From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: xypron.glpk@gmx.de, u-boot@lists.denx.de
Subject: Re: [RFC PATCH 2/2] test/py: efi_secboot: adjust secure boot tests to code changes
Date: Thu, 10 Feb 2022 14:22:37 +0900
Message-ID: <20220210052237.GE12412@laputa>
In-Reply-To: <20220204073202.4141198-2-ilias.apalodimas@linaro.org>
On Fri, Feb 04, 2022 at 09:32:02AM +0200, Ilias Apalodimas wrote:
> The previous patch is changing U-Boot's behavior wrt certificate based
> binary authentication. Specifically an image whose digest of a
> certificate is found in dbx is now rejected. Fix the test accordingly

Please not only fix the given test case, but also add more cases
if needed or appropriate for wider coverage of corner cases.

You mentioned in the previous commit that the order of certificates
should not affect the verification result.
If so, we need, at least, one more test case where the order of certificates
in db is different.

I think that trying to maintain the test scenario that way will help improve
the robustness of verification logic.

-Takahiro Akashi

> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
> test/py/tests/test_efi_secboot/test_signed.py | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
> index 0aee34479f55..7f5ec78261da 100644
> --- a/test/py/tests/test_efi_secboot/test_signed.py
> +++ b/test/py/tests/test_efi_secboot/test_signed.py
> @@ -186,7 +186,7 @@ class TestEfiSignedImage(object):
> assert 'Hello, world!' in ''.join(output)
>
> with u_boot_console.log.section('Test Case 5c'):
> - # Test Case 5c, not rejected if one of signatures (digest of
> + # Test Case 5c, rejected if one of signatures (digest of
> # certificate) is revoked
> output = u_boot_console.run_command_list([
> 'fatload host 0:1 4000000 dbx_hash.auth',
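Review bot: The reworded comment on Test Case 5c ("rejected if one of signatures (digest of certificate) is revoked") does not say that the remaining signature is left unrevoked, which is the only thing separating this case from 5d ("both of signatures are revoked"). Suggest spelling that out, for example "rejected if the certificate digest of any one signature is in dbx, even though the other signature is not revoked", so the intended behaviour change is documented where the test lives.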
> @@ -195,7 +195,8 @@ class TestEfiSignedImage(object):
> output = u_boot_console.run_command_list([
> 'efidebug boot next 1',
> 'efidebug test bootmgr'])
> - assert 'Hello, world!' in ''.join(output)
> + assert '\'HELLO\' failed' in ''.join(output)
> + assert 'efi_start_image() returned: 26' in ''.join(output)
>
> with u_boot_console.log.section('Test Case 5d'):
> # Test Case 5d, rejected if both of signatures are revoked
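Review bot: The two assertions added after 'efidebug test bootmgr' only look for the failure messages; nothing checks that the payload did not run, even though the removed line shows 'Hello, world!' is what a successful start prints. Adding assert 'Hello, world!' not in ''.join(output) would catch a regression where the error text appears and the image still executes. The bare 26 in 'efi_start_image() returned: 26' also needs a short comment naming the EFI status code it stands for, and writing the first string as "'HELLO' failed" would avoid the backslash escapes.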
> --
> 2.32.0
>