new file mode 100644
@@ -0,0 +1,27 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
+
+header:
+ version: 14
+ includes:
+ - ci/fvp-base-ts.yml
+ - ci/meta-secure-core.yml
+
+repos:
+ meta-secure-core:
+ layers:
+ meta-tpm2:
+
+local_conf_header:
+ remove_secureboot: |
+ BBMASK += "efi-secure-boot"
+
+ ftpm_sp_test: |
+ # Include tpm2 related packages
+ IMAGE_INSTALL:append = " tpm2-tools-tests tpm2-abrmd tpm2-tss"
+ # Use systemd as the init system, which is required for the tpm2 self-tests
+ INIT_MANAGER = "systemd"
+ IMAGE_INSTALL:append = " systemd util-linux"
+
+ ts_ftpm_sp: |
+ MACHINE_FEATURES:append = " ts-ftpm"
+ RUN_TPM2_TESTS = "1"
@@ -24,3 +24,8 @@ WARN_QA:append:layer-meta-arm = " patch-status"
# Define base directory for meta-arm
META_ARM_LAYER_DIR := "${LAYERDIR}"
+
+BBFILES_DYNAMIC += " \
+ tpm2:${LAYERDIR}/dynamic-layers/meta-tpm2/*/*/*.bb \
+ tpm2:${LAYERDIR}/dynamic-layers/meta-tpm2/*/*/*.bbappend \
+"
new file mode 100644
@@ -0,0 +1,55 @@
+From b5269bd5380a8a7b202a27a558d98468e14ac642 Mon Sep 17 00:00:00 2001
+From: Imre Kis <imre.kis@arm.com>
+Date: Wed, 25 Sep 2024 15:44:08 +0200
+Subject: [PATCH] Remove simulator and abrmd startup
+
+Upstream-Status: Inappropriate
+Signed-off-by: Imre Kis <imre.kis@arm.com>
+---
+ test/integration/helpers.sh | 31 -------------------------------
+ 1 file changed, 31 deletions(-)
+
+diff --git a/test/integration/helpers.sh b/test/integration/helpers.sh
+index 4c861567..bb339078 100644
+--- a/test/integration/helpers.sh
++++ b/test/integration/helpers.sh
+@@ -396,37 +396,6 @@ function start_up() {
+
+ run_startup=true
+
+- if [ -n "$TPM2_SIM" ]; then
+- # Start the simulator
+- echo "Starting the simulator"
+- start_sim || exit 1
+- echo "Started the simulator"
+- else
+- echo "not starting simulator"
+- fi
+-
+- if [ -n "$TPM2_ABRMD" ]; then
+- echo "Starting tpm2-abrmd"
+- # Start tpm2-abrmd
+- start_abrmd || exit 1
+- run_startup=false
+- else
+- echo "not starting abrmd"
+- fi
+-
+- echo "TPM2TOOLS_TEST_TCTI=$TPM2TOOLS_TEST_TCTI"
+- if [ -z "$TPM2TOOLS_TEST_TCTI" ]; then
+- echo "TPM2TOOLS_TEST_TCTI not set, attempting to figure out default"
+- if [ -z "$tpm2tools_tcti" ]; then
+- echo "The simulator not abrmd was started, cannot determine a TCTI for tools."
+- exit 1;
+- fi
+- TPM2TOOLS_TEST_TCTI="$tpm2tools_tcti"
+- fi
+-
+- echo "export TPM2TOOLS_TCTI=\"$TPM2TOOLS_TEST_TCTI\""
+- export TPM2TOOLS_TCTI="$TPM2TOOLS_TEST_TCTI"
+-
+ recreate_info
+
+ echo "run_startup: $run_startup"
+--
+2.34.1
\ No newline at end of file
new file mode 100644
@@ -0,0 +1,56 @@
+From be44c3231fe40c99ba55abe4f8ae6a7bfed92bde Mon Sep 17 00:00:00 2001
+From: Gabor Toth <gabor.toth2@arm.com>
+Date: Thu, 30 Jan 2025 15:11:48 +0100
+Subject: [PATCH] abrmd_policysigned.sh: fix error, clear lockout
+
+Fix cleanup function to be able to return success.
+Clear lockout state at the end of the test.
+
+Upstream-Status: Pending
+Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
+---
+ test/integration/tests/abrmd_policysigned.sh | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/test/integration/tests/abrmd_policysigned.sh b/test/integration/tests/abrmd_policysigned.sh
+index 2a0b3994..d062f033 100644
+--- a/test/integration/tests/abrmd_policysigned.sh
++++ b/test/integration/tests/abrmd_policysigned.sh
+@@ -3,15 +3,19 @@
+ source helpers.sh
+
+ cleanup() {
+- rm -f session.ctx secret.dat private.pem public.pem signature.dat \
++ rm -f secret.dat private.pem public.pem signature.dat \
+ signing_key.ctx policy.signed prim.ctx sealing_key.priv sealing_key.pub \
+ unsealed.dat qual.dat to_sign.bin
+
+- tpm2 flushcontext $session_ctx 2>/dev/null || true
++ tpm2 flushcontext session.ctx 2>/dev/null || true
++
++ rm -f session.ctx
+
+ if [ "${1}" != "no-shutdown" ]; then
+ shut_down
+ fi
++
++ return 0
+ }
+ trap cleanup EXIT
+
+@@ -129,10 +133,12 @@ openssl dgst -sha256 -sign signing_key.priv -out signature.dat to_sign.bin
+ tpm2 policysigned -S session.ctx -g sha256 -s signature.dat -f ecdsa \
+ -c signing_key_pub.ctx --cphash cphash.bin
+ ### Authorize
+-tpm2 dictionarylockout -c session:session.ctx
++tpm2 dictionarylockout -c -p session:session.ctx
+
+ tpm2 flushcontext session.ctx
+ rm -f signing_key.priv signing_key.pub signing_key_pub.ctx cphash.bin \
+ session.ctx policy.signed to_sign.bin signature.dat
++
++tpm2 clear -c l "password"
+
+ exit 0
+--
+2.34.1
new file mode 100644
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# Some tests refers to these variables, which is not set at runtime
+export srcdir=/usr/share/tpm2-tools
+export abs_srcdir=$srcdir
+
+cd /usr/share/tpm2-tools/test/integration
+dbus-run-session bash tests/$1.sh
new file mode 100644
@@ -0,0 +1,123 @@
+#!/bin/bash
+
+tests=(
+ abrmd_extended-sessions
+ abrmd_nvundefinespecial
+ abrmd_policyauthorizenv
+ abrmd_policyauthorize
+ abrmd_policyauthvalue
+ abrmd_policycommandcode
+ abrmd_policycountertimer
+ abrmd_policycphash
+ abrmd_policyduplicationselect
+ abrmd_policynamehash
+ abrmd_policynv
+ abrmd_policynvwritten
+ abrmd_policyor
+ abrmd_policypassword
+ abrmd_policypcr
+ abrmd_policysecret
+ abrmd_policysigned
+ abrmd_policytemplate
+ abrmd_policyticket
+ activecredential
+ attestation
+ certifycreation
+ certify
+ changeauth
+ changeeps
+ changepps
+ checkquote
+ clearcontrol
+ clear
+ clockrateadjust
+ commandaudit
+ createak
+ createpolicy
+ createprimary
+ create
+ dictionarylockout
+ duplicate
+ ecc
+ encryptdecrypt
+ evictcontrol
+ flushcontext
+ getcap
+ getpolicydigest
+ getrandom
+ gettestresult
+ gettime
+ hash
+ hierarchycontrol
+ hmac
+ import
+ import_tpm
+ incrementalselftest
+ load
+ makecredential
+ nvcertify
+ nvinc
+ output_formats
+ pcrevent
+ pcrextend
+ pcrlist
+ pcrreset
+ pcrs_format
+ print
+ readclock
+ readpublic
+ rsadecrypt
+ rsaencrypt
+ selftest
+ sessionconfig
+ setprimarypolicy
+ startup
+ stirrandom
+ symlink
+ testparms
+ unseal
+ verifysignature
+ X509certutil
+)
+
+failed_tests=()
+
+# Failing tests:
+# createek
+# eventlog
+# getekcertificate
+# loadexternal
+# quote
+# rc_decode
+# send
+# send-tcti-cmd
+# sign
+# toggle_options
+# nv
+# pcrallocate
+# sessionaudit
+# setclock
+
+for test in "${tests[@]}"; do
+ echo '*******************************************************************************'
+ echo "${test} Starting..."
+
+ if tpm2-test "${test}"
+ then
+ echo "${test} OK"
+ else
+ echo "${test} FAILED"
+ failed_tests+=("${test}")
+ fi
+done
+echo '*******************************************************************************'
+
+if [ ${#failed_tests[@]} -ne 0 ]
+then
+ echo "ERROR: the following tpm2 tests failed:"
+ printf '\t%s\n' "${failed_tests[@]}"
+fi
+
+echo '*******************************************************************************'
+
+(exit ${#failed_tests[@]})
new file mode 100644
@@ -0,0 +1,27 @@
+# Include tpm2-tools dependencies. diffutils is needed for cmp tool, coreutils needed for dd and head (GNU instead of the busybox variant)
+# need perl-misc for shasum
+
+PACKAGES:prepend = "${PN}-tests "
+
+RDEPENDS:${PN}-tests += " ${PN} xxd bash bash-completion dbus python3-yamllint python3 perl-misc coreutils diffutils curl"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI:append = " \
+ file://0001-Remove-simulator-and-abrmd-startup.patch \
+ file://0003-abrmd_policysigned_sh-fix-error-clear-lockout.patch \
+ file://tpm2-test \
+ file://tpm2-test-all \
+ "
+
+do_install:append() {
+ install -d ${D}${datadir}/tpm2-tools/test
+ install -m 0755 ${UNPACKDIR}/tpm2-test ${D}${bindir}
+ install -m 0755 ${UNPACKDIR}/tpm2-test-all ${D}${bindir}
+
+ cd ${S}/test
+ find . -type d -exec install -d -m 0755 ${D}${datadir}/tpm2-tools/test/{} \;
+ find . -type f -exec install -m 0755 {} ${D}${datadir}/tpm2-tools/test/{} \;
+}
+
+FILES:${PN}-tests += "${datadir}/tpm2-tools/test ${bindir}/tpm2-test ${bindir}/tpm2-test-all"
@@ -4,6 +4,7 @@ from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
from oeqa.runtime.decorator.package import OEHasPackage
from oeqa.core.decorator.data import skipIfNotInDataVar
+from oeqa.core.decorator.oetimeout import OETimeout
class TrustedServicesTest(OERuntimeTestCase):
@@ -102,3 +103,11 @@ class TrustedServicesTest(OERuntimeTestCase):
'ts-se-proxy' not in self.tc.td['MACHINE_FEATURES']:
self.skipTest('Crypto SP is not deployed in the system.')
self.run_test_tool('ts-service-test -g Crypto')
+
+ @OEHasPackage(['tpm2-tools-tests'])
+ @skipIfNotInDataVar('MACHINE_FEATURES', 'ts-ftpm', 'fTPM SP is not included')
+ @skipIfNotInDataVar('RUN_TPM2_TESTS', '1', 'Automated test is disabled (RUN_TPM2_TESTS is undefined).')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ @OETimeout(4*60*60)
+ def test_16_tpm2_test_all(self):
+ self.run_test_tool('tpm2-test-all')