From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 16/16] efi_loader, pytest: add UEFI secure boot tests (image)
Date: Mon, 18 Nov 2019 15:00:24 +0900 [thread overview]
Message-ID: <20191118060023.GO22427@linaro.org> (raw)
In-Reply-To: <4efac252-05a6-4126-4566-e511ae70fe0f@gmx.de>
Heinrich,
On Sat, Nov 16, 2019 at 09:31:04PM +0100, Heinrich Schuchardt wrote:
> On 11/13/19 1:53 AM, AKASHI Takahiro wrote:
> >Provide test cases for
> > * image authentication for signed images
> > (test_efi_secboot/test_signed.py)
> > * image authentication for unsigned images
> > (test_efi_secboot/test_unsigned.py)
> >
> >Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >---
> > test/py/tests/test_efi_secboot/test_signed.py | 97 +++++++++++++++++
> > .../tests/test_efi_secboot/test_unsigned.py | 100 ++++++++++++++++++
> > 2 files changed, 197 insertions(+)
> > create mode 100644 test/py/tests/test_efi_secboot/test_signed.py
> > create mode 100644 test/py/tests/test_efi_secboot/test_unsigned.py
> >
> >diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
> >new file mode 100644
> >index 000000000000..00f539462eb8
> >--- /dev/null
> >+++ b/test/py/tests/test_efi_secboot/test_signed.py
> >@@ -0,0 +1,97 @@
> >+# SPDX-License-Identifier: GPL-2.0+
> >+# Copyright (c) 2019, Linaro Limited
> >+# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >+#
> >+# U-Boot UEFI: Signed Image Authentication Test
> >+
> >+"""
> >+This test verifies image authentication for signed images.
> >+"""
> >+
> >+import pytest
> >+import re
> >+from defs import *
> >+
> >+ at pytest.mark.boardspec('sandbox')
>
> Why would we only test on the sandbox? This leaves 32bit untested.
I commented on this issue on patch#15.
> >+ at pytest.mark.buildconfigspec('efi_secure_boot')
> >+ at pytest.mark.buildconfigspec('cmd_efidebug')
> >+ at pytest.mark.buildconfigspec('cmd_fat')
> >+ at pytest.mark.buildconfigspec('cmd_nvedit_efi')
> >+ at pytest.mark.slow
> >+class TestEfiSignedImage(object):
> >+ def test_efi_signed_image_auth1(self, u_boot_console, efi_boot_env):
> >+ """
> >+ Test Case 1 - authenticated by db
> >+ """
> >+ disk_img = efi_boot_env
> >+ with u_boot_console.log.section('Test Case 1a'):
> >+ # Test Case 1a, run signed image if no db/dbx
> >+ output = u_boot_console.run_command_list([
> >+ 'host bind 0 %s' % disk_img,
> >+ 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""',
> >+ 'efidebug boot next 1',
> >+ 'bootefi bootmgr'])
> >+ assert(re.search('Hello, world!', ''.join(output)))
> >+
> >+ with u_boot_console.log.section('Test Case 1b'):
> >+ # Test Case 1b, run unsigned image if no db/dbx
> >+ output = u_boot_console.run_command_list([
> >+ 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""',
> >+ 'efidebug boot next 2',
> >+ 'bootefi bootmgr'])
> >+ assert(re.search('Hello, world!', ''.join(output)))
> >+
> >+ with u_boot_console.log.section('Test Case 1c'):
> >+ # Test Case 1c, not authenticated by db
> >+ output = u_boot_console.run_command_list([
> >+ 'fatload host 0:1 4000000 db.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
> >+ 'fatload host 0:1 4000000 KEK.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
> >+ 'fatload host 0:1 4000000 PK.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
> >+ assert(not re.search('Failed to set EFI variable', ''.join(output)))
> >+ output = u_boot_console.run_command_list([
> >+ 'efidebug boot next 2',
> >+ 'bootefi bootmgr'])
> >+ assert(re.search('\'HELLO2\' failed', ''.join(output)))
> >+
> >+ with u_boot_console.log.section('Test Case 1d'):
> >+ # Test Case 1d, authenticated by db
> >+ output = u_boot_console.run_command_list([
> >+ 'efidebug boot next 1',
> >+ 'bootefi bootmgr'])
> >+ assert(re.search('Hello, world!', ''.join(output)))
> >+
> >+ def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env):
> >+ """
> >+ Test Case 2 - rejected by dbx
> >+ """
> >+ disk_img = efi_boot_env
> >+ with u_boot_console.log.section('Test Case 2a'):
> >+ # Test Case 2a, rejected by dbx
> >+ output = u_boot_console.run_command_list([
> >+ 'host bind 0 %s' % disk_img,
> >+ 'fatload host 0:1 4000000 db.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
> >+ 'fatload host 0:1 4000000 KEK.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
> >+ 'fatload host 0:1 4000000 PK.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
> >+ assert(not re.search('Failed to set EFI variable', ''.join(output)))
> >+ output = u_boot_console.run_command_list([
> >+ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
> >+ 'efidebug boot next 1',
> >+ 'bootefi bootmgr'])
> >+ assert(re.search('\'HELLO\' failed', ''.join(output)))
> >+
> >+ with u_boot_console.log.section('Test Case 2b'):
> >+ # Test Case 2b, rejected by dbx even if db allows
> >+ output = u_boot_console.run_command_list([
> >+ 'fatload host 0:1 4000000 db.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
> >+ assert(not re.search('Failed to set EFI variable', ''.join(output)))
> >+ output = u_boot_console.run_command_list([
> >+ 'efidebug boot next 1',
> >+ 'bootefi bootmgr'])
> >+ assert(re.search('\'HELLO\' failed', ''.join(output)))
> >diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py
> >new file mode 100644
> >index 000000000000..2bfa188b530c
> >--- /dev/null
> >+++ b/test/py/tests/test_efi_secboot/test_unsigned.py
> >@@ -0,0 +1,100 @@
> >+# SPDX-License-Identifier: GPL-2.0+
> >+# Copyright (c) 2019, Linaro Limited
> >+# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >+#
> >+# U-Boot UEFI: Signed Image Authentication Test
> >+
> >+"""
> >+This test verifies image authentication for unsigned images.
> >+"""
> >+
> >+import pytest
> >+import re
> >+from defs import *
> >+
> >+ at pytest.mark.boardspec('sandbox')
> >+ at pytest.mark.buildconfigspec('efi_secure_boot')
> >+ at pytest.mark.buildconfigspec('cmd_efidebug')
> >+ at pytest.mark.buildconfigspec('cmd_fat')
> >+ at pytest.mark.buildconfigspec('cmd_nvedit_efi')
> >+ at pytest.mark.slow
> >+class TestEfiUnsignedImage(object):
> >+ def test_efi_unsigned_image_auth1(self, u_boot_console, efi_boot_env):
> >+ """
> >+ Test Case 1 - rejected when not digest in db or dbx
> >+ """
> >+ disk_img = efi_boot_env
> >+ with u_boot_console.log.section('Test Case 1'):
> >+ # Test Case 1
> >+ output = u_boot_console.run_command_list([
> >+ 'host bind 0 %s' % disk_img,
> >+ 'fatload host 0:1 4000000 KEK.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
> >+ 'fatload host 0:1 4000000 PK.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
> >+ assert(not re.search('Failed to set EFI variable', ''.join(output)))
> >+
> >+ output = u_boot_console.run_command_list([
> >+ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
> >+ 'efidebug boot next 1',
> >+ 'bootefi bootmgr'])
> >+ assert(re.search('\'HELLO\' failed', ''.join(output)))
> >+
> >+ def test_efi_unsigned_image_auth2(self, u_boot_console, efi_boot_env):
> >+ """
> >+ Test Case 2 - authenticated by digest in db
> >+ """
> >+ disk_img = efi_boot_env
> >+ with u_boot_console.log.section('Test Case 2'):
> >+ # Test Case 2
> >+ output = u_boot_console.run_command_list([
> >+ 'host bind 0 %s' % disk_img,
> >+ 'fatload host 0:1 4000000 db_hello.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
> >+ 'fatload host 0:1 4000000 KEK.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
> >+ 'fatload host 0:1 4000000 PK.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
> >+ assert(not re.search('Failed to set EFI variable', ''.join(output)))
> >+
> >+ output = u_boot_console.run_command_list([
> >+ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
> >+ 'efidebug boot next 1',
> >+ 'bootefi bootmgr'])
> >+ assert(re.search('Hello, world!', ''.join(output)))
> >+
> >+ def test_efi_unsigned_image_auth3(self, u_boot_console, efi_boot_env):
> >+ """
> >+ Test Case 3 - rejected by digest in dbx
> >+ """
> >+ disk_img = efi_boot_env
> >+ with u_boot_console.log.section('Test Case 3a'):
> >+ # Test Case 3a, rejected by dbx
> >+ output = u_boot_console.run_command_list([
> >+ 'host bind 0 %s' % disk_img,
> >+ 'fatload host 0:1 4000000 db_hello.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
> >+ 'fatload host 0:1 4000000 KEK.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
> >+ 'fatload host 0:1 4000000 PK.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
> >+ assert(not re.search('Failed to set EFI variable', ''.join(output)))
> >+
> >+ output = u_boot_console.run_command_list([
> >+ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
>
> You cannot assume any host file system to be connected as nothing in you
> test definition requires this.
ditto.
Thanks,
-Takahiro Akashi
> Best regards
>
> Heinrich
>
> >+ 'efidebug boot next 1',
> >+ 'bootefi bootmgr'])
> >+ assert(re.search('\'HELLO\' failed', ''.join(output)))
> >+
> >+ with u_boot_console.log.section('Test Case 3b'):
> >+ # Test Case 3b, rejected by dbx even if db allows
> >+ output = u_boot_console.run_command_list([
> >+ 'fatload host 0:1 4000000 db_hello.auth',
> >+ 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
> >+ assert(not re.search('Failed to set EFI variable', ''.join(output)))
> >+
> >+ output = u_boot_console.run_command_list([
> >+ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
> >+ 'efidebug boot next 1',
> >+ 'bootefi bootmgr'])
> >+ assert(re.search('\'HELLO\' failed', ''.join(output)))
> >
>
next prev parent reply other threads:[~2019-11-18 6:00 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-13 0:52 [U-Boot] [PATCH 00/16] efi_loader: add secure boot support AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 01/16] include: pe.h: add signature-related definitions AKASHI Takahiro
2019-11-16 17:42 ` Heinrich Schuchardt
2019-11-18 5:44 ` AKASHI Takahiro
2019-11-18 6:26 ` Heinrich Schuchardt
2019-11-18 6:53 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 02/16] include: image.h: export hash algorithm helper functions AKASHI Takahiro
2019-11-16 17:59 ` Heinrich Schuchardt
2019-11-18 6:22 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 03/16] secure boot: rename CONFIG_SECURE_BOOT config option AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 04/16] efi_loader: add CONFIG_EFI_SECURE_BOOT " AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 05/16] efi_loader: add signature verification functions AKASHI Takahiro
2019-11-16 20:00 ` Heinrich Schuchardt
2019-11-18 7:57 ` AKASHI Takahiro
2019-11-18 8:31 ` AKASHI Takahiro
2019-11-19 5:22 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 06/16] efi_loader: add signature database parser AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 07/16] efi_loader: variable: support variable authentication AKASHI Takahiro
2019-11-16 20:02 ` Heinrich Schuchardt
2019-11-18 7:08 ` AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 08/16] efi_loader: variable: add secure boot state transition AKASHI Takahiro
2019-11-13 0:52 ` [U-Boot] [PATCH 09/16] efi_loader: variable: add VendorKeys variable AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 10/16] efi_loader: image_loader: support image authentication AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 11/16] efi_loader: set up secure boot AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 12/16] cmd: env: use appropriate guid for authenticated UEFI variable AKASHI Takahiro
2019-11-16 20:10 ` Heinrich Schuchardt
2019-11-18 6:34 ` AKASHI Takahiro
2019-11-18 6:56 ` Patrick Wildt
2019-11-13 0:53 ` [U-Boot] [PATCH 13/16] cmd: env: add "-at" option to "env set -e" command AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 14/16] efi_loader, pytest: set up secure boot environment AKASHI Takahiro
2019-11-16 20:19 ` Heinrich Schuchardt
2019-11-18 5:52 ` AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 15/16] efi_loader, pytest: add UEFI secure boot tests (authenticated variables) AKASHI Takahiro
2019-11-16 20:28 ` Heinrich Schuchardt
2019-11-18 5:58 ` AKASHI Takahiro
2019-11-20 2:17 ` AKASHI Takahiro
2019-11-13 0:53 ` [U-Boot] [PATCH 16/16] efi_loader, pytest: add UEFI secure boot tests (image) AKASHI Takahiro
2019-11-16 20:31 ` Heinrich Schuchardt
2019-11-18 6:00 ` AKASHI Takahiro [this message]
2019-11-15 2:19 ` [U-Boot] [PATCH 00/16] efi_loader: add secure boot support AKASHI Takahiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191118060023.GO22427@linaro.org \
--to=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.