test/py: efi_capsule: add image authentication test

Add a couple of test cases against capsule image authentication for capsule-on-disk, where only a signed capsule file with the verified signature will be applied to the system. Due to the difficulty of embedding a public key (esl file) in U-Boot binary during pytest setup time, all the keys/certificates are pre-created. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Simon Glass <sjg@chromium.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
author: AKASHI Takahiro <takahiro.akashi@linaro.org> 2022-02-09 19:10:38 +0900
committer: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 2022-02-11 20:07:55 +0100
commit: bad58cb308acdf739e855e3336dfdf1a8d7b08a4 (patch)
tree: 8ec0e9c67429f1f15e3687bfef7e1912f8da7b18 /test/py/tests/test_efi_capsule/conftest.py
parent: a62eb06f7c2b80e80a1f14f8950c3fb6958a97d4 (diff)
1 files changed, 49 insertions, 3 deletions
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index 6ad5608cd7..27c05971ca 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -10,13 +10,13 @@ import pytest
 from capsule_defs import *
 
 #
-# Fixture for UEFI secure boot test
+# Fixture for UEFI capsule test
 #
 
-
 @pytest.fixture(scope='session')
 def efi_capsule_data(request, u_boot_config):
-    """Set up a file system to be used in UEFI capsule test.
+    """Set up a file system to be used in UEFI capsule and
+       authentication test.
 
     Args:
         request: Pytest request object.
@@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config):
         check_call('mkdir -p %s' % data_dir, shell=True)
         check_call('mkdir -p %s' % install_dir, shell=True)
 
+        capsule_auth_enabled = u_boot_config.buildconfig.get(
+                    'config_efi_capsule_authenticate')
+        if capsule_auth_enabled:
+            # Create private key (SIGNER.key) and certificate (SIGNER.crt)
+            check_call('cd %s; '
+                       'openssl req -x509 -sha256 -newkey rsa:2048 '
+                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
+                            '-out SIGNER.crt -nodes -days 365'
+                       % data_dir, shell=True)
+            check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
+                       % (data_dir, EFITOOLS_PATH), shell=True)
+
+            # Update dtb adding capsule certificate
+            check_call('cd %s; '
+                       'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
+                       % (data_dir, u_boot_config.source_dir), shell=True)
+            check_call('cd %s; '
+                       'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
+                       'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
+                            '-o test_sig.dtb signature.dtbo'
+                       % (data_dir, u_boot_config.build_dir), shell=True)
+
+            # Create *malicious* private key (SIGNER2.key) and certificate
+            # (SIGNER2.crt)
+            check_call('cd %s; '
+                       'openssl req -x509 -sha256 -newkey rsa:2048 '
+                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
+                            '-out SIGNER2.crt -nodes -days 365'
+                       % data_dir, shell=True)
+
         # Create capsule files
         # two regions: one for u-boot.bin and the other for u-boot.env
         check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
@@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config):
         check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' %
                    (data_dir, u_boot_config.build_dir),
                    shell=True)
+        if capsule_auth_enabled:
+            # firmware signed with proper key
+            check_call('cd %s; '
+                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+                            '--private-key SIGNER.key --certificate SIGNER.crt '
+                            '--raw u-boot.bin.new Test11'
+                       % (data_dir, u_boot_config.build_dir),
+                       shell=True)
+            # firmware signed with *mal* key
+            check_call('cd %s; '
+                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+                            '--private-key SIGNER2.key '
+                            '--certificate SIGNER2.crt '
+                            '--raw u-boot.bin.new Test12'
+                       % (data_dir, u_boot_config.build_dir),
+                       shell=True)
 
         # Create a disk image with EFI system partition
         check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
author	AKASHI Takahiro <takahiro.akashi@linaro.org>	2022-02-09 19:10:38 +0900
committer	Heinrich Schuchardt <heinrich.schuchardt@canonical.com>	2022-02-11 20:07:55 +0100
commit	bad58cb308acdf739e855e3336dfdf1a8d7b08a4 (patch)
tree	8ec0e9c67429f1f15e3687bfef7e1912f8da7b18 /test/py/tests/test_efi_capsule/conftest.py
parent	a62eb06f7c2b80e80a1f14f8950c3fb6958a97d4 (diff)