Make sure test_vboot works with CONFIG_FIT_REQUIRE_CONFIG_SIGS set and unset. Enable CONFIG_FIT_REQUIRE_CONFIG_SIGS in sandbox_defconfig and leave it off in other sandbox configs
Co-authored-by: Copilot <[email protected]> Signed-off-by: Ludwig Nussel <[email protected]> --- Changes in v4: - test CONFIG_FIT_REQUIRE_CONFIG_SIGS in test_vboot - set CONFIG_FIT_REQUIRE_CONFIG_SIGS in sandbox_defconfig configs/sandbox_defconfig | 1 + test/py/tests/test_vboot.py | 60 +++++++++++++++++++++++++++++-------- 2 files changed, 49 insertions(+), 12 deletions(-) diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig index ba800f7d19d..e9866a92fcb 100644 --- a/configs/sandbox_defconfig +++ b/configs/sandbox_defconfig @@ -21,6 +21,7 @@ CONFIG_EFI_CAPSULE_CRT_FILE="board/sandbox/capsule_pub_key_good.crt" CONFIG_BUTTON_CMD=y CONFIG_FIT=y CONFIG_FIT_SIGNATURE=y +CONFIG_FIT_REQUIRE_CONFIG_SIGS=y CONFIG_FIT_CIPHER=y CONFIG_FIT_VERBOSE=y CONFIG_BOOTMETH_ANDROID=y diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index 55518bed07e..f7156943c24 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py @@ -306,26 +306,54 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, dtc('sandbox-kernel.dts', ubman, dtc_args, datadir, tmpdir, dtb) dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb) - # Build the FIT, but don't sign anything yet - ubman.log.action('%s: Test FIT with signed images' % sha_algo) - make_fit('sign-images-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit) - run_bootm(sha_algo, 'unsigned images', ' - OK' if algo_arg else 'dev-', True) + bcfg = ubman.config.buildconfig + require_config_sigs = bcfg.get('config_fit_require_config_sigs', False) - # Sign images with our dev keys - sign_fit(sha_algo, sign_options) - run_bootm(sha_algo, 'signed images', 'dev+', True) + if not require_config_sigs: + # Build the FIT, but don't sign anything yet + ubman.log.action('%s: Test FIT with signed images' % sha_algo) + make_fit('sign-images-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit) + run_bootm(sha_algo, 'unsigned images', ' - OK' if algo_arg else 'dev-', True) - # Create a fresh .dtb without the public keys - dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb) + # Sign images with our dev keys + sign_fit(sha_algo, sign_options) + run_bootm(sha_algo, 'signed images', 'dev+', True) - ubman.log.action('%s: Test FIT with signed configuration' % sha_algo) + # Create a fresh .dtb without the public keys + dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb) + + ubman.log.action('%s: Test FIT with unsigned configuration' % sha_algo) make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit) - run_bootm(sha_algo, 'unsigned config', '%s+ OK' % ('sha256' if algo_arg else sha_algo), True) + if require_config_sigs: + # DTB has no /signature node; FIT_REQUIRE_CONFIG_SIGS makes this + # fail-closed, so U-Boot must reject the unsigned config FIT. + run_bootm(sha_algo, 'unsigned config', + 'No signature node found', False) + else: + # No required keys in the DTB, so an unsigned config FIT is fine. + run_bootm(sha_algo, 'unsigned config', + '%s+ OK' % ('sha256' if algo_arg else sha_algo), True) - # Sign images with our dev keys + ubman.log.action('%s: Test FIT with signed configuration' % sha_algo) sign_fit(sha_algo, sign_options) run_bootm(sha_algo, 'signed config', 'dev+', True) + # Test a signed FIT config when the DTB has no keys at all. + # Without FIT_REQUIRE_CONFIG_SIGS the absence of keys in the DTB means + # there are no required-key checks, so the boot must succeed. + # With FIT_REQUIRE_CONFIG_SIGS the missing /signature node in the DTB is + # treated as a hard failure regardless of whether the FIT is signed. + ubman.log.action('%s: Test signed FIT with no keys in DTB' % sha_algo) + dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb) + if require_config_sigs: + run_bootm(sha_algo, 'signed config, no DTB keys', + 'No signature node found', False) + else: + run_bootm(sha_algo, 'signed config, no DTB keys', + '%s+ OK' % ('sha256' if algo_arg else sha_algo), True) + # Restore keys in the DTB for the checks that follow. + sign_fit(sha_algo, sign_options) + ubman.log.action('%s: Check signed config on the host' % sha_algo) utils.run_and_log(ubman, [fit_check_sign, '-f', fit, '-k', dtb]) @@ -485,6 +513,14 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, padding: Either '' or '-pss', to select the padding to use for the rsa signature algorithm. """ + # test_fdt_add_pubkey reuses this tmpdir and needs sandbox-kernel.dtb, + # so compile it unconditionally before any early exit. + dtc('sandbox-kernel.dts', ubman, dtc_args, datadir, tmpdir, None) + + bcfg = ubman.config.buildconfig + if bcfg.get('config_fit_require_config_sigs', False): + pytest.skip('simple-images.its has no config-level signatures; ' + 'incompatible with CONFIG_FIT_REQUIRE_CONFIG_SIGS') dtb = '%ssandbox-u-boot-global%s.dtb' % (tmpdir, padding) ubman.config.dtb = dtb -- 2.43.0
