1# Copyright (c) 2016, Google Inc. 2# 3# SPDX-License-Identifier: GPL-2.0+ 4# 5# U-Boot Verified Boot Test 6 7""" 8This tests verified boot in the following ways: 9 10For image verification: 11- Create FIT (unsigned) with mkimage 12- Check that verification shows that no keys are verified 13- Sign image 14- Check that verification shows that a key is now verified 15 16For configuration verification: 17- Corrupt signature and check for failure 18- Create FIT (with unsigned configuration) with mkimage 19- Check that image verification works 20- Sign the FIT and mark the key as 'required' for verification 21- Check that image verification works 22- Corrupt the signature 23- Check that image verification no-longer works 24 25Tests run with both SHA1 and SHA256 hashing. 26""" 27 28import pytest 29import sys 30import u_boot_utils as util 31 32@pytest.mark.boardspec('sandbox') 33@pytest.mark.buildconfigspec('fit_signature') 34def test_vboot(u_boot_console): 35 """Test verified boot signing with mkimage and verification with 'bootm'. 36 37 This works using sandbox only as it needs to update the device tree used 38 by U-Boot to hold public keys from the signing process. 39 40 The SHA1 and SHA256 tests are combined into a single test since the 41 key-generation process is quite slow and we want to avoid doing it twice. 42 """ 43 def dtc(dts): 44 """Run the device tree compiler to compile a .dts file 45 46 The output file will be the same as the input file but with a .dtb 47 extension. 48 49 Args: 50 dts: Device tree file to compile. 51 """ 52 dtb = dts.replace('.dts', '.dtb') 53 util.run_and_log(cons, 'dtc %s %s%s -O dtb ' 54 '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb)) 55 56 def run_bootm(test_type, expect_string): 57 """Run a 'bootm' command U-Boot. 58 59 This always starts a fresh U-Boot instance since the device tree may 60 contain a new public key. 61 62 Args: 63 test_type: A string identifying the test type 64 expect_string: A string which is expected in the output 65 """ 66 cons.cleanup_spawn() 67 cons.ensure_spawned() 68 cons.log.action('%s: Test Verified Boot Run: %s' % (algo, test_type)) 69 output = cons.run_command_list( 70 ['sb load hostfs - 100 %stest.fit' % tmpdir, 71 'fdt addr 100', 72 'bootm 100']) 73 assert(expect_string in output) 74 75 def make_fit(its): 76 """Make a new FIT from the .its source file. 77 78 This runs 'mkimage -f' to create a new FIT. 79 80 Args: 81 its: Filename containing .its source. 82 """ 83 util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f', 84 '%s%s' % (datadir, its), fit]) 85 86 def sign_fit(): 87 """Sign the FIT 88 89 Signs the FIT and writes the signature into it. It also writes the 90 public key into the dtb. 91 """ 92 cons.log.action('%s: Sign images' % algo) 93 util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb, 94 '-r', fit]) 95 96 def test_with_algo(sha): 97 """Test verified boot with the given hash algorithm. 98 99 This is the main part of the test code. The same procedure is followed 100 for both hashing algorithms. 101 102 Args: 103 sha: Either 'sha1' or 'sha256', to select the algorithm to use 104 """ 105 global algo 106 107 algo = sha 108 109 # Compile our device tree files for kernel and U-Boot. These are 110 # regenerated here since mkimage will modify them (by adding a 111 # public key) below. 112 dtc('sandbox-kernel.dts') 113 dtc('sandbox-u-boot.dts') 114 115 # Build the FIT, but don't sign anything yet 116 cons.log.action('%s: Test FIT with signed images' % algo) 117 make_fit('sign-images-%s.its' % algo) 118 run_bootm('unsigned images', 'dev-') 119 120 # Sign images with our dev keys 121 sign_fit() 122 run_bootm('signed images', 'dev+') 123 124 # Create a fresh .dtb without the public keys 125 dtc('sandbox-u-boot.dts') 126 127 cons.log.action('%s: Test FIT with signed configuration' % algo) 128 make_fit('sign-configs-%s.its' % algo) 129 run_bootm('unsigned config', '%s+ OK' % algo) 130 131 # Sign images with our dev keys 132 sign_fit() 133 run_bootm('signed config', 'dev+') 134 135 cons.log.action('%s: Check signed config on the host' % algo) 136 137 util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir, 138 '-k', dtb]) 139 140 # Increment the first byte of the signature, which should cause failure 141 sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' % 142 (fit, sig_node)) 143 byte_list = sig.split() 144 byte = int(byte_list[0], 16) 145 byte_list[0] = '%x' % (byte + 1) 146 sig = ' '.join(byte_list) 147 util.run_and_log(cons, 'fdtput -t bx %s %s value %s' % 148 (fit, sig_node, sig)) 149 150 run_bootm('Signed config with bad hash', 'Bad Data Hash') 151 152 cons.log.action('%s: Check bad config on the host' % algo) 153 util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit, 154 '-k', dtb], 1, 'Failed to verify required signature') 155 156 cons = u_boot_console 157 tmpdir = cons.config.result_dir + '/' 158 tmp = tmpdir + 'vboot.tmp' 159 datadir = cons.config.source_dir + '/test/py/tests/vboot/' 160 fit = '%stest.fit' % tmpdir 161 mkimage = cons.config.build_dir + '/tools/mkimage' 162 fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign' 163 dtc_args = '-I dts -O dtb -i %s' % tmpdir 164 dtb = '%ssandbox-u-boot.dtb' % tmpdir 165 sig_node = '/configurations/conf@1/signature@1' 166 167 # Create an RSA key pair 168 public_exponent = 65537 169 util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %sdev.key ' 170 '-pkeyopt rsa_keygen_bits:2048 ' 171 '-pkeyopt rsa_keygen_pubexp:%d ' 172 '2>/dev/null' % (tmpdir, public_exponent)) 173 174 # Create a certificate containing the public key 175 util.run_and_log(cons, 'openssl req -batch -new -x509 -key %sdev.key -out ' 176 '%sdev.crt' % (tmpdir, tmpdir)) 177 178 # Create a number kernel image with zeroes 179 with open('%stest-kernel.bin' % tmpdir, 'w') as fd: 180 fd.write(5000 * chr(0)) 181 182 try: 183 # We need to use our own device tree file. Remember to restore it 184 # afterwards. 185 old_dtb = cons.config.dtb 186 cons.config.dtb = dtb 187 test_with_algo('sha1') 188 test_with_algo('sha256') 189 finally: 190 cons.config.dtb = old_dtb 191