diff mbox series

[v2,1/2] test/py: vboot: add a test to check fit signature on fit with padding

Message ID 1585411565-6749-2-git-send-email-philippe.reynes@softathome.com
State Accepted
Delegated to: Tom Rini
Headers show
Series test/py: vboot: fix signature check on config node | expand

Commit Message

Philippe Reynes March 28, 2020, 4:06 p.m. UTC
The pytest vboot does all his tests on fit without padding.
We add the same tests on fit with padding.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
---
 test/py/tests/test_vboot.py | 42 ++++++++++++++++++++++++++++--------------
 1 file changed, 28 insertions(+), 14 deletions(-)

Changelog:
v2:
- no change

Comments

Tom Rini April 28, 2020, 1:53 p.m. UTC | #1
On Sat, Mar 28, 2020 at 05:06:04PM +0100, Philippe Reynes wrote:

> The pytest vboot does all his tests on fit without padding.
> We add the same tests on fit with padding.
> 
> Reviewed-by: Simon Glass <sjg@chromium.org>
> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
> ---
>  test/py/tests/test_vboot.py | 42 ++++++++++++++++++++++++++++--------------
>  1 file changed, 28 insertions(+), 14 deletions(-)
> 
> Changelog:
> v2:
> - no change

This and 2/2 need to be rebased on top of the current fixes that've been
done for the CVE we fixed in v2020.04 I believe, thanks and sorry!
diff mbox series

Patch

diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 9c41ee5..32299be 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -94,7 +94,7 @@  def test_vboot(u_boot_console):
         util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
                                 '%s%s' % (datadir, its), fit])
 
-    def sign_fit(sha_algo):
+    def sign_fit(sha_algo, options):
         """Sign the FIT
 
         Signs the FIT and writes the signature into it. It also writes the
@@ -103,10 +103,13 @@  def test_vboot(u_boot_console):
         Args:
             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
                     use.
+            options: Options to provide to mkimage.
         """
+        args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit]
+        if options:
+            args += options.split(' ')
         cons.log.action('%s: Sign images' % sha_algo)
-        util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
-                                '-r', fit])
+        util.run_and_log(cons, args)
 
     def sign_fit_norequire(sha_algo):
         """Sign the FIT
@@ -142,7 +145,7 @@  def test_vboot(u_boot_console):
             handle.write(struct.pack(">I", size))
         return struct.unpack(">I", total_size)[0]
 
-    def test_with_algo(sha_algo, padding):
+    def test_with_algo(sha_algo, padding, sign_options):
         """Test verified boot with the given hash algorithm.
 
         This is the main part of the test code. The same procedure is followed
@@ -151,6 +154,9 @@  def test_vboot(u_boot_console):
         Args:
             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
                     use.
+            padding: Either '' or '-pss', to select the padding to use for the
+                    rsa signature algorithm.
+            sign_options: Options to mkimage when signing a fit image.
         """
         # Compile our device tree files for kernel and U-Boot. These are
         # regenerated here since mkimage will modify them (by adding a
@@ -164,7 +170,7 @@  def test_vboot(u_boot_console):
         run_bootm(sha_algo, 'unsigned images', 'dev-', True)
 
         # Sign images with our dev keys
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
         run_bootm(sha_algo, 'signed images', 'dev+', True)
 
         # Create a fresh .dtb without the public keys
@@ -175,7 +181,7 @@  def test_vboot(u_boot_console):
         run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
 
         # Sign images with our dev keys
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
         run_bootm(sha_algo, 'signed config', 'dev+', True)
 
         cons.log.action('%s: Check signed config on the host' % sha_algo)
@@ -211,7 +217,7 @@  def test_vboot(u_boot_console):
         util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
                 '-k', dtb], 1, 'Failed to verify required signature')
 
-    def test_required_key(sha_algo, padding):
+    def test_required_key(sha_algo, padding, sign_options):
         """Test verified boot with the given hash algorithm.
 
         This function test if u-boot reject an image when a required
@@ -220,6 +226,9 @@  def test_vboot(u_boot_console):
         Args:
             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
                     use.
+            padding: Either '' or '-pss', to select the padding to use for the
+                    rsa signature algorithm.
+            sign_options: Options to mkimage when signing a fit image.
         """
         # Compile our device tree files for kernel and U-Boot. These are
         # regenerated here since mkimage will modify them (by adding a
@@ -234,9 +243,9 @@  def test_vboot(u_boot_console):
         # This FIT should not be accepted by u-boot because the key prod is required
         cons.log.action('%s: Test FIT with configs images' % sha_algo)
         make_fit('sign-configs-%s%s-prod.its' % (sha_algo , padding))
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
         make_fit('sign-configs-%s%s.its' % (sha_algo , padding))
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
 
         run_bootm(sha_algo, 'signed configs', '', False)
 
@@ -282,11 +291,16 @@  def test_vboot(u_boot_console):
         # afterwards.
         old_dtb = cons.config.dtb
         cons.config.dtb = dtb
-        test_with_algo('sha1','')
-        test_with_algo('sha1','-pss')
-        test_with_algo('sha256','')
-        test_with_algo('sha256','-pss')
-        test_required_key('sha256','-pss')
+        test_with_algo('sha1','', None)
+        test_with_algo('sha1','', '-E -p 0x10000')
+        test_with_algo('sha1','-pss', None)
+        test_with_algo('sha1','-pss', '-E -p 0x10000')
+        test_with_algo('sha256','', None)
+        test_with_algo('sha256','', '-E -p 0x10000')
+        test_with_algo('sha256','-pss', None)
+        test_with_algo('sha256','-pss', '-E -p 0x10000')
+        test_required_key('sha256','-pss', None)
+        test_required_key('sha256','-pss', '-E -p 0x10000')
     finally:
         # Go back to the original U-Boot with the correct dtb.
         cons.config.dtb = old_dtb