From patchwork Tue Jun 6 09:40:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Masahisa Kojima X-Patchwork-Id: 689693 Delivered-To: patch@linaro.org Received: by 2002:a5d:4d8a:0:0:0:0:0 with SMTP id b10csp2538232wru; Tue, 6 Jun 2023 02:43:59 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6sZOAy3zKt1c9gc622sKaQlzHjUGI4CZ9wIyasDZNwUFNVKdQYVR7JAAunXdAmCPqjK5GO X-Received: by 2002:a54:4705:0:b0:39a:aff8:a64c with SMTP id k5-20020a544705000000b0039aaff8a64cmr1725278oik.23.1686044639521; Tue, 06 Jun 2023 02:43:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686044639; cv=none; d=google.com; s=arc-20160816; b=Mz5Aev9C8/ZTydo8DERWQgmDF8OlbTW9/NHR6ew1acuMJ0sCRE3Pu1hn1NhR+deY7a RXZQwBV7QqCHd2OrpxSiPSw4vNtkyp3he1b8MZw4lG3pZiPNIMDSp3wxtkDiJR5AWo7p nY9rvGF0oCnqXBekv4PmQdSKXBcPdiLBhQlLD9ZM9KLa1/v9E2AnhSjnIuHJ2JMDrtyg W2S1J8FwZEUIXokWRe4GnDxWSqGl4Tb+E0ZCRctbRXamy3f7tR5Mayyaav/OZhlS6CHY 00p29fuDd7zYlV/e/p3wWAZzg0T+p5tU10knpJgNnIwufDMUbdMD/ETUPC5IZkMZE/9e XbGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=KXQj7HNXG4ndf06ULkDyc/Rz8mKXUPsCkRqVEFdPDyc=; b=JZuJ374g6t3jdKZklyWh7X5NXxOXwbBvihzq9GQ8K8jCex+ctyPrHdSjkiTdg/y/Q3 5gFDSFB0nuBF5Wu72Jr+JBQ4mIeTXUQuA+3+BPubnlFiTdIj9tEOOeoHFPFoyXErb6q/ DmBQHmFmsJGl5Vmd4qfs3yOQoZ7cEfkYvnBP7TpPwBZDx3Wy0QbYgo+U0jSWMTX3mXuq mMEjKcmmKIuD8vUJuG/ymz4Li4IotUm/aFKvWpw/VxUu4zApNjRkh74/184WCt5FJuzz am/gtOO/ko8aAoyuaTHxQzys9VktNqjb0pReZ+oOgLBoG2l6PKYsvIGknWhk5mqiC5Kh 8w9Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=hLDpbEWz; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id b3-20020a170903228300b001b061dcdb78si7338476plh.92.2023.06.06.02.43.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Jun 2023 02:43:59 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=hLDpbEWz; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 02DF085FF0; Tue, 6 Jun 2023 11:42:23 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="hLDpbEWz"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 8ADD085F0D; Tue, 6 Jun 2023 11:42:20 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id A8D5685EEB for ; Tue, 6 Jun 2023 11:42:05 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=masahisa.kojima@linaro.org Received: by mail-il1-x12d.google.com with SMTP id e9e14a558f8ab-33b204f0ca0so29860135ab.2 for ; Tue, 06 Jun 2023 02:42:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1686044523; x=1688636523; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=KXQj7HNXG4ndf06ULkDyc/Rz8mKXUPsCkRqVEFdPDyc=; b=hLDpbEWzYQ7SUCJeAryjN6E2nNbLya6mzimVLBa5D3CTKNGC5JwGlWKgPZPEJrUWUW sdAGnyWECJH+TY28vjSyfeVgAB7LicG5HDfxQ0JDyLwiR+pqGdMWMhYtW9Ej8rsCA8XM hPnKLWKy6hEDS7ZSJ9W38KVgMxCScBt6yE0cuKEFblzP8iE50tbmXmP0C/y0afB1qkl4 aUF5S+QVXbI+bhwGNgZcFpyso3/9gZCAqMSUCmWt6Ne/FXyC/m0gLw3JfDe9AHLpxzwK 1Yhi8yUfQMFG6Y4rE8JEL9+Uc02SYNdh7LxZzXAb0TUOqqRnj0RuPksoi365mZvggtEL NZfg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686044523; x=1688636523; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=KXQj7HNXG4ndf06ULkDyc/Rz8mKXUPsCkRqVEFdPDyc=; b=eG5s1EulpmBnEv/w+fxI4AerueHqtmDSWntDORTitsZjB0PmXpAj3+wSav76XPNpg1 e6iSgAXOzhM//khMIqEnu1cU7rSyuqIUDKArS/078y8vRPxoKr1hxTGf5reywDKr7gqs 3AKheoz0Sw6rrY8qUZ0FkmacnUVcul6hWXQ+SyyIu1qeAwb129M1QmAg7avSq2pHd5/1 EvfAwStOeceUJx1NV0fYYbygPMjy+Q1oYeNIGQcupvdAuKqLmNsVciuQdGtAZ+ezbqiZ F2KItI8xFKIvEEeQYxbyooNAz7wjV6Zwf0zYq/ExzFlr2kJR7jgtn1I1JyHp0LePeH3L ynyw== X-Gm-Message-State: AC+VfDwzTZ8F303gpHiYcKoLoEJvL0UUJYD7kWHOIySHUMUMWip7s3uR KuNIuOVIVbFkDyY2Gxs0d8VgttAu7xsv4KdZBDA= X-Received: by 2002:a92:dad0:0:b0:33d:1587:e7ef with SMTP id o16-20020a92dad0000000b0033d1587e7efmr2928734ilq.24.1686044522729; Tue, 06 Jun 2023 02:42:02 -0700 (PDT) Received: from ubuntu-SVE15129CJS.. ([240d:1a:cf7:5800:d3c2:bf07:d08b:b72d]) by smtp.gmail.com with ESMTPSA id u25-20020aa78399000000b00627ed4e23e0sm6542809pfm.101.2023.06.06.02.42.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Jun 2023 02:42:02 -0700 (PDT) From: Masahisa Kojima To: u-boot@lists.denx.de Cc: Heinrich Schuchardt , Ilias Apalodimas , Simon Glass , Takahiro Akashi , malte.schmidt-oss@weidmueller.com, Masahisa Kojima Subject: [PATCH v8 10/10] test/py: efi_capsule: test for FMP versioning Date: Tue, 6 Jun 2023 18:40:34 +0900 Message-Id: <20230606094035.28990-11-masahisa.kojima@linaro.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230606094035.28990-1-masahisa.kojima@linaro.org> References: <20230606094035.28990-1-masahisa.kojima@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean This test covers the FMP versioning for both raw and FIT image, and both signed and non-signed capsule update. Signed-off-by: Masahisa Kojima --- Changes in v8: - remove excess semicolons Changes in v7: - use newly introduced common functions of efi_capsule test test/py/tests/test_efi_capsule/conftest.py | 82 ++++++++++++++++++ .../test_capsule_firmware_fit.py | 80 ++++++++++++++++- .../test_capsule_firmware_raw.py | 85 ++++++++++++++++++- .../test_capsule_firmware_signed_fit.py | 65 ++++++++++++++ .../test_capsule_firmware_signed_raw.py | 70 +++++++++++++++ test/py/tests/test_efi_capsule/version.dts | 24 ++++++ 6 files changed, 404 insertions(+), 2 deletions(-) create mode 100644 test/py/tests/test_efi_capsule/version.dts diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index a337e62936..d0e20df01e 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -62,6 +62,23 @@ def efi_capsule_data(request, u_boot_config): '-out SIGNER2.crt -nodes -days 365' % data_dir, shell=True) + # Update dtb to add the version information + check_call('cd %s; ' + 'cp %s/test/py/tests/test_efi_capsule/version.dts .' + % (data_dir, u_boot_config.source_dir), shell=True) + if capsule_auth_enabled: + check_call('cd %s; ' + 'dtc -@ -I dts -O dtb -o version.dtbo version.dts; ' + 'fdtoverlay -i test_sig.dtb ' + '-o test_ver.dtb version.dtbo' + % (data_dir), shell=True) + else: + check_call('cd %s; ' + 'dtc -@ -I dts -O dtb -o version.dtbo version.dts; ' + 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb ' + '-o test_ver.dtb version.dtbo' + % (data_dir, u_boot_config.build_dir), shell=True) + # Create capsule files # two regions: one for u-boot.bin and the other for u-boot.env check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir, @@ -87,6 +104,26 @@ def efi_capsule_data(request, u_boot_config): check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 uboot_bin_env.itb Test05' % (data_dir, u_boot_config.build_dir), shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 ' + '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test101' % + (data_dir, u_boot_config.build_dir), + shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 2 --fw-version 10 ' + '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test102' % + (data_dir, u_boot_config.build_dir), + shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 ' + '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test103' % + (data_dir, u_boot_config.build_dir), + shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 5 ' + '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test104' % + (data_dir, u_boot_config.build_dir), + shell=True) + check_call('cd %s; %s/tools/mkeficapsule --index 1 --fw-version 2 ' + '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test105' % + (data_dir, u_boot_config.build_dir), + shell=True) if capsule_auth_enabled: # raw firmware signed with proper key @@ -123,6 +160,51 @@ def efi_capsule_data(request, u_boot_config): 'uboot_bin_env.itb Test14' % (data_dir, u_boot_config.build_dir), shell=True) + # raw firmware signed with proper key with version information + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--fw-version 5 ' + '--private-key SIGNER.key --certificate SIGNER.crt ' + '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 ' + 'u-boot.bin.new Test111' + % (data_dir, u_boot_config.build_dir), + shell=True) + # raw firmware signed with proper key with version information + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 2 --monotonic-count 1 ' + '--fw-version 10 ' + '--private-key SIGNER.key --certificate SIGNER.crt ' + '--guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 ' + 'u-boot.env.new Test112' + % (data_dir, u_boot_config.build_dir), + shell=True) + # raw firmware signed with proper key with lower version information + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--fw-version 2 ' + '--private-key SIGNER.key --certificate SIGNER.crt ' + '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 ' + 'u-boot.bin.new Test113' + % (data_dir, u_boot_config.build_dir), + shell=True) + # FIT firmware signed with proper key with version information + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--fw-version 5 ' + '--private-key SIGNER.key --certificate SIGNER.crt ' + '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 ' + 'uboot_bin_env.itb Test114' + % (data_dir, u_boot_config.build_dir), + shell=True) + # FIT firmware signed with proper key with lower version information + check_call('cd %s; ' + '%s/tools/mkeficapsule --index 1 --monotonic-count 1 ' + '--fw-version 2 ' + '--private-key SIGNER.key --certificate SIGNER.crt ' + '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 ' + 'uboot_bin_env.itb Test115' + % (data_dir, u_boot_config.build_dir), + shell=True) # Create a disk image with EFI system partition check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' % diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py index fccf1f3fc1..a4df326c53 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_fit.py @@ -14,7 +14,8 @@ from capsule_common import ( place_capsule_file, exec_manual_update, check_file_removed, - verify_content + verify_content, + do_reboot_dtb_specified ) @pytest.mark.boardspec('sandbox_flattree') @@ -105,3 +106,80 @@ class TestEfiCapsuleFirmwareFit(): expected = 'u-boot-env:Old' if capsule_auth else 'u-boot-env:New' verify_content(u_boot_console, '150000', expected) + + def test_efi_capsule_fw3( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ Test Case 3 + Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version + 0x100000-0x150000: U-Boot binary (but dummy) + 0x150000-0x200000: U-Boot environment (but dummy) + """ + disk_img = efi_capsule_data + capsule_files = ['Test104'] + with u_boot_console.log.section('Test Case 3-a, before reboot'): + setup(u_boot_console, disk_img, '0x0000000000000004') + init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old') + init_content(u_boot_console, '150000', 'u-boot.env.old', 'Old') + place_capsule_file(u_boot_console, capsule_files) + + # reboot + do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb') + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') + with u_boot_console.log.section('Test Case 3-b, after reboot'): + if not capsule_early: + exec_manual_update(u_boot_console, disk_img, capsule_files) + + # deleted anyway + check_file_removed(u_boot_console, disk_img, capsule_files) + + # make sure the dfu_alt_info exists because it is required for making ESRT. + output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'efidebug capsule esrt']) + + if capsule_auth: + # capsule authentication failed + verify_content(u_boot_console, '100000', 'u-boot:Old') + verify_content(u_boot_console, '150000', 'u-boot-env:Old') + else: + # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT. + assert '3673B45D-6A7C-46F3-9E60-ADABB03F7937' in ''.join(output) + assert 'ESRT: fw_version=5' in ''.join(output) + assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output) + + verify_content(u_boot_console, '100000', 'u-boot:New') + verify_content(u_boot_console, '150000', 'u-boot-env:New') + + def test_efi_capsule_fw4( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ Test Case 4 + Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version + but fw_version is lower than lowest_supported_version + No update should happen + 0x100000-0x150000: U-Boot binary (but dummy) + """ + disk_img = efi_capsule_data + capsule_files = ['Test105'] + with u_boot_console.log.section('Test Case 4-a, before reboot'): + setup(u_boot_console, disk_img, '0x0000000000000004') + init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old') + place_capsule_file(u_boot_console, capsule_files) + + # reboot + do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb') + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') + with u_boot_console.log.section('Test Case 4-b, after reboot'): + if not capsule_early: + exec_manual_update(u_boot_console, disk_img, capsule_files) + + check_file_removed(u_boot_console, disk_img, capsule_files) + + verify_content(u_boot_console, '100000', 'u-boot:Old') diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py index e00686a9fc..d63168498c 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_raw.py @@ -15,7 +15,8 @@ from capsule_common import ( exec_manual_update, check_file_removed, check_file_exist, - verify_content + verify_content, + do_reboot_dtb_specified ) @pytest.mark.boardspec('sandbox') @@ -146,3 +147,85 @@ class TestEfiCapsuleFirmwareRaw: expected = 'u-boot-env:Old' if capsule_auth else 'u-boot-env:New' verify_content(u_boot_console, '150000', expected) + + def test_efi_capsule_fw4( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ Test Case 4 + Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version + 0x100000-0x150000: U-Boot binary (but dummy) + 0x150000-0x200000: U-Boot environment (but dummy) + """ + disk_img = efi_capsule_data + capsule_files = ['Test101', 'Test102'] + with u_boot_console.log.section('Test Case 4-a, before reboot'): + setup(u_boot_console, disk_img, '0x0000000000000004') + init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old') + init_content(u_boot_console, '150000', 'u-boot.env.old', 'Old') + place_capsule_file(u_boot_console, capsule_files) + + # reboot + do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb') + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') + with u_boot_console.log.section('Test Case 4-b, after reboot'): + if not capsule_early: + exec_manual_update(u_boot_console, disk_img, capsule_files) + + # deleted anyway + check_file_removed(u_boot_console, disk_img, capsule_files) + + # make sure the dfu_alt_info exists because it is required for making ESRT. + output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'efidebug capsule esrt']) + + if capsule_auth: + # capsule authentication failed + verify_content(u_boot_console, '100000', 'u-boot:Old') + verify_content(u_boot_console, '150000', 'u-boot-env:Old') + else: + # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT. + assert '09D7CF52-0720-4710-91D1-08469B7FE9C8' in ''.join(output) + assert 'ESRT: fw_version=5' in ''.join(output) + assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output) + + # ensure that SANDBOX_UBOOT_ENV_IMAGE_GUID is in the ESRT. + assert '5A7021F5-FEF2-48B4-AABA-832E777418C0' in ''.join(output) + assert 'ESRT: fw_version=10' in ''.join(output) + assert 'ESRT: lowest_supported_fw_version=7' in ''.join(output) + + verify_content(u_boot_console, '100000', 'u-boot:New') + verify_content(u_boot_console, '150000', 'u-boot-env:New') + + def test_efi_capsule_fw5( + self, u_boot_config, u_boot_console, efi_capsule_data): + """ Test Case 5 + Update U-Boot on SPI Flash, raw image format with fw_version and lowest_supported_version + but fw_version is lower than lowest_supported_version + No update should happen + 0x100000-0x150000: U-Boot binary (but dummy) + """ + disk_img = efi_capsule_data + capsule_files = ['Test103'] + with u_boot_console.log.section('Test Case 5-a, before reboot'): + setup(u_boot_console, disk_img, '0x0000000000000004') + init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old') + place_capsule_file(u_boot_console, capsule_files) + + # reboot + do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb') + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + capsule_auth = u_boot_config.buildconfig.get( + 'config_efi_capsule_authenticate') + with u_boot_console.log.section('Test Case 5-b, after reboot'): + if not capsule_early: + exec_manual_update(u_boot_console, disk_img, capsule_files) + + check_file_removed(u_boot_console, disk_img, capsule_files) + + verify_content(u_boot_console, '100000', 'u-boot:Old') diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py index cbacdab4d1..509ad9d25c 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_fit.py @@ -126,3 +126,68 @@ class TestEfiCapsuleFirmwareSignedFit(): # TODO: check CapsuleStatus in CapsuleXXXX verify_content(u_boot_console, '100000', 'u-boot:Old') + + def test_efi_capsule_auth4( + self, u_boot_config, u_boot_console, efi_capsule_data): + """Test Case 4 - Update U-Boot on SPI Flash, raw image format with version information + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is properly signed, the authentication + should pass and the firmware be updated. + """ + disk_img = efi_capsule_data + capsule_files = ['Test114'] + with u_boot_console.log.section('Test Case 4-a, before reboot'): + setup(u_boot_console, disk_img, '0x0000000000000004') + init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old') + place_capsule_file(u_boot_console, capsule_files) + + do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb') + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 4-b, after reboot'): + if not capsule_early: + exec_manual_update(u_boot_console, disk_img, capsule_files) + + check_file_removed(u_boot_console, disk_img, capsule_files) + + output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'efidebug capsule esrt']) + + # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT. + assert '3673B45D-6A7C-46F3-9E60-ADABB03F7937' in ''.join(output) + assert 'ESRT: fw_version=5' in ''.join(output) + assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output) + + verify_content(u_boot_console, '100000', 'u-boot:New') + verify_content(u_boot_console, '150000', 'u-boot-env:New') + + def test_efi_capsule_auth5( + self, u_boot_config, u_boot_console, efi_capsule_data): + """Test Case 5 - Update U-Boot on SPI Flash, raw image format with version information + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is signed but fw_version is lower than lowest + supported version, the authentication should fail and the firmware + not be updated. + """ + disk_img = efi_capsule_data + capsule_files = ['Test115'] + with u_boot_console.log.section('Test Case 5-a, before reboot'): + setup(u_boot_console, disk_img, '0x0000000000000004') + init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old') + place_capsule_file(u_boot_console, capsule_files) + + do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb') + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 5-b, after reboot'): + if not capsule_early: + exec_manual_update(u_boot_console, disk_img, capsule_files) + + check_file_removed(u_boot_console, disk_img, capsule_files) + + verify_content(u_boot_console, '100000', 'u-boot:Old') diff --git a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py index 3d6274ff99..525ec76ca1 100644 --- a/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py +++ b/test/py/tests/test_efi_capsule/test_capsule_firmware_signed_raw.py @@ -120,3 +120,73 @@ class TestEfiCapsuleFirmwareSignedRaw(): # TODO: check CapsuleStatus in CapsuleXXXX verify_content(u_boot_console, '100000', 'u-boot:Old') + + def test_efi_capsule_auth4( + self, u_boot_config, u_boot_console, efi_capsule_data): + """Test Case 4 - Update U-Boot on SPI Flash, raw image format with version information + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is properly signed, the authentication + should pass and the firmware be updated. + """ + disk_img = efi_capsule_data + capsule_files = ['Test111', 'Test112'] + with u_boot_console.log.section('Test Case 4-a, before reboot'): + setup(u_boot_console, disk_img, '0x0000000000000004') + init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old') + place_capsule_file(u_boot_console, capsule_files) + + do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb') + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 4-b, after reboot'): + if not capsule_early: + exec_manual_update(u_boot_console, disk_img, capsule_files) + + check_file_removed(u_boot_console, disk_img, capsule_files) + + output = u_boot_console.run_command_list([ + 'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"', + 'efidebug capsule esrt']) + + # ensure that SANDBOX_UBOOT_IMAGE_GUID is in the ESRT. + assert '09D7CF52-0720-4710-91D1-08469B7FE9C8' in ''.join(output) + assert 'ESRT: fw_version=5' in ''.join(output) + assert 'ESRT: lowest_supported_fw_version=3' in ''.join(output) + + # ensure that SANDBOX_UBOOT_ENV_IMAGE_GUID is in the ESRT. + assert '5A7021F5-FEF2-48B4-AABA-832E777418C0' in ''.join(output) + assert 'ESRT: fw_version=10' in ''.join(output) + assert 'ESRT: lowest_supported_fw_version=7' in ''.join(output) + + verify_content(u_boot_console, '100000', 'u-boot:New') + verify_content(u_boot_console, '150000', 'u-boot-env:New') + + def test_efi_capsule_auth5( + self, u_boot_config, u_boot_console, efi_capsule_data): + """Test Case 5 - Update U-Boot on SPI Flash, raw image format with version information + 0x100000-0x150000: U-Boot binary (but dummy) + + If the capsule is signed but fw_version is lower than lowest + supported version, the authentication should fail and the firmware + not be updated. + """ + disk_img = efi_capsule_data + capsule_files = ['Test113'] + with u_boot_console.log.section('Test Case 5-a, before reboot'): + setup(u_boot_console, disk_img, '0x0000000000000004') + init_content(u_boot_console, '100000', 'u-boot.bin.old', 'Old') + place_capsule_file(u_boot_console, capsule_files) + + do_reboot_dtb_specified(u_boot_config, u_boot_console, 'test_ver.dtb') + + capsule_early = u_boot_config.buildconfig.get( + 'config_efi_capsule_on_disk_early') + with u_boot_console.log.section('Test Case 5-b, after reboot'): + if not capsule_early: + exec_manual_update(u_boot_console, disk_img, capsule_files) + + check_file_removed(u_boot_console, disk_img, capsule_files) + + verify_content(u_boot_console, '100000', 'u-boot:Old') diff --git a/test/py/tests/test_efi_capsule/version.dts b/test/py/tests/test_efi_capsule/version.dts new file mode 100644 index 0000000000..07850cc606 --- /dev/null +++ b/test/py/tests/test_efi_capsule/version.dts @@ -0,0 +1,24 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; +/plugin/; + +&{/} { + firmware-version { + image1 { + lowest-supported-version = <3>; + image-index = <1>; + image-type-id = "09D7CF52-0720-4710-91D1-08469B7FE9C8"; + }; + image2 { + lowest-supported-version = <7>; + image-index = <2>; + image-type-id = "5A7021F5-FEF2-48B4-AABA-832E777418C0"; + }; + image3 { + lowest-supported-version = <3>; + image-index = <1>; + image-type-id = "3673B45D-6A7C-46F3-9E60-ADABB03F7937"; + }; + }; +};