expect/linux-tpm.exp

#
# Copyright (c) 2020-2022, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
# Expect script for Linux/Buildroot using Measured Boot & fTPM
#

source [file join [file dirname [info script]] utils.inc]
source [file join [file dirname [info script]] handle-arguments.inc]

# File to store the event log from the ftpm service.
set TFA_DIGEST [get_param tfa_digest "tfa_event_log"]

# regexp for non-zero PCR0
set non_zero_pcr "(?!(\\s00){16})((\\s(\[0-9a-f\]){2}){16}\\s)"
set zero_pcr "(\\s00){16}\\s+(00\\s){16}"

expect {
        # Wait for the start of the event log dump.
        "TCG_EfiSpecIDEvent:" {
                set digest_log [open $TFA_DIGEST w]
        }
}

expect {
        # Parse the event log from the debug logs and store the digests
        # so they can be matched later with what the fTPM reads.

        -re "Digest(\\s|\\w)*:\\s(\\w{2}\\s){16}|\
        : (\\w{2}\\s){16}|\
        Event(\\s|\\w)*:\\s\\w+\\s" {
                puts $digest_log $expect_out(0,string)
                exp_continue
        }

        -exact "Booting BL31" {
                close $digest_log
        }
}

expect {
        "login" {
                send "root\n"
        }
}

expect {
        "#" {
                # Load the fTPM driver and retrieves PCR0
                send "ftpm\n"
        }
}

expect {
        # Pass condition: PCR0 must not be all zeros.

        -re $non_zero_pcr {
                exp_continue
        }

        "#" {
                # get PCR1 value
                send "pcrread -ha 1\n"
        }
}

expect {
        # Pass condition: PCR1 must not be all zeros.

        -re $non_zero_pcr {
                exp_continue
        }

        "#" { }
}

# Iterate over the rest of PCRs and check that they all are zeros.
for {set i 2} {$i < 11} {incr i} {
        send "pcrread -ha $i\n"

        expect {
                -re $zero_pcr { }

                -re $non_zero_pcr {
                        exit_uart -1
                }
        }
}

expect_string "#" "finished reading PCRs"

# Match the previously stored digest with the one generated by the
# fTPM service. The pass criteria is that both digests must match,
# meaning that TF-A successfully passed the event log to the TPM service.
if {[catch {exec diff -s $TFA_DIGEST ftpm_event_log} result options] == 0} {
        message "tests succeeded, digests matched"
} else {
        message "tests failed, digests did not match"
        exit_uart -1
}