From patchwork Thu Jul 2 06:29:25 2020
X-Patchwork-Submitter: Heinrich Schuchardt
X-Patchwork-Id: 1321137
X-Patchwork-Delegate: xypron.glpk@gmx.de
From: Heinrich Schuchardt
To: AKASHI Takahiro
Cc: Alexander Graf, u-boot@lists.denx.de, Heinrich Schuchardt
Subject: [PATCH 1/1] test: correct time stamps for UEFI authentication
Date: Thu, 2 Jul 2020 08:29:25 +0200
Message-Id: <20200702062925.137348-1-xypron.glpk@gmx.de>

A time authenticated variable cannot be overwritten with another value with
the same time stamp. So we must ensure the correct sequence of time stamps
when generating our test data.

Using parameter -t for sign-efi-sig-list gives reproducible results and
avoids sleep statements.

In test_authvar.py test 1g loading a variable with the same time stamp
fails. Correct the expected result.

Signed-off-by: Heinrich Schuchardt
---
 test/py/tests/test_efi_secboot/conftest.py     | 16 ++++++++--------
 test/py/tests/test_efi_secboot/test_authvar.py |  3 ++-
 2 files changed, 10 insertions(+), 9 deletions(-)

-- 
2.27.0

diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 5d99b8b718..ac5a780fdb 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py 
@@ -76,37 +76,37 @@ def efi_boot_env(request, u_boot_config): ## PK check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365' % mnt_point, shell=True) - check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth' + check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -t "2020-04-01" -c PK.crt -k PK.key PK PK.esl PK.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) ## PK_null for deletion - check_call('cd %s; sleep 2; touch PK_null.esl; %ssign-efi-sig-list -c PK.crt -k PK.key PK PK_null.esl PK_null.auth' + check_call('cd %s; touch PK_null.esl; %ssign-efi-sig-list -t "2020-04-02" -c PK.crt -k PK.key PK PK_null.esl PK_null.auth' % (mnt_point, EFITOOLS_PATH), shell=True) ## KEK check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365' % mnt_point, shell=True) - check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth' + check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -t "2020-04-03" -c PK.crt -k PK.key KEK KEK.esl KEK.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) ## db check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ -keyout db.key -out db.crt -nodes -days 365' % mnt_point, shell=True) - check_call('cd %s; %scert-to-efi-sig-list -g %s db.crt db.esl; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth' + check_call('cd %s; %scert-to-efi-sig-list -g %s db.crt db.esl; %ssign-efi-sig-list -t "2020-04-04" -c KEK.crt -k KEK.key db db.esl db.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) ## db1 check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db1/ -keyout db1.key -out db1.crt -nodes -days 365' % mnt_point, 
shell=True) - check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db1.esl db1.auth' + check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key db db1.esl db1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) ## db1-update - check_call('cd %s; %ssign-efi-sig-list -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth' + check_call('cd %s; %ssign-efi-sig-list -t "2020-04-06" -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth' % (mnt_point, EFITOOLS_PATH), shell=True) ## dbx check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365' % mnt_point, shell=True) - check_call('cd %s; %scert-to-efi-sig-list -g %s dbx.crt dbx.esl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth' + check_call('cd %s; %scert-to-efi-sig-list -g %s dbx.crt dbx.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) @@ -117,7 +117,7 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi' % mnt_point, shell=True) ## Digest image - check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' + check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), shell=True) diff --git a/test/py/tests/test_efi_secboot/test_authvar.py b/test/py/tests/test_efi_secboot/test_authvar.py index 9912694a3e..e28bb280e6 100644 --- a/test/py/tests/test_efi_secboot/test_authvar.py +++ b/test/py/tests/test_efi_secboot/test_authvar.py 
@@ -111,11 +111,12 @@ class TestEfiAuthVar(object): 'setenv -e -nv -bs -rt -i 4000000,$filesize db']) assert(re.search('Failed to set EFI variable', ''.join(output))) + # We cannot load the variable twice with the same time stamp. output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) - assert(not re.search('Failed to set EFI variable', ''.join(output))) + assert(re.search('Failed to set EFI variable', ''.join(output))) assert(re.search('db:', ''.join(output))) output = u_boot_console.run_command(
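
Review bot: In the conftest.py hunk at @@ -76,37, dbx.auth is signed with -t "2020-04-05", which repeats the stamp already given to db1.auth and steps back from the "2020-04-06" of db1-update.auth just above it. dbx is a different variable from db, so the two files do not compete for the same stamp, but every other stamp in the hunk increases strictly, which makes this one look like a copy-and-paste slip. Either give dbx.auth its own later date or add a short comment saying the reuse is intentional.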
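
Review bot: In the conftest.py hunk at @@ -117,7, db_hello.auth gets -t "2020-04-07", the latest stamp among the files signed for db (db.auth, db1.auth, db1-update.auth), and nothing in the file records that the order of these dates matters. Going by the commit message, a write to db with a stamp that is not newer is rejected, so the dates now constrain the order in which tests can load these files. The date literals are spread across eight long command strings; collecting them in named constants, or at least adding a comment on the ordering rule, would keep a later test file from being added with a stamp that breaks the sequence unnoticed.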
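
Review bot: In the test_authvar.py hunk at @@ -111,11, once the expectation is flipped to 'Failed to set EFI variable', the retained assert(re.search('db:', ''.join(output))) only shows that db still exists, not that the rejected write left its earlier content in place. If the printenv output allows it, compare the db dump before and after this step. The new comment would also be easier to follow if it named the earlier step that first wrote db.auth, since that step lies outside the lines shown in this hunk.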