFY_KERNEL_SUCCESS != - VerifyKernel(firmware_key_blob, kernel_blobs[i], 0)) - VBDEBUG(("Warning: Kernel Verification Failed.\n")); - } - StopTimer(&ct); - msecs = (float) GetDurationMsecs(&ct) / NUM_OPERATIONS; - fprintf(stderr, - "# Kernel (%s, Algo = %s / %s):" - "\t%.02f ms/verification\n", - g_kernel_size_labels[i], - algo_strings[firmware_sign_algorithm], - algo_strings[kernel_sign_algorithm], - msecs); - fprintf(stdout, "ms_kernel_%s_rsa%d_%s_rsa%d_%s:%.02f\n", - g_kernel_size_labels[i], - firmware_key_size, - sha_strings[firmware_sign_algorithm], - kernel_key_size, - sha_strings[kernel_sign_algorithm], - msecs); - } - - cleanup: - for (i = 0; i < NUM_SIZES_TO_TEST; ++i) - Free(kernel_blobs[i]); - Free(firmware_key_blob); - Free(kernel_sign_key); - return error_code; -} - - -int main(int argc, char* argv[]) { - int i, j, error_code = 0; - for (i = 0; i < kNumAlgorithms; ++i) { /* Firmware Signing Algorithm. */ - for (j = 0; j < kNumAlgorithms; ++j) { /* Kernel Signing Algorithm. */ - /* Only measure if the kernel signing algorithm is weaker or equal to - * the firmware signing algorithm. */ - if (siglen_map[j] > siglen_map[i]) - continue; - if (siglen_map[j] == siglen_map[i] && hash_size_map[j] > hash_size_map[i]) - continue; - if (0 != (error_code = SpeedTestAlgorithm(i, j))) - return error_code; - } - } - return 0; -} diff --git a/tests/rollback_index_test.c b/tests/rollback_index_test.c deleted file mode 100644 index d84b8ea2..00000000 --- a/tests/rollback_index_test.c +++ /dev/null @@ -1,770 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - */ - -/* Exhaustive testing for correctness and integrity of TPM locking code from - * all interesting initial conditions. - * - * This program iterates through a large number of initial states of the TPM at - * power on, and executes the code related to initialing the TPM and managing - * the anti-rollback indices. - * - * This program must be run on a system with "TPM-agnostic" BIOS: that is, the - * system must have a TPM (as of this date, the emulator isn't good enough, - * because it doesn't support bGlobalLock), but the firmware should not issue a - * TPM_Startup. In addition, the TPM drivers must be loaded (tpm_tis, tpm, and - * tpm_bios) but tcsd should NOT be running. However, tcsd must be installed, - * as well as the command tpm_takeownership from the TPM tools, and tpm-nvtool - * from third-party/tpm. - * - * This program must be run as root. It issues multiple reboots, saving and - * restoring the state from a file. Typically it works in two phases: on one - * reboot it sets the TPM to a certain state, and in the next reboot it runs - * the test. - * - * This program may take a long time to complete. - * - * A companion upstart file rbtest.conf contains test setup instructions. Look - * around for it. - */ - -#include "rollback_index.h" -#include "tlcl.h" -#include "tss_constants.h" -#include "utility.h" - -#include <stdarg.h> -#include <stdint.h> -#include <stdio.h> -#include <string.h> -#include <sys/types.h> -#include <syslog.h> -#include <unistd.h> - -#define RETURN_ON_FAILURE(tpm_command) do { \ - uint32_t result; \ - if ((result = (tpm_command)) != TPM_SUCCESS) { \ - return result; \ - } \ - } while (0) - -#define WRITE_BUCKET_NV_INDEX 0x1050 -#define STATEPATH "/var/spool/rbtest.state" -#define TPM_ANY_FAILURE (-1) - -#define TPM_MAX_NV_WRITE_NOOWNER 64 -#define MAX_NV_WRITES_AT_BOOT 18 /* see comment below */ -#define INITIALIZATION_NV_WRITES 11 /* see below */ - -const int high_writecount = TPM_MAX_NV_WRITE_NOOWNER; -/* The -1 below is to make sure there is at least one case when we don't hit - * the write limit. It is probably unnecessary, but we pay this cost to avoid - * an off-by-one error. - */ -const int low_writecount = TPM_MAX_NV_WRITE_NOOWNER - MAX_NV_WRITES_AT_BOOT - 1; -const int low_writecount_when_initialized = TPM_MAX_NV_WRITE_NOOWNER - - MAX_NV_WRITES_AT_BOOT + INITIALIZATION_NV_WRITES; - -/* - * This structure contains all TPM states of interest, and other testing - * states. It is saved and restored from a file across all reboots. - * - * OWNED/UNOWNED - * ACTIVATED/DEACTIVATED - * ENABLED/DISABLED - * WRITE COUNT - * - * The write count tests hitting the write limit with an unowned TPM. After - * resetting the TPM we reset the write count to zero, then we perform - * |writecount| writes to bring the count to the desired number. - * - * Low write counts are not interesting, because we know they cannot cause the - * code to hit the limit during a single boot. There are a total of N - * SafeWrite and SafeDefineSpace call sites, where N = MAX_NV_WRITES_AT_BOOT. - * Every call site can be reached at most once at every boot (there are no - * loops or multiple nested calls). So we only need to test N + 1 different - * initial values of the NVRAM write count (between 64 - (N + 1)) and 64). - * - * A number of calls happen at initialization, so when the TPM_IS_INITIALIZED - * space exists, we only need to start checking at TPM_MAX_NV_WRITE_NOOWNER - - * MAX_NV_WRITES_AT_BOOT + INITIALIZATION_NV_WRITES. - * - * TPM_IS_INITIALIZED space exists/does not exist - * KERNEL_MUST_USE_BACKUP = 0 or 1 - * KERNEL_VERSIONS exists/does not - * KERNEL_VERSIONS space has wrong permissions - * KERNEL_VERSIONS does not contain the replacement-prevention value - * KERNEL_VERSIONS and KERNEL_VERSIONS_BACKUP are the same/are not - * DEVELOPER_MODE_NV_INDEX = 0 or 1 - * - * developer switch on/off - * recovery switch on/off - */ - -typedef struct RBTState { - /* Internal testing state */ - int advancing; /* this is 1 if we are setting the TPM to the next initial - state, 0 if we are running the test. */ - - /* TPM state */ - int writecount; - int owned; - int disable; - int deactivated; - int TPM_IS_INITIALIZED_exists; - int KERNEL_MUST_USE_BACKUP; - int KERNEL_VERSIONS_exists; - int KERNEL_VERSIONS_wrong_permissions; - int KERNEL_VERSIONS_wrong_value; - int KERNEL_VERSIONS_same_as_backup; - int DEVELOPER_MODE; /* content of DEVELOPER_MODE space */ - int developer; /* setting of developer mode switch */ - int recovery; /* booting in recovery mode */ -} RBTState; - -RBTState RBTS; - -/* Set to 1 if the TPM was cleared in this run, to avoid clearing it again - * before we set the write count. - */ -int tpm_was_just_cleared = 0; - -const char* RBTS_format = - "advancing=%d, owned=%d, disable=%d, activated=%d, " - "writecount=%d, TII_exists=%d, KMUB=%d, " - "KV_exists=%d, KV_wp=%d, KV_wv=%d, KV_sab=%d, DM=%d, dm=%d, rm=%d"; - -static void Log(const char* format, ...) { - va_list ap; - va_start(ap, format); - vsyslog(LOG_INFO, format, ap); - va_end(ap); - va_start(ap, format); - vfprintf(stderr, format, ap); - va_end(ap); - fprintf(stderr, "\n"); -} - -static void reboot(void) { - int status; - Log("requesting reboot"); - status = system("/sbin/reboot"); - if (status != 0) { - Log("reboot failed with status %d", status); - exit(1); - } -} - -static uint32_t SafeWrite(uint32_t index, uint8_t* data, uint32_t length) { - uint32_t result = TlclWrite(index, data, length); - if (result == TPM_E_MAXNVWRITES) { - RETURN_ON_FAILURE(TPMClearAndReenable()); - result = TlclWrite(index, data, length); - tpm_was_just_cleared = 0; - } - return result; -} - -static uint32_t SafeDefineSpace(uint32_t index, uint32_t perm, uint32_t size) { - uint32_t result = TlclDefineSpace(index, perm, size); - if (result == TPM_E_MAXNVWRITES) { - RETURN_ON_FAILURE(TPMClearAndReenable()); - result = TlclDefineSpace(index, perm, size); - tpm_was_just_cleared = 0; - } - return result; -} - -static void RollbackTest_SaveState(FILE* file) { - rewind(file); - fprintf(file, RBTS_format, - RBTS.advancing, - RBTS.owned, - RBTS.disable, - RBTS.deactivated, - RBTS.writecount, - RBTS.TPM_IS_INITIALIZED_exists, - RBTS.KERNEL_MUST_USE_BACKUP, - RBTS.KERNEL_VERSIONS_exists, - RBTS.KERNEL_VERSIONS_wrong_permissions, - RBTS.KERNEL_VERSIONS_wrong_value, - RBTS.KERNEL_VERSIONS_same_as_backup, - RBTS.DEVELOPER_MODE, - RBTS.developer, - RBTS.recovery); -} - -static void RollbackTest_RestoreState(FILE* file) { - if (fscanf(file, RBTS_format, - &RBTS.advancing, - &RBTS.owned, - &RBTS.disable, - &RBTS.deactivated, - &RBTS.writecount, - &RBTS.TPM_IS_INITIALIZED_exists, - &RBTS.KERNEL_MUST_USE_BACKUP, - &RBTS.KERNEL_VERSIONS_exists, - &RBTS.KERNEL_VERSIONS_wrong_permissions, - &RBTS.KERNEL_VERSIONS_wrong_value, - &RBTS.KERNEL_VERSIONS_same_as_backup, - &RBTS.DEVELOPER_MODE, - &RBTS.developer, - &RBTS.recovery) != sizeof(RBTS)/sizeof(int)) { - Log("failed to restore state"); - exit(1); - } -} - -static void RollbackTest_LogState(void) { - Log(RBTS_format, - RBTS.advancing, - RBTS.owned, - RBTS.disable, - RBTS.deactivated, - RBTS.writecount, - RBTS.TPM_IS_INITIALIZED_exists, - RBTS.KERNEL_MUST_USE_BACKUP, - RBTS.KERNEL_VERSIONS_exists, - RBTS.KERNEL_VERSIONS_wrong_permissions, - RBTS.KERNEL_VERSIONS_wrong_value, - RBTS.KERNEL_VERSIONS_same_as_backup, - RBTS.DEVELOPER_MODE, - RBTS.developer, - RBTS.recovery); -} - -/* Executes a TPM command from the shell. - */ -static void RollbackTest_TPMShellCommand(char* command) { - int status; - TlclCloseDevice(); - status = system("/usr/sbin/tcsd"); - if (status != 0) { - Log("could not start tcsd"); - exit(1); - } - status = system("/usr/bin/sleep 0.1"); - status = system(command); - if (status != 0) { - Log("command %s returned 0x%x", command, status); - exit(1); - } - status = system("/usr/bin/pkill tcsd"); - if (status != 0) { - Log("could not kill tcsd, status 0x%x", status); - exit(1); - } - status = system("/usr/bin/sleep 0.1"); - TlclOpenDevice(); -} - -/* Sets or clears ownership. - */ -static uint32_t RollbackTest_SetOwnership(int ownership) { - if (ownership) { - /* Requesting owned state */ - int owned = TlclIsOwned(); - if (!owned) { - Log("acquiring ownership"); - RollbackTest_TPMShellCommand("/usr/sbin/tpm_takeownership -y -z"); - Log("ownership acquired"); - } - } else { - /* Requesting unowned state */ - Log("clearing TPM"); - RETURN_ON_FAILURE(TPMClearAndReenable()); - tpm_was_just_cleared = 1; - } - return TPM_SUCCESS; -} - -/* Removes a space. This is a huge pain, because spaces can be removed only - * when the TPM is owned. - */ -static uint32_t RollbackTest_RemoveSpace(uint32_t index) { - char command[1024]; - RollbackTest_SetOwnership(1); - snprintf(command, sizeof(command), - "/usr/bin/tpm-nvtool --release --index 0x%x --owner_password \"\"", - index); - Log("releasing space %x with command: %s", index, command); - RollbackTest_TPMShellCommand(command); - Log("space %x released", index); - return TPM_SUCCESS; -} - -/* Checks if the TPM is disabled/deactivated, and optionally enables/activates. - * Does not disable/deactivate here because it might interfere with other - * operations. - */ -static uint32_t RollbackTest_PartiallyAdjustFlags(uint8_t* disable, - uint8_t* deactivated) { - RETURN_ON_FAILURE(TlclGetFlags(disable, deactivated)); - - if (*deactivated && !RBTS.deactivated) { - /* Needs to enable before we can activate. */ - RETURN_ON_FAILURE(TlclSetEnable()); - *disable = 0; - /* Needs to reboot after activating. */ - RETURN_ON_FAILURE(TlclSetDeactivated(0)); - reboot(); - } - /* We disable and deactivate at the end, if needed. */ - - if (*disable && !RBTS.disable) { - RETURN_ON_FAILURE(TlclSetEnable()); - } - return TPM_SUCCESS; -} - -/* Removes or creates the TPM_IS_INITIALIZED space. - */ -static uint32_t RollbackTest_AdjustIsInitialized(void) { - int initialized; - RETURN_ON_FAILURE(GetSpacesInitialized(&initialized)); - if (RBTS.TPM_IS_INITIALIZED_exists && !initialized) { - RETURN_ON_FAILURE(SafeDefineSpace(TPM_IS_INITIALIZED_NV_INDEX, - TPM_NV_PER_PPWRITE, sizeof(uint32_t))); - } - if (!RBTS.TPM_IS_INITIALIZED_exists && initialized) { - RETURN_ON_FAILURE(RollbackTest_RemoveSpace(TPM_IS_INITIALIZED_NV_INDEX)); - } - return TPM_SUCCESS; -} - -/* Sets or clears KERNEL_MUST_USE_BACKUP. - */ -static uint32_t RollbackTest_AdjustMustUseBackup(void) { - uint32_t must_use_backup; - RETURN_ON_FAILURE(TlclRead(KERNEL_MUST_USE_BACKUP_NV_INDEX, - (uint8_t*) &must_use_backup, - sizeof(must_use_backup))); - if (RBTS.KERNEL_MUST_USE_BACKUP != must_use_backup) { - RETURN_ON_FAILURE(SafeWrite(KERNEL_MUST_USE_BACKUP_NV_INDEX, - (uint8_t*) &must_use_backup, - sizeof(must_use_backup))); - } - return TPM_SUCCESS; -} - -/* Adjusts KERNEL_VERSIONS space. - */ -static uint32_t RollbackTest_AdjustKernelVersions(int* wrong_value) { - uint8_t kdata[KERNEL_SPACE_SIZE]; - int exists; - uint32_t result; - - result = TlclRead(KERNEL_VERSIONS_NV_INDEX, kdata, sizeof(kdata)); - if (result != TPM_SUCCESS && result != TPM_E_BADINDEX) { - return result; - } - *wrong_value = Memcmp(kdata + sizeof(uint32_t), KERNEL_SPACE_UID, - KERNEL_SPACE_UID_SIZE); /* for later use */ - exists = result == TPM_SUCCESS; - if (RBTS.KERNEL_VERSIONS_exists && !exists) { - RETURN_ON_FAILURE(SafeDefineSpace(KERNEL_VERSIONS_NV_INDEX, - TPM_NV_PER_PPWRITE, KERNEL_SPACE_SIZE)); - } - if (!RBTS.KERNEL_VERSIONS_exists && exists) { - RETURN_ON_FAILURE(RollbackTest_RemoveSpace(KERNEL_VERSIONS_NV_INDEX)); - } - return TPM_SUCCESS; -} - -/* Adjusts permissions of KERNEL_VERSIONS space. Updates |wrong_value| to - * reflect that currently the space contains the wrong value (i.e. does not - * contain the GRWL identifier). - */ -static uint32_t RollbackTest_AdjustKernelPermissions(int* wrong_value) { - uint32_t perms; - - /* Wrong permissions */ - RETURN_ON_FAILURE(TlclGetPermissions(KERNEL_VERSIONS_NV_INDEX, &perms)); - if (RBTS.KERNEL_VERSIONS_wrong_permissions && perms == TPM_NV_PER_PPWRITE) { - /* Redefines with wrong permissions. */ - RETURN_ON_FAILURE(RollbackTest_RemoveSpace(KERNEL_VERSIONS_NV_INDEX)); - RETURN_ON_FAILURE(SafeDefineSpace(KERNEL_VERSIONS_NV_INDEX, - TPM_NV_PER_PPWRITE | - TPM_NV_PER_GLOBALLOCK, - KERNEL_SPACE_SIZE)); - *wrong_value = 1; - } - if (!RBTS.KERNEL_VERSIONS_wrong_permissions && - perms != TPM_NV_PER_PPWRITE) { - /* Redefines with right permissions. */ - RETURN_ON_FAILURE(SafeDefineSpace(KERNEL_VERSIONS_NV_INDEX, - TPM_NV_PER_PPWRITE, 0)); - RETURN_ON_FAILURE(SafeDefineSpace(KERNEL_VERSIONS_NV_INDEX, - TPM_NV_PER_PPWRITE, - KERNEL_SPACE_SIZE)); - *wrong_value = 1; - } - return TPM_SUCCESS; -} - -static uint32_t RollbackTest_AdjustKernelValue(int wrong_value) { - if (!RBTS.KERNEL_VERSIONS_wrong_value && wrong_value) { - RETURN_ON_FAILURE(SafeWrite(KERNEL_VERSIONS_NV_INDEX, - KERNEL_SPACE_INIT_DATA, KERNEL_SPACE_SIZE)); - } - if (RBTS.KERNEL_VERSIONS_wrong_value && !wrong_value) { - RETURN_ON_FAILURE(SafeWrite(KERNEL_VERSIONS_NV_INDEX, - (uint8_t*) "mickey mouse", - KERNEL_SPACE_SIZE)); - } - return TPM_SUCCESS; -} - -/* Adjusts value of KERNEL_VERSIONS_BACKUP space. - */ -static uint32_t RollbackTest_AdjustKernelBackup(void) { - /* Same as backup */ - uint32_t kv, kvbackup; - RETURN_ON_FAILURE(TlclRead(KERNEL_VERSIONS_NV_INDEX, - (uint8_t*) &kv, sizeof(kv))); - RETURN_ON_FAILURE(TlclRead(KERNEL_VERSIONS_BACKUP_NV_INDEX, - (uint8_t*) &kvbackup, sizeof(kvbackup))); - if (RBTS.KERNEL_VERSIONS_same_as_backup && kv != kvbackup) { - kvbackup = kv; - RETURN_ON_FAILURE(SafeWrite(KERNEL_VERSIONS_BACKUP_NV_INDEX, - (uint8_t*) &kvbackup, sizeof(kvbackup))); - } - if (!RBTS.KERNEL_VERSIONS_same_as_backup && kv == kvbackup) { - kvbackup = kv + 1; - RETURN_ON_FAILURE(SafeWrite(KERNEL_VERSIONS_BACKUP_NV_INDEX, - (uint8_t*) &kvbackup, sizeof(kvbackup))); - } - return TPM_SUCCESS; -} - -/* Adjust the value in the developer mode transition space. - */ -static uint32_t RollbackTest_AdjustDeveloperMode(void) { - uint32_t dev; - /* Developer mode transitions */ - RETURN_ON_FAILURE(TlclRead(DEVELOPER_MODE_NV_INDEX, - (uint8_t*) &dev, sizeof(dev))); - - if (RBTS.developer != dev) { - dev = RBTS.developer; - RETURN_ON_FAILURE(SafeWrite(DEVELOPER_MODE_NV_INDEX, - (uint8_t*) &dev, sizeof(dev))); - } - return TPM_SUCCESS; -} - -/* Changes the unowned write count. - */ -static uint32_t RollbackTest_AdjustWriteCount(void) { - int i; - if (!RBTS.owned) { - /* Sets the unowned write count, but only if we think that it will make a - * difference for the test. In other words: we're trying to reduce the - * number if initial states with some reasoning that we hope is correct. - */ - if (RBTS.writecount > low_writecount) { - if (!tpm_was_just_cleared) { - /* Unknown write count: must clear the TPM to reset to 0 */ - RETURN_ON_FAILURE(TPMClearAndReenable()); - } - for (i = 0; i < RBTS.writecount; i++) { - /* Changes the value to ensure that the TPM won't optimize away - * writes. - */ - uint8_t b = (uint8_t) i; - RETURN_ON_FAILURE(SafeWrite(WRITE_BUCKET_NV_INDEX, &b, 1)); - } - } - } - return TPM_SUCCESS; -} - -/* Sets the TPM to the right state for the next test run. - * - * Functionally correct ordering is tricky. Optimal ordering is even trickier - * (no claim to this). May succeed only partially and require a reboot to - * continue (if the TPM was deactivated at boot). - */ -static uint32_t RollbackTest_SetTPMState(int initialize) { - uint8_t disable, deactivated; - int wrong_value = 0; - - /* Initializes if needed */ - if (initialize) { - TlclLibInit(); - /* Don't worry if we're already started. */ - (void) TlclStartup(); - RETURN_ON_FAILURE(TlclContinueSelfTest()); - RETURN_ON_FAILURE(TlclAssertPhysicalPresence()); - } - - RETURN_ON_FAILURE(RollbackTest_PartiallyAdjustFlags(&disable, &deactivated)); - RETURN_ON_FAILURE(RollbackTest_AdjustIsInitialized()); - RETURN_ON_FAILURE(RollbackTest_AdjustMustUseBackup()); - RETURN_ON_FAILURE(RollbackTest_AdjustKernelVersions(&wrong_value)); - - if (RBTS.KERNEL_VERSIONS_exists) { - /* Adjusting these states only makes sense when the kernel versions space - * exists. */ - RETURN_ON_FAILURE(RollbackTest_AdjustKernelPermissions(&wrong_value)); - RETURN_ON_FAILURE(RollbackTest_AdjustKernelValue(wrong_value)); - RETURN_ON_FAILURE(RollbackTest_AdjustKernelBackup()); - } - - RETURN_ON_FAILURE(RollbackTest_AdjustDeveloperMode()); - RETURN_ON_FAILURE(RollbackTest_SetOwnership(RBTS.owned)); - /* Do not remove spaces between SetOwnership and AdjustWriteCount, as that - * might change the ownership state. Also do not issue any writes from now - * on, because AdjustWriteCount tries to avoid unneccessary clears, and after - * that, any writes will obviously change the write count. - */ - RETURN_ON_FAILURE(RollbackTest_AdjustWriteCount()); - - /* Finally, disables and/or deactivates. Must deactivate before disabling - */ - if (!deactivated && RBTS.deactivated) { - RETURN_ON_FAILURE(TlclSetDeactivated(1)); - } - /* It's better to do this last, even though most commands we use work with - * the TPM disabled. - */ - if (!disable && RBTS.disable) { - RETURN_ON_FAILURE(TlclClearEnable()); - } - return TPM_SUCCESS; -} - -#define ADVANCE(rbts_field, min, max) do { \ - if (RBTS.rbts_field == max) { \ - RBTS.rbts_field = min; \ - } else { \ - RBTS.rbts_field++; \ - return 0; \ - } \ - } while (0) - -#define ADVANCEB(field) ADVANCE(field, 0, 1) - -static int RollbackTest_AdvanceState(void) { - /* This is a generalized counter. It advances an element of the RTBS - * structure, and when it hits its maximum value, it resets the element and - * moves on to the next element, similar to the way a decimal counter - * increases each digit from 0 to 9 and back to 0 with a carry. - * - * Tip: put the expensive state changes at the end. - */ - ADVANCEB(developer); - ADVANCEB(recovery); - ADVANCEB(TPM_IS_INITIALIZED_exists); - ADVANCEB(KERNEL_MUST_USE_BACKUP); - if (RBTS.owned) { - ADVANCEB(KERNEL_VERSIONS_exists); - ADVANCEB(KERNEL_VERSIONS_wrong_permissions); - ADVANCEB(KERNEL_VERSIONS_wrong_value); - ADVANCEB(KERNEL_VERSIONS_same_as_backup); - } - ADVANCEB(DEVELOPER_MODE); - /* The writecount is meaningful only when the TPM is not owned. */ - if (!RBTS.owned) { - ADVANCE(writecount, low_writecount, high_writecount); - if (RBTS.TPM_IS_INITIALIZED_exists) { - /* We don't have to go through the full range in this case. */ - if (RBTS.writecount < low_writecount_when_initialized) { - RBTS.writecount = low_writecount_when_initialized; - } - } - } - ADVANCEB(deactivated); - ADVANCEB(disable); - ADVANCEB(owned); - if (RBTS.owned == 0) { - /* overflow */ - return 1; - } - return 0; -} - -static void RollbackTest_InitializeState(void) { - FILE* file = fopen(STATEPATH, "w"); - if (file == NULL) { - fprintf(stderr, "could not open %s for writing\n", STATEPATH); - exit(1); - } - RBTS.writecount = low_writecount; - RollbackTest_SaveState(file); -} - -uint32_t RollbackTest_Test(void) { - uint16_t key_version, version; - - if (RBTS.recovery) { - if (RBTS.developer) { - /* Developer Recovery mode */ - RETURN_ON_FAILURE(RollbackKernelRecovery(1)); - } else { - /* Normal Recovery mode */ - RETURN_ON_FAILURE(RollbackKernelRecovery(0)); - } - } else { - if (RBTS.developer) { - /* Developer mode */ - key_version = 0; - version = 0; - RETURN_ON_FAILURE(RollbackFirmwareSetup(1)); - RETURN_ON_FAILURE(RollbackFirmwareLock()); - } else { - /* Normal mode */ - key_version = 0; - version = 0; - RETURN_ON_FAILURE(RollbackFirmwareSetup(0)); - RETURN_ON_FAILURE(RollbackFirmwareLock()); - RETURN_ON_FAILURE(RollbackKernelRead(&key_version, &version)); - RETURN_ON_FAILURE(RollbackKernelWrite(key_version, version)); - RETURN_ON_FAILURE(RollbackKernelLock()); - } - } - return TPM_SUCCESS; -} - -/* One-time call to create the WRITE_BUCKET space. - */ -static uint32_t RollbackTest_InitializeTPM(void) { - TlclLibInit(); - RETURN_ON_FAILURE(TlclStartup()); - RETURN_ON_FAILURE(TlclContinueSelfTest()); - RETURN_ON_FAILURE(TlclAssertPhysicalPresence()); - RETURN_ON_FAILURE(SafeDefineSpace(WRITE_BUCKET_NV_INDEX, - TPM_NV_PER_PPWRITE, 1)); - RETURN_ON_FAILURE(RollbackTest_SetTPMState(0)); - return TPM_SUCCESS; -} - -static void RollbackTest_Initialize(void) { - Log("initializing"); - RollbackTest_InitializeState(); - if (RollbackTest_InitializeTPM() != TPM_SUCCESS) { - Log("couldn't initialize TPM"); - exit(1); - } -} - -/* Advances the desired TPM state and sets the TPM to the new state. - */ -static void RollbackTest_Advance(FILE* file) { - uint32_t result; - Log("advancing state"); - if (RollbackTest_AdvanceState()) { - Log("done"); - exit(0); - } - result = RollbackTest_SetTPMState(1); - if (result == TPM_SUCCESS) { - RBTS.advancing = 0; - RollbackTest_SaveState(file); - reboot(); - } else { - Log("SetTPMState failed with 0x%x\n", result); - exit(1); - } -} - -/* Performs the test for the current TPM state, and verify that the outcome - * matches the expectations. - */ -static void RollbackTest_RunOneTest(FILE* file) { - uint32_t result; - uint32_t expected_result = TPM_SUCCESS; - - if (!RBTS.KERNEL_VERSIONS_exists || - RBTS.KERNEL_VERSIONS_wrong_permissions || - RBTS.KERNEL_VERSIONS_wrong_value) { - expected_result = TPM_E_CORRUPTED_STATE; - } - - if (!RBTS.KERNEL_VERSIONS_exists && !RBTS.TPM_IS_INITIALIZED_exists) { - /* The space will be recreated */ - expected_result = TPM_SUCCESS; - } - - if ((!RBTS.TPM_IS_INITIALIZED_exists || !RBTS.KERNEL_VERSIONS_exists) - && RBTS.owned) { - /* Cannot create spaces without owner authorization */ - expected_result = TPM_E_OWNER_SET; - } - - if (RBTS.TPM_IS_INITIALIZED_exists && !RBTS.KERNEL_VERSIONS_exists) { - expected_result = TPM_ANY_FAILURE; - } - - result = RollbackTest_Test(); - - if (result == expected_result || - (result != TPM_SUCCESS && expected_result == TPM_ANY_FAILURE)) { - Log("test succeeded with 0x%x\n", result); - RBTS.advancing = 1; - RollbackTest_SaveState(file); - reboot(); - } else { - Log("test failed with 0x%x, expecting 0x%x\n", result, expected_result); - exit(1); - } -} - -static FILE* RollbackTest_OpenState(void) { - FILE* file = fopen(STATEPATH, "r+"); - if (file == NULL) { - Log("%s could not be opened", STATEPATH); - exit(1); - } - return file; -} - -/* Sync saved state with TPM state. - */ -static void RollbackTest_Sync(void) { - FILE *file = RollbackTest_OpenState(); - uint32_t result; - RollbackTest_RestoreState(file); - Log("Syncing state"); - result = RollbackTest_SetTPMState(1); - if (result != TPM_SUCCESS) { - Log("Sync failed with %x", result); - exit(1); - } -} - -/* Runs one testing iteration and advances the testing state. - */ -static void RollbackTest_Run(void) { - FILE* file = RollbackTest_OpenState(); - RollbackTest_RestoreState(file); - RollbackTest_LogState(); - if (RBTS.advancing) { - RollbackTest_Advance(file); - } else { - RollbackTest_RunOneTest(file); - } -} - -int main(int argc, char** argv) { - - openlog("rbtest", LOG_CONS | LOG_PERROR, LOG_USER); - - if (geteuid() != 0) { - fprintf(stderr, "rollback-test: must run as root\n"); - exit(1); - } - - if (argc == 2 && strcmp(argv[1], "initialize") == 0) { - RollbackTest_Initialize(); - } else if (argc == 2 && strcmp(argv[1], "sync") == 0) { - RollbackTest_Sync(); - } else if (argc == 1) { - RollbackTest_Run(); - } else { - fprintf(stderr, "usage: rollback-test [ initialize ]\n"); - exit(1); - } - return 0; -} diff --git a/tests/run_image_verification_tests.sh b/tests/run_image_verification_tests.sh deleted file mode 100755 index 025066a4..00000000 --- a/tests/run_image_verification_tests.sh +++ /dev/null @@ -1,81 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2010 The Chromium OS Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. - -# Run verified boot firmware and kernel verification tests. - -# Load common constants and variables. -. "$(dirname "$0")/common.sh" - -return_code=0 - -function test_firmware_verification { - algorithmcounter=0 - for keylen in ${key_lengths[@]} - do - for hashalgo in ${hash_algos[@]} - do - echo -e "For Root key ${COL_YELLOW}RSA-$keylen/$hashalgo${COL_STOP}:" - ${TEST_DIR}/firmware_image_tests $algorithmcounter \ - ${TESTKEY_DIR}/key_rsa8192.pem \ - ${TESTKEY_DIR}/key_rsa8192.keyb \ - ${TESTKEY_DIR}/key_rsa${keylen}.pem \ - ${TESTKEY_DIR}/key_rsa${keylen}.keyb - if [ $? -ne 0 ] - then - return_code=255 - fi - let algorithmcounter=algorithmcounter+1 - done - done -} - -function test_kernel_verification { -# Test for various combinations of firmware signing algorithm and -# kernel signing algorithm - firmware_algorithmcounter=0 - kernel_algorithmcounter=0 - for firmware_keylen in ${key_lengths[@]} - do - for firmware_hashalgo in ${hash_algos[@]} - do - let kernel_algorithmcounter=0 - for kernel_keylen in ${key_lengths[@]} - do - for kernel_hashalgo in ${hash_algos[@]} - do - echo -e "For ${COL_YELLOW}Firmware signing algorithm \ -RSA-${firmware_keylen}/${firmware_hashalgo}${COL_STOP} \ -and ${COL_YELLOW}Kernel signing algorithm RSA-${kernel_keylen}/\ -${kernel_hashalgo}${COL_STOP}" - ${TEST_DIR}/kernel_image_tests \ - $firmware_algorithmcounter $kernel_algorithmcounter \ - ${TESTKEY_DIR}/key_rsa${firmware_keylen}.pem \ - ${TESTKEY_DIR}/key_rsa${firmware_keylen}.keyb \ - ${TESTKEY_DIR}/key_rsa${kernel_keylen}.pem \ - ${TESTKEY_DIR}/key_rsa${kernel_keylen}.keyb - if [ $? -ne 0 ] - then - return_code=255 - fi - let kernel_algorithmcounter=kernel_algorithmcounter+1 - done - done - let firmware_algorithmcounter=firmware_algorithmcounter+1 - done - done -} - -check_test_keys - -echo -echo "Testing high-level firmware image verification..." -test_firmware_verification - -echo -echo "Testing high-level kernel image verification..." -test_kernel_verification - -exit $return_code diff --git a/tests/verify_firmware_fuzz_driver.c b/tests/verify_firmware_fuzz_driver.c deleted file mode 100644 index 3868d74f..00000000 --- a/tests/verify_firmware_fuzz_driver.c +++ /dev/null @@ -1,66 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Utility for aiding fuzz testing of firmware image verification code. - */ - -#include <stdint.h> -#include <stdio.h> - -#include "file_keys.h" -#include "firmware_image.h" -#include "utility.h" - -int VerifySignedFirmware(const char* root_key_file, - const char* verification_file, - const char* firmware_file) { - int error, error_code = 0; - uint64_t len; - uint8_t* verification_blob = BufferFromFile(verification_file, &len); - uint8_t* firmware_blob = BufferFromFile(firmware_file, &len); - uint8_t* root_key_blob = BufferFromFile(root_key_file, &len); - - if (!root_key_blob) { - fprintf(stderr, "Couldn't read pre-processed public root key.\n"); - error_code = 1; - } - - if (!error_code && !firmware_blob) { - fprintf(stderr, "Couldn't read firmware image.\n"); - error_code = 1; - } - - if (!error_code && !verification_blob) { - fprintf(stderr, "Couldn't read verification data image.\n"); - error_code = 1; - } - - if (!error_code && (error = VerifyFirmware(root_key_blob, - verification_blob, - firmware_blob))) { - fprintf(stderr, "%s\n", VerifyFirmwareErrorString(error)); - error_code = 1; - } - Free(root_key_blob); - Free(firmware_blob); - if (error_code) - return 0; - else - return 1; -} - -int main(int argc, char* argv[]) { - if (argc != 4) { - fprintf(stderr, "Usage: %s <verification blob> <image_to_verify> <root_keyb>" - "\n", argv[0]); - return -1; - } - if (VerifySignedFirmware(argv[3], argv[1], argv[2])) { - fprintf(stderr, "Verification SUCCESS!\n"); - return 0; - } else { - fprintf(stderr, "Verification FAILURE!\n"); - return -1; - } -} diff --git a/tests/verify_kernel_fuzz_driver.c b/tests/verify_kernel_fuzz_driver.c deleted file mode 100644 index e429f5e0..00000000 --- a/tests/verify_kernel_fuzz_driver.c +++ /dev/null @@ -1,57 +0,0 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Utility for aiding fuzz testing of kernel image verification code. - */ - -#include <stdint.h> -#include <stdio.h> - -#include "file_keys.h" -#include "kernel_image.h" -#include "utility.h" - -int VerifySignedKernel(const char* image_file, - const char* firmware_key_file) { - int error, error_code = 0; - uint64_t len; - uint8_t* kernel_blob = BufferFromFile(image_file, &len); - uint8_t* firmware_key_blob = BufferFromFile(firmware_key_file, &len); - - if (!firmware_key_blob) { - fprintf(stderr, "Couldn't read pre-processed public firmware key.\n"); - error_code = 1; - } - - if (!error_code && !kernel_blob) { - fprintf(stderr, "Couldn't read kernel image or malformed image.\n"); - error_code = 1; - } - - if (!error_code && (error = VerifyKernel(firmware_key_blob, kernel_blob, - 0))) { /* Trusted Mode. */ - fprintf(stderr, "%s\n", VerifyKernelErrorString(error)); - error_code = 1; - } - Free(firmware_key_blob); - Free(kernel_blob); - if (error_code) - return 0; - return 1; -} - -int main(int argc, char* argv[]) { - if (argc != 3) { - fprintf(stderr, "Usage: %s <image_to_verify> <firmware_keyb>\n", argv[0]); - return -1; - } - if (VerifySignedKernel(argv[1], argv[2])) { - fprintf(stderr, "Verification SUCCESS!\n"); - return 0; - } - else { - fprintf(stderr, "Verification FAILURE!\n"); - return -1; - } -} diff --git a/utility/load_firmware_test.c b/utility/load_firmware_test.c deleted file mode 100644 index 062d8e75..00000000 --- a/utility/load_firmware_test.c +++ /dev/null @@ -1,250 +0,0 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Routines for verifying a firmware image's signature. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "fmap.h" -#include "gbb_header.h" -#include "host_common.h" -#include "host_misc.h" -#include "load_firmware_fw.h" - - -typedef struct _CallerInternal { - struct { - uint8_t* fw; - uint64_t size; - } firmware[2]; -} CallerInternal; - -static char* progname = NULL; -static char* image_path = NULL; - - -/* wrapper of FmapAreaIndex; print error when not found */ -int FmapAreaIndexOrError(const FmapHeader* fh, const FmapAreaHeader* ah, - const char* name); - -int GetFirmwareBody(LoadFirmwareParams* params, uint64_t firmware_index) { - CallerInternal* ci = (CallerInternal*) params->caller_internal; - - if (firmware_index != 0 && firmware_index != 1) - return 1; - -#if 0 - VbUpdateFirmwareBodyHash(params, - ci->firmware[firmware_index].fw, - ci->firmware[firmware_index].size); -#endif - - return 0; -} - -/* Get GBB - * - * Return pointer to GBB from firmware image, or NULL if not found. - * - * [base_of_rom] pointer to firmware image - * [fmap] pointer to Flash Map of firmware image - * [gbb_size] GBB size will be stored here if GBB is found - */ -void* GetFirmwareGBB(const void* base_of_rom, const void* fmap, - uint64_t* gbb_size) { - const FmapHeader* fh = (const FmapHeader*) fmap; - const FmapAreaHeader* ah = (const FmapAreaHeader*) - (fmap + sizeof(FmapHeader)); - int i = FmapAreaIndexOrError(fh, ah, "GBB"); - - if (i < 0) - return NULL; - - *gbb_size = ah[i].area_size; - return (void*)(base_of_rom + ah[i].area_offset); -} - -/* Get verification block - * - * Return zero if succeed, or non-zero if failed - * - * [base_of_rom] pointer to firmware image - * [fmap] pointer to Flash Map of firmware image - * [index] index of verification block - * [verification_block_ptr] pointer to storing the found verification block - * [verification_size_ptr] pointer to store the found verification block size - */ -int GetVerificationBlock(const void* base_of_rom, const void* fmap, int index, - void** verification_block_ptr, uint64_t* verification_size_ptr) { - const char* key_area_name[2] = { - "VBLOCK_A", - "VBLOCK_B" - }; - const FmapHeader* fh = (const FmapHeader*) fmap; - const FmapAreaHeader* ah = (const FmapAreaHeader*) - (fmap + sizeof(FmapHeader)); - int i = FmapAreaIndexOrError(fh, ah, key_area_name[index]); - const void* kb; - const VbKeyBlockHeader* kbh; - const VbFirmwarePreambleHeader* fph; - - if (i < 0) - return 1; - - kb = base_of_rom + ah[i].area_offset; - *verification_block_ptr = (void*) kb; - - kbh = (const VbKeyBlockHeader*) kb; - fph = (const VbFirmwarePreambleHeader*) (kb + kbh->key_block_size); - - *verification_size_ptr = kbh->key_block_size + fph->preamble_size; - - return 0; -} - -/* Return non-zero if not found */ -int GetFirmwareData(const void* base_of_rom, const void* fmap, int index, - void *verification_block, uint8_t** body_ptr, uint64_t *size_ptr) { - const char* data_area_name[2] = { - "FW_MAIN_A", - "FW_MAIN_B" - }; - const FmapHeader* fh = (const FmapHeader*) fmap; - const FmapAreaHeader* ah = (const FmapAreaHeader*) - (fmap + sizeof(FmapHeader)); - const VbKeyBlockHeader* kbh = (const VbKeyBlockHeader*) verification_block; - const VbFirmwarePreambleHeader* fph = (const VbFirmwarePreambleHeader*) - (verification_block + kbh->key_block_size); - int i = FmapAreaIndexOrError(fh, ah, data_area_name[index]); - - if (i < 0) - return 1; - - *body_ptr = (uint8_t*) (base_of_rom + ah[i].area_offset); - *size_ptr = (uint64_t) fph->body_signature.data_size; - return 0; -} - -/* Verify firmware image [base_of_rom] using [fmap] for looking up areas. - * Return zero on success, non-zero on error - * - * [base_of_rom] pointer to start of firmware image - * [fmap] pointer to start of Flash Map of firmware image - */ -int DriveLoadFirmware(const void* base_of_rom, const void* fmap, - const uint64_t boot_flags) { - LoadFirmwareParams lfp; - CallerInternal ci; - - VbError_t status; - int index; - - void** vblock_ptr[2] = { - &lfp.verification_block_0, &lfp.verification_block_1 - }; - uint64_t* vsize_ptr[2] = { - &lfp.verification_size_0, &lfp.verification_size_1 - }; - - /* Initialize LoadFirmwareParams lfp */ - - lfp.caller_internal = &ci; - lfp.gbb_data = GetFirmwareGBB(base_of_rom, fmap, &lfp.gbb_size); - if (!lfp.gbb_data) { - printf("ERROR: cannot get firmware GBB\n"); - return 1; - } - - printf("firmware GBB at 0x%08" PRIx64 "\n", - (uint64_t) (lfp.gbb_data - base_of_rom)); - - /* Loop to initialize firmware key and data A / B */ - for (index = 0; index < 2; ++index) { - if (GetVerificationBlock(base_of_rom, fmap, index, - vblock_ptr[index], vsize_ptr[index])) { - printf("ERROR: cannot get key block %d\n", index); - return 1; - } - - printf("verification block %d at 0x%08" PRIx64 "\n", index, - (uint64_t) (*vblock_ptr[index] - base_of_rom)); - printf("verification block %d size is 0x%08" PRIx64 "\n", index, - *vsize_ptr[index]); - - if (GetFirmwareData(base_of_rom, fmap, index, *vblock_ptr[index], - &(ci.firmware[index].fw), &(ci.firmware[index].size))) { - printf("ERROR: cannot get firmware body %d\n", index); - return 1; - } - - printf("firmware %c at 0x%08" PRIx64 "\n", "AB"[index], - (uint64_t) ((void*) ci.firmware[index].fw - base_of_rom)); - printf("firmware %c size is 0x%08" PRIx64 "\n", "AB"[index], - ci.firmware[index].size); - } - - lfp.shared_data_blob = malloc(VB_SHARED_DATA_MIN_SIZE); - lfp.shared_data_size = VB_SHARED_DATA_MIN_SIZE; - printf("shared data size 0x%08" PRIx32 "\n", lfp.shared_data_size); - /* TODO: load_firmware_test was broken in the wrapper API rewrite. - * Nothing uses it, so we haven't noticed yet. Need to fix it. See - * crosbug.com/17564. LoadFirmware() now assumes that VbInit() has - * been called to set up the shared data structure, but that isn't - * happening here. */ - - status = LoadFirmware(&lfp); - printf("LoadFirmware returned: 0x%x\n", (int)status); - - free(lfp.shared_data_blob); - - return 0; -} - -/* wrap FmapAreaIndex; print error when not found */ -int FmapAreaIndexOrError(const FmapHeader* fh, const FmapAreaHeader* ah, - const char* name) { - int i = FmapAreaIndex(fh, ah, name); - if (i < 0) - fprintf(stderr, "%s: can't find %s in firmware image\n", progname, name); - return i; -} - -int main(int argc, char* argv[]) { - int i; - int retval = 0; - const void* base_of_rom; - const void* fmap; - uint64_t boot_flags = 0, rom_size; - - progname = argv[0]; - - if (argc < 2) { - fprintf(stderr, "usage: %s [-b NUM] <firmware_image>\n", progname); - exit(1); - } - - for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-b") && i < argc - 1) - boot_flags = strtoull(argv[++i], NULL, 0); - else - image_path = argv[i]; - } - - base_of_rom = ReadFile(image_path, &rom_size); - if (base_of_rom == NULL) { - fprintf(stderr, "%s: can not open %s\n", progname, image_path); - exit(1); - } - - fmap = FmapFind((char*) base_of_rom, rom_size); - - retval = DriveLoadFirmware(base_of_rom, fmap, boot_flags); - - free((void*) base_of_rom); - - return retval; -} |