From patchwork Mon Apr 18 05:53:47 2022
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 563105
From: Ilias Apalodimas
To: xypron.glpk@gmx.de
Cc: takahiro.akashi@linaro.org, Stuart.Yoder@arm.com, paul.liu@linaro.org, Ilias Apalodimas, u-boot@lists.denx.de
Subject: [PATCH 2/2 v2] test: Add more test cases for rejecting an EFI image
Date: Mon, 18 Apr 2022 08:53:47 +0300
Message-Id: <20220418055348.1796136-2-ilias.apalodimas@linaro.org>
In-Reply-To: <20220418055348.1796136-1-ilias.apalodimas@linaro.org>
References: <20220418055348.1796136-1-ilias.apalodimas@linaro.org>

The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests

Signed-off-by: Ilias Apalodimas
---
changes since v1:
- new patch

 test/py/tests/test_efi_secboot/conftest.py    |  6 +++
 test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 69a498ca003c..8a53dabe5414 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py
@@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # dbx_hash1 (digest of TEST_db1 certificate) check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index cc9396a11d48..80d5eff74be3 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py 
@@ -235,6 +235,56 @@ class TestEfiSignedImage(object): assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + # sha384 of an x509 cert in dbx + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 5e'): + # Test Case 5f, authenticated even if only one of signatures + # is verified. Same as before but reject dbx_hash1.auth only + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash384.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + # sha512 of an x509 cert in dbx + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 5e'): + # Test Case 5G, authenticated even if only one of signatures + # is verified. 
Same as before but reject dbx_hash1.auth only + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash512.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): """ Test Case 6 - using digest of signed image in database
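
Review bot: in the conftest.py hunk, the two added check_call lines are copies of the `-s 256 db.crt dbx_hash.crl` call directly above them with only the hash size and the output file names changed, and they carry no comment, while the entry that follows is introduced by `# dbx_hash1 (digest of TEST_db1 certificate)`. Add a matching comment that names the sha384 and sha512 digests of db.crt, and consider building dbx_hash.auth, dbx_hash384.auth and dbx_hash512.auth from one loop over the hash sizes so the cert-to-efi-hash-list / sign-efi-sig-list command string exists only once.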
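
Review bot: in the test_signed.py hunk, both added blocks open `u_boot_console.log.section('Test Case 5e')` while their comments call them "Test Case 5f" and "Test Case 5G", so the sha384 and sha512 cases share one section name in the log and a failure cannot be attributed to either; name the sections 'Test Case 5f' and 'Test Case 5g' to match. The copied comment "authenticated even if only one of signatures is verified. Same as before but reject dbx_hash1.auth only" also contradicts what the blocks do: they load dbx_hash384.auth or dbx_hash512.auth into dbx and then assert `'HELLO' failed` and `efi_start_image() returned: 26`, which is a rejection. Reword it to say the image is rejected because the sha384 (respectively sha512) digest of db.crt is present in dbx. The two blocks differ only in the .auth file name, so a shared helper or a parametrized test would avoid the 25 duplicated lines.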