Software APIs
ownership_unlock_unittest.cc
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #include "sw/device/silicon_creator/lib/ownership/ownership_unlock.h"
6 
7 #include <stdint.h>
8 
9 #include "gmock/gmock.h"
10 #include "gtest/gtest.h"
11 #include "sw/device/lib/base/global_mock.h"
12 #include "sw/device/lib/base/hardened.h"
13 #include "sw/device/silicon_creator/lib/boot_data.h"
14 #include "sw/device/silicon_creator/lib/boot_svc/mock_boot_svc_header.h"
15 #include "sw/device/silicon_creator/lib/drivers/mock_hmac.h"
16 #include "sw/device/silicon_creator/lib/drivers/mock_lifecycle.h"
17 #include "sw/device/silicon_creator/lib/drivers/mock_rnd.h"
18 #include "sw/device/silicon_creator/lib/error.h"
19 #include "sw/device/silicon_creator/lib/ownership/datatypes.h"
20 #include "sw/device/silicon_creator/lib/ownership/mock_ownership_key.h"
21 #include "sw/device/silicon_creator/lib/ownership/owner_block.h"
22 #include "sw/device/silicon_creator/testing/rom_test.h"
23 
24 namespace {
25 using ::testing::_;
26 using ::testing::Return;
27 using ::testing::SetArgPointee;
28 
29 /*
30  * The OwnershipUnlockTest fixture provides a pre-initialized bootdata and
31  * boot_svc_msg with relevant values filled in. The tests will have to
32  * modify some of these values (ie: ownership_state or the unlock request
33  * type) to test the various code-paths in the ownership unlock module.
34  */
35 class OwnershipUnlockTest : public rom_test::RomTest {
36  protected:
37  boot_data_t bootdata_ = {
38  .nonce = {1, 2},
39  .ownership_state = kOwnershipStateLockedOwner,
40  };
41  boot_svc_msg_t message_ = {
42  .ownership_unlock_req =
43  {
44  .header =
45  {
46  .type = kBootSvcOwnershipUnlockReqType,
47  },
48  .din = {0, 0},
49  .nonce = {1, 2},
50  },
51  };
52 
53  void SetUp() override {
54  // Most tests operate with the owner configuration
55  // in the Open mode.
56  owner_page[0].update_mode = kOwnershipUpdateModeOpen;
57  }
58 
59  rom_test::MockHmac hmac_;
60  rom_test::MockRnd rnd_;
61  rom_test::MockBootSvcHeader hdr_;
62  rom_test::MockLifecycle lifecycle_;
63  rom_test::MockOwnershipKey ownership_key_;
64 };
65 
66 class OwnershipUnlockAnyStateTest
67  : public OwnershipUnlockTest,
68  public testing::WithParamInterface<ownership_state_t> {};
69 
70 class OwnershipUnlockEndorsedStateTest
71  : public OwnershipUnlockTest,
72  public testing::WithParamInterface<ownership_state_t> {};
73 
74 class OwnershipUnlockedUpdateStateTest
75  : public OwnershipUnlockTest,
76  public testing::WithParamInterface<ownership_state_t> {};
77 
78 class OwnershipUnlockAbortValidStateTest
79  : public OwnershipUnlockTest,
80  public testing::WithParamInterface<ownership_state_t> {};
81 
82 class OwnershipUnlockAbortInvalidStateTest
83  : public OwnershipUnlockTest,
84  public testing::WithParamInterface<ownership_state_t> {};
85 
86 class OwnershipUnlockUpdateModesTest
87  : public OwnershipUnlockTest,
88  public testing::WithParamInterface<ownership_update_mode_t> {};
89 
90 // Tests that a bad `unlock_mode` returns an Invalid Request.
91 TEST_F(OwnershipUnlockTest, BadUnlockMode) {
92  message_.ownership_unlock_req.unlock_mode = 12345;
93  EXPECT_CALL(hdr_, Finalize(_, _, _));
94  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
95  EXPECT_EQ(error, kErrorOwnershipInvalidRequest);
96 }
97 
98 // Test that requesting LockedOwner->UnlockedAny works.
99 TEST_F(OwnershipUnlockTest, UnlockAny) {
100  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockAny;
101  EXPECT_CALL(ownership_key_,
102  validate(0,
103  static_cast<ownership_key_t>(kOwnershipKeyUnlock |
104  kOwnershipKeyRecovery),
105  _, _, _))
106  .WillOnce(Return(kHardenedBoolTrue));
107  EXPECT_CALL(lifecycle_, DeviceId(_))
108  .WillOnce(SetArgPointee<0>((lifecycle_device_id_t){0}));
109  EXPECT_CALL(rnd_, Uint32()).WillRepeatedly(Return(5));
110  EXPECT_CALL(hdr_, Finalize(_, _, _));
111 
112  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
113  EXPECT_EQ(error, kErrorWriteBootdataThenReboot);
114  EXPECT_EQ(bootdata_.nonce.value[0], 5);
115  EXPECT_EQ(bootdata_.nonce.value[1], 5);
116  EXPECT_EQ(bootdata_.ownership_state, kOwnershipStateUnlockedAny);
117 }
118 
119 // Test that requesting LockedOwner->UnlockedAny fails when the signature is
120 // bad.
121 TEST_F(OwnershipUnlockTest, UnlockAnyBadSignature) {
122  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockAny;
123  EXPECT_CALL(ownership_key_,
124  validate(0,
125  static_cast<ownership_key_t>(kOwnershipKeyUnlock |
126  kOwnershipKeyRecovery),
127  _, _, _))
128  .WillOnce(Return(kHardenedBoolFalse));
129  EXPECT_CALL(hdr_, Finalize(_, _, _));
130 
131  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
132  EXPECT_EQ(error, kErrorOwnershipInvalidSignature);
133  EXPECT_EQ(bootdata_.ownership_state, kOwnershipStateLockedOwner);
134 }
135 
136 // Test that requesting LockedOwner->UnlockedAny fails when the DIN doesn't
137 // match.
138 TEST_F(OwnershipUnlockTest, UnlockAnyBadDin) {
139  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockAny;
140  EXPECT_CALL(ownership_key_,
141  validate(0,
142  static_cast<ownership_key_t>(kOwnershipKeyUnlock |
143  kOwnershipKeyRecovery),
144  _, _, _))
145  .WillOnce(Return(kHardenedBoolTrue));
146  EXPECT_CALL(lifecycle_, DeviceId(_))
147  .WillOnce(SetArgPointee<0>((lifecycle_device_id_t){0, 1, 1}));
148  EXPECT_CALL(hdr_, Finalize(_, _, _));
149 
150  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
151  EXPECT_EQ(error, kErrorOwnershipInvalidDin);
152  EXPECT_EQ(bootdata_.ownership_state, kOwnershipStateLockedOwner);
153 }
154 
155 // Test that requesting LockedOwner->UnlockedAny fails when the nonce doesn't
156 // match.
157 TEST_F(OwnershipUnlockTest, UnlockAnyBadNonce) {
158  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockAny;
159  message_.ownership_unlock_req.nonce = {3, 4};
160  EXPECT_CALL(ownership_key_,
161  validate(0,
162  static_cast<ownership_key_t>(kOwnershipKeyUnlock |
163  kOwnershipKeyRecovery),
164  _, _, _))
165  .WillOnce(Return(kHardenedBoolTrue));
166  EXPECT_CALL(hdr_, Finalize(_, _, _));
167 
168  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
169  EXPECT_EQ(error, kErrorOwnershipInvalidNonce);
170  EXPECT_EQ(bootdata_.ownership_state, kOwnershipStateLockedOwner);
171 }
172 
173 // Test that requesting UnlockedAny all non-LockedOwner states fails.
174 TEST_P(OwnershipUnlockAnyStateTest, InvalidState) {
175  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockAny;
176  bootdata_.ownership_state = static_cast<uint32_t>(GetParam());
177  EXPECT_CALL(hdr_, Finalize(_, _, _));
178 
179  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
180  EXPECT_EQ(error, kErrorOwnershipInvalidState);
181 }
182 
183 INSTANTIATE_TEST_SUITE_P(AllCases, OwnershipUnlockAnyStateTest,
184  testing::Values(kOwnershipStateUnlockedSelf,
185  kOwnershipStateUnlockedAny,
186  kOwnershipStateUnlockedEndorsed));
187 
188 // Test that requesting LockedOwner->UnlockedEndorsed works.
189 TEST_F(OwnershipUnlockTest, UnlockEndorsed) {
190  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockEndorsed;
191  EXPECT_CALL(ownership_key_,
192  validate(0,
193  static_cast<ownership_key_t>(kOwnershipKeyUnlock |
194  kOwnershipKeyRecovery),
195  _, _, _))
196  .WillOnce(Return(kHardenedBoolTrue));
197  EXPECT_CALL(lifecycle_, DeviceId(_))
198  .WillOnce(SetArgPointee<0>((lifecycle_device_id_t){0}));
199  EXPECT_CALL(hmac_, sha256(_, _, _))
200  .WillOnce([&](const void *, size_t, hmac_digest_t *digest) {
201  for (size_t i = 0; i < ARRAYSIZE(digest->digest); ++i) {
202  digest->digest[i] = i;
203  }
204  });
205  EXPECT_CALL(rnd_, Uint32()).WillRepeatedly(Return(5));
206  EXPECT_CALL(hdr_, Finalize(_, _, _));
207 
208  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
209  EXPECT_EQ(error, kErrorWriteBootdataThenReboot);
210  EXPECT_EQ(bootdata_.nonce.value[0], 5);
211  EXPECT_EQ(bootdata_.nonce.value[1], 5);
212  EXPECT_EQ(bootdata_.ownership_state, kOwnershipStateUnlockedEndorsed);
213  for (size_t i = 0; i < ARRAYSIZE(bootdata_.next_owner); ++i) {
214  EXPECT_EQ(bootdata_.next_owner[i], i);
215  }
216 }
217 
218 // Test that requesting LockedOwner->UnlockedEndorsed fails when the signature
219 // is bad.
220 TEST_F(OwnershipUnlockTest, UnlockEndorsedBadSignature) {
221  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockEndorsed;
222  EXPECT_CALL(ownership_key_,
223  validate(0,
224  static_cast<ownership_key_t>(kOwnershipKeyUnlock |
225  kOwnershipKeyRecovery),
226  _, _, _))
227  .WillOnce(Return(kHardenedBoolFalse));
228  EXPECT_CALL(hdr_, Finalize(_, _, _));
229 
230  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
231  EXPECT_EQ(error, kErrorOwnershipInvalidSignature);
232  EXPECT_EQ(bootdata_.ownership_state, kOwnershipStateLockedOwner);
233 }
234 
235 // Test that requesting LockedOwner->UnlockedEndorsed fails when the nonce
236 // doesn't match.
237 TEST_F(OwnershipUnlockTest, UnlockEndorsedBadNonce) {
238  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockEndorsed;
239  message_.ownership_unlock_req.nonce = {3, 4};
240  EXPECT_CALL(ownership_key_,
241  validate(0,
242  static_cast<ownership_key_t>(kOwnershipKeyUnlock |
243  kOwnershipKeyRecovery),
244  _, _, _))
245  .WillOnce(Return(kHardenedBoolTrue));
246  EXPECT_CALL(hdr_, Finalize(_, _, _));
247 
248  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
249  EXPECT_EQ(error, kErrorOwnershipInvalidNonce);
250  EXPECT_EQ(bootdata_.ownership_state, kOwnershipStateLockedOwner);
251 }
252 
253 // Test that requesting UnlockedEndorsed all non-LockedOwner states fails.
254 TEST_P(OwnershipUnlockEndorsedStateTest, InvalidState) {
255  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockEndorsed;
256  bootdata_.ownership_state = static_cast<uint32_t>(GetParam());
257  EXPECT_CALL(hdr_, Finalize(_, _, _));
258 
259  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
260  EXPECT_EQ(error, kErrorOwnershipInvalidState);
261 }
262 
263 INSTANTIATE_TEST_SUITE_P(AllCases, OwnershipUnlockEndorsedStateTest,
264  testing::Values(kOwnershipStateUnlockedSelf,
265  kOwnershipStateUnlockedAny,
266  kOwnershipStateUnlockedEndorsed));
267 
268 // Test that requesting LockedOwner->UnlockedSelf works.
269 TEST_F(OwnershipUnlockTest, UnlockUpdate) {
270  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockUpdate;
271  EXPECT_CALL(
272  ownership_key_,
273  validate(0, static_cast<ownership_key_t>(kOwnershipKeyUnlock), _, _, _))
274  .WillOnce(Return(kHardenedBoolTrue));
275  EXPECT_CALL(lifecycle_, DeviceId(_))
276  .WillOnce(SetArgPointee<0>((lifecycle_device_id_t){0}));
277  EXPECT_CALL(rnd_, Uint32()).WillRepeatedly(Return(5));
278  EXPECT_CALL(hdr_, Finalize(_, _, _));
279 
280  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
281  EXPECT_EQ(error, kErrorWriteBootdataThenReboot);
282  EXPECT_EQ(bootdata_.nonce.value[0], 5);
283  EXPECT_EQ(bootdata_.nonce.value[1], 5);
284  EXPECT_EQ(bootdata_.ownership_state, kOwnershipStateUnlockedSelf);
285 }
286 
287 // Test that requesting LockedOwner->UnlockedSelf fails when the signature is
288 // bad.
289 TEST_F(OwnershipUnlockTest, UnlockedUpdateBadSignature) {
290  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockUpdate;
291  EXPECT_CALL(
292  ownership_key_,
293  validate(0, static_cast<ownership_key_t>(kOwnershipKeyUnlock), _, _, _))
294  .WillOnce(Return(kHardenedBoolFalse));
295  EXPECT_CALL(hdr_, Finalize(_, _, _));
296 
297  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
298  EXPECT_EQ(error, kErrorOwnershipInvalidSignature);
299  EXPECT_EQ(bootdata_.ownership_state, kOwnershipStateLockedOwner);
300 }
301 
302 // Test that requesting LockedOwner->UnlockedSelf fails when the nonce doesn't
303 // match.
304 TEST_F(OwnershipUnlockTest, UnlockedUpdateBadNonce) {
305  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockUpdate;
306  message_.ownership_unlock_req.nonce = {3, 4};
307 
308  EXPECT_CALL(
309  ownership_key_,
310  validate(0, static_cast<ownership_key_t>(kOwnershipKeyUnlock), _, _, _))
311  .WillOnce(Return(kHardenedBoolTrue));
312  EXPECT_CALL(hdr_, Finalize(_, _, _));
313 
314  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
315  EXPECT_EQ(error, kErrorOwnershipInvalidNonce);
316  EXPECT_EQ(bootdata_.ownership_state, kOwnershipStateLockedOwner);
317 }
318 
319 // Test that requesting UnlockUpdate all non-LockedOwner states fails.
320 TEST_P(OwnershipUnlockedUpdateStateTest, InvalidState) {
321  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockUpdate;
322  bootdata_.ownership_state = static_cast<uint32_t>(GetParam());
323  EXPECT_CALL(hdr_, Finalize(_, _, _));
324 
325  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
326  EXPECT_EQ(error, kErrorOwnershipInvalidState);
327 }
328 
329 INSTANTIATE_TEST_SUITE_P(AllCases, OwnershipUnlockedUpdateStateTest,
330  testing::Values(kOwnershipStateUnlockedSelf,
331  kOwnershipStateUnlockedEndorsed,
332  kOwnershipStateRecovery));
333 
334 // Test that requesting an UnlockAbort from valid states works.
335 TEST_P(OwnershipUnlockAbortValidStateTest, UnlockAbort) {
336  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockAbort;
337  bootdata_.ownership_state = static_cast<uint32_t>(GetParam());
338  EXPECT_CALL(
339  ownership_key_,
340  validate(0, static_cast<ownership_key_t>(kOwnershipKeyUnlock), _, _, _))
341  .WillOnce(Return(kHardenedBoolTrue));
342  EXPECT_CALL(lifecycle_, DeviceId(_))
343  .WillOnce(SetArgPointee<0>((lifecycle_device_id_t){0}));
344  EXPECT_CALL(rnd_, Uint32()).WillRepeatedly(Return(5));
345  EXPECT_CALL(hdr_, Finalize(_, _, _));
346 
347  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
348  EXPECT_EQ(error, kErrorWriteBootdataThenReboot);
349  EXPECT_EQ(bootdata_.nonce.value[0], 5);
350  EXPECT_EQ(bootdata_.nonce.value[1], 5);
351  EXPECT_EQ(bootdata_.ownership_state, kOwnershipStateLockedOwner);
352 }
353 
354 INSTANTIATE_TEST_SUITE_P(AllCases, OwnershipUnlockAbortValidStateTest,
355  testing::Values(kOwnershipStateUnlockedSelf,
356  kOwnershipStateUnlockedEndorsed,
357  kOwnershipStateUnlockedAny));
358 
359 // Test that requesting an UnlockAbort from valid states works.
360 TEST_P(OwnershipUnlockAbortInvalidStateTest, UnlockAbort) {
361  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockAbort;
362  bootdata_.ownership_state = static_cast<uint32_t>(GetParam());
363  EXPECT_CALL(hdr_, Finalize(_, _, _));
364 
365  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
366  EXPECT_EQ(error, kErrorOwnershipInvalidState);
367 }
368 
369 INSTANTIATE_TEST_SUITE_P(AllCases, OwnershipUnlockAbortInvalidStateTest,
370  testing::Values(kOwnershipStateLockedOwner,
371  kOwnershipStateRecovery));
372 
373 // Test that UnlockAny succeeds in Open mode and fails in Self and NewVersion
374 // mode.
375 TEST_P(OwnershipUnlockUpdateModesTest, UnlockAny) {
376  ownership_update_mode_t mode = GetParam();
377  owner_page[0].update_mode = static_cast<uint32_t>(mode);
378  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockAny;
379  rom_error_t expect;
380  switch (mode) {
381  case kOwnershipUpdateModeOpen:
382  EXPECT_CALL(ownership_key_,
383  validate(0,
384  static_cast<ownership_key_t>(kOwnershipKeyUnlock |
385  kOwnershipKeyRecovery),
386  _, _, _))
387  .WillOnce(Return(kHardenedBoolTrue));
388  EXPECT_CALL(lifecycle_, DeviceId(_))
389  .WillOnce(SetArgPointee<0>((lifecycle_device_id_t){0}));
390  EXPECT_CALL(rnd_, Uint32()).WillRepeatedly(Return(5));
391  expect = kErrorWriteBootdataThenReboot;
392  break;
393  case kOwnershipUpdateModeNewVersion:
394  expect = kErrorOwnershipUnlockDenied;
395  break;
396  case kOwnershipUpdateModeSelf:
397  case kOwnershipUpdateModeSelfVersion:
398  expect = kErrorOwnershipInvalidMode;
399  break;
400  }
401 
402  EXPECT_CALL(hdr_, Finalize(_, _, _));
403  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
404  EXPECT_EQ(error, expect);
405 }
406 
407 // Test that UnlockUpdate succeeds in Open and Self mode and fails in NewVersion
408 // mode.
409 TEST_P(OwnershipUnlockUpdateModesTest, UnlockUpdate) {
410  ownership_update_mode_t mode = GetParam();
411  owner_page[0].update_mode = static_cast<uint32_t>(mode);
412  message_.ownership_unlock_req.unlock_mode = kBootSvcUnlockUpdate;
413  rom_error_t expect;
414  switch (mode) {
415  case kOwnershipUpdateModeOpen:
416  case kOwnershipUpdateModeSelf:
417  case kOwnershipUpdateModeSelfVersion:
418  EXPECT_CALL(ownership_key_,
419  validate(0, static_cast<ownership_key_t>(kOwnershipKeyUnlock),
420  _, _, _))
421  .WillOnce(Return(kHardenedBoolTrue));
422  EXPECT_CALL(lifecycle_, DeviceId(_))
423  .WillOnce(SetArgPointee<0>((lifecycle_device_id_t){0}));
424  EXPECT_CALL(rnd_, Uint32()).WillRepeatedly(Return(5));
425  expect = kErrorWriteBootdataThenReboot;
426  break;
427  case kOwnershipUpdateModeNewVersion:
428  expect = kErrorOwnershipUnlockDenied;
429  break;
430  }
431 
432  EXPECT_CALL(hdr_, Finalize(_, _, _));
433  rom_error_t error = ownership_unlock_handler(&message_, &bootdata_);
434  EXPECT_EQ(error, expect);
435 }
436 
437 INSTANTIATE_TEST_SUITE_P(AllCases, OwnershipUnlockUpdateModesTest,
438  testing::Values(kOwnershipUpdateModeOpen,
439  kOwnershipUpdateModeSelf,
440  kOwnershipUpdateModeSelfVersion,
441  kOwnershipUpdateModeNewVersion));
442 
443 } // namespace
Return to OpenTitan Documentation