From 0274e50e057e1969876c9d1ef6e2a530688cf5ee Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Fri, 14 Aug 2020 14:39:24 +0900 Subject: [PATCH] test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro --- test/py/tests/test_efi_secboot/conftest.py | 5 +--- test/py/tests/test_efi_secboot/test_signed.py | 26 +++++++++++++------ 2 files changed, 19 insertions(+), 12 deletions(-) diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index bf27d995b1..69a498ca00 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -70,9 +70,6 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key db db1.esl db1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) - # db1-update - check_call('cd %s; %ssign-efi-sig-list -t "2020-04-06" -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth' - % (mnt_point, EFITOOLS_PATH), shell=True) # dbx (TEST_dbx certificate) check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365' % mnt_point, shell=True) @@ -84,7 +81,7 @@ def efi_boot_env(request, u_boot_config): % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) # dbx_hash1 (digest of TEST_db1 certificate) - check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) # dbx_db (with TEST_db certificate) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 7531bbac6a..1443ba7b62 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -157,7 +157,8 @@ class TestEfiSignedImage(object): u_boot_console.restart_uboot() disk_img = efi_boot_env with u_boot_console.log.section('Test Case 5a'): - # Test Case 5a, rejected if any of signatures is not verified + # Test Case 5a, authenticated even if only one of signatures + # is verified output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', @@ -171,8 +172,7 @@ class TestEfiSignedImage(object): 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""', 'efidebug boot next 1', 'efidebug test bootmgr']) - assert '\'HELLO\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'Hello, world!' in ''.join(output) with u_boot_console.log.section('Test Case 5b'): # Test Case 5b, authenticated if both signatures are verified @@ -181,19 +181,29 @@ class TestEfiSignedImage(object): 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ - 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""', 'efidebug boot next 1', - 'bootefi bootmgr']) + 'efidebug test bootmgr']) assert 'Hello, world!' in ''.join(output) with u_boot_console.log.section('Test Case 5c'): - # Test Case 5c, rejected if any of signatures is revoked + # Test Case 5c, not rejected if one of signatures (digest of + # certificate) is revoked output = u_boot_console.run_command_list([ - 'fatload host 0:1 4000000 dbx_hash1.auth', + 'fatload host 0:1 4000000 dbx_hash.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ - 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert 'Hello, world!' in ''.join(output) + + with u_boot_console.log.section('Test Case 5d'): + # Test Case 5d, rejected if both of signatures are revoked + output = u_boot_console.run_command_list([ + 'fatload host 0:1 4000000 dbx_hash1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) -- 2.39.5