mirror of
https://github.com/AsahiLinux/u-boot
synced 2025-01-19 16:44:30 +00:00
8645aefc8b
Add support for the authentication of UEFI capsules containing FIT images. The authentication code is moved out of the function handling raw images into a new function efi_firmware_capsule_authenticate(). The special case for the FMP header coming from edk2 tools is preserved. There is no functional change for capsules containing raw images. The python test for signed capsules with raw images is renamed with no functional change and a new test is added for signed capsules containing FIT images. This can be tested with sandbox64_defconfig or sandbox_flattree_defconfig, plus CONFIG_EFI_CAPSULE_AUTHENTICATE=y. Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
149 lines
7.1 KiB
Python
149 lines
7.1 KiB
Python
# SPDX-License-Identifier: GPL-2.0+
|
|
# Copyright (c) 2020, Linaro Limited
|
|
# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
|
|
|
import os
|
|
import os.path
|
|
import re
|
|
from subprocess import call, check_call, check_output, CalledProcessError
|
|
import pytest
|
|
from capsule_defs import *
|
|
|
|
#
|
|
# Fixture for UEFI capsule test
|
|
#
|
|
|
|
@pytest.fixture(scope='session')
|
|
def efi_capsule_data(request, u_boot_config):
|
|
"""Set up a file system to be used in UEFI capsule and
|
|
authentication test.
|
|
|
|
Args:
|
|
request: Pytest request object.
|
|
u_boot_config: U-boot configuration.
|
|
|
|
Return:
|
|
A path to disk image to be used for testing
|
|
"""
|
|
global CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR
|
|
|
|
mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
|
|
data_dir = mnt_point + CAPSULE_DATA_DIR
|
|
install_dir = mnt_point + CAPSULE_INSTALL_DIR
|
|
image_path = u_boot_config.persistent_data_dir + '/test_efi_capsule.img'
|
|
|
|
try:
|
|
# Create a target device
|
|
check_call('dd if=/dev/zero of=./spi.bin bs=1MiB count=16', shell=True)
|
|
|
|
check_call('rm -rf %s' % mnt_point, shell=True)
|
|
check_call('mkdir -p %s' % data_dir, shell=True)
|
|
check_call('mkdir -p %s' % install_dir, shell=True)
|
|
|
|
capsule_auth_enabled = u_boot_config.buildconfig.get(
|
|
'config_efi_capsule_authenticate')
|
|
if capsule_auth_enabled:
|
|
# Create private key (SIGNER.key) and certificate (SIGNER.crt)
|
|
check_call('cd %s; '
|
|
'openssl req -x509 -sha256 -newkey rsa:2048 '
|
|
'-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
|
|
'-out SIGNER.crt -nodes -days 365'
|
|
% data_dir, shell=True)
|
|
check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
|
|
% (data_dir, EFITOOLS_PATH), shell=True)
|
|
|
|
# Update dtb adding capsule certificate
|
|
check_call('cd %s; '
|
|
'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
|
|
% (data_dir, u_boot_config.source_dir), shell=True)
|
|
check_call('cd %s; '
|
|
'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
|
|
'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
|
|
'-o test_sig.dtb signature.dtbo'
|
|
% (data_dir, u_boot_config.build_dir), shell=True)
|
|
|
|
# Create *malicious* private key (SIGNER2.key) and certificate
|
|
# (SIGNER2.crt)
|
|
check_call('cd %s; '
|
|
'openssl req -x509 -sha256 -newkey rsa:2048 '
|
|
'-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
|
|
'-out SIGNER2.crt -nodes -days 365'
|
|
% data_dir, shell=True)
|
|
|
|
# Create capsule files
|
|
# two regions: one for u-boot.bin and the other for u-boot.env
|
|
check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
|
|
shell=True)
|
|
check_call('sed -e \"s?BINFILE1?u-boot.bin.new?\" -e \"s?BINFILE2?u-boot.env.new?\" %s/test/py/tests/test_efi_capsule/uboot_bin_env.its > %s/uboot_bin_env.its' %
|
|
(u_boot_config.source_dir, data_dir),
|
|
shell=True)
|
|
check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' %
|
|
(data_dir, u_boot_config.build_dir),
|
|
shell=True)
|
|
check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test01' %
|
|
(data_dir, u_boot_config.build_dir),
|
|
shell=True)
|
|
check_call('cd %s; %s/tools/mkeficapsule --index 2 --guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test02' %
|
|
(data_dir, u_boot_config.build_dir),
|
|
shell=True)
|
|
check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 u-boot.bin.new Test03' %
|
|
(data_dir, u_boot_config.build_dir),
|
|
shell=True)
|
|
check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test04' %
|
|
(data_dir, u_boot_config.build_dir),
|
|
shell=True)
|
|
check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 uboot_bin_env.itb Test05' %
|
|
(data_dir, u_boot_config.build_dir),
|
|
shell=True)
|
|
|
|
if capsule_auth_enabled:
|
|
# raw firmware signed with proper key
|
|
check_call('cd %s; '
|
|
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
|
|
'--private-key SIGNER.key --certificate SIGNER.crt '
|
|
'--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
|
|
'u-boot.bin.new Test11'
|
|
% (data_dir, u_boot_config.build_dir),
|
|
shell=True)
|
|
# raw firmware signed with *mal* key
|
|
check_call('cd %s; '
|
|
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
|
|
'--private-key SIGNER2.key '
|
|
'--certificate SIGNER2.crt '
|
|
'--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
|
|
'u-boot.bin.new Test12'
|
|
% (data_dir, u_boot_config.build_dir),
|
|
shell=True)
|
|
# FIT firmware signed with proper key
|
|
check_call('cd %s; '
|
|
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
|
|
'--private-key SIGNER.key --certificate SIGNER.crt '
|
|
'--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
|
|
'uboot_bin_env.itb Test13'
|
|
% (data_dir, u_boot_config.build_dir),
|
|
shell=True)
|
|
# FIT firmware signed with *mal* key
|
|
check_call('cd %s; '
|
|
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
|
|
'--private-key SIGNER2.key '
|
|
'--certificate SIGNER2.crt '
|
|
'--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
|
|
'uboot_bin_env.itb Test14'
|
|
% (data_dir, u_boot_config.build_dir),
|
|
shell=True)
|
|
|
|
# Create a disk image with EFI system partition
|
|
check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
|
|
(mnt_point, image_path), shell=True)
|
|
check_call('sgdisk %s -A 1:set:0 -t 1:C12A7328-F81F-11D2-BA4B-00A0C93EC93B' %
|
|
image_path, shell=True)
|
|
|
|
except CalledProcessError as exception:
|
|
pytest.skip('Setup failed: %s' % exception.cmd)
|
|
return
|
|
else:
|
|
yield image_path
|
|
finally:
|
|
call('rm -rf %s' % mnt_point, shell=True)
|
|
call('rm -f %s' % image_path, shell=True)
|
|
call('rm -f ./spi.bin', shell=True)
|