Message ID | 20191113005306.30356-17-takahiro.akashi@linaro.org |
State | Changes Requested, archived |
Delegated to: | Heinrich Schuchardt |
Series | efi_loader: add secure boot support | expand |
On 11/13/19 1:53 AM, AKASHI Takahiro wrote: > Provide test cases for > * image authentication for signed images > (test_efi_secboot/test_signed.py) > * image authentication for unsigned images > (test_efi_secboot/test_unsigned.py) > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > --- > test/py/tests/test_efi_secboot/test_signed.py | 97 +++++++++++++++++ > .../tests/test_efi_secboot/test_unsigned.py | 100 ++++++++++++++++++ > 2 files changed, 197 insertions(+) > create mode 100644 test/py/tests/test_efi_secboot/test_signed.py > create mode 100644 test/py/tests/test_efi_secboot/test_unsigned.py > > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py > new file mode 100644 > index 000000000000..00f539462eb8 > --- /dev/null > +++ b/test/py/tests/test_efi_secboot/test_signed.py 
> @@ -0,0 +1,97 @@ > +# SPDX-License-Identifier: GPL-2.0+ > +# Copyright (c) 2019, Linaro Limited > +# Author: AKASHI Takahiro <takahiro.akashi@linaro.org> > +# > +# U-Boot UEFI: Signed Image Authentication Test > + > +""" > +This test verifies image authentication for signed images. > +""" > + > +import pytest > +import re > +from defs import * > + > +@pytest.mark.boardspec('sandbox') Why would we only test on the sandbox? This leaves 32bit untested. > +@pytest.mark.buildconfigspec('efi_secure_boot') > +@pytest.mark.buildconfigspec('cmd_efidebug') > +@pytest.mark.buildconfigspec('cmd_fat') > +@pytest.mark.buildconfigspec('cmd_nvedit_efi') > +@pytest.mark.slow > +class TestEfiSignedImage(object): > + def test_efi_signed_image_auth1(self, u_boot_console, efi_boot_env): > + """ > + Test Case 1 - authenticated by db > + """ > + disk_img = efi_boot_env > + with u_boot_console.log.section('Test Case 1a'): > + # Test Case 1a, run signed image if no db/dbx > + output = u_boot_console.run_command_list([ > + 'host bind 0 %s' % disk_img, > + 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""', > + 'efidebug boot next 1', > + 'bootefi bootmgr']) > + assert(re.search('Hello, world!', ''.join(output))) > + > + with u_boot_console.log.section('Test Case 1b'): > + # Test Case 1b, run unsigned image if no db/dbx > + output = u_boot_console.run_command_list([ > + 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""', > + 'efidebug boot next 2', > + 'bootefi bootmgr']) > + assert(re.search('Hello, world!', ''.join(output))) > + > + with u_boot_console.log.section('Test Case 1c'): > + # Test Case 1c, not authenticated by db > + output = u_boot_console.run_command_list([ > + 'fatload host 0:1 4000000 db.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', > + 'fatload host 0:1 4000000 KEK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > + 'fatload host 0:1 4000000 PK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > + 
assert(not re.search('Failed to set EFI variable', ''.join(output))) > + output = u_boot_console.run_command_list([ > + 'efidebug boot next 2', > + 'bootefi bootmgr']) > + assert(re.search('\'HELLO2\' failed', ''.join(output))) > + > + with u_boot_console.log.section('Test Case 1d'): > + # Test Case 1d, authenticated by db > + output = u_boot_console.run_command_list([ > + 'efidebug boot next 1', > + 'bootefi bootmgr']) > + assert(re.search('Hello, world!', ''.join(output))) > + > + def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env): > + """ > + Test Case 2 - rejected by dbx > + """ > + disk_img = efi_boot_env > + with u_boot_console.log.section('Test Case 2a'): > + # Test Case 2a, rejected by dbx > + output = u_boot_console.run_command_list([ > + 'host bind 0 %s' % disk_img, > + 'fatload host 0:1 4000000 db.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', > + 'fatload host 0:1 4000000 KEK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > + 'fatload host 0:1 4000000 PK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > + assert(not re.search('Failed to set EFI variable', ''.join(output))) > + output = u_boot_console.run_command_list([ > + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', > + 'efidebug boot next 1', > + 'bootefi bootmgr']) > + assert(re.search('\'HELLO\' failed', ''.join(output))) > + > + with u_boot_console.log.section('Test Case 2b'): > + # Test Case 2b, rejected by dbx even if db allows > + output = u_boot_console.run_command_list([ > + 'fatload host 0:1 4000000 db.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) > + assert(not re.search('Failed to set EFI variable', ''.join(output))) > + output = u_boot_console.run_command_list([ > + 'efidebug boot next 1', > + 'bootefi bootmgr']) > + assert(re.search('\'HELLO\' failed', ''.join(output))) 
> diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py > new file mode 100644 > index 000000000000..2bfa188b530c > --- /dev/null > +++ b/test/py/tests/test_efi_secboot/test_unsigned.py 
> @@ -0,0 +1,100 @@ > +# SPDX-License-Identifier: GPL-2.0+ > +# Copyright (c) 2019, Linaro Limited > +# Author: AKASHI Takahiro <takahiro.akashi@linaro.org> > +# > +# U-Boot UEFI: Signed Image Authentication Test > + > +""" > +This test verifies image authentication for unsigned images. > +""" > + > +import pytest > +import re > +from defs import * > + > +@pytest.mark.boardspec('sandbox') > +@pytest.mark.buildconfigspec('efi_secure_boot') > +@pytest.mark.buildconfigspec('cmd_efidebug') > +@pytest.mark.buildconfigspec('cmd_fat') > +@pytest.mark.buildconfigspec('cmd_nvedit_efi') > +@pytest.mark.slow > +class TestEfiUnsignedImage(object): > + def test_efi_unsigned_image_auth1(self, u_boot_console, efi_boot_env): > + """ > + Test Case 1 - rejected when not digest in db or dbx > + """ > + disk_img = efi_boot_env > + with u_boot_console.log.section('Test Case 1'): > + # Test Case 1 > + output = u_boot_console.run_command_list([ > + 'host bind 0 %s' % disk_img, > + 'fatload host 0:1 4000000 KEK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > + 'fatload host 0:1 4000000 PK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > + assert(not re.search('Failed to set EFI variable', ''.join(output))) > + > + output = u_boot_console.run_command_list([ > + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', > + 'efidebug boot next 1', > + 'bootefi bootmgr']) > + assert(re.search('\'HELLO\' failed', ''.join(output))) > + > + def test_efi_unsigned_image_auth2(self, u_boot_console, efi_boot_env): > + """ > + Test Case 2 - authenticated by digest in db > + """ > + disk_img = efi_boot_env > + with u_boot_console.log.section('Test Case 2'): > + # Test Case 2 > + output = u_boot_console.run_command_list([ > + 'host bind 0 %s' % disk_img, > + 'fatload host 0:1 4000000 db_hello.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', > + 'fatload host 0:1 4000000 KEK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > + 'fatload 
host 0:1 4000000 PK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > + assert(not re.search('Failed to set EFI variable', ''.join(output))) > + > + output = u_boot_console.run_command_list([ > + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', > + 'efidebug boot next 1', > + 'bootefi bootmgr']) > + assert(re.search('Hello, world!', ''.join(output))) > + > + def test_efi_unsigned_image_auth3(self, u_boot_console, efi_boot_env): > + """ > + Test Case 3 - rejected by digest in dbx > + """ > + disk_img = efi_boot_env > + with u_boot_console.log.section('Test Case 3a'): > + # Test Case 3a, rejected by dbx > + output = u_boot_console.run_command_list([ > + 'host bind 0 %s' % disk_img, > + 'fatload host 0:1 4000000 db_hello.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', > + 'fatload host 0:1 4000000 KEK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > + 'fatload host 0:1 4000000 PK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > + assert(not re.search('Failed to set EFI variable', ''.join(output))) > + > + output = u_boot_console.run_command_list([ > + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', You cannot assume any host file system to be connected as nothing in you test definition requires this. Best regards Heinrich > + 'efidebug boot next 1', > + 'bootefi bootmgr']) > + assert(re.search('\'HELLO\' failed', ''.join(output))) > + > + with u_boot_console.log.section('Test Case 3b'): > + # Test Case 3b, rejected by dbx even if db allows > + output = u_boot_console.run_command_list([ > + 'fatload host 0:1 4000000 db_hello.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) > + assert(not re.search('Failed to set EFI variable', ''.join(output))) > + > + output = u_boot_console.run_command_list([ > + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', > + 'efidebug boot next 1', > + 'bootefi bootmgr']) > + assert(re.search('\'HELLO\' failed', ''.join(output))) >
Heinrich, On Sat, Nov 16, 2019 at 09:31:04PM +0100, Heinrich Schuchardt wrote: > On 11/13/19 1:53 AM, AKASHI Takahiro wrote: > >Provide test cases for > > * image authentication for signed images > > (test_efi_secboot/test_signed.py) > > * image authentication for unsigned images > > (test_efi_secboot/test_unsigned.py) > > > >Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> > >--- > > test/py/tests/test_efi_secboot/test_signed.py | 97 +++++++++++++++++ > > .../tests/test_efi_secboot/test_unsigned.py | 100 ++++++++++++++++++ > > 2 files changed, 197 insertions(+) > > create mode 100644 test/py/tests/test_efi_secboot/test_signed.py > > create mode 100644 test/py/tests/test_efi_secboot/test_unsigned.py > > > >diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py > >new file mode 100644 > >index 000000000000..00f539462eb8 > >--- /dev/null > >+++ b/test/py/tests/test_efi_secboot/test_signed.py 
> >@@ -0,0 +1,97 @@ > >+# SPDX-License-Identifier: GPL-2.0+ > >+# Copyright (c) 2019, Linaro Limited > >+# Author: AKASHI Takahiro <takahiro.akashi@linaro.org> > >+# > >+# U-Boot UEFI: Signed Image Authentication Test > >+ > >+""" > >+This test verifies image authentication for signed images. > >+""" > >+ > >+import pytest > >+import re > >+from defs import * > >+ > >+@pytest.mark.boardspec('sandbox') > > Why would we only test on the sandbox? This leaves 32bit untested. I commented on this issue on patch#15. > >+@pytest.mark.buildconfigspec('efi_secure_boot') > >+@pytest.mark.buildconfigspec('cmd_efidebug') > >+@pytest.mark.buildconfigspec('cmd_fat') > >+@pytest.mark.buildconfigspec('cmd_nvedit_efi') > >+@pytest.mark.slow > >+class TestEfiSignedImage(object): > >+ def test_efi_signed_image_auth1(self, u_boot_console, efi_boot_env): > >+ """ > >+ Test Case 1 - authenticated by db > >+ """ > >+ disk_img = efi_boot_env > >+ with u_boot_console.log.section('Test Case 1a'): > >+ # Test Case 1a, run signed image if no db/dbx > >+ output = u_boot_console.run_command_list([ > >+ 'host bind 0 %s' % disk_img, > >+ 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""', > >+ 'efidebug boot next 1', > >+ 'bootefi bootmgr']) > >+ assert(re.search('Hello, world!', ''.join(output))) > >+ > >+ with u_boot_console.log.section('Test Case 1b'): > >+ # Test Case 1b, run unsigned image if no db/dbx > >+ output = u_boot_console.run_command_list([ > >+ 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""', > >+ 'efidebug boot next 2', > >+ 'bootefi bootmgr']) > >+ assert(re.search('Hello, world!', ''.join(output))) > >+ > >+ with u_boot_console.log.section('Test Case 1c'): > >+ # Test Case 1c, not authenticated by db > >+ output = u_boot_console.run_command_list([ > >+ 'fatload host 0:1 4000000 db.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', > >+ 'fatload host 0:1 4000000 KEK.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > >+ 'fatload 
host 0:1 4000000 PK.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > >+ assert(not re.search('Failed to set EFI variable', ''.join(output))) > >+ output = u_boot_console.run_command_list([ > >+ 'efidebug boot next 2', > >+ 'bootefi bootmgr']) > >+ assert(re.search('\'HELLO2\' failed', ''.join(output))) > >+ > >+ with u_boot_console.log.section('Test Case 1d'): > >+ # Test Case 1d, authenticated by db > >+ output = u_boot_console.run_command_list([ > >+ 'efidebug boot next 1', > >+ 'bootefi bootmgr']) > >+ assert(re.search('Hello, world!', ''.join(output))) > >+ > >+ def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env): > >+ """ > >+ Test Case 2 - rejected by dbx > >+ """ > >+ disk_img = efi_boot_env > >+ with u_boot_console.log.section('Test Case 2a'): > >+ # Test Case 2a, rejected by dbx > >+ output = u_boot_console.run_command_list([ > >+ 'host bind 0 %s' % disk_img, > >+ 'fatload host 0:1 4000000 db.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', > >+ 'fatload host 0:1 4000000 KEK.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > >+ 'fatload host 0:1 4000000 PK.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > >+ assert(not re.search('Failed to set EFI variable', ''.join(output))) > >+ output = u_boot_console.run_command_list([ > >+ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', > >+ 'efidebug boot next 1', > >+ 'bootefi bootmgr']) > >+ assert(re.search('\'HELLO\' failed', ''.join(output))) > >+ > >+ with u_boot_console.log.section('Test Case 2b'): > >+ # Test Case 2b, rejected by dbx even if db allows > >+ output = u_boot_console.run_command_list([ > >+ 'fatload host 0:1 4000000 db.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) > >+ assert(not re.search('Failed to set EFI variable', ''.join(output))) > >+ output = u_boot_console.run_command_list([ > >+ 'efidebug boot next 1', > >+ 'bootefi bootmgr']) > >+ assert(re.search('\'HELLO\' 
failed', ''.join(output))) > >diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py > >new file mode 100644 > >index 000000000000..2bfa188b530c > >--- /dev/null > >+++ b/test/py/tests/test_efi_secboot/test_unsigned.py 
> >@@ -0,0 +1,100 @@ > >+# SPDX-License-Identifier: GPL-2.0+ > >+# Copyright (c) 2019, Linaro Limited > >+# Author: AKASHI Takahiro <takahiro.akashi@linaro.org> > >+# > >+# U-Boot UEFI: Signed Image Authentication Test > >+ > >+""" > >+This test verifies image authentication for unsigned images. > >+""" > >+ > >+import pytest > >+import re > >+from defs import * > >+ > >+@pytest.mark.boardspec('sandbox') > >+@pytest.mark.buildconfigspec('efi_secure_boot') > >+@pytest.mark.buildconfigspec('cmd_efidebug') > >+@pytest.mark.buildconfigspec('cmd_fat') > >+@pytest.mark.buildconfigspec('cmd_nvedit_efi') > >+@pytest.mark.slow > >+class TestEfiUnsignedImage(object): > >+ def test_efi_unsigned_image_auth1(self, u_boot_console, efi_boot_env): > >+ """ > >+ Test Case 1 - rejected when not digest in db or dbx > >+ """ > >+ disk_img = efi_boot_env > >+ with u_boot_console.log.section('Test Case 1'): > >+ # Test Case 1 > >+ output = u_boot_console.run_command_list([ > >+ 'host bind 0 %s' % disk_img, > >+ 'fatload host 0:1 4000000 KEK.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > >+ 'fatload host 0:1 4000000 PK.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > >+ assert(not re.search('Failed to set EFI variable', ''.join(output))) > >+ > >+ output = u_boot_console.run_command_list([ > >+ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', > >+ 'efidebug boot next 1', > >+ 'bootefi bootmgr']) > >+ assert(re.search('\'HELLO\' failed', ''.join(output))) > >+ > >+ def test_efi_unsigned_image_auth2(self, u_boot_console, efi_boot_env): > >+ """ > >+ Test Case 2 - authenticated by digest in db > >+ """ > >+ disk_img = efi_boot_env > >+ with u_boot_console.log.section('Test Case 2'): > >+ # Test Case 2 > >+ output = u_boot_console.run_command_list([ > >+ 'host bind 0 %s' % disk_img, > >+ 'fatload host 0:1 4000000 db_hello.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', > >+ 'fatload host 0:1 4000000 KEK.auth', > >+ 'setenv -e 
-nv -bs -rt -at -i 4000000,$filesize KEK', > >+ 'fatload host 0:1 4000000 PK.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > >+ assert(not re.search('Failed to set EFI variable', ''.join(output))) > >+ > >+ output = u_boot_console.run_command_list([ > >+ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', > >+ 'efidebug boot next 1', > >+ 'bootefi bootmgr']) > >+ assert(re.search('Hello, world!', ''.join(output))) > >+ > >+ def test_efi_unsigned_image_auth3(self, u_boot_console, efi_boot_env): > >+ """ > >+ Test Case 3 - rejected by digest in dbx > >+ """ > >+ disk_img = efi_boot_env > >+ with u_boot_console.log.section('Test Case 3a'): > >+ # Test Case 3a, rejected by dbx > >+ output = u_boot_console.run_command_list([ > >+ 'host bind 0 %s' % disk_img, > >+ 'fatload host 0:1 4000000 db_hello.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', > >+ 'fatload host 0:1 4000000 KEK.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > >+ 'fatload host 0:1 4000000 PK.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > >+ assert(not re.search('Failed to set EFI variable', ''.join(output))) > >+ > >+ output = u_boot_console.run_command_list([ > >+ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', > > You cannot assume any host file system to be connected as nothing in you > test definition requires this. ditto. 
Thanks, -Takahiro Akashi > Best regards > > Heinrich > > >+ 'efidebug boot next 1', > >+ 'bootefi bootmgr']) > >+ assert(re.search('\'HELLO\' failed', ''.join(output))) > >+ > >+ with u_boot_console.log.section('Test Case 3b'): > >+ # Test Case 3b, rejected by dbx even if db allows > >+ output = u_boot_console.run_command_list([ > >+ 'fatload host 0:1 4000000 db_hello.auth', > >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) > >+ assert(not re.search('Failed to set EFI variable', ''.join(output))) > >+ > >+ output = u_boot_console.run_command_list([ > >+ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""', > >+ 'efidebug boot next 1', > >+ 'bootefi bootmgr']) > >+ assert(re.search('\'HELLO\' failed', ''.join(output))) > > >
diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
new file mode 100644
index 000000000000..00f539462eb8
--- /dev/null
+++ b/test/py/tests/test_efi_secboot/test_signed.py
@@ -0,0 +1,97 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2019, Linaro Limited
+# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
+#
+# U-Boot UEFI: Signed Image Authentication Test
+
+"""
+This test verifies image authentication for signed images.
+"""
+
+import pytest
+import re
+from defs import *
+
+@pytest.mark.boardspec('sandbox')
+@pytest.mark.buildconfigspec('efi_secure_boot')
+@pytest.mark.buildconfigspec('cmd_efidebug')
+@pytest.mark.buildconfigspec('cmd_fat')
+@pytest.mark.buildconfigspec('cmd_nvedit_efi')
+@pytest.mark.slow
+class TestEfiSignedImage(object):
+    def test_efi_signed_image_auth1(self, u_boot_console, efi_boot_env):
+        """
+        Test Case 1 - authenticated by db
+        """
+        disk_img = efi_boot_env
+        with u_boot_console.log.section('Test Case 1a'):
+            # Test Case 1a, run signed image if no db/dbx
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""',
+                'efidebug boot next 1',
+                'bootefi bootmgr'])
+            assert(re.search('Hello, world!', ''.join(output)))
+
+        with u_boot_console.log.section('Test Case 1b'):
+            # Test Case 1b, run unsigned image if no db/dbx
+            output = u_boot_console.run_command_list([
+                'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""',
+                'efidebug boot next 2',
+                'bootefi bootmgr'])
+            assert(re.search('Hello, world!', ''.join(output)))
+
+        with u_boot_console.log.section('Test Case 1c'):
+            # Test Case 1c, not authenticated by db
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 db.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'fatload host 0:1 4000000 KEK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'fatload host 0:1 4000000 PK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+            assert(not re.search('Failed to set EFI variable', ''.join(output)))
+            output = u_boot_console.run_command_list([
+                'efidebug boot next 2',
+                'bootefi bootmgr'])
+            assert(re.search('\'HELLO2\' failed', ''.join(output)))
+
+        with u_boot_console.log.section('Test Case 1d'):
+            # Test Case 1d, authenticated by db
+            output = u_boot_console.run_command_list([
+                'efidebug boot next 1',
+                'bootefi bootmgr'])
+            assert(re.search('Hello, world!', ''.join(output)))
+
+    def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env):
+        """
+        Test Case 2 - rejected by dbx
+        """
+        disk_img = efi_boot_env
+        with u_boot_console.log.section('Test Case 2a'):
+            # Test Case 2a, rejected by dbx
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatload host 0:1 4000000 db.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
+                'fatload host 0:1 4000000 KEK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'fatload host 0:1 4000000 PK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+            assert(not re.search('Failed to set EFI variable', ''.join(output)))
+            output = u_boot_console.run_command_list([
+                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
+                'efidebug boot next 1',
+                'bootefi bootmgr'])
+            assert(re.search('\'HELLO\' failed', ''.join(output)))
+
+        with u_boot_console.log.section('Test Case 2b'):
+            # Test Case 2b, rejected by dbx even if db allows
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 db.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
+            assert(not re.search('Failed to set EFI variable', ''.join(output)))
+            output = u_boot_console.run_command_list([
+                'efidebug boot next 1',
+                'bootefi bootmgr'])
+            assert(re.search('\'HELLO\' failed', ''.join(output)))
diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py
new file mode 100644
index 000000000000..2bfa188b530c
--- /dev/null
+++ b/test/py/tests/test_efi_secboot/test_unsigned.py
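Review bot: The negative cases 1c, 2a and 2b only assert that a `'HELLO…' failed` message appears, not that the rejected image never ran; in 1c the db-authenticated Boot0001 (HELLO1) still exists, so a boot-manager fall-through that launched it would print `Hello, world!` and the test would still pass. Add `assert(not re.search('Hello, world!', ''.join(output)))` after each of those three assertions so the test pins the security outcome rather than a log line. Test case 2a also writes `db.auth` into `dbx` before PK is enrolled, which presumably succeeds only because the variable store is still in setup mode; a comment such as `# db.auth is signed for 'db'; accepted for dbx here only because PK is not yet enrolled (setup mode)` would make that intent explicit, and a follow-up case checking that the same blob is rejected for `dbx` once PK is set would cover the binding of the variable name into the authenticated-write signature.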
@@ -0,0 +1,100 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (c) 2019, Linaro Limited
+# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
+#
+# U-Boot UEFI: Signed Image Authentication Test
+
+"""
+This test verifies image authentication for unsigned images.
+"""
+
+import pytest
+import re
+from defs import *
+
+@pytest.mark.boardspec('sandbox')
+@pytest.mark.buildconfigspec('efi_secure_boot')
+@pytest.mark.buildconfigspec('cmd_efidebug')
+@pytest.mark.buildconfigspec('cmd_fat')
+@pytest.mark.buildconfigspec('cmd_nvedit_efi')
+@pytest.mark.slow
+class TestEfiUnsignedImage(object):
+    def test_efi_unsigned_image_auth1(self, u_boot_console, efi_boot_env):
+        """
+        Test Case 1 - rejected when not digest in db or dbx
+        """
+        disk_img = efi_boot_env
+        with u_boot_console.log.section('Test Case 1'):
+            # Test Case 1
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatload host 0:1 4000000 KEK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'fatload host 0:1 4000000 PK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+            assert(not re.search('Failed to set EFI variable', ''.join(output)))
+
+            output = u_boot_console.run_command_list([
+                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
+                'efidebug boot next 1',
+                'bootefi bootmgr'])
+            assert(re.search('\'HELLO\' failed', ''.join(output)))
+
+    def test_efi_unsigned_image_auth2(self, u_boot_console, efi_boot_env):
+        """
+        Test Case 2 - authenticated by digest in db
+        """
+        disk_img = efi_boot_env
+        with u_boot_console.log.section('Test Case 2'):
+            # Test Case 2
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatload host 0:1 4000000 db_hello.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'fatload host 0:1 4000000 KEK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'fatload host 0:1 4000000 PK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+            assert(not re.search('Failed to set EFI variable', ''.join(output)))
+
+            output = u_boot_console.run_command_list([
+                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
+                'efidebug boot next 1',
+                'bootefi bootmgr'])
+            assert(re.search('Hello, world!', ''.join(output)))
+
+    def test_efi_unsigned_image_auth3(self, u_boot_console, efi_boot_env):
+        """
+        Test Case 3 - rejected by digest in dbx
+        """
+        disk_img = efi_boot_env
+        with u_boot_console.log.section('Test Case 3a'):
+            # Test Case 3a, rejected by dbx
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatload host 0:1 4000000 db_hello.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
+                'fatload host 0:1 4000000 KEK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'fatload host 0:1 4000000 PK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+            assert(not re.search('Failed to set EFI variable', ''.join(output)))
+
+            output = u_boot_console.run_command_list([
+                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
+                'efidebug boot next 1',
+                'bootefi bootmgr'])
+            assert(re.search('\'HELLO\' failed', ''.join(output)))
+
+        with u_boot_console.log.section('Test Case 3b'):
+            # Test Case 3b, rejected by dbx even if db allows
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 db_hello.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
+            assert(not re.search('Failed to set EFI variable', ''.join(output)))
+
+            output = u_boot_console.run_command_list([
+                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
+                'efidebug boot next 1',
+                'bootefi bootmgr'])
+            assert(re.search('\'HELLO\' failed', ''.join(output)))
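Review bot: The file header on the fifth line is a copy-paste from test_signed.py and mislabels this file; change `# U-Boot UEFI: Signed Image Authentication Test` to `# U-Boot UEFI: Unsigned Image Authentication Test`, and the auth1 docstring `Test Case 1 - rejected when not digest in db or dbx` reads better as `Test Case 1 - rejected when no digest is in db or dbx`. The negative cases 1, 3a and 3b only match the `'HELLO' failed` message and never check that the unsigned image did not execute; add `assert(not re.search('Hello, world!', ''.join(output)))` after each so a fall-through launch cannot mask a rejected digest. `from defs import *` is a wildcard import and nothing in the visible bodies references a name from it, so either drop it or import the specific names the tests rely on, which makes the file's fixture dependencies explicit.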
Provide test cases for * image authentication for signed images (test_efi_secboot/test_signed.py) * image authentication for unsigned images (test_efi_secboot/test_unsigned.py) Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> --- test/py/tests/test_efi_secboot/test_signed.py | 97 +++++++++++++++++ .../tests/test_efi_secboot/test_unsigned.py | 100 ++++++++++++++++++ 2 files changed, 197 insertions(+) create mode 100644 test/py/tests/test_efi_secboot/test_signed.py create mode 100644 test/py/tests/test_efi_secboot/test_unsigned.py