From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BB0C6C433F5 for ; Fri, 5 Nov 2021 03:24:31 +0000 (UTC) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id BC07161242 for ; Fri, 5 Nov 2021 03:24:30 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org BC07161242 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.denx.de Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 84C3C836E4; Fri, 5 Nov 2021 04:24:28 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="ag0OVNKD"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 05CD1836E6; Fri, 5 Nov 2021 04:24:27 +0100 (CET) Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id C3FE2836B6 for ; Fri, 5 Nov 2021 04:24:22 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=takahiro.akashi@linaro.org Received: by mail-pl1-x632.google.com with SMTP id r5so10311443pls.1 for ; Thu, 04 Nov 2021 20:24:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-disposition:in-reply-to; bh=Ik3WtcfR1XKWDdgaXzuSawIQVMbPeCvayMqXpIVzn3Q=; b=ag0OVNKDUSFaiLW1AZeWt+lejgzgRQsycwv+RoR7yD+ModS9r/5HSuIyvyuN5eYeng rZ9BSOADsGuaLYAI6VV6YXblRDno5DWV+5oYPkrokyziMQmlrbGDVT7ATsy6emm+M3sg gIJdz9Wysmm5y19/Bqk3OK3LOeiwERpDFRJBjFqDCMrNl4ZyJ9tsJ0ePeQIGFReWGZrR 7Fht+pqECg1U7zXrVq0AlLVHpIjc18WCv5Ny1UJepgIBsx4nGlyeJCyycCZch0LlGHPR rvbvV5S7DuNsOHFbjbn+wO0e2liZNgAMx/GMSUlMYyNZqA/6kxEuA7PGTVq6Em44782Z sbDQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id :mail-followup-to:references:mime-version:content-disposition :in-reply-to; bh=Ik3WtcfR1XKWDdgaXzuSawIQVMbPeCvayMqXpIVzn3Q=; b=RDoNC0uUhExC17ljA7rtWMQoE7FppzukLSEsQS6sJf7u38vtw0Li8Z1Gd+UZTc1nZQ wpSZdsLN4aBHkmBhkEJyraP8TTyjblRMaZqpiJdm3iLd+8yg3iRuH7V8Isj2iq9ydqxr RebVZYE11BuGQNpE/4f0MvFJzxY2ZAyDqvlaYuXGe/cNAf7ahUG6tcbXlhJESo6hFatn HJYyh6Bay67vhmdEsZnc7wPlq9jx05WSPz8hUWt1V0MSRJ4YN/wkra2zEgLBAs0HKoqw FiB3kn95LWGlER0KRRguVv7XsAct0Qrns7SXQAUKvb4LN9pbNm8UjO8y/xPqfaNLSnFV rSTQ== X-Gm-Message-State: AOAM532urV/7/Q34ep2T63rEnVz8ITNA4Jzth5gAORh/WXAvpy5+zrOR awxm6c3/pkYsrrEVDGVjTa0gJA== X-Google-Smtp-Source: ABdhPJxtIv0xsJGK8RKoXCQpiNk2PuOcBcTV2sIjg7VEs8WnJ5uYpYyePyOBAlvl9j77vNaNvpadDg== X-Received: by 2002:a17:90b:2413:: with SMTP id nr19mr2657527pjb.137.1636082661037; Thu, 04 Nov 2021 20:24:21 -0700 (PDT) Received: from laputa ([2400:4050:c3e1:100:844c:5534:2811:8a4d]) by smtp.gmail.com with ESMTPSA id y4sm6383260pfi.178.2021.11.04.20.24.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Nov 2021 20:24:20 -0700 (PDT) Date: Fri, 5 Nov 2021 12:24:16 +0900 From: AKASHI Takahiro To: Simon Glass Cc: Heinrich Schuchardt , Alex Graf , Ilias Apalodimas , Sughosh Ganu , Masami Hiramatsu , U-Boot Mailing List Subject: Re: [PATCH v5 05/11] test/py: efi_capsule: add image authentication test Message-ID: <20211105032416.GF27316@laputa> Mail-Followup-To: AKASHI Takahiro , Simon Glass , Heinrich Schuchardt , Alex Graf , Ilias Apalodimas , Sughosh Ganu , Masami Hiramatsu , U-Boot Mailing List References: <20211028062356.98224-1-takahiro.akashi@linaro.org> <20211028062356.98224-6-takahiro.akashi@linaro.org> <20211029052539.GC33977@laputa> <20211104020403.GB46422@laputa> <20211105012102.GB27316@laputa> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean On Thu, Nov 04, 2021 at 08:02:37PM -0600, Simon Glass wrote: > Hi Takahiro, > > On Thu, 4 Nov 2021 at 19:21, AKASHI Takahiro wrote: > > > > On Wed, Nov 03, 2021 at 08:49:04PM -0600, Simon Glass wrote: > > > Hi Takahiro, > > > > > > On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro wrote: > > > > > > > > On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote: > > > > > Hi Takahiro, > > > > > > > > > > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro > > > > > wrote: > > > > > > > > > > > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote: > > > > > > > Hi Takahiro, > > > > > > > > > > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro > > > > > > > wrote: > > > > > > > > > > > > > > > > Add a couple of test cases against capsule image authentication > > > > > > > > for capsule-on-disk, where only a signed capsule file with the verified > > > > > > > > signature will be applied to the system. > > > > > > > > > > > > > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot > > > > > > > > binary during pytest setup time, all the keys/certificates are pre-created. > > > > > > > > > > > > > > > > Signed-off-by: AKASHI Takahiro > > > > > > > > --- > > > > > > > > .../py/tests/test_efi_capsule/capsule_defs.py | 5 + > > > > > > > > test/py/tests/test_efi_capsule/conftest.py | 35 ++- > > > > > > > > test/py/tests/test_efi_capsule/signature.dts | 10 + > > > > > > > > .../test_capsule_firmware_signed.py | 233 ++++++++++++++++++ > > > > > > > > 4 files changed, 280 insertions(+), 3 deletions(-) > > > > > > > > create mode 100644 test/py/tests/test_efi_capsule/signature.dts > > > > > > > > create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py > > > > > > > > > > > > > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py > > > > > > > > index 4fd6353c2040..aa9bf5eee3aa 100644 > > > > > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py > > > > > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py > > > > > > > > @@ -3,3 +3,8 @@ > > > > > > > > # Directories > > > > > > > > CAPSULE_DATA_DIR = '/EFI/CapsuleTestData' > > > > > > > > CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule' > > > > > > > > + > > > > > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and > > > > > > > > +# you need build a newer version on your own. > > > > > > > > +# The path must terminate with '/'. > > > > > > > > +EFITOOLS_PATH = '' > > > > > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py > > > > > > > > index 6ad5608cd71c..b0e84dec4931 100644 > > > > > > > > --- a/test/py/tests/test_efi_capsule/conftest.py > > > > > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py > > > > > > > > @@ -10,13 +10,13 @@ import pytest > > > > > > > > from capsule_defs import * > > > > > > > > > > > > > > > > # > > > > > > > > -# Fixture for UEFI secure boot test > > > > > > > > +# Fixture for UEFI capsule test > > > > > > > > # > > > > > > > > > > > > > > > > - > > > > > > > > @pytest.fixture(scope='session') > > > > > > > > def efi_capsule_data(request, u_boot_config): > > > > > > > > - """Set up a file system to be used in UEFI capsule test. > > > > > > > > + """Set up a file system to be used in UEFI capsule and > > > > > > > > + authentication test. > > > > > > > > > > > > > > > > Args: > > > > > > > > request: Pytest request object. > > > > > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config): > > > > > > > > check_call('mkdir -p %s' % data_dir, shell=True) > > > > > > > > check_call('mkdir -p %s' % install_dir, shell=True) > > > > > > > > > > > > > > > > + capsule_auth_enabled = u_boot_config.buildconfig.get( > > > > > > > > + 'config_efi_capsule_authenticate') > > > > > > > > + if capsule_auth_enabled: > > > > > > > > + # Create private key (SIGNER.key) and certificate (SIGNER.crt) > > > > > > > > + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365' > > > > > > > > + % data_dir, shell=True) > > > > > > > > > > > > > > run_and_log()? > > > > > > > > > > > > I have always used this style of coding in this file as well as > > > > > > other my pytests in test/py/tests (filesystem and secure boot). > > > > > > > > > > > > So, at least in this patch, I don't want to have mixed styles. > > > > > > > > > > I don't mind about the style. > > > > > > > > > > Does the command appear in the test log? > > > > > > > > I don't think so as it is invoked in conftest.py. > > > > If the command fails, the tests will skip, and if it generates > > > > a improper signature, the tests will fail. > > > > > > Well that is what I am getting at. Can you check? > > > > Yes. > > > > > The test log is supposed to show everything that happened. It does > > > that with other tests > > > > It does? > > (I don't think so.) > > > > > and I worry that using this function to run > > > things will mean that no one will be able to debug your test in CI. > > > > What is missing in general is that confest.py doesn't generate > > line-by-line trace logs if needed. > > It's not my test specific. > > Can you try checking test-log.html ? > > Here is an example with a vboot test. See the lines with 'openssl' and > 'dtc' ? That is what I am talking about. > > Do you see this output with the command you are using? No. In your case, openssl and dtc are called in a test function, while my tool is invoked as part of fixture in confest.py. What I requested is that command executions in fixtures be logged as well. -Takahiro Akashi > > [-] Section: test_vboot[sha1-basic-sha1--None-False-True] > TIME: NOW: 2021/11/04 19:52:55.916263 > > TIME: SINCE-PREV: 0:00:00.429408 > > TIME: SINCE-START: 0:00:00.429408 > > [-] Section: test_vboot[sha1-basic-sha1--None-False-True]/Starting U-Boot > TIME: NOW: 2021/11/04 19:52:55.916582 > > TIME: SINCE-PREV: 0:00:00.000319 > > TIME: SINCE-START: 0:00:00.429727 > > [-] Stream: console > Creating new bloblist size 400 at c000 > sandbox_serial serial: pinctrl_select_state_full: > uclass_get_device_by_phandle_id: err=-19 > > > U-Boot 2021.10-00200-g458c5ec2f57-dirty (Nov 04 2021 - 19:52:48 -0600) > > Model: sandbox > DRAM: 128 MiB > Core: 246 devices, 88 uclasses, devicetree: board > WDT: Not starting gpio-wdt > WDT: Not starting wdt@0 > MMC: mmc2: 2 (SD), mmc1: 1 (SD), mmc0: 0 (SD) > Loading Environment from nowhere... OK > In: cros-ec-keyb > Out: vidconsole > Err: vidconsole > Model: sandbox > SCSI: > Net: eth0: eth@10002000, eth5: eth@10003000, eth3: sbe5, eth6: > eth@10004000, eth4: dsa-test-eth, eth2: lan0, eth7: lan1 > Hit any key to stop autoboot: 2 %08%08%08 0 > => > TIME: NOW: 2021/11/04 19:52:56.023596 > > TIME: SINCE-PREV: 0:00:00.107014 > > TIME: SINCE-START: 0:00:00.536741 > > TIME: SINCE-SECTION: 0:00:00.107114 > > [-] Stream: openssl > +openssl genpkey -algorithm RSA -out /tmp/b/sandbox/sha1-basic/dev.key > -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 > ...................+++++ > ...............+++++ > > TIME: NOW: 2021/11/04 19:52:56.067325 > > TIME: SINCE-PREV: 0:00:00.043729 > > TIME: SINCE-START: 0:00:00.580470 > > [-] Stream: openssl > +openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/dev.key > -out /tmp/b/sandbox/sha1-basic/dev.crt > > TIME: NOW: 2021/11/04 19:52:56.077671 > > TIME: SINCE-PREV: 0:00:00.010346 > > TIME: SINCE-START: 0:00:00.590816 > > [-] Stream: openssl > +openssl genpkey -algorithm RSA -out > /tmp/b/sandbox/sha1-basic/prod.key -pkeyopt rsa_keygen_bits:2048 > -pkeyopt rsa_keygen_pubexp:65537 > ...........................+++++ > ............+++++ > > TIME: NOW: 2021/11/04 19:52:56.127578 > > TIME: SINCE-PREV: 0:00:00.049907 > > TIME: SINCE-START: 0:00:00.640723 > > [-] Stream: openssl > +openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/prod.key > -out /tmp/b/sandbox/sha1-basic/prod.crt > > TIME: NOW: 2021/11/04 19:52:56.136682 > > TIME: SINCE-PREV: 0:00:00.009104 > > TIME: SINCE-START: 0:00:00.649827 > > [-] Stream: dtc > +dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/ > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-kernel.dts > -O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-kernel.dtb > > TIME: NOW: 2021/11/04 19:52:56.142636 > > TIME: SINCE-PREV: 0:00:00.005954 > > TIME: SINCE-START: 0:00:00.655781 > > [-] Stream: dtc > +dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/ > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts > -O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-u-boot.dtb > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts:7.10-9.4: > Warning (unit_address_vs_reg): /reset@0: node has a unit name, but no > reg or ranges property > > TIME: NOW: 2021/11/04 19:52:56.147797 > > Regards, > Simon