dasharo-security/secure-boot.robot: Add OS Secure Boot PK enrollment test

Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>

Author: miczyg1

dasharo-security/secure-boot.robot

@@ -43,7 +43,6 @@ SBO001.001 Check Secure Boot default state (firmware)
     [Documentation]    This test aims to verify that Secure Boot state after
     ...    flashing the platform with the Dasharo firmware is
     ...    correct.
-    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SBO001.001 not supported
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    SBO001.001 not supported
     Power On
     ${setup_menu}=    Enter Setup Menu Tianocore And Return Construction
@@ -60,7 +59,6 @@ SBO002.001 UEFI Secure Boot (Ubuntu)
     [Documentation]    This test verifies that Secure Boot can be enabled from
     ...    boot menu and, after the DUT reset, it is seen from
     ...    the OS.
-    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SBO002.001 not supported
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    SBO002.001 not supported
 
     # 1. Make sure that SB is enabled
@@ -97,7 +95,6 @@ SBO002.002 UEFI Secure Boot (Windows)
     [Documentation]    This test verifies that Secure Boot can be enabled from
     ...    boot menu and, after the DUT reset, it is seen from
     ...    the OS.
-    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SBO002.002 not supported
     Skip If    not ${TESTS_IN_WINDOWS_SUPPORT}    SBO002.002 not supported
 
     # 1. Make sure that SB is enabled
@@ -133,7 +130,6 @@ SBO002.002 UEFI Secure Boot (Windows)
 SBO003.001 Attempt to boot file with the correct key from Boot Maintenance Manager (firmware)
     [Documentation]    This test verifies that Secure Boot allows booting a
     ...    signed file with a correct key.
-    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SBO004.001 not supported
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    SBO004.001 not supported
     Power On
     ${sb_menu}=    Enter Secure Boot Menu And Return Construction
@@ -158,7 +154,6 @@ SBO003.001 Attempt to boot file with the correct key from Boot Maintenance Manag
 SBO004.001 Attempt to boot file without the key from Boot Maintenance Manager (firmware)
     [Documentation]    This test verifies that Secure Boot blocks booting a file
     ...    without a key.
-    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SBO004.001 not supported
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    SBO004.001 not supported
     # 1. Make sure that SB is enabled
     Power On
@@ -176,7 +171,6 @@ SBO004.001 Attempt to boot file without the key from Boot Maintenance Manager (f
 SBO005.001 Attempt to boot file with the wrong-signed key from Boot Maintenance Manager (firmware)
     [Documentation]    This test verifies that Secure Boot disallows booting
     ...    a signed file with a wrong-signed key.
-    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SBO005.001 not supported
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    SBO005.001 not supported
     # 1. Make sure that SB is enabled
     Power On
@@ -194,7 +188,6 @@ SBO005.001 Attempt to boot file with the wrong-signed key from Boot Maintenance
 SBO006.001 Reset Secure Boot Keys option availability (firmware)
     [Documentation]    This test verifies that the Reset Secure Boot Keys
     ...    option is available
-    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SBO006.001 not supported
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    SBO006.001 not supported
     Power On
     ${setup_menu}=    Enter Setup Menu Tianocore And Return Construction
@@ -210,7 +203,6 @@ SBO006.001 Reset Secure Boot Keys option availability (firmware)
 SBO007.001 Attempt to boot the file after restoring keys to default (firmware)
     [Documentation]    This test verifies that restoring the keys to default
     ...    removes any custom added certificates.
-    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SBO007.001 not supported
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    SBO007.001 not supported
     Power On
     ${sb_menu}=    Enter Secure Boot Menu And Return Construction
@@ -249,7 +241,6 @@ SBO007.001 Attempt to boot the file after restoring keys to default (firmware)
 SBO008.001 Attempt to enroll the key in the incorrect format (firmware)
     [Documentation]    This test verifies that it is impossible to load
     ...    a certificate in the wrong file format.
-    Skip If    not ${TESTS_IN_FIRMWARE_SUPPORT}    SBO008.001 not supported
     Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    SBO008.001 not supported
     # 1. Make sure that SB is enabled
     Power On
@@ -264,6 +255,124 @@ SBO008.001 Attempt to enroll the key in the incorrect format (firmware)
     Select File In File Explorer    cert_fake.der
     Read From Terminal Until    ERROR: Unsupported file type!
 
+SBO009.001 Attempt to enroll and delete new PK key in OS (Ubuntu)
+    [Documentation]    This test verifies that it is impossible to load
+    ...    a certificate in the wrong file format.
+    Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    SBO009.001 not supported
+    # 1. Make sure that SB is enabled and default keys enrolled.
+    Power On
+    ${sb_menu}=    Enter Secure Boot Menu And Return Construction
+    ${advanced_menu}=    Enter Advanced Secure Boot Keys Management And Return Construction    ${sb_menu}
+    Reset To Default Secure Boot Keys    ${advanced_menu}
+    # 2. Delete PK so that we can enroll a new one in OS
+    Enter PK Options And Delete PK    ${advanced_menu}
+    # Let the flash operation be finished before resetting
+    Sleep    1
+    Tianocore Reset System
+    # Now boot to the OS
+    Boot System Or From Connected Disk    ${ENV_ID_UBUNTU}
+    Login To Linux
+    Switch To Root User
+    # The magic starts here...
+    # Check if we are in SetupMode
+    ${out}=    Read Secure Boot Variable    SetupMode
+    ${setup_mode}=    Convert To Integer    ${out}
+    IF    ${setup_mode} != 1    Fail    Secure Boot not in setup mode
+    # Generate a new PK key and enroll the new PK. Setup mode should be cleared
+    Generate New PK Key Set
+    ${status}=    Enroll New PK From OS
+    IF    ${status} != 0    Fail    Could not enroll new PK from OS
+    ${out}=    Read Secure Boot Variable    SetupMode
+    ${setup_mode}=    Convert To Integer    ${out}
+    IF    ${setup_mode} != 0    Fail    Secure Boot not in user mode
+    # Attempt to delete PK. We should get back to Setup Mode
+    ${status}=    Enroll New PK From OS    noPK.auth
+    IF    ${status} != 0    Fail    Could not delete PK from OS
+    ${out}=    Read Secure Boot Variable    SetupMode
+    ${setup_mode}=    Convert To Integer    ${out}
+    IF    ${setup_mode} != 1    Fail    Secure Boot not in setup mode
+
+SBO009.002 Attempt to change existing PK key in OS (Ubuntu)
+    [Documentation]    This test verifies that it is impossible to load
+    ...    a certificate in the wrong file format.
+    Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    SBO009.002 not supported
+    # 1. Make sure that SB is enabled and default keys enrolled.
+    Power On
+    ${sb_menu}=    Enter Secure Boot Menu And Return Construction
+    ${advanced_menu}=    Enter Advanced Secure Boot Keys Management And Return Construction    ${sb_menu}
+    Reset To Default Secure Boot Keys    ${advanced_menu}
+    # 2. Delete PK so that we can enroll a new one in OS
+    Enter PK Options And Delete PK    ${advanced_menu}
+    # Let the flash operation be finished before resetting
+    Sleep    1
+    Tianocore Reset System
+    # Now boot to the OS
+    Boot System Or From Connected Disk    ${ENV_ID_UBUNTU}
+    Login To Linux
+    Switch To Root User
+    # The magic starts here...
+    # Check if we are in SetupMode
+    ${out}=    Read Secure Boot Variable    SetupMode
+    ${setup_mode}=    Convert To Integer    ${out}
+    IF    ${setup_mode} != 1    Fail    Secure Boot not in setup mode
+    # Generate a new PK key and enroll the new PK. Setup mode should be cleared
+    Generate New PK Key Set
+    ${status}=    Enroll New PK From OS
+    IF    ${status} != 0    Fail    Could not enroll new PK from OS
+    ${out}=    Read Secure Boot Variable    SetupMode
+    ${setup_mode}=    Convert To Integer    ${out}
+    IF    ${setup_mode} != 0    Fail    Secure Boot not in user mode
+    # Attempt to change PK.
+    Generate New PK Key Set    newPK
+    # Sign the new PK signature list with existing PK
+    Execute Command In Terminal
+    ...    sign-efi-sig-list -k PK.key -c PK.crt PK newPK.esl newPK.auth
+    ${status}=    Enroll New PK From OS    newPk.auth
+    IF    ${status} != 0    Fail    Could not change PK from OS
+    ${out}=    Read Secure Boot Variable    SetupMode
+    ${setup_mode}=    Convert To Integer    ${out}
+    IF    ${setup_mode} != 0    Fail    Secure Boot not in user mode
+
+SBO009.003 Attempt to change PK with incorrectly signed PK in OS (Ubuntu)
+    [Documentation]    This test verifies that it is impossible to load
+    ...    a certificate in the wrong file format.
+    Skip If    not ${TESTS_IN_UBUNTU_SUPPORT}    SBO009.003 not supported
+    # 1. Make sure that SB is enabled and default keys enrolled.
+    Power On
+    ${sb_menu}=    Enter Secure Boot Menu And Return Construction
+    ${advanced_menu}=    Enter Advanced Secure Boot Keys Management And Return Construction    ${sb_menu}
+    Reset To Default Secure Boot Keys    ${advanced_menu}
+    # 2. Delete PK so that we can enroll a new one in OS
+    Enter PK Options And Delete PK    ${advanced_menu}
+    # Let the flash operation be finished before resetting
+    Sleep    1
+    Tianocore Reset System
+    # Now boot to the OS
+    Boot System Or From Connected Disk    ${ENV_ID_UBUNTU}
+    Login To Linux
+    Switch To Root User
+    # The magic starts here...
+    # Check if we are in SetupMode
+    ${out}=    Read Secure Boot Variable    SetupMode
+    ${setup_mode}=    Convert To Integer    ${out}
+    IF    ${setup_mode} != 1    Fail    Secure Boot not in setup mode
+    # Generate a new PK key and enroll the new PK. Setup mode should be cleared
+    Generate New PK Key Set
+    ${status}=    Enroll New PK From OS
+    IF    ${status} != 0    Fail    Could not enroll new PK from OS
+    ${out}=    Read Secure Boot Variable    SetupMode
+    ${setup_mode}=    Convert To Integer    ${out}
+    IF    ${setup_mode} != 0    Fail    Secure Boot not in user mode
+    # Attempt to change PK but do not sign it with current PK.
+    Generate New PK Key Set    newPK
+    ${status}=    Enroll New PK From OS    newPK.auth
+    IF    ${status} == 0
+        Fail    Unauthorized PK has been enrolled successfully
+    END
+    ${out}=    Read Secure Boot Variable    SetupMode
+    ${setup_mode}=    Convert To Integer    ${out}
+    IF    ${setup_mode} != 0    Fail    Secure Boot not in user mode
+
 
 *** Keywords ***
 Set Secure Boot State To Disabled

lib/secure-boot-lib.robot

@@ -18,6 +18,56 @@ ${BAD_FORMAT_URL}=          https://cloud.3mdeb.com/index.php/s/AsBnATiHTZQ6jae/
 ${BAD_FORMAT_NAME}=         bad_format.img
 ${BAD_FORMAT_SHA256}=       59d17bc120dfd0f2e6948a2bfdbdf5fb06eddcb44f9a053a8e7b8f677e21858c
 
+${EFIVARFS}=                /sys/firmware/efi/efivars
+${EFI_GLOBAL_VAR_GUID}=     8be4df61-93ca-11d2-aa0d-00e098032b8c
+${SECURE_BOOT_DB_GUID}=     d719b2cb-3d3a-4596-a3bc-dad00e67656f
+
+&{PK_VAR}=                  varname=PK
+...                         guid=${EFI_GLOBAL_VAR_GUID}
+...                         length=0
+&{KEK_VAR}=                 varname=KEK
+...                         guid=${EFI_GLOBAL_VAR_GUID}
+...                         length=0
+&{DB_VAR}=                  varname=db
+...                         guid=${SECURE_BOOT_DB_GUID}
+...                         length=0
+&{DBX_VAR}=                 varname=dbx
+...                         guid=${SECURE_BOOT_DB_GUID}
+...                         length=0
+&{DBT_VAR}=                 varname=dbt
+...                         guid=${SECURE_BOOT_DB_GUID}
+...                         length=0
+&{PK_DEFAULT_VAR}=          varname=PKDefault
+...                         guid=${EFI_GLOBAL_VAR_GUID}
+...                         length=0
+&{KEK_DEFAULT_VAR}=         varname=KEKDefault
+...                         guid=${EFI_GLOBAL_VAR_GUID}
+...                         length=0
+&{DB_DEFAULT_VAR}=          varname=dbDefault
+...                         guid=${SECURE_BOOT_DB_GUID}
+...                         length=0
+&{DBX_DEFAULT_VAR}=         varname=dbxDefault
+...                         guid=${SECURE_BOOT_DB_GUID}
+...                         length=0
+&{DBT_DEFAULT_VAR}=         varname=dbtDefault
+...                         guid=${SECURE_BOOT_DB_GUID}
+...                         length=0
+&{SECURE_BOOT_VAR}=         varname=SecureBoot
+...                         guid=${EFI_GLOBAL_VAR_GUID}
+...                         length=1
+&{SETUP_MODE_VAR}=          varname=SetupMode
+...                         guid=${EFI_GLOBAL_VAR_GUID}
+...                         length=1
+&{VENDOR_KEYS_VAR}=         varname=VendorKeys
+...                         guid=${EFI_GLOBAL_VAR_GUID}
+...                         length=1
+
+@{SB_VAR_LIST}=             &{PK_VAR}    &{KEK_VAR}    &{DB_VAR}    &{DBX_VAR}
+...                         &{PK_DEFAULT_VAR}    &{KEK_DEFAULT_VAR}
+...                         &{DB_DEFAULT_VAR}    &{DBX_DEFAULT_VAR}
+...                         &{SECURE_BOOT_VAR}    &{SETUP_MODE_VAR}
+...                         &{VENDOR_KEYS_VAR}
+
 
 *** Keywords ***
 Get Secure Boot Menu Construction
@@ -272,3 +322,93 @@ Restore Secure Boot Defaults
         Enable Secure Boot    ${sb_menu}
     END
     # Changes to Secure Boot take action immediately, so we can just continue
+
+Enter PK Options And Delete PK
+    [Documentation]    Enters Advanced Secure Boot Keys Management menu and
+    ...    then PK Options, and deletes PK. Keyword assumes PK is present.
+    [Arguments]    ${advanced_menu}
+    ${pk_opts_menu}=    Enter Submenu From Snapshot And Return Construction
+    ...    ${advanced_menu}
+    ...    PK Options
+    ...    opt_only=${TRUE}
+    Should Contain    ${pk_opts_menu}    > Enroll PK
+    # Bug in EDK2, 'K' in Pk is small in this string
+    Should Contain Match    ${pk_opts_menu}    Delete Pk [*
+    # Select Delete PK
+    Press Key N Times And Enter    1    ${ARROW_DOWN}
+    # Consume pop-up and confirm action
+    Read From Terminal Until    Are you sure you want to delete PK?
+    Read From Terminal Until    discard change and return
+    Write Bare Into Terminal    y
+
+Generate New PK Key Set
+    [Documentation]    Creates a set of file required to manage PK via OS.
+    [Arguments]    ${basename}=PK
+    VAR    ${keygen_cmd}=
+    ...    openssl req -new -x509 -newkey rsa:2048 -subj \"/CN\=PK/\"
+    ...    -keyout ${basename}.key -out ${basename}.crt -days 3650 -nodes -sha256
+    ...    separator=${SPACE}
+    VAR    ${pk_sign_cmd}=
+    ...    sign-efi-sig-list -t "$(date --date\='1 second' +'%Y-%m-%d %H:%M:%S')"
+    ...    -k ${basename}.key -c ${basename}.crt PK ${basename}.esl ${basename}.auth
+    ...    separator=${SPACE}
+    VAR    ${no_pk_sign_cmd}=
+    ...    sign-efi-sig-list -t "$(date --date\='1 second' +'%Y-%m-%d %H:%M:%S')"
+    ...    -k ${basename}.key -c ${basename}.crt PK /dev/null no${basename}.auth
+    ...    separator=${SPACE}
+    Execute Command In Terminal    ${keygen_cmd}
+    Execute Command In Terminal    cert-to-efi-sig-list ${basename}.crt ${basename}.esl
+    # Enrolling new keys may fail if we try to use these files too quickly.
+    # Timestamp verification may fail.
+    Sleep    2s
+    Execute Command In Terminal    ${pk_sign_cmd}
+    Sleep    2s
+    Execute Command In Terminal    ${no_pk_sign_cmd}
+    Sleep    3s
+
+Get SB Variable Info
+    [Documentation]    Returns the GUID for given Secure Boot variable name.
+    [Arguments]    ${varname}
+    FOR    ${var}    IN    @{SB_VAR_LIST}
+        IF    '${var.varname}' == '${varname}'    RETURN    ${var}
+    END
+    Fail    Invalid Secure Boot Variable Name
+
+Read Secure Boot Variable
+    [Documentation]    Reads a Secure Boot variable via efivarfs
+    [Arguments]    ${var}    ${n_bytes}=0
+    ${var_info}=    Get SB Variable Info    ${var}
+    # Check if the file even exists
+    ${status}=    Execute Command In Terminal
+    ...    test -f ${EFIVARFS}/${var}-${var_info.guid}; echo $?
+    ${status}=    Convert To Integer    ${status}
+    IF    ${status} != 0    RETURN    ${EMPTY}
+    # If 0 bytes to read, read whole file, skipping the 4 first bytes
+    # indicating attribute
+    IF    ${n_bytes} == 0
+        ${ret}=    Execute Command In Terminal
+        ...    xxd -p -s +4 ${EFIVARFS}/${var}-${var_info.guid}
+    ELSE
+        # It is safe to read more than the length of the variable. 'tail' will
+        # simply return all bytes of the variable, including attribute.
+        ${ret}=    Execute Command In Terminal
+        ...    tail -c ${n_bytes} ${EFIVARFS}/${var}-${var_info.guid} | xxd -p
+    END
+    RETURN    ${ret}
+
+Enroll New PK From OS
+    [Documentation]    Enrolls a new PK from file.
+    [Arguments]    ${pk_auth_file}=PK.auth
+    ${status}=    Execute Command In Terminal
+    ...    test -f ${EFIVARFS}/${PK_VAR.varname}-${PK_VAR.guid}; echo $?
+    ${status}=    Convert To Integer    ${status}
+    # Disable immutability attribute of the file in OS
+    IF    ${status} == 0
+        Execute Command In Terminal
+        ...    chattr -i ${EFIVARFS}/${PK_VAR.varname}-${PK_VAR.guid}
+    END
+    ${out}=    Execute Command In Terminal
+    ...    efi-updatevar -f ${pk_auth_file} PK
+    ${status}=    Execute Command In Terminal    echo $?
+    ${status}=    Convert To Integer    ${status}
+    RETURN    ${status}