[PATCH 5/5] test/py: efi_secboot: add a test for a forged signed image
AKASHI Takahiro
takahiro.akashi at linaro.org
Tue Jul 5 07:48:15 CEST 2022
In this test case, a image binary, helloworld.efi.signed, is willfully
modified to print a corrupted message while the signature itself is
unchanged.
This binary must be rejected under secure boot mode.
Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
---
test/py/tests/test_efi_secboot/conftest.py | 3 ++
test/py/tests/test_efi_secboot/forge_image.sh | 5 +++
test/py/tests/test_efi_secboot/test_signed.py | 35 +++++++++++++++++++
3 files changed, 43 insertions(+)
create mode 100644 test/py/tests/test_efi_secboot/forge_image.sh
diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py
index 8a53dabe5414..db6b8d301f85 100644
--- a/test/py/tests/test_efi_secboot/conftest.py
+++ b/test/py/tests/test_efi_secboot/conftest.py
@@ -105,6 +105,9 @@ def efi_boot_env(request, u_boot_config):
# Sign already-signed image with another key
check_call('cd %s; sbsign --key db1.key --cert db1.crt --output helloworld.efi.signed_2sigs helloworld.efi.signed'
% mnt_point, shell=True)
+ # Create a corrupted signed image
+ check_call('cd %s; sh %s/test/py/tests/test_efi_secboot/forge_image.sh helloworld.efi.signed helloworld_forged.efi.signed'
+ % (mnt_point, u_boot_config.source_dir), shell=True)
# Digest image
check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth'
% (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
diff --git a/test/py/tests/test_efi_secboot/forge_image.sh b/test/py/tests/test_efi_secboot/forge_image.sh
new file mode 100644
index 000000000000..2465d10fa7b8
--- /dev/null
+++ b/test/py/tests/test_efi_secboot/forge_image.sh
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+#!/bin/sh
+
+replace_exp="s/H\0e\0l\0l\0o\0/h\0E\0L\0L\0O\0/g"
+perl -p -e ${replace_exp} < $1 > $2
diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
index 30b3fa4e701e..ca52e853d8f8 100644
--- a/test/py/tests/test_efi_secboot/test_signed.py
+++ b/test/py/tests/test_efi_secboot/test_signed.py
@@ -334,3 +334,38 @@ class TestEfiSignedImage(object):
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
+
+ def test_efi_signed_image_auth8(self, u_boot_console, efi_boot_env):
+ """
+ Test Case 8 - Secure boot is in force,
+ Same as Test Case 2 but the image binary to be loaded
+ was willfully modified (forged)
+ Must be rejected.
+ """
+ u_boot_console.restart_uboot()
+ disk_img = efi_boot_env
+ with u_boot_console.log.section('Test Case 8a'):
+ # Test Case 8a, Secure boot is not yet forced
+ output = u_boot_console.run_command_list([
+ 'host bind 0 %s' % disk_img,
+ 'efidebug boot add -b 1 HELLO1 host 0:1 /helloworld_forged.efi.signed -s ""',
+ 'efidebug boot next 1',
+ 'efidebug test bootmgr'])
+ assert('hELLO, world!' in ''.join(output))
+
+ with u_boot_console.log.section('Test Case 8b'):
+ # Test Case 8b, Install signature database and verify the image
+ output = u_boot_console.run_command_list([
+ 'fatload host 0:1 4000000 db.auth',
+ 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
+ 'fatload host 0:1 4000000 KEK.auth',
+ 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
+ 'fatload host 0:1 4000000 PK.auth',
+ 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
+ assert 'Failed to set EFI variable' not in ''.join(output)
+ output = u_boot_console.run_command_list([
+ 'efidebug boot next 1',
+ 'efidebug test bootmgr'])
+ assert(not 'hELLO, world!' in ''.join(output))
+ assert('\'HELLO1\' failed' in ''.join(output))
+ assert('efi_start_image() returned: 26' in ''.join(output))
--
2.36.1
More information about the U-Boot
mailing list