[PATCH v4 4/6] test: vboot: handle CONFIG_FIT_REQUIRE_CONFIG_SIGS in test_vboot
Ludwig Nussel
ludwig.nussel at siemens.com
Wed May 13 16:08:14 CEST 2026
Make sure test_vboot works with CONFIG_FIT_REQUIRE_CONFIG_SIGS set
and unset.
Enable CONFIG_FIT_REQUIRE_CONFIG_SIGS in sandbox_defconfig and leave
it off in other sandbox configs
Co-authored-by: Copilot <223556219+Copilot at users.noreply.github.com>
Signed-off-by: Ludwig Nussel <ludwig.nussel at siemens.com>
---
Changes in v4:
- test CONFIG_FIT_REQUIRE_CONFIG_SIGS in test_vboot
- set CONFIG_FIT_REQUIRE_CONFIG_SIGS in sandbox_defconfig
configs/sandbox_defconfig | 1 +
test/py/tests/test_vboot.py | 60 +++++++++++++++++++++++++++++--------
2 files changed, 49 insertions(+), 12 deletions(-)
diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index ba800f7d19d..e9866a92fcb 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -21,6 +21,7 @@ CONFIG_EFI_CAPSULE_CRT_FILE="board/sandbox/capsule_pub_key_good.crt"
CONFIG_BUTTON_CMD=y
CONFIG_FIT=y
CONFIG_FIT_SIGNATURE=y
+CONFIG_FIT_REQUIRE_CONFIG_SIGS=y
CONFIG_FIT_CIPHER=y
CONFIG_FIT_VERBOSE=y
CONFIG_BOOTMETH_ANDROID=y
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 55518bed07e..f7156943c24 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -306,26 +306,54 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
dtc('sandbox-kernel.dts', ubman, dtc_args, datadir, tmpdir, dtb)
dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb)
- # Build the FIT, but don't sign anything yet
- ubman.log.action('%s: Test FIT with signed images' % sha_algo)
- make_fit('sign-images-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
- run_bootm(sha_algo, 'unsigned images', ' - OK' if algo_arg else 'dev-', True)
+ bcfg = ubman.config.buildconfig
+ require_config_sigs = bcfg.get('config_fit_require_config_sigs', False)
- # Sign images with our dev keys
- sign_fit(sha_algo, sign_options)
- run_bootm(sha_algo, 'signed images', 'dev+', True)
+ if not require_config_sigs:
+ # Build the FIT, but don't sign anything yet
+ ubman.log.action('%s: Test FIT with signed images' % sha_algo)
+ make_fit('sign-images-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
+ run_bootm(sha_algo, 'unsigned images', ' - OK' if algo_arg else 'dev-', True)
- # Create a fresh .dtb without the public keys
- dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb)
+ # Sign images with our dev keys
+ sign_fit(sha_algo, sign_options)
+ run_bootm(sha_algo, 'signed images', 'dev+', True)
- ubman.log.action('%s: Test FIT with signed configuration' % sha_algo)
+ # Create a fresh .dtb without the public keys
+ dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb)
+
+ ubman.log.action('%s: Test FIT with unsigned configuration' % sha_algo)
make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
- run_bootm(sha_algo, 'unsigned config', '%s+ OK' % ('sha256' if algo_arg else sha_algo), True)
+ if require_config_sigs:
+ # DTB has no /signature node; FIT_REQUIRE_CONFIG_SIGS makes this
+ # fail-closed, so U-Boot must reject the unsigned config FIT.
+ run_bootm(sha_algo, 'unsigned config',
+ 'No signature node found', False)
+ else:
+ # No required keys in the DTB, so an unsigned config FIT is fine.
+ run_bootm(sha_algo, 'unsigned config',
+ '%s+ OK' % ('sha256' if algo_arg else sha_algo), True)
- # Sign images with our dev keys
+ ubman.log.action('%s: Test FIT with signed configuration' % sha_algo)
sign_fit(sha_algo, sign_options)
run_bootm(sha_algo, 'signed config', 'dev+', True)
+ # Test a signed FIT config when the DTB has no keys at all.
+ # Without FIT_REQUIRE_CONFIG_SIGS the absence of keys in the DTB means
+ # there are no required-key checks, so the boot must succeed.
+ # With FIT_REQUIRE_CONFIG_SIGS the missing /signature node in the DTB is
+ # treated as a hard failure regardless of whether the FIT is signed.
+ ubman.log.action('%s: Test signed FIT with no keys in DTB' % sha_algo)
+ dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb)
+ if require_config_sigs:
+ run_bootm(sha_algo, 'signed config, no DTB keys',
+ 'No signature node found', False)
+ else:
+ run_bootm(sha_algo, 'signed config, no DTB keys',
+ '%s+ OK' % ('sha256' if algo_arg else sha_algo), True)
+ # Restore keys in the DTB for the checks that follow.
+ sign_fit(sha_algo, sign_options)
+
ubman.log.action('%s: Check signed config on the host' % sha_algo)
utils.run_and_log(ubman, [fit_check_sign, '-f', fit, '-k', dtb])
@@ -485,6 +513,14 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
padding: Either '' or '-pss', to select the padding to use for the
rsa signature algorithm.
"""
+ # test_fdt_add_pubkey reuses this tmpdir and needs sandbox-kernel.dtb,
+ # so compile it unconditionally before any early exit.
+ dtc('sandbox-kernel.dts', ubman, dtc_args, datadir, tmpdir, None)
+
+ bcfg = ubman.config.buildconfig
+ if bcfg.get('config_fit_require_config_sigs', False):
+ pytest.skip('simple-images.its has no config-level signatures; '
+ 'incompatible with CONFIG_FIT_REQUIRE_CONFIG_SIGS')
dtb = '%ssandbox-u-boot-global%s.dtb' % (tmpdir, padding)
ubman.config.dtb = dtb
--
2.43.0
More information about the U-Boot
mailing list