1 # SPDX-License-Identifier: GPL-2.0+
2 # Copyright (c) 2019, Linaro Limited
3 # Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
5 # U-Boot UEFI: Variable Authentication Test
8 This test verifies variable authentication
15 @pytest.mark.boardspec('sandbox')
16 @pytest.mark.buildconfigspec('efi_secure_boot')
17 @pytest.mark.buildconfigspec('cmd_fat')
18 @pytest.mark.buildconfigspec('cmd_nvedit_efi')
20 class TestEfiAuthVar(object):
21 def test_efi_var_auth1(self, u_boot_console, efi_boot_env):
23 Test Case 1 - Install signature database
25 u_boot_console.restart_uboot()
26 disk_img = efi_boot_env
27 with u_boot_console.log.section('Test Case 1a'):
28 # Test Case 1a, Initial secure state
29 output = u_boot_console.run_command_list([
30 'host bind 0 %s' % disk_img,
31 'printenv -e SecureBoot'])
32 assert('00000000: 00' in ''.join(output))
34 output = u_boot_console.run_command(
35 'printenv -e SetupMode')
36 assert('00000000: 01' in output)
38 with u_boot_console.log.section('Test Case 1b'):
39 # Test Case 1b, PK without AUTHENTICATED_WRITE_ACCESS
40 output = u_boot_console.run_command_list([
41 'fatload host 0:1 4000000 PK.auth',
42 'setenv -e -nv -bs -rt -i 4000000,$filesize PK'])
43 assert(re.search('Failed to set EFI variable', ''.join(output)))
45 with u_boot_console.log.section('Test Case 1c'):
46 # Test Case 1c, install PK
47 output = u_boot_console.run_command_list([
48 'fatload host 0:1 4000000 PK.auth',
49 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
51 assert(re.search('PK:', ''.join(output)))
53 output = u_boot_console.run_command(
54 'printenv -e SecureBoot')
55 assert('00000000: 01' in output)
56 output = u_boot_console.run_command(
57 'printenv -e SetupMode')
58 assert('00000000: 00' in output)
60 with u_boot_console.log.section('Test Case 1d'):
61 # Test Case 1d, db/dbx without KEK
62 output = u_boot_console.run_command_list([
63 'fatload host 0:1 4000000 db.auth',
64 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
65 assert(re.search('Failed to set EFI variable', ''.join(output)))
67 output = u_boot_console.run_command_list([
68 'fatload host 0:1 4000000 db.auth',
69 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
70 assert(re.search('Failed to set EFI variable', ''.join(output)))
72 with u_boot_console.log.section('Test Case 1e'):
73 # Test Case 1e, install KEK
74 output = u_boot_console.run_command_list([
75 'fatload host 0:1 4000000 KEK.auth',
76 'setenv -e -nv -bs -rt -i 4000000,$filesize KEK'])
77 assert(re.search('Failed to set EFI variable', ''.join(output)))
79 output = u_boot_console.run_command_list([
80 'fatload host 0:1 4000000 KEK.auth',
81 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
82 'printenv -e -n KEK'])
83 assert(re.search('KEK:', ''.join(output)))
85 output = u_boot_console.run_command(
86 'printenv -e SecureBoot')
87 assert('00000000: 01' in output)
89 with u_boot_console.log.section('Test Case 1f'):
90 # Test Case 1f, install db
91 output = u_boot_console.run_command_list([
92 'fatload host 0:1 4000000 db.auth',
93 'setenv -e -nv -bs -rt -i 4000000,$filesize db'])
94 assert(re.search('Failed to set EFI variable', ''.join(output)))
96 output = u_boot_console.run_command_list([
97 'fatload host 0:1 4000000 db.auth',
98 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
99 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
100 assert(not re.search('Failed to set EFI variable', ''.join(output)))
101 assert(re.search('db:', ''.join(output)))
103 output = u_boot_console.run_command(
104 'printenv -e SecureBoot')
105 assert('00000000: 01' in output)
107 with u_boot_console.log.section('Test Case 1g'):
108 # Test Case 1g, install dbx
109 output = u_boot_console.run_command_list([
110 'fatload host 0:1 4000000 db.auth',
111 'setenv -e -nv -bs -rt -i 4000000,$filesize db'])
112 assert(re.search('Failed to set EFI variable', ''.join(output)))
114 output = u_boot_console.run_command_list([
115 'fatload host 0:1 4000000 db.auth',
116 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
117 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
118 assert(not re.search('Failed to set EFI variable', ''.join(output)))
119 assert(re.search('db:', ''.join(output)))
121 output = u_boot_console.run_command(
122 'printenv -e SecureBoot')
123 assert('00000000: 01' in output)
125 def test_efi_var_auth2(self, u_boot_console, efi_boot_env):
127 Test Case 2 - Update database by overwriting
129 u_boot_console.restart_uboot()
130 disk_img = efi_boot_env
131 with u_boot_console.log.section('Test Case 2a'):
132 # Test Case 2a, update without AUTHENTICATED_WRITE_ACCESS
133 output = u_boot_console.run_command_list([
134 'host bind 0 %s' % disk_img,
135 'fatload host 0:1 4000000 PK.auth',
136 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
137 'fatload host 0:1 4000000 KEK.auth',
138 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
139 'fatload host 0:1 4000000 db.auth',
140 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
141 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
142 assert(not re.search('Failed to set EFI variable', ''.join(output)))
143 assert(re.search('db:', ''.join(output)))
145 output = u_boot_console.run_command_list([
146 'fatload host 0:1 4000000 db1.auth',
147 'setenv -e -nv -bs -rt -i 4000000,$filesize db'])
148 assert(re.search('Failed to set EFI variable', ''.join(output)))
150 with u_boot_console.log.section('Test Case 2b'):
151 # Test Case 2b, update without correct signature
152 output = u_boot_console.run_command_list([
153 'fatload host 0:1 4000000 db.esl',
154 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
155 assert(re.search('Failed to set EFI variable', ''.join(output)))
157 with u_boot_console.log.section('Test Case 2c'):
158 # Test Case 2c, update with correct signature
159 output = u_boot_console.run_command_list([
160 'fatload host 0:1 4000000 db1.auth',
161 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
162 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
163 assert(not re.search('Failed to set EFI variable', ''.join(output)))
164 assert(re.search('db:', ''.join(output)))
166 def test_efi_var_auth3(self, u_boot_console, efi_boot_env):
168 Test Case 3 - Append database
170 u_boot_console.restart_uboot()
171 disk_img = efi_boot_env
172 with u_boot_console.log.section('Test Case 3a'):
173 # Test Case 3a, update without AUTHENTICATED_WRITE_ACCESS
174 output = u_boot_console.run_command_list([
175 'host bind 0 %s' % disk_img,
176 'fatload host 0:1 4000000 PK.auth',
177 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
178 'fatload host 0:1 4000000 KEK.auth',
179 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
180 'fatload host 0:1 4000000 db.auth',
181 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
182 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
183 assert(not re.search('Failed to set EFI variable', ''.join(output)))
184 assert(re.search('db:', ''.join(output)))
186 output = u_boot_console.run_command_list([
187 'fatload host 0:1 4000000 db1.auth',
188 'setenv -e -nv -bs -rt -a -i 4000000,$filesize db'])
189 assert(re.search('Failed to set EFI variable', ''.join(output)))
191 with u_boot_console.log.section('Test Case 3b'):
192 # Test Case 3b, update without correct signature
193 output = u_boot_console.run_command_list([
194 'fatload host 0:1 4000000 db.esl',
195 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db'])
196 assert(re.search('Failed to set EFI variable', ''.join(output)))
198 with u_boot_console.log.section('Test Case 3c'):
199 # Test Case 3c, update with correct signature
200 output = u_boot_console.run_command_list([
201 'fatload host 0:1 4000000 db1.auth',
202 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db',
203 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
204 assert(not re.search('Failed to set EFI variable', ''.join(output)))
205 assert(re.search('db:', ''.join(output)))
207 def test_efi_var_auth4(self, u_boot_console, efi_boot_env):
209 Test Case 4 - Delete database without authentication
211 u_boot_console.restart_uboot()
212 disk_img = efi_boot_env
213 with u_boot_console.log.section('Test Case 4a'):
214 # Test Case 4a, update without AUTHENTICATED_WRITE_ACCESS
215 output = u_boot_console.run_command_list([
216 'host bind 0 %s' % disk_img,
217 'fatload host 0:1 4000000 PK.auth',
218 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
219 'fatload host 0:1 4000000 KEK.auth',
220 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
221 'fatload host 0:1 4000000 db.auth',
222 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
223 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
224 assert(not re.search('Failed to set EFI variable', ''.join(output)))
225 assert(re.search('db:', ''.join(output)))
227 output = u_boot_console.run_command_list([
228 'setenv -e -nv -bs -rt db',
229 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
230 assert(re.search('Failed to set EFI variable', ''.join(output)))
231 assert(re.search('db:', ''.join(output)))
233 with u_boot_console.log.section('Test Case 4b'):
234 # Test Case 4b, update without correct signature/data
235 output = u_boot_console.run_command_list([
236 'setenv -e -nv -bs -rt -at db',
237 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
238 assert(re.search('Failed to set EFI variable', ''.join(output)))
239 assert(re.search('db:', ''.join(output)))
241 def test_efi_var_auth5(self, u_boot_console, efi_boot_env):
243 Test Case 5 - Uninstall(delete) PK
245 u_boot_console.restart_uboot()
246 disk_img = efi_boot_env
247 with u_boot_console.log.section('Test Case 5a'):
248 # Test Case 5a, Uninstall PK without correct signature
249 output = u_boot_console.run_command_list([
250 'host bind 0 %s' % disk_img,
251 'fatload host 0:1 4000000 PK.auth',
252 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
253 'fatload host 0:1 4000000 KEK.auth',
254 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
255 'fatload host 0:1 4000000 db.auth',
256 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
257 'printenv -e -n PK'])
258 assert(not re.search('Failed to set EFI variable', ''.join(output)))
259 assert(re.search('PK:', ''.join(output)))
261 output = u_boot_console.run_command_list([
262 'fatload host 0:1 4000000 PK_null.esl',
263 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
264 'printenv -e -n PK'])
265 assert(re.search('Failed to set EFI variable', ''.join(output)))
266 assert(re.search('PK:', ''.join(output)))
268 with u_boot_console.log.section('Test Case 5b'):
269 # Test Case 5b, Uninstall PK with correct signature
270 output = u_boot_console.run_command_list([
271 'fatload host 0:1 4000000 PK_null.auth',
272 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
273 'printenv -e -n PK'])
274 assert(not re.search('Failed to set EFI variable', ''.join(output)))
275 assert(re.search('\"PK\" not defined', ''.join(output)))
277 output = u_boot_console.run_command(
278 'printenv -e SecureBoot')
279 assert('00000000: 00' in output)
280 output = u_boot_console.run_command(
281 'printenv -e SetupMode')
282 assert('00000000: 01' in output)