[RFC PATCH v2 8/9] test: py: vboot: prepare integration test for ecdsa
Philippe Reynes
philippe.reynes at softathome.com
Thu Feb 19 14:25:51 CET 2026
The vboot tests only consider the RSA algorithm for signatures.
To prepare for the integration of the ECDSA tests, the signature
algorithm is now explicit.
Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com>
---
v2:
- initial version
test/py/tests/test_fit_ecdsa.py | 2 +-
test/py/tests/test_vboot.py | 99 ++++++++++---------
....its => sign-configs-sha1-rsa2048-pss.its} | 0
...sha1.its => sign-configs-sha1-rsa2048.its} | 0
... sign-configs-sha256-rsa2048-pss-prod.its} | 0
...ts => sign-configs-sha256-rsa2048-pss.its} | 0
...56.its => sign-configs-sha256-rsa2048.its} | 0
...84.its => sign-configs-sha384-rsa3072.its} | 0
...s.its => sign-images-sha1-rsa2048-pss.its} | 0
...-sha1.its => sign-images-sha1-rsa2048.its} | 0
...its => sign-images-sha256-rsa2048-pss.its} | 0
...256.its => sign-images-sha256-rsa2048.its} | 0
...384.its => sign-images-sha384-rsa3072.its} | 0
13 files changed, 51 insertions(+), 50 deletions(-)
rename test/py/tests/vboot/{sign-configs-sha1-pss.its => sign-configs-sha1-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha1.its => sign-configs-sha1-rsa2048.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha256-pss-prod.its => sign-configs-sha256-rsa2048-pss-prod.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha256-pss.its => sign-configs-sha256-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha256.its => sign-configs-sha256-rsa2048.its} (100%)
rename test/py/tests/vboot/{sign-configs-sha384.its => sign-configs-sha384-rsa3072.its} (100%)
rename test/py/tests/vboot/{sign-images-sha1-pss.its => sign-images-sha1-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-images-sha1.its => sign-images-sha1-rsa2048.its} (100%)
rename test/py/tests/vboot/{sign-images-sha256-pss.its => sign-images-sha256-rsa2048-pss.its} (100%)
rename test/py/tests/vboot/{sign-images-sha256.its => sign-images-sha256-rsa2048.its} (100%)
rename test/py/tests/vboot/{sign-images-sha384.its => sign-images-sha384-rsa3072.its} (100%)
diff --git a/test/py/tests/test_fit_ecdsa.py b/test/py/tests/test_fit_ecdsa.py
index 3e816d68eb6..e59390374af 100644
--- a/test/py/tests/test_fit_ecdsa.py
+++ b/test/py/tests/test_fit_ecdsa.py
@@ -102,7 +102,7 @@ def test_fit_ecdsa(ubman):
with open(key_file, 'w') as f:
f.write(key.export_key(format='PEM'))
- assemble_fit_image(fit_file, f'{datadir}/sign-images-sha256.its', tempdir)
+ assemble_fit_image(fit_file, f'{datadir}/sign-images-sha256-rsa2048.its', tempdir)
fit = SignableFitImage(ubman, fit_file)
nodes = fit.find_signable_image_nodes()
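Review bot: The ECDSA test now loads `sign-images-sha256-rsa2048.its`, so a test about ECDSA signing names an RSA template and the reader cannot tell which algorithm ends up in the signature node. Whether the algorithm is replaced when the image is signed is not visible in this hunk. Either add a comment above the `assemble_fit_image` call explaining why the RSA-named template is acceptable here, or point the test at a template whose name matches the algorithm under test. The body of `test_fit_ecdsa` starts and ends outside the hunk.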
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 7a7f9c379de..fd1bf6eb8aa 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -84,21 +84,21 @@ def make_fit(its, ubman, mkimage, dtc_args, datadir, fit):
# Only run the full suite on a few combinations, since it doesn't add any more
# test coverage.
TESTDATA_IN = [
- ['sha1-basic', 'sha1', '', None, False, True, False, False],
- ['sha1-pad', 'sha1', '', '-E -p 0x10000', False, False, False, False],
- ['sha1-pss', 'sha1', '-pss', None, False, False, False, False],
- ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False, False, False, False],
- ['sha256-basic', 'sha256', '', None, False, False, False, False],
- ['sha256-pad', 'sha256', '', '-E -p 0x10000', False, False, False, False],
- ['sha256-pss', 'sha256', '-pss', None, False, False, False, False],
- ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False, False, False],
- ['sha256-pss-required', 'sha256', '-pss', None, True, False, False, False],
- ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True, False, False],
- ['sha384-basic', 'sha384', '', None, False, False, False, False],
- ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False, False, False],
- ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', False, False, True, False],
- ['sha256-global-sign', 'sha256', '', '', False, False, False, True],
- ['sha256-global-sign-pss', 'sha256', '-pss', '', False, False, False, True],
+ ['sha1-basic', 'sha1', '-rsa2048', '', None, False, True, False, False],
+ ['sha1-pad', 'sha1', '-rsa2048', '', '-E -p 0x10000', False, False, False, False],
+ ['sha1-pss', 'sha1', '-rsa2048', '-pss', None, False, False, False, False],
+ ['sha1-pss-pad', 'sha1', '-rsa2048', '-pss', '-E -p 0x10000', False, False, False, False],
+ ['sha256-basic', 'sha256', '-rsa2048', '', None, False, False, False, False],
+ ['sha256-pad', 'sha256', '-rsa2048', '', '-E -p 0x10000', False, False, False, False],
+ ['sha256-pss', 'sha256', '-rsa2048', '-pss', None, False, False, False, False],
+ ['sha256-pss-pad', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', False, False, False, False],
+ ['sha256-pss-required', 'sha256', '-rsa2048', '-pss', None, True, False, False, False],
+ ['sha256-pss-pad-required', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', True, True, False, False],
+ ['sha384-basic', 'sha384', '-rsa3072', '', None, False, False, False, False],
+ ['sha384-pad', 'sha384', '-rsa3072', '', '-E -p 0x10000', False, False, False, False],
+ ['algo-arg', 'algo-arg', '', '', '-o sha256,rsa2048', False, False, True, False],
+ ['sha256-global-sign', 'sha256', '-rsa2048', '', '', False, False, False, True],
+ ['sha256-global-sign-pss', 'sha256', '-rsa2048', '-pss', '', False, False, False, True],
]
# Mark all but the first test as slow, so they are not run with '-k not slow'
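Review bot: Each `TESTDATA_IN` row is now a nine-element positional list ending in four bare booleans, and the new third field is a file-name fragment with a leading dash (`'-rsa2048'`) rather than an algorithm name. A value slipped into the wrong column would silently select a different template or test path. A column comment above the list would help, for example `# name, sha_algo, sig_algo (.its name fragment, '' when the algo comes from '-o'), padding, sign_options, required, full_test, algo_arg, global_sign`. The empty `sig_algo` in the `algo-arg` row deserves its own mention there, since later code treats `''` as RSA.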
@@ -111,9 +111,9 @@ TESTDATA += [pytest.param(*v, marks=pytest.mark.slow) for v in TESTDATA_IN[1:]]
@pytest.mark.requiredtool('fdtget')
@pytest.mark.requiredtool('fdtput')
@pytest.mark.requiredtool('openssl')
- at pytest.mark.parametrize("name,sha_algo,padding,sign_options,required,full_test,algo_arg,global_sign",
+ at pytest.mark.parametrize("name,sha_algo,sig_algo,padding,sign_options,required,full_test,algo_arg,global_sign",
TESTDATA)
-def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
+def test_vboot(ubman, name, sha_algo, sig_algo, padding, sign_options, required,
full_test, algo_arg, global_sign):
"""Test verified boot signing with mkimage and verification with 'bootm'.
@@ -287,7 +287,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
utils.run_and_log(ubman, 'openssl req -batch -new -x509 -key %s%s.key '
'-out %s%s.crt' % (tmpdir, name, tmpdir, name))
- def test_with_algo(sha_algo, padding, sign_options):
+ def test_with_algo(sha_algo, sig_algo, padding, sign_options):
"""Test verified boot with the given hash algorithm.
This is the main part of the test code. The same procedure is followed
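Review bot: `test_with_algo` gains a `sig_algo` parameter but its docstring still opens with "Test verified boot with the given hash algorithm", and no added line documents the new argument. The docstring continues outside the hunk, so if it has an Args section it needs an entry such as `sig_algo: Signature algorithm fragment of the .its file name, e.g. '-rsa2048'`. The same applies to `test_required_key` and `test_add_pubkey`, whose signatures change in later hunks with the docstring untouched.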
@@ -308,7 +308,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
# Build the FIT, but don't sign anything yet
ubman.log.action('%s: Test FIT with signed images' % sha_algo)
- make_fit('sign-images-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
+ make_fit('sign-images-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
run_bootm(sha_algo, 'unsigned images', ' - OK' if algo_arg else 'dev-', True)
# Sign images with our dev keys
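Review bot: The template name is now assembled by hand as `'sign-images-%s%s%s.its' % (sha_algo, sig_algo, padding)` here and as the `sign-configs-` variant in six more hunks of this file. The next algorithm added will have to touch every one of them in the same way. A small nested helper would keep the naming rule in one place, e.g. `def its_name(kind, suffix=''): return 'sign-%s-%s%s%s%s.its' % (kind, sha_algo, sig_algo, padding, suffix)`, called as `its_name('images')` or `its_name('configs', '-prod')`. Separately, the `ubman.log.action` line above still prints only `sha_algo`, so the log will not distinguish RSA runs from ECDSA runs once both exist.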
@@ -319,7 +319,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb)
ubman.log.action('%s: Test FIT with signed configuration' % sha_algo)
- make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
+ make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
run_bootm(sha_algo, 'unsigned config', '%s+ OK' % ('sha256' if algo_arg else sha_algo), True)
# Sign images with our dev keys
@@ -369,7 +369,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
run_bootm(sha_algo, 'evil kernel@', msg, False, efit)
# Create a new properly signed fit and replace header bytes
- make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
+ make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
sign_fit(sha_algo, sign_options)
bcfg = ubman.config.buildconfig
max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
@@ -401,7 +401,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
ubman, [fit_check_sign, '-f', fit, '-k', dtb],
1, 'Failed to verify required signature')
- def test_required_key(sha_algo, padding, sign_options):
+ def test_required_key(sha_algo, sig_algo, padding, sign_options):
"""Test verified boot with the given hash algorithm.
This function tests if U-Boot rejects an image when a required key isn't
@@ -423,12 +423,12 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
# Build the FIT with prod key (keys required) and sign it. This puts the
# signature into sandbox-u-boot.dtb, marked 'required'
- make_fit('sign-configs-%s%s-prod.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
+ make_fit('sign-configs-%s%s%s-prod.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
sign_fit(sha_algo, sign_options)
# Build the FIT with dev key (keys NOT required). This adds the
# signature into sandbox-u-boot.dtb, NOT marked 'required'.
- make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
+ make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
sign_fit_norequire(sha_algo, sign_options)
# So now sandbox-u-boot.dtb two signatures, for the prod and dev keys.
@@ -440,7 +440,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
# Build the FIT with dev key (keys required) and sign it. This puts the
# signature into sandbox-u-boot.dtb, marked 'required'.
- make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
+ make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
sign_fit(sha_algo, sign_options)
# Set the required-mode policy to "any".
@@ -520,8 +520,9 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
dtb = '%ssandbox-u-boot.dtb' % tmpdir
sig_node = '/configurations/conf-1/signature'
- create_rsa_pair('dev')
- create_rsa_pair('prod')
+ if sig_algo == "-rsa2048" or sig_algo == "-rsa3072" or sig_algo == "":
+ create_rsa_pair('dev')
+ create_rsa_pair('prod')
# Create a number kernel image with zeroes
with open('%stest-kernel.bin' % tmpdir, 'wb') as fd:
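Review bot: The new guard around `create_rsa_pair` has no `else`, so any `sig_algo` outside the three listed values runs the rest of the test without generating keys. The signing steps would then fail far from the cause, or might pick up key files left in `tmpdir` by an earlier run, which a verified-boot test should not be able to do silently. Fail early instead, with `else: pytest.fail('unsupported sig_algo %r' % sig_algo)`, until the ECDSA branch exists. The condition also reads better as `if sig_algo in ('-rsa2048', '-rsa3072', ''):`, with single quotes like the rest of the file and a comment that `''` is the `algo-arg` case.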
@@ -540,9 +541,9 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
if global_sign:
test_global_sign(sha_algo, padding, sign_options)
elif required:
- test_required_key(sha_algo, padding, sign_options)
+ test_required_key(sha_algo, sig_algo, padding, sign_options)
else:
- test_with_algo(sha_algo, padding, sign_options)
+ test_with_algo(sha_algo, sig_algo, padding, sign_options)
finally:
# Go back to the original U-Boot with the correct dtb.
ubman.config.dtb = old_dtb
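Review bot: `test_global_sign(sha_algo, padding, sign_options)` is the only helper in this dispatch that does not receive `sig_algo`, although both global-sign rows now carry `'-rsa2048'`. Its body is not part of the patch, so please confirm it does not build a `sign-*.its` name from `sha_algo` and `padding`, which would no longer match the renamed files. If it needs no algorithm-specific template, a short comment at the call would explain why it is the exception.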
@@ -550,21 +551,21 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
TESTDATA_IN = [
- ['sha1-basic', 'sha1', '', None, False],
- ['sha1-pad', 'sha1', '', '-E -p 0x10000', False],
- ['sha1-pss', 'sha1', '-pss', None, False],
- ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False],
- ['sha256-basic', 'sha256', '', None, False],
- ['sha256-pad', 'sha256', '', '-E -p 0x10000', False],
- ['sha256-pss', 'sha256', '-pss', None, False],
- ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False],
- ['sha256-pss-required', 'sha256', '-pss', None, False],
- ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', False],
- ['sha384-basic', 'sha384', '', None, False],
- ['sha384-pad', 'sha384', '', '-E -p 0x10000', False],
- ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', True],
- ['sha256-global-sign', 'sha256', '', '', False],
- ['sha256-global-sign-pss', 'sha256', '-pss', '', False],
+ ['sha1-basic', 'sha1', '-rsa2048', '', None, False],
+ ['sha1-pad', 'sha1', '-rsa2048', '', '-E -p 0x10000', False],
+ ['sha1-pss', 'sha1', '-rsa2048', '-pss', None, False],
+ ['sha1-pss-pad', 'sha1', '-rsa2048', '-pss', '-E -p 0x10000', False],
+ ['sha256-basic', 'sha256', '-rsa2048', '', None, False],
+ ['sha256-pad', 'sha256', '-rsa2048', '', '-E -p 0x10000', False],
+ ['sha256-pss', 'sha256', '-rsa2048', '-pss', None, False],
+ ['sha256-pss-pad', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', False],
+ ['sha256-pss-required', 'sha256', '-rsa2048', '-pss', None, False],
+ ['sha256-pss-pad-required', 'sha256', '-rsa2048' , '-pss', '-E -p 0x10000', False],
+ ['sha384-basic', 'sha384', '-rsa3072', '', None, False],
+ ['sha384-pad', 'sha384', '-rsa3072', '', '-E -p 0x10000', False],
+ ['algo-arg', 'algo-arg', '', '', '-o sha256,rsa2048', True],
+ ['sha256-global-sign', 'sha256', '-rsa2048', '', '', False],
+ ['sha256-global-sign-pss', 'sha256', '-rsa2048', '-pss', '', False],
]
# Mark all but the first test as slow, so they are not run with '-k not slow'
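Review bot: The `sha256-pss-pad-required` row has a stray space before the comma, `'-rsa2048' , '-pss'`, which pycodestyle reports as E203; it should read `'-rsa2048', '-pss'`. This second `TESTDATA_IN` repeats the name, hash, signature and padding columns of the first table row for row. With the new column both copies must now be kept in step by hand, so deriving this list from the first one would remove that risk.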
@@ -575,8 +576,8 @@ TESTDATA += [pytest.param(*v, marks=pytest.mark.slow) for v in TESTDATA_IN[1:]]
@pytest.mark.buildconfigspec('fit_signature')
@pytest.mark.requiredtool('dtc')
@pytest.mark.requiredtool('openssl')
- at pytest.mark.parametrize("name,sha_algo,padding,sign_options,algo_arg", TESTDATA)
-def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg):
+ at pytest.mark.parametrize("name,sha_algo,sig_algo,padding,sign_options,algo_arg", TESTDATA)
+def test_fdt_add_pubkey(ubman, name, sha_algo, sig_algo, padding, sign_options, algo_arg):
"""Test fdt_add_pubkey utility with bunch of different algo options."""
def sign_fit(sha_algo, options):
@@ -595,7 +596,7 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg):
ubman.log.action('%s: Sign images' % sha_algo)
utils.run_and_log(ubman, args)
- def test_add_pubkey(sha_algo, padding, sign_options):
+ def test_add_pubkey(sha_algo, sig_algo, padding, sign_options):
"""Test fdt_add_pubkey utility with given hash algorithm and padding.
This function tests if fdt_add_pubkey utility may add public keys into dtb.
@@ -618,7 +619,7 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg):
'rsa3072' if sha_algo == 'sha384' else 'rsa2048'),
'-k', tmpdir, '-n', 'dev', '-r', 'conf', dtb])
- make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
+ make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
# Sign images with our dev keys
sign_fit(sha_algo, sign_options)
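Review bot: The context lines above the changed `make_fit` call still choose the key type with `'rsa3072' if sha_algo == 'sha384' else 'rsa2048'`. The algorithm passed to fdt_add_pubkey is therefore inferred from the hash, while the template name now comes from `sig_algo`, and the two will disagree as soon as a non-RSA row is added. Deriving it from the new parameter keeps them consistent, e.g. `sig_algo.lstrip('-') or 'rsa2048'`, where the fallback covers the `algo-arg` row whose `sig_algo` is empty. That call starts outside the hunk, so check the exact expression against the full statement.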
@@ -640,4 +641,4 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg):
# keys created in test_vboot test
- test_add_pubkey(sha_algo, padding, sign_options)
+ test_add_pubkey(sha_algo, sig_algo, padding, sign_options)
diff --git a/test/py/tests/vboot/sign-configs-sha1-pss.its b/test/py/tests/vboot/sign-configs-sha1-rsa2048-pss.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha1-pss.its
rename to test/py/tests/vboot/sign-configs-sha1-rsa2048-pss.its
diff --git a/test/py/tests/vboot/sign-configs-sha1.its b/test/py/tests/vboot/sign-configs-sha1-rsa2048.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha1.its
rename to test/py/tests/vboot/sign-configs-sha1-rsa2048.its
diff --git a/test/py/tests/vboot/sign-configs-sha256-pss-prod.its b/test/py/tests/vboot/sign-configs-sha256-rsa2048-pss-prod.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha256-pss-prod.its
rename to test/py/tests/vboot/sign-configs-sha256-rsa2048-pss-prod.its
diff --git a/test/py/tests/vboot/sign-configs-sha256-pss.its b/test/py/tests/vboot/sign-configs-sha256-rsa2048-pss.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha256-pss.its
rename to test/py/tests/vboot/sign-configs-sha256-rsa2048-pss.its
diff --git a/test/py/tests/vboot/sign-configs-sha256.its b/test/py/tests/vboot/sign-configs-sha256-rsa2048.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha256.its
rename to test/py/tests/vboot/sign-configs-sha256-rsa2048.its
diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384-rsa3072.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha384.its
rename to test/py/tests/vboot/sign-configs-sha384-rsa3072.its
diff --git a/test/py/tests/vboot/sign-images-sha1-pss.its b/test/py/tests/vboot/sign-images-sha1-rsa2048-pss.its
similarity index 100%
rename from test/py/tests/vboot/sign-images-sha1-pss.its
rename to test/py/tests/vboot/sign-images-sha1-rsa2048-pss.its
diff --git a/test/py/tests/vboot/sign-images-sha1.its b/test/py/tests/vboot/sign-images-sha1-rsa2048.its
similarity index 100%
rename from test/py/tests/vboot/sign-images-sha1.its
rename to test/py/tests/vboot/sign-images-sha1-rsa2048.its
diff --git a/test/py/tests/vboot/sign-images-sha256-pss.its b/test/py/tests/vboot/sign-images-sha256-rsa2048-pss.its
similarity index 100%
rename from test/py/tests/vboot/sign-images-sha256-pss.its
rename to test/py/tests/vboot/sign-images-sha256-rsa2048-pss.its
diff --git a/test/py/tests/vboot/sign-images-sha256.its b/test/py/tests/vboot/sign-images-sha256-rsa2048.its
similarity index 100%
rename from test/py/tests/vboot/sign-images-sha256.its
rename to test/py/tests/vboot/sign-images-sha256-rsa2048.its
diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384-rsa3072.its
similarity index 100%
rename from test/py/tests/vboot/sign-images-sha384.its
rename to test/py/tests/vboot/sign-images-sha384-rsa3072.its
--
2.43.0