mirror of
https://github.com/AsahiLinux/u-boot
synced 2025-03-03 23:07:12 +00:00
cbea241e93
The UEFI spec allows a packed array of UEFI device paths in the FilePathList[] of an EFI_LOAD_OPTION. The first file path must describe the loaded image but the rest are OS specific. Previous patches parse the device path and try to use the second member of the array as an initrd. So let's modify efidebug slightly and install the second file described in the command line as the initrd device path. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
117 lines
5.1 KiB
Python
117 lines
5.1 KiB
Python
# SPDX-License-Identifier: GPL-2.0+
|
|
# Copyright (c) 2019, Linaro Limited
|
|
# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
|
#
|
|
# U-Boot UEFI: Signed Image Authentication Test
|
|
|
|
"""
|
|
This test verifies image authentication for unsigned images.
|
|
"""
|
|
|
|
import pytest
|
|
|
|
|
|
@pytest.mark.boardspec('sandbox')
|
|
@pytest.mark.buildconfigspec('efi_secure_boot')
|
|
@pytest.mark.buildconfigspec('cmd_efidebug')
|
|
@pytest.mark.buildconfigspec('cmd_fat')
|
|
@pytest.mark.buildconfigspec('cmd_nvedit_efi')
|
|
@pytest.mark.slow
|
|
class TestEfiUnsignedImage(object):
|
|
def test_efi_unsigned_image_auth1(self, u_boot_console, efi_boot_env):
|
|
"""
|
|
Test Case 1 - rejected when not digest in db or dbx
|
|
"""
|
|
u_boot_console.restart_uboot()
|
|
disk_img = efi_boot_env
|
|
with u_boot_console.log.section('Test Case 1'):
|
|
# Test Case 1
|
|
output = u_boot_console.run_command_list([
|
|
'host bind 0 %s' % disk_img,
|
|
'fatload host 0:1 4000000 KEK.auth',
|
|
'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
|
|
'fatload host 0:1 4000000 PK.auth',
|
|
'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
|
|
assert 'Failed to set EFI variable' not in ''.join(output)
|
|
|
|
output = u_boot_console.run_command_list([
|
|
'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi ""',
|
|
'efidebug boot next 1',
|
|
'bootefi bootmgr'])
|
|
assert '\'HELLO\' failed' in ''.join(output)
|
|
output = u_boot_console.run_command_list([
|
|
'efidebug boot next 1',
|
|
'efidebug test bootmgr'])
|
|
assert 'efi_start_image() returned: 26' in ''.join(output)
|
|
assert 'Hello, world!' not in ''.join(output)
|
|
|
|
def test_efi_unsigned_image_auth2(self, u_boot_console, efi_boot_env):
|
|
"""
|
|
Test Case 2 - authenticated by digest in db
|
|
"""
|
|
u_boot_console.restart_uboot()
|
|
disk_img = efi_boot_env
|
|
with u_boot_console.log.section('Test Case 2'):
|
|
# Test Case 2
|
|
output = u_boot_console.run_command_list([
|
|
'host bind 0 %s' % disk_img,
|
|
'fatload host 0:1 4000000 db_hello.auth',
|
|
'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
|
|
'fatload host 0:1 4000000 KEK.auth',
|
|
'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
|
|
'fatload host 0:1 4000000 PK.auth',
|
|
'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
|
|
assert 'Failed to set EFI variable' not in ''.join(output)
|
|
|
|
output = u_boot_console.run_command_list([
|
|
'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi ""',
|
|
'efidebug boot next 1',
|
|
'bootefi bootmgr'])
|
|
assert 'Hello, world!' in ''.join(output)
|
|
|
|
def test_efi_unsigned_image_auth3(self, u_boot_console, efi_boot_env):
|
|
"""
|
|
Test Case 3 - rejected by digest in dbx
|
|
"""
|
|
u_boot_console.restart_uboot()
|
|
disk_img = efi_boot_env
|
|
with u_boot_console.log.section('Test Case 3a'):
|
|
# Test Case 3a, rejected by dbx
|
|
output = u_boot_console.run_command_list([
|
|
'host bind 0 %s' % disk_img,
|
|
'fatload host 0:1 4000000 db_hello.auth',
|
|
'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
|
|
'fatload host 0:1 4000000 KEK.auth',
|
|
'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
|
|
'fatload host 0:1 4000000 PK.auth',
|
|
'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK'])
|
|
assert 'Failed to set EFI variable' not in ''.join(output)
|
|
|
|
output = u_boot_console.run_command_list([
|
|
'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi ""',
|
|
'efidebug boot next 1',
|
|
'bootefi bootmgr'])
|
|
assert '\'HELLO\' failed' in ''.join(output)
|
|
output = u_boot_console.run_command_list([
|
|
'efidebug boot next 1',
|
|
'efidebug test bootmgr'])
|
|
assert 'efi_start_image() returned: 26' in ''.join(output)
|
|
assert 'Hello, world!' not in ''.join(output)
|
|
|
|
with u_boot_console.log.section('Test Case 3b'):
|
|
# Test Case 3b, rejected by dbx even if db allows
|
|
output = u_boot_console.run_command_list([
|
|
'fatload host 0:1 4000000 db_hello.auth',
|
|
'setenv -e -nv -bs -rt -at -i 4000000:$filesize db'])
|
|
assert 'Failed to set EFI variable' not in ''.join(output)
|
|
|
|
output = u_boot_console.run_command_list([
|
|
'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi ""',
|
|
'efidebug boot next 1',
|
|
'bootefi bootmgr'])
|
|
assert '\'HELLO\' failed' in ''.join(output)
|
|
output = u_boot_console.run_command_list([
|
|
'efidebug boot next 1',
|
|
'efidebug test bootmgr'])
|
|
assert 'efi_start_image() returned: 26' in ''.join(output)
|
|
assert 'Hello, world!' not in ''.join(output)
|