test/py/tests/test_vboot.py

   1 # Copyright (c) 2016, Google Inc.
   2 #
   3 # SPDX-License-Identifier:      GPL-2.0+
   4 #
   5 # U-Boot Verified Boot Test
   6
   7 """
   8 This tests verified boot in the following ways:
   9
  10 For image verification:
  11 - Create FIT (unsigned) with mkimage
  12 - Check that verification shows that no keys are verified
  13 - Sign image
  14 - Check that verification shows that a key is now verified
  15
  16 For configuration verification:
  17 - Corrupt signature and check for failure
  18 - Create FIT (with unsigned configuration) with mkimage
  19 - Check that image verification works
  20 - Sign the FIT and mark the key as 'required' for verification
  21 - Check that image verification works
  22 - Corrupt the signature
  23 - Check that image verification no-longer works
  24
  25 Tests run with both SHA1 and SHA256 hashing.
  26 """
  27
  28 import pytest
  29 import sys
  30 import u_boot_utils as util
  31
  32 @pytest.mark.boardspec('sandbox')
  33 @pytest.mark.buildconfigspec('fit_signature')
  34 def test_vboot(u_boot_console):
  35     """Test verified boot signing with mkimage and verification with 'bootm'.
  36
  37     This works using sandbox only as it needs to update the device tree used
  38     by U-Boot to hold public keys from the signing process.
  39
  40     The SHA1 and SHA256 tests are combined into a single test since the
  41     key-generation process is quite slow and we want to avoid doing it twice.
  42     """
  43     def dtc(dts):
  44         """Run the device tree compiler to compile a .dts file
  45
  46         The output file will be the same as the input file but with a .dtb
  47         extension.
  48
  49         Args:
  50             dts: Device tree file to compile.
  51         """
  52         dtb = dts.replace('.dts', '.dtb')
  53         util.run_and_log(cons, 'dtc %s %s%s -O dtb '
  54                          '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb))
  55
  56     def run_bootm(sha_algo, test_type, expect_string):
  57         """Run a 'bootm' command U-Boot.
  58
  59         This always starts a fresh U-Boot instance since the device tree may
  60         contain a new public key.
  61
  62         Args:
  63             test_type: A string identifying the test type.
  64             expect_string: A string which is expected in the output.
  65             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
  66                     use.
  67         """
  68         cons.restart_uboot()
  69         with cons.log.section('Verified boot %s %s' % (sha_algo, test_type)):
  70             output = cons.run_command_list(
  71                 ['sb load hostfs - 100 %stest.fit' % tmpdir,
  72                 'fdt addr 100',
  73                 'bootm 100'])
  74         assert(expect_string in ''.join(output))
  75
  76     def make_fit(its):
  77         """Make a new FIT from the .its source file.
  78
  79         This runs 'mkimage -f' to create a new FIT.
  80
  81         Args:
  82             its: Filename containing .its source.
  83         """
  84         util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
  85                                 '%s%s' % (datadir, its), fit])
  86
  87     def sign_fit(sha_algo):
  88         """Sign the FIT
  89
  90         Signs the FIT and writes the signature into it. It also writes the
  91         public key into the dtb.
  92
  93         Args:
  94             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
  95                     use.
  96         """
  97         cons.log.action('%s: Sign images' % sha_algo)
  98         util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
  99                                 '-r', fit])
 100
 101     def test_with_algo(sha_algo):
 102         """Test verified boot with the given hash algorithm.
 103
 104         This is the main part of the test code. The same procedure is followed
 105         for both hashing algorithms.
 106
 107         Args:
 108             sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
 109                     use.
 110         """
 111         # Compile our device tree files for kernel and U-Boot. These are
 112         # regenerated here since mkimage will modify them (by adding a
 113         # public key) below.
 114         dtc('sandbox-kernel.dts')
 115         dtc('sandbox-u-boot.dts')
 116
 117         # Build the FIT, but don't sign anything yet
 118         cons.log.action('%s: Test FIT with signed images' % sha_algo)
 119         make_fit('sign-images-%s.its' % sha_algo)
 120         run_bootm(sha_algo, 'unsigned images', 'dev-')
 121
 122         # Sign images with our dev keys
 123         sign_fit(sha_algo)
 124         run_bootm(sha_algo, 'signed images', 'dev+')
 125
 126         # Create a fresh .dtb without the public keys
 127         dtc('sandbox-u-boot.dts')
 128
 129         cons.log.action('%s: Test FIT with signed configuration' % sha_algo)
 130         make_fit('sign-configs-%s.its' % sha_algo)
 131         run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo)
 132
 133         # Sign images with our dev keys
 134         sign_fit(sha_algo)
 135         run_bootm(sha_algo, 'signed config', 'dev+')
 136
 137         cons.log.action('%s: Check signed config on the host' % sha_algo)
 138
 139         util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
 140                                 '-k', dtb])
 141
 142         # Increment the first byte of the signature, which should cause failure
 143         sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
 144                                (fit, sig_node))
 145         byte_list = sig.split()
 146         byte = int(byte_list[0], 16)
 147         byte_list[0] = '%x' % (byte + 1)
 148         sig = ' '.join(byte_list)
 149         util.run_and_log(cons, 'fdtput -t bx %s %s value %s' %
 150                          (fit, sig_node, sig))
 151
 152         run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash')
 153
 154         cons.log.action('%s: Check bad config on the host' % sha_algo)
 155         util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
 156                 '-k', dtb], 1, 'Failed to verify required signature')
 157
 158     cons = u_boot_console
 159     tmpdir = cons.config.result_dir + '/'
 160     tmp = tmpdir + 'vboot.tmp'
 161     datadir = cons.config.source_dir + '/test/py/tests/vboot/'
 162     fit = '%stest.fit' % tmpdir
 163     mkimage = cons.config.build_dir + '/tools/mkimage'
 164     fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
 165     dtc_args = '-I dts -O dtb -i %s' % tmpdir
 166     dtb = '%ssandbox-u-boot.dtb' % tmpdir
 167     sig_node = '/configurations/conf@1/signature@1'
 168
 169     # Create an RSA key pair
 170     public_exponent = 65537
 171     util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %sdev.key '
 172                      '-pkeyopt rsa_keygen_bits:2048 '
 173                      '-pkeyopt rsa_keygen_pubexp:%d '
 174                      '2>/dev/null'  % (tmpdir, public_exponent))
 175
 176     # Create a certificate containing the public key
 177     util.run_and_log(cons, 'openssl req -batch -new -x509 -key %sdev.key -out '
 178                      '%sdev.crt' % (tmpdir, tmpdir))
 179
 180     # Create a number kernel image with zeroes
 181     with open('%stest-kernel.bin' % tmpdir, 'w') as fd:
 182         fd.write(5000 * chr(0))
 183
 184     try:
 185         # We need to use our own device tree file. Remember to restore it
 186         # afterwards.
 187         old_dtb = cons.config.dtb
 188         cons.config.dtb = dtb
 189         test_with_algo('sha1')
 190         test_with_algo('sha256')
 191     finally:
 192         # Go back to the original U-Boot with the correct dtb.
 193         cons.config.dtb = old_dtb
 194         cons.restart_uboot()