From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 31782C6FD20 for ; Wed, 8 Mar 2023 13:21:09 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 60AAC85DBA; Wed, 8 Mar 2023 14:20:29 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="eXqwF8Bz"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 1C51785C47; Tue, 7 Mar 2023 23:13:55 +0100 (CET) Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 733F685C61 for ; Tue, 7 Mar 2023 23:13:51 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=fr0st61te@gmail.com Received: by mail-lf1-x12c.google.com with SMTP id n2so18964458lfb.12 for ; Tue, 07 Mar 2023 14:13:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678227231; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ONSN7gPkcLQL+a3APM4v+yWYZpCKdKOYR0nOWgXEEFc=; b=eXqwF8Bziy0HozpFyWjKSBgmzY0SlcFPJ9EQbr+24vYoU/L62NBdV4GOIi1fCxWPFZ 
ssknc4WJsV4Nzzotx2O8WPuqzjNIw2CfhinGxArDvuRKQH7UDK6jumyqaR2i2sQ9U4C5 8Hv1BaCr1ykW73tl21zGaF1f6kzWt04/QdlLyU9w4Btm7mGudQFm071ejNhFxXQo7s7f N1XPdpfVnY10Kl2YgxVnN5JiTd+HB/3OVRUTMDk5r6/GnfV+a+dwN1ZcLzEn5oMcCowE FrvQSpe8Vflbl9F1GvXF3SPD2sVA7kHVBqheAdku8urEWVLmdv68EMEONQrtmEhni4+s Serg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678227231; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ONSN7gPkcLQL+a3APM4v+yWYZpCKdKOYR0nOWgXEEFc=; b=VX1EaRCgPc6ENrzimAgsoAFZvjtA8G4mci4XZb/PEOG6l7jv9/u47BB1ROC3VYkD4w rtHsixY6rV4kNDC3s8nHr/Rrd4d3NKtpa/QTfOn2F7LSYVv0NKmJNFbO6V7UemMDT4Zy kE39gxlHm2w9MXjMeCZwNQg1f/8lRisBICeErl63apgB4bcLgoDZYKaMB99iGfoDPr6q 0vUNH9Mhy9GZUPVSaxXmIIr17keLMowd+U+kGKMBPhtRrCxtZRhgmTZ5RmnPOs+72m2V Lr8TWgqt9KnXQp7f+Cj+z8M6c4WxrnS7ggqch/IMcGyXHkesWm45P46SNEHO/BJF/yFZ AtVQ== X-Gm-Message-State: AO0yUKXLvGPYkQ8GlrmdCigPr5c6kU8yCNgbUIJQ19RBuVLCrkHHq0Rn O5xNuTjwpPN0BnqvifYCuIM= X-Google-Smtp-Source: AK7set9tsCyEldMPzP1wQR1g+G9yQdqinbA4sKK96Aai4OeyQ23QwrN4smEr6wEKdyDfMLYEugea+A== X-Received: by 2002:a19:a409:0:b0:4e7:fa9a:4d3c with SMTP id q9-20020a19a409000000b004e7fa9a4d3cmr3463041lfc.16.1678227230879; Tue, 07 Mar 2023 14:13:50 -0800 (PST) Received: from localhost.localdomain (95-31-185-99.broadband.corbina.ru. [95.31.185.99]) by smtp.googlemail.com with ESMTPSA id l8-20020a19c208000000b004db3890cb53sm2159726lfc.223.2023.03.07.14.13.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Mar 2023 14:13:50 -0800 (PST) 
From: Ivan Mikhaylov To: Simon Glass , Jan Kiszka Cc: u-boot@lists.denx.de, Ivan Mikhaylov Subject: [PATCH v2 3/5] binman: add tests for sign option Date: Wed, 8 Mar 2023 01:13:40 +0000 Message-Id: <20230308011342.21992-4-fr0st61te@gmail.com> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230308011342.21992-1-fr0st61te@gmail.com> References: <20230308011342.21992-1-fr0st61te@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Mailman-Approved-At: Wed, 08 Mar 2023 14:20:15 +0100 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Add the test which provides sequence of actions: 1. create the image from binman dts 2. create public and private keys 3. add public key into dtb with fdt_add_pubkey 4. 1. sign FIT container with new sign option with extracting from image 2. sign exact FIT container with replacing of it in image 5. check with fit_check_sign Signed-off-by: Ivan Mikhaylov --- tools/binman/ftest.py | 61 +++++++++++++++++++++++++++++ tools/binman/test/277_fit_sign.dts | 63 ++++++++++++++++++++++++++++++ 2 files changed, 124 insertions(+) create mode 100644 tools/binman/test/277_fit_sign.dts
diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
index d74aa90a62..84b2370271 100644
--- a/tools/binman/ftest.py
+++ b/tools/binman/ftest.py
@@ -709,6 +709,14 @@ class TestFunctional(unittest.TestCase):
 AddNode(dtb.GetRoot(), '')
 return tree
 
+ def _CheckSign(self, fit, key):
+ try:
+ tools.run('fit_check_sign', '-k', key, '-f', fit)
+ except:
+ self.fail('Expected signed FIT container')
+ return False
+ return True
+
 def testRun(self):
 """Test a basic run with valid args"""
 result = self._RunBinman('-h')
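Review bot: `_CheckSign` uses a bare `except:`, which also swallows KeyboardInterrupt/SystemExit and discards the message `tools.run` produces when `fit_check_sign` exits non-zero, so a failing run reports only 'Expected signed FIT container' with no hint of why the verifier rejected the FIT. Narrow the clause to the exception `tools.run` raises on a non-zero exit (at most `Exception`, never everything) and fold its text into the failure: `except Exception as e:` / `self.fail(f'Expected signed FIT container: {e}')`. The `return False` after `self.fail` is unreachable because `fail` raises, so the helper either returns True or fails the test; either drop the return value or document that contract. A one-line docstring would also help, since `key` is not a key file but the DTB into which `fdt_add_pubkey` placed the public key: `"""Fail the test unless fit_check_sign accepts *fit* against the pubkey held in DTB *key*."""`.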
@@ -6404,6 +6412,59 @@ fdt fdtmap Extract the devicetree blob from the fdtmap
 self._DoTestFile('278_mkimage_missing_multiple.dts', allow_missing=False)
 self.assertIn("not found in input path", str(e.exception))
 
+ def _PrepareSignEnv(self, dts='277_fit_sign.dts'):
+ """Prepare sign environment
+
+ Create private and public keys, add pubkey into dtb.
+
+ Returns:
+ Tuple:
+ FIT container
+ Image name
+ Private key
+ DTB
+ """
+
+ data = self._DoReadFileRealDtb(dts)
+ updated_fname = tools.get_output_filename('image-updated.bin')
+ tools.write_file(updated_fname, data)
+ dtb = tools.get_output_filename('source.dtb')
+ private_key = tools.get_output_filename('test_key.key')
+ public_key = tools.get_output_filename('test_key.crt')
+ fit = tools.get_output_filename('fit.fit')
+ key_dir = tools.get_output_dir()
+
+ tools.run('openssl', 'req', '-batch' , '-newkey', 'rsa:4096',
+ '-sha256', '-new', '-nodes', '-x509', '-keyout',
+ private_key, '-out', public_key)
+ tools.run('fdt_add_pubkey', '-a', 'sha256,rsa4096', '-k', key_dir,
+ '-n', 'test_key', '-r', 'conf', dtb)
+
+ return fit, updated_fname, private_key, dtb
+
+ def testSignSimple(self):
+ """Test that a FIT container can be signed in image"""
+ is_signed = False
+ fit, fname, private_key, dtb = self._PrepareSignEnv()
+
+ # do sign with private key
+ control.SignEntries(fname, None, private_key, 'sha256,rsa4096',
+ ['fit'])
+ is_signed = self._CheckSign(fit, dtb)
+
+ self.assertEqual(is_signed, True)
+
+ def testSignExactFIT(self):
+ """Test that a FIT container can be signed and replaced in image"""
+ is_signed = False
+ fit, fname, private_key, dtb = self._PrepareSignEnv()
+
+ # do sign with private key
+ self._DoBinman('sign', '-i', fname, '-k', private_key, '-a',
+ 'sha256,rsa4096', '-f', fit, 'fit')
+ is_signed = self._CheckSign(fit, dtb)
+
+ self.assertEqual(is_signed, True)
 
 if __name__ == "__main__":
 unittest.main()
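Review bot: Both new tests exercise only the accepting path — nothing checks that `fit_check_sign` rejects the FIT before it is signed, or one signed with a different key — so a verifier that ignored signatures, or a DTB in which the key did not end up marked required, would pass `testSignSimple` and `testSignExactFIT` unnoticed. Because `_PrepareSignEnv` adds the key with `-r conf`, the unsigned configuration should be rejected; add a negative step before `SignEntries`, e.g. `with self.assertRaises(Exception):` / `tools.run('fit_check_sign', '-k', dtb, '-f', fit)`, or a separate test that signs with a second key and asserts the check fails. The `fit` path is built as `fit.fit` in the output directory but nothing in the hunk writes that file; the tests appear to rely on the FIT entry type leaving it behind when `_DoReadFileRealDtb` builds the image and on `sign` rewriting it in place, which should be recorded in `_PrepareSignEnv`'s docstring, e.g. `# fit.fit is the FIT binman wrote while building the image; 'sign' updates it in place`. Finally, `is_signed = False` is dead (`_CheckSign` fails the test rather than returning False) and `self.assertEqual(is_signed, True)` reads better as `self.assertTrue(is_signed)`.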
diff --git a/tools/binman/test/277_fit_sign.dts b/tools/binman/test/277_fit_sign.dts
new file mode 100644
index 0000000000..b9f17dc5c0
--- /dev/null
+++ b/tools/binman/test/277_fit_sign.dts
@@ -0,0 +1,63 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+ #address-cells = <1>;
+ #size-cells = <1>;
+
+ binman {
+ size = <0x100000>;
+ allow-repack;
+
+ fit {
+ description = "U-Boot";
+ offset = <0x10000>;
+ images {
+ u-boot-1 {
+ description = "U-Boot";
+ type = "standalone";
+ arch = "arm64";
+ os = "u-boot";
+ compression = "none";
+ hash-1 {
+ algo = "sha256";
+ };
+ u-boot {
+ };
+ };
+
+ fdt-1 {
+ description = "test.dtb";
+ type = "flat_dt";
+ arch = "arm64";
+ compression = "none";
+ hash-1 {
+ algo = "sha256";
+ };
+ u-boot-spl-dtb {
+ };
+ };
+
+ };
+
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ description = "u-boot with fdt";
+ firmware = "u-boot-1";
+ fdt = "fdt-1";
+ signature-1 {
+ algo = "sha256,rsa4096";
+ key-name-hint = "test_key";
+ sign-images = "firmware", "fdt";
+ };
+
+ };
+ };
+ };
+
+ fdtmap {
+ };
+ };
+};
-- 
2.39.1
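Review bot: The values in `signature-1` are silently coupled to the test code: `key-name-hint = "test_key"` must match the `-n test_key` passed to `fdt_add_pubkey`, and `algo = "sha256,rsa4096"` the `-a sha256,rsa4096` given to both `fdt_add_pubkey` and `sign`, yet nothing in the fixture says so. A comment above the node would keep a future rename from turning the tests into an unexplained failure, e.g. `/* key name and algo must match _PrepareSignEnv() in ftest.py */`. It is also worth noting that the `hash-1` nodes under both images are what the configuration signature binds to through `sign-images`, so they are part of the security check rather than optional metadata — as far as I can tell mkimage needs them to sign `conf-1`, which is worth confirming and stating in a short comment.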