1 # SPDX-License-Identifier:      GPL-2.0+
2 # Copyright (c) 2020, Linaro Limited
3 # Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
4
5 """Fixture for UEFI capsule test
6 """
7
8 from subprocess import call, check_call, CalledProcessError
9 import pytest
10 from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR, EFITOOLS_PATH
11
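@pytest.fixture(scope='session')
def efi_capsule_data(request, u_boot_config):
    """Set up a file system to be used in UEFI capsule and authentication test
    and return a path to disk image to be used for testing

    A scratch directory is filled with firmware payloads, capsule files and,
    when capsule authentication is configured, signing material.  It is then
    packed into a GPT disk image with a vfat partition typed as an EFI system
    partition.  If a setup command fails, the dependent tests are skipped.
    The scratch directory, the disk image and ./spi.bin are removed on
    teardown.

    request -- Pytest request object.
    u_boot_config -- U-boot configuration.
    """
    # Every configuration-derived path goes through quote() before it is
    # interpolated into a shell command line.  Without it a directory name
    # containing a space or a shell metacharacter would be split or
    # interpreted by the shell, which is hazardous for the 'rm -rf' calls.
    # quote() returns ordinary paths unchanged.
    from shlex import quote

    mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
    data_dir = mnt_point + CAPSULE_DATA_DIR
    install_dir = mnt_point + CAPSULE_INSTALL_DIR
    image_path = u_boot_config.persistent_data_dir + '/test_efi_capsule.img'

    mnt_q = quote(mnt_point)
    data_q = quote(data_dir)
    install_q = quote(install_dir)
    image_q = quote(image_path)

    try:
        mkimage = quote(u_boot_config.build_dir + '/tools/mkimage')
        mkeficapsule = quote(u_boot_config.build_dir + '/tools/mkeficapsule')

        # Create a target device
        check_call('dd if=/dev/zero of=./spi.bin bs=1MiB count=16', shell=True)

        check_call('rm -rf %s' % mnt_q, shell=True)
        check_call('mkdir -p %s' % data_q, shell=True)
        check_call('mkdir -p %s' % install_q, shell=True)

        capsule_auth_enabled = u_boot_config.buildconfig.get(
            'config_efi_capsule_authenticate')
        if capsule_auth_enabled:
            # Create private key (SIGNER.key) and certificate (SIGNER.crt).
            # -nodes leaves the key unencrypted, and data_dir sits under
            # mnt_point, which virt-make-fs packs into the disk image below,
            # so the private keys end up inside the image as well.  They are
            # throwaway test credentials and must never be reused for real
            # capsule signing.
            check_call('cd %s; '
                       'openssl req -x509 -sha256 -newkey rsa:2048 '
                       '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
                       '-out SIGNER.crt -nodes -days 365'
                       % data_q, shell=True)
            check_call('cd %s; %s SIGNER.crt SIGNER.esl'
                       % (data_q,
                          quote(EFITOOLS_PATH + 'cert-to-efi-sig-list')),
                       shell=True)

            # Update dtb adding capsule certificate
            check_call('cd %s; cp %s .'
                       % (data_q,
                          quote(u_boot_config.source_dir +
                                '/test/py/tests/test_efi_capsule/signature.dts')),
                       shell=True)
            check_call('cd %s; '
                       'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
                       'fdtoverlay -i %s -o test_sig.dtb signature.dtbo'
                       % (data_q,
                          quote(u_boot_config.build_dir +
                                '/arch/sandbox/dts/test.dtb')),
                       shell=True)

            # Create *malicious* private key (SIGNER2.key) and certificate
            # (SIGNER2.crt) with the same subject as the proper signer.
            # Unlike SIGNER.crt, no signature list is generated from it here.
            # NOTE(review): presumably only SIGNER's certificate reaches the
            # dtb through signature.dts, so capsules signed with SIGNER2 are
            # expected to be rejected -- confirm against signature.dts.
            check_call('cd %s; '
                       'openssl req -x509 -sha256 -newkey rsa:2048 '
                       '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
                       '-out SIGNER2.crt -nodes -days 365'
                       % data_q, shell=True)

        # Create capsule files
        # two regions: one for u-boot.bin and the other for u-boot.env
        check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_q,
                   shell=True)
        check_call('sed -e \"s?BINFILE1?u-boot.bin.new?\" -e \"s?BINFILE2?u-boot.env.new?\" %s > %s' %
                   (quote(u_boot_config.source_dir +
                          '/test/py/tests/test_efi_capsule/uboot_bin_env.its'),
                    quote(data_dir + '/uboot_bin_env.its')),
                   shell=True)
        check_call('cd %s; %s -f uboot_bin_env.its uboot_bin_env.itb' %
                   (data_q, mkimage),
                   shell=True)

        # Unsigned capsules: (--index, --guid, payload, output capsule)
        for index, guid, payload, capsule in (
                (1, '09D7CF52-0720-4710-91D1-08469B7FE9C8',
                 'u-boot.bin.new', 'Test01'),
                (2, '5A7021F5-FEF2-48B4-AABA-832E777418C0',
                 'u-boot.env.new', 'Test02'),
                (1, '058B7D83-50D5-4C47-A195-60D86AD341C4',
                 'u-boot.bin.new', 'Test03'),
                (1, '3673B45D-6A7C-46F3-9E60-ADABB03F7937',
                 'uboot_bin_env.itb', 'Test04'),
                (1, '058B7D83-50D5-4C47-A195-60D86AD341C4',
                 'uboot_bin_env.itb', 'Test05'),
        ):
            check_call('cd %s; %s --index %d --guid %s %s %s' %
                       (data_q, mkeficapsule, index, guid, payload, capsule),
                       shell=True)

        if capsule_auth_enabled:
            # Signed capsules: (signer, --guid, payload, output capsule)
            for signer, guid, payload, capsule in (
                    # raw firmware signed with proper key
                    ('SIGNER', '09D7CF52-0720-4710-91D1-08469B7FE9C8',
                     'u-boot.bin.new', 'Test11'),
                    # raw firmware signed with *mal* key
                    ('SIGNER2', '09D7CF52-0720-4710-91D1-08469B7FE9C8',
                     'u-boot.bin.new', 'Test12'),
                    # FIT firmware signed with proper key
                    ('SIGNER', '3673B45D-6A7C-46F3-9E60-ADABB03F7937',
                     'uboot_bin_env.itb', 'Test13'),
                    # FIT firmware signed with *mal* key
                    ('SIGNER2', '3673B45D-6A7C-46F3-9E60-ADABB03F7937',
                     'uboot_bin_env.itb', 'Test14'),
            ):
                check_call('cd %s; '
                           '%s --index 1 --monotonic-count 1 '
                           '--private-key %s.key --certificate %s.crt '
                           '--guid %s '
                           '%s %s'
                           % (data_q, mkeficapsule, signer, signer, guid,
                              payload, capsule),
                           shell=True)

        # Create a disk image with EFI system partition
        check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
                   (mnt_q, image_q), shell=True)
        check_call('sgdisk %s -A 1:set:0 -t 1:C12A7328-F81F-11D2-BA4B-00A0C93EC93B' %
                   image_q, shell=True)

    except CalledProcessError as exception:
        # pytest.skip() raises, so nothing after it in this branch would run;
        # the finally clause still performs the cleanup.
        pytest.skip('Setup failed: %s' % exception.cmd)
    else:
        yield image_path
    finally:
        # Best-effort cleanup: call() ignores the exit status on purpose.
        call('rm -rf %s' % mnt_q, shell=True)
        call('rm -f %s' % image_q, shell=True)
        call('rm -f ./spi.bin', shell=True)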