test/py: vboot: add a test to check fit signature on fit with padding

The pytest vboot does all his tests on fit without padding. We add the same tests on fit with padding. Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
2024-11-24 21:54:01 +00:00 · 2020-04-29 15:26:16 +02:00 · 2020-04-29 15:26:16 +02:00 · eb7690e81f
commit eb7690e81f
parent f4070e6f6c
1 changed files with 33 additions and 19 deletions
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@ -30,11 +30,16 @@ import u_boot_utils as util
 import vboot_forge

 TESTDATA = [
-    ['sha1', '', False],
-    ['sha1', '-pss', False],
-    ['sha256', '', False],
-    ['sha256', '-pss', False],
-    ['sha256', '-pss', True],
+    ['sha1', '', None, False],
+    ['sha1', '', '-E -p 0x10000', False],
+    ['sha1', '-pss', None, False],
+    ['sha1', '-pss', '-E -p 0x10000', False],
+    ['sha256', '', None, False],
+    ['sha256', '', '-E -p 0x10000', False],
+    ['sha256', '-pss', None, False],
+    ['sha256', '-pss', '-E -p 0x10000', False],
+    ['sha256', '-pss', None, True],
+    ['sha256', '-pss', '-E -p 0x10000', True],
 ]

@pytest.mark.boardspec('sandbox')
@ -43,8 +48,8 @@ TESTDATA = [
@pytest.mark.requiredtool('fdtget')
@pytest.mark.requiredtool('fdtput')
@pytest.mark.requiredtool('openssl')
-@pytest.mark.parametrize("sha_algo,padding,required", TESTDATA)
-def test_vboot(u_boot_console, sha_algo, padding, required):
+@pytest.mark.parametrize("sha_algo,padding,sign_options,required", TESTDATA)
+def test_vboot(u_boot_console, sha_algo, padding, sign_options, required):
    """Test verified boot signing with mkimage and verification with 'bootm'.

    This works using sandbox only as it needs to update the device tree used
@ -104,7 +109,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
        util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
                                '%s%s' % (datadir, its), fit])

-    def sign_fit(sha_algo):
+    def sign_fit(sha_algo, options):
        """Sign the FIT

        Signs the FIT and writes the signature into it. It also writes the
@ -113,10 +118,13 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
        Args:
            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
                    use.
+            options: Options to provide to mkimage.
        """
+        args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit]
+        if options:
+            args += options.split(' ')
        cons.log.action('%s: Sign images' % sha_algo)
-        util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
-                                '-r', fit])
+        util.run_and_log(cons, args)

    def replace_fit_totalsize(size):
        """Replace FIT header's totalsize with something greater.
@ -154,7 +162,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
        util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '
                         '-out %s%s.crt' % (tmpdir, name, tmpdir, name))

-    def test_with_algo(sha_algo, padding):
+    def test_with_algo(sha_algo, padding, sign_options):
        """Test verified boot with the given hash algorithm.

        This is the main part of the test code. The same procedure is followed
@ -163,6 +171,9 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
        Args:
            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
                    use.
+            padding: Either '' or '-pss', to select the padding to use for the
+                    rsa signature algorithm.
+            sign_options: Options to mkimage when signing a fit image.
        """
        # Compile our device tree files for kernel and U-Boot. These are
        # regenerated here since mkimage will modify them (by adding a
@ -176,7 +187,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
        run_bootm(sha_algo, 'unsigned images', 'dev-', True)

        # Sign images with our dev keys
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
        run_bootm(sha_algo, 'signed images', 'dev+', True)

        # Create a fresh .dtb without the public keys
@ -187,7 +198,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
        run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)

        # Sign images with our dev keys
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
        run_bootm(sha_algo, 'signed config', 'dev+', True)

        cons.log.action('%s: Check signed config on the host' % sha_algo)
@ -209,7 +220,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):

        # Create a new properly signed fit and replace header bytes
        make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
        bcfg = u_boot_console.config.buildconfig
        max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
        existing_size = replace_fit_totalsize(max_size + 1)
@ -240,7 +251,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
            cons, [fit_check_sign, '-f', fit, '-k', dtb],
            1, 'Failed to verify required signature')

-    def test_required_key(sha_algo, padding):
+    def test_required_key(sha_algo, padding, sign_options):
        """Test verified boot with the given hash algorithm.

        This function tests if U-Boot rejects an image when a required key isn't
@ -248,6 +259,9 @@ def test_vboot(u_boot_console, sha_algo, padding, required):

        Args:
            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use
+            padding: Either '' or '-pss', to select the padding to use for the
+                    rsa signature algorithm.
+            sign_options: Options to mkimage when signing a fit image.
        """
        # Compile our device tree files for kernel and U-Boot. These are
        # regenerated here since mkimage will modify them (by adding a
@ -260,12 +274,12 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
        # Build the FIT with prod key (keys required) and sign it. This puts the
        # signature into sandbox-u-boot.dtb, marked 'required'
        make_fit('sign-configs-%s%s-prod.its' % (sha_algo, padding))
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)

        # Build the FIT with dev key (keys NOT required). This adds the
        # signature into sandbox-u-boot.dtb, NOT marked 'required'.
        make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)

        # So now sandbox-u-boot.dtb two signatures, for the prod and dev keys.
        # Only the prod key is set as 'required'. But FIT we just built has
@ -297,9 +311,9 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
        old_dtb = cons.config.dtb
        cons.config.dtb = dtb
        if required:
-            test_required_key(sha_algo, padding)
+            test_required_key(sha_algo, padding, sign_options)
        else:
-            test_with_algo(sha_algo, padding)
+            test_with_algo(sha_algo, padding, sign_options)
    finally:
        # Go back to the original U-Boot with the correct dtb.
        cons.config.dtb = old_dtb