fix(linux-tpm): skip PCR0 check with SHA384 algorithm
The third-party 'ftpm' service does not report a non-zero value
for PCR0 with the SHA384 algorithm, so skip the PCR0 value check
when this algorithm is selected.
Change-Id: Ie464e22917008fdf4eab9bb017928755c2794ed3
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
diff --git a/expect/linux-tpm-384.exp b/expect/linux-tpm-384.exp
new file mode 100644
index 0000000..1aa70b9
--- /dev/null
+++ b/expect/linux-tpm-384.exp
@@ -0,0 +1,106 @@
+#
+# Copyright (c) 2021, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# Expect script for Linux/Buildroot using Measured Boot & fTPM
+# It is a copy of linux-tpm.exp which doesn't check PCR0 value,
+# as that doesn't apply to this config
+#
+
+source [file join [file dirname [info script]] utils.inc]
+source [file join [file dirname [info script]] handle-arguments.inc]
+
+# File to store the event log from the ftpm service.
+set TFA_DIGEST [get_param tfa_digest "tfa_event_log"]
+set digest_log [open $TFA_DIGEST w]
+
+# regexp for non-zero PCR0
+set non_zero_pcr "(?!(\\s00){16})((\\s(\[0-9a-f\]){2}){16}\\s)"
+
+expect {
+ # Parse the event log from the debug logs and store the digests
+ # so they can be matched later with what the fTPM read.
+
+ -re "Digest(\\s|\\w)*:\\s(\\w{2}\\s){16}|\
+ : (\\w{2}\\s){16}|\
+ Event(\\s|\\w)*:\\s\\w+\\s" {
+ puts $digest_log $expect_out(0,string)
+ exp_continue
+ }
+
+ -exact "Booting BL31" {
+ close $digest_log
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ "login" {
+ send "root\n"
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ "#" {
+ # Load the fTPM driver
+ send "ftpm\n"
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ "#" { }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+# Iterate over the rest of PCRs and check that they all are zeros.
+for {set i 1} {$i < 11} {incr i} {
+ send "pcrread -ha $i\n"
+
+ expect {
+ -re "(\\s00){16}\\s+(00\\s){16}" { }
+
+ -re $non_zero_pcr {
+ exit_uart -1
+ }
+
+ timeout {
+ exit_timeout
+ }
+ }
+}
+
+# Match the previously stored digest with the one generated by the
+# fTPM service. The pass criteria is that both digests must match,
+# meaning that TF-A successfully passed the event log to the TPM service.
+expect {
+ "#" {
+ spawn diff -s $TFA_DIGEST ftpm_event_log
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ -exact "are identical" {
+ exit_uart 0
+ }
+}
+
+exit_uart -1
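Review bot: The final pass criterion, `spawn diff -s $TFA_DIGEST ftpm_event_log`, compares against a file that nothing in this script writes, so with the PCR0 read removed the verdict depends on whatever `ftpm_event_log` an earlier run or another step left in the working directory. Unless that file is produced elsewhere, the script should create or truncate it before the comparison, or drop the comparison and say in the header what this config still verifies. The zero check `(\\s00){16}\\s+(00\\s){16}` covers 32 bytes, which looks like the SHA-256 digest length carried over from linux-tpm.exp; if `pcrread` prints 48 bytes for the SHA-384 bank, the last 16 bytes of PCR1 to PCR10 are never checked, so the pattern should be confirmed against the real output. The comments `# regexp for non-zero PCR0` and `# Iterate over the rest of PCRs` are stale in this copy because PCR0 is never read. `# File to store the event log from the ftpm service.` sits above the file that appears to hold the digests parsed from the TF-A debug log, and could read `# File to store the event log digests parsed from the TF-A debug output.`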