test/py/tests/test_vboot.py

   1 # Copyright (c) 2013, Google Inc.
   2 #
   3 # SPDX-License-Identifier:      GPL-2.0+
   4 #
   5 # U-Boot Verified Boot Test
   6
   7 """
   8 This tests verified boot in the following ways:
   9
  10 For image verification:
  11 - Create FIT (unsigned) with mkimage
  12 - Check that verification shows that no keys are verified
  13 - Sign image
  14 - Check that verification shows that a key is now verified
  15
  16 For configuration verification:
  17 - Corrupt signature and check for failure
  18 - Create FIT (with unsigned configuration) with mkimage
  19 - Check that image veriication works
  20 - Sign the FIT and mark the key as 'required' for verification
  21 - Check that image verification works
  22 - Corrupt the signature
  23 - Check that image verification no-longer works
  24
  25 Tests run with both SHA1 and SHA256 hashing.
  26 """
  27
  28 import pytest
  29 import sys
  30 import u_boot_utils as util
  31
  32 @pytest.mark.buildconfigspec('fit_signature')
  33 def test_vboot(u_boot_console):
  34     """Test verified boot signing with mkimage and verification with 'bootm'.
  35
  36     This works using sandbox only as it needs to update the device tree used
  37     by U-Boot to hold public keys from the signing process.
  38
  39     The SHA1 and SHA256 tests are combined into a single test since the
  40     key-generation process is quite slow and we want to avoid doing it twice.
  41     """
  42     def dtc(dts):
  43         """Run the device-tree compiler to compile a .dts file
  44
  45         The output file will be the same as the input file but with a .dtb
  46         extension.
  47
  48         Args:
  49             dts: Device tree file to compile.
  50         """
  51         dtb = dts.replace('.dts', '.dtb')
  52         util.cmd(cons, 'dtc %s %s%s -O dtb '
  53                        '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb))
  54
  55     def run_bootm(test_type, expect_string):
  56         """Run a 'bootm' command U-Boot.
  57
  58         This always starts a fresh U-Boot instance since the device tree may
  59         contain a new public key.
  60
  61         Args:
  62             test_type: A string identifying the test type
  63             expect_string: A string which is expected in the output
  64         """
  65         cons.cleanup_spawn()
  66         cons.ensure_spawned()
  67         cons.log.action('%s: Test Verified Boot Run: %s' % (algo, test_type))
  68         output = cons.run_command_list(
  69             ['sb load hostfs - 100 %stest.fit' % tmpdir,
  70              'fdt addr 100',
  71              'bootm 100'])
  72         assert(expect_string in output)
  73
  74     def make_fit(its):
  75         """Make a new FIT from the .its source file
  76
  77         This runs 'mkimage -f' to create a new FIT.
  78
  79         Args:
  80             its: Filename containing .its source
  81         """
  82         util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
  83                                 '%s%s' % (datadir, its), fit])
  84
  85     def sign_fit():
  86         """Sign the FIT
  87
  88         Signs the FIT and writes the signature into it. It also writes the
  89         public key into the dtb.
  90         """
  91         cons.log.action('%s: Sign images' % algo)
  92         util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
  93                                 '-r', fit])
  94
  95     def test_with_algo(sha):
  96         """Test verified boot with the given hash algorithm
  97
  98         This is the main part of the test code. The same procedure is followed
  99         for both hashing algorithms.
 100
 101         Args:
 102             sha: Either 'sha1' or 'sha256', to select the algorithm to use
 103         """
 104         global algo
 105
 106         algo = sha
 107
 108         # Compile our device tree files for kernel and U-Boot
 109         dtc('sandbox-kernel.dts')
 110         dtc('sandbox-u-boot.dts')
 111
 112         # Build the FIT, but don't sign anything yet
 113         cons.log.action('%s: Test FIT with signed images' % algo)
 114         make_fit('sign-images-%s.its' % algo)
 115         run_bootm('unsigned images', 'dev-')
 116
 117         # Sign images with our dev keys
 118         sign_fit()
 119         run_bootm('signed images', 'dev+')
 120
 121         # Create a fresh .dtb without the public keys
 122         dtc('sandbox-u-boot.dts')
 123
 124         cons.log.action('%s: Test FIT with signed configuration' % algo)
 125         make_fit('sign-configs-%s.its' % algo)
 126         run_bootm('unsigned config', '%s+ OK' % algo)
 127
 128         # Sign images with our dev keys
 129         sign_fit()
 130         run_bootm('signed config', 'dev+')
 131
 132         cons.log.action('%s: Check signed config on the host' % algo)
 133
 134         util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
 135                                 '-k', dtb])
 136
 137         # Increment the first byte of the signature, which should cause failure
 138         sig = util.cmd(cons, 'fdtget -t bx %s %s value' % (fit, sig_node))
 139         byte_list = sig.split()
 140         byte = int(byte_list[0], 16)
 141         byte_list = ['%x' % (byte + 1)] + byte_list[1:]
 142         sig = ' '.join(byte_list)
 143         util.cmd(cons, 'fdtput -t bx %s %s value %s' % (fit, sig_node, sig))
 144
 145         run_bootm('Signed config with bad hash', 'Bad Data Hash')
 146
 147         cons.log.action('%s: Check bad config on the host' % algo)
 148         util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
 149                 '-k', dtb], 1, 'Failed to verify required signature')
 150
 151     cons = u_boot_console
 152     tmpdir = cons.config.result_dir + '/'
 153     tmp = tmpdir + 'vboot.tmp'
 154     datadir = 'test/py/tests/vboot/'
 155     fit = '%stest.fit' % tmpdir
 156     mkimage = cons.config.build_dir + '/tools/mkimage'
 157     fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
 158     dtc_args = '-I dts -O dtb -i %s' % tmpdir
 159     dtb = '%ssandbox-u-boot.dtb' % tmpdir
 160     sig_node = '/configurations/conf@1/signature@1'
 161
 162     # Create an RSA key pair
 163     public_exponent = 65537
 164     util.cmd(cons, 'openssl genpkey -algorithm RSA -out %sdev.key '
 165                    '-pkeyopt rsa_keygen_bits:2048 '
 166                    '-pkeyopt rsa_keygen_pubexp:%d '
 167                    '2>/dev/null'  % (tmpdir, public_exponent))
 168
 169     # Create a certificate containing the public key
 170     util.cmd(cons, 'openssl req -batch -new -x509 -key %sdev.key -out '
 171                    '%sdev.crt' % (tmpdir, tmpdir))
 172
 173     # Create a number kernel image with zeroes
 174     with open('%stest-kernel.bin' % tmpdir, 'w') as fd:
 175         fd.write(5000 * chr(0))
 176
 177     try:
 178         # We need to use our own device tree file. Remember to restore it
 179         # afterwards.
 180         old_dtb = cons.config.dtb
 181         cons.config.dtb = dtb
 182         test_with_algo('sha1')
 183         test_with_algo('sha256')
 184     finally:
 185         cons.config.dtb = old_dtb