diff mbox series

[v5,10/12] test: capsule: Remove public key embed logic from capsule update test

Message ID 20230725085725.350917-11-sughosh.ganu@linaro.org
State Superseded
Series Integrate EFI capsule tasks into u-boot's build flow

Commit Message

Sughosh Ganu July 25, 2023, 8:57 a.m. UTC
The embedding of the public key EFI Signature List (ESL) file into the
platform's DTB is now done at the time of u-boot build. Remove this
logic from the capsule update test's configuration.

Include the public key for the sandbox and sandbox_flattree variant
as part of the build.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
Changes since V4: None

 configs/sandbox_defconfig                    |  1 +
 configs/sandbox_flattree_defconfig           |  1 +
 test/py/tests/test_efi_capsule/conftest.py   | 37 ++++----------------
 test/py/tests/test_efi_capsule/signature.dts | 10 ------
 4 files changed, 9 insertions(+), 40 deletions(-)
 delete mode 100644 test/py/tests/test_efi_capsule/signature.dts

Comments

Simon Glass July 25, 2023, 10:52 p.m. UTC | #1
On Tue, 25 Jul 2023 at 02:58, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
>
> The embedding of the public key EFI Signature List (ESL) file into the
> platform's DTB is now done at the time of u-boot build. Remove this
> logic from the capsule update test's configuration.
>
> Include the public key for the sandbox and sandbox_flattree variant
> as part of the build.
>
> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> ---
> Changes since V4: None
>
>  configs/sandbox_defconfig                    |  1 +
>  configs/sandbox_flattree_defconfig           |  1 +
>  test/py/tests/test_efi_capsule/conftest.py   | 37 ++++----------------
>  test/py/tests/test_efi_capsule/signature.dts | 10 ------
>  4 files changed, 9 insertions(+), 40 deletions(-)
>  delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
>
> diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
> index 19cc6701e6..53e342b3fa 100644
> --- a/configs/sandbox_defconfig
> +++ b/configs/sandbox_defconfig
> @@ -342,6 +342,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
>  CONFIG_EFI_CAPSULE_ON_DISK=y
>  CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
>  CONFIG_EFI_CAPSULE_AUTHENTICATE=y
> +CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"

No, we cannot use hard-coded pathnames, still.

Please grep for /tmp/capsules throughout your series.

You should be able to drop the path if you put the file in the right
dir in the test. It runs in the working directory, I believe.

[..]

Regards,
Simon

Sughosh Ganu July 26, 2023, 9:22 a.m. UTC | #2
hi Simon,

On Wed, 26 Jul 2023 at 04:24, Simon Glass <sjg@chromium.org> wrote:
>
> On Tue, 25 Jul 2023 at 02:58, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> >
> > The embedding of the public key EFI Signature List (ESL) file into the
> > platform's DTB is now done at the time of u-boot build. Remove this
> > logic from the capsule update test's configuration.
> >
> > Include the public key for the sandbox and sandbox_flattree variant
> > as part of the build.
> >
> > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > ---
> > Changes since V4: None
> >
> >  configs/sandbox_defconfig                    |  1 +
> >  configs/sandbox_flattree_defconfig           |  1 +
> >  test/py/tests/test_efi_capsule/conftest.py   | 37 ++++----------------
> >  test/py/tests/test_efi_capsule/signature.dts | 10 ------
> >  4 files changed, 9 insertions(+), 40 deletions(-)
> >  delete mode 100644 test/py/tests/test_efi_capsule/signature.dts
> >
> > diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
> > index 19cc6701e6..53e342b3fa 100644
> > --- a/configs/sandbox_defconfig
> > +++ b/configs/sandbox_defconfig
> > @@ -342,6 +342,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
> >  CONFIG_EFI_CAPSULE_ON_DISK=y
> >  CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
> >  CONFIG_EFI_CAPSULE_AUTHENTICATE=y
> > +CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
>
> No, we cannot use hard-coded pathnames, still.
>
> Please grep for /tmp/capsules throughout your series.
>
> You should be able to drop the path if you put the file in the right
> dir in the test. It runs in the working directory, I believe.

Okay, let me check this out.

-sughosh

Patch

diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig
index 19cc6701e6..53e342b3fa 100644
--- a/configs/sandbox_defconfig
+++ b/configs/sandbox_defconfig
@@ -342,6 +342,7 @@  CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
 CONFIG_EFI_SECURE_BOOT=y
 CONFIG_TEST_FDTDEC=y
 CONFIG_UNIT_TEST=y
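
Review bot: The added CONFIG_EFI_CAPSULE_ESL_FILE line points at an absolute path under /tmp, so with CONFIG_EFI_CAPSULE_AUTHENTICATE=y the key that the build embeds into the DTB is read from a world-writable location outside both the source tree and the build tree. The sandbox build then depends on /tmp/capsules/SIGNER.esl having been created beforehand, and whatever populated that directory decides which key capsule authentication will trust. Suggest a path resolved relative to the build or source directory, with the ESL file produced by a step that the build or the test itself owns.
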
diff --git a/configs/sandbox_flattree_defconfig b/configs/sandbox_flattree_defconfig
index 8aa295686d..06b1408b90 100644
--- a/configs/sandbox_flattree_defconfig
+++ b/configs/sandbox_flattree_defconfig
@@ -227,6 +227,7 @@  CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
 CONFIG_EFI_CAPSULE_ON_DISK=y
 CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
 CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
 CONFIG_UNIT_TEST=y
 CONFIG_UT_TIME=y
 CONFIG_UT_DM=y
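
Review bot: The "/tmp/capsules/SIGNER.esl" literal on the added line duplicates the one in sandbox_defconfig, and conftest.py in this same patch spells out '/tmp/capsules/' a third time, so the three locations have to be kept in step by hand. Whatever replaces the absolute path should be defined in one place that both defconfigs and the test fixture derive from, so that a change to the key location cannot leave one variant building with a stale or missing ESL file.
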
diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index 054be1ee97..99b502902e 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -25,48 +25,25 @@  def efi_capsule_data(request, u_boot_config):
     image_path = u_boot_config.persistent_data_dir + '/test_efi_capsule.img'
 
     try:
+        capsules_path_dir = '/tmp/capsules/'
         # Create a target device
         check_call('dd if=/dev/zero of=./spi.bin bs=1MiB count=16', shell=True)
 
         check_call('rm -rf %s' % mnt_point, shell=True)
         check_call('mkdir -p %s' % data_dir, shell=True)
         check_call('mkdir -p %s' % install_dir, shell=True)
-
-        capsule_auth_enabled = u_boot_config.buildconfig.get(
-                    'config_efi_capsule_authenticate')
-        if capsule_auth_enabled:
-            # Create private key (SIGNER.key) and certificate (SIGNER.crt)
-            check_call('cd %s; '
-                       'openssl req -x509 -sha256 -newkey rsa:2048 '
-                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
-                            '-out SIGNER.crt -nodes -days 365'
-                       % data_dir, shell=True)
-            check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
-                       % (data_dir, EFITOOLS_PATH), shell=True)
-
-            # Update dtb adding capsule certificate
-            check_call('cd %s; '
-                       'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
-                       % (data_dir, u_boot_config.source_dir), shell=True)
-            check_call('cd %s; '
-                       'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
-                       'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
-                            '-o test_sig.dtb signature.dtbo'
-                       % (data_dir, u_boot_config.build_dir), shell=True)
-
-            # Create *malicious* private key (SIGNER2.key) and certificate
-            # (SIGNER2.crt)
-            check_call('cd %s; '
-                       'openssl req -x509 -sha256 -newkey rsa:2048 '
-                            '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
-                            '-out SIGNER2.crt -nodes -days 365'
-                       % data_dir, shell=True)
+        check_call('cp %s/* %s ' % (capsules_path_dir, data_dir), shell=True)
 
         # Update dtb to add the version information
         check_call('cd %s; '
                    'cp %s/test/py/tests/test_efi_capsule/version.dts .'
                    % (data_dir, u_boot_config.source_dir), shell=True)
+
+        capsule_auth_enabled = u_boot_config.buildconfig.get(
+                    'config_efi_capsule_authenticate')
         if capsule_auth_enabled:
+            check_call('cp %s/arch/sandbox/dts/test.dtb %s/test_sig.dtb' %
+                       (u_boot_config.build_dir, data_dir), shell=True)
             check_call('cd %s; '
                        'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
                        'fdtoverlay -i test_sig.dtb '
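
Review bot: The added capsules_path_dir = '/tmp/capsules/' and the cp %s/* that follows copy every file from a fixed directory under /tmp into data_dir through a shell glob, and nothing in this hunk creates or checks that directory. The removed block generated SIGNER.key, SIGNER.crt, SIGNER.esl and the SIGNER2 pair inside data_dir; after this change the fixture depends on those files already being present in /tmp/capsules, and the copy fails if the directory is missing or empty. Suggest deriving the directory from u_boot_config (build_dir or persistent_data_dir), copying the expected files by name rather than with a wildcard, and reporting clearly when one is absent. The new cp of test.dtb to test_sig.dtb likewise assumes the build has already embedded the capsule key, so a check that the copied DTB carries it would make a misconfigured build fail here rather than later in the authentication tests.
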
diff --git a/test/py/tests/test_efi_capsule/signature.dts b/test/py/tests/test_efi_capsule/signature.dts
deleted file mode 100644
index 078cfc76c9..0000000000
--- a/test/py/tests/test_efi_capsule/signature.dts
+++ /dev/null
@@ -1,10 +0,0 @@ 
-// SPDX-License-Identifier: GPL-2.0+
-
-/dts-v1/;
-/plugin/;
-
-&{/} {
-	signature {
-		capsule-key = /incbin/("SIGNER.esl");
-	};
-};