check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key db db1.esl db1.auth'
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
shell=True)
- # db1-update
- check_call('cd %s; %ssign-efi-sig-list -t "2020-04-06" -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth'
- % (mnt_point, EFITOOLS_PATH), shell=True)
# dbx (TEST_dbx certificate)
check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365'
% mnt_point, shell=True)
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
shell=True)
# dbx_hash1 (digest of TEST_db1 certificate)
- check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
+ check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
% (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
shell=True)
# dbx_db (with TEST_db certificate)
u_boot_console.restart_uboot()
disk_img = efi_boot_env
with u_boot_console.log.section('Test Case 5a'):
- # Test Case 5a, rejected if any of signatures is not verified
+ # Test Case 5a, authenticated even if only one of signatures
+ # is verified
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 db.auth',
'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
'efidebug boot next 1',
'efidebug test bootmgr'])
- assert '\'HELLO\' failed' in ''.join(output)
- assert 'efi_start_image() returned: 26' in ''.join(output)
+ assert 'Hello, world!' in ''.join(output)
with u_boot_console.log.section('Test Case 5b'):
# Test Case 5b, authenticated if both signatures are verified
'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db'])
assert 'Failed to set EFI variable' not in ''.join(output)
output = u_boot_console.run_command_list([
- 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
'efidebug boot next 1',
- 'bootefi bootmgr'])
+ 'efidebug test bootmgr'])
assert 'Hello, world!' in ''.join(output)
with u_boot_console.log.section('Test Case 5c'):
- # Test Case 5c, rejected if any of signatures is revoked
+ # Test Case 5c, not rejected if one of signatures (digest of
+ # certificate) is revoked
output = u_boot_console.run_command_list([
- 'fatload host 0:1 4000000 dbx_hash1.auth',
+ 'fatload host 0:1 4000000 dbx_hash.auth',
'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
assert 'Failed to set EFI variable' not in ''.join(output)
output = u_boot_console.run_command_list([
- 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
+ 'efidebug boot next 1',
+ 'efidebug test bootmgr'])
+ assert 'Hello, world!' in ''.join(output)
+
+ with u_boot_console.log.section('Test Case 5d'):
+ # Test Case 5d, rejected if both of signatures are revoked
+ output = u_boot_console.run_command_list([
+ 'fatload host 0:1 4000000 dbx_hash1.auth',
+ 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize dbx'])
+ assert 'Failed to set EFI variable' not in ''.join(output)
+ output = u_boot_console.run_command_list([
'efidebug boot next 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)