# SPDX-License-Identifier: GPL-2.0+
# Copyright (c) 2019, Linaro Limited
# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
#
# U-Boot UEFI: Signed Image Authentication Test

"""
This test verifies image authentication for signed images.
"""
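@pytest.mark.boardspec('sandbox')
@pytest.mark.buildconfigspec('efi_secure_boot')
@pytest.mark.buildconfigspec('cmd_efidebug')
@pytest.mark.buildconfigspec('cmd_fat')
@pytest.mark.buildconfigspec('cmd_nvedit_efi')
class TestEfiSignedImage(object):
    """Check UEFI image authentication against the db and dbx variables.

    Each test drives the U-Boot console: it binds the disk image supplied by
    the efi_boot_env fixture, writes signature databases with 'setenv -e',
    selects a boot entry and checks the console output.

    NOTE(review): the listing this class was taken from dropped the line
    that closes every command list ending in 'efidebug boot next N'. The
    launch step 'bootefi bootmgr' is restored there; confirm it against the
    upstream file.
    """

    def test_efi_signed_image_auth1(self, u_boot_console, efi_boot_env):
        """
        Test Case 1 - authenticated by db

        1a/1b establish the baseline: with no db/dbx written, both the
        signed and the unsigned image run. 1c writes db, KEK and PK and
        expects the unsigned image to be refused. 1d expects the signed
        image to keep running with the same keys in place.
        """
        # Start from a fresh U-Boot instance.
        # NOTE(review): presumably this also discards EFI variables written
        # by an earlier test; confirm for the sandbox board.
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 1a'):
            # Test Case 1a, run signed image if no db/dbx
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""',
                'efidebug boot next 1',
                'bootefi bootmgr'])
            assert 'Hello, world!' in ''.join(output)

        with u_boot_console.log.section('Test Case 1b'):
            # Test Case 1b, run unsigned image if no db/dbx
            # Nothing is enforced yet, so the unsigned binary is expected to
            # run; 1c shows that this stops once the keys are written.
            output = u_boot_console.run_command_list([
                'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""',
                'efidebug boot next 2',
                'bootefi bootmgr'])
            assert 'Hello, world!' in ''.join(output)

        with u_boot_console.log.section('Test Case 1c'):
            # Test Case 1c, not authenticated by db
            # Each .auth file is loaded at 4000000 and written with
            # 'setenv -e ... -at -i <addr>,$filesize'; PK is written last.
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
            # NOTE(review): only this one message is looked for; a failure
            # reported with different wording would go unnoticed here.
            assert 'Failed to set EFI variable' not in ''.join(output)
            output = u_boot_console.run_command_list([
                'efidebug boot next 2',
                'bootefi bootmgr'])
            assert '\'HELLO2\' failed' in ''.join(output)
            # Second attempt through 'efidebug test bootmgr', whose output
            # carries the efi_start_image() status.
            output = u_boot_console.run_command_list([
                'efidebug boot next 2',
                'efidebug test bootmgr'])
            text = ''.join(output)
            # 26 is EFI_SECURITY_VIOLATION in the UEFI status-code table.
            assert 'efi_start_image() returned: 26' in text
            # The status alone is not enough: the image must not have
            # printed anything either.
            assert 'Hello, world!' not in text

        with u_boot_console.log.section('Test Case 1d'):
            # Test Case 1d, authenticated by db
            output = u_boot_console.run_command_list([
                'efidebug boot next 1',
                'bootefi bootmgr'])
            assert 'Hello, world!' in ''.join(output)

    def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env):
        """
        Test Case 2 - rejected by dbx

        2a writes the contents of db.auth into dbx and expects the signed
        image to be refused. 2b then writes the same file into db as well
        and expects the refusal to stand, i.e. dbx wins over db.
        """
        # Start from a fresh U-Boot instance.
        # NOTE(review): presumably this also discards EFI variables written
        # by an earlier test; confirm for the sandbox board.
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 2a'):
            # Test Case 2a, rejected by dbx
            # db.auth is deliberately written to dbx here, so the entry that
            # authorises the image in Test Case 1 now denies it.
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 db.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
            # NOTE(review): only this one message is looked for; a failure
            # reported with different wording would go unnoticed here.
            assert 'Failed to set EFI variable' not in ''.join(output)
            output = u_boot_console.run_command_list([
                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
                'efidebug boot next 1',
                'bootefi bootmgr'])
            assert '\'HELLO\' failed' in ''.join(output)
            output = u_boot_console.run_command_list([
                'efidebug boot next 1',
                'efidebug test bootmgr'])
            text = ''.join(output)
            # 26 is EFI_SECURITY_VIOLATION in the UEFI status-code table.
            assert 'efi_start_image() returned: 26' in text
            assert 'Hello, world!' not in text

        with u_boot_console.log.section('Test Case 2b'):
            # Test Case 2b, rejected by dbx even if db allows
            # The same file now sits in both db and dbx; the image must
            # still be refused.
            output = u_boot_console.run_command_list([
                'fatload host 0:1 4000000 db.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
            assert 'Failed to set EFI variable' not in ''.join(output)
            output = u_boot_console.run_command_list([
                'efidebug boot next 1',
                'bootefi bootmgr'])
            assert '\'HELLO\' failed' in ''.join(output)
            output = u_boot_console.run_command_list([
                'efidebug boot next 1',
                'efidebug test bootmgr'])
            text = ''.join(output)
            assert 'efi_start_image() returned: 26' in text
            assert 'Hello, world!' not in text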