[PATCH 1/2] test/py: vboot: add a test to check fit signature on fit with padding

27 Mar 2020

The pytest vboot does all his tests on fit without padding.
We add the same tests on fit with padding.
Signed-off-by: Philippe Reynes philippe.reynes@softathome.com
---
 test/py/tests/test_vboot.py | 42 ++++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)

diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 9c41ee5..32299be 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -94,7 +94,7 @@ def test_vboot(u_boot_console):
         util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
                                 '%s%s' % (datadir, its), fit])
-    def sign_fit(sha_algo):
+    def sign_fit(sha_algo, options):
         """Sign the FIT
Signs the FIT and writes the signature into it. It also writes the
@@ -103,10 +103,13 @@ def test_vboot(u_boot_console):
         Args:
             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
                     use.
+            options: Options to provide to mkimage.
         """
+        args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit]
+        if options:
+            args += options.split(' ')
         cons.log.action('%s: Sign images' % sha_algo)
-        util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
-                                '-r', fit])
+        util.run_and_log(cons, args)
def sign_fit_norequire(sha_algo):
         """Sign the FIT
@@ -142,7 +145,7 @@ def test_vboot(u_boot_console):
             handle.write(struct.pack(">I", size))
         return struct.unpack(">I", total_size)[0]
-    def test_with_algo(sha_algo, padding):
+    def test_with_algo(sha_algo, padding, sign_options):
         """Test verified boot with the given hash algorithm.
This is the main part of the test code. The same procedure is followed
@@ -151,6 +154,9 @@ def test_vboot(u_boot_console):
         Args:
             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
                     use.
+            padding: Either '' or '-pss', to select the padding to use for the
+                    rsa signature algorithm.
+            sign_options: Options to mkimage when signing a fit image.
         """
         # Compile our device tree files for kernel and U-Boot. These are
         # regenerated here since mkimage will modify them (by adding a
@@ -164,7 +170,7 @@ def test_vboot(u_boot_console):
         run_bootm(sha_algo, 'unsigned images', 'dev-', True)
# Sign images with our dev keys
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
         run_bootm(sha_algo, 'signed images', 'dev+', True)
# Create a fresh .dtb without the public keys
@@ -175,7 +181,7 @@ def test_vboot(u_boot_console):
         run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
# Sign images with our dev keys
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
         run_bootm(sha_algo, 'signed config', 'dev+', True)
cons.log.action('%s: Check signed config on the host' % sha_algo)
@@ -211,7 +217,7 @@ def test_vboot(u_boot_console):
         util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
                 '-k', dtb], 1, 'Failed to verify required signature')
-    def test_required_key(sha_algo, padding):
+    def test_required_key(sha_algo, padding, sign_options):
         """Test verified boot with the given hash algorithm.
This function test if u-boot reject an image when a required
@@ -220,6 +226,9 @@ def test_vboot(u_boot_console):
         Args:
             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
                     use.
+            padding: Either '' or '-pss', to select the padding to use for the
+                    rsa signature algorithm.
+            sign_options: Options to mkimage when signing a fit image.
         """
         # Compile our device tree files for kernel and U-Boot. These are
         # regenerated here since mkimage will modify them (by adding a
@@ -234,9 +243,9 @@ def test_vboot(u_boot_console):
         # This FIT should not be accepted by u-boot because the key prod is required
         cons.log.action('%s: Test FIT with configs images' % sha_algo)
         make_fit('sign-configs-%s%s-prod.its' % (sha_algo , padding))
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
         make_fit('sign-configs-%s%s.its' % (sha_algo , padding))
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
run_bootm(sha_algo, 'signed configs', '', False)
@@ -282,11 +291,16 @@ def test_vboot(u_boot_console):
         # afterwards.
         old_dtb = cons.config.dtb
         cons.config.dtb = dtb
-        test_with_algo('sha1','')
-        test_with_algo('sha1','-pss')
-        test_with_algo('sha256','')
-        test_with_algo('sha256','-pss')
-        test_required_key('sha256','-pss')
+        test_with_algo('sha1','', None)
+        test_with_algo('sha1','', '-E -p 0x10000')
+        test_with_algo('sha1','-pss', None)
+        test_with_algo('sha1','-pss', '-E -p 0x10000')
+        test_with_algo('sha256','', None)
+        test_with_algo('sha256','', '-E -p 0x10000')
+        test_with_algo('sha256','-pss', None)
+        test_with_algo('sha256','-pss', '-E -p 0x10000')
+        test_required_key('sha256','-pss', None)
+        test_required_key('sha256','-pss', '-E -p 0x10000')
     finally:
         # Go back to the original U-Boot with the correct dtb.
         cons.config.dtb = old_dtb
-- 
2.7.4


    