Dasharo / open-source-firmware-validation

OSFV infrastructure with automated tests and scripts for managing test results
Apache License 2.0

Encrypted rootfs release #212

Open TomaszAIR opened 4 months ago

TomaszAIR commented 4 months ago

Gather all tests that were implemented while working on Encrypted rootfs based on TPM

TomaszAIR commented 4 months ago

Results on qemu after latest rebase

λ robot -b file.txt -L TRACE -v ansible_config:yes -v rte_ip:127.0.0.1 -v snipeit:no -v config:qemu dasharo-security/tpm2-commands.robot
==============================================================================
Tpm2-Commands
==============================================================================
TPMCMD001.001 Check if both SHA1 and SHA256 PCRs are enabled (Ubun... | PASS |
------------------------------------------------------------------------------
TPMCMD002.001 PCRREAD Function Verification (Ubuntu 22.04) :: This... | PASS |
------------------------------------------------------------------------------
TPMCMD003.001 PCREXTEND And PCRRESET Functions (Ubuntu 22.04) :: T... | PASS |
------------------------------------------------------------------------------
TPMCMD003.002 PCREXTEND And PCRRESET Functions - locality protecti... | PASS |
------------------------------------------------------------------------------
TPMCMD004.001 PCREVENT Function (Ubuntu 22.04) :: This test aims t... | PASS |
------------------------------------------------------------------------------
TPMCMD005.001 CREATEPRIMARY Function Verification (Ubuntu 22.04) :... | PASS |
------------------------------------------------------------------------------
TPMCMD006.001 NVDEFINE and NVUNDEFINE Functions Verification (Ubun... | PASS |
------------------------------------------------------------------------------
TPMCMD007.001 CREATE Function (Ubuntu 22.04) :: This test aims to ... | PASS |
------------------------------------------------------------------------------
TPMCMD007.002 CREATELOADED Function (Ubuntu 22.04) :: This test ai... | PASS |
------------------------------------------------------------------------------
TPMCMD008.001 Signing the file (Ubuntu 22.04) :: Check whether the... | PASS |
------------------------------------------------------------------------------
TPMCMD009.001 Encryption and Decryption of the file (Ubuntu 22.04)... | SKIP |
TPM doesn't supports TPM2_EncryptDecrypt nor TPM2_EncryptDecrypt2
------------------------------------------------------------------------------
TPMCMD010.001 Hashing the file (Ubuntu 22.04) :: Check whether the... | PASS |
------------------------------------------------------------------------------
TPMCMD011.001 Performing HMAC operation on the file (Ubuntu 22.04)... | PASS |
------------------------------------------------------------------------------
TPMCMD012.001 Sealing and Unsealing the file without Policy (Ubunt... | PASS |
------------------------------------------------------------------------------
TPMCMD013.001 Sealing and Unsealing with Policy - Password Only (U... | PASS |
------------------------------------------------------------------------------
TPMCMD013.002 Sealing and Unsealing with Policy - PCR Only (Ubuntu... | PASS |
------------------------------------------------------------------------------
TPMCMD013.003 Sealing and unsealing with Policy - Password and PCR... | PASS |
------------------------------------------------------------------------------
Tpm2-Commands                                                         | PASS |
17 tests, 16 passed, 0 failed, 1 skipped
==============================================================================
Debug:   /home/tzyjewski/files/open-source-firmware-validation/file.txt
Output:  /home/tzyjewski/files/open-source-firmware-validation/output.xml
Log:     /home/tzyjewski/files/open-source-firmware-validation/log.html
Report:  /home/tzyjewski/files/open-source-firmware-validation/report.html

λ robot -b file.txt -L TRACE -v ansible_config:yes -v rte_ip:127.0.0.1 -v snipeit:no -v config:qemu dasharo-security/tpm-support.robot
==============================================================================
Tpm-Support
==============================================================================
TPM001.001 TPM Support (firmware) :: This test aims to verify that... | FAIL |
'Table not found.
' does not contain 'TPM2 log'
------------------------------------------------------------------------------
TPM001.002 TPM Support (Ubuntu 20.04) :: Check whether the TPM is ... | PASS |
------------------------------------------------------------------------------
TPM001.003 TPM Support (Windows 11) :: Check whether the TPM is in... | SKIP |
TPM001.003 not supported
------------------------------------------------------------------------------
TPM001.004 TPM Support (BIOS) :: This test aims to verify that the... | PASS |
------------------------------------------------------------------------------
TPM002.001 Verify TPM version (Ubuntu 22.04) :: This test aims to ... | PASS |
------------------------------------------------------------------------------
TPM002.002 Verify TPM version (Windows 11) :: This test aims to ve... | SKIP |
TPM002.002 not supported
------------------------------------------------------------------------------
TPM003.001 Check TPM Physical Presence Interface (firmware) :: Thi... | FAIL |
'Table not found.
' does not contain 'PPI: Pending OS request'
------------------------------------------------------------------------------
TPM003.002 Check TPM Physical Presence Interface (Ubuntu 22.04) ::... | PASS |
------------------------------------------------------------------------------
TPM003.003 Check TPM Physical Presence Interface (Windows 11) :: T... | SKIP |
TPM003.003 not supported
------------------------------------------------------------------------------
TPM004.001 Check TPM Clear procedure :: This test aims to verify w... | PASS |
------------------------------------------------------------------------------
TPM005.001 Check TPM Hash Algorithm Support SHA1 (Firmware) :: Thi... | PASS |
------------------------------------------------------------------------------
TPM005.002 Check TPM Hash Algorithm Support SHA256 (Firmware) :: T... | PASS |
------------------------------------------------------------------------------
TPM005.003 Check TPM Hash Algorithm Support SHA384 (Firmware) :: T... | PASS |
------------------------------------------------------------------------------
TPM005.004 Check TPM Hash Algorithm Support SHA512 (Firmware) :: T... | PASS |
------------------------------------------------------------------------------
TPM006.001 Encrypt and Decrypt non-rootfs partition (Ubuntu 22.04)... | PASS |
------------------------------------------------------------------------------
TPM007.001 Encrypt and Decrypt rootfs partition (Ubuntu 22.04) :: ... | PASS |
------------------------------------------------------------------------------
Tpm-Support                                                           | FAIL |
16 tests, 11 passed, 2 failed, 3 skipped
==============================================================================
Debug:   /home/tzyjewski/files/open-source-firmware-validation/file.txt
Output:  /home/tzyjewski/files/open-source-firmware-validation/output.xml
Log:     /home/tzyjewski/files/open-source-firmware-validation/log.html
Report:  /home/tzyjewski/files/open-source-firmware-validation/report.html

TPM001.001 and TPM003.001 fail as we started QEMU with EDK2 only, so cbmem does not return data.

Test executed on qemu, started with DRIVE_PATH=./qemu-data/ubuntu-enc.qcow2 ./scripts/ci/qemu-run.sh graphic os

ubuntu-enc.qcow2 is an encrypted Ubuntu image with efi partition labeled as ubuntu-enc and rootfs partition labeled as encrypted-rootfs. Both label names are used in test TPM007.001 scenario.
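An added helper, not part of the OSFV repository, that turns Robot Framework console output like the two runs above into per-test statuses plus the multi-line FAIL/SKIP messages, and cross-checks the parsed counts against Robot's own "N tests, ..." summary line; the excerpt embedded below is constructed in the shape of the Tpm-Support run.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the Tpm-Support run quoted above.
SAMPLE = """\
TPM001.001 TPM Support (firmware) :: This test aims to verify that... | FAIL |
'Table not found.
' does not contain 'TPM2 log'
------------------------------------------------------------------------------
TPM001.002 TPM Support (Ubuntu 20.04) :: Check whether the TPM is ... | PASS |
------------------------------------------------------------------------------
TPM001.003 TPM Support (Windows 11) :: Check whether the TPM is in... | SKIP |
TPM001.003 not supported
------------------------------------------------------------------------------
Tpm-Support                                                           | FAIL |
3 tests, 1 passed, 1 failed, 1 skipped
==============================================================================
"""

# Test line: "<ID> <name> | PASS |"; the ID shape (TPM001.001, TPMCMD003.002) keeps
# suite lines such as "Tpm-Support ... | FAIL |" from matching.
TEST_LINE = re.compile(r"^(?P<id>[A-Z0-9]+\.\d{3}) .*\| (?P<status>PASS|FAIL|SKIP) \|$")
SUMMARY = re.compile(r"^(\d+) tests?, (\d+) passed, (\d+) failed, (\d+) skipped$")

def parse_robot_console(text):
    """Map test ID -> {"status", "message"}; message collects the lines Robot prints under an entry."""
    results, current = {}, None
    for line in text.splitlines():
        m = TEST_LINE.match(line)
        if m:
            current = m.group("id")
            results[current] = {"status": m.group("status"), "message": ""}
        elif line.startswith("---") or line.startswith("==="):
            current = None  # separator closes the message block of the current test
        elif current is not None:
            msg = results[current]["message"]
            results[current]["message"] = f"{msg}\n{line}" if msg else line
    return results

def summarize(results):
    counts = Counter(r["status"] for r in results.values())
    return {"tests": len(results), "passed": counts["PASS"], "failed": counts["FAIL"], "skipped": counts["SKIP"]}

def summary_line_agrees(text, results):
    """Cross-check Robot's summary line against the parsed counts so a truncated log is not trusted."""
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            s = summarize(results)
            return tuple(map(int, m.groups())) == (s["tests"], s["passed"], s["failed"], s["skipped"])
    return False
```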

macpijan commented 2 months ago

@TomaszAIR I do not understand why I see in this MR commits already present in: https://github.com/Dasharo/open-source-firmware-validation/pull/187

There seems to be a mismatch in the history. Since there is lots of duplicated code in this MR, reviewing this one would not be very productive.

TomaszAIR commented 2 months ago

@macpijan I did not push the rebased branch before. Now it should not have commits from #187