├── .clang-format ├── .dockerignore ├── .github ├── .gitignore ├── builder │ ├── .gitignore │ ├── Dockerfile │ ├── Dockerfile-internal-6 │ ├── Dockerfile-internal-7 │ └── common.sh ├── dependabot.yml ├── dependabot │ ├── 2023-07-14.csv │ ├── 2023-07-14.json │ ├── 2023-07-19.csv │ ├── 2023-07-19.json │ ├── 2023-08-07.csv │ ├── 2023-08-07.json │ ├── 2023-09-13.csv │ ├── 2023-09-13.json │ ├── 2023-11-07.csv │ ├── 2023-11-07.json │ ├── 2024-02-23.csv │ └── 2024-02-23.json ├── linters │ ├── .flake8 │ ├── .hadolint.yaml │ ├── .isort.cfg │ ├── .jscpd.json │ ├── .markdown-lint.yml │ ├── .mypy.ini │ ├── .python-black │ ├── .textlintrc │ ├── .yaml-lint.yml │ └── actionlint.yml └── workflows │ ├── ci.yml │ ├── codeql.yml │ ├── dependency-review.yml │ ├── docs.yml │ ├── scans.yml │ └── scorecards.yml ├── .gitignore ├── .gitleaksignore ├── .pre-commit-config.yaml ├── BOM.txt ├── CITATION.cff ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── Cargo.toml ├── Dockerfile ├── LICENSE ├── README.md ├── SECURITY.md ├── build.rs ├── config-user.mk ├── docs ├── .gitignore ├── book.toml └── src │ ├── .gitignore │ ├── README.md │ ├── SUMMARY.md │ ├── config │ ├── README.md │ ├── common-options.md │ ├── installing-in-projects.md │ └── loading-module.md │ ├── developer │ ├── README.md │ ├── build.md │ ├── debugging.md │ ├── refresh.md │ ├── release.md │ └── specific-simics-version.md │ ├── documentation │ └── README.md │ ├── fuzzing │ ├── README.md │ ├── analyzing-results.md │ ├── choose-harnessing-method.md │ ├── compatibility.md │ ├── optimizing-for-fuzzing.md │ └── running-fuzzer.md │ ├── harnessing │ ├── README.md │ ├── closed-box.md │ ├── compiled-in.md │ └── manual.md │ ├── images │ ├── DEBUGGING_FUZZER_Run_and_Debug.png │ ├── HARNESSING_UEFI_SIMPLE_Run_Target.png │ ├── HARNESSING_UEFI_SIMPLE_Run_Target_Post.png │ ├── REQUIREMENTS_Test_Micro_Checkpoints_Post.png │ ├── REQUIREMENTS_Test_Micro_Checkpoints_Pre.png │ ├── REQUIREMENTS_Test_Micro_Checkpoints_TestRun.png │ ├── 
SETUP_Install_Finished.png │ ├── SETUP_Install_Only.png │ ├── SETUP_Install_Proceed.png │ ├── SETUP_Select_Install_Directory.png │ ├── demo.cast │ ├── logo-social.png │ ├── logo.png │ ├── logo.svg │ └── mini.mp4 │ ├── setup │ ├── README.md │ ├── docker.md │ ├── linux.md │ └── windows.md │ └── tutorials │ ├── README.md │ ├── edk2-simics-platform-bios │ ├── README.md │ ├── booting.md │ ├── building-bios.md │ ├── configuring.md │ ├── harnessing.md │ ├── obtaining-sources.md │ ├── optimizing.md │ └── running.md │ ├── edk2-uefi │ ├── README.md │ ├── building-the-application.md │ ├── configuring-the-fuzzer.md │ ├── optimizing-for-speed.md │ ├── reproducing-runs.md │ ├── running-the-fuzzer.md │ ├── testing-the-application.md │ └── writing-the-application.md │ ├── kernel-module │ ├── README.md │ ├── build-configuration-updates.md │ ├── kernel-module-code.md │ ├── kernel-module-harnessing.md │ ├── running-the-fuzzer.md │ ├── target-software-boilerplate.md │ └── target-software-outline.md │ └── windows-kernel │ ├── README.md │ ├── building-windows-image │ ├── README.md │ ├── change-default-shell-to-powershell.md │ ├── clone-and-build-hevd.md │ ├── compile-the-fuzz-harness.md │ ├── convert-image.md │ ├── create-a-fuzz-harness.md │ ├── create-a-project.md │ ├── create-a-vm.md │ ├── create-and-start-the-driver-service.md │ ├── download-windows.md │ ├── enable-ssh-port-forwarding-in-virtualbox.md │ ├── images │ │ ├── 2024-03-16-11-55-02.png │ │ ├── 2024-03-16-11-55-58.png │ │ ├── 2024-03-16-11-56-39.png │ │ ├── 2024-03-16-11-57-17.png │ │ ├── 2024-03-16-11-57-48.png │ │ ├── 2024-03-16-11-58-06.png │ │ ├── 2024-03-16-11-59-33.png │ │ ├── 2024-03-16-12-01-17.png │ │ ├── 2024-03-16-12-04-27.png │ │ ├── 2024-03-16-12-04-40.png │ │ ├── 2024-03-16-12-09-20.png │ │ ├── 2024-03-16-12-10-29.png │ │ ├── 2024-03-16-12-11-56.png │ │ ├── 2024-03-16-12-13-14.png │ │ ├── 2024-03-16-12-14-15.png │ │ ├── 2024-03-16-12-14-29.png │ │ ├── 2024-03-16-12-17-25.png │ │ ├── 2024-03-16-12-17-50.png │ │ 
├── 2024-03-16-12-18-07.png │ │ ├── 2024-03-16-12-18-57.png │ │ ├── 2024-03-16-12-19-09.png │ │ ├── 2024-03-16-12-19-23.png │ │ ├── 2024-03-16-12-26-28.png │ │ ├── 2024-03-16-12-26-46.png │ │ ├── 2024-03-16-12-27-02.png │ │ ├── 2024-03-16-12-28-52.png │ │ ├── 2024-03-16-12-29-09.png │ │ ├── 2024-03-16-12-29-30.png │ │ ├── 2024-03-16-12-29-53.png │ │ ├── 2024-03-16-12-30-18.png │ │ ├── 2024-03-16-12-30-49.png │ │ ├── 2024-03-16-12-31-10.png │ │ ├── 2024-03-16-12-31-28.png │ │ ├── 2024-03-16-12-31-45.png │ │ ├── 2024-03-16-12-32-12.png │ │ ├── 2024-03-16-12-36-59.png │ │ ├── 2024-03-16-12-37-56.png │ │ ├── 2024-03-16-12-38-12.png │ │ ├── 2024-03-16-12-45-13.png │ │ ├── 2024-03-16-12-46-16.png │ │ ├── 2024-03-16-12-46-28.png │ │ ├── 2024-03-16-12-46-44.png │ │ ├── 2024-03-16-12-47-01.png │ │ ├── 2024-03-16-12-50-38.png │ │ ├── 2024-03-16-13-16-20.png │ │ ├── 2024-03-21-12-24-34.png │ │ └── 2024-03-21-12-25-39.png │ ├── install-hevd-driver.md │ ├── install-simics-agent.md │ ├── install-the-code-signing-certificate.md │ ├── install-virtualbox.md │ ├── install-windows.md │ ├── installing-development-tools.md │ ├── installing-the-ewdk.md │ ├── run-the-fuzz-harness.md │ ├── run-the-fuzzer.md │ ├── run-the-simulation.md │ └── set-up-ssh.md │ ├── create-a-project.md │ ├── images │ ├── 2024-03-21-16-50-53.png │ ├── 2024-03-21-17-38-46.png │ ├── 2024-04-01-09-10-48.png │ ├── 2024-04-01-09-11-19.png │ ├── 2024-04-01-09-19-09.png │ ├── 2024-04-12-12-25-13.png │ └── 2024-04-12-12-49-03.png │ ├── run-the-fuzzer.md │ └── run-the-simulation.md ├── examples ├── .gitignore ├── docker-example │ └── fuzz.simics ├── manual-example │ ├── Dockerfile │ ├── README.md │ ├── build.ninja │ ├── fuzz.simics │ ├── minimal_boot_disk.craff │ └── test.c ├── rsrc │ └── minimal_boot_disk.craff └── tutorials │ ├── edk2-simics-platform │ ├── .gitignore │ ├── Dockerfile │ ├── Dockerfile-custom │ ├── build-custom.sh │ ├── build.sh │ ├── edk2-platforms.patch │ ├── project │ │ ├── .gitignore │ │ ├── 
fuzz.simics │ │ ├── fuzz2.simics │ │ ├── run-alderlake.simics │ │ ├── run-custom.simics │ │ ├── run.simics │ │ ├── targets │ │ │ └── qsp-x86 │ │ │ │ ├── qsp-uefi-custom.target.yml │ │ │ │ └── qsp-uefi-custom.target.yml.include │ │ └── uefi.params │ └── tsffs-gcc-x86_64.h │ ├── edk2-uefi │ ├── .gitignore │ ├── Dockerfile │ ├── build.sh │ ├── project │ │ ├── campaign.sh │ │ └── run.simics │ └── src │ │ ├── PlatformBuild.py │ │ ├── Tutorial.c │ │ ├── Tutorial.dsc │ │ ├── Tutorial.inf │ │ └── tsffs.h │ ├── risc-v-kernel │ ├── .gitignore │ ├── Dockerfile │ ├── build.sh │ ├── project │ │ └── run.simics │ └── src │ │ ├── simics_simple_riscv_defconfig │ │ ├── tsffs.h │ │ ├── tutorial-kernel-modules │ │ ├── Config.in │ │ ├── external.desc │ │ ├── external.mk │ │ └── package │ │ │ └── kernel-modules │ │ │ ├── Config.in │ │ │ ├── kernel-modules.mk │ │ │ └── tutorial-mod │ │ │ ├── Config.in │ │ │ ├── Makefile │ │ │ ├── tsffs.h │ │ │ ├── tutorial-mod.c │ │ │ └── tutorial-mod.mk │ │ └── tutorial-mod-driver.c │ └── windows-kernel │ ├── .gitignore │ ├── fuzz.simics │ └── run.simics ├── harness ├── .gitignore ├── README.md ├── build.sh ├── test.c ├── test.sh ├── tsffs-gcc-aarch64.h ├── tsffs-gcc-arm32.h ├── tsffs-gcc-riscv32.h ├── tsffs-gcc-riscv64.h ├── tsffs-gcc-x86.h ├── tsffs-gcc-x86_64.h ├── tsffs-msvc-x86_64.asm ├── tsffs-msvc-x86_64.h └── tsffs.h ├── rust-toolchain.toml ├── scripts ├── build-internal.sh ├── build.sh ├── check.sh ├── ci.sh ├── cov.sh ├── dependabot.sh ├── fmt.sh └── license.sh ├── src ├── arch │ ├── aarch64.rs │ ├── arm.rs │ ├── mod.rs │ ├── risc_v.rs │ ├── x86.rs │ └── x86_64.rs ├── fuzzer │ ├── executors │ │ ├── inprocess │ │ │ ├── inner.rs │ │ │ └── mod.rs │ │ └── mod.rs │ ├── feedbacks │ │ └── mod.rs │ ├── messages │ │ └── mod.rs │ ├── mod.rs │ └── tokenize │ │ └── mod.rs ├── haps │ └── mod.rs ├── interfaces │ ├── config.rs │ ├── fuzz.rs │ └── mod.rs ├── lib.rs ├── log │ └── mod.rs ├── magic │ └── mod.rs ├── os │ ├── mod.rs │ └── windows │ │ ├── 
debug_info.rs │ │ ├── idt.rs │ │ ├── kernel.rs │ │ ├── mod.rs │ │ ├── paging.rs │ │ ├── pdb.rs │ │ ├── structs.rs │ │ └── util.rs ├── source_cov │ └── mod.rs ├── state │ └── mod.rs ├── tracer │ └── mod.rs ├── traits │ └── mod.rs └── util │ └── mod.rs └── tests ├── riscv_64_kernel_from_userspace_magic_6_0_185.rs ├── riscv_64_kernel_from_userspace_magic_latest.rs ├── riscv_64_kernel_magic_6_0_185.rs ├── riscv_64_kernel_magic_latest.rs ├── riscv_64_userspace_magic_6_0_185.rs ├── riscv_64_userspace_magic_latest.rs ├── rsrc ├── README.md ├── build.sh ├── minimal_boot_disk.craff ├── riscv-64 │ ├── .config │ ├── .gitignore │ ├── Dockerfile │ ├── build.sh │ ├── simics_simple_riscv_defconfig │ ├── test-kernel-modules │ │ ├── Config.in │ │ ├── external.desc │ │ ├── external.mk │ │ └── package │ │ │ └── kernel-modules │ │ │ ├── Config.in │ │ │ ├── kernel-modules.mk │ │ │ └── test-mod │ │ │ ├── Config.in │ │ │ ├── Makefile │ │ │ ├── test-mod.c │ │ │ └── test-mod.mk │ ├── test-mod-userspace.c │ ├── test-mod.c │ └── test.c ├── test-lcov │ ├── build.sh │ ├── html │ │ ├── home │ │ │ ├── index.html │ │ │ └── rhart │ │ │ │ ├── hub │ │ │ │ ├── index.html │ │ │ │ └── tsffs │ │ │ │ │ ├── index.html │ │ │ │ │ └── tests │ │ │ │ │ ├── index.html │ │ │ │ │ └── rsrc │ │ │ │ │ ├── index.html │ │ │ │ │ └── test-lcov │ │ │ │ │ ├── index.html │ │ │ │ │ ├── subdir1 │ │ │ │ │ ├── index.html │ │ │ │ │ └── test.c.html │ │ │ │ │ ├── subdir2 │ │ │ │ │ ├── index.html │ │ │ │ │ └── test-subdir2.c.html │ │ │ │ │ ├── test.c.html │ │ │ │ │ └── test2.c.html │ │ │ │ └── index.html │ │ └── index.html │ ├── subdir1 │ │ └── test.c │ ├── subdir2 │ │ └── test-subdir2.c │ ├── test.c │ └── test2.c ├── x86-user │ ├── .gitignore │ ├── build.ninja │ ├── build.sh │ └── test.c ├── x86_64-breakpoint-uefi-edk2 │ ├── .gitignore │ ├── Dockerfile │ ├── build.ninja │ ├── build.sh │ └── src │ │ ├── .gitignore │ │ ├── HelloWorld.c │ │ ├── HelloWorld.dsc │ │ ├── HelloWorld.inf │ │ ├── HelloWorldExtra.uni │ │ ├── 
HelloWorldStr.uni │ │ └── PlatformBuild.py ├── x86_64-crash-uefi │ ├── .gitignore │ ├── build.ninja │ ├── build.sh │ └── test.c ├── x86_64-timeout-uefi-edk2 │ ├── .gitignore │ ├── Dockerfile │ ├── build.ninja │ ├── build.sh │ └── src │ │ ├── .gitignore │ │ ├── HelloWorld.c │ │ ├── HelloWorld.dsc │ │ ├── HelloWorld.inf │ │ ├── HelloWorldExtra.uni │ │ ├── HelloWorldStr.uni │ │ └── PlatformBuild.py ├── x86_64-uefi-edk2 │ ├── .gitignore │ ├── Dockerfile │ ├── build.ninja │ ├── build.sh │ └── src │ │ ├── .gitignore │ │ ├── HelloWorld.c │ │ ├── HelloWorld.dsc │ │ ├── HelloWorld.inf │ │ ├── HelloWorldExtra.uni │ │ ├── HelloWorldStr.uni │ │ └── PlatformBuild.py └── x86_64-uefi │ ├── .gitignore │ ├── build.ninja │ ├── build.sh │ ├── test-cov.c │ ├── test-fast.c │ └── test.c ├── x86_64_edk2_magic_6_0_185.rs ├── x86_64_edk2_magic_latest.rs ├── x86_64_edk2_timeout_6_0_185.rs ├── x86_64_edk2_timeout_latest.rs ├── x86_64_magic_6_0_185.rs ├── x86_64_magic_apitest_6_0_185.rs ├── x86_64_magic_apitest_latest.rs ├── x86_64_magic_crash_6_0_185.rs ├── x86_64_magic_crash_latest.rs ├── x86_64_magic_latest.rs ├── x86_64_magic_reporting_6_0_185.rs ├── x86_64_magic_reporting_latest.rs ├── x86_64_magic_speedtest_6_0_185.rs ├── x86_64_magic_speedtest_latest.rs ├── x86_64_magic_speedtest_tokenize_6_0_185.rs ├── x86_64_magic_speedtest_tokenize_latest.rs ├── x86_64_manual_6_0_185.rs ├── x86_64_manual_latest.rs ├── x86_64_manual_max_6_0_185.rs ├── x86_64_manual_max_latest.rs ├── x86_userspace_magic_6_0_185.rs └── x86_userspace_magic_latest.rs /.clang-format: -------------------------------------------------------------------------------- 1 | --- 2 | BasedOnStyle: Google 3 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | # Ignore dockerfile so re-runs with dockerfile-only fixes don't rebuild 2 | **/Dockerfile 3 | **/target/ 4 | **/*.img 5 | **/*.diff.craff 6 | # 
Don't add scripts so that builds dont have to rerun on script changes to those builds 7 | scripts 8 | target -------------------------------------------------------------------------------- /.github/.gitignore: -------------------------------------------------------------------------------- 1 | logs -------------------------------------------------------------------------------- /.github/builder/.gitignore: -------------------------------------------------------------------------------- 1 | rsrc 2 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: docker 4 | directory: /.github/builder 5 | schedule: 6 | interval: daily 7 | 8 | - package-ecosystem: github-actions 9 | directory: / 10 | schedule: 11 | interval: daily 12 | 13 | - package-ecosystem: docker 14 | directory: / 15 | schedule: 16 | interval: daily 17 | 18 | - package-ecosystem: docker 19 | directory: /examples/manual-example 20 | schedule: 21 | interval: daily 22 | 23 | - package-ecosystem: docker 24 | directory: /examples/tutorials/edk2-simics-platform 25 | schedule: 26 | interval: daily 27 | 28 | - package-ecosystem: docker 29 | directory: /examples/tutorials/edk2-uefi 30 | schedule: 31 | interval: daily 32 | 33 | - package-ecosystem: docker 34 | directory: /examples/tutorials/risc-v-kernel 35 | schedule: 36 | interval: daily 37 | 38 | - package-ecosystem: docker 39 | directory: /tests/rsrc/riscv-64 40 | schedule: 41 | interval: daily 42 | 43 | - package-ecosystem: docker 44 | directory: /tests/rsrc/x86_64-breakpoint-uefi-edk2 45 | schedule: 46 | interval: daily 47 | 48 | - package-ecosystem: docker 49 | directory: /tests/rsrc/x86_64-timeout-uefi-edk2 50 | schedule: 51 | interval: daily 52 | 53 | - package-ecosystem: docker 54 | directory: /tests/rsrc/x86_64-uefi-edk2 55 | schedule: 56 | interval: daily 57 | 
-------------------------------------------------------------------------------- /.github/dependabot/2023-11-07.csv: -------------------------------------------------------------------------------- 1 | CVE,Package Name,Severity,Manifest File,Status,CVSS,CVSS Vector,Vulnerable Versions,Fixed Versions,Triaged By,Triage Reason,Triage Comment 2 | -------------------------------------------------------------------------------- /.github/dependabot/2023-11-07.json: -------------------------------------------------------------------------------- 1 | [ 2 | 3 | ] 4 | -------------------------------------------------------------------------------- /.github/dependabot/2024-02-23.csv: -------------------------------------------------------------------------------- 1 | CVE,Package Name,Severity,Manifest File,Status,CVSS,CVSS Vector,Vulnerable Versions,Fixed Versions,Triaged By,Triage Reason,Triage Comment 2 | -------------------------------------------------------------------------------- /.github/dependabot/2024-02-23.json: -------------------------------------------------------------------------------- 1 | [ 2 | 3 | ] 4 | -------------------------------------------------------------------------------- /.github/linters/.flake8: -------------------------------------------------------------------------------- 1 | [flake8] 2 | max-line-length = 88 3 | extend-ignore = E203 -------------------------------------------------------------------------------- /.github/linters/.hadolint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ########################## 3 | ## Hadolint config file ## 4 | ########################## 5 | 6 | failure-threshold: warning 7 | 8 | ignored: 9 | - DL3022 # DL3022 raises a false positive when --build-context is used to provide multiple 10 | # contexts -------------------------------------------------------------------------------- /.github/linters/.isort.cfg: 
-------------------------------------------------------------------------------- 1 | [settings] 2 | profile=black 3 | -------------------------------------------------------------------------------- /.github/linters/.jscpd.json: -------------------------------------------------------------------------------- 1 | { 2 | "threshold": 0, 3 | "reporters": [ 4 | "consoleFull" 5 | ], 6 | "ignore": [ 7 | "ci.yml" 8 | ], 9 | "absolute": true 10 | } -------------------------------------------------------------------------------- /.github/linters/.markdown-lint.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ########################### 3 | ########################### 4 | ## Markdown Linter rules ## 5 | ########################### 6 | ########################### 7 | 8 | # Linter rules doc: 9 | # - https://github.com/DavidAnson/markdownlint 10 | # 11 | # Note: 12 | # To comment out a single error: 13 | # 14 | # any violations you want 15 | # 16 | # 17 | 18 | ############### 19 | # Rules by id # 20 | ############### 21 | MD004: false # Unordered list style 22 | MD007: 23 | indent: 2 # Unordered list indentation 24 | MD013: 25 | line_length: 88 # Line length 80 is far too short 26 | ignore_code_blocks: true 27 | tables: false 28 | code_blocks: false 29 | MD026: 30 | punctuation: ".,;:!。,;:" # List of not allowed 31 | MD029: false # Ordered list item prefix 32 | MD033: false # Allow inline HTML 33 | MD036: false # Emphasis used instead of a heading 34 | MD041: false # HTML can be at the top of the file for the image and such 35 | MD045: false # Do not require alt text 36 | 37 | ################# 38 | # Rules by tags # 39 | ################# 40 | blank_lines: false # Error on blank lines 41 | -------------------------------------------------------------------------------- /.github/linters/.mypy.ini: -------------------------------------------------------------------------------- 1 | # Global options: 2 | 3 | [mypy] 4 | 
ignore_missing_imports = True -------------------------------------------------------------------------------- /.github/linters/.python-black: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/.github/linters/.python-black -------------------------------------------------------------------------------- /.github/linters/.textlintrc: -------------------------------------------------------------------------------- 1 | { 2 | "rules": { 3 | "terminology": false 4 | } 5 | } -------------------------------------------------------------------------------- /.github/linters/.yaml-lint.yml: -------------------------------------------------------------------------------- 1 | --- 2 | ########################################### 3 | # These are the rules used for # 4 | # linting all the yaml files in the stack # 5 | # NOTE: # 6 | # You can disable line with: # 7 | # # yamllint disable-line # 8 | ########################################### 9 | rules: 10 | braces: 11 | level: warning 12 | min-spaces-inside: 0 13 | max-spaces-inside: 0 14 | min-spaces-inside-empty: 1 15 | max-spaces-inside-empty: 5 16 | brackets: 17 | level: warning 18 | min-spaces-inside: 0 19 | max-spaces-inside: 0 20 | min-spaces-inside-empty: 1 21 | max-spaces-inside-empty: 5 22 | colons: 23 | level: warning 24 | max-spaces-before: 0 25 | max-spaces-after: 1 26 | commas: 27 | level: warning 28 | max-spaces-before: 0 29 | min-spaces-after: 1 30 | max-spaces-after: 1 31 | comments: disable 32 | comments-indentation: disable 33 | document-end: disable 34 | document-start: 35 | level: warning 36 | present: true 37 | empty-lines: 38 | level: warning 39 | max: 2 40 | max-start: 0 41 | max-end: 0 42 | hyphens: 43 | level: warning 44 | max-spaces-after: 1 45 | indentation: 46 | level: warning 47 | spaces: consistent 48 | indent-sequences: true 49 | check-multi-line-strings: false 50 | key-duplicates: 
enable 51 | line-length: 52 | level: warning 53 | max: 120 54 | allow-non-breakable-words: true 55 | allow-non-breakable-inline-mappings: true 56 | ignore: | 57 | ci.yml 58 | new-line-at-end-of-file: disable 59 | new-lines: 60 | type: unix 61 | trailing-spaces: disable 62 | -------------------------------------------------------------------------------- /.github/linters/actionlint.yml: -------------------------------------------------------------------------------- 1 | --- 2 | self-hosted-runner: 3 | # Labels of self-hosted runner in array of string 4 | labels: 5 | - gasp 6 | -------------------------------------------------------------------------------- /.github/workflows/dependency-review.yml: -------------------------------------------------------------------------------- 1 | # Dependency Review Action 2 | # 3 | # This Action will scan dependency manifest files that change as part of a Pull Request, 4 | # surfacing known-vulnerable versions of the packages declared or updated in the PR. 5 | # Once installed, if the workflow run is marked as required, 6 | # PRs introducing known-vulnerable packages will be blocked from merging. 
7 | # 8 | # Source repository: https://github.com/actions/dependency-review-action 9 | name: 'Dependency Review' 10 | on: [pull_request] 11 | 12 | permissions: 13 | contents: read 14 | 15 | jobs: 16 | dependency-review: 17 | runs-on: ubuntu-latest 18 | steps: 19 | - name: Harden Runner 20 | uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 21 | with: 22 | egress-policy: audit 23 | 24 | - name: 'Checkout Repository' 25 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 26 | - name: 'Dependency Review' 27 | uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 28 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | Cargo.lock 2 | .env 3 | .secrets 4 | .secret* 5 | .mypy_cache 6 | *restricted* 7 | config.mk 8 | .package-list 9 | .modcache 10 | simics 11 | !simics/ 12 | simics-eclipse 13 | simics-gui 14 | simics-old 15 | GNUmakefile* 16 | *~ 17 | compiler.mk 18 | *.project-setup.new 19 | documentation 20 | !documentation/ 21 | *.log 22 | 23 | 24 | .cargo/ 25 | .vscode/ 26 | .mypy_cache/ 27 | .project-properties/ 28 | bin/ 29 | dist-packages/ 30 | dist/ 31 | distfile-list/ 32 | doc-src/ 33 | doc/ 34 | linux64/ 35 | logs/ 36 | packageinfo/ 37 | packageinfo/ 38 | target/ 39 | targets/ 40 | win64/ 41 | packages/ -------------------------------------------------------------------------------- /.gitleaksignore: -------------------------------------------------------------------------------- 1 | 6fff107aa30d12a9e7c1bb0ae12d0892cf8267e1:docs/src/tutorials/edk2-uefi/writing-the-application.md:generic-api-key:160 2 | 067469f3f03739661a08afdf1542bc3e088deeeb:docs/src/tutorials/edk2-uefi/writing-the-application.md:generic-api-key:160 3 | 6e7bfe7256ea34323926bdbc2f7c157126782c87:docs/src/tutorials/edk2-uefi.md:generic-api-key:167 
-------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/gitleaks/gitleaks 3 | rev: v8.16.3 4 | hooks: 5 | - id: gitleaks 6 | - repo: https://github.com/jumanjihouse/pre-commit-hooks 7 | rev: 3.0.0 8 | hooks: 9 | - id: shellcheck 10 | - repo: https://github.com/pocc/pre-commit-hooks 11 | rev: v1.3.5 12 | hooks: 13 | - id: cpplint 14 | - repo: https://github.com/pre-commit/pre-commit-hooks 15 | rev: v4.4.0 16 | hooks: 17 | - id: end-of-file-fixer 18 | - id: trailing-whitespace 19 | - repo: https://github.com/pylint-dev/pylint 20 | rev: v2.17.2 21 | hooks: 22 | - id: pylint 23 | -------------------------------------------------------------------------------- /CITATION.cff: -------------------------------------------------------------------------------- 1 | cff-version: 1.2.0 2 | message: "A collection of fuzzing training resources." 3 | authors: 4 | - family-names: "Marken" 5 | given-names: "Brandon" 6 | orcid: " https://orcid.org/0000-0001-6262-7042" 7 | - family-names: "Geunzel" 8 | given-names: "Robert" 9 | orcid: "" 10 | - family-names: "Hart" 11 | given-names: "Rowan" 12 | orcid: "https://orcid.org/0000-0001-9932-3798" 13 | 14 | title: "Intel TSFFS -- Target Software Fuzzer For Simics" 15 | version: 0.1.0 16 | doi: "" 17 | date-released: 2023-01-01 18 | url: "https://github.com/intel/tsffs" 19 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | ## License 4 | 5 | TSFFS is licensed under the terms in [LICENSE](LICENSE). By contributing to the project, 6 | you agree to the license and copyright terms therein and release your contribution under 7 | these terms. 
8 | 9 | ## Sign your work 10 | 11 | Please use the sign-off line at the end of the patch. Your signature certifies that you 12 | wrote the patch or otherwise have the right to pass it on as an open-source patch. The 13 | rules are pretty simple: if you can certify the below (from 14 | [developercertificate.org](http://developercertificate.org/)): 15 | 16 | ```text 17 | Developer Certificate of Origin 18 | Version 1.1 19 | 20 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors. 21 | 660 York Street, Suite 102, 22 | San Francisco, CA 94110 USA 23 | 24 | Everyone is permitted to copy and distribute verbatim copies of this 25 | license document, but changing it is not allowed. 26 | 27 | Developer's Certificate of Origin 1.1 28 | 29 | By making a contribution to this project, I certify that: 30 | 31 | (a) The contribution was created in whole or in part by me and I 32 | have the right to submit it under the open source license 33 | indicated in the file; or 34 | 35 | (b) The contribution is based upon previous work that, to the best 36 | of my knowledge, is covered under an appropriate open source 37 | license and I have the right under that license to submit that 38 | work with modifications, whether created in whole or in part 39 | by me, under the same open source license (unless I am 40 | permitted to submit under a different license), as indicated 41 | in the file; or 42 | 43 | (c) The contribution was provided directly to me by some other 44 | person who certified (a), (b) or (c) and I have not modified 45 | it. 46 | 47 | (d) I understand and agree that this project and the contribution 48 | are public and that a record of the contribution (including all 49 | personal information I submit with it, including my sign-off) is 50 | maintained indefinitely and may be redistributed consistent with 51 | this project or the open source license(s) involved. 
52 | ``` 53 | 54 | Then you just add a line to every git commit message: 55 | 56 | ```text 57 | Signed-off-by: Joe Smith 58 | ``` 59 | 60 | Use a known identity (sorry, no anonymous contributions.) 61 | 62 | If you set your `user.name` and `user.email` git configs, you can sign your 63 | commit automatically with `git commit -s`. 64 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | Intel is committed to rapidly addressing security vulnerabilities affecting our 4 | customers and providing clear guidance on the solution, impact, severity and mitigation. 5 | 6 | ## Reporting a Vulnerability 7 | 8 | Please report any security vulnerabilities in this project [utilizing the guidelines 9 | here](https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html). 10 | -------------------------------------------------------------------------------- /build.rs: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | /// The environment variable containing the path to the Simics installation 5 | const SIMICS_BASE_ENV: &str = "SIMICS_BASE"; 6 | 7 | fn main() { 8 | println!("cargo:rerun-if-env-changed={SIMICS_BASE_ENV}"); 9 | simics_build_utils::emit_cfg_directives().expect("Failed to emit cfg directives"); 10 | simics_build_utils::emit_link_info().expect("Failed to emit link info"); 11 | } 12 | -------------------------------------------------------------------------------- /config-user.mk: -------------------------------------------------------------------------------- 1 | # coding: utf-8 2 | 3 | # © 2010 Intel Corporation 4 | # 5 | # This software and the related documents are Intel copyrighted materials, and 6 | # your use of them is governed by the express license under 
which they were 7 | # provided to you ("License"). Unless the License provides otherwise, you may 8 | # not use, modify, copy, publish, distribute, disclose or transmit this software 9 | # or the related documents without Intel's prior written permission. 10 | # 11 | # This software and the related documents are provided as is, with no express or 12 | # implied warranties, other than those that are expressly stated in the License. 13 | 14 | 15 | 16 | USER_BUILD_ID=tsffs:1 17 | 18 | ifeq ($(HOST_TYPE),win64) 19 | LIBS=-lws2_32 -loleaut32 -lole32 -lbcrypt -luserenv -lntdll 20 | endif 21 | 22 | ifeq ($(HOST_TYPE),linux64) 23 | LDFLAGS=-Wl,--gc-sections 24 | endif -------------------------------------------------------------------------------- /docs/.gitignore: -------------------------------------------------------------------------------- 1 | book 2 | -------------------------------------------------------------------------------- /docs/book.toml: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | [book] 5 | authors = ["novafacing"] 6 | language = "en" 7 | multilingual = false 8 | src = "src" 9 | title = "TSFFS: Target Software Fuzzer for SIMICS" 10 | 11 | [output.html] 12 | 13 | [output.linkcheck] -------------------------------------------------------------------------------- /docs/src/.gitignore: -------------------------------------------------------------------------------- 1 | crates/ 2 | simics/ -------------------------------------------------------------------------------- /docs/src/config/README.md: -------------------------------------------------------------------------------- 1 | # Configuration 2 | 3 | Before TSFFS can fuzz target software, it must be configured. The configuration API is 4 | kept as simple as possible, with sane defaults. 
TSFFS exposes all of its configuration 5 | options as Simics *attributes* which means that you can list its configuration options 6 | by running the following in a Simics CLI prompt in a project with TSFFS installed (see 7 | [Installing in Projects](installing-in-projects.md)). 8 | 9 | ```simics 10 | load-module tsffs 11 | list-attributes tsffs 12 | ``` 13 | 14 | You'll see a list of attributes, each of which has help documentation available through 15 | the Simics CLI like: 16 | 17 | ```simics 18 | help tsffs.exceptions 19 | ``` 20 | 21 | To read about all of the TSFFS options in detail, including methods for setup, 22 | installation, and configuration: 23 | 24 | - [Installing In Projects](installing-in-projects.md) 25 | - [Loading The TSFFS Module](loading-module.md) 26 | - [Common Options](common-options.md) -------------------------------------------------------------------------------- /docs/src/config/loading-module.md: -------------------------------------------------------------------------------- 1 | # Loading & Initializing TSFFS 2 | 3 | Before TSFFS can be used, the module must be loaded, an instance of the fuzzer must be 4 | created and instantiated, and the fuzzer must be configured for your target. 5 | 6 | - [Loading \& Initializing TSFFS](#loading--initializing-tsffs) 7 | - [Loading the Module](#loading-the-module) 8 | - [Initializing the Fuzzer](#initializing-the-fuzzer) 9 | - [Configuring the Fuzzer](#configuring-the-fuzzer) 10 | 11 | ## Loading the Module 12 | 13 | The TSFFS module can be loaded by running (in a SIMICS script): 14 | 15 | ```simics 16 | load-module tsffs 17 | ``` 18 | 19 | Or, in a Python script: 20 | 21 | ```python 22 | SIM_load_module("tsffs") 23 | ``` 24 | 25 | ## Initializing the Fuzzer 26 | 27 | "The Fuzzer" is an instance of the `tsffs` class, declared in the `tsffs` module. The 28 | `tsffs` class can only be instantiated once in a given simulation. 
29 | 30 | This can be done by running (in a SIMICS script): 31 | 32 | ```simics 33 | init-tsffs 34 | ``` 35 | 36 | Alternatively, in a Python script, you can write: 37 | 38 | ```python 39 | tsffs_cls = SIM_get_class("tsffs") 40 | ``` 41 | 42 | And in the Python script, once we have the `tsffs_cls` an instance can be created with: 43 | 44 | ```python 45 | tsffs = SIM_create_object(tsffs_cls, "tsffs", []) 46 | ``` 47 | 48 | The fuzzer instance is now created and ready to configure and use. 49 | 50 | ## Configuring the Fuzzer 51 | 52 | The fuzzer is configured via various attributes, many of which have default values. You 53 | can view the list of configuration settings at runtime by running: 54 | 55 | ```python 56 | @print(*tsffs.attributes, sep="\n") 57 | ``` 58 | 59 | Most settings can be set from Python scripting, for example the timeout can be set to 3 60 | seconds with: 61 | 62 | ```python 63 | @tsffs.timeout = 3.0 64 | ``` -------------------------------------------------------------------------------- /docs/src/developer/README.md: -------------------------------------------------------------------------------- 1 | # Developer Documentation 2 | 3 | - [Build Internals](build.md) 4 | - [Refreshing Build Environment](refresh.md) 5 | - [Building Against A Specific SIMICS Version](specific-simics-version.md) 6 | - [Debugging TSFFS](debugging.md) -------------------------------------------------------------------------------- /docs/src/developer/debugging.md: -------------------------------------------------------------------------------- 1 | # Debugging 2 | 3 | Hopefully not very often, but once in a while you may need to debug the TSFFS module. 4 | 5 | The easiest way to do this is by loading and using it in a script that does what you 6 | want. For example, early in development there was a bug when calling the interface 7 | API. 
8 | 9 | 10 | So this script was used to help debug: 11 | 12 | ```txt 13 | load-module tsffs 14 | @tsffs = SIM_create_object(SIM_get_class("tsffs"), "tsffs", []) 15 | tsffs.log-level 4 16 | @import time 17 | @print("Sleeping") 18 | @time.sleep(30) 19 | # Call your API here 20 | ``` 21 | 22 | All this script does is sleep for 30 seconds, then call the API we care about. The 30 23 | second sleep gives you enough time to run this script, find the PID of the simics 24 | process, and attach to it with GDB. Once in GDB, just break all threads on the place you 25 | want to debug. 26 | 27 | 28 | ```sh 29 | $ ./simics -no-gui --no-win ./test.simics 30 | $ ps aux | grep simics | grep -v grep | awk '{print $2}' 31 | 134284 32 | $ gdb -q attach 134284 33 | gdb> thread apply all break set_corpus_directory 34 | gdb> continue 35 | ... 36 | ``` 37 | 38 | In general, most bugs will happen in FFI code, so breakpointing should be relatively 39 | straightforward. However, in complex cases demangling may be necessary. For this, 40 | a new version of GDB including rustfilt is suggested. -------------------------------------------------------------------------------- /docs/src/developer/refresh.md: -------------------------------------------------------------------------------- 1 | # Refreshing Build Environment 2 | 3 | In some cases, the TSFFS package environment can become desynchronized with the local 4 | SIMICS installation. To resolve this issue, you can remove the files SIMICS/ISPM added 5 | during setup and re-initialize the project by running `cargo clean`. 6 | -------------------------------------------------------------------------------- /docs/src/developer/release.md: -------------------------------------------------------------------------------- 1 | # Releasing TSFFS 2 | 3 | 1.
Run check script: `./check.sh` 4 | - This will report issues with formatting (C and Python formatting can be ignored 5 | for releases, markdown and Rust issues should be fixed) 6 | - This will perform most checks done in CI including dependencies 7 | - Any dependencies that are outdated or are flagged as vulnerable by audits should be 8 | updated 9 | - Any code which has breaking changes (very rare) should be fixed 10 | -------------------------------------------------------------------------------- /docs/src/developer/specific-simics-version.md: -------------------------------------------------------------------------------- 1 | # Targeting A Specific SIMICS Version 2 | 3 | The Simics version the module is built against is determined by the Simics base 4 | directory pointed to by the `SIMICS_BASE` environment variable. For example, running: 5 | 6 | ```sh 7 | SIMICS_BASE=/home/user/simics/simics-6.0.185/ cargo simics-build 8 | ``` 9 | 10 | will build the module against Simics version 6.0.185. 11 | -------------------------------------------------------------------------------- /docs/src/documentation/README.md: -------------------------------------------------------------------------------- 1 | # Documentation 2 | 3 | Documentation for the public distribution of SIMICS and all the crates which make up 4 | TSFFS is provided here.
5 | 6 | - [SIMICS Documentation](https://intel.github.io/simulator-bindings/simics/index.html) 7 | - [Crate Documentation](https://intel.github.io/simulator-bindings/crates/index.html) 8 | - [tsffs](https://intel.github.io/tsffs/crates/tsffs/index.html) 9 | - [simics](https://intel.github.io/simulator-bindings/crates/simics/index.html) 10 | - [simics-macro](https://intel.github.io/simulator-bindings/crates/simics_macro/index.html) 11 | - [simics-codegen](https://intel.github.io/simulator-bindings/crates/simics_codegen/index.html) 12 | - [simics-api-sys](https://intel.github.io/simulator-bindings/crates/simics_api_sys/index.html) 13 | - [ispm-wrapper](https://intel.github.io/simulator-bindings/crates/ispm_wrapper/index.html) 14 | -------------------------------------------------------------------------------- /docs/src/fuzzing/README.md: -------------------------------------------------------------------------------- 1 | # Fuzzing 2 | 3 | - [Checking Compatibility](compatibility.md) 4 | - [Choosing a Harnessing Method](choose-harnessing-method.md) 5 | - [Running the Fuzzer](running-fuzzer.md) 6 | - [Optimizing for Fuzzing](optimizing-for-fuzzing.md) -------------------------------------------------------------------------------- /docs/src/fuzzing/analyzing-results.md: -------------------------------------------------------------------------------- 1 | # Analyzing Results 2 | 3 | Once a solution is found, the fuzzer can be run in *repro* mode which will: 4 | 5 | * Save a bookmark when the testcase is written 6 | * Write only one testcase, the bytes from the specified file 7 | * Stop without resetting to the initial snapshot 8 | 9 | Repro mode can be run after stopping execution, or before executing the fuzzing loop. 
10 | 11 | ```python 12 | tsffs.iface.fuzz.repro("%simics%/solutions/TESTCASE") 13 | ``` -------------------------------------------------------------------------------- /docs/src/fuzzing/choose-harnessing-method.md: -------------------------------------------------------------------------------- 1 | # Choosing a Harnessing Method 2 | 3 | As covered in the [harnessing](../harnessing/) section, there are three options for 4 | harnessing a given target software: 5 | 6 | - Open-box, or compiled-in harnesses using provided macros 7 | - Closed-box harnessing that injects testcases into some target software memory 8 | - Fully manual harnessing that returns the testcase to the harnessing script 9 | 10 | The method that should be used depends on your target software and, more importantly, 11 | your build system. 12 | 13 | ## Compiled-In/Open-Box Harnessing 14 | 15 | If you control the build system and are able to modify the code, you 16 | should almost always prefer the compiled-in harnesses. When you control the compilation, 17 | some examples of when compiled-in harnesses should be used are: 18 | 19 | - Your UEFI application has a function (or code flow) that takes external input 20 | - Uses files from the filesystem, SRAM, or other persistent storage 21 | - Takes input from the operating system 22 | - Your Kernel module takes external input 23 | - Receives input from user-space via IOCTL or system call 24 | - Uses DMA or MMIO to take input from an external source 25 | - Your user space application takes user input 26 | - From command line 27 | - From a file 28 | 29 | ## Closed-Box Harnessing 30 | 31 | The closed-box harnessing methods covered in 32 | [the closed-box section](../harnessing/closed-box.md) work in the same way as the 33 | open-box harnessing approach. 
They should be used when the software takes input in the 34 | same way as software that would be harnessed using the open-box approach, but whose 35 | code or build system cannot be changed to add compiled-in harnessing. 36 | 37 | ## Fully Manual Harnessing 38 | 39 | Fully manual harnessing should be used in cases where neither other approach is 40 | possible or in extremely complex cases. For example, when significant code is required 41 | to preprocess and send an input via an external interface, for harnessing code such as 42 | a UEFI update mechanism. This approach (when used correctly) can save time that would 43 | have been spent writing a harness in the target software, but you should first make sure that 44 | in-target harnessing is not the better option. -------------------------------------------------------------------------------- /docs/src/fuzzing/optimizing-for-fuzzing.md: -------------------------------------------------------------------------------- 1 | # Optimizing for Fuzzing 2 | 3 | There are a few techniques that can be used to optimize the fuzzer for performance while 4 | fuzzing. 5 | 6 | ## Reduce Output 7 | 8 | The most effective (and, helpfully, often the easiest) way to improve performance of the 9 | fuzzer is to eliminate as much output as possible from the target software.
You can use 10 | the preprocessor definition `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`, which as its name says must only be defined in fuzzing builds, to do this: 11 | 12 | Before: 13 | 14 | ```c 15 | log_info("Some info about what's happening"); 16 | log_debug("Some even more info about what's happening, the value is %d", some_value); 17 | ``` 18 | 19 | After: 20 | 21 | ```c 22 | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 23 | log_info("Some info about what's happening"); 24 | log_debug("Some even more info about what's happening, the value is %d", some_value); 25 | #endif 26 | ``` 27 | 28 | This will reduce the logging output, which is important in SIMICS because it reduces how often 29 | the console output model runs, and that model is much slower than the CPU model. 30 | 31 | ## Run as little as possible 32 | 33 | In general, the harnesses for fuzzing should be placed as close around the code you 34 | actually wish to fuzz as possible. For example, if you only want to fuzz a specific function, 35 | like `YourSpecialDecoder`, place your harnesses immediately around the function call you 36 | want to fuzz: 37 | 38 | ```c 39 | HARNESS_START(buf, buf_size_ptr); 40 | int retval = YourSpecialDecoder(certbuf, certbuf_size_ptr); 41 | 42 | if (!retval) { 43 | /// An error occurred 44 | HARNESS_ASSERT(); 45 | } else { 46 | HARNESS_STOP(); 47 | } 48 | ``` -------------------------------------------------------------------------------- /docs/src/fuzzing/running-fuzzer.md: -------------------------------------------------------------------------------- 1 | # Running the Fuzzer 2 | 3 | Once a fuzzing campaign is set up, you can generally run the fuzzer like: 4 | 5 | ```sh 6 | ./simics --no-win --batch-mode fuzz.simics 7 | ``` 8 | 9 | At a log level of 2 or greater (i.e. set `tsffs.log-level 2` in your script), you'll 10 | see statistics of the current progress during execution.
-------------------------------------------------------------------------------- /docs/src/harnessing/README.md: -------------------------------------------------------------------------------- 1 | # Harnessing 2 | 3 | Harnessing target software to effectively use TSFFS to fuzz it is a target-dependent 4 | subject, so examples of each supported harnessing method are provided here. The order of 5 | each approach here is roughly equivalent to the preferred order harnessing should be 6 | tried. If possible, the target software should be harnessed at the source-code level. If 7 | not, try injecting testcases into its memory directly, and if this is still not possible 8 | or not appropriate for your use case, the fully-manual approach can be used. 9 | 10 | - [Using Compiled-In Harnesses](compiled-in.md) 11 | - [Closed-Box Testcase Injection](closed-box.md) 12 | - [Manual Testcase Injection](manual.md) -------------------------------------------------------------------------------- /docs/src/harnessing/manual.md: -------------------------------------------------------------------------------- 1 | # Manual Harnessing 2 | 3 | If the target software does not provide opportunity for injecting testcases into memory, 4 | for example when testing an application which takes input via a network or other 5 | hardware interface, manual harnessing can be used. This interface simply provides a way 6 | for users to obtain the fuzzing test case directly from the fuzzer and use it in any way 7 | that is appropriate. 8 | 9 | Harnessing in this way can be done using the api. Note that the API method still takes 10 | a CPU object. When called, the initial snapshot is still captured in the same way as 11 | with other [closed-box](closed-box.md) harnessing methods. 
12 | 13 | ```python 14 | @testcase = tsffs.iface.fuzz.start_without_buffer(cpu) 15 | ``` -------------------------------------------------------------------------------- /docs/src/images/DEBUGGING_FUZZER_Run_and_Debug.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/DEBUGGING_FUZZER_Run_and_Debug.png -------------------------------------------------------------------------------- /docs/src/images/HARNESSING_UEFI_SIMPLE_Run_Target.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/HARNESSING_UEFI_SIMPLE_Run_Target.png -------------------------------------------------------------------------------- /docs/src/images/HARNESSING_UEFI_SIMPLE_Run_Target_Post.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/HARNESSING_UEFI_SIMPLE_Run_Target_Post.png -------------------------------------------------------------------------------- /docs/src/images/REQUIREMENTS_Test_Micro_Checkpoints_Post.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/REQUIREMENTS_Test_Micro_Checkpoints_Post.png -------------------------------------------------------------------------------- /docs/src/images/REQUIREMENTS_Test_Micro_Checkpoints_Pre.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/REQUIREMENTS_Test_Micro_Checkpoints_Pre.png -------------------------------------------------------------------------------- 
/docs/src/images/REQUIREMENTS_Test_Micro_Checkpoints_TestRun.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/REQUIREMENTS_Test_Micro_Checkpoints_TestRun.png -------------------------------------------------------------------------------- /docs/src/images/SETUP_Install_Finished.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/SETUP_Install_Finished.png -------------------------------------------------------------------------------- /docs/src/images/SETUP_Install_Only.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/SETUP_Install_Only.png -------------------------------------------------------------------------------- /docs/src/images/SETUP_Install_Proceed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/SETUP_Install_Proceed.png -------------------------------------------------------------------------------- /docs/src/images/SETUP_Select_Install_Directory.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/SETUP_Select_Install_Directory.png -------------------------------------------------------------------------------- /docs/src/images/logo-social.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/logo-social.png 
-------------------------------------------------------------------------------- /docs/src/images/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/logo.png -------------------------------------------------------------------------------- /docs/src/images/mini.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/images/mini.mp4 -------------------------------------------------------------------------------- /docs/src/setup/README.md: -------------------------------------------------------------------------------- 1 | # Setup 2 | 3 | Setup instructions are provided for all major platforms TSFFS supports (all platforms 4 | supported by SIMICS). 5 | 6 | - [Docker](docker.md) 7 | - [Linux](linux.md) 8 | - [Windows](windows.md) -------------------------------------------------------------------------------- /docs/src/tutorials/README.md: -------------------------------------------------------------------------------- 1 | # Tutorials 2 | 3 | We have several tutorials for harnessing and fuzzing various target software. 4 | 5 | - [Fuzzing an EDK2 UEFI Application](edk2-uefi) 6 | - [Fuzzing a Kernel Module](kernel-module) 7 | - [Fuzzing a Custom BIOS](edk2-simics-platform-bios) 8 | - [Fuzzing a Windows Kernel Mode Driver](windows-kernel) -------------------------------------------------------------------------------- /docs/src/tutorials/edk2-simics-platform-bios/README.md: -------------------------------------------------------------------------------- 1 | # EDK2 SIMICS Platform BIOS Tutorial 2 | 3 | This tutorial will walk you through the entire process of creating, building, and 4 | fuzzing a platform BIOS image. 
You can read about what exactly a platform BIOS FD image 5 | contains 6 | [here](https://tianocore-docs.github.io/edk2-BuildSpecification/release-1.28/10_post-build_imagegen_stage_-_flash/105_create_the_fd_image_files.html#105-create-the-fd-image-files). 7 | 8 | - [Obtaining Sources](obtaining-sources.md) 9 | - [Building the BIOS](building-bios.md) 10 | - [Booting the BIOS](booting.md) 11 | - [Harnessing the BIOS Boot Logo Parser](harnessing.md) 12 | - [Configuring the Fuzzer](configuring.md) 13 | - [Running the Fuzzer](running.md) 14 | - [Optimizing the Fuzzer](optimizing.md) -------------------------------------------------------------------------------- /docs/src/tutorials/edk2-simics-platform-bios/running.md: -------------------------------------------------------------------------------- 1 | # Running the Fuzzer 2 | 3 | Now that everything is harnessed, we can run the fuzzer: 4 | 5 | ```sh 6 | ./simics --no-win fuzz.simics 7 | ``` 8 | 9 | After some time, we should be able to discover the bugs we added. -------------------------------------------------------------------------------- /docs/src/tutorials/edk2-uefi/README.md: -------------------------------------------------------------------------------- 1 | # Fuzzing an EDK2 UEFI Application 2 | 3 | This tutorial will walk you through the entire process of creating, building, and 4 | fuzzing a UEFI application built with EDK2 on the x86-64 platform. The completed example 5 | code and fuzzing script can be found in the [edk2-uefi tutorial 6 | directory](https://github.com/intel/tsffs/tree/main/examples/tutorials/edk2-uefi). 
7 | 8 | - [Writing the Application](writing-the-application.md) 9 | - [Building the Application](building-the-application.md) 10 | - [Testing the Application](testing-the-application.md) 11 | - [Configuring the Fuzzer](configuring-the-fuzzer.md) 12 | - [Running the Fuzzer](running-the-fuzzer.md) 13 | - [Reproducing Runs](reproducing-runs.md) 14 | - [Optimizing For Speed](optimizing-for-speed.md) -------------------------------------------------------------------------------- /docs/src/tutorials/edk2-uefi/reproducing-runs.md: -------------------------------------------------------------------------------- 1 | # Reproducing Runs 2 | 3 | It is unlikely you'll find any bugs with this harness (if you do, report them to edk2!), 4 | but we can still test the "repro" functionality which allows you to replay an execution 5 | of a testcase from an input file. After pressing Ctrl+C during execution, list the 6 | corpus files (tip: `!` in front of a line in the SIMICS console lets you run shell 7 | commands): 8 | 9 | ```txt 10 | simics> !ls corpus 11 | 0 12 | 1 13 | 2 14 | 3 15 | 4385dc33f608888d 16 | 5b7dc5642294ccb9 17 | ``` 18 | 19 | You will probably have several files. Let's examine testcase `4385dc33f608888d`: 20 | 21 | ```txt 22 | simics> !hexdump -C corpus/4385dc33f608888d | head -n 2 23 | 00000000 30 82 04 e8 30 82 04 53 a0 03 02 01 02 02 1d 58 |0...0..S.......X| 24 | 00000010 74 4e e3 aa f9 7e e8 ff 2f 67 53 31 6e 62 3d 1e |tN...~../gS1nb=.| 25 | ``` 26 | 27 | We can tell the fuzzer that we want to run with this specific input by using: 28 | 29 | ```txt 30 | simics> @tsffs.iface.fuzz.repro("%simics%/corpus/4385dc33f608888d") 31 | ``` 32 | 33 | The simulation will run once with this input, then output a message that you can replay 34 | the simulation by running: 35 | 36 | ```txt 37 | simics> reverse-to start 38 | ``` 39 | 40 | From here, you can examine memory and registers (with `x`), single step execution (`si`) 41 | and more! 
Check out the SIMICS documentation and explore all the deep debugging 42 | capabilities that SIMICS offers. When you're done exploring, run `c` to continue. 43 | 44 | You can change the testcase you are examining by choosing a different one with 45 | `tsffs.iface.fuzz.repro`, but you cannot resume fuzzing after entering repro mode due 46 | to inconsistencies with the simulated system clock. 47 | -------------------------------------------------------------------------------- /docs/src/tutorials/edk2-uefi/running-the-fuzzer.md: -------------------------------------------------------------------------------- 1 | # Running the Fuzzer 2 | 3 | Now that we have configured the fuzzer and harnessed our target application, it's time 4 | to run again: 5 | 6 | ```sh 7 | ./simics --no-win run.simics 8 | ``` 9 | 10 | Press Ctrl+C at any time to stop the fuzzing process and return to the SIMICS CLI. 11 | From there you can run `continue` to continue the fuzzing process. 12 | -------------------------------------------------------------------------------- /docs/src/tutorials/kernel-module/README.md: -------------------------------------------------------------------------------- 1 | # Fuzzing a Kernel Module 2 | 3 | This tutorial will walk you through the entire process of creating, building, and 4 | fuzzing a Linux Kernel module running on the simulated RISC-V platform. The complete 5 | example code and scripts can be found in the [kernel-module tutorial 6 | directory](https://github.com/intel/tsffs/tree/main/examples/tutorials/edk2-uefi). 
7 | 8 | - [Target Software Outline](target-software-outline.md) 9 | - [Target Software Boilerplate](target-software-boilerplate.md) 10 | - [Kernel Module Code](kernel-module-code.md) 11 | - [Kernel Module Harnessing](kernel-module-harnessing.md) 12 | - [Updating the Build Configuration](build-configuration-updates.md) 13 | - [Running the Fuzzer](running-the-fuzzer.md) -------------------------------------------------------------------------------- /docs/src/tutorials/kernel-module/target-software-outline.md: -------------------------------------------------------------------------------- 1 | # Target Software Outline 2 | 3 | We are targeting RISC-V, so we will be using [buildroot](https://buildroot.org/) for 4 | our toolchain and Linux build. We need to build the following: 5 | 6 | * `fw_jump.elf`, `Image`, and `rootfs.ext2`, our firmware jump binary, linux kernel 7 | image, and root filesystem, respectively. These three files are expected by the 8 | public RISC-V platform model for SIMICS to boot Linux. Other approaches can be 9 | used but will require significantly more customization. 10 | * `tutorial-mod.ko` our tutorial kernel module. We'll create a kernel module which 11 | provides a virtual device which can be controlled via IOCTL. 12 | * `tutorial-mod-driver` a user-space application which will trigger the functionality 13 | we want to fuzz in our kernel module. We'll discuss how to harness both by 14 | compiling the harness code into the kernel module *and* by compiling the harness code 15 | into the user-space driver application. 16 | 17 | We'll use the 18 | [br2-external](https://buildroot.org/downloads/manual/manual.html#outside-br-custom) 19 | mechanism to keep our kernel module package separate from the buildroot tree.
20 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/README.md: -------------------------------------------------------------------------------- 1 | # Fuzzing a Windows Kernel Mode Driver (KMD) 2 | 3 | This tutorial will walk you through the process of creating, building, and fuzzing a 4 | Windows Kernel Mode Driver (KMD) running on the simulated x86_64 platform on Windows 11. 5 | 6 | - [Building a Windows Image](building-windows-image/README.md) 7 | - [Create a Simics Project](create-a-project.md) 8 | - [Run and Set Up the Simulation](run-the-simulation.md) 9 | - [Run the Fuzzer](run-the-fuzzer.md) -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/README.md: -------------------------------------------------------------------------------- 1 | # Building a Simics-Compatible Windows Kernel Development VM 2 | 3 | We will use VirtualBox to create a Windows Kernel Development Virtual machine 4 | before converting the VirtualBox Virtual Disk Image (VDI) to the CRAFF format used by 5 | Simics. 6 | 7 | There are several advantages to creating the image this way: 8 | 9 | - Speed: VirtualBox runs faster than Simics and is easier to work with interactively 10 | - Compatibility: The image can be used for other purposes 11 | - Iteration: Speed and compatibility allow iterating on the image contents more quickly 12 | 13 | 1. [Install VirtualBox](install-virtualbox.md) 14 | 2. [Download Windows](download-windows.md) 15 | 3. [Create a VM](create-a-vm.md) 16 | 4. [Install Windows](install-windows.md) 17 | 5. [Set Up SSH](set-up-ssh.md) 18 | 6. [Enable SSH Port Forwarding in VirtualBox](enable-ssh-port-forwarding-in-virtualbox.md) 19 | 7. [Change Default Shell to PowerShell](change-default-shell-to-powershell.md) 20 | 8. [Installing the EWDK](installing-the-ewdk.md) 21 | 9. 
[Installing Development Tools](installing-development-tools.md) 22 | 10. [Install Simics Agent](install-simics-agent.md) 23 | 11. [Clone and Build HEVD](clone-and-build-hevd.md) 24 | 12. [Install the Code Signing Certificate](install-the-code-signing-certificate.md) 25 | 13. [Install HEVD Driver](install-hevd-driver.md) 26 | 14. [Create a Fuzz Harness](create-a-fuzz-harness.md) 27 | 15. [Compile the Fuzz Harness](compile-the-fuzz-harness.md) 28 | 16. [Convert the Image to CRAFF](convert-image.md) 29 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/change-default-shell-to-powershell.md: -------------------------------------------------------------------------------- 1 | # Change Default Shell to PowerShell 2 | 3 | This is a CMD command prompt. The remainder of the tutorials for Windows will 4 | provide only PowerShell commands. To change the default shell for OpenSSH to 5 | PowerShell, run: 6 | 7 | ```cmd 8 | powershell.exe -Command "New-ItemProperty -Path 'HKLM:\SOFTWARE\OpenSSH' -Name DefaultShell -Value 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -PropertyType String -Force" 9 | ``` 10 | 11 | Exiting the SSH session by running `exit`, then reconnecting with `ssh -p 2222 12 | user@localhost` should log you into a PowerShell session by default: 13 | 14 | ```txt 15 | Windows PowerShell 16 | Copyright (C) Microsoft Corporation. All rights reserved. 
17 | 18 | Try the new cross-platform PowerShell https://aka.ms/pscore6 19 | 20 | PS C:\Users\user> 21 | ``` 22 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/clone-and-build-hevd.md: -------------------------------------------------------------------------------- 1 | # Clone and Build HEVD 2 | 3 | We will use [HackSys Extreme Vulnerable Driver 4 | (HEVD)](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver) as our windows 5 | driver target. 6 | 7 | We'll clone HEVD into our home directory and enter the EWDK build environment. 8 | 9 | ```powershell 10 | cd ~ 11 | git clone https://github.com/novafacing/HackSysExtremeVulnerableDriver -b windows-training 12 | cd HackSysExtremeVulnerableDriver/Driver 13 | W:\LaunchBuildEnv.cmd 14 | ``` 15 | 16 | Now, we can go ahead and build the driver: 17 | 18 | ```cmd 19 | cmake -S . -B build -DKITS_ROOT="W:\Program Files\Windows Kits\10" 20 | cmake --build build --config Release 21 | ``` 22 | 23 | And exit our build environment: 24 | 25 | ```cmd 26 | exit 27 | ``` 28 | 29 | Back in PowerShell, check to make sure there is a release directory: 30 | 31 | ```powershell 32 | ls build/HEVD/Windows/ 33 | ``` 34 | 35 | You should see: 36 | 37 | 38 | ```txt 39 | 40 | Directory: C:\Users\user\HackSysExtremeVulnerableDriver\Driver\build\HEVD\Windows 41 | 42 | 43 | Mode LastWriteTime Length Name 44 | ---- ------------- ------ ---- 45 | d----- 12/20/2023 7:16 PM CMakeFiles 46 | d----- 12/20/2023 7:16 PM HEVD.dir 47 | d----- 12/20/2023 7:17 PM Release 48 | -a---- 12/20/2023 7:16 PM 1073 cmake_install.cmake 49 | -a---- 12/20/2023 7:17 PM 2275 hevd.cat 50 | -a---- 12/20/2023 7:17 PM 1456 HEVD.inf 51 | -a---- 12/20/2023 7:17 PM 32216 HEVD.sys 52 | -a---- 12/20/2023 7:16 PM 45308 HEVD.vcxproj 53 | -a---- 12/20/2023 7:16 PM 4117 HEVD.vcxproj.filters 54 | ``` 55 | 56 | If so, we're in business! 
57 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/compile-the-fuzz-harness.md: -------------------------------------------------------------------------------- 1 | # Compile the Fuzz Harness 2 | 3 | That's all we need to test the driver from user-space. We can now compile the harness by 4 | entering the Build Environment for VS Community (not the EWDK): 5 | 6 | ```powershell 7 | Set-ExecutionPolicy Unrestricted 8 | & 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1' -Arch amd64 9 | ml64 /c /Cp /Cx /Zf tsffs-msvc-x86_64.asm 10 | cl fuzzer.c tsffs-msvc-x86_64.obj 11 | ``` 12 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/convert-image.md: -------------------------------------------------------------------------------- 1 | # Convert Image to CRAFF 2 | 3 | Now that we have set up our Windows image, we need to convert the image to the 4 | CRAFF format that Simics uses. 5 | 6 | First, shut down the guest machine with: 7 | 8 | ```powershell 9 | shutdown /s /f /t 0 10 | ``` 11 | 12 | ## Find The Virtual Disk Image 13 | 14 | After the guest machine has shut down, click the "Storage" category header in 15 | the machine page shown below. 16 | 17 | ![Storage category header](images/2024-03-21-12-24-34.png) 18 | 19 | The settings window for Storage will appear. Note the "Location" field. This is 20 | the path to the virtual disk image. 
21 | 22 | ![Location field showing virtual disk image path](images/2024-03-21-12-25-39.png) 23 | 24 | ## Convert the Virtual Disk Image 25 | 26 | To convert the VDI to raw, we can use either the VirtualBox CLI: 27 | 28 | ```sh 29 | VBoxManage clonehd "/path/to/VirtualBox VMs/Windows 11/Windows 11.vdi" "examples/tutorials/windows-kernel/windows-11.img" --format raw 30 | ``` 31 | 32 | Or we can use the qemu-img tool (included with QEMU installations): 33 | 34 | ```sh 35 | qemu-img convert -f vdi -O raw "/path/to/VirtualBox VMs/Windows 11/Windows 11.vdi" "examples/tutorials/windows-kernel/windows-11.img" 36 | ``` 37 | 38 | Then, we will use the `craff` utility included with Simics. Find your Simics 39 | base directory (e.g. `simics-6.0.185`), and run: 40 | 41 | ```sh 42 | ~/simics/simics-6.0.185/bin/craff -o examples/tutorials/windows-kernel/windows-11.craff examples/tutorials/windows-kernel/windows-11.img 43 | ``` 44 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/create-a-project.md: -------------------------------------------------------------------------------- 1 | # Create a Simics Project 2 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/create-and-start-the-driver-service.md: -------------------------------------------------------------------------------- 1 | # Create and Start the Driver Service 2 | 3 | We'll create a service for the driver and start it. 
4 | 5 | ```powershell 6 | sc.exe create HEVD type= kernel binPath= C:\Users\user\HackSysExtremeVulnerableDriver\Driver\build\HEVD\Windows\HEVD.sys 7 | sc.exe start HEVD 8 | ``` 9 | 10 | You should see: 11 | 12 | 13 | ```txt 14 | 15 | SERVICE_NAME: HEVD 16 | TYPE : 1 KERNEL_DRIVER 17 | STATE : 4 RUNNING 18 | (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) 19 | WIN32_EXIT_CODE : 0 (0x0) 20 | SERVICE_EXIT_CODE : 0 (0x0) 21 | CHECKPOINT : 0x0 22 | WAIT_HINT : 0x0 23 | PID : 0 24 | FLAGS : 25 | ``` 26 | 27 | This means our vulnerable driver is now running. 28 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/download-windows.md: -------------------------------------------------------------------------------- 1 | # Download Windows 2 | 3 | Download an ISO for 64-bit Windows 11 from the [Direct 4 | Link](https://software-static.download.prss.microsoft.com/dbazure/888969d5-f34g-4e03-ac9d-1f9786c66749/22631.2428.231001-0608.23H2_NI_RELEASE_SVC_REFRESH_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso) 5 | or if this does not work, download from the [Microsoft Evaluation 6 | Center](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-11-enterprise). You 7 | will be asked for your email and name, but there is no validation of this information 8 | and you will be given a download link regardless of what is entered. 9 | 10 | The ISO should have a filename like: 11 | 12 | `22631.2428.231001-0608.23H2_NI_RELEASE_SVC_REFRESH_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso` 13 | 14 | This tutorial assumes version 23H2, but should be the same for future versions. 
15 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/enable-ssh-port-forwarding-in-virtualbox.md: -------------------------------------------------------------------------------- 1 | # Enable SSH Port Forwarding in VirtualBox 2 | 3 | Shut down the VM by selecting `File` > `Close` in the 4 | VirtualBox menu bar, then select "Send the shutdown 5 | signal". 6 | 7 | ![](images/2024-03-16-12-45-13.png) 8 | 9 | Click "Settings" in the Windows 11 image tab. 10 | 11 | ![](images/2024-03-16-12-10-29.png) 12 | 13 | 14 | Select the "Network" tab on the left. 15 | 16 | ![](images/2024-03-16-12-46-16.png) 17 | 18 | Select the "Advanced" drop-down menu. 19 | 20 | ![](images/2024-03-16-12-46-28.png) 21 | 22 | Select the "Port Forwarding" button to open the port forwarding menu. 23 | 24 | ![](images/2024-03-16-12-46-44.png) 25 | 26 | Select the top-right button "Adds port forwarding rule" to add a new rule. 27 | 28 | ![](images/2024-03-16-12-47-01.png) 29 | 30 | Set the name to "OpenSSH" on protocol TCP from host 31 | port 2222 to guest port 22. Leave both IP fields blank; a blank host IP makes the rule listen on every host interface, so enter `127.0.0.1` as the host IP instead if the guest should be reachable only from the host itself. 32 | Select "OK" in the port forwarding menu, then select 33 | "OK" on the settings menu. 34 | 35 | ![](images/2024-03-16-12-50-38.png) 36 | 37 | Start the image back up by clicking "Start" in the 38 | Windows 11 image tab. 39 | 40 | Then, on your host (if your host is a Windows machine, 41 | enable the `OpenSSH.CLIENT` capability on your host as 42 | shown above), run: 43 | 44 | ```sh 45 | ssh -p 2222 user@localhost 46 | ``` 47 | 48 | After entering the password at the prompt, you should 49 | be greeted with a command prompt: 50 | 51 | ```txt 52 | Microsoft Windows [Version 10.0.22631.2428] 53 | (c) Microsoft Corporation. All rights reserved. 
54 | 55 | user@DESKTOP-QNP1C9S C:\Users\user> 56 | ``` 57 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-55-02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-55-02.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-55-58.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-55-58.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-56-39.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-56-39.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-57-17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-57-17.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-57-48.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-57-48.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-58-06.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-58-06.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-59-33.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-11-59-33.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-01-17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-01-17.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-04-27.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-04-27.png 
-------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-04-40.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-04-40.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-09-20.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-09-20.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-10-29.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-10-29.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-11-56.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-11-56.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-13-14.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-13-14.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-14-15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-14-15.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-14-29.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-14-29.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-17-25.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-17-25.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-17-50.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-17-50.png -------------------------------------------------------------------------------- 
/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-18-07.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-18-07.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-18-57.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-18-57.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-19-09.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-19-09.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-19-23.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-19-23.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-26-28.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-26-28.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-26-46.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-26-46.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-27-02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-27-02.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-28-52.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-28-52.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-29-09.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-29-09.png -------------------------------------------------------------------------------- 
/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-29-30.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-29-30.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-29-53.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-29-53.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-30-18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-30-18.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-30-49.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-30-49.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-31-10.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-31-10.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-31-28.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-31-28.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-31-45.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-31-45.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-32-12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-32-12.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-36-59.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-36-59.png -------------------------------------------------------------------------------- 
/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-37-56.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-37-56.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-38-12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-38-12.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-45-13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-45-13.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-46-16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-46-16.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-46-28.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-46-28.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-46-44.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-46-44.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-47-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-47-01.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-50-38.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-12-50-38.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-13-16-20.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-16-13-16-20.png -------------------------------------------------------------------------------- 
/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-21-12-24-34.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-21-12-24-34.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-21-12-25-39.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/building-windows-image/images/2024-03-21-12-25-39.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/install-hevd-driver.md: -------------------------------------------------------------------------------- 1 | # Install HEVD Driver 2 | 3 | With the HEVD driver installed, we will create a 4 | service and set it to automatically run on system 5 | start. 6 | 7 | First, create the service: 8 | 9 | ```powershell 10 | sc.exe create HEVD type= kernel start= auto binPath= C:\Users\user\HackSysExtremeVulnerableDriver\Driver\build\HEVD\Windows\HEVD.sys 11 | ``` 12 | 13 | The service will automatically start on reboot. 
14 | 15 | Reboot the guest with: 16 | 17 | ```powershell 18 | shutdown /r /f /t 0 19 | ``` 20 | 21 | And reconnect via ssh: 22 | 23 | ```sh 24 | ssh -p 2222 user@localhost 25 | ``` 26 | 27 | We will then check that the service is started with: 28 | 29 | ```powershell 30 | sc.exe query HEVD 31 | ``` 32 | 33 | You should see: 34 | 35 | ```txt 36 | SERVICE_NAME: HEVD 37 | TYPE : 1 KERNEL_DRIVER 38 | STATE : 4 RUNNING 39 | (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) 40 | WIN32_EXIT_CODE : 0 (0x0) 41 | SERVICE_EXIT_CODE : 0 (0x0) 42 | CHECKPOINT : 0x0 43 | WAIT_HINT : 0x0 44 | ``` 45 | 46 | The driver is installed and set to start automatically. 47 | 48 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/install-simics-agent.md: -------------------------------------------------------------------------------- 1 | # Install the Simics Agent 2 | 3 | You should already have Simics installed on your machine. In the Simics base directory 4 | (e.g. `simics-6.0.185`), unzip `targets/common/images/simics_agent_binaries.zip`. 
5 | 6 | From the unzipped files, copy `simics_agent_x86_win64.exe` to the guest machine: 7 | 8 | ```sh 9 | scp -P 2222 simics_agent_x86_win64.exe "user@localhost:C:\\Users\\user\\" 10 | ``` 11 | 12 | Next, on the guest machine, set the agent to run at logon: 13 | 14 | ```powershell 15 | schtasks /create /sc onlogon /tn "Simics Agent" /tr "C:\Users\user\simics_agent_x86_win64.exe" 16 | ``` 17 | 18 | Now, set the `user` account to automatically log in at boot. These Winlogon values keep the password in the registry in plain text, so use them only on this throwaway fuzzing image: 19 | 20 | ```powershell 21 | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f 22 | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "user" /f 23 | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "password" /f 24 | ``` 25 | 26 | Restart the machine with: 27 | 28 | ```powershell 29 | shutdown /r /f /t 0 30 | ``` 31 | 32 | And reconnect with: 33 | 34 | ```sh 35 | ssh -p 2222 user@localhost 36 | ``` 37 | 38 | Ensure the agent is running: 39 | 40 | ```powershell 41 | ps | findstr simics 42 | ``` 43 | 44 | You should see output like: 45 | 46 | ```powershell 47 | 41 4 508 1408 0.02 4132 1 simics_agent_x86_win64 48 | ``` -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/install-the-code-signing-certificate.md: -------------------------------------------------------------------------------- 1 | # Install the Code Signing Certificate 2 | 3 | Windows does not permit loading drivers signed with 4 | untrusted certificates, so we need to both import our 5 | untrusted certificate and enable test signing. 
From the 6 | `HackSysExtremeVulnerableDriver\Driver` directory, run 7 | the following to enable test signing and reboot (which 8 | is required after enabling test signing): 9 | 10 | ```powershell 11 | certutil -importPFX HEVD\Windows\HEVD.pfx 12 | bcdedit -set TESTSIGNING on 13 | bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS 14 | shutdown /r /f /t 0 15 | ``` 16 | 17 | Once the Virtual Machine reboots, you can reconnect with `ssh -p 2222 user@localhost`. Test signing lets this guest load drivers signed by certificates Windows does not trust, so keep these boot settings confined to the test VM. 18 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/install-virtualbox.md: -------------------------------------------------------------------------------- 1 | # Install VirtualBox 2 | 3 | Install VirtualBox from [virtualbox.org](https://www.virtualbox.org/wiki/Downloads). 4 | VirtualBox supports Windows, Linux, and macOS. 5 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/install-windows.md: -------------------------------------------------------------------------------- 1 | # Install Windows 2 | 3 | Change the language options if desired, but note the tutorial 4 | will assume English. 5 | 6 | ![](images/2024-03-16-12-04-27.png) 7 | 8 | Select "Install Now". 9 | 10 | ![](images/2024-03-16-12-04-40.png) 11 | 12 | Accept the license terms and select "Next". 13 | 14 | ![](images/2024-03-16-12-09-20.png) 15 | 16 | Select "Custom: Install Windows only (advanced)". 17 | 18 | ![](images/2024-03-16-12-17-50.png) 19 | 20 | Select "New". 21 | 22 | ![](images/2024-03-16-12-18-07.png) 23 | 24 | Select "Apply". The default size is the full size of the virtual drive. 25 | 26 | ![](images/2024-03-16-12-18-57.png) 27 | 28 | Select "OK". 29 | 30 | ![](images/2024-03-16-12-19-09.png) 31 | 32 | Select "Next". 33 | 34 | ![](images/2024-03-16-12-19-23.png) 35 | 36 | Wait for the installation process to complete. The machine will reboot a couple times. 
37 | If prompted to press a key to boot from CD or DVD, do not press anything, because we do 38 | not want to do that. 39 | 40 | Select your region. 41 | 42 | ![](images/2024-03-16-12-26-28.png) 43 | 44 | Select your keyboard layout. 45 | 46 | ![](images/2024-03-16-12-26-46.png) 47 | 48 | Skip adding a second keyboard layout unless you need one. 49 | 50 | ![](images/2024-03-16-12-27-02.png) 51 | 52 | Select "Sign-in Options". 53 | 54 | ![](images/2024-03-16-12-28-52.png) 55 | 56 | Select "Domain join instead". 57 | 58 | ![](images/2024-03-16-12-29-09.png) 59 | 60 | Set a username. For this tutorial, we'll use `user`. Select "Next". 61 | 62 | ![](images/2024-03-16-12-29-53.png) 63 | 64 | Set a password. For this tutorial, we'll use `password`. Select "Next". 65 | 66 | ![](images/2024-03-16-12-30-18.png) 67 | 68 | Confirm your password. Select "Next". 69 | 70 | ![](images/2024-03-16-12-30-49.png) 71 | 72 | Our first dog's name was `password`. Select "Next". 73 | 74 | ![](images/2024-03-16-12-31-10.png) 75 | 76 | Surprisingly, we were also born in the city of `password`. Select "Next". 77 | 78 | ![](images/2024-03-16-12-31-28.png) 79 | 80 | This cannot possibly be a coincidence! Our childhood nickname was also `password`. 81 | Select "Next". 82 | 83 | ![](images/2024-03-16-12-31-45.png) 84 | 85 | Disable some of Microsoft's snooping by checking "No" for all options. Then select "Accept". 86 | 87 | ![](images/2024-03-16-12-32-12.png) 88 | 89 | Eventually, you'll be greeted with a clean desktop. 90 | 91 | ![](images/2024-03-16-12-36-59.png) 92 | 93 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/run-the-fuzz-harness.md: -------------------------------------------------------------------------------- 1 | # Run the Fuzz Harness 2 | 3 | Now we just run: 4 | 5 | ```powershell 6 | ./fuzzer.exe 7 | ``` 8 | 9 | And start testing the driver! 
The first thing we'll see is that it runs *really* quite 10 | fast, which is great. If we let the fuzzer run long enough, it'll eventually decide to 11 | generate an input that overflows the buffer, but it may take some time because we 12 | currently have no *feedback* from the driver we're testing -- only from the fuzzer 13 | program itself. This is "dumb fuzzing" at its finest, and we'll walk through the 14 | various options to improve the situation, starting with the easiest. -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/run-the-fuzzer.md: -------------------------------------------------------------------------------- 1 | # Run the Fuzzer 2 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/run-the-simulation.md: -------------------------------------------------------------------------------- 1 | # Run and Set Up the Simulation 2 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/building-windows-image/set-up-ssh.md: -------------------------------------------------------------------------------- 1 | # Set Up SSH 2 | 3 | Click the Windows button and type "powershell". Then 4 | right click "Windows PowerShell" and select "Run as 5 | administrator". 6 | 7 | ![](images/2024-03-16-12-37-56.png) 8 | 9 | At the User Account Control (UAC) prompt, select "Yes". 10 | 11 | ![](images/2024-03-16-12-38-12.png) 12 | 13 | We will install and enable OpenSSH server as described 14 | in the [Microsoft 15 | Documentation](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell). 
16 | In the PowerShell prompt, run: 17 | 18 | ```powershell 19 | Add-WindowsCapability -Online -name OpenSSH.CLIENT~~~~0.0.1.0 20 | ``` 21 | 22 | Next, in the PowerShell prompt, run: 23 | 24 | ```powershell 25 | Add-WindowsCapability -Online -name OpenSSH.Server~~~~0.0.1.0 26 | ``` 27 | 28 | Note that if this command fails with an error code, you 29 | may need to disconnect from any connected VPN/proxy on 30 | the host machine then restart the guest virtual 31 | machine, [or set up the proxy on the guest virtual 32 | machine](https://support.microsoft.com/en-us/windows/use-a-proxy-server-in-windows-03096c53-0554-4ffe-b6ab-8b1deee8dae1#ID0EFD=Windows_10). 33 | 34 | Then, run: 35 | 36 | ```powershell 37 | Start-Service sshd 38 | Set-Service -name sshd -StartupType 'Automatic' 39 | ``` 40 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/create-a-project.md: -------------------------------------------------------------------------------- 1 | # Create a Project 2 | 3 | Now that we have a disk image, we'll create a project 4 | for fuzzing our Windows machine. 5 | 6 | From the root of this repository: 7 | 8 | ```sh 9 | cd examples/tutorials/windows-kernel 10 | ispm projects . --create 1000-latest 2096-latest 8112-latest 1030-latest 31337-latest --ignore-existing-files 11 | ``` 12 | 13 | 14 | Make sure `windows-11.craff` is in the project 15 | directory. Then, create a script `run.simics`. Before 16 | we start fuzzing, we'll need to let Windows set itself 17 | up on the new simulated hardware. 18 | 19 | `run.simics` should look like this to initialize TSFFS and start the simulation. 
20 | 21 | ```simics 22 | $cpu_comp_class = "x86QSP2" 23 | $disk0_image = "%simics%/windows-11.craff" 24 | $use_vmp = FALSE 25 | $create_usb_tablet = TRUE 26 | $num_cores = 1 27 | $num_threads = 2 28 | 29 | run-command-file "%simics%/targets/qsp-x86/qsp-hdd-boot.simics" 30 | ``` 31 | 32 | -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/images/2024-03-21-16-50-53.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/images/2024-03-21-16-50-53.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/images/2024-03-21-17-38-46.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/images/2024-03-21-17-38-46.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/images/2024-04-01-09-10-48.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/images/2024-04-01-09-10-48.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/images/2024-04-01-09-11-19.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/images/2024-04-01-09-11-19.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/images/2024-04-01-09-19-09.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/images/2024-04-01-09-19-09.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/images/2024-04-12-12-25-13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/images/2024-04-12-12-25-13.png -------------------------------------------------------------------------------- /docs/src/tutorials/windows-kernel/images/2024-04-12-12-49-03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/docs/src/tutorials/windows-kernel/images/2024-04-12-12-49-03.png -------------------------------------------------------------------------------- /examples/.gitignore: -------------------------------------------------------------------------------- 1 | restricted/ -------------------------------------------------------------------------------- /examples/manual-example/README.md: -------------------------------------------------------------------------------- 1 | # Manual Example 2 | 3 | This example shows how to manually harness a binary in black-box mode 4 | (that is, without being able to compile in a harness). 5 | 6 | To run this example, from the *repo root* run: 7 | 8 | ```sh 9 | docker build -t tsffs-manual -f examples/manual-example/Dockerfile . 
10 | docker run -it tsffs-manual 11 | ``` 12 | 13 | Then in the container run: 14 | 15 | ```sh 16 | ./simics -no-gui --no-win --batch-mode fuzz.simics 17 | ``` -------------------------------------------------------------------------------- /examples/manual-example/build.ninja: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | rule cc 5 | command = clang -target x86_64-pc-win32-coff -fno-stack-protector -fshort-wchar $ 6 | -mno-red-zone $cflags -c $in -o $out 7 | 8 | rule link 9 | command = lld -flavor link $ldflags -filealign:16 -subsystem:efi_application -nodefaultlib -dll $ 10 | -entry:UefiMain $in -out:$out 11 | 12 | rule copy 13 | command = cp $in $out 14 | 15 | build test.o: cc test.c 16 | cflags = -O0 -g -gcodeview -gdwarf-5 -gembed-source -fstandalone-debug 17 | build test.efi: link test.o 18 | ldflags = -debug -debugtype:pdata 19 | -------------------------------------------------------------------------------- /examples/manual-example/fuzz.simics: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | # Read the start and stop addresses from the files containing them (see Dockerfile for 5 | # how they are generated) 6 | @simenv.start_addr = int(open("START_ADDRESS").read().strip(), 16) 7 | @simenv.stop_addr = int(open("STOP_ADDRESS").read().strip(), 16) 8 | 9 | # Configure the fuzzer 10 | load-module tsffs 11 | init-tsffs 12 | @tsffs.log_level = 4 13 | @tsffs.start_on_harness = False 14 | @tsffs.stop_on_harness = False 15 | @tsffs.timeout = 3.0 16 | @tsffs.exceptions += [14] 17 | @tsffs.set_generate_random_corpus = True 18 | @tsffs.token_executables += [SIM_lookup_file("%simics%/test.efi")] 19 | 20 | # load the target 21 | load-target "qsp-x86/uefi-shell" namespace = qsp machine:hardware:storage:disk0:image = 
"minimal_boot_disk.craff" 22 | 23 | # Set a breakpoint for start and stop events 24 | $start_bp = (bp.memory.break -x $start_addr) 25 | $stop_bp = (bp.memory.break -x $stop_addr) 26 | 27 | # Continuously wait for the start bp to occur after reset, and call the start method 28 | script-branch { 29 | while 1 { 30 | bp.wait-for-breakpoint id = $start_bp 31 | echo "Got start BP" 32 | local $rdi = (qsp.mb.cpu0.core[0][0].read-reg reg-name = "rdi") 33 | echo ("Starting with buffer " + $rdi) 34 | @tsffs.iface.fuzz.start_with_maximum_size(conf.qsp.mb.cpu0.core[0][0], simenv.rdi, 8) 35 | } 36 | } 37 | 38 | # Continuously wait for the stop bp to occur after reset, and call the start method 39 | script-branch { 40 | while 1 { 41 | bp.wait-for-breakpoint id = $stop_bp 42 | echo "Got stop BP" 43 | @tsffs.iface.fuzz.stop() 44 | } 45 | } 46 | 47 | # Enter the EFI shell and run the EFI application 48 | script-branch { 49 | bp.console_string.wait-for qsp.serconsole.con "Shell>" 50 | qsp.serconsole.con.input "FS0:\n" 51 | bp.time.wait-for seconds = 1.0 52 | local $manager = (start-agent-manager) 53 | qsp.serconsole.con.input ("SimicsAgent.efi --download " + (lookup-file "%simics%/test.efi") + "\n") 54 | bp.time.wait-for seconds = 1.0 55 | # Set an execute breakpoint on the address we found by disassembling 56 | # the EFI binary (see the dockerfile for the rizin command used) 57 | qsp.serconsole.con.input "test.efi\n" 58 | } 59 | 60 | run -------------------------------------------------------------------------------- /examples/manual-example/minimal_boot_disk.craff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/examples/manual-example/minimal_boot_disk.craff -------------------------------------------------------------------------------- /examples/rsrc/minimal_boot_disk.craff: -------------------------------------------------------------------------------- 
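https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/examples/rsrc/minimal_boot_disk.craff -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/.gitignore: -------------------------------------------------------------------------------- 1 | workspace 2 | tsffs*.h -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/Dockerfile-custom: -------------------------------------------------------------------------------- 1 | FROM ghcr.io/tianocore/containers/fedora-37-build:a0dd931 2 | # NOTE(review): this base image is pinned by tag only; appending @sha256:<digest> would fix the exact image the build starts from. 3 | SHELL ["/bin/bash", "-o", "pipefail", "-c"] 4 | 5 | 6 | ENV EDK_TOOLS_PATH=/workspace/edk2/BaseTools/ 7 | ENV PACKAGES_PATH="/workspace/edk2:/workspace/edk2-platforms:/workspace/edk2-non-osi" 8 | ENV WORKSPACE=/workspace/ 9 | 10 | WORKDIR /workspace 11 | 12 | COPY workspace/edk2 /workspace/edk2/ 13 | 14 | RUN source edk2/edksetup.sh && \ 15 | make -C edk2/BaseTools/ 16 | 17 | COPY workspace/edk2-platforms /workspace/edk2-platforms 18 | COPY workspace/edk2-non-osi /workspace/edk2-non-osi 19 | COPY workspace/FSP /workspace/FSP 20 | 21 | WORKDIR /workspace/edk2-platforms/Platform/Intel 22 | 23 | # Build SimicsOpenBoardPkg 24 | RUN source /workspace/edk2/edksetup.sh && \ 25 | python build_bios.py -p BoardX58Ich10X64 -d -t GCC 26 | -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/build-custom.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | set -euo pipefail # a failed clone, checkout or docker step must stop the build instead of continuing with whatever tree is present 6 | SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 7 | IMAGE_NAME="edk2-simics" 8 | DOCKERFILE="${SCRIPT_DIR}/Dockerfile-custom" 9 | CONTAINER_UID=$(echo "${RANDOM}" | sha256sum | head -c 8) 10 |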
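CONTAINER_NAME="${IMAGE_NAME}-tmp-${CONTAINER_UID}" 11 | EDK2_HASH="eccdab6" 12 | EDK2_PLATFORMS_HASH="f446fff" 13 | EDK2_NON_OSI_HASH="1f4d784" 14 | INTEL_FSP_HASH="8beacd5" 15 | # NOTE(review): these are abbreviated commit ids; pinning the full 40-character hashes would keep each checkout unambiguous. 16 | if [ ! -d "${SCRIPT_DIR}/workspace" ]; then 17 | mkdir -p "${SCRIPT_DIR}/workspace" 18 | git clone https://github.com/tianocore/edk2.git "${SCRIPT_DIR}/workspace/edk2" 19 | git -C "${SCRIPT_DIR}/workspace/edk2" checkout "${EDK2_HASH}" 20 | git -C "${SCRIPT_DIR}/workspace/edk2" submodule update --init 21 | git clone https://github.com/tianocore/edk2-platforms.git "${SCRIPT_DIR}/workspace/edk2-platforms" 22 | git -C "${SCRIPT_DIR}/workspace/edk2-platforms" checkout "${EDK2_PLATFORMS_HASH}" 23 | git -C "${SCRIPT_DIR}/workspace/edk2-platforms" submodule update --init 24 | cp "${SCRIPT_DIR}/../../../harness/tsffs.h" "${SCRIPT_DIR}/workspace/edk2-platforms/Platform/Intel/SimicsOpenBoardPkg/Library/DxeLogoLib/tsffs.h" 25 | git clone https://github.com/tianocore/edk2-non-osi.git "${SCRIPT_DIR}/workspace/edk2-non-osi" 26 | git -C "${SCRIPT_DIR}/workspace/edk2-non-osi" checkout "${EDK2_NON_OSI_HASH}" 27 | git -C "${SCRIPT_DIR}/workspace/edk2-non-osi" submodule update --init 28 | git clone https://github.com/IntelFsp/FSP.git "${SCRIPT_DIR}/workspace/FSP" 29 | git -C "${SCRIPT_DIR}/workspace/FSP" checkout "${INTEL_FSP_HASH}" 30 | git -C "${SCRIPT_DIR}/workspace/FSP" submodule update --init 31 | fi 32 | 33 | docker build -t "${IMAGE_NAME}" -f "${DOCKERFILE}" "${SCRIPT_DIR}" 34 | docker create --name "${CONTAINER_NAME}" "${IMAGE_NAME}" bash 35 | docker cp "${CONTAINER_NAME}:/workspace/Build/SimicsOpenBoardPkg/BoardX58Ich10/DEBUG_GCC/FV/" "${SCRIPT_DIR}/BoardX58Ich10_CUSTOM" 36 | docker rm -f "${CONTAINER_NAME}" 37 | mkdir -p "${SCRIPT_DIR}/project/targets/qsp-x86/images/" 38 | cp "${SCRIPT_DIR}/BoardX58Ich10_CUSTOM/BOARDX58ICH10.fd" "${SCRIPT_DIR}/project/targets/qsp-x86/images/BOARDX58ICH10_CUSTOM.fd" 39 | cp "${SCRIPT_DIR}/../../rsrc/minimal_boot_disk.craff"
"${SCRIPT_DIR}/project/minimal_boot_disk.craff" 40 | -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | set -euo pipefail # stop before the rm -rf below when an earlier step (cd, docker build, docker create) has failed 6 | SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 7 | IMAGE_NAME="edk2-simics-platform" 8 | DOCKERFILE="${SCRIPT_DIR}/Dockerfile" 9 | CONTAINER_UID=$(echo "${RANDOM}" | sha256sum | head -c 8) 10 | CONTAINER_NAME="${IMAGE_NAME}-tmp-${CONTAINER_UID}" 11 | 12 | cp "${SCRIPT_DIR}/../../../harness/tsffs.h" "${SCRIPT_DIR}/tsffs.h" 13 | mkdir -p "${SCRIPT_DIR}/project/" 14 | docker build -t "${IMAGE_NAME}" -f "${DOCKERFILE}" --build-arg "PROJECT=${SCRIPT_DIR}/project/workspace/" "${SCRIPT_DIR}" 15 | docker create --name "${CONTAINER_NAME}" "${IMAGE_NAME}" bash 16 | rm -rf -- "${SCRIPT_DIR:?}/project/workspace/" 17 | docker cp "${CONTAINER_NAME}:${SCRIPT_DIR}/project/workspace/" "${SCRIPT_DIR}/project/workspace/" 18 | docker rm -f "${CONTAINER_NAME}" -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/project/.gitignore: -------------------------------------------------------------------------------- 1 | corpus 2 | modules 3 | solutions -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/project/fuzz.simics: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | load-module tsffs 5 | init-tsffs 6 | tsffs.log-level 4 7 | @tsffs.start_on_harness = True 8 | @tsffs.stop_on_harness = True 9 | @tsffs.timeout = 3.0 10 | @tsffs.exceptions = [13, 14] 11 | 12 | load-module uefi-fw-tracker 13 | 14 | load-target "qsp-x86/qsp-uefi-custom"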
namespace = qsp machine:hardware:firmware:bios = "%simics%/workspace/Build/SimicsOpenBoardPkg/BoardX58Ich10/DEBUG_GCC/FV/BOARDX58ICH10.fd" 15 | 16 | new-os-awareness name = qsp.software 17 | qsp.software.insert-tracker tracker = uefi_fw_tracker_comp 18 | qsp.software.tracker.detect-parameters -overwrite param-file = "%simics%/uefi.params" map-file = "%simics%/workspace/Build/SimicsOpenBoardPkg/BoardX58Ich10/DEBUG_GCC/SimicsX58.map" 19 | qsp.software.tracker.load-parameters "%simics%/uefi.params" 20 | qsp.software.enable-tracker 21 | 22 | script-branch { 23 | while 1 { 24 | bp.source_location.wait-for DebugAssert -x -error-not-planted 25 | echo "Got breakpoint" 26 | @tsffs.iface.fuzz.solution(1, "DebugAssert") 27 | } 28 | } 29 | 30 | run 31 | -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/project/fuzz2.simics: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | load-module tsffs 5 | init-tsffs 6 | tsffs.log-level 4 7 | @tsffs.start_on_harness = True 8 | @tsffs.stop_on_harness = True 9 | @tsffs.timeout = 3.0 10 | @tsffs.exceptions = [13, 14] 11 | 12 | load-module uefi-fw-tracker 13 | 14 | load-target "qsp-x86/qsp-uefi-custom" namespace = qsp machine:hardware:firmware:bios = "%simics%/workspace/Build/SimicsOpenBoardPkg/BoardX58Ich10/DEBUG_GCC/FV/BOARDX58ICH10.fd" 15 | 16 | new-os-awareness name = qsp.software 17 | qsp.software.insert-tracker tracker = uefi_fw_tracker_comp 18 | qsp.software.tracker.detect-parameters -overwrite param-file = "%simics%/uefi.params" map-file = "%simics%/workspace/Build/SimicsOpenBoardPkg/BoardX58Ich10/DEBUG_GCC/SimicsX58.map" 19 | qsp.software.tracker.load-parameters "%simics%/uefi.params" 20 | qsp.software.enable-tracker 21 | @tcf = SIM_get_debugger() 22 | @debug_context = tcf.iface.debug_query.matching_contexts('"UEFI Firmware"/*')[1][0] 23 | 
@simenv.debug_assert_address = next(filter(lambda s: s.get("symbol") == "DebugAssert", tcf.iface.debug_symbol.list_functions(debug_context)[1])).get("address") 24 | $ctx = (new-context) 25 | qsp.mb.cpu0.core[0][0].set-context $ctx 26 | $debug_assert_bp = ($ctx.break -x $debug_assert_address) 27 | @tsffs.breakpoints = [simenv.debug_assert_bp] 28 | 29 | run 30 | -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/project/run-alderlake.simics: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | load-target "qsp-x86/qsp-uefi-custom-alderlake" namespace = qsp machine:hardware:firmware:bios = "%simics%/targets/qsp-x86/images/ALDERLAKEPRVP.fd" machine:hardware:storage:disk0:image = "minimal_boot_disk.craff" machine:hardware:processor:class = "x86-alderlake" 5 | 6 | 7 | 8 | run 9 | -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/project/run-custom.simics: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | # Load the TSFFS module (to make sure we can load it) 5 | load-module tsffs 6 | init-tsffs 7 | tsffs.log-level 4 8 | @tsffs.start_on_harness = True 9 | @tsffs.stop_on_harness = True 10 | @tsffs.timeout = 3.0 11 | @tsffs.exceptions = [13, 14] 12 | 13 | load-target "qsp-x86/qsp-uefi-custom" namespace = qsp machine:hardware:firmware:bios = "%simics%/targets/qsp-x86/images/BOARDX58ICH10_CUSTOM.fd" 14 | 15 | run 16 | -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/project/run.simics: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # 
SPDX-License-Identifier: Apache-2.0 3 | 4 | load-target "qsp-x86/qsp-uefi-custom" namespace = qsp machine:hardware:firmware:bios = "%simics%/workspace/Build/SimicsOpenBoardPkg/BoardX58Ich10/DEBUG_GCC/FV/BOARDX58ICH10.fd" 5 | 6 | script-branch { 7 | local $con = qsp.serconsole.con 8 | bp.console_string.wait-for $con "Shell>" 9 | bp.time.wait-for seconds = .5 10 | qsp.serconsole.con.input "help\n" 11 | bp.time.wait-for seconds = .5 12 | } 13 | 14 | run 15 | -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/project/targets/qsp-x86/qsp-uefi-custom.target.yml: -------------------------------------------------------------------------------- 1 | %YAML 1.2 2 | --- 3 | description: QSP booting to EFI shell, defaults to empty disks 4 | params: 5 | machine: 6 | system_info: 7 | type: str 8 | description: A short string describing what this system is. 9 | default: "QSP x86 - UEFI Shell" 10 | hardware: 11 | import: "%simics%/targets/qsp-x86/hardware.yml" 12 | defaults: 13 | name: qsp 14 | rtc: 15 | time: auto 16 | usb_tablet: 17 | create: true 18 | firmware: 19 | bios: ^machine:software:firmware:bios 20 | lan_bios: 21 | spi_flash: ^machine:software:firmware:spi_flash 22 | uefi_device: 23 | advanced: 2 24 | name: 25 | type: str 26 | default: simics_uefi 27 | description: | 28 | Name of a simics-uefi device added under the top component. 29 | video_mode: 30 | type: int 31 | default: 5 32 | description: | 33 | Bochs GFX Mode to be set by UEFI BIOS during boot before OS handover. 34 | software: 35 | firmware: 36 | description: Firmware images 37 | advanced: 2 38 | bios: 39 | type: file 40 | description: BIOS file. 
41 | default: "%simics%/workspace/Build/SimicsOpenBoardPkg/BoardX58Ich10/DEBUG_GCC/FV/BOARDX58ICH10.fd" 42 | lan_bios: 43 | type: file 44 | required: false 45 | description: ROM BIOS file for the ICH10 LAN Ethernet adaptor 46 | spi_flash: 47 | type: file 48 | default: "%simics%/targets/qsp-x86/images/spi-flash.bin" 49 | description: The ICH10 SPI flash file to use. 50 | script_delay: 51 | type: int 52 | default: 1 53 | description: Script delay multiplier during UEFI boot 54 | 55 | network: 56 | switch: 57 | import: "%simics%/targets/common/ethernet-setup.yml" 58 | service_node: 59 | import: "%simics%/targets/common/sn-setup.yml" 60 | defaults: 61 | ethernet_switch: ^network:switch:ethernet_switch:name 62 | 63 | output: 64 | system: 65 | type: str 66 | output: yes 67 | default: ^machine:hardware:output:system 68 | script: "%script%/qsp-uefi-custom.target.yml.include" 69 | ... 70 | -------------------------------------------------------------------------------- /examples/tutorials/edk2-simics-platform/project/targets/qsp-x86/qsp-uefi-custom.target.yml.include: -------------------------------------------------------------------------------- 1 | run-script "%simics%/targets/qsp-x86/hardware.yml" namespace = machine:hardware 2 | 3 | 4 | local $system = (params.get machine:hardware:output:system) 5 | 6 | 7 | instantiate-components $system 8 | 9 | # Add Simics UEFI meta-data device 10 | if (params.get machine:uefi_device:name) { 11 | @name = f"{simenv.system}.{params['machine:uefi_device:name']}" 12 | @dev = SIM_create_object("simics-uefi", name, []) 13 | @getattr(conf, simenv.system).mb.nb.pci_bus.devices.append([0, 7, dev]) 14 | @dev.video_mode = params['machine:uefi_device:video_mode'] 15 | } 16 | 17 | ## Name system 18 | $system->system_info = (params.get machine:system_info) 19 | 20 | ## Set a time quantum that provides reasonable performance 21 | set-time-quantum cell = $system.cell seconds = 0.0001 22 | 23 | ## Set up Ethernet 24 | run-script 
"%simics%/targets/common/ethernet-setup.yml" namespace = network:switch 25 | if (params.get network:switch:create_network) { 26 | local $ethernet_switch = (params.get network:switch:ethernet_switch:name) 27 | connect ($ethernet_switch.get-free-connector) (params.get machine:hardware:output:eth_slot) 28 | instantiate-components (params.get network:switch:ethernet_switch:name) 29 | } 30 | run-script "%simics%/targets/common/sn-setup.yml" namespace = network:service_node 31 | 32 | local $system = (params.get machine:hardware:output:system) 33 | 34 | local $system = (params.get machine:hardware:output:system) 35 | 36 | script-branch { 37 | local $con = $system.serconsole.con 38 | # NOTE: We have to modify this from the included target because 39 | # the custom BIOS doesn't print the original message until the menu appears 40 | bp.console_string.wait-for $con "End Load Options Dumping" 41 | bp.time.wait-for seconds = 5.0 42 | echo "Got load options dump" 43 | echo "Opening EFI shell" 44 | $con.input -e Esc 45 | bp.time.wait-for seconds = 5.0 46 | 47 | $con.input -e Down 48 | $con.input -e Down 49 | $con.input -e Enter 50 | bp.time.wait-for seconds = 5.0 51 | 52 | foreach $i in (range 6) { 53 | $con.input -e Down 54 | } 55 | 56 | $con.input -e Enter 57 | $con.input -e Enter 58 | } 59 | -------------------------------------------------------------------------------- /examples/tutorials/edk2-uefi/.gitignore: -------------------------------------------------------------------------------- 1 | project/* 2 | !project/run.simics -------------------------------------------------------------------------------- /examples/tutorials/edk2-uefi/Dockerfile: -------------------------------------------------------------------------------- 1 | # hadolint global ignore=DL3008 2 | FROM ghcr.io/tianocore/containers/ubuntu-22-build:a0dd931@sha256:bcda96cb0b9a39a881122ab7d3be86e6151f4c66968421827384c97850c790a5 3 | ENV DEBIAN_FRONTEND=noninteractive 4 | 5 | SHELL ["/bin/bash", "-o", 
"pipefail", "-c"] 6 | 7 | ENV EDK2_REPO_URL "https://github.com/tianocore/edk2.git" 8 | ENV EDK2_REPO_HASH "d189de3b0a2f44f4c9b87ed120be16569ea19b51" 9 | ENV EDK2_PATH "/edk2" 10 | 11 | 12 | RUN git clone "${EDK2_REPO_URL}" "${EDK2_PATH}" && \ 13 | git -C "${EDK2_PATH}" checkout "${EDK2_REPO_HASH}" && \ 14 | python3 -m pip install --no-cache-dir -r "${EDK2_PATH}/pip-requirements.txt" && \ 15 | stuart_setup -c "${EDK2_PATH}/.pytool/CISettings.py" TOOL_CHAIN_TAG=GCC&& \ 16 | stuart_update -c "${EDK2_PATH}/.pytool/CISettings.py" TOOL_CHAIN_TAG=GCC 17 | 18 | COPY src "${EDK2_PATH}/Tutorial/" 19 | 20 | RUN stuart_setup -c "${EDK2_PATH}/Tutorial/PlatformBuild.py" TOOL_CHAIN_TAG=GCC && \ 21 | stuart_update -c "${EDK2_PATH}/Tutorial/PlatformBuild.py" TOOL_CHAIN_TAG=GCC && \ 22 | python3 "${EDK2_PATH}/BaseTools/Edk2ToolsBuild.py" -t GCC 23 | 24 | WORKDIR "${EDK2_PATH}" 25 | 26 | RUN source ${EDK2_PATH}/edksetup.sh && \ 27 | ( stuart_build -c ${EDK2_PATH}/Tutorial/PlatformBuild.py TOOL_CHAIN_TAG=GCC \ 28 | EDK_TOOLS_PATH=${EDK2_PATH}/BaseTools/ \ 29 | || ( cat ${EDK2_PATH}/Tutorial/Build/BUILDLOG.txt && exit 1 ) ) 30 | -------------------------------------------------------------------------------- /examples/tutorials/edk2-uefi/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | 7 | SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 8 | IMAGE_NAME="tsffs-tutorial-edk2-uefi" 9 | CONTAINER_UID=$(echo "${RANDOM}" | sha256sum | head -c 8) 10 | CONTAINER_NAME="${IMAGE_NAME}-tmp-${CONTAINER_UID}" 11 | 12 | mkdir -p "${SCRIPT_DIR}/project/" 13 | docker build -t "${IMAGE_NAME}" -f "Dockerfile" "${SCRIPT_DIR}" 14 | docker create --name "${CONTAINER_NAME}" "${IMAGE_NAME}" 15 | docker cp \ 16 | "${CONTAINER_NAME}:/edk2/Tutorial/Build/CryptoPkg/All/DEBUG_GCC/X64/Tutorial/Tutorial/DEBUG/Tutorial.efi" \ 17 | 
"${SCRIPT_DIR}/project/Tutorial.efi" 18 | docker cp \ 19 | "${CONTAINER_NAME}:/edk2/Tutorial/Build/CryptoPkg/All/DEBUG_GCC/X64/Tutorial/Tutorial/DEBUG/Tutorial.map" \ 20 | "${SCRIPT_DIR}/project/Tutorial.map" 21 | docker cp \ 22 | "${CONTAINER_NAME}:/edk2/Tutorial/Build/CryptoPkg/All/DEBUG_GCC/X64/Tutorial/Tutorial/DEBUG/Tutorial.debug" \ 23 | "${SCRIPT_DIR}/project/Tutorial.debug" 24 | docker rm -f "${CONTAINER_NAME}" -------------------------------------------------------------------------------- /examples/tutorials/edk2-uefi/project/campaign.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | SESSION_NAME="my-tsffs-campaign" 4 | 5 | # Create a new tmux session or attach to an existing one 6 | tmux new-session -d -s "$SESSION_NAME" 7 | 8 | # Loop to create 8 windows and run the command in each window 9 | for i in {0..7}; do 10 | # Create a new window 11 | tmux new-window -t "$SESSION_NAME:$i" -n "${SESSION_NAME}-window-$i" 12 | 13 | # Run the command in the new window 14 | tmux send-keys -t "$SESSION_NAME:$i" "./simics -no-gui --no-win --batch-mode run.simics" C-m 15 | done 16 | 17 | # Attach to the tmux session 18 | tmux attach-session -t "$SESSION_NAME" 19 | -------------------------------------------------------------------------------- /examples/tutorials/edk2-uefi/project/run.simics: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | # Load the TSFFS module (to make sure we can load it) 5 | 6 | load-module tsffs 7 | init-tsffs 8 | tsffs.log-level 2 9 | @tsffs.start_on_harness = True 10 | @tsffs.stop_on_harness = True 11 | @tsffs.timeout = 3.0 12 | @tsffs.exceptions = [13, 14] 13 | 14 | load-target "qsp-x86/uefi-shell" namespace = qsp machine:hardware:storage:disk0:image = "minimal_boot_disk.craff" 15 | 16 | script-branch { 17 | bp.time.wait-for seconds = 15 18 | 
qsp.serconsole.con.input "\n" 19 | bp.time.wait-for seconds = .5 20 | qsp.serconsole.con.input "FS0:\n" 21 | bp.time.wait-for seconds = .5 22 | local $manager = (start-agent-manager) 23 | qsp.serconsole.con.input ("SimicsAgent.efi --download " + (lookup-file "%simics%/Tutorial.efi") + "\n") 24 | bp.time.wait-for seconds = .5 25 | qsp.serconsole.con.input "Tutorial.efi\n" 26 | } 27 | 28 | run -------------------------------------------------------------------------------- /examples/tutorials/edk2-uefi/src/Tutorial.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include "tsffs.h" 12 | 13 | void hexdump(UINT8 *buf, UINTN size) { 14 | for (UINTN i = 0; i < size; i++) { 15 | if (i != 0 && i % 26 == 0) { 16 | Print(L"\n"); 17 | } else if (i != 0 && i % 2 == 0) { 18 | Print(L" "); 19 | } 20 | Print(L"%02x", buf[i]); 21 | } 22 | Print(L"\n"); 23 | } 24 | 25 | EFI_STATUS 26 | EFIAPI 27 | UefiMain(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable) { 28 | UINTN MaxInputSize = 0x1000; 29 | UINTN InputSize = MaxInputSize; 30 | UINT8 *Input = (UINT8 *)AllocatePages(EFI_SIZE_TO_PAGES(MaxInputSize)); 31 | 32 | if (!Input) { 33 | return EFI_OUT_OF_RESOURCES; 34 | } 35 | 36 | HARNESS_START(Input, &InputSize); 37 | 38 | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 39 | Print(L"Input: %p Size: %d\n", Input, InputSize); 40 | #endif 41 | UINT8 *Cert = Input; 42 | UINTN CertSize = InputSize / 2; 43 | UINT8 *CACert = (Input + CertSize); 44 | UINTN CACertSize = CertSize; 45 | 46 | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 47 | Print(L"Certificate:\n"); 48 | hexdump(Cert, CertSize); 49 | Print(L"CA Certificate:\n"); 50 | hexdump(CACert, CACertSize); 51 | #endif 52 | 53 | BOOLEAN Status = X509VerifyCert(Cert, CertSize, CACert, CACertSize); 54 | 55 | if 
(Status) { 56 | HARNESS_ASSERT(); 57 | } else { 58 | HARNESS_STOP(); 59 | } 60 | 61 | if (Input) { 62 | FreePages(Input, EFI_SIZE_TO_PAGES(MaxInputSize)); 63 | } 64 | 65 | return EFI_SUCCESS; 66 | } -------------------------------------------------------------------------------- /examples/tutorials/edk2-uefi/src/Tutorial.dsc: -------------------------------------------------------------------------------- 1 | [Defines] 2 | PLATFORM_NAME = Tutorial 3 | PLATFORM_GUID = 0458dade-8b6e-4e45-b773-1b27cbda3e06 4 | PLATFORM_VERSION = 0.01 5 | DSC_SPECIFICATION = 0x00010006 6 | OUTPUT_DIRECTORY = Build/Tutorial 7 | SUPPORTED_ARCHITECTURES = X64 8 | BUILD_TARGETS = DEBUG|RELEASE|NOOPT 9 | SKUID_IDENTIFIER = DEFAULT 10 | 11 | !include MdePkg/MdeLibs.dsc.inc 12 | !include CryptoPkg/CryptoPkg.dsc 13 | 14 | [LibraryClasses] 15 | BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf 16 | BaseLib|MdePkg/Library/BaseLib/BaseLib.inf 17 | BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf 18 | DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf 19 | HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf 20 | IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf 21 | IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf 22 | MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf 23 | OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf 24 | PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 25 | PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf 26 | SynchronizationLib|MdePkg/Library/BaseSynchronizationLib/BaseSynchronizationLib.inf 27 | UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf 28 | UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf 29 | UefiLib|MdePkg/Library/UefiLib/UefiLib.inf 30 | UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf 31 | 
TimerLib|UefiCpuPkg/Library/CpuTimerLib/BaseCpuTimerLib.inf 32 | 33 | [Components] 34 | Tutorial/Tutorial.inf -------------------------------------------------------------------------------- /examples/tutorials/edk2-uefi/src/Tutorial.inf: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | [Defines] 5 | INF_VERSION = 0x00010005 6 | BASE_NAME = Tutorial 7 | FILE_GUID = 6987936E-ED34-44db-AE97-1FA5E4ED2116 8 | MODULE_TYPE = UEFI_APPLICATION 9 | VERSION_STRING = 1.0 10 | ENTRY_POINT = UefiMain 11 | UEFI_HII_RESOURCE_SECTION = TRUE 12 | 13 | [Sources] 14 | Tutorial.c 15 | 16 | [Packages] 17 | CryptoPkg/CryptoPkg.dec 18 | MdeModulePkg/MdeModulePkg.dec 19 | MdePkg/MdePkg.dec 20 | 21 | [LibraryClasses] 22 | BaseCryptLib 23 | SynchronizationLib 24 | UefiApplicationEntryPoint 25 | UefiLib -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/.gitignore: -------------------------------------------------------------------------------- 1 | project/* 2 | !project/run.simics -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/Dockerfile: -------------------------------------------------------------------------------- 1 | # hadolint global ignore=DL3008 2 | FROM ubuntu:24.04@sha256:1e622c5f073b4f6bfad6632f2616c7f59ef256e96fe78bf6a595d1dc4376ac02 AS buildroot 3 | 4 | SHELL ["/bin/bash", "-o", "pipefail", "-c"] 5 | 6 | ENV DEBIAN_FRONTEND=noninteractive 7 | ENV FORCE_UNSAFE_CONFIGURE=1 8 | # NOTE(review): the base image above is pinned by digest, but the buildroot clone below names no tag or commit, so each build takes whatever the default branch holds at that moment; pin a release tag or commit to keep the kernel, rootfs and cross-toolchain reproducible and reviewable. 9 | RUN apt-get -y update && \ 10 | apt-get -y install \ 11 | bash bc build-essential cpio file git gcc g++ rsync unzip wget && \ 12 | git clone \ 13 | https://github.com/buildroot/buildroot.git 14 | 15 | WORKDIR /buildroot 16 | 17 | COPY src /src/ 18 | 19 | RUN mkdir -p /output/ && \ 20 | cp /src/simics_simple_riscv_defconfig 
configs/simics_simple_riscv_defconfig && \ 21 | make BR2_EXTERNAL=/src/tutorial-kernel-modules/ simics_simple_riscv_defconfig && \ 22 | make BR2_EXTERNAL=/src/tutorial-kernel-modules/ 23 | 24 | RUN cp output/build/tutorial-mod-1.0/tutorial-mod.ko \ 25 | output/images/Image \ 26 | output/images/fw_jump.elf \ 27 | output/images/rootfs.ext2 \ 28 | /output && \ 29 | output/host/bin/riscv64-buildroot-linux-gnu-gcc \ 30 | -o /output/tutorial-mod-driver /src/tutorial-mod-driver.c 31 | -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 7 | IMAGE_NAME="tsffs-tutorial-riscv64-kernel-module" 8 | CONTAINER_UID=$(echo "${RANDOM}" | sha256sum | head -c 8) 9 | CONTAINER_NAME="${IMAGE_NAME}-tmp-${CONTAINER_UID}" 10 | 11 | mkdir -p "${SCRIPT_DIR}/project/targets/risc-v-simple/images/linux/" 12 | docker build -t "${IMAGE_NAME}" -f "${SCRIPT_DIR}/Dockerfile" "${SCRIPT_DIR}" 13 | docker create --name "${CONTAINER_NAME}" "${IMAGE_NAME}" 14 | docker cp \ 15 | "${CONTAINER_NAME}:/output/Image"\ 16 | "${SCRIPT_DIR}/project/targets/risc-v-simple/images/linux/" 17 | docker cp \ 18 | "${CONTAINER_NAME}:/output/fw_jump.elf"\ 19 | "${SCRIPT_DIR}/project/targets/risc-v-simple/images/linux/" 20 | docker cp \ 21 | "${CONTAINER_NAME}:/output/rootfs.ext2"\ 22 | "${SCRIPT_DIR}/project/targets/risc-v-simple/images/linux/" 23 | docker cp \ 24 | "${CONTAINER_NAME}:/output/tutorial-mod.ko"\ 25 | "${SCRIPT_DIR}/project/" 26 | docker cp \ 27 | "${CONTAINER_NAME}:/output/tutorial-mod-driver"\ 28 | "${SCRIPT_DIR}/project/" 29 | docker rm -f "${CONTAINER_NAME}" 30 | 31 | dd if=/dev/zero "of=${SCRIPT_DIR}/project/test.fs" bs=1024 count=131072 32 | mkfs.fat 
"${SCRIPT_DIR}/project/test.fs" 33 | mcopy -i "${SCRIPT_DIR}/project/test.fs" "${SCRIPT_DIR}/project/tutorial-mod-driver" ::tutorial-mod-driver 34 | mcopy -i "${SCRIPT_DIR}/project/test.fs" "${SCRIPT_DIR}/project/tutorial-mod.ko" ::tutorial-mod.ko -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/project/run.simics: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | load-module tsffs 5 | init-tsffs 6 | 7 | tsffs.log-level 4 8 | @tsffs.start_on_harness = True 9 | @tsffs.stop_on_harness = True 10 | @tsffs.timeout = 3.0 11 | @tsffs.exceptions = [14] 12 | 13 | load-target "risc-v-simple/linux" namespace = riscv machine:hardware:storage:disk1:image = "test.fs.craff" 14 | 15 | script-branch { 16 | bp.time.wait-for seconds = 15 17 | board.console.con.input "mkdir /mnt/disk0\r\n" 18 | bp.time.wait-for seconds = 1.0 19 | board.console.con.input "mount /dev/vdb /mnt/disk0\r\n" 20 | bp.time.wait-for seconds = 1.0 21 | board.console.con.input "insmod /mnt/disk0/tutorial-mod.ko\r\n" 22 | bp.time.wait-for seconds = 1.0 23 | board.console.con.input "/mnt/disk0/tutorial-mod-driver\r\n" 24 | } 25 | 26 | run 27 | -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/src/tutorial-kernel-modules/Config.in: -------------------------------------------------------------------------------- 1 | source "$BR2_EXTERNAL_TUTORIAL_KERNEL_MODULES_PATH/package/kernel-modules/Config.in" -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/src/tutorial-kernel-modules/external.desc: -------------------------------------------------------------------------------- 1 | name: TUTORIAL_KERNEL_MODULES -------------------------------------------------------------------------------- 
/examples/tutorials/risc-v-kernel/src/tutorial-kernel-modules/external.mk: -------------------------------------------------------------------------------- 1 | include $(sort $(wildcard $(BR2_EXTERNAL_TUTORIAL_KERNEL_MODULES_PATH)/package/*/*.mk)) -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/src/tutorial-kernel-modules/package/kernel-modules/Config.in: -------------------------------------------------------------------------------- 1 | menu "Kernel Modules" 2 | source "$BR2_EXTERNAL_TUTORIAL_KERNEL_MODULES_PATH/package/kernel-modules/tutorial-mod/Config.in" 3 | endmenu 4 | -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/src/tutorial-kernel-modules/package/kernel-modules/kernel-modules.mk: -------------------------------------------------------------------------------- 1 | include $(sort $(wildcard $(BR2_EXTERNAL_TUTORIAL_KERNEL_MODULES_PATH)/package/*/*/*.mk)) -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/src/tutorial-kernel-modules/package/kernel-modules/tutorial-mod/Config.in: -------------------------------------------------------------------------------- 1 | config BR2_PACKAGE_TUTORIAL_MOD 2 | bool "tutorial-mod" 3 | depends on BR2_LINUX_KERNEL 4 | help 5 | Tutorial kernel module for TSFFS fuzzing -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/src/tutorial-kernel-modules/package/kernel-modules/tutorial-mod/Makefile: -------------------------------------------------------------------------------- 1 | obj-m += $(addsuffix .o, $(notdir $(basename $(wildcard $(BR2_EXTERNAL_TUTORIAL_KERNEL_MODULES_PATH)/package/kernel-modules/tutorial-mod/*.c)))) 2 | 3 | .PHONY: all clean 4 | 5 | all: 6 | $(MAKE) -C '/lib/modules/$(shell uname -r)/build' M='$(PWD)' modules 7 | 8 | clean: 9 | $(MAKE) -C 
'$(LINUX_DIR)' M='$(PWD)' clean -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/src/tutorial-kernel-modules/package/kernel-modules/tutorial-mod/tutorial-mod.mk: -------------------------------------------------------------------------------- 1 | TUTORIAL_MOD_VERSION = 1.0 2 | TUTORIAL_MOD_SITE = $(BR2_EXTERNAL_TUTORIAL_KERNEL_MODULES_PATH)/package/kernel-modules/tutorial-mod 3 | TUTORIAL_MOD_SITE_METHOD = local 4 | 5 | $(eval $(kernel-module)) 6 | $(eval $(generic-package)) -------------------------------------------------------------------------------- /examples/tutorials/risc-v-kernel/src/tutorial-mod-driver.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include "tsffs.h" 12 | 13 | #define MAJOR_NUM 100 14 | #define IOCTL_SET_MSG _IOW(MAJOR_NUM, 0, char *) 15 | #define IOCTL_GET_MSG _IOR(MAJOR_NUM, 1, char *) 16 | #define IOCTL_GET_NTH_BYTE _IOWR(MAJOR_NUM, 2, int) 17 | #define DEVICE_FILE_NAME "char_dev" 18 | #define DEVICE_PATH "/dev/char_dev" 19 | 20 | int ioctl_set_msg(int file_desc, char *message) { 21 | int ret_val; 22 | 23 | ret_val = ioctl(file_desc, IOCTL_SET_MSG, message); 24 | 25 | if (ret_val < 0) { 26 | printf("ioctl_set_msg failed:%d\n", ret_val); 27 | } 28 | 29 | return ret_val; 30 | } 31 | 32 | int ioctl_get_msg(int file_desc) { 33 | int ret_val; 34 | char message[100] = {0}; 35 | 36 | ret_val = ioctl(file_desc, IOCTL_GET_MSG, message); 37 | 38 | if (ret_val < 0) { 39 | printf("ioctl_get_msg failed:%d\n", ret_val); 40 | } 41 | printf("get_msg message:%s", message); 42 | 43 | return ret_val; 44 | } 45 | 46 | int ioctl_get_nth_byte(int file_desc) { 47 | int i, c; 48 | 49 | printf("get_nth_byte message:"); 50 | 51 | i = 0; 52 | do { 53 | c = ioctl(file_desc, 
IOCTL_GET_NTH_BYTE, i++); 54 | 55 | if (c < 0) { 56 | printf("\nioctl_get_nth_byte failed at the %d'th byte:\n", i); 57 | return c; 58 | } 59 | 60 | putchar(c); 61 | } while (c != 0); 62 | 63 | return 0; 64 | } 65 | 66 | int main(void) { 67 | int file_desc, ret_val; 68 | char *msg = "AAAAAAAA\n"; 69 | 70 | file_desc = open(DEVICE_PATH, O_RDWR); 71 | if (file_desc < 0) { 72 | printf("Can't open device file: %s, error:%d\n", DEVICE_PATH, file_desc); 73 | exit(EXIT_FAILURE); 74 | } 75 | 76 | ret_val = ioctl_set_msg(file_desc, msg); 77 | if (ret_val) goto error; 78 | 79 | close(file_desc); 80 | return 0; 81 | error: 82 | close(file_desc); 83 | exit(EXIT_FAILURE); 84 | } -------------------------------------------------------------------------------- /examples/tutorials/windows-kernel/.gitignore: -------------------------------------------------------------------------------- 1 | *.craff 2 | *.img -------------------------------------------------------------------------------- /examples/tutorials/windows-kernel/run.simics: -------------------------------------------------------------------------------- 1 | 2 | $cpu_comp_class = "x86QSP2" 3 | $disk0_image = "%simics%/windows-11.img" 4 | $use_vmp = FALSE 5 | $create_usb_tablet = TRUE 6 | $num_cores = 1 7 | $num_threads = 2 8 | 9 | if not (file-exists "breakpoint-boot") { 10 | echo "Breakpoint screenshot not found, booting. You must create the breakpoint screenshot manually." 
11 | # If we haven't taken a screenshot yet, we need to manually run, screenshot, and 12 | # save the diff file 13 | run-command-file "%simics%/targets/qsp-x86/qsp-hdd-boot.simics" 14 | 15 | # Once the machine is booted up and you can see the Agent CMD window, press Ctrl+C 16 | # and run these two commands in the Simics console to take a screenshot and save the 17 | # diff file 18 | # 19 | # board.disk0.hd_image.save-diff-file filename = "windows-11.diff.craff" 20 | # board.console.con.save-break-xy breakpoint-boot 0 0 120 120 21 | 22 | run 23 | } 24 | 25 | if file-exists "booted.ckpt" { 26 | echo "Booted checkpoint found, loading..." 27 | read-configuration "booted.ckpt" 28 | } else { 29 | echo "No booted checkpoint saved, running..." 30 | run-command-file "%simics%/targets/qsp-x86/qsp-hdd-boot.simics" 31 | board.disk0.hd_image.add-diff-file filename = "windows-11.diff.craff" 32 | # Uncomment this line to enable VNC for headless access. NOTE(review): "PassPass" is a sample value shared with everyone who reads this tutorial - set your own password and keep the port reachable only from hosts you trust. 33 | # board.console.con.vnc-setup port = 7500 password = "PassPass" 34 | } 35 | 36 | script-branch { 37 | board.console.con.bp-wait-for-gfx breakpoint-boot 1 38 | echo "Got booted breakpoint. Waiting 10 seconds..." 39 | bp.time.wait-for seconds = 10 40 | echo "Got booted breakpoint, stopping..." 41 | stop 42 | 43 | if not (file-exists "booted.ckpt") { 44 | echo "Got booted BP, saving checkpoint..." 45 | write-configuration booted.ckpt 46 | } else { 47 | echo "Already had checkpoint, not saving..." 48 | } 49 | 50 | start-agent-manager 51 | $matic = (agent_manager.connect-to-agent) 52 | continue 53 | $matic.wait-for-job 54 | $matic.agent-poll-interval ms = 60000 55 | stop 56 | $matic.upload-dir -overwrite "%simics%/fuzzer/" 57 | # Without fuzzing, this should blue screen the machine 58 | $matic.run "C:\\fuzzer\\fuzzer.exe" 59 | continue 60 | $matic.wait-for-job 61 | echo "Done with jobs..." 
62 | } 63 | 64 | run 65 | -------------------------------------------------------------------------------- /harness/.gitignore: -------------------------------------------------------------------------------- 1 | *.o -------------------------------------------------------------------------------- /harness/README.md: -------------------------------------------------------------------------------- 1 | # Harness Collection for TSFFS 2 | 3 | This directory contains a selection of provided (and tested) harness header files. All 4 | harnesses are tested automatically at project test time for correct passing of the 5 | testcase and size addresses. 6 | 7 | All headers define the following: 8 | 9 | * `MAGIC_START` - The value used by default to signal the fuzzer to start 10 | * `MAGIC_STOP` - The value used by default to signal the fuzzer to stop 11 | * `HARNESS_START(uint8_t **addr_ptr, size_t * size_ptr)` - The macro used to signal the 12 | fuzzer to start fuzzing, writing each testcase to the buffer pointed to by `addr_ptr` 13 | and writing the size of each testcase to `size_ptr`, where `*size_ptr` is initially 14 | equal to the maximum testcase size (i.e. the size of `*addr_ptr`). 15 | * `HARNESS_STOP()` - The macro used to signal the fuzzer to stop the current execution, 16 | restore the snapshot taken at the location of `HARNESS_START`, and start another 17 | execution with a new testcase, without saving the input (no error or solution 18 | occurred). 19 | * `HARNESS_ASSERT()` - The macro used to signal the fuzzer to stop the current 20 | execution, restore the snapshot taken at the location of `HARNESS_START`, and start 21 | another execution with a new testcase, while saving the input (an error or solution 22 | occurred). 23 | 24 | Some architectures or programming environments require an assembly file in addition to 25 | the provided header file. 
Notably, MSVC does not support intrinsics when compiling 26 | edk2-based UEFI code, and does not support inline assembly, so assembly files are 27 | necessary. -------------------------------------------------------------------------------- /harness/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 4 | 5 | cat < "${SCRIPT_DIR}/tsffs.h" 6 | // Copyright (C) 2024 Intel Corporation 7 | // SPDX-License-Identifier: Apache-2.0 8 | 9 | #if defined(__GNUC__) || defined(__clang__) 10 | #ifdef __i386__ 11 | $(cat "${SCRIPT_DIR}/tsffs-gcc-x86.h") 12 | #elif __x86_64__ 13 | $(cat "${SCRIPT_DIR}/tsffs-gcc-x86_64.h") 14 | #elif __riscv && !__LP64__ 15 | $(cat "${SCRIPT_DIR}/tsffs-gcc-riscv32.h") 16 | #elif __riscv && __LP64__ 17 | $(cat "${SCRIPT_DIR}/tsffs-gcc-riscv64.h") 18 | #elif __aarch64__ 19 | $(cat "${SCRIPT_DIR}/tsffs-gcc-aarch64.h") 20 | #elif __arm__ 21 | $(cat "${SCRIPT_DIR}/tsffs-gcc-arm32.h") 22 | #else 23 | #error "Unsupported platform!" 24 | #endif 25 | #elif _MSC_VER 26 | $(cat "${SCRIPT_DIR}/tsffs-msvc-x86_64.h") 27 | #else 28 | #error "Unsupported compiler!" 
29 | #endif 30 | EOF 31 | 32 | ./test.sh 33 | -------------------------------------------------------------------------------- /harness/test.c: -------------------------------------------------------------------------------- 1 | #ifdef SINGLE_FILE 2 | #include "tsffs.h" 3 | #else 4 | #ifdef __i386__ 5 | #include "tsffs-gcc-x86.h" 6 | #elif __x86_64__ 7 | #include "tsffs-gcc-x86_64.h" 8 | #elif __riscv && !__LP64__ 9 | #include "tsffs-gcc-riscv32.h" 10 | #elif __riscv && __LP64__ 11 | #include "tsffs-gcc-riscv64.h" 12 | #elif __aarch64__ 13 | #include "tsffs-gcc-aarch64.h" 14 | #elif __arm__ 15 | #include "tsffs-gcc-arm32.h" 16 | #endif 17 | #endif 18 | 19 | #include 20 | 21 | int test_start() { 22 | char buf[1024]; 23 | size_t size = 1024; 24 | HARNESS_START(buf, &size); 25 | return 0; 26 | } 27 | 28 | int test_start_with_maximum_size() { 29 | char buf[1024]; 30 | size_t size = 1024; 31 | HARNESS_START_WITH_MAXIMUM_SIZE(buf, size); 32 | return 0; 33 | } 34 | 35 | int test_start_with_maximum_size_and_ptr() { 36 | char buf[1024]; 37 | size_t size = 1024; 38 | HARNESS_START_WITH_MAXIMUM_SIZE_AND_PTR(buf, &size, 1024); 39 | return 0; 40 | } 41 | 42 | int test_stop() { 43 | char buf[1024]; 44 | size_t size = 1024; 45 | HARNESS_STOP(); 46 | return 0; 47 | } 48 | 49 | int test_assert() { 50 | char buf[1024]; 51 | size_t size = 1024; 52 | HARNESS_ASSERT(); 53 | return 0; 54 | } 55 | 56 | #ifndef __arm__ 57 | int test_start_index() { 58 | char buf[1024]; 59 | size_t size = 1024; 60 | HARNESS_START_INDEX(1, buf, &size); 61 | return 0; 62 | } 63 | 64 | int test_start_with_maximum_size_index() { 65 | char buf[1024]; 66 | size_t size = 1024; 67 | HARNESS_START_WITH_MAXIMUM_SIZE_INDEX(2, buf, size); 68 | return 0; 69 | } 70 | 71 | int test_start_with_maximum_size_and_ptr_index() { 72 | char buf[1024]; 73 | size_t size = 1024; 74 | HARNESS_START_WITH_MAXIMUM_SIZE_AND_PTR_INDEX(3, buf, &size, 1024); 75 | return 0; 76 | } 77 | 78 | int test_stop_index() { 79 | char buf[1024]; 80 | 
size_t size = 1024; 81 | HARNESS_STOP_INDEX(4); 82 | return 0; 83 | } 84 | 85 | int test_assert_index() { 86 | char buf[1024]; 87 | size_t size = 1024; 88 | HARNESS_ASSERT_INDEX(5); 89 | return 0; 90 | } 91 | 92 | 93 | #endif 94 | 95 | int main() {} 96 | -------------------------------------------------------------------------------- /rust-toolchain.toml: -------------------------------------------------------------------------------- 1 | [toolchain] 2 | channel = "nightly-2025-02-28" 3 | -------------------------------------------------------------------------------- /scripts/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -e 7 | 8 | SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 9 | ROOT_DIR="${SCRIPT_DIR}/../" 10 | BUILDER_DIR="${ROOT_DIR}/.github/builder/" 11 | IMAGE_NAME="tsffs-builder" 12 | CONTAINER_UID=$(echo "${RANDOM}" | sha256sum | head -c 8) 13 | CONTAINER_NAME="${IMAGE_NAME}-tmp-${CONTAINER_UID}" 14 | 15 | # shellcheck disable=SC1091 16 | source "${BUILDER_DIR}/common.sh" 17 | 18 | download_and_verify_builder_deps 19 | 20 | unset SIMICS_BASE 21 | docker build \ 22 | --build-arg \ 23 | "PUBLIC_SIMICS_PACKAGE_VERSION_1000=${PUBLIC_SIMICS_PACKAGE_VERSION_1000}" \ 24 | -t "${IMAGE_NAME}" -f "${BUILDER_DIR}/Dockerfile" "${ROOT_DIR}" 25 | docker create --name "${CONTAINER_NAME}" "${IMAGE_NAME}" bash 26 | mkdir -p "${ROOT_DIR}/packages" 27 | docker cp "${CONTAINER_NAME}:/packages" "${ROOT_DIR}/" 28 | docker rm -f "${CONTAINER_NAME}" 29 | -------------------------------------------------------------------------------- /scripts/cov.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | SCRIPT_DIR=$(cd -- "$(dirname -- 
"${BASH_SOURCE[0]}")" &>/dev/null && pwd) 7 | 8 | if ! command -v cargo-llvm-cov &>/dev/null; then 9 | echo "cargo-llvm-cov must be installed! Run 'cargo install cargo-llvm-cov'" 10 | exit 1 11 | fi 12 | 13 | pushd "${SCRIPT_DIR}" || exit 1 14 | 15 | cargo llvm-cov --features=6.0.169 16 | -------------------------------------------------------------------------------- /scripts/dependabot.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | if ! command -v jq &>/dev/null; then 7 | echo "jq must be installed. Install it with your package manager" 8 | exit 1 9 | fi 10 | 11 | if ! command -v git &>/dev/null; then 12 | echo "jq must be installed. Install it with your package manager" 13 | exit 1 14 | fi 15 | 16 | if [ -z "${GITHUB_TOKEN}" ]; then 17 | if ! command -v gh &>/dev/null; then 18 | echo "gh must be installed. Install it with your package manager" 19 | exit 1 20 | fi 21 | 22 | if ! GITHUB_TOKEN=$(gh auth token); then 23 | GITHUB_TOKEN=$(gh auth status -t 2>&1 | grep 'Token:' | awk '{print $3}') || 24 | (echo "Failed to get token." 
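&& exit 1) 25 | 26 | fi 27 | 28 | fi

# The fallback above runs `exit 1` inside a ( ... ) subshell, which ends only
# that subshell. Stop here instead of calling the API with an empty token.
if [ -z "${GITHUB_TOKEN}" ]; then
    echo "Failed to get token." >&2
    exit 1
fi

SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
DEPENDABOT_DIR="${SCRIPT_DIR}/../.github/dependabot"

pushd "${SCRIPT_DIR}" || exit 1

# REPOSITORY=$(git remote get-url origin | awk -F'/' '{print $(NF-1)"/"$(NF)}')
DATE=$(date '+%Y-%m-%d')
CSV="${DEPENDABOT_DIR}/${DATE}.csv"
JSON="${DEPENDABOT_DIR}/${DATE}.json"

# The bearer token is handed to curl on stdin (-H @-, curl 7.55.0 or newer)
# rather than on the command line, where any local user could read it from the
# process list. printf is a shell builtin, so the token never appears in argv.
# --fail makes an HTTP error (expired token, missing scope) abort the run
# instead of saving the error response as today's alert snapshot.
printf 'Authorization: Bearer %s\n' "${GITHUB_TOKEN}" |
    curl --fail -o "${JSON}" -L \
        -H "Accept: application/vnd.github+json" \
        -H @- \
        -H "X-Github-Api-Version: 2022-11-28" \
        https://api.github.com/repos/intel/tsffs/dependabot/alerts || exit 1

echo "CVE,Package Name,Severity,Manifest File,Status,CVSS,CVSS Vector,Vulnerable Versions,Fixed Versions,Triaged By,Triage Reason,Triage Comment" >"${CSV}"

# NOTE(review): without -r, jq prints each @csv row as a JSON string literal
# (wrapped in quotes, inner quotes backslash-escaped); confirm whether raw
# output is wanted for the CSV.
# NOTE(review): the "Fixed Versions" column is filled from .fixed_at, which
# looks like a timestamp rather than a version - confirm against the API schema.
jq '.[] | [.security_advisory.cve_id,.dependency.package.name,.security_advisory.severity,.dependency.manifest_path,.state,.security_advisory.cvss.score,.security_advisory.cvss.vector_string,.security_vulnerability.vulnerable_version_range,.fixed_at,.dismissed_by,.dismissed_reason,.dismissed_comment] | @csv' <"${JSON}" >>"${CSV}"

echo "🐱 Adding dependabot outputs to git with git add"

# NOTE(review): the staged files list every alert returned, including ones not
# yet fixed; confirm that publishing them with the repository is intended.
git add "${JSON}"
git add "${CSV}"
-------------------------------------------------------------------------------- /scripts/fmt.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | # Clang-Format 7 | 8 | SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 9 | 10 | if ! command -v cargo &>/dev/null; then 11 | echo "cargo must be installed! Install from https://rustup.rs" 12 | exit 1 13 | fi 14 | 15 | if ! command -v fd &>/dev/null; then 16 | echo "fd must be installed! Install with 'cargo install fd-find'" 17 | exit 1 18 | fi 19 | 20 | if ! 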
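command -v clang-format &>/dev/null; then 21 | echo "clang-format must be installed! Install with your system package manager." 22 | exit 1 23 | fi 24 | 25 | if ! command -v black &>/dev/null; then 26 | echo "black must be installed! Install with 'python3 -m pip install black'" 27 | exit 1 28 | fi 29 | 30 | if ! command -v isort &>/dev/null; then 31 | echo "isort must be installed! Install with 'python3 -m pip install isort'" 32 | exit 1 33 | fi 34 | 35 | if ! command -v markdownlint &>/dev/null; then 36 | echo "markdownlint must be installed! Install with 'npm i -g markdownlint-cli'" 37 | exit 1 38 | fi 39 | 40 | echo "=================" 41 | echo "Formatting C/C++" 42 | echo "=================" 43 | 44 | fd '.*(\.h|\.c|\.cc|\.hh)$' -x clang-format -i {} 45 | 46 | echo "=================" 47 | echo "Formatting Rust" 48 | echo "=================" 49 | 50 | cargo fmt --all 51 | 52 | echo "=================" 53 | echo "Formatting Python" 54 | echo "=================" 55 | 56 | fd '.*\.py$' -x black 57 | fd '.*\.py$' -x isort --profile black 58 | 59 | echo "=================" 60 | echo "Formatting Markdown" 61 | echo "=================" 62 | 63 | fd '.*\.md$' -x markdownlint -f -c "${SCRIPT_DIR}/../.github/linters/.markdown-lint.yml" {} 64 | -------------------------------------------------------------------------------- /scripts/license.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

# Adds the Apache-2.0 SPDX header to Rust and C/C++ sources that lack it, then
# exits non-zero if any file of a license-required type still has no header.

SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)

if ! command -v fd &>/dev/null; then
    echo "fd must be installed! Install with 'cargo install fd-find'"
    exit 1
fi

# File names reach grep and sed as quoted arguments. They are no longer spliced
# into a `bash -c` command string, so a path containing spaces, quotes or shell
# metacharacters (for example one added by an untrusted contribution) is
# handled as data and cannot run as a command. This also removes the need for
# rargs.
while IFS= read -r -d $'\0' RUST_FILE; do
    if ! grep -q 'SPDX-License-Identifier: Apache-2.0' -- "${RUST_FILE}"; then
        if grep -qzE '^#!/' -- "${RUST_FILE}"; then
            # Keep the shebang on line 1 and insert the header below it.
            echo 'Adding license to file with shebang' "${RUST_FILE}"
            sed -i '2s/^/\n\/\/ Copyright (C) 2024 Intel Corporation\n\/\/ SPDX-License-Identifier: Apache-2.0\n\n/' -- "${RUST_FILE}"
        else
            echo 'Adding license to ' "${RUST_FILE}"
            sed -i '1s/^/\/\/ Copyright (C) 2024 Intel Corporation\n\/\/ SPDX-License-Identifier: Apache-2.0\n\n/' -- "${RUST_FILE}"
        fi
    fi
done < <(fd -t f -0 '.*\.rs$' "${SCRIPT_DIR}/../")

# C/C++ sources may opt out with a 'LICENSE: IGNORE' marker.
while IFS= read -r -d $'\0' C_FILE; do
    if ! grep -q 'SPDX-License-Identifier: Apache-2.0' -- "${C_FILE}" && ! grep -q 'LICENSE: IGNORE' -- "${C_FILE}"; then
        echo 'Adding license to ' "${C_FILE}"
        sed -i '1s/^/\/\/ Copyright (C) 2024 Intel Corporation\n\/\/ SPDX-License-Identifier: Apache-2.0\n\n/' -- "${C_FILE}"
    fi
done < <(fd -t f -0 '.*\.(c|h|cc|hh|hpp|cpp)$' "${SCRIPT_DIR}/../")

MISSING_LICENSE_FILES=()

# Report-only pass over every file type that must carry the header.
while IFS= read -r -d $'\0' LICENSE_REQUIRED_FILE; do
    if ! grep -q 'SPDX-License-Identifier: Apache-2.0' "${LICENSE_REQUIRED_FILE}" && ! grep -q 'LICENSE: IGNORE' "${LICENSE_REQUIRED_FILE}"; then
        MISSING_LICENSE_FILES+=("${LICENSE_REQUIRED_FILE}")
    fi
done < <(fd -0 -t f -e 'c' -e 'dml' -e 'h' \
    -e 'inf' -e 'ini' -e 'ninja' -e 'nsh' -e 'py' -e 'rs' -e 'sh' -e 'simics' \
    -e 'toml' -e 'yaml' -e 'yml' . "${SCRIPT_DIR}/../")

if [ "${#MISSING_LICENSE_FILES[@]}" -eq 0 ]; then
    exit 0
else
    echo "Files found missing license block:"
    for MISSING_LICENSE_FILE in "${MISSING_LICENSE_FILES[@]}"; do
        echo "${MISSING_LICENSE_FILE}"
    done
    exit 1
fi
-------------------------------------------------------------------------------- /src/fuzzer/executors/mod.rs: -------------------------------------------------------------------------------- 1 | //! Executors take input, and run it in the target. 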
2 | 3 | #[allow(unused)] 4 | // Unused are allowed, we may want hooks in the future 5 | pub(crate) mod inprocess; 6 | -------------------------------------------------------------------------------- /src/fuzzer/messages/mod.rs: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | use serde::Serialize; 5 | 6 | #[derive(Serialize, Debug, Clone)] 7 | pub(crate) enum FuzzerMessage { 8 | String(String), 9 | Interesting { indices: Vec, input: Vec }, 10 | Crash { indices: Vec, input: Vec }, 11 | Timeout { indices: Vec, input: Vec }, 12 | } 13 | -------------------------------------------------------------------------------- /src/interfaces/config.rs: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | use crate::{arch::ArchitectureHint, Tsffs}; 5 | use simics::{debug, get_processor_number, interface, AsConfObject, ConfObject, Result}; 6 | use std::{ 7 | ffi::{c_char, CStr}, 8 | str::FromStr, 9 | }; 10 | 11 | #[interface(name = "config")] 12 | impl Tsffs { 13 | /// Add a processor to be traced. By default, only the processor the start event occurs on 14 | /// is used for tracing. 15 | pub fn add_trace_processor(&mut self, cpu: *mut ConfObject) -> Result<()> { 16 | debug!( 17 | self.as_conf_object(), 18 | "add_trace_processor({:#x})", cpu as usize 19 | ); 20 | 21 | self.add_processor(cpu, false)?; 22 | 23 | Ok(()) 24 | } 25 | 26 | /// Set an architecture hint to be used for a particular processor. This allows overriding 27 | /// the detected or reported architecture for the processor object. This is particularly 28 | /// useful for x86 processors which report as x86-64 processors, or when fuzzing x86 code 29 | /// running on an x86-64 processor in a backward compatibility mode. 
30 | pub fn add_architecture_hint(&mut self, cpu: *mut ConfObject, hint: *mut c_char) -> Result<()> { 31 | let hint = unsafe { CStr::from_ptr(hint) }.to_str()?; 32 | let processor_number = get_processor_number(cpu)?; 33 | debug!( 34 | self.as_conf_object(), 35 | "add_architecture_hint({processor_number}, {hint})" 36 | ); 37 | self.architecture_hints 38 | .insert(processor_number, ArchitectureHint::from_str(hint)?); 39 | 40 | Ok(()) 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /src/interfaces/mod.rs: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | //! Interfaces accessible from Simics script and Python 5 | 6 | pub(crate) mod config; 7 | pub(crate) mod fuzz; 8 | -------------------------------------------------------------------------------- /src/magic/mod.rs: -------------------------------------------------------------------------------- 1 | //! 
Magic number definitions 2 | 3 | use std::fmt::Display; 4 | 5 | use num_derive::{FromPrimitive, ToPrimitive}; 6 | #[allow(unused_imports)] 7 | use num_traits::{FromPrimitive as _, ToPrimitive as _}; 8 | use serde::{Deserialize, Serialize}; 9 | 10 | #[repr(i64)] 11 | #[derive(Debug, Copy, Clone, PartialEq, Deserialize, Serialize, FromPrimitive, ToPrimitive)] 12 | pub enum MagicNumber { 13 | StartBufferPtrSizePtr = 1, 14 | StartBufferPtrSizeVal = 2, 15 | StartBufferPtrSizePtrVal = 3, 16 | StopNormal = 4, 17 | StopAssert = 5, 18 | } 19 | 20 | impl Display for MagicNumber { 21 | fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { 22 | write!(f, "{}", *self as i64) 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /src/os/mod.rs: -------------------------------------------------------------------------------- 1 | #![allow(unused)] 2 | 3 | use std::{collections::HashMap, path::PathBuf}; 4 | 5 | use lcov2::Records; 6 | 7 | pub mod windows; 8 | 9 | #[derive(Debug)] 10 | pub struct DebugInfoConfig<'a> { 11 | pub system: bool, 12 | pub user_debug_info: &'a HashMap>, 13 | pub coverage: &'a mut Records, 14 | } 15 | -------------------------------------------------------------------------------- /src/os/windows/idt.rs: -------------------------------------------------------------------------------- 1 | #[repr(C)] // NOTE: Without repr(C) alignment causes corruption 2 | #[derive(Debug, Clone)] 3 | // NOTE: The vergilius generated struct is incorrectly sized so we use this one 4 | pub struct IdtEntry64 { 5 | offset_low: u16, 6 | selector: u16, 7 | ist: u8, 8 | type_attr: u8, 9 | offset_middle: u16, 10 | offset_high: u32, 11 | _reserved: u32, 12 | } 13 | 14 | impl IdtEntry64 { 15 | pub fn offset(&self) -> u64 { 16 | (self.offset_high as u64) << 32 | (self.offset_middle as u64) << 16 | self.offset_low as u64 17 | } 18 | 19 | pub fn selector(&self) -> u16 { 20 | self.selector 21 | } 22 | 23 | pub fn ist(&self) -> u8 
{ 24 | self.ist & 0b111 25 | } 26 | 27 | pub fn gate_type(&self) -> u8 { 28 | self.type_attr & 0b1111 29 | } 30 | 31 | pub fn dpl(&self) -> u8 { 32 | (self.type_attr >> 5) & 0b11 33 | } 34 | 35 | pub fn present(&self) -> bool { 36 | (self.type_attr >> 7) & 1 == 1 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /src/state/mod.rs: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | //! Definitions for tracking the state of the fuzzer 5 | 6 | use anyhow::{anyhow, Error, Result}; 7 | use serde::{Deserialize, Serialize}; 8 | use serde_json::{from_str, to_string}; 9 | use simics::api::ConfObject; 10 | use std::{ 11 | fmt::{Display, Formatter}, 12 | ptr::null_mut, 13 | str::FromStr, 14 | }; 15 | 16 | use crate::{magic::MagicNumber, ManualStartInfo}; 17 | 18 | #[derive(Serialize, Deserialize, Debug, Clone)] 19 | pub(crate) enum SolutionKind { 20 | Timeout, 21 | Exception, 22 | Breakpoint, 23 | Manual, 24 | } 25 | 26 | #[derive(Debug, Clone, Serialize, Deserialize)] 27 | /// Definition of all the reasons the simulator could be stopped by the fuzzer. In general, 28 | /// callbacks in the fuzzer, for example [`Driver::on_magic_instruction`] may be called 29 | /// asynchronously and stop the simulation. 
30 | pub(crate) enum StopReason { 31 | Magic { 32 | magic_number: MagicNumber, 33 | }, 34 | ManualStart { 35 | #[serde(skip, default = "null_mut")] 36 | processor: *mut ConfObject, 37 | info: ManualStartInfo, 38 | }, 39 | ManualStartWithoutBuffer { 40 | #[serde(skip, default = "null_mut")] 41 | processor: *mut ConfObject, 42 | }, 43 | ManualStop, 44 | Solution { 45 | kind: SolutionKind, 46 | }, 47 | } 48 | 49 | impl Display for StopReason { 50 | fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { 51 | write!(f, "{}", to_string(self).unwrap_or_default()) 52 | } 53 | } 54 | 55 | impl FromStr for StopReason { 56 | type Err = Error; 57 | 58 | fn from_str(s: &str) -> Result { 59 | from_str(s).map_err(|e| anyhow!("Failed to deserialize from string: {e}")) 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /src/traits/mod.rs: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | use crate::tracer::{CmpExpr, CmpType}; 5 | use anyhow::Result; 6 | 7 | /// Trait for disassemblers of various architectures to implement to permit branch 8 | /// and compare tracing 9 | pub trait TracerDisassembler { 10 | fn disassemble(&mut self, bytes: &[u8]) -> Result<()>; 11 | fn disassemble_to_string(&mut self, bytes: &[u8]) -> Result; 12 | fn last_was_control_flow(&self) -> bool; 13 | fn last_was_call(&self) -> bool; 14 | fn last_was_ret(&self) -> bool; 15 | fn last_was_cmp(&self) -> bool; 16 | fn cmp(&self) -> Vec; 17 | fn cmp_type(&self) -> Vec; 18 | } 19 | -------------------------------------------------------------------------------- /src/util/mod.rs: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | use anyhow::Result; 5 | use simics::api::{get_attribute, get_object}; 6 | use 
simics::FromAttrValueList; 7 | 8 | #[derive(Debug, Clone, FromAttrValueList)] 9 | pub(crate) struct MicroCheckpointInfo { 10 | #[allow(unused)] 11 | pub name: String, 12 | #[allow(unused)] 13 | pub pages: i64, 14 | #[allow(unused)] 15 | pub zero: i64, 16 | } 17 | 18 | #[allow(unused)] 19 | pub(crate) struct Utils; 20 | 21 | #[allow(unused)] 22 | impl Utils { 23 | /// Get the list of saved micro checkpoints 24 | pub fn get_micro_checkpoints() -> Result> { 25 | let checkpoints: Vec = 26 | get_attribute(get_object("sim.rexec")?, "state_info")?.try_into()?; 27 | 28 | Ok(checkpoints) 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /tests/rsrc/README.md: -------------------------------------------------------------------------------- 1 | # Tests 2 | 3 | Examples that should be tested should be placed here. Each example should have a 4 | `build.sh` script that generates or places all files required to run the test into the 5 | test's directory. The `build.sh` script may accept a `SIMICS_BASE` environment 6 | variable to locate simics-provided scripts. 7 | 8 | For example, [minimal-riscv-64/build.sh](minimal-riscv-64/build.sh) produces: 9 | 10 | - `fw_jump.elf` 11 | - `Image` 12 | - `rootfs.ext2` 13 | - `test` 14 | - `test-mod` 15 | - `test-mod-userspace` 16 | - `test-mod.ko` 17 | 18 | All of which are used by the tests that use this example. The files should be output in 19 | the same directory structure they should be placed into the SIMICS project set up for 20 | testing. 21 | 22 | Test scripts should be named following the pattern `test*.simics` and placed in the test 23 | directory. 
24 | 25 | -------------------------------------------------------------------------------- /tests/rsrc/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | set -e 7 | 8 | if [ -z "${SIMICS_BASE}" ]; then 9 | echo "SIMICS_BASE is not set, defaulting to latest." 10 | SIMICS_BASE="$(ispm packages --list-installed --json | jq -r '[ .installedPackages[] | select(.pkgNumber == 1000) ] | ([ .[].version ] | max_by(split(".") | map(tonumber))) as $m | first(first(.[]|select(.version == $m)).paths[0])')" 11 | export SIMICS_BASE 12 | fi 13 | 14 | if [ ! -d "${SIMICS_BASE}" ]; then 15 | echo "SIMICS_BASE ${SIMICS_BASE} is not a directory." 16 | exit 1 17 | fi 18 | 19 | for TARGET in *; do 20 | if [ -d "${TARGET}" ]; then 21 | pushd "${TARGET}" || exit 1 22 | echo "Building ${TARGET}" 23 | ./build.sh 24 | popd || exit 1 25 | fi 26 | done 27 | -------------------------------------------------------------------------------- /tests/rsrc/minimal_boot_disk.craff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intel/tsffs/fe43b532ba4755b23bb4678c0b44d9235ad88493/tests/rsrc/minimal_boot_disk.craff -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/.gitignore: -------------------------------------------------------------------------------- 1 | *.elf 2 | Image 3 | *.tar.gz 4 | *.ext2 5 | test 6 | test-mod 7 | !test-mod/ 8 | test-mod-userspace 9 | test-mod.ko 10 | *.h 11 | *.craff 12 | *.fs -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/Dockerfile: -------------------------------------------------------------------------------- 1 | # hadolint global ignore=DL3008 2 | FROM ubuntu:22.04@sha256:adbb90115a21969d2fe6fa7f9af4253e16d45f8d4c1e930182610c4731962658 AS buildroot 
3 | # NOTE(review): "2023.11.x" looks like a branch name rather than a commit, so the checkout below follows whatever that branch points to at build time; pin a commit hash for a reproducible build, as the base image is already pinned by digest 4 | ARG BUILDROOT_REV="2023.11.x" 5 | 6 | SHELL ["/bin/bash", "-o", "pipefail", "-c"] 7 | 8 | ENV DEBIAN_FRONTEND=noninteractive 9 | 10 | RUN apt-get -y update && \ 11 | apt-get -y install \ 12 | bash \ 13 | bc \ 14 | build-essential \ 15 | cpio \ 16 | file \ 17 | git \ 18 | gcc \ 19 | g++ \ 20 | rsync \ 21 | unzip \ 22 | wget 23 | 24 | RUN git clone \ 25 | https://github.com/buildroot/buildroot.git && \ 26 | git -C buildroot checkout "${BUILDROOT_REV}" 27 | 28 | WORKDIR /buildroot 29 | 30 | # Build user-space test program 31 | RUN mkdir -p /test/usr/ 32 | COPY test-kernel-modules /test/test-kernel-modules/ 33 | COPY simics_simple_riscv_defconfig configs/simics_simple_riscv_defconfig 34 | COPY test.c /test/usr/test.c 35 | COPY test-mod.c /test/usr/test-mod.c 36 | COPY test-mod-userspace.c /test/usr/test-mod-userspace.c 37 | COPY tsffs.h /test/usr/tsffs.h 38 | 39 | # Build Linux, Linux Kernel Modules & RootFS 40 | # Build size: 7.9G 41 | RUN make BR2_EXTERNAL=/test/test-kernel-modules/ simics_simple_riscv_defconfig && \ 42 | make && \ 43 | echo "Compressing images" && \ 44 | tar -C output/images -czvf images.tar.gz Image fw_jump.elf rootfs.ext2 && \ 45 | echo "Copying images" && \ 46 | cp images.tar.gz /test/ && \ 47 | echo "Building test" && \ 48 | /buildroot/output/host/bin/riscv64-buildroot-linux-gnu-gcc -o /test/usr/test /test/usr/test.c && \ 49 | echo "Building test-mod" && \ 50 | /buildroot/output/host/bin/riscv64-buildroot-linux-gnu-gcc -o /test/usr/test-mod /test/usr/test-mod.c && \ 51 | echo "Building test-mod-userspace" && \ 52 | /buildroot/output/host/bin/riscv64-buildroot-linux-gnu-gcc -o /test/usr/test-mod-userspace /test/usr/test-mod-userspace.c && \ 53 | echo "Copying test mod" && \ 54 | cp /buildroot/output/build/test-mod*/test-mod.ko /test/usr/test-mod.ko && \ 55 | echo "Copied all build artifacts" 56 | 57 | -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/build.sh:
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | 6 | # Build the RISC-V test resources in a container (see Dockerfile) and copy them into this directory: 7 | # the buildroot images archive, the test, test-mod and test-mod-userspace binaries, and test-mod.ko. 8 | # The images are unpacked under targets/risc-v-simple/images/linux/ and the binaries are packed into test.fs.craff. 9 | 10 | set -e 11 | 12 | 13 | SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 14 | IMAGE_NAME="buildroot-build-tsffs-gcc-riscv64-test" 15 | CONTAINER_UID=$(echo "${RANDOM}" | sha256sum | head -c 8) # only 32768 possible suffixes (${RANDOM} is 0..32767): enough to keep container names apart, not an unpredictable value 16 | CONTAINER_NAME="${IMAGE_NAME}-tmp-${CONTAINER_UID}" 17 | CRAFF="${SCRIPT_DIR}/../../../bin/craff" 18 | CRAFF_FS="${SCRIPT_DIR}/../../../bin/craff-fs" 19 | 20 | if [ -n "${SIMICS_BASE}" ]; then 21 | mkdir -p "${SCRIPT_DIR}/../../../bin" 22 | cp "${SIMICS_BASE}/linux64/bin/craff" "${CRAFF}" 23 | cp "${SIMICS_BASE}/linux64/bin/craff-fs" "${CRAFF_FS}" 24 | fi 25 | 26 | pushd "${SCRIPT_DIR}" || exit 1 27 | 28 | cp "${SCRIPT_DIR}/../../../harness/tsffs.h" "${SCRIPT_DIR}/tsffs.h" 29 | cp "${SCRIPT_DIR}/../../../harness/tsffs.h" "${SCRIPT_DIR}/test-kernel-modules/package/kernel-modules/test-mod/tsffs.h" 30 | mkdir -p "${SCRIPT_DIR}/targets/risc-v-simple/images/linux/" 31 | 32 | echo "Building container" 33 | docker buildx build -t "${IMAGE_NAME}" -f "Dockerfile" .
> "${SCRIPT_DIR}/build.log" 2>&1 || { tail -n 1000 "${SCRIPT_DIR}/build.log"; exit 1; } 34 | echo "Container build finished" 35 | docker create --name "${CONTAINER_NAME}" "${IMAGE_NAME}" 36 | docker cp \ 37 | "${CONTAINER_NAME}:/buildroot/images.tar.gz" \ 38 | "${SCRIPT_DIR}/images.tar.gz" 39 | docker cp \ 40 | "${CONTAINER_NAME}:/test/usr/test" \ 41 | "${SCRIPT_DIR}/test" 42 | docker cp \ 43 | "${CONTAINER_NAME}:/test/usr/test-mod" \ 44 | "${SCRIPT_DIR}/test-mod" 45 | docker cp \ 46 | "${CONTAINER_NAME}:/test/usr/test-mod-userspace" \ 47 | "${SCRIPT_DIR}/test-mod-userspace" 48 | docker cp \ 49 | "${CONTAINER_NAME}:/test/usr/test-mod.ko"\ 50 | "${SCRIPT_DIR}/test-mod.ko" 51 | docker rm -f "${CONTAINER_NAME}" # NOTE(review): not reached when a docker cp above fails under set -e, which leaves the container behind; a trap on EXIT would remove it on every path 52 | 53 | tar -C "${SCRIPT_DIR}/targets/risc-v-simple/images/linux/" -xf images.tar.gz 54 | rm images.tar.gz 55 | 56 | dd if=/dev/zero of=test.fs bs=1024 count=131072 57 | mkfs.fat test.fs 58 | mcopy -i test.fs test-mod-userspace ::test-mod-userspace 59 | mcopy -i test.fs test-mod ::test-mod 60 | mcopy -i test.fs test ::test 61 | mcopy -i test.fs test-mod.ko ::test-mod.ko 62 | "${CRAFF}" -o test.fs.craff test.fs 63 | -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/test-kernel-modules/Config.in: -------------------------------------------------------------------------------- 1 | source "$BR2_EXTERNAL_TEST_KERNEL_MODULES_PATH/package/kernel-modules/Config.in" -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/test-kernel-modules/external.desc: -------------------------------------------------------------------------------- 1 | name: TEST_KERNEL_MODULES -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/test-kernel-modules/external.mk: -------------------------------------------------------------------------------- 1 | include $(sort $(wildcard $(BR2_EXTERNAL_TEST_KERNEL_MODULES_PATH)/package/*/*.mk))
-------------------------------------------------------------------------------- /tests/rsrc/riscv-64/test-kernel-modules/package/kernel-modules/Config.in: -------------------------------------------------------------------------------- 1 | menu "Kernel Modules" 2 | source "$BR2_EXTERNAL_TEST_KERNEL_MODULES_PATH/package/kernel-modules/test-mod/Config.in" 3 | endmenu 4 | -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/test-kernel-modules/package/kernel-modules/kernel-modules.mk: -------------------------------------------------------------------------------- 1 | include $(sort $(wildcard $(BR2_EXTERNAL_TEST_KERNEL_MODULES_PATH)/package/*/*/*.mk)) -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/test-kernel-modules/package/kernel-modules/test-mod/Config.in: -------------------------------------------------------------------------------- 1 | config BR2_PACKAGE_TEST_MOD 2 | bool "test-mod" 3 | depends on BR2_LINUX_KERNEL 4 | help 5 | Test kernel module for TSFFS fuzzing -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/test-kernel-modules/package/kernel-modules/test-mod/Makefile: -------------------------------------------------------------------------------- 1 | obj-m += $(addsuffix .o, $(notdir $(basename $(wildcard $(BR2_EXTERNAL_TEST_KERNEL_MODULES_PATH)/package/kernel-modules/test-mod/*.c)))) 2 | 3 | .PHONY: all clean 4 | 5 | all: 6 | $(MAKE) -C '/lib/modules/$(shell uname -r)/build' M='$(PWD)' modules 7 | 8 | clean: 9 | $(MAKE) -C '$(LINUX_DIR)' M='$(PWD)' clean -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/test-kernel-modules/package/kernel-modules/test-mod/test-mod.mk: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # 
test-mod 4 | # 5 | ################################################################################ 6 | 7 | TEST_MOD_VERSION = 1.0 8 | TEST_MOD_SITE = $(BR2_EXTERNAL_TEST_KERNEL_MODULES_PATH)/package/kernel-modules/test-mod 9 | TEST_MOD_SITE_METHOD = local 10 | 11 | $(eval $(kernel-module)) 12 | $(eval $(generic-package)) -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/test-mod-userspace.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include "tsffs.h" 12 | 13 | #define MAJOR_NUM 100 14 | #define IOCTL_SET_MSG _IOW(MAJOR_NUM, 0, char *) 15 | #define IOCTL_GET_MSG _IOR(MAJOR_NUM, 1, char *) 16 | #define IOCTL_GET_NTH_BYTE _IOWR(MAJOR_NUM, 2, int) 17 | #define DEVICE_FILE_NAME "char_dev" 18 | #define DEVICE_PATH "/dev/char_dev" 19 | 20 | int ioctl_set_msg(int file_desc, char *message) { 21 | int ret_val; 22 | 23 | ret_val = ioctl(file_desc, IOCTL_SET_MSG, message); 24 | 25 | if (ret_val < 0) { 26 | printf("ioctl_set_msg failed:%d\n", ret_val); 27 | } 28 | 29 | return ret_val; 30 | } 31 | 32 | int ioctl_get_msg(int file_desc) { 33 | int ret_val; 34 | char message[100] = {0}; 35 | 36 | ret_val = ioctl(file_desc, IOCTL_GET_MSG, message); 37 | 38 | if (ret_val < 0) { 39 | printf("ioctl_get_msg failed:%d\n", ret_val); 40 | } 41 | printf("get_msg message:%s", message); 42 | 43 | return ret_val; 44 | } 45 | 46 | int ioctl_get_nth_byte(int file_desc) { 47 | int i, c; 48 | 49 | printf("get_nth_byte message:"); 50 | 51 | i = 0; 52 | do { 53 | c = ioctl(file_desc, IOCTL_GET_NTH_BYTE, i++); 54 | 55 | if (c < 0) { 56 | printf("\nioctl_get_nth_byte failed at the %d'th byte:\n", i); 57 | return c; 58 | } 59 | 60 | putchar(c); 61 | } while (c != 0); 62 | 63 | return 0; 64 | } 65 | 66 | int main(void) { 67 | int 
file_desc, ret_val; 68 | char msg[80] = {0}; 69 | 70 | file_desc = open(DEVICE_PATH, O_RDWR); 71 | if (file_desc < 0) { 72 | printf("Can't open device file: %s, error:%d\n", DEVICE_PATH, file_desc); 73 | exit(EXIT_FAILURE); 74 | } 75 | 76 | size_t msg_size = 80; 77 | size_t *msg_size_ptr = &msg_size; 78 | 79 | HARNESS_START_INDEX(1, msg, msg_size_ptr); 80 | 81 | ret_val = ioctl_set_msg(file_desc, msg); 82 | 83 | HARNESS_STOP_INDEX(1); 84 | 85 | if (ret_val) goto error; 86 | 87 | close(file_desc); 88 | return 0; 89 | error: 90 | close(file_desc); 91 | exit(EXIT_FAILURE); 92 | } 93 | -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/test-mod.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #define MAJOR_NUM 100 12 | #define IOCTL_SET_MSG _IOW(MAJOR_NUM, 0, char *) 13 | #define IOCTL_GET_MSG _IOR(MAJOR_NUM, 1, char *) 14 | #define IOCTL_GET_NTH_BYTE _IOWR(MAJOR_NUM, 2, int) 15 | #define DEVICE_FILE_NAME "char_dev" 16 | #define DEVICE_PATH "/dev/char_dev" 17 | 18 | int ioctl_set_msg(int file_desc, char *message) { 19 | int ret_val; 20 | 21 | ret_val = ioctl(file_desc, IOCTL_SET_MSG, message); 22 | 23 | if (ret_val < 0) { 24 | printf("ioctl_set_msg failed:%d\n", ret_val); 25 | } 26 | 27 | return ret_val; 28 | } 29 | 30 | int ioctl_get_msg(int file_desc) { 31 | int ret_val; 32 | char message[100] = {0}; 33 | 34 | ret_val = ioctl(file_desc, IOCTL_GET_MSG, message); 35 | 36 | if (ret_val < 0) { 37 | printf("ioctl_get_msg failed:%d\n", ret_val); 38 | } 39 | printf("get_msg message:%s", message); 40 | 41 | return ret_val; 42 | } 43 | 44 | int ioctl_get_nth_byte(int file_desc) { 45 | int i, c; 46 | 47 | printf("get_nth_byte message:"); 48 | 49 | i = 0; 50 | do { 51 | c = ioctl(file_desc, IOCTL_GET_NTH_BYTE, i++); 
52 | 53 | if (c < 0) { 54 | printf("\nioctl_get_nth_byte failed at the %d'th byte:\n", i); 55 | return c; 56 | } 57 | 58 | putchar(c); 59 | } while (c != 0); 60 | 61 | return 0; 62 | } 63 | 64 | int main(void) { 65 | int file_desc, ret_val; 66 | char *msg = "AAAAAAAA\n"; 67 | 68 | file_desc = open(DEVICE_PATH, O_RDWR); 69 | if (file_desc < 0) { 70 | printf("Can't open device file: %s, error:%d\n", DEVICE_PATH, file_desc); 71 | exit(EXIT_FAILURE); 72 | } 73 | 74 | ret_val = ioctl_set_msg(file_desc, msg); 75 | if (ret_val) goto error; 76 | 77 | close(file_desc); 78 | return 0; 79 | error: 80 | close(file_desc); 81 | exit(EXIT_FAILURE); 82 | } -------------------------------------------------------------------------------- /tests/rsrc/riscv-64/test.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | #include "tsffs.h" 9 | 10 | const char *password = "fuzzing!"; 11 | 12 | int check(char *buffer) { 13 | if ((((char *)buffer)[0]) == password[0]) { 14 | if ((((char *)buffer)[1]) == password[1]) { 15 | if ((((char *)buffer)[2]) == password[2]) { 16 | if ((((char *)buffer)[3]) == password[3]) { 17 | if ((((char *)buffer)[4]) == password[4]) { 18 | if ((((char *)buffer)[5]) == password[5]) { 19 | if ((((char *)buffer)[6]) == password[6]) { 20 | if ((((char *)buffer)[7]) == password[7]) { 21 | printf("All characters were correct!\n"); 22 | uint8_t *ptr = (uint8_t *)0xffffffffffffffff; 23 | *ptr = 0; 24 | } 25 | } 26 | } 27 | } 28 | } 29 | } 30 | } 31 | } 32 | 33 | return 0; 34 | } 35 | 36 | int main() { 37 | // We have a size and a buffer of that size. The address of the buffer and the 38 | // address of the size variable will be passed to the fuzzer. On the first 39 | // start harness, the fuzzer will save the initial value of the size and the 40 | // addresses of both variables. 
On each iteration of the fuzzer, up to the 41 | // initial size bytes of fuzzer input data will be written to the buffer, and 42 | // the current testcase size in bytes will be written to the size variable. 43 | char buffer[8] = {'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'}; 44 | size_t size = sizeof(buffer); 45 | size_t *size_ptr = &size; 46 | 47 | setvbuf(stdout, NULL, _IONBF, 0); 48 | setvbuf(stderr, NULL, _IONBF, 0); 49 | 50 | // printf("Running test...\n"); 51 | 52 | HARNESS_START(buffer, size_ptr); 53 | 54 | // NOTE: Because of line buffering at the simics level, this will be extremely 55 | // garbled. 56 | printf("sz: %zu\ntc: ", size); 57 | 58 | for (size_t i = 0; i < size; i++) { 59 | printf("%02x", buffer[i]); 60 | } 61 | 62 | printf("\n"); 63 | 64 | check(buffer); 65 | 66 | HARNESS_STOP(); 67 | 68 | return 0; 69 | } -------------------------------------------------------------------------------- /tests/rsrc/test-lcov/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | -------------------------------------------------------------------------------- /tests/rsrc/test-lcov/html/home/index.html: -------------------------------------------------------------------------------- 1 | TSFFS Coverage Report
TSFFS Code Coverage Report
Current view:Top Level - html - home
Generated On2024-07-16 17:40:25
CoverageTotalHit
Lines87.50%2421
Functions100.00%44
File/DirectoryLine CoverageTotal LinesHit LinesFunction CoverageTotal FunctionsHit Functions
rhart87.50%2421100.00%44
-------------------------------------------------------------------------------- /tests/rsrc/test-lcov/html/home/rhart/hub/index.html: -------------------------------------------------------------------------------- 1 | TSFFS Coverage Report
TSFFS Code Coverage Report
Current view:Top Level - rhart - hub
Generated On2024-07-16 17:40:25
CoverageTotalHit
Lines87.50%2421
Functions100.00%44
File/DirectoryLine CoverageTotal LinesHit LinesFunction CoverageTotal FunctionsHit Functions
tsffs87.50%2421100.00%44
-------------------------------------------------------------------------------- /tests/rsrc/test-lcov/html/home/rhart/hub/tsffs/index.html: -------------------------------------------------------------------------------- 1 | TSFFS Coverage Report
TSFFS Code Coverage Report
Current view:Top Level - hub - tsffs
Generated On2024-07-16 17:40:25
CoverageTotalHit
Lines87.50%2421
Functions100.00%44
File/DirectoryLine CoverageTotal LinesHit LinesFunction CoverageTotal FunctionsHit Functions
tests87.50%2421100.00%44
-------------------------------------------------------------------------------- /tests/rsrc/test-lcov/html/home/rhart/hub/tsffs/tests/index.html: -------------------------------------------------------------------------------- 1 | TSFFS Coverage Report
TSFFS Code Coverage Report
Current view:Top Level - tsffs - tests
Generated On2024-07-16 17:40:25
CoverageTotalHit
Lines87.50%2421
Functions100.00%44
File/DirectoryLine CoverageTotal LinesHit LinesFunction CoverageTotal FunctionsHit Functions
rsrc87.50%2421100.00%44
-------------------------------------------------------------------------------- /tests/rsrc/test-lcov/html/home/rhart/hub/tsffs/tests/rsrc/index.html: -------------------------------------------------------------------------------- 1 | TSFFS Coverage Report
TSFFS Code Coverage Report
Current view:Top Level - tests - rsrc
Generated On2024-07-16 17:40:25
CoverageTotalHit
Lines87.50%2421
Functions100.00%44
File/DirectoryLine CoverageTotal LinesHit LinesFunction CoverageTotal FunctionsHit Functions
test-lcov87.50%2421100.00%44
-------------------------------------------------------------------------------- /tests/rsrc/test-lcov/html/home/rhart/hub/tsffs/tests/rsrc/test-lcov/subdir1/index.html: -------------------------------------------------------------------------------- 1 | TSFFS Coverage Report
TSFFS Code Coverage Report
Current view:Top Level - test-lcov - subdir1
Generated On2024-07-16 17:40:25
CoverageTotalHit
Lines85.71%76
Functions100.00%11
File/DirectoryLine CoverageTotal LinesHit LinesFunction CoverageTotal FunctionsHit Functions
test.c85.71%76100.00%11
-------------------------------------------------------------------------------- /tests/rsrc/test-lcov/html/home/rhart/hub/tsffs/tests/rsrc/test-lcov/subdir2/index.html: -------------------------------------------------------------------------------- 1 | TSFFS Coverage Report
TSFFS Code Coverage Report
Current view:Top Level - test-lcov - subdir2
Generated On2024-07-16 17:40:25
CoverageTotalHit
Lines85.71%76
Functions100.00%11
File/DirectoryLine CoverageTotal LinesHit LinesFunction CoverageTotal FunctionsHit Functions
test-subdir2.c85.71%76100.00%11
-------------------------------------------------------------------------------- /tests/rsrc/test-lcov/html/home/rhart/index.html: -------------------------------------------------------------------------------- 1 | TSFFS Coverage Report
TSFFS Code Coverage Report
Current view:Top Level - home - rhart
Generated On2024-07-16 17:40:25
CoverageTotalHit
Lines87.50%2421
Functions100.00%44
File/DirectoryLine CoverageTotal LinesHit LinesFunction CoverageTotal FunctionsHit Functions
hub87.50%2421100.00%44
-------------------------------------------------------------------------------- /tests/rsrc/test-lcov/html/index.html: -------------------------------------------------------------------------------- 1 | TSFFS Coverage Report
TSFFS Code Coverage Report
Current view:Top Level - html
Generated On2024-07-16 17:40:25
CoverageTotalHit
Lines87.50%2421
Functions100.00%44
File/DirectoryLine CoverageTotal LinesHit LinesFunction CoverageTotal FunctionsHit Functions
home87.50%2421100.00%44
-------------------------------------------------------------------------------- /tests/rsrc/test-lcov/subdir1/test.c: -------------------------------------------------------------------------------- 1 | #include 2 | extern int x(int); 3 | 4 | int main() { 5 | int a = 0; 6 | 7 | a += 1; 8 | 9 | a = x(a); 10 | 11 | if (a == 15) { 12 | printf("%s\n", "hello"); 13 | } else { 14 | printf("no\n"); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /tests/rsrc/test-lcov/subdir2/test-subdir2.c: -------------------------------------------------------------------------------- 1 | #include 2 | extern int x(int); 3 | 4 | int main() { 5 | int a = 0; 6 | 7 | a += 1; 8 | 9 | a = x(a); 10 | 11 | if (a == 15) { 12 | printf("%s\n", "hello"); 13 | } else { 14 | printf("no\n"); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /tests/rsrc/test-lcov/test.c: -------------------------------------------------------------------------------- 1 | #include 2 | extern int x(int); 3 | 4 | int main() { 5 | int a = 0; 6 | 7 | a += 1; 8 | 9 | a = x(a); 10 | 11 | if (a == 15) { 12 | printf("%s\n", "hello"); 13 | } else { 14 | printf("no\n"); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /tests/rsrc/test-lcov/test2.c: -------------------------------------------------------------------------------- 1 | int x(int a) { 2 | return a; 3 | } 4 | -------------------------------------------------------------------------------- /tests/rsrc/x86-user/.gitignore: -------------------------------------------------------------------------------- 1 | .ninja_log 2 | test 3 | *.h 4 | *.fs 5 | *.craff -------------------------------------------------------------------------------- /tests/rsrc/x86-user/build.ninja: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: 
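Apache-2.0 3 | 4 | rule cc 5 | command = clang $cflags -o $out $in 6 | 7 | build test: cc test.c 8 | cflags = -m32 -static -O0 9 | -------------------------------------------------------------------------------- /tests/rsrc/x86-user/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | set -e # stop at the first failing step so the top-level build.sh, which runs with set -e, sees the failure 6 | SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 7 | CRAFF="${SCRIPT_DIR}/../../../bin/craff" 8 | CRAFF_FS="${SCRIPT_DIR}/../../../bin/craff-fs" 9 | 10 | if [ -n "${SIMICS_BASE}" ]; then 11 | mkdir -p "${SCRIPT_DIR}/../../../bin" 12 | cp "${SIMICS_BASE}/linux64/bin/craff" "${CRAFF}" 13 | cp "${SIMICS_BASE}/linux64/bin/craff-fs" "${CRAFF_FS}" 14 | fi 15 | 16 | cd "${SCRIPT_DIR}" || exit 1 # ninja, dd, mkfs.fat and mcopy below use paths relative to this directory 17 | cp "${SCRIPT_DIR}/../../../harness/tsffs.h" "${SCRIPT_DIR}/tsffs.h" 18 | cp "${SCRIPT_DIR}/../../rsrc/minimal_boot_disk.craff" "${SCRIPT_DIR}/minimal_boot_disk.craff" 19 | 20 | ninja 21 | 22 | dd if=/dev/zero of=test.fs bs=1024 count=131072 23 | mkfs.fat test.fs 24 | mcopy -i test.fs test ::test 25 | "${CRAFF}" -o test.fs.craff test.fs -------------------------------------------------------------------------------- /tests/rsrc/x86-user/test.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "tsffs.h" 10 | 11 | const char hex[] = {'0', '1', '2', '3', '4', '5', '6', '7', 12 | '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'}; 13 | const char *password = "fuzzing!"; 14 | 15 | int check(char *buffer) { 16 | if ((((char *)buffer)[0]) == password[0]) { 17 | if ((((char *)buffer)[1]) == password[1]) { 18 | if ((((char *)buffer)[2]) == password[2]) { 19 | if ((((char *)buffer)[3]) == password[3]) { 20 | if ((((char *)buffer)[4]) == password[4]) { 21 | if ((((char *)buffer)[5]) ==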
password[5]) { 22 | if ((((char *)buffer)[6]) == password[6]) { 23 | if ((((char *)buffer)[7]) == password[7]) { 24 | puts("All characters were correct!"); 25 | uint8_t *ptr = (uint8_t *)0xffffffff; 26 | *ptr = 0; 27 | } 28 | } 29 | } 30 | } 31 | } 32 | } 33 | } 34 | } 35 | 36 | return 0; 37 | } 38 | 39 | // The entrypoint of our EFI application 40 | int main() { 41 | // We have a size and a buffer of that size. The address of the buffer and the 42 | // address of the size variable will be passed to the fuzzer. On the first 43 | // start harness, the fuzzer will save the initial value of the size and the 44 | // addresses of both variables. On each iteration of the fuzzer, up to the 45 | // initial size bytes of fuzzer input data will be written to the buffer, and 46 | // the current testcase size in bytes will be written to the size variable. 47 | char buffer[8] = {'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'}; 48 | size_t size = sizeof(buffer); 49 | 50 | printf("%p %p (%zu)\n", buffer, &size, size); 51 | fflush(stdout); 52 | sleep(3); 53 | 54 | HARNESS_START(buffer, &size); 55 | 56 | printf("%p %p (%zu)\n", buffer, &size, size); 57 | 58 | for (size_t i = 0; i < size; i++) { 59 | printf("%02x", (unsigned int)buffer[i]); 60 | } 61 | 62 | printf("\n"); 63 | 64 | check(buffer); 65 | 66 | HARNESS_STOP(); 67 | 68 | return 0; 69 | } -------------------------------------------------------------------------------- /tests/rsrc/x86_64-breakpoint-uefi-edk2/.gitignore: -------------------------------------------------------------------------------- 1 | .ninja_log 2 | test.efi 3 | *.craff -------------------------------------------------------------------------------- /tests/rsrc/x86_64-breakpoint-uefi-edk2/Dockerfile: -------------------------------------------------------------------------------- 1 | # hadolint global ignore=DL3008 2 | FROM ghcr.io/tianocore/containers/ubuntu-22-build:a0dd931@sha256:bcda96cb0b9a39a881122ab7d3be86e6151f4c66968421827384c97850c790a5 3 | ENV 
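DEBIAN_FRONTEND=noninteractive 4 | 5 | SHELL ["/bin/bash", "-o", "pipefail", "-c"] 6 | 7 | ENV EDK2_REPO_URL "https://github.com/tianocore/edk2.git" 8 | ENV EDK2_REPO_HASH "95d8a1c255cfb8e063d679930d08ca6426eb5701" 9 | ENV EDK2_PATH "/edk2" 10 | 11 | 12 | RUN git clone "${EDK2_REPO_URL}" "${EDK2_PATH}" && \ 13 | git -C "${EDK2_PATH}" checkout "${EDK2_REPO_HASH}" && \ 14 | python3 -m pip install --no-cache-dir -r "${EDK2_PATH}/pip-requirements.txt" && \ 15 | stuart_setup -c "${EDK2_PATH}/.pytool/CISettings.py" TOOL_CHAIN_TAG=GCC5 && \ 16 | stuart_update -c "${EDK2_PATH}/.pytool/CISettings.py" TOOL_CHAIN_TAG=GCC5 17 | 18 | COPY src "${EDK2_PATH}/HelloWorld/" 19 | 20 | RUN stuart_setup -c "${EDK2_PATH}/HelloWorld/PlatformBuild.py" TOOL_CHAIN_TAG=GCC5 && \ 21 | stuart_update -c "${EDK2_PATH}/HelloWorld/PlatformBuild.py" TOOL_CHAIN_TAG=GCC5 && \ 22 | python3 "${EDK2_PATH}/BaseTools/Edk2ToolsBuild.py" -t GCC5 23 | 24 | WORKDIR "${EDK2_PATH}" 25 | 26 | RUN source ${EDK2_PATH}/edksetup.sh && \ 27 | ( stuart_build -c ${EDK2_PATH}/HelloWorld/PlatformBuild.py TOOL_CHAIN_TAG=GCC5 \ 28 | EDK_TOOLS_PATH=${EDK2_PATH}/BaseTools/ \ 29 | || ( cat ${EDK2_PATH}/HelloWorld/Build/BUILDLOG.txt && exit 1 ) ) 30 | -------------------------------------------------------------------------------- /tests/rsrc/x86_64-breakpoint-uefi-edk2/build.ninja: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | rule runbuild 5 | command = bash build.sh 6 | 7 | build HelloWorld.efi: runbuild 8 | -------------------------------------------------------------------------------- /tests/rsrc/x86_64-breakpoint-uefi-edk2/build.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

# Build the HelloWorld.efi module and copy it into the resource directory for
# the example. This only needs to be run if you want to modify the source code
# for the HelloWorld.efi module; otherwise, the EFI is included in the source
# tree for ease of use.

set -e

SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
IMAGE_NAME="edk2-build-tsffs-gcc-x86_64-test-breakpoint"
# Short random suffix so repeated runs do not collide on the container name.
# It only has to be unique, not unpredictable.
CONTAINER_UID=$(echo "${RANDOM}" | sha256sum | head -c 8)
CONTAINER_NAME="${IMAGE_NAME}-tmp-${CONTAINER_UID}"

# Remove the temporary container on every exit path. Under `set -e` a failing
# `docker cp` used to end the script before the final `docker rm`, leaving the
# container behind. Errors are ignored because the container may not exist yet
# when an earlier step fails.
cleanup() {
  docker rm -f "${CONTAINER_NAME}" >/dev/null 2>&1 || true
}
trap cleanup EXIT

pushd "${SCRIPT_DIR}" || exit 1

# Stage the harness header into the Docker build context and the boot disk
# next to the test.
cp -- "${SCRIPT_DIR}/../../../harness/tsffs.h" "${SCRIPT_DIR}/src/tsffs.h"
cp -- "${SCRIPT_DIR}/../minimal_boot_disk.craff" "${SCRIPT_DIR}/minimal_boot_disk.craff"

docker buildx build -t "${IMAGE_NAME}" -f "Dockerfile" .
# The container is only created, never started: it exists so that the built
# EFI binary can be copied out of the image.
docker create --name "${CONTAINER_NAME}" "${IMAGE_NAME}"
docker cp \
  "${CONTAINER_NAME}:/edk2/HelloWorld/Build/HelloWorld/DEBUG_GCC5/X64/HelloWorld.efi" \
  "${SCRIPT_DIR}/test.efi"
-------------------------------------------------------------------------------- /tests/rsrc/x86_64-breakpoint-uefi-edk2/src/.gitignore: -------------------------------------------------------------------------------- 1 | *.h -------------------------------------------------------------------------------- /tests/rsrc/x86_64-breakpoint-uefi-edk2/src/HelloWorld.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | /** @file 5 | This sample application bases on HelloWorld PCD setting 6 | to print "UEFI Hello World!" to the UEFI Console. 7 | Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.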
8 | SPDX-License-Identifier: BSD-2-Clause-Patent 9 | **/ 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #include "tsffs.h" 20 |
/**
  Entry point of the breakpoint test application.

  Allocates one 0x1000-byte region at the fixed physical address 0x4000000,
  hands it to the fuzzer as the testcase buffer, and overwrites the whole
  testcase with 0x44 when its first byte is 0x41.

  @param[in] ImageHandle    The firmware allocated handle for the EFI image.
  @param[in] SystemTable    A pointer to the EFI System Table.
  @retval EFI_SUCCESS           The harness ran to completion.
  @retval EFI_OUT_OF_RESOURCES  The fixed-address allocation failed; any
                                AllocatePages error is reported as this code.
**/
EFI_STATUS
EFIAPI
UefiMain(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable) {
  UINTN capacity = 0x1000;
  UINTN testcase_len = capacity;
  // AllocateAddress asks for exactly this address, so the buffer location is
  // the same on every run.
  EFI_PHYSICAL_ADDRESS fixed_base = 0x4000000;
  EFI_STATUS alloc_status =
      gBS->AllocatePages(AllocateAddress, EfiRuntimeServicesCode,
                         EFI_SIZE_TO_PAGES(capacity), &fixed_base);

  if (EFI_ERROR(alloc_status)) {
    return EFI_OUT_OF_RESOURCES;
  }

  UINT8 *testcase = (UINT8 *)fixed_base;

  HARNESS_START(testcase, &testcase_len);

  if (testcase[0] == 0x41) {
    // Trigger RW breakpoint (presumably one the test places on this buffer;
    // it is not set anywhere in this file).
    SetMem((VOID *)testcase, testcase_len, 0x44);
  }

  HARNESS_STOP();

  // The pages are not freed on this path.
  return EFI_SUCCESS;
}
-------------------------------------------------------------------------------- /tests/rsrc/x86_64-breakpoint-uefi-edk2/src/HelloWorld.dsc: -------------------------------------------------------------------------------- 1 | [Defines] 2 | PLATFORM_NAME = HelloWorld 3 | PLATFORM_GUID = 0458dade-8b6e-4e45-b773-1b27cbda3e06 4 | PLATFORM_VERSION = 0.01 5 | DSC_SPECIFICATION = 0x00010006 6 | OUTPUT_DIRECTORY = Build/HelloWorld 7 | SUPPORTED_ARCHITECTURES = IA32|X64|ARM|AARCH64 8 | BUILD_TARGETS = DEBUG|RELEASE|NOOPT 9 | SKUID_IDENTIFIER = DEFAULT 10 | DEFINE DEBUG_ENABLE_OUTPUT = FALSE # Set to TRUE to enable debug output 11 | DEFINE DEBUG_PRINT_ERROR_LEVEL =
0x80000040 # Flags to control amount of debug output 12 | DEFINE DEBUG_PROPERTY_MASK = 0 13 | 14 | !include MdePkg/MdeLibs.dsc.inc 15 | 16 | [PcdsFeatureFlag] 17 | 18 | [PcdsFixedAtBuild] 19 | gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|$(DEBUG_PROPERTY_MASK) 20 | gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|$(DEBUG_PRINT_ERROR_LEVEL) 21 | 22 | [LibraryClasses] 23 | UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf 24 | UefiLib|MdePkg/Library/UefiLib/UefiLib.inf 25 | PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 26 | BaseLib|MdePkg/Library/BaseLib/BaseLib.inf 27 | BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf 28 | PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf 29 | MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf 30 | UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf 31 | DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf 32 | UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf 33 | 34 | # Include the Debug Library if needed 35 | !if $(DEBUG_ENABLE_OUTPUT) 36 | DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf 37 | DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf 38 | !else ## DEBUG_ENABLE_OUTPUT 39 | DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf 40 | !endif ## DEBUG_ENABLE_OUTPUT 41 | 42 | [Components] 43 | HelloWorld/HelloWorld.inf -------------------------------------------------------------------------------- /tests/rsrc/x86_64-breakpoint-uefi-edk2/src/HelloWorld.inf: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | [Defines] 5 | INF_VERSION = 0x00010005 6 | BASE_NAME = HelloWorld 7 | MODULE_UNI_FILE = HelloWorld.uni 8 | 
FILE_GUID = 6987936E-ED34-44db-AE97-1FA5E4ED2116 9 | MODULE_TYPE = UEFI_APPLICATION 10 | VERSION_STRING = 1.0 11 | ENTRY_POINT = UefiMain 12 | 13 | # 14 | # This flag specifies whether HII resource section is generated into PE image. 15 | # 16 | UEFI_HII_RESOURCE_SECTION = TRUE 17 | 18 | # 19 | # The following information is for reference only and not required by the build tools. 20 | # 21 | # VALID_ARCHITECTURES = IA32 X64 EBC 22 | # 23 | 24 | [Sources] 25 | HelloWorld.c 26 | HelloWorldStr.uni 27 | 28 | [Packages] 29 | # MdePkg.dec provides the Pcds used below 30 | MdePkg/MdePkg.dec 31 | MdeModulePkg/MdeModulePkg.dec 32 | 33 | [LibraryClasses] 34 | UefiApplicationEntryPoint 35 | UefiLib 36 | PcdLib 37 | 38 | [FeaturePcd] 39 | gEfiMdeModulePkgTokenSpaceGuid.PcdHelloWorldPrintEnable ## CONSUMES 40 | 41 | [Pcd] 42 | gEfiMdeModulePkgTokenSpaceGuid.PcdHelloWorldPrintString ## SOMETIMES_CONSUMES 43 | gEfiMdeModulePkgTokenSpaceGuid.PcdHelloWorldPrintTimes ## SOMETIMES_CONSUMES 44 | 45 | [UserExtensions.TianoCore."ExtraFiles"] 46 | HelloWorldExtra.uni -------------------------------------------------------------------------------- /tests/rsrc/x86_64-breakpoint-uefi-edk2/src/HelloWorldExtra.uni: -------------------------------------------------------------------------------- 1 | // /** @file 2 | // HelloWorld Localized Strings and Content 3 | // 4 | // Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
5 | // 6 | // SPDX-License-Identifier: BSD-2-Clause-Patent 7 | // 8 | // **/ 9 | 10 | #string STR_PROPERTIES_MODULE_NAME 11 | #language en-US 12 | "Hello World Application" 13 | 14 | -------------------------------------------------------------------------------- /tests/rsrc/x86_64-breakpoint-uefi-edk2/src/HelloWorldStr.uni: -------------------------------------------------------------------------------- 1 | // /** @file 2 | // Sample UEFI Application Reference EDKII Module. 3 | // 4 | // This is a sample shell application that will print "UEFI Hello World!" to the 5 | // UEFI Console based on PCD setting. 6 | // 7 | // It demos how to use EDKII PCD mechanism to make code more flexible. 8 | // 9 | // Copyright (c) 2016, Intel Corporation. All rights reserved.
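10 | // 11 | // SPDX-License-Identifier: BSD-2-Clause-Patent 12 | // 13 | // **/ 14 | 15 | /=# 16 | 17 | #langdef en-US "English" 18 | 19 | #string STR_HELLO_WORLD_HELP_INFORMATION #language en-US "" 20 | ".TH HelloWorld 0 "Displays a \"UEFI Hello World!\" string."\r\n" 21 | ".SH NAME\r\n" 22 | "HelloWorld application.\r\n" -------------------------------------------------------------------------------- /tests/rsrc/x86_64-crash-uefi/.gitignore: -------------------------------------------------------------------------------- 1 | test.efi 2 | .ninja_log 3 | test.lib 4 | test.o 5 | *.h 6 | *.craff -------------------------------------------------------------------------------- /tests/rsrc/x86_64-crash-uefi/build.ninja: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | rule cc 5 | command = clang -target x86_64-pc-win32-coff -fno-stack-protector -fshort-wchar $ 6 | -mno-red-zone $cflags -c $in -o $out 7 | 8 | rule link 9 | command = lld -flavor link -filealign:16 -subsystem:efi_application -nodefaultlib -dll $ 10 | -entry:UefiMain $in -out:$out 11 | 12 | rule copy 13 | command = cp $in $out 14 | 15 | build test.o: cc test.c 16 | cflags = -O0 17 | build test.efi: link test.o 18 | -------------------------------------------------------------------------------- /tests/rsrc/x86_64-crash-uefi/build.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

# Stage the harness header and the boot disk next to the test source, then
# build test.efi with the build.ninja that sits beside this script.

set -e

SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)

cp -- "${SCRIPT_DIR}/../../../harness/tsffs.h" "${SCRIPT_DIR}/tsffs.h"
cp -- "${SCRIPT_DIR}/../../rsrc/minimal_boot_disk.craff" "${SCRIPT_DIR}/minimal_boot_disk.craff"

# Build in the script's own directory instead of the caller's working
# directory, so the build.ninja that gets picked up is always the one beside
# this script.
ninja -C "${SCRIPT_DIR}"
--------------------------------------------------------------------------------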
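/tests/rsrc/x86_64-timeout-uefi-edk2/.gitignore: -------------------------------------------------------------------------------- 1 | .ninja_log 2 | test.efi 3 | *.craff -------------------------------------------------------------------------------- /tests/rsrc/x86_64-timeout-uefi-edk2/Dockerfile: --------------------------------------------------------------------------------
# hadolint global ignore=DL3008
# The base image is referenced by tag and sha256 digest, so the toolchain
# image cannot change underneath this fixture without an edit to this line.
FROM ghcr.io/tianocore/containers/ubuntu-22-build:a0dd931@sha256:bcda96cb0b9a39a881122ab7d3be86e6151f4c66968421827384c97850c790a5

ENV DEBIAN_FRONTEND=noninteractive

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# key=value form; the space-separated `ENV key value` form is legacy syntax.
ENV EDK2_REPO_URL="https://github.com/tianocore/edk2.git"
ENV EDK2_REPO_HASH="95d8a1c255cfb8e063d679930d08ca6426eb5701"
ENV EDK2_PATH="/edk2"

# EDK2 is checked out at a fixed commit id rather than a branch head.
# NOTE(review): the Python packages are installed from the checkout's
# pip-requirements.txt; whether that file pins versions or hashes is not
# visible here -- confirm if a reproducible build matters.
RUN git clone "${EDK2_REPO_URL}" "${EDK2_PATH}" && \
    git -C "${EDK2_PATH}" checkout "${EDK2_REPO_HASH}" && \
    python3 -m pip install --no-cache-dir -r "${EDK2_PATH}/pip-requirements.txt" && \
    stuart_setup -c "${EDK2_PATH}/.pytool/CISettings.py" TOOL_CHAIN_TAG=GCC5 && \
    stuart_update -c "${EDK2_PATH}/.pytool/CISettings.py" TOOL_CHAIN_TAG=GCC5

# The test application sources (including the staged tsffs.h) enter the image
# here; build.sh copies tsffs.h into src/ before invoking the build.
COPY src "${EDK2_PATH}/HelloWorld/"

RUN stuart_setup -c "${EDK2_PATH}/HelloWorld/PlatformBuild.py" TOOL_CHAIN_TAG=GCC5 && \
    stuart_update -c "${EDK2_PATH}/HelloWorld/PlatformBuild.py" TOOL_CHAIN_TAG=GCC5 && \
    python3 "${EDK2_PATH}/BaseTools/Edk2ToolsBuild.py" -t GCC5

WORKDIR "${EDK2_PATH}"

# On a failed build, print the build log before failing the layer so the
# error is visible in the docker build output.
RUN source "${EDK2_PATH}/edksetup.sh" && \
    ( stuart_build -c "${EDK2_PATH}/HelloWorld/PlatformBuild.py" TOOL_CHAIN_TAG=GCC5 \
    EDK_TOOLS_PATH="${EDK2_PATH}/BaseTools/" \
    || ( cat "${EDK2_PATH}/HelloWorld/Build/BUILDLOG.txt" && exit 1 ) )
-------------------------------------------------------------------------------- /tests/rsrc/x86_64-timeout-uefi-edk2/build.ninja: -------------------------------------------------------------------------------- 1 | #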
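Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | rule runbuild 5 | command = bash build.sh 6 | 7 | build HelloWorld.efi: runbuild 8 | -------------------------------------------------------------------------------- /tests/rsrc/x86_64-timeout-uefi-edk2/build.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

# Build the HelloWorld.efi module and copy it into the resource directory for
# the example. This only needs to be run if you want to modify the source code
# for the HelloWorld.efi module; otherwise, the EFI is included in the source
# tree for ease of use.

set -e

SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
# NOTE(review): tests/rsrc/x86_64-uefi-edk2/build.sh tags its image with the
# same name. Each script builds and then immediately creates its container, so
# sequential runs are fine, but two builds running at the same time could pick
# up each other's image -- confirm these scripts are never run in parallel.
IMAGE_NAME="edk2-build-tsffs-gcc-x86_64-test"
# Short random suffix so repeated runs do not collide on the container name.
# It only has to be unique, not unpredictable.
CONTAINER_UID=$(echo "${RANDOM}" | sha256sum | head -c 8)
CONTAINER_NAME="${IMAGE_NAME}-tmp-${CONTAINER_UID}"

# Remove the temporary container on every exit path. Under `set -e` a failing
# `docker cp` used to end the script before the final `docker rm`, leaving the
# container behind. Errors are ignored because the container may not exist yet
# when an earlier step fails.
cleanup() {
  docker rm -f "${CONTAINER_NAME}" >/dev/null 2>&1 || true
}
trap cleanup EXIT

pushd "${SCRIPT_DIR}" || exit 1

# Stage the harness header into the Docker build context and the boot disk
# next to the test.
cp -- "${SCRIPT_DIR}/../../../harness/tsffs.h" "${SCRIPT_DIR}/src/tsffs.h"
cp -- "${SCRIPT_DIR}/../../rsrc/minimal_boot_disk.craff" "${SCRIPT_DIR}/minimal_boot_disk.craff"

docker buildx build -t "${IMAGE_NAME}" -f "Dockerfile" .
# The container is only created, never started: it exists so that the built
# EFI binary can be copied out of the image.
docker create --name "${CONTAINER_NAME}" "${IMAGE_NAME}"
docker cp \
  "${CONTAINER_NAME}:/edk2/HelloWorld/Build/HelloWorld/DEBUG_GCC5/X64/HelloWorld.efi" \
  "${SCRIPT_DIR}/test.efi"
-------------------------------------------------------------------------------- /tests/rsrc/x86_64-timeout-uefi-edk2/src/.gitignore: -------------------------------------------------------------------------------- 1 | *.h -------------------------------------------------------------------------------- /tests/rsrc/x86_64-timeout-uefi-edk2/src/HelloWorld.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | /** @file 5 | This sample application bases on HelloWorld PCD setting 6 | to print "UEFI Hello World!" to the UEFI Console. 7 | Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.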
8 | SPDX-License-Identifier: BSD-2-Clause-Patent 9 | **/ 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #include "tsffs.h" 20 |
/**
  Entry point of the timeout test application.

  Allocates a 64-byte testcase buffer, pre-fills it with 0x44, and hands it to
  the fuzzer. When the first testcase byte is 0x41 the application prints a
  message and stalls, which is the slow path this fixture exists to exercise.

  @param[in] ImageHandle    The firmware allocated handle for the EFI image.
  @param[in] SystemTable    A pointer to the EFI System Table.
  @retval EFI_SUCCESS           The harness ran to completion.
  @retval EFI_OUT_OF_RESOURCES  The testcase buffer could not be allocated.
**/
EFI_STATUS
EFIAPI
UefiMain(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable) {
  UINTN capacity = 64;
  UINTN testcase_len = capacity;
  UINTN page_count = EFI_SIZE_TO_PAGES(capacity);
  UINT8 *testcase = (UINT8 *)AllocatePages(page_count);

  if (!testcase) {
    return EFI_OUT_OF_RESOURCES;
  }

  // Known fill value, so the buffer never starts with 0x41 before the fuzzer
  // writes a testcase into it.
  SetMem((VOID *)testcase, capacity, 0x44);

  HARNESS_START(testcase, &testcase_len);

  if (testcase[0] == 0x41) {
    Print(L"Stalling...\n");
    // 10 * 1000 * 1000 microseconds, i.e. ten seconds.
    gBS->Stall(10 * 1000 * 1000);
  }

  HARNESS_STOP();

  if (testcase) {
    FreePages(testcase, page_count);
  }

  return EFI_SUCCESS;
}
-------------------------------------------------------------------------------- /tests/rsrc/x86_64-timeout-uefi-edk2/src/HelloWorld.dsc: -------------------------------------------------------------------------------- 1 | [Defines] 2 | PLATFORM_NAME = HelloWorld 3 | PLATFORM_GUID = 0458dade-8b6e-4e45-b773-1b27cbda3e06 4 | PLATFORM_VERSION = 0.01 5 | DSC_SPECIFICATION = 0x00010006 6 | OUTPUT_DIRECTORY = Build/HelloWorld 7 | SUPPORTED_ARCHITECTURES = IA32|X64|ARM|AARCH64 8 | BUILD_TARGETS = DEBUG|RELEASE|NOOPT 9 | SKUID_IDENTIFIER = DEFAULT 10 | DEFINE DEBUG_ENABLE_OUTPUT = FALSE # Set to TRUE to enable debug output 11 | DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x80000040 # Flags to control amount of
debug output 12 | DEFINE DEBUG_PROPERTY_MASK = 0 13 | 14 | !include MdePkg/MdeLibs.dsc.inc 15 | 16 | [PcdsFeatureFlag] 17 | 18 | [PcdsFixedAtBuild] 19 | gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|$(DEBUG_PROPERTY_MASK) 20 | gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|$(DEBUG_PRINT_ERROR_LEVEL) 21 | 22 | [LibraryClasses] 23 | UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf 24 | UefiLib|MdePkg/Library/UefiLib/UefiLib.inf 25 | PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 26 | BaseLib|MdePkg/Library/BaseLib/BaseLib.inf 27 | BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf 28 | PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf 29 | MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf 30 | UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf 31 | DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf 32 | UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf 33 | 34 | # Include the Debug Library if needed 35 | !if $(DEBUG_ENABLE_OUTPUT) 36 | DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf 37 | DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf 38 | !else ## DEBUG_ENABLE_OUTPUT 39 | DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf 40 | !endif ## DEBUG_ENABLE_OUTPUT 41 | 42 | [Components] 43 | HelloWorld/HelloWorld.inf -------------------------------------------------------------------------------- /tests/rsrc/x86_64-timeout-uefi-edk2/src/HelloWorld.inf: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | [Defines] 5 | INF_VERSION = 0x00010005 6 | BASE_NAME = HelloWorld 7 | MODULE_UNI_FILE = HelloWorld.uni 8 | FILE_GUID = 6987936E-ED34-44db-AE97-1FA5E4ED2116 
9 | MODULE_TYPE = UEFI_APPLICATION 10 | VERSION_STRING = 1.0 11 | ENTRY_POINT = UefiMain 12 | 13 | # 14 | # This flag specifies whether HII resource section is generated into PE image. 15 | # 16 | UEFI_HII_RESOURCE_SECTION = TRUE 17 | 18 | # 19 | # The following information is for reference only and not required by the build tools. 20 | # 21 | # VALID_ARCHITECTURES = IA32 X64 EBC 22 | # 23 | 24 | [Sources] 25 | HelloWorld.c 26 | HelloWorldStr.uni 27 | 28 | [Packages] 29 | # MdePkg.dec provides the Pcds used below 30 | MdePkg/MdePkg.dec 31 | MdeModulePkg/MdeModulePkg.dec 32 | 33 | [LibraryClasses] 34 | UefiApplicationEntryPoint 35 | UefiLib 36 | PcdLib 37 | 38 | [FeaturePcd] 39 | gEfiMdeModulePkgTokenSpaceGuid.PcdHelloWorldPrintEnable ## CONSUMES 40 | 41 | [Pcd] 42 | gEfiMdeModulePkgTokenSpaceGuid.PcdHelloWorldPrintString ## SOMETIMES_CONSUMES 43 | gEfiMdeModulePkgTokenSpaceGuid.PcdHelloWorldPrintTimes ## SOMETIMES_CONSUMES 44 | 45 | [UserExtensions.TianoCore."ExtraFiles"] 46 | HelloWorldExtra.uni -------------------------------------------------------------------------------- /tests/rsrc/x86_64-timeout-uefi-edk2/src/HelloWorldExtra.uni: -------------------------------------------------------------------------------- 1 | // /** @file 2 | // HelloWorld Localized Strings and Content 3 | // 4 | // Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
5 | // 6 | // SPDX-License-Identifier: BSD-2-Clause-Patent 7 | // 8 | // **/ 9 | 10 | #string STR_PROPERTIES_MODULE_NAME 11 | #language en-US 12 | "Hello World Application" 13 | 14 | -------------------------------------------------------------------------------- /tests/rsrc/x86_64-timeout-uefi-edk2/src/HelloWorldStr.uni: -------------------------------------------------------------------------------- 1 | // /** @file 2 | // Sample UEFI Application Reference EDKII Module. 3 | // 4 | // This is a sample shell application that will print "UEFI Hello World!" to the 5 | // UEFI Console based on PCD setting. 6 | // 7 | // It demos how to use EDKII PCD mechanism to make code more flexible. 8 | // 9 | // Copyright (c) 2016, Intel Corporation. All rights reserved.
10 | // 11 | // SPDX-License-Identifier: BSD-2-Clause-Patent 12 | // 13 | // **/ 14 | 15 | /=# 16 | 17 | #langdef en-US "English" 18 | 19 | #string STR_HELLO_WORLD_HELP_INFORMATION #language en-US "" 20 | ".TH HelloWorld 0 "Displays a \"UEFI Hello World!\" string."\r\n" 21 | ".SH NAME\r\n" 22 | "HelloWorld application.\r\n" -------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi-edk2/.gitignore: -------------------------------------------------------------------------------- 1 | .ninja_log 2 | test.efi 3 | *.craff -------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi-edk2/Dockerfile: -------------------------------------------------------------------------------- 1 | # hadolint global ignore=DL3008 2 | FROM ghcr.io/tianocore/containers/ubuntu-22-build:a0dd931@sha256:bcda96cb0b9a39a881122ab7d3be86e6151f4c66968421827384c97850c790a5 3 | ENV DEBIAN_FRONTEND=noninteractive 4 | 5 | SHELL ["/bin/bash", "-o", "pipefail", "-c"] 6 | 7 | ENV EDK2_REPO_URL "https://github.com/tianocore/edk2.git" 8 | ENV EDK2_REPO_HASH "95d8a1c255cfb8e063d679930d08ca6426eb5701" 9 | ENV EDK2_PATH "/edk2" 10 | 11 | 12 | RUN git clone "${EDK2_REPO_URL}" "${EDK2_PATH}" && \ 13 | git -C "${EDK2_PATH}" checkout "${EDK2_REPO_HASH}" && \ 14 | python3 -m pip install --no-cache-dir -r "${EDK2_PATH}/pip-requirements.txt" && \ 15 | stuart_setup -c "${EDK2_PATH}/.pytool/CISettings.py" TOOL_CHAIN_TAG=GCC5 && \ 16 | stuart_update -c "${EDK2_PATH}/.pytool/CISettings.py" TOOL_CHAIN_TAG=GCC5 17 | 18 | COPY src "${EDK2_PATH}/HelloWorld/" 19 | 20 | RUN stuart_setup -c "${EDK2_PATH}/HelloWorld/PlatformBuild.py" TOOL_CHAIN_TAG=GCC5 && \ 21 | stuart_update -c "${EDK2_PATH}/HelloWorld/PlatformBuild.py" TOOL_CHAIN_TAG=GCC5 && \ 22 | python3 "${EDK2_PATH}/BaseTools/Edk2ToolsBuild.py" -t GCC5 23 | 24 | WORKDIR "${EDK2_PATH}" 25 | 26 | RUN source ${EDK2_PATH}/edksetup.sh && \ 27 | ( stuart_build -c 
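${EDK2_PATH}/HelloWorld/PlatformBuild.py TOOL_CHAIN_TAG=GCC5 \ 28 | EDK_TOOLS_PATH=${EDK2_PATH}/BaseTools/ \ 29 | || ( cat ${EDK2_PATH}/HelloWorld/Build/BUILDLOG.txt && exit 1 ) ) 30 | -------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi-edk2/build.ninja: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | rule runbuild 5 | command = bash build.sh 6 | 7 | build HelloWorld.efi: runbuild 8 | -------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi-edk2/build.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

# Build the HelloWorld.efi module and copy it into the resource directory for
# the example. This only needs to be run if you want to modify the source code
# for the HelloWorld.efi module; otherwise, the EFI is included in the source
# tree for ease of use.

# Stop at the first failing step, as the sibling build scripts do. Without
# this, a failed `docker buildx build` was followed by `docker create` and
# `docker cp` against whatever image already carried the tag, so a stale
# test.efi could be copied out and taken for a fresh build.
set -e

SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
# NOTE(review): tests/rsrc/x86_64-timeout-uefi-edk2/build.sh tags its image
# with the same name -- confirm the two scripts are never run in parallel.
IMAGE_NAME="edk2-build-tsffs-gcc-x86_64-test"
# Short random suffix so repeated runs do not collide on the container name.
# It only has to be unique, not unpredictable.
CONTAINER_UID=$(echo "${RANDOM}" | sha256sum | head -c 8)
CONTAINER_NAME="${IMAGE_NAME}-tmp-${CONTAINER_UID}"

# Remove the temporary container on every exit path, including the early exits
# introduced by `set -e`. Errors are ignored because the container may not
# exist yet when an earlier step fails.
cleanup() {
  docker rm -f "${CONTAINER_NAME}" >/dev/null 2>&1 || true
}
trap cleanup EXIT

pushd "${SCRIPT_DIR}" || exit 1

# Stage the harness header into the Docker build context and the boot disk
# next to the test.
cp -- "${SCRIPT_DIR}/../../../harness/tsffs.h" "${SCRIPT_DIR}/src/tsffs.h"
cp -- "${SCRIPT_DIR}/../../rsrc/minimal_boot_disk.craff" "${SCRIPT_DIR}/minimal_boot_disk.craff"

docker buildx build -t "${IMAGE_NAME}" -f "Dockerfile" .
# The container is only created, never started: it exists so that the built
# EFI binary can be copied out of the image.
docker create --name "${CONTAINER_NAME}" "${IMAGE_NAME}"
docker cp \
  "${CONTAINER_NAME}:/edk2/HelloWorld/Build/HelloWorld/DEBUG_GCC5/X64/HelloWorld.efi" \
  "${SCRIPT_DIR}/test.efi"
-------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi-edk2/src/.gitignore: -------------------------------------------------------------------------------- 1 | *.h -------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi-edk2/src/HelloWorld.c: -------------------------------------------------------------------------------- 1 | // Copyright (C) 2024 Intel Corporation 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | /** @file 5 | This sample application bases on HelloWorld PCD setting 6 | to print "UEFI Hello World!" to the UEFI Console. 7 | Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.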
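8 | SPDX-License-Identifier: BSD-2-Clause-Patent 9 | **/ 10 | 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | #include "tsffs.h" 20 |
/**
  Entry point of the combined crash/hang/success test application.

  Allocates a 64-byte testcase buffer, pre-fills it with 0x44, hands it to the
  fuzzer, and then selects one outcome from the first testcase byte:
  'A' executes an invalid opcode, 'B' stalls for ten seconds, 'C' writes
  through an invalid pointer, and any other value prints a message and
  finishes normally.

  @param[in] ImageHandle    The firmware allocated handle for the EFI image.
  @param[in] SystemTable    A pointer to the EFI System Table.
  @retval EFI_SUCCESS           The harness ran to completion.
  @retval EFI_OUT_OF_RESOURCES  The testcase buffer could not be allocated.
**/
EFI_STATUS
EFIAPI
UefiMain(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable) {
  UINTN input_max_size = 64;
  UINTN input_size = input_max_size;
  UINT8 *input = (UINT8 *)AllocatePages(EFI_SIZE_TO_PAGES(input_max_size));

  if (!input) {
    return EFI_OUT_OF_RESOURCES;
  }

  // Known fill value, so none of the special cases below is selected before
  // the fuzzer writes a testcase into the buffer.
  SetMem((VOID *)input, input_max_size, 0x44);

  HARNESS_START(input, &input_size);

  // Every case ends in `break` so that one input produces exactly one
  // outcome. Without it, 'B' ran on into the faulting store of 'C' once the
  // stall returned, and each case ended in the default "success" print.
  switch (*input) {
    case 'A': {
      // Invalid opcode
      __asm__(".byte 0x06");
      break;
    }
    case 'B': {
      // Sleep for 10 seconds, this is a "hang"

      // NOTE: gBS is the global Boot Services table
      gBS->Stall(10 * 1000 * 1000);
      break;
    }
    case 'C': {
      // This will page fault
      UINT8 *ptr = (UINT8 *)0xffffffffffffffff;
      *ptr = 0x00;
      break;
    }
    default: {
      // Nothing, this is a "success"
      Print(L"Working...\n");
      break;
    }
  }

  HARNESS_STOP();

  if (input) {
    FreePages(input, EFI_SIZE_TO_PAGES(input_max_size));
  }

  return EFI_SUCCESS;
}
-------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi-edk2/src/HelloWorld.dsc: -------------------------------------------------------------------------------- 1 | [Defines] 2 | PLATFORM_NAME = HelloWorld 3 | PLATFORM_GUID = 0458dade-8b6e-4e45-b773-1b27cbda3e06 4 |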
PLATFORM_VERSION = 0.01 5 | DSC_SPECIFICATION = 0x00010006 6 | OUTPUT_DIRECTORY = Build/HelloWorld 7 | SUPPORTED_ARCHITECTURES = IA32|X64|ARM|AARCH64 8 | BUILD_TARGETS = DEBUG|RELEASE|NOOPT 9 | SKUID_IDENTIFIER = DEFAULT 10 | DEFINE DEBUG_ENABLE_OUTPUT = FALSE # Set to TRUE to enable debug output 11 | DEFINE DEBUG_PRINT_ERROR_LEVEL = 0x80000040 # Flags to control amount of debug output 12 | DEFINE DEBUG_PROPERTY_MASK = 0 13 | 14 | !include MdePkg/MdeLibs.dsc.inc 15 | 16 | [PcdsFeatureFlag] 17 | 18 | [PcdsFixedAtBuild] 19 | gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|$(DEBUG_PROPERTY_MASK) 20 | gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|$(DEBUG_PRINT_ERROR_LEVEL) 21 | 22 | [LibraryClasses] 23 | UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf 24 | UefiLib|MdePkg/Library/UefiLib/UefiLib.inf 25 | PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 26 | BaseLib|MdePkg/Library/BaseLib/BaseLib.inf 27 | BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf 28 | PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf 29 | MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf 30 | UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf 31 | DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf 32 | UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/UefiRuntimeServicesTableLib.inf 33 | 34 | # Include the Debug Library if needed 35 | !if $(DEBUG_ENABLE_OUTPUT) 36 | DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf 37 | DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf 38 | !else ## DEBUG_ENABLE_OUTPUT 39 | DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf 40 | !endif ## DEBUG_ENABLE_OUTPUT 41 | 42 | [Components] 43 | HelloWorld/HelloWorld.inf -------------------------------------------------------------------------------- 
/tests/rsrc/x86_64-uefi-edk2/src/HelloWorld.inf: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | 4 | [Defines] 5 | INF_VERSION = 0x00010005 6 | BASE_NAME = HelloWorld 7 | MODULE_UNI_FILE = HelloWorld.uni 8 | FILE_GUID = 6987936E-ED34-44db-AE97-1FA5E4ED2116 9 | MODULE_TYPE = UEFI_APPLICATION 10 | VERSION_STRING = 1.0 11 | ENTRY_POINT = UefiMain 12 | 13 | # 14 | # This flag specifies whether HII resource section is generated into PE image. 15 | # 16 | UEFI_HII_RESOURCE_SECTION = TRUE 17 | 18 | # 19 | # The following information is for reference only and not required by the build tools. 20 | # 21 | # VALID_ARCHITECTURES = IA32 X64 EBC 22 | # 23 | 24 | [Sources] 25 | HelloWorld.c 26 | HelloWorldStr.uni 27 | 28 | [Packages] 29 | # MdePkg.dec provides the Pcds used below 30 | MdePkg/MdePkg.dec 31 | MdeModulePkg/MdeModulePkg.dec 32 | 33 | [LibraryClasses] 34 | UefiApplicationEntryPoint 35 | UefiLib 36 | PcdLib 37 | 38 | [FeaturePcd] 39 | gEfiMdeModulePkgTokenSpaceGuid.PcdHelloWorldPrintEnable ## CONSUMES 40 | 41 | [Pcd] 42 | gEfiMdeModulePkgTokenSpaceGuid.PcdHelloWorldPrintString ## SOMETIMES_CONSUMES 43 | gEfiMdeModulePkgTokenSpaceGuid.PcdHelloWorldPrintTimes ## SOMETIMES_CONSUMES 44 | 45 | [UserExtensions.TianoCore."ExtraFiles"] 46 | HelloWorldExtra.uni -------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi-edk2/src/HelloWorldExtra.uni: -------------------------------------------------------------------------------- 1 | // /** @file 2 | // HelloWorld Localized Strings and Content 3 | // 4 | // Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
5 | // 6 | // SPDX-License-Identifier: BSD-2-Clause-Patent 7 | // 8 | // **/ 9 | 10 | #string STR_PROPERTIES_MODULE_NAME 11 | #language en-US 12 | "Hello World Application" 13 | 14 | -------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi-edk2/src/HelloWorldStr.uni: -------------------------------------------------------------------------------- 1 | // /** @file 2 | // Sample UEFI Application Reference EDKII Module. 3 | // 4 | // This is a sample shell application that will print "UEFI Hello World!" to the 5 | // UEFI Console based on PCD setting. 6 | // 7 | // It demos how to use EDKII PCD mechanism to make code more flexible. 8 | // 9 | // Copyright (c) 2016, Intel Corporation. All rights reserved.
10 | // 11 | // SPDX-License-Identifier: BSD-2-Clause-Patent 12 | // 13 | // **/ 14 | 15 | /=# 16 | 17 | #langdef en-US "English" 18 | 19 | #string STR_HELLO_WORLD_HELP_INFORMATION #language en-US "" 20 | ".TH HelloWorld 0 "Displays a \"UEFI Hello World!\" string."\r\n" 21 | ".SH NAME\r\n" 22 | "HelloWorld application.\r\n" -------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi/.gitignore: -------------------------------------------------------------------------------- 1 | .ninja_log 2 | *.efi 3 | *.lib 4 | *.o 5 | *.h 6 | *.craff -------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi/build.ninja: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Intel Corporation 2 | # SPDX-License-Identifier: Apache-2.0 3 | # NOTE(review): every object below is compiled at -O0 with -fno-stack-protector, i.e. without stack canaries; presumably intended for these fuzz-target fixtures only, not a flag set to reuse for production firmware. 4 | rule cc 5 | command = clang -target x86_64-pc-win32-coff -fno-stack-protector -fshort-wchar $ 6 | -mno-red-zone $cflags -c $in -o $out 7 | 8 | rule link 9 | command = lld -flavor link -filealign:16 -subsystem:efi_application -nodefaultlib -dll $ 10 | -entry:UefiMain $in -out:$out 11 | 12 | rule copy 13 | command = cp $in $out 14 | 15 | build test.o: cc test.c 16 | cflags = -O0 17 | build test.efi: link test.o 18 | build test-fast.o: cc test-fast.c 19 | cflags = -O0 20 | build test-fast.efi: link test-fast.o 21 | build test-cov.o: cc test-cov.c 22 | cflags = -O0 23 | build test-cov.efi: link test-cov.o 24 | -------------------------------------------------------------------------------- /tests/rsrc/x86_64-uefi/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Copyright (C) 2024 Intel Corporation 4 | # SPDX-License-Identifier: Apache-2.0 5 | # Copies harness/tsffs.h and minimal_boot_disk.craff next to this script, then runs ninja. 6 | set -e 7 | # NOTE(review): only -e is set (no -u or pipefail), and the final ninja call runs in the caller's working directory rather than SCRIPT_DIR; presumably the script is expected to be started from its own directory - confirm, or pass the directory with ninja -C. 8 | SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 9 | 10 | cp "${SCRIPT_DIR}/../../../harness/tsffs.h" "${SCRIPT_DIR}/tsffs.h" 11 | cp
"${SCRIPT_DIR}/../../rsrc/minimal_boot_disk.craff" "${SCRIPT_DIR}/minimal_boot_disk.craff" 12 | 13 | ninja --------------------------------------------------------------------------------