aboutsummaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
Diffstat (limited to 'test')
-rw-r--r--test/py/tests/test_fit_hashes.py111
-rw-r--r--test/py/tests/test_hush_if_test.py20
-rw-r--r--test/py/tests/test_tpm2.py52
-rw-r--r--test/py/tests/test_vboot.py29
-rw-r--r--test/py/tests/vboot/hash-images.its76
5 files changed, 255 insertions, 33 deletions
diff --git a/test/py/tests/test_fit_hashes.py b/test/py/tests/test_fit_hashes.py
new file mode 100644
index 00000000000..e228ea96d31
--- /dev/null
+++ b/test/py/tests/test_fit_hashes.py
@@ -0,0 +1,111 @@
+# SPDX-License-Identifier: GPL-2.0+
+#
+# Copyright (c) 2021 Alexandru Gagniuc <mr.nuke.me@gmail.com>
+
+"""
+Check hashes produced by mkimage against known values
+
+This test checks the correctness of mkimage's hashes. by comparing the mkimage
+output of a fixed data block with known good hashes.
+This test doesn't run the sandbox. It only checks the host tool 'mkimage'
+"""
+
+import pytest
+import u_boot_utils as util
+
+kernel_hashes = {
+ "sha512" : "f18c1486a2c29f56360301576cdfce4dfd8e8e932d0ed8e239a1f314b8ae1d77b2a58cd7fe32e4075e69448e623ce53b0b6aa6ce5626d2c189a5beae29a68d93",
+ "sha384" : "16e28976740048485d08d793d8bf043ebc7826baf2bc15feac72825ad67530ceb3d09e0deb6932c62a5a0e9f3936baf4",
+ "sha256" : "2955c56bc1e5050c111ba6e089e0f5342bb47dedf77d87e3f429095feb98a7e5",
+ "sha1" : "652383e1a6d946953e1f65092c9435f6452c2ab7",
+ "md5" : "4879e5086e4c76128e525b5fe2af55f1",
+ "crc32" : "32eddfdf",
+ "crc16-ccitt" : "d4be"
+}
+
+class ReadonlyFitImage(object):
+ """ Helper to manipulate a FIT image on disk """
+ def __init__(self, cons, file_name):
+ self.fit = file_name
+ self.cons = cons
+ self.hashable_nodes = set()
+
+ def __fdt_list(self, path):
+ return util.run_and_log(self.cons, f'fdtget -l {self.fit} {path}')
+
+ def __fdt_get(self, node, prop):
+ val = util.run_and_log(self.cons, f'fdtget {self.fit} {node} {prop}')
+ return val.rstrip('\n')
+
+ def __fdt_get_sexadecimal(self, node, prop):
+ numbers = util.run_and_log(self.cons, f'fdtget -tbx {self.fit} {node} {prop}')
+
+ sexadecimal = ''
+ for num in numbers.rstrip('\n').split(' '):
+ sexadecimal += num.zfill(2)
+ return sexadecimal
+
+ def find_hashable_image_nodes(self):
+ for node in self.__fdt_list('/images').split():
+ # We only have known hashes for the kernel node
+ if 'kernel' not in node:
+ continue
+ self.hashable_nodes.add(f'/images/{node}')
+
+ return self.hashable_nodes
+
+ def verify_hashes(self):
+ for image in self.hashable_nodes:
+ algos = set()
+ for node in self.__fdt_list(image).split():
+ if "hash-" not in node:
+ continue
+
+ raw_hash = self.__fdt_get_sexadecimal(f'{image}/{node}', 'value')
+ algo = self.__fdt_get(f'{image}/{node}', 'algo')
+ algos.add(algo)
+
+ good_hash = kernel_hashes[algo]
+ if good_hash != raw_hash:
+ raise ValueError(f'{image} Borked hash: {algo}');
+
+ # Did we test all the hashes we set out to test?
+ missing_algos = kernel_hashes.keys() - algos
+ if (missing_algos):
+ raise ValueError(f'Missing hashes from FIT: {missing_algos}')
+
+
+@pytest.mark.buildconfigspec('hash')
+@pytest.mark.requiredtool('dtc')
+@pytest.mark.requiredtool('fdtget')
+@pytest.mark.requiredtool('fdtput')
+def test_mkimage_hashes(u_boot_console):
+ """ Test that hashes generated by mkimage are correct. """
+
+ def assemble_fit_image(dest_fit, its, destdir):
+ dtc_args = f'-I dts -O dtb -i {destdir}'
+ util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f', its, dest_fit])
+
+ def dtc(dts):
+ dtb = dts.replace('.dts', '.dtb')
+ util.run_and_log(cons, f'dtc {datadir}/{dts} -O dtb -o {tempdir}/{dtb}')
+
+ cons = u_boot_console
+ mkimage = cons.config.build_dir + '/tools/mkimage'
+ datadir = cons.config.source_dir + '/test/py/tests/vboot/'
+ tempdir = cons.config.result_dir
+ fit_file = f'{tempdir}/test.fit'
+ dtc('sandbox-kernel.dts')
+
+ # Create a fake kernel image -- Avoid zeroes or crc16 will be zero
+ with open(f'{tempdir}/test-kernel.bin', 'w') as fd:
+ fd.write(500 * chr(0xa5))
+
+ assemble_fit_image(fit_file, f'{datadir}/hash-images.its', tempdir)
+
+ fit = ReadonlyFitImage(cons, fit_file)
+ nodes = fit.find_hashable_image_nodes()
+ if len(nodes) == 0:
+ raise ValueError('FIT image has no "/image" nodes with "hash-..."')
+
+ fit.verify_hashes()
diff --git a/test/py/tests/test_hush_if_test.py b/test/py/tests/test_hush_if_test.py
index d117921a6ac..37c1608bb22 100644
--- a/test/py/tests/test_hush_if_test.py
+++ b/test/py/tests/test_hush_if_test.py
@@ -119,11 +119,6 @@ subtests = (
('test ! ! aaa != aaa -o ! ! bbb = bbb', True),
('test ! ! aaa = aaa -o ! ! bbb != bbb', True),
('test ! ! aaa = aaa -o ! ! bbb = bbb', True),
-
- # -z operator.
-
- ('test -z "$ut_var_nonexistent"', True),
- ('test -z "$ut_var_exists"', False),
)
def exec_hush_if(u_boot_console, expr, result):
@@ -141,12 +136,6 @@ def exec_hush_if(u_boot_console, expr, result):
response = u_boot_console.run_command(cmd)
assert response.strip() == str(result).lower()
-def test_hush_if_test_setup(u_boot_console):
- """Set up environment variables used during the "if" tests."""
-
- u_boot_console.run_command('setenv ut_var_nonexistent')
- u_boot_console.run_command('setenv ut_var_exists 1')
-
@pytest.mark.buildconfigspec('cmd_echo')
@pytest.mark.parametrize('expr,result', subtests)
def test_hush_if_test(u_boot_console, expr, result):
@@ -154,9 +143,12 @@ def test_hush_if_test(u_boot_console, expr, result):
exec_hush_if(u_boot_console, expr, result)
-def test_hush_if_test_teardown(u_boot_console):
- """Clean up environment variables used during the "if" tests."""
-
+def test_hush_z(u_boot_console):
+ """Test the -z operator"""
+ u_boot_console.run_command('setenv ut_var_nonexistent')
+ u_boot_console.run_command('setenv ut_var_exists 1')
+ exec_hush_if(u_boot_console, 'test -z "$ut_var_nonexistent"', True)
+ exec_hush_if(u_boot_console, 'test -z "$ut_var_exists"', False)
u_boot_console.run_command('setenv ut_var_exists')
# We might test this on real filesystems via UMS, DFU, 'save', etc.
diff --git a/test/py/tests/test_tpm2.py b/test/py/tests/test_tpm2.py
index c7a9dc19bd4..7c89f5f2937 100644
--- a/test/py/tests/test_tpm2.py
+++ b/test/py/tests/test_tpm2.py
@@ -52,14 +52,17 @@ def force_init(u_boot_console, force=False):
u_boot_console.run_command('tpm2 clear TPM2_RH_PLATFORM')
u_boot_console.run_command('echo --- end of init ---')
+def is_sandbox(cons):
+ # Array slice removes leading/trailing quotes.
+ sys_arch = cons.config.buildconfig.get('config_sys_arch', '"sandbox"')[1:-1]
+ return sys_arch == 'sandbox'
+
@pytest.mark.buildconfigspec('cmd_tpm_v2')
def test_tpm2_init(u_boot_console):
"""Init the software stack to use TPMv2 commands."""
-
skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
if skip_test:
pytest.skip('skip TPM device test')
-
u_boot_console.run_command('tpm2 init')
output = u_boot_console.run_command('echo $?')
assert output.endswith('0')
@@ -70,6 +73,19 @@ def test_tpm2_startup(u_boot_console):
Initiate the TPM internal state machine.
"""
+ u_boot_console.run_command('tpm2 startup TPM2_SU_CLEAR')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+def tpm2_sandbox_init(u_boot_console):
+ """Put sandbox back into a known state so we can run a test
+
+ This allows all tests to run in parallel, since no test depends on another.
+ """
+ u_boot_console.restart_uboot()
+ u_boot_console.run_command('tpm2 init')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
if skip_test:
@@ -78,12 +94,25 @@ def test_tpm2_startup(u_boot_console):
output = u_boot_console.run_command('echo $?')
assert output.endswith('0')
+ u_boot_console.run_command('tpm2 self_test full')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
@pytest.mark.buildconfigspec('cmd_tpm_v2')
-def test_tpm2_self_test_full(u_boot_console):
+def test_tpm2_sandbox_self_test_full(u_boot_console):
"""Execute a TPM2_SelfTest (full) command.
Ask the TPM to perform all self tests to also enable full capabilities.
"""
+ if is_sandbox(u_boot_console):
+ u_boot_console.restart_uboot()
+ u_boot_console.run_command('tpm2 init')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
+
+ u_boot_console.run_command('tpm2 startup TPM2_SU_CLEAR')
+ output = u_boot_console.run_command('echo $?')
+ assert output.endswith('0')
skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
if skip_test:
@@ -103,6 +132,8 @@ def test_tpm2_continue_self_test(u_boot_console):
skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
if skip_test:
pytest.skip('skip TPM device test')
+ if is_sandbox(u_boot_console):
+ tpm2_sandbox_init(u_boot_console)
u_boot_console.run_command('tpm2 self_test continue')
output = u_boot_console.run_command('echo $?')
assert output.endswith('0')
@@ -119,6 +150,8 @@ def test_tpm2_clear(u_boot_console):
not have a password set, otherwise this test will fail. ENDORSEMENT and
PLATFORM hierarchies are also available.
"""
+ if is_sandbox(u_boot_console):
+ tpm2_sandbox_init(u_boot_console)
skip_test = u_boot_console.config.env.get('env__tpm_device_test_skip', False)
if skip_test:
@@ -140,7 +173,8 @@ def test_tpm2_change_auth(u_boot_console):
Use the LOCKOUT hierarchy for this. ENDORSEMENT and PLATFORM hierarchies are
also available.
"""
-
+ if is_sandbox(u_boot_console):
+ tpm2_sandbox_init(u_boot_console)
force_init(u_boot_console)
u_boot_console.run_command('tpm2 change_auth TPM2_RH_LOCKOUT unicorn')
@@ -164,6 +198,8 @@ def test_tpm2_get_capability(u_boot_console):
There is no expected default values because it would depend on the chip
used. We can still save them in order to check they have changed later.
"""
+ if is_sandbox(u_boot_console):
+ tpm2_sandbox_init(u_boot_console)
force_init(u_boot_console)
ram = u_boot_utils.find_ram_base(u_boot_console)
@@ -186,7 +222,8 @@ def test_tpm2_dam_parameters(u_boot_console):
the authentication, otherwise the lockout will be engaged after the first
failed authentication attempt.
"""
-
+ if is_sandbox(u_boot_console):
+ tpm2_sandbox_init(u_boot_console)
force_init(u_boot_console)
ram = u_boot_utils.find_ram_base(u_boot_console)
@@ -209,6 +246,8 @@ def test_tpm2_pcr_read(u_boot_console):
Perform a PCR read of the 0th PCR. Must be zero.
"""
+ if is_sandbox(u_boot_console):
+ tpm2_sandbox_init(u_boot_console)
force_init(u_boot_console)
ram = u_boot_utils.find_ram_base(u_boot_console)
@@ -236,7 +275,8 @@ def test_tpm2_pcr_extend(u_boot_console):
No authentication mechanism is used here, not protecting against packet
replay, yet.
"""
-
+ if is_sandbox(u_boot_console):
+ tpm2_sandbox_init(u_boot_console)
force_init(u_boot_console)
ram = u_boot_utils.find_ram_base(u_boot_console)
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index 6dff6779d17..095e00cce36 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -24,6 +24,7 @@ For configuration verification:
Tests run with both SHA1 and SHA256 hashing.
"""
+import os
import shutil
import struct
import pytest
@@ -34,16 +35,16 @@ import vboot_evil
# Only run the full suite on a few combinations, since it doesn't add any more
# test coverage.
TESTDATA = [
- ['sha1', '', None, False, True],
- ['sha1', '', '-E -p 0x10000', False, False],
- ['sha1', '-pss', None, False, False],
- ['sha1', '-pss', '-E -p 0x10000', False, False],
- ['sha256', '', None, False, False],
- ['sha256', '', '-E -p 0x10000', False, False],
- ['sha256', '-pss', None, False, False],
- ['sha256', '-pss', '-E -p 0x10000', False, False],
- ['sha256', '-pss', None, True, False],
- ['sha256', '-pss', '-E -p 0x10000', True, True],
+ ['sha1-basic', 'sha1', '', None, False, True],
+ ['sha1-pad', 'sha1', '', '-E -p 0x10000', False, False],
+ ['sha1-pss', 'sha1', '-pss', None, False, False],
+ ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False, False],
+ ['sha256-basic', 'sha256', '', None, False, False],
+ ['sha256-pad', 'sha256', '', '-E -p 0x10000', False, False],
+ ['sha256-pss', 'sha256', '-pss', None, False, False],
+ ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False],
+ ['sha256-pss-required', 'sha256', '-pss', None, True, False],
+ ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True],
]
@pytest.mark.boardspec('sandbox')
@@ -52,9 +53,9 @@ TESTDATA = [
@pytest.mark.requiredtool('fdtget')
@pytest.mark.requiredtool('fdtput')
@pytest.mark.requiredtool('openssl')
-@pytest.mark.parametrize("sha_algo,padding,sign_options,required,full_test",
+@pytest.mark.parametrize("name,sha_algo,padding,sign_options,required,full_test",
TESTDATA)
-def test_vboot(u_boot_console, sha_algo, padding, sign_options, required,
+def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
full_test):
"""Test verified boot signing with mkimage and verification with 'bootm'.
@@ -365,7 +366,9 @@ def test_vboot(u_boot_console, sha_algo, padding, sign_options, required,
run_bootm(sha_algo, 'multi required key', '', False)
cons = u_boot_console
- tmpdir = cons.config.result_dir + '/'
+ tmpdir = os.path.join(cons.config.result_dir, name) + '/'
+ if not os.path.exists(tmpdir):
+ os.mkdir(tmpdir)
datadir = cons.config.source_dir + '/test/py/tests/vboot/'
fit = '%stest.fit' % tmpdir
mkimage = cons.config.build_dir + '/tools/mkimage'
diff --git a/test/py/tests/vboot/hash-images.its b/test/py/tests/vboot/hash-images.its
new file mode 100644
index 00000000000..3ff797288c2
--- /dev/null
+++ b/test/py/tests/vboot/hash-images.its
@@ -0,0 +1,76 @@
+/dts-v1/;
+
+/ {
+ description = "Chrome OS kernel image with one or more FDT blobs";
+ #address-cells = <1>;
+
+ images {
+ kernel {
+ data = /incbin/("test-kernel.bin");
+ type = "kernel_noload";
+ arch = "sandbox";
+ os = "linux";
+ compression = "none";
+ load = <0x4>;
+ entry = <0x8>;
+ kernel-version = <1>;
+ hash-0 {
+ algo = "crc16-ccitt";
+ };
+ hash-1 {
+ algo = "crc32";
+ };
+ hash-2 {
+ algo = "md5";
+ };
+ hash-3 {
+ algo = "sha1";
+ };
+ hash-4 {
+ algo = "sha256";
+ };
+ hash-5 {
+ algo = "sha384";
+ };
+ hash-6 {
+ algo = "sha512";
+ };
+ };
+ fdt-1 {
+ description = "snow";
+ data = /incbin/("sandbox-kernel.dtb");
+ type = "flat_dt";
+ arch = "sandbox";
+ compression = "none";
+ fdt-version = <1>;
+ hash-0 {
+ algo = "crc16-ccitt";
+ };
+ hash-1 {
+ algo = "crc32";
+ };
+ hash-2 {
+ algo = "md5";
+ };
+ hash-3 {
+ algo = "sha1";
+ };
+ hash-4 {
+ algo = "sha256";
+ };
+ hash-5 {
+ algo = "sha384";
+ };
+ hash-6 {
+ algo = "sha512";
+ };
+ };
+ };
+ configurations {
+ default = "conf-1";
+ conf-1 {
+ kernel = "kernel";
+ fdt = "fdt-1";
+ };
+ };
+};
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-15 20:53:28 +0000