--- /dev/null
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Devicetree for capsule generation through binman
+ */
+
+/dts-v1/;
+
+#include <sandbox_efi_capsule.h>
+
+/ {
+ binman: binman {
+ multiple-images;
+ };
+};
+
+&binman {
+ itb {
+ filename = UBOOT_FIT_IMAGE;
+
+ fit {
+ description = "Automatic U-Boot environment update";
+ #address-cells = <2>;
+
+ images {
+ u-boot-bin {
+ description = "U-Boot binary on SPI Flash";
+ compression = "none";
+ type = "firmware";
+ arch = "sandbox";
+ load = <0>;
+ text {
+ text = "u-boot:New";
+ };
+
+ hash-1 {
+ algo = "sha1";
+ };
+ };
+ u-boot-env {
+ description = "U-Boot environment on SPI Flash";
+ compression = "none";
+ type = "firmware";
+ arch = "sandbox";
+ load = <0>;
+ text {
+ text = "u-boot-env:New";
+ };
+
+ hash-1 {
+ algo = "sha1";
+ };
+ };
+ };
+ };
+ };
+
+ capsule1 {
+ filename = "Test01";
+ efi-capsule {
+ image-index = <0x1>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule2 {
+ filename = "Test02";
+ efi-capsule {
+ image-index = <0x2>;
+ image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID;
+
+ text {
+ text = "u-boot-env:New";
+ };
+ };
+ };
+
+ capsule3 {
+ filename = "Test03";
+ efi-capsule {
+ image-index = <0x1>;
+ image-guid = SANDBOX_INCORRECT_GUID;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule4 {
+ filename = "Test04";
+ efi-capsule {
+ image-index = <0x1>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule5 {
+ filename = "Test05";
+ efi-capsule {
+ image-index = <0x1>;
+ image-guid = SANDBOX_INCORRECT_GUID;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule6 {
+ filename = "Test101";
+ efi-capsule {
+ image-index = <0x1>;
+ fw-version = <0x5>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule7 {
+ filename = "Test102";
+ efi-capsule {
+ image-index = <0x2>;
+ fw-version = <0xa>;
+ image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID;
+
+ text {
+ text = "u-boot-env:New";
+ };
+ };
+ };
+
+ capsule8 {
+ filename = "Test103";
+ efi-capsule {
+ image-index = <0x1>;
+ fw-version = <0x2>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule9 {
+ filename = "Test104";
+ efi-capsule {
+ image-index = <0x1>;
+ fw-version = <0x5>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule10 {
+ filename = "Test105";
+ efi-capsule {
+ image-index = <0x1>;
+ fw-version = <0x2>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule11 {
+ filename = "Test11";
+ efi-capsule {
+ image-index = <0x1>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule12 {
+ filename = "Test12";
+ efi-capsule {
+ image-index = <0x1>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+ private-key = CAPSULE_INVAL_KEY;
+ public-key-cert = CAPSULE_INVAL_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule13 {
+ filename = "Test13";
+ efi-capsule {
+ image-index = <0x1>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule14 {
+ filename = "Test14";
+ efi-capsule {
+ image-index = <0x1>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+ private-key = CAPSULE_INVAL_KEY;
+ public-key-cert = CAPSULE_INVAL_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule15 {
+ filename = "Test111";
+ efi-capsule {
+ image-index = <0x1>;
+ fw-version = <0x5>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule16 {
+ filename = "Test112";
+ efi-capsule {
+ image-index = <0x2>;
+ fw-version = <0xa>;
+ image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ text {
+ text = "u-boot-env:New";
+ };
+ };
+ };
+
+ capsule17 {
+ filename = "Test113";
+ efi-capsule {
+ image-index = <0x1>;
+ fw-version = <0x2>;
+ image-guid = SANDBOX_UBOOT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ text {
+ text = "u-boot:New";
+ };
+ };
+ };
+
+ capsule18 {
+ filename = "Test114";
+ efi-capsule {
+ image-index = <0x1>;
+ fw-version = <0x5>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+
+ capsule19 {
+ filename = "Test115";
+ efi-capsule {
+ image-index = <0x1>;
+ fw-version = <0x2>;
+ image-guid = SANDBOX_FIT_IMAGE_GUID;
+ private-key = CAPSULE_PRIV_KEY;
+ public-key-cert = CAPSULE_PUB_KEY;
+ monotonic-count = <0x1>;
+
+ blob {
+ filename = UBOOT_FIT_IMAGE;
+ };
+ };
+ };
+};
"""Fixture for UEFI capsule test."""
+import os
+
from subprocess import call, check_call, CalledProcessError
import pytest
from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR, EFITOOLS_PATH
capsule_auth_enabled = u_boot_config.buildconfig.get(
'config_efi_capsule_authenticate')
+ key_dir = u_boot_config.source_dir + '/board/sandbox'
if capsule_auth_enabled:
- # Create private key (SIGNER.key) and certificate (SIGNER.crt)
- check_call('cd %s; '
- 'openssl req -x509 -sha256 -newkey rsa:2048 '
- '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
- '-out SIGNER.crt -nodes -days 365'
- % data_dir, shell=True)
- check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
- % (data_dir, EFITOOLS_PATH), shell=True)
+ # Get the keys from the board directory
+ check_call('cp %s/capsule_priv_key_good.key %s/SIGNER.key'
+ % (key_dir, data_dir), shell=True)
+ check_call('cp %s/capsule_pub_key_good.crt %s/SIGNER.crt'
+ % (key_dir, data_dir), shell=True)
+ check_call('cp %s/capsule_pub_esl_good.esl %s/SIGNER.esl'
+ % (key_dir, data_dir), shell=True)
+
+ check_call('cp %s/capsule_priv_key_bad.key %s/SIGNER2.key'
+ % (key_dir, data_dir), shell=True)
+ check_call('cp %s/capsule_pub_key_bad.crt %s/SIGNER2.crt'
+ % (key_dir, data_dir), shell=True)
# Update dtb adding capsule certificate
check_call('cd %s; '
'-o test_sig.dtb signature.dtbo'
% (data_dir, u_boot_config.build_dir), shell=True)
- # Create *malicious* private key (SIGNER2.key) and certificate
- # (SIGNER2.crt)
- check_call('cd %s; '
- 'openssl req -x509 -sha256 -newkey rsa:2048 '
- '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
- '-out SIGNER2.crt -nodes -days 365'
- % data_dir, shell=True)
-
# Update dtb to add the version information
check_call('cd %s; '
'cp %s/test/py/tests/test_efi_capsule/version.dts .'
'-o test_ver.dtb version.dtbo'
% (data_dir, u_boot_config.build_dir), shell=True)
- # Create capsule files
# two regions: one for u-boot.bin and the other for u-boot.env
check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
shell=True)
- check_call('sed -e \"s?BINFILE1?u-boot.bin.new?\" -e \"s?BINFILE2?u-boot.env.new?\" %s/test/py/tests/test_efi_capsule/uboot_bin_env.its > %s/uboot_bin_env.its' %
- (u_boot_config.source_dir, data_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test01' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 2 --guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test02' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 u-boot.bin.new Test03' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test04' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 uboot_bin_env.itb Test05' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test101' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 2 --fw-version 10 '
- '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test102' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test103' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test104' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test105' %
- (data_dir, u_boot_config.build_dir),
- shell=True)
- if capsule_auth_enabled:
- # raw firmware signed with proper key
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
- 'u-boot.bin.new Test11'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # raw firmware signed with *mal* key
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--private-key SIGNER2.key '
- '--certificate SIGNER2.crt '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
- 'u-boot.bin.new Test12'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # FIT firmware signed with proper key
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
- 'uboot_bin_env.itb Test13'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # FIT firmware signed with *mal* key
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--private-key SIGNER2.key '
- '--certificate SIGNER2.crt '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
- 'uboot_bin_env.itb Test14'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # raw firmware signed with proper key with version information
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--fw-version 5 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
- 'u-boot.bin.new Test111'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # raw firmware signed with proper key with version information
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 2 --monotonic-count 1 '
- '--fw-version 10 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 '
- 'u-boot.env.new Test112'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # raw firmware signed with proper key with lower version information
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--fw-version 2 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
- 'u-boot.bin.new Test113'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # FIT firmware signed with proper key with version information
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--fw-version 5 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
- 'uboot_bin_env.itb Test114'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
- # FIT firmware signed with proper key with lower version information
- check_call('cd %s; '
- '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
- '--fw-version 2 '
- '--private-key SIGNER.key --certificate SIGNER.crt '
- '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
- 'uboot_bin_env.itb Test115'
- % (data_dir, u_boot_config.build_dir),
- shell=True)
+ pythonpath = os.environ.get('PYTHONPATH', '')
+ os.environ['PYTHONPATH'] = pythonpath + ':' + '%s/scripts/dtc/pylibfdt' % u_boot_config.build_dir
+ check_call('cd %s; '
+ 'cc -E -I %s/include -x assembler-with-cpp -o capsule_gen_tmp.dts %s/test/py/tests/test_efi_capsule/capsule_gen_binman.dts; '
+ 'dtc -I dts -O dtb capsule_gen_tmp.dts -o capsule_binman.dtb;'
+ % (data_dir, u_boot_config.source_dir, u_boot_config.source_dir), shell=True)
+ check_call('cd %s; '
+ './tools/binman/binman --toolpath %s/tools build -u -d %s/capsule_binman.dtb -O %s -m --allow-missing -I %s -I ./board/sandbox -I ./arch/sandbox/dts'
+ % (u_boot_config.source_dir, u_boot_config.build_dir, data_dir, data_dir, data_dir), shell=True)
+ os.environ['PYTHONPATH'] = pythonpath
# Create a disk image with EFI system partition
check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
projects / u-boot.git / commitdiff