author | Tom Rini <trini@konsulko.com> | 2025-03-15 08:19:31 -0600 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2025-03-15 08:19:31 -0600 |
commit | 0e1fc465fea62ebae91f2f56cb823e8b37ee1077 (patch) | |
tree | 14ea0ca0ef443959df1ac5afa7b5114e6910bf77 /test/py/tests/test_efi_secboot/test_signed.py | |
parent | 00dfb7038ea4dfe9d9667143bfecd11c05cab6fa (diff) | |
parent | 13e8d14442a85a8556211a9950a5b6f80b447901 (diff) |
Merge tag 'dm-pull-15mar25' of git://git.denx.de/u-boot-dm into next
Sync up on test renames
Diffstat (limited to 'test/py/tests/test_efi_secboot/test_signed.py')
-rw-r--r-- | test/py/tests/test_efi_secboot/test_signed.py | 148 |
1 files changed, 74 insertions, 74 deletions
diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py
index f604138a356..e8aaef7090c 100644
--- a/test/py/tests/test_efi_secboot/test_signed.py
+++ b/test/py/tests/test_efi_secboot/test_signed.py
@@ -18,83 +18,83 @@ import pytest @pytest.mark.buildconfigspec('cmd_nvedit_efi') @pytest.mark.slow class TestEfiSignedImage(object): - def test_efi_signed_image_auth1(self, u_boot_console, efi_boot_env): + def test_efi_signed_image_auth1(self, ubman, efi_boot_env): """ Test Case 1 - Secure boot is not in force """ - u_boot_console.restart_uboot() + ubman.restart_uboot() disk_img = efi_boot_env - with u_boot_console.log.section('Test Case 1a'): + with ubman.log.section('Test Case 1a'): # Test Case 1a, run signed image if no PK - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'host bind 0 %s' % disk_img, 'efidebug boot add -b 1 HELLO1 host 0:1 /helloworld.efi.signed -s ""', 'efidebug boot order 1', 'bootefi bootmgr']) assert 'Hello, world!' in ''.join(output) - with u_boot_console.log.section('Test Case 1b'): + with ubman.log.section('Test Case 1b'): # Test Case 1b, run unsigned image if no PK - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot add -b 2 HELLO2 host 0:1 /helloworld.efi -s ""', 'efidebug boot order 2', 'bootefi bootmgr']) assert 'Hello, world!' 
in ''.join(output) - def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env): + def test_efi_signed_image_auth2(self, ubman, efi_boot_env): """ Test Case 2 - Secure boot is in force, authenticated by db (TEST_db certificate in db) """ - u_boot_console.restart_uboot() + ubman.restart_uboot() disk_img = efi_boot_env - with u_boot_console.log.section('Test Case 2a'): + with ubman.log.section('Test Case 2a'): # Test Case 2a, db is not yet installed - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 KEK.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot add -b 1 HELLO1 host 0:1 /helloworld.efi.signed -s ""', 'efidebug boot order 1', 'efidebug test bootmgr']) assert('\'HELLO1\' failed' in ''.join(output)) assert('efi_bootmgr_load() returned: 26' in ''.join(output)) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot add -b 2 HELLO2 host 0:1 /helloworld.efi -s ""', 'efidebug boot order 2', 'efidebug test bootmgr']) assert '\'HELLO2\' failed' in ''.join(output) assert 'efi_bootmgr_load() returned: 26' in ''.join(output) - with u_boot_console.log.section('Test Case 2b'): + with ubman.log.section('Test Case 2b'): # Test Case 2b, authenticated by db - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot order 2', 'efidebug test bootmgr']) assert '\'HELLO2\' failed' in ''.join(output) assert 'efi_bootmgr_load() returned: 
26' in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot order 1', 'bootefi bootmgr']) assert 'Hello, world!' in ''.join(output) - def test_efi_signed_image_auth3(self, u_boot_console, efi_boot_env): + def test_efi_signed_image_auth3(self, ubman, efi_boot_env): """ Test Case 3 - rejected by dbx (TEST_db certificate in dbx) """ - u_boot_console.restart_uboot() + ubman.restart_uboot() disk_img = efi_boot_env - with u_boot_console.log.section('Test Case 3a'): + with ubman.log.section('Test Case 3a'): # Test Case 3a, rejected by dbx - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx', 
@@ -103,34 +103,34 @@ class TestEfiSignedImage(object): 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed -s ""', 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_bootmgr_load() returned: 26' in ''.join(output) - with u_boot_console.log.section('Test Case 3b'): + with ubman.log.section('Test Case 3b'): # Test Case 3b, rejected by dbx even if db allows - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_bootmgr_load() returned: 26' in ''.join(output) - def test_efi_signed_image_auth4(self, u_boot_console, efi_boot_env): + def test_efi_signed_image_auth4(self, ubman, efi_boot_env): """ Test Case 4 - revoked by dbx (digest of TEST_db certificate in dbx) """ - u_boot_console.restart_uboot() + ubman.restart_uboot() disk_img = efi_boot_env - with u_boot_console.log.section('Test Case 4'): + with ubman.log.section('Test Case 4'): # Test Case 4, rejected by dbx - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 dbx_hash.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx', 
@@ -141,25 +141,25 @@ class TestEfiSignedImage(object): 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed -s ""', 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_bootmgr_load() returned: 26' in ''.join(output) - def test_efi_signed_image_auth5(self, u_boot_console, efi_boot_env): + def test_efi_signed_image_auth5(self, ubman, efi_boot_env): """ Test Case 5 - multiple signatures one signed with TEST_db, and one signed with TEST_db1 """ - u_boot_console.restart_uboot() + ubman.restart_uboot() disk_img = efi_boot_env - with u_boot_console.log.section('Test Case 5a'): + with ubman.log.section('Test Case 5a'): # Test Case 5a, authenticated even if only one of signatures # is verified - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 
@@ -168,54 +168,54 @@ class TestEfiSignedImage(object): 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', 'efidebug boot order 1', 'efidebug test bootmgr']) assert 'Hello, world!' in ''.join(output) - with u_boot_console.log.section('Test Case 5b'): + with ubman.log.section('Test Case 5b'): # Test Case 5b, authenticated if both signatures are verified - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'fatload host 0:1 4000000 db2.auth', 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot order 1', 'efidebug test bootmgr']) assert 'Hello, world!' in ''.join(output) - with u_boot_console.log.section('Test Case 5c'): + with ubman.log.section('Test Case 5c'): # Test Case 5c, rejected if one of signatures (digest of # certificate) is revoked - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'fatload host 0:1 4000000 dbx_hash.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_bootmgr_load() returned: 26' in ''.join(output) - with u_boot_console.log.section('Test Case 5d'): + with ubman.log.section('Test Case 5d'): # Test Case 5d, rejected if both of signatures are revoked - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'fatload host 0:1 4000000 dbx_hash2.auth', 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize 
dbx']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_bootmgr_load() returned: 26' in ''.join(output) # Try rejection in reverse order. - u_boot_console.restart_uboot() - with u_boot_console.log.section('Test Case 5e'): + ubman.restart_uboot() + with ubman.log.section('Test Case 5e'): # Test Case 5e, authenticated even if only one of signatures # is verified. Same as before but reject dbx_hash1.auth only - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', @@ -228,22 +228,22 @@ class TestEfiSignedImage(object): 'fatload host 0:1 4000000 dbx_hash1.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_bootmgr_load() returned: 26' in ''.join(output) - def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): + def test_efi_signed_image_auth6(self, ubman, efi_boot_env): """ Test Case 6 - using digest of signed image in database """ - u_boot_console.restart_uboot() + ubman.restart_uboot() disk_img = efi_boot_env - with u_boot_console.log.section('Test Case 6a'): + with ubman.log.section('Test Case 6a'): # Test Case 6a, verified by image's digest in db - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db_hello_signed.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 
@@ -252,47 +252,47 @@ class TestEfiSignedImage(object): 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed -s ""', 'efidebug boot order 1', 'bootefi bootmgr']) assert 'Hello, world!' in ''.join(output) - with u_boot_console.log.section('Test Case 6b'): + with ubman.log.section('Test Case 6b'): # Test Case 6b, rejected by TEST_db certificate in dbx - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'fatload host 0:1 4000000 dbx_db.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_bootmgr_load() returned: 26' in ''.join(output) - with u_boot_console.log.section('Test Case 6c'): + with ubman.log.section('Test Case 6c'): # Test Case 6c, rejected by image's digest in dbx - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'fatload host 0:1 4000000 dbx_hello_signed.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_bootmgr_load() returned: 26' in ''.join(output) - def test_efi_signed_image_auth7(self, u_boot_console, efi_boot_env): + def test_efi_signed_image_auth7(self, ubman, efi_boot_env): """ Test Case 7 - Reject images based on the sha384/512 of their x509 cert """ # sha384 
of an x509 cert in dbx - u_boot_console.restart_uboot() + ubman.restart_uboot() disk_img = efi_boot_env - with u_boot_console.log.section('Test Case 7a'): - output = u_boot_console.run_command_list([ + with ubman.log.section('Test Case 7a'): + output = ubman.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', @@ -305,7 +305,7 @@ class TestEfiSignedImage(object): 'fatload host 0:1 4000000 dbx_hash384.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', 'efidebug boot order 1', 'efidebug test bootmgr']) @@ -313,9 +313,9 @@ class TestEfiSignedImage(object): assert 'efi_bootmgr_load() returned: 26' in ''.join(output) # sha512 of an x509 cert in dbx - u_boot_console.restart_uboot() - with u_boot_console.log.section('Test Case 7b'): - output = u_boot_console.run_command_list([ + ubman.restart_uboot() + with ubman.log.section('Test Case 7b'): + output = ubman.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 
@@ -328,34 +328,34 @@ class TestEfiSignedImage(object): 'fatload host 0:1 4000000 dbx_hash512.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""', 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) assert 'efi_bootmgr_load() returned: 26' in ''.join(output) - def test_efi_signed_image_auth8(self, u_boot_console, efi_boot_env): + def test_efi_signed_image_auth8(self, ubman, efi_boot_env): """ Test Case 8 - Secure boot is in force, Same as Test Case 2 but the image binary to be loaded was willfully modified (forged) Must be rejected. """ - u_boot_console.restart_uboot() + ubman.restart_uboot() disk_img = efi_boot_env - with u_boot_console.log.section('Test Case 8a'): + with ubman.log.section('Test Case 8a'): # Test Case 8a, Secure boot is not yet forced - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'host bind 0 %s' % disk_img, 'efidebug boot add -b 1 HELLO1 host 0:1 /helloworld_forged.efi.signed -s ""', 'efidebug boot order 1', 'efidebug test bootmgr']) assert('hELLO, world!' in ''.join(output)) - with u_boot_console.log.section('Test Case 8b'): + with ubman.log.section('Test Case 8b'): # Test Case 8b, Install signature database and verify the image - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'fatload host 0:1 4000000 db.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'fatload host 0:1 4000000 KEK.auth', 
@@ -363,7 +363,7 @@ class TestEfiSignedImage(object): 'fatload host 0:1 4000000 PK.auth', 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) - output = u_boot_console.run_command_list([ + output = ubman.run_command_list([ 'efidebug boot order 1', 'efidebug test bootmgr']) assert(not 'hELLO, world!' in ''.join(output)) |