From patchwork Fri Oct 14 06:57:00 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 615065 Delivered-To: patch@linaro.org Received: by 2002:a17:522:c983:b0:460:3032:e3c4 with SMTP id kr3csp113146pvb; Thu, 13 Oct 2022 23:58:36 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4mE5n2ko+5xKuQgmQl9MS2xzbpQP3Nip8T6TvkV+oISBKjuDo/VuDHWLRnWq/2gyZVSSSd X-Received: by 2002:a17:907:a4e:b0:77d:94d:8148 with SMTP id be14-20020a1709070a4e00b0077d094d8148mr2367073ejc.607.1665730716578; Thu, 13 Oct 2022 23:58:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1665730716; cv=none; d=google.com; s=arc-20160816; b=Bia/3boYs31SO6rKBDdOBKkAzYVOhwf37ASyHv4XVGNfCYzCwUwFAwZBtzLVNv/I6P 9obtdLdVErQY5JNQRfPl7M6wmlpA63SmhvPtHLidBNSjmWKLdz8BzW2RhT4nMdS9DhGK G/ras+lZfuSH43PiZ6TrBMvW0ULfRZ/goYst3xm6MEidHo2enADqTaQVQGOqeRyghwVg nT31+CvR8dxsK9SVh+r/3CL+YlUFd3RBJXxgcX4L/Om5O2tYS96OEZajAY7zhyW9Xn5r DzDYa6+NCpERmzkpfEA4Wv9O97zbTMG2erDrSvzz6tbU4bKuaTw3xClFVblc2iAZgZiA 7lEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=4cYSkTlmCU6yU3jGWL+Zd9RpEOo9TT3cY5WIiDF3PJA=; b=B+YZSiKmVybnVq3LppocbVgo25xuNSkiBwDcsRC/nq8oYPVFheyO27hf7N+sjPJK8p H4AOQo4KoB7v7/B8L5/Yjs0tWYzpAH1GIlkb7mJiZ3YXmTXfcutEbOJhJwvhyq25KZoI Z9P+/YDbDiq9O71c72A1g1LYDiCvdowIiORhSk4cuDd+VhgEPzx1u0z20Oc9nyxwrUEW pcZKs8crYOPBeJqHtzbELF+/YHCPYqXIgz9HJEzkkVODKvr2A2FnoSida0DC8ecCT5ee o69NfzsOfYLyZpsPvzpxSlKC5VQLaTgLe+MGahzElnHZ/V8POOzI+rNVXwQdep4FoZeY lSzw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=JBK9aKdi; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id v10-20020a056402348a00b0045901aa2468si2047581edc.333.2022.10.13.23.58.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Oct 2022 23:58:36 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=JBK9aKdi; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 9097584F39; Fri, 14 Oct 2022 08:58:01 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="JBK9aKdi"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id CAA9784F3F; Fri, 14 Oct 2022 08:57:53 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 8770D84F22 for ; Fri, 14 Oct 2022 08:57:45 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-pj1-x1029.google.com with SMTP id a6-20020a17090abe0600b0020d7c0c6650so7114397pjs.0 for ; Thu, 13 Oct 2022 23:57:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date:message-id:reply-to; bh=4cYSkTlmCU6yU3jGWL+Zd9RpEOo9TT3cY5WIiDF3PJA=; b=JBK9aKdil8ctsQnOVRrhgj8w2CW+7iNIkVmIGmMzdnQJzf6tYluOkZpHmx1UqI2jDY jC1gGPYnRR/p4eIOBl5NpUldFl1UYnR6UUstPEDl++pJIszknu0cZTYRnuCAXVz+kl+H 0vhw3sJOBjuUxKyH9xUhbKHAApedX7xVSMwFqYwnM492eJeqL1/cvvmQtk4etoQAwK1O ucq4EjMjOk/Mf+yEDx07ycP9VB1Uzj6b7iIl0LSOY0nniTWiKs+xwQLEkMSi7XN3/bEu xIC02+o2IbXTTwJWXDUz4thhECtthytjeJqWilIs36Cgjg5vCoLrLWE3LhI69lBniCma AO5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:in-reply-to:message-id:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=4cYSkTlmCU6yU3jGWL+Zd9RpEOo9TT3cY5WIiDF3PJA=; b=APnDirAkdEE72T5L9KJleXpVLKfjobBu+jHJLDyVVSUoUqlKmSJs+GV4GrTwnqCGeU appEH9yEO4EhON0C3taboulDwHegduQGFUFYwzjNZYleL2qjtONWvNRCgqF1GqvnD/xx ZB2948C7Kkm1lrS6HVI43j11EIPrutyUMg99VPoBvowEThtukhwsoQBCQcbrPi+OOyDp /hHb5TqOZu7mcItKtxJWoblMQpjfs+6cP6gaWsjc8kT/fqwdDI/bmL52yL4mag/TR8il fQL2avirVfUB77lvBfViml/0uIV7P9CRL7EZEQbXYc9Pc+QO8XZ5Xw6V9U/NQpJTiEn3 hLHg== X-Gm-Message-State: ACrzQf0hoqbMEUfoSE4zdn9iLE2LgncvylHiVXFrUYTzkLLAqMe25szM BXOoQ5pq/MA7qfiHY1yrG2QphuNyQvSBeA== X-Received: by 2002:a17:902:f60b:b0:178:6a49:d4e3 with SMTP id n11-20020a170902f60b00b001786a49d4e3mr4007181plg.75.1665730662512; Thu, 13 Oct 2022 23:57:42 -0700 (PDT) Received: from localhost.localdomain ([240d:1a:cf7:5800:82fa:5bff:fe4b:26b1]) by smtp.gmail.com with ESMTPSA id d67-20020a621d46000000b00550724f8ea0sm850581pfd.128.2022.10.13.23.57.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Oct 2022 23:57:41 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Takahiro Akashi , Masahisa Kojima Subject: [PATCH v3 6/6] test: add test for eficonfig secure boot key management Date: Fri, 14 Oct 2022 15:57:00 +0900 Message-Id: <20221014065705.5249-7-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221014065705.5249-1-masahisa.kojima@linaro.org> References: <20221014065705.5249-1-masahisa.kojima@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean Provide a unit test for the eficonfig secure boot key management menu. Signed-off-by: Masahisa Kojima --- No change since v2 newly created in v2 test/py/tests/test_eficonfig/conftest.py | 84 +++- test/py/tests/test_eficonfig/defs.py | 14 + .../test_eficonfig/test_eficonfig_sbkey.py | 472 ++++++++++++++++++ 3 files changed, 568 insertions(+), 2 deletions(-) create mode 100644 test/py/tests/test_eficonfig/defs.py create mode 100644 test/py/tests/test_eficonfig/test_eficonfig_sbkey.py diff --git a/test/py/tests/test_eficonfig/conftest.py b/test/py/tests/test_eficonfig/conftest.py index f289df0362..6750d33989 100644 --- a/test/py/tests/test_eficonfig/conftest.py +++ b/test/py/tests/test_eficonfig/conftest.py @@ -2,11 +2,12 @@ """Fixture for UEFI eficonfig test """ - import os +import os.path import shutil -from subprocess import check_call +from subprocess import call, check_call, check_output, CalledProcessError import pytest +from defs import * @pytest.fixture(scope='session') def efi_eficonfig_data(u_boot_config): @@ -38,3 +39,82 @@ def efi_eficonfig_data(u_boot_config): shell=True) return image_path + +@pytest.fixture(scope='session') +def efi_boot_env(request, u_boot_config): + """Set up a file system to be used in UEFI secure boot test. + + Args: + request: Pytest request object. + u_boot_config: U-boot configuration. + + Return: + A path to disk image to be used for testing + """ + image_path = u_boot_config.persistent_data_dir + image_path = image_path + '/test_eficonfig_sb.img' + + try: + mnt_point = u_boot_config.build_dir + '/mnt_eficonfig_sb' + check_call('rm -rf {}'.format(mnt_point), shell=True) + check_call('mkdir -p {}'.format(mnt_point), shell=True) + + # suffix + # *.key: RSA private key in PEM + # *.crt: X509 certificate (self-signed) in PEM + # *.esl: signature list + # *.hash: message digest of image as signature list + # *.auth: signed signature list in signature database format + # *.efi: UEFI image + # *.efi.signed: signed UEFI image + + # Create signature database + # PK + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365' + % mnt_point, shell=True) + check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; %ssign-efi-sig-list -t "2020-04-01" -c PK.crt -k PK.key PK PK.esl PK.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # PK_null for deletion + check_call('cd %s; touch PK_null.esl; %ssign-efi-sig-list -t "2020-04-02" -c PK.crt -k PK.key PK PK_null.esl PK_null.auth' + % (mnt_point, EFITOOLS_PATH), shell=True) + # KEK + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365' + % mnt_point, shell=True) + check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; %ssign-efi-sig-list -t "2020-04-03" -c PK.crt -k PK.key KEK KEK.esl KEK.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + # db + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ -keyout db.key -out db.crt -nodes -days 365' + % mnt_point, shell=True) + check_call('cd %s; %scert-to-efi-sig-list -g %s db.crt db.esl; %ssign-efi-sig-list -t "2020-04-04" -c KEK.crt -k KEK.key db db.esl db.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + + # dbx_hash (digest of TEST_db certificate) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t "2013-05-27 01:02:03" -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + + # Copy image + check_call('cp %s/lib/efi_loader/helloworld.efi %s' % + (u_boot_config.build_dir, mnt_point), shell=True) + + # Sign image + check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi' + % mnt_point, shell=True) + + check_call('cd %s; rm -f *.key' % mnt_point, shell=True) + check_call('cd %s; rm -f *.crt' % mnt_point, shell=True) + check_call('cd %s; rm -f *.hash' % mnt_point, shell=True) + check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat {} {}'.format( + mnt_point, image_path), shell=True) + check_call('rm -rf {}'.format(mnt_point), shell=True) + + except CalledProcessError as exception: + pytest.skip('Setup failed: %s' % exception.cmd) + return + else: + yield image_path + finally: + call('rm -f %s' % image_path, shell=True) diff --git a/test/py/tests/test_eficonfig/defs.py b/test/py/tests/test_eficonfig/defs.py new file mode 100644 index 0000000000..b7a2a11851 --- /dev/null +++ b/test/py/tests/test_eficonfig/defs.py @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: GPL-2.0+ + +# Owner guid +GUID = '11111111-2222-3333-4444-123456789abc' + +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and +# you need build a newer version on your own. +# The path must terminate with '/'. +EFITOOLS_PATH = '' + +# "--addcert" option of sbsign must be available, otherwise +# you need build a newer version on your own. +# The path must terminate with '/'. +SBSIGN_PATH = '' diff --git a/test/py/tests/test_eficonfig/test_eficonfig_sbkey.py b/test/py/tests/test_eficonfig/test_eficonfig_sbkey.py new file mode 100644 index 0000000000..727288964d --- /dev/null +++ b/test/py/tests/test_eficonfig/test_eficonfig_sbkey.py @@ -0,0 +1,472 @@ +# SPDX-License-Identifier: GPL-2.0+ +""" Unit test for UEFI menu-driven configuration +""" + +import pytest +import time +from defs import * + +@pytest.mark.boardspec('sandbox') +@pytest.mark.buildconfigspec('cmd_eficonfig') +@pytest.mark.buildconfigspec('cmd_bootefi_bootmgr') +@pytest.mark.buildconfigspec('efi_secure_boot') +def test_efi_eficonfig_sbkey(u_boot_config, u_boot_console, efi_boot_env): + def send_user_input_and_wait(user_str, expect_str): + time.sleep(0.1) # TODO: does not work correctly without sleep + u_boot_console.run_command(cmd=user_str, wait_for_prompt=False, + wait_for_echo=True, send_nl=False) + u_boot_console.run_command(cmd='\x0d', wait_for_prompt=False, + wait_for_echo=False, send_nl=False) + if expect_str is not None: + for i in expect_str: + u_boot_console.p.expect([i]) + + def press_up_down_enter_and_wait(up_count, down_count, enter, expect_str): + # press UP key + for i in range(up_count): + u_boot_console.run_command(cmd='\x1b\x5b\x41', wait_for_prompt=False, + wait_for_echo=False, send_nl=False) + # press DOWN key + for i in range(down_count): + u_boot_console.run_command(cmd='\x1b\x5b\x42', wait_for_prompt=False, + wait_for_echo=False, send_nl=False) + # press ENTER if requested + if enter: + u_boot_console.run_command(cmd='\x0d', wait_for_prompt=False, + wait_for_echo=False, send_nl=False) + # wait expected output + if expect_str is not None: + for i in expect_str: + u_boot_console.p.expect([i]) + + def press_escape_key(wait_prompt): + u_boot_console.run_command(cmd='\x1b', wait_for_prompt=wait_prompt, wait_for_echo=False, send_nl=False) + + def press_enter_key(wait_prompt): + u_boot_console.run_command(cmd='\x0d', wait_for_prompt=wait_prompt, + wait_for_echo=False, send_nl=False) + + def check_current_is_maintenance_menu(): + for i in ('UEFI Maintenance Menu', 'Add Boot Option', 'Edit Boot Option', + 'Change Boot Order', 'Delete Boot Option', 'Secure Boot Configuration', 'Quit'): + u_boot_console.p.expect([i]) + + # Restart the system to clean the previous state + u_boot_console.restart_uboot() + # bind the test disk image for succeeding tests + u_boot_console.run_command(cmd = f'host bind 0 {efi_boot_env}') + + # + # Test Case 1: Enroll non-signed ESL(.esl or .crl) in order of KEK, DB, DBX and PK + # + with u_boot_console.temporary_timeout(500): + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + press_up_down_enter_and_wait(0, 4, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'): + u_boot_console.p.expect([i]) + + # set KEK.esl to KEK + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 7, True, 'Quit') + # check KEK is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'KEK', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509', 'Subject:', 'TEST_KEK', 'Issuer:', 'TEST_KEK'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set db.esl to db + press_up_down_enter_and_wait(0, 2, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 1, True, 'Quit') + # check db is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'db', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509', 'Subject:', 'TEST_db', 'Issuer:', 'TEST_db'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set dbx_hash.crl to dbx + press_up_down_enter_and_wait(0, 3, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 3, True, 'Quit') + # check dbx is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + # verify CRL, skip hash comparison because it varies in every test + for i in ('Show/Delete Signature Database', 'dbx', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509_SHA256 CRL', + 'TimeOfRevocation:', '2013-5-27 01:02:03'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set PK.esl to PK + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 9, True, 'Quit') + # check PK is expected value + press_up_down_enter_and_wait(0, 1, True, None) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'PK', + 'Owner GUID', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK', + 'Can not delete PK, Press any key to continue'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 4, True, 'Quit') + check_current_is_maintenance_menu() + + # + # Test Case 2: Enroll PK first, then non-signed esl fails to enroll + # + + # Restart the system to clean the previous state + u_boot_console.restart_uboot() + # bind the test disk image for succeeding tests + u_boot_console.run_command(cmd = f'host bind 0 {efi_boot_env}') + + with u_boot_console.temporary_timeout(500): + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + press_up_down_enter_and_wait(0, 4, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'): + u_boot_console.p.expect([i]) + + # set PK.auth to PK + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 8, True, 'Quit') + # check PK is expected value + press_up_down_enter_and_wait(0, 1, True, None) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'PK', + 'Owner GUID', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK', + 'Can not delete PK, Press any key to continue'): + u_boot_console.p.expect([i]) + + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'): + u_boot_console.p.expect([i]) + + # fail to set KEK.esl + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 7, True, 'Quit') + for i in ('ERROR! Failed to update signature database', + 'Press any key to continue'): + u_boot_console.p.expect([i]) + press_escape_key(False) + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # fail to set db.esl + press_up_down_enter_and_wait(0, 2, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 1, True, 'Quit') + for i in ('ERROR! Failed to update signature database', + 'Press any key to continue'): + u_boot_console.p.expect([i]) + press_escape_key(False) + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # fail to set dbx_hash.crl + press_up_down_enter_and_wait(0, 3, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 3, True, 'Quit') + for i in ('ERROR! Failed to update signature database', + 'Press any key to continue'): + u_boot_console.p.expect([i]) + press_escape_key(False) + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # + # Test Case 3: Enroll signed ESL(.auth) in order of PK, KEK, and db, then check status + # + + # Restart the system to clean the previous state + u_boot_console.restart_uboot() + # bind the test disk image for succeeding tests + u_boot_console.run_command(cmd = f'host bind 0 {efi_boot_env}') + + with u_boot_console.temporary_timeout(500): + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + press_up_down_enter_and_wait(0, 4, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'): + u_boot_console.p.expect([i]) + + # set PK.auth to PK + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 8, True, 'Quit') + # check PK is expected value + press_up_down_enter_and_wait(0, 1, True, None) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'PK', + 'Owner GUID', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK', + 'Can not delete PK, Press any key to continue'): + u_boot_console.p.expect([i]) + + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set KEK.auth to KEK + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 6, True, 'Quit') + # check KEK is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'KEK', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509', 'Subject:', 'TEST_KEK', 'Issuer:', 'TEST_KEK'): + u_boot_console.p.expect([i]) + + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set db.auth to db + press_up_down_enter_and_wait(0, 2, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + # check db is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'db', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509', 'Subject:', 'TEST_db', 'Issuer:', 'TEST_db'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 4, True, 'Quit') + check_current_is_maintenance_menu() + + # + # Test Case 4: start signed image allowed in db + # + + # Select 'Add Boot Option' + press_up_down_enter_and_wait(0, 0, True, 'Quit') + # Press the enter key to select 'Description:' entry, then enter Description + press_up_down_enter_and_wait(0, 0, True, 'enter description:') + # Send Description user input, press ENTER key to complete + send_user_input_and_wait('hello', 'Quit') + + # Set EFI image(helloworld.efi.signed) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'host 0:1') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 5, True, 'Quit') + for i in ('Description: hello', 'File: host 0:1/helloworld.efi.signed', + 'Initrd File:', 'Optional Data:', 'Save', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 4, True, 'Quit') + press_escape_key(False) + check_current_is_maintenance_menu() + press_escape_key(True) + response = u_boot_console.run_command(cmd = 'bootefi bootmgr') + assert 'Hello, world!' in response + + # + # Test Case 5: can not start the image if it is not signed + # + + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + # Select 'Edit Boot Option' + press_up_down_enter_and_wait(0, 1, True, None) + # Check the curren BootOrder + for i in ('hello', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + # Set EFI image(helloworld.efi) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'host 0:1') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 4, True, 'Quit') + for i in ('Description: hello', 'File: host 0:1/helloworld.efi', + 'Initrd File:', 'Optional Data:', 'Save', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 4, True, 'Quit') + press_escape_key(False) + check_current_is_maintenance_menu() + press_escape_key(True) + response = u_boot_console.run_command(cmd = 'bootefi bootmgr') + assert 'Image not authenticated' in response + + # + # Test Case 6: can not start the signed image if dbx revokes db certificate + # + + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + # Select 'Edit Boot Option' + press_up_down_enter_and_wait(0, 1, True, None) + # Check the curren BootOrder + for i in ('hello', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, 'Quit') + # Set EFI image(helloworld.efi.signed) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'host 0:1') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 5, True, 'Quit') + for i in ('Description: hello', 'File: host 0:1/helloworld.efi.signed', + 'Initrd File:', 'Optional Data:', 'Save', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 4, True, 'Quit') + press_escape_key(False) + check_current_is_maintenance_menu() + press_up_down_enter_and_wait(0, 4, True, 'Quit') + # set dbx_hash.auth to dbx + press_up_down_enter_and_wait(0, 3, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + # check db is expected value + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, None) + # verify CRL, skip hash comparison because it varies in every test + for i in ('Show/Delete Signature Database', 'dbx', + 'Owner GUID:', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type:', 'X509_SHA256 CRL', + 'TimeOfRevocation:', '2013-5-27 01:02:03'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + press_escape_key(False) + check_current_is_maintenance_menu() + press_escape_key(True) + response = u_boot_console.run_command(cmd = 'bootefi bootmgr') + assert 'Image not authenticated' in response + + # + # Test Case 7: clear PK with null key, check secure boot is OFF + # + + u_boot_console.run_command('eficonfig', wait_for_prompt=False) + check_current_is_maintenance_menu() + press_up_down_enter_and_wait(0, 4, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'): + u_boot_console.p.expect([i]) + + # clear PK with null key + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 10, True, 'Quit') + + press_up_down_enter_and_wait(0, 1, True, None) + for i in ('There is no entry in the signature database.', 'Press any key to continue'): + u_boot_console.p.expect([i]) + + press_enter_key(False) + press_up_down_enter_and_wait(0, 2, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'OFF'): + u_boot_console.p.expect([i]) + + # delete dbx + press_up_down_enter_and_wait(0, 3, True, 'Quit') + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_enter_key(False) + for i in ('TimeOfRevocation:', '2013-5-27 01:02:03'): + u_boot_console.p.expect([i]) + press_enter_key(False) + for i in ('Are you sure you want to delete this item?', 'Press ENTER to delete'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('There is no entry in the signature database.', + 'Press any key to continue'): + u_boot_console.p.expect([i]) + press_enter_key(False) + press_up_down_enter_and_wait(0, 2, True, 'Quit') + + # set PK.auth to PK + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 0, True, 'Quit') + press_up_down_enter_and_wait(0, 8, True, 'Quit') + # check PK is expected value + press_up_down_enter_and_wait(0, 1, True, None) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 0, True, None) + for i in ('Show/Delete Signature Database', 'PK', + 'Owner GUID', '11111111-2222-3333-4444-123456789ABC', + 'Signature Type', 'X509', 'Subject', 'TEST_PK', 'Issuer', 'TEST_PK', + 'Can not delete PK, Press any key to continue'): + u_boot_console.p.expect([i]) + press_escape_key(False) + for i in ('11111111-2222-3333-4444-123456789ABC', 'Quit'): + u_boot_console.p.expect([i]) + press_up_down_enter_and_wait(0, 1, True, 'Quit') + press_up_down_enter_and_wait(0, 2, True, 'Quit') + for i in ('UEFI Secure Boot Key Configuration', 'SecureBoot :', 'ON'): + u_boot_console.p.expect([i]) + press_escape_key(False) + check_current_is_maintenance_menu() + press_escape_key(True) + response = u_boot_console.run_command(cmd = 'bootefi bootmgr') + assert 'Hello, world!' in response