From patchwork Mon Apr 18 18:07:23 2022
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 563107
From: Ilias Apalodimas
To: xypron.glpk@gmx.de
Cc: takahiro.akashi@linaro.org, Stuart.Yoder@arm.com, paul.liu@linaro.org, Ilias Apalodimas, u-boot@lists.denx.de
Subject: [PATCH 2/2 v3] test/py: Add more test cases for rejecting an EFI image
Date: Mon, 18 Apr 2022 21:07:23 +0300
Message-Id: <20220418180724.1855888-2-ilias.apalodimas@linaro.org>
In-Reply-To: <20220418180724.1855888-1-ilias.apalodimas@linaro.org>
References: <20220418180724.1855888-1-ilias.apalodimas@linaro.org>
List-Id: U-Boot discussion

The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests

Signed-off-by: Ilias Apalodimas
---
changes since v2:
- None
changes since RFC:
- new patch

 test/py/tests/test_efi_secboot/conftest.py | 6 +++
 test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 69a498ca003c..8a53dabe5414 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py 
@@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # dbx_hash1 (digest of TEST_db1 certificate) check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index cc9396a11d48..80d5eff74be3 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py 
@@ -235,6 +235,56 @@ class TestEfiSignedImage(object): assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + # sha384 of an x509 cert in dbx + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 5e'): + # Test Case 5f, authenticated even if only one of signatures + # is verified. Same as before but reject dbx_hash1.auth only + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash384.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + # sha512 of an x509 cert in dbx + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 5e'): + # Test Case 5G, authenticated even if only one of signatures + # is verified. 
Same as before but reject dbx_hash1.auth only + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash512.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): """ Test Case 6 - using digest of signed image in database
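Review bot: in the conftest.py hunk, the two added check_call lines that build dbx_hash384.auth and dbx_hash512.auth carry no comment, while the neighbouring entry is labelled '# dbx_hash1 (digest of TEST_db1 certificate)'. Please add a short comment saying these are the SHA-384 and SHA-512 digests of db.crt, so the fixture list stays readable. The three commands now differ only in the -s value (256, 384, 512) and the output file name, so a small loop over the digest sizes would remove the duplicated command string. Both new lists are also signed with -t "2020-04-05", the same timestamp as dbx_hash.auth; that works for the tests as written, because each one restarts U-Boot and sets dbx without -a, but it is worth a word in the comment in case a later test loads two of these files in sequence.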
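Review bot: in the test_signed.py hunk, both new blocks open with u_boot_console.log.section('Test Case 5e'), so the sha384 and sha512 cases share one log label, and if an earlier case already uses 5e they collide with that as well. The comments inside name them 'Test Case 5f' and 'Test Case 5G' with inconsistent capitalisation. Please give each section its own label and make the comment match it. The copied comment text is also stale: it says "authenticated even if only one of signatures is verified" and "reject dbx_hash1.auth only", but these blocks load dbx_hash384.auth and dbx_hash512.auth and assert that the image is rejected ('HELLO' failed, efi_start_image() returned: 26). Suggest rewording it to say that the image is rejected because the sha384 (or sha512) digest of the signing certificate is in dbx. Since the two blocks differ only in the .auth file name, a loop or a parametrized helper over the digest file would keep them from drifting apart.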