Date: Tue, 19 Apr 2022 10:54:14 +0900
From: AKASHI Takahiro
To: Ilias Apalodimas
Cc: xypron.glpk@gmx.de, Stuart.Yoder@arm.com, paul.liu@linaro.org, u-boot@lists.denx.de
Subject: Re: [PATCH 2/2 v3] test/py: Add more test cases for rejecting an EFI image
Message-ID: <20220419015414.GB47455@laputa>
In-Reply-To: <20220418180724.1855888-2-ilias.apalodimas@linaro.org>

On Mon, Apr 18, 2022 at 09:07:23PM +0300, Ilias Apalodimas wrote:
> The previous patch adds support for rejecting images when the sha384/512
> of an x.509 certificate is present in dbx. Update the sandbox selftests
>
> Signed-off-by: Ilias Apalodimas
> ---
> changes since v2:
> - None
> changes since RFC:
> - new patch
>
>  test/py/tests/test_efi_secboot/conftest.py    |  6 +++
>  test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++
>  2 files changed, 56 insertions(+)
>
> diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py > index 69a498ca003c..8a53dabe5414 100644 > --- a/test/py/tests/test_efi_secboot/conftest.py > +++ b/test/py/tests/test_efi_secboot/conftest.py
> @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config): > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > shell=True) > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > + shell=True) > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > + shell=True) > # dbx_hash1 (digest of TEST_db1 certificate) > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py > index cc9396a11d48..80d5eff74be3 100644 > --- a/test/py/tests/test_efi_secboot/test_signed.py > +++ b/test/py/tests/test_efi_secboot/test_signed.py 
> @@ -235,6 +235,56 @@ class TestEfiSignedImage(object): > assert '\'HELLO\' failed' in ''.join(output) > assert 'efi_start_image() returned: 26' in ''.join(output) > > + # sha384 of an x509 cert in dbx > + u_boot_console.restart_uboot() > + with u_boot_console.log.section('Test Case 5e'): > + # Test Case 5f, authenticated even if only one of signatures > + # is verified. Same as before but reject dbx_hash1.auth only Please describe the test scenario more specifically regarding sha384. > + output = u_boot_console.run_command_list([ > + 'host bind 0 %s' % disk_img, > + 'fatload host 0:1 4000000 db.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', > + 'fatload host 0:1 4000000 KEK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', > + 'fatload host 0:1 4000000 PK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', > + 'fatload host 0:1 4000000 db1.auth', > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', > + 'fatload host 0:1 4000000 dbx_hash384.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) > + assert 'Failed to set EFI variable' not in ''.join(output) > + output = u_boot_console.run_command_list([ > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', > + 'efidebug boot next 1', > + 'efidebug test bootmgr']) > + assert '\'HELLO\' failed' in ''.join(output) > + assert 'efi_start_image() returned: 26' in ''.join(output) > + > + # sha512 of an x509 cert in dbx > + u_boot_console.restart_uboot() > + with u_boot_console.log.section('Test Case 5e'): > + # Test Case 5G, authenticated even if only one of signatures > + # is verified. 
Same as before but reject dbx_hash1.auth only > + output = u_boot_console.run_command_list([ > + 'host bind 0 %s' % disk_img, > + 'fatload host 0:1 4000000 db.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', > + 'fatload host 0:1 4000000 KEK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', > + 'fatload host 0:1 4000000 PK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', > + 'fatload host 0:1 4000000 db1.auth', > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', > + 'fatload host 0:1 4000000 dbx_hash512.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) > + assert 'Failed to set EFI variable' not in ''.join(output) > + output = u_boot_console.run_command_list([ > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', > + 'efidebug boot next 1', > + 'efidebug test bootmgr']) > + assert '\'HELLO\' failed' in ''.join(output) > + assert 'efi_start_image() returned: 26' in ''.join(output) > + I prefer to have two separate test functions for sha384 and sha512. This way, we can test both cases independently. In the test run, even if sha384 case fails, sha512 can still be verified. -Takahiro Akashi > def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): > """ > Test Case 6 - using digest of signed image in database > -- > 2.32.0 >
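
Review bot: The two added check_call lines in the conftest.py hunk (the `-s 384` and `-s 512` invocations) carry no comment, while the neighbouring context line documents its file with `# dbx_hash1 (digest of TEST_db1 certificate)`. Add a matching comment above each, for example `# dbx_hash384 (sha384 digest of db.crt)`, so a reader can tell which certificate and which digest each .auth file puts into dbx. The db.crt commands now differ only in the `-s` value and the output file names, so generating them from a small loop or helper would avoid the copy and keep the `-t "2020-04-05"` timestamp in one place.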
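
Review bot: In the test_signed.py hunk both new blocks open `u_boot_console.log.section('Test Case 5e')`, while their comments call them "Test Case 5f" and "Test Case 5G", so the log cannot tell the sha384 run from the sha512 run; give each section its own label that matches its comment, with consistent letter case. The comment text "authenticated even if only one of signatures is verified ... reject dbx_hash1.auth only" also contradicts the code under it, which loads dbx_hash384.auth (or dbx_hash512.auth) into dbx and then asserts `'HELLO' failed` and `efi_start_image() returned: 26`; reword it to state that the image is expected to be rejected because the sha384 (or sha512) digest of the certificate is in dbx. The two blocks are identical apart from the .auth file name, so a shared helper called from separate test functions would remove the duplication.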