Hi Ludwig, On Tue, 12 May 2026 at 09:26, Ludwig Nussel <[email protected]> wrote: > > On 5/7/26 18:39, Simon Glass wrote: > > Hi Ludwig, > > > > On 2026-05-07T12:06:22, Ludwig Nussel <[email protected]> wrote: > > > >> (optionally) enforce signatures so we can't accidentally boot > >> unsigned fit images. > > > > Since you are adding a new policy knob (FIT_SIGNATURE_REQUIRED) and a > > new verifier path (fit_all_configurations_verify()), please can you > > add coverage in test/py/tests/test_vboot.py for both the > > required-but-no-keys case and the iminfo signature path? Without tests > > it is easy for a future change to silently regress the fail-closed > > behaviour. > > The function also tests image signing. That's mutually exclusive to > having conf signatures required. Should I adjust the function to not > expect successful image signing tests when > fit_require_config_sigs is on, resp only test the fail-closed mode if > fit_require_config_sigs is actually on?
Yes you can adjust the conditions on the tests as needed, or use pytest.skip() The goal is basically just to have test coverage. Sometimes we use sandbox and sandbox_flattree (or sandbox64) together, so we can cover config combinations. Regards, Simon
