verification

package module
v0.0.0-...-e0c847c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 6, 2025 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Overview

Package verification provides verification tests for implementations of the DPE iRoT profile.

Index

Constants

This section is empty.

Variables

View Source 
var (
	OidExtensionSubjectKeyIdentifier   = asn1.ObjectIdentifier{2, 5, 29, 14}
	OidExtensionKeyUsage               = asn1.ObjectIdentifier{2, 5, 29, 15}
	OidExtensionAuthorityKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 35}
	OidExtensionBasicConstraints       = asn1.ObjectIdentifier{2, 5, 29, 19}
	OidExtensionExtKeyUsage            = asn1.ObjectIdentifier{2, 5, 29, 37}
	OidExtensionTcgDiceUeid            = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 4}
	OidExtensionTcgDiceMultiTcbInfo    = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 5}
	OidExtensionTcgDiceKpIdentityInit  = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 6}
	OidExtensionTcgDiceKpIdentityLoc   = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 7}
	OidExtensionTcgDiceKpAttestInit    = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 8}
	OidExtensionTcgDiceKpAttestLoc     = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 9}
	OidExtensionTcgDiceKpAssertInit    = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 10}
	OidExtensionTcgDiceKpAssertLoc     = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 11}
	OidExtensionTcgDiceKpEca           = asn1.ObjectIdentifier{2, 23, 133, 5, 4, 100, 12}
	OidSHA256                          = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
	OidSHA384                          = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
)

This file is used to test the certify key command.

View Source 
var AllTestCases = []TestCase{
	CertifyKeyTestCase,
	CertifyKeyCsrTestCase,
	CertifyKeySimulationTestCase,
	GetCertificateChainTestCase,
	TpmPolicySigningTestCase,
	RotateContextTestCase,
	RotateContextSimulationTestCase,
	SignAsymmetricTestCase,
	SignSimulationTestCase,
	GetProfileTestCase,
	InitializeContextTestCase,
	InitializeContextSimulationTestCase,
	InvalidHandleTestCase,
	WrongLocalityTestCase,
}

AllTestCases contains all DPE test cases

View Source 
var CertifyKeyCsrTestCase = TestCase{
	"CertifyKeyCsr", TestCertifyKeyCsr, []string{"AutoInit", "Csr"},
}

CertifyKeyCsrTestCase tests CertifyKey with type = CSR

View Source 
var CertifyKeySimulationTestCase = TestCase{
	"CertifyKeySimulation", TestCertifyKeySimulation, []string{"AutoInit", "Simulation", "X509"},
}

CertifyKeySimulationTestCase tests CertifyKey on Simulation mode contexts

View Source 
var CertifyKeyTestCase = TestCase{
	"CertifyKey", TestCertifyKey, []string{"AutoInit", "X509"},
}

CertifyKeyTestCase tests CertifyKey

View Source 
var DeriveContextInputFlagsTestCase = TestCase{
	"DeriveContext_InputFlagsSupport", TestInternalInputFlags, []string{"AutoInit", "InternalDice", "InternalInfo"},
}

DeriveContextInputFlagsTestCase tests DeriveContext with the input flags InternalDiceInfo and InternalInputInfo.

View Source 
var DeriveContextLocalityTestCase = TestCase{
	"DeriveContext_ChangeLocality", TestChangeLocality, []string{"AutoInit"},
}

DeriveContextLocalityTestCase tests DerivedContext with the ChangeLocality flag.

View Source 
var DeriveContextMaxTCIsTestCase = TestCase{
	"DeriveContext_MaxTCIs", TestMaxTCIs, []string{"AutoInit", "X509"},
}

DeriveContextMaxTCIsTestCase checks whether the number of derived contexts is limited by MAX_TCI_NODES attribute of the profile

View Source 
var DeriveContextPrivilegeEscalationTestCase = TestCase{
	"DeriveContext_PrivilegeEscalation", TestPrivilegesEscalation, []string{"AutoInit", "X509"},
}

DeriveContextPrivilegeEscalationTestCase tests that commands trying to use features that are unsupported by child context fail.

View Source 
var DeriveContextRecursiveOnDerivedContextsTestCase = TestCase{
	"DeriveContext_RecursiveOnDerivedContexts", TestDeriveContextRecursiveOnDerivedContexts, []string{"AutoInit", "Recursive", "RetainParentContext", "X509", "RotateContext"},
}

DeriveContextRecursiveOnDerivedContextsTestCase tests DeriveContext with the Recursive input flag on derived contexts

View Source 
var DeriveContextRecursiveTestCase = TestCase{
	"DeriveContext_Recursive", TestDeriveContextRecursive, []string{"AutoInit", "Recursive", "X509"},
}

DeriveContextRecursiveTestCase tests DeriveContext with the Recursive input flag

View Source 
var DeriveContextSimulationTestCase = TestCase{
	"DeriveContextSimulation", TestDeriveContextSimulation, []string{"AutoInit", "Simulation", "X509", "InternalDice", "InternalInfo", "RetainParentContext"},
}

DeriveContextSimulationTestCase tests DeriveContext with Simulation contexts

View Source 
var DeriveContextTestCase = TestCase{
	"DeriveContext", TestDeriveContext, []string{"AutoInit", "RetainParentContext"},
}

DeriveContextTestCase tests DeriveContext

View Source 
var GetCertificateChainTestCase = TestCase{
	"GetCertificateChain", TestGetCertificateChain, []string{"AutoInit", "X509"},
}

GetCertificateChainTestCase tests GetCertificateChain

View Source 
var GetProfileTestCase = TestCase{
	"GetProfile", TestGetProfile, []string{},
}

GetProfileTestCase tests GetProfile

View Source 
var InitializeContextSimulationTestCase = TestCase{
	"InitializeContextSimulation", TestInitializeSimulation, []string{"Simulation"},
}

InitializeContextSimulationTestCase tests InitializeContext in simulation mode

View Source 
var InitializeContextTestCase = TestCase{
	"InitializeContext", TestInitializeContext, []string{},
}

InitializeContextTestCase tests InitializeContext

View Source 
var InvalidHandle = client.ContextHandle{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}

InvalidHandle is a sample DPE handle which is very unlikely to be valid

View Source 
var InvalidHandleTestCase = TestCase{
	"CheckInvalidHandle", TestInvalidHandle, []string{"Simulation", "RotateContext"},
}

InvalidHandleTestCase tests various commands with invalid context handles

View Source 
var IrreversibleTestCases = []TestCase{
	DeriveContextTestCase,
	DeriveContextLocalityTestCase,
	DeriveContextPrivilegeEscalationTestCase,
	DeriveContextMaxTCIsTestCase,
	DeriveContextRecursiveTestCase,
	DeriveContextRecursiveOnDerivedContextsTestCase,
}

IrreversibleTestCases contains test cases that are not reversible.

View Source 
var RotateContextSimulationTestCase = TestCase{
	"RotateContextHandleSimulation", TestRotateContextHandleSimulation, []string{"Simulation", "RotateContext"},
}

RotateContextSimulationTestCase tests RotateContext with Simulation contexts

View Source 
var RotateContextTestCase = TestCase{
	"RotateContextHandle", TestRotateContextHandle, []string{"AutoInit", "RotateContext"},
}

RotateContextTestCase tests RotateContext

View Source 
var SignAsymmetricTestCase = TestCase{
	"Sign", TestAsymmetricSigning, []string{"AutoInit", "X509"},
}

SignAsymmetricTestCase tests Sign

View Source 
var SignSimulationTestCase = TestCase{
	"SignSimulation", TestSignSimulation, []string{"Simulation"},
}

SignSimulationTestCase tests Sign with Simulation contexts

View Source 
var TargetExe *string

TargetExe is the simulator executable to use for this test target

View Source 
var TcgDiceCriticalExtensions = [...]string{
	OidExtensionTcgDiceMultiTcbInfo.String(),
	OidExtensionTcgDiceUeid.String(),
}

TcgDiceCriticalExtensions are the OIDs of DICE extensions which must be marked as critical

View Source 
var TcgDiceExtendedKeyUsages = [...]string{
	OidExtensionTcgDiceKpIdentityLoc.String(),
	OidExtensionTcgDiceKpAttestLoc.String(),
}

TcgDiceExtendedKeyUsages are the DICE OIDs expected to be present in the DPE leaf EKU extension

View Source 
var TestDeriveContextCdiExportTestCase = TestCase{
	"DeriveContextCdiExport", TestDeriveContextCdiExport, []string{"CdiExport"},
}

TestDeriveContextCdiExportTestCase tests DeriveContext

View Source 
var TpmPolicySigningTestCase = TestCase{
	"TPMPolicySigning", TestTpmPolicySigning, []string{"AutoInit", "X509"},
}

TpmPolicySigningTestCase tests using DPE to satisfy TPM PolicySigned

View Source 
var UnsupportedCommand = TestCase{
	"CheckSupportForCommand", TestUnsupportedCommand, []string{"AutoInit"},
}

UnsupportedCommand tests calling unsupported commands

View Source 
var UnsupportedCommandFlag = TestCase{
	"CheckSupportForCommandFlag", TestUnsupportedCommandFlag, []string{"AutoInit", "RotateContext"},
}

UnsupportedCommandFlag tests calling unsupported commands flags

View Source 
var WrongLocalityTestCase = TestCase{
	"CheckWrongLocality", TestWrongLocality, []string{"AutoInit", "RotateContext"},
}

WrongLocalityTestCase tests various commands with invalid localities

Functions

func GetSimulatorTarget 

func GetSimulatorTarget(supportNeeded []string, targetExe string) client.TestDPEInstance

GetSimulatorTarget gets the simulator target

func RunTargetTestCases 

func RunTargetTestCases(target TestTarget, t *testing.T)

RunTargetTestCases runs all test cases for target

func TestAsymmetricSigning 

func TestAsymmetricSigning(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestAsymmetricSigning obtains and validates signature of asymmetric signing. Check whether the digital signature returned by Sign command can be verified using public key in signing key certificate returned by CertifyKey command.

func TestCertifyKey 

func TestCertifyKey(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestCertifyKey tests calling CertifyKey

func TestCertifyKeyCsr 

func TestCertifyKeyCsr(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestCertifyKeyCsr tests calling CeritifyKey with type = CSR

func TestCertifyKeySimulation 

func TestCertifyKeySimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestCertifyKeySimulation tests calling CertifyKey on simulation contexts

func TestChangeLocality 

func TestChangeLocality(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestChangeLocality validates DerivedChild command with ChangeLocality flag.

func TestDeriveContext 

func TestDeriveContext(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestDeriveContext tests calling DeriveContext with different arguments.

func TestDeriveContextCdiExport 

func TestDeriveContextCdiExport(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestDeriveContextCdiExport tests calling DeriveContext with CdiExport flag set.

func TestDeriveContextRecursive 

func TestDeriveContextRecursive(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestDeriveContextRecursive checks whether the DeriveContext command updates the current TCI and cumulative TCI when the recursive flag is set.

func TestDeriveContextRecursiveOnDerivedContexts 

func TestDeriveContextRecursiveOnDerivedContexts(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestDeriveContextRecursiveOnDerivedContexts tests the DeriveContext command with the recursive flag on derived child contexts.

func TestDeriveContextSimulation 

func TestDeriveContextSimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestDeriveContextSimulation tests calling DeriveContext in simulation context

func TestGetCertificateChain 

func TestGetCertificateChain(d client.TestDPEInstance, client client.DPEClient, t *testing.T)

TestGetCertificateChain tests calling GetCertificateChain

func TestGetProfile 

func TestGetProfile(d client.TestDPEInstance, client client.DPEClient, t *testing.T)

TestGetProfile tests calling GetProfile

func TestInitializeContext 

func TestInitializeContext(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestInitializeContext tests calling InitializeContext

func TestInitializeSimulation 

func TestInitializeSimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestInitializeSimulation tests calling InitializeContext simulation mode

func TestInternalInputFlags 

func TestInternalInputFlags(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestInternalInputFlags checks whether the DeriveContext input flags - InternalDiceInfo, InternalInputInfo are supported while creating child contexts when these features are supported in DPE profile.

func TestInvalidHandle 

func TestInvalidHandle(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestInvalidHandle checks whether error is reported when non-existent handle is passed as input to DPE commands. Exceptions are - GetProfile, InitializeContext, GetCertificateChain, commands which do not need context handle as input parameter.

func TestMaxTCIs 

func TestMaxTCIs(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestMaxTCIs Checks whether the number of derived contexts (TCI nodes) are limited by MAX_TCI_NODES attribute of the profile

func TestPrivilegesEscalation 

func TestPrivilegesEscalation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestPrivilegesEscalation checks the privilege escalation of child When commands try to make use of features that are unsupported by child context, they fail.

func TestRotateContextHandle 

func TestRotateContextHandle(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestRotateContextHandle tests the RotateContextHandle command

func TestRotateContextHandleSimulation 

func TestRotateContextHandleSimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestRotateContextHandleSimulation tests calling RotateContextHandle on simulation contexts

func TestSignSimulation 

func TestSignSimulation(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestSignSimulation checks command fails in simulated context because this context does not allow signing. This is because simulation context does not allow using context's private key.

func TestTpmPolicySigning 

func TestTpmPolicySigning(d dpe.TestDPEInstance, c dpe.DPEClient, t *testing.T)

TestTpmPolicySigning tests using DPE to satisfy TPM PolicySigned

func TestUnsupportedCommand 

func TestUnsupportedCommand(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestUnsupportedCommand checks whether error is reported while using commands that are turned off in DPE. DPE commands - RotateContextHandle requires support to be enabled in DPE profile before being called.

func TestUnsupportedCommandFlag 

func TestUnsupportedCommandFlag(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestUnsupportedCommandFlag checks whether error is reported while enabling command flags that are turned off in DPE. The DPE command may be available but some of its flags may not be supported by DPE. DPE profile supports the below attributes. Simulation : Allows caller to request for context initialization in simulation mode Csr : Allows caller to request the key cert in CSR format X509 : Allows caller to request the key cert in X509 format InternalInfo : Allows caller to derive child context with InternalInfo InternalDice : Allows caller to derive child context with InternalDice

func TestWrongLocality 

func TestWrongLocality(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

TestWrongLocality checks whether error is reported when caller from one locality issues DPE commands in another locality. Exceptions are - GetProfile, InitializeContext, GetCertificateChain, commands which do not need context handle as input and hence locality is irrelevant.

Types

type AuthorityKeyIdentifier 

type AuthorityKeyIdentifier struct {
	KeyIdentifier []byte `asn1:"optional,tag:0"`
}

type BasicConstraints 

type BasicConstraints struct {
	IsCA              bool `asn1`
	PathLenConstraint int  `asn1:"optional"`
}

BasicConstraints represents an X.509 BasicConstraints extension

type CertifyKeyParams 

type CertifyKeyParams struct {
	Label []byte
	Flags client.CertifyKeyFlags
}

CertifyKeyParams holds configurable parameters to CertifyKey for test-cases

type DiceTcbInfo 

type DiceTcbInfo struct {
	Vendor             string              `asn1:"optional,tag:0,utf8"`
	Model              string              `asn1:"optional,tag:1,utf8"`
	Version            string              `asn1:"optional,tag:2,utf8"`
	SVN                int                 `asn1:"optional,tag:3"`
	Layer              int                 `asn1:"optional,tag:4"`
	Index              int                 `asn1:"optional,tag:5"`
	Fwids              []Fwid              `asn1:"optional,tag:6"`
	Flags              OperationalFlag     `asn1:"optional,tag:7"`
	VendorInfo         []byte              `asn1:"optional,tag:8"`
	Type               []byte              `asn1:"optional,tag:9"`
	IntegrityRegisters []IntegrityRegister `asn1:"optional,tag:10"`
}

type DpeTestFunc 

type DpeTestFunc func(d client.TestDPEInstance, c client.DPEClient, t *testing.T)

DpeTestFunc is the function template that a DPE test case must implement

type Fwid 

type Fwid struct {
	HashAlg asn1.ObjectIdentifier
	Digest  []byte
}

Fwid represents a TCG DICE FWID structure

type IntegrityRegister 

type IntegrityRegister struct {
	RegisterName    string `asn1:"optional,tag:0,ia5"`
	RegisterNum     int    `asn1:"optional,tag:1"`
	RegisterDigests []Fwid `asn1:"optional,tag:2"`
}

type OperationalFlag 

type OperationalFlag int

OperationalFlag represents the TCBInfo Operational Flags field 

const (
	NotConfigured OperationalFlag = iota
	NotSecure
	Debug
	Recovery
)

TCG spec-defined operational flags

type SubjectKeyIdentifier 

type SubjectKeyIdentifier = []byte

type TcgMultiTcbInfo 

type TcgMultiTcbInfo = []DiceTcbInfo

TcgMultiTcbInfo represents a sequence of TCBInfos

type TcgUeidExtension 

type TcgUeidExtension struct {
	Ueid []uint8 `asn1:"ueid,implicit"`
}

TcgUeidExtension is tcg-dice-Ueid OBJECT IDENTIFIER ::= {tcg-dice 4} 

TcgUeid ::== SEQUENCE {
		ueid OCTET STRING
}

type TestCase 

type TestCase struct {
	Name          string
	Run           DpeTestFunc
	SupportNeeded []string
}

TestCase is metadata for a DPE test case

type TestTarget 

type TestTarget struct {
	Name      string
	D         client.TestDPEInstance
	TestCases []TestCase
}

TestTarget is a client.TestDPEInstance and corresponding list of test cases to run against that target.

func GetSimulatorTargets 

func GetSimulatorTargets() []TestTarget

GetSimulatorTargets gets different simulator targets with different support vectors to run the verification tests against

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.