Add a couple of test cases against capsule image authentication
for capsule-on-disk, where only a signed capsule file with the verified
signature will be applied to the system.
Due to the difficulty of embedding a public key (esl file) in U-Boot
binary during pytest setup time, all the keys/certificates are pre-created.
Signed-off-by: AKASHI Takahiro
---
.../py/tests/test_efi_capsule/capsule_defs.py | 5 +
test/py/tests/test_efi_capsule/conftest.py| 52 +++-
test/py/tests/test_efi_capsule/signature.dts | 10 +
.../test_capsule_firmware_signed.py | 254 ++
4 files changed, 318 insertions(+), 3 deletions(-)
create mode 100644 test/py/tests/test_efi_capsule/signature.dts
create mode 100644
test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py
b/test/py/tests/test_efi_capsule/capsule_defs.py
index 4fd6353c2040..aa9bf5eee3aa 100644
--- a/test/py/tests/test_efi_capsule/capsule_defs.py
+++ b/test/py/tests/test_efi_capsule/capsule_defs.py
@@ -3,3 +3,8 @@
# Directories
CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
+
+# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
+# you need build a newer version on your own.
+# The path must terminate with '/'.
+EFITOOLS_PATH = ''
diff --git a/test/py/tests/test_efi_capsule/conftest.py
b/test/py/tests/test_efi_capsule/conftest.py
index 6ad5608cd71c..27c05971ca32 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -10,13 +10,13 @@ import pytest
from capsule_defs import *
#
-# Fixture for UEFI secure boot test
+# Fixture for UEFI capsule test
#
-
@pytest.fixture(scope='session')
def efi_capsule_data(request, u_boot_config):
-"""Set up a file system to be used in UEFI capsule test.
+"""Set up a file system to be used in UEFI capsule and
+ authentication test.
Args:
request: Pytest request object.
@@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config):
check_call('mkdir -p %s' % data_dir, shell=True)
check_call('mkdir -p %s' % install_dir, shell=True)
+capsule_auth_enabled = u_boot_config.buildconfig.get(
+'config_efi_capsule_authenticate')
+if capsule_auth_enabled:
+# Create private key (SIGNER.key) and certificate (SIGNER.crt)
+check_call('cd %s; '
+ 'openssl req -x509 -sha256 -newkey rsa:2048 '
+'-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
+'-out SIGNER.crt -nodes -days 365'
+ % data_dir, shell=True)
+check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
+ % (data_dir, EFITOOLS_PATH), shell=True)
+
+# Update dtb adding capsule certificate
+check_call('cd %s; '
+ 'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
+ % (data_dir, u_boot_config.source_dir), shell=True)
+check_call('cd %s; '
+ 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
+ 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
+'-o test_sig.dtb signature.dtbo'
+ % (data_dir, u_boot_config.build_dir), shell=True)
+
+# Create *malicious* private key (SIGNER2.key) and certificate
+# (SIGNER2.crt)
+check_call('cd %s; '
+ 'openssl req -x509 -sha256 -newkey rsa:2048 '
+'-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
+'-out SIGNER2.crt -nodes -days 365'
+ % data_dir, shell=True)
+
# Create capsule files
# two regions: one for u-boot.bin and the other for u-boot.env
check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n
u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n
u-boot-env:New > u-boot.env.new' % data_dir,
@@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config):
check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index
1 Test02' %
(data_dir, u_boot_config.build_dir),
shell=True)
+if capsule_auth_enabled:
+# firmware signed with proper key
+check_call('cd %s; '
+ '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+'--private-key SIGNER.key --certificate SIGNER.crt
'
+'--raw u-boot.bin.new Test11'
+ % (data_dir, u_boot_config.build_dir),
+ shell=True)
+# firmware signed with *mal* key
+check_call('cd %s; '
+ '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+