coreboot-redundant-boot: Add slot A protection test

dasharo-stability/coreboot-redundant-boot.robot

@@ -5,18 +5,19 @@ Library             String
 Resource            ../variables.robot
 Resource            ../keywords.robot
 
-Suite Setup         Run Keyword
+Suite Setup         Run Keywords
 ...                     Prepare Test Suite
+...                     AND    Skip If    not ${COREBOOT_REDUNDANT_BOOT_SUPPORT}
 Suite Teardown      Run Keyword
 ...                     Log Out And Close Connection
 
 Default Tags        automated
 
 
 *** Variables ***
-${NVRAM_ATTEMPT_B_FLAG}=        attempt_slot_b    # TBD
-${NVRAM_ATTEMPT_B_FLAG_SET}=    Enable    # TBD
-${NVRAM_ATTEMPT_B_FLAG_CLR}=    Disable    # TBD
+${NVRAM_ATTEMPT_B_FLAG}=        attempt_slot_b
+${NVRAM_ATTEMPT_B_FLAG_SET}=    Enable
+${NVRAM_ATTEMPT_B_FLAG_CLR}=    Disable
 
 
 *** Test Cases ***
@@ -76,6 +77,33 @@ CRB003.201 Boot Slot A After Clearing Attempt Slot B Flag (Ubuntu)
     Switch To Root User
     Should Have Booted From Slot    COREBOOT
 
+CRB004.201 Slot A Protection (Ubuntu)
+    [Documentation]    Check if the coreboot Slot A is protected with the
+    ...    redundant boot feature turned on.
+    Skip If
+    ...    ${COREBOOT_REDUNDANT_BOOT_BOOTBLOCK_OFFSET} is ${None}
+    ...    ${COREBOOT_REDUNDANT_BOOT_BOOTBLOCK_OFFSET} not defined, skipping test
+    Power On
+    Boot System Or From Connected Disk    ${ENV_ID_UBUNTU}
+    Login To Linux
+    Switch To Root User
+    Set Attempt Slot B Flag    ${TRUE}
+    Execute Reboot Command
+
+    Boot System Or From Connected Disk    ${ENV_ID_UBUNTU}
+    Login To Linux
+    Switch To Root User
+
+    Verify Region Range Protected    # BOOTBLOCK
+    ...    BIOS
+    ...    ${COREBOOT_REDUNDANT_BOOT_BOOTBLOCK_OFFSET.start}
+    ...    ${COREBOOT_REDUNDANT_BOOT_BOOTBLOCK_OFFSET.end}
+
+    Verify Region Range Protected    # COREBOOT
+    ...    BIOS
+    ...    ${COREBOOT_REDUNDANT_BOOT_COREBOOT_OFFSET.start}
+    ...    ${COREBOOT_REDUNDANT_BOOT_COREBOOT_OFFSET.end}
+
 
 *** Keywords ***
 Set Attempt Slot B Flag
@@ -93,7 +121,6 @@ Set Attempt Slot B Flag
 Should Have Booted From Slot
     [Arguments]    ${slot}
     ${slot}=    Convert To Lower Case    ${slot}
-    # TBD - will this show slot B?
     ${out}=    Execute Command In Terminal    cbmem -c | grep "Booting from"
     ${out}=    Convert To Lower Case    ${out}
     ${out}=    Strip String    ${out}

lib/flash.robot

@@ -191,3 +191,73 @@ Read Firmware
     ELSE
         Fail    Read firmware not implemented for platform config ${CONFIG}
     END
+
+Get Flashrom Regions
+    ${output}=    Execute Command In Terminal    flashrom -p internal
+    ${lines}=    Split To Lines    ${output}
+    VAR    &{dict}=    &{EMPTY}
+    FOR    ${l}    IN    @{lines}
+        ${m}=    Get Regexp Matches
+        ...    ${l}
+        ...    FREG[0-9]+: (.+) region \\((0x[0-9a-f]+)-(0x[0-9a-f]+)\\) is (.+)
+        ...    1
+        ...    2
+        ...    3
+        ...    4
+        IF    ${m} != []
+            VAR    &{region}=    start=${m[0][1]}    end=${m[0][2]}    state=${m[0][3]}
+            Set To Dictionary    ${dict}    ${m[0][0]}=${region}
+        END
+    END
+    RETURN    ${dict}
+
+Get Flashrom Readonly Offsets
+    ${output}=    Execute Command In Terminal    flashrom -p internal
+    ${lines}=    Split To Lines    ${output}
+    VAR    @{list}=    @{EMPTY}
+    FOR    ${l}    IN    @{lines}
+        ${m}=    Get Regexp Matches    ${l}    Warning: (0x[0-9a-f]+)-(0x[0-9a-f]+) is read-only    1    2
+        IF    ${m} != []
+            VAR    &{region}=    start=${m[0][0]}    end=${m[0][1]}
+            Append To List    ${list}    ${region}
+        END
+    END
+    RETURN    ${list}
+
+Calculate Expected Flashrom Readonly Region
+    [Tags]    robot:private
+    [Arguments]    ${region_name}    ${start_offset}    ${end_offset}
+    ${flashrom_regions}=    Get Flashrom Regions
+    ${bios_start}=    Get From Dictionary    ${flashrom_regions['${region_name}']}    start
+    ${bios_end}=    Get From Dictionary    ${flashrom_regions['${region_name}']}    end
+    ${expected_readonly_start}=    Evaluate    hex(${bios_start} + ${COREBOOT_REDUNDANT_BOOT_BOOTBLOCK_OFFSET.start})
+    ${expected_readonly_end}=    Evaluate    hex(${bios_start} + ${COREBOOT_REDUNDANT_BOOT_BOOTBLOCK_OFFSET.end})
+    VAR    &{expected_readonly}=    start=${expected_readonly_start}    end=${expected_readonly_end}
+    RETURN    ${expected_readonly}
+
+Verify Region Range Protected
+    [Arguments]    ${region_name}    ${expected_start}    ${expected_end}
+    ${readonly_regions}=    Get Flashrom Readonly Offsets
+    IF    len(${readonly_regions}) == 0
+        Fail    No readonly regions found in flashrom output
+    END
+
+    ${expected_readonly_bootblock}=    Calculate Expected Flashrom Readonly Region
+    ...    region_name=${region_name}
+    ...    start_offset=${expected_start}
+    ...    end_offset=${expected_end}
+
+    VAR    ${expected_readonly_found}=    ${FALSE}
+    FOR    ${region}    IN    @{readonly_regions}
+        Log To Console    Found readonly region: ${region}
+        Log To Console    Expected readonly region: ${expected_readonly_bootblock}
+        ${start_matches}=    Evaluate    int(${region['start']}) == int(${expected_readonly_bootblock['start']})
+        ${end_matches}=    Evaluate    int(${region['end']}) == int(${expected_readonly_bootblock['end']})
+        IF    ${start_matches} and ${end_matches}
+            VAR    ${expected_readonly_found}=    ${TRUE}
+            BREAK
+        END
+    END
+    IF    not ${expected_readonly_found}
+        Fail    Expected readonly region ${expected_readonly_bootblock} not found in flashrom output
+    END

platform-configs/include/default.robot

@@ -199,6 +199,9 @@ ${POWERSHELL_STR_INTERNAL_IN}=                      Microphone Array (Realtek(R)
 ${POWERSHELL_STR_HEADSET_OUT}=                      ${POWERSHELL_STR_INTERNAL_OUT}
 ${POWERSHELL_STR_HEADSET_IN}=                       Microphone (Realtek(R) Audio)
 ${POWERSHELL_STR_HDMI_OUT}=                         Audio Driver for Display Audio
+${COREBOOT_REDUNDANT_BOOT_SUPPORT}=                 ${FALSE}
+${COREBOOT_REDUNDANT_BOOT_BOOTBLOCK_OFFSET}=        ${NONE}
+${COREBOOT_REDUNDANT_BOOT_COREBOOT_OFFSET}=         ${NONE}
 
 # Test module: dasharo-security
 ${TPM_SUPPORTED_VERSION}=                           ${NONE}

platform-configs/protectli-vp6650.robot

@@ -3,41 +3,45 @@ Resource    include/protectli-vp66xx.robot
 
 
 *** Variables ***
-${INITIAL_DUT_CONNECTION_METHOD}=       Telnet
-${DUT_CONNECTION_METHOD}=               ${INITIAL_DUT_CONNECTION_METHOD}
-${INITIAL_CPU_FREQUENCY}=               1100
-${DEF_CORES_PER_SOCKET}=                2
-${DEF_THREADS_PER_CORE}=                2
-${DEF_THREADS_TOTAL}=                   4
-${DEF_ONLINE_CPU}=                      0-3
-${DEF_SOCKETS}=                         1
-
-${POWER_CTRL}=                          sonoff
-${WIFI_CARD_UBUNTU}=                    Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter
-${LTE_CARD}=                            ${TBD}
-${DEVICE_NVME_DISK}=                    Non-Volatile memory controller
-${USB_MODEL}=                           SanDisk
-
-${DMIDECODE_PRODUCT_NAME}=              VP6650
-${HAS_E_CORES}=                         ${TRUE}
-
-${CPU_MIN_FREQUENCY}=                   400
-${CPU_MAX_FREQUENCY}=                   4400
-${PLATFORM_CPU_SPEED}=                  2.50
-${PLATFORM_RAM_SPEED}=                  4200
-${PLATFORM_RAM_SIZE}=                   4209492
-
-@{ETH_PERF_PAIR_2_G}=                   enp5s0    enp6s0
-@{ETH_PERF_PAIR_10_G}=                  enp2s0f0np0    enp2s0f1np1
-
-@{ETH_PORTS}=                           64-62-66-22-84-f5
-...                                     64-62-66-22-84-f6
-...                                     64-62-66-22-84-f7
-...                                     64-62-66-22-84-f8
-
-${SATA_SUPPORT}=                        ${True}
-${TESTS_IN_XCP_NG_SUPPORT}=             ${True}
-@{TESTED_LINUX_DISTROS}=                ${ENV_ID_UBUNTU}    ${ENV_ID_XCP_NG}
+${INITIAL_DUT_CONNECTION_METHOD}=               Telnet
+${DUT_CONNECTION_METHOD}=                       ${INITIAL_DUT_CONNECTION_METHOD}
+${INITIAL_CPU_FREQUENCY}=                       1100
+${DEF_CORES_PER_SOCKET}=                        2
+${DEF_THREADS_PER_CORE}=                        2
+${DEF_THREADS_TOTAL}=                           4
+${DEF_ONLINE_CPU}=                              0-3
+${DEF_SOCKETS}=                                 1
+
+${POWER_CTRL}=                                  sonoff
+${WIFI_CARD_UBUNTU}=                            Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter
+${LTE_CARD}=                                    ${TBD}
+${DEVICE_NVME_DISK}=                            Non-Volatile memory controller
+${USB_MODEL}=                                   SanDisk
+
+${DMIDECODE_PRODUCT_NAME}=                      VP6650
+${HAS_E_CORES}=                                 ${TRUE}
+
+${CPU_MIN_FREQUENCY}=                           400
+${CPU_MAX_FREQUENCY}=                           4400
+${PLATFORM_CPU_SPEED}=                          2.50
+${PLATFORM_RAM_SPEED}=                          4200
+${PLATFORM_RAM_SIZE}=                           4209492
+
+@{ETH_PERF_PAIR_2_G}=                           enp5s0    enp6s0
+@{ETH_PERF_PAIR_10_G}=                          enp2s0f0np0    enp2s0f1np1
+
+@{ETH_PORTS}=                                   64-62-66-22-84-f5
+...                                             64-62-66-22-84-f6
+...                                             64-62-66-22-84-f7
+...                                             64-62-66-22-84-f8
+
+${SATA_SUPPORT}=                                ${True}
+${TESTS_IN_XCP_NG_SUPPORT}=                     ${True}
+@{TESTED_LINUX_DISTROS}=                        ${ENV_ID_UBUNTU}    ${ENV_ID_XCP_NG}
+
+# TODO - define in platform configs depending on platforms fmap
+${COREBOOT_REDUNDANT_BOOT_BOOTBLOCK_OFFSET}=    ${None}
+${COREBOOT_REDUNDANT_BOOT_COREBOOT_OFFSET}=     ${None}
 
 
 *** Keywords ***