From patchwork Sat Mar 28 16:06:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Philippe REYNES X-Patchwork-Id: 1263260 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=softathome.com Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 48qNrc201Pz9sQt for ; Sun, 29 Mar 2020 03:06:40 +1100 (AEDT) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 9FD4A818B7; Sat, 28 Mar 2020 17:06:25 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=softathome.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id EE0408188A; Sat, 28 Mar 2020 17:06:13 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 Received: from vrout10.yaziba.net (vrout10.yaziba.net [185.56.204.32]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 291B181885 for ; Sat, 28 Mar 2020 17:06:09 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=softathome.com Authentication-Results: phobos.denx.de; spf=fail smtp.mailfrom=philippe.reynes@softathome.com Received: from mtaout10.int.yaziba.net (mtaout10.int.yaziba.net [10.4.20.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by vrout10.yaziba.net (mx10.yaziba.net) with ESMTPS id 9F5AE5208F; Sat, 28 Mar 2020 17:06:08 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by mtaout10.int.yaziba.net (Postfix) with ESMTP id 9E2E216022C; Sat, 28 Mar 2020 17:06:08 +0100 (CET) Received: from mtaout10.int.yaziba.net ([127.0.0.1]) by localhost (mtaout10.int.yaziba.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id v6A1WpFScVDb; Sat, 28 Mar 2020 17:06:08 +0100 (CET) Received: from sahnlpt0333.softathome.com (lfbn-idf3-1-1227-240.w92-170.abo.wanadoo.fr [92.170.165.240]) by mtaout10.int.yaziba.net (Postfix) with ESMTPSA id 4AF9516021B; Sat, 28 Mar 2020 17:06:08 +0100 (CET) From: Philippe Reynes To: sjg@chromium.org Cc: u-boot@lists.denx.de, Philippe Reynes Subject: [PATCH v2 1/2] test/py: vboot: add a test to check fit signature on fit with padding Date: Sat, 28 Mar 2020 17:06:04 +0100 Message-Id: <1585411565-6749-2-git-send-email-philippe.reynes@softathome.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1585411565-6749-1-git-send-email-philippe.reynes@softathome.com> References: <1585411565-6749-1-git-send-email-philippe.reynes@softathome.com> X-CLAMAV-SCAN: ok X-VRSPAM-SCORE: 0 X-VRSPAM-STATE: legit X-VRSPAM-CAUSE: gggruggvucftvghtrhhoucdtuddrgedugedrudeiuddgkeefucetufdoteggodetrfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddtnecunecujfgurhephffvufffkffojghfsedttdertdertddtnecuhfhrohhmpefrhhhilhhiphhpvgcutfgvhihnvghsuceophhhihhlihhpphgvrdhrvgihnhgvshesshhofhhtrghthhhomhgvrdgtohhmqeenucfkphepledvrddujedtrdduieehrddvgedtnecurfgrrhgrmhepmhhouggvpehsmhhtphhouhht X-VRSPAM-EXTCAUSE: mhhouggvpehsmhhtphhouhht X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.30rc1 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.2 at phobos.denx.de X-Virus-Status: Clean The pytest vboot does all his tests on fit without padding. We add the same tests on fit with padding. Reviewed-by: Simon Glass Signed-off-by: Philippe Reynes --- test/py/tests/test_vboot.py | 42 ++++++++++++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 14 deletions(-) Changelog: v2: - no change diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index 9c41ee5..32299be 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py @@ -94,7 +94,7 @@ def test_vboot(u_boot_console): util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f', '%s%s' % (datadir, its), fit]) - def sign_fit(sha_algo): + def sign_fit(sha_algo, options): """Sign the FIT Signs the FIT and writes the signature into it. It also writes the @@ -103,10 +103,13 @@ def test_vboot(u_boot_console): Args: sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use. + options: Options to provide to mkimage. """ + args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit] + if options: + args += options.split(' ') cons.log.action('%s: Sign images' % sha_algo) - util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb, - '-r', fit]) + util.run_and_log(cons, args) def sign_fit_norequire(sha_algo): """Sign the FIT @@ -142,7 +145,7 @@ def test_vboot(u_boot_console): handle.write(struct.pack(">I", size)) return struct.unpack(">I", total_size)[0] - def test_with_algo(sha_algo, padding): + def test_with_algo(sha_algo, padding, sign_options): """Test verified boot with the given hash algorithm. This is the main part of the test code. The same procedure is followed @@ -151,6 +154,9 @@ def test_vboot(u_boot_console): Args: sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use. + padding: Either '' or '-pss', to select the padding to use for the + rsa signature algorithm. + sign_options: Options to mkimage when signing a fit image. """ # Compile our device tree files for kernel and U-Boot. These are # regenerated here since mkimage will modify them (by adding a @@ -164,7 +170,7 @@ def test_vboot(u_boot_console): run_bootm(sha_algo, 'unsigned images', 'dev-', True) # Sign images with our dev keys - sign_fit(sha_algo) + sign_fit(sha_algo, sign_options) run_bootm(sha_algo, 'signed images', 'dev+', True) # Create a fresh .dtb without the public keys @@ -175,7 +181,7 @@ def test_vboot(u_boot_console): run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True) # Sign images with our dev keys - sign_fit(sha_algo) + sign_fit(sha_algo, sign_options) run_bootm(sha_algo, 'signed config', 'dev+', True) cons.log.action('%s: Check signed config on the host' % sha_algo) @@ -211,7 +217,7 @@ def test_vboot(u_boot_console): util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit, '-k', dtb], 1, 'Failed to verify required signature') - def test_required_key(sha_algo, padding): + def test_required_key(sha_algo, padding, sign_options): """Test verified boot with the given hash algorithm. This function test if u-boot reject an image when a required @@ -220,6 +226,9 @@ def test_vboot(u_boot_console): Args: sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use. + padding: Either '' or '-pss', to select the padding to use for the + rsa signature algorithm. + sign_options: Options to mkimage when signing a fit image. """ # Compile our device tree files for kernel and U-Boot. These are # regenerated here since mkimage will modify them (by adding a @@ -234,9 +243,9 @@ def test_vboot(u_boot_console): # This FIT should not be accepted by u-boot because the key prod is required cons.log.action('%s: Test FIT with configs images' % sha_algo) make_fit('sign-configs-%s%s-prod.its' % (sha_algo , padding)) - sign_fit(sha_algo) + sign_fit(sha_algo, sign_options) make_fit('sign-configs-%s%s.its' % (sha_algo , padding)) - sign_fit(sha_algo) + sign_fit(sha_algo, sign_options) run_bootm(sha_algo, 'signed configs', '', False) @@ -282,11 +291,16 @@ def test_vboot(u_boot_console): # afterwards. old_dtb = cons.config.dtb cons.config.dtb = dtb - test_with_algo('sha1','') - test_with_algo('sha1','-pss') - test_with_algo('sha256','') - test_with_algo('sha256','-pss') - test_required_key('sha256','-pss') + test_with_algo('sha1','', None) + test_with_algo('sha1','', '-E -p 0x10000') + test_with_algo('sha1','-pss', None) + test_with_algo('sha1','-pss', '-E -p 0x10000') + test_with_algo('sha256','', None) + test_with_algo('sha256','', '-E -p 0x10000') + test_with_algo('sha256','-pss', None) + test_with_algo('sha256','-pss', '-E -p 0x10000') + test_required_key('sha256','-pss', None) + test_required_key('sha256','-pss', '-E -p 0x10000') finally: # Go back to the original U-Boot with the correct dtb. cons.config.dtb = old_dtb