1 # SPDX-License-Identifier: GPL-2.0+
2 # Copyright (c) 2016, Google Inc.
4 # U-Boot Verified Boot Test
7 This tests verified boot in the following ways:
9 For image verification:
10 - Create FIT (unsigned) with mkimage
11 - Check that verification shows that no keys are verified
13 - Check that verification shows that a key is now verified
15 For configuration verification:
16 - Corrupt signature and check for failure
17 - Create FIT (with unsigned configuration) with mkimage
18 - Check that image verification works
19 - Sign the FIT and mark the key as 'required' for verification
20 - Check that image verification works
21 - Corrupt the signature
22 - Check that image verification no-longer works
24 Tests run with both SHA1 and SHA256 hashing.
29 import u_boot_utils as util
31 @pytest.mark.boardspec('sandbox')
32 @pytest.mark.buildconfigspec('fit_signature')
33 @pytest.mark.requiredtool('dtc')
34 @pytest.mark.requiredtool('fdtget')
35 @pytest.mark.requiredtool('fdtput')
36 @pytest.mark.requiredtool('openssl')
37 def test_vboot(u_boot_console):
38 """Test verified boot signing with mkimage and verification with 'bootm'.
40 This works using sandbox only as it needs to update the device tree used
41 by U-Boot to hold public keys from the signing process.
43 The SHA1 and SHA256 tests are combined into a single test since the
44 key-generation process is quite slow and we want to avoid doing it twice.
47 """Run the device tree compiler to compile a .dts file
49 The output file will be the same as the input file but with a .dtb
53 dts: Device tree file to compile.
55 dtb = dts.replace('.dts', '.dtb')
56 util.run_and_log(cons, 'dtc %s %s%s -O dtb '
57 '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb))
59 def run_bootm(sha_algo, test_type, expect_string, boots):
60 """Run a 'bootm' command U-Boot.
62 This always starts a fresh U-Boot instance since the device tree may
63 contain a new public key.
66 test_type: A string identifying the test type.
67 expect_string: A string which is expected in the output.
68 sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
70 boots: A boolean that is True if Linux should boot and False if
71 we are expected to not boot
74 with cons.log.section('Verified boot %s %s' % (sha_algo, test_type)):
75 output = cons.run_command_list(
76 ['sb load hostfs - 100 %stest.fit' % tmpdir,
79 assert(expect_string in ''.join(output))
81 assert('sandbox: continuing, as we cannot run' in ''.join(output))
84 """Make a new FIT from the .its source file.
86 This runs 'mkimage -f' to create a new FIT.
89 its: Filename containing .its source.
91 util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
92 '%s%s' % (datadir, its), fit])
94 def sign_fit(sha_algo):
97 Signs the FIT and writes the signature into it. It also writes the
98 public key into the dtb.
101 sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
104 cons.log.action('%s: Sign images' % sha_algo)
105 util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
108 def test_with_algo(sha_algo):
109 """Test verified boot with the given hash algorithm.
111 This is the main part of the test code. The same procedure is followed
112 for both hashing algorithms.
115 sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
118 # Compile our device tree files for kernel and U-Boot. These are
119 # regenerated here since mkimage will modify them (by adding a
121 dtc('sandbox-kernel.dts')
122 dtc('sandbox-u-boot.dts')
124 # Build the FIT, but don't sign anything yet
125 cons.log.action('%s: Test FIT with signed images' % sha_algo)
126 make_fit('sign-images-%s.its' % sha_algo)
127 run_bootm(sha_algo, 'unsigned images', 'dev-', True)
129 # Sign images with our dev keys
131 run_bootm(sha_algo, 'signed images', 'dev+', True)
133 # Create a fresh .dtb without the public keys
134 dtc('sandbox-u-boot.dts')
136 cons.log.action('%s: Test FIT with signed configuration' % sha_algo)
137 make_fit('sign-configs-%s.its' % sha_algo)
138 run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
140 # Sign images with our dev keys
142 run_bootm(sha_algo, 'signed config', 'dev+', True)
144 cons.log.action('%s: Check signed config on the host' % sha_algo)
146 util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
149 # Increment the first byte of the signature, which should cause failure
150 sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
152 byte_list = sig.split()
153 byte = int(byte_list[0], 16)
154 byte_list[0] = '%x' % (byte + 1)
155 sig = ' '.join(byte_list)
156 util.run_and_log(cons, 'fdtput -t bx %s %s value %s' %
157 (fit, sig_node, sig))
159 run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False)
161 cons.log.action('%s: Check bad config on the host' % sha_algo)
162 util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
163 '-k', dtb], 1, 'Failed to verify required signature')
165 cons = u_boot_console
166 tmpdir = cons.config.result_dir + '/'
167 tmp = tmpdir + 'vboot.tmp'
168 datadir = cons.config.source_dir + '/test/py/tests/vboot/'
169 fit = '%stest.fit' % tmpdir
170 mkimage = cons.config.build_dir + '/tools/mkimage'
171 fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
172 dtc_args = '-I dts -O dtb -i %s' % tmpdir
173 dtb = '%ssandbox-u-boot.dtb' % tmpdir
174 sig_node = '/configurations/conf@1/signature@1'
176 # Create an RSA key pair
177 public_exponent = 65537
178 util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %sdev.key '
179 '-pkeyopt rsa_keygen_bits:2048 '
180 '-pkeyopt rsa_keygen_pubexp:%d' %
181 (tmpdir, public_exponent))
183 # Create a certificate containing the public key
184 util.run_and_log(cons, 'openssl req -batch -new -x509 -key %sdev.key -out '
185 '%sdev.crt' % (tmpdir, tmpdir))
187 # Create a number kernel image with zeroes
188 with open('%stest-kernel.bin' % tmpdir, 'w') as fd:
189 fd.write(5000 * chr(0))
192 # We need to use our own device tree file. Remember to restore it
194 old_dtb = cons.config.dtb
195 cons.config.dtb = dtb
196 test_with_algo('sha1')
197 test_with_algo('sha256')
199 # Go back to the original U-Boot with the correct dtb.
200 cons.config.dtb = old_dtb