From ce5172cf655533eabb977556036509416385cd90 Mon Sep 17 00:00:00 2001 From: Philippe Reynes Date: Wed, 18 Sep 2019 16:04:53 +0200 Subject: [PATCH] pytest: vboot: add a test for required key This commit add a test in the vboot test to check that when a required key is asked, only FIT signed with this key is used/accepted by u-boot. Signed-off-by: Philippe Reynes --- test/py/tests/test_vboot.py | 57 +++++++++++++++++++ .../vboot/sign-configs-sha256-pss-prod.its | 46 +++++++++++++++ 2 files changed, 103 insertions(+) create mode 100644 test/py/tests/vboot/sign-configs-sha256-pss-prod.its diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index 4627ceb026..9c41ee56b1 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py @@ -80,6 +80,8 @@ def test_vboot(u_boot_console): assert(expect_string in ''.join(output)) if boots: assert('sandbox: continuing, as we cannot run' in ''.join(output)) + else: + assert('sandbox: continuing, as we cannot run' not in ''.join(output)) def make_fit(its): """Make a new FIT from the .its source file. @@ -106,6 +108,20 @@ def test_vboot(u_boot_console): util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit]) + def sign_fit_norequire(sha_algo): + """Sign the FIT + + Signs the FIT and writes the signature into it. It also writes the + public key into the dtb. + + Args: + sha_algo: Either 'sha1' or 'sha256', to select the algorithm to + use. + """ + cons.log.action('%s: Sign images' % sha_algo) + util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb, + fit]) + def replace_fit_totalsize(size): """Replace FIT header's totalsize with something greater. @@ -195,6 +211,35 @@ def test_vboot(u_boot_console): util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit, '-k', dtb], 1, 'Failed to verify required signature') + def test_required_key(sha_algo, padding): + """Test verified boot with the given hash algorithm. + + This function test if u-boot reject an image when a required + key isn't used to sign a FIT. + + Args: + sha_algo: Either 'sha1' or 'sha256', to select the algorithm to + use. + """ + # Compile our device tree files for kernel and U-Boot. These are + # regenerated here since mkimage will modify them (by adding a + # public key) below. + dtc('sandbox-kernel.dts') + dtc('sandbox-u-boot.dts') + + # Build the FIT with prod key (keys required) + # Build the FIT with dev key (keys NOT required) + # The dtb contain the key prod and dev and the key prod are set as required. + # Then try to boot the FIT with dev key + # This FIT should not be accepted by u-boot because the key prod is required + cons.log.action('%s: Test FIT with configs images' % sha_algo) + make_fit('sign-configs-%s%s-prod.its' % (sha_algo , padding)) + sign_fit(sha_algo) + make_fit('sign-configs-%s%s.its' % (sha_algo , padding)) + sign_fit(sha_algo) + + run_bootm(sha_algo, 'signed configs', '', False) + cons = u_boot_console tmpdir = cons.config.result_dir + '/' tmp = tmpdir + 'vboot.tmp' @@ -217,6 +262,17 @@ def test_vboot(u_boot_console): util.run_and_log(cons, 'openssl req -batch -new -x509 -key %sdev.key -out ' '%sdev.crt' % (tmpdir, tmpdir)) + # Create an RSA key pair (prod) + public_exponent = 65537 + util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %sprod.key ' + '-pkeyopt rsa_keygen_bits:2048 ' + '-pkeyopt rsa_keygen_pubexp:%d' % + (tmpdir, public_exponent)) + + # Create a certificate containing the public key (prod) + util.run_and_log(cons, 'openssl req -batch -new -x509 -key %sprod.key -out ' + '%sprod.crt' % (tmpdir, tmpdir)) + # Create a number kernel image with zeroes with open('%stest-kernel.bin' % tmpdir, 'w') as fd: fd.write(5000 * chr(0)) @@ -230,6 +286,7 @@ def test_vboot(u_boot_console): test_with_algo('sha1','-pss') test_with_algo('sha256','') test_with_algo('sha256','-pss') + test_required_key('sha256','-pss') finally: # Go back to the original U-Boot with the correct dtb. cons.config.dtb = old_dtb diff --git a/test/py/tests/vboot/sign-configs-sha256-pss-prod.its b/test/py/tests/vboot/sign-configs-sha256-pss-prod.its new file mode 100644 index 0000000000..aac732e304 --- /dev/null +++ b/test/py/tests/vboot/sign-configs-sha256-pss-prod.its @@ -0,0 +1,46 @@ +/dts-v1/; + +/ { + description = "Chrome OS kernel image with one or more FDT blobs"; + #address-cells = <1>; + + images { + kernel { + data = /incbin/("test-kernel.bin"); + type = "kernel_noload"; + arch = "sandbox"; + os = "linux"; + compression = "none"; + load = <0x4>; + entry = <0x8>; + kernel-version = <1>; + hash-1 { + algo = "sha256"; + }; + }; + fdt-1 { + description = "snow"; + data = /incbin/("sandbox-kernel.dtb"); + type = "flat_dt"; + arch = "sandbox"; + compression = "none"; + fdt-version = <1>; + hash-1 { + algo = "sha256"; + }; + }; + }; + configurations { + default = "conf-1"; + conf-1 { + kernel = "kernel"; + fdt = "fdt-1"; + signature { + algo = "sha256,rsa2048"; + padding = "pss"; + key-name-hint = "prod"; + sign-images = "fdt", "kernel"; + }; + }; + }; +}; -- 2.25.1