1 # SPDX-License-Identifier: GPL-2.0+
2 # Copyright (c) 2019, Linaro Limited
3 # Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
5 # U-Boot UEFI: Signed Image Authentication Test
8 This test verifies image authentication for signed images.
14 @pytest.mark.boardspec('sandbox')
15 @pytest.mark.buildconfigspec('efi_secure_boot')
16 @pytest.mark.buildconfigspec('cmd_efidebug')
17 @pytest.mark.buildconfigspec('cmd_fat')
18 @pytest.mark.buildconfigspec('cmd_nvedit_efi')
20 class TestEfiSignedImage(object):
21 def test_efi_signed_image_auth1(self, u_boot_console, efi_boot_env):
23 Test Case 1 - Secure boot is not in force
25 u_boot_console.restart_uboot()
26 disk_img = efi_boot_env
27 with u_boot_console.log.section('Test Case 1a'):
28 # Test Case 1a, run signed image if no PK
29 output = u_boot_console.run_command_list([
30 'host bind 0 %s' % disk_img,
31 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""',
32 'efidebug boot next 1',
34 assert 'Hello, world!' in ''.join(output)
36 with u_boot_console.log.section('Test Case 1b'):
37 # Test Case 1b, run unsigned image if no PK
38 output = u_boot_console.run_command_list([
39 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""',
40 'efidebug boot next 2',
42 assert 'Hello, world!' in ''.join(output)
44 def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env):
46 Test Case 2 - Secure boot is in force,
47 authenticated by db (TEST_db certificate in db)
49 u_boot_console.restart_uboot()
50 disk_img = efi_boot_env
51 with u_boot_console.log.section('Test Case 2a'):
52 # Test Case 2a, db is not yet installed
53 output = u_boot_console.run_command_list([
54 'host bind 0 %s' % disk_img,
55 'fatload host 0:1 4000000 KEK.auth',
56 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
57 'fatload host 0:1 4000000 PK.auth',
58 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
59 assert 'Failed to set EFI variable' not in ''.join(output)
60 output = u_boot_console.run_command_list([
61 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""',
62 'efidebug boot next 1',
63 'efidebug test bootmgr'])
64 assert('\'HELLO1\' failed' in ''.join(output))
65 assert('efi_start_image() returned: 26' in ''.join(output))
66 output = u_boot_console.run_command_list([
67 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""',
68 'efidebug boot next 2',
69 'efidebug test bootmgr'])
70 assert '\'HELLO2\' failed' in ''.join(output)
71 assert 'efi_start_image() returned: 26' in ''.join(output)
73 with u_boot_console.log.section('Test Case 2b'):
74 # Test Case 2b, authenticated by db
75 output = u_boot_console.run_command_list([
76 'fatload host 0:1 4000000 db.auth',
77 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
78 assert 'Failed to set EFI variable' not in ''.join(output)
79 output = u_boot_console.run_command_list([
80 'efidebug boot next 2',
81 'efidebug test bootmgr'])
82 assert '\'HELLO2\' failed' in ''.join(output)
83 assert 'efi_start_image() returned: 26' in ''.join(output)
84 output = u_boot_console.run_command_list([
85 'efidebug boot next 1',
87 assert 'Hello, world!' in ''.join(output)
89 def test_efi_signed_image_auth3(self, u_boot_console, efi_boot_env):
91 Test Case 3 - rejected by dbx (TEST_db certificate in dbx)
93 u_boot_console.restart_uboot()
94 disk_img = efi_boot_env
95 with u_boot_console.log.section('Test Case 3a'):
96 # Test Case 3a, rejected by dbx
97 output = u_boot_console.run_command_list([
98 'host bind 0 %s' % disk_img,
99 'fatload host 0:1 4000000 db.auth',
100 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
101 'fatload host 0:1 4000000 KEK.auth',
102 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
103 'fatload host 0:1 4000000 PK.auth',
104 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
105 assert 'Failed to set EFI variable' not in ''.join(output)
106 output = u_boot_console.run_command_list([
107 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
108 'efidebug boot next 1',
109 'efidebug test bootmgr'])
110 assert '\'HELLO\' failed' in ''.join(output)
111 assert 'efi_start_image() returned: 26' in ''.join(output)
113 with u_boot_console.log.section('Test Case 3b'):
114 # Test Case 3b, rejected by dbx even if db allows
115 output = u_boot_console.run_command_list([
116 'fatload host 0:1 4000000 db.auth',
117 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
118 assert 'Failed to set EFI variable' not in ''.join(output)
119 output = u_boot_console.run_command_list([
120 'efidebug boot next 1',
121 'efidebug test bootmgr'])
122 assert '\'HELLO\' failed' in ''.join(output)
123 assert 'efi_start_image() returned: 26' in ''.join(output)
125 def test_efi_signed_image_auth4(self, u_boot_console, efi_boot_env):
127 Test Case 4 - revoked by dbx (digest of TEST_db certificate in dbx)
129 u_boot_console.restart_uboot()
130 disk_img = efi_boot_env
131 with u_boot_console.log.section('Test Case 4'):
132 # Test Case 4, rejected by dbx
133 output = u_boot_console.run_command_list([
134 'host bind 0 %s' % disk_img,
135 'fatload host 0:1 4000000 dbx_hash.auth',
136 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
137 'fatload host 0:1 4000000 db.auth',
138 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
139 'fatload host 0:1 4000000 KEK.auth',
140 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
141 'fatload host 0:1 4000000 PK.auth',
142 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
143 assert 'Failed to set EFI variable' not in ''.join(output)
144 output = u_boot_console.run_command_list([
145 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
146 'efidebug boot next 1',
147 'efidebug test bootmgr'])
148 assert '\'HELLO\' failed' in ''.join(output)
149 assert 'efi_start_image() returned: 26' in ''.join(output)
151 def test_efi_signed_image_auth5(self, u_boot_console, efi_boot_env):
153 Test Case 5 - multiple signatures
154 one signed with TEST_db, and
155 one signed with TEST_db1
157 u_boot_console.restart_uboot()
158 disk_img = efi_boot_env
159 with u_boot_console.log.section('Test Case 5a'):
160 # Test Case 5a, rejected if any of signatures is not verified
161 output = u_boot_console.run_command_list([
162 'host bind 0 %s' % disk_img,
163 'fatload host 0:1 4000000 db.auth',
164 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
165 'fatload host 0:1 4000000 KEK.auth',
166 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
167 'fatload host 0:1 4000000 PK.auth',
168 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
169 assert 'Failed to set EFI variable' not in ''.join(output)
170 output = u_boot_console.run_command_list([
171 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
172 'efidebug boot next 1',
173 'efidebug test bootmgr'])
174 assert '\'HELLO\' failed' in ''.join(output)
175 assert 'efi_start_image() returned: 26' in ''.join(output)
177 with u_boot_console.log.section('Test Case 5b'):
178 # Test Case 5b, authenticated if both signatures are verified
179 output = u_boot_console.run_command_list([
180 'fatload host 0:1 4000000 db1.auth',
181 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db'])
182 assert 'Failed to set EFI variable' not in ''.join(output)
183 output = u_boot_console.run_command_list([
184 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
185 'efidebug boot next 1',
187 assert 'Hello, world!' in ''.join(output)
189 with u_boot_console.log.section('Test Case 5c'):
190 # Test Case 5c, rejected if any of signatures is revoked
191 output = u_boot_console.run_command_list([
192 'fatload host 0:1 4000000 dbx_hash1.auth',
193 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
194 assert 'Failed to set EFI variable' not in ''.join(output)
195 output = u_boot_console.run_command_list([
196 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
197 'efidebug boot next 1',
198 'efidebug test bootmgr'])
199 assert '\'HELLO\' failed' in ''.join(output)
200 assert 'efi_start_image() returned: 26' in ''.join(output)
202 def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
204 Test Case 6 - using digest of signed image in database
206 u_boot_console.restart_uboot()
207 disk_img = efi_boot_env
208 with u_boot_console.log.section('Test Case 6a'):
209 # Test Case 6a, verified by image's digest in db
210 output = u_boot_console.run_command_list([
211 'host bind 0 %s' % disk_img,
212 'fatload host 0:1 4000000 db_hello_signed.auth',
213 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
214 'fatload host 0:1 4000000 KEK.auth',
215 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
216 'fatload host 0:1 4000000 PK.auth',
217 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
218 assert 'Failed to set EFI variable' not in ''.join(output)
219 output = u_boot_console.run_command_list([
220 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
221 'efidebug boot next 1',
223 assert 'Hello, world!' in ''.join(output)
225 with u_boot_console.log.section('Test Case 6b'):
226 # Test Case 6b, rejected by TEST_db certificate in dbx
227 output = u_boot_console.run_command_list([
228 'fatload host 0:1 4000000 dbx_db.auth',
229 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
230 assert 'Failed to set EFI variable' not in ''.join(output)
231 output = u_boot_console.run_command_list([
232 'efidebug boot next 1',
233 'efidebug test bootmgr'])
234 assert '\'HELLO\' failed' in ''.join(output)
235 assert 'efi_start_image() returned: 26' in ''.join(output)
237 with u_boot_console.log.section('Test Case 6c'):
238 # Test Case 6c, rejected by image's digest in dbx
239 output = u_boot_console.run_command_list([
240 'fatload host 0:1 4000000 db.auth',
241 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
242 'fatload host 0:1 4000000 dbx_hello_signed.auth',
243 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
244 assert 'Failed to set EFI variable' not in ''.join(output)
245 output = u_boot_console.run_command_list([
246 'efidebug boot next 1',
247 'efidebug test bootmgr'])
248 assert '\'HELLO\' failed' in ''.join(output)
249 assert 'efi_start_image() returned: 26' in ''.join(output)