# SPDX-License-Identifier: GPL-2.0+
# Copyright (c) 2019, Linaro Limited
# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>

# U-Boot UEFI: Variable Authentication Test

"""
This test verifies variable authentication
"""
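# NOTE(review): the decorators below need "import pytest" at module level;
# that import line is not visible in this listing.
@pytest.mark.boardspec('sandbox')
@pytest.mark.buildconfigspec('efi_secure_boot')
@pytest.mark.buildconfigspec('cmd_fat')
@pytest.mark.buildconfigspec('cmd_nvedit_efi')
class TestEfiAuthVar(object):
    """Check that the UEFI secure boot variables only accept authenticated writes.

    Each test restarts U-Boot, binds the disk image supplied by the
    ``efi_boot_env`` fixture as host device 0, loads a payload from it to
    address 4000000 and tries to write PK, KEK, db or dbx with ``setenv -e``.
    The sub-cases of a test share one U-Boot instance and depend on the
    state left by the sub-cases before them.

    ``setenv -e`` options used below: ``-nv`` non-volatile, ``-bs``
    boot-service access, ``-rt`` runtime access, ``-at`` time-based
    authenticated write access, ``-a`` append write, ``-i addr:size`` take
    the value from memory. db and dbx are read back with the image security
    database GUID (d719b2cb-3d3a-4596-a3bc-dad00e67656f).

    NOTE(review): most rejection cases only check for the error message.
    Only Test Cases 4a, 4b and 5a read the variable back after a rejected
    write; the others would not notice a write that reports failure but
    still changes the variable. Likewise the accepted overwrite/append in
    Test Cases 2c and 3c only checks that ``db`` exists, which was already
    true before the write.
    """

    # Console message expected for every rejected write. Kept in one place
    # so that a typo cannot silently turn a "not in" assertion into a no-op.
    _SET_FAILED = 'Failed to set EFI variable'

    def test_efi_var_auth1(self, u_boot_console, efi_boot_env):
        """
        Test Case 1 - Install signature database

        Starts in setup mode (SecureBoot 0, SetupMode 1), installs PK, KEK,
        db and dbx in that order, and checks that every write without -at,
        and db/dbx writes before KEK exists, are rejected.
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 1a'):
            # Test Case 1a, Initial secure state
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'printenv -e SecureBoot'])
            assert '00000000: 00' in ''.join(output)

            output = u_boot_console.run_command(
                'printenv -e SetupMode')
            assert '00000000: 01' in output

        with u_boot_console.log.section('Test Case 1b'):
            # Test Case 1b, PK without AUTHENTICATED_WRITE_ACCESS
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -i 4000000:$filesize PK'])
            assert self._SET_FAILED in ''.join(output)

        with u_boot_console.log.section('Test Case 1c'):
            # Test Case 1c, install PK
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                # NOTE(review): this entry was missing from the listing (the
                # list was left unclosed). Restored by analogy with the KEK
                # install in Test Case 1e so the 'PK:' check has output to
                # match; confirm against the upstream file.
                'printenv -e -n PK'])
            assert 'PK:' in ''.join(output)

            # Enrolling PK is expected to leave setup mode and turn
            # secure boot on.
            output = u_boot_console.run_command(
                'printenv -e SecureBoot')
            assert '00000000: 01' in output
            output = u_boot_console.run_command(
                'printenv -e SetupMode')
            assert '00000000: 00' in output

        with u_boot_console.log.section('Test Case 1d'):
            # Test Case 1d, db/dbx without KEK
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db'])
            assert self._SET_FAILED in ''.join(output)

            # NOTE(review): this loads db.auth but writes 'dbx'. If the
            # signature in the .auth payload is bound to the variable name
            # (as UEFI time-based authenticated writes are), the rejection
            # may come from the name mismatch rather than from the missing
            # KEK. dbx.auth (used in Test Case 1g) would isolate the KEK
            # check; left unchanged here, confirm against the fixture.
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
            assert self._SET_FAILED in ''.join(output)

        with u_boot_console.log.section('Test Case 1e'):
            # Test Case 1e, install KEK
            # First without -at: must be rejected.
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -i 4000000:$filesize KEK'])
            assert self._SET_FAILED in ''.join(output)

            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                'printenv -e -n KEK'])
            assert 'KEK:' in ''.join(output)

            output = u_boot_console.run_command(
                'printenv -e SecureBoot')
            assert '00000000: 01' in output

        with u_boot_console.log.section('Test Case 1f'):
            # Test Case 1f, install db
            # First without -at: must be rejected.
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db.auth',
                'setenv -e -nv -bs -rt -i 4000000:$filesize db'])
            assert self._SET_FAILED in ''.join(output)

            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
            joined = ''.join(output)
            assert self._SET_FAILED not in joined
            assert 'db:' in joined

            output = u_boot_console.run_command(
                'printenv -e SecureBoot')
            assert '00000000: 01' in output

        with u_boot_console.log.section('Test Case 1g'):
            # Test Case 1g, install dbx
            # First without -at: must be rejected.
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 dbx.auth',
                'setenv -e -nv -bs -rt -i 4000000:$filesize dbx'])
            assert self._SET_FAILED in ''.join(output)

            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 dbx.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
                'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f dbx'])
            joined = ''.join(output)
            assert self._SET_FAILED not in joined
            assert 'dbx:' in joined

            output = u_boot_console.run_command(
                'printenv -e SecureBoot')
            assert '00000000: 01' in output

    def test_efi_var_auth2(self, u_boot_console, efi_boot_env):
        """
        Test Case 2 - Update database by overwriting

        Installs PK, KEK and db, then checks that overwriting db is rejected
        without -at and with the db.esl payload, and accepted with db1.auth.
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 2a'):
            # Test Case 2a, update without AUTHENTICATED_WRITE_ACCESS
            # Set-up: enroll PK, KEK and db with authenticated writes.
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                'fatload host 0:1 4000000 db.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
            joined = ''.join(output)
            assert self._SET_FAILED not in joined
            assert 'db:' in joined

            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db1.auth',
                'setenv -e -nv -bs -rt -i 4000000:$filesize db'])
            assert self._SET_FAILED in ''.join(output)

        with u_boot_console.log.section('Test Case 2b'):
            # Test Case 2b, update without correct signature
            # (db.esl is presumably the bare signature list with no
            # authentication header; verify against the fixture)
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db.esl',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db'])
            assert self._SET_FAILED in ''.join(output)

        with u_boot_console.log.section('Test Case 2c'):
            # Test Case 2c, update with correct signature
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db1.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
            joined = ''.join(output)
            assert self._SET_FAILED not in joined
            # 'db:' was already present before this write, so this shows the
            # write was accepted, not that the content changed.
            assert 'db:' in joined

    def test_efi_var_auth3(self, u_boot_console, efi_boot_env):
        """
        Test Case 3 - Append database

        Same as Test Case 2, but every db update carries -a (append write).
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 3a'):
            # Test Case 3a, append without AUTHENTICATED_WRITE_ACCESS
            # Set-up: enroll PK, KEK and db with authenticated writes.
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                'fatload host 0:1 4000000 db.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
            joined = ''.join(output)
            assert self._SET_FAILED not in joined
            assert 'db:' in joined

            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db1.auth',
                'setenv -e -nv -bs -rt -a -i 4000000:$filesize db'])
            assert self._SET_FAILED in ''.join(output)

        with u_boot_console.log.section('Test Case 3b'):
            # Test Case 3b, append without correct signature
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db.esl',
                'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db'])
            assert self._SET_FAILED in ''.join(output)

        with u_boot_console.log.section('Test Case 3c'):
            # Test Case 3c, append with correct signature
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db1.auth',
                'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
                'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
            joined = ''.join(output)
            assert self._SET_FAILED not in joined
            # 'db:' was already present before this write, so this shows the
            # append was accepted, not that an entry was added.
            assert 'db:' in joined

    def test_efi_var_auth4(self, u_boot_console, efi_boot_env):
        """
        Test Case 4 - Delete database without authentication

        Installs PK, KEK and db, then checks that a setenv with no value
        (a delete) is rejected and that db is still defined afterwards.
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 4a'):
            # Test Case 4a, delete without AUTHENTICATED_WRITE_ACCESS
            # Set-up: enroll PK, KEK and db with authenticated writes.
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                'fatload host 0:1 4000000 db.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
            joined = ''.join(output)
            assert self._SET_FAILED not in joined
            assert 'db:' in joined

            # The read-back confirms db survived the rejected delete.
            output = u_boot_console.run_command_list([
                'setenv -e -nv -bs -rt db',
                'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
            joined = ''.join(output)
            assert self._SET_FAILED in joined
            assert 'db:' in joined

        with u_boot_console.log.section('Test Case 4b'):
            # Test Case 4b, delete with -at but without signature/data
            output = u_boot_console.run_command_list([
                'setenv -e -nv -bs -rt -at db',
                'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db'])
            joined = ''.join(output)
            assert self._SET_FAILED in joined
            assert 'db:' in joined

    def test_efi_var_auth5(self, u_boot_console, efi_boot_env):
        """
        Test Case 5 - Uninstall(delete) PK

        Installs PK, KEK and db, checks that PK_null.esl cannot remove PK,
        then removes it with PK_null.auth and checks that the platform is
        back in setup mode with secure boot off.
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 5a'):
            # Test Case 5a, Uninstall PK without correct signature
            # Set-up: enroll PK, KEK and db with authenticated writes.
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                'fatload host 0:1 4000000 db.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'printenv -e -n PK'])
            joined = ''.join(output)
            assert self._SET_FAILED not in joined
            assert 'PK:' in joined

            # The read-back confirms PK survived the rejected write.
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 PK_null.esl',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                'printenv -e -n PK'])
            joined = ''.join(output)
            assert self._SET_FAILED in joined
            assert 'PK:' in joined

        with u_boot_console.log.section('Test Case 5b'):
            # Test Case 5b, Uninstall PK with correct signature
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 PK_null.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
                'printenv -e -n PK'])
            joined = ''.join(output)
            assert self._SET_FAILED not in joined
            assert '"PK" not defined' in joined

            # With PK gone, secure boot is expected off and setup mode on,
            # the same state Test Case 1a starts from.
            output = u_boot_console.run_command(
                'printenv -e SecureBoot')
            assert '00000000: 00' in output
            output = u_boot_console.run_command(
                'printenv -e SetupMode')
            assert '00000000: 01' in output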