[PATCH v6 08/15] test: vboot: add test for ecdsa
Raymond Mao
raymondmaoca at gmail.com
Mon May 25 17:33:19 CEST 2026
Hi Philippe,
On Mon, May 25, 2026 at 9:52 AM Philippe Reynes
<philippe.reynes at softathome.com> wrote:
>
> This commit adds test cases for ECDSA on FIT, but not (yet) for
> the global image signature (preload).
>
> Reviewed-by: Simon Glass <simon.glass at canonical.com>
> Reviewed-by: Simon Glass <sjg at chromium.org>
> Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com>
> ---
> v2:
> - initial version
> v3:
> - no change
> v4:
> - no change
> v5:
> - no change
> v6:
> - no change
>
> test/py/tests/test_vboot.py | 29 ++++++++++++
> .../vboot/sign-configs-sha256-ecdsa256.its | 45 +++++++++++++++++++
> .../vboot/sign-configs-sha256-ecdsa384.its | 45 +++++++++++++++++++
> .../vboot/sign-configs-sha256-ecdsa521.its | 45 +++++++++++++++++++
> .../vboot/sign-images-sha256-ecdsa256.its | 42 +++++++++++++++++
> .../vboot/sign-images-sha256-ecdsa384.its | 42 +++++++++++++++++
> .../vboot/sign-images-sha256-ecdsa521.its | 42 +++++++++++++++++
> 7 files changed, 290 insertions(+)
> create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa256.its
> create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
> create mode 100644 test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
> create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa256.its
> create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa384.its
> create mode 100644 test/py/tests/vboot/sign-images-sha256-ecdsa521.its
>
Looks good to me. Thanks!
Reviewed-by: Raymond Mao <raymondmaoca at gmail.com>
> diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> index 496d314c649..4e4d9529031 100644
> --- a/test/py/tests/test_vboot.py
> +++ b/test/py/tests/test_vboot.py
> @@ -94,6 +94,9 @@ TESTDATA_IN = [
> ['sha256-pss-pad', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', False, False, False, False],
> ['sha256-pss-required', 'sha256', '-rsa2048', '-pss', None, True, False, False, False],
> ['sha256-pss-pad-required', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', True, True, False, False],
> + ['sha256-basic-ecdsa256', 'sha256', '-ecdsa256', '', None, False, False, False, False],
> + ['sha256-basic-ecdsa384', 'sha256', '-ecdsa384', '', None, False, False, False, False],
> + ['sha256-basic-ecdsa521', 'sha256', '-ecdsa521', '', None, False, False, False, False],
> ['sha384-basic', 'sha384', '-rsa3072', '', None, False, False, False, False],
> ['sha384-pad', 'sha384', '-rsa3072', '', '-E -p 0x10000', False, False, False, False],
> ['algo-arg', 'algo-arg', '', '', '-o sha256,rsa2048', False, False, True, False],
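Review bot: The three new ECDSA rows all set the sixth field to False, and the `test_vboot` signature in the next hunk header shows that field is `required`, so verification against a required ECDSA key is never exercised. If the seventh field enables the fuller test sequence (an assumption, since the parameter list is cut off in the hunk header), the tamper and wrong-key cases are skipped for ECDSA as well, and for a signature scheme the rejection path is the part most worth testing. Consider adding at least one row that mirrors the flags of the `sha256-pss-pad-required` row, such as `['sha256-ecdsa256-required', 'sha256', '-ecdsa256', '', None, True, True, False, False],`. `TESTDATA_IN` starts and ends outside this hunk, so the meaning of the last three flags should be confirmed against the full file.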
> @@ -287,6 +290,29 @@ def test_vboot(ubman, name, sha_algo, sig_algo, padding, sign_options, required,
> utils.run_and_log(ubman, 'openssl req -batch -new -x509 -key %s%s.key '
> '-out %s%s.crt' % (tmpdir, name, tmpdir, name))
>
> + def create_ecdsa_pair(name):
> + """Generate a new ECDSA key pair
> +
> + Args:
> + name: Name of the key (e.g. 'dev')
> + """
> +
> + if sig_algo == "-ecdsa256":
> + curve_name = "secp256r1"
> + elif sig_algo == "-ecdsa384":
> + curve_name = "secp384r1"
> + elif sig_algo == "-ecdsa521":
> + curve_name = "secp521r1"
> + else:
> + curve_name = "unknownCurve"
> +
> + utils.run_and_log(ubman, 'openssl ecparam -name %s -genkey -noout -out %s%s.pem' %
> + (curve_name, tmpdir, name))
> +
> + # Create a certificate containing the public key
> + utils.run_and_log(ubman, 'openssl req -batch -new -x509 -key %s%s.pem '
> + '-out %s%s.crt' % (tmpdir, name, tmpdir, name))
> +
> def test_with_algo(sha_algo, sig_algo, padding, sign_options):
> """Test verified boot with the given hash algorithm.
>
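Review bot: The `else` branch in `create_ecdsa_pair` hands the made-up name `unknownCurve` to `openssl ecparam`, so an unsupported `sig_algo` only surfaces as an openssl error some way from its cause; failing in Python is clearer: `raise ValueError('unsupported ECDSA sig_algo: %s' % sig_algo)`. The same gap exists at the dispatch in the `@@ -537,6 +563,9 @@` hunk, where the `if`/`elif` has no `else` and any other `sig_algo` appears to continue with no key pair generated. The helper also reads `sig_algo` from the enclosing `test_vboot` scope rather than from an argument, which the docstring should state, for example `Uses sig_algo from the enclosing test to select the curve`. `test_vboot` begins and ends outside this hunk.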
> @@ -537,6 +563,9 @@ def test_vboot(ubman, name, sha_algo, sig_algo, padding, sign_options, required,
> if sig_algo == "-rsa2048" or sig_algo == "-rsa3072" or sig_algo == "":
> create_rsa_pair('dev')
> create_rsa_pair('prod')
> + elif sig_algo == "-ecdsa256" or sig_algo == "-ecdsa384" or sig_algo == "-ecdsa521":
> + create_ecdsa_pair('dev')
> + create_ecdsa_pair('prod')
>
> # Create a number kernel image with zeroes
> with open('%stest-kernel.bin' % tmpdir, 'wb') as fd:
> diff --git a/test/py/tests/vboot/sign-configs-sha256-ecdsa256.its b/test/py/tests/vboot/sign-configs-sha256-ecdsa256.its
> new file mode 100644
> index 00000000000..4d0ef903a78
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-configs-sha256-ecdsa256.its
> @@ -0,0 +1,45 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + signature {
> + algo = "sha256,ecdsa256";
> + key-name-hint = "dev";
> + sign-images = "fdt", "kernel";
> + };
> + };
> + };
> +};
> diff --git a/test/py/tests/vboot/sign-configs-sha256-ecdsa384.its b/test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
> new file mode 100644
> index 00000000000..10427b43659
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-configs-sha256-ecdsa384.its
> @@ -0,0 +1,45 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + signature {
> + algo = "sha256,ecdsa384";
> + key-name-hint = "dev";
> + sign-images = "fdt", "kernel";
> + };
> + };
> + };
> +};
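Review bot: `algo = "sha256,ecdsa384"` signs with a P-384 key over a SHA-256 digest, so this fixture exercises a pairing whose strength is bounded by the hash rather than the curve; the same holds for the `ecdsa521` fixtures and for the `sign-images-*` variants of both. That is acceptable for a test matrix, but `.its` files like these tend to be copied as templates, so a header comment would help, e.g. `/* Test fixture: SHA-256 is paired with every curve to keep the matrix small; match the digest size to the curve for real images. */`. If the FIT code accepts `sha384` with ECDSA (not visible here), a matching row and fixture would cover the stronger pairing.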
> diff --git a/test/py/tests/vboot/sign-configs-sha256-ecdsa521.its b/test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
> new file mode 100644
> index 00000000000..a65593ec64b
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-configs-sha256-ecdsa521.its
> @@ -0,0 +1,45 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + hash-1 {
> + algo = "sha256";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + signature {
> + algo = "sha256,ecdsa521";
> + key-name-hint = "dev";
> + sign-images = "fdt", "kernel";
> + };
> + };
> + };
> +};
> diff --git a/test/py/tests/vboot/sign-images-sha256-ecdsa256.its b/test/py/tests/vboot/sign-images-sha256-ecdsa256.its
> new file mode 100644
> index 00000000000..009003bb601
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-images-sha256-ecdsa256.its
> @@ -0,0 +1,42 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + signature {
> + algo = "sha256,ecdsa256";
> + key-name-hint = "dev";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + signature {
> + algo = "sha256,ecdsa256";
> + key-name-hint = "dev";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + };
> + };
> +};
> diff --git a/test/py/tests/vboot/sign-images-sha256-ecdsa384.its b/test/py/tests/vboot/sign-images-sha256-ecdsa384.its
> new file mode 100644
> index 00000000000..567de687a06
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-images-sha256-ecdsa384.its
> @@ -0,0 +1,42 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + signature {
> + algo = "sha256,ecdsa384";
> + key-name-hint = "dev";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + signature {
> + algo = "sha256,ecdsa384";
> + key-name-hint = "dev";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + };
> + };
> +};
> diff --git a/test/py/tests/vboot/sign-images-sha256-ecdsa521.its b/test/py/tests/vboot/sign-images-sha256-ecdsa521.its
> new file mode 100644
> index 00000000000..74ed45b21b8
> --- /dev/null
> +++ b/test/py/tests/vboot/sign-images-sha256-ecdsa521.its
> @@ -0,0 +1,42 @@
> +/dts-v1/;
> +
> +/ {
> + description = "Chrome OS kernel image with one or more FDT blobs";
> + #address-cells = <1>;
> +
> + images {
> + kernel {
> + data = /incbin/("test-kernel.bin");
> + type = "kernel_noload";
> + arch = "sandbox";
> + os = "linux";
> + compression = "none";
> + load = <0x4>;
> + entry = <0x8>;
> + kernel-version = <1>;
> + signature {
> + algo = "sha256,ecdsa521";
> + key-name-hint = "dev";
> + };
> + };
> + fdt-1 {
> + description = "snow";
> + data = /incbin/("sandbox-kernel.dtb");
> + type = "flat_dt";
> + arch = "sandbox";
> + compression = "none";
> + fdt-version = <1>;
> + signature {
> + algo = "sha256,ecdsa521";
> + key-name-hint = "dev";
> + };
> + };
> + };
> + configurations {
> + default = "conf-1";
> + conf-1 {
> + kernel = "kernel";
> + fdt = "fdt-1";
> + };
> + };
> +};
> --
> 2.43.0
>