[PATCH v2 5/5] test_vboot.py: include test of fdt_add_pubkey tool

Simon Glass sjg at chromium.org
Sat Mar 11 02:46:38 CET 2023


Hi Ivan,

On Tue, 7 Mar 2023 at 14:13, Ivan Mikhaylov <fr0st61te at gmail.com> wrote:
>
> From: Roman Kopytin <Roman.Kopytin at kaspersky.com>
>
> Signed-off-by: Roman Kopytin <Roman.Kopytin at kaspersky.com>
> Cc: Rasmus Villemoes <rasmus.villemoes at prevas.dk>
> ---
>  test/py/tests/test_vboot.py | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> index e3e7ca4b21..956b8fcd43 100644
> --- a/test/py/tests/test_vboot.py
> +++ b/test/py/tests/test_vboot.py
> @@ -313,6 +313,13 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
>
>          util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
>
> +        # Create a fresh .dtb without the public keys
> +        dtc('sandbox-u-boot.dts')
> +        # Then add the dev key via the fdt_add_pubkey tool
> +        util.run_and_log(cons, [fdt_add_pubkey, '-a', '%s,rsa2048' % sha_algo,
> +                                '-k', tmpdir, '-n', 'dev', '-r', 'conf', dtb])
> +        util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
> +
>          if full_test:
>              # Make sure that U-Boot checks that the config is in the list of
>              # hashed nodes. If it isn't, a security bypass is possible.
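Review bot: the only assertion after the fdt_add_pubkey call is that fit_check_sign succeeds; nothing confirms that the freshly built .dtb lacked the key before the tool ran, so a dtb that already carried the key would pass the same check. Consider running fit_check_sign against the fresh dtb first and asserting it fails, or reading the dtb back and checking that the key node exists, and note that `-a '%s,rsa2048' % sha_algo` and `'-r', 'conf'` are hard-coded while the surrounding test is parameterised on `padding`, `sign_options` and `required`, so the tool is only exercised for one of those combinations.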
> @@ -500,6 +507,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
>      mkimage = cons.config.build_dir + '/tools/mkimage'
>      binman = cons.config.source_dir + '/tools/binman/binman'
>      fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
> +    fdt_add_pubkey = cons.config.build_dir + '/tools/fdt_add_pubkey'
>      dtc_args = '-I dts -O dtb -i %s' % tmpdir
>      dtb = '%ssandbox-u-boot.dtb' % tmpdir
>      sig_node = '/configurations/conf-1/signature'
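Review bot: the new `fdt_add_pubkey` path is used unconditionally alongside the other tool paths; if the sandbox build does not produce tools/fdt_add_pubkey, the later util.run_and_log call fails with an opaque error rather than a clear message. Consider checking that the binary exists and skipping (or failing with an explicit message) before the tool is invoked.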
> --
> 2.39.1
>

Unfortunately this test fails on sandbox:

https://source.denx.de/u-boot/custodians/u-boot-dm/-/jobs/591975

I think it would be better to put it in its own test (perhaps in the
same file) so we are not doing it on every test run. Also you could
check (in a very basic way) that it adds the key correctly since we
don't really need another test of the logic of doing that. We are just
checking that your tool calls that logic correctly.

I'll drop this one when applying, for now. Please take a look.

Regards,
Simon
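One way to do the basic check Simon asks for, as an added example that is not part of the patch or of U-Boot's own test code: parse the .dtb that fdt_add_pubkey wrote and confirm that `/signature/key-<name>` exists with the expected `algo` and `required` strings. The node layout modelled here (a `key-dev` node under `/signature` carrying `algo`, `required` and `key-name-hint` string properties) is the assumed shape of the tool's output; the two sample blobs are constructed inline so the example runs without the U-Boot tools, and in a real test the blob would instead be read from `dtb` after the tool runs.

```python
"""Check that a public key node was added to a .dtb (added example, not from the patch).

Encodes and decodes only the subset of the flattened device tree format needed
to walk nodes and properties. The sample trees at the bottom are constructed
here and stand in for a fresh sandbox dtb and for the node fdt_add_pubkey is
assumed to add (only the string properties are modelled; the real node also
carries rsa,modulus, rsa,exponent and friends).
"""
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _pad4(data):
    """Pad a byte string to the next 4-byte boundary, as the struct block requires."""
    return data + b"\0" * (-len(data) % 4)


def build_fdt(root):
    """Encode a (name, props, children) tree as a version-17 DTB blob."""
    strings = bytearray()
    offsets = {}

    def stroff(name):
        # Property names live in the strings block and are referenced by offset.
        if name not in offsets:
            offsets[name] = len(strings)
            strings.extend(name.encode() + b"\0")
        return offsets[name]

    out = bytearray()

    def emit(node):
        name, props, children = node
        out.extend(struct.pack(">I", FDT_BEGIN_NODE))
        out.extend(_pad4(name.encode() + b"\0"))
        for pname, value in props.items():
            out.extend(struct.pack(">III", FDT_PROP, len(value), stroff(pname)))
            out.extend(_pad4(value))
        for child in children:
            emit(child)
        out.extend(struct.pack(">I", FDT_END_NODE))

    emit(root)
    out.extend(struct.pack(">I", FDT_END))
    rsvmap = struct.pack(">QQ", 0, 0)          # empty memory reservation block
    off_rsv = 40                               # header is ten big-endian u32s
    off_struct = off_rsv + len(rsvmap)
    off_strings = off_struct + len(out)
    total = off_strings + len(strings)
    header = struct.pack(">10I", FDT_MAGIC, total, off_struct, off_strings, off_rsv,
                         17, 16, 0, len(strings), len(out))
    return header + rsvmap + bytes(out) + bytes(strings)


def parse_fdt(blob):
    """Return {path: {prop_name: raw_value}} for every node in a DTB blob."""
    (magic, total, off_struct, off_strings, _rsv, _ver, _compat, _cpu,
     _size_str, size_struct) = struct.unpack_from(">10I", blob, 0)
    if magic != FDT_MAGIC or total > len(blob):
        raise ValueError("not a valid DTB")
    pos, end, path, nodes = off_struct, off_struct + size_struct, [], {}
    while pos < end:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == FDT_BEGIN_NODE:
            nul = blob.index(b"\0", pos)
            path.append(blob[pos:nul].decode())
            pos = nul + 1
            pos += -pos % 4                    # name is padded to 4 bytes
            nodes["/" + "/".join(p for p in path if p)] = {}
        elif tok == FDT_END_NODE:
            path.pop()
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            pos += 8
            value = blob[pos:pos + length]
            pos += length + (-length % 4)
            nul = blob.index(b"\0", off_strings + nameoff)
            pname = blob[off_strings + nameoff:nul].decode()
            nodes["/" + "/".join(p for p in path if p)][pname] = value
        elif tok == FDT_NOP:
            continue
        elif tok == FDT_END:
            break
        else:
            raise ValueError("bad FDT token %d at offset %d" % (tok, pos - 4))
    return nodes


def find_pubkey(dtb, key_name):
    """Properties of /signature/key-<key_name>, or None if the node is absent."""
    return parse_fdt(dtb).get("/signature/key-" + key_name)


def check_pubkey(dtb, key_name, algo, required):
    """Basic check: the key node exists and carries the expected algo/required strings."""
    props = find_pubkey(dtb, key_name)
    if props is None:
        return False
    return (props.get("algo") == algo.encode() + b"\0"
            and props.get("required") == required.encode() + b"\0")


# Constructed sample blobs (assumption: this is the shape fdt_add_pubkey
# -n dev -r conf -a sha256,rsa2048 produces under /signature).
FRESH_DTB = build_fdt(("", {"compatible": b"sandbox\0"}, []))
KEYED_DTB = build_fdt(("", {"compatible": b"sandbox\0"}, [
    ("signature", {}, [
        ("key-dev", {"algo": b"sha256,rsa2048\0", "required": b"conf\0",
                     "key-name-hint": b"dev\0"}, []),
    ]),
]))

if __name__ == "__main__":
    print("fresh dtb has dev key:", check_pubkey(FRESH_DTB, "dev", "sha256,rsa2048", "conf"))
    print("keyed dtb has dev key:", check_pubkey(KEYED_DTB, "dev", "sha256,rsa2048", "conf"))
```

In a separate pytest function the same two calls would bracket the tool: assert `check_pubkey` is false on the dtb straight out of dtc, run fdt_add_pubkey, then assert it is true on the rewritten file; that catches a stale dtb as well as a tool that silently adds nothing.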
