From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: AKASHI Takahiro <takahiro.akashi@linaro.org>,
xypron.glpk@gmx.de, u-boot@lists.denx.de
Subject: Re: [PATCH 2/2] test/py: efi_secboot: adjust secure boot tests to code changes
Date: Mon, 14 Feb 2022 08:56:07 +0200 [thread overview]
Message-ID: <Ygn9B5kO//iFunBp@hades> (raw)
In-Reply-To: <20220214063606.GH39639@laputa>
On Mon, Feb 14, 2022 at 03:36:06PM +0900, AKASHI Takahiro wrote:
> On Mon, Feb 14, 2022 at 08:18:03AM +0200, Ilias Apalodimas wrote:
> > On Mon, Feb 14, 2022 at 10:50:08AM +0900, AKASHI Takahiro wrote:
> > > Ilias,
> > >
> > > On Fri, Feb 11, 2022 at 09:37:50AM +0200, Ilias Apalodimas wrote:
> > > > The previous patch is changing U-Boot's behavior wrt certificate based
> > > > binary authentication. Specifically an image who's digest of a
> > > > certificate is found in dbx is now rejected. Fix the test accordingly
> > > > and add another one testing signatures in reverse order
> > > >
> > > > Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> > > > ---
> > > > changes since RFC:
> > > > - Added another test cases checking signature hashes in reverse order
> > > > test/py/tests/test_efi_secboot/test_signed.py | 30 +++++++++++++++++--
> > > > 1 file changed, 28 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
> > > > index 0aee34479f55..cc9396a11d48 100644
> > > > --- a/test/py/tests/test_efi_secboot/test_signed.py
> > > > +++ b/test/py/tests/test_efi_secboot/test_signed.py
> > > > @@ -186,7 +186,7 @@ class TestEfiSignedImage(object):
> > > > assert 'Hello, world!' in ''.join(output)
> > > >
> > > > with u_boot_console.log.section('Test Case 5c'):
> > > > - # Test Case 5c, not rejected if one of signatures (digest of
> > > > + # Test Case 5c, rejected if one of signatures (digest of
> > > > # certificate) is revoked
> > > > output = u_boot_console.run_command_list([
> > > > 'fatload host 0:1 4000000 dbx_hash.auth',
> > > > @@ -195,7 +195,8 @@ class TestEfiSignedImage(object):
> > > > output = u_boot_console.run_command_list([
> > > > 'efidebug boot next 1',
> > > > 'efidebug test bootmgr'])
> > > > - assert 'Hello, world!' in ''.join(output)
> > > > + assert '\'HELLO\' failed' in ''.join(output)
> > > > + assert 'efi_start_image() returned: 26' in ''.join(output)
> > > >
> > > > with u_boot_console.log.section('Test Case 5d'):
> > > > # Test Case 5d, rejected if both of signatures are revoked
> > > > @@ -209,6 +210,31 @@ class TestEfiSignedImage(object):
> > > > assert '\'HELLO\' failed' in ''.join(output)
> > > > assert 'efi_start_image() returned: 26' in ''.join(output)
> > > >
> > > > + # Try rejection in reverse order.
> > >
> > > "Reverse order" of what?
> >
> > Of the test right above
>
> Please specify the signature database, I guess "dbx"?
>
> > >
> > > > + u_boot_console.restart_uboot()
> > >
> > > I don't think we need 'restart' here.
> > > I added it in each test function (not test case), IIRC, because we didn't
> > > have file-based non-volatile variables at that time.
> >
> > You do. dbx already holds dbx_hash.auth and dbx1_hash.auth (in that order) at
> > that point. The point is cleaning up dbx and testing against dbx1_hash.
>
> Why not simply overwrite "dbx" variable?
> Without "-a", "env set -e" does it if it is properly signed with KEK.
>
I am not sure you've understood the bug yet. If I did that, db's 1sts
entry would still be there. The whole point is insert dbx1_hash first. The
easiest way to do this is on an empty database, instead of starting
overwriting and cleaning variables. Why is rebooting even a problem?
> > >
> > > > + with u_boot_console.log.section('Test Case 5e'):
> > > > + # Test Case 5e, authenticated even if only one of signatures
> > > > + # is verified. Same as before but reject dbx_hash1.auth only
> > >
> > > Please specify what test case "before" means.
> >
> > The test that run right before that
>
> Please add a particular test case number to avoid any ambiguity.
> I believe that a test case description should be easy enough to understand
> and convey no ambiguity especially if there is some subtle difference
> between cases.
This is exactly the test case right above with dbx1_auth inserted first. I
think it's fine under the current test.
>
> > >
> > > > + output = u_boot_console.run_command_list([
> > > > + 'host bind 0 %s' % disk_img,
> > > > + 'fatload host 0:1 4000000 db.auth',
> > > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
> > > > + 'fatload host 0:1 4000000 KEK.auth',
> > > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
> > > > + 'fatload host 0:1 4000000 PK.auth',
> > > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
> > > > + 'fatload host 0:1 4000000 db1.auth',
> > > > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
> > > > + 'fatload host 0:1 4000000 dbx_hash1.auth',
> > > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
> > >
> > > Now "db" has db.auth and db1.auth in this order and
> > > 'dbx" has dbx_hash1.auth.
> > > Is this what you intend to test?
> >
> > Yes. The patchset solved 2 bugs. One was not rejecting the image when a
> > single dbx entry was found. The second was that depending on the order the
> > image was signed and the keys inserted into dbx, the code could reject or
> > accept the image.
>
> Which part of "dbx" (or "db"?) is in a reverse order?
the first tests add dbx_hash -> dbx1_hash, while the second purges the dbx
database and adds dbx1_hash to test against.
Regards
/Ilias
>
> -Takahiro Akashi
>
>
> > >
> > > -Takahiro Akashi
> > >
> > > > + assert 'Failed to set EFI variable' not in ''.join(output)
> > > > + output = u_boot_console.run_command_list([
> > > > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""',
> > > > + 'efidebug boot next 1',
> > > > + 'efidebug test bootmgr'])
> > > > + assert '\'HELLO\' failed' in ''.join(output)
> > > > + assert 'efi_start_image() returned: 26' in ''.join(output)
> > > > +
> > > > def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
> > > > """
> > > > Test Case 6 - using digest of signed image in database
> > > > --
> > > > 2.32.0
> > > >
> >
> > Regards
> > /Ilias
next prev parent reply other threads:[~2022-02-14 6:56 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-11 7:37 [PATCH 1/2] efi_loader: fix dual signed image certification Ilias Apalodimas
2022-02-11 7:37 ` [PATCH 2/2] test/py: efi_secboot: adjust secure boot tests to code changes Ilias Apalodimas
2022-02-14 1:50 ` AKASHI Takahiro
2022-02-14 6:18 ` Ilias Apalodimas
2022-02-14 6:36 ` AKASHI Takahiro
2022-02-14 6:56 ` Ilias Apalodimas [this message]
2022-02-15 0:30 ` AKASHI Takahiro
2022-02-15 6:50 ` Ilias Apalodimas
2022-02-16 2:18 ` AKASHI Takahiro
2022-02-16 9:51 ` Ilias Apalodimas
2022-02-16 10:03 ` Ilias Apalodimas
2022-02-16 2:20 ` AKASHI Takahiro
2022-02-16 9:52 ` Ilias Apalodimas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Ygn9B5kO//iFunBp@hades \
--to=ilias.apalodimas@linaro.org \
--cc=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox