[PATCH v2 6/6] test: add test for eficonfig secure boot key management
Masahisa Kojima
masahisa.kojima at linaro.org
Tue Oct 4 16:35:42 CEST 2022
Provide a unit test for the eficonfig secure boot key
management menu.
Signed-off-by: Masahisa Kojima <masahisa.kojima at linaro.org>
---
newly created in v2
test/py/tests/test_eficonfig/conftest.py | 84 +++-
test/py/tests/test_eficonfig/defs.py | 14 +
.../test_eficonfig/test_eficonfig_sbkey.py | 472 ++++++++++++++++++
3 files changed, 568 insertions(+), 2 deletions(-)
create mode 100644 test/py/tests/test_eficonfig/defs.py
create mode 100644 test/py/tests/test_eficonfig/test_eficonfig_sbkey.py
diff --git a/test/py/tests/test_eficonfig/conftest.py b/test/py/tests/test_eficonfig/conftest.py
index f289df0362..6750d33989 100644
--- a/test/py/tests/test_eficonfig/conftest.py
+++ b/test/py/tests/test_eficonfig/conftest.py
@@ -2,11 +2,12 @@
"""Fixture for UEFI eficonfig test
"""
-
import os
+import os.path
import shutil
-from subprocess import check_call
+from subprocess import call, check_call, check_output, CalledProcessError
import pytest
+from defs import *
@pytest.fixture(scope='session')
def efi_eficonfig_data(u_boot_config):
@@ -38,3 +39,82 @@ def efi_eficonfig_data(u_boot_config):
shell=True)
return image_path
+
+ at pytest.fixture(scope='session')
+def efi_boot_env(request, u_boot_config):
+ """Set up a file system to be used in UEFI secure boot test.
+
+ Args:
+ request: Pytest request object.
+ u_boot_config: U-boot configuration.
+
+ Return:
+ A path to disk image to be used for testing
+ """
+ image_path = u_boot_config.persistent_data_dir
+ image_path = image_path + '/test_eficonfig_sb.img'
+
+ try:
+ mnt_point = u_boot_config.build_dir + '/mnt_eficonfig_sb'
+ check_call('rm -rf {}'.format(mnt_point), shell=True)
+ check_call('mkdir -p {}'.format(mnt_point), shell=True)
+
+ # suffix
+ # *.key: RSA private key in PEM
+ # *.crt: X509 certificate (self-signed) in PEM
+ # *.esl: signature list
+ # *.hash: message digest of image as signature list
+ # *.auth: signed signature list in signature database format
+ # *.efi: UEFI image
+ # *.efi.signed: signed UEFI image
+
+ # Create signature database
+ # PK
+ check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365'
+ % mnt_point, shell=True)
+ check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -t "2020-04-01" -c PK.crt -k PK.key PK PK.esl PK.auth'
+ % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
+ shell=True)
+ # PK_null for deletion
+ check_call('cd %s; touch PK_null.esl; %ssign-efi-sig-list -t "2020-04-02" -c PK.crt -k PK.key PK PK_null.esl PK_null.auth'
+ % (mnt_point, EFITOOLS_PATH), shell=True)
+ # KEK
+ check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365'
+ % mnt_point, shell=True)
+ check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -t "2020-04-03" -c PK.crt -k PK.key KEK KEK.esl KEK.auth'
+ % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
+ shell=True)
+ # db
+ check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ -keyout db.key -out db.crt -nodes -days 365'
+ % mnt_point, shell=True)
+ check_call('cd %s; %scert-to-efi-sig-list -g %s db.crt db.esl; %ssign-efi-sig-list -t "2020-04-04" -c KEK.crt -k KEK.key db db.esl db.auth'
+ % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
+ shell=True)
+
+ # dbx_hash (digest of TEST_db certificate)
+ check_call('cd %s; %scert-to-efi-hash-list -g %s -t "2013-05-27 01:02:03" -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth'
+ % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
+ shell=True)
+
+ # Copy image
+ check_call('cp %s/lib/efi_loader/helloworld.efi %s' %
+ (u_boot_config.build_dir, mnt_point), shell=True)
+
+ # Sign image
+ check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi'
+ % mnt_point, shell=True)
+
+ check_call('cd %s; rm -f *.key' % mnt_point, shell=True)
+ check_call('cd %s; rm -f *.crt' % mnt_point, shell=True)
+ check_call('cd %s; rm -f *.hash' % mnt_point, shell=True)
+ check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat {} {}'.format(
+ mnt_point, image_path), shell=True)
+ check_call('rm -rf {}'.format(mnt_point), shell=True)
+
+ except CalledProcessError as exception:
+ pytest.skip('Setup failed: %s' % exception.cmd)
+ return
+ else:
+ yield image_path
+ finally:
+ call('rm -f %s' % image_path, shell=True)
diff --git a/test/py/tests/test_eficonfig/defs.py b/test/py/tests/test_eficonfig/defs.py
new file mode 100644
index 0000000000..b7a2a11851
--- /dev/null
+++ b/test/py/tests/test_eficonfig/defs.py
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: GPL-2.0+
+
+# Owner guid
+GUID = '11111111-2222-3333-4444-123456789abc'
+
+# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
+# you need build a newer version on your own.
+# The path must terminate with '/'.
+EFITOOLS_PATH = ''
+
+# "--addcert" option of sbsign must be available, otherwise
+# you need build a newer version on your own.
+# The path must terminate with '/'.
+SBSIGN_PATH = ''
diff --git a/test/py/tests/test_eficonfig/test_eficonfig_sbkey.py b/test/py/tests/test_eficonfig/test_eficonfig_sbkey.py
new file mode 100644
index 0000000000..727288964d
--- /dev/null
+++ b/test/py/tests/test_eficonfig/test_eficonfig_sbkey.py
@@ -0,0 +1,472 @@
+# SPDX-License-Identifier: GPL-2.0+
+""" Unit test for UEFI menu-driven configuration
+"""
+
+import pytest
+import time
+from defs import *
+
+ at pytest.mark.boardspec('sandbox')
+ at pytest.mark.buildconfigspec('cmd_eficonfig')
+ at pytest.mark.buildconfigspec('cmd_bootefi_bootmgr')
+ at pytest.mark.buildconfigspec('efi_secure_boot')
+def test_efi_eficonfig_sbkey(u_boot_config, u_boot_console, efi_boot_env):
+ def send_user_input_and_wait(user_str, expect_str):
+ time.sleep(0.1) # TODO: does not work correctly without sleep
+ u_boot_console.run_command(cmd=user_str, wait_for_prompt=False,
+ wait_for_echo=True, send_nl=False)
+ u_boot_console.run_command(cmd='\x0d', wait_for_prompt=False,
+ wait_for_echo=False, send_nl=False)
+ if expect_str is not None:
+ for i in expect_str:
+ u_boot_console.p.expect([i])
+
+ def press_up_down_enter_and_wait(up_count, down_count, enter, expect_str):
+ # press UP key
+ for i in range(up_count):
+ u_boot_console.run_command(cmd='\x1b\x5b\x41', wait_for_prompt=False,
+ wait_for_echo=False, send_nl=False)
+ # press DOWN key
+ for i in range(down_count):
+ u_boot_console.run_command(cmd='\x1b\x5b\x42', wait_for_prompt=False,
+ wait_for_echo=False, send_nl=False)
+ # press ENTER if requested
+ if enter:
+ u_boot_console.run_command(cmd='\x0d', wait_for_prompt=False,
+ wait_for_echo=False, send_nl=False)
+ # wait expected output
+ if expect_str is not None:
+ for i in expect_str:
+ u_boot_console.p.expect([i])
+
+ def press_escape_key(wait_prompt):
+ u_boot_console.run_command(cmd='\x1b', wait_for_prompt=wait_prompt, wait_for_echo=False, send_nl=False)
+
+ def press_enter_key(wait_prompt):
+ u_boot_console.run_command(cmd='\x0d', wait_for_prompt=wait_prompt,
+ wait_for_echo=False, send_nl=False)
+
+ def check_current_is_maintenance_menu():
+ for i in ('UEFI Maintenance Menu', 'Add Boot Option', 'Edit Boot Option',
+ 'Change Boot Order', 'Delete Boot Option', 'Secure Boot Configuration', 'Quit'):
+ u_boot_console.p.expect([i])
+
+ # Restart the system to clean the previous state
+ u_boot_console.restart_uboot()
+ # bind the test disk image for succeeding tests
+ u_boot_console.run_command(cmd = f'host bind 0 {efi_boot_env}')
+
+ #
+ # Test Case 1: Enroll non-signed ESL(.esl or .crl) in order of KEK, DB, DBX and PK
+ #
+ with u_boot_console.temporary_timeout(500):
+ u_boot_console.run_command('eficonfig', wait_for_prompt=False)
+ check_current_is_maintenance_menu()
+ press_up_down_enter_and_wait(0, 4, True, 'Quit')
+ for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'):
+ u_boot_console.p.expect([i])
+
+ # set KEK.esl to KEK
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 7, True, 'Quit')
+ # check KEK is expected value
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, None)
+ for i in ('Show/Delete Signature Database', 'KEK',
+ 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC',
+ 'Signature Type:', 'X509', 'Subject:', 'TEST_KEK', 'Issuer:', 'TEST_KEK'):
+ u_boot_console.p.expect([i])
+ press_escape_key(False)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+
+ # set db.esl to db
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ # check db is expected value
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, None)
+ for i in ('Show/Delete Signature Database', 'db',
+ 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC',
+ 'Signature Type:', 'X509', 'Subject:', 'TEST_db', 'Issuer:', 'TEST_db'):
+ u_boot_console.p.expect([i])
+ press_escape_key(False)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+
+ # set dbx_hash.crl to dbx
+ press_up_down_enter_and_wait(0, 3, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 3, True, 'Quit')
+ # check dbx is expected value
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, None)
+ # verify CRL, skip hash comparison because it varies in every test
+ for i in ('Show/Delete Signature Database', 'dbx',
+ 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC',
+ 'Signature Type:', 'X509_SHA256 CRL',
+ 'TimeOfRevocation:', '2013-5-27 01:02:03'):
+ u_boot_console.p.expect([i])
+ press_escape_key(False)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+
+ # set PK.esl to PK
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 9, True, 'Quit')
+ # check PK is expected value
+ press_up_down_enter_and_wait(0, 1, True, None)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 0, True, None)
+ for i in ('Show/Delete Signature Database', 'PK',
+ 'Owner GUID', '11111111-2222-3333-4444-123456789ABC',
+ 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK',
+ 'Can not delete PK, Press any key to continue'):
+ u_boot_console.p.expect([i])
+ press_escape_key(False)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+ for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 4, True, 'Quit')
+ check_current_is_maintenance_menu()
+
+ #
+ # Test Case 2: Enroll PK first, then non-signed esl fails to enroll
+ #
+
+ # Restart the system to clean the previous state
+ u_boot_console.restart_uboot()
+ # bind the test disk image for succeeding tests
+ u_boot_console.run_command(cmd = f'host bind 0 {efi_boot_env}')
+
+ with u_boot_console.temporary_timeout(500):
+ u_boot_console.run_command('eficonfig', wait_for_prompt=False)
+ check_current_is_maintenance_menu()
+ press_up_down_enter_and_wait(0, 4, True, 'Quit')
+ for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'):
+ u_boot_console.p.expect([i])
+
+ # set PK.auth to PK
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 8, True, 'Quit')
+ # check PK is expected value
+ press_up_down_enter_and_wait(0, 1, True, None)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 0, True, None)
+ for i in ('Show/Delete Signature Database', 'PK',
+ 'Owner GUID', '11111111-2222-3333-4444-123456789ABC',
+ 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK',
+ 'Can not delete PK, Press any key to continue'):
+ u_boot_console.p.expect([i])
+
+ press_escape_key(False)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+ for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'):
+ u_boot_console.p.expect([i])
+
+ # fail to set KEK.esl
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 7, True, 'Quit')
+ for i in ('ERROR! Failed to update signature database',
+ 'Press any key to continue'):
+ u_boot_console.p.expect([i])
+ press_escape_key(False)
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+
+ # fail to set db.esl
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ for i in ('ERROR! Failed to update signature database',
+ 'Press any key to continue'):
+ u_boot_console.p.expect([i])
+ press_escape_key(False)
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+
+ # fail to set dbx_hash.crl
+ press_up_down_enter_and_wait(0, 3, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 3, True, 'Quit')
+ for i in ('ERROR! Failed to update signature database',
+ 'Press any key to continue'):
+ u_boot_console.p.expect([i])
+ press_escape_key(False)
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+
+ #
+ # Test Case 3: Enroll signed ESL(.auth) in order of PK, KEK, and db, then check status
+ #
+
+ # Restart the system to clean the previous state
+ u_boot_console.restart_uboot()
+ # bind the test disk image for succeeding tests
+ u_boot_console.run_command(cmd = f'host bind 0 {efi_boot_env}')
+
+ with u_boot_console.temporary_timeout(500):
+ u_boot_console.run_command('eficonfig', wait_for_prompt=False)
+ check_current_is_maintenance_menu()
+ press_up_down_enter_and_wait(0, 4, True, 'Quit')
+ for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'):
+ u_boot_console.p.expect([i])
+
+ # set PK.auth to PK
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 8, True, 'Quit')
+ # check PK is expected value
+ press_up_down_enter_and_wait(0, 1, True, None)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 0, True, None)
+ for i in ('Show/Delete Signature Database', 'PK',
+ 'Owner GUID', '11111111-2222-3333-4444-123456789ABC',
+ 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK',
+ 'Can not delete PK, Press any key to continue'):
+ u_boot_console.p.expect([i])
+
+ press_escape_key(False)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+
+ # set KEK.auth to KEK
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 6, True, 'Quit')
+ # check KEK is expected value
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, None)
+ for i in ('Show/Delete Signature Database', 'KEK',
+ 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC',
+ 'Signature Type:', 'X509', 'Subject:', 'TEST_KEK', 'Issuer:', 'TEST_KEK'):
+ u_boot_console.p.expect([i])
+
+ press_escape_key(False)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+
+ # set db.auth to db
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ # check db is expected value
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, None)
+ for i in ('Show/Delete Signature Database', 'db',
+ 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC',
+ 'Signature Type:', 'X509', 'Subject:', 'TEST_db', 'Issuer:', 'TEST_db'):
+ u_boot_console.p.expect([i])
+ press_escape_key(False)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+
+ for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 4, True, 'Quit')
+ check_current_is_maintenance_menu()
+
+ #
+ # Test Case 4: start signed image allowed in db
+ #
+
+ # Select 'Add Boot Option'
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ # Press the enter key to select 'Description:' entry, then enter Description
+ press_up_down_enter_and_wait(0, 0, True, 'enter description:')
+ # Send Description user input, press ENTER key to complete
+ send_user_input_and_wait('hello', 'Quit')
+
+ # Set EFI image(helloworld.efi.signed)
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'host 0:1')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 5, True, 'Quit')
+ for i in ('Description: hello', 'File: host 0:1/helloworld.efi.signed',
+ 'Initrd File:', 'Optional Data:', 'Save', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 4, True, 'Quit')
+ press_escape_key(False)
+ check_current_is_maintenance_menu()
+ press_escape_key(True)
+ response = u_boot_console.run_command(cmd = 'bootefi bootmgr')
+ assert 'Hello, world!' in response
+
+ #
+ # Test Case 5: can not start the image if it is not signed
+ #
+
+ u_boot_console.run_command('eficonfig', wait_for_prompt=False)
+ check_current_is_maintenance_menu()
+ # Select 'Edit Boot Option'
+ press_up_down_enter_and_wait(0, 1, True, None)
+ # Check the curren BootOrder
+ for i in ('hello', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 0, True, None)
+ # Set EFI image(helloworld.efi)
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'host 0:1')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 4, True, 'Quit')
+ for i in ('Description: hello', 'File: host 0:1/helloworld.efi',
+ 'Initrd File:', 'Optional Data:', 'Save', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 4, True, 'Quit')
+ press_escape_key(False)
+ check_current_is_maintenance_menu()
+ press_escape_key(True)
+ response = u_boot_console.run_command(cmd = 'bootefi bootmgr')
+ assert 'Image not authenticated' in response
+
+ #
+ # Test Case 6: can not start the signed image if dbx revokes db certificate
+ #
+
+ u_boot_console.run_command('eficonfig', wait_for_prompt=False)
+ check_current_is_maintenance_menu()
+ # Select 'Edit Boot Option'
+ press_up_down_enter_and_wait(0, 1, True, None)
+ # Check the curren BootOrder
+ for i in ('hello', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ # Set EFI image(helloworld.efi.signed)
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'host 0:1')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 5, True, 'Quit')
+ for i in ('Description: hello', 'File: host 0:1/helloworld.efi.signed',
+ 'Initrd File:', 'Optional Data:', 'Save', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 4, True, 'Quit')
+ press_escape_key(False)
+ check_current_is_maintenance_menu()
+ press_up_down_enter_and_wait(0, 4, True, 'Quit')
+ # set dbx_hash.auth to dbx
+ press_up_down_enter_and_wait(0, 3, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+ # check db is expected value
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, None)
+ # verify CRL, skip hash comparison because it varies in every test
+ for i in ('Show/Delete Signature Database', 'dbx',
+ 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC',
+ 'Signature Type:', 'X509_SHA256 CRL',
+ 'TimeOfRevocation:', '2013-5-27 01:02:03'):
+ u_boot_console.p.expect([i])
+ press_escape_key(False)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+ press_escape_key(False)
+ check_current_is_maintenance_menu()
+ press_escape_key(True)
+ response = u_boot_console.run_command(cmd = 'bootefi bootmgr')
+ assert 'Image not authenticated' in response
+
+ #
+ # Test Case 7: clear PK with null key, check secure boot is OFF
+ #
+
+ u_boot_console.run_command('eficonfig', wait_for_prompt=False)
+ check_current_is_maintenance_menu()
+ press_up_down_enter_and_wait(0, 4, True, 'Quit')
+ for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'):
+ u_boot_console.p.expect([i])
+
+ # clear PK with null key
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 10, True, 'Quit')
+
+ press_up_down_enter_and_wait(0, 1, True, None)
+ for i in ('There is no entry in the signature database.', 'Press any key to continue'):
+ u_boot_console.p.expect([i])
+
+ press_enter_key(False)
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+ for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'):
+ u_boot_console.p.expect([i])
+
+ # delete dbx
+ press_up_down_enter_and_wait(0, 3, True, 'Quit')
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_enter_key(False)
+ for i in ('TimeOfRevocation:', '2013-5-27 01:02:03'):
+ u_boot_console.p.expect([i])
+ press_enter_key(False)
+ for i in ('Are you sure you want to delete this item?', 'Press ENTER to delete'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 0, True, None)
+ for i in ('There is no entry in the signature database.',
+ 'Press any key to continue'):
+ u_boot_console.p.expect([i])
+ press_enter_key(False)
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+
+ # set PK.auth to PK
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 0, True, 'Quit')
+ press_up_down_enter_and_wait(0, 8, True, 'Quit')
+ # check PK is expected value
+ press_up_down_enter_and_wait(0, 1, True, None)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 0, True, None)
+ for i in ('Show/Delete Signature Database', 'PK',
+ 'Owner GUID', '11111111-2222-3333-4444-123456789ABC',
+ 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK',
+ 'Can not delete PK, Press any key to continue'):
+ u_boot_console.p.expect([i])
+ press_escape_key(False)
+ for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'):
+ u_boot_console.p.expect([i])
+ press_up_down_enter_and_wait(0, 1, True, 'Quit')
+ press_up_down_enter_and_wait(0, 2, True, 'Quit')
+ for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'):
+ u_boot_console.p.expect([i])
+ press_escape_key(False)
+ check_current_is_maintenance_menu()
+ press_escape_key(True)
+ response = u_boot_console.run_command(cmd = 'bootefi bootmgr')
+ assert 'Hello, world!' in response
--
2.17.1
More information about the U-Boot
mailing list