Hi Philippe, On Mon, May 25, 2026 at 9:52 AM Philippe Reynes <[email protected]> wrote: > > This commit adds test case for ecdsa on fit, but not (yet) for > the global image signature (preload). > > Reviewed-by: Simon Glass <[email protected]> > Reviewed-by: Simon Glass <[email protected]> > Signed-off-by: Philippe Reynes <[email protected]> > --- > v2: > - initial version > v3: > - no change > v4: > - no change > v5: > - no change > v6: > - no change > > test/py/tests/test_vboot.py | 29 ++++++++++++ > .../vboot/sign-configs-sha256-ecdsa256.its | 45 +++++++++++++++++++ > .../vboot/sign-configs-sha256-ecdsa384.its | 45 +++++++++++++++++++ > .../vboot/sign-configs-sha256-ecdsa521.its | 45 +++++++++++++++++++ > .../vboot/sign-images-sha256-ecdsa256.its | 42 +++++++++++++++++ > .../vboot/sign-images-sha256-ecdsa384.its | 42 +++++++++++++++++ > .../vboot/sign-images-sha256-ecdsa521.its | 42 +++++++++++++++++ > 7 files changed, 290 insertions(+) > create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa256.its > create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa384.its > create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa521.its > create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa256.its > create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa384.its > create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa521.its >
Looks good to me. Thanks! Reviewed-by: Raymond Mao <[email protected]>
> diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> index 496d314c649..4e4d9529031 100644
> --- a/test/py/tests/test_vboot.py
> +++ b/test/py/tests/test_vboot.py
> @@ -94,6 +94,9 @@ TESTDATA_IN = [
> ['sha256-pss-pad', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', False,
> False, False, False],
> ['sha256-pss-required', 'sha256', '-rsa2048', '-pss', None, True, False,
> False, False],
> ['sha256-pss-pad-required', 'sha256', '-rsa2048', '-pss', '-E -p
> 0x10000', True, True, False, False],
> + ['sha256-basic-ecdsa256', 'sha256', '-ecdsa256', '', None, False, False,
> False, False],
> + ['sha256-basic-ecdsa384', 'sha256', '-ecdsa384', '', None, False, False,
> False, False],
> + ['sha256-basic-ecdsa521', 'sha256', '-ecdsa521', '', None, False, False,
> False, False],
> ['sha384-basic', 'sha384', '-rsa3072', '', None, False, False, False,
> False],
> ['sha384-pad', 'sha384', '-rsa3072', '', '-E -p 0x10000', False, False,
> False, False],
> ['algo-arg', 'algo-arg', '', '', '-o sha256,rsa2048', False, False,
> True, False],
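Review bot: All three new rows pass `False` in the sixth position, which the `test_vboot` signature visible later in the patch binds to `required`, so the ECDSA path is never exercised with a required key. The RSA-PSS rows just above include a `-required` variant; a matching row such as `['sha256-required-ecdsa256', 'sha256', '-ecdsa256', '', None, True, False, False, False],` would cover enforcement of a required ECDSA key, assuming the existing .its fixtures can be reused for it. If required-key handling is deliberately left out for now, the commit message should say so, as it already does for the preload signature.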
> @@ -287,6 +290,29 @@ def test_vboot(ubman, name, sha_algo, sig_algo, padding,
> sign_options, required,
> utils.run_and_log(ubman, 'openssl req -batch -new -x509 -key
> %s%s.key '
> '-out %s%s.crt' % (tmpdir, name, tmpdir, name))
>
> + def create_ecdsa_pair(name):
> + """Generate a new ECDSA key pair
> +
> + Args:
> + name: Name of the key (e.g. 'dev')
> + """
> +
> + if sig_algo == "-ecdsa256":
> + curve_name = "secp256r1"
> + elif sig_algo == "-ecdsa384":
> + curve_name = "secp384r1"
> + elif sig_algo == "-ecdsa521":
> + curve_name = "secp521r1"
> + else:
> + curve_name = "unknownCurve"
> +
> + utils.run_and_log(ubman, 'openssl ecparam -name %s -genkey -noout
> -out %s%s.pem' %
> + (curve_name, tmpdir, name))
> +
> + # Create a certificate containing the public key
> + utils.run_and_log(ubman, 'openssl req -batch -new -x509 -key
> %s%s.pem '
> + '-out %s%s.crt' % (tmpdir, name, tmpdir, name))
> +
> def test_with_algo(sha_algo, sig_algo, padding, sign_options):
> """Test verified boot with the given hash algorithm.
>
> @@ -537,6 +563,9 @@ def test_vboot(ubman, name, sha_algo, sig_algo, padding,
> sign_options, required,
> if sig_algo == "-rsa2048" or sig_algo == "-rsa3072" or sig_algo == "":
> create_rsa_pair('dev')
> create_rsa_pair('prod')
> + elif sig_algo == "-ecdsa256" or sig_algo == "-ecdsa384" or sig_algo ==
> "-ecdsa521":
> + create_ecdsa_pair('dev')
> + create_ecdsa_pair('prod')
>
> # Create a number kernel image with zeroes
> with open('%stest-kernel.bin' % tmpdir, 'wb') as fd:
> diff --git a/test/py/tests/vboot/sign-configs-sha256-ecdsa256.its
> b/test/py/tests/vboot/sign-configs-sha256-ecdsa256.its
> new file mode 100644
> index 00000000000..4d0ef903a78
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-configs-sha256-ecdsa256.its
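Review bot: The `else` branch of `create_ecdsa_pair` sets `curve_name = "unknownCurve"`, so an unsupported `sig_algo` is only caught, presumably, when `openssl ecparam` rejects the curve name, not at the point of the mistake. Raising there is clearer: `raise ValueError('unsupported ECDSA sig_algo: %s' % sig_algo)`. The helper also reads `sig_algo` from the enclosing `test_vboot` scope while `test_with_algo` just below takes its own `sig_algo` parameter, so a comment such as `# sig_algo is the test_vboot() parameter, not an argument of this helper` would avoid confusion. The `@@ -537` hunk repeats the same three-way comparison; `test_vboot` itself starts and ends outside both hunks.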
> @@ -0,0 +1,45 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + signature {
> + algo = "sha256,ecdsa256";
> + key-name-hint = "dev";
> + sign-images = "fdt", "kernel";
> + };
> + };
> + };
> +};
> diff --git a/test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
> b/test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
> new file mode 100644
> index 00000000000..10427b43659
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
> @@ -0,0 +1,45 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + signature {
> + algo = "sha256,ecdsa384";
> + key-name-hint = "dev";
> + sign-images = "fdt", "kernel";
> + };
> + };
> + };
> +};
> diff --git a/test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
> b/test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
> new file mode 100644
> index 00000000000..a65593ec64b
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
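Review bot: The signature node pairs `sha256` with the larger curve (`algo = "sha256,ecdsa384";`), and the ecdsa521 fixture and the sign-images files for both curves do the same, so none of the new tests verifies an ECDSA signature over a digest longer than 256 bits. With a 256-bit digest the collision resistance of the signature is capped at roughly 128 bits whatever the curve, which is why P-384 is normally paired with SHA-384. TESTDATA_IN already has `sha384` rows for RSA, so a fixture with `algo = "sha384,ecdsa384";` and a row like `['sha384-basic-ecdsa384', 'sha384', '-ecdsa384', '', None, False, False, False, False],` looks feasible; a SHA-512 pairing for ecdsa521 depends on whether the FIT code supports that hash.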
> @@ -0,0 +1,45 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + signature {
> + algo = "sha256,ecdsa521";
> + key-name-hint = "dev";
> + sign-images = "fdt", "kernel";
> + };
> + };
> + };
> +};
> diff --git a/test/py/tests/vboot/sign-images-sha256-ecdsa256.its
> b/test/py/tests/vboot/sign-images-sha256-ecdsa256.its
> new file mode 100644
> index 00000000000..009003bb601
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-images-sha256-ecdsa256.its
> @@ -0,0 +1,42 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + signature {
> + algo = "sha256,ecdsa256";
> + key-name-hint = "dev";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + signature {
> + algo = "sha256,ecdsa256";
> + key-name-hint = "dev";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + };
> + };
> +};
> diff --git a/test/py/tests/vboot/sign-images-sha256-ecdsa384.its
> b/test/py/tests/vboot/sign-images-sha256-ecdsa384.its
> new file mode 100644
> index 00000000000..567de687a06
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-images-sha256-ecdsa384.its
> @@ -0,0 +1,42 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + signature {
> + algo = "sha256,ecdsa384";
> + key-name-hint = "dev";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + signature {
> + algo = "sha256,ecdsa384";
> + key-name-hint = "dev";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + };
> + };
> +};
> diff --git a/test/py/tests/vboot/sign-images-sha256-ecdsa521.its
> b/test/py/tests/vboot/sign-images-sha256-ecdsa521.its
> new file mode 100644
> index 00000000000..74ed45b21b8
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-images-sha256-ecdsa521.its
> @@ -0,0 +1,42 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + signature {
> + algo = "sha256,ecdsa521";
> + key-name-hint = "dev";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + signature {
> + algo = "sha256,ecdsa521";
> + key-name-hint = "dev";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + };
> + };
> +};
> --
> 2.43.0
>

