Re: [PATCH v8 14/15] test: py: vboot: add test for global image signature

2022-03-31 Thread Tom Rini
On Mon, Mar 28, 2022 at 10:57:06PM +0200, Philippe Reynes wrote:

> Adds test units for the pre-load header signature.
> 
> Signed-off-by: Philippe Reynes 

Applied to u-boot/next, thanks!

-- 
Tom




[PATCH v8 14/15] test: py: vboot: add test for global image signature

2022-03-28 Thread Philippe Reynes
Adds test units for the pre-load header signature.

Signed-off-by: Philippe Reynes 
---
 test/py/tests/test_vboot.py   | 148 --
 test/py/tests/vboot/sandbox-binman-pss.dts|  25 +++
 test/py/tests/vboot/sandbox-binman.dts|  24 +++
 .../tests/vboot/sandbox-u-boot-global-pss.dts |  28 
 test/py/tests/vboot/sandbox-u-boot-global.dts |  27 
 test/py/tests/vboot/simple-images.its |  36 +
 6 files changed, 272 insertions(+), 16 deletions(-)
 create mode 100644 test/py/tests/vboot/sandbox-binman-pss.dts
 create mode 100644 test/py/tests/vboot/sandbox-binman.dts
 create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-pss.dts
 create mode 100644 test/py/tests/vboot/sandbox-u-boot-global.dts
 create mode 100644 test/py/tests/vboot/simple-images.its

diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index ac8ed9f114..040147d88b 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -21,6 +21,14 @@ For configuration verification:
 - Corrupt the signature
 - Check that image verification no-longer works
 
+For pre-load header verification:
+- Create FIT image with a pre-load header
+- Check that signature verification succeeds
+- Corrupt the FIT image
+- Check that signature verification fails
+- Launch an FIT image without a pre-load header
+- Check that image verification fails
+
 Tests run with both SHA1 and SHA256 hashing.
 """
 
@@ -35,19 +43,21 @@ import vboot_evil
 # Only run the full suite on a few combinations, since it doesn't add any more
 # test coverage.
 TESTDATA = [
-['sha1-basic', 'sha1', '', None, False, True, False],
-['sha1-pad', 'sha1', '', '-E -p 0x1', False, False, False],
-['sha1-pss', 'sha1', '-pss', None, False, False, False],
-['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x1', False, False, False],
-['sha256-basic', 'sha256', '', None, False, False, False],
-['sha256-pad', 'sha256', '', '-E -p 0x1', False, False, False],
-['sha256-pss', 'sha256', '-pss', None, False, False, False],
-['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x1', False, False, False],
-['sha256-pss-required', 'sha256', '-pss', None, True, False, False],
-['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x1', True, True, 
False],
-['sha384-basic', 'sha384', '', None, False, False, False],
-['sha384-pad', 'sha384', '', '-E -p 0x1', False, False, False],
-['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', False, False, True],
+['sha1-basic', 'sha1', '', None, False, True, False, False],
+['sha1-pad', 'sha1', '', '-E -p 0x1', False, False, False, False],
+['sha1-pss', 'sha1', '-pss', None, False, False, False, False],
+['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x1', False, False, False, 
False],
+['sha256-basic', 'sha256', '', None, False, False, False, False],
+['sha256-pad', 'sha256', '', '-E -p 0x1', False, False, False, False],
+['sha256-pss', 'sha256', '-pss', None, False, False, False, False],
+['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x1', False, False, False, 
False],
+['sha256-pss-required', 'sha256', '-pss', None, True, False, False, False],
+['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x1', True, True, 
False, False],
+['sha384-basic', 'sha384', '', None, False, False, False, False],
+['sha384-pad', 'sha384', '', '-E -p 0x1', False, False, False, False],
+['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', False, False, True, 
False],
+['sha256-global-sign', 'sha256', '', '', False, False, False, True],
+['sha256-global-sign-pss', 'sha256', '-pss', '', False, False, False, 
True],
 ]
 
 @pytest.mark.boardspec('sandbox')
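Review bot: The two new rows at the end of TESTDATA pass `''` for sign_options, while every existing row without extra mkimage options passes `None`. Unless the body of test_vboot (which lies outside this hunk) treats the two differently, use `None` for consistency, e.g. `['sha256-global-sign', 'sha256', '', None, False, False, False, True],`. With the eighth positional column each row now ends in four unlabelled booleans, so a comment above the list naming the columns, `# name, sha_algo, padding, sign_options, required, full_test, algo_arg, global_sign`, would make it harder to flip the wrong flag in a verified-boot test matrix. The pre-load signature is also exercised only with sha256 and `required` set to False; that may be intentional given the existing comment about limiting combinations, but it is worth saying so next to the new rows.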
@@ -56,10 +66,10 @@ TESTDATA = [
 @pytest.mark.requiredtool('fdtget')
 @pytest.mark.requiredtool('fdtput')
 @pytest.mark.requiredtool('openssl')
-@pytest.mark.parametrize("name,sha_algo,padding,sign_options,required,full_test,algo_arg",
+@pytest.mark.parametrize("name,sha_algo,padding,sign_options,required,full_test,algo_arg,global_sign",
  TESTDATA)
 def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
-   full_test, algo_arg):
+   full_test, algo_arg, global_sign):
 """Test verified boot signing with mkimage and verification with 'bootm'.
 
 This works using sandbox only as it needs to update the device tree used
@@ -81,6 +91,33 @@ def test_vboot(u_boot_console, name, sha_algo, padding, 
sign_options, required,
 util.run_and_log(cons, 'dtc %s %s%s -O dtb '
  '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb))
 
+def dtc_options(dts, options):
+"""Run the device tree compiler to compile a .dts file
+
+The output file will be the same as the input file but with a .dtb
+extension.
+
+Args:
+dts: Device tree file to compile.
+options: Options provided to the