From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: AKASHI Takahiro <takahiro.akashi@linaro.org>,
xypron.glpk@gmx.de, Stuart.Yoder@arm.com, paul.liu@linaro.org,
u-boot@lists.denx.de
Subject: Re: [PATCH 2/2 v3] test/py: Add more test cases for rejecting an EFI image
Date: Tue, 19 Apr 2022 08:39:53 +0300 [thread overview]
Message-ID: <Yl5LKVrt+RBmo6F7@hera> (raw)
In-Reply-To: <20220419015414.GB47455@laputa>
On Tue, Apr 19, 2022 at 10:54:14AM +0900, AKASHI Takahiro wrote:
> On Mon, Apr 18, 2022 at 09:07:23PM +0300, Ilias Apalodimas wrote:
> > The previous patch adds support for rejecting images when the sha384/512
> > of an x.509 certificate is present in dbx. Update the sandbox selftests
> >
> > Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> > ---
> > changes since v2:
> > - None
> > changes since RFC:
> > - new patch
> >
> > test/py/tests/test_efi_secboot/conftest.py | 6 +++
> > test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++
> > 2 files changed, 56 insertions(+)
> >
> > diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
> > index 69a498ca003c..8a53dabe5414 100644
> > --- a/test/py/tests/test_efi_secboot/conftest.py
> > +++ b/test/py/tests/test_efi_secboot/conftest.py
> > @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config):
> > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth'
> > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> > shell=True)
> > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth'
> > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> > + shell=True)
> > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth'
> > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> > + shell=True)
> > # dbx_hash1 (digest of TEST_db1 certificate)
> > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
> > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
> > index cc9396a11d48..80d5eff74be3 100644
> > --- a/test/py/tests/test_efi_secboot/test_signed.py
> > +++ b/test/py/tests/test_efi_secboot/test_signed.py
> > @@ -235,6 +235,56 @@ class TestEfiSignedImage(object):
> > assert '\'HELLO\' failed' in ''.join(output)
> > assert 'efi_start_image() returned: 26' in ''.join(output)
> >
> > + # sha384 of an x509 cert in dbx
> > + u_boot_console.restart_uboot()
> > + with u_boot_console.log.section('Test Case 5e'):
> > + # Test Case 5f, authenticated even if only one of signatures
> > + # is verified. Same as before but reject dbx_hash1.auth only
>
> Please describe the test scenario more specifically regarding sha384.
>
> > + output = u_boot_console.run_command_list([
> > + 'host bind 0 %s' % disk_img,
> > + 'fatload host 0:1 4000000 db.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
> > + 'fatload host 0:1 4000000 KEK.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
> > + 'fatload host 0:1 4000000 PK.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
> > + 'fatload host 0:1 4000000 db1.auth',
> > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
> > + 'fatload host 0:1 4000000 dbx_hash384.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
> > + assert 'Failed to set EFI variable' not in ''.join(output)
> > + output = u_boot_console.run_command_list([
> > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""',
> > + 'efidebug boot next 1',
> > + 'efidebug test bootmgr'])
> > + assert '\'HELLO\' failed' in ''.join(output)
> > + assert 'efi_start_image() returned: 26' in ''.join(output)
> > +
> > + # sha512 of an x509 cert in dbx
> > + u_boot_console.restart_uboot()
> > + with u_boot_console.log.section('Test Case 5e'):
> > + # Test Case 5G, authenticated even if only one of signatures
> > + # is verified. Same as before but reject dbx_hash1.auth only
> > + output = u_boot_console.run_command_list([
> > + 'host bind 0 %s' % disk_img,
> > + 'fatload host 0:1 4000000 db.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
> > + 'fatload host 0:1 4000000 KEK.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
> > + 'fatload host 0:1 4000000 PK.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
> > + 'fatload host 0:1 4000000 db1.auth',
> > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
> > + 'fatload host 0:1 4000000 dbx_hash512.auth',
> > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
> > + assert 'Failed to set EFI variable' not in ''.join(output)
> > + output = u_boot_console.run_command_list([
> > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""',
> > + 'efidebug boot next 1',
> > + 'efidebug test bootmgr'])
> > + assert '\'HELLO\' failed' in ''.join(output)
> > + assert 'efi_start_image() returned: 26' in ''.join(output)
> > +
>
> I prefer to have two separate test functions for sha384 and sha512.
> This way, we can test both cases independently.
> In the test run, even if sha384 case fails, sha512 can still be verified.
>
Sure, I'll split them on v4
Thanks
/Ilias
> -Takahiro Akashi
>
>
> > def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
> > """
> > Test Case 6 - using digest of signed image in database
> > --
> > 2.32.0
> >
next prev parent reply other threads:[~2022-04-19 5:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-18 18:07 [PATCH 1/2] efi_loader: add sha384/512 on certificate revocation Ilias Apalodimas
2022-04-18 18:07 ` [PATCH 2/2 v3] test/py: Add more test cases for rejecting an EFI image Ilias Apalodimas
2022-04-19 1:54 ` AKASHI Takahiro
2022-04-19 5:39 ` Ilias Apalodimas [this message]
2022-04-19 1:46 ` [PATCH 1/2] efi_loader: add sha384/512 on certificate revocation AKASHI Takahiro
2022-04-19 5:49 ` Ilias Apalodimas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yl5LKVrt+RBmo6F7@hera \
--to=ilias.apalodimas@linaro.org \
--cc=Stuart.Yoder@arm.com \
--cc=paul.liu@linaro.org \
--cc=takahiro.akashi@linaro.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox