FIH TEST TOOL

This directory contains a tool for testing the fault injection mitigations implemented by TF-M.

Description

The tool relies on QEMU (simulating the AN521 target), and GDB.

The tool will:

  • first compile a version of TF-M with the given parameters.

  • Then setup some infrastructure used for control of a QEMU session, including a Virtual Hard Drive (VHD) to save test state and some FIFOs for control.

  • Then run GDB, which then creates a QEMU instance and attaches to it via the GDBserver interface and the FIFOs.

  • Run through an example execution of TF-M, conducting fault tests.

  • Output a JSON file with details of which tests where run, and what failed.

The workflow for actually running the test execution is as follows:

  • Perform setup, including starting QEMU.

  • Until the end_breakpoint is hit:

    • Execute through the program until a test_location breakpoint is hit.

    • Save the execution state to the QEMU VHD.

    • Enable all the critical point breakpoints.

    • Run through until the end_breakpoint to save the “known good” state. The

      state saving is described below.

    • For each of the fault tests specified:

      • Load the test_start state, so that a clean environment is present.

      • Perform the fault.

      • Run through, evaluating any critical memory at every

        critical point breakpoint and saving this to the test state.

      • Detect any failure loop states, QEMU crashes, or the end breakpoint,

        and end the test.

      • Compare the execution state of the test with the “known good” state.

    • Load the state at the start of the test.

    • Disable all the critical point breakpoints.

The output file will be inside the created TFM build directory. It is named results.json The name of the created TFM build dir will be determined by the build options. For example build_GNUARM_debug_OFF_2/results.json

Dependencies

  • qemu-system-arm

  • gdb-multiarch (with python3 support)

  • python3.7+

  • python packages detailed in requirements.txt

The version of python packaged with gdb-multiarch can differ from the version of python that is shipped by the system. The version of python used by gdb-multiarch can can be tested by running the command: gdb-multiarch -batch -ex “python import sys; print(sys.version)”. If this version is not greater than or equal to 3.7, then gdb-multiarch may need to be upgraded. Under some distributions, this might require upgrading to a later version of the distribution.

Usage of the tool

Options can be determined by using

./fih_test --help

In general, executing fih_test from a directory inside the TF-M source directory (<TFM_DIR>/build), will automatically set the SOURCE_DIR and BUILD_DIR variables / arguments correctly.

For example:

cd <TFM_DIR>
mkdir build
cd build
<Path to>/fih_test -p LOW

# Test with certain function
<Path to>/fih_test -p LOW -l 2 -f "tfm_hal_set_up_static_boundaries"

# Build the AXF file again if the source code has been changed
<Path to>/fih_test -p LOW -l 2 -r

Fault types

The types of faults simulated is controlled by faults/__init__.py. This file should be altered to change the fault simulation parameters. To add new fault types, new fault files should be added to the faults directory.

Currently, the implemented fault types are:

  • Setting a single register (from r0 to r15) to a random uint32

  • Setting a single register (from r0 to r15) to zero

  • Skipping between 1 and 7 instructions

All of these will be run at every evaluation point, currently 40 faults per evaluation point.

Working with results

Results are written as a JSON file, and can be large. As such, it can be useful to employ dedicated tools to parse the JSON.

The use of jq <https://stedolan.github.io/jq/> is highly recommended. Full documentation of this program is out of scope of this document, but instructions and reference material can be found at the linked webpage.

For example, to find the amount of passes:

cat results.json | jq 'select(.passed==true) | .passed' | wc -l

And the amount of fails:

cat results.json | jq 'select(.passed==false) | .passed' | wc -l

To find all the faults that caused failures, and the information about where they occurred:

cat results.json | jq 'select(.passed==false) | {pc: .pc, file: .file, line: .line, asm: .asm, fault: .fault}'

Copyright (c) 2021-2022, Arm Limited. All rights reserved.