@@ -94,7 +94,7 @@ def test_vboot(u_boot_console):
util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
'%s%s' % (datadir, its), fit])
- def sign_fit(sha_algo):
+ def sign_fit(sha_algo, options):
"""Sign the FIT
Signs the FIT and writes the signature into it. It also writes the
@@ -103,10 +103,13 @@ def test_vboot(u_boot_console):
Args:
sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
use.
+ options: Options to provide to mkimage.
"""
+ args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit]
+ if options:
+ args += options.split(' ')
cons.log.action('%s: Sign images' % sha_algo)
- util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
- '-r', fit])
+ util.run_and_log(cons, args)
def sign_fit_norequire(sha_algo):
"""Sign the FIT
@@ -142,7 +145,7 @@ def test_vboot(u_boot_console):
handle.write(struct.pack(">I", size))
return struct.unpack(">I", total_size)[0]
- def test_with_algo(sha_algo, padding):
+ def test_with_algo(sha_algo, padding, sign_options):
"""Test verified boot with the given hash algorithm.
This is the main part of the test code. The same procedure is followed
@@ -151,6 +154,9 @@ def test_vboot(u_boot_console):
Args:
sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
use.
+ padding: Either '' or '-pss', to select the padding to use for the
+ rsa signature algorithm.
+ sign_options: Options to mkimage when signing a fit image.
"""
# Compile our device tree files for kernel and U-Boot. These are
# regenerated here since mkimage will modify them (by adding a
@@ -164,7 +170,7 @@ def test_vboot(u_boot_console):
run_bootm(sha_algo, 'unsigned images', 'dev-', True)
# Sign images with our dev keys
- sign_fit(sha_algo)
+ sign_fit(sha_algo, sign_options)
run_bootm(sha_algo, 'signed images', 'dev+', True)
# Create a fresh .dtb without the public keys
@@ -175,7 +181,7 @@ def test_vboot(u_boot_console):
run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
# Sign images with our dev keys
- sign_fit(sha_algo)
+ sign_fit(sha_algo, sign_options)
run_bootm(sha_algo, 'signed config', 'dev+', True)
cons.log.action('%s: Check signed config on the host' % sha_algo)
@@ -211,7 +217,7 @@ def test_vboot(u_boot_console):
util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
'-k', dtb], 1, 'Failed to verify required signature')
- def test_required_key(sha_algo, padding):
+ def test_required_key(sha_algo, padding, sign_options):
"""Test verified boot with the given hash algorithm.
This function test if u-boot reject an image when a required
@@ -220,6 +226,9 @@ def test_vboot(u_boot_console):
Args:
sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
use.
+ padding: Either '' or '-pss', to select the padding to use for the
+ rsa signature algorithm.
+ sign_options: Options to mkimage when signing a fit image.
"""
# Compile our device tree files for kernel and U-Boot. These are
# regenerated here since mkimage will modify them (by adding a
@@ -234,9 +243,9 @@ def test_vboot(u_boot_console):
# This FIT should not be accepted by u-boot because the key prod is required
cons.log.action('%s: Test FIT with configs images' % sha_algo)
make_fit('sign-configs-%s%s-prod.its' % (sha_algo , padding))
- sign_fit(sha_algo)
+ sign_fit(sha_algo, sign_options)
make_fit('sign-configs-%s%s.its' % (sha_algo , padding))
- sign_fit(sha_algo)
+ sign_fit(sha_algo, sign_options)
run_bootm(sha_algo, 'signed configs', '', False)
@@ -282,11 +291,16 @@ def test_vboot(u_boot_console):
# afterwards.
old_dtb = cons.config.dtb
cons.config.dtb = dtb
- test_with_algo('sha1','')
- test_with_algo('sha1','-pss')
- test_with_algo('sha256','')
- test_with_algo('sha256','-pss')
- test_required_key('sha256','-pss')
+ test_with_algo('sha1','', None)
+ test_with_algo('sha1','', '-E -p 0x10000')
+ test_with_algo('sha1','-pss', None)
+ test_with_algo('sha1','-pss', '-E -p 0x10000')
+ test_with_algo('sha256','', None)
+ test_with_algo('sha256','', '-E -p 0x10000')
+ test_with_algo('sha256','-pss', None)
+ test_with_algo('sha256','-pss', '-E -p 0x10000')
+ test_required_key('sha256','-pss', None)
+ test_required_key('sha256','-pss', '-E -p 0x10000')
finally:
# Go back to the original U-Boot with the correct dtb.
cons.config.dtb = old_dtb
The pytest vboot does all his tests on fit without padding. We add the same tests on fit with padding. Signed-off-by: Philippe Reynes <philippe.reynes at softathome.com> --- test/py/tests/test_vboot.py | 42 ++++++++++++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 14 deletions(-)