[PATCH v6 07/15] test: py: vboot: prepare integration test for ecdsa
Raymond Mao
raymondmaoca at gmail.com
Mon May 25 17:32:13 CEST 2026
Hi Philippe,
On Mon, May 25, 2026 at 9:52 AM Philippe Reynes
<philippe.reynes at softathome.com> wrote:
>
> The vboot tests only consider the RSA algorithm for signatures.
> To prepare for the integration of ECDSA tests, the signature
> algorithm is now explicit.
>
> Reviewed-by: Simon Glass <simon.glass at canonical.com>
> Reviewed-by: Simon Glass <sjg at chromium.org>
> Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com>
> ---
> v2:
> - initial version
> v3:
> - no change
> v4:
> - no change
> v5:
> - no change
> v6:
> - no change
>
> test/py/tests/test_fit_ecdsa.py | 2 +-
> test/py/tests/test_vboot.py | 99 ++++++++++---------
> ....its => sign-configs-sha1-rsa2048-pss.its} | 0
> ...sha1.its => sign-configs-sha1-rsa2048.its} | 0
> ... sign-configs-sha256-rsa2048-pss-prod.its} | 0
> ...ts => sign-configs-sha256-rsa2048-pss.its} | 0
> ...56.its => sign-configs-sha256-rsa2048.its} | 0
> ...84.its => sign-configs-sha384-rsa3072.its} | 0
> ...s.its => sign-images-sha1-rsa2048-pss.its} | 0
> ...-sha1.its => sign-images-sha1-rsa2048.its} | 0
> ...its => sign-images-sha256-rsa2048-pss.its} | 0
> ...256.its => sign-images-sha256-rsa2048.its} | 0
> ...384.its => sign-images-sha384-rsa3072.its} | 0
> 13 files changed, 51 insertions(+), 50 deletions(-)
> rename test/py/tests/vboot/{sign-configs-sha1-pss.its => sign-configs-sha1-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha1.its => sign-configs-sha1-rsa2048.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha256-pss-prod.its => sign-configs-sha256-rsa2048-pss-prod.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha256-pss.its => sign-configs-sha256-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha256.its => sign-configs-sha256-rsa2048.its} (100%)
> rename test/py/tests/vboot/{sign-configs-sha384.its => sign-configs-sha384-rsa3072.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha1-pss.its => sign-images-sha1-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha1.its => sign-images-sha1-rsa2048.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha256-pss.its => sign-images-sha256-rsa2048-pss.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha256.its => sign-images-sha256-rsa2048.its} (100%)
> rename test/py/tests/vboot/{sign-images-sha384.its => sign-images-sha384-rsa3072.its} (100%)
>
Looks good to me. Thanks!
Reviewed-by: Raymond Mao <raymondmaoca at gmail.com>
> diff --git a/test/py/tests/test_fit_ecdsa.py b/test/py/tests/test_fit_ecdsa.py
> index 3e816d68eb6..e59390374af 100644
> --- a/test/py/tests/test_fit_ecdsa.py
> +++ b/test/py/tests/test_fit_ecdsa.py
> @@ -102,7 +102,7 @@ def test_fit_ecdsa(ubman):
> with open(key_file, 'w') as f:
> f.write(key.export_key(format='PEM'))
>
> - assemble_fit_image(fit_file, f'{datadir}/sign-images-sha256.its', tempdir)
> + assemble_fit_image(fit_file, f'{datadir}/sign-images-sha256-rsa2048.its', tempdir)
>
> fit = SignableFitImage(ubman, fit_file)
> nodes = fit.find_signable_image_nodes()
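Review bot: The ECDSA test now loads an ITS whose name advertises `rsa2048`, which reads as a mismatch at the `assemble_fit_image` call. The hunk does not show whether the signature algorithm is switched to ECDSA later in test_fit_ecdsa, so this may well be intentional. If it is, a comment above the call such as `# RSA-named ITS is only used as a template; the ECDSA algo is selected at signing time` (wording to be confirmed against the rest of the function) would stop a reader from assuming this test exercises an RSA-signed image. test_fit_ecdsa's body continues outside the hunk.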
> diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> index 55518bed07e..496d314c649 100644
> --- a/test/py/tests/test_vboot.py
> +++ b/test/py/tests/test_vboot.py
> @@ -84,21 +84,21 @@ def make_fit(its, ubman, mkimage, dtc_args, datadir, fit):
> # Only run the full suite on a few combinations, since it doesn't add any more
> # test coverage.
> TESTDATA_IN = [
> - ['sha1-basic', 'sha1', '', None, False, True, False, False],
> - ['sha1-pad', 'sha1', '', '-E -p 0x10000', False, False, False, False],
> - ['sha1-pss', 'sha1', '-pss', None, False, False, False, False],
> - ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False, False, False, False],
> - ['sha256-basic', 'sha256', '', None, False, False, False, False],
> - ['sha256-pad', 'sha256', '', '-E -p 0x10000', False, False, False, False],
> - ['sha256-pss', 'sha256', '-pss', None, False, False, False, False],
> - ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False, False, False],
> - ['sha256-pss-required', 'sha256', '-pss', None, True, False, False, False],
> - ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True, False, False],
> - ['sha384-basic', 'sha384', '', None, False, False, False, False],
> - ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False, False, False],
> - ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', False, False, True, False],
> - ['sha256-global-sign', 'sha256', '', '', False, False, False, True],
> - ['sha256-global-sign-pss', 'sha256', '-pss', '', False, False, False, True],
> + ['sha1-basic', 'sha1', '-rsa2048', '', None, False, True, False, False],
> + ['sha1-pad', 'sha1', '-rsa2048', '', '-E -p 0x10000', False, False, False, False],
> + ['sha1-pss', 'sha1', '-rsa2048', '-pss', None, False, False, False, False],
> + ['sha1-pss-pad', 'sha1', '-rsa2048', '-pss', '-E -p 0x10000', False, False, False, False],
> + ['sha256-basic', 'sha256', '-rsa2048', '', None, False, False, False, False],
> + ['sha256-pad', 'sha256', '-rsa2048', '', '-E -p 0x10000', False, False, False, False],
> + ['sha256-pss', 'sha256', '-rsa2048', '-pss', None, False, False, False, False],
> + ['sha256-pss-pad', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', False, False, False, False],
> + ['sha256-pss-required', 'sha256', '-rsa2048', '-pss', None, True, False, False, False],
> + ['sha256-pss-pad-required', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', True, True, False, False],
> + ['sha384-basic', 'sha384', '-rsa3072', '', None, False, False, False, False],
> + ['sha384-pad', 'sha384', '-rsa3072', '', '-E -p 0x10000', False, False, False, False],
> + ['algo-arg', 'algo-arg', '', '', '-o sha256,rsa2048', False, False, True, False],
> + ['sha256-global-sign', 'sha256', '-rsa2048', '', '', False, False, False, True],
> + ['sha256-global-sign-pss', 'sha256', '-rsa2048', '-pss', '', False, False, False, True],
> ]
>
> # Mark all but the first test as slow, so they are not run with '-k not slow'
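Review bot: Each TESTDATA_IN row is now a nine-element positional list and nothing in the table names the columns, so a row with one value shifted would still parametrize and only misbehave at run time. A header comment above the list, `# name, sha_algo, sig_algo, padding, sign_options, required, full_test, algo_arg, global_sign`, would make the rows checkable by eye. It is also worth saying there that `sig_algo` is an ITS filename fragment including its leading hyphen (`'-rsa2048'`, or `''` for the algo-arg row) rather than an algorithm name, since the key-generation check later in the patch compares against those hyphenated strings. The second TESTDATA_IN table, for test_fdt_add_pubkey, has the same shape and additionally a stray space before the comma after `'-rsa2048'` on its sha256-pss-pad-required row.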
> @@ -111,9 +111,9 @@ TESTDATA += [pytest.param(*v, marks=pytest.mark.slow) for v in TESTDATA_IN[1:]]
> @pytest.mark.requiredtool('fdtget')
> @pytest.mark.requiredtool('fdtput')
> @pytest.mark.requiredtool('openssl')
> - at pytest.mark.parametrize("name,sha_algo,padding,sign_options,required,full_test,algo_arg,global_sign",
> + at pytest.mark.parametrize("name,sha_algo,sig_algo,padding,sign_options,required,full_test,algo_arg,global_sign",
> TESTDATA)
> -def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
> +def test_vboot(ubman, name, sha_algo, sig_algo, padding, sign_options, required,
> full_test, algo_arg, global_sign):
> """Test verified boot signing with mkimage and verification with 'bootm'.
>
> @@ -287,7 +287,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
> utils.run_and_log(ubman, 'openssl req -batch -new -x509 -key %s%s.key '
> '-out %s%s.crt' % (tmpdir, name, tmpdir, name))
>
> - def test_with_algo(sha_algo, padding, sign_options):
> + def test_with_algo(sha_algo, sig_algo, padding, sign_options):
> """Test verified boot with the given hash algorithm.
>
> This is the main part of the test code. The same procedure is followed
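Review bot: The docstring summary of test_with_algo still reads "given hash algorithm" although the function now also takes `sig_algo`. I would change the summary to `"""Test verified boot with the given hash and signature algorithms.` and, if the docstring has an Args section (it continues outside the hunk), add an entry stating that `sig_algo` is the ITS filename suffix such as `'-rsa2048'`. The same applies to test_required_key and test_add_pubkey, whose signatures gain the parameter in later hunks with their docstrings left as they were.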
> @@ -308,7 +308,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
>
> # Build the FIT, but don't sign anything yet
> ubman.log.action('%s: Test FIT with signed images' % sha_algo)
> - make_fit('sign-images-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> + make_fit('sign-images-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> run_bootm(sha_algo, 'unsigned images', ' - OK' if algo_arg else 'dev-', True)
>
> # Sign images with our dev keys
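Review bot: The ITS filename is now assembled from three interpolated fields in this `make_fit` call and again in the sign-configs calls of the following hunks, which makes each line very long and leaves several copies of the naming scheme to keep in step once ECDSA variants are added. A single helper, for example `def its_name(kind, sha_algo, sig_algo, padding, suffix=''): return 'sign-%s-%s%s%s%s.its' % (kind, sha_algo, sig_algo, padding, suffix)`, would define the scheme in one place and also cover the `-prod` variant. With the copies as they are, a name that drifts from the files on disk would presumably only show up as a build failure for one parametrization.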
> @@ -319,7 +319,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
> dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb)
>
> ubman.log.action('%s: Test FIT with signed configuration' % sha_algo)
> - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> run_bootm(sha_algo, 'unsigned config', '%s+ OK' % ('sha256' if algo_arg else sha_algo), True)
>
> # Sign images with our dev keys
> @@ -383,7 +383,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
> run_bootm(sha_algo, 'evil clone', 'Bad Data Hash', False, efit)
>
> # Create a new properly signed fit and replace header bytes
> - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> sign_fit(sha_algo, sign_options)
> bcfg = ubman.config.buildconfig
> max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
> @@ -415,7 +415,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
> ubman, [fit_check_sign, '-f', fit, '-k', dtb],
> 1, 'Failed to verify required signature')
>
> - def test_required_key(sha_algo, padding, sign_options):
> + def test_required_key(sha_algo, sig_algo, padding, sign_options):
> """Test verified boot with the given hash algorithm.
>
> This function tests if U-Boot rejects an image when a required key isn't
> @@ -437,12 +437,12 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
>
> # Build the FIT with prod key (keys required) and sign it. This puts the
> # signature into sandbox-u-boot.dtb, marked 'required'
> - make_fit('sign-configs-%s%s-prod.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s-prod.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> sign_fit(sha_algo, sign_options)
>
> # Build the FIT with dev key (keys NOT required). This adds the
> # signature into sandbox-u-boot.dtb, NOT marked 'required'.
> - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> sign_fit_norequire(sha_algo, sign_options)
>
> # So now sandbox-u-boot.dtb two signatures, for the prod and dev keys.
> @@ -454,7 +454,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
>
> # Build the FIT with dev key (keys required) and sign it. This puts the
> # signature into sandbox-u-boot.dtb, marked 'required'.
> - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> sign_fit(sha_algo, sign_options)
>
> # Set the required-mode policy to "any".
> @@ -534,8 +534,9 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
> dtb = '%ssandbox-u-boot.dtb' % tmpdir
> sig_node = '/configurations/conf-1/signature'
>
> - create_rsa_pair('dev')
> - create_rsa_pair('prod')
> + if sig_algo == "-rsa2048" or sig_algo == "-rsa3072" or sig_algo == "":
> + create_rsa_pair('dev')
> + create_rsa_pair('prod')
>
> # Create a number kernel image with zeroes
> with open('%stest-kernel.bin' % tmpdir, 'wb') as fd:
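Review bot: When `sig_algo` is anything other than the three listed strings, this block generates no keys and reports nothing, so a mistyped or newly added suffix would surface later as a signing or verification failure far from its cause. Every row in this patch matches one of the three values, so behaviour is unchanged today, but I would write the condition as `if sig_algo in ('-rsa2048', '-rsa3072', ''):` (single quotes, as elsewhere in the file) and add `else: pytest.fail('unsupported sig_algo %r' % sig_algo)` until the ECDSA branch exists. A short comment that `''` is the algo-arg row, where the algorithm comes from `-o sha256,rsa2048`, would explain why the empty string is treated as RSA.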
> @@ -554,9 +555,9 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
> if global_sign:
> test_global_sign(sha_algo, padding, sign_options)
> elif required:
> - test_required_key(sha_algo, padding, sign_options)
> + test_required_key(sha_algo, sig_algo, padding, sign_options)
> else:
> - test_with_algo(sha_algo, padding, sign_options)
> + test_with_algo(sha_algo, sig_algo, padding, sign_options)
> finally:
> # Go back to the original U-Boot with the correct dtb.
> ubman.config.dtb = old_dtb
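Review bot: test_global_sign is still called with `(sha_algo, padding, sign_options)` and its body is not touched in any hunk shown here, while the two global-sign rows now carry `sig_algo='-rsa2048'`. If test_global_sign builds its ITS name from `sha_algo` and `padding` alone (its body is not visible), it would look for a file such as `sign-images-sha256.its`, which this patch renames. Please confirm the global-sign parametrizations still find their ITS. If they do not, the call should become `test_global_sign(sha_algo, sig_algo, padding, sign_options)` with the matching three-field format string inside the function.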
> @@ -564,21 +565,21 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
>
>
> TESTDATA_IN = [
> - ['sha1-basic', 'sha1', '', None, False],
> - ['sha1-pad', 'sha1', '', '-E -p 0x10000', False],
> - ['sha1-pss', 'sha1', '-pss', None, False],
> - ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False],
> - ['sha256-basic', 'sha256', '', None, False],
> - ['sha256-pad', 'sha256', '', '-E -p 0x10000', False],
> - ['sha256-pss', 'sha256', '-pss', None, False],
> - ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False],
> - ['sha256-pss-required', 'sha256', '-pss', None, False],
> - ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', False],
> - ['sha384-basic', 'sha384', '', None, False],
> - ['sha384-pad', 'sha384', '', '-E -p 0x10000', False],
> - ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', True],
> - ['sha256-global-sign', 'sha256', '', '', False],
> - ['sha256-global-sign-pss', 'sha256', '-pss', '', False],
> + ['sha1-basic', 'sha1', '-rsa2048', '', None, False],
> + ['sha1-pad', 'sha1', '-rsa2048', '', '-E -p 0x10000', False],
> + ['sha1-pss', 'sha1', '-rsa2048', '-pss', None, False],
> + ['sha1-pss-pad', 'sha1', '-rsa2048', '-pss', '-E -p 0x10000', False],
> + ['sha256-basic', 'sha256', '-rsa2048', '', None, False],
> + ['sha256-pad', 'sha256', '-rsa2048', '', '-E -p 0x10000', False],
> + ['sha256-pss', 'sha256', '-rsa2048', '-pss', None, False],
> + ['sha256-pss-pad', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', False],
> + ['sha256-pss-required', 'sha256', '-rsa2048', '-pss', None, False],
> + ['sha256-pss-pad-required', 'sha256', '-rsa2048' , '-pss', '-E -p 0x10000', False],
> + ['sha384-basic', 'sha384', '-rsa3072', '', None, False],
> + ['sha384-pad', 'sha384', '-rsa3072', '', '-E -p 0x10000', False],
> + ['algo-arg', 'algo-arg', '', '', '-o sha256,rsa2048', True],
> + ['sha256-global-sign', 'sha256', '-rsa2048', '', '', False],
> + ['sha256-global-sign-pss', 'sha256', '-rsa2048', '-pss', '', False],
> ]
>
> # Mark all but the first test as slow, so they are not run with '-k not slow'
> @@ -589,8 +590,8 @@ TESTDATA += [pytest.param(*v, marks=pytest.mark.slow) for v in TESTDATA_IN[1:]]
> @pytest.mark.buildconfigspec('fit_signature')
> @pytest.mark.requiredtool('dtc')
> @pytest.mark.requiredtool('openssl')
> - at pytest.mark.parametrize("name,sha_algo,padding,sign_options,algo_arg", TESTDATA)
> -def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg):
> + at pytest.mark.parametrize("name,sha_algo,sig_algo,padding,sign_options,algo_arg", TESTDATA)
> +def test_fdt_add_pubkey(ubman, name, sha_algo, sig_algo, padding, sign_options, algo_arg):
> """Test fdt_add_pubkey utility with bunch of different algo options."""
>
> def sign_fit(sha_algo, options):
> @@ -609,7 +610,7 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg):
> ubman.log.action('%s: Sign images' % sha_algo)
> utils.run_and_log(ubman, args)
>
> - def test_add_pubkey(sha_algo, padding, sign_options):
> + def test_add_pubkey(sha_algo, sig_algo, padding, sign_options):
> """Test fdt_add_pubkey utility with given hash algorithm and padding.
>
> This function tests if fdt_add_pubkey utility may add public keys into dtb.
> @@ -632,7 +633,7 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg):
> 'rsa3072' if sha_algo == 'sha384' else 'rsa2048'),
> '-k', tmpdir, '-n', 'dev', '-r', 'conf', dtb])
>
> - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
> + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit)
>
> # Sign images with our dev keys
> sign_fit(sha_algo, sign_options)
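Review bot: The RSA key size in the context line just above the change is still derived from the hash, `'rsa3072' if sha_algo == 'sha384' else 'rsa2048'`, while the ITS name now takes it from `sig_algo`, so the same fact has two sources. They agree for every row in the table today, but a future row pairing a hash with a different key size, or with ECDSA, would register a public key for one algorithm and build an ITS for another. Deriving the argument from `sig_algo` (for example `sig_algo.lstrip('-') or 'rsa2048'`) would keep the two in step. The statement begins outside the hunk, so the full expression should be checked before changing it.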
> @@ -654,4 +655,4 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg):
>
> # keys created in test_vboot test
>
> - test_add_pubkey(sha_algo, padding, sign_options)
> + test_add_pubkey(sha_algo, sig_algo, padding, sign_options)
> diff --git a/test/py/tests/vboot/sign-configs-sha1-pss.its b/test/py/tests/vboot/sign-configs-sha1-rsa2048-pss.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha1-pss.its
> rename to test/py/tests/vboot/sign-configs-sha1-rsa2048-pss.its
> diff --git a/test/py/tests/vboot/sign-configs-sha1.its b/test/py/tests/vboot/sign-configs-sha1-rsa2048.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha1.its
> rename to test/py/tests/vboot/sign-configs-sha1-rsa2048.its
> diff --git a/test/py/tests/vboot/sign-configs-sha256-pss-prod.its b/test/py/tests/vboot/sign-configs-sha256-rsa2048-pss-prod.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha256-pss-prod.its
> rename to test/py/tests/vboot/sign-configs-sha256-rsa2048-pss-prod.its
> diff --git a/test/py/tests/vboot/sign-configs-sha256-pss.its b/test/py/tests/vboot/sign-configs-sha256-rsa2048-pss.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha256-pss.its
> rename to test/py/tests/vboot/sign-configs-sha256-rsa2048-pss.its
> diff --git a/test/py/tests/vboot/sign-configs-sha256.its b/test/py/tests/vboot/sign-configs-sha256-rsa2048.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha256.its
> rename to test/py/tests/vboot/sign-configs-sha256-rsa2048.its
> diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384-rsa3072.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-configs-sha384.its
> rename to test/py/tests/vboot/sign-configs-sha384-rsa3072.its
> diff --git a/test/py/tests/vboot/sign-images-sha1-pss.its b/test/py/tests/vboot/sign-images-sha1-rsa2048-pss.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-images-sha1-pss.its
> rename to test/py/tests/vboot/sign-images-sha1-rsa2048-pss.its
> diff --git a/test/py/tests/vboot/sign-images-sha1.its b/test/py/tests/vboot/sign-images-sha1-rsa2048.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-images-sha1.its
> rename to test/py/tests/vboot/sign-images-sha1-rsa2048.its
> diff --git a/test/py/tests/vboot/sign-images-sha256-pss.its b/test/py/tests/vboot/sign-images-sha256-rsa2048-pss.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-images-sha256-pss.its
> rename to test/py/tests/vboot/sign-images-sha256-rsa2048-pss.its
> diff --git a/test/py/tests/vboot/sign-images-sha256.its b/test/py/tests/vboot/sign-images-sha256-rsa2048.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-images-sha256.its
> rename to test/py/tests/vboot/sign-images-sha256-rsa2048.its
> diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384-rsa3072.its
> similarity index 100%
> rename from test/py/tests/vboot/sign-images-sha384.its
> rename to test/py/tests/vboot/sign-images-sha384-rsa3072.its
> --
> 2.43.0
>