xref: /rk3399_rockchip-uboot/test/py/tests/test_vboot.py (revision ac9a23cffc517ac5b8648f97683c66f4e55175f6) 
1# Copyright (c) 2016, Google Inc.
2#
3# SPDX-License-Identifier:	GPL-2.0+
4#
5# U-Boot Verified Boot Test
6
7"""
8This tests verified boot in the following ways:
9
10For image verification:
11- Create FIT (unsigned) with mkimage
12- Check that verification shows that no keys are verified
13- Sign image
14- Check that verification shows that a key is now verified
15
16For configuration verification:
17- Corrupt signature and check for failure
18- Create FIT (with unsigned configuration) with mkimage
19- Check that image verification works
20- Sign the FIT and mark the key as 'required' for verification
21- Check that image verification works
22- Corrupt the signature
23- Check that image verification no-longer works
24
25Tests run with both SHA1 and SHA256 hashing.
26"""
27
28import pytest
29import sys
30import u_boot_utils as util
31
32@pytest.mark.boardspec('sandbox')
33@pytest.mark.buildconfigspec('fit_signature')
34def test_vboot(u_boot_console):
35    """Test verified boot signing with mkimage and verification with 'bootm'.
36
37    This works using sandbox only as it needs to update the device tree used
38    by U-Boot to hold public keys from the signing process.
39
40    The SHA1 and SHA256 tests are combined into a single test since the
41    key-generation process is quite slow and we want to avoid doing it twice.
42    """
43    def dtc(dts):
44        """Run the device tree compiler to compile a .dts file
45
46        The output file will be the same as the input file but with a .dtb
47        extension.
48
49        Args:
50            dts: Device tree file to compile.
51        """
52        dtb = dts.replace('.dts', '.dtb')
53        util.run_and_log(cons, 'dtc %s %s%s -O dtb '
54                         '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb))
55
56    def run_bootm(sha_algo, test_type, expect_string):
57        """Run a 'bootm' command U-Boot.
58
59        This always starts a fresh U-Boot instance since the device tree may
60        contain a new public key.
61
62        Args:
63            test_type: A string identifying the test type.
64            expect_string: A string which is expected in the output.
65            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
66                    use.
67        """
68        cons.cleanup_spawn()
69        cons.ensure_spawned()
70        cons.log.action('%s: Test Verified Boot Run: %s' % (sha_algo, test_type))
71        output = cons.run_command_list(
72            ['sb load hostfs - 100 %stest.fit' % tmpdir,
73             'fdt addr 100',
74             'bootm 100'])
75        assert(expect_string in output)
76
77    def make_fit(its):
78        """Make a new FIT from the .its source file.
79
80        This runs 'mkimage -f' to create a new FIT.
81
82        Args:
83            its: Filename containing .its source.
84        """
85        util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
86                                '%s%s' % (datadir, its), fit])
87
88    def sign_fit(sha_algo):
89        """Sign the FIT
90
91        Signs the FIT and writes the signature into it. It also writes the
92        public key into the dtb.
93
94        Args:
95            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
96                    use.
97        """
98        cons.log.action('%s: Sign images' % sha_algo)
99        util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
100                                '-r', fit])
101
102    def test_with_algo(sha_algo):
103        """Test verified boot with the given hash algorithm.
104
105        This is the main part of the test code. The same procedure is followed
106        for both hashing algorithms.
107
108        Args:
109            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
110                    use.
111        """
112        # Compile our device tree files for kernel and U-Boot. These are
113        # regenerated here since mkimage will modify them (by adding a
114        # public key) below.
115        dtc('sandbox-kernel.dts')
116        dtc('sandbox-u-boot.dts')
117
118        # Build the FIT, but don't sign anything yet
119        cons.log.action('%s: Test FIT with signed images' % sha_algo)
120        make_fit('sign-images-%s.its' % sha_algo)
121        run_bootm(sha_algo, 'unsigned images', 'dev-')
122
123        # Sign images with our dev keys
124        sign_fit(sha_algo)
125        run_bootm(sha_algo, 'signed images', 'dev+')
126
127        # Create a fresh .dtb without the public keys
128        dtc('sandbox-u-boot.dts')
129
130        cons.log.action('%s: Test FIT with signed configuration' % sha_algo)
131        make_fit('sign-configs-%s.its' % sha_algo)
132        run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo)
133
134        # Sign images with our dev keys
135        sign_fit(sha_algo)
136        run_bootm(sha_algo, 'signed config', 'dev+')
137
138        cons.log.action('%s: Check signed config on the host' % sha_algo)
139
140        util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
141                                '-k', dtb])
142
143        # Increment the first byte of the signature, which should cause failure
144        sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
145                               (fit, sig_node))
146        byte_list = sig.split()
147        byte = int(byte_list[0], 16)
148        byte_list[0] = '%x' % (byte + 1)
149        sig = ' '.join(byte_list)
150        util.run_and_log(cons, 'fdtput -t bx %s %s value %s' %
151                         (fit, sig_node, sig))
152
153        run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash')
154
155        cons.log.action('%s: Check bad config on the host' % sha_algo)
156        util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
157                '-k', dtb], 1, 'Failed to verify required signature')
158
159    cons = u_boot_console
160    tmpdir = cons.config.result_dir + '/'
161    tmp = tmpdir + 'vboot.tmp'
162    datadir = cons.config.source_dir + '/test/py/tests/vboot/'
163    fit = '%stest.fit' % tmpdir
164    mkimage = cons.config.build_dir + '/tools/mkimage'
165    fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
166    dtc_args = '-I dts -O dtb -i %s' % tmpdir
167    dtb = '%ssandbox-u-boot.dtb' % tmpdir
168    sig_node = '/configurations/conf@1/signature@1'
169
170    # Create an RSA key pair
171    public_exponent = 65537
172    util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %sdev.key '
173                     '-pkeyopt rsa_keygen_bits:2048 '
174                     '-pkeyopt rsa_keygen_pubexp:%d '
175                     '2>/dev/null'  % (tmpdir, public_exponent))
176
177    # Create a certificate containing the public key
178    util.run_and_log(cons, 'openssl req -batch -new -x509 -key %sdev.key -out '
179                     '%sdev.crt' % (tmpdir, tmpdir))
180
181    # Create a number kernel image with zeroes
182    with open('%stest-kernel.bin' % tmpdir, 'w') as fd:
183        fd.write(5000 * chr(0))
184
185    try:
186        # We need to use our own device tree file. Remember to restore it
187        # afterwards.
188        old_dtb = cons.config.dtb
189        cons.config.dtb = dtb
190        test_with_algo('sha1')
191        test_with_algo('sha256')
192    finally:
193        cons.config.dtb = old_dtb
194