author | Simon Glass <sjg@chromium.org> | 2020-03-18 11:43:59 -0600 |
---|---|---|
committer | Simon Glass <sjg@chromium.org> | 2020-04-01 07:45:09 -0600 |
commit | c021971e132234667eb80bc29bdd4ad6c8d04458 (patch) | |
tree | 4bed6e4008fb14eae395eac9971dde1efed647a9 /test/py/tests/test_vboot.py | |
parent | 477f559edf1144f95e29173d290818250aa57ef8 (diff) |
test: vboot: Add a test for a forged configuration
Add a check to make sure that it is not possible to add a new
configuration and use the hashed nodes and hash of another configuration.
Signed-off-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'test/py/tests/test_vboot.py')
-rw-r--r-- | test/py/tests/test_vboot.py | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 3dd8e3cb664..22c79ef3136 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -28,6 +28,7 @@ import pytest
 import sys
 import struct
 import u_boot_utils as util
+import vboot_forge
 @pytest.mark.boardspec('sandbox')
 @pytest.mark.buildconfigspec('fit_signature')
@@ -182,7 +183,22 @@ def test_vboot(u_boot_console):
 util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
- # Replace header bytes
+ # Make sure that U-Boot checks that the config is in the list of hashed
+ # nodes. If it isn't, a security bypass is possible.
+ with open(fit, 'rb') as fp:
+ root, strblock = vboot_forge.read_fdt(fp)
+ root, strblock = vboot_forge.manipulate(root, strblock)
+ with open(fit, 'w+b') as fp:
+ vboot_forge.write_fdt(root, strblock, fp)
+ util.run_and_log_expect_exception(cons,
+ [fit_check_sign, '-f', fit, '-k', dtb],
+ 1, 'Failed to verify required signature')
+
+ run_bootm(sha_algo, 'forged config', 'Bad Data Hash', False)
+
+ # Create a new properly signed fit and replace header bytes
+ make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
+ sign_fit(sha_algo)
 bcfg = u_boot_console.config.buildconfig
 max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
 existing_size = replace_fit_totalsize(max_size + 1) |
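Review bot: The two negative checks on the forged image in the second hunk (`fit_check_sign` expecting 'Failed to verify required signature' and `run_bootm(sha_algo, 'forged config', 'Bad Data Hash', False)`) would presumably also pass if `vboot_forge.manipulate` wrote a structurally broken FIT, since neither message looks specific to the hashed-nodes check; vboot_forge is not visible here, so this is inferred. I would state the intended invariant above the block, e.g. `# The forged FIT must stay well-formed: only the new config's reuse of another config's hashed nodes and hash is invalid`, and match a message tied to that check if the tools emit one. Separately, `open(fit, 'w+b')` is only written to, so `with open(fit, 'wb') as fp:` states the intent more plainly. The enclosing function starts and ends outside the hunk and `run_bootm` is defined elsewhere, so whether the `False` argument also asserts that boot did not continue should be confirmed there.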