public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed
From: Ivan Mikhaylov <fr0st61te@gmail.com>
To: Simon Glass <sjg@chromium.org>, Jan Kiszka <jan.kiszka@siemens.com>
Cc: u-boot@lists.denx.de, Ivan Mikhaylov <fr0st61te@gmail.com>
Subject: [PATCH v2 3/5] binman: add tests for sign option
Date: Wed,  8 Mar 2023 01:13:40 +0000	[thread overview]
Message-ID: <20230308011342.21992-4-fr0st61te@gmail.com> (raw)
In-Reply-To: <20230308011342.21992-1-fr0st61te@gmail.com>

Add the test which provides sequence of actions:
  1. create the image from binman dts
  2. create public and private keys
  3. add public key into dtb with fdt_add_pubkey
  4. 1. sign FIT container with new sign option with extracting from
        image
     2. sign exact FIT container with replacing of it in image
  5. check with fit_check_sign

Signed-off-by: Ivan Mikhaylov <fr0st61te@gmail.com>
---
 tools/binman/ftest.py              | 61 +++++++++++++++++++++++++++++
 tools/binman/test/277_fit_sign.dts | 63 ++++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
 create mode 100644 tools/binman/test/277_fit_sign.dts

diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index d74aa90a62..84b2370271 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -709,6 +709,14 @@ class TestFunctional(unittest.TestCase):
         AddNode(dtb.GetRoot(), '')
         return tree
 
+    def _CheckSign(self, fit, key):
+        try:
+            tools.run('fit_check_sign', '-k', key, '-f', fit)
+        except:
+            self.fail('Expected signed FIT container')
+            return False
+        return True
+
     def testRun(self):
         """Test a basic run with valid args"""
         result = self._RunBinman('-h')
@@ -6404,6 +6412,59 @@ fdt         fdtmap                Extract the devicetree blob from the fdtmap
             self._DoTestFile('278_mkimage_missing_multiple.dts', allow_missing=False)
         self.assertIn("not found in input path", str(e.exception))
 
+    def _PrepareSignEnv(self, dts='277_fit_sign.dts'):
+        """Prepare sign environment
+
+        Create private and public keys, add pubkey into dtb.
+
+        Returns:
+            Tuple:
+                FIT container
+                Image name
+                Private key
+                DTB
+        """
+
+        data = self._DoReadFileRealDtb(dts)
+        updated_fname = tools.get_output_filename('image-updated.bin')
+        tools.write_file(updated_fname, data)
+        dtb = tools.get_output_filename('source.dtb')
+        private_key = tools.get_output_filename('test_key.key')
+        public_key = tools.get_output_filename('test_key.crt')
+        fit = tools.get_output_filename('fit.fit')
+        key_dir = tools.get_output_dir()
+
+        tools.run('openssl', 'req', '-batch' , '-newkey', 'rsa:4096',
+                  '-sha256', '-new',  '-nodes',  '-x509', '-keyout',
+                  private_key, '-out', public_key)
+        tools.run('fdt_add_pubkey', '-a', 'sha256,rsa4096', '-k', key_dir,
+                  '-n', 'test_key', '-r', 'conf', dtb)
+
+        return fit, updated_fname, private_key, dtb
+
+    def testSignSimple(self):
+        """Test that a FIT container can be signed in image"""
+        is_signed = False
+        fit, fname, private_key, dtb = self._PrepareSignEnv()
+
+        # do sign with private key
+        control.SignEntries(fname, None, private_key, 'sha256,rsa4096',
+                            ['fit'])
+        is_signed = self._CheckSign(fit, dtb)
+
+        self.assertEqual(is_signed, True)
+
+    def testSignExactFIT(self):
+        """Test that a FIT container can be signed and replaced in image"""
+        is_signed = False
+        fit, fname, private_key, dtb = self._PrepareSignEnv()
+
+        # do sign with private key
+        self._DoBinman('sign', '-i', fname, '-k', private_key, '-a',
+                       'sha256,rsa4096', '-f', fit, 'fit')
+        is_signed = self._CheckSign(fit, dtb)
+
+        self.assertEqual(is_signed, True)
 
 if __name__ == "__main__":
     unittest.main()
diff --git a/tools/binman/test/277_fit_sign.dts b/tools/binman/test/277_fit_sign.dts
new file mode 100644
index 0000000000..b9f17dc5c0
--- /dev/null
+++ b/tools/binman/test/277_fit_sign.dts
@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+	#address-cells = <1>;
+	#size-cells = <1>;
+
+	binman {
+		size = <0x100000>;
+		allow-repack;
+
+		fit {
+			description = "U-Boot";
+			offset = <0x10000>;
+			images {
+				u-boot-1 {
+					description = "U-Boot";
+					type = "standalone";
+					arch = "arm64";
+					os = "u-boot";
+					compression = "none";
+					hash-1 {
+						algo = "sha256";
+					};
+					u-boot {
+					};
+				};
+
+				fdt-1 {
+					description = "test.dtb";
+					type = "flat_dt";
+					arch = "arm64";
+					compression = "none";
+					hash-1 {
+						algo = "sha256";
+					};
+					u-boot-spl-dtb {
+					};
+				};
+
+			};
+
+			configurations {
+				default = "conf-1";
+				conf-1 {
+					description = "u-boot with fdt";
+					firmware = "u-boot-1";
+					fdt = "fdt-1";
+					signature-1 {
+						algo = "sha256,rsa4096";
+						key-name-hint = "test_key";
+						sign-images = "firmware", "fdt";
+					};
+
+				};
+			};
+		};
+
+		fdtmap {
+		};
+	};
+};
-- 
2.39.1


  parent reply	other threads:[~2023-03-08 13:21 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-08  1:13 [PATCH v2 0/5] Introduce new sign binman's option Ivan Mikhaylov
2023-03-08  1:13 ` [PATCH v2 1/5] binman: add documentation for binman sign option Ivan Mikhaylov
2023-03-11  1:47   ` Simon Glass
2023-03-12 17:36     ` Simon Glass
2023-03-08  1:13 ` [PATCH v2 2/5] binman: add sign option for binman Ivan Mikhaylov
2023-03-11  1:37   ` Simon Glass
2023-03-11  1:47     ` Simon Glass
2023-03-12 17:36       ` Simon Glass
2023-03-08  1:13 ` Ivan Mikhaylov [this message]
2023-03-11  1:47   ` [PATCH v2 3/5] binman: add tests for sign option Simon Glass
2023-03-11  1:48     ` Simon Glass
2023-03-12 17:36       ` Simon Glass
2023-03-08  1:13 ` [PATCH v2 4/5] tools: add fdt_add_pubkey Ivan Mikhaylov
2023-03-11  1:47   ` Simon Glass
2023-03-08  1:13 ` [PATCH v2 5/5] test_vboot.py: include test of fdt_add_pubkey tool Ivan Mikhaylov
2023-03-11  1:46   ` Simon Glass
2023-03-16  4:17     ` Ivan Mikhaylov
2023-03-16 13:59       ` Simon Glass
2023-03-16 17:45         ` Ivan Mikhaylov
2023-03-16 21:49           ` Simon Glass

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230308011342.21992-4-fr0st61te@gmail.com \
    --to=fr0st61te@gmail.com \
    --cc=jan.kiszka@siemens.com \
    --cc=sjg@chromium.org \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox