Test pkcs11 URI support for UEFI capsule generation. For simplicity only private key is defined in binman section as softhsm tool doesn't support certificate import (yet).
Signed-off-by: Wojciech Dubowik <[email protected]> Reviewed-by: Simon Glass <[email protected]> --- tools/binman/ftest.py | 53 +++++++++++++++++++ .../binman/test/351_capsule_signed_pkcs11.dts | 22 ++++++++ 2 files changed, 75 insertions(+) create mode 100644 tools/binman/test/351_capsule_signed_pkcs11.dts diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py index 21ec48d86fd1..a005a167e414 100644 --- a/tools/binman/ftest.py +++ b/tools/binman/ftest.py @@ -7,6 +7,7 @@ # python -m unittest func_test.TestFunctional.testHelp import collections +import configparser import glob import gzip import hashlib @@ -7532,6 +7533,58 @@ fdt fdtmap Extract the devicetree blob from the fdtmap self._CheckCapsule(data, signed_capsule=True) + def testPkcs11SignedCapsuleGen(self): + """Test generation of EFI capsule (with PKCS11)""" + data = tools.read_file(self.TestFile("key.key")) + private_key = self._MakeInputFile("key.key", data) + data = tools.read_file(self.TestFile("key.pem")) + cert_file = self._MakeInputFile("key.crt", data) + + softhsm2_util = bintool.Bintool.create('softhsm2_util') + self._CheckBintool(softhsm2_util) + + prefix = "testPkcs11SignedCapsuleGen." + # Configure SoftHSMv2 + data = tools.read_file(self.TestFile('340_softhsm2.conf')) + softhsm2_conf = self._MakeInputFile(f'{prefix}softhsm2.conf', data) + softhsm2_tokens_dir = self._MakeInputDir(f'{prefix}softhsm2.tokens') + tools.write_file(softhsm2_conf, data + + f'\ndirectories.tokendir = \ + {softhsm2_tokens_dir}\n'.encode("utf-8")) + + p11_kit_config = configparser.ConfigParser() + out = tools.run('p11-kit', 'print-config') + p11_kit_config.read_string(out) + softhsm2_lib = p11_kit_config['softhsm2']['module'] + + os.environ['SOFTHSM2_CONF'] = softhsm2_conf + tools.run('softhsm2-util', '--init-token', '--free', '--label', + 'U-Boot token', '--pin', '1111', '--so-pin', + '222222') + tools.run('softhsm2-util', '--import', private_key, '--token', + 'U-Boot token', '--label', 'test_key', '--id', '999999', + '--pin', '1111') + + os.environ['PKCS11_MODULE_PATH'] = softhsm2_lib + data = self._DoReadFile('351_capsule_signed_pkcs11.dts') + + self._CheckCapsule(data, signed_capsule=True) + + # Verify signed capsule + hdr = self._GetCapsuleHeaders(data) + monotonic_count = hdr['EFI_FIRMWARE_IMAGE_AUTH.MONOTONIC_COUNT'] + + with open(self._indir + '/capsule_input.bin', 'ab') as f: + f.write(struct.pack('<Q', int(monotonic_count, 16))) + + try: + tools.run('openssl', 'smime', '-verify', '-inform', 'DER', + '-in', tools.get_output_dir() + '/capsule.efi-capsule.p7', + '-content', self._indir + '/capsule_input.bin', + '-CAfile', cert_file, '-no_check_time') + except ValueError: + self.assertIn('UEFI Capsule verification failed') + def testCapsuleGenVersionSupport(self): """Test generation of EFI capsule with version support""" data = self._DoReadFile('313_capsule_version.dts') diff --git a/tools/binman/test/351_capsule_signed_pkcs11.dts b/tools/binman/test/351_capsule_signed_pkcs11.dts new file mode 100644 index 000000000000..ae93bf83936f --- /dev/null +++ b/tools/binman/test/351_capsule_signed_pkcs11.dts @@ -0,0 +1,22 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + binman { + efi-capsule { + image-index = <0x1>; + /* Image GUID for testing capsule update */ + image-guid = "binman-test"; + hardware-instance = <0x0>; + monotonic-count = <0x1>; + dump-signature; + private-key = "pkcs11:token=U-Boot%20token;object=test_key;type=private;pin-value=1111"; + public-key-cert = "key.crt"; + + blob { + filename = "capsule_input.bin"; + }; + }; + }; +}; -- 2.47.3
