From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Thu, 18 Jul 2024 12:48:37 +0000 (+0200)
Subject: test_ukify: use sha384 in the signing tests
X-Git-Tag: v257-rc1~881^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=87204601df305c270ffa05430081bc5b76dede04;p=thirdparty%2Fsystemd.git

test_ukify: use sha384 in the signing tests

On Fedora, with crypto policy TEST-FEDORA41, sha1 is not allowed:

$ SYSTEMD_LOG_LEVEL=debug build/systemd-measure sign
  --linux=/lib/modules/6.9.7-200.fc40.x86_64/vmlinuz
  --osrel=/tmp/tmp.osrelbl2sr77f
  --cmdline=/tmp/tmp.cmdlineouc7hqtj
  --uname=/tmp/tmp.unamecbjgesty
  --pcrpkey=/tmp/tmpufiadu8l
  --initrd=/boot/3a9d668b4db749398a4a5e78a03bffa5/6.9.7-200.fc40.x86_64/initrd
  --sbat=/tmp/tmp.sbataz9arpy0
  --private-key=/tmp/tmppyf0gx6w
  --public-key=/tmp/tmpufiadu8l
  --bank=sha1
Measuring boot phases: enter-initrd, enter-initrd:leave-initrd, enter-initrd:leave-initrd:sysinit, enter-initrd:leave-initrd:sysinit:ready
Loaded 'libtss2-esys.so.0' via dlopen()
Loaded 'libtss2-rc.so.0' via dlopen()
Loaded 'libtss2-mu.so.0' via dlopen()
PolicyPCR calculated digest: cec1a2ccb188ddd171a2be7bfa6b31cb9148776647354eb1069e0f891ed2dbe7
Failed to initialize signature context: error:03000098:digital envelope routines::invalid digest
Failed to sign PCR policy: Input/output error
---

diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
index 123f9eac053..60d6498d586 100755
--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@@ -689,7 +689,7 @@ def test_pcr_signing(kernel_initrd, tmp_path):
         '--uname=1.2.3',
         '--cmdline=ARG1 ARG2 ARG3',
         '--os-release=ID=foobar\n',
-        '--pcr-banks=sha1',   # use sha1 because it doesn't really matter
+        '--pcr-banks=sha384',   # sha1 might not be allowed, use something else
         f'--pcr-private-key={priv.name}',
     ] + arg_tools
 
@@ -732,8 +732,8 @@ def test_pcr_signing(kernel_initrd, tmp_path):
         assert open(tmp_path / 'out.cmdline').read() == 'ARG1 ARG2 ARG3'
         sig = open(tmp_path / 'out.pcrsig').read()
         sig = json.loads(sig)
-        assert list(sig.keys()) == ['sha1']
-        assert len(sig['sha1']) == 4   # four items for four phases
+        assert list(sig.keys()) == ['sha384']
+        assert len(sig['sha384']) == 4   # four items for four phases
 
     shutil.rmtree(tmp_path)
 
@@ -765,7 +765,7 @@ def test_pcr_signing2(kernel_initrd, tmp_path):
         '--uname=1.2.3',
         '--cmdline=ARG1 ARG2 ARG3',
         '--os-release=ID=foobar\n',
-        '--pcr-banks=sha1',
+        '--pcr-banks=sha384',
         f'--pcrpkey={pub2.name}',
         f'--pcr-public-key={pub.name}',
         f'--pcr-private-key={priv.name}',
@@ -805,8 +805,8 @@ def test_pcr_signing2(kernel_initrd, tmp_path):
 
     sig = open(tmp_path / 'out.pcrsig').read()
     sig = json.loads(sig)
-    assert list(sig.keys()) == ['sha1']
-    assert len(sig['sha1']) == 6   # six items for six phases paths
+    assert list(sig.keys()) == ['sha384']
+    assert len(sig['sha384']) == 6   # six items for six phases paths
 
     shutil.rmtree(tmp_path)