Merge tag 'efi-2022-04-rc2-4' of https://source.denx.de/u-boot/custodians/u-boot-efi

Pull request for efi-2022-04-rc2-4 Documentation: * mkeficapsule man-page UEFI changes: * add support for signing images to mkeficapsule * add support for user define capsule GUID * adjust unit tests for capsules * fix UEFI image signature validation in case of multiple signatures
author: Tom Rini <trini@konsulko.com> 2022-02-11 15:07:49 -0500
committer: Tom Rini <trini@konsulko.com> 2022-02-11 15:11:52 -0500
commit: 162c22bfbc4141f22937c6bc37aa02fd4621e76c (patch)
tree: 11bf6381111a8a5eade9fc5f8a0dc91e5f402b74 /test/py/tests/test_efi_capsule/conftest.py
parent: dd1c255cbc6d3bdf3211a7c9d8fd36e7696e39bb (diff)
parent: 72b509b7019878e2a5f69bcf7198a0927a77ad60 (diff)
1 files changed, 54 insertions, 5 deletions
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index 6ad5608cd7..9076087a12 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -10,13 +10,13 @@ import pytest
 from capsule_defs import *
 
 #
-# Fixture for UEFI secure boot test
+# Fixture for UEFI capsule test
 #
 
-
 @pytest.fixture(scope='session')
 def efi_capsule_data(request, u_boot_config):
-    """Set up a file system to be used in UEFI capsule test.
+    """Set up a file system to be used in UEFI capsule and
+       authentication test.
 
     Args:
         request: Pytest request object.
@@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config):
         check_call('mkdir -p %s' % data_dir, shell=True)
         check_call('mkdir -p %s' % install_dir, shell=True)
 
+        capsule_auth_enabled = u_boot_config.buildconfig.get(
+                    'config_efi_capsule_authenticate')
+        if capsule_auth_enabled:
+            # Create private key (SIGNER.key) and certificate (SIGNER.crt)
+            check_call('cd %s; '
+                       'openssl req -x509 -sha256 -newkey rsa:2048 '
+                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
+                            '-out SIGNER.crt -nodes -days 365'
+                       % data_dir, shell=True)
+            check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
+                       % (data_dir, EFITOOLS_PATH), shell=True)
+
+            # Update dtb adding capsule certificate
+            check_call('cd %s; '
+                       'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
+                       % (data_dir, u_boot_config.source_dir), shell=True)
+            check_call('cd %s; '
+                       'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
+                       'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
+                            '-o test_sig.dtb signature.dtbo'
+                       % (data_dir, u_boot_config.build_dir), shell=True)
+
+            # Create *malicious* private key (SIGNER2.key) and certificate
+            # (SIGNER2.crt)
+            check_call('cd %s; '
+                       'openssl req -x509 -sha256 -newkey rsa:2048 '
+                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
+                            '-out SIGNER2.crt -nodes -days 365'
+                       % data_dir, shell=True)
+
         # Create capsule files
         # two regions: one for u-boot.bin and the other for u-boot.env
         check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
@@ -50,12 +80,31 @@ def efi_capsule_data(request, u_boot_config):
         check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' %
                    (data_dir, u_boot_config.build_dir),
                    shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --fit uboot_bin_env.itb --index 1 Test01' %
+        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fit uboot_bin_env.itb Test01' %
+                   (data_dir, u_boot_config.build_dir),
+                   shell=True)
+        check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' %
                    (data_dir, u_boot_config.build_dir),
                    shell=True)
-        check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' %
+        check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F u-boot.bin.new Test03' %
                    (data_dir, u_boot_config.build_dir),
                    shell=True)
+        if capsule_auth_enabled:
+            # firmware signed with proper key
+            check_call('cd %s; '
+                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+                            '--private-key SIGNER.key --certificate SIGNER.crt '
+                            '--raw u-boot.bin.new Test11'
+                       % (data_dir, u_boot_config.build_dir),
+                       shell=True)
+            # firmware signed with *mal* key
+            check_call('cd %s; '
+                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+                            '--private-key SIGNER2.key '
+                            '--certificate SIGNER2.crt '
+                            '--raw u-boot.bin.new Test12'
+                       % (data_dir, u_boot_config.build_dir),
+                       shell=True)
 
         # Create a disk image with EFI system partition
         check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
author	Tom Rini <trini@konsulko.com>	2022-02-11 15:07:49 -0500
committer	Tom Rini <trini@konsulko.com>	2022-02-11 15:11:52 -0500
commit	162c22bfbc4141f22937c6bc37aa02fd4621e76c (patch)
tree	11bf6381111a8a5eade9fc5f8a0dc91e5f402b74 /test/py/tests/test_efi_capsule/conftest.py
parent	dd1c255cbc6d3bdf3211a7c9d8fd36e7696e39bb (diff)
parent	72b509b7019878e2a5f69bcf7198a0927a77ad60 (diff)