This commit adds test cases for ECDSA on FIT, but not (yet) for the global image signature (preload).
Signed-off-by: Philippe Reynes <[email protected]>
---
v2: - initial version test/py/tests/test_vboot.py | 29 ++++++++++++ .../vboot/sign-configs-sha256-ecdsa256.its | 45 +++++++++++++++++++ .../vboot/sign-configs-sha256-ecdsa384.its | 45 +++++++++++++++++++ .../vboot/sign-configs-sha256-ecdsa521.its | 45 +++++++++++++++++++ .../vboot/sign-images-sha256-ecdsa256.its | 42 +++++++++++++++++ .../vboot/sign-images-sha256-ecdsa384.its | 42 +++++++++++++++++ .../vboot/sign-images-sha256-ecdsa521.its | 42 +++++++++++++++++ 7 files changed, 290 insertions(+) create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa256.its create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa384.its create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa521.its create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa256.its create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa384.its create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa521.its
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index fd1bf6eb8aa..d2eeda816e2 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -94,6 +94,9 @@ TESTDATA_IN = [
 ['sha256-pss-pad', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', False, False, False, False],
 ['sha256-pss-required', 'sha256', '-rsa2048', '-pss', None, True, False, False, False],
 ['sha256-pss-pad-required', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', True, True, False, False],
+ ['sha256-basic-ecdsa256', 'sha256', '-ecdsa256', '', None, False, False, False, False],
+ ['sha256-basic-ecdsa384', 'sha256', '-ecdsa384', '', None, False, False, False, False],
+ ['sha256-basic-ecdsa521', 'sha256', '-ecdsa521', '', None, False, False, False, False],
 ['sha384-basic', 'sha384', '-rsa3072', '', None, False, False, False, False],
 ['sha384-pad', 'sha384', '-rsa3072', '', '-E -p 0x10000', False, False, False, False],
 ['algo-arg', 'algo-arg', '', '', '-o sha256,rsa2048', False, False, True, False],
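Review bot: The three ECDSA rows added to `TESTDATA_IN` all pass `False` in the `required` column (sixth entry, going by the `test_vboot` parameter order shown in the next hunk header), while the RSA rows beside them include `sha256-pss-required` and `sha256-pss-pad-required`; required-key enforcement is therefore not exercised for ECDSA. Consider adding a row such as `['sha256-required-ecdsa256', 'sha256', '-ecdsa256', '', None, True, False, False, False],`, assuming the row name is only a test id and does not select a fixture file, which this hunk does not show. The meaning of the three trailing flags is not visible here either; if one of them enables extended tamper checks, it is off for every ECDSA row as well. The list starts and ends outside the hunk.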
@@ -287,6 +290,29 @@ def test_vboot(ubman, name, sha_algo, sig_algo, padding, sign_options, required, utils.run_and_log(ubman, 'openssl req -batch -new -x509 -key %s%s.key ' '-out %s%s.crt' % (tmpdir, name, tmpdir, name)) + def create_ecdsa_pair(name): + """Generate a new ECDSA key pair + + Args: + name: Name of of the key (e.g. 'dev') + """ + + if sig_algo == "-ecdsa256": + curve_name = "secp256r1" + elif sig_algo == "-ecdsa384": + curve_name = "secp384r1" + elif sig_algo == "-ecdsa521": + curve_name = "secp521r1" + else: + curve_name = "unknownCurve" + + utils.run_and_log(ubman, 'openssl ecparam -name %s -genkey -noout -out %s%s.pem' % + (curve_name, tmpdir, name)) + + # Create a certificate containing the public key + utils.run_and_log(ubman, 'openssl req -batch -new -x509 -key %s%s.pem ' + '-out %s%s.crt' % (tmpdir, name, tmpdir, name)) + def test_with_algo(sha_algo, sig_algo, padding, sign_options): """Test verified boot with the given hash algorithm. @@ -523,6 +549,9 @@ def test_vboot(ubman, name, sha_algo, sig_algo, padding, sign_options, required, if sig_algo == "-rsa2048" or sig_algo == "-rsa3072" or sig_algo == "": create_rsa_pair('dev') create_rsa_pair('prod') + elif sig_algo == "-ecdsa256" or sig_algo == "-ecdsa384" or sig_algo == "-ecdsa521": + create_ecdsa_pair('dev') + create_ecdsa_pair('prod') # Create a number kernel image with zeroes with open('%stest-kernel.bin' % tmpdir, 'wb') as fd: diff --git a/test/py/tests/vboot/sign-configs-sha256-ecdsa256.its b/test/py/tests/vboot/sign-configs-sha256-ecdsa256.its new file mode 100644 index 00000000000..4d0ef903a78 --- /dev/null +++ b/test/py/tests/vboot/sign-configs-sha256-ecdsa256.its 
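Review bot: In `create_ecdsa_pair`, the `else:` branch sets `curve_name = "unknownCurve"` and still runs `openssl ecparam`, so an unsupported `sig_algo` shows up as an opaque OpenSSL failure instead of a clear test error; replace the assignment with `raise ValueError('unsupported sig_algo: %s' % sig_algo)`. The key-creation dispatch in the following hunk (`elif sig_algo == "-ecdsa256" or ...`) has the matching gap: there is no final `else`, so an unrecognised value generates no key pair at all and the failure would presumably only appear later, at signing; an `else:` that raises the same error would fail fast there too. The docstring also carries a typo, `Name of of the key`. `test_vboot` itself starts and ends outside both hunks.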
@@ -0,0 +1,45 @@
+/dts-v1/;
+
+/ {
+ description = "Chrome OS kernel image with one or more FDT blobs";
+ #address-cells = <1>;
+
+ images {
+ kernel {
+ data = /incbin/("test-kernel.bin");
+ type = "kernel_noload";
+ arch = "sandbox";
+ os = "linux";
+ compression = "none";
+ load = <0x4>;
+ entry = <0x8>;
+ kernel-version = <1>;
+ hash-1 {
+ algo = "sha256";
+ };
+ };
+ fdt-1 {
+ description = "snow";
+ data = /incbin/("sandbox-kernel.dtb");
+ type = "flat_dt";
+ arch = "sandbox";
+ compression = "none";
+ fdt-version = <1>;
+ hash-1 {
+ algo = "sha256";
+ };
+ };
+ };
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ kernel = "kernel";
+ fdt = "fdt-1";
+ signature {
+ algo = "sha256,ecdsa256";
+ key-name-hint = "dev";
+ sign-images = "fdt", "kernel";
+ };
+ };
+ };
+};
diff --git a/test/py/tests/vboot/sign-configs-sha256-ecdsa384.its b/test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
new file mode 100644
index 00000000000..10427b43659
--- /dev/null
+++ b/test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
@@ -0,0 +1,45 @@
+/dts-v1/;
+
+/ {
+ description = "Chrome OS kernel image with one or more FDT blobs";
+ #address-cells = <1>;
+
+ images {
+ kernel {
+ data = /incbin/("test-kernel.bin");
+ type = "kernel_noload";
+ arch = "sandbox";
+ os = "linux";
+ compression = "none";
+ load = <0x4>;
+ entry = <0x8>;
+ kernel-version = <1>;
+ hash-1 {
+ algo = "sha256";
+ };
+ };
+ fdt-1 {
+ description = "snow";
+ data = /incbin/("sandbox-kernel.dtb");
+ type = "flat_dt";
+ arch = "sandbox";
+ compression = "none";
+ fdt-version = <1>;
+ hash-1 {
+ algo = "sha256";
+ };
+ };
+ };
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ kernel = "kernel";
+ fdt = "fdt-1";
+ signature {
+ algo = "sha256,ecdsa384";
+ key-name-hint = "dev";
+ sign-images = "fdt", "kernel";
+ };
+ };
+ };
+};
diff --git a/test/py/tests/vboot/sign-configs-sha256-ecdsa521.its b/test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
new file mode 100644
index 00000000000..a65593ec64b
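Review bot: `algo = "sha256,ecdsa384"` in sign-configs-sha256-ecdsa384.its pairs a 384-bit curve with a 256-bit digest, so the signature's strength is bounded by SHA-256's collision resistance (about 128 bits) rather than by the curve; the same applies to `sha256,ecdsa521` in sign-configs-sha256-ecdsa521.its and to the ecdsa384 and ecdsa521 sign-images fixtures. That is acceptable for exercising the verification plumbing, but fixtures tend to be copied into real image descriptions, so a comment above each `signature` node such as `/* sha256 is used here for test coverage only; pair ecdsa384 with sha384 in production */` would help. If the ECDSA backend accepts a larger digest (not visible on this page), a `sha384,ecdsa384` fixture would also cover the matched pairing.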
--- /dev/null
+++ b/test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
@@ -0,0 +1,45 @@
+/dts-v1/;
+
+/ {
+ description = "Chrome OS kernel image with one or more FDT blobs";
+ #address-cells = <1>;
+
+ images {
+ kernel {
+ data = /incbin/("test-kernel.bin");
+ type = "kernel_noload";
+ arch = "sandbox";
+ os = "linux";
+ compression = "none";
+ load = <0x4>;
+ entry = <0x8>;
+ kernel-version = <1>;
+ hash-1 {
+ algo = "sha256";
+ };
+ };
+ fdt-1 {
+ description = "snow";
+ data = /incbin/("sandbox-kernel.dtb");
+ type = "flat_dt";
+ arch = "sandbox";
+ compression = "none";
+ fdt-version = <1>;
+ hash-1 {
+ algo = "sha256";
+ };
+ };
+ };
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ kernel = "kernel";
+ fdt = "fdt-1";
+ signature {
+ algo = "sha256,ecdsa521";
+ key-name-hint = "dev";
+ sign-images = "fdt", "kernel";
+ };
+ };
+ };
+};
diff --git a/test/py/tests/vboot/sign-images-sha256-ecdsa256.its b/test/py/tests/vboot/sign-images-sha256-ecdsa256.its
new file mode 100644
index 00000000000..009003bb601
--- /dev/null
+++ b/test/py/tests/vboot/sign-images-sha256-ecdsa256.its
@@ -0,0 +1,42 @@
+/dts-v1/;
+
+/ {
+ description = "Chrome OS kernel image with one or more FDT blobs";
+ #address-cells = <1>;
+
+ images {
+ kernel {
+ data = /incbin/("test-kernel.bin");
+ type = "kernel_noload";
+ arch = "sandbox";
+ os = "linux";
+ compression = "none";
+ load = <0x4>;
+ entry = <0x8>;
+ kernel-version = <1>;
+ signature {
+ algo = "sha256,ecdsa256";
+ key-name-hint = "dev";
+ };
+ };
+ fdt-1 {
+ description = "snow";
+ data = /incbin/("sandbox-kernel.dtb");
+ type = "flat_dt";
+ arch = "sandbox";
+ compression = "none";
+ fdt-version = <1>;
+ signature {
+ algo = "sha256,ecdsa256";
+ key-name-hint = "dev";
+ };
+ };
+ };
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ kernel = "kernel";
+ fdt = "fdt-1";
+ };
+ };
+};
diff --git a/test/py/tests/vboot/sign-images-sha256-ecdsa384.its b/test/py/tests/vboot/sign-images-sha256-ecdsa384.its
new file mode 100644
index 00000000000..567de687a06
--- /dev/null
+++ b/test/py/tests/vboot/sign-images-sha256-ecdsa384.its
@@ -0,0 +1,42 @@
+/dts-v1/;
+
+/ {
+ description = "Chrome OS kernel image with one or more FDT blobs";
+ #address-cells = <1>;
+
+ images {
+ kernel {
+ data = /incbin/("test-kernel.bin");
+ type = "kernel_noload";
+ arch = "sandbox";
+ os = "linux";
+ compression = "none";
+ load = <0x4>;
+ entry = <0x8>;
+ kernel-version = <1>;
+ signature {
+ algo = "sha256,ecdsa384";
+ key-name-hint = "dev";
+ };
+ };
+ fdt-1 {
+ description = "snow";
+ data = /incbin/("sandbox-kernel.dtb");
+ type = "flat_dt";
+ arch = "sandbox";
+ compression = "none";
+ fdt-version = <1>;
+ signature {
+ algo = "sha256,ecdsa384";
+ key-name-hint = "dev";
+ };
+ };
+ };
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ kernel = "kernel";
+ fdt = "fdt-1";
+ };
+ };
+};
diff --git a/test/py/tests/vboot/sign-images-sha256-ecdsa521.its b/test/py/tests/vboot/sign-images-sha256-ecdsa521.its
new file mode 100644
index 00000000000..74ed45b21b8
--- /dev/null
+++ b/test/py/tests/vboot/sign-images-sha256-ecdsa521.its
@@ -0,0 +1,42 @@
+/dts-v1/;
+
+/ {
+ description = "Chrome OS kernel image with one or more FDT blobs";
+ #address-cells = <1>;
+
+ images {
+ kernel {
+ data = /incbin/("test-kernel.bin");
+ type = "kernel_noload";
+ arch = "sandbox";
+ os = "linux";
+ compression = "none";
+ load = <0x4>;
+ entry = <0x8>;
+ kernel-version = <1>;
+ signature {
+ algo = "sha256,ecdsa521";
+ key-name-hint = "dev";
+ };
+ };
+ fdt-1 {
+ description = "snow";
+ data = /incbin/("sandbox-kernel.dtb");
+ type = "flat_dt";
+ arch = "sandbox";
+ compression = "none";
+ fdt-version = <1>;
+ signature {
+ algo = "sha256,ecdsa521";
+ key-name-hint = "dev";
+ };
+ };
+ };
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ kernel = "kernel";
+ fdt = "fdt-1";
+ };
+ };
+};
-- 2.43.0

