[PATCH 3/3] binman: add test for sign option

Sean Anderson sean.anderson at seco.com
Mon Apr 11 17:02:33 CEST 2022 


On 4/10/22 6:37 PM, Alper Nebi Yasak wrote:
> I initially ignored this test because I didn't like the implementation
> anyway, but I disagree with some of Sean's comments here so I wanted to
> add on what I think.
> 
> On 08/04/2022 22:26, Ivan Mikhaylov wrote:
>> On Fri, 2022-04-08 at 11:39 -0400, Sean Anderson wrote:
>>> On 3/21/22 5:43 PM, Ivan Mikhaylov wrote:
>>>> Add the test which provides sequence of actions:
>>>>   1. create the image from binman dts
>>>>   2. create public and private keys
>>>>   3. add public key into dtb with fdt_add_pubkey
>>>>   4. sign image with new sign option
>>>>   5. check with fit_check_sign
>>>>
>>>> Signed-off-by: Ivan Mikhaylov <ivan.mikhaylov at siemens.com>
>>>> ---
>>>>  tools/binman/ftest.py              | 42 +++++++++++++++++++
>>>>  tools/binman/test/225_fit_sign.dts | 67
>>>> ++++++++++++++++++++++++++++++
>>>>  2 files changed, 109 insertions(+)
>>>>  create mode 100644 tools/binman/test/225_fit_sign.dts
>>>>
>>>> diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py
>>>> index 8f00db6945..8a3d3720c4 100644
>>>> --- a/tools/binman/ftest.py
>>>> +++ b/tools/binman/ftest.py
>>>> @@ -3088,6 +3088,48 @@ class TestFunctional(unittest.TestCase):
>>>>          self.assertEqual(len(U_BOOT_DATA), entry.contents_size)
>>>>          self.assertEqual(len(U_BOOT_DATA), entry.size)
>>>>  
>>>> +    def testSignSimple(self):
>>>> +        """Test signing a single file"""
>>>> +
>>>> +        data = self._DoReadFileRealDtb('225_fit_sign.dts')
>>>> +
>>>> +        updated_fname = tools.GetOutputFilename('image-
>>>> updated.bin')
>>>> +        tools.WriteFile(updated_fname, data)
>>>> +
>>>> +        outdir = os.path.join(self._indir, 'extract')
>>>> +        einfos = control.ExtractEntries(updated_fname, None,
>>>> outdir, [])
>>>> +
>>>> +        dtb = tools.GetOutputFilename('source.dtb')
>>>> +        private_key = tools.GetOutputFilename('test_key.key')
>>>> +        public_key = tools.GetOutputFilename('test_key.crt')
>>>> +        fit = tools.GetOutputFilename('fit.fit')
>>>> +        key_dir = tools.GetOutputDir()
>>>> +
>>>> +        def check_sign(fit, key):
>>>
>>> please inline this, since it is only called once
>>>
>>>> +            try:
>>>> +                tools.Run('fit_check_sign', '-k', key, '-f', fit)
>>>> +            except:
>>>> +                return False
>>>
>>> you can just do a bare tools.Run() and if an exception is raised it
>>> will
>>> cause the test to fail.
>> 
>> Ok, good to know.
> 
> It will cause a test 'error' instead of a 'failure'. You should keep the
> try-except, but call self.fail(...) in the except case with a reasonable
> error message. Nesting multiple try blocks is a bit ugly, so you could
> keep the single-use function.
> 
> It would be even better if you added more cases testing various signing
> conditions, with this as a helper function in the outer scope that all
> of them can use.
> 
> You could extend it to check if the signature nodes in the updated
> fdtmap match the arguments passed to 'binman sign' (but your current
> implementation doesn't update those nodes).
> 
>>>
>>>> +            return True
>>>> +
>>>> +        is_signed = False
>>>> +        try:
>>>> +            tools.Run('openssl', 'req', '-batch' , '-newkey',
>>>> 'rsa:4096',
>>>> +                      '-sha256', '-new',  '-nodes',  '-x509', '-
>>>> keyout',
>>>> +                      private_key, '-out', public_key)
>>>> +            tools.Run('fdt_add_pubkey', '-a', 'sha256,rsa4096', '-
>>>> k', key_dir,
>>>> +                      '-n', 'test_key', dtb)
>>>> +            with test_util.capture_sys_output() as (stdout,
>>>> stderr):
>>>> +                # do sign with private key
>>>> +                self._DoBinman('sign', '-i', updated_fname, '-k',
>>>> private_key,
>>>> +                               '-a', 'sha256,rsa4096', '-f', fit,
>>>> 'fit')
>>>> +                is_signed = check_sign(fit, dtb)
>>>> +        finally:
>>>> +            shutil.rmtree(key_dir)
>>>> +
>>>> +        self.assertEqual(is_signed, True)
>>>
>>> so no need for this assert here
>>>> +
>>>> +
>>>>      def _RunReplaceCmd(self, entry_name, data, decomp=True,
>>>> allow_resize=True,
>>>>                         dts='132_replace.dts'):
>>>>          """Replace an entry in an image
> 
> New tests usually are added at the end of this file. IIRC they should be
> ordered by their test dts' number.
> 
>>>> diff --git a/tools/binman/test/225_fit_sign.dts
>>>> b/tools/binman/test/225_fit_sign.dts
>>>> new file mode 100644
>>>> index 0000000000..2bfa826106
>>>> --- /dev/null
>>>> +++ b/tools/binman/test/225_fit_sign.dts
>>>> @@ -0,0 +1,67 @@
>>>> +// SPDX-License-Identifier: GPL-2.0+
>>>> +
>>>> +/dts-v1/;
>>>> +
>>>> +/ {
>>>> +       #address-cells = <1>;
>>>> +       #size-cells = <1>;
>>>> +
>>>> +       binman {
>>>
>>> I don't really understand what's going on in this test case.
> 
> Binman mocks most entries' data during tests, the test images aren't
> meaningful or usable beyond what's in the python test case code. In this
> case, we only need a 'fit' entry with a signature we can run 'binman
> sign' on, and a 'fdtmap' so we can recognize that the built image has
> that 'fit' entry in it. The rest is just fluff.

I was primarily confused by the duplicate/extraneous binaries also
present. In addition to being tests, these device trees also function as
examples, so I think it is desirable for them to be somewhat sane.

--Sean

More information about the U-Boot mailing list