From patchwork Wed Feb 9 18:01:26 2022
X-Patchwork-Submitter: Philippe REYNES
X-Patchwork-Id: 1590668
X-Patchwork-Delegate: trini@ti.com
From: Philippe Reynes
To: sjg@chromium.org, rasmus.villemoes@prevas.dk
Cc: u-boot@lists.denx.de, Philippe Reynes
Subject: [PATCH v5 14/16] test: py: vboot: add test for global image signature
Date: Wed, 9 Feb 2022 19:01:26 +0100
Message-Id: <20220209180128.10655-15-philippe.reynes@softathome.com>
In-Reply-To: <20220209180128.10655-1-philippe.reynes@softathome.com>
References: <20220209180128.10655-1-philippe.reynes@softathome.com>

Adds test units for the pre-load header signature.

Signed-off-by: Philippe Reynes
---
 test/py/tests/test_vboot.py | 123 +++++++++++++++---
 test/py/tests/vboot/sandbox-binman-pss.dts | 25 ++++
 test/py/tests/vboot/sandbox-binman.dts | 24 ++++
 .../tests/vboot/sandbox-u-boot-global-pss.dts | 28 ++++
 test/py/tests/vboot/sandbox-u-boot-global.dts | 27 ++++
 test/py/tests/vboot/simple-images.its | 36 +++++
 6 files changed, 248 insertions(+), 15 deletions(-)
 create mode 100644 test/py/tests/vboot/sandbox-binman-pss.dts
 create mode 100644 test/py/tests/vboot/sandbox-binman.dts
 create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-pss.dts
 create mode 100644 test/py/tests/vboot/sandbox-u-boot-global.dts
 create mode 100644 test/py/tests/vboot/simple-images.its

diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index b080d482af..e53c2c7a00 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py 
@@ -35,18 +35,20 @@ import vboot_evil # Only run the full suite on a few combinations, since it doesn't add any more # test coverage. TESTDATA = [ - ['sha1-basic', 'sha1', '', None, False, True], - ['sha1-pad', 'sha1', '', '-E -p 0x10000', False, False], - ['sha1-pss', 'sha1', '-pss', None, False, False], - ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False, False], - ['sha256-basic', 'sha256', '', None, False, False], - ['sha256-pad', 'sha256', '', '-E -p 0x10000', False, False], - ['sha256-pss', 'sha256', '-pss', None, False, False], - ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False], - ['sha256-pss-required', 'sha256', '-pss', None, True, False], - ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True], - ['sha384-basic', 'sha384', '', None, False, False], - ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False], + ['sha1-basic', 'sha1', '', None, False, True, False], + ['sha1-pad', 'sha1', '', '-E -p 0x10000', False, False, False], + ['sha1-pss', 'sha1', '-pss', None, False, False, False], + ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False, False, False], + ['sha256-basic', 'sha256', '', None, False, False, False], + ['sha256-pad', 'sha256', '', '-E -p 0x10000', False, False, False], + ['sha256-pss', 'sha256', '-pss', None, False, False, False], + ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False, False], + ['sha256-pss-required', 'sha256', '-pss', None, True, False, False], + ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True, False], + ['sha384-basic', 'sha384', '', None, False, False, False], + ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False, False], + ['sha256-global-sign', 'sha256', '', '', False, False, True], + ['sha256-global-sign-pss', 'sha256', '-pss', '', False, False, True], ] @pytest.mark.boardspec('sandbox') 
@@ -55,10 +57,10 @@ TESTDATA = [ @pytest.mark.requiredtool('fdtget') @pytest.mark.requiredtool('fdtput') @pytest.mark.requiredtool('openssl') -@pytest.mark.parametrize("name,sha_algo,padding,sign_options,required,full_test", +@pytest.mark.parametrize("name,sha_algo,padding,sign_options,required,full_test,global_sign", TESTDATA) def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, - full_test): + full_test,global_sign): """Test verified boot signing with mkimage and verification with 'bootm'. This works using sandbox only as it needs to update the device tree used @@ -80,6 +82,29 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, util.run_and_log(cons, 'dtc %s %s%s -O dtb ' '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb)) + def dtc_options(dts, options): + """Run the device tree compiler to compile a .dts file + + The output file will be the same as the input file but with a .dtb + extension. + + Args: + dts: Device tree file to compile. + options: Options provided to the compiler. + """ + dtb = dts.replace('.dts', '.dtb') + util.run_and_log(cons, 'dtc %s %s%s -O dtb ' + '-o %s%s %s' % (dtc_args, datadir, dts, tmpdir, dtb, options)) + + def run_binman(dtb): + """Run binman to build an image + + Args: + dtb: Device tree file used as input file. + """ + util.run_and_log(cons, [binman, 'build', '-d', "%s/%s" % (tmpdir,dtb), + '-a', "key-path=%s" % tmpdir, '-O', tmpdir, '-I', tmpdir]) + def run_bootm(sha_algo, test_type, expect_string, boots, fit=None): """Run a 'bootm' command U-Boot. 
@@ -138,6 +163,23 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, cons.log.action('%s: Sign images' % sha_algo) util.run_and_log(cons, args) + def sign_fit_dtb(sha_algo, options, dtb): + """Sign the FIT + + Signs the FIT and writes the signature into it. It also writes the + public key into the dtb. + + Args: + sha_algo: Either 'sha1' or 'sha256', to select the algorithm to + use. + options: Options to provide to mkimage. + """ + args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit] + if options: + args += options.split(' ') + cons.log.action('%s: Sign images' % sha_algo) + util.run_and_log(cons, args) + def sign_fit_norequire(sha_algo, options): """Sign the FIT @@ -175,6 +217,11 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, handle.write(struct.pack(">I", size)) return struct.unpack(">I", total_size)[0] + def corrupt_file(fit,offset,value): + with open(fit, 'r+b') as handle: + handle.seek(offset) + handle.write(struct.pack(">I", value)) + def create_rsa_pair(name): """Generate a new RSA key paid and certificate 
@@ -373,6 +420,49 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, (dtb)) run_bootm(sha_algo, 'multi required key', '', False) + def test_global_sign(sha_algo, padding, sign_options): + """Test global image signature with the given hash algorithm and padding. + + Args: + sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use + padding: Either '' or '-pss', to select the padding to use for the + rsa signature algorithm. + """ + + dtb = '%ssandbox-u-boot-global%s.dtb' % (tmpdir, padding) + cons.config.dtb = dtb + + # Compile our device tree files for kernel and U-Boot. These are + # regenerated here since mkimage will modify them (by adding a + # public key) below. + dtc('sandbox-kernel.dts') + dtc_options('sandbox-u-boot-global%s.dts' % padding, '-p 1024') + + # Build the FIT with dev key (keys NOT required). This adds the + # signature into sandbox-u-boot.dtb, NOT marked 'required'. + make_fit('simple-images.its') + sign_fit_dtb(sha_algo, '', dtb) + + # Build the dtb for binman that define the pre-load header + # with the global sigature. + dtc('sandbox-binman%s.dts' % padding) + + # Run binman to create the final image with the not signed fit + # and the pre-load header that contains the global signature. 
+ run_binman('sandbox-binman%s.dtb' % padding) + + # Check that the signature is correctly verified by u-boot + run_bootm(sha_algo, 'global image signature', 'signature check has succeed', True, "%ssandbox.img" % tmpdir) + + # Corrupt the image (just one byte after the pre-load header) + corrupt_file("%ssandbox.img" % tmpdir, 4096, 255); + + # Check that the signature verification fails + run_bootm(sha_algo, 'global image signature', 'signature check has failed', False, "%ssandbox.img" % tmpdir) + + # Check that the boot fails if the global signature is not provided + run_bootm(sha_algo, 'global image signature', 'signature is mandatory', False) + cons = u_boot_console tmpdir = os.path.join(cons.config.result_dir, name) + '/' if not os.path.exists(tmpdir): @@ -380,6 +470,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, datadir = cons.config.source_dir + '/test/py/tests/vboot/' fit = '%stest.fit' % tmpdir mkimage = cons.config.build_dir + '/tools/mkimage' + binman = cons.config.source_dir + '/tools/binman/binman' fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign' dtc_args = '-I dts -O dtb -i %s' % tmpdir dtb = '%ssandbox-u-boot.dtb' % tmpdir @@ -402,7 +493,9 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, # afterwards. old_dtb = cons.config.dtb cons.config.dtb = dtb - if required: + if global_sign: + test_global_sign(sha_algo, padding, sign_options) + elif required: test_required_key(sha_algo, padding, sign_options) else: test_with_algo(sha_algo, padding, sign_options) diff --git a/test/py/tests/vboot/sandbox-binman-pss.dts b/test/py/tests/vboot/sandbox-binman-pss.dts new file mode 100644 index 0000000000..54f82f1df5 --- /dev/null +++ b/test/py/tests/vboot/sandbox-binman-pss.dts 
@@ -0,0 +1,25 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + filename = "sandbox.img"; + + pre-load { + image = "test.fit"; + algo-name = "sha256,rsa2048"; + padding-name = "pss"; + key-name = "dev.key"; + header-size = <4096>; + version = <1>; + }; + + blob-ext { + filename = "test.fit"; + }; + }; +}; diff --git a/test/py/tests/vboot/sandbox-binman.dts b/test/py/tests/vboot/sandbox-binman.dts new file mode 100644 index 0000000000..56d835a938 --- /dev/null +++ b/test/py/tests/vboot/sandbox-binman.dts @@ -0,0 +1,24 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + filename = "sandbox.img"; + + pre-load { + image = "test.fit"; + algo-name = "sha256,rsa2048"; + key-name = "dev.key"; + header-size = <4096>; + version = <1>; + }; + + blob-ext { + filename = "test.fit"; + }; + }; +}; diff --git a/test/py/tests/vboot/sandbox-u-boot-global-pss.dts b/test/py/tests/vboot/sandbox-u-boot-global-pss.dts new file mode 100644 index 0000000000..c59a68221b --- /dev/null +++ b/test/py/tests/vboot/sandbox-u-boot-global-pss.dts @@ -0,0 +1,28 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + model = "Sandbox Verified Boot Test"; + compatible = "sandbox"; + + binman { + }; + + reset@0 { + compatible = "sandbox,reset"; + }; + + image { + pre-load { + sig { + algo-name = "sha256,rsa2048"; + padding-name = "pss"; + signature-size = <256>; + mandatory = "yes"; + + key-name = "dev"; + }; + }; + }; +}; diff --git a/test/py/tests/vboot/sandbox-u-boot-global.dts b/test/py/tests/vboot/sandbox-u-boot-global.dts new file mode 100644 index 0000000000..1409f9e1a1 --- /dev/null +++ b/test/py/tests/vboot/sandbox-u-boot-global.dts 
@@ -0,0 +1,27 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + model = "Sandbox Verified Boot Test"; + compatible = "sandbox"; + + binman { + }; + + reset@0 { + compatible = "sandbox,reset"; + }; + + image { + pre-load { + sig { + algo-name = "sha256,rsa2048"; + signature-size = <256>; + mandatory = "yes"; + + key-name = "dev"; + }; + }; + }; +}; diff --git a/test/py/tests/vboot/simple-images.its b/test/py/tests/vboot/simple-images.its new file mode 100644 index 0000000000..f62786456b --- /dev/null +++ b/test/py/tests/vboot/simple-images.its @@ -0,0 +1,36 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + description = "Chrome OS kernel image with one or more FDT blobs"; + #address-cells = <1>; + + images { + kernel { + data = /incbin/("test-kernel.bin"); + type = "kernel_noload"; + arch = "sandbox"; + os = "linux"; + compression = "none"; + load = <0x4>; + entry = <0x8>; + kernel-version = <1>; + }; + fdt-1 { + description = "snow"; + data = /incbin/("sandbox-kernel.dtb"); + type = "flat_dt"; + arch = "sandbox"; + compression = "none"; + fdt-version = <1>; + }; + }; + configurations { + default = "conf-1"; + conf-1 { + kernel = "kernel"; + fdt = "fdt-1"; + }; + }; +};
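Review bot: in the TESTDATA hunk of test_vboot.py, the two new rows ('sha256-global-sign', 'sha256-global-sign-pss') pass '' for sign_options while every other row without options passes None. Use None for consistency, all the more since test_global_sign never reads sign_options. The comment above the table also says nothing about the new seventh column; one line explaining that it selects the global (pre-load header) signature test would save readers from counting fields.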
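Review bot: in the parametrize/def hunk of test_vboot.py, `full_test,global_sign):` is missing the space after the comma, and the hunk leaves the test_vboot docstring untouched, so the new global_sign parameter is not described anywhere in the function's documentation.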
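Review bot: in run_binman, `"%s/%s" % (tmpdir,dtb)` produces a double slash, because tmpdir is built as `os.path.join(cons.config.result_dir, name) + '/'` and already ends with one; use "%s%s" as the neighbouring helpers do, and add the space after the comma. In the same hunk dtc_options repeats the body and docstring of dtc with one extra argument; giving dtc an optional options parameter that defaults to the empty string would avoid the copy.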
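Review bot: the sign_fit_dtb docstring lists sha_algo and options under Args but omits dtb, which is the one parameter that distinguishes this helper from sign_fit. Document it as the device tree blob handed to mkimage with -K to receive the public key, and consider folding the helper into sign_fit with an optional dtb argument, since the rest of the body is the same command line.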
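Review bot: corrupt_file has no docstring and writes four bytes, not one: `struct.pack(">I", value)` with value 255 stores 00 00 00 ff at the offset, while the call site in test_global_sign describes the step as corrupting "just one byte after the pre-load header". Either pack with "B" or reword the comment, add an Args section, and put spaces after the commas in `fit,offset,value`.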
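Review bot: test_global_sign accepts sign_options but never uses it (the call is `sign_fit_dtb(sha_algo, '', dtb)`) and its docstring does not list it; drop the parameter or pass it through. The comment above that call says "keys NOT required" and names sandbox-u-boot.dtb, yet sign_fit_dtb passes -r to mkimage and the dtb in use is sandbox-u-boot-global%s.dtb, so the comment should be corrected to match. The offset 4096 given to corrupt_file duplicates `header-size = <4096>` from the binman .dts files and deserves a named constant or a comment tying the two together; the trailing `;` after that call and the typo "sigature" should be fixed as well. The negative cases cover a corrupted payload and a missing header; a header signed with a different key would complete the set.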
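Review bot: sandbox-binman-pss.dts and sandbox-binman.dts differ only in the `padding-name = "pss";` line, and the same is true of sandbox-u-boot-global-pss.dts and sandbox-u-boot-global.dts. A shared .dtsi, or patching the property with fdtput (already a required tool for this test), would keep the pairs from drifting apart. The binman node uses `key-name = "dev.key";` while the U-Boot node uses `key-name = "dev";`; a short comment in each file on what the property names would make clear that the difference is intended.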
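Review bot: simple-images.its contains no hash or signature nodes, which fits a test where only the pre-load header is signed, but nothing in the file says so. The description strings ("Chrome OS kernel image with one or more FDT blobs" and "snow") read as carried over from another .its. Add a comment stating that the FIT is intentionally unsigned at image and configuration level, and reword the descriptions to name this test.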