From patchwork Wed Apr 29 13:26:16 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Philippe REYNES
X-Patchwork-Id: 238886
List-Id: U-Boot discussion
From: philippe.reynes at softathome.com (Philippe Reynes)
Date: Wed, 29 Apr 2020 15:26:16 +0200
Subject: [PATCH v3 1/2] test/py: vboot: add a test to check fit signature on fit with padding
In-Reply-To: <1588166777-9610-1-git-send-email-philippe.reynes@softathome.com>
References: <1588166777-9610-1-git-send-email-philippe.reynes@softathome.com>
Message-ID: <1588166777-9610-2-git-send-email-philippe.reynes@softathome.com>

The pytest vboot does all his tests on fit without padding. We add the same tests on fit with padding.

Reviewed-by: Simon Glass
Signed-off-by: Philippe Reynes
---
 test/py/tests/test_vboot.py | 52 ++++++++++++++++++++++++++++-----------------
 1 file changed, 33 insertions(+), 19 deletions(-)

Changelog:
v3:
- rebase on master
v2:
- no change

diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index e67f2b3..6b998cf 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -30,11 +30,16 @@ import u_boot_utils as util
 import vboot_forge
 
 TESTDATA = [
-    ['sha1', '', False],
-    ['sha1', '-pss', False],
-    ['sha256', '', False],
-    ['sha256', '-pss', False],
-    ['sha256', '-pss', True],
+    ['sha1', '', None, False],
+    ['sha1', '', '-E -p 0x10000', False],
+    ['sha1', '-pss', None, False],
+    ['sha1', '-pss', '-E -p 0x10000', False],
+    ['sha256', '', None, False],
+    ['sha256', '', '-E -p 0x10000', False],
+    ['sha256', '-pss', None, False],
+    ['sha256', '-pss', '-E -p 0x10000', False],
+    ['sha256', '-pss', None, True],
+    ['sha256', '-pss', '-E -p 0x10000', True],
 ]
 
 @pytest.mark.boardspec('sandbox')
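Review bot: Every padded row added to TESTDATA signs with `-E -p 0x10000`, so only the absolute `data-position` layout is exercised; `mkimage -E` without `-p`, the layout that patch 2/2's own description calls "data-offset"/"data-size", gets no row and its config-signature path stays uncovered. Adding `['sha256', '-pss', '-E', False],` and the required-key variant `['sha256', '-pss', '-E', True],` would catch an exclusion list that names only one of the two placement properties. That plain `-E` emits `data-offset` is inferred from the 2/2 description rather than from these hunks, so confirm it against mkimage before relying on the rows.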
@@ -43,8 +48,8 @@ TESTDATA = [
 @pytest.mark.requiredtool('fdtget')
 @pytest.mark.requiredtool('fdtput')
 @pytest.mark.requiredtool('openssl')
- at pytest.mark.parametrize("sha_algo,padding,required", TESTDATA)
-def test_vboot(u_boot_console, sha_algo, padding, required):
+ at pytest.mark.parametrize("sha_algo,padding,sign_options,required", TESTDATA)
+def test_vboot(u_boot_console, sha_algo, padding, sign_options, required):
     """Test verified boot signing with mkimage and verification with 'bootm'.
 
     This works using sandbox only as it needs to update the device tree used
@@ -104,7 +109,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
         util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
                                 '%s%s' % (datadir, its), fit])
 
-    def sign_fit(sha_algo):
+    def sign_fit(sha_algo, options):
         """Sign the FIT
 
         Signs the FIT and writes the signature into it. It also writes the
@@ -113,10 +118,13 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
         Args:
             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
                     use.
+            options: Options to provide to mkimage.
         """
+        args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit]
+        if options:
+            args += options.split(' ')
         cons.log.action('%s: Sign images' % sha_algo)
-        util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
-                         '-r', fit])
+        util.run_and_log(cons, args)
 
     def replace_fit_totalsize(size):
         """Replace FIT header's totalsize with something greater.
@@ -154,7 +162,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
         util.run_and_log(cons, 'openssl req -batch -new -x509 -key %s%s.key '
                          '-out %s%s.crt' % (tmpdir, name, tmpdir, name))
 
-    def test_with_algo(sha_algo, padding):
+    def test_with_algo(sha_algo, padding, sign_options):
         """Test verified boot with the given hash algorithm.
 
         This is the main part of the test code. The same procedure is followed
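Review bot: In sign_fit, `args += options.split(' ')` turns any doubled space in the option string into an empty argv element that is passed straight through to mkimage, and it cannot carry a quoted value; `args += shlex.split(options)` (with `import shlex` alongside the module's other imports) tokenises the string the way a shell would. The TESTDATA strings in this series are single-spaced, so this is a point of style rather than a failure today. sign_fit is nested inside test_vboot, whose body continues well beyond these hunks.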
@@ -163,6 +171,9 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
         Args:
             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
                     use.
+            padding: Either '' or '-pss', to select the padding to use for the
+                    rsa signature algorithm.
+            sign_options: Options to mkimage when signing a fit image.
         """
         # Compile our device tree files for kernel and U-Boot. These are
         # regenerated here since mkimage will modify them (by adding a
@@ -176,7 +187,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
         run_bootm(sha_algo, 'unsigned images', 'dev-', True)
 
         # Sign images with our dev keys
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
         run_bootm(sha_algo, 'signed images', 'dev+', True)
 
         # Create a fresh .dtb without the public keys
@@ -187,7 +198,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
         run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
 
         # Sign images with our dev keys
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
         run_bootm(sha_algo, 'signed config', 'dev+', True)
 
         cons.log.action('%s: Check signed config on the host' % sha_algo)
@@ -209,7 +220,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
 
         # Create a new properly signed fit and replace header bytes
         make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
         bcfg = u_boot_console.config.buildconfig
         max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
         existing_size = replace_fit_totalsize(max_size + 1)
@@ -240,7 +251,7 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
             cons, [fit_check_sign, '-f', fit, '-k', dtb], 1,
             'Failed to verify required signature')
 
-    def test_required_key(sha_algo, padding):
+    def test_required_key(sha_algo, padding, sign_options):
         """Test verified boot with the given hash algorithm.
 
         This function tests if U-Boot rejects an image when a required key isn't
@@ -248,6 +259,9 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
 
         Args:
             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use
+            padding: Either '' or '-pss', to select the padding to use for the
+                    rsa signature algorithm.
+            sign_options: Options to mkimage when signing a fit image.
         """
         # Compile our device tree files for kernel and U-Boot. These are
         # regenerated here since mkimage will modify them (by adding a
@@ -260,12 +274,12 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
         # Build the FIT with prod key (keys required) and sign it. This puts the
         # signature into sandbox-u-boot.dtb, marked 'required'
         make_fit('sign-configs-%s%s-prod.its' % (sha_algo, padding))
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
 
         # Build the FIT with dev key (keys NOT required). This adds the
         # signature into sandbox-u-boot.dtb, NOT marked 'required'.
         make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
-        sign_fit(sha_algo)
+        sign_fit(sha_algo, sign_options)
 
         # So now sandbox-u-boot.dtb two signatures, for the prod and dev keys.
         # Only the prod key is set as 'required'. But FIT we just built has
@@ -297,9 +311,9 @@ def test_vboot(u_boot_console, sha_algo, padding, required):
         old_dtb = cons.config.dtb
         cons.config.dtb = dtb
         if required:
-            test_required_key(sha_algo, padding)
+            test_required_key(sha_algo, padding, sign_options)
         else:
-            test_with_algo(sha_algo, padding)
+            test_with_algo(sha_algo, padding, sign_options)
     finally:
         # Go back to the original U-Boot with the correct dtb.
         cons.config.dtb = old_dtb

From patchwork Wed Apr 29 13:26:17 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Philippe REYNES
X-Patchwork-Id: 238885
List-Id: U-Boot discussion
From: philippe.reynes at softathome.com (Philippe Reynes)
Date: Wed, 29 Apr 2020 15:26:17 +0200
Subject: [PATCH v3 2/2] rsa: sig: fix config signature check for fit with padding
In-Reply-To: <1588166777-9610-1-git-send-email-philippe.reynes@softathome.com>
References: <1588166777-9610-1-git-send-email-philippe.reynes@softathome.com>
Message-ID: <1588166777-9610-3-git-send-email-philippe.reynes@softathome.com>

The signature check on config node is broken on fit with padding. To compute the signature for config node, U-Boot compute the signature on all properties of requested node for this config, except for the property "data". But, when padding is used for binary in a fit, there isn't a property "data" but two properties: "data-offset" and "data-size". So to fix the check of signature, we also don't use the properties "data-offset" and "data-size" when checking the signature on config node.

Reviewed-by: Simon Glass
Signed-off-by: Philippe Reynes
---
 common/image-fit-sig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Changelog:
v3:
- rebase on master
v2:
- fix spelling in commit message (thanks Simon)

diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c
index 3e73578..a3a0c61 100644
--- a/common/image-fit-sig.c
+++ b/common/image-fit-sig.c
@@ -249,7 +249,7 @@ static int fit_config_check_sig(const void *fit, int noffset,
 				int required_keynode, int conf_noffset,
 				char **err_msgp)
 {
-	char * const exc_prop[] = {"data"};
+	char * const exc_prop[] = {"data", "data-size", "data-position"};
 	const char *prop, *end, *name;
 	struct image_sign_info info;
 	const uint32_t *strings;
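Review bot: The new exc_prop list omits `data-offset`, even though this commit's own description says a padded FIT carries "data-offset" and "data-size"; a FIT whose payload is placed by offset rather than by absolute position would still have that property folded into the config signature and fail verification exactly as before, while the 1/2 test only signs with `-E -p 0x10000` and so never exercises that layout. `char * const exc_prop[] = {"data", "data-size", "data-position", "data-offset"};` covers both placements. Leaving placement and size out of the signed region is only safe if the payload stays bound by something that is signed, presumably the image node's hash subnodes, which this hunk cannot show; a one-line comment above the array stating that dependency would keep the next reader from treating the list as arbitrary. The rest of fit_config_check_sig lies outside the hunk.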