u-boot/test/vboot/vboot_test.sh
Stephen Warren 4d907025d6 sandbox: restore ability to access host fs through standard commands
Commit 95fac6ab45 "sandbox: Use os functions to read host device tree"
removed the ability for get_device_and_partition() to handle the "host"
device type, and redirect accesses to it to the host filesystem. This
broke some unit tests that use this feature. So, revert that change. The
code added back by this patch is slightly different to pacify checkpatch.

However, we're then left with "host" being both:
- A pseudo device that accesses the hosts real filesystem.
- An emulated block device, which accesses "sectors" inside a file stored
  on the host.

In order to resolve this discrepancy, rename the pseudo device from host
to hostfs, and adjust the unit-tests for this change.

The "help sb" output is modified to reflect this rename, and state where
the host and hostfs devices should be used.

Signed-off-by: Stephen Warren <swarren@nvidia.com>
Tested-by: Josh Wu <josh.wu@atmel.com>
Acked-by: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org>
2014-06-23 15:37:23 -06:00

143 lines
3.1 KiB
Bash
Executable file

#!/bin/bash
#
# Copyright (c) 2013, Google Inc.
#
# Simple Verified Boot Test Script
#
# SPDX-License-Identifier: GPL-2.0+
set -e
# Run U-Boot and report the result
# Args:
# $1: Test message
run_uboot() {
echo -n "Test Verified Boot Run: $1: "
${uboot} -d sandbox-u-boot.dtb >${tmp} -c '
sb load hostfs - 100 test.fit;
fdt addr 100;
bootm 100;
reset'
if ! grep -q "$2" ${tmp}; then
echo
echo "Verified boot key check failed, output follows:"
cat ${tmp}
false
else
echo "OK"
fi
}
echo "Simple Verified Boot Test"
echo "========================="
echo
echo "Please see doc/uImage.FIT/verified-boot.txt for more information"
echo
err=0
tmp=/tmp/vboot_test.$$
dir=$(dirname $0)
if [ -z ${O} ]; then
O=.
fi
O=$(readlink -f ${O})
dtc="-I dts -O dtb -p 2000"
uboot="${O}/u-boot"
mkimage="${O}/tools/mkimage"
fit_check_sign="${O}/tools/fit_check_sign"
keys="${dir}/dev-keys"
echo ${mkimage} -D "${dtc}"
echo "Build keys"
mkdir -p ${keys}
# Create an RSA key pair
openssl genrsa -F4 -out ${keys}/dev.key 2048 2>/dev/null
# Create a certificate containing the public key
openssl req -batch -new -x509 -key ${keys}/dev.key -out ${keys}/dev.crt
pushd ${dir} >/dev/null
function do_test {
echo do $sha test
# Compile our device tree files for kernel and U-Boot
dtc -p 0x1000 sandbox-kernel.dts -O dtb -o sandbox-kernel.dtb
dtc -p 0x1000 sandbox-u-boot.dts -O dtb -o sandbox-u-boot.dtb
# Create a number kernel image with zeroes
head -c 5000 /dev/zero >test-kernel.bin
# Build the FIT, but don't sign anything yet
echo Build FIT with signed images
${mkimage} -D "${dtc}" -f sign-images-$sha.its test.fit >${tmp}
run_uboot "unsigned signatures:" "dev-"
# Sign images with our dev keys
echo Sign images
${mkimage} -D "${dtc}" -F -k dev-keys -K sandbox-u-boot.dtb \
-r test.fit >${tmp}
run_uboot "signed images" "dev+"
# Create a fresh .dtb without the public keys
dtc -p 0x1000 sandbox-u-boot.dts -O dtb -o sandbox-u-boot.dtb
echo Build FIT with signed configuration
${mkimage} -D "${dtc}" -f sign-configs-$sha.its test.fit >${tmp}
run_uboot "unsigned config" $sha"+ OK"
# Sign images with our dev keys
echo Sign images
${mkimage} -D "${dtc}" -F -k dev-keys -K sandbox-u-boot.dtb \
-r test.fit >${tmp}
run_uboot "signed config" "dev+"
echo check signed config on the host
if ! ${fit_check_sign} -f test.fit -k sandbox-u-boot.dtb >${tmp}; then
echo
echo "Verified boot key check on host failed, output follows:"
cat ${tmp}
false
else
if ! grep -q "dev+" ${tmp}; then
echo
echo "Verified boot key check failed, output follows:"
cat ${tmp}
false
else
echo "OK"
fi
fi
run_uboot "signed config" "dev+"
# Increment the first byte of the signature, which should cause failure
sig=$(fdtget -t bx test.fit /configurations/conf@1/signature@1 value)
newbyte=$(printf %x $((0x${sig:0:2} + 1)))
sig="${newbyte} ${sig:2}"
fdtput -t bx test.fit /configurations/conf@1/signature@1 value ${sig}
run_uboot "signed config with bad hash" "Bad Data Hash"
}
sha=sha1
do_test
sha=sha256
do_test
popd >/dev/null
echo
if ${ok}; then
echo "Test passed"
else
echo "Test failed"
fi