The vboot tests only consider the RSA algorithm for signatures. To prepare for the integration of the ECDSA tests, the signature algorithm is now explicit.
Signed-off-by: Philippe Reynes <[email protected]> --- v2: - initial version test/py/tests/test_fit_ecdsa.py | 2 +- test/py/tests/test_vboot.py | 99 ++++++++++--------- ....its => sign-configs-sha1-rsa2048-pss.its} | 0 ...sha1.its => sign-configs-sha1-rsa2048.its} | 0 ... sign-configs-sha256-rsa2048-pss-prod.its} | 0 ...ts => sign-configs-sha256-rsa2048-pss.its} | 0 ...56.its => sign-configs-sha256-rsa2048.its} | 0 ...84.its => sign-configs-sha384-rsa3072.its} | 0 ...s.its => sign-images-sha1-rsa2048-pss.its} | 0 ...-sha1.its => sign-images-sha1-rsa2048.its} | 0 ...its => sign-images-sha256-rsa2048-pss.its} | 0 ...256.its => sign-images-sha256-rsa2048.its} | 0 ...384.its => sign-images-sha384-rsa3072.its} | 0 13 files changed, 51 insertions(+), 50 deletions(-) rename test/py/tests/vboot/{sign-configs-sha1-pss.its => sign-configs-sha1-rsa2048-pss.its} (100%) rename test/py/tests/vboot/{sign-configs-sha1.its => sign-configs-sha1-rsa2048.its} (100%) rename test/py/tests/vboot/{sign-configs-sha256-pss-prod.its => sign-configs-sha256-rsa2048-pss-prod.its} (100%) rename test/py/tests/vboot/{sign-configs-sha256-pss.its => sign-configs-sha256-rsa2048-pss.its} (100%) rename test/py/tests/vboot/{sign-configs-sha256.its => sign-configs-sha256-rsa2048.its} (100%) rename test/py/tests/vboot/{sign-configs-sha384.its => sign-configs-sha384-rsa3072.its} (100%) rename test/py/tests/vboot/{sign-images-sha1-pss.its => sign-images-sha1-rsa2048-pss.its} (100%) rename test/py/tests/vboot/{sign-images-sha1.its => sign-images-sha1-rsa2048.its} (100%) rename test/py/tests/vboot/{sign-images-sha256-pss.its => sign-images-sha256-rsa2048-pss.its} (100%) rename test/py/tests/vboot/{sign-images-sha256.its => sign-images-sha256-rsa2048.its} (100%) rename test/py/tests/vboot/{sign-images-sha384.its => sign-images-sha384-rsa3072.its} (100%) diff --git a/test/py/tests/test_fit_ecdsa.py b/test/py/tests/test_fit_ecdsa.py index 3e816d68eb6..e59390374af 100644 --- a/test/py/tests/test_fit_ecdsa.py 
+++ b/test/py/tests/test_fit_ecdsa.py @@ -102,7 +102,7 @@ def test_fit_ecdsa(ubman): with open(key_file, 'w') as f: f.write(key.export_key(format='PEM')) - assemble_fit_image(fit_file, f'{datadir}/sign-images-sha256.its', tempdir) + assemble_fit_image(fit_file, f'{datadir}/sign-images-sha256-rsa2048.its', tempdir) fit = SignableFitImage(ubman, fit_file) nodes = fit.find_signable_image_nodes() diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index 7a7f9c379de..fd1bf6eb8aa 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py 
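Review bot: The ECDSA test now assembles its image from `sign-images-sha256-rsa2048.its`, so a test named for ECDSA depends on a template whose file name says RSA. Whether the algorithm declared in that template is replaced later in the test is not visible in this hunk; if it is, a comment next to the call would stop a reader from concluding that RSA is what gets verified, for example `# template is shared with the RSA tests; confirm the signing step below selects ECDSA`. If it is not replaced, the test should get its own ECDSA template when the ECDSA vboot cases are added. test_fit_ecdsa starts and ends outside the hunk.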
@@ -84,21 +84,21 @@ def make_fit(its, ubman, mkimage, dtc_args, datadir, fit): # Only run the full suite on a few combinations, since it doesn't add any more # test coverage. TESTDATA_IN = [ - ['sha1-basic', 'sha1', '', None, False, True, False, False], - ['sha1-pad', 'sha1', '', '-E -p 0x10000', False, False, False, False], - ['sha1-pss', 'sha1', '-pss', None, False, False, False, False], - ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False, False, False, False], - ['sha256-basic', 'sha256', '', None, False, False, False, False], - ['sha256-pad', 'sha256', '', '-E -p 0x10000', False, False, False, False], - ['sha256-pss', 'sha256', '-pss', None, False, False, False, False], - ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False, False, False], - ['sha256-pss-required', 'sha256', '-pss', None, True, False, False, False], - ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True, False, False], - ['sha384-basic', 'sha384', '', None, False, False, False, False], - ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False, False, False], - ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', False, False, True, False], - ['sha256-global-sign', 'sha256', '', '', False, False, False, True], - ['sha256-global-sign-pss', 'sha256', '-pss', '', False, False, False, True], + ['sha1-basic', 'sha1', '-rsa2048', '', None, False, True, False, False], + ['sha1-pad', 'sha1', '-rsa2048', '', '-E -p 0x10000', False, False, False, False], + ['sha1-pss', 'sha1', '-rsa2048', '-pss', None, False, False, False, False], + ['sha1-pss-pad', 'sha1', '-rsa2048', '-pss', '-E -p 0x10000', False, False, False, False], + ['sha256-basic', 'sha256', '-rsa2048', '', None, False, False, False, False], + ['sha256-pad', 'sha256', '-rsa2048', '', '-E -p 0x10000', False, False, False, False], + ['sha256-pss', 'sha256', '-rsa2048', '-pss', None, False, False, False, False], + ['sha256-pss-pad', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', False, False, False, False], + 
['sha256-pss-required', 'sha256', '-rsa2048', '-pss', None, True, False, False, False], + ['sha256-pss-pad-required', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', True, True, False, False], + ['sha384-basic', 'sha384', '-rsa3072', '', None, False, False, False, False], + ['sha384-pad', 'sha384', '-rsa3072', '', '-E -p 0x10000', False, False, False, False], + ['algo-arg', 'algo-arg', '', '', '-o sha256,rsa2048', False, False, True, False], + ['sha256-global-sign', 'sha256', '-rsa2048', '', '', False, False, False, True], + ['sha256-global-sign-pss', 'sha256', '-rsa2048', '-pss', '', False, False, False, True], ] # Mark all but the first test as slow, so they are not run with '-k not slow' @@ -111,9 +111,9 @@ TESTDATA += [pytest.param(*v, marks=pytest.mark.slow) for v in TESTDATA_IN[1:]] @pytest.mark.requiredtool('fdtget') @pytest.mark.requiredtool('fdtput') @pytest.mark.requiredtool('openssl') [email protected]("name,sha_algo,padding,sign_options,required,full_test,algo_arg,global_sign", [email protected]("name,sha_algo,sig_algo,padding,sign_options,required,full_test,algo_arg,global_sign", TESTDATA) -def test_vboot(ubman, name, sha_algo, padding, sign_options, required, +def test_vboot(ubman, name, sha_algo, sig_algo, padding, sign_options, required, full_test, algo_arg, global_sign): """Test verified boot signing with mkimage and verification with 'bootm'. @@ -287,7 +287,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, utils.run_and_log(ubman, 'openssl req -batch -new -x509 -key %s%s.key ' '-out %s%s.crt' % (tmpdir, name, tmpdir, name)) - def test_with_algo(sha_algo, padding, sign_options): + def test_with_algo(sha_algo, sig_algo, padding, sign_options): """Test verified boot with the given hash algorithm. This is the main part of the test code. The same procedure is followed 
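Review bot: The new third column of TESTDATA_IN stores the signature algorithm as a file-name fragment with its leading dash (`'-rsa2048'`, `'-rsa3072'`) and as `''` for the `algo-arg` row, and nothing in the hunk says so. A comment above the table would document it, for example `# sig_algo: suffix inserted into the .its file name ('-rsa2048', '-rsa3072'); '' for algo-arg, whose template name carries no algorithm suffix`. The second table, in the hunk at -550, needs the same comment and also has a stray space before the comma in `'-rsa2048' , '-pss'`.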
@@ -308,7 +308,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, # Build the FIT, but don't sign anything yet ubman.log.action('%s: Test FIT with signed images' % sha_algo) - make_fit('sign-images-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit) + make_fit('sign-images-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit) run_bootm(sha_algo, 'unsigned images', ' - OK' if algo_arg else 'dev-', True) # Sign images with our dev keys @@ -319,7 +319,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, dtc('sandbox-u-boot.dts', ubman, dtc_args, datadir, tmpdir, dtb) ubman.log.action('%s: Test FIT with signed configuration' % sha_algo) - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit) + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit) run_bootm(sha_algo, 'unsigned config', '%s+ OK' % ('sha256' if algo_arg else sha_algo), True) # Sign images with our dev keys @@ -369,7 +369,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, run_bootm(sha_algo, 'evil kernel@', msg, False, efit) # Create a new properly signed fit and replace header bytes - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit) + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit) sign_fit(sha_algo, sign_options) bcfg = ubman.config.buildconfig max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0) 
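Review bot: The template name is now built from the same `'%s%s%s'` expression in seven make_fit calls (here and in the hunks at -319, -369, -423, -440 and -618), so every further naming change has to be repeated in each of them. A small helper would keep the rule in one place, for example one that returns `'sign-%s-%s%s%s%s.its' % (kind, sha_algo, sig_algo, padding, suffix)` with `kind` being `'images'` or `'configs'` and `suffix` being `''` or `'-prod'`. The docstring of test_with_algo still opens with "the given hash algorithm" although the function now also takes the signature algorithm. test_with_algo starts and ends outside this hunk.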
@@ -401,7 +401,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, ubman, [fit_check_sign, '-f', fit, '-k', dtb], 1, 'Failed to verify required signature') - def test_required_key(sha_algo, padding, sign_options): + def test_required_key(sha_algo, sig_algo, padding, sign_options): """Test verified boot with the given hash algorithm. This function tests if U-Boot rejects an image when a required key isn't @@ -423,12 +423,12 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, # Build the FIT with prod key (keys required) and sign it. This puts the # signature into sandbox-u-boot.dtb, marked 'required' - make_fit('sign-configs-%s%s-prod.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit) + make_fit('sign-configs-%s%s%s-prod.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit) sign_fit(sha_algo, sign_options) # Build the FIT with dev key (keys NOT required). This adds the # signature into sandbox-u-boot.dtb, NOT marked 'required'. - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit) + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit) sign_fit_norequire(sha_algo, sign_options) # So now sandbox-u-boot.dtb two signatures, for the prod and dev keys. @@ -440,7 +440,7 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, # Build the FIT with dev key (keys required) and sign it. This puts the # signature into sandbox-u-boot.dtb, marked 'required'. - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit) + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit) sign_fit(sha_algo, sign_options) # Set the required-mode policy to "any". 
@@ -520,8 +520,9 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, dtb = '%ssandbox-u-boot.dtb' % tmpdir sig_node = '/configurations/conf-1/signature' - create_rsa_pair('dev') - create_rsa_pair('prod') + if sig_algo == "-rsa2048" or sig_algo == "-rsa3072" or sig_algo == "": + create_rsa_pair('dev') + create_rsa_pair('prod') # Create a number kernel image with zeroes with open('%stest-kernel.bin' % tmpdir, 'wb') as fd: @@ -540,9 +541,9 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, if global_sign: test_global_sign(sha_algo, padding, sign_options) elif required: - test_required_key(sha_algo, padding, sign_options) + test_required_key(sha_algo, sig_algo, padding, sign_options) else: - test_with_algo(sha_algo, padding, sign_options) + test_with_algo(sha_algo, sig_algo, padding, sign_options) finally: # Go back to the original U-Boot with the correct dtb. ubman.config.dtb = old_dtb 
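Review bot: When sig_algo is anything other than the three listed values, the new `if` in the hunk at -520 skips both create_rsa_pair calls and the test carries on with no key pair created in this block, so the failure would presumably surface later at a signing step instead of at its cause. An explicit fallback makes the gap visible: `if sig_algo in ('-rsa2048', '-rsa3072', ''):` followed by `else: pytest.fail('unsupported sig_algo %r' % sig_algo)`, which also matches the single-quote style used in the rest of the file. create_rsa_pair is still called with only the key name, so the key size is not taken from sig_algo here; its body is outside the hunk, as are the start and end of test_vboot.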
@@ -550,21 +551,21 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, TESTDATA_IN = [ - ['sha1-basic', 'sha1', '', None, False], - ['sha1-pad', 'sha1', '', '-E -p 0x10000', False], - ['sha1-pss', 'sha1', '-pss', None, False], - ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False], - ['sha256-basic', 'sha256', '', None, False], - ['sha256-pad', 'sha256', '', '-E -p 0x10000', False], - ['sha256-pss', 'sha256', '-pss', None, False], - ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False], - ['sha256-pss-required', 'sha256', '-pss', None, False], - ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', False], - ['sha384-basic', 'sha384', '', None, False], - ['sha384-pad', 'sha384', '', '-E -p 0x10000', False], - ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', True], - ['sha256-global-sign', 'sha256', '', '', False], - ['sha256-global-sign-pss', 'sha256', '-pss', '', False], + ['sha1-basic', 'sha1', '-rsa2048', '', None, False], + ['sha1-pad', 'sha1', '-rsa2048', '', '-E -p 0x10000', False], + ['sha1-pss', 'sha1', '-rsa2048', '-pss', None, False], + ['sha1-pss-pad', 'sha1', '-rsa2048', '-pss', '-E -p 0x10000', False], + ['sha256-basic', 'sha256', '-rsa2048', '', None, False], + ['sha256-pad', 'sha256', '-rsa2048', '', '-E -p 0x10000', False], + ['sha256-pss', 'sha256', '-rsa2048', '-pss', None, False], + ['sha256-pss-pad', 'sha256', '-rsa2048', '-pss', '-E -p 0x10000', False], + ['sha256-pss-required', 'sha256', '-rsa2048', '-pss', None, False], + ['sha256-pss-pad-required', 'sha256', '-rsa2048' , '-pss', '-E -p 0x10000', False], + ['sha384-basic', 'sha384', '-rsa3072', '', None, False], + ['sha384-pad', 'sha384', '-rsa3072', '', '-E -p 0x10000', False], + ['algo-arg', 'algo-arg', '', '', '-o sha256,rsa2048', True], + ['sha256-global-sign', 'sha256', '-rsa2048', '', '', False], + ['sha256-global-sign-pss', 'sha256', '-rsa2048', '-pss', '', False], ] # Mark all but the first test as slow, so they are not run with '-k not slow' 
@@ -575,8 +576,8 @@ TESTDATA += [pytest.param(*v, marks=pytest.mark.slow) for v in TESTDATA_IN[1:]] @pytest.mark.buildconfigspec('fit_signature') @pytest.mark.requiredtool('dtc') @pytest.mark.requiredtool('openssl') [email protected]("name,sha_algo,padding,sign_options,algo_arg", TESTDATA) -def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg): [email protected]("name,sha_algo,sig_algo,padding,sign_options,algo_arg", TESTDATA) +def test_fdt_add_pubkey(ubman, name, sha_algo, sig_algo, padding, sign_options, algo_arg): """Test fdt_add_pubkey utility with bunch of different algo options.""" def sign_fit(sha_algo, options): @@ -595,7 +596,7 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg): ubman.log.action('%s: Sign images' % sha_algo) utils.run_and_log(ubman, args) - def test_add_pubkey(sha_algo, padding, sign_options): + def test_add_pubkey(sha_algo, sig_algo, padding, sign_options): """Test fdt_add_pubkey utility with given hash algorithm and padding. This function tests if fdt_add_pubkey utility may add public keys into dtb. @@ -618,7 +619,7 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg): 'rsa3072' if sha_algo == 'sha384' else 'rsa2048'), '-k', tmpdir, '-n', 'dev', '-r', 'conf', dtb]) - make_fit('sign-configs-%s%s.its' % (sha_algo, padding), ubman, mkimage, dtc_args, datadir, fit) + make_fit('sign-configs-%s%s%s.its' % (sha_algo, sig_algo, padding), ubman, mkimage, dtc_args, datadir, fit) # Sign images with our dev keys sign_fit(sha_algo, sign_options) @@ -640,4 +641,4 @@ def test_fdt_add_pubkey(ubman, name, sha_algo, padding, sign_options, algo_arg): # keys created in test_vboot test - test_add_pubkey(sha_algo, padding, sign_options) + test_add_pubkey(sha_algo, sig_algo, padding, sign_options) 
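Review bot: In the hunk at -618 the context line just above the changed make_fit call still picks the key algorithm with `'rsa3072' if sha_algo == 'sha384' else 'rsa2048'`, while the template file name on the next line is now built from sig_algo. The two can disagree as soon as a table row pairs a hash with a different signature algorithm, and the public key added to the dtb would then not match the algorithm named by the template. Deriving both from the same parameter avoids that, for example `sig_algo[1:] or 'rsa2048'`, where the fallback covers the `algo-arg` row whose sig_algo is `''`. Only part of the fdt_add_pubkey call is visible in the hunk, so the full argument list should be checked against this.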
diff --git a/test/py/tests/vboot/sign-configs-sha1-pss.its b/test/py/tests/vboot/sign-configs-sha1-rsa2048-pss.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha1-pss.its
rename to test/py/tests/vboot/sign-configs-sha1-rsa2048-pss.its
diff --git a/test/py/tests/vboot/sign-configs-sha1.its b/test/py/tests/vboot/sign-configs-sha1-rsa2048.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha1.its
rename to test/py/tests/vboot/sign-configs-sha1-rsa2048.its
diff --git a/test/py/tests/vboot/sign-configs-sha256-pss-prod.its b/test/py/tests/vboot/sign-configs-sha256-rsa2048-pss-prod.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha256-pss-prod.its
rename to test/py/tests/vboot/sign-configs-sha256-rsa2048-pss-prod.its
diff --git a/test/py/tests/vboot/sign-configs-sha256-pss.its b/test/py/tests/vboot/sign-configs-sha256-rsa2048-pss.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha256-pss.its
rename to test/py/tests/vboot/sign-configs-sha256-rsa2048-pss.its
diff --git a/test/py/tests/vboot/sign-configs-sha256.its b/test/py/tests/vboot/sign-configs-sha256-rsa2048.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha256.its
rename to test/py/tests/vboot/sign-configs-sha256-rsa2048.its
diff --git a/test/py/tests/vboot/sign-configs-sha384.its b/test/py/tests/vboot/sign-configs-sha384-rsa3072.its
similarity index 100%
rename from test/py/tests/vboot/sign-configs-sha384.its
rename to test/py/tests/vboot/sign-configs-sha384-rsa3072.its
diff --git a/test/py/tests/vboot/sign-images-sha1-pss.its b/test/py/tests/vboot/sign-images-sha1-rsa2048-pss.its
similarity index 100%
rename from test/py/tests/vboot/sign-images-sha1-pss.its
rename to test/py/tests/vboot/sign-images-sha1-rsa2048-pss.its
diff --git a/test/py/tests/vboot/sign-images-sha1.its b/test/py/tests/vboot/sign-images-sha1-rsa2048.its
similarity index 100%
rename from test/py/tests/vboot/sign-images-sha1.its
rename to test/py/tests/vboot/sign-images-sha1-rsa2048.its
diff --git a/test/py/tests/vboot/sign-images-sha256-pss.its b/test/py/tests/vboot/sign-images-sha256-rsa2048-pss.its
similarity index 100%
rename from test/py/tests/vboot/sign-images-sha256-pss.its
rename to test/py/tests/vboot/sign-images-sha256-rsa2048-pss.its
diff --git a/test/py/tests/vboot/sign-images-sha256.its b/test/py/tests/vboot/sign-images-sha256-rsa2048.its
similarity index 100%
rename from test/py/tests/vboot/sign-images-sha256.its
rename to test/py/tests/vboot/sign-images-sha256-rsa2048.its
diff --git a/test/py/tests/vboot/sign-images-sha384.its b/test/py/tests/vboot/sign-images-sha384-rsa3072.its
similarity index 100%
rename from test/py/tests/vboot/sign-images-sha384.its
rename to test/py/tests/vboot/sign-images-sha384-rsa3072.its
-- 2.43.0

