test: capsule: Generate EFI capsules through binman

Support has been added for generating the EFI capsules through
binman. Make changes in the EFI capsule update testing feature to
generate capsules through binman.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
This commit is contained in:
Sughosh Ganu 2023-08-22 23:10:00 +05:30 committed by Tom Rini
parent b617611b27
commit 56f243dcbe
4 changed files with 367 additions and 174 deletions

View file

@ -0,0 +1,21 @@
// SPDX-License-Identifier: GPL-2.0+
/*
* Copyright (c) 2023, Linaro Limited
*/
#if !defined(_SANDBOX_EFI_CAPSULE_H_)
#define _SANDBOX_EFI_CAPSULE_H_
#define SANDBOX_UBOOT_IMAGE_GUID "09d7cf52-0720-4710-91d1-08469b7fe9c8"
#define SANDBOX_UBOOT_ENV_IMAGE_GUID "5a7021f5-fef2-48b4-aaba-832e777418c0"
#define SANDBOX_FIT_IMAGE_GUID "3673b45d-6a7c-46f3-9e60-adabb03f7937"
#define SANDBOX_INCORRECT_GUID "058b7d83-50d5-4c47-a195-60d86ad341c4"
#define UBOOT_FIT_IMAGE "u-boot_bin_env.itb"
#define CAPSULE_PRIV_KEY "capsule_priv_key_good.key"
#define CAPSULE_PUB_KEY "capsule_pub_key_good.crt"
#define CAPSULE_INVAL_KEY "capsule_priv_key_bad.key"
#define CAPSULE_INVAL_PUB_KEY "capsule_pub_key_bad.crt"
#endif /* _SANDBOX_EFI_CAPSULE_H_ */

View file

@ -0,0 +1,321 @@
// SPDX-License-Identifier: GPL-2.0+
/*
* Devicetree for capsule generation through binman
*/
/dts-v1/;
#include <sandbox_efi_capsule.h>
/ {
binman: binman {
multiple-images;
};
};
&binman {
itb {
filename = UBOOT_FIT_IMAGE;
fit {
description = "Automatic U-Boot environment update";
#address-cells = <2>;
images {
u-boot-bin {
description = "U-Boot binary on SPI Flash";
compression = "none";
type = "firmware";
arch = "sandbox";
load = <0>;
text {
text = "u-boot:New";
};
hash-1 {
algo = "sha1";
};
};
u-boot-env {
description = "U-Boot environment on SPI Flash";
compression = "none";
type = "firmware";
arch = "sandbox";
load = <0>;
text {
text = "u-boot-env:New";
};
hash-1 {
algo = "sha1";
};
};
};
};
};
capsule1 {
filename = "Test01";
efi-capsule {
image-index = <0x1>;
image-guid = SANDBOX_UBOOT_IMAGE_GUID;
text {
text = "u-boot:New";
};
};
};
capsule2 {
filename = "Test02";
efi-capsule {
image-index = <0x2>;
image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID;
text {
text = "u-boot-env:New";
};
};
};
capsule3 {
filename = "Test03";
efi-capsule {
image-index = <0x1>;
image-guid = SANDBOX_INCORRECT_GUID;
text {
text = "u-boot:New";
};
};
};
capsule4 {
filename = "Test04";
efi-capsule {
image-index = <0x1>;
image-guid = SANDBOX_FIT_IMAGE_GUID;
blob {
filename = UBOOT_FIT_IMAGE;
};
};
};
capsule5 {
filename = "Test05";
efi-capsule {
image-index = <0x1>;
image-guid = SANDBOX_INCORRECT_GUID;
blob {
filename = UBOOT_FIT_IMAGE;
};
};
};
capsule6 {
filename = "Test101";
efi-capsule {
image-index = <0x1>;
fw-version = <0x5>;
image-guid = SANDBOX_UBOOT_IMAGE_GUID;
text {
text = "u-boot:New";
};
};
};
capsule7 {
filename = "Test102";
efi-capsule {
image-index = <0x2>;
fw-version = <0xa>;
image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID;
text {
text = "u-boot-env:New";
};
};
};
capsule8 {
filename = "Test103";
efi-capsule {
image-index = <0x1>;
fw-version = <0x2>;
image-guid = SANDBOX_UBOOT_IMAGE_GUID;
text {
text = "u-boot:New";
};
};
};
capsule9 {
filename = "Test104";
efi-capsule {
image-index = <0x1>;
fw-version = <0x5>;
image-guid = SANDBOX_FIT_IMAGE_GUID;
blob {
filename = UBOOT_FIT_IMAGE;
};
};
};
capsule10 {
filename = "Test105";
efi-capsule {
image-index = <0x1>;
fw-version = <0x2>;
image-guid = SANDBOX_FIT_IMAGE_GUID;
blob {
filename = UBOOT_FIT_IMAGE;
};
};
};
capsule11 {
filename = "Test11";
efi-capsule {
image-index = <0x1>;
image-guid = SANDBOX_UBOOT_IMAGE_GUID;
private-key = CAPSULE_PRIV_KEY;
public-key-cert = CAPSULE_PUB_KEY;
monotonic-count = <0x1>;
text {
text = "u-boot:New";
};
};
};
capsule12 {
filename = "Test12";
efi-capsule {
image-index = <0x1>;
image-guid = SANDBOX_UBOOT_IMAGE_GUID;
private-key = CAPSULE_INVAL_KEY;
public-key-cert = CAPSULE_INVAL_PUB_KEY;
monotonic-count = <0x1>;
text {
text = "u-boot:New";
};
};
};
capsule13 {
filename = "Test13";
efi-capsule {
image-index = <0x1>;
image-guid = SANDBOX_FIT_IMAGE_GUID;
private-key = CAPSULE_PRIV_KEY;
public-key-cert = CAPSULE_PUB_KEY;
monotonic-count = <0x1>;
blob {
filename = UBOOT_FIT_IMAGE;
};
};
};
capsule14 {
filename = "Test14";
efi-capsule {
image-index = <0x1>;
image-guid = SANDBOX_FIT_IMAGE_GUID;
private-key = CAPSULE_INVAL_KEY;
public-key-cert = CAPSULE_INVAL_PUB_KEY;
monotonic-count = <0x1>;
blob {
filename = UBOOT_FIT_IMAGE;
};
};
};
capsule15 {
filename = "Test111";
efi-capsule {
image-index = <0x1>;
fw-version = <0x5>;
image-guid = SANDBOX_UBOOT_IMAGE_GUID;
private-key = CAPSULE_PRIV_KEY;
public-key-cert = CAPSULE_PUB_KEY;
monotonic-count = <0x1>;
text {
text = "u-boot:New";
};
};
};
capsule16 {
filename = "Test112";
efi-capsule {
image-index = <0x2>;
fw-version = <0xa>;
image-guid = SANDBOX_UBOOT_ENV_IMAGE_GUID;
private-key = CAPSULE_PRIV_KEY;
public-key-cert = CAPSULE_PUB_KEY;
monotonic-count = <0x1>;
text {
text = "u-boot-env:New";
};
};
};
capsule17 {
filename = "Test113";
efi-capsule {
image-index = <0x1>;
fw-version = <0x2>;
image-guid = SANDBOX_UBOOT_IMAGE_GUID;
private-key = CAPSULE_PRIV_KEY;
public-key-cert = CAPSULE_PUB_KEY;
monotonic-count = <0x1>;
text {
text = "u-boot:New";
};
};
};
capsule18 {
filename = "Test114";
efi-capsule {
image-index = <0x1>;
fw-version = <0x5>;
image-guid = SANDBOX_FIT_IMAGE_GUID;
private-key = CAPSULE_PRIV_KEY;
public-key-cert = CAPSULE_PUB_KEY;
monotonic-count = <0x1>;
blob {
filename = UBOOT_FIT_IMAGE;
};
};
};
capsule19 {
filename = "Test115";
efi-capsule {
image-index = <0x1>;
fw-version = <0x2>;
image-guid = SANDBOX_FIT_IMAGE_GUID;
private-key = CAPSULE_PRIV_KEY;
public-key-cert = CAPSULE_PUB_KEY;
monotonic-count = <0x1>;
blob {
filename = UBOOT_FIT_IMAGE;
};
};
};
};

View file

@ -4,6 +4,8 @@
"""Fixture for UEFI capsule test.""" """Fixture for UEFI capsule test."""
import os
from subprocess import call, check_call, CalledProcessError from subprocess import call, check_call, CalledProcessError
import pytest import pytest
from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR, EFITOOLS_PATH from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR, EFITOOLS_PATH
@ -34,15 +36,20 @@ def efi_capsule_data(request, u_boot_config):
capsule_auth_enabled = u_boot_config.buildconfig.get( capsule_auth_enabled = u_boot_config.buildconfig.get(
'config_efi_capsule_authenticate') 'config_efi_capsule_authenticate')
key_dir = u_boot_config.source_dir + '/board/sandbox'
if capsule_auth_enabled: if capsule_auth_enabled:
# Create private key (SIGNER.key) and certificate (SIGNER.crt) # Get the keys from the board directory
check_call('cd %s; ' check_call('cp %s/capsule_priv_key_good.key %s/SIGNER.key'
'openssl req -x509 -sha256 -newkey rsa:2048 ' % (key_dir, data_dir), shell=True)
'-subj /CN=TEST_SIGNER/ -keyout SIGNER.key ' check_call('cp %s/capsule_pub_key_good.crt %s/SIGNER.crt'
'-out SIGNER.crt -nodes -days 365' % (key_dir, data_dir), shell=True)
% data_dir, shell=True) check_call('cp %s/capsule_pub_esl_good.esl %s/SIGNER.esl'
check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl' % (key_dir, data_dir), shell=True)
% (data_dir, EFITOOLS_PATH), shell=True)
check_call('cp %s/capsule_priv_key_bad.key %s/SIGNER2.key'
% (key_dir, data_dir), shell=True)
check_call('cp %s/capsule_pub_key_bad.crt %s/SIGNER2.crt'
% (key_dir, data_dir), shell=True)
# Update dtb adding capsule certificate # Update dtb adding capsule certificate
check_call('cd %s; ' check_call('cd %s; '
@ -54,14 +61,6 @@ def efi_capsule_data(request, u_boot_config):
'-o test_sig.dtb signature.dtbo' '-o test_sig.dtb signature.dtbo'
% (data_dir, u_boot_config.build_dir), shell=True) % (data_dir, u_boot_config.build_dir), shell=True)
# Create *malicious* private key (SIGNER2.key) and certificate
# (SIGNER2.crt)
check_call('cd %s; '
'openssl req -x509 -sha256 -newkey rsa:2048 '
'-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
'-out SIGNER2.crt -nodes -days 365'
% data_dir, shell=True)
# Update dtb to add the version information # Update dtb to add the version information
check_call('cd %s; ' check_call('cd %s; '
'cp %s/test/py/tests/test_efi_capsule/version.dts .' 'cp %s/test/py/tests/test_efi_capsule/version.dts .'
@ -79,132 +78,20 @@ def efi_capsule_data(request, u_boot_config):
'-o test_ver.dtb version.dtbo' '-o test_ver.dtb version.dtbo'
% (data_dir, u_boot_config.build_dir), shell=True) % (data_dir, u_boot_config.build_dir), shell=True)
# Create capsule files
# two regions: one for u-boot.bin and the other for u-boot.env # two regions: one for u-boot.bin and the other for u-boot.env
check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir, check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
shell=True) shell=True)
check_call('sed -e \"s?BINFILE1?u-boot.bin.new?\" -e \"s?BINFILE2?u-boot.env.new?\" %s/test/py/tests/test_efi_capsule/uboot_bin_env.its > %s/uboot_bin_env.its' %
(u_boot_config.source_dir, data_dir),
shell=True)
check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test01' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --index 2 --guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test02' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 u-boot.bin.new Test03' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test04' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 uboot_bin_env.itb Test05' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
'--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test101' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --index 2 --fw-version 10 '
'--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test102' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
'--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test103' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
'--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test104' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
'--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test105' %
(data_dir, u_boot_config.build_dir),
shell=True)
if capsule_auth_enabled: pythonpath = os.environ.get('PYTHONPATH', '')
# raw firmware signed with proper key os.environ['PYTHONPATH'] = pythonpath + ':' + '%s/scripts/dtc/pylibfdt' % u_boot_config.build_dir
check_call('cd %s; ' check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' 'cc -E -I %s/include -x assembler-with-cpp -o capsule_gen_tmp.dts %s/test/py/tests/test_efi_capsule/capsule_gen_binman.dts; '
'--private-key SIGNER.key --certificate SIGNER.crt ' 'dtc -I dts -O dtb capsule_gen_tmp.dts -o capsule_binman.dtb;'
'--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 ' % (data_dir, u_boot_config.source_dir, u_boot_config.source_dir), shell=True)
'u-boot.bin.new Test11' check_call('cd %s; '
% (data_dir, u_boot_config.build_dir), './tools/binman/binman --toolpath %s/tools build -u -d %s/capsule_binman.dtb -O %s -m --allow-missing -I %s -I ./board/sandbox -I ./arch/sandbox/dts'
shell=True) % (u_boot_config.source_dir, u_boot_config.build_dir, data_dir, data_dir, data_dir), shell=True)
# raw firmware signed with *mal* key os.environ['PYTHONPATH'] = pythonpath
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--private-key SIGNER2.key '
'--certificate SIGNER2.crt '
'--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
'u-boot.bin.new Test12'
% (data_dir, u_boot_config.build_dir),
shell=True)
# FIT firmware signed with proper key
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--private-key SIGNER.key --certificate SIGNER.crt '
'--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
'uboot_bin_env.itb Test13'
% (data_dir, u_boot_config.build_dir),
shell=True)
# FIT firmware signed with *mal* key
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--private-key SIGNER2.key '
'--certificate SIGNER2.crt '
'--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
'uboot_bin_env.itb Test14'
% (data_dir, u_boot_config.build_dir),
shell=True)
# raw firmware signed with proper key with version information
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--fw-version 5 '
'--private-key SIGNER.key --certificate SIGNER.crt '
'--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
'u-boot.bin.new Test111'
% (data_dir, u_boot_config.build_dir),
shell=True)
# raw firmware signed with proper key with version information
check_call('cd %s; '
'%s/tools/mkeficapsule --index 2 --monotonic-count 1 '
'--fw-version 10 '
'--private-key SIGNER.key --certificate SIGNER.crt '
'--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 '
'u-boot.env.new Test112'
% (data_dir, u_boot_config.build_dir),
shell=True)
# raw firmware signed with proper key with lower version information
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--fw-version 2 '
'--private-key SIGNER.key --certificate SIGNER.crt '
'--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
'u-boot.bin.new Test113'
% (data_dir, u_boot_config.build_dir),
shell=True)
# FIT firmware signed with proper key with version information
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--fw-version 5 '
'--private-key SIGNER.key --certificate SIGNER.crt '
'--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
'uboot_bin_env.itb Test114'
% (data_dir, u_boot_config.build_dir),
shell=True)
# FIT firmware signed with proper key with lower version information
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--fw-version 2 '
'--private-key SIGNER.key --certificate SIGNER.crt '
'--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
'uboot_bin_env.itb Test115'
% (data_dir, u_boot_config.build_dir),
shell=True)
# Create a disk image with EFI system partition # Create a disk image with EFI system partition
check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' % check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %

View file

@ -1,36 +0,0 @@
/*
* Automatic software update for U-Boot
* Make sure the flashing addresses ('load' prop) is correct for your board!
*/
/dts-v1/;
/ {
description = "Automatic U-Boot environment update";
#address-cells = <2>;
images {
u-boot-bin {
description = "U-Boot binary on SPI Flash";
data = /incbin/("BINFILE1");
compression = "none";
type = "firmware";
arch = "sandbox";
load = <0>;
hash-1 {
algo = "sha1";
};
};
u-boot-env {
description = "U-Boot environment on SPI Flash";
data = /incbin/("BINFILE2");
compression = "none";
type = "firmware";
arch = "sandbox";
load = <0>;
hash-1 {
algo = "sha1";
};
};
};
};