eaw/u-boot
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge tag 'efi-2020-10-rc1' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi into next

Browse Source 
Pull request for UEFI sub-system for efi-2020-10-rc1

This series comprises error corrections for the UEFI subsystem:

* correct consideration of timestamps for variable authentication
* correct collection of data regions for code authentication
* correct unit tests to test loading dbx
* enable FAT_WRITE as required by the UEFI spec

The boot manager uses log functions instead of printf() and debug().

The UEFI intialization state is exported.
This commit is contained in:
Tom Rini
2020-07-05 18:13:12 -04:00
parent df3d0a3f95 93f6201af7
commit 621e09cb3b
16 changed files with 424 additions and 240 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
test/lib/Makefile
View File

@@ -3,6 +3,7 @@
# (C) Copyright 2018
# Mario Six, Guntermann & Drunck GmbH, mario.six@gdsys.cc
obj-y += cmd_ut_lib.o
obj-$(CONFIG_EFI_SECURE_BOOT) += efi_image_region.o
obj-y += hexdump.o
obj-y += lmb.o
obj-y += string.o

163
test/lib/efi_image_region.c Normal file
View File

@@ -0,0 +1,163 @@
// SPDX-License-Identifier: GPL-2.0+
/*
* (C) Copyright 2020, Heinrich Schuchardt <xypron.glpk@gmx.de>
*/
#include <common.h>
#include <efi_loader.h>
#include <test/lib.h>
#include <test/test.h>
#include <test/ut.h>
#define UT_REG_CAPACITY 6
static int lib_test_efi_image_region_add(struct unit_test_state *uts)
{
struct efi_image_regions *regs;
regs = calloc(sizeof(*regs) +
sizeof(struct image_region) * UT_REG_CAPACITY, 1);
ut_assert(regs);
regs->max = UT_REG_CAPACITY;
ut_asserteq(0, regs->num);
ut_asserteq_64(EFI_INVALID_PARAMETER,
efi_image_region_add(regs, (void *)0x4000,
(void *)0x3000, 1));
ut_asserteq(0, regs->num);
ut_asserteq_64(EFI_SUCCESS,
efi_image_region_add(regs, (void *)0x3100,
(void *)0x4000, 1));
ut_asserteq(1, regs->num);
ut_asserteq_64(EFI_SUCCESS,
efi_image_region_add(regs, (void *)0x2000,
(void *)0x3100, 1));
ut_asserteq(2, regs->num);
ut_asserteq_64(EFI_SUCCESS,
efi_image_region_add(regs, (void *)0x1000,
(void *)0x1f00, 1));
ut_asserteq(3, regs->num);
ut_asserteq_64(EFI_SUCCESS,
efi_image_region_add(regs, (void *)0x4000,
(void *)0x4e00, 1));
ut_asserteq(4, regs->num);
ut_asserteq_64(EFI_SUCCESS,
efi_image_region_add(regs, (void *)0x1f00,
(void *)0x2001, 1));
ut_asserteq(5, regs->num);
ut_asserteq_ptr((void *)0x3100, regs->reg[0].data);
ut_asserteq(0x0f00, regs->reg[0].size);
ut_asserteq_ptr((void *)0x2000, regs->reg[1].data);
ut_asserteq(0x1100, regs->reg[1].size);
ut_asserteq_ptr((void *)0x1000, regs->reg[2].data);
ut_asserteq(0x0f00, regs->reg[2].size);
ut_asserteq_ptr((void *)0x4000, regs->reg[3].data);
ut_asserteq(0x0e00, regs->reg[3].size);
ut_asserteq_ptr((void *)0x1f00, regs->reg[4].data);
ut_asserteq(0x0101, regs->reg[4].size);
free(regs);
return 0;
}
LIB_TEST(lib_test_efi_image_region_add, 0);
static int lib_test_efi_image_region_sort(struct unit_test_state *uts)
{
struct efi_image_regions *regs;
regs = calloc(sizeof(*regs) +
sizeof(struct image_region) * UT_REG_CAPACITY, 1);
ut_assert(regs);
regs->max = UT_REG_CAPACITY;
ut_asserteq(0, regs->num);
ut_asserteq_64(EFI_INVALID_PARAMETER,
efi_image_region_add(regs, (void *)0x4000,
(void *)0x3000, 0));
ut_asserteq(0, regs->num);
ut_asserteq_64(EFI_SUCCESS,
efi_image_region_add(regs, (void *)0x3100,
(void *)0x4000, 0));
ut_asserteq(1, regs->num);
ut_asserteq_64(EFI_SUCCESS,
efi_image_region_add(regs, (void *)0x2000,
(void *)0x3100, 0));
ut_asserteq(2, regs->num);
ut_asserteq_64(EFI_SUCCESS,
efi_image_region_add(regs, (void *)0x1000,
(void *)0x1f00, 0));
ut_asserteq(3, regs->num);
ut_asserteq_64(EFI_SUCCESS,
efi_image_region_add(regs, (void *)0x4000,
(void *)0x4e00, 0));
ut_asserteq(4, regs->num);
ut_asserteq_64(EFI_INVALID_PARAMETER,
efi_image_region_add(regs, (void *)0x1f00,
(void *)0x2001, 0));
ut_asserteq(4, regs->num);
ut_asserteq_64(EFI_INVALID_PARAMETER,
efi_image_region_add(regs, (void *)0x10ff,
(void *)0x11ff, 0));
ut_asserteq(4, regs->num);
ut_asserteq_64(EFI_INVALID_PARAMETER,
efi_image_region_add(regs, (void *)0x0000,
(void *)0x6000, 0));
ut_asserteq(4, regs->num);
ut_asserteq_64(EFI_INVALID_PARAMETER,
efi_image_region_add(regs, (void *)0x3100,
(void *)0x0e00, 0));
ut_asserteq(4, regs->num);
ut_asserteq_64(EFI_INVALID_PARAMETER,
efi_image_region_add(regs, (void *)0x3200,
(void *)0x0e00, 0));
ut_asserteq(4, regs->num);
ut_asserteq_64(EFI_INVALID_PARAMETER,
efi_image_region_add(regs, (void *)0x3200,
(void *)0x0d00, 0));
ut_asserteq(4, regs->num);
ut_asserteq_64(EFI_SUCCESS,
efi_image_region_add(regs, (void *)0x1f00,
(void *)0x2000, 0));
ut_asserteq(5, regs->num);
ut_asserteq_64(EFI_SUCCESS,
efi_image_region_add(regs, (void *)0x4000,
(void *)0x4000, 0));
ut_asserteq(6, regs->num);
ut_asserteq_64(EFI_OUT_OF_RESOURCES,
efi_image_region_add(regs, (void *)0x6000,
(void *)0x0100, 0));
ut_asserteq(6, regs->num);
ut_asserteq_ptr((void *)0x1000, regs->reg[0].data);
ut_asserteq(0x0f00, regs->reg[0].size);
ut_asserteq_ptr((void *)0x1f00, regs->reg[1].data);
ut_asserteq(0x0100, regs->reg[1].size);
ut_asserteq_ptr((void *)0x2000, regs->reg[2].data);
ut_asserteq(0x1100, regs->reg[2].size);
ut_asserteq_ptr((void *)0x3100, regs->reg[3].data);
ut_asserteq(0x0f00, regs->reg[3].size);
ut_asserteq_ptr((void *)0x4000, regs->reg[4].data);
ut_asserteq(0x0000, regs->reg[4].size);
ut_asserteq_ptr((void *)0x4000, regs->reg[5].data);
ut_asserteq(0x0e00, regs->reg[5].size);
free(regs);
return 0;
}
LIB_TEST(lib_test_efi_image_region_sort, 0);

4
test/py/tests/test_efi_fit.py
View File

@@ -106,14 +106,14 @@ FDT_DATA = '''
/ {
#address-cells = <1>;
#size-cells = <0>;
#size-cells = <1>;
model = "%(sys-arch)s %(fdt_type)s EFI FIT Boot Test";
compatible = "%(sys-arch)s";
reset@0 {
compatible = "%(sys-arch)s,reset";
reg = <0>;
reg = <0 4>;
};
};
'''

16
test/py/tests/test_efi_secboot/conftest.py
View File

@@ -76,37 +76,37 @@ def efi_boot_env(request, u_boot_config):
## PK
check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365'
% mnt_point, shell=True)
check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth'
check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -t "2020-04-01" -c PK.crt -k PK.key PK PK.esl PK.auth'
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
shell=True)
## PK_null for deletion
check_call('cd %s; sleep 2; touch PK_null.esl; %ssign-efi-sig-list -c PK.crt -k PK.key PK PK_null.esl PK_null.auth'
check_call('cd %s; touch PK_null.esl; %ssign-efi-sig-list -t "2020-04-02" -c PK.crt -k PK.key PK PK_null.esl PK_null.auth'
% (mnt_point, EFITOOLS_PATH), shell=True)
## KEK
check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365'
% mnt_point, shell=True)
check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth'
check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -t "2020-04-03" -c PK.crt -k PK.key KEK KEK.esl KEK.auth'
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
shell=True)
## db
check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ -keyout db.key -out db.crt -nodes -days 365'
% mnt_point, shell=True)
check_call('cd %s; %scert-to-efi-sig-list -g %s db.crt db.esl; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth'
check_call('cd %s; %scert-to-efi-sig-list -g %s db.crt db.esl; %ssign-efi-sig-list -t "2020-04-04" -c KEK.crt -k KEK.key db db.esl db.auth'
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
shell=True)
## db1
check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db1/ -keyout db1.key -out db1.crt -nodes -days 365'
% mnt_point, shell=True)
check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db1.esl db1.auth'
check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key db db1.esl db1.auth'
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
shell=True)
## db1-update
check_call('cd %s; %ssign-efi-sig-list -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth'
check_call('cd %s; %ssign-efi-sig-list -t "2020-04-06" -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth'
% (mnt_point, EFITOOLS_PATH), shell=True)
## dbx
check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365'
% mnt_point, shell=True)
check_call('cd %s; %scert-to-efi-sig-list -g %s dbx.crt dbx.esl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth'
check_call('cd %s; %scert-to-efi-sig-list -g %s dbx.crt dbx.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth'
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
shell=True)
@@ -117,7 +117,7 @@ def efi_boot_env(request, u_boot_config):
check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi'
% mnt_point, shell=True)
## Digest image
check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth'
check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth'
% (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH),
shell=True)

91
test/py/tests/test_efi_secboot/test_authvar.py
View File

@@ -9,7 +9,6 @@ This test verifies variable authentication
"""
import pytest
import re
from defs import *
@pytest.mark.boardspec('sandbox')
@@ -40,7 +39,7 @@ class TestEfiAuthVar(object):
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -i 4000000,$filesize PK'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
with u_boot_console.log.section('Test Case 1c'):
# Test Case 1c, install PK
@@ -48,7 +47,7 @@ class TestEfiAuthVar(object):
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
'printenv -e -n PK'])
assert(re.search('PK:', ''.join(output)))
assert('PK:' in ''.join(output))
output = u_boot_console.run_command(
'printenv -e SecureBoot')
@@ -62,25 +61,25 @@ class TestEfiAuthVar(object):
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
with u_boot_console.log.section('Test Case 1e'):
# Test Case 1e, install KEK
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -i 4000000,$filesize KEK'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'printenv -e -n KEK'])
assert(re.search('KEK:', ''.join(output)))
assert('KEK:' in ''.join(output))
output = u_boot_console.run_command(
'printenv -e SecureBoot')
@@ -91,14 +90,14 @@ class TestEfiAuthVar(object):
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -i 4000000,$filesize db'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('db:', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
assert('db:' in ''.join(output))
output = u_boot_console.run_command(
'printenv -e SecureBoot')
@@ -107,16 +106,16 @@ class TestEfiAuthVar(object):
with u_boot_console.log.section('Test Case 1g'):
# Test Case 1g, install dbx
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -i 4000000,$filesize db'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
'fatload host 0:1 4000000 dbx.auth',
'setenv -e -nv -bs -rt -i 4000000,$filesize dbx'])
assert('Failed to set EFI variable' in ''.join(output))
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('db:', ''.join(output)))
'fatload host 0:1 4000000 dbx.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f dbx'])
assert(not 'Failed to set EFI variable' in ''.join(output))
assert('dbx:' in ''.join(output))
output = u_boot_console.run_command(
'printenv -e SecureBoot')
@@ -133,26 +132,26 @@ class TestEfiAuthVar(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('db:', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
assert('db:' in ''.join(output))
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db1.auth',
'setenv -e -nv -bs -rt -i 4000000,$filesize db'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
with u_boot_console.log.section('Test Case 2b'):
# Test Case 2b, update without correct signature
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db.esl',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
with u_boot_console.log.section('Test Case 2c'):
# Test Case 2c, update with correct signature
@@ -160,8 +159,8 @@ class TestEfiAuthVar(object):
'fatload host 0:1 4000000 db1.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('db:', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
assert('db:' in ''.join(output))
def test_efi_var_auth3(self, u_boot_console, efi_boot_env):
"""
@@ -174,26 +173,26 @@ class TestEfiAuthVar(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('db:', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
assert('db:' in ''.join(output))
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db1.auth',
'setenv -e -nv -bs -rt -a -i 4000000,$filesize db'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
with u_boot_console.log.section('Test Case 3b'):
# Test Case 3b, update without correct signature
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db.esl',
'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
with u_boot_console.log.section('Test Case 3c'):
# Test Case 3c, update with correct signature
@@ -201,8 +200,8 @@ class TestEfiAuthVar(object):
'fatload host 0:1 4000000 db1.auth',
'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db',
'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('db:', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
assert('db:' in ''.join(output))
def test_efi_var_auth4(self, u_boot_console, efi_boot_env):
"""
@@ -215,28 +214,28 @@ class TestEfiAuthVar(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('db:', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
assert('db:' in ''.join(output))
output = u_boot_console.run_command_list([
'setenv -e -nv -bs -rt db',
'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('db:', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
assert('db:' in ''.join(output))
with u_boot_console.log.section('Test Case 4b'):
# Test Case 4b, update without correct signature/data
output = u_boot_console.run_command_list([
'setenv -e -nv -bs -rt -at db',
'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('db:', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
assert('db:' in ''.join(output))
def test_efi_var_auth5(self, u_boot_console, efi_boot_env):
"""
@@ -249,21 +248,21 @@ class TestEfiAuthVar(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK; echo',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
'printenv -e -n PK'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('PK:', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
assert('PK:' in ''.join(output))
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 PK_null.esl',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
'printenv -e -n PK'])
assert(re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('PK:', ''.join(output)))
assert('Failed to set EFI variable' in ''.join(output))
assert('PK:' in ''.join(output))
with u_boot_console.log.section('Test Case 5b'):
# Test Case 5b, Uninstall PK with correct signature
@@ -271,8 +270,8 @@ class TestEfiAuthVar(object):
'fatload host 0:1 4000000 PK_null.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK',
'printenv -e -n PK'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(re.search('\"PK\" not defined', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
assert('\"PK\" not defined' in ''.join(output))
output = u_boot_console.run_command(
'printenv -e SecureBoot')

38
test/py/tests/test_efi_secboot/test_signed.py
View File

@@ -9,7 +9,6 @@ This test verifies image authentication for signed images.
"""
import pytest
import re
from defs import *
@pytest.mark.boardspec('sandbox')
@@ -29,10 +28,10 @@ class TestEfiSignedImage(object):
# Test Case 1a, run signed image if no db/dbx
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""; echo',
'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""',
'efidebug boot next 1',
'bootefi bootmgr'])
assert(re.search('Hello, world!', ''.join(output)))
assert('Hello, world!' in ''.join(output))
with u_boot_console.log.section('Test Case 1b'):
# Test Case 1b, run unsigned image if no db/dbx
@@ -40,7 +39,7 @@ class TestEfiSignedImage(object):
'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""',
'efidebug boot next 2',
'bootefi bootmgr'])
assert(re.search('Hello, world!', ''.join(output)))
assert('Hello, world!' in ''.join(output))
with u_boot_console.log.section('Test Case 1c'):
# Test Case 1c, not authenticated by db
@@ -51,24 +50,23 @@ class TestEfiSignedImage(object):
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot next 2',
'bootefi bootmgr'])
assert(re.search('\'HELLO2\' failed', ''.join(output)))
assert('\'HELLO2\' failed' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot next 2',
'efidebug test bootmgr'])
assert(re.search('efi_start_image[(][)] returned: 26',
''.join(output)))
assert(not re.search('Hello, world!', ''.join(output)))
assert('efi_start_image() returned: 26' in ''.join(output))
assert(not 'Hello, world!' in ''.join(output))
with u_boot_console.log.section('Test Case 1d'):
# Test Case 1d, authenticated by db
output = u_boot_console.run_command_list([
'efidebug boot next 1',
'bootefi bootmgr'])
assert(re.search('Hello, world!', ''.join(output)))
assert('Hello, world!' in ''.join(output))
def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env):
"""
@@ -81,37 +79,35 @@ class TestEfiSignedImage(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx; echo',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
'efidebug boot next 1',
'bootefi bootmgr'])
assert(re.search('\'HELLO\' failed', ''.join(output)))
assert('\'HELLO\' failed' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot next 1',
'efidebug test bootmgr'])
assert(re.search('efi_start_image[(][)] returned: 26',
''.join(output)))
assert(not re.search('Hello, world!', ''.join(output)))
assert('efi_start_image() returned: 26' in ''.join(output))
assert(not 'Hello, world!' in ''.join(output))
with u_boot_console.log.section('Test Case 2b'):
# Test Case 2b, rejected by dbx even if db allows
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot next 1',
'bootefi bootmgr'])
assert(re.search('\'HELLO\' failed', ''.join(output)))
assert('\'HELLO\' failed' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot next 1',
'efidebug test bootmgr'])
assert(re.search('efi_start_image[(][)] returned: 26',
''.join(output)))
assert(not re.search('Hello, world!', ''.join(output)))
assert('efi_start_image() returned: 26' in ''.join(output))
assert(not 'Hello, world!' in ''.join(output))

38
test/py/tests/test_efi_secboot/test_unsigned.py
View File

@@ -9,7 +9,6 @@ This test verifies image authentication for unsigned images.
"""
import pytest
import re
from defs import *
@pytest.mark.boardspec('sandbox')
@@ -30,22 +29,21 @@ class TestEfiUnsignedImage(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK; echo',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
'efidebug boot next 1',
'bootefi bootmgr'])
assert(re.search('\'HELLO\' failed', ''.join(output)))
assert('\'HELLO\' failed' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot next 1',
'efidebug test bootmgr'])
assert(re.search('efi_start_image[(][)] returned: 26',
''.join(output)))
assert(not re.search('Hello, world!', ''.join(output)))
assert('efi_start_image() returned: 26' in ''.join(output))
assert(not 'Hello, world!' in ''.join(output))
def test_efi_unsigned_image_auth2(self, u_boot_console, efi_boot_env):
"""
@@ -58,18 +56,18 @@ class TestEfiUnsignedImage(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 db_hello.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db; echo',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
'efidebug boot next 1',
'bootefi bootmgr'])
assert(re.search('Hello, world!', ''.join(output)))
assert('Hello, world!' in ''.join(output))
def test_efi_unsigned_image_auth3(self, u_boot_console, efi_boot_env):
"""
@@ -82,40 +80,38 @@ class TestEfiUnsignedImage(object):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 db_hello.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx; echo',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
'efidebug boot next 1',
'bootefi bootmgr'])
assert(re.search('\'HELLO\' failed', ''.join(output)))
assert('\'HELLO\' failed' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot next 1',
'efidebug test bootmgr'])
assert(re.search('efi_start_image[(][)] returned: 26',
''.join(output)))
assert(not re.search('Hello, world!', ''.join(output)))
assert('efi_start_image() returned: 26' in ''.join(output))
assert(not 'Hello, world!' in ''.join(output))
with u_boot_console.log.section('Test Case 3b'):
# Test Case 3b, rejected by dbx even if db allows
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 db_hello.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
assert(not re.search('Failed to set EFI variable', ''.join(output)))
assert(not 'Failed to set EFI variable' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot add 1 HELLO host 0:1 /helloworld.efi ""',
'efidebug boot next 1',
'bootefi bootmgr'])
assert(re.search('\'HELLO\' failed', ''.join(output)))
assert('\'HELLO\' failed' in ''.join(output))
output = u_boot_console.run_command_list([
'efidebug boot next 1',
'efidebug test bootmgr'])
assert(re.search('efi_start_image[(][)] returned: 26',
''.join(output)))
assert(not re.search('Hello, world!', ''.join(output)))
assert('efi_start_image() returned: 26' in ''.join(output))
assert(not 'Hello, world!' in ''.join(output))