diff mbox series

[v8,10/10] test/py: efi_capsule: test for FMP versioning

Message ID 20230606094035.28990-11-masahisa.kojima@linaro.org
State Superseded
Headers show
Series FMP versioning support | expand

Commit Message

Masahisa Kojima June 6, 2023, 9:40 a.m. UTC
This test covers the FMP versioning for both raw and FIT image,
and both signed and non-signed capsule update.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
---
Changes in v8:
- remove excess semicolons

Changes in v7:
- use newly introduced common functions of efi_capsule test

 test/py/tests/test_efi_capsule/conftest.py    | 82 ++++++++++++++++++
 .../test_capsule_firmware_fit.py              | 80 ++++++++++++++++-
 .../test_capsule_firmware_raw.py              | 85 ++++++++++++++++++-
 .../test_capsule_firmware_signed_fit.py       | 65 ++++++++++++++
 .../test_capsule_firmware_signed_raw.py       | 70 +++++++++++++++
 test/py/tests/test_efi_capsule/version.dts    | 24 ++++++
 6 files changed, 404 insertions(+), 2 deletions(-)
 create mode 100644 test/py/tests/test_efi_capsule/version.dts

Comments

Heinrich Schuchardt June 6, 2023, 10 a.m. UTC | #1
On 6/6/23 11:40, Masahisa Kojima wrote:
> This test covers the FMP versioning for both raw and FIT image,
> and both signed and non-signed capsule update.
>
> Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>

Thanks for fixing some of the pylint issued.

Could you, please, run

pylint --enable-all-extensions test/py/tests/test_efi_capsule/*.py

Some warnings seem to remain relating to your changes, e.g.

test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py:223:8:
W0612: Unused variable 'capsule_auth' (unused-variable)

Best regards

Heinrich

> ---
> Changes in v8:
> - remove excess semicolons
>
> Changes in v7:
> - use newly introduced common functions of efi_capsule test
>
>   test/py/tests/test_efi_capsule/conftest.py    | 82 ++++++++++++++++++
>   .../test_capsule_firmware_fit.py              | 80 ++++++++++++++++-
>   .../test_capsule_firmware_raw.py              | 85 ++++++++++++++++++-
>   .../test_capsule_firmware_signed_fit.py       | 65 ++++++++++++++
>   .../test_capsule_firmware_signed_raw.py       | 70 +++++++++++++++
>   test/py/tests/test_efi_capsule/version.dts    | 24 ++++++
>   6 files changed, 404 insertions(+), 2 deletions(-)
>   create mode 100644 test/py/tests/test_efi_capsule/version.dts
>
> diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
> index a337e62936..d0e20df01e 100644
> --- a/test/py/tests/test_efi_capsule/conftest.py
> +++ b/test/py/tests/test_efi_capsule/conftest.py
> @@ -62,6 +62,23 @@ def efi_capsule_data(request, u_boot_config):
>                               '-out SIGNER2.crt -nodes -days 365'
>                          % data_dir, shell=True)
>
> +        # Update dtb to add the version information
> +        check_call('cd %s; '
> +                   'cp %s/test/py/tests/test_efi_capsule/version.dts .'
> +                   % (data_dir, u_boot_config.source_dir), shell=True)
> +        if capsule_auth_enabled:
> +            check_call('cd %s; '
> +                       'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
> +                       'fdtoverlay -i test_sig.dtb '
> +                            '-o test_ver.dtb version.dtbo'
> +                       % (data_dir), shell=True)
> +        else:
> +            check_call('cd %s; '
> +                       'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
> +                       'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
> +                            '-o test_ver.dtb version.dtbo'
> +                       % (data_dir, u_boot_config.build_dir), shell=True)
> +
>           # Create capsule files
>           # two regions: one for u-boot.bin and the other for u-boot.env
>           check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
> @@ -87,6 +104,26 @@ def efi_capsule_data(request, u_boot_config):
>           check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid  058B7D83-50D5-4C47-A195-60D86AD341C4 uboot_bin_env.itb Test05' %
>                      (data_dir, u_boot_config.build_dir),
>                      shell=True)
> +        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
> +                        '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test101' %
> +                   (data_dir, u_boot_config.build_dir),
> +                   shell=True)
> +        check_call('cd %s; %s/tools/mkeficapsule --index 2 --fw-version 10 '
> +                        '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test102' %
> +                   (data_dir, u_boot_config.build_dir),
> +                   shell=True)
> +        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
> +                        '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test103' %
> +                   (data_dir, u_boot_config.build_dir),
> +                   shell=True)
> +        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
> +                        '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test104' %
> +                   (data_dir, u_boot_config.build_dir),
> +                   shell=True)
> +        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
> +                        '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test105' %
> +                   (data_dir, u_boot_config.build_dir),
> +                   shell=True)
>
>           if capsule_auth_enabled:
>               # raw firmware signed with proper key
> @@ -123,6 +160,51 @@ def efi_capsule_data(request, u_boot_config):
>                               'uboot_bin_env.itb Test14'
>                          % (data_dir, u_boot_config.build_dir),
>                          shell=True)
> +            # raw firmware signed with proper key with version information
> +            check_call('cd %s; '
> +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> +                            '--fw-version 5 '
> +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> +                            '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
> +                            'u-boot.bin.new Test111'
> +                       % (data_dir, u_boot_config.build_dir),
> +                       shell=True)
> +            # raw firmware signed with proper key with version information
> +            check_call('cd %s; '
> +                       '%s/tools/mkeficapsule --index 2 --monotonic-count 1 '
> +                            '--fw-version 10 '
> +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> +                            '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 '
> +                            'u-boot.env.new Test112'
> +                       % (data_dir, u_boot_config.build_dir),
> +                       shell=True)
> +            # raw firmware signed with proper key with lower version information
> +            check_call('cd %s; '
> +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> +                            '--fw-version 2 '
> +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> +                            '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
> +                            'u-boot.bin.new Test113'
> +                       % (data_dir, u_boot_config.build_dir),
> +                       shell=True)
> +            # FIT firmware signed with proper key with version information
> +            check_call('cd %s; '
> +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> +                            '--fw-version 5 '
> +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> +                            '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
> +                            'uboot_bin_env.itb Test114'
> +                       % (data_dir, u_boot_config.build_dir),
> +                       shell=True)
> +            # FIT firmware signed with proper key with lower version information
> +            check_call('cd %s; '
> +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> +                            '--fw-version 2 '
> +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> +                            '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
> +                            'uboot_bin_env.itb Test115'
> +                       % (data_dir, u_boot_config.build_dir),
> +                       shell=True)
>
>           # Create a disk image with EFI system partition
>           check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
> diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py
> index fccf1f3fc1..a4df326c53 100644
> --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py
> +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py
> @@ -14,7 +14,8 @@ from capsule_common import (
>       place_capsule_file,
>       exec_manual_update,
>       check_file_removed,
> -    verify_content
> +    verify_content,
> +    do_reboot_dtb_specified
>   )
>
>   @pytest.mark.boardspec('sandbox_flattree')
> @@ -105,3 +106,80 @@ class TestEfiCapsuleFirmwareFit():
>
>               expected = 'u-boot-env:Old' if capsule_auth else 'u-boot-env:New'
>               verify_content(u_boot_console, '150000', expected)
> +
> +    def test_efi_capsule_fw3(
> +            self, u_boot_config, u_boot_console, efi_capsule_data):
> +        """ Test Case 3
> +        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
> +        0x100000-0x150000: U-Boot binary (but dummy)
> +        0x150000-0x200000: U-Boot environment (but dummy)
> +        """
> +        disk_img = efi_capsule_data
> +        capsule_files = ['Test104']
> +        with u_boot_console.log.section('Test Case 3-a, before reboot'):
> +            setup(u_boot_console, disk_img, '0x0000000000000004')
> +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> +            init_content(u_boot_console, '150000', 'u-boot.env.old', 'Old')
> +            place_capsule_file(u_boot_console, capsule_files)
> +
> +        # reboot
> +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> +
> +        capsule_early = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_on_disk_early')
> +        capsule_auth = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_authenticate')
> +        with u_boot_console.log.section('Test Case 3-b, after reboot'):
> +            if not capsule_early:
> +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> +
> +            # deleted anyway
> +            check_file_removed(u_boot_console, disk_img, capsule_files)
> +
> +            # make sure the dfu_alt_info exists because it is required for making ESRT.
> +            output = u_boot_console.run_command_list([
> +                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
> +                'efidebug capsule esrt'])
> +
> +            if capsule_auth:
> +                # capsule authentication failed
> +                verify_content(u_boot_console, '100000', 'u-boot:Old')
> +                verify_content(u_boot_console, '150000', 'u-boot-env:Old')
> +            else:
> +                # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
> +                assert '3673B45D-6A7C-46F3-9E60-ADABB03F7937' in ''.join(output)
> +                assert 'ESRT: fw_version=5' in ''.join(output)
> +                assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
> +
> +                verify_content(u_boot_console, '100000', 'u-boot:New')
> +                verify_content(u_boot_console, '150000', 'u-boot-env:New')
> +
> +    def test_efi_capsule_fw4(
> +            self, u_boot_config, u_boot_console, efi_capsule_data):
> +        """ Test Case 4
> +        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
> +        but fw_version is lower than lowest_supported_version
> +        No update should happen
> +        0x100000-0x150000: U-Boot binary (but dummy)
> +        """
> +        disk_img = efi_capsule_data
> +        capsule_files = ['Test105']
> +        with u_boot_console.log.section('Test Case 4-a, before reboot'):
> +            setup(u_boot_console, disk_img, '0x0000000000000004')
> +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> +            place_capsule_file(u_boot_console, capsule_files)
> +
> +        # reboot
> +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> +
> +        capsule_early = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_on_disk_early')
> +        capsule_auth = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_authenticate')
> +        with u_boot_console.log.section('Test Case 4-b, after reboot'):
> +            if not capsule_early:
> +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> +
> +            check_file_removed(u_boot_console, disk_img, capsule_files)
> +
> +            verify_content(u_boot_console, '100000', 'u-boot:Old')
> diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py
> index e00686a9fc..d63168498c 100644
> --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py
> +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py
> @@ -15,7 +15,8 @@ from capsule_common import (
>       exec_manual_update,
>       check_file_removed,
>       check_file_exist,
> -    verify_content
> +    verify_content,
> +    do_reboot_dtb_specified
>   )
>
>   @pytest.mark.boardspec('sandbox')
> @@ -146,3 +147,85 @@ class TestEfiCapsuleFirmwareRaw:
>
>               expected = 'u-boot-env:Old' if capsule_auth else 'u-boot-env:New'
>               verify_content(u_boot_console, '150000', expected)
> +
> +    def test_efi_capsule_fw4(
> +            self, u_boot_config, u_boot_console, efi_capsule_data):
> +        """ Test Case 4
> +        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
> +        0x100000-0x150000: U-Boot binary (but dummy)
> +        0x150000-0x200000: U-Boot environment (but dummy)
> +        """
> +        disk_img = efi_capsule_data
> +        capsule_files = ['Test101', 'Test102']
> +        with u_boot_console.log.section('Test Case 4-a, before reboot'):
> +            setup(u_boot_console, disk_img, '0x0000000000000004')
> +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> +            init_content(u_boot_console, '150000', 'u-boot.env.old', 'Old')
> +            place_capsule_file(u_boot_console, capsule_files)
> +
> +        # reboot
> +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> +
> +        capsule_early = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_on_disk_early')
> +        capsule_auth = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_authenticate')
> +        with u_boot_console.log.section('Test Case 4-b, after reboot'):
> +            if not capsule_early:
> +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> +
> +            # deleted anyway
> +            check_file_removed(u_boot_console, disk_img, capsule_files)
> +
> +            # make sure the dfu_alt_info exists because it is required for making ESRT.
> +            output = u_boot_console.run_command_list([
> +                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
> +                'efidebug capsule esrt'])
> +
> +            if capsule_auth:
> +                # capsule authentication failed
> +                verify_content(u_boot_console, '100000', 'u-boot:Old')
> +                verify_content(u_boot_console, '150000', 'u-boot-env:Old')
> +            else:
> +                # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
> +                assert '09D7CF52-0720-4710-91D1-08469B7FE9C8' in ''.join(output)
> +                assert 'ESRT: fw_version=5' in ''.join(output)
> +                assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
> +
> +                # ensure that SANDBOX_UBOOT_ENV_IMAGE_GUID is in the ESRT.
> +                assert '5A7021F5-FEF2-48B4-AABA-832E777418C0' in ''.join(output)
> +                assert 'ESRT: fw_version=10' in ''.join(output)
> +                assert 'ESRT: lowest_supported_fw_version=7' in ''.join(output)
> +
> +                verify_content(u_boot_console, '100000', 'u-boot:New')
> +                verify_content(u_boot_console, '150000', 'u-boot-env:New')
> +
> +    def test_efi_capsule_fw5(
> +            self, u_boot_config, u_boot_console, efi_capsule_data):
> +        """ Test Case 5
> +        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
> +        but fw_version is lower than lowest_supported_version
> +        No update should happen
> +        0x100000-0x150000: U-Boot binary (but dummy)
> +        """
> +        disk_img = efi_capsule_data
> +        capsule_files = ['Test103']
> +        with u_boot_console.log.section('Test Case 5-a, before reboot'):
> +            setup(u_boot_console, disk_img, '0x0000000000000004')
> +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> +            place_capsule_file(u_boot_console, capsule_files)
> +
> +        # reboot
> +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> +
> +        capsule_early = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_on_disk_early')
> +        capsule_auth = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_authenticate')
> +        with u_boot_console.log.section('Test Case 5-b, after reboot'):
> +            if not capsule_early:
> +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> +
> +            check_file_removed(u_boot_console, disk_img, capsule_files)
> +
> +            verify_content(u_boot_console, '100000', 'u-boot:Old')
> diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py
> index cbacdab4d1..509ad9d25c 100644
> --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py
> +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py
> @@ -126,3 +126,68 @@ class TestEfiCapsuleFirmwareSignedFit():
>               # TODO: check CapsuleStatus in CapsuleXXXX
>
>               verify_content(u_boot_console, '100000', 'u-boot:Old')
> +
> +    def test_efi_capsule_auth4(
> +            self, u_boot_config, u_boot_console, efi_capsule_data):
> +        """Test Case 4 - Update U-Boot on SPI Flash, raw image format with version information
> +        0x100000-0x150000: U-Boot binary (but dummy)
> +
> +        If the capsule is properly signed, the authentication
> +        should pass and the firmware be updated.
> +        """
> +        disk_img = efi_capsule_data
> +        capsule_files = ['Test114']
> +        with u_boot_console.log.section('Test Case 4-a, before reboot'):
> +            setup(u_boot_console, disk_img, '0x0000000000000004')
> +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> +            place_capsule_file(u_boot_console, capsule_files)
> +
> +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> +
> +        capsule_early = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_on_disk_early')
> +        with u_boot_console.log.section('Test Case 4-b, after reboot'):
> +            if not capsule_early:
> +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> +
> +            check_file_removed(u_boot_console, disk_img, capsule_files)
> +
> +            output = u_boot_console.run_command_list([
> +                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
> +                'efidebug capsule esrt'])
> +
> +            # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
> +            assert '3673B45D-6A7C-46F3-9E60-ADABB03F7937' in ''.join(output)
> +            assert 'ESRT: fw_version=5' in ''.join(output)
> +            assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
> +
> +            verify_content(u_boot_console, '100000', 'u-boot:New')
> +            verify_content(u_boot_console, '150000', 'u-boot-env:New')
> +
> +    def test_efi_capsule_auth5(
> +            self, u_boot_config, u_boot_console, efi_capsule_data):
> +        """Test Case 5 - Update U-Boot on SPI Flash, raw image format with version information
> +        0x100000-0x150000: U-Boot binary (but dummy)
> +
> +        If the capsule is signed but fw_version is lower than lowest
> +        supported version, the authentication should fail and the firmware
> +        not be updated.
> +        """
> +        disk_img = efi_capsule_data
> +        capsule_files = ['Test115']
> +        with u_boot_console.log.section('Test Case 5-a, before reboot'):
> +            setup(u_boot_console, disk_img, '0x0000000000000004')
> +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> +            place_capsule_file(u_boot_console, capsule_files)
> +
> +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> +
> +        capsule_early = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_on_disk_early')
> +        with u_boot_console.log.section('Test Case 5-b, after reboot'):
> +            if not capsule_early:
> +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> +
> +            check_file_removed(u_boot_console, disk_img, capsule_files)
> +
> +            verify_content(u_boot_console, '100000', 'u-boot:Old')
> diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py
> index 3d6274ff99..525ec76ca1 100644
> --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py
> +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py
> @@ -120,3 +120,73 @@ class TestEfiCapsuleFirmwareSignedRaw():
>               # TODO: check CapsuleStatus in CapsuleXXXX
>
>               verify_content(u_boot_console, '100000', 'u-boot:Old')
> +
> +    def test_efi_capsule_auth4(
> +            self, u_boot_config, u_boot_console, efi_capsule_data):
> +        """Test Case 4 - Update U-Boot on SPI Flash, raw image format with version information
> +        0x100000-0x150000: U-Boot binary (but dummy)
> +
> +        If the capsule is properly signed, the authentication
> +        should pass and the firmware be updated.
> +        """
> +        disk_img = efi_capsule_data
> +        capsule_files = ['Test111', 'Test112']
> +        with u_boot_console.log.section('Test Case 4-a, before reboot'):
> +            setup(u_boot_console, disk_img, '0x0000000000000004')
> +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> +            place_capsule_file(u_boot_console, capsule_files)
> +
> +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> +
> +        capsule_early = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_on_disk_early')
> +        with u_boot_console.log.section('Test Case 4-b, after reboot'):
> +            if not capsule_early:
> +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> +
> +            check_file_removed(u_boot_console, disk_img, capsule_files)
> +
> +            output = u_boot_console.run_command_list([
> +                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
> +                'efidebug capsule esrt'])
> +
> +            # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
> +            assert '09D7CF52-0720-4710-91D1-08469B7FE9C8' in ''.join(output)
> +            assert 'ESRT: fw_version=5' in ''.join(output)
> +            assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
> +
> +            # ensure that SANDBOX_UBOOT_ENV_IMAGE_GUID is in the ESRT.
> +            assert '5A7021F5-FEF2-48B4-AABA-832E777418C0' in ''.join(output)
> +            assert 'ESRT: fw_version=10' in ''.join(output)
> +            assert 'ESRT: lowest_supported_fw_version=7' in ''.join(output)
> +
> +            verify_content(u_boot_console, '100000', 'u-boot:New')
> +            verify_content(u_boot_console, '150000', 'u-boot-env:New')
> +
> +    def test_efi_capsule_auth5(
> +            self, u_boot_config, u_boot_console, efi_capsule_data):
> +        """Test Case 5 - Update U-Boot on SPI Flash, raw image format with version information
> +        0x100000-0x150000: U-Boot binary (but dummy)
> +
> +        If the capsule is signed but fw_version is lower than lowest
> +        supported version, the authentication should fail and the firmware
> +        not be updated.
> +        """
> +        disk_img = efi_capsule_data
> +        capsule_files = ['Test113']
> +        with u_boot_console.log.section('Test Case 5-a, before reboot'):
> +            setup(u_boot_console, disk_img, '0x0000000000000004')
> +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> +            place_capsule_file(u_boot_console, capsule_files)
> +
> +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> +
> +        capsule_early = u_boot_config.buildconfig.get(
> +            'config_efi_capsule_on_disk_early')
> +        with u_boot_console.log.section('Test Case 5-b, after reboot'):
> +            if not capsule_early:
> +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> +
> +            check_file_removed(u_boot_console, disk_img, capsule_files)
> +
> +            verify_content(u_boot_console, '100000', 'u-boot:Old')
> diff --git a/test/py/tests/test_efi_capsule/version.dts b/test/py/tests/test_efi_capsule/version.dts
> new file mode 100644
> index 0000000000..07850cc606
> --- /dev/null
> +++ b/test/py/tests/test_efi_capsule/version.dts
> @@ -0,0 +1,24 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +
> +/dts-v1/;
> +/plugin/;
> +
> +&{/} {
> +	firmware-version {
> +		image1 {
> +			lowest-supported-version = <3>;
> +			image-index = <1>;
> +			image-type-id = "09D7CF52-0720-4710-91D1-08469B7FE9C8";
> +		};
> +		image2 {
> +			lowest-supported-version = <7>;
> +			image-index = <2>;
> +			image-type-id = "5A7021F5-FEF2-48B4-AABA-832E777418C0";
> +		};
> +		image3 {
> +			lowest-supported-version = <3>;
> +			image-index = <1>;
> +			image-type-id = "3673B45D-6A7C-46F3-9E60-ADABB03F7937";
> +		};
> +	};
> +};
Masahisa Kojima June 7, 2023, 4:52 a.m. UTC | #2
On Tue, 6 Jun 2023 at 19:00, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
>
> On 6/6/23 11:40, Masahisa Kojima wrote:
> > This test covers the FMP versioning for both raw and FIT image,
> > and both signed and non-signed capsule update.
> >
> > Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
>
> Thanks for fixing some of the pylint issued.
>
> Could you, please, run
>
> pylint --enable-all-extensions test/py/tests/test_efi_capsule/*.py
>
> Some warnings seem to remain relating to your changes, e.g.
>
> test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py:223:8:
> W0612: Unused variable 'capsule_auth' (unused-variable)

Thank you, I will fix the pylint warnings as much as possible.

Regards,
Masahisa Kojima

>
> Best regards
>
> Heinrich
>
> > ---
> > Changes in v8:
> > - remove excess semicolons
> >
> > Changes in v7:
> > - use newly introduced common functions of efi_capsule test
> >
> >   test/py/tests/test_efi_capsule/conftest.py    | 82 ++++++++++++++++++
> >   .../test_capsule_firmware_fit.py              | 80 ++++++++++++++++-
> >   .../test_capsule_firmware_raw.py              | 85 ++++++++++++++++++-
> >   .../test_capsule_firmware_signed_fit.py       | 65 ++++++++++++++
> >   .../test_capsule_firmware_signed_raw.py       | 70 +++++++++++++++
> >   test/py/tests/test_efi_capsule/version.dts    | 24 ++++++
> >   6 files changed, 404 insertions(+), 2 deletions(-)
> >   create mode 100644 test/py/tests/test_efi_capsule/version.dts
> >
> > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
> > index a337e62936..d0e20df01e 100644
> > --- a/test/py/tests/test_efi_capsule/conftest.py
> > +++ b/test/py/tests/test_efi_capsule/conftest.py
> > @@ -62,6 +62,23 @@ def efi_capsule_data(request, u_boot_config):
> >                               '-out SIGNER2.crt -nodes -days 365'
> >                          % data_dir, shell=True)
> >
> > +        # Update dtb to add the version information
> > +        check_call('cd %s; '
> > +                   'cp %s/test/py/tests/test_efi_capsule/version.dts .'
> > +                   % (data_dir, u_boot_config.source_dir), shell=True)
> > +        if capsule_auth_enabled:
> > +            check_call('cd %s; '
> > +                       'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
> > +                       'fdtoverlay -i test_sig.dtb '
> > +                            '-o test_ver.dtb version.dtbo'
> > +                       % (data_dir), shell=True)
> > +        else:
> > +            check_call('cd %s; '
> > +                       'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
> > +                       'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
> > +                            '-o test_ver.dtb version.dtbo'
> > +                       % (data_dir, u_boot_config.build_dir), shell=True)
> > +
> >           # Create capsule files
> >           # two regions: one for u-boot.bin and the other for u-boot.env
> >           check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
> > @@ -87,6 +104,26 @@ def efi_capsule_data(request, u_boot_config):
> >           check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid  058B7D83-50D5-4C47-A195-60D86AD341C4 uboot_bin_env.itb Test05' %
> >                      (data_dir, u_boot_config.build_dir),
> >                      shell=True)
> > +        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
> > +                        '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test101' %
> > +                   (data_dir, u_boot_config.build_dir),
> > +                   shell=True)
> > +        check_call('cd %s; %s/tools/mkeficapsule --index 2 --fw-version 10 '
> > +                        '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test102' %
> > +                   (data_dir, u_boot_config.build_dir),
> > +                   shell=True)
> > +        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
> > +                        '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test103' %
> > +                   (data_dir, u_boot_config.build_dir),
> > +                   shell=True)
> > +        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
> > +                        '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test104' %
> > +                   (data_dir, u_boot_config.build_dir),
> > +                   shell=True)
> > +        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
> > +                        '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test105' %
> > +                   (data_dir, u_boot_config.build_dir),
> > +                   shell=True)
> >
> >           if capsule_auth_enabled:
> >               # raw firmware signed with proper key
> > @@ -123,6 +160,51 @@ def efi_capsule_data(request, u_boot_config):
> >                               'uboot_bin_env.itb Test14'
> >                          % (data_dir, u_boot_config.build_dir),
> >                          shell=True)
> > +            # raw firmware signed with proper key with version information
> > +            check_call('cd %s; '
> > +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> > +                            '--fw-version 5 '
> > +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> > +                            '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
> > +                            'u-boot.bin.new Test111'
> > +                       % (data_dir, u_boot_config.build_dir),
> > +                       shell=True)
> > +            # raw firmware signed with proper key with version information
> > +            check_call('cd %s; '
> > +                       '%s/tools/mkeficapsule --index 2 --monotonic-count 1 '
> > +                            '--fw-version 10 '
> > +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> > +                            '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 '
> > +                            'u-boot.env.new Test112'
> > +                       % (data_dir, u_boot_config.build_dir),
> > +                       shell=True)
> > +            # raw firmware signed with proper key with lower version information
> > +            check_call('cd %s; '
> > +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> > +                            '--fw-version 2 '
> > +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> > +                            '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
> > +                            'u-boot.bin.new Test113'
> > +                       % (data_dir, u_boot_config.build_dir),
> > +                       shell=True)
> > +            # FIT firmware signed with proper key with version information
> > +            check_call('cd %s; '
> > +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> > +                            '--fw-version 5 '
> > +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> > +                            '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
> > +                            'uboot_bin_env.itb Test114'
> > +                       % (data_dir, u_boot_config.build_dir),
> > +                       shell=True)
> > +            # FIT firmware signed with proper key with lower version information
> > +            check_call('cd %s; '
> > +                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
> > +                            '--fw-version 2 '
> > +                            '--private-key SIGNER.key --certificate SIGNER.crt '
> > +                            '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
> > +                            'uboot_bin_env.itb Test115'
> > +                       % (data_dir, u_boot_config.build_dir),
> > +                       shell=True)
> >
> >           # Create a disk image with EFI system partition
> >           check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
> > diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py
> > index fccf1f3fc1..a4df326c53 100644
> > --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py
> > +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py
> > @@ -14,7 +14,8 @@ from capsule_common import (
> >       place_capsule_file,
> >       exec_manual_update,
> >       check_file_removed,
> > -    verify_content
> > +    verify_content,
> > +    do_reboot_dtb_specified
> >   )
> >
> >   @pytest.mark.boardspec('sandbox_flattree')
> > @@ -105,3 +106,80 @@ class TestEfiCapsuleFirmwareFit():
> >
> >               expected = 'u-boot-env:Old' if capsule_auth else 'u-boot-env:New'
> >               verify_content(u_boot_console, '150000', expected)
> > +
> > +    def test_efi_capsule_fw3(
> > +            self, u_boot_config, u_boot_console, efi_capsule_data):
> > +        """ Test Case 3
> > +        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
> > +        0x100000-0x150000: U-Boot binary (but dummy)
> > +        0x150000-0x200000: U-Boot environment (but dummy)
> > +        """
> > +        disk_img = efi_capsule_data
> > +        capsule_files = ['Test104']
> > +        with u_boot_console.log.section('Test Case 3-a, before reboot'):
> > +            setup(u_boot_console, disk_img, '0x0000000000000004')
> > +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> > +            init_content(u_boot_console, '150000', 'u-boot.env.old', 'Old')
> > +            place_capsule_file(u_boot_console, capsule_files)
> > +
> > +        # reboot
> > +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> > +
> > +        capsule_early = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_on_disk_early')
> > +        capsule_auth = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_authenticate')
> > +        with u_boot_console.log.section('Test Case 3-b, after reboot'):
> > +            if not capsule_early:
> > +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> > +
> > +            # deleted anyway
> > +            check_file_removed(u_boot_console, disk_img, capsule_files)
> > +
> > +            # make sure the dfu_alt_info exists because it is required for making ESRT.
> > +            output = u_boot_console.run_command_list([
> > +                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
> > +                'efidebug capsule esrt'])
> > +
> > +            if capsule_auth:
> > +                # capsule authentication failed
> > +                verify_content(u_boot_console, '100000', 'u-boot:Old')
> > +                verify_content(u_boot_console, '150000', 'u-boot-env:Old')
> > +            else:
> > +                # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
> > +                assert '3673B45D-6A7C-46F3-9E60-ADABB03F7937' in ''.join(output)
> > +                assert 'ESRT: fw_version=5' in ''.join(output)
> > +                assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
> > +
> > +                verify_content(u_boot_console, '100000', 'u-boot:New')
> > +                verify_content(u_boot_console, '150000', 'u-boot-env:New')
> > +
> > +    def test_efi_capsule_fw4(
> > +            self, u_boot_config, u_boot_console, efi_capsule_data):
> > +        """ Test Case 4
> > +        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
> > +        but fw_version is lower than lowest_supported_version
> > +        No update should happen
> > +        0x100000-0x150000: U-Boot binary (but dummy)
> > +        """
> > +        disk_img = efi_capsule_data
> > +        capsule_files = ['Test105']
> > +        with u_boot_console.log.section('Test Case 4-a, before reboot'):
> > +            setup(u_boot_console, disk_img, '0x0000000000000004')
> > +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> > +            place_capsule_file(u_boot_console, capsule_files)
> > +
> > +        # reboot
> > +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> > +
> > +        capsule_early = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_on_disk_early')
> > +        capsule_auth = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_authenticate')
> > +        with u_boot_console.log.section('Test Case 4-b, after reboot'):
> > +            if not capsule_early:
> > +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> > +
> > +            check_file_removed(u_boot_console, disk_img, capsule_files)
> > +
> > +            verify_content(u_boot_console, '100000', 'u-boot:Old')
> > diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py
> > index e00686a9fc..d63168498c 100644
> > --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py
> > +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py
> > @@ -15,7 +15,8 @@ from capsule_common import (
> >       exec_manual_update,
> >       check_file_removed,
> >       check_file_exist,
> > -    verify_content
> > +    verify_content,
> > +    do_reboot_dtb_specified
> >   )
> >
> >   @pytest.mark.boardspec('sandbox')
> > @@ -146,3 +147,85 @@ class TestEfiCapsuleFirmwareRaw:
> >
> >               expected = 'u-boot-env:Old' if capsule_auth else 'u-boot-env:New'
> >               verify_content(u_boot_console, '150000', expected)
> > +
> > +    def test_efi_capsule_fw4(
> > +            self, u_boot_config, u_boot_console, efi_capsule_data):
> > +        """ Test Case 4
> > +        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
> > +        0x100000-0x150000: U-Boot binary (but dummy)
> > +        0x150000-0x200000: U-Boot environment (but dummy)
> > +        """
> > +        disk_img = efi_capsule_data
> > +        capsule_files = ['Test101', 'Test102']
> > +        with u_boot_console.log.section('Test Case 4-a, before reboot'):
> > +            setup(u_boot_console, disk_img, '0x0000000000000004')
> > +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> > +            init_content(u_boot_console, '150000', 'u-boot.env.old', 'Old')
> > +            place_capsule_file(u_boot_console, capsule_files)
> > +
> > +        # reboot
> > +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> > +
> > +        capsule_early = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_on_disk_early')
> > +        capsule_auth = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_authenticate')
> > +        with u_boot_console.log.section('Test Case 4-b, after reboot'):
> > +            if not capsule_early:
> > +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> > +
> > +            # deleted anyway
> > +            check_file_removed(u_boot_console, disk_img, capsule_files)
> > +
> > +            # make sure the dfu_alt_info exists because it is required for making ESRT.
> > +            output = u_boot_console.run_command_list([
> > +                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
> > +                'efidebug capsule esrt'])
> > +
> > +            if capsule_auth:
> > +                # capsule authentication failed
> > +                verify_content(u_boot_console, '100000', 'u-boot:Old')
> > +                verify_content(u_boot_console, '150000', 'u-boot-env:Old')
> > +            else:
> > +                # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
> > +                assert '09D7CF52-0720-4710-91D1-08469B7FE9C8' in ''.join(output)
> > +                assert 'ESRT: fw_version=5' in ''.join(output)
> > +                assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
> > +
> > +                # ensure that SANDBOX_UBOOT_ENV_IMAGE_GUID is in the ESRT.
> > +                assert '5A7021F5-FEF2-48B4-AABA-832E777418C0' in ''.join(output)
> > +                assert 'ESRT: fw_version=10' in ''.join(output)
> > +                assert 'ESRT: lowest_supported_fw_version=7' in ''.join(output)
> > +
> > +                verify_content(u_boot_console, '100000', 'u-boot:New')
> > +                verify_content(u_boot_console, '150000', 'u-boot-env:New')
> > +
> > +    def test_efi_capsule_fw5(
> > +            self, u_boot_config, u_boot_console, efi_capsule_data):
> > +        """ Test Case 5
> > +        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
> > +        but fw_version is lower than lowest_supported_version
> > +        No update should happen
> > +        0x100000-0x150000: U-Boot binary (but dummy)
> > +        """
> > +        disk_img = efi_capsule_data
> > +        capsule_files = ['Test103']
> > +        with u_boot_console.log.section('Test Case 5-a, before reboot'):
> > +            setup(u_boot_console, disk_img, '0x0000000000000004')
> > +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> > +            place_capsule_file(u_boot_console, capsule_files)
> > +
> > +        # reboot
> > +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> > +
> > +        capsule_early = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_on_disk_early')
> > +        capsule_auth = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_authenticate')
> > +        with u_boot_console.log.section('Test Case 5-b, after reboot'):
> > +            if not capsule_early:
> > +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> > +
> > +            check_file_removed(u_boot_console, disk_img, capsule_files)
> > +
> > +            verify_content(u_boot_console, '100000', 'u-boot:Old')
> > diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py
> > index cbacdab4d1..509ad9d25c 100644
> > --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py
> > +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py
> > @@ -126,3 +126,68 @@ class TestEfiCapsuleFirmwareSignedFit():
> >               # TODO: check CapsuleStatus in CapsuleXXXX
> >
> >               verify_content(u_boot_console, '100000', 'u-boot:Old')
> > +
> > +    def test_efi_capsule_auth4(
> > +            self, u_boot_config, u_boot_console, efi_capsule_data):
> > +        """Test Case 4 - Update U-Boot on SPI Flash, raw image format with version information
> > +        0x100000-0x150000: U-Boot binary (but dummy)
> > +
> > +        If the capsule is properly signed, the authentication
> > +        should pass and the firmware be updated.
> > +        """
> > +        disk_img = efi_capsule_data
> > +        capsule_files = ['Test114']
> > +        with u_boot_console.log.section('Test Case 4-a, before reboot'):
> > +            setup(u_boot_console, disk_img, '0x0000000000000004')
> > +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> > +            place_capsule_file(u_boot_console, capsule_files)
> > +
> > +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> > +
> > +        capsule_early = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_on_disk_early')
> > +        with u_boot_console.log.section('Test Case 4-b, after reboot'):
> > +            if not capsule_early:
> > +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> > +
> > +            check_file_removed(u_boot_console, disk_img, capsule_files)
> > +
> > +            output = u_boot_console.run_command_list([
> > +                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
> > +                'efidebug capsule esrt'])
> > +
> > +            # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
> > +            assert '3673B45D-6A7C-46F3-9E60-ADABB03F7937' in ''.join(output)
> > +            assert 'ESRT: fw_version=5' in ''.join(output)
> > +            assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
> > +
> > +            verify_content(u_boot_console, '100000', 'u-boot:New')
> > +            verify_content(u_boot_console, '150000', 'u-boot-env:New')
> > +
> > +    def test_efi_capsule_auth5(
> > +            self, u_boot_config, u_boot_console, efi_capsule_data):
> > +        """Test Case 5 - Update U-Boot on SPI Flash, raw image format with version information
> > +        0x100000-0x150000: U-Boot binary (but dummy)
> > +
> > +        If the capsule is signed but fw_version is lower than lowest
> > +        supported version, the authentication should fail and the firmware
> > +        not be updated.
> > +        """
> > +        disk_img = efi_capsule_data
> > +        capsule_files = ['Test115']
> > +        with u_boot_console.log.section('Test Case 5-a, before reboot'):
> > +            setup(u_boot_console, disk_img, '0x0000000000000004')
> > +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> > +            place_capsule_file(u_boot_console, capsule_files)
> > +
> > +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> > +
> > +        capsule_early = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_on_disk_early')
> > +        with u_boot_console.log.section('Test Case 5-b, after reboot'):
> > +            if not capsule_early:
> > +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> > +
> > +            check_file_removed(u_boot_console, disk_img, capsule_files)
> > +
> > +            verify_content(u_boot_console, '100000', 'u-boot:Old')
> > diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py
> > index 3d6274ff99..525ec76ca1 100644
> > --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py
> > +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py
> > @@ -120,3 +120,73 @@ class TestEfiCapsuleFirmwareSignedRaw():
> >               # TODO: check CapsuleStatus in CapsuleXXXX
> >
> >               verify_content(u_boot_console, '100000', 'u-boot:Old')
> > +
> > +    def test_efi_capsule_auth4(
> > +            self, u_boot_config, u_boot_console, efi_capsule_data):
> > +        """Test Case 4 - Update U-Boot on SPI Flash, raw image format with version information
> > +        0x100000-0x150000: U-Boot binary (but dummy)
> > +
> > +        If the capsule is properly signed, the authentication
> > +        should pass and the firmware be updated.
> > +        """
> > +        disk_img = efi_capsule_data
> > +        capsule_files = ['Test111', 'Test112']
> > +        with u_boot_console.log.section('Test Case 4-a, before reboot'):
> > +            setup(u_boot_console, disk_img, '0x0000000000000004')
> > +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> > +            place_capsule_file(u_boot_console, capsule_files)
> > +
> > +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> > +
> > +        capsule_early = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_on_disk_early')
> > +        with u_boot_console.log.section('Test Case 4-b, after reboot'):
> > +            if not capsule_early:
> > +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> > +
> > +            check_file_removed(u_boot_console, disk_img, capsule_files)
> > +
> > +            output = u_boot_console.run_command_list([
> > +                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
> > +                'efidebug capsule esrt'])
> > +
> > +            # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
> > +            assert '09D7CF52-0720-4710-91D1-08469B7FE9C8' in ''.join(output)
> > +            assert 'ESRT: fw_version=5' in ''.join(output)
> > +            assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
> > +
> > +            # ensure that SANDBOX_UBOOT_ENV_IMAGE_GUID is in the ESRT.
> > +            assert '5A7021F5-FEF2-48B4-AABA-832E777418C0' in ''.join(output)
> > +            assert 'ESRT: fw_version=10' in ''.join(output)
> > +            assert 'ESRT: lowest_supported_fw_version=7' in ''.join(output)
> > +
> > +            verify_content(u_boot_console, '100000', 'u-boot:New')
> > +            verify_content(u_boot_console, '150000', 'u-boot-env:New')
> > +
> > +    def test_efi_capsule_auth5(
> > +            self, u_boot_config, u_boot_console, efi_capsule_data):
> > +        """Test Case 5 - Update U-Boot on SPI Flash, raw image format with version information
> > +        0x100000-0x150000: U-Boot binary (but dummy)
> > +
> > +        If the capsule is signed but fw_version is lower than lowest
> > +        supported version, the authentication should fail and the firmware
> > +        not be updated.
> > +        """
> > +        disk_img = efi_capsule_data
> > +        capsule_files = ['Test113']
> > +        with u_boot_console.log.section('Test Case 5-a, before reboot'):
> > +            setup(u_boot_console, disk_img, '0x0000000000000004')
> > +            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
> > +            place_capsule_file(u_boot_console, capsule_files)
> > +
> > +        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
> > +
> > +        capsule_early = u_boot_config.buildconfig.get(
> > +            'config_efi_capsule_on_disk_early')
> > +        with u_boot_console.log.section('Test Case 5-b, after reboot'):
> > +            if not capsule_early:
> > +                exec_manual_update(u_boot_console, disk_img, capsule_files)
> > +
> > +            check_file_removed(u_boot_console, disk_img, capsule_files)
> > +
> > +            verify_content(u_boot_console, '100000', 'u-boot:Old')
> > diff --git a/test/py/tests/test_efi_capsule/version.dts b/test/py/tests/test_efi_capsule/version.dts
> > new file mode 100644
> > index 0000000000..07850cc606
> > --- /dev/null
> > +++ b/test/py/tests/test_efi_capsule/version.dts
> > @@ -0,0 +1,24 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +
> > +/dts-v1/;
> > +/plugin/;
> > +
> > +&{/} {
> > +     firmware-version {
> > +             image1 {
> > +                     lowest-supported-version = <3>;
> > +                     image-index = <1>;
> > +                     image-type-id = "09D7CF52-0720-4710-91D1-08469B7FE9C8";
> > +             };
> > +             image2 {
> > +                     lowest-supported-version = <7>;
> > +                     image-index = <2>;
> > +                     image-type-id = "5A7021F5-FEF2-48B4-AABA-832E777418C0";
> > +             };
> > +             image3 {
> > +                     lowest-supported-version = <3>;
> > +                     image-index = <1>;
> > +                     image-type-id = "3673B45D-6A7C-46F3-9E60-ADABB03F7937";
> > +             };
> > +     };
> > +};
>
diff mbox series

Patch

diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
index a337e62936..d0e20df01e 100644
--- a/test/py/tests/test_efi_capsule/conftest.py
+++ b/test/py/tests/test_efi_capsule/conftest.py
@@ -62,6 +62,23 @@  def efi_capsule_data(request, u_boot_config):
                             '-out SIGNER2.crt -nodes -days 365'
                        % data_dir, shell=True)
 
+        # Update dtb to add the version information
+        check_call('cd %s; '
+                   'cp %s/test/py/tests/test_efi_capsule/version.dts .'
+                   % (data_dir, u_boot_config.source_dir), shell=True)
+        if capsule_auth_enabled:
+            check_call('cd %s; '
+                       'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
+                       'fdtoverlay -i test_sig.dtb '
+                            '-o test_ver.dtb version.dtbo'
+                       % (data_dir), shell=True)
+        else:
+            check_call('cd %s; '
+                       'dtc -@ -I dts -O dtb -o version.dtbo version.dts; '
+                       'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
+                            '-o test_ver.dtb version.dtbo'
+                       % (data_dir, u_boot_config.build_dir), shell=True)
+
         # Create capsule files
         # two regions: one for u-boot.bin and the other for u-boot.env
         check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
@@ -87,6 +104,26 @@  def efi_capsule_data(request, u_boot_config):
         check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid  058B7D83-50D5-4C47-A195-60D86AD341C4 uboot_bin_env.itb Test05' %
                    (data_dir, u_boot_config.build_dir),
                    shell=True)
+        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
+                        '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test101' %
+                   (data_dir, u_boot_config.build_dir),
+                   shell=True)
+        check_call('cd %s; %s/tools/mkeficapsule --index 2 --fw-version 10 '
+                        '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test102' %
+                   (data_dir, u_boot_config.build_dir),
+                   shell=True)
+        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
+                        '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test103' %
+                   (data_dir, u_boot_config.build_dir),
+                   shell=True)
+        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 '
+                        '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test104' %
+                   (data_dir, u_boot_config.build_dir),
+                   shell=True)
+        check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 '
+                        '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test105' %
+                   (data_dir, u_boot_config.build_dir),
+                   shell=True)
 
         if capsule_auth_enabled:
             # raw firmware signed with proper key
@@ -123,6 +160,51 @@  def efi_capsule_data(request, u_boot_config):
                             'uboot_bin_env.itb Test14'
                        % (data_dir, u_boot_config.build_dir),
                        shell=True)
+            # raw firmware signed with proper key with version information
+            check_call('cd %s; '
+                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+                            '--fw-version 5 '
+                            '--private-key SIGNER.key --certificate SIGNER.crt '
+                            '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
+                            'u-boot.bin.new Test111'
+                       % (data_dir, u_boot_config.build_dir),
+                       shell=True)
+            # raw firmware signed with proper key with version information
+            check_call('cd %s; '
+                       '%s/tools/mkeficapsule --index 2 --monotonic-count 1 '
+                            '--fw-version 10 '
+                            '--private-key SIGNER.key --certificate SIGNER.crt '
+                            '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 '
+                            'u-boot.env.new Test112'
+                       % (data_dir, u_boot_config.build_dir),
+                       shell=True)
+            # raw firmware signed with proper key with lower version information
+            check_call('cd %s; '
+                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+                            '--fw-version 2 '
+                            '--private-key SIGNER.key --certificate SIGNER.crt '
+                            '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
+                            'u-boot.bin.new Test113'
+                       % (data_dir, u_boot_config.build_dir),
+                       shell=True)
+            # FIT firmware signed with proper key with version information
+            check_call('cd %s; '
+                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+                            '--fw-version 5 '
+                            '--private-key SIGNER.key --certificate SIGNER.crt '
+                            '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
+                            'uboot_bin_env.itb Test114'
+                       % (data_dir, u_boot_config.build_dir),
+                       shell=True)
+            # FIT firmware signed with proper key with lower version information
+            check_call('cd %s; '
+                       '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
+                            '--fw-version 2 '
+                            '--private-key SIGNER.key --certificate SIGNER.crt '
+                            '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
+                            'uboot_bin_env.itb Test115'
+                       % (data_dir, u_boot_config.build_dir),
+                       shell=True)
 
         # Create a disk image with EFI system partition
         check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py
index fccf1f3fc1..a4df326c53 100644
--- a/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py
+++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py
@@ -14,7 +14,8 @@  from capsule_common import (
     place_capsule_file,
     exec_manual_update,
     check_file_removed,
-    verify_content
+    verify_content,
+    do_reboot_dtb_specified
 )
 
 @pytest.mark.boardspec('sandbox_flattree')
@@ -105,3 +106,80 @@  class TestEfiCapsuleFirmwareFit():
 
             expected = 'u-boot-env:Old' if capsule_auth else 'u-boot-env:New'
             verify_content(u_boot_console, '150000', expected)
+
+    def test_efi_capsule_fw3(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """ Test Case 3
+        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
+        0x100000-0x150000: U-Boot binary (but dummy)
+        0x150000-0x200000: U-Boot environment (but dummy)
+        """
+        disk_img = efi_capsule_data
+        capsule_files = ['Test104']
+        with u_boot_console.log.section('Test Case 3-a, before reboot'):
+            setup(u_boot_console, disk_img, '0x0000000000000004')
+            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
+            init_content(u_boot_console, '150000', 'u-boot.env.old', 'Old')
+            place_capsule_file(u_boot_console, capsule_files)
+
+        # reboot
+        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        capsule_auth = u_boot_config.buildconfig.get(
+            'config_efi_capsule_authenticate')
+        with u_boot_console.log.section('Test Case 3-b, after reboot'):
+            if not capsule_early:
+                exec_manual_update(u_boot_console, disk_img, capsule_files)
+
+            # deleted anyway
+            check_file_removed(u_boot_console, disk_img, capsule_files)
+
+            # make sure the dfu_alt_info exists because it is required for making ESRT.
+            output = u_boot_console.run_command_list([
+                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                'efidebug capsule esrt'])
+
+            if capsule_auth:
+                # capsule authentication failed
+                verify_content(u_boot_console, '100000', 'u-boot:Old')
+                verify_content(u_boot_console, '150000', 'u-boot-env:Old')
+            else:
+                # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
+                assert '3673B45D-6A7C-46F3-9E60-ADABB03F7937' in ''.join(output)
+                assert 'ESRT: fw_version=5' in ''.join(output)
+                assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
+
+                verify_content(u_boot_console, '100000', 'u-boot:New')
+                verify_content(u_boot_console, '150000', 'u-boot-env:New')
+
+    def test_efi_capsule_fw4(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """ Test Case 4
+        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
+        but fw_version is lower than lowest_supported_version
+        No update should happen
+        0x100000-0x150000: U-Boot binary (but dummy)
+        """
+        disk_img = efi_capsule_data
+        capsule_files = ['Test105']
+        with u_boot_console.log.section('Test Case 4-a, before reboot'):
+            setup(u_boot_console, disk_img, '0x0000000000000004')
+            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
+            place_capsule_file(u_boot_console, capsule_files)
+
+        # reboot
+        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        capsule_auth = u_boot_config.buildconfig.get(
+            'config_efi_capsule_authenticate')
+        with u_boot_console.log.section('Test Case 4-b, after reboot'):
+            if not capsule_early:
+                exec_manual_update(u_boot_console, disk_img, capsule_files)
+
+            check_file_removed(u_boot_console, disk_img, capsule_files)
+
+            verify_content(u_boot_console, '100000', 'u-boot:Old')
diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py
index e00686a9fc..d63168498c 100644
--- a/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py
+++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py
@@ -15,7 +15,8 @@  from capsule_common import (
     exec_manual_update,
     check_file_removed,
     check_file_exist,
-    verify_content
+    verify_content,
+    do_reboot_dtb_specified
 )
 
 @pytest.mark.boardspec('sandbox')
@@ -146,3 +147,85 @@  class TestEfiCapsuleFirmwareRaw:
 
             expected = 'u-boot-env:Old' if capsule_auth else 'u-boot-env:New'
             verify_content(u_boot_console, '150000', expected)
+
+    def test_efi_capsule_fw4(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """ Test Case 4
+        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
+        0x100000-0x150000: U-Boot binary (but dummy)
+        0x150000-0x200000: U-Boot environment (but dummy)
+        """
+        disk_img = efi_capsule_data
+        capsule_files = ['Test101', 'Test102']
+        with u_boot_console.log.section('Test Case 4-a, before reboot'):
+            setup(u_boot_console, disk_img, '0x0000000000000004')
+            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
+            init_content(u_boot_console, '150000', 'u-boot.env.old', 'Old')
+            place_capsule_file(u_boot_console, capsule_files)
+
+        # reboot
+        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        capsule_auth = u_boot_config.buildconfig.get(
+            'config_efi_capsule_authenticate')
+        with u_boot_console.log.section('Test Case 4-b, after reboot'):
+            if not capsule_early:
+                exec_manual_update(u_boot_console, disk_img, capsule_files)
+
+            # deleted anyway
+            check_file_removed(u_boot_console, disk_img, capsule_files)
+
+            # make sure the dfu_alt_info exists because it is required for making ESRT.
+            output = u_boot_console.run_command_list([
+                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                'efidebug capsule esrt'])
+
+            if capsule_auth:
+                # capsule authentication failed
+                verify_content(u_boot_console, '100000', 'u-boot:Old')
+                verify_content(u_boot_console, '150000', 'u-boot-env:Old')
+            else:
+                # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
+                assert '09D7CF52-0720-4710-91D1-08469B7FE9C8' in ''.join(output)
+                assert 'ESRT: fw_version=5' in ''.join(output)
+                assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
+
+                # ensure that SANDBOX_UBOOT_ENV_IMAGE_GUID is in the ESRT.
+                assert '5A7021F5-FEF2-48B4-AABA-832E777418C0' in ''.join(output)
+                assert 'ESRT: fw_version=10' in ''.join(output)
+                assert 'ESRT: lowest_supported_fw_version=7' in ''.join(output)
+
+                verify_content(u_boot_console, '100000', 'u-boot:New')
+                verify_content(u_boot_console, '150000', 'u-boot-env:New')
+
+    def test_efi_capsule_fw5(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """ Test Case 5
+        Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version
+        but fw_version is lower than lowest_supported_version
+        No update should happen
+        0x100000-0x150000: U-Boot binary (but dummy)
+        """
+        disk_img = efi_capsule_data
+        capsule_files = ['Test103']
+        with u_boot_console.log.section('Test Case 5-a, before reboot'):
+            setup(u_boot_console, disk_img, '0x0000000000000004')
+            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
+            place_capsule_file(u_boot_console, capsule_files)
+
+        # reboot
+        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        capsule_auth = u_boot_config.buildconfig.get(
+            'config_efi_capsule_authenticate')
+        with u_boot_console.log.section('Test Case 5-b, after reboot'):
+            if not capsule_early:
+                exec_manual_update(u_boot_console, disk_img, capsule_files)
+
+            check_file_removed(u_boot_console, disk_img, capsule_files)
+
+            verify_content(u_boot_console, '100000', 'u-boot:Old')
diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py
index cbacdab4d1..509ad9d25c 100644
--- a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py
+++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py
@@ -126,3 +126,68 @@  class TestEfiCapsuleFirmwareSignedFit():
             # TODO: check CapsuleStatus in CapsuleXXXX
 
             verify_content(u_boot_console, '100000', 'u-boot:Old')
+
+    def test_efi_capsule_auth4(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """Test Case 4 - Update U-Boot on SPI Flash, raw image format with version information
+        0x100000-0x150000: U-Boot binary (but dummy)
+
+        If the capsule is properly signed, the authentication
+        should pass and the firmware be updated.
+        """
+        disk_img = efi_capsule_data
+        capsule_files = ['Test114']
+        with u_boot_console.log.section('Test Case 4-a, before reboot'):
+            setup(u_boot_console, disk_img, '0x0000000000000004')
+            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
+            place_capsule_file(u_boot_console, capsule_files)
+
+        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        with u_boot_console.log.section('Test Case 4-b, after reboot'):
+            if not capsule_early:
+                exec_manual_update(u_boot_console, disk_img, capsule_files)
+
+            check_file_removed(u_boot_console, disk_img, capsule_files)
+
+            output = u_boot_console.run_command_list([
+                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                'efidebug capsule esrt'])
+
+            # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
+            assert '3673B45D-6A7C-46F3-9E60-ADABB03F7937' in ''.join(output)
+            assert 'ESRT: fw_version=5' in ''.join(output)
+            assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
+
+            verify_content(u_boot_console, '100000', 'u-boot:New')
+            verify_content(u_boot_console, '150000', 'u-boot-env:New')
+
+    def test_efi_capsule_auth5(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """Test Case 5 - Update U-Boot on SPI Flash, raw image format with version information
+        0x100000-0x150000: U-Boot binary (but dummy)
+
+        If the capsule is signed but fw_version is lower than lowest
+        supported version, the authentication should fail and the firmware
+        not be updated.
+        """
+        disk_img = efi_capsule_data
+        capsule_files = ['Test115']
+        with u_boot_console.log.section('Test Case 5-a, before reboot'):
+            setup(u_boot_console, disk_img, '0x0000000000000004')
+            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
+            place_capsule_file(u_boot_console, capsule_files)
+
+        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        with u_boot_console.log.section('Test Case 5-b, after reboot'):
+            if not capsule_early:
+                exec_manual_update(u_boot_console, disk_img, capsule_files)
+
+            check_file_removed(u_boot_console, disk_img, capsule_files)
+
+            verify_content(u_boot_console, '100000', 'u-boot:Old')
diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py
index 3d6274ff99..525ec76ca1 100644
--- a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py
+++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py
@@ -120,3 +120,73 @@  class TestEfiCapsuleFirmwareSignedRaw():
             # TODO: check CapsuleStatus in CapsuleXXXX
 
             verify_content(u_boot_console, '100000', 'u-boot:Old')
+
+    def test_efi_capsule_auth4(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """Test Case 4 - Update U-Boot on SPI Flash, raw image format with version information
+        0x100000-0x150000: U-Boot binary (but dummy)
+
+        If the capsule is properly signed, the authentication
+        should pass and the firmware be updated.
+        """
+        disk_img = efi_capsule_data
+        capsule_files = ['Test111', 'Test112']
+        with u_boot_console.log.section('Test Case 4-a, before reboot'):
+            setup(u_boot_console, disk_img, '0x0000000000000004')
+            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
+            place_capsule_file(u_boot_console, capsule_files)
+
+        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        with u_boot_console.log.section('Test Case 4-b, after reboot'):
+            if not capsule_early:
+                exec_manual_update(u_boot_console, disk_img, capsule_files)
+
+            check_file_removed(u_boot_console, disk_img, capsule_files)
+
+            output = u_boot_console.run_command_list([
+                'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
+                'efidebug capsule esrt'])
+
+            # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT.
+            assert '09D7CF52-0720-4710-91D1-08469B7FE9C8' in ''.join(output)
+            assert 'ESRT: fw_version=5' in ''.join(output)
+            assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output)
+
+            # ensure that SANDBOX_UBOOT_ENV_IMAGE_GUID is in the ESRT.
+            assert '5A7021F5-FEF2-48B4-AABA-832E777418C0' in ''.join(output)
+            assert 'ESRT: fw_version=10' in ''.join(output)
+            assert 'ESRT: lowest_supported_fw_version=7' in ''.join(output)
+
+            verify_content(u_boot_console, '100000', 'u-boot:New')
+            verify_content(u_boot_console, '150000', 'u-boot-env:New')
+
+    def test_efi_capsule_auth5(
+            self, u_boot_config, u_boot_console, efi_capsule_data):
+        """Test Case 5 - Update U-Boot on SPI Flash, raw image format with version information
+        0x100000-0x150000: U-Boot binary (but dummy)
+
+        If the capsule is signed but fw_version is lower than lowest
+        supported version, the authentication should fail and the firmware
+        not be updated.
+        """
+        disk_img = efi_capsule_data
+        capsule_files = ['Test113']
+        with u_boot_console.log.section('Test Case 5-a, before reboot'):
+            setup(u_boot_console, disk_img, '0x0000000000000004')
+            init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old')
+            place_capsule_file(u_boot_console, capsule_files)
+
+        do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb')
+
+        capsule_early = u_boot_config.buildconfig.get(
+            'config_efi_capsule_on_disk_early')
+        with u_boot_console.log.section('Test Case 5-b, after reboot'):
+            if not capsule_early:
+                exec_manual_update(u_boot_console, disk_img, capsule_files)
+
+            check_file_removed(u_boot_console, disk_img, capsule_files)
+
+            verify_content(u_boot_console, '100000', 'u-boot:Old')
diff --git a/test/py/tests/test_efi_capsule/version.dts b/test/py/tests/test_efi_capsule/version.dts
new file mode 100644
index 0000000000..07850cc606
--- /dev/null
+++ b/test/py/tests/test_efi_capsule/version.dts
@@ -0,0 +1,24 @@ 
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+/plugin/;
+
+&{/} {
+	firmware-version {
+		image1 {
+			lowest-supported-version = <3>;
+			image-index = <1>;
+			image-type-id = "09D7CF52-0720-4710-91D1-08469B7FE9C8";
+		};
+		image2 {
+			lowest-supported-version = <7>;
+			image-index = <2>;
+			image-type-id = "5A7021F5-FEF2-48B4-AABA-832E777418C0";
+		};
+		image3 {
+			lowest-supported-version = <3>;
+			image-index = <1>;
+			image-type-id = "3673B45D-6A7C-46F3-9E60-ADABB03F7937";
+		};
+	};
+};