test/py: efi_capsule: add image authentication test
Add a couple of test cases against capsule image authentication for capsule-on-disk, where only a signed capsule file with the verified signature will be applied to the system. Due to the difficulty of embedding a public key (esl file) in U-Boot binary during pytest setup time, all the keys/certificates are pre-created. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Simon Glass <sjg@chromium.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
This commit is contained in:
AKASHI Takahiro
committed by
Heinrich Schuchardt
Heinrich Schuchardt
parent
a62eb06f7c
commit
bad58cb308
@@ -10,13 +10,13 @@ import pytest
|
||||
from capsule_defs import *
|
||||
|
||||
#
|
||||
# Fixture for UEFI secure boot test
|
||||
# Fixture for UEFI capsule test
|
||||
#
|
||||
|
||||
|
||||
@pytest.fixture(scope='session')
|
||||
def efi_capsule_data(request, u_boot_config):
|
||||
"""Set up a file system to be used in UEFI capsule test.
|
||||
"""Set up a file system to be used in UEFI capsule and
|
||||
authentication test.
|
||||
|
||||
Args:
|
||||
request: Pytest request object.
|
||||
@@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config):
|
||||
check_call('mkdir -p %s' % data_dir, shell=True)
|
||||
check_call('mkdir -p %s' % install_dir, shell=True)
|
||||
|
||||
capsule_auth_enabled = u_boot_config.buildconfig.get(
|
||||
'config_efi_capsule_authenticate')
|
||||
if capsule_auth_enabled:
|
||||
# Create private key (SIGNER.key) and certificate (SIGNER.crt)
|
||||
check_call('cd %s; '
|
||||
'openssl req -x509 -sha256 -newkey rsa:2048 '
|
||||
'-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
|
||||
'-out SIGNER.crt -nodes -days 365'
|
||||
% data_dir, shell=True)
|
||||
check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
|
||||
% (data_dir, EFITOOLS_PATH), shell=True)
|
||||
|
||||
# Update dtb adding capsule certificate
|
||||
check_call('cd %s; '
|
||||
'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
|
||||
% (data_dir, u_boot_config.source_dir), shell=True)
|
||||
check_call('cd %s; '
|
||||
'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
|
||||
'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
|
||||
'-o test_sig.dtb signature.dtbo'
|
||||
% (data_dir, u_boot_config.build_dir), shell=True)
|
||||
|
||||
# Create *malicious* private key (SIGNER2.key) and certificate
|
||||
# (SIGNER2.crt)
|
||||
check_call('cd %s; '
|
||||
'openssl req -x509 -sha256 -newkey rsa:2048 '
|
||||
'-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
|
||||
'-out SIGNER2.crt -nodes -days 365'
|
||||
% data_dir, shell=True)
|
||||
|
||||
# Create capsule files
|
||||
# two regions: one for u-boot.bin and the other for u-boot.env
|
||||
check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
|
||||
@@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config):
|
||||
check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' %
|
||||
(data_dir, u_boot_config.build_dir),
|
||||
shell=True)
|
||||
if capsule_auth_enabled:
|
||||
# firmware signed with proper key
|
||||
check_call('cd %s; '
|
||||
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
|
||||
'--private-key SIGNER.key --certificate SIGNER.crt '
|
||||
'--raw u-boot.bin.new Test11'
|
||||
% (data_dir, u_boot_config.build_dir),
|
||||
shell=True)
|
||||
# firmware signed with *mal* key
|
||||
check_call('cd %s; '
|
||||
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
|
||||
'--private-key SIGNER2.key '
|
||||
'--certificate SIGNER2.crt '
|
||||
'--raw u-boot.bin.new Test12'
|
||||
% (data_dir, u_boot_config.build_dir),
|
||||
shell=True)
|
||||
|
||||
# Create a disk image with EFI system partition
|
||||
check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
|
||||
|
||||
Reference in New Issue
Block a user