1 # SPDX-License-Identifier: GPL-2.0+
2 # Copyright (c) 2019, Linaro Limited
3 # Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
5 # U-Boot UEFI: Signed Image Authentication Test
8 This test verifies image authentication for signed images.
15 @pytest.mark.boardspec('sandbox')
16 @pytest.mark.buildconfigspec('efi_secure_boot')
17 @pytest.mark.buildconfigspec('cmd_efidebug')
18 @pytest.mark.buildconfigspec('cmd_fat')
19 @pytest.mark.buildconfigspec('cmd_nvedit_efi')
21 class TestEfiSignedImage(object):
22 def test_efi_signed_image_auth1(self, u_boot_console, efi_boot_env):
24 Test Case 1 - authenticated by db
26 u_boot_console.restart_uboot()
27 disk_img = efi_boot_env
28 with u_boot_console.log.section('Test Case 1a'):
29 # Test Case 1a, run signed image if no db/dbx
30 output = u_boot_console.run_command_list([
31 'host bind 0 %s' % disk_img,
32 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""',
33 'efidebug boot next 1',
35 assert('Hello, world!' in ''.join(output))
37 with u_boot_console.log.section('Test Case 1b'):
38 # Test Case 1b, run unsigned image if no db/dbx
39 output = u_boot_console.run_command_list([
40 'efidebug boot add 2 HELLO2 host 0:1 /helloworld.efi ""',
41 'efidebug boot next 2',
43 assert('Hello, world!' in ''.join(output))
45 with u_boot_console.log.section('Test Case 1c'):
46 # Test Case 1c, not authenticated by db
47 output = u_boot_console.run_command_list([
48 'fatload host 0:1 4000000 db.auth',
49 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db',
50 'fatload host 0:1 4000000 KEK.auth',
51 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
52 'fatload host 0:1 4000000 PK.auth',
53 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
54 assert(not 'Failed to set EFI variable' in ''.join(output))
55 output = u_boot_console.run_command_list([
56 'efidebug boot next 2',
58 assert('\'HELLO2\' failed' in ''.join(output))
59 output = u_boot_console.run_command_list([
60 'efidebug boot next 2',
61 'efidebug test bootmgr'])
62 assert('efi_start_image() returned: 26' in ''.join(output))
63 assert(not 'Hello, world!' in ''.join(output))
65 with u_boot_console.log.section('Test Case 1d'):
66 # Test Case 1d, authenticated by db
67 output = u_boot_console.run_command_list([
68 'efidebug boot next 1',
70 assert('Hello, world!' in ''.join(output))
72 def test_efi_signed_image_auth2(self, u_boot_console, efi_boot_env):
74 Test Case 2 - rejected by dbx
76 u_boot_console.restart_uboot()
77 disk_img = efi_boot_env
78 with u_boot_console.log.section('Test Case 2a'):
79 # Test Case 2a, rejected by dbx
80 output = u_boot_console.run_command_list([
81 'host bind 0 %s' % disk_img,
82 'fatload host 0:1 4000000 db.auth',
83 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx',
84 'fatload host 0:1 4000000 KEK.auth',
85 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK',
86 'fatload host 0:1 4000000 PK.auth',
87 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK'])
88 assert(not 'Failed to set EFI variable' in ''.join(output))
89 output = u_boot_console.run_command_list([
90 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""',
91 'efidebug boot next 1',
93 assert('\'HELLO\' failed' in ''.join(output))
94 output = u_boot_console.run_command_list([
95 'efidebug boot next 1',
96 'efidebug test bootmgr'])
97 assert('efi_start_image() returned: 26' in ''.join(output))
98 assert(not 'Hello, world!' in ''.join(output))
100 with u_boot_console.log.section('Test Case 2b'):
101 # Test Case 2b, rejected by dbx even if db allows
102 output = u_boot_console.run_command_list([
103 'fatload host 0:1 4000000 db.auth',
104 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db'])
105 assert(not 'Failed to set EFI variable' in ''.join(output))
106 output = u_boot_console.run_command_list([
107 'efidebug boot next 1',
109 assert('\'HELLO\' failed' in ''.join(output))
110 output = u_boot_console.run_command_list([
111 'efidebug boot next 1',
112 'efidebug test bootmgr'])
113 assert('efi_start_image() returned: 26' in ''.join(output))
114 assert(not 'Hello, world!' in ''.join(output))