Date: Thu, 10 Feb 2022 14:22:37 +0900
From: AKASHI Takahiro
To: Ilias Apalodimas
Cc: xypron.glpk@gmx.de, u-boot@lists.denx.de
Subject: Re: [RFC PATCH 2/2] test/py: efi_secboot: adjust secure boot tests to code changes
Message-ID: <20220210052237.GE12412@laputa>
References: <20220204073202.4141198-1-ilias.apalodimas@linaro.org> <20220204073202.4141198-2-ilias.apalodimas@linaro.org>
In-Reply-To: <20220204073202.4141198-2-ilias.apalodimas@linaro.org>

On Fri, Feb 04, 2022 at 09:32:02AM +0200, Ilias Apalodimas wrote:
> The previous patch is changing U-Boot's behavior wrt certificate based
> binary authentication. Specifically an image whose digest of a
> certificate is found in dbx is now rejected. Fix the test accordingly

Please not only fix the given test case, but also add more cases
if needed or appropriate for wider coverage of corner cases.

You mentioned in the previous commit that the order of certificates
should not affect the verification result. If so, we need, at least,
one more test case where the order of certificates in db is different.

I think that trying to maintain the test scenario that way will help
improve the robustness of verification logic.

-Takahiro Akashi

> Signed-off-by: Ilias Apalodimas
> --- > test/py/tests/test_efi_secboot/test_signed.py | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py > index 0aee34479f55..7f5ec78261da 100644 
> --- a/test/py/tests/test_efi_secboot/test_signed.py > +++ b/test/py/tests/test_efi_secboot/test_signed.py > @@ -186,7 +186,7 @@ class TestEfiSignedImage(object): > assert 'Hello, world!' in ''.join(output) > > with u_boot_console.log.section('Test Case 5c'): > - # Test Case 5c, not rejected if one of signatures (digest of > + # Test Case 5c, rejected if one of signatures (digest of > # certificate) is revoked > output = u_boot_console.run_command_list([ > 'fatload host 0:1 4000000 dbx_hash.auth', > @@ -195,7 +195,8 @@ class TestEfiSignedImage(object): > output = u_boot_console.run_command_list([ > 'efidebug boot next 1', > 'efidebug test bootmgr']) > - assert 'Hello, world!' in ''.join(output) > + assert '\'HELLO\' failed' in ''.join(output) > + assert 'efi_start_image() returned: 26' in ''.join(output) > > with u_boot_console.log.section('Test Case 5d'): > # Test Case 5d, rejected if both of signatures are revoked > -- > 2.32.0 >
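Review bot: In the first hunk (@@ -186,7), the reworded comment for Test Case 5c now states the same outcome as the 5d comment that follows it ("rejected if both of signatures are revoked"), so the comments no longer show why both cases exist. Consider saying what 5c uniquely covers: a single dbx entry matching the digest of one signing certificate is enough to reject the image even though the other signature is not revoked. "one of signatures" could become "one of the signatures" while the line is being touched.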
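Review bot: In the second hunk (@@ -195,7), the new assertion on 'efi_start_image() returned: 26' hard-codes a bare status number with no explanation; 26 is EFI_SECURITY_VIOLATION, and a short comment saying so would let a reader tell an authentication rejection apart from an unrelated load failure. The two assertions each rebuild ''.join(output), which could be joined once, and '\'HELLO\' failed' reads more easily as "'HELLO' failed". Since the removed line checked for 'Hello, world!', it may be worth also asserting that this string is absent, so the test fails if the image runs despite the error message. The hunk still exercises only one db layout; the case with the certificates in a different order, as requested in the reply above, would need its own test case.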