BBSR(R101_BBSR) added check for default SecureBoot vars (#81)

- Added new assertions, which queries for PKDefault, KEKDefault, DBDefault and DBXDefault variables, check their presence and verifies whether attributes are correctly set as per UEFI spec. Signed-off-by: Amrathesh <[email protected]>
ARM-software · Sep 3, 2024 · c5ca05a · c5ca05a
1 parent 0db5c21
commit c5ca05a
Show file tree

Hide file tree

Showing 3 changed files with 108 additions and 4 deletions.
diff --git a/bbsr/sct-tests/SecureBoot/BlackBoxTest/Guid.h b/bbsr/sct-tests/SecureBoot/BlackBoxTest/Guid.h
@@ -2,7 +2,7 @@
 
   Copyright 2006 - 2016 Unified EFI, Inc.<BR>
   Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-  Copyright 2021, Arm LTD.
+  Copyright 2021 - 2024, Arm Ltd.
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
@@ -75,6 +75,18 @@ extern EFI_GUID gSecureBootVariableAttributesBbTestAssertionGuid007;
 
 extern EFI_GUID gSecureBootVariableAttributesBbTestAssertionGuid008;
 
+#define EFI_TEST_SECUREBOOTVARIABLEATTRIBUTES_ASSERTION_009_GUID \
+{0xaba4f85b, 0x7b07, 0x4e6b, {0x93, 0xa6, 0x29, 0x19, 0x8d, 0x50, 0x89, 0x34} }
+
+#define EFI_TEST_SECUREBOOTVARIABLEATTRIBUTES_ASSERTION_010_GUID \
+{0xbfa3ad10, 0x1c20, 0x48e5, {0x9d, 0x0d, 0x1c, 0x1b, 0x0b, 0x3d, 0xc2, 0x7b} }
+
+#define EFI_TEST_SECUREBOOTVARIABLEATTRIBUTES_ASSERTION_011_GUID \
+{0xaf0d74e7, 0xa36c, 0x4b07, {0x95, 0xf9, 0xdb, 0x6a, 0x24, 0xac, 0xe1, 0x7f} }
+
+#define EFI_TEST_SECUREBOOTVARIABLEATTRIBUTES_ASSERTION_012_GUID \
+{0xdc5c7717, 0xed10, 0x476c, {0xb6, 0x5e, 0x6e, 0x00, 0x9e, 0xe0, 0x03, 0x23} }
+
 #define EFI_TEST_SECUREBOOTVARIABLEUPDATES_ASSERTION_001_GUID \
 { 0xd2073163, 0xedb0, 0x4d6b, {0xba, 0x8f, 0x5c, 0x61, 0x16, 0xc1, 0x59, 0x2c }}
 
@@ -217,4 +229,4 @@ extern EFI_GUID gSecureBootImageLoadingBbTestAssertionGuid019;
 #define EFI_TEST_SECUREBOOTIMAGELOADING_ASSERTION_020_GUID \
 { 0x523e5c4b, 0x789b, 0x4283, {0xb9, 0x5e, 0x04, 0x1f, 0x28, 0x70, 0x3a, 0x30}}
 
-extern EFI_GUID gSecureBootImageLoadingBbTestAssertionGuid020;
+extern EFI_GUID gSecureBootImageLoadingBbTestAssertionGuid020;
diff --git a/bbsr/sct-tests/SecureBoot/BlackBoxTest/SecureBootBBTestMain.h b/bbsr/sct-tests/SecureBoot/BlackBoxTest/SecureBootBBTestMain.h
@@ -2,7 +2,7 @@
 
   Copyright 2006 - 2016 Unified EFI, Inc.<BR>
   Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-  Copyright 2021, 2023, Arm LTD.
+  Copyright 2021 - 2024, Arm Ltd.
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
@@ -43,6 +43,15 @@ Module Name:
 
 #define SECURE_BOOT_BB_TEST_REVISION    0x00010000
 
+#define DEF_SECURE_VARS_NUM 4
+#define MAX_VAR_NAME_LEN    1024
+
+typedef struct {
+  CHAR16    Name[MAX_VAR_NAME_LEN];
+  UINT32   Attributes;
+  EFI_GUID TestAssertionGuid;
+} VARIABLE_DATA;
+
 #define SECURE_BOOT_BB_TEST_GUID        \
   { 0xCBADA58E, 0xA1AA, 0x45DF, {0xBD, 0xDF, 0xF9, 0xBA, 0x12, 0x92, 0xF8, 0x87 }}
 

diff --git a/bbsr/sct-tests/SecureBoot/BlackBoxTest/VariableAttributesBBTest.c b/bbsr/sct-tests/SecureBoot/BlackBoxTest/VariableAttributesBBTest.c
@@ -2,7 +2,7 @@
 
   Copyright 2006 - 2012 Unified EFI, Inc.<BR>
   Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-  Copyright 2021, 2023 Arm LTD.
+  Copyright 2021 - 2024, Arm Ltd.
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
@@ -37,6 +37,17 @@ Module Name:
 #define DB_ATTRIBUTES (EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
 #define DBX_ATTRIBUTES (EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
 
+VARIABLE_DATA DefSecureBootVarArray[DEF_SECURE_VARS_NUM] = {
+  {L"PKDefault",   (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS),
+   EFI_TEST_SECUREBOOTVARIABLEATTRIBUTES_ASSERTION_009_GUID},
+  {L"KEKDefault",  (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS),
+   EFI_TEST_SECUREBOOTVARIABLEATTRIBUTES_ASSERTION_010_GUID},
+  {L"dbDefault",   (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS),
+   EFI_TEST_SECUREBOOTVARIABLEATTRIBUTES_ASSERTION_011_GUID},
+  {L"dbxDefault",  (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS),
+   EFI_TEST_SECUREBOOTVARIABLEATTRIBUTES_ASSERTION_012_GUID},
+};
+
 //
 // Prototypes (external)
 //
@@ -79,6 +90,8 @@ VariableAttributesTest(
   UINTN                               DataSize;
   UINT8                               Data[MAX_BUFFER_SIZE];
   UINT32                              Attributes;
+  VOID                                *DataPtr;
+  UINT32                              Index;
 
   //
   // Get test support library interfaces
@@ -373,6 +386,76 @@ VariableAttributesTest(
                  Attributes, DB_ATTRIBUTES
                  );
 
+  // verify implementation of default secureboot variables
+  Result = EFI_TEST_ASSERTION_PASSED;
+  for (Index = 0; Index < DEF_SECURE_VARS_NUM; Index++) {
+    // discover buffer size required
+    DataSize = 0;
+    DataPtr     = NULL;
+    Status = gtRT->GetVariable (
+                          DefSecureBootVarArray[Index].Name,
+                          &gEfiGlobalVariableGuid,
+                          &Attributes,
+                          &DataSize,
+                          DataPtr
+                          );
+
+    if (Status == EFI_BUFFER_TOO_SMALL) {
+      gtBS->AllocatePool (
+                  EfiBootServicesData,
+                  DataSize,
+                  (VOID **) &DataPtr
+                  );
+
+      Status = gtRT->GetVariable (
+                          DefSecureBootVarArray[Index].Name,
+                          &gEfiGlobalVariableGuid,
+                          &Attributes,
+                          &DataSize,
+                          DataPtr
+                          );
+    }
+
+    if (Status == EFI_SUCCESS) {
+      // check the attributes
+      if (Attributes != DefSecureBootVarArray[Index].Attributes) {
+        Result   = EFI_TEST_ASSERTION_FAILED;
+        StandardLib->RecordMessage (
+                    StandardLib,
+                    EFI_VERBOSE_LEVEL_DEFAULT,
+                    L"Variable Name: %s, Variable Attribute: 0x%08x, Expected Attribute: 0x%08x\n",
+                    DefSecureBootVarArray[Index].Name,
+                    Attributes,
+                    DefSecureBootVarArray[Index].Attributes
+                    );
+      }
+    } else {
+      Result   = EFI_TEST_ASSERTION_FAILED;
+      StandardLib->RecordMessage (
+                    StandardLib,
+                    EFI_VERBOSE_LEVEL_DEFAULT,
+                    L"Failed to fetch Variable = %s, Status = 0x%x\n",
+                    DefSecureBootVarArray[Index].Name,
+                    Status
+                    );
+    }
+
+    // Record assertion
+    StandardLib->RecordAssertion (
+                  StandardLib,
+                  Result,
+                  DefSecureBootVarArray[Index].TestAssertionGuid,
+                  L"BBSR Check Default SecureBoot Variable",
+                  L"%s :%a:%d:Status - %r",
+                  DefSecureBootVarArray[Index].Name,
+                  __FILE__,
+                  (UINTN)__LINE__,
+                  Status
+                  );
+    // reset the Result for next iteration
+    Result = EFI_TEST_ASSERTION_PASSED;
+  }
+
   //
   // Trace ...
   //