
Hi Ivan,
On Tue, 7 Mar 2023 at 14:13, Ivan Mikhaylov fr0st61te@gmail.com wrote:
From: Roman Kopytin Roman.Kopytin@kaspersky.com
Signed-off-by: Roman Kopytin Roman.Kopytin@kaspersky.com
Cc: Rasmus Villemoes rasmus.villemoes@prevas.dk
test/py/tests/test_vboot.py | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index e3e7ca4b21..956b8fcd43 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py @@ -313,6 +313,13 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
# Create a fresh .dtb without the public keys
dtc('sandbox-u-boot.dts')
# Then add the dev key via the fdt_add_pubkey tool
util.run_and_log(cons, [fdt_add_pubkey, '-a', '%s,rsa2048' % sha_algo,
'-k', tmpdir, '-n', 'dev', '-r', 'conf', dtb])
util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
if full_test: # Make sure that U-Boot checks that the config is in the list of # hashed nodes. If it isn't, a security bypass is possible.
@@ -500,6 +507,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, mkimage = cons.config.build_dir + '/tools/mkimage' binman = cons.config.source_dir + '/tools/binman/binman' fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
- fdt_add_pubkey = cons.config.build_dir + '/tools/fdt_add_pubkey' dtc_args = '-I dts -O dtb -i %s' % tmpdir dtb = '%ssandbox-u-boot.dtb' % tmpdir sig_node = '/configurations/conf-1/signature'
-- 2.39.1
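Review bot: in the first hunk, the fdt_add_pubkey call hard-codes the key type and required mode ('%s,rsa2048' % sha_algo and '-r', 'conf') even though test_vboot is parametrized over padding, sign_options and required, so a mismatch between these fixed arguments and the current parametrization looks the same as a tool bug. The only check is the following fit_check_sign run, which does not show whether the key was actually written to the freshly built dtb or in what form. Consider deriving the arguments from the test parameters, or limiting this step to the cases they match, and asserting directly that the 'dev' key is present in dtb after the tool runs.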
Unfortunately this test fails on sandbox:
https://source.denx.de/u-boot/custodians/u-boot-dm/-/jobs/591975
I think it would be better to put it in its own test (perhaps in the same file) so we are not doing it on every test run. Also you could check (in a very basic way) that it adds the key correctly since we don't really need another test of the logic of doing that. We are just checking that your tool calls that logic correctly.
I'll drop this one when applying, for now. Please take a look.
Regards,
Simon