1# Copyright 2017 The Chromium OS Authors. All rights reserved. 2# Use of this source code is governed by a BSD-style license that can be 3# found in the LICENSE file. 4 5import logging 6 7from autotest_lib.client.common_lib import error 8from autotest_lib.server import autotest, test 9from autotest_lib.client.common_lib.cros import tpm_utils 10 11 12class firmware_Cr50InvalidateRW(test.test): 13 """ 14 Verify the inactive Cr50 header on the first login after cryptohome 15 restarts. 16 17 There are two special cases this test covers: logging in after the TPM 18 owner is cleared and logging in as guest. 19 20 After the tpm owner is cleared, corrupting the header will be done on 21 the second login. During guest login the owner wont be cleared. 22 """ 23 version = 1 24 25 GET_CRYPTOHOME_MESSAGE ='grep cryptohomed /var/log/messages' 26 SUCCESS = 'Successfully invalidated inactive Cr50 RW' 27 FAIL = 'Invalidating inactive Cr50 RW failed' 28 NO_ATTEMPT = 'Did not try to invalidate header' 29 LOGIN_ATTEMPTS = 5 30 31 def initialize(self, host): 32 super(firmware_Cr50InvalidateRW, self).initialize() 33 34 self.host = host 35 self.client_at = autotest.Autotest(self.host) 36 37 self.last_message = None 38 # get the messages already in /var/log/messages so we don't use them 39 # later. 40 self.check_for_invalidated_rw() 41 42 43 def check_for_invalidated_rw(self): 44 """Use /var/log/messages to see if the rw header was invalidated. 45 46 Returns a string NO_ATTEMPT if cryptohome did not try to invalidate the 47 header or the cryptohome message if the attempt failed or succeeded. 48 """ 49 # Get the relevant messages from /var/log/messages 50 message_str = self.host.run(self.GET_CRYPTOHOME_MESSAGE, 51 verbose=False).stdout.strip() 52 53 # Remove the messages we have seen in the past 54 if self.last_message: 55 message_str = message_str.rsplit(self.last_message, 1)[-1] 56 messages = message_str.split('\n') 57 58 # Save the last message so we can identify new messages later 59 self.last_message = messages[-1] 60 61 rv = self.NO_ATTEMPT 62 # print all cryptohome messages. 63 for message in messages: 64 logging.debug(message) 65 # Return the message that is related to the RW invalidate attempt 66 if self.FAIL in message or self.SUCCESS in message: 67 rv = message 68 return rv 69 70 71 def login(self, use_guest): 72 """Run the test to login.""" 73 if use_guest: 74 self.client_at.run_test('login_CryptohomeIncognito') 75 else: 76 self.client_at.run_test('login_LoginSuccess') 77 78 79 def login_and_verify(self, use_guest=False, corrupt_login=None): 80 """Verify the header is only invalidated on the specified login. 81 82 login LOGIN_ATTEMPTS times. Verify that cryptohome only tries to corrupt 83 the inactive cr50 header on the specified login. If it tries on a 84 different login or fails to corrupt the header, raise an error. 85 86 Args: 87 use_guest: True to login as guest 88 corrupt_login: The login attempt that we expect the header to be 89 corrupted on 90 91 Raises: 92 TestError if the system attempts to corrupt the header on any login 93 that isn't corrupt_login or if an attepmt to corrupt the header 94 fails. 95 """ 96 for i in xrange(self.LOGIN_ATTEMPTS): 97 attempt = i + 1 98 99 self.login(use_guest) 100 result = self.check_for_invalidated_rw() 101 102 message = '%slogin %d: %s' % ('guest ' if use_guest else '', 103 attempt, result) 104 logging.info(message) 105 106 # Anytime the invalidate attempt fails raise an error 107 if self.FAIL in result: 108 raise error.TestError(message) 109 110 # The header should be invalidated only on corrupt_login. Raise 111 # an error if it was invalidated on some other login or if 112 # cryptohome did not try on the first one. 113 if (attempt == corrupt_login) != (self.SUCCESS in result): 114 raise error.TestError('Unexpected result %s' % message) 115 116 117 def restart_cryptohome(self): 118 """Restart cryptohome 119 120 Cryptohome only sends the command to corrupt the header once. Once it 121 has been sent it wont be sent again until cryptohome is restarted. 122 """ 123 self.host.run('restart cryptohomed') 124 125 126 def clear_tpm_owner(self): 127 """Clear the tpm owner.""" 128 logging.info('Clearing the TPM owner') 129 tpm_utils.ClearTPMOwnerRequest(self.host) 130 131 132 def after_run_once(self): 133 """Print the run information after each successful run""" 134 logging.info('finished run %d', self.iteration) 135 136 137 def run_once(self, host): 138 # After clearing the tpm owner the header will be corrupted on the 139 # second login 140 self.clear_tpm_owner() 141 self.login_and_verify(corrupt_login=2) 142 143 # The header is corrupted on the first login after cryptohome is reset 144 self.restart_cryptohome() 145 self.login_and_verify(corrupt_login=1) 146 147 # Cryptohome is reset after reboot 148 self.host.reboot() 149 self.login_and_verify(corrupt_login=1) 150 151 # The header is not corrupted after guest login, but will be corrupted 152 # on the first login after that. 153 self.restart_cryptohome() 154 self.login_and_verify(use_guest=True) 155 self.login_and_verify(corrupt_login=1) 156