[PATCH 2/2 v3] test/py: Add more test cases for rejecting an EFI image

AKASHI Takahiro takahiro.akashi at linaro.org
Tue Apr 19 03:54:14 CEST 2022


On Mon, Apr 18, 2022 at 09:07:23PM +0300, Ilias Apalodimas wrote:
> The previous patch adds support for rejecting images when the sha384/512
> of an x.509 certificate is present in dbx.  Update the sandbox selftests
> 
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> ---
> changes since v2:
> - None
> changes since RFC:
> - new patch 
> 
>  test/py/tests/test_efi_secboot/conftest.py    |  6 +++
>  test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++
>  2 files changed, 56 insertions(+)
> 
> diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
> index 69a498ca003c..8a53dabe5414 100644
> --- a/test/py/tests/test_efi_secboot/conftest.py
> +++ b/test/py/tests/test_efi_secboot/conftest.py
> @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config):
>          check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth'
>                     % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
>                     shell=True)
> +        check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth'
> +                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> +                   shell=True)
> +        check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth'
> +                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
> +                   shell=True)
>          # dbx_hash1 (digest of TEST_db1 certificate)
>          check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
>                     % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
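Review bot: The two added `check_call` lines that build `dbx_hash384.auth` and `dbx_hash512.auth` carry no comment, while the following entry is labelled `# dbx_hash1 (digest of TEST_db1 certificate)`. A matching line above them, such as `# dbx_hash384, dbx_hash512 (SHA-384 and SHA-512 digests of db.crt)`, would make clear which certificate these revocation entries target. The sha256, sha384 and sha512 commands now differ only in the `-s` value and the output file names, so a short loop over the digest sizes would keep the three from drifting apart. `efi_boot_env` starts and ends outside this hunk.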
> diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
> index cc9396a11d48..80d5eff74be3 100644
> --- a/test/py/tests/test_efi_secboot/test_signed.py
> +++ b/test/py/tests/test_efi_secboot/test_signed.py
> @@ -235,6 +235,56 @@ class TestEfiSignedImage(object):
>              assert '\'HELLO\' failed' in ''.join(output)
>              assert 'efi_start_image() returned: 26' in ''.join(output)
>  
> +        # sha384 of an x509 cert in dbx
> +        u_boot_console.restart_uboot()
> +        with u_boot_console.log.section('Test Case 5e'):
> +            # Test Case 5f, authenticated even if only one of signatures
> +            # is verified. Same as before but reject dbx_hash1.auth only

Please describe the test scenario more specifically regarding sha384.

> +            output = u_boot_console.run_command_list([
> +                'host bind 0 %s' % disk_img,
> +                'fatload host 0:1 4000000 db.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
> +                'fatload host 0:1 4000000 KEK.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
> +                'fatload host 0:1 4000000 PK.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
> +                'fatload host 0:1 4000000 db1.auth',
> +                'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
> +                'fatload host 0:1 4000000 dbx_hash384.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
> +            assert 'Failed to set EFI variable' not in ''.join(output)
> +            output = u_boot_console.run_command_list([
> +                'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""',
> +                'efidebug boot next 1',
> +                'efidebug test bootmgr'])
> +            assert '\'HELLO\' failed' in ''.join(output)
> +            assert 'efi_start_image() returned: 26' in ''.join(output)
> +
> +        # sha512 of an x509 cert in dbx
> +        u_boot_console.restart_uboot()
> +        with u_boot_console.log.section('Test Case 5e'):
> +            # Test Case 5G, authenticated even if only one of signatures
> +            # is verified. Same as before but reject dbx_hash1.auth only
> +            output = u_boot_console.run_command_list([
> +                'host bind 0 %s' % disk_img,
> +                'fatload host 0:1 4000000 db.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
> +                'fatload host 0:1 4000000 KEK.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
> +                'fatload host 0:1 4000000 PK.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
> +                'fatload host 0:1 4000000 db1.auth',
> +                'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
> +                'fatload host 0:1 4000000 dbx_hash512.auth',
> +                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
> +            assert 'Failed to set EFI variable' not in ''.join(output)
> +            output = u_boot_console.run_command_list([
> +                'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""',
> +                'efidebug boot next 1',
> +                'efidebug test bootmgr'])
> +            assert '\'HELLO\' failed' in ''.join(output)
> +            assert 'efi_start_image() returned: 26' in ''.join(output)
> +

I prefer to have two separate test functions for sha384 and sha512.
This way, we can test both cases independently.
In the test run, even if the sha384 case fails, the sha512 case can still be verified.

-Takahiro Akashi


>      def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
>          """
>          Test Case 6 - using digest of signed image in database
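Review bot: Both added blocks open `u_boot_console.log.section('Test Case 5e')` while their comments call them 5f and 5G, so a failure in the log cannot be attributed to the sha384 or the sha512 dbx entry. Label them distinctly, e.g. `with u_boot_console.log.section('Test Case 5f'):` and `with u_boot_console.log.section('Test Case 5g'):`. The copied comment text also contradicts the code: it says the image is "authenticated" and names `dbx_hash1.auth`, whereas the blocks load `dbx_hash384.auth` / `dbx_hash512.auth` and assert that `'HELLO' failed`. The enclosing test method starts before this hunk.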
> -- 
> 2.32.0
> 

