Date: Thu, 10 Feb 2022 16:31:00 +0900
From: AKASHI Takahiro
To: Ilias Apalodimas
Cc: xypron.glpk@gmx.de, u-boot@lists.denx.de
Subject: Re: [RFC PATCH 2/2] test/py: efi_secboot: adjust secure boot tests to code changes
Message-ID: <20220210073100.GF12412@laputa>
References: <20220204073202.4141198-1-ilias.apalodimas@linaro.org> <20220204073202.4141198-2-ilias.apalodimas@linaro.org> <20220210052237.GE12412@laputa>

On Thu, Feb 10, 2022 at 09:14:25AM +0200, Ilias Apalodimas wrote:
> Akashi-san
>
> On Thu, 10 Feb 2022 at 07:22, AKASHI Takahiro wrote:
> >
> > On Fri, Feb 04, 2022 at 09:32:02AM +0200, Ilias Apalodimas wrote:
> > > The previous patch is changing U-Boot's behavior wrt certificate based
> > > binary authentication. Specifically an image whose digest of a
> > > certificate is found in dbx is now rejected. Fix the test accordingly
> >
> > Please not only fix the given test case, but also add more cases
> > if needed or appropriate for wider coverage of corner cases.
> > You mentioned in the previous commit that the order of certificates
> > should not affect the verification result.
> > If so, we need, at least, one more test case where the order of certificates
> > in db is different.
> >
> > I think that trying to maintain the test scenario that way will help improve
> > the robustness of verification logic.
>
> And we agree, but my concern right now is to fix the existing use cases.

But you have to verify the logic works in the same way whatever the order
of certificates is.
I think that is your intent in this patch. -Takahiro Akashi > There are some SCT tests wrt certification of binaries, so I intend > to port more cases for those in the future. > > Cheers > /Ilias > > > > -Takahiro Akashi > > > > > > > Signed-off-by: Ilias Apalodimas > > > --- > > > test/py/tests/test_efi_secboot/test_signed.py | 5 +++-- > > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > > > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py > > > index 0aee34479f55..7f5ec78261da 100644 > > > --- a/test/py/tests/test_efi_secboot/test_signed.py > > > +++ b/test/py/tests/test_efi_secboot/test_signed.py > > > @@ -186,7 +186,7 @@ class TestEfiSignedImage(object): > > > assert 'Hello, world!' in ''.join(output) > > > > > > with u_boot_console.log.section('Test Case 5c'): > > > - # Test Case 5c, not rejected if one of signatures (digest of > > > + # Test Case 5c, rejected if one of signatures (digest of > > > # certificate) is revoked > > > output = u_boot_console.run_command_list([ > > > 'fatload host 0:1 4000000 dbx_hash.auth', > > > @@ -195,7 +195,8 @@ class TestEfiSignedImage(object): > > > output = u_boot_console.run_command_list([ > > > 'efidebug boot next 1', > > > 'efidebug test bootmgr']) > > > - assert 'Hello, world!' in ''.join(output) > > > + assert '\'HELLO\' failed' in ''.join(output) > > > + assert 'efi_start_image() returned: 26' in ''.join(output) > > > > > > with u_boot_console.log.section('Test Case 5d'): > > > # Test Case 5d, rejected if both of signatures are revoked > > > -- > > > 2.32.0 > > >
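Review bot: In the first hunk (@@ -186,7 +186,7 @@), the updated Test Case 5c comment now reads almost the same as the Test Case 5d comment that follows it ("rejected if both of signatures are revoked"), so the difference between the two cases is easy to miss. Consider spelling out that a single revoked certificate digest is sufficient, for example "rejected if any one of the signatures (digest of certificate) is revoked, even when the other is not".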
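Review bot: In the second hunk (@@ -195,7 +195,8 @@), the new assertion on 'efi_start_image() returned: 26' hard-codes a bare status number with no explanation; 26 is EFI_SECURITY_VIOLATION in the UEFI status codes, and a short comment saying so would tell the reader which failure is expected. The removed positive check is not replaced by a negative one, so adding assert 'Hello, world!' not in ''.join(output) would confirm the image did not run, and joining output once into a local variable would avoid repeating ''.join(output) on each assert.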
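The ordering requirement raised in this reply can be written as a property checked over every permutation. The following is an added example, not part of the thread or of U-Boot's test suite: a simplified Python model of the db/dbx decision using constructed certificate bytes. The names verify, verify_first_match, outcomes_over_orderings and case are hypothetical, and the order-dependent variant is illustrative only.

```python
import hashlib
from itertools import permutations

def digest(cert: bytes) -> str:
    """SHA-256 of the certificate bytes, standing in for a dbx hash entry."""
    return hashlib.sha256(cert).hexdigest()

def verify(signer_certs, db, dbx):
    """Order-independent policy: any revoked signer rejects the image;
    otherwise at least one signer must be present in db."""
    signers = [digest(c) for c in signer_certs]
    if any(d in dbx for d in signers):
        return False
    return any(d in db for d in signers)

def verify_first_match(signer_certs, db, dbx):
    """Hypothetical order-dependent variant: decides on the first signer
    that matches either list, so the result depends on signature order."""
    for cert in signer_certs:
        d = digest(cert)
        if d in dbx:
            return False
        if d in db:
            return True
    return False

def outcomes_over_orderings(check, signer_certs, db_certs, dbx_certs):
    """Run `check` for every ordering of signatures and of db entries and
    return the set of distinct results; one element means order-independent."""
    dbx = [digest(c) for c in dbx_certs]
    outcomes = set()
    for signers in permutations(signer_certs):
        for db_order in permutations(db_certs):
            db = [digest(c) for c in db_order]
            outcomes.add(check(list(signers), db, dbx))
    return outcomes

# Constructed sample certificates (not real X.509 data).
CERT_A = b"constructed certificate A"
CERT_B = b"constructed certificate B"

def case(check, revoked):
    """Image signed by A and B, both in db, with `revoked` certs in dbx."""
    return outcomes_over_orderings(check, [CERT_A, CERT_B],
                                   [CERT_A, CERT_B], revoked)

if __name__ == "__main__":
    # One signer revoked, modelled on the Test Case 5c description.
    print("order-independent:", case(verify, [CERT_B]))
    print("first-match      :", case(verify_first_match, [CERT_B]))
```

A result set with more than one element means the verdict changes with ordering, which is the regression a second test case with reordered certificates would catch.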