On Tue, Apr 19, 2022 at 10:54:14AM +0900, AKASHI Takahiro wrote: > On Mon, Apr 18, 2022 at 09:07:23PM +0300, Ilias Apalodimas wrote: > > The previous patch adds support for rejecting images when the sha384/512 > > of an x.509 certificate is present in dbx. Update the sandbox selftests > > > > Signed-off-by: Ilias Apalodimas <[email protected]> > > --- > > changes since v2: > > - None > > changes since RFC: > > - new patch > > > > test/py/tests/test_efi_secboot/conftest.py | 6 +++ > > test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++ > > 2 files changed, 56 insertions(+) > > > > diff --git a/test/py/tests/test_efi_secboot/conftest.py > > b/test/py/tests/test_efi_secboot/conftest.py > > index 69a498ca003c..8a53dabe5414 100644 > > --- a/test/py/tests/test_efi_secboot/conftest.py > > +++ b/test/py/tests/test_efi_secboot/conftest.py > > @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config): > > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 > > db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k > > KEK.key dbx dbx_hash.crl dbx_hash.auth' > > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > shell=True) > > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 > > db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k > > KEK.key dbx dbx_hash384.crl dbx_hash384.auth' > > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > + shell=True) > > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 > > db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k > > KEK.key dbx dbx_hash512.crl dbx_hash512.auth' > > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > + shell=True) > > # dbx_hash1 (digest of TEST_db1 certificate) > > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 > > db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k > > KEK.key dbx dbx_hash1.crl dbx_hash1.auth' > > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > diff --git a/test/py/tests/test_efi_secboot/test_signed.py > > b/test/py/tests/test_efi_secboot/test_signed.py > > index cc9396a11d48..80d5eff74be3 100644 > > --- a/test/py/tests/test_efi_secboot/test_signed.py > > +++ b/test/py/tests/test_efi_secboot/test_signed.py > > @@ -235,6 +235,56 @@ class TestEfiSignedImage(object): > > assert '\'HELLO\' failed' in ''.join(output) > > assert 'efi_start_image() returned: 26' in ''.join(output) > > > > + # sha384 of an x509 cert in dbx > > + u_boot_console.restart_uboot() > > + with u_boot_console.log.section('Test Case 5e'): > > + # Test Case 5f, authenticated even if only one of signatures > > + # is verified. Same as before but reject dbx_hash1.auth only > > Please describe the test scenario more specifically regarding sha384. > > > + output = u_boot_console.run_command_list([ > > + 'host bind 0 %s' % disk_img, > > + 'fatload host 0:1 4000000 db.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 KEK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', > > + 'fatload host 0:1 4000000 PK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', > > + 'fatload host 0:1 4000000 db1.auth', > > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 dbx_hash384.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot add -b 1 HELLO host 0:1 > > /helloworld.efi.signed_2sigs -s ""', > > + 'efidebug boot next 1', > > + 'efidebug test bootmgr']) > > + assert '\'HELLO\' failed' in ''.join(output) > > + assert 'efi_start_image() returned: 26' in ''.join(output) > > + > > + # sha512 of an x509 cert in dbx > > + u_boot_console.restart_uboot() > > + with u_boot_console.log.section('Test Case 5e'): > > + # Test Case 5G, authenticated even if only one of signatures > > + # is verified. Same as before but reject dbx_hash1.auth only > > + output = u_boot_console.run_command_list([ > > + 'host bind 0 %s' % disk_img, > > + 'fatload host 0:1 4000000 db.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 KEK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', > > + 'fatload host 0:1 4000000 PK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', > > + 'fatload host 0:1 4000000 db1.auth', > > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 dbx_hash512.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot add -b 1 HELLO host 0:1 > > /helloworld.efi.signed_2sigs -s ""', > > + 'efidebug boot next 1', > > + 'efidebug test bootmgr']) > > + assert '\'HELLO\' failed' in ''.join(output) > > + assert 'efi_start_image() returned: 26' in ''.join(output) > > + > > I prefer to have two separate test functions for sha384 and sha512. > This way, we can test both cases independently. > In the test run, even if sha384 case fails, sha512 can still be verified. >
Sure, I'll split them on v4 Thanks /Ilias > -Takahiro Akashi > > > > def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): > > """ > > Test Case 6 - using digest of signed image in database > > -- > > 2.32.0 > >
