diff mbox series

[v5,05/11] test/py: efi_capsule: add image authentication test

Message ID 20211028062356.98224-6-takahiro.akashi@linaro.org
State Superseded
Headers show
Series efi_loader: capsule: improve capsule authentication support | expand

Commit Message

AKASHI Takahiro Oct. 28, 2021, 6:23 a.m. UTC
Add a couple of test cases against capsule image authentication
for capsule-on-disk, where only a signed capsule file with the verified
signature will be applied to the system.

Due to the difficulty of embedding a public key (esl file) in U-Boot
binary during pytest setup time, all the keys/certificates are pre-created.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

---
 .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
 test/py/tests/test_efi_capsule/conftest.py    |  35 ++-
 test/py/tests/test_efi_capsule/signature.dts  |  10 +
 .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++
 4 files changed, 280 insertions(+), 3 deletions(-)
 create mode 100644 test/py/tests/test_efi_capsule/signature.dts
 create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

-- 
2.33.0

Comments

Simon Glass Oct. 29, 2021, 3:17 a.m. UTC | #1
Hi Takahiro,

On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro
<takahiro.akashi@linaro.org> wrote:
>

> Add a couple of test cases against capsule image authentication

> for capsule-on-disk, where only a signed capsule file with the verified

> signature will be applied to the system.

>

> Due to the difficulty of embedding a public key (esl file) in U-Boot

> binary during pytest setup time, all the keys/certificates are pre-created.

>

> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

> ---

>  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +

>  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-

>  test/py/tests/test_efi_capsule/signature.dts  |  10 +

>  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++

>  4 files changed, 280 insertions(+), 3 deletions(-)

>  create mode 100644 test/py/tests/test_efi_capsule/signature.dts

>  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

>

> diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py

> index 4fd6353c2040..aa9bf5eee3aa 100644

> --- a/test/py/tests/test_efi_capsule/capsule_defs.py

> +++ b/test/py/tests/test_efi_capsule/capsule_defs.py

> @@ -3,3 +3,8 @@

>  # Directories

>  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'

>  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'

> +

> +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and

> +# you need build a newer version on your own.

> +# The path must terminate with '/'.

> +EFITOOLS_PATH = ''

> diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py

> index 6ad5608cd71c..b0e84dec4931 100644

> --- a/test/py/tests/test_efi_capsule/conftest.py

> +++ b/test/py/tests/test_efi_capsule/conftest.py

> @@ -10,13 +10,13 @@ import pytest

>  from capsule_defs import *

>

>  #

> -# Fixture for UEFI secure boot test

> +# Fixture for UEFI capsule test

>  #

>

> -

>  @pytest.fixture(scope='session')

>  def efi_capsule_data(request, u_boot_config):

> -    """Set up a file system to be used in UEFI capsule test.

> +    """Set up a file system to be used in UEFI capsule and

> +       authentication test.

>

>      Args:

>          request: Pytest request object.

> @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):

>          check_call('mkdir -p %s' % data_dir, shell=True)

>          check_call('mkdir -p %s' % install_dir, shell=True)

>

> +        capsule_auth_enabled = u_boot_config.buildconfig.get(

> +                    'config_efi_capsule_authenticate')

> +        if capsule_auth_enabled:

> +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)

> +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'

> +                       % data_dir, shell=True)


run_and_log()?

Can you split up the args or something to reduce the line length?

> +            check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'

> +                       % (data_dir, EFITOOLS_PATH), shell=True)

> +

[..]

Regards,
Simon
AKASHI Takahiro Oct. 29, 2021, 5:25 a.m. UTC | #2
On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:
> Hi Takahiro,

> 

> On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro

> <takahiro.akashi@linaro.org> wrote:

> >

> > Add a couple of test cases against capsule image authentication

> > for capsule-on-disk, where only a signed capsule file with the verified

> > signature will be applied to the system.

> >

> > Due to the difficulty of embedding a public key (esl file) in U-Boot

> > binary during pytest setup time, all the keys/certificates are pre-created.

> >

> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

> > ---

> >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +

> >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-

> >  test/py/tests/test_efi_capsule/signature.dts  |  10 +

> >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++

> >  4 files changed, 280 insertions(+), 3 deletions(-)

> >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts

> >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

> >

> > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py

> > index 4fd6353c2040..aa9bf5eee3aa 100644

> > --- a/test/py/tests/test_efi_capsule/capsule_defs.py

> > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py

> > @@ -3,3 +3,8 @@

> >  # Directories

> >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'

> >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'

> > +

> > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and

> > +# you need build a newer version on your own.

> > +# The path must terminate with '/'.

> > +EFITOOLS_PATH = ''

> > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py

> > index 6ad5608cd71c..b0e84dec4931 100644

> > --- a/test/py/tests/test_efi_capsule/conftest.py

> > +++ b/test/py/tests/test_efi_capsule/conftest.py

> > @@ -10,13 +10,13 @@ import pytest

> >  from capsule_defs import *

> >

> >  #

> > -# Fixture for UEFI secure boot test

> > +# Fixture for UEFI capsule test

> >  #

> >

> > -

> >  @pytest.fixture(scope='session')

> >  def efi_capsule_data(request, u_boot_config):

> > -    """Set up a file system to be used in UEFI capsule test.

> > +    """Set up a file system to be used in UEFI capsule and

> > +       authentication test.

> >

> >      Args:

> >          request: Pytest request object.

> > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):

> >          check_call('mkdir -p %s' % data_dir, shell=True)

> >          check_call('mkdir -p %s' % install_dir, shell=True)

> >

> > +        capsule_auth_enabled = u_boot_config.buildconfig.get(

> > +                    'config_efi_capsule_authenticate')

> > +        if capsule_auth_enabled:

> > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)

> > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'

> > +                       % data_dir, shell=True)

> 

> run_and_log()?


I have always used this style of coding in this file as well as
other my pytests in test/py/tests (filesystem and secure boot).

So, at least in this patch, I don't want to have mixed styles.

> Can you split up the args or something to reduce the line length?


I will try to fix them if possible.

-Takahiro Akashi


> > +            check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'

> > +                       % (data_dir, EFITOOLS_PATH), shell=True)

> > +

> [..]

> 

> Regards,

> Simon
Simon Glass Nov. 2, 2021, 2:58 p.m. UTC | #3
Hi Takahiro,

On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro
<takahiro.akashi@linaro.org> wrote:
>

> On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:

> > Hi Takahiro,

> >

> > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro

> > <takahiro.akashi@linaro.org> wrote:

> > >

> > > Add a couple of test cases against capsule image authentication

> > > for capsule-on-disk, where only a signed capsule file with the verified

> > > signature will be applied to the system.

> > >

> > > Due to the difficulty of embedding a public key (esl file) in U-Boot

> > > binary during pytest setup time, all the keys/certificates are pre-created.

> > >

> > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

> > > ---

> > >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +

> > >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-

> > >  test/py/tests/test_efi_capsule/signature.dts  |  10 +

> > >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++

> > >  4 files changed, 280 insertions(+), 3 deletions(-)

> > >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts

> > >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

> > >

> > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > index 4fd6353c2040..aa9bf5eee3aa 100644

> > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py

> > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > @@ -3,3 +3,8 @@

> > >  # Directories

> > >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'

> > >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'

> > > +

> > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and

> > > +# you need build a newer version on your own.

> > > +# The path must terminate with '/'.

> > > +EFITOOLS_PATH = ''

> > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py

> > > index 6ad5608cd71c..b0e84dec4931 100644

> > > --- a/test/py/tests/test_efi_capsule/conftest.py

> > > +++ b/test/py/tests/test_efi_capsule/conftest.py

> > > @@ -10,13 +10,13 @@ import pytest

> > >  from capsule_defs import *

> > >

> > >  #

> > > -# Fixture for UEFI secure boot test

> > > +# Fixture for UEFI capsule test

> > >  #

> > >

> > > -

> > >  @pytest.fixture(scope='session')

> > >  def efi_capsule_data(request, u_boot_config):

> > > -    """Set up a file system to be used in UEFI capsule test.

> > > +    """Set up a file system to be used in UEFI capsule and

> > > +       authentication test.

> > >

> > >      Args:

> > >          request: Pytest request object.

> > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):

> > >          check_call('mkdir -p %s' % data_dir, shell=True)

> > >          check_call('mkdir -p %s' % install_dir, shell=True)

> > >

> > > +        capsule_auth_enabled = u_boot_config.buildconfig.get(

> > > +                    'config_efi_capsule_authenticate')

> > > +        if capsule_auth_enabled:

> > > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)

> > > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'

> > > +                       % data_dir, shell=True)

> >

> > run_and_log()?

>

> I have always used this style of coding in this file as well as

> other my pytests in test/py/tests (filesystem and secure boot).

>

> So, at least in this patch, I don't want to have mixed styles.


I don't mind about the style.

Does the command appear in the test log?

Regards,
Simon
AKASHI Takahiro Nov. 4, 2021, 2:04 a.m. UTC | #4
On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote:
> Hi Takahiro,

> 

> On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro

> <takahiro.akashi@linaro.org> wrote:

> >

> > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:

> > > Hi Takahiro,

> > >

> > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro

> > > <takahiro.akashi@linaro.org> wrote:

> > > >

> > > > Add a couple of test cases against capsule image authentication

> > > > for capsule-on-disk, where only a signed capsule file with the verified

> > > > signature will be applied to the system.

> > > >

> > > > Due to the difficulty of embedding a public key (esl file) in U-Boot

> > > > binary during pytest setup time, all the keys/certificates are pre-created.

> > > >

> > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

> > > > ---

> > > >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +

> > > >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-

> > > >  test/py/tests/test_efi_capsule/signature.dts  |  10 +

> > > >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++

> > > >  4 files changed, 280 insertions(+), 3 deletions(-)

> > > >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts

> > > >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

> > > >

> > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > index 4fd6353c2040..aa9bf5eee3aa 100644

> > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > @@ -3,3 +3,8 @@

> > > >  # Directories

> > > >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'

> > > >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'

> > > > +

> > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and

> > > > +# you need build a newer version on your own.

> > > > +# The path must terminate with '/'.

> > > > +EFITOOLS_PATH = ''

> > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py

> > > > index 6ad5608cd71c..b0e84dec4931 100644

> > > > --- a/test/py/tests/test_efi_capsule/conftest.py

> > > > +++ b/test/py/tests/test_efi_capsule/conftest.py

> > > > @@ -10,13 +10,13 @@ import pytest

> > > >  from capsule_defs import *

> > > >

> > > >  #

> > > > -# Fixture for UEFI secure boot test

> > > > +# Fixture for UEFI capsule test

> > > >  #

> > > >

> > > > -

> > > >  @pytest.fixture(scope='session')

> > > >  def efi_capsule_data(request, u_boot_config):

> > > > -    """Set up a file system to be used in UEFI capsule test.

> > > > +    """Set up a file system to be used in UEFI capsule and

> > > > +       authentication test.

> > > >

> > > >      Args:

> > > >          request: Pytest request object.

> > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):

> > > >          check_call('mkdir -p %s' % data_dir, shell=True)

> > > >          check_call('mkdir -p %s' % install_dir, shell=True)

> > > >

> > > > +        capsule_auth_enabled = u_boot_config.buildconfig.get(

> > > > +                    'config_efi_capsule_authenticate')

> > > > +        if capsule_auth_enabled:

> > > > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)

> > > > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'

> > > > +                       % data_dir, shell=True)

> > >

> > > run_and_log()?

> >

> > I have always used this style of coding in this file as well as

> > other my pytests in test/py/tests (filesystem and secure boot).

> >

> > So, at least in this patch, I don't want to have mixed styles.

> 

> I don't mind about the style.

> 

> Does the command appear in the test log?


I don't think so as it is invoked in conftest.py.
If the command fails, the tests will skip, and if it generates
a improper signature, the tests will fail.

-Takahiro Akashi


> Regards,

> Simon
Simon Glass Nov. 4, 2021, 2:49 a.m. UTC | #5
Hi Takahiro,

On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
>

> On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote:

> > Hi Takahiro,

> >

> > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro

> > <takahiro.akashi@linaro.org> wrote:

> > >

> > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:

> > > > Hi Takahiro,

> > > >

> > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro

> > > > <takahiro.akashi@linaro.org> wrote:

> > > > >

> > > > > Add a couple of test cases against capsule image authentication

> > > > > for capsule-on-disk, where only a signed capsule file with the verified

> > > > > signature will be applied to the system.

> > > > >

> > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot

> > > > > binary during pytest setup time, all the keys/certificates are pre-created.

> > > > >

> > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

> > > > > ---

> > > > >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +

> > > > >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-

> > > > >  test/py/tests/test_efi_capsule/signature.dts  |  10 +

> > > > >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++

> > > > >  4 files changed, 280 insertions(+), 3 deletions(-)

> > > > >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts

> > > > >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

> > > > >

> > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > index 4fd6353c2040..aa9bf5eee3aa 100644

> > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > @@ -3,3 +3,8 @@

> > > > >  # Directories

> > > > >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'

> > > > >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'

> > > > > +

> > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and

> > > > > +# you need build a newer version on your own.

> > > > > +# The path must terminate with '/'.

> > > > > +EFITOOLS_PATH = ''

> > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py

> > > > > index 6ad5608cd71c..b0e84dec4931 100644

> > > > > --- a/test/py/tests/test_efi_capsule/conftest.py

> > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py

> > > > > @@ -10,13 +10,13 @@ import pytest

> > > > >  from capsule_defs import *

> > > > >

> > > > >  #

> > > > > -# Fixture for UEFI secure boot test

> > > > > +# Fixture for UEFI capsule test

> > > > >  #

> > > > >

> > > > > -

> > > > >  @pytest.fixture(scope='session')

> > > > >  def efi_capsule_data(request, u_boot_config):

> > > > > -    """Set up a file system to be used in UEFI capsule test.

> > > > > +    """Set up a file system to be used in UEFI capsule and

> > > > > +       authentication test.

> > > > >

> > > > >      Args:

> > > > >          request: Pytest request object.

> > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):

> > > > >          check_call('mkdir -p %s' % data_dir, shell=True)

> > > > >          check_call('mkdir -p %s' % install_dir, shell=True)

> > > > >

> > > > > +        capsule_auth_enabled = u_boot_config.buildconfig.get(

> > > > > +                    'config_efi_capsule_authenticate')

> > > > > +        if capsule_auth_enabled:

> > > > > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)

> > > > > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'

> > > > > +                       % data_dir, shell=True)

> > > >

> > > > run_and_log()?

> > >

> > > I have always used this style of coding in this file as well as

> > > other my pytests in test/py/tests (filesystem and secure boot).

> > >

> > > So, at least in this patch, I don't want to have mixed styles.

> >

> > I don't mind about the style.

> >

> > Does the command appear in the test log?

>

> I don't think so as it is invoked in conftest.py.

> If the command fails, the tests will skip, and if it generates

> a improper signature, the tests will fail.


Well that is what I am getting at. Can you check?

The test log is supposed to show everything that happened. It does
that with other tests and I worry that using this function to run
things will mean that no one will be able to debug your test in CI.

Regards,
Simon
AKASHI Takahiro Nov. 5, 2021, 1:21 a.m. UTC | #6
On Wed, Nov 03, 2021 at 08:49:04PM -0600, Simon Glass wrote:
> Hi Takahiro,

> 

> On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:

> >

> > On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote:

> > > Hi Takahiro,

> > >

> > > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro

> > > <takahiro.akashi@linaro.org> wrote:

> > > >

> > > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:

> > > > > Hi Takahiro,

> > > > >

> > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro

> > > > > <takahiro.akashi@linaro.org> wrote:

> > > > > >

> > > > > > Add a couple of test cases against capsule image authentication

> > > > > > for capsule-on-disk, where only a signed capsule file with the verified

> > > > > > signature will be applied to the system.

> > > > > >

> > > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot

> > > > > > binary during pytest setup time, all the keys/certificates are pre-created.

> > > > > >

> > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

> > > > > > ---

> > > > > >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +

> > > > > >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-

> > > > > >  test/py/tests/test_efi_capsule/signature.dts  |  10 +

> > > > > >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++

> > > > > >  4 files changed, 280 insertions(+), 3 deletions(-)

> > > > > >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts

> > > > > >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

> > > > > >

> > > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > index 4fd6353c2040..aa9bf5eee3aa 100644

> > > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > @@ -3,3 +3,8 @@

> > > > > >  # Directories

> > > > > >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'

> > > > > >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'

> > > > > > +

> > > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and

> > > > > > +# you need build a newer version on your own.

> > > > > > +# The path must terminate with '/'.

> > > > > > +EFITOOLS_PATH = ''

> > > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py

> > > > > > index 6ad5608cd71c..b0e84dec4931 100644

> > > > > > --- a/test/py/tests/test_efi_capsule/conftest.py

> > > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py

> > > > > > @@ -10,13 +10,13 @@ import pytest

> > > > > >  from capsule_defs import *

> > > > > >

> > > > > >  #

> > > > > > -# Fixture for UEFI secure boot test

> > > > > > +# Fixture for UEFI capsule test

> > > > > >  #

> > > > > >

> > > > > > -

> > > > > >  @pytest.fixture(scope='session')

> > > > > >  def efi_capsule_data(request, u_boot_config):

> > > > > > -    """Set up a file system to be used in UEFI capsule test.

> > > > > > +    """Set up a file system to be used in UEFI capsule and

> > > > > > +       authentication test.

> > > > > >

> > > > > >      Args:

> > > > > >          request: Pytest request object.

> > > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):

> > > > > >          check_call('mkdir -p %s' % data_dir, shell=True)

> > > > > >          check_call('mkdir -p %s' % install_dir, shell=True)

> > > > > >

> > > > > > +        capsule_auth_enabled = u_boot_config.buildconfig.get(

> > > > > > +                    'config_efi_capsule_authenticate')

> > > > > > +        if capsule_auth_enabled:

> > > > > > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)

> > > > > > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'

> > > > > > +                       % data_dir, shell=True)

> > > > >

> > > > > run_and_log()?

> > > >

> > > > I have always used this style of coding in this file as well as

> > > > other my pytests in test/py/tests (filesystem and secure boot).

> > > >

> > > > So, at least in this patch, I don't want to have mixed styles.

> > >

> > > I don't mind about the style.

> > >

> > > Does the command appear in the test log?

> >

> > I don't think so as it is invoked in conftest.py.

> > If the command fails, the tests will skip, and if it generates

> > a improper signature, the tests will fail.

> 

> Well that is what I am getting at. Can you check?


Yes.

> The test log is supposed to show everything that happened. It does

> that with other tests


It does?
(I don't think so.)

> and I worry that using this function to run

> things will mean that no one will be able to debug your test in CI.


What is missing in general is that confest.py doesn't generate
line-by-line trace logs if needed.
It's not my test specific.

-Takahiro Akashi

> Regards,

> Simon
Simon Glass Nov. 5, 2021, 2:02 a.m. UTC | #7
Hi Takahiro,

On Thu, 4 Nov 2021 at 19:21, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
>

> On Wed, Nov 03, 2021 at 08:49:04PM -0600, Simon Glass wrote:

> > Hi Takahiro,

> >

> > On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:

> > >

> > > On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote:

> > > > Hi Takahiro,

> > > >

> > > > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro

> > > > <takahiro.akashi@linaro.org> wrote:

> > > > >

> > > > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:

> > > > > > Hi Takahiro,

> > > > > >

> > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro

> > > > > > <takahiro.akashi@linaro.org> wrote:

> > > > > > >

> > > > > > > Add a couple of test cases against capsule image authentication

> > > > > > > for capsule-on-disk, where only a signed capsule file with the verified

> > > > > > > signature will be applied to the system.

> > > > > > >

> > > > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot

> > > > > > > binary during pytest setup time, all the keys/certificates are pre-created.

> > > > > > >

> > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

> > > > > > > ---

> > > > > > >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +

> > > > > > >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-

> > > > > > >  test/py/tests/test_efi_capsule/signature.dts  |  10 +

> > > > > > >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++

> > > > > > >  4 files changed, 280 insertions(+), 3 deletions(-)

> > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts

> > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

> > > > > > >

> > > > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > > index 4fd6353c2040..aa9bf5eee3aa 100644

> > > > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > > @@ -3,3 +3,8 @@

> > > > > > >  # Directories

> > > > > > >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'

> > > > > > >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'

> > > > > > > +

> > > > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and

> > > > > > > +# you need build a newer version on your own.

> > > > > > > +# The path must terminate with '/'.

> > > > > > > +EFITOOLS_PATH = ''

> > > > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py

> > > > > > > index 6ad5608cd71c..b0e84dec4931 100644

> > > > > > > --- a/test/py/tests/test_efi_capsule/conftest.py

> > > > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py

> > > > > > > @@ -10,13 +10,13 @@ import pytest

> > > > > > >  from capsule_defs import *

> > > > > > >

> > > > > > >  #

> > > > > > > -# Fixture for UEFI secure boot test

> > > > > > > +# Fixture for UEFI capsule test

> > > > > > >  #

> > > > > > >

> > > > > > > -

> > > > > > >  @pytest.fixture(scope='session')

> > > > > > >  def efi_capsule_data(request, u_boot_config):

> > > > > > > -    """Set up a file system to be used in UEFI capsule test.

> > > > > > > +    """Set up a file system to be used in UEFI capsule and

> > > > > > > +       authentication test.

> > > > > > >

> > > > > > >      Args:

> > > > > > >          request: Pytest request object.

> > > > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):

> > > > > > >          check_call('mkdir -p %s' % data_dir, shell=True)

> > > > > > >          check_call('mkdir -p %s' % install_dir, shell=True)

> > > > > > >

> > > > > > > +        capsule_auth_enabled = u_boot_config.buildconfig.get(

> > > > > > > +                    'config_efi_capsule_authenticate')

> > > > > > > +        if capsule_auth_enabled:

> > > > > > > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)

> > > > > > > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'

> > > > > > > +                       % data_dir, shell=True)

> > > > > >

> > > > > > run_and_log()?

> > > > >

> > > > > I have always used this style of coding in this file as well as

> > > > > other my pytests in test/py/tests (filesystem and secure boot).

> > > > >

> > > > > So, at least in this patch, I don't want to have mixed styles.

> > > >

> > > > I don't mind about the style.

> > > >

> > > > Does the command appear in the test log?

> > >

> > > I don't think so as it is invoked in conftest.py.

> > > If the command fails, the tests will skip, and if it generates

> > > a improper signature, the tests will fail.

> >

> > Well that is what I am getting at. Can you check?

>

> Yes.

>

> > The test log is supposed to show everything that happened. It does

> > that with other tests

>

> It does?

> (I don't think so.)

>

> > and I worry that using this function to run

> > things will mean that no one will be able to debug your test in CI.

>

> What is missing in general is that confest.py doesn't generate

> line-by-line trace logs if needed.

> It's not my test specific.


Can you try checking test-log.html ?

Here is an example with a vboot test. See the lines with 'openssl' and
'dtc' ? That is what I am talking about.

Do you see this output with the command you are using?


[-] Section: test_vboot[sha1-basic-sha1--None-False-True]
TIME: NOW: 2021/11/04 19:52:55.916263

TIME: SINCE-PREV: 0:00:00.429408

TIME: SINCE-START: 0:00:00.429408

[-] Section: test_vboot[sha1-basic-sha1--None-False-True]/Starting U-Boot
TIME: NOW: 2021/11/04 19:52:55.916582

TIME: SINCE-PREV: 0:00:00.000319

TIME: SINCE-START: 0:00:00.429727

[-] Stream: console
Creating new bloblist size 400 at c000
sandbox_serial serial: pinctrl_select_state_full:
uclass_get_device_by_phandle_id: err=-19


U-Boot 2021.10-00200-g458c5ec2f57-dirty (Nov 04 2021 - 19:52:48 -0600)

Model: sandbox
DRAM:  128 MiB
Core:  246 devices, 88 uclasses, devicetree: board
WDT:   Not starting gpio-wdt
WDT:   Not starting wdt@0
MMC:   mmc2: 2 (SD), mmc1: 1 (SD), mmc0: 0 (SD)
Loading Environment from nowhere... OK
In:    cros-ec-keyb
Out:   vidconsole
Err:   vidconsole
Model: sandbox
SCSI:
Net:   eth0: eth@10002000, eth5: eth@10003000, eth3: sbe5, eth6:
eth@10004000, eth4: dsa-test-eth, eth2: lan0, eth7: lan1
Hit any key to stop autoboot:  2 %08%08%08 0
=>
TIME: NOW: 2021/11/04 19:52:56.023596

TIME: SINCE-PREV: 0:00:00.107014

TIME: SINCE-START: 0:00:00.536741

TIME: SINCE-SECTION: 0:00:00.107114

[-] Stream: openssl
+openssl genpkey -algorithm RSA -out /tmp/b/sandbox/sha1-basic/dev.key
-pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
...................+++++
...............+++++

TIME: NOW: 2021/11/04 19:52:56.067325

TIME: SINCE-PREV: 0:00:00.043729

TIME: SINCE-START: 0:00:00.580470

[-] Stream: openssl
+openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/dev.key
-out /tmp/b/sandbox/sha1-basic/dev.crt

TIME: NOW: 2021/11/04 19:52:56.077671

TIME: SINCE-PREV: 0:00:00.010346

TIME: SINCE-START: 0:00:00.590816

[-] Stream: openssl
+openssl genpkey -algorithm RSA -out
/tmp/b/sandbox/sha1-basic/prod.key -pkeyopt rsa_keygen_bits:2048
-pkeyopt rsa_keygen_pubexp:65537
...........................+++++
............+++++

TIME: NOW: 2021/11/04 19:52:56.127578

TIME: SINCE-PREV: 0:00:00.049907

TIME: SINCE-START: 0:00:00.640723

[-] Stream: openssl
+openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/prod.key
-out /tmp/b/sandbox/sha1-basic/prod.crt

TIME: NOW: 2021/11/04 19:52:56.136682

TIME: SINCE-PREV: 0:00:00.009104

TIME: SINCE-START: 0:00:00.649827

[-] Stream: dtc
+dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/
/scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-kernel.dts
-O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-kernel.dtb

TIME: NOW: 2021/11/04 19:52:56.142636

TIME: SINCE-PREV: 0:00:00.005954

TIME: SINCE-START: 0:00:00.655781

[-] Stream: dtc
+dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/
/scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts
-O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-u-boot.dtb
/scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts:7.10-9.4:
Warning (unit_address_vs_reg): /reset@0: node has a unit name, but no
reg or ranges property

TIME: NOW: 2021/11/04 19:52:56.147797

Regards,
Simon
AKASHI Takahiro Nov. 5, 2021, 3:24 a.m. UTC | #8
On Thu, Nov 04, 2021 at 08:02:37PM -0600, Simon Glass wrote:
> Hi Takahiro,

> 

> On Thu, 4 Nov 2021 at 19:21, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:

> >

> > On Wed, Nov 03, 2021 at 08:49:04PM -0600, Simon Glass wrote:

> > > Hi Takahiro,

> > >

> > > On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:

> > > >

> > > > On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote:

> > > > > Hi Takahiro,

> > > > >

> > > > > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro

> > > > > <takahiro.akashi@linaro.org> wrote:

> > > > > >

> > > > > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:

> > > > > > > Hi Takahiro,

> > > > > > >

> > > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro

> > > > > > > <takahiro.akashi@linaro.org> wrote:

> > > > > > > >

> > > > > > > > Add a couple of test cases against capsule image authentication

> > > > > > > > for capsule-on-disk, where only a signed capsule file with the verified

> > > > > > > > signature will be applied to the system.

> > > > > > > >

> > > > > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot

> > > > > > > > binary during pytest setup time, all the keys/certificates are pre-created.

> > > > > > > >

> > > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

> > > > > > > > ---

> > > > > > > >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +

> > > > > > > >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-

> > > > > > > >  test/py/tests/test_efi_capsule/signature.dts  |  10 +

> > > > > > > >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++

> > > > > > > >  4 files changed, 280 insertions(+), 3 deletions(-)

> > > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts

> > > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

> > > > > > > >

> > > > > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > > > index 4fd6353c2040..aa9bf5eee3aa 100644

> > > > > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > > > @@ -3,3 +3,8 @@

> > > > > > > >  # Directories

> > > > > > > >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'

> > > > > > > >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'

> > > > > > > > +

> > > > > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and

> > > > > > > > +# you need build a newer version on your own.

> > > > > > > > +# The path must terminate with '/'.

> > > > > > > > +EFITOOLS_PATH = ''

> > > > > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py

> > > > > > > > index 6ad5608cd71c..b0e84dec4931 100644

> > > > > > > > --- a/test/py/tests/test_efi_capsule/conftest.py

> > > > > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py

> > > > > > > > @@ -10,13 +10,13 @@ import pytest

> > > > > > > >  from capsule_defs import *

> > > > > > > >

> > > > > > > >  #

> > > > > > > > -# Fixture for UEFI secure boot test

> > > > > > > > +# Fixture for UEFI capsule test

> > > > > > > >  #

> > > > > > > >

> > > > > > > > -

> > > > > > > >  @pytest.fixture(scope='session')

> > > > > > > >  def efi_capsule_data(request, u_boot_config):

> > > > > > > > -    """Set up a file system to be used in UEFI capsule test.

> > > > > > > > +    """Set up a file system to be used in UEFI capsule and

> > > > > > > > +       authentication test.

> > > > > > > >

> > > > > > > >      Args:

> > > > > > > >          request: Pytest request object.

> > > > > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):

> > > > > > > >          check_call('mkdir -p %s' % data_dir, shell=True)

> > > > > > > >          check_call('mkdir -p %s' % install_dir, shell=True)

> > > > > > > >

> > > > > > > > +        capsule_auth_enabled = u_boot_config.buildconfig.get(

> > > > > > > > +                    'config_efi_capsule_authenticate')

> > > > > > > > +        if capsule_auth_enabled:

> > > > > > > > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)

> > > > > > > > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'

> > > > > > > > +                       % data_dir, shell=True)

> > > > > > >

> > > > > > > run_and_log()?

> > > > > >

> > > > > > I have always used this style of coding in this file as well as

> > > > > > other my pytests in test/py/tests (filesystem and secure boot).

> > > > > >

> > > > > > So, at least in this patch, I don't want to have mixed styles.

> > > > >

> > > > > I don't mind about the style.

> > > > >

> > > > > Does the command appear in the test log?

> > > >

> > > > I don't think so as it is invoked in conftest.py.

> > > > If the command fails, the tests will skip, and if it generates

> > > > a improper signature, the tests will fail.

> > >

> > > Well that is what I am getting at. Can you check?

> >

> > Yes.

> >

> > > The test log is supposed to show everything that happened. It does

> > > that with other tests

> >

> > It does?

> > (I don't think so.)

> >

> > > and I worry that using this function to run

> > > things will mean that no one will be able to debug your test in CI.

> >

> > What is missing in general is that confest.py doesn't generate

> > line-by-line trace logs if needed.

> > It's not my test specific.

> 

> Can you try checking test-log.html ?

> 

> Here is an example with a vboot test. See the lines with 'openssl' and

> 'dtc' ? That is what I am talking about.

> 

> Do you see this output with the command you are using?


No. In your case, openssl and dtc are called in a test function,
while my tool is invoked as part of fixture in confest.py.

What I requested is that command executions in fixtures be logged as well.

-Takahiro Akashi

> 

> [-] Section: test_vboot[sha1-basic-sha1--None-False-True]

> TIME: NOW: 2021/11/04 19:52:55.916263

> 

> TIME: SINCE-PREV: 0:00:00.429408

> 

> TIME: SINCE-START: 0:00:00.429408

> 

> [-] Section: test_vboot[sha1-basic-sha1--None-False-True]/Starting U-Boot

> TIME: NOW: 2021/11/04 19:52:55.916582

> 

> TIME: SINCE-PREV: 0:00:00.000319

> 

> TIME: SINCE-START: 0:00:00.429727

> 

> [-] Stream: console

> Creating new bloblist size 400 at c000

> sandbox_serial serial: pinctrl_select_state_full:

> uclass_get_device_by_phandle_id: err=-19

> 

> 

> U-Boot 2021.10-00200-g458c5ec2f57-dirty (Nov 04 2021 - 19:52:48 -0600)

> 

> Model: sandbox

> DRAM:  128 MiB

> Core:  246 devices, 88 uclasses, devicetree: board

> WDT:   Not starting gpio-wdt

> WDT:   Not starting wdt@0

> MMC:   mmc2: 2 (SD), mmc1: 1 (SD), mmc0: 0 (SD)

> Loading Environment from nowhere... OK

> In:    cros-ec-keyb

> Out:   vidconsole

> Err:   vidconsole

> Model: sandbox

> SCSI:

> Net:   eth0: eth@10002000, eth5: eth@10003000, eth3: sbe5, eth6:

> eth@10004000, eth4: dsa-test-eth, eth2: lan0, eth7: lan1

> Hit any key to stop autoboot:  2 %08%08%08 0

> =>

> TIME: NOW: 2021/11/04 19:52:56.023596

> 

> TIME: SINCE-PREV: 0:00:00.107014

> 

> TIME: SINCE-START: 0:00:00.536741

> 

> TIME: SINCE-SECTION: 0:00:00.107114

> 

> [-] Stream: openssl

> +openssl genpkey -algorithm RSA -out /tmp/b/sandbox/sha1-basic/dev.key

> -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537

> ...................+++++

> ...............+++++

> 

> TIME: NOW: 2021/11/04 19:52:56.067325

> 

> TIME: SINCE-PREV: 0:00:00.043729

> 

> TIME: SINCE-START: 0:00:00.580470

> 

> [-] Stream: openssl

> +openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/dev.key

> -out /tmp/b/sandbox/sha1-basic/dev.crt

> 

> TIME: NOW: 2021/11/04 19:52:56.077671

> 

> TIME: SINCE-PREV: 0:00:00.010346

> 

> TIME: SINCE-START: 0:00:00.590816

> 

> [-] Stream: openssl

> +openssl genpkey -algorithm RSA -out

> /tmp/b/sandbox/sha1-basic/prod.key -pkeyopt rsa_keygen_bits:2048

> -pkeyopt rsa_keygen_pubexp:65537

> ...........................+++++

> ............+++++

> 

> TIME: NOW: 2021/11/04 19:52:56.127578

> 

> TIME: SINCE-PREV: 0:00:00.049907

> 

> TIME: SINCE-START: 0:00:00.640723

> 

> [-] Stream: openssl

> +openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/prod.key

> -out /tmp/b/sandbox/sha1-basic/prod.crt

> 

> TIME: NOW: 2021/11/04 19:52:56.136682

> 

> TIME: SINCE-PREV: 0:00:00.009104

> 

> TIME: SINCE-START: 0:00:00.649827

> 

> [-] Stream: dtc

> +dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/

> /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-kernel.dts

> -O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-kernel.dtb

> 

> TIME: NOW: 2021/11/04 19:52:56.142636

> 

> TIME: SINCE-PREV: 0:00:00.005954

> 

> TIME: SINCE-START: 0:00:00.655781

> 

> [-] Stream: dtc

> +dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/

> /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts

> -O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-u-boot.dtb

> /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts:7.10-9.4:

> Warning (unit_address_vs_reg): /reset@0: node has a unit name, but no

> reg or ranges property

> 

> TIME: NOW: 2021/11/04 19:52:56.147797

> 

> Regards,

> Simon
Simon Glass Nov. 5, 2021, 4:12 p.m. UTC | #9
Hi Takahiro,

On Thu, 4 Nov 2021 at 21:24, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
>

> On Thu, Nov 04, 2021 at 08:02:37PM -0600, Simon Glass wrote:

> > Hi Takahiro,

> >

> > On Thu, 4 Nov 2021 at 19:21, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:

> > >

> > > On Wed, Nov 03, 2021 at 08:49:04PM -0600, Simon Glass wrote:

> > > > Hi Takahiro,

> > > >

> > > > On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:

> > > > >

> > > > > On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote:

> > > > > > Hi Takahiro,

> > > > > >

> > > > > > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro

> > > > > > <takahiro.akashi@linaro.org> wrote:

> > > > > > >

> > > > > > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:

> > > > > > > > Hi Takahiro,

> > > > > > > >

> > > > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro

> > > > > > > > <takahiro.akashi@linaro.org> wrote:

> > > > > > > > >

> > > > > > > > > Add a couple of test cases against capsule image authentication

> > > > > > > > > for capsule-on-disk, where only a signed capsule file with the verified

> > > > > > > > > signature will be applied to the system.

> > > > > > > > >

> > > > > > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot

> > > > > > > > > binary during pytest setup time, all the keys/certificates are pre-created.

> > > > > > > > >

> > > > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

> > > > > > > > > ---

> > > > > > > > >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +

> > > > > > > > >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-

> > > > > > > > >  test/py/tests/test_efi_capsule/signature.dts  |  10 +

> > > > > > > > >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++

> > > > > > > > >  4 files changed, 280 insertions(+), 3 deletions(-)

> > > > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts

> > > > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py

> > > > > > > > >

> > > > > > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > > > > index 4fd6353c2040..aa9bf5eee3aa 100644

> > > > > > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py

> > > > > > > > > @@ -3,3 +3,8 @@

> > > > > > > > >  # Directories

> > > > > > > > >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'

> > > > > > > > >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'

> > > > > > > > > +

> > > > > > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and

> > > > > > > > > +# you need build a newer version on your own.

> > > > > > > > > +# The path must terminate with '/'.

> > > > > > > > > +EFITOOLS_PATH = ''

> > > > > > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py

> > > > > > > > > index 6ad5608cd71c..b0e84dec4931 100644

> > > > > > > > > --- a/test/py/tests/test_efi_capsule/conftest.py

> > > > > > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py

> > > > > > > > > @@ -10,13 +10,13 @@ import pytest

> > > > > > > > >  from capsule_defs import *

> > > > > > > > >

> > > > > > > > >  #

> > > > > > > > > -# Fixture for UEFI secure boot test

> > > > > > > > > +# Fixture for UEFI capsule test

> > > > > > > > >  #

> > > > > > > > >

> > > > > > > > > -

> > > > > > > > >  @pytest.fixture(scope='session')

> > > > > > > > >  def efi_capsule_data(request, u_boot_config):

> > > > > > > > > -    """Set up a file system to be used in UEFI capsule test.

> > > > > > > > > +    """Set up a file system to be used in UEFI capsule and

> > > > > > > > > +       authentication test.

> > > > > > > > >

> > > > > > > > >      Args:

> > > > > > > > >          request: Pytest request object.

> > > > > > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):

> > > > > > > > >          check_call('mkdir -p %s' % data_dir, shell=True)

> > > > > > > > >          check_call('mkdir -p %s' % install_dir, shell=True)

> > > > > > > > >

> > > > > > > > > +        capsule_auth_enabled = u_boot_config.buildconfig.get(

> > > > > > > > > +                    'config_efi_capsule_authenticate')

> > > > > > > > > +        if capsule_auth_enabled:

> > > > > > > > > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)

> > > > > > > > > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'

> > > > > > > > > +                       % data_dir, shell=True)

> > > > > > > >

> > > > > > > > run_and_log()?

> > > > > > >

> > > > > > > I have always used this style of coding in this file as well as

> > > > > > > other my pytests in test/py/tests (filesystem and secure boot).

> > > > > > >

> > > > > > > So, at least in this patch, I don't want to have mixed styles.

> > > > > >

> > > > > > I don't mind about the style.

> > > > > >

> > > > > > Does the command appear in the test log?

> > > > >

> > > > > I don't think so as it is invoked in conftest.py.

> > > > > If the command fails, the tests will skip, and if it generates

> > > > > a improper signature, the tests will fail.

> > > >

> > > > Well that is what I am getting at. Can you check?

> > >

> > > Yes.

> > >

> > > > The test log is supposed to show everything that happened. It does

> > > > that with other tests

> > >

> > > It does?

> > > (I don't think so.)

> > >

> > > > and I worry that using this function to run

> > > > things will mean that no one will be able to debug your test in CI.

> > >

> > > What is missing in general is that confest.py doesn't generate

> > > line-by-line trace logs if needed.

> > > It's not my test specific.

> >

> > Can you try checking test-log.html ?

> >

> > Here is an example with a vboot test. See the lines with 'openssl' and

> > 'dtc' ? That is what I am talking about.

> >

> > Do you see this output with the command you are using?

>

> No. In your case, openssl and dtc are called in a test function,

> while my tool is invoked as part of fixture in confest.py.

>

> What I requested is that command executions in fixtures be logged as well.


OK, so it isn't possible to call run_and_log() in fixtures?

Regards,
Simon



>

> -Takahiro Akashi

>

> >

> > [-] Section: test_vboot[sha1-basic-sha1--None-False-True]

> > TIME: NOW: 2021/11/04 19:52:55.916263

> >

> > TIME: SINCE-PREV: 0:00:00.429408

> >

> > TIME: SINCE-START: 0:00:00.429408

> >

> > [-] Section: test_vboot[sha1-basic-sha1--None-False-True]/Starting U-Boot

> > TIME: NOW: 2021/11/04 19:52:55.916582

> >

> > TIME: SINCE-PREV: 0:00:00.000319

> >

> > TIME: SINCE-START: 0:00:00.429727

> >

> > [-] Stream: console

> > Creating new bloblist size 400 at c000

> > sandbox_serial serial: pinctrl_select_state_full:

> > uclass_get_device_by_phandle_id: err=-19

> >

> >

> > U-Boot 2021.10-00200-g458c5ec2f57-dirty (Nov 04 2021 - 19:52:48 -0600)

> >

> > Model: sandbox

> > DRAM:  128 MiB

> > Core:  246 devices, 88 uclasses, devicetree: board

> > WDT:   Not starting gpio-wdt

> > WDT:   Not starting wdt@0

> > MMC:   mmc2: 2 (SD), mmc1: 1 (SD), mmc0: 0 (SD)

> > Loading Environment from nowhere... OK

> > In:    cros-ec-keyb

> > Out:   vidconsole

> > Err:   vidconsole

> > Model: sandbox

> > SCSI:

> > Net:   eth0: eth@10002000, eth5: eth@10003000, eth3: sbe5, eth6:

> > eth@10004000, eth4: dsa-test-eth, eth2: lan0, eth7: lan1

> > Hit any key to stop autoboot:  2 %08%08%08 0

> > =>

> > TIME: NOW: 2021/11/04 19:52:56.023596

> >

> > TIME: SINCE-PREV: 0:00:00.107014

> >

> > TIME: SINCE-START: 0:00:00.536741

> >

> > TIME: SINCE-SECTION: 0:00:00.107114

> >

> > [-] Stream: openssl

> > +openssl genpkey -algorithm RSA -out /tmp/b/sandbox/sha1-basic/dev.key

> > -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537

> > ...................+++++

> > ...............+++++

> >

> > TIME: NOW: 2021/11/04 19:52:56.067325

> >

> > TIME: SINCE-PREV: 0:00:00.043729

> >

> > TIME: SINCE-START: 0:00:00.580470

> >

> > [-] Stream: openssl

> > +openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/dev.key

> > -out /tmp/b/sandbox/sha1-basic/dev.crt

> >

> > TIME: NOW: 2021/11/04 19:52:56.077671

> >

> > TIME: SINCE-PREV: 0:00:00.010346

> >

> > TIME: SINCE-START: 0:00:00.590816

> >

> > [-] Stream: openssl

> > +openssl genpkey -algorithm RSA -out

> > /tmp/b/sandbox/sha1-basic/prod.key -pkeyopt rsa_keygen_bits:2048

> > -pkeyopt rsa_keygen_pubexp:65537

> > ...........................+++++

> > ............+++++

> >

> > TIME: NOW: 2021/11/04 19:52:56.127578

> >

> > TIME: SINCE-PREV: 0:00:00.049907

> >

> > TIME: SINCE-START: 0:00:00.640723

> >

> > [-] Stream: openssl

> > +openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/prod.key

> > -out /tmp/b/sandbox/sha1-basic/prod.crt

> >

> > TIME: NOW: 2021/11/04 19:52:56.136682

> >

> > TIME: SINCE-PREV: 0:00:00.009104

> >

> > TIME: SINCE-START: 0:00:00.649827

> >

> > [-] Stream: dtc

> > +dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/

> > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-kernel.dts

> > -O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-kernel.dtb

> >

> > TIME: NOW: 2021/11/04 19:52:56.142636

> >

> > TIME: SINCE-PREV: 0:00:00.005954

> >

> > TIME: SINCE-START: 0:00:00.655781

> >

> > [-] Stream: dtc

> > +dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/

> > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts

> > -O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-u-boot.dtb

> > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts:7.10-9.4:

> > Warning (unit_address_vs_reg): /reset@0: node has a unit name, but no

> > reg or ranges property

> >

> > TIME: NOW: 2021/11/04 19:52:56.147797

> >

> > Regards,

> > Simon
AKASHI Takahiro Nov. 8, 2021, 4:15 a.m. UTC | #10
On Fri, Nov 05, 2021 at 10:12:20AM -0600, Simon Glass wrote:
> Hi Takahiro,
> 
> On Thu, 4 Nov 2021 at 21:24, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> >
> > On Thu, Nov 04, 2021 at 08:02:37PM -0600, Simon Glass wrote:
> > > Hi Takahiro,
> > >
> > > On Thu, 4 Nov 2021 at 19:21, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> > > >
> > > > On Wed, Nov 03, 2021 at 08:49:04PM -0600, Simon Glass wrote:
> > > > > Hi Takahiro,
> > > > >
> > > > > On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> > > > > >
> > > > > > On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote:
> > > > > > > Hi Takahiro,
> > > > > > >
> > > > > > > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro
> > > > > > > <takahiro.akashi@linaro.org> wrote:
> > > > > > > >
> > > > > > > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:
> > > > > > > > > Hi Takahiro,
> > > > > > > > >
> > > > > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro
> > > > > > > > > <takahiro.akashi@linaro.org> wrote:
> > > > > > > > > >
> > > > > > > > > > Add a couple of test cases against capsule image authentication
> > > > > > > > > > for capsule-on-disk, where only a signed capsule file with the verified
> > > > > > > > > > signature will be applied to the system.
> > > > > > > > > >
> > > > > > > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot
> > > > > > > > > > binary during pytest setup time, all the keys/certificates are pre-created.
> > > > > > > > > >
> > > > > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > > > > > > > > ---
> > > > > > > > > >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
> > > > > > > > > >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-
> > > > > > > > > >  test/py/tests/test_efi_capsule/signature.dts  |  10 +
> > > > > > > > > >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++
> > > > > > > > > >  4 files changed, 280 insertions(+), 3 deletions(-)
> > > > > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts
> > > > > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> > > > > > > > > >
> > > > > > > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > > > > > index 4fd6353c2040..aa9bf5eee3aa 100644
> > > > > > > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > > > > > @@ -3,3 +3,8 @@
> > > > > > > > > >  # Directories
> > > > > > > > > >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
> > > > > > > > > >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
> > > > > > > > > > +
> > > > > > > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
> > > > > > > > > > +# you need build a newer version on your own.
> > > > > > > > > > +# The path must terminate with '/'.
> > > > > > > > > > +EFITOOLS_PATH = ''
> > > > > > > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
> > > > > > > > > > index 6ad5608cd71c..b0e84dec4931 100644
> > > > > > > > > > --- a/test/py/tests/test_efi_capsule/conftest.py
> > > > > > > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py
> > > > > > > > > > @@ -10,13 +10,13 @@ import pytest
> > > > > > > > > >  from capsule_defs import *
> > > > > > > > > >
> > > > > > > > > >  #
> > > > > > > > > > -# Fixture for UEFI secure boot test
> > > > > > > > > > +# Fixture for UEFI capsule test
> > > > > > > > > >  #
> > > > > > > > > >
> > > > > > > > > > -
> > > > > > > > > >  @pytest.fixture(scope='session')
> > > > > > > > > >  def efi_capsule_data(request, u_boot_config):
> > > > > > > > > > -    """Set up a file system to be used in UEFI capsule test.
> > > > > > > > > > +    """Set up a file system to be used in UEFI capsule and
> > > > > > > > > > +       authentication test.
> > > > > > > > > >
> > > > > > > > > >      Args:
> > > > > > > > > >          request: Pytest request object.
> > > > > > > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):
> > > > > > > > > >          check_call('mkdir -p %s' % data_dir, shell=True)
> > > > > > > > > >          check_call('mkdir -p %s' % install_dir, shell=True)
> > > > > > > > > >
> > > > > > > > > > +        capsule_auth_enabled = u_boot_config.buildconfig.get(
> > > > > > > > > > +                    'config_efi_capsule_authenticate')
> > > > > > > > > > +        if capsule_auth_enabled:
> > > > > > > > > > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)
> > > > > > > > > > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'
> > > > > > > > > > +                       % data_dir, shell=True)
> > > > > > > > >
> > > > > > > > > run_and_log()?
> > > > > > > >
> > > > > > > > I have always used this style of coding in this file as well as
> > > > > > > > other my pytests in test/py/tests (filesystem and secure boot).
> > > > > > > >
> > > > > > > > So, at least in this patch, I don't want to have mixed styles.
> > > > > > >
> > > > > > > I don't mind about the style.
> > > > > > >
> > > > > > > Does the command appear in the test log?
> > > > > >
> > > > > > I don't think so as it is invoked in conftest.py.
> > > > > > If the command fails, the tests will skip, and if it generates
> > > > > > a improper signature, the tests will fail.
> > > > >
> > > > > Well that is what I am getting at. Can you check?
> > > >
> > > > Yes.
> > > >
> > > > > The test log is supposed to show everything that happened. It does
> > > > > that with other tests
> > > >
> > > > It does?
> > > > (I don't think so.)
> > > >
> > > > > and I worry that using this function to run
> > > > > things will mean that no one will be able to debug your test in CI.
> > > >
> > > > What is missing in general is that confest.py doesn't generate
> > > > line-by-line trace logs if needed.
> > > > It's not my test specific.
> > >
> > > Can you try checking test-log.html ?
> > >
> > > Here is an example with a vboot test. See the lines with 'openssl' and
> > > 'dtc' ? That is what I am talking about.
> > >
> > > Do you see this output with the command you are using?
> >
> > No. In your case, openssl and dtc are called in a test function,
> > while my tool is invoked as part of fixture in confest.py.
> >
> > What I requested is that command executions in fixtures be logged as well.
> 
> OK, so it isn't possible to call run_and_log() in fixtures?

My fixtures are declared with the scope "session", and so we can't
use u_boot_console which has the scope "function".
Any workaround?

-Takahiro Akashi


> Regards,
> Simon
> 
> 
> 
> >
> > -Takahiro Akashi
> >
> > >
> > > [-] Section: test_vboot[sha1-basic-sha1--None-False-True]
> > > TIME: NOW: 2021/11/04 19:52:55.916263
> > >
> > > TIME: SINCE-PREV: 0:00:00.429408
> > >
> > > TIME: SINCE-START: 0:00:00.429408
> > >
> > > [-] Section: test_vboot[sha1-basic-sha1--None-False-True]/Starting U-Boot
> > > TIME: NOW: 2021/11/04 19:52:55.916582
> > >
> > > TIME: SINCE-PREV: 0:00:00.000319
> > >
> > > TIME: SINCE-START: 0:00:00.429727
> > >
> > > [-] Stream: console
> > > Creating new bloblist size 400 at c000
> > > sandbox_serial serial: pinctrl_select_state_full:
> > > uclass_get_device_by_phandle_id: err=-19
> > >
> > >
> > > U-Boot 2021.10-00200-g458c5ec2f57-dirty (Nov 04 2021 - 19:52:48 -0600)
> > >
> > > Model: sandbox
> > > DRAM:  128 MiB
> > > Core:  246 devices, 88 uclasses, devicetree: board
> > > WDT:   Not starting gpio-wdt
> > > WDT:   Not starting wdt@0
> > > MMC:   mmc2: 2 (SD), mmc1: 1 (SD), mmc0: 0 (SD)
> > > Loading Environment from nowhere... OK
> > > In:    cros-ec-keyb
> > > Out:   vidconsole
> > > Err:   vidconsole
> > > Model: sandbox
> > > SCSI:
> > > Net:   eth0: eth@10002000, eth5: eth@10003000, eth3: sbe5, eth6:
> > > eth@10004000, eth4: dsa-test-eth, eth2: lan0, eth7: lan1
> > > Hit any key to stop autoboot:  2 %08%08%08 0
> > > =>
> > > TIME: NOW: 2021/11/04 19:52:56.023596
> > >
> > > TIME: SINCE-PREV: 0:00:00.107014
> > >
> > > TIME: SINCE-START: 0:00:00.536741
> > >
> > > TIME: SINCE-SECTION: 0:00:00.107114
> > >
> > > [-] Stream: openssl
> > > +openssl genpkey -algorithm RSA -out /tmp/b/sandbox/sha1-basic/dev.key
> > > -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
> > > ...................+++++
> > > ...............+++++
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.067325
> > >
> > > TIME: SINCE-PREV: 0:00:00.043729
> > >
> > > TIME: SINCE-START: 0:00:00.580470
> > >
> > > [-] Stream: openssl
> > > +openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/dev.key
> > > -out /tmp/b/sandbox/sha1-basic/dev.crt
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.077671
> > >
> > > TIME: SINCE-PREV: 0:00:00.010346
> > >
> > > TIME: SINCE-START: 0:00:00.590816
> > >
> > > [-] Stream: openssl
> > > +openssl genpkey -algorithm RSA -out
> > > /tmp/b/sandbox/sha1-basic/prod.key -pkeyopt rsa_keygen_bits:2048
> > > -pkeyopt rsa_keygen_pubexp:65537
> > > ...........................+++++
> > > ............+++++
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.127578
> > >
> > > TIME: SINCE-PREV: 0:00:00.049907
> > >
> > > TIME: SINCE-START: 0:00:00.640723
> > >
> > > [-] Stream: openssl
> > > +openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/prod.key
> > > -out /tmp/b/sandbox/sha1-basic/prod.crt
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.136682
> > >
> > > TIME: SINCE-PREV: 0:00:00.009104
> > >
> > > TIME: SINCE-START: 0:00:00.649827
> > >
> > > [-] Stream: dtc
> > > +dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/
> > > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-kernel.dts
> > > -O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-kernel.dtb
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.142636
> > >
> > > TIME: SINCE-PREV: 0:00:00.005954
> > >
> > > TIME: SINCE-START: 0:00:00.655781
> > >
> > > [-] Stream: dtc
> > > +dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/
> > > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts
> > > -O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-u-boot.dtb
> > > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts:7.10-9.4:
> > > Warning (unit_address_vs_reg): /reset@0: node has a unit name, but no
> > > reg or ranges property
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.147797
> > >
> > > Regards,
> > > Simon
Simon Glass Nov. 8, 2021, 3:58 p.m. UTC | #11
Hi Takahiro,

On Sun, 7 Nov 2021 at 21:15, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
>
> On Fri, Nov 05, 2021 at 10:12:20AM -0600, Simon Glass wrote:
> > Hi Takahiro,
> >
> > On Thu, 4 Nov 2021 at 21:24, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> > >
> > > On Thu, Nov 04, 2021 at 08:02:37PM -0600, Simon Glass wrote:
> > > > Hi Takahiro,
> > > >
> > > > On Thu, 4 Nov 2021 at 19:21, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> > > > >
> > > > > On Wed, Nov 03, 2021 at 08:49:04PM -0600, Simon Glass wrote:
> > > > > > Hi Takahiro,
> > > > > >
> > > > > > On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> > > > > > >
> > > > > > > On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote:
> > > > > > > > Hi Takahiro,
> > > > > > > >
> > > > > > > > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro
> > > > > > > > <takahiro.akashi@linaro.org> wrote:
> > > > > > > > >
> > > > > > > > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:
> > > > > > > > > > Hi Takahiro,
> > > > > > > > > >
> > > > > > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro
> > > > > > > > > > <takahiro.akashi@linaro.org> wrote:
> > > > > > > > > > >
> > > > > > > > > > > Add a couple of test cases against capsule image authentication
> > > > > > > > > > > for capsule-on-disk, where only a signed capsule file with the verified
> > > > > > > > > > > signature will be applied to the system.
> > > > > > > > > > >
> > > > > > > > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot
> > > > > > > > > > > binary during pytest setup time, all the keys/certificates are pre-created.
> > > > > > > > > > >
> > > > > > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > > > > > > > > > ---
> > > > > > > > > > >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
> > > > > > > > > > >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-
> > > > > > > > > > >  test/py/tests/test_efi_capsule/signature.dts  |  10 +
> > > > > > > > > > >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++
> > > > > > > > > > >  4 files changed, 280 insertions(+), 3 deletions(-)
> > > > > > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts
> > > > > > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> > > > > > > > > > >
> > > > > > > > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > > > > > > index 4fd6353c2040..aa9bf5eee3aa 100644
> > > > > > > > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > > > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > > > > > > @@ -3,3 +3,8 @@
> > > > > > > > > > >  # Directories
> > > > > > > > > > >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
> > > > > > > > > > >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
> > > > > > > > > > > +
> > > > > > > > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
> > > > > > > > > > > +# you need build a newer version on your own.
> > > > > > > > > > > +# The path must terminate with '/'.
> > > > > > > > > > > +EFITOOLS_PATH = ''
> > > > > > > > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
> > > > > > > > > > > index 6ad5608cd71c..b0e84dec4931 100644
> > > > > > > > > > > --- a/test/py/tests/test_efi_capsule/conftest.py
> > > > > > > > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py
> > > > > > > > > > > @@ -10,13 +10,13 @@ import pytest
> > > > > > > > > > >  from capsule_defs import *
> > > > > > > > > > >
> > > > > > > > > > >  #
> > > > > > > > > > > -# Fixture for UEFI secure boot test
> > > > > > > > > > > +# Fixture for UEFI capsule test
> > > > > > > > > > >  #
> > > > > > > > > > >
> > > > > > > > > > > -
> > > > > > > > > > >  @pytest.fixture(scope='session')
> > > > > > > > > > >  def efi_capsule_data(request, u_boot_config):
> > > > > > > > > > > -    """Set up a file system to be used in UEFI capsule test.
> > > > > > > > > > > +    """Set up a file system to be used in UEFI capsule and
> > > > > > > > > > > +       authentication test.
> > > > > > > > > > >
> > > > > > > > > > >      Args:
> > > > > > > > > > >          request: Pytest request object.
> > > > > > > > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):
> > > > > > > > > > >          check_call('mkdir -p %s' % data_dir, shell=True)
> > > > > > > > > > >          check_call('mkdir -p %s' % install_dir, shell=True)
> > > > > > > > > > >
> > > > > > > > > > > +        capsule_auth_enabled = u_boot_config.buildconfig.get(
> > > > > > > > > > > +                    'config_efi_capsule_authenticate')
> > > > > > > > > > > +        if capsule_auth_enabled:
> > > > > > > > > > > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)
> > > > > > > > > > > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'
> > > > > > > > > > > +                       % data_dir, shell=True)
> > > > > > > > > >
> > > > > > > > > > run_and_log()?
> > > > > > > > >
> > > > > > > > > I have always used this style of coding in this file as well as
> > > > > > > > > other my pytests in test/py/tests (filesystem and secure boot).
> > > > > > > > >
> > > > > > > > > So, at least in this patch, I don't want to have mixed styles.
> > > > > > > >
> > > > > > > > I don't mind about the style.
> > > > > > > >
> > > > > > > > Does the command appear in the test log?
> > > > > > >
> > > > > > > I don't think so as it is invoked in conftest.py.
> > > > > > > If the command fails, the tests will skip, and if it generates
> > > > > > > a improper signature, the tests will fail.
> > > > > >
> > > > > > Well that is what I am getting at. Can you check?
> > > > >
> > > > > Yes.
> > > > >
> > > > > > The test log is supposed to show everything that happened. It does
> > > > > > that with other tests
> > > > >
> > > > > It does?
> > > > > (I don't think so.)
> > > > >
> > > > > > and I worry that using this function to run
> > > > > > things will mean that no one will be able to debug your test in CI.
> > > > >
> > > > > What is missing in general is that confest.py doesn't generate
> > > > > line-by-line trace logs if needed.
> > > > > It's not my test specific.
> > > >
> > > > Can you try checking test-log.html ?
> > > >
> > > > Here is an example with a vboot test. See the lines with 'openssl' and
> > > > 'dtc' ? That is what I am talking about.
> > > >
> > > > Do you see this output with the command you are using?
> > >
> > > No. In your case, openssl and dtc are called in a test function,
> > > while my tool is invoked as part of fixture in confest.py.
> > >
> > > What I requested is that command executions in fixtures be logged as well.
> >
> > OK, so it isn't possible to call run_and_log() in fixtures?
>
> My fixtures are declared with the scope "session", and so we can't
> use u_boot_console which has the scope "function".
> Any workaround?

I'm really not sure. It sounds like it might be tricky...

Reviewed-by: Simon Glass <sjg@chromium.org>

Regards,
Simon
diff mbox series

Patch

diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
index 4fd6353c2040..aa9bf5eee3aa 100644
--- a/test/py/tests/test_efi_capsule/capsule_defs.py
+++ b/test/py/tests/test_efi_capsule/capsule_defs.py
@@ -3,3 +3,8 @@ 
 # Directories
 CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
 CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
+
+# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
+# you need build a newer version on your own.
+# The path must terminate with '/'.
+EFITOOLS_PATH = ''
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index 6ad5608cd71c..b0e84dec4931 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -10,13 +10,13 @@  import pytest
 from capsule_defs import *
 
 #
-# Fixture for UEFI secure boot test
+# Fixture for UEFI capsule test
 #
 
-
 @pytest.fixture(scope='session')
 def efi_capsule_data(request, u_boot_config):
-    """Set up a file system to be used in UEFI capsule test.
+    """Set up a file system to be used in UEFI capsule and
+       authentication test.
 
     Args:
         request: Pytest request object.
@@ -40,6 +40,26 @@  def efi_capsule_data(request, u_boot_config):
         check_call('mkdir -p %s' % data_dir, shell=True)
         check_call('mkdir -p %s' % install_dir, shell=True)
 
+        capsule_auth_enabled = u_boot_config.buildconfig.get(
+                    'config_efi_capsule_authenticate')
+        if capsule_auth_enabled:
+            # Create private key (SIGNER.key) and certificate (SIGNER.crt)
+            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'
+                       % data_dir, shell=True)
+            check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
+                       % (data_dir, EFITOOLS_PATH), shell=True)
+
+            # Update dtb adding capsule certificate
+            check_call('cd %s; cp %s/test/py/tests/test_efi_capsule/signature.dts .'
+                       % (data_dir, u_boot_config.source_dir), shell=True)
+            check_call('cd %s; dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; fdtoverlay -i %s/arch/sandbox/dts/test.dtb -o test_sig.dtb signature.dtbo'
+                       % (data_dir, u_boot_config.build_dir), shell=True)
+
+            # Create *malicious* private key (SIGNER2.key) and certificate
+            # (SIGNER2.crt)
+            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER2.key -out SIGNER2.crt -nodes -days 365'
+                       % data_dir, shell=True)
+
         # Create capsule files
         # two regions: one for u-boot.bin and the other for u-boot.env
         check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
@@ -56,6 +76,15 @@  def efi_capsule_data(request, u_boot_config):
         check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' %
                    (data_dir, u_boot_config.build_dir),
                    shell=True)
+        if capsule_auth_enabled:
+            # firmware signed with proper key
+            check_call('cd %s; %s/tools/mkeficapsule --index 1 --monotonic-count 1 --private-key SIGNER.key --certificate SIGNER.crt --raw u-boot.bin.new Test11' %
+                       (data_dir, u_boot_config.build_dir),
+                       shell=True)
+            # firmware signed with *mal* key
+            check_call('cd %s; %s/tools/mkeficapsule --index 1 --monotonic-count 1 --private-key SIGNER2.key --certificate SIGNER2.crt --raw u-boot.bin.new Test12' %
+                       (data_dir, u_boot_config.build_dir),
+                       shell=True)
 
         # Create a disk image with EFI system partition
         check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts
new file mode 100644
index 000000000000..078cfc76c93c
--- /dev/null
+++ b/test/py/tests/test_efi_capsule/signature.dts
@@ -0,0 +1,10 @@ 
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+/plugin/;
+
+&{/} {
+	signature {
+		capsule-key = /incbin/("SIGNER.esl");
+	};
+};
diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
new file mode 100644
index 000000000000..e8bfd49e6363
--- /dev/null
+++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
@@ -0,0 +1,233 @@ 
+# SPDX-License-Identifier:      GPL-2.0+
+# Copyright (c) 2021, Linaro Limited
+# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
+#
+# U-Boot UEFI: Firmware Update (Signed capsule) Test
+
+"""
+This test verifies capsule-on-disk firmware update
+with signed capsule files
+"""
+
+import pytest
+from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR
+
+@pytest.mark.boardspec('sandbox')
+@pytest.mark.buildconfigspec('efi_capsule_firmware_raw')
+@pytest.mark.buildconfigspec('efi_capsule_authenticate')
+@pytest.mark.buildconfigspec('dfu')
+@pytest.mark.buildconfigspec('dfu_sf')
+@pytest.mark.buildconfigspec('cmd_efidebug')
+@pytest.mark.buildconfigspec('cmd_fat')
+@pytest.mark.buildconfigspec('cmd_memory')
+@pytest.mark.buildconfigspec('cmd_nvedit_efi')
+@pytest.mark.buildconfigspec('cmd_sf')
+@pytest.mark.slow
+class TestEfiCapsuleFirmwareSigned(object):
+    def test_efi_capsule_auth1(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """
+        Test Case 1 - Update U-Boot on SPI Flash, raw image format
+                      0x100000-0x150000: U-Boot binary (but dummy)
+
+                      If the capsule is properly signed, the authentication
+                      should pass and the firmware be updated.
+        """
+        disk_img = efi_capsule_data
+        with u_boot_console.log.section('Test Case 1-a, before reboot'):
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
+                'efidebug boot order 1',
+                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
+                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                'env save'])
+
+            # initialize content
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR,
+                'sf write 4000000 100000 10',
+                'sf read 5000000 100000 10',
+                'md.b 5000000 10'])
+            assert 'Old' in ''.join(output)
+
+            # place a capsule file
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR,
+                'fatwrite host 0:1 4000000 %s/Test11 $filesize' % CAPSULE_INSTALL_DIR,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test11' in ''.join(output)
+
+        # reboot
+        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
+        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb'
+        u_boot_console.restart_uboot()
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        with u_boot_console.log.section('Test Case 1-b, after reboot'):
+            if not capsule_early:
+                # make sure that dfu_alt_info exists even persistent variables
+                # are not available.
+                output = u_boot_console.run_command_list([
+                    'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                    'host bind 0 %s' % disk_img,
+                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+                assert 'Test11' in ''.join(output)
+
+                # need to run uefi command to initiate capsule handling
+                output = u_boot_console.run_command(
+                    'env print -e Capsule0000')
+
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test11' not in ''.join(output)
+
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'sf read 4000000 100000 10',
+                'md.b 4000000 10'])
+            assert 'u-boot:New' in ''.join(output)
+
+    def test_efi_capsule_auth2(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """
+        Test Case 2 - Update U-Boot on SPI Flash, raw image format
+                      0x100000-0x150000: U-Boot binary (but dummy)
+
+                      If the capsule is signed but with an invalid key,
+                      the authentication should fail and the firmware
+                      not be updated.
+        """
+        disk_img = efi_capsule_data
+        with u_boot_console.log.section('Test Case 2-a, before reboot'):
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
+                'efidebug boot order 1',
+                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
+                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                'env save'])
+
+            # initialize content
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR,
+                'sf write 4000000 100000 10',
+                'sf read 5000000 100000 10',
+                'md.b 5000000 10'])
+            assert 'Old' in ''.join(output)
+
+            # place a capsule file
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR,
+                'fatwrite host 0:1 4000000 %s/Test12 $filesize' % CAPSULE_INSTALL_DIR,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test12' in ''.join(output)
+
+        # reboot
+        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
+        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb'
+        u_boot_console.restart_uboot()
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        with u_boot_console.log.section('Test Case 2-b, after reboot'):
+            if not capsule_early:
+                # make sure that dfu_alt_info exists even persistent variables
+                # are not available.
+                output = u_boot_console.run_command_list([
+                    'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                    'host bind 0 %s' % disk_img,
+                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+                assert 'Test12' in ''.join(output)
+
+                # need to run uefi command to initiate capsule handling
+                output = u_boot_console.run_command(
+                    'env print -e Capsule0000')
+
+            # deleted any way
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test12' not in ''.join(output)
+
+            # TODO: check CapsuleStatus in CapsuleXXXX
+
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'sf read 4000000 100000 10',
+                'md.b 4000000 10'])
+            assert 'u-boot:Old' in ''.join(output)
+
+    def test_efi_capsule_auth3(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """
+        Test Case 3 - Update U-Boot on SPI Flash, raw image format
+                      0x100000-0x150000: U-Boot binary (but dummy)
+
+                      If the capsule is not signed, the authentication
+                      should fail and the firmware not be updated.
+        """
+        disk_img = efi_capsule_data
+        with u_boot_console.log.section('Test Case 3-a, before reboot'):
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
+                'efidebug boot order 1',
+                'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
+                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                'env save'])
+
+            # initialize content
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR,
+                'sf write 4000000 100000 10',
+                'sf read 5000000 100000 10',
+                'md.b 5000000 10'])
+            assert 'Old' in ''.join(output)
+
+            # place a capsule file
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR,
+                'fatwrite host 0:1 4000000 %s/Test02 $filesize' % CAPSULE_INSTALL_DIR,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test02' in ''.join(output)
+
+        # reboot
+        mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
+        u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR + '/test_sig.dtb'
+        u_boot_console.restart_uboot()
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        with u_boot_console.log.section('Test Case 3-b, after reboot'):
+            if not capsule_early:
+                # make sure that dfu_alt_info exists even persistent variables
+                # are not available.
+                output = u_boot_console.run_command_list([
+                    'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                    'host bind 0 %s' % disk_img,
+                    'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+                assert 'Test02' in ''.join(output)
+
+                # need to run uefi command to initiate capsule handling
+                output = u_boot_console.run_command(
+                    'env print -e Capsule0000')
+
+            # deleted any way
+            output = u_boot_console.run_command_list([
+                'host bind 0 %s' % disk_img,
+                'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
+            assert 'Test02' not in ''.join(output)
+
+            # TODO: check CapsuleStatus in CapsuleXXXX
+
+            output = u_boot_console.run_command_list([
+                'sf probe 0:0',
+                'sf read 4000000 100000 10',
+                'md.b 4000000 10'])
+            assert 'u-boot:Old' in ''.join(output)