efi: test/py: authenticate fit capsules

Add support for the authentication of UEFI capsules containing FIT images.

The authentication code is moved out of the function handling raw images
into a new function efi_firmware_capsule_authenticate(). The special case
for the FMP header coming from edk2 tools is preserved. There is no
functional change for capsules containing raw images.

The python test for signed capsules with raw images is renamed with no
functional change and a new test is added for signed capsules containing
FIT images.

This can be tested with sandbox64_defconfig or sandbox_flattree_defconfig,
plus CONFIG_EFI_CAPSULE_AUTHENTICATE=y.

Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Vincent Stehlé
2022-05-31 09:55:34 +02:00
committed by Heinrich Schuchardt
parent 82b3f4cb46
commit 8645aefc8b
4 changed files with 353 additions and 48 deletions


@@ -97,7 +97,7 @@ def efi_capsule_data(request, u_boot_config):
shell=True)
if capsule_auth_enabled:
# firmware signed with proper key
# raw firmware signed with proper key
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--private-key SIGNER.key --certificate SIGNER.crt '
@@ -105,7 +105,7 @@ def efi_capsule_data(request, u_boot_config):
'u-boot.bin.new Test11'
% (data_dir, u_boot_config.build_dir),
shell=True)
# firmware signed with *mal* key
# raw firmware signed with *mal* key
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--private-key SIGNER2.key '
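Review bot: The reworded comment "raw firmware signed with *mal* key" still does not say what is wrong with the key. The visible difference from the block above is that this capsule is signed with SIGNER2.key instead of SIGNER.key, so consider naming that in the comment, and, if the intent is that authentication must reject this capsule, stating that expectation there as well.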
@@ -114,6 +114,23 @@ def efi_capsule_data(request, u_boot_config):
'u-boot.bin.new Test12'
% (data_dir, u_boot_config.build_dir),
shell=True)
# FIT firmware signed with proper key
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--private-key SIGNER.key --certificate SIGNER.crt '
'--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
'uboot_bin_env.itb Test13'
% (data_dir, u_boot_config.build_dir),
shell=True)
# FIT firmware signed with *mal* key
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--private-key SIGNER2.key '
'--certificate SIGNER2.crt '
'--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
'uboot_bin_env.itb Test14'
% (data_dir, u_boot_config.build_dir),
shell=True)
# Create a disk image with EFI system partition
check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
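Review bot: Both added check_call blocks (Test13 and Test14) start the command with 'cd %s; ' under shell=True, so a failed cd does not stop mkeficapsule from running in the directory the test was started from, and check_call only sees the exit status of the last command. Consider 'cd %s && ' or passing cwd=data_dir to check_call instead. The GUID 3673B45D-6A7C-46F3-9E60-ADABB03F7937 is also repeated as a literal in both blocks; a named constant would keep the two FIT capsules in sync and document what the GUID identifies.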