From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 2CF2EC433EF for ; Tue, 19 Apr 2022 05:40:04 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id BE5F683AD1; Tue, 19 Apr 2022 07:40:01 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="CGMkzY97"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id C46E283AED; Tue, 19 Apr 2022 07:39:59 +0200 (CEST) Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id EF7A283ABE for ; Tue, 19 Apr 2022 07:39:56 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org Received: by mail-wm1-x32d.google.com with SMTP id m15-20020a7bca4f000000b0038fdc1394b1so778773wml.2 for ; Mon, 18 Apr 2022 22:39:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=6lkSdf95+LUX2iwbOyK50Q9CdJf8KmX5H0+Sk8lqTj4=; b=CGMkzY97V5164q2FEdnOiPM86xS9Jv/XZGR5yw3Ax8Z5LJvRzsVnsJVxcSzi940NVh XBpkYRdSaOGCkPfZ4DxreacUOOV7NcuCxmt63ybZs/Gl7KDt/qe/lojcW3KkFqiLf3mx BUTjLMqGH5Rfns9MiI0Jcz7Oo0SOgqSrLnAPo6RUqxEuweeSoczjSzQW0ECNBQNRruLb iXEhrSKJTmW3HlZbNQfTfKAykq4+mhMaJ8TgvqoQ0cJkTdFTQtT7LJLfQUt40VwCR5VH wu9fZC6zVqieyYKSqC6DcU/bSncHdZz+kMVMTJXHDxQPY4NrD9Y874mhtMzGgzg4Ab5l s8eQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=6lkSdf95+LUX2iwbOyK50Q9CdJf8KmX5H0+Sk8lqTj4=; b=0Sa+PoQUup8g5+1PnlFJNKSDfR5FaPldVtT7lk3USNMA3f5wcrNCqZ+IeSbE5gowOU MDLNIeVm0GMleM9r+CYk8CtnGASIk6Wrids8d49m22xM7KSBUmCEKCI9nNSRWZP5mgvq bz8/cxKgpGb33aMCQRDBLOIW7Vgyab7RrSfo/UvvvHmVyuHUj5EzaK9aSqiFatWaVVbZ TcH9gSO4AcMaeHp/92a2at+NIRMOYl6mo3UxFWD62ym5EGxRySiXKUyt+q+zV2FWjBfB IVj1MeuAleNXFVmDWR1f6c7ebzJro1U20wA96WXdrqIRnIo7FNLZvrVrq9IZ3U9NV1Nt nbNQ== X-Gm-Message-State: AOAM5309JyKKDqHW2Av/epZxPvezCCWoyYoxedkEekINzfRHUuRoTdeR ZmTosyG09HnL8P+H6de063p6qA== X-Google-Smtp-Source: ABdhPJyLXtTdi1m1K53sONtNxJoLPe2B40Hcu5fYv87z9VsSsFRaprEfdvdvOLdH0XaAt43oN5UG1Q== X-Received: by 2002:a1c:7416:0:b0:38e:b8b7:e271 with SMTP id p22-20020a1c7416000000b0038eb8b7e271mr17778442wmc.7.1650346796485; Mon, 18 Apr 2022 22:39:56 -0700 (PDT) Received: from hera (athedsl-4461779.home.otenet.gr. [94.71.4.195]) by smtp.gmail.com with ESMTPSA id p12-20020a5d68cc000000b00207a6461ecdsm11527498wrw.93.2022.04.18.22.39.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Apr 2022 22:39:55 -0700 (PDT) Date: Tue, 19 Apr 2022 08:39:53 +0300 From: Ilias Apalodimas To: AKASHI Takahiro , xypron.glpk@gmx.de, Stuart.Yoder@arm.com, paul.liu@linaro.org, u-boot@lists.denx.de Subject: Re: [PATCH 2/2 v3] test/py: Add more test cases for rejecting an EFI image Message-ID: References: <20220418180724.1855888-1-ilias.apalodimas@linaro.org> <20220418180724.1855888-2-ilias.apalodimas@linaro.org> <20220419015414.GB47455@laputa> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220419015414.GB47455@laputa> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de X-Virus-Status: Clean On Tue, Apr 19, 2022 at 10:54:14AM +0900, AKASHI Takahiro wrote: > On Mon, Apr 18, 2022 at 09:07:23PM +0300, Ilias Apalodimas wrote: > > The previous patch adds support for rejecting images when the sha384/512 > > of an x.509 certificate is present in dbx. Update the sandbox selftests > > > > Signed-off-by: Ilias Apalodimas > > --- > > changes since v2: > > - None > > changes since RFC: > > - new patch > > > > test/py/tests/test_efi_secboot/conftest.py | 6 +++ > > test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++ > > 2 files changed, 56 insertions(+) > > > > diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py > > index 69a498ca003c..8a53dabe5414 100644 > > --- a/test/py/tests/test_efi_secboot/conftest.py > > +++ b/test/py/tests/test_efi_secboot/conftest.py > > @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config): > > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' > > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > shell=True) > > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' > > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > + shell=True) > > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' > > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > + shell=True) > > # dbx_hash1 (digest of TEST_db1 certificate) > > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' > > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py > > index cc9396a11d48..80d5eff74be3 100644 > > --- a/test/py/tests/test_efi_secboot/test_signed.py > > +++ b/test/py/tests/test_efi_secboot/test_signed.py > > @@ -235,6 +235,56 @@ class TestEfiSignedImage(object): > > assert '\'HELLO\' failed' in ''.join(output) > > assert 'efi_start_image() returned: 26' in ''.join(output) > > > > + # sha384 of an x509 cert in dbx > > + u_boot_console.restart_uboot() > > + with u_boot_console.log.section('Test Case 5e'): > > + # Test Case 5f, authenticated even if only one of signatures > > + # is verified. Same as before but reject dbx_hash1.auth only > > Please describe the test scenario more specifically regarding sha384. > > > + output = u_boot_console.run_command_list([ > > + 'host bind 0 %s' % disk_img, > > + 'fatload host 0:1 4000000 db.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 KEK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', > > + 'fatload host 0:1 4000000 PK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', > > + 'fatload host 0:1 4000000 db1.auth', > > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 dbx_hash384.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', > > + 'efidebug boot next 1', > > + 'efidebug test bootmgr']) > > + assert '\'HELLO\' failed' in ''.join(output) > > + assert 'efi_start_image() returned: 26' in ''.join(output) > > + > > + # sha512 of an x509 cert in dbx > > + u_boot_console.restart_uboot() > > + with u_boot_console.log.section('Test Case 5e'): > > + # Test Case 5G, authenticated even if only one of signatures > > + # is verified. Same as before but reject dbx_hash1.auth only > > + output = u_boot_console.run_command_list([ > > + 'host bind 0 %s' % disk_img, > > + 'fatload host 0:1 4000000 db.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 KEK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', > > + 'fatload host 0:1 4000000 PK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', > > + 'fatload host 0:1 4000000 db1.auth', > > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 dbx_hash512.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', > > + 'efidebug boot next 1', > > + 'efidebug test bootmgr']) > > + assert '\'HELLO\' failed' in ''.join(output) > > + assert 'efi_start_image() returned: 26' in ''.join(output) > > + > > I prefer to have two separate test functions for sha384 and sha512. > This way, we can test both cases independently. > In the test run, even if sha384 case fails, sha512 can still be verified. > Sure, I'll split them on v4 Thanks /Ilias > -Takahiro Akashi > > > > def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): > > """ > > Test Case 6 - using digest of signed image in database > > -- > > 2.32.0 > >