Hi Philippe, On Mon, May 25, 2026 at 9:52 AM Philippe Reynes <[email protected]> wrote: > > The vboot tests only consider rsa algo for signature. > To prepare the integration of ecdsa test, the signature > algo is now explicit. > > Reviewed-by: Simon Glass <[email protected]> > Reviewed-by: Simon Glass <[email protected]> > Signed-off-by: Philippe Reynes <[email protected]> > --- > v2: > - initial version > v3: > - no change > v4: > - no change > v5: > - no change > v6: > - no change > > test/py/tests/test_fit_ecdsa.py | 2 +- > test/py/tests/test_vboot.py | 99 ++++++++++--------- > ....its => sign-configs-sha1-rsa2048-pss.its} | 0 > ...sha1.its => sign-configs-sha1-rsa2048.its} | 0 > ... sign-configs-sha256-rsa2048-pss-prod.its} | 0 > ...ts => sign-configs-sha256-rsa2048-pss.its} | 0 > ...56.its => sign-configs-sha256-rsa2048.its} | 0 > ...84.its => sign-configs-sha384-rsa3072.its} | 0 > ...s.its => sign-images-sha1-rsa2048-pss.its} | 0 > ...-sha1.its => sign-images-sha1-rsa2048.its} | 0 > ...its => sign-images-sha256-rsa2048-pss.its} | 0 > ...256.its => sign-images-sha256-rsa2048.its} | 0 > ...384.its => sign-images-sha384-rsa3072.its} | 0 > 13 files changed, 51 insertions(+), 50 deletions(-) > rename test/py/tests/vboot/{sign-configs-sha1-pss.its => > sign-configs-sha1-rsa2048-pss.its} (100%) > rename test/py/tests/vboot/{sign-configs-sha1.its => > sign-configs-sha1-rsa2048.its} (100%) > rename test/py/tests/vboot/{sign-configs-sha256-pss-prod.its => > sign-configs-sha256-rsa2048-pss-prod.its} (100%) > rename test/py/tests/vboot/{sign-configs-sha256-pss.its => > sign-configs-sha256-rsa2048-pss.its} (100%) > rename test/py/tests/vboot/{sign-configs-sha256.its => > sign-configs-sha256-rsa2048.its} (100%) > rename test/py/tests/vboot/{sign-configs-sha384.its => > sign-configs-sha384-rsa3072.its} (100%) > rename test/py/tests/vboot/{sign-images-sha1-pss.its => > sign-images-sha1-rsa2048-pss.its} (100%) > rename test/py/tests/vboot/{sign-images-sha1.its => > 
sign-images-sha1-rsa2048.its} (100%) > rename test/py/tests/vboot/{sign-images-sha256-pss.its => > sign-images-sha256-rsa2048-pss.its} (100%) > rename test/py/tests/vboot/{sign-images-sha256.its => > sign-images-sha256-rsa2048.its} (100%) > rename test/py/tests/vboot/{sign-images-sha384.its => > sign-images-sha384-rsa3072.its} (100%) >
Looks good to me. Thanks! Reviewed-by: Raymond Mao <[email protected]>
> diff --git a/test/py/tests/test_fit_ecdsa.py b/test/py/tests/test_fit_ecdsa.py
> index 3e816d68eb6..e59390374af 100644
> --- a/test/py/tests/test_fit_ecdsa.py
> +++ b/test/py/tests/test_fit_ecdsa.py
> @@ -102,7 +102,7 @@ def test_fit_ecdsa(ubman):
> with open(key_file, 'w') as f:
> f.write(key.export_key(format='PEM'))
>
> - assemble_fit_image(fit_file, f'{datadir}/sign-images-sha256.its',
> tempdir)
> + assemble_fit_image(fit_file,
> f'{datadir}/sign-images-sha256-rsa2048.its', tempdir)
>
> fit = SignableFitImage(ubman, fit_file)
> nodes = fit.find_signable_image_nodes()
> diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> index 55518bed07e..496d314c649 100644
> --- a/test/py/tests/test_vboot.py
> +++ b/test/py/tests/test_vboot.py
> @@ -84,21 +84,21 @@ def make_fit(its, ubman, mkimage, dtc_args, datadir, fit):
> # Only run the full suite on a few combinations, since it doesn't add any
> more
> # test coverage.
> TESTDATA_IN = [
> - ['sha1-basic', 'sha1', '', None, False, True, False, False],
> - ['sha1-pad', 'sha1', '', '-E -p 0x10000', False, False, False, False],
> - ['sha1-pss', 'sha1', '-pss', None, False, False, False, False],
> - ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False, False, False,
> False],
> - ['sha256-basic', 'sha256', '', None, False, False, False, False],
> - ['sha256-pad', 'sha256', '', '-E -p 0x10000', False, False, False,
> False],
> - ['sha256-pss', 'sha256', '-pss', None, False, False, False, False],
> - ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False,
> False, False],
> - ['sha256-pss-required', 'sha256', '-pss', None, True, False, False,
> False],
> - ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True,
> True, False, False],
> - ['sha384-basic', 'sha384', '', None, False, False, False, False],
> - ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False, False,
> False],
> - ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', False, False, True,
> False],
> - ['sha256-global-sign', 'sha256', '', '', False, False, False, True],
> - ['sha256-global-sign-pss', 'sha256', '-pss', '', False, False, False,
> True],
> + ['sha1-basic', 'sha1', '-rsa2048', '', None, False, True, False, False],
> + ['sha1-pad', 'sha1', '-rsa2048', '', '-E -p 0x10000', False, False,
> False, False],
> + ['sha1-pss', 'sha1', '-rsa2048', '-pss', None, False, False, False,
> False],
> + ['sha1-pss-pad', 'sha1', '-rsa2048', '-pss', '-E -p 0x10000', False,
> False, False, False],
> + ['sha256-basic', 'sha256', '-rsa2048', '', None, False, False, False,
> False],
> + ['sha256-pad', 'sha256', '-rsa2048', '', '-E -p 0x10000', False, False,
> False, False],
> + ['sha256-pss', 'sha256', '-rsa2048', '-pss', None, False, False, False,
> False],
> + ['sha256-pss-pad', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', False,
> False, False, False],
> + ['sha256-pss-required', 'sha256', '-rsa2048', '-pss', None, True, False,
> False, False],
> + ['sha256-pss-pad-required', 'sha256', '-rsa2048', '-pss', '-E -p
> 0x10000', True, True, False, False],
> + ['sha384-basic', 'sha384', '-rsa3072', '', None, False, False, False,
> False],
> + ['sha384-pad', 'sha384', '-rsa3072', '', '-E -p 0x10000', False, False,
> False, False],
> + ['algo-arg', 'algo-arg', '', '', '-o sha256,rsa2048', False, False,
> True, False],
> + ['sha256-global-sign', 'sha256', '-rsa2048', '', '', False, False,
> False, True],
> + ['sha256-global-sign-pss', 'sha256', '-rsa2048', '-pss', '', False,
> False, False, True],
> ]
>
> # Mark all but the first test as slow, so they are not run with '-k not slow'
> @@ -111,9 +111,9 @@ TESTDATA += [pytest.param(*v, marks=pytest.mark.slow) for
> v in TESTDATA_IN[1:]]
> @pytest.mark.requiredtool('fdtget')
> @pytest.mark.requiredtool('fdtput')
> @pytest.mark.requiredtool('openssl')
> [email protected]("name,sha_algo,padding,sign_options,required,full_test,algo_arg,global_sign",
> [email protected]("name,sha_algo,sig_algo,padding,sign_options,required,full_test,algo_arg,global_sign",
> TESTDATA)
> -def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
> +def test_vboot(ubman, name, sha_algo, sig_algo, padding, sign_options,
> required,
> full_test, algo_arg, global_sign):
> """Test verified boot signing with mkimage and verification with 'bootm'.
>
> @@ -287,7 +287,7 @@ def test_vboot(ubman, name, sha_algo, padding,
> sign_options, required,
> utils.run_and_log(ubman, 'openssl req -batch -new -x509 -key
> %s%s.key '
> '-out %s%s.crt' % (tmpdir, name, tmpdir, name))
>
> - def test_with_algo(sha_algo, padding, sign_options):
> + def test_with_algo(sha_algo, sig_algo, padding, sign_options):
> """Test verified boot with the given hash algorithm.
>
> This is the main part of the test code. The same procedure is
> followed
> @@ -308,7 +308,7 @@ def test_vboot(ubman, name, sha_algo, padding,
> sign_options, required,
>
> # Build the FIT, but don't sign anything yet
> ubman.log.action('%s: Test FIT with signed images' % sha_algo)
> - make_fit('sign-images-%s%s.its' % (sha_algo, padding), ubman,
> mkimage, dtc_args, datadir, fit)
> + make_fit('sign-images-%s%s%s.its' % (sha_algo, sig_algo, padding),
> ubman, mkimage, dtc_args, datadir, fit)
> run_bootm(sha_algo, 'unsigned images', ' - OK' if algo_arg else
> 'dev-', True)
>
> # Sign images with our dev keys
> @@ -319,7 +319,7 @@ def test_vboot(ubman, name, sha_algo, padding,
> sign_options, required,
> dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb)
>
> ubman.log.action('%s: Test FIT with signed configuration' % sha_algo)
> - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman,
> mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding),
> ubman, mkimage, dtc_args, datadir, fit)
> run_bootm(sha_algo, 'unsigned config', '%s+ OK' % ('sha256' if
> algo_arg else sha_algo), True)
>
> # Sign images with our dev keys
> @@ -383,7 +383,7 @@ def test_vboot(ubman, name, sha_algo, padding,
> sign_options, required,
> run_bootm(sha_algo, 'evil clone', 'Bad Data Hash', False, efit)
>
> # Create a new properly signed fit and replace header bytes
> - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman,
> mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding),
> ubman, mkimage, dtc_args, datadir, fit)
> sign_fit(sha_algo, sign_options)
> bcfg = ubman.config.buildconfig
> max_size = int(bcfg.get('config_fit_signature_max_size',
> 0x10000000), 0)
> @@ -415,7 +415,7 @@ def test_vboot(ubman, name, sha_algo, padding,
> sign_options, required,
> ubman, [fit_check_sign, '-f', fit, '-k', dtb],
> 1, 'Failed to verify required signature')
>
> - def test_required_key(sha_algo, padding, sign_options):
> + def test_required_key(sha_algo, sig_algo, padding, sign_options):
> """Test verified boot with the given hash algorithm.
>
> This function tests if U-Boot rejects an image when a required key
> isn't
> @@ -437,12 +437,12 @@ def test_vboot(ubman, name, sha_algo, padding,
> sign_options, required,
>
> # Build the FIT with prod key (keys required) and sign it. This puts
> the
> # signature into sandbox-u-boot.dtb, marked 'required'
> - make_fit('sign-configs-%s%s-prod.its' % (sha_algo, padding), ubman,
> mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s-prod.its' % (sha_algo, sig_algo,
> padding), ubman, mkimage, dtc_args, datadir, fit)
> sign_fit(sha_algo, sign_options)
>
> # Build the FIT with dev key (keys NOT required). This adds the
> # signature into sandbox-u-boot.dtb, NOT marked 'required'.
> - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman,
> mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding),
> ubman, mkimage, dtc_args, datadir, fit)
> sign_fit_norequire(sha_algo, sign_options)
>
> # So now sandbox-u-boot.dtb two signatures, for the prod and dev
> keys.
> @@ -454,7 +454,7 @@ def test_vboot(ubman, name, sha_algo, padding,
> sign_options, required,
>
> # Build the FIT with dev key (keys required) and sign it. This puts
> the
> # signature into sandbox-u-boot.dtb, marked 'required'.
> - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman,
> mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding),
> ubman, mkimage, dtc_args, datadir, fit)
> sign_fit(sha_algo, sign_options)
>
> # Set the required-mode policy to "any".
> @@ -534,8 +534,9 @@ def test_vboot(ubman, name, sha_algo, padding,
> sign_options, required,
> dtb = '%ssandbox-u-boot.dtb' % tmpdir
> sig_node = '/configurations/conf-1/signature'
>
> - create_rsa_pair('dev')
> - create_rsa_pair('prod')
> + if sig_algo == "-rsa2048" or sig_algo == "-rsa3072" or sig_algo == "":
> + create_rsa_pair('dev')
> + create_rsa_pair('prod')
>
> # Create a number kernel image with zeroes
> with open('%stest-kernel.bin' % tmpdir, 'wb') as fd:
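Review bot: The new guard in the `@@ -534,8 +534,9 @@` hunk, `if sig_algo == "-rsa2048" or sig_algo == "-rsa3072" or sig_algo == "":`, creates no key pair at all for any other value and says nothing about it. A later row with an unrecognised sig_algo would then either fail far from the cause or, presumably, sign and verify against whatever dev/prod keys an earlier run left in tmpdir (the comment "keys created in test_vboot test" in test_fdt_add_pubkey suggests keys do persist there), which is not what a verified-boot test should be measuring. Failing loudly is safer: add `else: pytest.fail('unsupported sig_algo %r' % sig_algo)`. The condition also reads better as `if sig_algo in ('-rsa2048', '-rsa3072', ''):`, which matches the single-quote style used elsewhere in the file. test_vboot's body starts and ends outside this hunk.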
> @@ -554,9 +555,9 @@ def test_vboot(ubman, name, sha_algo, padding,
> sign_options, required,
> if global_sign:
> test_global_sign(sha_algo, padding, sign_options)
> elif required:
> - test_required_key(sha_algo, padding, sign_options)
> + test_required_key(sha_algo, sig_algo, padding, sign_options)
> else:
> - test_with_algo(sha_algo, padding, sign_options)
> + test_with_algo(sha_algo, sig_algo, padding, sign_options)
> finally:
> # Go back to the original U-Boot with the correct dtb.
> ubman.config.dtb = old_dtb
> @@ -564,21 +565,21 @@ def test_vboot(ubman, name, sha_algo, padding,
> sign_options, required,
>
>
> TESTDATA_IN = [
> - ['sha1-basic', 'sha1', '', None, False],
> - ['sha1-pad', 'sha1', '', '-E -p 0x10000', False],
> - ['sha1-pss', 'sha1', '-pss', None, False],
> - ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False],
> - ['sha256-basic', 'sha256', '', None, False],
> - ['sha256-pad', 'sha256', '', '-E -p 0x10000', False],
> - ['sha256-pss', 'sha256', '-pss', None, False],
> - ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False],
> - ['sha256-pss-required', 'sha256', '-pss', None, False],
> - ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', False],
> - ['sha384-basic', 'sha384', '', None, False],
> - ['sha384-pad', 'sha384', '', '-E -p 0x10000', False],
> - ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', True],
> - ['sha256-global-sign', 'sha256', '', '', False],
> - ['sha256-global-sign-pss', 'sha256', '-pss', '', False],
> + ['sha1-basic', 'sha1', '-rsa2048', '', None, False],
> + ['sha1-pad', 'sha1', '-rsa2048', '', '-E -p 0x10000', False],
> + ['sha1-pss', 'sha1', '-rsa2048', '-pss', None, False],
> + ['sha1-pss-pad', 'sha1', '-rsa2048', '-pss', '-E -p 0x10000', False],
> + ['sha256-basic', 'sha256', '-rsa2048', '', None, False],
> + ['sha256-pad', 'sha256', '-rsa2048', '', '-E -p 0x10000', False],
> + ['sha256-pss', 'sha256', '-rsa2048', '-pss', None, False],
> + ['sha256-pss-pad', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', False],
> + ['sha256-pss-required', 'sha256', '-rsa2048', '-pss', None, False],
> + ['sha256-pss-pad-required', 'sha256', '-rsa2048' , '-pss', '-E -p
> 0x10000', False],
> + ['sha384-basic', 'sha384', '-rsa3072', '', None, False],
> + ['sha384-pad', 'sha384', '-rsa3072', '', '-E -p 0x10000', False],
> + ['algo-arg', 'algo-arg', '', '', '-o sha256,rsa2048', True],
> + ['sha256-global-sign', 'sha256', '-rsa2048', '', '', False],
> + ['sha256-global-sign-pss', 'sha256', '-rsa2048', '-pss', '', False],
> ]
>
> # Mark all but the first test as slow, so they are not run with '-k not slow'
> @@ -589,8 +590,8 @@ TESTDATA += [pytest.param(*v, marks=pytest.mark.slow) for
> v in TESTDATA_IN[1:]]
> @pytest.mark.buildconfigspec('fit_signature')
> @pytest.mark.requiredtool('dtc')
> @pytest.mark.requiredtool('openssl')
> [email protected]("name,sha_algo,padding,sign_options,algo_arg",
> TESTDATA)
> -def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options,
> algo_arg):
> [email protected]("name,sha_algo,sig_algo,padding,sign_options,algo_arg",
> TESTDATA)
> +def test_fdt_add_pubkey(ubman, name, sha_algo, sig_algo, padding,
> sign_options, algo_arg):
> """Test fdt_add_pubkey utility with bunch of different algo options."""
>
> def sign_fit(sha_algo, options):
> @@ -609,7 +610,7 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding,
> sign_options, algo_arg):
> ubman.log.action('%s: Sign images' % sha_algo)
> utils.run_and_log(ubman, args)
>
> - def test_add_pubkey(sha_algo, padding, sign_options):
> + def test_add_pubkey(sha_algo, sig_algo, padding, sign_options):
> """Test fdt_add_pubkey utility with given hash algorithm and padding.
>
> This function tests if fdt_add_pubkey utility may add public keys
> into dtb.
> @@ -632,7 +633,7 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding,
> sign_options, algo_arg):
> 'rsa3072' if sha_algo == 'sha384' else
> 'rsa2048'),
> '-k', tmpdir, '-n', 'dev', '-r', 'conf', dtb])
>
> - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman,
> mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding),
> ubman, mkimage, dtc_args, datadir, fit)
>
> # Sign images with our dev keys
> sign_fit(sha_algo, sign_options)
> @@ -654,4 +655,4 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding,
> sign_options, algo_arg):
>
> # keys created in test_vboot test
>
> - test_add_pubkey(sha_algo, padding, sign_options)
> + test_add_pubkey(sha_algo, sig_algo, padding, sign_options)
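Review bot: In the `@@ -632,7 +633,7 @@` hunk the argument list kept as context still picks the key algorithm from the hash, `'rsa3072' if sha_algo == 'sha384' else 'rsa2048'`, so the new sig_algo parameter only selects the .its file name and the two can drift apart. Once a non-RSA row is added, the dtb would be given an RSA key description while the FIT comes from a different template, and the test would be checking a mismatched pair rather than the algorithm named in the row. Consider deriving the value from sig_algo instead, e.g. `sig_algo.lstrip('-') or 'rsa2048'`, which keeps today's result for every row including 'algo-arg', where sig_algo is ''. test_add_pubkey starts and ends outside this hunk, so the same check is worth making on the parts not shown.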
> diff --git a/test/py/tests/vboot/sign-configs-sha1-pss.its
> b/test/py/tests/vboot/sign-configs-sha1-rsa2048-pss.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha1-pss.its
> rename to test/py/tests/vboot/sign-configs-sha1-rsa2048-pss.its
> diff --git a/test/py/tests/vboot/sign-configs-sha1.its
> b/test/py/tests/vboot/sign-configs-sha1-rsa2048.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha1.its
> rename to test/py/tests/vboot/sign-configs-sha1-rsa2048.its
> diff --git a/test/py/tests/vboot/sign-configs-sha256-pss-prod.its
> b/test/py/tests/vboot/sign-configs-sha256-rsa2048-pss-prod.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha256-pss-prod.its
> rename to test/py/tests/vboot/sign-configs-sha256-rsa2048-pss-prod.its
> diff --git a/test/py/tests/vboot/sign-configs-sha256-pss.its
> b/test/py/tests/vboot/sign-configs-sha256-rsa2048-pss.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha256-pss.its
> rename to test/py/tests/vboot/sign-configs-sha256-rsa2048-pss.its
> diff --git a/test/py/tests/vboot/sign-configs-sha256.its
> b/test/py/tests/vboot/sign-configs-sha256-rsa2048.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha256.its
> rename to test/py/tests/vboot/sign-configs-sha256-rsa2048.its
> diff --git a/test/py/tests/vboot/sign-configs-sha384.its
> b/test/py/tests/vboot/sign-configs-sha384-rsa3072.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha384.its
> rename to test/py/tests/vboot/sign-configs-sha384-rsa3072.its
> diff --git a/test/py/tests/vboot/sign-images-sha1-pss.its
> b/test/py/tests/vboot/sign-images-sha1-rsa2048-pss.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-images-sha1-pss.its
> rename to test/py/tests/vboot/sign-images-sha1-rsa2048-pss.its
> diff --git a/test/py/tests/vboot/sign-images-sha1.its
> b/test/py/tests/vboot/sign-images-sha1-rsa2048.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-images-sha1.its
> rename to test/py/tests/vboot/sign-images-sha1-rsa2048.its
> diff --git a/test/py/tests/vboot/sign-images-sha256-pss.its
> b/test/py/tests/vboot/sign-images-sha256-rsa2048-pss.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-images-sha256-pss.its
> rename to test/py/tests/vboot/sign-images-sha256-rsa2048-pss.its
> diff --git a/test/py/tests/vboot/sign-images-sha256.its
> b/test/py/tests/vboot/sign-images-sha256-rsa2048.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-images-sha256.its
> rename to test/py/tests/vboot/sign-images-sha256-rsa2048.its
> diff --git a/test/py/tests/vboot/sign-images-sha384.its
> b/test/py/tests/vboot/sign-images-sha384-rsa3072.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-images-sha384.its
> rename to test/py/tests/vboot/sign-images-sha384-rsa3072.its
> --
> 2.43.0
>

