[PATCH v3 13/13] test/py: efi_secboot: add a test for verifying with digest of signed image

All of lore.kernel.org
 help / color / mirror / Atom feed

From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v3 13/13] test/py: efi_secboot: add a test for verifying with digest of signed image
Date: Mon, 13 Jul 2020 09:20:20 +0900	[thread overview]
Message-ID: <20200713002020.GB31381@laputa> (raw)
In-Reply-To: <722ac5f9-794b-7924-f1d6-b506c076e155@gmx.de>

Heinrich,

On Sat, Jul 11, 2020 at 08:47:15AM +0200, Heinrich Schuchardt wrote:
> On 7/8/20 7:02 AM, AKASHI Takahiro wrote:
> > Signature database (db or dbx) may have not only certificates that contain
> > a public key for RSA decryption, but also digests of signed images.
> >
> > In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID)
> > and if the value matches to a hash value calculated from image's binary,
> > authentication should pass in case of db, and fail in case of dbx.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> >  test/py/tests/test_efi_secboot/conftest.py    | 10 ++++
> >  test/py/tests/test_efi_secboot/test_signed.py | 49 +++++++++++++++++++
> >  2 files changed, 59 insertions(+)
> >
> > diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
> > index c7da1a6e29a3..553550ee02b1 100644
> > --- a/test/py/tests/test_efi_secboot/conftest.py
> > +++ b/test/py/tests/test_efi_secboot/conftest.py
> > @@ -120,6 +120,10 @@ def efi_boot_env(request, u_boot_config):
> >          check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
> >                     % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> >                     shell=True)
> > +        ## dbx_db (with TEST_db certificate)
> > +        check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db.esl dbx_db.auth'
> > +                   % (mnt_point, EFITOOLS_PATH),
> > +                   shell=True)
> >
> >          # Copy image
> >          check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True)
> > @@ -134,6 +138,12 @@ def efi_boot_env(request, u_boot_config):
> >          check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth'
> >                     % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
> >                     shell=True)
> > +        check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth'
> > +                   % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
> > +                   shell=True)
> > +        check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth'
> > +                   % (mnt_point, EFITOOLS_PATH),
> > +                   shell=True)
> >
> >          check_call('sudo umount %s' % loop_dev, shell=True)
> >          check_call('sudo losetup -d %s' % loop_dev, shell=True)
> > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
> > index 1a31a57e12c2..7531bbac6a5f 100644
> > --- a/test/py/tests/test_efi_secboot/test_signed.py
> > +++ b/test/py/tests/test_efi_secboot/test_signed.py
> > @@ -198,3 +198,52 @@ class TestEfiSignedImage(object):
> >                  'efidebug test bootmgr'])
> >              assert '\'HELLO\' failed' in ''.join(output)
> >              assert 'efi_start_image() returned: 26' in ''.join(output)
> > +
> > +    def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
> > +        """
> > +        Test Case 6 - using digest of signed image in database
> > +        """
> > +        u_boot_console.restart_uboot()
> > +        disk_img = efi_boot_env
> > +        with u_boot_console.log.section('Test Case 6a'):
> > +            # Test Case 6a, verified by image's digest in db
> > +            output = u_boot_console.run_command_list([
> > +                'host bind 0 %s' % disk_img,
> > +                'fatload host 0:1 4000000 db_hello_signed.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
> > +                'fatload host 0:1 4000000 KEK.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
> > +                'fatload host 0:1 4000000 PK.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
> > +            assert 'Failed to set EFI variable' not in ''.join(output)
> > +            output = u_boot_console.run_command_list([
> > +                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
> > +                'efidebug boot next 1',
> > +                'bootefi bootmgr'])
> > +            assert 'Hello, world!' in ''.join(output)
> > +
> > +        with u_boot_console.log.section('Test Case 6b'):
> > +            # Test Case 6b, rejected by TEST_db certificate in dbx
> > +            output = u_boot_console.run_command_list([
> > +                'fatload host 0:1 4000000 dbx_db.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
> > +            assert 'Failed to set EFI variable' not in ''.join(output)
> > +            output = u_boot_console.run_command_list([
> > +                'efidebug boot next 1',
> > +                'efidebug test bootmgr'])
> > +            assert '\'HELLO\' failed' in ''.join(output)
> > +            assert 'efi_start_image() returned: 26' in ''.join(output)
> > +
> > +        with u_boot_console.log.section('Test Case 6c'):
> > +            # Test Case 6c, rejected by image's digest in dbx
> > +            output = u_boot_console.run_command_list([
> > +                'fatload host 0:1 4000000 db.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
> > +                'fatload host 0:1 4000000 dbx_hello_signed.auth',
> > +                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
> > +            assert 'Failed to set EFI variable' not in ''.join(output)
> > +            output = u_boot_console.run_command_list([
> > +                'efidebug boot next 1',
> > +                'efidebug test bootmgr'])
> > +            assert '\'HELLO\' failed' in ''.join(output)
> > +            assert 'efi_start_image() returned: 26' in ''.join(output)
> >
> 
> This test fails due to not set time stamps for the *.auth files.
> 
> The timestamp in dbx_hello_signed.auth must be newer then dbx_db.auth.
> db_hello_signed.auth must be older then db.auth.

I have fixed this issue by adding "sleep 2" to make different timestamps,
but forgot to put it in the follow-up patch.

I have taken the same approach in my intermediate certificates patch.
Apologies for any confusion.

-Takahiro Akashi

diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
index 94c50f6cf7ca..b74640240318 100644
--- a/test/py/tests/test_efi_secboot/conftest.py
+++ b/test/py/tests/test_efi_secboot/conftest.py
@@ -141,7 +141,9 @@ def efi_boot_env(request, u_boot_config):
         check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth'
                    % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
                    shell=True)
-        check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth'
+        # 'sleep 2' here because timestamp should be newer than dbx_db.auth
+        # See Test Case 6c
+        check_call('cd %s; sleep 2; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth'
                    % (mnt_point, EFITOOLS_PATH),
                    shell=True)
 
diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
index 7531bbac6a5f..8b1e132c756c 100644
--- a/test/py/tests/test_efi_secboot/test_signed.py
+++ b/test/py/tests/test_efi_secboot/test_signed.py
@@ -237,8 +237,6 @@ class TestEfiSignedImage(object):
         with u_boot_console.log.section('Test Case 6c'):
             # Test Case 6c, rejected by image's digest in dbx
             output = u_boot_console.run_command_list([
-                'fatload host 0:1 4000000 db.auth',
-                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
                 'fatload host 0:1 4000000 dbx_hello_signed.auth',
                 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
             assert 'Failed to set EFI variable' not in ''.join(output)

next prev parent reply	other threads:[~2020-07-13  0:20 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-08  5:01 [PATCH v3 00/13] efi_loader: rework/improve UEFI secure boot code AKASHI Takahiro
2020-07-08  5:01 ` [PATCH v3 01/13] lib/crypto, efi_loader: avoid multiple inclusions of header files AKASHI Takahiro
2020-07-08 10:29   ` Heinrich Schuchardt
2020-07-09  0:47     ` AKASHI Takahiro
2020-07-08  5:01 ` [PATCH v3 02/13] efi_loader: image_loader: add a check against certificate type of authenticode AKASHI Takahiro
2020-07-08  5:01 ` [PATCH v3 03/13] efi_loader: image_loader: retrieve authenticode only if it exists AKASHI Takahiro
2020-07-08  5:01 ` [PATCH v3 04/13] efi_loader: signature: fix a size check against revocation list AKASHI Takahiro
2020-07-08  5:01 ` [PATCH v3 05/13] efi_loader: signature: make efi_hash_regions more generic AKASHI Takahiro
2020-07-08  5:01 ` [PATCH v3 06/13] efi_loader: image_loader: verification for all signatures should pass AKASHI Takahiro
2020-07-08  5:01 ` [PATCH v3 07/13] efi_loader: image_loader: add digest-based verification for signed image AKASHI Takahiro
2020-07-08  5:01 ` [PATCH v3 08/13] test/py: efi_secboot: apply autopep8 AKASHI Takahiro
2020-07-08  5:01 ` [PATCH v3 09/13] test/py: efi_secboot: more fixes against pylint AKASHI Takahiro
2020-07-08  5:02 ` [PATCH v3 10/13] test/py: efi_secboot: split "signed image" test case-1 into two cases AKASHI Takahiro
2020-07-08  5:02 ` [PATCH v3 11/13] test/py: efi_secboot: add a test against certificate revocation AKASHI Takahiro
2020-07-08  5:02 ` [PATCH v3 12/13] test/py: efi_secboot: add a test for multiple signatures AKASHI Takahiro
2020-07-08  5:02 ` [PATCH v3 13/13] test/py: efi_secboot: add a test for verifying with digest of signed image AKASHI Takahiro
2020-07-11  6:47   ` Heinrich Schuchardt
2020-07-13  0:20     ` AKASHI Takahiro [this message]
2020-07-08 16:40 ` [PATCH v3 00/13] efi_loader: rework/improve UEFI secure boot code Heinrich Schuchardt

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:94c50f6cf7c dfblob:b7464024031 dfblob:7531bbac6a5
dfblob:8b1e132c756 )
 OR (
bs:"[PATCH v3 13/13] test/py: efi_secboot: add a test for verifying with digest of signed image" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200713002020.GB31381@laputa \
    --to=takahiro.akashi@linaro.org \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.