[U-Boot] [PATCH 14/16] efi_loader, pytest: set up secure boot environment

Heinrich Schuchardt xypron.glpk at gmx.de
Sat Nov 16 20:19:33 UTC 2019 

On 11/13/19 1:53 AM, AKASHI Takahiro wrote:
> A fixture for UEFI secure boot tests (image authentication and variable
> authentication) is defined. A small file system with test data in a single
> partition formatted in fat is created.

Why do we need a file system? That seems overly complicated.

Can't we use tFTP to download the file you want to check like we do for
helloworld.efi and grub.efi.

>
> This test requires efitools v1.5.2 or later. If the system's efitools
> is older, you have to build it on your own and define EFITOOLS_PATH.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> ---
>   .travis.yml                                |   4 +
>   test/py/README.md                          |   4 +
>   test/py/tests/test_efi_secboot/conftest.py | 128 +++++++++++++++++++++
>   test/py/tests/test_efi_secboot/defs.py     |  21 ++++
>   4 files changed, 157 insertions(+)
>   create mode 100644 test/py/tests/test_efi_secboot/conftest.py
>   create mode 100644 test/py/tests/test_efi_secboot/defs.py
>
> diff --git a/.travis.yml b/.travis.yml
> index 1e9837869508..edb87fc6396d 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -38,6 +38,10 @@ addons:
>       - libisl15
>       - clang-7
>       - srecord
> +    - coreutils
> +    - dosfstools
> +    - efitools
> +    - udisks2
>
>   install:
>    # Clone uboot-test-hooks
> diff --git a/test/py/README.md b/test/py/README.md
> index 3cbe01b73e28..bb8d6c9d21dd 100644
> --- a/test/py/README.md
> +++ b/test/py/README.md
> @@ -38,6 +38,10 @@ will be required.  The following is an incomplete list:
>   | sudo OR guestmount |
>   | e2fsprogs      |
>   | dosfstools     |
> +| coreutils      |
> +| efitools       |
> +| sbsigntools    |
> +| udisks2        |
>
>   Please use the apporirate commands for your distribution to match these tools
>   up with the package that provides them.
> diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
> new file mode 100644
> index 000000000000..e50f749ad1a6
> --- /dev/null
> +++ b/test/py/tests/test_efi_secboot/conftest.py
> @@ -0,0 +1,128 @@
> +# SPDX-License-Identifier:      GPL-2.0+
> +# Copyright (c) 2019, Linaro Limited
> +# Author: AKASHI Takahiro <takahiro.akashi at linaro.org>
> +
> +import os
> +import os.path
> +import pytest
> +import re
> +from subprocess import call, check_call, check_output, CalledProcessError
> +from defs import *
> +
> +#
> +# Fixture for UEFI secure boot test
> +#
> +# NOTE: yield_fixture was deprecated since pytest-3.0
> + at pytest.yield_fixture()

If it is deprecated, don't use it.

https://docs.pytest.org/en/latest/yieldfixture.html

Best regards

Heinrich

> +def efi_boot_env(request, u_boot_config):
> +    """Set up a file system to be used in UEFI secure boot test.
> +
> +    Args:
> +        request: Pytest request object.
> +	u_boot_config: U-boot configuration.
> +
> +    Return:
> +        A path to disk image to be used for testing
> +    """
> +    global HELLO_PATH
> +
> +    image_path = u_boot_config.persistent_data_dir
> +    image_path = image_path + '/' + EFI_SECBOOT_IMAGE_NAME
> +    image_size = EFI_SECBOOT_IMAGE_SIZE
> +    part_size = EFI_SECBOOT_PART_SIZE
> +    fs_type = EFI_SECBOOT_FS_TYPE
> +
> +    if HELLO_PATH == '':
> +        HELLO_PATH = u_boot_config.build_dir + '/lib/efi_loader/helloworld.efi'
> +
> +    try:
> +        # create a disk/partition
> +        check_call('dd if=/dev/zero of=%s bs=1MiB count=%d'
> +                            % (image_path, image_size), shell=True)
> +        check_call('sgdisk %s -n 1:0:+%dMiB'
> +                            % (image_path, part_size), shell=True)
> +        # create a file system
> +        check_call('dd if=/dev/zero of=%s.tmp bs=1MiB count=%d'
> +                            % (image_path, part_size), shell=True)
> +        check_call('mkfs -t %s %s.tmp' % (fs_type, image_path), shell=True)
> +        check_call('dd if=%s.tmp of=%s bs=1MiB seek=1 count=%d conv=notrunc'
> +                            % (image_path, image_path, 1), shell=True)
> +        check_call('rm %s.tmp' % image_path, shell=True)
> +        out_data = check_output('udisksctl loop-setup -f %s -o %d'
> +                            % (image_path, 1048576), shell=True).decode()
> +        m = re.search('(?<= as )(.*)\.', out_data)
> +        loop_dev = m.group(1)
> +        # print 'loop device is: %s' % loop_dev
> +        out_data = check_output('udisksctl info -b %s' % loop_dev, shell=True).decode()
> +        m = re.search('MountPoints:[ \t]+(.*)', out_data)
> +        mnt_point = m.group(1)
> +        # print 'mount point is: %s' % mnt_point
> +
> +        # suffix
> +        # *.key: RSA private key in PEM
> +        # *.crt: X509 certificate (self-signed) in PEM
> +        # *.esl: signature list
> +        # *.hash: message digest of image as signature list
> +        # *.auth: signed signature list in signature database format
> +        # *.efi: UEFI image
> +        # *.efi.signed: signed UEFI image
> +
> +        # Create signature database
> +        ## PK
> +        check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365'
> +                            % mnt_point, shell=True)
> +        check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth'
> +                            % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> +                            shell=True)
> +        ## PK_null for deletion
> +        check_call('cd %s; sleep 2; touch PK_null.esl; %ssign-efi-sig-list -c PK.crt -k PK.key PK PK_null.esl PK_null.auth'
> +                            % (mnt_point, EFITOOLS_PATH), shell=True)
> +        ## KEK
> +        check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365'
> +                            % mnt_point, shell=True)
> +        check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth'
> +                            % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> +                            shell=True)
> +        ## db
> +        check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ -keyout db.key -out db.crt -nodes -days 365'
> +                            % mnt_point, shell=True)
> +        check_call('cd %s; %scert-to-efi-sig-list -g %s db.crt db.esl; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth'
> +                            % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> +                            shell=True)
> +        ## db1
> +        check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db1/ -keyout db1.key -out db1.crt -nodes -days 365'
> +                            % mnt_point, shell=True)
> +        check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db1.esl db1.auth'
> +                            % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> +                            shell=True)
> +        ## db1-update
> +        check_call('cd %s; %ssign-efi-sig-list -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth'
> +                            % (mnt_point, EFITOOLS_PATH), shell=True)
> +        ## dbx
> +        check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365'
> +                            % mnt_point, shell=True)
> +        check_call('cd %s; %scert-to-efi-sig-list -g %s dbx.crt dbx.esl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth'
> +                            % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> +                            shell=True)
> +
> +        # Copy image
> +        check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True)
> +
> +        ## Sign image
> +        check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi'
> +                            % mnt_point, shell=True)
> +        ## Digest image
> +        check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth'
> +                            % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
> +                            shell=True)
> +
> +        check_call('udisksctl unmount -b %s' % loop_dev, shell=True)
> +        # check_call('udisksctl loop-delete -b %s' % loop_dev, shell=True)
> +    except CalledProcessError as e:
> +        pytest.skip('Setup failed: %s' % e.cmd)
> +        return
> +    else:
> +        yield image_path
> +    finally:
> +        call('echo %s' % image_path, shell=True)
> +        # call('rm -f %s' % image_path, shell=True)
> diff --git a/test/py/tests/test_efi_secboot/defs.py b/test/py/tests/test_efi_secboot/defs.py
> new file mode 100644
> index 000000000000..d6222809c547
> --- /dev/null
> +++ b/test/py/tests/test_efi_secboot/defs.py
> @@ -0,0 +1,21 @@
> +# SPDX-License-Identifier:      GPL-2.0+
> +
> +# Disk image name
> +EFI_SECBOOT_IMAGE_NAME='test_efi_secboot.img'
> +
> +# Size in MiB
> +EFI_SECBOOT_IMAGE_SIZE=16
> +EFI_SECBOOT_PART_SIZE=8
> +
> +# Partition file system type
> +EFI_SECBOOT_FS_TYPE='vfat'
> +
> +# Owner guid
> +GUID='11111111-2222-3333-4444-123456789abc'
> +
> +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
> +# you need build a newer version on your own.
> +EFITOOLS_PATH=''
> +
> +# Hello World application for sandbox
> +HELLO_PATH=''
>

More information about the U-Boot mailing list