tools, fit_check_sign: verify a signed fit image

[people/ms/u-boot.git] / test / vboot / vboot_test.sh

diff --git a/test/vboot/vboot_test.sh b/test/vboot/vboot_test.sh
index 3e2856ed1ff92c2198cea4d24ab54e8fcf6853ab..3c6efa774ec72c3dbd790b31e2946a063eabcfb1 100755 (executable)
--- a/test/vboot/vboot_test.sh
+++ b/test/vboot/vboot_test.sh
@@ -47,6 +47,7 @@ O=$(readlink -f ${O})
 dtc="-I dts -O dtb -p 2000"
 uboot="${O}/u-boot"
 mkimage="${O}/tools/mkimage"
+fit_check_sign="${O}/tools/fit_check_sign"
 keys="${dir}/dev-keys"
 echo ${mkimage} -D "${dtc}"
 
@@ -99,6 +100,25 @@ function do_test {
 
        run_uboot "signed config" "dev+"
 
+       echo check signed config on the host
+       if ! ${fit_check_sign} -f test.fit -k sandbox-u-boot.dtb >${tmp}; then
+               echo
+               echo "Verified boot key check on host failed, output follows:"
+               cat ${tmp}
+               false
+       else
+               if ! grep -q "dev+" ${tmp}; then
+                       echo
+                       echo "Verified boot key check failed, output follows:"
+                       cat ${tmp}
+                       false
+               else
+                       echo "OK"
+               fi
+       fi
+
+       run_uboot "signed config" "dev+"
+
        # Increment the first byte of the signature, which should cause failure
        sig=$(fdtget -t bx test.fit /configurations/conf@1/signature@1 value)
        newbyte=$(printf %x $((0x${sig:0:2} + 1)))