| Simon Glass | 8729d58 | 2016-07-03 09:40:46 -0600 | [diff] [blame] | 1 | # Copyright (c) 2013, Google Inc. |
| 2 | # |
| 3 | # SPDX-License-Identifier: GPL-2.0+ |
| 4 | # |
| 5 | # U-Boot Verified Boot Test |
| 6 | |
| 7 | """ |
| 8 | This tests verified boot in the following ways: |
| 9 | |
| 10 | For image verification: |
| 11 | - Create FIT (unsigned) with mkimage |
| 12 | - Check that verification shows that no keys are verified |
| 13 | - Sign image |
| 14 | - Check that verification shows that a key is now verified |
| 15 | |
| 16 | For configuration verification: |
| 17 | - Corrupt signature and check for failure |
| 18 | - Create FIT (with unsigned configuration) with mkimage |
| 19 | - Check that image veriication works |
| 20 | - Sign the FIT and mark the key as 'required' for verification |
| 21 | - Check that image verification works |
| 22 | - Corrupt the signature |
| 23 | - Check that image verification no-longer works |
| 24 | |
| 25 | Tests run with both SHA1 and SHA256 hashing. |
| 26 | """ |
| 27 | |
| 28 | import pytest |
| 29 | import sys |
| 30 | import u_boot_utils as util |
| 31 | |
| Michal Simek | 04a4786 | 2016-07-18 08:49:08 +0200 | [diff] [blame^] | 32 | @pytest.mark.boardspec('sandbox') |
| Simon Glass | 8729d58 | 2016-07-03 09:40:46 -0600 | [diff] [blame] | 33 | @pytest.mark.buildconfigspec('fit_signature') |
| 34 | def test_vboot(u_boot_console): |
| 35 | """Test verified boot signing with mkimage and verification with 'bootm'. |
| 36 | |
| 37 | This works using sandbox only as it needs to update the device tree used |
| 38 | by U-Boot to hold public keys from the signing process. |
| 39 | |
| 40 | The SHA1 and SHA256 tests are combined into a single test since the |
| 41 | key-generation process is quite slow and we want to avoid doing it twice. |
| 42 | """ |
| 43 | def dtc(dts): |
| 44 | """Run the device-tree compiler to compile a .dts file |
| 45 | |
| 46 | The output file will be the same as the input file but with a .dtb |
| 47 | extension. |
| 48 | |
| 49 | Args: |
| 50 | dts: Device tree file to compile. |
| 51 | """ |
| 52 | dtb = dts.replace('.dts', '.dtb') |
| 53 | util.cmd(cons, 'dtc %s %s%s -O dtb ' |
| 54 | '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb)) |
| 55 | |
| 56 | def run_bootm(test_type, expect_string): |
| 57 | """Run a 'bootm' command U-Boot. |
| 58 | |
| 59 | This always starts a fresh U-Boot instance since the device tree may |
| 60 | contain a new public key. |
| 61 | |
| 62 | Args: |
| 63 | test_type: A string identifying the test type |
| 64 | expect_string: A string which is expected in the output |
| 65 | """ |
| 66 | cons.cleanup_spawn() |
| 67 | cons.ensure_spawned() |
| 68 | cons.log.action('%s: Test Verified Boot Run: %s' % (algo, test_type)) |
| 69 | output = cons.run_command_list( |
| 70 | ['sb load hostfs - 100 %stest.fit' % tmpdir, |
| 71 | 'fdt addr 100', |
| 72 | 'bootm 100']) |
| 73 | assert(expect_string in output) |
| 74 | |
| 75 | def make_fit(its): |
| 76 | """Make a new FIT from the .its source file |
| 77 | |
| 78 | This runs 'mkimage -f' to create a new FIT. |
| 79 | |
| 80 | Args: |
| 81 | its: Filename containing .its source |
| 82 | """ |
| 83 | util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f', |
| 84 | '%s%s' % (datadir, its), fit]) |
| 85 | |
| 86 | def sign_fit(): |
| 87 | """Sign the FIT |
| 88 | |
| 89 | Signs the FIT and writes the signature into it. It also writes the |
| 90 | public key into the dtb. |
| 91 | """ |
| 92 | cons.log.action('%s: Sign images' % algo) |
| 93 | util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb, |
| 94 | '-r', fit]) |
| 95 | |
| 96 | def test_with_algo(sha): |
| 97 | """Test verified boot with the given hash algorithm |
| 98 | |
| 99 | This is the main part of the test code. The same procedure is followed |
| 100 | for both hashing algorithms. |
| 101 | |
| 102 | Args: |
| 103 | sha: Either 'sha1' or 'sha256', to select the algorithm to use |
| 104 | """ |
| 105 | global algo |
| 106 | |
| 107 | algo = sha |
| 108 | |
| 109 | # Compile our device tree files for kernel and U-Boot |
| 110 | dtc('sandbox-kernel.dts') |
| 111 | dtc('sandbox-u-boot.dts') |
| 112 | |
| 113 | # Build the FIT, but don't sign anything yet |
| 114 | cons.log.action('%s: Test FIT with signed images' % algo) |
| 115 | make_fit('sign-images-%s.its' % algo) |
| 116 | run_bootm('unsigned images', 'dev-') |
| 117 | |
| 118 | # Sign images with our dev keys |
| 119 | sign_fit() |
| 120 | run_bootm('signed images', 'dev+') |
| 121 | |
| 122 | # Create a fresh .dtb without the public keys |
| 123 | dtc('sandbox-u-boot.dts') |
| 124 | |
| 125 | cons.log.action('%s: Test FIT with signed configuration' % algo) |
| 126 | make_fit('sign-configs-%s.its' % algo) |
| 127 | run_bootm('unsigned config', '%s+ OK' % algo) |
| 128 | |
| 129 | # Sign images with our dev keys |
| 130 | sign_fit() |
| 131 | run_bootm('signed config', 'dev+') |
| 132 | |
| 133 | cons.log.action('%s: Check signed config on the host' % algo) |
| 134 | |
| 135 | util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir, |
| 136 | '-k', dtb]) |
| 137 | |
| 138 | # Increment the first byte of the signature, which should cause failure |
| 139 | sig = util.cmd(cons, 'fdtget -t bx %s %s value' % (fit, sig_node)) |
| 140 | byte_list = sig.split() |
| 141 | byte = int(byte_list[0], 16) |
| 142 | byte_list = ['%x' % (byte + 1)] + byte_list[1:] |
| 143 | sig = ' '.join(byte_list) |
| 144 | util.cmd(cons, 'fdtput -t bx %s %s value %s' % (fit, sig_node, sig)) |
| 145 | |
| 146 | run_bootm('Signed config with bad hash', 'Bad Data Hash') |
| 147 | |
| 148 | cons.log.action('%s: Check bad config on the host' % algo) |
| 149 | util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit, |
| 150 | '-k', dtb], 1, 'Failed to verify required signature') |
| 151 | |
| 152 | cons = u_boot_console |
| 153 | tmpdir = cons.config.result_dir + '/' |
| 154 | tmp = tmpdir + 'vboot.tmp' |
| Stephen Warren | c9ba60c | 2016-07-18 10:07:25 -0600 | [diff] [blame] | 155 | datadir = cons.config.source_dir + '/test/py/tests/vboot/' |
| Simon Glass | 8729d58 | 2016-07-03 09:40:46 -0600 | [diff] [blame] | 156 | fit = '%stest.fit' % tmpdir |
| 157 | mkimage = cons.config.build_dir + '/tools/mkimage' |
| 158 | fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign' |
| 159 | dtc_args = '-I dts -O dtb -i %s' % tmpdir |
| 160 | dtb = '%ssandbox-u-boot.dtb' % tmpdir |
| 161 | sig_node = '/configurations/conf@1/signature@1' |
| 162 | |
| 163 | # Create an RSA key pair |
| 164 | public_exponent = 65537 |
| 165 | util.cmd(cons, 'openssl genpkey -algorithm RSA -out %sdev.key ' |
| 166 | '-pkeyopt rsa_keygen_bits:2048 ' |
| 167 | '-pkeyopt rsa_keygen_pubexp:%d ' |
| 168 | '2>/dev/null' % (tmpdir, public_exponent)) |
| 169 | |
| 170 | # Create a certificate containing the public key |
| 171 | util.cmd(cons, 'openssl req -batch -new -x509 -key %sdev.key -out ' |
| 172 | '%sdev.crt' % (tmpdir, tmpdir)) |
| 173 | |
| 174 | # Create a number kernel image with zeroes |
| 175 | with open('%stest-kernel.bin' % tmpdir, 'w') as fd: |
| 176 | fd.write(5000 * chr(0)) |
| 177 | |
| 178 | try: |
| 179 | # We need to use our own device tree file. Remember to restore it |
| 180 | # afterwards. |
| 181 | old_dtb = cons.config.dtb |
| 182 | cons.config.dtb = dtb |
| 183 | test_with_algo('sha1') |
| 184 | test_with_algo('sha256') |
| 185 | finally: |
| 186 | cons.config.dtb = old_dtb |