Skip to content

Commit

Permalink
Add DeriveContext recursive=true verification tests
Browse files Browse the repository at this point in the history
These are just the old ExtendTci tests with a few changes.
  • Loading branch information
sree-revoori1 authored and jhand2 committed Feb 16, 2024
1 parent 79f1f85 commit 5c9f6ed
Show file tree
Hide file tree
Showing 3 changed files with 197 additions and 1 deletion.
174 changes: 174 additions & 0 deletions verification/testing/deriveContext.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,11 @@
package verification

import (
"bytes"
"crypto/sha256"
"crypto/sha512"
"errors"
"hash"
"testing"

"github.com/chipsalliance/caliptra-dpe/verification/client"
Expand Down Expand Up @@ -308,3 +312,173 @@ func TestDeriveContextSimulation(d client.TestDPEInstance, c client.DPEClient, t
}
handle = &resp.NewContextHandle
}

// TestDeriveContextRecursive checks whether the DeriveContext command updates the current TCI
// and cumulative TCI when the recursive flag is set.
func TestDeriveContextRecursive(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
var err error
useSimulation := false // To indicate that simulation context is not used

// Get default context handle
handle := getInitialContextHandle(d, c, t, useSimulation)

// Get digest size
profile, err := client.GetTransportProfile(d)
if err != nil {
t.Fatalf("[FATAL]: Could not get profile: %v", err)
}
digestLen := profile.GetDigestSize()

tciValue := make([]byte, digestLen)
for i := range tciValue {
tciValue[i] = byte(i)
}

handle, tcbInfo, err := getTcbInfoForHandle(c, handle)
if err != nil {
t.Fatal(err)
}
lastCumulative := tcbInfo.Fwids[1].Digest

// Set current TCI value
_, err = c.DeriveContext(handle,
tciValue,
client.DeriveContextFlags(client.Recursive),
0, 0)
if err != nil {
t.Fatalf("[FATAL]: Could not set TCI value: %v", err)
}

// Check current and cumulative measurement by CertifyKey
expectedCumulative := computeExpectedCumulative(lastCumulative, tciValue)
verifyMeasurements(c, t, handle, tciValue, expectedCumulative)
}

// TestDeriveContextRecursiveOnDerivedContexts tests the DeriveContext command with
// the recursive flag on derived child contexts.
func TestDeriveContextRecursiveOnDerivedContexts(d client.TestDPEInstance, c client.DPEClient, t *testing.T) {
useSimulation := false // To indicate that simulation context is not used

// Get default context handle
handle := getInitialContextHandle(d, c, t, useSimulation)

// Get digest size
profile, err := client.GetTransportProfile(d)
if err != nil {
t.Fatalf("[FATAL]: Could not get profile: %v", err)
}
digestLen := profile.GetDigestSize()

// Initialize TCI inputs
tciValue := make([]byte, digestLen)
for i := range tciValue {
tciValue[i] = byte(i + 1)
}

extendTciValue := make([]byte, digestLen)
for i := range extendTciValue {
extendTciValue[i] = byte(i + 2)
}

// Preserve parent context to restore for subsequent tests.
parentHandle, err := c.RotateContextHandle(handle, client.RotateContextHandleFlags(0))
if err != nil {
t.Errorf("[ERROR]: Error while rotating parent context handle, this may cause failure in subsequent tests: %s", err)
}

// Change parent back to default context
defer func() {
_, err = c.RotateContextHandle(parentHandle, client.RotateContextHandleFlags(client.TargetIsDefault))
if err != nil {
t.Errorf("[ERROR]: Error while restoring parent context handle as default context handle, this may cause failure in subsequent tests: %s", err)
}
}()

// DeriveContext with input data, tag it and check TCI_CUMULATIVE
childCtx, err := c.DeriveContext(parentHandle, tciValue, client.DeriveContextFlags(client.RetainParentContext|client.InputAllowX509), 0, 0)
if err != nil {
t.Fatalf("[FATAL]: Error while creating default child handle in default context: %s", err)
}

childHandle := &childCtx.NewContextHandle
parentHandle = &childCtx.ParentContextHandle

// Clean up contexts
defer func() {
err := c.DestroyContext(childHandle)
if err != nil {
t.Errorf("[ERROR]: Error while cleaning up derived context, this may cause failure in subsequent tests: %s", err)
}
}()

childHandle, childTcbInfo, err := getTcbInfoForHandle(c, childHandle)
if err != nil {
t.Fatalf("[FATAL]: Could not get TcbInfo: %v", err)
}

if !bytes.Equal(childTcbInfo.Fwids[0].Digest, tciValue) {
t.Errorf("[ERROR]: Got current TCI %x, expected %x", childTcbInfo.Fwids[0].Digest, tciValue)
}

// Check TCI_CUMULATIVE after creating child context
wantCumulativeTCI := computeExpectedCumulative(make([]byte, digestLen), childTcbInfo.Fwids[0].Digest)
if !bytes.Equal(childTcbInfo.Fwids[1].Digest, wantCumulativeTCI) {
t.Errorf("[ERROR]: Child node's cumulative TCI %x, expected %x", childTcbInfo.Fwids[1].Digest, wantCumulativeTCI)
}

// Set current TCI value
lastCumulative := childTcbInfo.Fwids[1].Digest
resp, err := c.DeriveContext(childHandle,
extendTciValue,
client.DeriveContextFlags(client.Recursive),
0, 0)
if err != nil {
t.Fatalf("[FATAL]: Could not set TCI value: %v", err)
}
childHandle = &resp.ParentContextHandle

childHandle, childTcbInfo, err = getTcbInfoForHandle(c, childHandle)
if err != nil {
t.Fatalf("[FATAL]: Could not get TcbInfo: %v", err)
}

if !bytes.Equal(childTcbInfo.Fwids[0].Digest, extendTciValue) {
t.Errorf("[ERROR]: Got current TCI %x, expected %x", childTcbInfo.Fwids[0].Digest, extendTciValue)
}

wantCumulativeTCI = computeExpectedCumulative(lastCumulative, extendTciValue)
if !bytes.Equal(childTcbInfo.Fwids[1].Digest, wantCumulativeTCI) {
t.Errorf("[ERROR]: Child node's cumulative TCI %x, expected %x", childTcbInfo.Fwids[1].Digest, wantCumulativeTCI)
}
}

func computeExpectedCumulative(lastCumulative []byte, tciValue []byte) []byte {
var hasher hash.Hash
digestLen := len(lastCumulative)
if digestLen == 32 {
hasher = sha256.New()
} else if digestLen == 48 {
hasher = sha512.New384()
}
hasher.Write(lastCumulative)
hasher.Write(tciValue)
return hasher.Sum(nil)
}

func verifyMeasurements(c client.DPEClient, t *testing.T, handle *client.ContextHandle, expectedCurrent []byte, expectedCumulative []byte) {
handle, tcbInfo, err := getTcbInfoForHandle(c, handle)
if err != nil {
t.Fatal(err)
}

// Check that the last TcbInfo current/cumulative are as expected
current := tcbInfo.Fwids[0].Digest
cumulative := tcbInfo.Fwids[1].Digest
if !bytes.Equal(current, expectedCurrent) {
t.Errorf("[ERROR]: Unexpected TCI_CURRENT digest, want %v but got %v", expectedCurrent, current)
}

if !bytes.Equal(cumulative, expectedCumulative) {
t.Errorf("[ERROR]: Unexpected cumulative TCI value, want %v but got %v", expectedCumulative, cumulative)
}
}
12 changes: 11 additions & 1 deletion verification/testing/simulator.go
Original file line number Diff line number Diff line change
Expand Up @@ -255,7 +255,7 @@ func GetSimulatorTargets() []TestTarget {
},
{
"DefaultSupport",
getTestTarget([]string{"AutoInit", "Simulation", "X509", "Csr", "IsCA", "RotateContext", "Recursive", "IsSymmetric"}),
getTestTarget([]string{"AutoInit", "Simulation", "X509", "Csr", "IsCA", "RotateContext", "Recursive", "IsSymmetric", "RetainParentContext"}),
AllTestCases,
},
{
Expand Down Expand Up @@ -368,6 +368,16 @@ func GetSimulatorTargets() []TestTarget {
getTestTarget([]string{"AutoInit", "Simulation"}),
[]TestCase{DeriveContextLocalityTestCase},
},
{
"DeriveContext_Recursive",
getTestTarget([]string{"AutoInit", "Recursive", "X509"}),
[]TestCase{DeriveContextRecursiveTestCase},
},
{
"DeriveContext_RecursiveOnDerivedContexts",
getTestTarget([]string{"AutoInit", "Recursive", "RetainParentContext", "X509", "RotateContext"}),
[]TestCase{DeriveContextRecursiveOnDerivedContextsTestCase},
},
}
}

Expand Down
12 changes: 12 additions & 0 deletions verification/testing/verification.go
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,16 @@ var DeriveContextInputFlagsTestCase = TestCase{
"DeriveContext_InputFlagsSupport", TestInternalInputFlags, []string{"AutoInit", "InternalDice", "InternalInfo"},
}

// DeriveContextRecursiveTestCase tests DeriveContext with the Recursive input flag
var DeriveContextRecursiveTestCase = TestCase{
"DeriveContext_Recursive", TestDeriveContextRecursive, []string{"AutoInit", "Recursive", "X509"},
}

// DeriveContextRecursiveOnDerivedContextsTestCase tests DeriveContext with the Recursive input flag on derived contexts
var DeriveContextRecursiveOnDerivedContextsTestCase = TestCase{
"DeriveContext_RecursiveOnDerivedContexts", TestDeriveContextRecursiveOnDerivedContexts, []string{"AutoInit", "Recursive", "RetainParentContext", "X509", "RotateContext"},
}

// AllTestCases contains all DPE test cases
var AllTestCases = []TestCase{
CertifyKeyTestCase,
Expand All @@ -166,6 +176,8 @@ var IrreversibleTestCases = []TestCase{
DeriveContextLocalityTestCase,
DeriveContextPrivilegeEscalationTestCase,
DeriveContextMaxTCIsTestCase,
DeriveContextRecursiveTestCase,
DeriveContextRecursiveOnDerivedContextsTestCase,
}

// RunTargetTestCases runs all test cases for target
Expand Down

0 comments on commit 5c9f6ed

Please sign in to comment.