From patchwork Mon Jul 13 00:20:20 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 241401 List-Id: U-Boot discussion From: takahiro.akashi at linaro.org (AKASHI Takahiro) Date: Mon, 13 Jul 2020 09:20:20 +0900 Subject: [PATCH v3 13/13] test/py: efi_secboot: add a test for verifying with digest of signed image In-Reply-To: <722ac5f9-794b-7924-f1d6-b506c076e155@gmx.de> References: <20200708050203.15230-1-takahiro.akashi@linaro.org> <20200708050203.15230-14-takahiro.akashi@linaro.org> <722ac5f9-794b-7924-f1d6-b506c076e155@gmx.de> Message-ID: <20200713002020.GB31381@laputa> Heinrich, On Sat, Jul 11, 2020 at 08:47:15AM +0200, Heinrich Schuchardt wrote: > On 7/8/20 7:02 AM, AKASHI Takahiro wrote: > > Signature database (db or dbx) may have not only certificates that contain > > a public key for RSA decryption, but also digests of signed images. > > > > In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) > > and if the value matches to a hash value calculated from image's binary, > > authentication should pass in case of db, and fail in case of dbx. > > > > Signed-off-by: AKASHI Takahiro > > --- > > test/py/tests/test_efi_secboot/conftest.py | 10 ++++ > > test/py/tests/test_efi_secboot/test_signed.py | 49 +++++++++++++++++++ > > 2 files changed, 59 insertions(+) > > > > diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py > > index c7da1a6e29a3..553550ee02b1 100644 > > --- a/test/py/tests/test_efi_secboot/conftest.py > > +++ b/test/py/tests/test_efi_secboot/conftest.py > > @@ -120,6 +120,10 @@ def efi_boot_env(request, u_boot_config): > > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' > > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > shell=True) > > + ## dbx_db (with TEST_db certificate) > > + check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db.esl dbx_db.auth' > > + % (mnt_point, EFITOOLS_PATH), > > + shell=True) > > > > # Copy image > > check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) > > @@ -134,6 +138,12 @@ def efi_boot_env(request, u_boot_config): > > check_call('cd %s; %shash-to-efi-sig-list helloworld.efi db_hello.hash; %ssign-efi-sig-list -t "2020-04-07" -c KEK.crt -k KEK.key db db_hello.hash db_hello.auth' > > % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), > > shell=True) > > + check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth' > > + % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), > > + shell=True) > > + check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth' > > + % (mnt_point, EFITOOLS_PATH), > > + shell=True) > > > > check_call('sudo umount %s' % loop_dev, shell=True) > > check_call('sudo losetup -d %s' % loop_dev, shell=True) > > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py > > index 1a31a57e12c2..7531bbac6a5f 100644 > > --- a/test/py/tests/test_efi_secboot/test_signed.py > > +++ b/test/py/tests/test_efi_secboot/test_signed.py > > @@ -198,3 +198,52 @@ class TestEfiSignedImage(object): > > 'efidebug test bootmgr']) > > assert '\'HELLO\' failed' in ''.join(output) > > assert 'efi_start_image() returned: 26' in ''.join(output) > > + > > + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): > > + """ > > + Test Case 6 - using digest of signed image in database > > + """ > > + u_boot_console.restart_uboot() > > + disk_img = efi_boot_env > > + with u_boot_console.log.section('Test Case 6a'): > > + # Test Case 6a, verified by image's digest in db > > + output = u_boot_console.run_command_list([ > > + 'host bind 0 %s' % disk_img, > > + 'fatload host 0:1 4000000 db_hello_signed.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', > > + 'fatload host 0:1 4000000 KEK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', > > + 'fatload host 0:1 4000000 PK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', > > + 'efidebug boot next 1', > > + 'bootefi bootmgr']) > > + assert 'Hello, world!' in ''.join(output) > > + > > + with u_boot_console.log.section('Test Case 6b'): > > + # Test Case 6b, rejected by TEST_db certificate in dbx > > + output = u_boot_console.run_command_list([ > > + 'fatload host 0:1 4000000 dbx_db.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot next 1', > > + 'efidebug test bootmgr']) > > + assert '\'HELLO\' failed' in ''.join(output) > > + assert 'efi_start_image() returned: 26' in ''.join(output) > > + > > + with u_boot_console.log.section('Test Case 6c'): > > + # Test Case 6c, rejected by image's digest in dbx > > + output = u_boot_console.run_command_list([ > > + 'fatload host 0:1 4000000 db.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', > > + 'fatload host 0:1 4000000 dbx_hello_signed.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot next 1', > > + 'efidebug test bootmgr']) > > + assert '\'HELLO\' failed' in ''.join(output) > > + assert 'efi_start_image() returned: 26' in ''.join(output) > > > > This test fails due to not set time stamps for the *.auth files. > > The timestamp in dbx_hello_signed.auth must be newer then dbx_db.auth. > db_hello_signed.auth must be older then db.auth. I have fixed this issue by adding "sleep 2" to make different timestamps, but forgot to put it in the follow-up patch. I have taken the same approach in my intermediate certificates patch. Apologies for any confusion. -Takahiro Akashi diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 94c50f6cf7ca..b74640240318 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -141,7 +141,9 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %shash-to-efi-sig-list helloworld.efi.signed db_hello_signed.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello_signed.hash db_hello_signed.auth' % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), shell=True) - check_call('cd %s; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth' + # 'sleep 2' here because timestamp should be newer than dbx_db.auth + # See Test Case 6c + check_call('cd %s; sleep 2; %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx db_hello_signed.hash dbx_hello_signed.auth' % (mnt_point, EFITOOLS_PATH), shell=True) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 7531bbac6a5f..8b1e132c756c 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -237,8 +237,6 @@ class TestEfiSignedImage(object): with u_boot_console.log.section('Test Case 6c'): # Test Case 6c, rejected by image's digest in dbx output = u_boot_console.run_command_list([ - 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', 'fatload host 0:1 4000000 dbx_hello_signed.auth', 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output)