[PATCH v8 06/12] test/py: efi_capsule: add image authentication test
Heinrich Schuchardt
xypron.glpk at gmx.de
Sat Jan 1 23:18:47 CET 2022
On 12/20/21 06:02, AKASHI Takahiro wrote:
> Add a couple of test cases against capsule image authentication
> for capsule-on-disk, where only a signed capsule file with the verified
> signature will be applied to the system.
>
> Due to the difficulty of embedding a public key (esl file) in U-Boot
> binary during pytest setup time, all the keys/certificates are pre-created.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> Reviewed-by: Simon Glass <sjg at chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> ---
> .../py/tests/test_efi_capsule/capsule_defs.py | 5 +
> test/py/tests/test_efi_capsule/conftest.py | 52 +++-
> test/py/tests/test_efi_capsule/signature.dts | 10 +
> .../test_capsule_firmware_signed.py | 254 ++++++++++++++++++
> 4 files changed, 318 insertions(+), 3 deletions(-)
> create mode 100644 test/py/tests/test_efi_capsule/signature.dts
> create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
>
> diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
> index 4fd6353c2040..aa9bf5eee3aa 100644
> --- a/test/py/tests/test_efi_capsule/capsule_defs.py
> +++ b/test/py/tests/test_efi_capsule/capsule_defs.py
> @@ -3,3 +3,8 @@
> # Directories
> CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
> CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
> +
> +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
> +# you need build a newer version on your own.
Why should I build it on my own? The version in Debian Bullseye and
Ubuntu Impish is 1.9.2. Is your Linux distro outdated?
> +# The path must terminate with '/'.
> +EFITOOLS_PATH = ''
This is contradictory.
'' seems not to be '/' terminated.
> diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
> index 6ad5608cd71c..27c05971ca32 100644
> --- a/test/py/tests/test_efi_capsule/conftest.py
> +++ b/test/py/tests/test_efi_capsule/conftest.py
> @@ -10,13 +10,13 @@ import pytest
> from capsule_defs import *
>
> #
> -# Fixture for UEFI secure boot test
> +# Fixture for UEFI capsule test
> #
>
> -
> @pytest.fixture(scope='session')
> def efi_capsule_data(request, u_boot_config):
> - """Set up a file system to be used in UEFI capsule test.
> + """Set up a file system to be used in UEFI capsule and
> + authentication test.
>
> Args:
> request: Pytest request object.
> @@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config):
> check_call('mkdir -p %s' % data_dir, shell=True)
> check_call('mkdir -p %s' % install_dir, shell=True)
>
> + capsule_auth_enabled = u_boot_config.buildconfig.get(
> + 'config_efi_capsule_authenticate')
> + if capsule_auth_enabled:
> + # Create private key (SIGNER.key) and certificate (SIGNER.crt)
> + check_call('cd %s; '
> + 'openssl req -x509 -sha256 -newkey rsa:2048 '
> + '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
> + '-out SIGNER.crt -nodes -days 365'
> + % data_dir, shell=True)
> + check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
> + % (data_dir, EFITOOLS_PATH), shell=True)
> +
> + # Update dtb adding capsule certificate
> + check_call('cd %s; '
> + 'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
> + % (data_dir, u_boot_config.source_dir), shell=True)
> + check_call('cd %s; '
> + 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
> + 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
> + '-o test_sig.dtb signature.dtbo'
> + % (data_dir, u_boot_config.build_dir), shell=True)
> +
> + # Create *malicious* private key (SIGNER2.key) and certificate
There is nothing malicious in an unsupported private key.
%s/\*malicious\*/unsupported/
Best regards
Heinrich
> + # (SIGNER2.crt)
> + check_call('cd %s; '
> + 'openssl req -x509 -sha256 -newkey rsa:2048 '
> + '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
> + '-out SIGNER2.crt -nodes -days 365'
> + % data_dir, shell=True)
> +
> # Create capsule files
> # two regions: one for u-boot.bin and the other for u-boot.env
> check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
> @@ -56,6 +86,22 @@ def efi_capsule_data(request, u_boot_config):
> check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' %
> (data_dir, u_boot_config.build_dir),
> shell=True)
> + if capsule_auth_enabled:
> + # firmware signed with proper key
> + check_call('cd %s; '
> + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> + '--private-key SIGNER.key --certificate SIGNER.crt '
> + '--raw u-boot.bin.new Test11'
> + % (data_dir, u_boot_config.build_dir),
> + shell=True)
> + # firmware signed with *mal* key
> + check_call('cd %s; '
> + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> + '--private-key SIGNER2.key '
> + '--certificate SIGNER2.crt '
> + '--raw u-boot.bin.new Test12'
> + % (data_dir, u_boot_config.build_dir),
> + shell=True)
>
> # Create a disk image with EFI system partition
> check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
> diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts
> new file mode 100644
> index 000000000000..078cfc76c93c
> --- /dev/null
> +++ b/test/py/tests/test_efi_capsule/signature.dts
> @@ -0,0 +1,10 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +
> +/dts-v1/;
> +/plugin/;
> +
> +&{/} {
> + signature {
> + capsule-key = /incbin/("SIGNER.esl");
> + };
> +};
> diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> new file mode 100644
> index 000000000000..593b032e9015
> --- /dev/null
> +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> @@ -0,0 +1,254 @@
> +# SPDX-License-Identifier: GPL-2.0+
> +# Copyright (c) 2021, Linaro Limited
> +# Author: AKASHI Takahiro <takahiro.akashi at linaro.org>
> +#
> +# U-Boot UEFI: Firmware Update (Signed capsule) Test
> +
> +"""
> +This test verifies capsule-on-disk firmware update
> +with signed capsule files
> +"""
> +
> +import pytest
> +from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR
> +
> + at pytest.mark.boardspec('sandbox')
> + at pytest.mark.buildconfigspec('efi_capsule_firmware_raw')
> + at pytest.mark.buildconfigspec('efi_capsule_authenticate')
> + at pytest.mark.buildconfigspec('dfu')
> + at pytest.mark.buildconfigspec('dfu_sf')
> + at pytest.mark.buildconfigspec('cmd_efidebug')
> + at pytest.mark.buildconfigspec('cmd_fat')
> + at pytest.mark.buildconfigspec('cmd_memory')
> + at pytest.mark.buildconfigspec('cmd_nvedit_efi')
> + at pytest.mark.buildconfigspec('cmd_sf')
> + at pytest.mark.slow
> +class TestEfiCapsuleFirmwareSigned(object):
> + def test_efi_capsule_auth1(
> + self, u_boot_config, u_boot_console, efi_capsule_data):
> + """
> + Test Case 1 - Update U-Boot on SPI Flash, raw image format
> + 0x100000-0x150000: U-Boot binary (but dummy)
> +
> + If the capsule is properly signed, the authentication
> + should pass and the firmware be updated.
> + """
> + disk_img = efi_capsule_data
> + with u_boot_console.log.section('Test Case 1-a, before reboot'):
> + output = u_boot_console.run_command_list([
> + 'host bind 0 %s' % disk_img,
> + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
> + 'efidebug boot order 1',
> + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
> + 'env set dfu_alt_info '
> + '"sf 0:0=u-boot-bin raw 0x100000 '
> + '0x50000;u-boot-env raw 0x150000 0x200000"',
> + 'env save'])
> +
> + # initialize content
> + output = u_boot_console.run_command_list([
> + 'sf probe 0:0',
> + 'fatload host 0:1 4000000 %s/u-boot.bin.old'
> + % CAPSULE_DATA_DIR,
> + 'sf write 4000000 100000 10',
> + 'sf read 5000000 100000 10',
> + 'md.b 5000000 10'])
> + assert 'Old' in ''.join(output)
> +
> + # place a capsule file
> + output = u_boot_console.run_command_list([
> + 'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR,
> + 'fatwrite host 0:1 4000000 %s/Test11 $filesize'
> + % CAPSULE_INSTALL_DIR,
> + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> + assert 'Test11' in ''.join(output)
> +
> + # reboot
> + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
> + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
> + + '/test_sig.dtb'
> + u_boot_console.restart_uboot()
> +
> + capsule_early = u_boot_config.buildconfig.get(
> + 'config_efi_capsule_on_disk_early')
> + with u_boot_console.log.section('Test Case 1-b, after reboot'):
> + if not capsule_early:
> + # make sure that dfu_alt_info exists even persistent variables
> + # are not available.
> + output = u_boot_console.run_command_list([
> + 'env set dfu_alt_info '
> + '"sf 0:0=u-boot-bin raw 0x100000 '
> + '0x50000;u-boot-env raw 0x150000 0x200000"',
> + 'host bind 0 %s' % disk_img,
> + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> + assert 'Test11' in ''.join(output)
> +
> + # need to run uefi command to initiate capsule handling
> + output = u_boot_console.run_command(
> + 'env print -e Capsule0000')
> +
> + output = u_boot_console.run_command_list([
> + 'host bind 0 %s' % disk_img,
> + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> + assert 'Test11' not in ''.join(output)
> +
> + output = u_boot_console.run_command_list([
> + 'sf probe 0:0',
> + 'sf read 4000000 100000 10',
> + 'md.b 4000000 10'])
> + assert 'u-boot:New' in ''.join(output)
> +
> + def test_efi_capsule_auth2(
> + self, u_boot_config, u_boot_console, efi_capsule_data):
> + """
> + Test Case 2 - Update U-Boot on SPI Flash, raw image format
> + 0x100000-0x150000: U-Boot binary (but dummy)
> +
> + If the capsule is signed but with an invalid key,
> + the authentication should fail and the firmware
> + not be updated.
> + """
> + disk_img = efi_capsule_data
> + with u_boot_console.log.section('Test Case 2-a, before reboot'):
> + output = u_boot_console.run_command_list([
> + 'host bind 0 %s' % disk_img,
> + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
> + 'efidebug boot order 1',
> + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
> + 'env set dfu_alt_info '
> + '"sf 0:0=u-boot-bin raw 0x100000 '
> + '0x50000;u-boot-env raw 0x150000 0x200000"',
> + 'env save'])
> +
> + # initialize content
> + output = u_boot_console.run_command_list([
> + 'sf probe 0:0',
> + 'fatload host 0:1 4000000 %s/u-boot.bin.old'
> + % CAPSULE_DATA_DIR,
> + 'sf write 4000000 100000 10',
> + 'sf read 5000000 100000 10',
> + 'md.b 5000000 10'])
> + assert 'Old' in ''.join(output)
> +
> + # place a capsule file
> + output = u_boot_console.run_command_list([
> + 'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR,
> + 'fatwrite host 0:1 4000000 %s/Test12 $filesize'
> + % CAPSULE_INSTALL_DIR,
> + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> + assert 'Test12' in ''.join(output)
> +
> + # reboot
> + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
> + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
> + + '/test_sig.dtb'
> + u_boot_console.restart_uboot()
> +
> + capsule_early = u_boot_config.buildconfig.get(
> + 'config_efi_capsule_on_disk_early')
> + with u_boot_console.log.section('Test Case 2-b, after reboot'):
> + if not capsule_early:
> + # make sure that dfu_alt_info exists even persistent variables
> + # are not available.
> + output = u_boot_console.run_command_list([
> + 'env set dfu_alt_info '
> + '"sf 0:0=u-boot-bin raw 0x100000 '
> + '0x50000;u-boot-env raw 0x150000 0x200000"',
> + 'host bind 0 %s' % disk_img,
> + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> + assert 'Test12' in ''.join(output)
> +
> + # need to run uefi command to initiate capsule handling
> + output = u_boot_console.run_command(
> + 'env print -e Capsule0000')
> +
> + # deleted any way
> + output = u_boot_console.run_command_list([
> + 'host bind 0 %s' % disk_img,
> + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> + assert 'Test12' not in ''.join(output)
> +
> + # TODO: check CapsuleStatus in CapsuleXXXX
> +
> + output = u_boot_console.run_command_list([
> + 'sf probe 0:0',
> + 'sf read 4000000 100000 10',
> + 'md.b 4000000 10'])
> + assert 'u-boot:Old' in ''.join(output)
> +
> + def test_efi_capsule_auth3(
> + self, u_boot_config, u_boot_console, efi_capsule_data):
> + """
> + Test Case 3 - Update U-Boot on SPI Flash, raw image format
> + 0x100000-0x150000: U-Boot binary (but dummy)
> +
> + If the capsule is not signed, the authentication
> + should fail and the firmware not be updated.
> + """
> + disk_img = efi_capsule_data
> + with u_boot_console.log.section('Test Case 3-a, before reboot'):
> + output = u_boot_console.run_command_list([
> + 'host bind 0 %s' % disk_img,
> + 'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
> + 'efidebug boot order 1',
> + 'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
> + 'env set dfu_alt_info '
> + '"sf 0:0=u-boot-bin raw 0x100000 '
> + '0x50000;u-boot-env raw 0x150000 0x200000"',
> + 'env save'])
> +
> + # initialize content
> + output = u_boot_console.run_command_list([
> + 'sf probe 0:0',
> + 'fatload host 0:1 4000000 %s/u-boot.bin.old'
> + % CAPSULE_DATA_DIR,
> + 'sf write 4000000 100000 10',
> + 'sf read 5000000 100000 10',
> + 'md.b 5000000 10'])
> + assert 'Old' in ''.join(output)
> +
> + # place a capsule file
> + output = u_boot_console.run_command_list([
> + 'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR,
> + 'fatwrite host 0:1 4000000 %s/Test02 $filesize'
> + % CAPSULE_INSTALL_DIR,
> + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> + assert 'Test02' in ''.join(output)
> +
> + # reboot
> + mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
> + u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
> + + '/test_sig.dtb'
> + u_boot_console.restart_uboot()
> +
> + capsule_early = u_boot_config.buildconfig.get(
> + 'config_efi_capsule_on_disk_early')
> + with u_boot_console.log.section('Test Case 3-b, after reboot'):
> + if not capsule_early:
> + # make sure that dfu_alt_info exists even persistent variables
> + # are not available.
> + output = u_boot_console.run_command_list([
> + 'env set dfu_alt_info '
> + '"sf 0:0=u-boot-bin raw 0x100000 '
> + '0x50000;u-boot-env raw 0x150000 0x200000"',
> + 'host bind 0 %s' % disk_img,
> + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> + assert 'Test02' in ''.join(output)
> +
> + # need to run uefi command to initiate capsule handling
> + output = u_boot_console.run_command(
> + 'env print -e Capsule0000')
> +
> + # deleted any way
> + output = u_boot_console.run_command_list([
> + 'host bind 0 %s' % disk_img,
> + 'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
> + assert 'Test02' not in ''.join(output)
> +
> + # TODO: check CapsuleStatus in CapsuleXXXX
> +
> + output = u_boot_console.run_command_list([
> + 'sf probe 0:0',
> + 'sf read 4000000 100000 10',
> + 'md.b 4000000 10'])
> + assert 'u-boot:Old' in ''.join(output)
More information about the U-Boot
mailing list