1 # SPDX-License-Identifier: GPL-2.0+
2 # Copyright (c) 2020, Linaro Limited
3 # Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
5 """Fixture for UEFI capsule test
8 from subprocess import call, check_call, CalledProcessError
10 from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR, EFITOOLS_PATH
12 @pytest.fixture(scope='session')
13 def efi_capsule_data(request, u_boot_config):
14 """Set up a file system to be used in UEFI capsule and authentication test
15 and return a ath to disk image to be used for testing
17 request -- Pytest request object.
18 u_boot_config -- U-boot configuration.
21 mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
22 data_dir = mnt_point + CAPSULE_DATA_DIR
23 install_dir = mnt_point + CAPSULE_INSTALL_DIR
24 image_path = u_boot_config.persistent_data_dir + '/test_efi_capsule.img'
27 # Create a target device
28 check_call('dd if=/dev/zero of=./spi.bin bs=1MiB count=16', shell=True)
30 check_call('rm -rf %s' % mnt_point, shell=True)
31 check_call('mkdir -p %s' % data_dir, shell=True)
32 check_call('mkdir -p %s' % install_dir, shell=True)
34 capsule_auth_enabled = u_boot_config.buildconfig.get(
35 'config_efi_capsule_authenticate')
36 if capsule_auth_enabled:
37 # Create private key (SIGNER.key) and certificate (SIGNER.crt)
39 'openssl req -x509 -sha256 -newkey rsa:2048 '
40 '-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
41 '-out SIGNER.crt -nodes -days 365'
42 % data_dir, shell=True)
43 check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
44 % (data_dir, EFITOOLS_PATH), shell=True)
46 # Update dtb adding capsule certificate
48 'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
49 % (data_dir, u_boot_config.source_dir), shell=True)
51 'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
52 'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
53 '-o test_sig.dtb signature.dtbo'
54 % (data_dir, u_boot_config.build_dir), shell=True)
56 # Create *malicious* private key (SIGNER2.key) and certificate
59 'openssl req -x509 -sha256 -newkey rsa:2048 '
60 '-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
61 '-out SIGNER2.crt -nodes -days 365'
62 % data_dir, shell=True)
64 # Create capsule files
65 # two regions: one for u-boot.bin and the other for u-boot.env
66 check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old > u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
68 check_call('sed -e \"s?BINFILE1?u-boot.bin.new?\" -e \"s?BINFILE2?u-boot.env.new?\" %s/test/py/tests/test_efi_capsule/uboot_bin_env.its > %s/uboot_bin_env.its' %
69 (u_boot_config.source_dir, data_dir),
71 check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' %
72 (data_dir, u_boot_config.build_dir),
74 check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 u-boot.bin.new Test01' %
75 (data_dir, u_boot_config.build_dir),
77 check_call('cd %s; %s/tools/mkeficapsule --index 2 --guid 5A7021F5-FEF2-48B4-AABA-832E777418C0 u-boot.env.new Test02' %
78 (data_dir, u_boot_config.build_dir),
80 check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 u-boot.bin.new Test03' %
81 (data_dir, u_boot_config.build_dir),
83 check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 uboot_bin_env.itb Test04' %
84 (data_dir, u_boot_config.build_dir),
86 check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid 058B7D83-50D5-4C47-A195-60D86AD341C4 uboot_bin_env.itb Test05' %
87 (data_dir, u_boot_config.build_dir),
90 if capsule_auth_enabled:
91 # raw firmware signed with proper key
93 '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
94 '--private-key SIGNER.key --certificate SIGNER.crt '
95 '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
96 'u-boot.bin.new Test11'
97 % (data_dir, u_boot_config.build_dir),
99 # raw firmware signed with *mal* key
101 '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
102 '--private-key SIGNER2.key '
103 '--certificate SIGNER2.crt '
104 '--guid 09D7CF52-0720-4710-91D1-08469B7FE9C8 '
105 'u-boot.bin.new Test12'
106 % (data_dir, u_boot_config.build_dir),
108 # FIT firmware signed with proper key
110 '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
111 '--private-key SIGNER.key --certificate SIGNER.crt '
112 '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
113 'uboot_bin_env.itb Test13'
114 % (data_dir, u_boot_config.build_dir),
116 # FIT firmware signed with *mal* key
118 '%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
119 '--private-key SIGNER2.key '
120 '--certificate SIGNER2.crt '
121 '--guid 3673B45D-6A7C-46F3-9E60-ADABB03F7937 '
122 'uboot_bin_env.itb Test14'
123 % (data_dir, u_boot_config.build_dir),
126 # Create a disk image with EFI system partition
127 check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %
128 (mnt_point, image_path), shell=True)
129 check_call('sgdisk %s -A 1:set:0 -t 1:C12A7328-F81F-11D2-BA4B-00A0C93EC93B' %
130 image_path, shell=True)
132 except CalledProcessError as exception:
133 pytest.skip('Setup failed: %s' % exception.cmd)
138 call('rm -rf %s' % mnt_point, shell=True)
139 call('rm -f %s' % image_path, shell=True)
140 call('rm -f ./spi.bin', shell=True)