diff mbox series

[v3,13/13] test/py: efi_secboot: add a test for verifying with digest of signed image

Message ID 20200708050203.15230-14-takahiro.akashi@linaro.org
State Superseded, archived
Delegated to: Heinrich Schuchardt
Headers show
Series efi_loader: rework/improve UEFI secure boot code | expand

Commit Message

AKASHI Takahiro July 8, 2020, 5:02 a.m. UTC 
Signature database (db or dbx) may have not only certificates that contain
a public key for RSA decryption, but also digests of signed images.

In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID)
and if the value matches to a hash value calculated from image's binary,
authentication should pass in case of db, and fail in case of dbx.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 test/py/tests/test_efi_secboot/conftest.py    | 10 ++++
 test/py/tests/test_efi_secboot/test_signed.py | 49 +++++++++++++++++++
 2 files changed, 59 insertions(+)

Comments

Heinrich Schuchardt July 11, 2020, 6:47 a.m. UTC | #1 
On 7/8/20 7:02 AM, AKASHI Takahiro wrote:
> Signature database (db or dbx) may have not only certificates that contain
> a public key for RSA decryption, but also digests of signed images.
>
> In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID)
> and if the value matches to a hash value calculated from image's binary,
> authentication should pass in case of db, and fail in case of dbx.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  test/py/tests/test_efi_secboot/conftest.py    | 10 ++++
>  test/py/tests/test_efi_secboot/test_signed.py | 49 +++++++++++++++++++
>  2 files changed, 59 insertions(+)
>
> diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
> index c7da1a6e29a3..553550ee02b1 100644
> --- a/test/py/tests/test_efi_secboot/conftest.py
> +++ b/test/py/tests/test_efi_secboot/conftest.py
> @@ -120,6 +120,10 @@ def efi_boot_env(request, u_boot_config):
>          check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
>                     % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
>                     shell=True)
> +        ## dbx_db (with TEST_db certificate)
> +        check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db.esl dbx_db.auth'
> +                   % (mnt_point, EFITOOLS_PATH),
> +                   shell=True)
>
>          # Copy image
>          check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True)
> @@ -134,6 +138,12 @@ def efi_boot_env(request, u_boot_config):
>          check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth'
>                     % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
>                     shell=True)
> +        check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth'
> +                   % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
> +                   shell=True)
> +        check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth'
> +                   % (mnt_point, EFITOOLS_PATH),
> +                   shell=True)
>
>          check_call('sudo umount %s' % loop_dev, shell=True)
>          check_call('sudo losetup -d %s' % loop_dev, shell=True)
> diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
> index 1a31a57e12c2..7531bbac6a5f 100644
> --- a/test/py/tests/test_efi_secboot/test_signed.py
> +++ b/test/py/tests/test_efi_secboot/test_signed.py
> @@ -198,3 +198,52 @@ class TestEfiSignedImage(object):
>                  'efidebug test bootmgr'])
>              assert '\'HELLO\' failed' in ''.join(output)
>              assert 'efi_start_image() returned: 26' in ''.join(output)
> +
> +    def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
> +        """
> +        Test Case 6 - using digest of signed image in database
> +        """
> +        u_boot_console.restart_uboot()
> +        disk_img = efi_boot_env
> +        with u_boot_console.log.section('Test Case 6a'):
> +            # Test Case 6a, verified by image's digest in db
> +            output = u_boot_console.run_command_list([
> +                'host bind 0 %s' % disk_img,
> +                'fatload host 0:1 4000000 db_hello_signed.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
> +                'fatload host 0:1 4000000 KEK.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
> +                'fatload host 0:1 4000000 PK.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
> +            assert 'Failed to set EFI variable' not in ''.join(output)
> +            output = u_boot_console.run_command_list([
> +                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
> +                'efidebug boot next 1',
> +                'bootefi bootmgr'])
> +            assert 'Hello, world!' in ''.join(output)
> +
> +        with u_boot_console.log.section('Test Case 6b'):
> +            # Test Case 6b, rejected by TEST_db certificate in dbx
> +            output = u_boot_console.run_command_list([
> +                'fatload host 0:1 4000000 dbx_db.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
> +            assert 'Failed to set EFI variable' not in ''.join(output)
> +            output = u_boot_console.run_command_list([
> +                'efidebug boot next 1',
> +                'efidebug test bootmgr'])
> +            assert '\'HELLO\' failed' in ''.join(output)
> +            assert 'efi_start_image() returned: 26' in ''.join(output)
> +
> +        with u_boot_console.log.section('Test Case 6c'):
> +            # Test Case 6c, rejected by image's digest in dbx
> +            output = u_boot_console.run_command_list([
> +                'fatload host 0:1 4000000 db.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
> +                'fatload host 0:1 4000000 dbx_hello_signed.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
> +            assert 'Failed to set EFI variable' not in ''.join(output)
> +            output = u_boot_console.run_command_list([
> +                'efidebug boot next 1',
> +                'efidebug test bootmgr'])
> +            assert '\'HELLO\' failed' in ''.join(output)
> +            assert 'efi_start_image() returned: 26' in ''.join(output)
>

This test fails due to not set time stamps for the *.auth files.

The timestamp in dbx_hello_signed.auth must be newer then dbx_db.auth.

db_hello_signed.auth must be older then db.auth.

I will add the missing time stamps.

Best regards

Heinrich
AKASHI Takahiro July 13, 2020, 12:20 a.m. UTC | #2 
Heinrich,

On Sat, Jul 11, 2020 at 08:47:15AM +0200, Heinrich Schuchardt wrote:
> On 7/8/20 7:02 AM, AKASHI Takahiro wrote:
> > Signature database (db or dbx) may have not only certificates that contain
> > a public key for RSA decryption, but also digests of signed images.
> >
> > In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID)
> > and if the value matches to a hash value calculated from image's binary,
> > authentication should pass in case of db, and fail in case of dbx.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> >  test/py/tests/test_efi_secboot/conftest.py    | 10 ++++
> >  test/py/tests/test_efi_secboot/test_signed.py | 49 +++++++++++++++++++
> >  2 files changed, 59 insertions(+)
> >
> > diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
> > index c7da1a6e29a3..553550ee02b1 100644
> > --- a/test/py/tests/test_efi_secboot/conftest.py
> > +++ b/test/py/tests/test_efi_secboot/conftest.py
> > @@ -120,6 +120,10 @@ def efi_boot_env(request, u_boot_config):
> >          check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
> >                     % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> >                     shell=True)
> > +        ## dbx_db (with TEST_db certificate)
> > +        check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db.esl dbx_db.auth'
> > +                   % (mnt_point, EFITOOLS_PATH),
> > +                   shell=True)
> >
> >          # Copy image
> >          check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True)
> > @@ -134,6 +138,12 @@ def efi_boot_env(request, u_boot_config):
> >          check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth'
> >                     % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
> >                     shell=True)
> > +        check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth'
> > +                   % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
> > +                   shell=True)
> > +        check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth'
> > +                   % (mnt_point, EFITOOLS_PATH),
> > +                   shell=True)
> >
> >          check_call('sudo umount %s' % loop_dev, shell=True)
> >          check_call('sudo losetup -d %s' % loop_dev, shell=True)
> > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
> > index 1a31a57e12c2..7531bbac6a5f 100644
> > --- a/test/py/tests/test_efi_secboot/test_signed.py
> > +++ b/test/py/tests/test_efi_secboot/test_signed.py
> > @@ -198,3 +198,52 @@ class TestEfiSignedImage(object):
> >                  'efidebug test bootmgr'])
> >              assert '\'HELLO\' failed' in ''.join(output)
> >              assert 'efi_start_image() returned: 26' in ''.join(output)
> > +
> > +    def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
> > +        """
> > +        Test Case 6 - using digest of signed image in database
> > +        """
> > +        u_boot_console.restart_uboot()
> > +        disk_img = efi_boot_env
> > +        with u_boot_console.log.section('Test Case 6a'):
> > +            # Test Case 6a, verified by image's digest in db
> > +            output = u_boot_console.run_command_list([
> > +                'host bind 0 %s' % disk_img,
> > +                'fatload host 0:1 4000000 db_hello_signed.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
> > +                'fatload host 0:1 4000000 KEK.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
> > +                'fatload host 0:1 4000000 PK.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
> > +            assert 'Failed to set EFI variable' not in ''.join(output)
> > +            output = u_boot_console.run_command_list([
> > +                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
> > +                'efidebug boot next 1',
> > +                'bootefi bootmgr'])
> > +            assert 'Hello, world!' in ''.join(output)
> > +
> > +        with u_boot_console.log.section('Test Case 6b'):
> > +            # Test Case 6b, rejected by TEST_db certificate in dbx
> > +            output = u_boot_console.run_command_list([
> > +                'fatload host 0:1 4000000 dbx_db.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
> > +            assert 'Failed to set EFI variable' not in ''.join(output)
> > +            output = u_boot_console.run_command_list([
> > +                'efidebug boot next 1',
> > +                'efidebug test bootmgr'])
> > +            assert '\'HELLO\' failed' in ''.join(output)
> > +            assert 'efi_start_image() returned: 26' in ''.join(output)
> > +
> > +        with u_boot_console.log.section('Test Case 6c'):
> > +            # Test Case 6c, rejected by image's digest in dbx
> > +            output = u_boot_console.run_command_list([
> > +                'fatload host 0:1 4000000 db.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
> > +                'fatload host 0:1 4000000 dbx_hello_signed.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
> > +            assert 'Failed to set EFI variable' not in ''.join(output)
> > +            output = u_boot_console.run_command_list([
> > +                'efidebug boot next 1',
> > +                'efidebug test bootmgr'])
> > +            assert '\'HELLO\' failed' in ''.join(output)
> > +            assert 'efi_start_image() returned: 26' in ''.join(output)
> >
> 
> This test fails due to not set time stamps for the *.auth files.
> 
> The timestamp in dbx_hello_signed.auth must be newer then dbx_db.auth.
> db_hello_signed.auth must be older then db.auth.

I have fixed this issue by adding "sleep 2" to make different timestamps,
but forgot to put it in the follow-up patch.

I have taken the same approach in my intermediate certificates patch.
Apologies for any confusion.

-Takahiro Akashi

diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
index 94c50f6cf7ca..b74640240318 100644
--- a/test/py/tests/test_efi_secboot/conftest.py
+++ b/test/py/tests/test_efi_secboot/conftest.py
@@ -141,7 +141,9 @@ def efi_boot_env(request, u_boot_config):
         check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth'
                    % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
                    shell=True)
-        check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth'
+        # 'sleep 2' here because timestamp should be newer than dbx_db.auth
+        # See Test Case 6c
+        check_call('cd %s; sleep 2; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth'
                    % (mnt_point, EFITOOLS_PATH),
                    shell=True)
 
diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
index 7531bbac6a5f..8b1e132c756c 100644
--- a/test/py/tests/test_efi_secboot/test_signed.py
+++ b/test/py/tests/test_efi_secboot/test_signed.py
@@ -237,8 +237,6 @@ class TestEfiSignedImage(object):
         with u_boot_console.log.section('Test Case 6c'):
             # Test Case 6c, rejected by image's digest in dbx
             output = u_boot_console.run_command_list([
-                'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
                 'fatload host 0:1 4000000 dbx_hello_signed.auth',
                 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
             assert 'Failed to set EFI variable' not in ''.join(output)
diff mbox series

Patch

diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
index c7da1a6e29a3..553550ee02b1 100644
--- a/test/py/tests/test_efi_secboot/conftest.py
+++ b/test/py/tests/test_efi_secboot/conftest.py
@@ -120,6 +120,10 @@  def efi_boot_env(request, u_boot_config):
         check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
                    % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                    shell=True)
+        ## dbx_db (with TEST_db certificate)
+        check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db.esl dbx_db.auth'
+                   % (mnt_point, EFITOOLS_PATH),
+                   shell=True)
 
         # Copy image
         check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True)
@@ -134,6 +138,12 @@  def efi_boot_env(request, u_boot_config):
         check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth'
                    % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
                    shell=True)
+        check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth'
+                   % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
+                   shell=True)
+        check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth'
+                   % (mnt_point, EFITOOLS_PATH),
+                   shell=True)
 
         check_call('sudo umount %s' % loop_dev, shell=True)
         check_call('sudo losetup -d %s' % loop_dev, shell=True)
diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
index 1a31a57e12c2..7531bbac6a5f 100644
--- a/test/py/tests/test_efi_secboot/test_signed.py
+++ b/test/py/tests/test_efi_secboot/test_signed.py
@@ -198,3 +198,52 @@  class TestEfiSignedImage(object):
                 'efidebug test bootmgr'])
             assert '\'HELLO\' failed' in ''.join(output)
             assert 'efi_start_image() returned: 26' in ''.join(output)
+
+    def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
+        """
+        Test Case 6 - using digest of signed image in database
+        """
+        u_boot_console.restart_uboot()
+        disk_img = efi_boot_env
+        with u_boot_console.log.section('Test Case 6a'):
+            # Test Case 6a, verified by image's digest in db
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatload host 0:1 4000000 db_hello_signed.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'fatload host 0:1 4000000 KEK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
+                'fatload host 0:1 4000000 PK.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
+            assert 'Failed to set EFI variable' not in ''.join(output)
+            output = u_boot_console.run_command_list([
+                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
+                'efidebug boot next 1',
+                'bootefi bootmgr'])
+            assert 'Hello, world!' in ''.join(output)
+
+        with u_boot_console.log.section('Test Case 6b'):
+            # Test Case 6b, rejected by TEST_db certificate in dbx
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 dbx_db.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
+            assert 'Failed to set EFI variable' not in ''.join(output)
+            output = u_boot_console.run_command_list([
+                'efidebug boot next 1',
+                'efidebug test bootmgr'])
+            assert '\'HELLO\' failed' in ''.join(output)
+            assert 'efi_start_image() returned: 26' in ''.join(output)
+
+        with u_boot_console.log.section('Test Case 6c'):
+            # Test Case 6c, rejected by image's digest in dbx
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 db.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
+                'fatload host 0:1 4000000 dbx_hello_signed.auth',
+                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
+            assert 'Failed to set EFI variable' not in ''.join(output)
+            output = u_boot_console.run_command_list([
+                'efidebug boot next 1',
+                'efidebug test bootmgr'])
+            assert '\'HELLO\' failed' in ''.join(output)
+            assert 'efi_start_image() returned: 26' in ''.join(output)