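# SPDX-License-Identifier: GPL-2.0+
# Copyright (c) 2020, Linaro Limited
# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
#
# U-Boot UEFI: Image Authentication Test (signature with certificates chain)

"""
This test verifies image authentication for an image that is signed by a
user certificate and carries additional intermediate certificates in its
signature.

Every case enrolls a particular mix of db/dbx contents and then checks
whether the boot manager starts the image or refuses it.

Naming used by the payload files, as far as this file shows: the Test Case 3
comments call the '_b' files "int CA" and the '_c' files "root CA".
Presumably the suffix of helloworld.efi.signed_* lists the certificates
embedded in the signature - confirm against the efi_boot_env_intca fixture.
"""

import pytest

# Console text the tests treat as a refused EFI variable write.
SETVAR_FAILED = 'Failed to set EFI variable'

# Console text for a refused image; 26 is EFI_SECURITY_VIOLATION in the UEFI
# status code table.
IMAGE_REFUSED = 'efi_start_image() returned: 26'

# Banner printed by the test application once it has actually been started.
IMAGE_STARTED = 'Hello, world!'


def _enroll_cmds(*payloads):
    """
    Return the console commands that enroll each (auth_file, variable) pair.

    Each pair becomes a 'fatload' of the .auth file to address 4000000
    followed by a 'setenv -e' that writes it to the named variable with the
    non-volatile, boot-service, runtime and time-based authenticated-write
    attributes (-nv -bs -rt -at).
    """
    commands = []
    for auth_file, variable in payloads:
        commands.append('fatload host 0:1 4000000 %s' % auth_file)
        commands.append(
            'setenv -e -nv -bs -rt -at -i 4000000:$filesize %s' % variable)
    return commands


def _assert_refused(console_text, boot_label):
    """Assert that the boot manager reported *boot_label* as refused."""
    assert '\'%s\' failed' % boot_label in console_text
    assert IMAGE_REFUSED in console_text


@pytest.mark.boardspec('sandbox')
@pytest.mark.buildconfigspec('efi_secure_boot')
@pytest.mark.buildconfigspec('cmd_efidebug')
@pytest.mark.buildconfigspec('cmd_fat')
@pytest.mark.buildconfigspec('cmd_nvedit_efi')
@pytest.mark.slow
class TestEfiSignedImageIntca(object):
    def test_efi_signed_image_intca1(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 1 - authenticated by root CA in db
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env_intca
        with u_boot_console.log.section('Test Case 1a'):
            # Test Case 1a, with no Int CA and not authenticated by root CA.
            # PK is written last in every enrollment list; under UEFI,
            # enrolling PK is what takes the platform out of setup mode.
            console_text = ''.join(u_boot_console.run_command_list(
                ['host bind 0 %s' % disk_img]
                + _enroll_cmds(('db_c.auth', 'db'),
                               ('KEK.auth', 'KEK'),
                               ('PK.auth', 'PK'))))
            assert SETVAR_FAILED not in console_text

            console_text = ''.join(u_boot_console.run_command_list([
                'efidebug boot add 1 HELLO_a host 0:1 /helloworld.efi.signed_a ""',
                'efidebug boot next 1',
                'efidebug test bootmgr']))
            _assert_refused(console_text, 'HELLO_a')

        with u_boot_console.log.section('Test Case 1b'):
            # Test Case 1b, signed and authenticated by root CA
            console_text = ''.join(u_boot_console.run_command_list([
                'efidebug boot add 2 HELLO_ab host 0:1 /helloworld.efi.signed_ab ""',
                'efidebug boot next 2',
                'bootefi bootmgr']))
            assert IMAGE_STARTED in console_text

    def test_efi_signed_image_intca2(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 2 - authenticated by root CA in db
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env_intca
        with u_boot_console.log.section('Test Case 2a'):
            # Test Case 2a: only KEK and PK are enrolled, db is left unset,
            # so nothing can vouch for the image and it must be refused.
            console_text = ''.join(u_boot_console.run_command_list(
                ['host bind 0 %s' % disk_img]
                + _enroll_cmds(('KEK.auth', 'KEK'),
                               ('PK.auth', 'PK'))))
            assert SETVAR_FAILED not in console_text

            console_text = ''.join(u_boot_console.run_command_list([
                'efidebug boot add 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc ""',
                'efidebug boot next 1',
                'efidebug test bootmgr']))
            _assert_refused(console_text, 'HELLO_abc')

        with u_boot_console.log.section('Test Case 2b'):
            # Test Case 2b: db now holds db_b and the image is still expected
            # to be refused.
            # NOTE(review): the reason db_b alone is insufficient is not
            # visible in this file - confirm against the verification code.
            console_text = ''.join(u_boot_console.run_command_list(
                _enroll_cmds(('db_b.auth', 'db'))
                + ['efidebug boot next 1',
                   'efidebug test bootmgr']))
            # Check the db write itself first: with db still unset the image
            # is refused anyway (Test Case 2a), so a failed enrollment must
            # not be able to satisfy the refusal assertions below.
            assert SETVAR_FAILED not in console_text
            _assert_refused(console_text, 'HELLO_abc')

        with u_boot_console.log.section('Test Case 2c'):
            # Test Case 2c, signed and authenticated by root CA
            console_text = ''.join(u_boot_console.run_command_list(
                _enroll_cmds(('db_c.auth', 'db'))
                + ['efidebug boot next 1',
                   'efidebug test bootmgr']))
            assert SETVAR_FAILED not in console_text
            assert IMAGE_STARTED in console_text

    def test_efi_signed_image_intca3(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 3 - revoked by dbx
        """
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env_intca
        with u_boot_console.log.section('Test Case 3a'):
            # Test Case 3a, revoked by int CA in dbx
            console_text = ''.join(u_boot_console.run_command_list(
                ['host bind 0 %s' % disk_img]
                + _enroll_cmds(('dbx_b.auth', 'dbx'),
                               ('db_c.auth', 'db'),
                               ('KEK.auth', 'KEK'),
                               ('PK.auth', 'PK'))))
            assert SETVAR_FAILED not in console_text

            console_text = ''.join(u_boot_console.run_command_list([
                'efidebug boot add 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc ""',
                'efidebug boot next 1',
                'efidebug test bootmgr']))
            assert IMAGE_STARTED in console_text
            # Or,
            # assert '\'HELLO_abc\' failed' in ''.join(output)
            # assert 'efi_start_image() returned: 26' in ''.join(output)
            #
            # NOTE(review): the image is expected to start although dbx
            # carries dbx_b, and the opposite expectation was left commented
            # out above. Which outcome is intended when an intermediate CA is
            # listed in dbx should be settled and pinned here; as written the
            # test documents both and enforces only the permissive one.

        with u_boot_console.log.section('Test Case 3b'):
            # Test Case 3b, revoked by root CA in dbx
            console_text = ''.join(u_boot_console.run_command_list(
                _enroll_cmds(('dbx_c.auth', 'dbx'))
                + ['efidebug boot next 1',
                   'efidebug test bootmgr']))
            assert SETVAR_FAILED not in console_text
            _assert_refused(console_text, 'HELLO_abc')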