From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Simon Glass <sjg@chromium.org>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
Alex Graf <agraf@csgraf.de>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>,
Sughosh Ganu <sughosh.ganu@linaro.org>,
Masami Hiramatsu <masami.hiramatsu@linaro.org>,
U-Boot Mailing List <u-boot@lists.denx.de>
Subject: Re: [PATCH v5 05/11] test/py: efi_capsule: add image authentication test
Date: Fri, 5 Nov 2021 10:21:02 +0900 [thread overview]
Message-ID: <20211105012102.GB27316@laputa> (raw)
In-Reply-To: <CAPnjgZ1jekmz_mGCRFvTzWYQG9zOro67GN3hLG9q023Nn67zEg@mail.gmail.com>
On Wed, Nov 03, 2021 at 08:49:04PM -0600, Simon Glass wrote:
> Hi Takahiro,
>
> On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> >
> > On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote:
> > > Hi Takahiro,
> > >
> > > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro
> > > <takahiro.akashi@linaro.org> wrote:
> > > >
> > > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:
> > > > > Hi Takahiro,
> > > > >
> > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro
> > > > > <takahiro.akashi@linaro.org> wrote:
> > > > > >
> > > > > > Add a couple of test cases against capsule image authentication
> > > > > > for capsule-on-disk, where only a signed capsule file with the verified
> > > > > > signature will be applied to the system.
> > > > > >
> > > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot
> > > > > > binary during pytest setup time, all the keys/certificates are pre-created.
> > > > > >
> > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > > > > ---
> > > > > > .../py/tests/test_efi_capsule/capsule_defs.py | 5 +
> > > > > > test/py/tests/test_efi_capsule/conftest.py | 35 ++-
> > > > > > test/py/tests/test_efi_capsule/signature.dts | 10 +
> > > > > > .../test_capsule_firmware_signed.py | 233 ++++++++++++++++++
> > > > > > 4 files changed, 280 insertions(+), 3 deletions(-)
> > > > > > create mode 100644 test/py/tests/test_efi_capsule/signature.dts
> > > > > > create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> > > > > >
> > > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > index 4fd6353c2040..aa9bf5eee3aa 100644
> > > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > @@ -3,3 +3,8 @@
> > > > > > # Directories
> > > > > > CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
> > > > > > CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
> > > > > > +
> > > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
> > > > > > +# you need build a newer version on your own.
> > > > > > +# The path must terminate with '/'.
> > > > > > +EFITOOLS_PATH = ''
> > > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
> > > > > > index 6ad5608cd71c..b0e84dec4931 100644
> > > > > > --- a/test/py/tests/test_efi_capsule/conftest.py
> > > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py
> > > > > > @@ -10,13 +10,13 @@ import pytest
> > > > > > from capsule_defs import *
> > > > > >
> > > > > > #
> > > > > > -# Fixture for UEFI secure boot test
> > > > > > +# Fixture for UEFI capsule test
> > > > > > #
> > > > > >
> > > > > > -
> > > > > > @pytest.fixture(scope='session')
> > > > > > def efi_capsule_data(request, u_boot_config):
> > > > > > - """Set up a file system to be used in UEFI capsule test.
> > > > > > + """Set up a file system to be used in UEFI capsule and
> > > > > > + authentication test.
> > > > > >
> > > > > > Args:
> > > > > > request: Pytest request object.
> > > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):
> > > > > > check_call('mkdir -p %s' % data_dir, shell=True)
> > > > > > check_call('mkdir -p %s' % install_dir, shell=True)
> > > > > >
> > > > > > + capsule_auth_enabled = u_boot_config.buildconfig.get(
> > > > > > + 'config_efi_capsule_authenticate')
> > > > > > + if capsule_auth_enabled:
> > > > > > + # Create private key (SIGNER.key) and certificate (SIGNER.crt)
> > > > > > + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'
> > > > > > + % data_dir, shell=True)
> > > > >
> > > > > run_and_log()?
> > > >
> > > > I have always used this style of coding in this file as well as
> > > > other my pytests in test/py/tests (filesystem and secure boot).
> > > >
> > > > So, at least in this patch, I don't want to have mixed styles.
> > >
> > > I don't mind about the style.
> > >
> > > Does the command appear in the test log?
> >
> > I don't think so as it is invoked in conftest.py.
> > If the command fails, the tests will skip, and if it generates
> > a improper signature, the tests will fail.
>
> Well that is what I am getting at. Can you check?
Yes.
> The test log is supposed to show everything that happened. It does
> that with other tests
It does?
(I don't think so.)
> and I worry that using this function to run
> things will mean that no one will be able to debug your test in CI.
What is missing in general is that confest.py doesn't generate
line-by-line trace logs if needed.
It's not my test specific.
-Takahiro Akashi
> Regards,
> Simon
next prev parent reply other threads:[~2021-11-05 1:21 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-28 6:23 [PATCH v5 00/11] efi_loader: capsule: improve capsule authentication support AKASHI Takahiro
2021-10-28 6:23 ` [PATCH v5 01/11] efi_loader: capsule: drop __weak from efi_get_public_key_data() AKASHI Takahiro
2021-10-29 3:17 ` Simon Glass
2021-10-28 6:23 ` [PATCH v5 02/11] tools: mkeficapsule: add firmwware image signing AKASHI Takahiro
2021-10-29 3:17 ` Simon Glass
2021-10-29 4:56 ` AKASHI Takahiro
2021-11-02 14:56 ` Simon Glass
2021-11-02 15:13 ` Mark Kettenis
2021-11-04 2:51 ` Simon Glass
2021-11-04 14:31 ` Mark Kettenis
2021-11-04 15:11 ` Simon Glass
2021-11-04 16:51 ` Mark Kettenis
2021-11-05 2:02 ` Simon Glass
2021-11-05 8:36 ` Mark Kettenis
2021-11-05 1:04 ` AKASHI Takahiro
2021-11-05 2:02 ` Simon Glass
2021-11-05 2:35 ` AKASHI Takahiro
2021-11-05 9:35 ` AKASHI Takahiro
2021-11-08 4:55 ` AKASHI Takahiro
2021-11-15 7:50 ` AKASHI Takahiro
2021-11-08 8:46 ` AKASHI Takahiro
2021-11-04 2:59 ` AKASHI Takahiro
2021-10-28 6:23 ` [PATCH v5 03/11] tools: mkeficapsule: add man page AKASHI Takahiro
2021-10-29 3:17 ` Simon Glass
2021-10-28 6:23 ` [PATCH v5 04/11] doc: update UEFI document for usage of mkeficapsule AKASHI Takahiro
2021-10-29 3:17 ` Simon Glass
2021-10-29 5:20 ` AKASHI Takahiro
2021-11-02 14:57 ` Simon Glass
2021-11-04 1:49 ` AKASHI Takahiro
2021-11-04 15:11 ` Simon Glass
2021-11-05 3:15 ` AKASHI Takahiro
2021-11-05 16:12 ` Simon Glass
2021-10-28 6:23 ` [PATCH v5 05/11] test/py: efi_capsule: add image authentication test AKASHI Takahiro
2021-10-29 3:17 ` Simon Glass
2021-10-29 5:25 ` AKASHI Takahiro
2021-11-02 14:58 ` Simon Glass
2021-11-04 2:04 ` AKASHI Takahiro
2021-11-04 2:49 ` Simon Glass
2021-11-05 1:21 ` AKASHI Takahiro [this message]
2021-11-05 2:02 ` Simon Glass
2021-11-05 3:24 ` AKASHI Takahiro
2021-11-05 16:12 ` Simon Glass
2021-11-08 4:15 ` AKASHI Takahiro
2021-11-08 15:58 ` Simon Glass
2021-10-28 6:23 ` [PATCH v5 06/11] tools: mkeficapsule: allow for specifying GUID explicitly AKASHI Takahiro
2021-10-28 6:23 ` [PATCH v5 07/11] test/py: efi_capsule: align with the syntax change of mkeficapsule AKASHI Takahiro
2021-10-28 6:23 ` [PATCH v5 08/11] test/py: efi_capsule: add a test for "--guid" option AKASHI Takahiro
2021-10-28 6:23 ` [PATCH v5 09/11] test/py: efi_capsule: check the results in case of CAPSULE_AUTHENTICATE AKASHI Takahiro
2021-10-28 6:23 ` [PATCH v5 10/11] (RFC) tools: add fdtsig.sh AKASHI Takahiro
2021-10-28 6:23 ` [PATCH v5 11/11] (RFC) efi_loader, dts: add public keys for capsules to device tree AKASHI Takahiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211105012102.GB27316@laputa \
--to=takahiro.akashi@linaro.org \
--cc=agraf@csgraf.de \
--cc=ilias.apalodimas@linaro.org \
--cc=masami.hiramatsu@linaro.org \
--cc=sjg@chromium.org \
--cc=sughosh.ganu@linaro.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox