diff --git a/dasharo-security/sovereign-boot.robot b/dasharo-security/sovereign-boot.robot new file mode 100644 index 0000000000..5e4ee64376 --- /dev/null +++ b/dasharo-security/sovereign-boot.robot @@ -0,0 +1,203 @@ +*** Settings *** +Library Collections +Library OperatingSystem +Library Process +Library String +Library Telnet timeout=20 seconds connection_timeout=120 seconds +Library SSHLibrary timeout=90 seconds +Library RequestsLibrary +Resource ../keywords.robot +Resource ../keys.robot +Resource ../variables.robot + +Suite Setup Run Keywords +... Prepare Test Suite +... AND +... Skip If not ${SOVEREIGN_BOOT_SUPPORT} Sovereign Boot tests not supported +Suite Teardown Run Keyword +... Log Out And Close Connection +# This must be in Test Setup, not Suite Setup, because of a known problem +# with QEMU: https://github.com/Dasharo/open-source-firmware-validation/issues/132 +Test Setup Run Keyword If ${TESTS_IN_FIRMWARE_SUPPORT} +... Restore Initial DUT Connection Method + + +*** Variables *** +${SET_SV_BOOT_PROVISIONED_CMD}= setvar SvBootConfig -guid B57031B9-1ABB-45F8-A9CB-AC5AAD72AD31 -bs -nv \=0101 + + +*** Test Cases *** +SVB001.001 Sovereign Boot Wizard shows up on first boot + [Documentation] This test aims to verify that wizard is launched on + ... first boot. + Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SVB001.001 not supported + Power On + ${out}= Read From Terminal Until Sovereign Boot Provisioning Wizard + Should Not Contain ${out} ${TIANOCORE_STRING} + +SVB001.002 Sovereign Boot Wizard shows up after settings reset + [Documentation] This test aims to verify that wizard is launched after + ... settings reset. + Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SVB001.002 not supported + Power On + Read From Terminal Until Sovereign Boot Provisioning Wizard + Read From Terminal Until restored default system settings. + ${menu}= Get Menu Construction Esc=Exit 0 1 + # Read the remaining part of the menu + Read From Terminal + # We should check if [Exit] exists, but the menu is so small, that it has to be scrolled + Press Key N Times 1 ${ESC} + # Pressing ESC will get us to setup + ${menu}= Get Setup Menu Construction + # Boot to Shell and emulate provisioned state. Will be removed in later phases of the project + Enter UEFI Shell From Setup ${menu} + Execute UEFI Shell Command ${SET_SV_BOOT_PROVISIONED_CMD} + # Reset the system + Tianocore Reset System + # From now on we can use generic keywords + Enter Setup Menu Tianocore + Reset To Defaults Tianocore + Save Changes And Reset + ${out}= Read From Terminal Until Sovereign Boot Provisioning Wizard + +SVB001.003 Sovereign Boot Wizard shows up after first boot option verification fails + [Documentation] This test aims to verify that wizard is launched after + ... settings reset. + Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SVB001.003 not supported + # FIXME: doesn't work on QEMU, start QEMU with DTS already mounted! + # Mount USB Disk Image ${TEST_DATA_DIR}/dts/dts-base-image-v2.1.3.wic + Power On + Read From Terminal Until Sovereign Boot Provisioning Wizard + Read From Terminal Until restored default system settings. + ${menu}= Get Menu Construction Esc=Exit 0 1 + # Read the remaining part of the menu + Read From Terminal + # We should check if [Exit] exists, but the menu is so small, that it has to be scrolled + Press Key N Times 1 ${ESC} + # Pressing ESC will get us to setup + ${menu}= Get Setup Menu Construction + # Boot to Shell and emulate provisioned state. Will be removed in later phases of the project + Enter UEFI Shell From Setup ${menu} + Execute UEFI Shell Command ${SET_SV_BOOT_PROVISIONED_CMD} + # Reset the system + Tianocore Reset System + ${sb_menu}= Enter Secure Boot Menu And Return Construction + Enable Secure Boot ${sb_menu} + # Save Changes And Reset + # Changes to Secure Boot menu takes action immediately, so we can just reset + Tianocore Reset System + # Now the DTS should fail to boot + # TODO: Ensure the veri first boot option is really unsigned. On real HW it may need to set + # DTS as first boot option beforehand. + Read From Terminal Until Sovereign Boot Provisioning Wizard + Read From Terminal Until boot an untrusted image. + ${menu}= Get Menu Construction Esc=Exit 0 1 + # Read the remaining part of the menu + Read From Terminal + Press Key N Times 1 ${ESC} + # UEFI Boot Manager should print information about Secure Boot status and image verification status + Read From Terminal Until Secure Boot is enabled. + Read From Terminal Until The image signature is invalid or missing! + +SVB002.001 Sovereign Boot Wizard disable option works + [Documentation] This test aims to verify that wizard disable option works. + Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SVB002.001 not supported + Power On + # Sovereign Boot should be provisioend at this point, use generic keyword. + ${sb_menu}= Enter Secure Boot Menu And Return Construction + # Remove line that is not an option + ${sv_index}= Get Index From List ${sb_menu} *** Sovereign Boot Options *** + Remove From List ${sb_menu} ${sv_index} + ${changed}= Set Option State ${sb_menu} Enable Sovereign Boot ${FALSE} + IF ${changed} == ${TRUE} + # Changing Sovereign Boot state to disabled issues a special popup + Read From Terminal Until Disabling Sovereign Boot will restore default Secure Boot Keys & databases. + Read From Terminal Until Are you sure? + # Confirm the choice + Press Enter + # Wait until the popup disappears + Get Secure Boot Menu Construction + ELSE + Fail "Sovereign Boot should be enabled at this point" + END + Tianocore Reset System + # We should be able to boot straight to setup with prompts when wizard is disabled + ${sb_menu}= Enter Secure Boot Menu And Return Construction + ${sv_index}= Get Index From List ${sb_menu} *** Sovereign Boot Options *** + Remove From List ${sb_menu} ${sv_index} + List Should Not Contain Value ${sb_menu} > Launch Sovereign Boot Wizard + ${changed}= Set Option State ${sb_menu} Enable Sovereign Boot ${FALSE} + Should Not Be True ${changed} + +SVB002.002 Sovereign Boot Wizard enable option works + [Documentation] This test aims to verify that wizard enable option works. + Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SVB002.002 not supported + Power On + ${sb_menu}= Enter Secure Boot Menu And Return Construction + # Remove line that is not an option + ${sv_index}= Get Index From List ${sb_menu} *** Sovereign Boot Options *** + Remove From List ${sb_menu} ${sv_index} + ${changed}= Set Option State ${sb_menu} Enable Sovereign Boot ${TRUE} + IF ${changed} == ${TRUE} + # Changing Sovereign Boot state to enabled takes action immediately + Tianocore Reset System + ELSE + Fail "Sovereign Boot should be disabled at this point" + END + # Sovereign boot welcome string should appear again + Read From Terminal Until Sovereign Boot Provisioning Wizard + Read From Terminal Until restored default system settings. + ${menu}= Get Menu Construction Esc=Exit 0 1 + # Read the remaining part of the menu + Read From Terminal + # We should check if [Exit] exists, but the menu is so small, that it has to be scrolled + Press Key N Times 1 ${ESC} + # Pressing ESC will get us to setup + ${menu}= Get Setup Menu Construction + ${sb_menu}= Enter Secure Boot Menu From Setup ${menu} + List Should Contain Value ${sb_menu} > Launch Sovereign Boot Wizard + +SVB003.001 Sovereign Boot Wizard parses boot options correctly + Skip If not ${TESTS_IN_FIRMWARE_SUPPORT} SVB003.001 not supported + Power On + Read From Terminal Until Sovereign Boot Provisioning Wizard + Read From Terminal Until scheme you would like to use: + ${menu}= Get Menu Construction Esc=Exit 0 1 + # No default selection here, just one press to go to SOvereign Boot configuration view + Press Key N Times And Enter 1 ${ARROW_DOWN} + Read From Terminal Until A new bootloader/key has been detected. + ${out}= Read From Terminal Until Esc=Exit + # TODO: check the Bootorder and Boot#### variables to get a list of expected boot options + Should Contain ${out} Description: Dasharo Tools Suite (on QEMU HARDDISK) + Should Contain ${out} File path: \\EFI\\DTS\\grubx64.efi + # Press Enter to do not trust the key and move to the next bootloader + Press Enter + ${out}= Read From Terminal Until Esc=Exit + Should Contain ${out} Description: QEMU HARDDISK + Should Contain ${out} File path: \\EFI\\BOOT\\BOOTX64.EFI + # Now there should be no more bootloaders found + Press Enter + Read From Terminal Until No more bootloaders found. + Read From Terminal Until Press ENTER to continue ... + Press Enter + # Remove it later once the proper flow is implemented + Read From Terminal Until Sovereign Boot is already provisioned. + + +*** Keywords *** +Enter UEFI Shell From Setup + [Arguments] ${setup_menu} + ${boot_menu}= Enter Submenu From Snapshot And Return Construction ${setup_menu} One Time Boot + Set Prompt For Terminal Shell> + Enter Submenu From Snapshot ${boot_menu} UEFI Shell + Read From Terminal Until Prompt + Sleep 1s + +Enter Secure Boot Menu From Setup + [Arguments] ${setup_menu} + ${device_mgr_menu}= Enter Submenu From Snapshot And Return Construction + ... ${setup_menu} + ... Device Manager + Enter Submenu From Snapshot ${device_mgr_menu} Secure Boot Configuration + ${sb_menu}= Get Secure Boot Menu Construction + RETURN ${sb_menu} diff --git a/lib/usb-hid-msc-lib.robot b/lib/usb-hid-msc-lib.robot index 3bbeae1c8e..b4e51a54e4 100644 --- a/lib/usb-hid-msc-lib.robot +++ b/lib/usb-hid-msc-lib.robot @@ -25,7 +25,7 @@ Mount USB Disk Image # FXIME: Currently works only for QEMU and PiKVM. Remove when support for # other methods is added. - IF "${MANUFACTURER}" != "QEMU" or "${DUT_CONNECTION_METHOD}" != "pikvm" + IF "${MANUFACTURER}" != "QEMU" and "${DUT_CONNECTION_METHOD}" != "pikvm" RETURN END diff --git a/platform-configs/include/default.robot b/platform-configs/include/default.robot index 8185049415..069228525e 100644 --- a/platform-configs/include/default.robot +++ b/platform-configs/include/default.robot @@ -199,6 +199,7 @@ ${UEFI_PASSWORD_SUPPORT}= ${FALSE} ${HAS_SUPERIO_SERIAL}= ${FALSE} ${INTEL_CBNT_SUPPORT}= ${FALSE} ${INTEL_CBNT_STATUS_MENU_SUPPORT}= ${FALSE} +${SOVEREIGN_BOOT_SUPPORT}= ${FALSE} # Test module: dasharo-performance ${SERIAL_BOOT_MEASURE}= ${FALSE} diff --git a/platform-configs/qemu.robot b/platform-configs/qemu.robot index 8950e5258f..9c530c46cc 100644 --- a/platform-configs/qemu.robot +++ b/platform-configs/qemu.robot @@ -83,6 +83,9 @@ ${AUTO_BOOT_TIME_OUT_DEFAULT_VALUE}= 0 # Test module: dasharo-stability ${CAPSULE_UPDATE_SUPPORT}= ${TRUE} +# Test module: dasharo-security +${SOVEREIGN_BOOT_SUPPORT}= ${TRUE} + *** Keywords *** Power On