From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: xypron.glpk@gmx.de, Stuart.Yoder@arm.com, paul.liu@linaro.org,
u-boot@lists.denx.de
Subject: Re: [PATCH 2/2 v3] test/py: Add more test cases for rejecting an EFI image
Date: Tue, 19 Apr 2022 10:54:14 +0900 [thread overview]
Message-ID: <20220419015414.GB47455@laputa> (raw)
In-Reply-To: <20220418180724.1855888-2-ilias.apalodimas@linaro.org>
On Mon, Apr 18, 2022 at 09:07:23PM +0300, Ilias Apalodimas wrote:
> The previous patch adds support for rejecting images when the sha384/512
> of an x.509 certificate is present in dbx. Update the sandbox selftests
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
> changes since v2:
> - None
> changes since RFC:
> - new patch
>
> test/py/tests/test_efi_secboot/conftest.py | 6 +++
> test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++
> 2 files changed, 56 insertions(+)
>
> diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
> index 69a498ca003c..8a53dabe5414 100644
> --- a/test/py/tests/test_efi_secboot/conftest.py
> +++ b/test/py/tests/test_efi_secboot/conftest.py
> @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config):
> check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth'
> % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> shell=True)
> + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth'
> + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> + shell=True)
> + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth'
> + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> + shell=True)
> # dbx_hash1 (digest of TEST_db1 certificate)
> check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
> % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
> index cc9396a11d48..80d5eff74be3 100644
> --- a/test/py/tests/test_efi_secboot/test_signed.py
> +++ b/test/py/tests/test_efi_secboot/test_signed.py
> @@ -235,6 +235,56 @@ class TestEfiSignedImage(object):
> assert '\'HELLO\' failed' in ''.join(output)
> assert 'efi_start_image() returned: 26' in ''.join(output)
>
> + # sha384 of an x509 cert in dbx
> + u_boot_console.restart_uboot()
> + with u_boot_console.log.section('Test Case 5e'):
> + # Test Case 5f, authenticated even if only one of signatures
> + # is verified. Same as before but reject dbx_hash1.auth only
Please describe the test scenario more specifically regarding sha384.
> + output = u_boot_console.run_command_list([
> + 'host bind 0 %s' % disk_img,
> + 'fatload host 0:1 4000000 db.auth',
> + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
> + 'fatload host 0:1 4000000 KEK.auth',
> + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
> + 'fatload host 0:1 4000000 PK.auth',
> + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
> + 'fatload host 0:1 4000000 db1.auth',
> + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
> + 'fatload host 0:1 4000000 dbx_hash384.auth',
> + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
> + assert 'Failed to set EFI variable' not in ''.join(output)
> + output = u_boot_console.run_command_list([
> + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""',
> + 'efidebug boot next 1',
> + 'efidebug test bootmgr'])
> + assert '\'HELLO\' failed' in ''.join(output)
> + assert 'efi_start_image() returned: 26' in ''.join(output)
> +
> + # sha512 of an x509 cert in dbx
> + u_boot_console.restart_uboot()
> + with u_boot_console.log.section('Test Case 5e'):
> + # Test Case 5G, authenticated even if only one of signatures
> + # is verified. Same as before but reject dbx_hash1.auth only
> + output = u_boot_console.run_command_list([
> + 'host bind 0 %s' % disk_img,
> + 'fatload host 0:1 4000000 db.auth',
> + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
> + 'fatload host 0:1 4000000 KEK.auth',
> + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
> + 'fatload host 0:1 4000000 PK.auth',
> + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
> + 'fatload host 0:1 4000000 db1.auth',
> + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
> + 'fatload host 0:1 4000000 dbx_hash512.auth',
> + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
> + assert 'Failed to set EFI variable' not in ''.join(output)
> + output = u_boot_console.run_command_list([
> + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""',
> + 'efidebug boot next 1',
> + 'efidebug test bootmgr'])
> + assert '\'HELLO\' failed' in ''.join(output)
> + assert 'efi_start_image() returned: 26' in ''.join(output)
> +
I prefer to have two separate test functions for sha384 and sha512.
This way, we can test both cases independently.
In the test run, even if sha384 case fails, sha512 can still be verified.
-Takahiro Akashi
> def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
> """
> Test Case 6 - using digest of signed image in database
> --
> 2.32.0
>
next prev parent reply other threads:[~2022-04-19 1:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-18 18:07 [PATCH 1/2] efi_loader: add sha384/512 on certificate revocation Ilias Apalodimas
2022-04-18 18:07 ` [PATCH 2/2 v3] test/py: Add more test cases for rejecting an EFI image Ilias Apalodimas
2022-04-19 1:54 ` AKASHI Takahiro [this message]
2022-04-19 5:39 ` Ilias Apalodimas
2022-04-19 1:46 ` [PATCH 1/2] efi_loader: add sha384/512 on certificate revocation AKASHI Takahiro
2022-04-19 5:49 ` Ilias Apalodimas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220419015414.GB47455@laputa \
--to=takahiro.akashi@linaro.org \
--cc=Stuart.Yoder@arm.com \
--cc=ilias.apalodimas@linaro.org \
--cc=paul.liu@linaro.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox