| Message ID | 20220418180724.1855888-2-ilias.apalodimas@linaro.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [1/2] efi_loader: add sha384/512 on certificate revocation | expand |
On Mon, Apr 18, 2022 at 09:07:23PM +0300, Ilias Apalodimas wrote: > The previous patch adds support for rejecting images when the sha384/512 > of an x.509 certificate is present in dbx. Update the sandbox selftests > > Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> > --- > changes since v2: > - None > changes since RFC: > - new patch > > test/py/tests/test_efi_secboot/conftest.py | 6 +++ > test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++ > 2 files changed, 56 insertions(+) > > diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py > index 69a498ca003c..8a53dabe5414 100644 > --- a/test/py/tests/test_efi_secboot/conftest.py > +++ b/test/py/tests/test_efi_secboot/conftest.py > @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config): > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > shell=True) > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > + shell=True) > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > + shell=True) > # dbx_hash1 (digest of TEST_db1 certificate) > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py > index cc9396a11d48..80d5eff74be3 100644 > --- a/test/py/tests/test_efi_secboot/test_signed.py > +++ b/test/py/tests/test_efi_secboot/test_signed.py > @@ -235,6 +235,56 @@ class TestEfiSignedImage(object): > assert '\'HELLO\' failed' in ''.join(output) > assert 'efi_start_image() returned: 26' in ''.join(output) > > + # sha384 of an x509 cert in dbx > + u_boot_console.restart_uboot() > + with u_boot_console.log.section('Test Case 5e'): > + # Test Case 5f, authenticated even if only one of signatures > + # is verified. Same as before but reject dbx_hash1.auth only Please describe the test scenario more specifically regarding sha384. > + output = u_boot_console.run_command_list([ > + 'host bind 0 %s' % disk_img, > + 'fatload host 0:1 4000000 db.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', > + 'fatload host 0:1 4000000 KEK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', > + 'fatload host 0:1 4000000 PK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', > + 'fatload host 0:1 4000000 db1.auth', > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', > + 'fatload host 0:1 4000000 dbx_hash384.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) > + assert 'Failed to set EFI variable' not in ''.join(output) > + output = u_boot_console.run_command_list([ > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', > + 'efidebug boot next 1', > + 'efidebug test bootmgr']) > + assert '\'HELLO\' failed' in ''.join(output) > + assert 'efi_start_image() returned: 26' in ''.join(output) > + > + # sha512 of an x509 cert in dbx > + u_boot_console.restart_uboot() > + with u_boot_console.log.section('Test Case 5e'): > + # Test Case 5G, authenticated even if only one of signatures > + # is verified. Same as before but reject dbx_hash1.auth only > + output = u_boot_console.run_command_list([ > + 'host bind 0 %s' % disk_img, > + 'fatload host 0:1 4000000 db.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', > + 'fatload host 0:1 4000000 KEK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', > + 'fatload host 0:1 4000000 PK.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', > + 'fatload host 0:1 4000000 db1.auth', > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', > + 'fatload host 0:1 4000000 dbx_hash512.auth', > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) > + assert 'Failed to set EFI variable' not in ''.join(output) > + output = u_boot_console.run_command_list([ > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', > + 'efidebug boot next 1', > + 'efidebug test bootmgr']) > + assert '\'HELLO\' failed' in ''.join(output) > + assert 'efi_start_image() returned: 26' in ''.join(output) > + I prefer to have two separate test functions for sha384 and sha512. This way, we can test both cases independently. In the test run, even if sha384 case fails, sha512 can still be verified. -Takahiro Akashi > def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): > """ > Test Case 6 - using digest of signed image in database > -- > 2.32.0 >
On Tue, Apr 19, 2022 at 10:54:14AM +0900, AKASHI Takahiro wrote: > On Mon, Apr 18, 2022 at 09:07:23PM +0300, Ilias Apalodimas wrote: > > The previous patch adds support for rejecting images when the sha384/512 > > of an x.509 certificate is present in dbx. Update the sandbox selftests > > > > Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> > > --- > > changes since v2: > > - None > > changes since RFC: > > - new patch > > > > test/py/tests/test_efi_secboot/conftest.py | 6 +++ > > test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++ > > 2 files changed, 56 insertions(+) > > > > diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py > > index 69a498ca003c..8a53dabe5414 100644 > > --- a/test/py/tests/test_efi_secboot/conftest.py > > +++ b/test/py/tests/test_efi_secboot/conftest.py > > @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config): > > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' > > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > shell=True) > > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' > > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > + shell=True) > > + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' > > + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > + shell=True) > > # dbx_hash1 (digest of TEST_db1 certificate) > > check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' > > % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), > > diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py > > index cc9396a11d48..80d5eff74be3 100644 > > --- a/test/py/tests/test_efi_secboot/test_signed.py > > +++ b/test/py/tests/test_efi_secboot/test_signed.py > > @@ -235,6 +235,56 @@ class TestEfiSignedImage(object): > > assert '\'HELLO\' failed' in ''.join(output) > > assert 'efi_start_image() returned: 26' in ''.join(output) > > > > + # sha384 of an x509 cert in dbx > > + u_boot_console.restart_uboot() > > + with u_boot_console.log.section('Test Case 5e'): > > + # Test Case 5f, authenticated even if only one of signatures > > + # is verified. Same as before but reject dbx_hash1.auth only > > Please describe the test scenario more specifically regarding sha384. > > > + output = u_boot_console.run_command_list([ > > + 'host bind 0 %s' % disk_img, > > + 'fatload host 0:1 4000000 db.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 KEK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', > > + 'fatload host 0:1 4000000 PK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', > > + 'fatload host 0:1 4000000 db1.auth', > > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 dbx_hash384.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', > > + 'efidebug boot next 1', > > + 'efidebug test bootmgr']) > > + assert '\'HELLO\' failed' in ''.join(output) > > + assert 'efi_start_image() returned: 26' in ''.join(output) > > + > > + # sha512 of an x509 cert in dbx > > + u_boot_console.restart_uboot() > > + with u_boot_console.log.section('Test Case 5e'): > > + # Test Case 5G, authenticated even if only one of signatures > > + # is verified. Same as before but reject dbx_hash1.auth only > > + output = u_boot_console.run_command_list([ > > + 'host bind 0 %s' % disk_img, > > + 'fatload host 0:1 4000000 db.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 KEK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', > > + 'fatload host 0:1 4000000 PK.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', > > + 'fatload host 0:1 4000000 db1.auth', > > + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', > > + 'fatload host 0:1 4000000 dbx_hash512.auth', > > + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) > > + assert 'Failed to set EFI variable' not in ''.join(output) > > + output = u_boot_console.run_command_list([ > > + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', > > + 'efidebug boot next 1', > > + 'efidebug test bootmgr']) > > + assert '\'HELLO\' failed' in ''.join(output) > > + assert 'efi_start_image() returned: 26' in ''.join(output) > > + > > I prefer to have two separate test functions for sha384 and sha512. > This way, we can test both cases independently. > In the test run, even if sha384 case fails, sha512 can still be verified. > Sure, I'll split them on v4 Thanks /Ilias > -Takahiro Akashi > > > > def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): > > """ > > Test Case 6 - using digest of signed image in database > > -- > > 2.32.0 > >
diff --git a/test/py/tests/test_efi_secboot/conftest.py b/test/py/tests/test_efi_secboot/conftest.py index 69a498ca003c..8a53dabe5414 100644 --- a/test/py/tests/test_efi_secboot/conftest.py +++ b/test/py/tests/test_efi_secboot/conftest.py @@ -80,6 +80,12 @@ def efi_boot_env(request, u_boot_config): check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db.crt dbx_hash.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash.crl dbx_hash.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 384 db.crt dbx_hash384.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash384.crl dbx_hash384.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) + check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 512 db.crt dbx_hash512.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash512.crl dbx_hash512.auth' + % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), + shell=True) # dbx_hash1 (digest of TEST_db1 certificate) check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth' % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH), diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index cc9396a11d48..80d5eff74be3 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -235,6 +235,56 @@ class TestEfiSignedImage(object): assert '\'HELLO\' failed' in ''.join(output) assert 'efi_start_image() returned: 26' in ''.join(output) + # sha384 of an x509 cert in dbx + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 5e'): + # Test Case 5f, authenticated even if only one of signatures + # is verified. Same as before but reject dbx_hash1.auth only + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash384.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + + # sha512 of an x509 cert in dbx + u_boot_console.restart_uboot() + with u_boot_console.log.section('Test Case 5e'): + # Test Case 5G, authenticated even if only one of signatures + # is verified. Same as before but reject dbx_hash1.auth only + output = u_boot_console.run_command_list([ + 'host bind 0 %s' % disk_img, + 'fatload host 0:1 4000000 db.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', + 'fatload host 0:1 4000000 KEK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', + 'fatload host 0:1 4000000 PK.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', + 'fatload host 0:1 4000000 db1.auth', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', + 'fatload host 0:1 4000000 dbx_hash512.auth', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) + assert 'Failed to set EFI variable' not in ''.join(output) + output = u_boot_console.run_command_list([ + 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', + 'efidebug boot next 1', + 'efidebug test bootmgr']) + assert '\'HELLO\' failed' in ''.join(output) + assert 'efi_start_image() returned: 26' in ''.join(output) + def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): """ Test Case 6 - using digest of signed image in database
The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> --- changes since v2: - None changes since RFC: - new patch test/py/tests/test_efi_secboot/conftest.py | 6 +++ test/py/tests/test_efi_secboot/test_signed.py | 50 +++++++++++++++++++ 2 files changed, 56 insertions(+)