[PATCH v3] test_vboot.py: include test of fdt_add_pubkey tool

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: Ivan Mikhaylov <fr0st61te@gmail.com>
To: Simon Glass <sjg@chromium.org>, Jan Kiszka <jan.kiszka@siemens.com>
Cc: u-boot@lists.denx.de, Roman Kopytin <Roman.Kopytin@kaspersky.com>,
	Ivan Mikhaylov <fr0st61te@gmail.com>,
	Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Subject: [PATCH v3] test_vboot.py: include test of fdt_add_pubkey tool
Date: Sun, 19 Mar 2023 02:42:32 +0000	[thread overview]
Message-ID: <20230319024232.50020-1-fr0st61te@gmail.com> (raw)

From: Roman Kopytin <Roman.Kopytin@kaspersky.com>

Signed-off-by: Roman Kopytin <Roman.Kopytin@kaspersky.com>
Signed-off-by: Ivan Mikhaylov <fr0st61te@gmail.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
---
 test/py/tests/test_vboot.py | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index e3e7ca4b21..5ae622fe21 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -491,6 +491,37 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
         # Check that the boot fails if the global signature is not provided
         run_bootm(sha_algo, 'global image signature', 'signature is mandatory', False)
 
+    def test_fdt_add_pubkey(sha_algo, padding, sign_options):
+        """Test fdt_add_pubkey utility with given hash algorithm and padding.
+
+        This function tests if fdt_add_pubkey utility may add public keys into dtb.
+
+        Args:
+            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use
+            padding: Either '' or '-pss', to select the padding to use for the
+                    rsa signature algorithm.
+            sign_options: Options to mkimage when signing a fit image.
+        """
+
+        # Create a fresh .dtb without the public keys
+        dtc('sandbox-u-boot.dts')
+        make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
+
+        # Sign images with our dev keys
+        sign_fit(sha_algo, sign_options)
+
+        # Create a fresh .dtb without the public keys
+        dtc('sandbox-u-boot.dts')
+
+        cons.log.action('%s: Test fdt_add_pubkey with signed configuration' % sha_algo)
+        # Then add the dev key via the fdt_add_pubkey tool
+        util.run_and_log(cons, [fdt_add_pubkey, '-a', '%s,%s' % ('sha256' if algo_arg else sha_algo, \
+                                'rsa3072' if sha_algo == 'sha384' else 'rsa2048'),
+                                '-k', tmpdir, '-n', 'dev', '-r', 'conf', dtb])
+
+        # Check with fit_check_sign that FIT is signed with key
+        util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
+
     cons = u_boot_console
     tmpdir = os.path.join(cons.config.result_dir, name) + '/'
     if not os.path.exists(tmpdir):
@@ -500,6 +531,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
     mkimage = cons.config.build_dir + '/tools/mkimage'
     binman = cons.config.source_dir + '/tools/binman/binman'
     fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
+    fdt_add_pubkey = cons.config.build_dir + '/tools/fdt_add_pubkey'
     dtc_args = '-I dts -O dtb -i %s' % tmpdir
     dtb = '%ssandbox-u-boot.dtb' % tmpdir
     sig_node = '/configurations/conf-1/signature'
@@ -516,6 +548,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
     with open(evil_kernel, 'wb') as fd:
         fd.write(500 * b'\x01')
 
+    test_fdt_add_pubkey(sha_algo, padding, sign_options)
     try:
         # We need to use our own device tree file. Remember to restore it
         # afterwards.
-- 
2.39.1

next             reply	other threads:[~2023-03-18 23:42 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-19  2:42 Ivan Mikhaylov [this message]
2023-03-19 19:29 ` [PATCH v3] test_vboot.py: include test of fdt_add_pubkey tool Simon Glass

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e3e7ca4b2 dfblob:5ae622fe2 )
 OR (
bs:"[PATCH v3] test_vboot.py: include test of fdt_add_pubkey tool" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230319024232.50020-1-fr0st61te@gmail.com \
    --to=fr0st61te@gmail.com \
    --cc=Roman.Kopytin@kaspersky.com \
    --cc=jan.kiszka@siemens.com \
    --cc=rasmus.villemoes@prevas.dk \
    --cc=sjg@chromium.org \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox