From patchwork Fri Feb 11 07:37:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 541779 Delivered-To: patch@linaro.org Received: by 2002:ad5:420f:0:0:0:0:0 with SMTP id e15csp2867986imo; Thu, 10 Feb 2022 23:38:11 -0800 (PST) X-Google-Smtp-Source: ABdhPJwQhKXEbV6U3l7IidGOFeh7NIwUpu9Z78gLjhI7mt6l0cCCrymdcQupZzmXln3pdxHgKmBj X-Received: by 2002:a17:907:94d4:: with SMTP id dn20mr336239ejc.208.1644565091671; Thu, 10 Feb 2022 23:38:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644565091; cv=none; d=google.com; s=arc-20160816; b=jMVGXAhJb2qZLY6zxLHORpOpnT2y80351oNaCVVQ8yOy6GQVdWSOlZhdY0WwzUsBuF 9V9FQAMry2p305/rdStyEJJCwQfj++Ioot5lmnal/Gm3wcbPOjcE0ifjmjBKxttCJVVv MWDq9dVNuqs6rd4gIOtrVI0wY3HaSz+Knzx9xVHCxGnXpPKq2R3q7/M+2l3cdImymNYN Uy8n6CUVZZaxIKoic9n49DvTs/Dv7ejQMzBleIOy2EiV5i+UNz4RXtuoZOn9kWMkz3ng 4S3hC8qJTW2UxOC3/a3VDYvUACy2qouofS6rqKF1fKTXU/7rmVBU0KtJy/nCMRRaso4i gUYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ghfAK7+1hV9XvWUucdxPfePgt0yKH+qVExBmT2YyvcI=; b=DSZDxQQwiA0mvqvvkfkx/OpnhD9lZAY6g1Z1LbIC8fnafmc9DwQnDINp2jVptzyxSd uP71SSgRJAEt+UMKQXaG80X/EvbznHPGoY76j2edc7qg4rZZPVpNfKko/yhpi5dWAMTQ PXfLjRdOlYZc28Xs75AQM33CGVc9TjBElPuEpHYEfOWyZQTVGQRq9FtZ5gQfh0Xtbq5N StFHcMlES1sFg+jqugV1ri4JGHMFoWdd2ZWOT1ZygU0S8ro5Br7HwmzfFwLsoOvE0B6w pa2CrrJs+K2ZEhy+C4/k9SYiZiN6uyod730Vegb66TZY7DM25ousd+YbboMKuMpOvYj3 8a9Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=QpcQTWg+; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id sg16si5293199ejc.489.2022.02.10.23.38.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Feb 2022 23:38:11 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=QpcQTWg+; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 6AAAD837F2; Fri, 11 Feb 2022 08:38:02 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="QpcQTWg+"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 79881837F2; Fri, 11 Feb 2022 08:37:58 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 099C5837F2 for ; Fri, 11 Feb 2022 08:37:55 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org Received: by mail-ed1-x530.google.com with SMTP id da4so15058300edb.4 for ; Thu, 10 Feb 2022 23:37:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=ghfAK7+1hV9XvWUucdxPfePgt0yKH+qVExBmT2YyvcI=; b=QpcQTWg+LeABA2EoaQzkKl8mlwZ3ypHJXCGyRknzmv3CDWyM7Hoo82tuBuuUbNDHkp PMLOehAmyT93u/UeEDQd/k9TQ9DbzxN25XzAT4k9ri329+eO8JlD/bx68Ns/Bp1nnJdz qeak3pkXfesc8Bu3HrSqHbH6/FOEx0dFBJrMTKY1WTvJTRqT3xKSw+hCmoFslPBaTLdi e3yMXjnei7Kg1NC6otHW19yltXZe3UGpawS5hGyGMPxCjZu4of11lXFYKAfGb3wuEg42 q2lX4wIHTCvMgh4zY+FyrgLoCBVCeHXo7FNg1RdxRqSXn5Lz8q4IOdYt4BUllpGLuJyh EQRQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=ghfAK7+1hV9XvWUucdxPfePgt0yKH+qVExBmT2YyvcI=; b=M9zoyahZzpsF7CvO2eiI6TAACjpZPYzCCNDR7pB+5Fgxff1msTNLeUxRlLuBidyBEt B85aJrO/+8CObwLqpieTUWSyngTxYrOJDjX1mjX+KwusTRSFzX4PlGu+ETv+pVPHNtX5 06jSHgfGfCn4NnHpM8MG1oVerc/XDiMyVZgTW2cMZ+vLvbZYqKpLEwvMpGR1X6EPj3VM RX5DlH8ZYj9xOJIKBo2Rgy/6z5OqLPb4BFNTEFR0En97kF8n8dHHEIFzta8SiNLMvWKv se9q6pmjI0fBJtsDUGm65qd2+yQF9rWLTzGUaPZhhxbFx5bW48QCDBJlAhkp8A1tnKu5 qlNA== X-Gm-Message-State: AOAM532Js+tyRkcG3cpF3lLRWoQNKplqnmOo5Mq+sIpVbeRJbd2CF8Kn FX5jpFHZxsaJ8BBEKPs5lMAd1A== X-Received: by 2002:a05:6402:4384:: with SMTP id o4mr547382edc.15.1644565074643; Thu, 10 Feb 2022 23:37:54 -0800 (PST) Received: from hades.. ([2a02:587:46a6:e776:3efd:feff:fe6b:c5cb]) by smtp.gmail.com with ESMTPSA id d11sm333503ejo.207.2022.02.10.23.37.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 10 Feb 2022 23:37:54 -0800 (PST) From: Ilias Apalodimas To: xypron.glpk@gmx.de, takahiro.akashi@linaro.org Cc: Ilias Apalodimas , u-boot@lists.denx.de Subject: [PATCH 2/2] test/py: efi_secboot: adjust secure boot tests to code changes Date: Fri, 11 Feb 2022 09:37:50 +0200 Message-Id: <20220211073750.733348-2-ilias.apalodimas@linaro.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220211073750.733348-1-ilias.apalodimas@linaro.org> References: <20220211073750.733348-1-ilias.apalodimas@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de X-Virus-Status: Clean The previous patch is changing U-Boot's behavior wrt certificate based binary authentication. Specifically an image who's digest of a certificate is found in dbx is now rejected. Fix the test accordingly and add another one testing signatures in reverse order Signed-off-by: Ilias Apalodimas --- changes since RFC: - Added another test cases checking signature hashes in reverse order test/py/tests/test_efi_secboot/test_signed.py | 30 +++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 0aee34479f55..cc9396a11d48 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -186,7 +186,7 @@ class TestEfiSignedImage(object): assert 'Hello, world!' in ''.join(output) with u_boot_console.log.section('Test Case 5c'): - # Test Case 5c, not rejected if one of signatures (digest of + # Test Case 5c, rejected if one of signatures (digest of # certificate) is revoked output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx_hash.auth', @@ -195,7 +195,8 @@ class TestEfiSignedImage(object): output = u_boot_console.run_command_list([ 'efidebug boot next 1', 'efidebug test bootmgr']) - assert 'Hello, world!' in ''.join(output) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) with u_boot_console.log.section('Test Case 5d'): # Test Case 5d, rejected if both of signatures are revoked @@ -209,6 +210,31 @@ class TestEfiSignedImage(object): assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + # Try rejection in reverse order. + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 5e'): + # Test Case 5e, authenticated even if only one of signatures + # is verified. Same as before but reject dbx_hash1.auth only + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash1.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): """ Test Case 6 - using digest of signed image in database