From patchwork Fri May 6 12:36:01 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 570189 Delivered-To: patch@linaro.org Received: by 2002:a05:7000:66c4:0:0:0:0 with SMTP id x4csp1645673mal; Fri, 6 May 2022 05:36:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyAE5OwR+IQJaZM5ZtYr48SDEbdnd4FLQtA5YseEArSzal4Vm1g+qj6OmQbDTGk7iITWBNq X-Received: by 2002:a17:907:3c81:b0:6e6:cf3e:6e14 with SMTP id gl1-20020a1709073c8100b006e6cf3e6e14mr2781079ejc.181.1651840587287; Fri, 06 May 2022 05:36:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651840587; cv=none; d=google.com; s=arc-20160816; b=J1tQz2tnTvod360xYl4RH3Q91Tvob9NBwU7c6Ulvk+lH/pt7hk1+LALMu/g3STg/Sp vQbK2ptFEvUUaU4zCCs6hl5rE3TyRdYO/ihOHD8GtEAc4bNDB3KUNCCo3nkSYMMcyH4k iX2E320DFG4IWz7Ba/bY6Es49jL1+PQf8iPtFHr7df6HJOChkTRk6U+zz9cLr8eztjvH GiEvCoKYJnC/aZKkWbkGlB8/WSl9OcxPvAsUPOXtR2nEzom0YAAIXKw6q47H3DAq5mXY RG6EkTGj7cB2awF0AiiJ9S1sxfoBvgb2HGc5FFMt3usWgUb7LBVNiG4x7or5T43bXp66 vRJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=k6doUnquYs+iWIe2uqekExJs26CXjocEv6b4WQ+sPVI=; b=sJwtxto1YltFNn+2xMlJvJkpwRxjqlbn/F/Sbt/Ew9fzGXq2Rjk2vZ3jUuKpARLQbJ obps5zWz3waqgx424HThE59ypBFpFOZ+Jo9GrdeZwvhfpDZOsj1nrWtNb2HMBI/aIC4G 4brpKi5tt6QCB3NUv/Up3KXhcvGC5zk5QeA/a0QP9u5qQl6xs7i0yxYKg7OQIYZpZ/Vb LzcbaRp5UDMiCFaEe3yOc04zrALp0cYoFfAyPN2y6VowXjq72EWtCOLljSfZuAG6Q8Rs t1wbmjSTW12edUao6F6FtwiT4fbCp+M0kEfNNZAIZy45jD/h5vwoyu6E1Fidlxo9CKeM yYBA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=NerBiUSA; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id kw19-20020a170907771300b006df799f10e4si4494978ejc.678.2022.05.06.05.36.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 May 2022 05:36:27 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=NerBiUSA; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id D461F8408C; Fri, 6 May 2022 14:36:18 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="NerBiUSA"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 0842E8400D; Fri, 6 May 2022 14:36:14 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id B60B283DE0 for ; Fri, 6 May 2022 14:36:07 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org Received: by mail-ej1-x62c.google.com with SMTP id m20so14177206ejj.10 for ; Fri, 06 May 2022 05:36:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=k6doUnquYs+iWIe2uqekExJs26CXjocEv6b4WQ+sPVI=; b=NerBiUSAoTqHmonIwQmUO+6P4+S2rbseDkLVLVVaKGnuUbLXgMcosSAEoTedtuGBRT wisbIaB3fWlfDq0WyZGId4cW9irjyH3B6QfFZ3nx0r5qxPQ0svI/s6QP1H4+W+9m71eh KLtYapGAcu05SQXrK2XABjMKRAr0dK7haxWicbQLebl+oxsGJcantBuxUFWPVREpc5+U 5w9/ty4FiTNUWGHafoNnyZP+E0PFaQK5QzEnOqPWbwblNMwkgSwzgucWoW4BleD7Ij/p qCzLZ0hvuiuMxG/1RQF62/mnivKWm8qc3WdJyGYII1ElsNNTI/syHEc2CXoUDN21OoJj aefA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=k6doUnquYs+iWIe2uqekExJs26CXjocEv6b4WQ+sPVI=; b=mhGMKPBUj+1NYuHyJn6Xfoj//zwlX61wuhLPfcD07M6jj8pYAhNE7CS/9zEc5dydXJ ilrZBs9nHgoTmsXb5yeVWPmFJwtVt3CmIkZU089uiLiJFsHkw6iwJO39L2+JueV/dtuQ jp84MFfJqGbFmccN363JyGZSiFuceR6Ol1XtPAbB4fmjEXcmobDsh7GBXMbgluGKKvLj a3hqxLQgjfPVVFhhNi9XM+D7oE0pf3b2f/fPYvfOQq3taLyYHViK48VZ0AKE/5xnBnqq vfvOBwd9fQDyFZ5nvOUn+z1jjcNJHIz283GdBeUzx9rEufwZNgrCVGmZ+w3CF9QNiy24 Tojw== X-Gm-Message-State: AOAM532b9o6F5PSpROSx03WNw4BPl44CJV314VWcKRRrhEXlTQ3DAbyI BVt6w9D5rBw5ULwQlpDmJIAqKQ== X-Received: by 2002:a17:907:7f0a:b0:6f4:4450:d1bd with SMTP id qf10-20020a1709077f0a00b006f44450d1bdmr2690152ejc.700.1651840567489; Fri, 06 May 2022 05:36:07 -0700 (PDT) Received: from hades.. ([2a02:587:4689:642a:3efd:feff:fe6b:c5ca]) by smtp.gmail.com with ESMTPSA id hz22-20020a1709072cf600b006f3ef214de4sm1899238ejc.74.2022.05.06.05.36.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 May 2022 05:36:07 -0700 (PDT) From: Ilias Apalodimas To: xypron.glpk@gmx.de Cc: takahiro.akashi@linaro.org, Stuart.Yoder@arm.com, paul.liu@linaro.org, Ilias Apalodimas , u-boot@lists.denx.de Subject: [PATCH 2/2 v4] test/py: Add more test cases for rejecting an EFI image Date: Fri, 6 May 2022 15:36:01 +0300 Message-Id: <20220506123602.73303-2-ilias.apalodimas@linaro.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20220506123602.73303-1-ilias.apalodimas@linaro.org> References: <20220506123602.73303-1-ilias.apalodimas@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de X-Virus-Status: Clean The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests Signed-off-by: Ilias Apalodimas --- changes since v3: - move sha384/512 testing to a different fucntion changes since v2: - None changes since RFC: - new patch test/py/tests/test_efi_secboot/conftest.py | 6 +++ test/py/tests/test_efi_secboot/test_signed.py | 51 +++++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 69a498ca003c..8a53dabe5414 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # dbx_hash1 (digest of TEST_db1 certificate) check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index cc9396a11d48..30b3fa4e701e 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -283,3 +283,54 @@ class TestEfiSignedImage(object): 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + + def test_efi_signed_image_auth7(self, u_boot_console, efi_boot_env): + """ + Test Case 7 - Reject images based on the sha384/512 of their x509 cert + """ + # sha384 of an x509 cert in dbx + u_boot_console.restart_uboot() + disk_img = efi_boot_env + with u_boot_console.log.section('Test Case 7a'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash384.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + # sha512 of an x509 cert in dbx + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 7b'): + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash512.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output)