xref: /openbmc/u-boot/test/py/tests/test_vboot.py (revision 5c8fd32b)
1# SPDX-License-Identifier:	GPL-2.0+
2# Copyright (c) 2016, Google Inc.
3#
4# U-Boot Verified Boot Test
5
6"""
7This tests verified boot in the following ways:
8
9For image verification:
10- Create FIT (unsigned) with mkimage
11- Check that verification shows that no keys are verified
12- Sign image
13- Check that verification shows that a key is now verified
14
15For configuration verification:
16- Corrupt signature and check for failure
17- Create FIT (with unsigned configuration) with mkimage
18- Check that image verification works
19- Sign the FIT and mark the key as 'required' for verification
20- Check that image verification works
21- Corrupt the signature
22- Check that image verification no-longer works
23
24Tests run with both SHA1 and SHA256 hashing.
25"""
26
27import pytest
28import sys
29import struct
30import u_boot_utils as util
31
32@pytest.mark.boardspec('sandbox')
33@pytest.mark.buildconfigspec('fit_signature')
34@pytest.mark.requiredtool('dtc')
35@pytest.mark.requiredtool('fdtget')
36@pytest.mark.requiredtool('fdtput')
37@pytest.mark.requiredtool('openssl')
38def test_vboot(u_boot_console):
39    """Test verified boot signing with mkimage and verification with 'bootm'.
40
41    This works using sandbox only as it needs to update the device tree used
42    by U-Boot to hold public keys from the signing process.
43
44    The SHA1 and SHA256 tests are combined into a single test since the
45    key-generation process is quite slow and we want to avoid doing it twice.
46    """
47    def dtc(dts):
48        """Run the device tree compiler to compile a .dts file
49
50        The output file will be the same as the input file but with a .dtb
51        extension.
52
53        Args:
54            dts: Device tree file to compile.
55        """
56        dtb = dts.replace('.dts', '.dtb')
57        util.run_and_log(cons, 'dtc %s %s%s -O dtb '
58                         '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb))
59
60    def run_bootm(sha_algo, test_type, expect_string, boots):
61        """Run a 'bootm' command U-Boot.
62
63        This always starts a fresh U-Boot instance since the device tree may
64        contain a new public key.
65
66        Args:
67            test_type: A string identifying the test type.
68            expect_string: A string which is expected in the output.
69            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
70                    use.
71            boots: A boolean that is True if Linux should boot and False if
72                    we are expected to not boot
73        """
74        cons.restart_uboot()
75        with cons.log.section('Verified boot %s %s' % (sha_algo, test_type)):
76            output = cons.run_command_list(
77                ['sb load hostfs - 100 %stest.fit' % tmpdir,
78                'fdt addr 100',
79                'bootm 100'])
80        assert(expect_string in ''.join(output))
81        if boots:
82            assert('sandbox: continuing, as we cannot run' in ''.join(output))
83
84    def make_fit(its):
85        """Make a new FIT from the .its source file.
86
87        This runs 'mkimage -f' to create a new FIT.
88
89        Args:
90            its: Filename containing .its source.
91        """
92        util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
93                                '%s%s' % (datadir, its), fit])
94
95    def sign_fit(sha_algo):
96        """Sign the FIT
97
98        Signs the FIT and writes the signature into it. It also writes the
99        public key into the dtb.
100
101        Args:
102            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
103                    use.
104        """
105        cons.log.action('%s: Sign images' % sha_algo)
106        util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
107                                '-r', fit])
108
109    def replace_fit_totalsize(size):
110        """Replace FIT header's totalsize with something greater.
111
112        The totalsize must be less than or equal to FIT_SIGNATURE_MAX_SIZE.
113        If the size is greater, the signature verification should return false.
114
115        Args:
116            size: The new totalsize of the header
117
118        Returns:
119            prev_size: The previous totalsize read from the header
120        """
121        total_size = 0
122        with open(fit, 'r+b') as handle:
123            handle.seek(4)
124            total_size = handle.read(4)
125            handle.seek(4)
126            handle.write(struct.pack(">I", size))
127        return struct.unpack(">I", total_size)[0]
128
129    def test_with_algo(sha_algo):
130        """Test verified boot with the given hash algorithm.
131
132        This is the main part of the test code. The same procedure is followed
133        for both hashing algorithms.
134
135        Args:
136            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
137                    use.
138        """
139        # Compile our device tree files for kernel and U-Boot. These are
140        # regenerated here since mkimage will modify them (by adding a
141        # public key) below.
142        dtc('sandbox-kernel.dts')
143        dtc('sandbox-u-boot.dts')
144
145        # Build the FIT, but don't sign anything yet
146        cons.log.action('%s: Test FIT with signed images' % sha_algo)
147        make_fit('sign-images-%s.its' % sha_algo)
148        run_bootm(sha_algo, 'unsigned images', 'dev-', True)
149
150        # Sign images with our dev keys
151        sign_fit(sha_algo)
152        run_bootm(sha_algo, 'signed images', 'dev+', True)
153
154        # Create a fresh .dtb without the public keys
155        dtc('sandbox-u-boot.dts')
156
157        cons.log.action('%s: Test FIT with signed configuration' % sha_algo)
158        make_fit('sign-configs-%s.its' % sha_algo)
159        run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
160
161        # Sign images with our dev keys
162        sign_fit(sha_algo)
163        run_bootm(sha_algo, 'signed config', 'dev+', True)
164
165        cons.log.action('%s: Check signed config on the host' % sha_algo)
166
167        util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
168                                '-k', dtb])
169
170        # Replace header bytes
171        bcfg = u_boot_console.config.buildconfig
172        max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
173        existing_size = replace_fit_totalsize(max_size + 1)
174        run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False)
175        cons.log.action('%s: Check overflowed FIT header totalsize' % sha_algo)
176
177        # Replace with existing header bytes
178        replace_fit_totalsize(existing_size)
179        run_bootm(sha_algo, 'signed config', 'dev+', True)
180        cons.log.action('%s: Check default FIT header totalsize' % sha_algo)
181
182        # Increment the first byte of the signature, which should cause failure
183        sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
184                               (fit, sig_node))
185        byte_list = sig.split()
186        byte = int(byte_list[0], 16)
187        byte_list[0] = '%x' % (byte + 1)
188        sig = ' '.join(byte_list)
189        util.run_and_log(cons, 'fdtput -t bx %s %s value %s' %
190                         (fit, sig_node, sig))
191
192        run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False)
193
194        cons.log.action('%s: Check bad config on the host' % sha_algo)
195        util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
196                '-k', dtb], 1, 'Failed to verify required signature')
197
198    cons = u_boot_console
199    tmpdir = cons.config.result_dir + '/'
200    tmp = tmpdir + 'vboot.tmp'
201    datadir = cons.config.source_dir + '/test/py/tests/vboot/'
202    fit = '%stest.fit' % tmpdir
203    mkimage = cons.config.build_dir + '/tools/mkimage'
204    fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
205    dtc_args = '-I dts -O dtb -i %s' % tmpdir
206    dtb = '%ssandbox-u-boot.dtb' % tmpdir
207    sig_node = '/configurations/conf@1/signature@1'
208
209    # Create an RSA key pair
210    public_exponent = 65537
211    util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %sdev.key '
212                     '-pkeyopt rsa_keygen_bits:2048 '
213                     '-pkeyopt rsa_keygen_pubexp:%d' %
214                     (tmpdir, public_exponent))
215
216    # Create a certificate containing the public key
217    util.run_and_log(cons, 'openssl req -batch -new -x509 -key %sdev.key -out '
218                     '%sdev.crt' % (tmpdir, tmpdir))
219
220    # Create a number kernel image with zeroes
221    with open('%stest-kernel.bin' % tmpdir, 'w') as fd:
222        fd.write(5000 * chr(0))
223
224    try:
225        # We need to use our own device tree file. Remember to restore it
226        # afterwards.
227        old_dtb = cons.config.dtb
228        cons.config.dtb = dtb
229        test_with_algo('sha1')
230        test_with_algo('sha256')
231    finally:
232        # Go back to the original U-Boot with the correct dtb.
233        cons.config.dtb = old_dtb
234        cons.restart_uboot()
235