On 4/14/20 4:51 AM, AKASHI Takahiro wrote: > A fixture for UEFI secure boot tests (image authentication and variable > authentication) is defined. A small file system with test data in a single > partition formatted in fat is created. > > This test requires efitools v1.5.2 or later. If the system's efitools > is older, you have to build it on your own and define EFITOOLS_PATH. > > Signed-off-by: AKASHI Takahiro <takahiro.aka...@linaro.org> > --- > test/py/README.md | 8 ++ > test/py/tests/test_efi_secboot/conftest.py | 151 +++++++++++++++++++++ > test/py/tests/test_efi_secboot/defs.py | 21 +++ > 3 files changed, 180 insertions(+) > create mode 100644 test/py/tests/test_efi_secboot/conftest.py > create mode 100644 test/py/tests/test_efi_secboot/defs.py > > diff --git a/test/py/README.md b/test/py/README.md > index 3cbe01b73e28..aa8a5607b064 100644 > --- a/test/py/README.md > +++ b/test/py/README.md > @@ -37,7 +37,15 @@ will be required. The following is an incomplete list: > | openssl | > | sudo OR guestmount | > | e2fsprogs | > +| util-linux | > +| coreutils | > | dosfstools | > +| efitools | > +| mount | > +| mtools | > +| sbsigntool | > +| udisks2 | > + > > Please use the apporirate commands for your distribution to match these tools > up with the package that provides them. > diff --git a/test/py/tests/test_efi_secboot/conftest.py > b/test/py/tests/test_efi_secboot/conftest.py > new file mode 100644 > index 000000000000..e542fef6e819 > --- /dev/null > +++ b/test/py/tests/test_efi_secboot/conftest.py > @@ -0,0 +1,151 @@ > +# SPDX-License-Identifier: GPL-2.0+ > +# Copyright (c) 2019, Linaro Limited > +# Author: AKASHI Takahiro <takahiro.aka...@linaro.org> > + > +import os > +import os.path > +import pytest > +import re > +from subprocess import call, check_call, check_output, CalledProcessError > +from defs import * > + > +# from test/py/conftest.py > +def tool_is_in_path(tool): > + for path in os.environ["PATH"].split(os.pathsep): > + fn = os.path.join(path, tool) > + if os.path.isfile(fn) and os.access(fn, os.X_OK): > + return True > + return False > + > +# > +# Fixture for UEFI secure boot test > +# > +@pytest.fixture(scope='session') > +def efi_boot_env(request, u_boot_config): > + """Set up a file system to be used in UEFI secure boot test. > + > + Args: > + request: Pytest request object. > + u_boot_config: U-boot configuration. > + > + Return: > + A path to disk image to be used for testing > + """ > + global HELLO_PATH > + > + image_path = u_boot_config.persistent_data_dir > + image_path = image_path + '/' + EFI_SECBOOT_IMAGE_NAME > + image_size = EFI_SECBOOT_IMAGE_SIZE > + part_size = EFI_SECBOOT_PART_SIZE > + fs_type = EFI_SECBOOT_FS_TYPE > + > + if HELLO_PATH == '': > + HELLO_PATH = u_boot_config.build_dir + > '/lib/efi_loader/helloworld.efi' > + > + try: > + non_root = tool_is_in_path('udisksctl') > + > + # create a disk/partition > + check_call('dd if=/dev/zero of=%s bs=1MiB count=%d' > + % (image_path, image_size), shell=True) > + check_call('sgdisk %s -n 1:0:+%dMiB' > + % (image_path, part_size), shell=True) > + # create a file system > + check_call('dd if=/dev/zero of=%s.tmp bs=1MiB count=%d' > + % (image_path, part_size), shell=True) > + check_call('mkfs -t %s %s.tmp' % (fs_type, image_path), shell=True) > + check_call('dd if=%s.tmp of=%s bs=1MiB seek=1 count=%d conv=notrunc' > + % (image_path, image_path, 1), shell=True) > + check_call('rm %s.tmp' % image_path, shell=True) > + if non_root: > + out_data = check_output('udisksctl loop-setup -f %s -o %d' > + % (image_path, 1048576), shell=True).decode() > + m = re.search('(?<= as )(.*)\.', out_data) > + loop_dev = m.group(1) > + # print 'loop device is: %s' % loop_dev > + out_data = check_output('udisksctl info -b %s' > + % loop_dev, shell=True).decode() > + m = re.search('MountPoints:[ \t]+(.*)', out_data) > + mnt_point = m.group(1) > + else: > + loop_dev = check_output('sudo losetup -o 1MiB --sizelimit %dMiB > --show -f %s | tr -d "\n"' > + % (part_size, image_path), > shell=True).decode() > + mnt_point = '/mnt'
This is not a good idea. On my systems I have a mount /mnt/iscsi and this is where I checked out the u-boot repository where I run 'make tests'. Other people may also have mounted something of importance in /mnt. Please, supply a followi up patch creating a directory in the build path for mounting. Best regards Heinrich > + check_output('sudo mount -t %s -o umask=000 %s %s' > + % (fs_type, loop_dev, mnt_point), shell=True) > + > + # print 'mount point is: %s' % mnt_point > + > + # suffix > + # *.key: RSA private key in PEM > + # *.crt: X509 certificate (self-signed) in PEM > + # *.esl: signature list > + # *.hash: message digest of image as signature list > + # *.auth: signed signature list in signature database format > + # *.efi: UEFI image > + # *.efi.signed: signed UEFI image > + > + # Create signature database > + ## PK > + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj > /CN=TEST_PK/ -keyout PK.key -out PK.crt -nodes -days 365' > + % mnt_point, shell=True) > + check_call('cd %s; %scert-to-efi-sig-list -g %s PK.crt PK.esl; > %ssign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth' > + % (mnt_point, EFITOOLS_PATH, GUID, > EFITOOLS_PATH), > + shell=True) > + ## PK_null for deletion > + check_call('cd %s; sleep 2; touch PK_null.esl; %ssign-efi-sig-list > -c PK.crt -k PK.key PK PK_null.esl PK_null.auth' > + % (mnt_point, EFITOOLS_PATH), shell=True) > + ## KEK > + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj > /CN=TEST_KEK/ -keyout KEK.key -out KEK.crt -nodes -days 365' > + % mnt_point, shell=True) > + check_call('cd %s; %scert-to-efi-sig-list -g %s KEK.crt KEK.esl; > %ssign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth' > + % (mnt_point, EFITOOLS_PATH, GUID, > EFITOOLS_PATH), > + shell=True) > + ## db > + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj > /CN=TEST_db/ -keyout db.key -out db.crt -nodes -days 365' > + % mnt_point, shell=True) > + check_call('cd %s; %scert-to-efi-sig-list -g %s db.crt db.esl; > %ssign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth' > + % (mnt_point, EFITOOLS_PATH, GUID, > EFITOOLS_PATH), > + shell=True) > + ## db1 > + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj > /CN=TEST_db1/ -keyout db1.key -out db1.crt -nodes -days 365' > + % mnt_point, shell=True) > + check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; > %ssign-efi-sig-list -c KEK.crt -k KEK.key db db1.esl db1.auth' > + % (mnt_point, EFITOOLS_PATH, GUID, > EFITOOLS_PATH), > + shell=True) > + ## db1-update > + check_call('cd %s; %ssign-efi-sig-list -a -c KEK.crt -k KEK.key db > db1.esl db1-update.auth' > + % (mnt_point, EFITOOLS_PATH), shell=True) > + ## dbx > + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj > /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365' > + % mnt_point, shell=True) > + check_call('cd %s; %scert-to-efi-sig-list -g %s dbx.crt dbx.esl; > %ssign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth' > + % (mnt_point, EFITOOLS_PATH, GUID, > EFITOOLS_PATH), > + shell=True) > + > + # Copy image > + check_call('cp %s %s' % (HELLO_PATH, mnt_point), shell=True) > + > + ## Sign image > + check_call('cd %s; sbsign --key db.key --cert db.crt helloworld.efi' > + % mnt_point, shell=True) > + ## Digest image > + check_call('cd %s; %shash-to-efi-sig-list helloworld.efi > db_hello.hash; %ssign-efi-sig-list -c KEK.crt -k KEK.key db db_hello.hash > db_hello.auth' > + % (mnt_point, EFITOOLS_PATH, EFITOOLS_PATH), > + shell=True) > + > + if non_root: > + check_call('udisksctl unmount -b %s' % loop_dev, shell=True) > + # not needed > + # check_call('udisksctl loop-delete -b %s' % loop_dev, > shell=True) > + else: > + check_call('sudo umount %s' % loop_dev, shell=True) > + check_call('sudo losetup -d %s' % loop_dev, shell=True) > + > + except CalledProcessError as e: > + pytest.skip('Setup failed: %s' % e.cmd) > + return > + else: > + yield image_path > + finally: > + call('rm -f %s' % image_path, shell=True) > diff --git a/test/py/tests/test_efi_secboot/defs.py > b/test/py/tests/test_efi_secboot/defs.py > new file mode 100644 > index 000000000000..d6222809c547 > --- /dev/null > +++ b/test/py/tests/test_efi_secboot/defs.py > @@ -0,0 +1,21 @@ > +# SPDX-License-Identifier: GPL-2.0+ > + > +# Disk image name > +EFI_SECBOOT_IMAGE_NAME='test_efi_secboot.img' > + > +# Size in MiB > +EFI_SECBOOT_IMAGE_SIZE=16 > +EFI_SECBOOT_PART_SIZE=8 > + > +# Partition file system type > +EFI_SECBOOT_FS_TYPE='vfat' > + > +# Owner guid > +GUID='11111111-2222-3333-4444-123456789abc' > + > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and > +# you need build a newer version on your own. > +EFITOOLS_PATH='' > + > +# Hello World application for sandbox > +HELLO_PATH='' >