172f52268SSimon Glass# Copyright (c) 2016, Google Inc. 28729d582SSimon Glass# 38729d582SSimon Glass# SPDX-License-Identifier: GPL-2.0+ 48729d582SSimon Glass# 58729d582SSimon Glass# U-Boot Verified Boot Test 68729d582SSimon Glass 78729d582SSimon Glass""" 88729d582SSimon GlassThis tests verified boot in the following ways: 98729d582SSimon Glass 108729d582SSimon GlassFor image verification: 118729d582SSimon Glass- Create FIT (unsigned) with mkimage 128729d582SSimon Glass- Check that verification shows that no keys are verified 138729d582SSimon Glass- Sign image 148729d582SSimon Glass- Check that verification shows that a key is now verified 158729d582SSimon Glass 168729d582SSimon GlassFor configuration verification: 178729d582SSimon Glass- Corrupt signature and check for failure 188729d582SSimon Glass- Create FIT (with unsigned configuration) with mkimage 1972f52268SSimon Glass- Check that image verification works 208729d582SSimon Glass- Sign the FIT and mark the key as 'required' for verification 218729d582SSimon Glass- Check that image verification works 228729d582SSimon Glass- Corrupt the signature 238729d582SSimon Glass- Check that image verification no-longer works 248729d582SSimon Glass 258729d582SSimon GlassTests run with both SHA1 and SHA256 hashing. 268729d582SSimon Glass""" 278729d582SSimon Glass 288729d582SSimon Glassimport pytest 298729d582SSimon Glassimport sys 308729d582SSimon Glassimport u_boot_utils as util 318729d582SSimon Glass 3204a4786cSMichal Simek@pytest.mark.boardspec('sandbox') 338729d582SSimon Glass@pytest.mark.buildconfigspec('fit_signature') 348729d582SSimon Glassdef test_vboot(u_boot_console): 358729d582SSimon Glass """Test verified boot signing with mkimage and verification with 'bootm'. 368729d582SSimon Glass 378729d582SSimon Glass This works using sandbox only as it needs to update the device tree used 388729d582SSimon Glass by U-Boot to hold public keys from the signing process. 398729d582SSimon Glass 408729d582SSimon Glass The SHA1 and SHA256 tests are combined into a single test since the 418729d582SSimon Glass key-generation process is quite slow and we want to avoid doing it twice. 428729d582SSimon Glass """ 438729d582SSimon Glass def dtc(dts): 4472f52268SSimon Glass """Run the device tree compiler to compile a .dts file 458729d582SSimon Glass 468729d582SSimon Glass The output file will be the same as the input file but with a .dtb 478729d582SSimon Glass extension. 488729d582SSimon Glass 498729d582SSimon Glass Args: 508729d582SSimon Glass dts: Device tree file to compile. 518729d582SSimon Glass """ 528729d582SSimon Glass dtb = dts.replace('.dts', '.dtb') 53*ec70f8a9SSimon Glass util.run_and_log(cons, 'dtc %s %s%s -O dtb ' 548729d582SSimon Glass '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb)) 558729d582SSimon Glass 568729d582SSimon Glass def run_bootm(test_type, expect_string): 578729d582SSimon Glass """Run a 'bootm' command U-Boot. 588729d582SSimon Glass 598729d582SSimon Glass This always starts a fresh U-Boot instance since the device tree may 608729d582SSimon Glass contain a new public key. 618729d582SSimon Glass 628729d582SSimon Glass Args: 638729d582SSimon Glass test_type: A string identifying the test type 648729d582SSimon Glass expect_string: A string which is expected in the output 658729d582SSimon Glass """ 668729d582SSimon Glass cons.cleanup_spawn() 678729d582SSimon Glass cons.ensure_spawned() 688729d582SSimon Glass cons.log.action('%s: Test Verified Boot Run: %s' % (algo, test_type)) 698729d582SSimon Glass output = cons.run_command_list( 708729d582SSimon Glass ['sb load hostfs - 100 %stest.fit' % tmpdir, 718729d582SSimon Glass 'fdt addr 100', 728729d582SSimon Glass 'bootm 100']) 738729d582SSimon Glass assert(expect_string in output) 748729d582SSimon Glass 758729d582SSimon Glass def make_fit(its): 7672f52268SSimon Glass """Make a new FIT from the .its source file. 778729d582SSimon Glass 788729d582SSimon Glass This runs 'mkimage -f' to create a new FIT. 798729d582SSimon Glass 808729d582SSimon Glass Args: 8172f52268SSimon Glass its: Filename containing .its source. 828729d582SSimon Glass """ 838729d582SSimon Glass util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f', 848729d582SSimon Glass '%s%s' % (datadir, its), fit]) 858729d582SSimon Glass 868729d582SSimon Glass def sign_fit(): 878729d582SSimon Glass """Sign the FIT 888729d582SSimon Glass 898729d582SSimon Glass Signs the FIT and writes the signature into it. It also writes the 908729d582SSimon Glass public key into the dtb. 918729d582SSimon Glass """ 928729d582SSimon Glass cons.log.action('%s: Sign images' % algo) 938729d582SSimon Glass util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb, 948729d582SSimon Glass '-r', fit]) 958729d582SSimon Glass 968729d582SSimon Glass def test_with_algo(sha): 9772f52268SSimon Glass """Test verified boot with the given hash algorithm. 988729d582SSimon Glass 998729d582SSimon Glass This is the main part of the test code. The same procedure is followed 1008729d582SSimon Glass for both hashing algorithms. 1018729d582SSimon Glass 1028729d582SSimon Glass Args: 1038729d582SSimon Glass sha: Either 'sha1' or 'sha256', to select the algorithm to use 1048729d582SSimon Glass """ 1058729d582SSimon Glass global algo 1068729d582SSimon Glass 1078729d582SSimon Glass algo = sha 1088729d582SSimon Glass 109bcbd0c8fSSimon Glass # Compile our device tree files for kernel and U-Boot. These are 110bcbd0c8fSSimon Glass # regenerated here since mkimage will modify them (by adding a 111bcbd0c8fSSimon Glass # public key) below. 1128729d582SSimon Glass dtc('sandbox-kernel.dts') 1138729d582SSimon Glass dtc('sandbox-u-boot.dts') 1148729d582SSimon Glass 1158729d582SSimon Glass # Build the FIT, but don't sign anything yet 1168729d582SSimon Glass cons.log.action('%s: Test FIT with signed images' % algo) 1178729d582SSimon Glass make_fit('sign-images-%s.its' % algo) 1188729d582SSimon Glass run_bootm('unsigned images', 'dev-') 1198729d582SSimon Glass 1208729d582SSimon Glass # Sign images with our dev keys 1218729d582SSimon Glass sign_fit() 1228729d582SSimon Glass run_bootm('signed images', 'dev+') 1238729d582SSimon Glass 1248729d582SSimon Glass # Create a fresh .dtb without the public keys 1258729d582SSimon Glass dtc('sandbox-u-boot.dts') 1268729d582SSimon Glass 1278729d582SSimon Glass cons.log.action('%s: Test FIT with signed configuration' % algo) 1288729d582SSimon Glass make_fit('sign-configs-%s.its' % algo) 1298729d582SSimon Glass run_bootm('unsigned config', '%s+ OK' % algo) 1308729d582SSimon Glass 1318729d582SSimon Glass # Sign images with our dev keys 1328729d582SSimon Glass sign_fit() 1338729d582SSimon Glass run_bootm('signed config', 'dev+') 1348729d582SSimon Glass 1358729d582SSimon Glass cons.log.action('%s: Check signed config on the host' % algo) 1368729d582SSimon Glass 1378729d582SSimon Glass util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir, 1388729d582SSimon Glass '-k', dtb]) 1398729d582SSimon Glass 1408729d582SSimon Glass # Increment the first byte of the signature, which should cause failure 141*ec70f8a9SSimon Glass sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' % 142*ec70f8a9SSimon Glass (fit, sig_node)) 1438729d582SSimon Glass byte_list = sig.split() 1448729d582SSimon Glass byte = int(byte_list[0], 16) 145bcbd0c8fSSimon Glass byte_list[0] = '%x' % (byte + 1) 1468729d582SSimon Glass sig = ' '.join(byte_list) 147*ec70f8a9SSimon Glass util.run_and_log(cons, 'fdtput -t bx %s %s value %s' % 148*ec70f8a9SSimon Glass (fit, sig_node, sig)) 1498729d582SSimon Glass 1508729d582SSimon Glass run_bootm('Signed config with bad hash', 'Bad Data Hash') 1518729d582SSimon Glass 1528729d582SSimon Glass cons.log.action('%s: Check bad config on the host' % algo) 1538729d582SSimon Glass util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit, 1548729d582SSimon Glass '-k', dtb], 1, 'Failed to verify required signature') 1558729d582SSimon Glass 1568729d582SSimon Glass cons = u_boot_console 1578729d582SSimon Glass tmpdir = cons.config.result_dir + '/' 1588729d582SSimon Glass tmp = tmpdir + 'vboot.tmp' 159c9ba60c4SStephen Warren datadir = cons.config.source_dir + '/test/py/tests/vboot/' 1608729d582SSimon Glass fit = '%stest.fit' % tmpdir 1618729d582SSimon Glass mkimage = cons.config.build_dir + '/tools/mkimage' 1628729d582SSimon Glass fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign' 1638729d582SSimon Glass dtc_args = '-I dts -O dtb -i %s' % tmpdir 1648729d582SSimon Glass dtb = '%ssandbox-u-boot.dtb' % tmpdir 1658729d582SSimon Glass sig_node = '/configurations/conf@1/signature@1' 1668729d582SSimon Glass 1678729d582SSimon Glass # Create an RSA key pair 1688729d582SSimon Glass public_exponent = 65537 169*ec70f8a9SSimon Glass util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %sdev.key ' 1708729d582SSimon Glass '-pkeyopt rsa_keygen_bits:2048 ' 1718729d582SSimon Glass '-pkeyopt rsa_keygen_pubexp:%d ' 1728729d582SSimon Glass '2>/dev/null' % (tmpdir, public_exponent)) 1738729d582SSimon Glass 1748729d582SSimon Glass # Create a certificate containing the public key 175*ec70f8a9SSimon Glass util.run_and_log(cons, 'openssl req -batch -new -x509 -key %sdev.key -out ' 1768729d582SSimon Glass '%sdev.crt' % (tmpdir, tmpdir)) 1778729d582SSimon Glass 1788729d582SSimon Glass # Create a number kernel image with zeroes 1798729d582SSimon Glass with open('%stest-kernel.bin' % tmpdir, 'w') as fd: 1808729d582SSimon Glass fd.write(5000 * chr(0)) 1818729d582SSimon Glass 1828729d582SSimon Glass try: 1838729d582SSimon Glass # We need to use our own device tree file. Remember to restore it 1848729d582SSimon Glass # afterwards. 1858729d582SSimon Glass old_dtb = cons.config.dtb 1868729d582SSimon Glass cons.config.dtb = dtb 1878729d582SSimon Glass test_with_algo('sha1') 1888729d582SSimon Glass test_with_algo('sha256') 1898729d582SSimon Glass finally: 1908729d582SSimon Glass cons.config.dtb = old_dtb 191