[PATCH v3] test_vboot.py: include test of fdt_add_pubkey tool
From: Roman Kopytin Roman.Kopytin@kaspersky.com
Signed-off-by: Roman Kopytin Roman.Kopytin@kaspersky.com Signed-off-by: Ivan Mikhaylov fr0st61te@gmail.com Cc: Rasmus Villemoes rasmus.villemoes@prevas.dk --- test/py/tests/test_vboot.py | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+)
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index e3e7ca4b21..5ae622fe21 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py @@ -491,6 +491,37 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, # Check that the boot fails if the global signature is not provided run_bootm(sha_algo, 'global image signature', 'signature is mandatory', False)
+ def test_fdt_add_pubkey(sha_algo, padding, sign_options): + """Test fdt_add_pubkey utility with given hash algorithm and padding. + + This function tests if fdt_add_pubkey utility may add public keys into dtb. + + Args: + sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use + padding: Either '' or '-pss', to select the padding to use for the + rsa signature algorithm. + sign_options: Options to mkimage when signing a fit image. + """ + + # Create a fresh .dtb without the public keys + dtc('sandbox-u-boot.dts') + make_fit('sign-configs-%s%s.its' % (sha_algo, padding)) + + # Sign images with our dev keys + sign_fit(sha_algo, sign_options) + + # Create a fresh .dtb without the public keys + dtc('sandbox-u-boot.dts') + + cons.log.action('%s: Test fdt_add_pubkey with signed configuration' % sha_algo) + # Then add the dev key via the fdt_add_pubkey tool + util.run_and_log(cons, [fdt_add_pubkey, '-a', '%s,%s' % ('sha256' if algo_arg else sha_algo, \ + 'rsa3072' if sha_algo == 'sha384' else 'rsa2048'), + '-k', tmpdir, '-n', 'dev', '-r', 'conf', dtb]) + + # Check with fit_check_sign that FIT is signed with key + util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb]) + cons = u_boot_console tmpdir = os.path.join(cons.config.result_dir, name) + '/' if not os.path.exists(tmpdir): @@ -500,6 +531,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, mkimage = cons.config.build_dir + '/tools/mkimage' binman = cons.config.source_dir + '/tools/binman/binman' fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign' + fdt_add_pubkey = cons.config.build_dir + '/tools/fdt_add_pubkey' dtc_args = '-I dts -O dtb -i %s' % tmpdir dtb = '%ssandbox-u-boot.dtb' % tmpdir sig_node = '/configurations/conf-1/signature' @@ -516,6 +548,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, with open(evil_kernel, 'wb') as fd: fd.write(500 * b'\x01')
+ test_fdt_add_pubkey(sha_algo, padding, sign_options) try: # We need to use our own device tree file. Remember to restore it # afterwards.
Hi Ivan,
On Sun, 19 Mar 2023 at 12:42, Ivan Mikhaylov fr0st61te@gmail.com wrote:
From: Roman Kopytin Roman.Kopytin@kaspersky.com
Please add a commit message.
Signed-off-by: Roman Kopytin Roman.Kopytin@kaspersky.com Signed-off-by: Ivan Mikhaylov fr0st61te@gmail.com Cc: Rasmus Villemoes rasmus.villemoes@prevas.dk
test/py/tests/test_vboot.py | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+)
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index e3e7ca4b21..5ae622fe21 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py @@ -491,6 +491,37 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, # Check that the boot fails if the global signature is not provided run_bootm(sha_algo, 'global image signature', 'signature is mandatory', False)
- def test_fdt_add_pubkey(sha_algo, padding, sign_options):
"""Test fdt_add_pubkey utility with given hash algorithm and padding.This function tests if fdt_add_pubkey utility may add public keys into dtb.Args:sha_algo: Either 'sha1' or 'sha256', to select the algorithm to usepadding: Either '' or '-pss', to select the padding to use for thersa signature algorithm.sign_options: Options to mkimage when signing a fit image."""# Create a fresh .dtb without the public keysdtc('sandbox-u-boot.dts')make_fit('sign-configs-%s%s.its' % (sha_algo, padding))# Sign images with our dev keyssign_fit(sha_algo, sign_options)# Create a fresh .dtb without the public keysdtc('sandbox-u-boot.dts')cons.log.action('%s: Test fdt_add_pubkey with signed configuration' % sha_algo)# Then add the dev key via the fdt_add_pubkey toolutil.run_and_log(cons, [fdt_add_pubkey, '-a', '%s,%s' % ('sha256' if algo_arg else sha_algo, \'rsa3072' if sha_algo == 'sha384' else 'rsa2048'),'-k', tmpdir, '-n', 'dev', '-r', 'conf', dtb])# Check with fit_check_sign that FIT is signed with keyutil.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])- cons = u_boot_console tmpdir = os.path.join(cons.config.result_dir, name) + '/' if not os.path.exists(tmpdir):
@@ -500,6 +531,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, mkimage = cons.config.build_dir + '/tools/mkimage' binman = cons.config.source_dir + '/tools/binman/binman' fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
- fdt_add_pubkey = cons.config.build_dir + '/tools/fdt_add_pubkey' dtc_args = '-I dts -O dtb -i %s' % tmpdir dtb = '%ssandbox-u-boot.dtb' % tmpdir sig_node = '/configurations/conf-1/signature'
@@ -516,6 +548,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, with open(evil_kernel, 'wb') as fd: fd.write(500 * b'\x01')
- test_fdt_add_pubkey(sha_algo, padding, sign_options) try: # We need to use our own device tree file. Remember to restore it # afterwards.
-- 2.39.1
I'm not sure how you are testing this, but it fails for me:
+openssl req -batch -new -x509 -key /tmp/b/sandbox/sha256-global-sign-pss/prod.key -out /tmp/b/sandbox/sha256-global-sign-pss/prod.crt +dtc -I dts -O dtb -i /tmp/b/sandbox/sha256-global-sign-pss/ /home/sjg/c/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts -O dtb -o /tmp/b/sandbox/sha256-global-sign-pss/sandbox-u-boot.dtb /home/sjg/c/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts:10.10-12.4: Warning (unit_address_vs_reg): /reset@0: node has a unit name, but no reg or ranges property +/tmp/b/sandbox/tools/mkimage -D -I dts -O dtb -i /tmp/b/sandbox/sha256-global-sign-pss/ -f /home/sjg/c/src/third_party/u-boot/files/test/py/tests/vboot/sign-configs-sha256-pss.its /tmp/b/sandbox/sha256-global-sign-pss/test.fit FATAL ERROR: Couldn't open "sandbox-kernel.dtb": No such file or directory /tmp/b/sandbox/tools/mkimage: Can't open /tmp/b/sandbox/sha256-global-sign-pss/test.fit.tmp: No such file or directory Error: Bad parameters for FIT image type Usage: /tmp/b/sandbox/tools/mkimage [-T type] -l image -l ==> list image header information -T ==> parse image file as 'type' -q ==> quiet /tmp/b/sandbox/tools/mkimage [-x] -A arch -O os -T type -C comp -a addr -e ep -n name -d data_file[:data_file...] image -A ==> set architecture to 'arch' -O ==> set operating system to 'os' -T ==> set image type to 'type' -C ==> set compression type 'comp' -a ==> set load address to 'addr' (hex) -e ==> set entry point to 'ep' (hex) -n ==> set image name to 'name' -R ==> set second image name to 'name' -d ==> use image data from 'datafile' -x ==> set XIP (execute in place) -s ==> create an image with no data -v ==> verbose /tmp/b/sandbox/tools/mkimage [-D dtc_options] [-f fit-image.its|-f auto|-f auto-conf|-F] [-b <dtb> [-b <dtb>]] [-E] [-B size] [-i <ramdisk.cpio.gz>] fit-image <dtb> file is used with -f auto, it may occur multiple times. -D => set all options for device tree compiler -f => input filename for FIT source -i => input filename for ramdisk file -E => place data outside of the FIT structure -B => align size in hex for FIT structure and header -b => append the device tree binary to the FIT -t => update the timestamp in the FIT Signing / verified boot options: [-k keydir] [-K dtb] [ -c <comment>] [-p addr] [-r] [-N engine] -k => set directory containing private keys -K => write public keys to this .dtb file -g => set key name hint -G => use this signing key (in lieu of -k) -c => add comment in signature node -F => re-sign existing FIT image -p => place external data at a static position -r => mark keys used as 'required' in dtb -N => openssl engine to use for signing -o => algorithm to use for signing /tmp/b/sandbox/tools/mkimage -V ==> print version information and exit Use '-T list' to see a list of available image types Long options are available; read the man page for details Exit code: 1 ================================================== short test summary info ================================================== FAILED test/py/tests/test_vboot.py::test_vboot[sha1-basic-sha1--None-False-True-False-False] - ValueError: Exit code: 1 FAILED test/py/tests/test_vboot.py::test_vboot[sha1-pad-sha1---E -p 0x10000-False-False-False-False] - ValueError: Exit co... FAILED test/py/tests/test_vboot.py::test_vboot[sha1-pss-sha1--pss-None-False-False-False-False] - ValueError: Exit code: 1 FAILED test/py/tests/test_vboot.py::test_vboot[sha1-pss-pad-sha1--pss--E -p 0x10000-False-False-False-False] - ValueError:... FAILED test/py/tests/test_vboot.py::test_vboot[sha256-basic-sha256--None-False-False-False-False] - ValueError: Exit code: 1 FAILED test/py/tests/test_vboot.py::test_vboot[sha256-pad-sha256---E -p 0x10000-False-False-False-False] - ValueError: Exi... FAILED test/py/tests/test_vboot.py::test_vboot[sha256-pss-sha256--pss-None-False-False-False-False] - ValueError: Exit cod... FAILED test/py/tests/test_vboot.py::test_vboot[sha256-pss-pad-sha256--pss--E -p 0x10000-False-False-False-False] - ValueEr... FAILED test/py/tests/test_vboot.py::test_vboot[sha256-pss-required-sha256--pss-None-True-False-False-False] - ValueError: ... FAILED test/py/tests/test_vboot.py::test_vboot[sha256-pss-pad-required-sha256--pss--E -p 0x10000-True-True-False-False] - ... FAILED test/py/tests/test_vboot.py::test_vboot[sha384-basic-sha384--None-False-False-False-False] - ValueError: Exit code: 1 FAILED test/py/tests/test_vboot.py::test_vboot[sha384-pad-sha384---E -p 0x10000-False-False-False-False] - ValueError: Exi... FAILED test/py/tests/test_vboot.py::test_vboot[algo-arg-algo-arg---o sha256,rsa2048-False-False-True-False] - ValueError: ... FAILED test/py/tests/test_vboot.py::test_vboot[sha256-global-sign-sha256---False-False-False-True] - ValueError: Exit code: 1 FAILED test/py/tests/test_vboot.py::test_vboot[sha256-global-sign-pss-sha256--pss--False-False-False-True] - ValueError: E...
If it helps, my alias to run a test is:
# Run a pytest on sandbox # $1: Name of test to run (optional, else run all)
function pyt { local tests local para
if [ "$1" = "-b" ]; then crosfw $b || return 1 shift fi
if [ "$1" = "-p" ]; then para="-n$(nproc) -q" shift fi tests="$@" echo $para $tests
shift test/py/test.py -B sandbox --build-dir /tmp/b/sandbox ${para} ${tests:+"-k $tests"} $@ }
and I build sandbox into /tmp/b/sandbox before typing 'pyt vboot' to run the test.
Also, when I mention adding it to its own test, I mean creating a new function (like test_vboot() but at the end of the file and without unnecessary parameterized arguments) to do your check. There is no need to embed it in the existing test and I think it actually confuses things, since the existing test already adds the public key to the DT.
With a separate test you can still use some code from test_vboot() if you need to - just break it into a separate helper that both test functions can call. Your test should simple create a DT, add a key to it and then check that the key is there (using fit_check_sign for that is fine).
Regards, Simon
participants (2)
-
Ivan Mikhaylov -
Simon Glass