docs/tf_fuzz/index.rst - TF-M/tf-m-tools - TrustedFirmware Git Browser

 #######################################
 TF-Fuzz (Trusted-Firmware Fuzzer) guide
 #######################################

 ************
 Introduction
 ************

 TF-Fuzz is a TF-M fuzzing tool, at the PSA-call level.  At the time of writing
 this at least, presentations available at:

 - https://www.trustedfirmware.org/docs/TF-M_Fuzzing_Tool_TFOrg.pdf
 - https://zoom.us/rec/share/1dxZcZit111IadadyFqFU7IoP5X5aaa8gXUdr_UInxmMbyLzEqEmXQdx79-IWQ9p

 (These presentation materials may not all be viewable by all parties.)

 ****************
 Building TF-Fuzz
 ****************

 .. Note::

     These instructions assume the use of Ubuntu Linux.


 The following dependencies are required to build TF-Fuzz:


 .. code-block:: bash

    sudo apt-get update
    sudo apt-get install build-essential bison flex


 To build TF-Fuzz, simply type ``make`` in this directory.  The executable,
 called ``tfz``, is placed in this directory.

 ***************
 Running TF-Fuzz
 ***************

 To run ``tfz``, two environment variables must first be assigned:

 .. code-block:: bash

     export TF_FUZZ_LIB_DIR=<path to this TF-M installation>/tools/tf_fuzz/lib
     export TF_FUZZ_BPLATE=tfm_boilerplate.txt


 Examples of usage can be found in the ``demo`` directory. For more details, see :doc:`source_structure/demo_dir`.

 =======================
 Generating a test suite
 =======================

 To generate a testsuite for TF-M from a set of template files, use
 `generate_test_suite.sh`.

 .. code-block:: bash

     Usage: generate_test_suite.sh <template_dir> <suites_dir>

     Where:
         template_dir: The directory containing template files for the
                     fuzzing tool
         suites_dir: The suites directory in the TF-M working copy.
                     i.e.: $TF-M_ROOT/test/suites
     Example:
         cd tf-m-tools/tf_fuzz
         ./generate_test_suite.sh <path_to>/tf_fuzz/tests/  <path_to>/tf-m-tests/test_reg/test/secure_fw/suites


 After the test suite is generated, the new test suite needs to be added to the
 TF-M build by providing the following options to the CMake generate command
 (The path needs to be aligned with the test suite dir provided for the shell
 script above):

 .. code-block:: bash

     -DTFM_FUZZER_TOOL_TESTS=1
     -DTFM_FUZZER_TOOL_TESTS_CMAKE_INC_PATH=<path_to>/tf-m-tests/test_reg/test/secure_fw/suites/tf_fuzz

 **********************************
 ``.../tf_fuzz`` directory contents
 **********************************
 .. code-block:: bash

     assets       calls               demo      parser    tests        regression
     backupStuff  class_forwards.hpp  lib       document    tf_fuzz.cpp  utility
     boilerplate  commands            Makefile  template  tf_fuzz.hpp  visualStudio

 *************
 Code Overview
 *************
 To help understand the code, below is a C++-class hierarchy used in this code
 base.  They are explained further in the documents in their respective
 directories, so the file names where the classes are defined is listed below (this,
 very roughly in order of functional interactions, of chronological usage during
 execution, and of most-to-least importance):

 .. code-block:: bash

     template_line                         ./template/template_line.hpp
         sst_template_line                 ./template/template_line.hpp
             read_sst_template_line        ./template/sst_template_line.hpp
             remove_sst_template_line      ./template/sst_template_line.hpp
             set_sst_template_line         ./template/sst_template_line.hpp
         policy_template_line              ./template/template_line.hpp
             read_policy_template_line     ./template/crypto_template_line.hpp
             set_policy_template_line      ./template/crypto_template_line.hpp
         key_template_line                 ./template/template_line.hpp
             read_key_template_line        ./template/crypto_template_line.hpp
             remove_key_template_line      ./template/crypto_template_line.hpp
             set_key_template_line         ./template/crypto_template_line.hpp
         security_template_line            ./template/template_line.hpp
             security_hash_template_line   ./template/secure_template_line.hpp

     psa_call                              ./calls/psa_call.hpp
         crypto_call                       ./calls/psa_call.hpp
             policy_call                   ./calls/crypto_call.hpp
                 init_policy_call          ./calls/crypto_call.hpp
                 reset_policy_call         ./calls/crypto_call.hpp
                 add_policy_usage_call     ./calls/crypto_call.hpp
                 set_policy_lifetime_call  ./calls/crypto_call.hpp
                 set_policy_type_call      ./calls/crypto_call.hpp
                 set_policy_algorithm_call ./calls/crypto_call.hpp
                 set_policy_usage_call     ./calls/crypto_call.hpp
                 get_policy_lifetime_call  ./calls/crypto_call.hpp
                 get_policy_type_call      ./calls/crypto_call.hpp
                 get_policy_algorithm_call ./calls/crypto_call.hpp
                 get_policy_usage_call     ./calls/crypto_call.hpp
                 get_policy_size_call      ./calls/crypto_call.hpp
                 get_policy_call           ./calls/crypto_call.hpp
             key_call                      ./calls/crypto_call.hpp
                 generate_key_call         ./calls/crypto_call.hpp
                 create_key_call           ./calls/crypto_call.hpp
                 copy_key_call             ./calls/crypto_call.hpp
                 read_key_data_call        ./calls/crypto_call.hpp
                 remove_key_call           ./calls/crypto_call.hpp
         sst_call                         ./calls/psa_call.hpp
             sst_remove_call              ./calls/sst_call.hpp
             sst_get_call                 ./calls/sst_call.hpp
             sst_set_call                 ./calls/sst_call.hpp
         security_call                    ./calls/psa_call.hpp
             hash_call                    ./calls/security_call.hpp

     boilerplate                          ./boilerplate/boilerplate.hpp

     psa_asset                            ./assets/psa_asset.hpp
         crypto_asset                     ./assets/crypto_asset.hpp
             policy_asset                 ./assets/crypto_asset.hpp
             key_asset                    ./assets/crypto_asset.hpp
         sst_asset                        ./assets/sst_asset.hpp

     tf_fuzz_info                         ./tf_fuzz.hpp

     variables                            ./utility/variables.hpp
     crc32                                ./utility/compute.hpp

     gibberish                            ./utility/gibberish.hpp

     expect_info                          ./utility/data_blocks.hpp
     set_data_info                        ./utility/data_blocks.hpp
     asset_name_id_info                   ./utility/data_blocks.hpp

 .. seealso::
    Folder by folder descriptions of the code base can be found in :doc:`source_structure/index`.

 TF-Fuzz now has better-organized management of variables in the generated code.
 In particular, it maintains a list of variables named in the test template, and
 implicit in the code, notably variables assets are ``read`` into.  It also now has
 completely separate execution phases to parse the test template, simulate the
 sequence of PSA calls generated, and write out the expected results.  That
 simulation is only in enough detail to predict expected results.  Since TF-Fuzz
 currectly mostly addresses only SST calls, that simulation is very simple in
 nature -- just tracking data movement.

 .. toctree::
     :caption: Table of Contents
     :maxdepth: 1

     Source Structure <source_structure/index>

 --------------

 *Copyright (c) 2020-2024, Arm Limited. All rights reserved.*
	#######################################
	TF-Fuzz (Trusted-Firmware Fuzzer) guide
	#######################################

	************
	Introduction
	************

	TF-Fuzz is a TF-M fuzzing tool, at the PSA-call level. At the time of writing
	this at least, presentations available at:

	- https://www.trustedfirmware.org/docs/TF-M_Fuzzing_Tool_TFOrg.pdf
	- https://zoom.us/rec/share/1dxZcZit111IadadyFqFU7IoP5X5aaa8gXUdr_UInxmMbyLzEqEmXQdx79-IWQ9p

	(These presentation materials may not all be viewable by all parties.)

	****************
	Building TF-Fuzz
	****************

	.. Note::

	These instructions assume the use of Ubuntu Linux.


	The following dependencies are required to build TF-Fuzz:


	.. code-block:: bash

	sudo apt-get update
	sudo apt-get install build-essential bison flex


	To build TF-Fuzz, simply type ``make`` in this directory. The executable,
	called ``tfz``, is placed in this directory.

	***************
	Running TF-Fuzz
	***************

	To run ``tfz``, two environment variables must first be assigned:

	.. code-block:: bash

	export TF_FUZZ_LIB_DIR=<path to this TF-M installation>/tools/tf_fuzz/lib
	export TF_FUZZ_BPLATE=tfm_boilerplate.txt


	Examples of usage can be found in the ``demo`` directory. For more details, see :doc:`source_structure/demo_dir`.

	=======================
	Generating a test suite
	=======================

	To generate a testsuite for TF-M from a set of template files, use
	`generate_test_suite.sh`.

	.. code-block:: bash

	Usage: generate_test_suite.sh <template_dir> <suites_dir>

	Where:
	template_dir: The directory containing template files for the
	fuzzing tool
	suites_dir: The suites directory in the TF-M working copy.
	i.e.: $TF-M_ROOT/test/suites
	Example:
	cd tf-m-tools/tf_fuzz
	./generate_test_suite.sh <path_to>/tf_fuzz/tests/ <path_to>/tf-m-tests/test_reg/test/secure_fw/suites


	After the test suite is generated, the new test suite needs to be added to the
	TF-M build by providing the following options to the CMake generate command
	(The path needs to be aligned with the test suite dir provided for the shell
	script above):

	.. code-block:: bash

	-DTFM_FUZZER_TOOL_TESTS=1
	-DTFM_FUZZER_TOOL_TESTS_CMAKE_INC_PATH=<path_to>/tf-m-tests/test_reg/test/secure_fw/suites/tf_fuzz

	**********************************
	``.../tf_fuzz`` directory contents
	**********************************
	.. code-block:: bash

	assets calls demo parser tests regression
	backupStuff class_forwards.hpp lib document tf_fuzz.cpp utility
	boilerplate commands Makefile template tf_fuzz.hpp visualStudio

	*************
	Code Overview
	*************
	To help understand the code, below is a C++-class hierarchy used in this code
	base. They are explained further in the documents in their respective
	directories, so the file names where the classes are defined is listed below (this,
	very roughly in order of functional interactions, of chronological usage during
	execution, and of most-to-least importance):

	.. code-block:: bash

	template_line ./template/template_line.hpp
	sst_template_line ./template/template_line.hpp
	read_sst_template_line ./template/sst_template_line.hpp
	remove_sst_template_line ./template/sst_template_line.hpp
	set_sst_template_line ./template/sst_template_line.hpp
	policy_template_line ./template/template_line.hpp
	read_policy_template_line ./template/crypto_template_line.hpp
	set_policy_template_line ./template/crypto_template_line.hpp
	key_template_line ./template/template_line.hpp
	read_key_template_line ./template/crypto_template_line.hpp
	remove_key_template_line ./template/crypto_template_line.hpp
	set_key_template_line ./template/crypto_template_line.hpp
	security_template_line ./template/template_line.hpp
	security_hash_template_line ./template/secure_template_line.hpp

	psa_call ./calls/psa_call.hpp
	crypto_call ./calls/psa_call.hpp
	policy_call ./calls/crypto_call.hpp
	init_policy_call ./calls/crypto_call.hpp
	reset_policy_call ./calls/crypto_call.hpp
	add_policy_usage_call ./calls/crypto_call.hpp
	set_policy_lifetime_call ./calls/crypto_call.hpp
	set_policy_type_call ./calls/crypto_call.hpp
	set_policy_algorithm_call ./calls/crypto_call.hpp
	set_policy_usage_call ./calls/crypto_call.hpp
	get_policy_lifetime_call ./calls/crypto_call.hpp
	get_policy_type_call ./calls/crypto_call.hpp
	get_policy_algorithm_call ./calls/crypto_call.hpp
	get_policy_usage_call ./calls/crypto_call.hpp
	get_policy_size_call ./calls/crypto_call.hpp
	get_policy_call ./calls/crypto_call.hpp
	key_call ./calls/crypto_call.hpp
	generate_key_call ./calls/crypto_call.hpp
	create_key_call ./calls/crypto_call.hpp
	copy_key_call ./calls/crypto_call.hpp
	read_key_data_call ./calls/crypto_call.hpp
	remove_key_call ./calls/crypto_call.hpp
	sst_call ./calls/psa_call.hpp
	sst_remove_call ./calls/sst_call.hpp
	sst_get_call ./calls/sst_call.hpp
	sst_set_call ./calls/sst_call.hpp
	security_call ./calls/psa_call.hpp
	hash_call ./calls/security_call.hpp

	boilerplate ./boilerplate/boilerplate.hpp

	psa_asset ./assets/psa_asset.hpp
	crypto_asset ./assets/crypto_asset.hpp
	policy_asset ./assets/crypto_asset.hpp
	key_asset ./assets/crypto_asset.hpp
	sst_asset ./assets/sst_asset.hpp

	tf_fuzz_info ./tf_fuzz.hpp

	variables ./utility/variables.hpp
	crc32 ./utility/compute.hpp

	gibberish ./utility/gibberish.hpp

	expect_info ./utility/data_blocks.hpp
	set_data_info ./utility/data_blocks.hpp
	asset_name_id_info ./utility/data_blocks.hpp

	.. seealso::
	Folder by folder descriptions of the code base can be found in :doc:`source_structure/index`.

	TF-Fuzz now has better-organized management of variables in the generated code.
	In particular, it maintains a list of variables named in the test template, and
	implicit in the code, notably variables assets are ``read`` into. It also now has
	completely separate execution phases to parse the test template, simulate the
	sequence of PSA calls generated, and write out the expected results. That
	simulation is only in enough detail to predict expected results. Since TF-Fuzz
	currectly mostly addresses only SST calls, that simulation is very simple in
	nature -- just tracking data movement.

	.. toctree::
	:caption: Table of Contents
	:maxdepth: 1

	Source Structure <source_structure/index>

	--------------

	Copyright (c) 2020-2024, Arm Limited. All rights reserved.