fix(linux-tpm): skip PCR0 check with SHA384 algorithm
A third-party service, 'ftpm', does not report a non-zero PCR0
value with the SHA384 algorithm, hence the PCR0 check is skipped
when this algorithm is selected.
Change-Id: Ie464e22917008fdf4eab9bb017928755c2794ed3
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
diff --git a/expect/linux-tpm-384.exp b/expect/linux-tpm-384.exp
new file mode 100644
index 0000000..1aa70b9
--- /dev/null
+++ b/expect/linux-tpm-384.exp
@@ -0,0 +1,106 @@
+#
+# Copyright (c) 2021, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# Expect script for Linux/Buildroot using Measured Boot & fTPM
+# It is a copy of linux-tpm.exp which doesn't check PCR0 value,
+# as that doesn't apply to this config
+#
+
+source [file join [file dirname [info script]] utils.inc]
+source [file join [file dirname [info script]] handle-arguments.inc]
+
+# File to store the event log from the ftpm service.
+set TFA_DIGEST [get_param tfa_digest "tfa_event_log"]
+set digest_log [open $TFA_DIGEST w]
+
+# regexp for non-zero PCR0
+set non_zero_pcr "(?!(\\s00){16})((\\s(\[0-9a-f\]){2}){16}\\s)"
+
+expect {
+ # Parse the event log from the debug logs and store the digests
+ # so they can be matched later with what the fTPM read.
+
+ -re "Digest(\\s|\\w)*:\\s(\\w{2}\\s){16}|\
+ : (\\w{2}\\s){16}|\
+ Event(\\s|\\w)*:\\s\\w+\\s" {
+ puts $digest_log $expect_out(0,string)
+ exp_continue
+ }
+
+ -exact "Booting BL31" {
+ close $digest_log
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ "login" {
+ send "root\n"
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ "#" {
+ # Load the fTPM driver
+ send "ftpm\n"
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ "#" { }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+# Iterate over the rest of PCRs and check that they all are zeros.
+for {set i 1} {$i < 11} {incr i} {
+ send "pcrread -ha $i\n"
+
+ expect {
+ -re "(\\s00){16}\\s+(00\\s){16}" { }
+
+ -re $non_zero_pcr {
+ exit_uart -1
+ }
+
+ timeout {
+ exit_timeout
+ }
+ }
+}
+
+# Match the previously stored digest with the one generated by the
+# fTPM service. The pass criteria is that both digests must match,
+# meaning that TF-A successfully passed the event log to the TPM service.
+expect {
+ "#" {
+ spawn diff -s $TFA_DIGEST ftpm_event_log
+ }
+
+ timeout {
+ exit_timeout
+ }
+}
+
+expect {
+ -exact "are identical" {
+ exit_uart 0
+ }
+}
+
+exit_uart -1
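Review bot: The zero-PCR pattern `-re "(\\s00){16}\\s+(00\\s){16}"` in the loop (and `non_zero_pcr` at the top, plus the same `zero_pcr` string in lava-expect/linux-tpm-384.exp) is sized for a 32-byte digest, yet this script exists for the SHA384 bank, whose PCRs are 48 bytes; if `pcrread` prints the full 48-byte value, a PCR whose first 32 bytes are zero but whose tail is non-zero still satisfies the zero pattern and the loop passes it. I cannot see the `pcrread` output format from here, so please confirm the dump width and, if it is 48 bytes, widen both patterns to 24+24 or anchor them to the whole line. Separately, PCR0 is now never read at all; sending `pcrread -ha 0` and recording the reply with no pass/fail decision would keep the value visible in the UART log while the check is skipped. The final `expect` block, unlike every other one in the file, has no `timeout { exit_timeout }` arm, so a missing "are identical" line only reaches `exit_uart -1` after expect's default timeout.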
diff --git a/group/tf-l1-boot-tests-misc/fvp-mb-384-optee-romlib:fvp-optee.mb-linux.rootfs+ftpm-romlib-fip.ftpm-aemv8a b/group/tf-l1-boot-tests-misc/fvp-mb-384-optee-romlib:fvp-optee.mb-linux.rootfs+ftpm_384-romlib-fip.ftpm-aemv8a
similarity index 100%
rename from group/tf-l1-boot-tests-misc/fvp-mb-384-optee-romlib:fvp-optee.mb-linux.rootfs+ftpm-romlib-fip.ftpm-aemv8a
rename to group/tf-l1-boot-tests-misc/fvp-mb-384-optee-romlib:fvp-optee.mb-linux.rootfs+ftpm_384-romlib-fip.ftpm-aemv8a
diff --git a/lava-expect/linux-tpm-384.exp b/lava-expect/linux-tpm-384.exp
new file mode 100644
index 0000000..16eab17
--- /dev/null
+++ b/lava-expect/linux-tpm-384.exp
@@ -0,0 +1,28 @@
+#
+# Copyright (c) 2021, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# Expect script for Linux/Buildroot using Measured Boot & fTPM
+# It is a copy of linux-tpm.exp which doesn't check PCR0 value,
+# as that doesn't apply to this config
+#
+
+# Parse the event log from the debug logs and store the digests
+# so they can be matched later with what the fTPM read.
+expect_string+=('m;Booting Trusted Firmware;Booting BL31;Digest(\s|\w)*:\s(\w{2}\s){16}@: (\w{2}\s){16}@Event(\s|\w)*:\s\w+\s')
+
+# Wait for the login prompt
+expect_string+=("i;buildroot login:")
+
+# Login then load the fTPM driver
+# Note: Do not check sanity of PCR0
+expect_string+=("i;#;;;root")
+expect_string+=("i;;;;ftpm")
+
+# Iterate over the rest of PCRs and check that they all are zeros.
+zero_pcr="(\s00){16}\s+(00\s){16}"
+for i in $(seq 1 11); do
+ expect_string+=("i;#")
+ expect_string+=("i;${zero_pcr};;;pcrread -ha $i")
+done
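Review bot: `for i in $(seq 1 11); do` reads PCRs 1 through 11, whereas the Tcl copy in expect/linux-tpm-384.exp loops `for {set i 1} {$i < 11}`, i.e. PCRs 1 through 10; one of the two bounds is off, and both scripts should agree on which PCRs are expected to be zero. Whichever bound is right, a brace expansion avoids the subprocess: `for i in {1..10}; do`. A one-line comment above the loop stating why PCR0 is excluded (the SHA384 fTPM reports it as zero, per the commit message) would save the next reader a trip to the git log.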
diff --git a/run_config/fvp-linux.rootfs+ftpm_384 b/run_config/fvp-linux.rootfs+ftpm_384
new file mode 100644
index 0000000..69b45a7
--- /dev/null
+++ b/run_config/fvp-linux.rootfs+ftpm_384
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2021, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# It is a copy of fvp-linux.rootfs+ftpm with another expect script
+# to run
+#
+
+post_tf_build() {
+ # Get the images for the test.
+ edk_url="$tfa_downloads/ftpm/FVP_AARCH64_EFI.fd"
+ rootfs_url="$tfa_downloads/ftpm/boot-fat.uefi.img" get_rootfs
+ url="$edk_url" saveas="edk2.bin" fetch_file
+ archive_file "edk2.bin"
+
+ # Configure the uarts for tracking.
+ uart="0" timeout="600" file="linux-tpm-384.exp" track_expect
+ uart="1" timeout="600" file="tpm-logs.exp" track_expect
+ set_run_env "ports_script" "$ci_root/model/ftpm-ports.awk"
+ set_run_env "num_uarts" "2"
+
+ payload_type="linux" gen_fvp_yaml_template
+}
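Review bot: `edk_url="$tfa_downloads/ftpm/FVP_AARCH64_EFI.fd"` inside `post_tf_build` is a plain assignment without `local`, so the variable persists in the sourcing shell after the function returns; unless a caller relies on that, `local edk_url` as the function's first line would scope it (the `rootfs_url=… get_rootfs` and `url=… saveas=… fetch_file` forms are command-scoped prefixes and are fine). The header says this file is a copy of fvp-linux.rootfs+ftpm with another expect script but does not say where it differs; a comment such as `# Only difference from fvp-linux.rootfs+ftpm: linux-tpm-384.exp on uart 0` next to the `uart="0"` `track_expect` line would make the divergence easy to audit.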