@@ -398,6 +398,14 @@ stages:
wget -O - https://github.com/riscv/opensbi/releases/download/v0.9/opensbi-0.9-rv-bin.tar.xz | tar -C /tmp -xJ;
export OPENSBI=/tmp/opensbi-0.9-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
fi
+ if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then
+ if [ ! -d "/tmp/capsules/" ]; then
+ mkdir -p /tmp/capsules/;
+ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
+ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
+ cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
+ fi
+ fi
# the below corresponds to .gitlab-ci.yml "script"
cd ${WORK_DIR}
export UBOOT_TRAVIS_BUILD_DIR=/tmp/${TEST_PY_BD};
@@ -580,6 +588,15 @@ stages:
cd ${WORK_DIR}
# make environment variables available as tests are running inside a container
export BUILDMAN="${BUILDMAN}"
+ if [[ "${BUILDMAN}" == "sandbox" ]] || [[ "${BUILDMAN}" == "sandbox x86" ]]; then
+ if [ ! -d "/tmp/capsules/" ]; then
+ mkdir -p /tmp/capsules/;
+ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
+ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
+ cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
+ fi
+ fi
+
git config --global --add safe.directory ${WORK_DIR}
EOF
cat << "EOF" >> build.sh
@@ -37,6 +37,14 @@ stages:
export OPENSBI=/tmp/opensbi-0.9-rv-bin/share/opensbi/lp64/generic/firmware/fw_dynamic.bin;
fi
+ - if [[ "${TEST_PY_BD}" == "sandbox" ]] || [[ "${TEST_PY_BD}" == "sandbox_flattree" ]]; then
+ if [ ! -d "/tmp/capsules/" ]; then
+ mkdir -p /tmp/capsules/;
+ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
+ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
+ cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
+ fi
+ fi
after_script:
- cp -v /tmp/${TEST_PY_BD}/*.{html,css} .
- rm -rf /tmp/uboot-test-hooks /tmp/venv
@@ -132,6 +140,13 @@ build all other platforms:
script:
- ret=0;
git config --global --add safe.directory "${CI_PROJECT_DIR}";
+ if [ ! -d "/tmp/capsules/" ]; then
+ mkdir -p /tmp/capsules/;
+ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER.key -out /tmp/capsules/SIGNER.crt -nodes -days 365;
+ openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout /tmp/capsules/SIGNER2.key -out /tmp/capsules/SIGNER2.crt -nodes -days 365;
+ cert-to-efi-sig-list /tmp/capsules/SIGNER.crt /tmp/capsules/SIGNER.esl;
+ fi
+
./tools/buildman/buildman -o /tmp -PEWM -x arm,powerpc || ret=$?;
if [[ $ret -ne 0 ]]; then
./tools/buildman/buildman -o /tmp -seP;
@@ -106,3 +106,7 @@
#if IS_ENABLED(CONFIG_SUPPORT_VPL)
#include "sandbox_vpl.dtsi"
#endif
+
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+#include "sandbox_capsule.dtsi"
+#endif
new file mode 100644
@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Devicetree file for embedding ESL into test DTB
+ */
+
+&binman {
+ fdt-esl-embed {
+ esl-file = CONFIG_EFI_CAPSULE_ESL_FILE;
+ dtb = "test.dtb", "u-boot.dtb";
+ concat = "./u-boot-nodtb.bin", "./u-boot.dtb", "./u-boot.bin";
+ };
+};
@@ -1828,3 +1828,7 @@
#ifdef CONFIG_SANDBOX_VPL
#include "sandbox_vpl.dtsi"
#endif
+
+#ifdef CONFIG_EFI_CAPSULE_AUTHENTICATE
+#include "sandbox_capsule.dtsi"
+#endif
@@ -339,6 +339,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_RAW=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
CONFIG_EFI_SECURE_BOOT=y
CONFIG_TEST_FDTDEC=y
CONFIG_UNIT_TEST=y
@@ -226,6 +226,7 @@ CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
CONFIG_EFI_CAPSULE_ON_DISK=y
CONFIG_EFI_CAPSULE_FIRMWARE_FIT=y
CONFIG_EFI_CAPSULE_AUTHENTICATE=y
+CONFIG_EFI_CAPSULE_ESL_FILE="/tmp/capsules/SIGNER.esl"
CONFIG_UNIT_TEST=y
CONFIG_UT_TIME=y
CONFIG_UT_DM=y
@@ -80,6 +80,65 @@ def pytest_addoption(parser):
help='Run sandbox under gdbserver. The argument is the channel '+
'over which gdbserver should communicate, e.g. localhost:1234')
+def setup_capsule_auth_build(source_dir, build_dir, board_type, log):
+ """Setup the platform's build for capsule authenticate
+
+ This generates the keys needed for signing the capsules along
+ with the EFI Signature List(ESL) file, with the capsule
+ authentication feature enabled.
+
+ The ESL file is subsequently embedded into the platform's
+ dtb during the u-boot build, to be used for capsule
+ authentication.
+
+ Two sets of keys are generated, namely SIGNER and SIGNER2.
+ The SIGNER2 key pair is used as a malicious key for testing the
+ the capsule authentication functionality.
+
+ Args:
+ soruce_dir (str): Directory containing source code
+ build_dir (str): Directory to build in
+ board_type (str): board_type parameter (e.g. 'sandbox')
+ log (Logfile): Log file to use
+
+ Returns:
+ Nothing.
+ """
+ def run_command(name, cmd, source_dir):
+ with log.section(name):
+ if isinstance(cmd, str):
+ cmd = cmd.split()
+ runner = log.get_runner(name, None)
+ runner.run(cmd, cwd=source_dir)
+ runner.close()
+ log.status_pass('OK')
+
+ capsule_sig_dir = '/tmp/capsules/'
+ sig_name = 'SIGNER'
+ mkdir_p(capsule_sig_dir)
+ name = 'openssl'
+ cmd = ( 'openssl req -x509 -sha256 -newkey rsa:2048 '
+ '-subj /CN=TEST_SIGNER/ -keyout %s%s.key '
+ '-out %s%s.crt -nodes -days 365'
+ % (capsule_sig_dir, sig_name, capsule_sig_dir, sig_name)
+ )
+ run_command(name, cmd, source_dir)
+
+ name = 'cert-to-efi-sig-list'
+ cmd = ( 'cert-to-efi-sig-list %s%s.crt %s%s.esl'
+ % (capsule_sig_dir, sig_name, capsule_sig_dir, sig_name)
+ )
+ run_command(name, cmd, source_dir)
+
+ sig_name = 'SIGNER2'
+ name = 'openssl'
+ cmd = ( 'openssl req -x509 -sha256 -newkey rsa:2048 '
+ '-subj /CN=TEST_SIGNER/ -keyout %s%s.key '
+ '-out %s%s.crt -nodes -days 365'
+ % (capsule_sig_dir, sig_name, capsule_sig_dir, sig_name)
+ )
+ run_command(name, cmd, source_dir)
+
def run_build(config, source_dir, build_dir, board_type, log):
"""run_build: Build U-Boot
@@ -102,6 +161,11 @@ def run_build(config, source_dir, build_dir, board_type, log):
o_opt = 'O=%s' % build_dir
else:
o_opt = ''
+
+ capsule_auth_boards = ( 'sandbox', 'sandbox_flattree' )
+ if board_type in capsule_auth_boards:
+ setup_capsule_auth_build(source_dir, build_dir, board_type, log)
+
cmds = (
['make', o_opt, '-s', board_type + '_defconfig'],
['make', o_opt, '-s', '-j{}'.format(os.cpu_count())],
@@ -32,36 +32,6 @@ def efi_capsule_data(request, u_boot_config):
check_call('mkdir -p %s' % data_dir, shell=True)
check_call('mkdir -p %s' % install_dir, shell=True)
- capsule_auth_enabled = u_boot_config.buildconfig.get(
- 'config_efi_capsule_authenticate')
- if capsule_auth_enabled:
- # Create private key (SIGNER.key) and certificate (SIGNER.crt)
- check_call('cd %s; '
- 'openssl req -x509 -sha256 -newkey rsa:2048 '
- '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
- '-out SIGNER.crt -nodes -days 365'
- % data_dir, shell=True)
- check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
- % (data_dir, EFITOOLS_PATH), shell=True)
-
- # Update dtb adding capsule certificate
- check_call('cd %s; '
- 'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
- % (data_dir, u_boot_config.source_dir), shell=True)
- check_call('cd %s; '
- 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
- 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
- '-o test_sig.dtb signature.dtbo'
- % (data_dir, u_boot_config.build_dir), shell=True)
-
- # Create *malicious* private key (SIGNER2.key) and certificate
- # (SIGNER2.crt)
- check_call('cd %s; '
- 'openssl req -x509 -sha256 -newkey rsa:2048 '
- '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
- '-out SIGNER2.crt -nodes -days 365'
- % data_dir, shell=True)
-
# Create capsule files
# two regions: one for u-boot.bin and the other for u-boot.env
check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
@@ -88,7 +58,14 @@ def efi_capsule_data(request, u_boot_config):
(data_dir, u_boot_config.build_dir),
shell=True)
+ capsule_auth_enabled = u_boot_config.buildconfig.get(
+ 'config_efi_capsule_authenticate')
if capsule_auth_enabled:
+ capsules_path_dir = '/tmp/capsules/'
+ check_call('mv %s/* %s ' %(capsules_path_dir, data_dir), shell=True)
+ check_call('cp %s/arch/sandbox/dts/test.dtb %s/test_sig.dtb' %
+ (u_boot_config.build_dir, data_dir), shell=True)
+
# raw firmware signed with proper key
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
deleted file mode 100644
@@ -1,10 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0+
-
-/dts-v1/;
-/plugin/;
-
-&{/} {
- signature {
- capsule-key = /incbin/("SIGNER.esl");
- };
-};
Currently, the keys and the EFI Signature List(ESL) file used for testing capsule authentication functionality are being generated after the u-boot image has been built. The ESL file is then embedded into the platform's DTB for capsule authentication. This flow has been changed through an earlier commit, which embeds the ESL file into the platform's dtb(s) as part of the u-boot build. This requires generating the keys and the ESL file prior to invoking the u-boot build. Bring about the same sequence of generating these files prior to invoking the u-boot build while testing. For testing the EFI capsule functionality through manual invocation of pytest, changes have been made to the configuration to generate the openssl keys and the ESL file prior to u-boot build. Similar changes have been made in the CI test environment to generate the keys and the ESL prior to the u-boot build. The binman node needed for invoking the corresponding entry module for embedding the ESL has been added for sandbox to facilitate testing. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> --- Changes since V1: * Add the logic to generate the keys in the yml files which get used in the CI setup. * Add a fdt-esl-embed node in sandbox's binman node with capsule authentication enabled. .azure-pipelines.yml | 17 ++++++ .gitlab-ci.yml | 15 +++++ arch/sandbox/dts/sandbox.dts | 4 ++ arch/sandbox/dts/sandbox_capsule.dtsi | 12 ++++ arch/sandbox/dts/test.dts | 4 ++ configs/sandbox_defconfig | 1 + configs/sandbox_flattree_defconfig | 1 + test/py/conftest.py | 64 ++++++++++++++++++++ test/py/tests/test_efi_capsule/conftest.py | 37 +++-------- test/py/tests/test_efi_capsule/signature.dts | 10 --- 10 files changed, 125 insertions(+), 40 deletions(-) create mode 100644 arch/sandbox/dts/sandbox_capsule.dtsi delete mode 100644 test/py/tests/test_efi_capsule/signature.dts