
From: Roman Kopytin Roman.Kopytin@kaspersky.com
Signed-off-by: Roman Kopytin Roman.Kopytin@kaspersky.com Signed-off-by: Ivan Mikhaylov fr0st61te@gmail.com Cc: Rasmus Villemoes rasmus.villemoes@prevas.dk --- test/py/tests/test_vboot.py | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+)
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index e3e7ca4b21..5ae622fe21 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -491,6 +491,37 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
 # Check that the boot fails if the global signature is not provided
 run_bootm(sha_algo, 'global image signature', 'signature is mandatory', False)
+ def test_fdt_add_pubkey(sha_algo, padding, sign_options):
+ """Test fdt_add_pubkey utility with given hash algorithm and padding.
+
+ This function tests if fdt_add_pubkey utility may add public keys into dtb.
+
+ Args:
+ sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use
+ padding: Either '' or '-pss', to select the padding to use for the
+ rsa signature algorithm.
+ sign_options: Options to mkimage when signing a fit image.
+ """
+
+ # Create a fresh .dtb without the public keys
+ dtc('sandbox-u-boot.dts')
+ make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
+
+ # Sign images with our dev keys
+ sign_fit(sha_algo, sign_options)
+
+ # Create a fresh .dtb without the public keys
+ dtc('sandbox-u-boot.dts')
+
+ cons.log.action('%s: Test fdt_add_pubkey with signed configuration' % sha_algo)
+ # Then add the dev key via the fdt_add_pubkey tool
+ util.run_and_log(cons, [fdt_add_pubkey, '-a', '%s,%s' % ('sha256' if algo_arg else sha_algo, \
+ 'rsa3072' if sha_algo == 'sha384' else 'rsa2048'),
+ '-k', tmpdir, '-n', 'dev', '-r', 'conf', dtb])
+
+ # Check with fit_check_sign that FIT is signed with key
+ util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
+
 cons = u_boot_console
 tmpdir = os.path.join(cons.config.result_dir, name) + '/'
 if not os.path.exists(tmpdir):
@@ -500,6 +531,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
 mkimage = cons.config.build_dir + '/tools/mkimage'
 binman = cons.config.source_dir + '/tools/binman/binman'
 fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
+ fdt_add_pubkey = cons.config.build_dir + '/tools/fdt_add_pubkey'
 dtc_args = '-I dts -O dtb -i %s' % tmpdir
 dtb = '%ssandbox-u-boot.dtb' % tmpdir
 sig_node = '/configurations/conf-1/signature'
@@ -516,6 +548,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
 with open(evil_kernel, 'wb') as fd:
 fd.write(500 * b'\x01')
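Review bot: The only assertion in the new `test_fdt_add_pubkey` helper is that the final `fit_check_sign` call exits successfully; nothing shows that the same check would fail, or that the dtb lacks the key, before `fdt_add_pubkey` runs, so a tool that exits 0 without writing the key may go unnoticed (this depends on how fit_check_sign treats a dtb with no key node, which the hunk does not show). I would assert on the dtb itself after the tool runs, for example `assert 'conf' in util.run_and_log(cons, 'fdtget -ts %s /signature/key-dev required' % dtb)`, assuming the usual `/signature/key-<name>` layout. The helper also takes `algo_arg`, `cons`, `tmpdir`, `dtb`, `fit` and both tool paths from the enclosing test_vboot, whose body starts and ends outside this hunk; a comment such as `# algo_arg, cons, tmpdir, dtb and fit come from the enclosing test_vboot()` above the first `util.run_and_log` call would make the `'sha256' if algo_arg else sha_algo` choice traceable.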
+ test_fdt_add_pubkey(sha_algo, padding, sign_options)
 try:
 # We need to use our own device tree file. Remember to restore it
 # afterwards.