Description
This CL builds upon previous SAFT enhancements and
introduces support for TPM kernel rollback testing.
The test as introduced checks the following:
- kernels with version below the current TPM version
do not get booted.
- if there is no kernel with the version equal or exceeding
the TPM kernel version value - boot in recovery mode.
- if both kernels' versions exceed the current TPM kernel
version value - verify that the BIOS bumps up the TPM kernel
version to the lowest of the two available kernels. (as of
now in this test both kernels have the same version number)
A new module is being introduced to support TPM testing.
There are two TPM NvRam spaces defined for ChromeOS devices,
one for the BIOS and another one for the kernel. The spaces,
among other things, contain version numbers to prevent
rollback attempts.
The new module allows reading the spaces' contents and
writing into them. Writing into the kernel space requires
the machine to be booted in recovery mode, writing into the
BIOS space (not yet tested) requires the machine to be
booted in developer mode.
On top of booting in these special modes, the TPM lock
needs to be disabled for the write operation to succeed.
This requires editing of the TPM upstart config file
(done in tpm_handler:TpmHandler:enable_write_access()),
which in turn requires the root file system to be writable
when booting in recovery mode. Hence the modifications in
runtests.sh which first enable read/write mount of
the USB flash hosting the root file system and then modify
the kernel command line to mount it rw when booting off
the USB device.
Change-Id: I3a44ae51830f3525f51f03611d8b72a7039c9169
BUG=chromium-os:1976
TEST=manual
- build packages and the image as modified
- install the new image on the device and restart it
- place an alternative firmware image in /tmp
- run the SAFT as follows:
/usr/sbin/firmware/saft/runtests.sh /tmp/<new firmware>.fd
- follow the prompts (unplug and plug the flash device as
required)
- observe SAFT to pass all 17 steps
- look for 'we are done' in /tmp/saft.log after test
completes
Committed: http://chrome-svn/viewvc/chromeos?view=rev&revision=3f200dc
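
The three rollback checks listed in the description can be written down as a small reference model that a test could compare observed behaviour against. This is an added example, not code from the CL, SAFT or the BIOS; versions are modelled as plain integers and every name in it (BootOutcome, expected_outcome, NORMAL, RECOVERY) is hypothetical.

```python
"""Reference model of the kernel rollback checks from the description.

Added illustration only: not SAFT or BIOS code. Versions are plain
integers and all names here are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Sequence

NORMAL = "normal"
RECOVERY = "recovery"


@dataclass(frozen=True)
class BootOutcome:
    mode: str            # NORMAL or RECOVERY
    bootable: List[int]  # indexes of the kernels allowed to boot
    tpm_version: int     # TPM kernel version after this boot


def expected_outcome(tpm_version: int, kernels: Sequence[int]) -> BootOutcome:
    """Return what the description says should happen for these kernels."""
    if not kernels:
        raise ValueError("at least one kernel version is required")

    # Check 1: a kernel below the stored TPM version is never booted.
    bootable = [i for i, v in enumerate(kernels) if v >= tpm_version]

    # Check 2: no kernel at or above the TPM version means recovery mode,
    # and the stored version is left alone.
    if not bootable:
        return BootOutcome(RECOVERY, [], tpm_version)

    # Check 3: when every kernel exceeds the TPM version, the stored
    # version is bumped to the lowest of the available kernels.
    if all(v > tpm_version for v in kernels):
        return BootOutcome(NORMAL, bootable, min(kernels))

    # Assumption: the description does not cover a mix of stale and
    # current kernels, so the model leaves the stored version unchanged.
    return BootOutcome(NORMAL, bootable, tpm_version)


if __name__ == "__main__":
    # Constructed sample inputs: (TPM kernel version, [kernel A, kernel B]).
    for tpm, kernels in [(3, [2, 2]), (3, [5, 5]), (3, [5, 4]), (3, [2, 3])]:
        print(tpm, kernels, expected_outcome(tpm, kernels))
```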
Patch Set 1 : Introduce TPM test support in SAFT.
Total comments: 8
Patch Set 2 : Addressed review comments.
Messages
Total messages: 3 (0 generated)