import vboot_forge
TESTDATA = [
- ['sha1', '', False],
- ['sha1', '-pss', False],
- ['sha256', '', False],
- ['sha256', '-pss', False],
- ['sha256', '-pss', True],
+ ['sha1', '', None, False],
+ ['sha1', '', '-E -p 0x10000', False],
+ ['sha1', '-pss', None, False],
+ ['sha1', '-pss', '-E -p 0x10000', False],
+ ['sha256', '', None, False],
+ ['sha256', '', '-E -p 0x10000', False],
+ ['sha256', '-pss', None, False],
+ ['sha256', '-pss', '-E -p 0x10000', False],
+ ['sha256', '-pss', None, True],
+ ['sha256', '-pss', '-E -p 0x10000', True],
]
@pytest.mark.boardspec('sandbox')
@pytest.mark.requiredtool('fdtget')
@pytest.mark.requiredtool('fdtput')
@pytest.mark.requiredtool('openssl')
-@pytest.mark.parametrize("sha_algo,padding,required", TESTDATA)
-def test_vboot(u_boot_console, sha_algo, padding, required):
+@pytest.mark.parametrize("sha_algo,padding,sign_options,required", TESTDATA)
+def test_vboot(u_boot_console, sha_algo, padding, sign_options, required):
"""Test verified boot signing with mkimage and verification with 'bootm'.
This works using sandbox only as it needs to update the device tree used
util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
'%s%s' % (datadir, its), fit])
- def sign_fit(sha_algo):
+ def sign_fit(sha_algo, options):
"""Sign the FIT
Signs the FIT and writes the signature into it. It also writes the
Args:
sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
use.
+ options: Options to provide to mkimage.
"""
+ args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit]
+ if options:
+ args += options.split(' ')
cons.log.action('%s: Sign images' % sha_algo)
- util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
- '-r', fit])
+ util.run_and_log(cons, args)
def replace_fit_totalsize(size):
"""Replace FIT header's totalsize with something greater.
util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '
'-out %s%s.crt' % (tmpdir, name, tmpdir, name))
- def test_with_algo(sha_algo, padding):
+ def test_with_algo(sha_algo, padding, sign_options):
"""Test verified boot with the given hash algorithm.
This is the main part of the test code. The same procedure is followed
Args:
sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
use.
+ padding: Either '' or '-pss', to select the padding to use for the
+ rsa signature algorithm.
+ sign_options: Options to mkimage when signing a fit image.
"""
# Compile our device tree files for kernel and U-Boot. These are
# regenerated here since mkimage will modify them (by adding a
run_bootm(sha_algo, 'unsigned images', 'dev-', True)
# Sign images with our dev keys
- sign_fit(sha_algo)
+ sign_fit(sha_algo, sign_options)
run_bootm(sha_algo, 'signed images', 'dev+', True)
# Create a fresh .dtb without the public keys
run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
# Sign images with our dev keys
- sign_fit(sha_algo)
+ sign_fit(sha_algo, sign_options)
run_bootm(sha_algo, 'signed config', 'dev+', True)
cons.log.action('%s: Check signed config on the host' % sha_algo)
# Create a new properly signed fit and replace header bytes
make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
- sign_fit(sha_algo)
+ sign_fit(sha_algo, sign_options)
bcfg = u_boot_console.config.buildconfig
max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
existing_size = replace_fit_totalsize(max_size + 1)
cons, [fit_check_sign, '-f', fit, '-k', dtb],
1, 'Failed to verify required signature')
- def test_required_key(sha_algo, padding):
+ def test_required_key(sha_algo, padding, sign_options):
"""Test verified boot with the given hash algorithm.
This function tests if U-Boot rejects an image when a required key isn't
Args:
sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use
+ padding: Either '' or '-pss', to select the padding to use for the
+ rsa signature algorithm.
+ sign_options: Options to mkimage when signing a fit image.
"""
# Compile our device tree files for kernel and U-Boot. These are
# regenerated here since mkimage will modify them (by adding a
# Build the FIT with prod key (keys required) and sign it. This puts the
# signature into sandbox-u-boot.dtb, marked 'required'
make_fit('sign-configs-%s%s-prod.its' % (sha_algo, padding))
- sign_fit(sha_algo)
+ sign_fit(sha_algo, sign_options)
# Build the FIT with dev key (keys NOT required). This adds the
# signature into sandbox-u-boot.dtb, NOT marked 'required'.
make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
- sign_fit(sha_algo)
+ sign_fit(sha_algo, sign_options)
# So now sandbox-u-boot.dtb two signatures, for the prod and dev keys.
# Only the prod key is set as 'required'. But FIT we just built has
old_dtb = cons.config.dtb
cons.config.dtb = dtb
if required:
- test_required_key(sha_algo, padding)
+ test_required_key(sha_algo, padding, sign_options)
else:
- test_with_algo(sha_algo, padding)
+ test_with_algo(sha_algo, padding, sign_options)
finally:
# Go back to the original U-Boot with the correct dtb.
cons.config.dtb = old_dtb