xref: /openbmc/u-boot/test/py/tests/test_vboot.py (revision 87a62bce)
1# SPDX-License-Identifier:	GPL-2.0+
2# Copyright (c) 2016, Google Inc.
3#
4# U-Boot Verified Boot Test
5
6"""
7This tests verified boot in the following ways:
8
9For image verification:
10- Create FIT (unsigned) with mkimage
11- Check that verification shows that no keys are verified
12- Sign image
13- Check that verification shows that a key is now verified
14
15For configuration verification:
16- Corrupt signature and check for failure
17- Create FIT (with unsigned configuration) with mkimage
18- Check that image verification works
19- Sign the FIT and mark the key as 'required' for verification
20- Check that image verification works
21- Corrupt the signature
22- Check that image verification no-longer works
23
24Tests run with both SHA1 and SHA256 hashing.
25"""
26
27import pytest
28import sys
29import u_boot_utils as util
30
31@pytest.mark.boardspec('sandbox')
32@pytest.mark.buildconfigspec('fit_signature')
33@pytest.mark.requiredtool('dtc')
34@pytest.mark.requiredtool('fdtget')
35@pytest.mark.requiredtool('fdtput')
36@pytest.mark.requiredtool('openssl')
37def test_vboot(u_boot_console):
38    """Test verified boot signing with mkimage and verification with 'bootm'.
39
40    This works using sandbox only as it needs to update the device tree used
41    by U-Boot to hold public keys from the signing process.
42
43    The SHA1 and SHA256 tests are combined into a single test since the
44    key-generation process is quite slow and we want to avoid doing it twice.
45    """
46    def dtc(dts):
47        """Run the device tree compiler to compile a .dts file
48
49        The output file will be the same as the input file but with a .dtb
50        extension.
51
52        Args:
53            dts: Device tree file to compile.
54        """
55        dtb = dts.replace('.dts', '.dtb')
56        util.run_and_log(cons, 'dtc %s %s%s -O dtb '
57                         '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb))
58
59    def run_bootm(sha_algo, test_type, expect_string, boots):
60        """Run a 'bootm' command U-Boot.
61
62        This always starts a fresh U-Boot instance since the device tree may
63        contain a new public key.
64
65        Args:
66            test_type: A string identifying the test type.
67            expect_string: A string which is expected in the output.
68            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
69                    use.
70            boots: A boolean that is True if Linux should boot and False if
71                    we are expected to not boot
72        """
73        cons.restart_uboot()
74        with cons.log.section('Verified boot %s %s' % (sha_algo, test_type)):
75            output = cons.run_command_list(
76                ['sb load hostfs - 100 %stest.fit' % tmpdir,
77                'fdt addr 100',
78                'bootm 100'])
79        assert(expect_string in ''.join(output))
80        if boots:
81            assert('sandbox: continuing, as we cannot run' in ''.join(output))
82
83    def make_fit(its):
84        """Make a new FIT from the .its source file.
85
86        This runs 'mkimage -f' to create a new FIT.
87
88        Args:
89            its: Filename containing .its source.
90        """
91        util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
92                                '%s%s' % (datadir, its), fit])
93
94    def sign_fit(sha_algo):
95        """Sign the FIT
96
97        Signs the FIT and writes the signature into it. It also writes the
98        public key into the dtb.
99
100        Args:
101            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
102                    use.
103        """
104        cons.log.action('%s: Sign images' % sha_algo)
105        util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
106                                '-r', fit])
107
108    def test_with_algo(sha_algo):
109        """Test verified boot with the given hash algorithm.
110
111        This is the main part of the test code. The same procedure is followed
112        for both hashing algorithms.
113
114        Args:
115            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
116                    use.
117        """
118        # Compile our device tree files for kernel and U-Boot. These are
119        # regenerated here since mkimage will modify them (by adding a
120        # public key) below.
121        dtc('sandbox-kernel.dts')
122        dtc('sandbox-u-boot.dts')
123
124        # Build the FIT, but don't sign anything yet
125        cons.log.action('%s: Test FIT with signed images' % sha_algo)
126        make_fit('sign-images-%s.its' % sha_algo)
127        run_bootm(sha_algo, 'unsigned images', 'dev-', True)
128
129        # Sign images with our dev keys
130        sign_fit(sha_algo)
131        run_bootm(sha_algo, 'signed images', 'dev+', True)
132
133        # Create a fresh .dtb without the public keys
134        dtc('sandbox-u-boot.dts')
135
136        cons.log.action('%s: Test FIT with signed configuration' % sha_algo)
137        make_fit('sign-configs-%s.its' % sha_algo)
138        run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
139
140        # Sign images with our dev keys
141        sign_fit(sha_algo)
142        run_bootm(sha_algo, 'signed config', 'dev+', True)
143
144        cons.log.action('%s: Check signed config on the host' % sha_algo)
145
146        util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
147                                '-k', dtb])
148
149        # Increment the first byte of the signature, which should cause failure
150        sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
151                               (fit, sig_node))
152        byte_list = sig.split()
153        byte = int(byte_list[0], 16)
154        byte_list[0] = '%x' % (byte + 1)
155        sig = ' '.join(byte_list)
156        util.run_and_log(cons, 'fdtput -t bx %s %s value %s' %
157                         (fit, sig_node, sig))
158
159        run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False)
160
161        cons.log.action('%s: Check bad config on the host' % sha_algo)
162        util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
163                '-k', dtb], 1, 'Failed to verify required signature')
164
165    cons = u_boot_console
166    tmpdir = cons.config.result_dir + '/'
167    tmp = tmpdir + 'vboot.tmp'
168    datadir = cons.config.source_dir + '/test/py/tests/vboot/'
169    fit = '%stest.fit' % tmpdir
170    mkimage = cons.config.build_dir + '/tools/mkimage'
171    fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
172    dtc_args = '-I dts -O dtb -i %s' % tmpdir
173    dtb = '%ssandbox-u-boot.dtb' % tmpdir
174    sig_node = '/configurations/conf@1/signature@1'
175
176    # Create an RSA key pair
177    public_exponent = 65537
178    util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %sdev.key '
179                     '-pkeyopt rsa_keygen_bits:2048 '
180                     '-pkeyopt rsa_keygen_pubexp:%d '
181                     '2>/dev/null'  % (tmpdir, public_exponent))
182
183    # Create a certificate containing the public key
184    util.run_and_log(cons, 'openssl req -batch -new -x509 -key %sdev.key -out '
185                     '%sdev.crt' % (tmpdir, tmpdir))
186
187    # Create a number kernel image with zeroes
188    with open('%stest-kernel.bin' % tmpdir, 'w') as fd:
189        fd.write(5000 * chr(0))
190
191    try:
192        # We need to use our own device tree file. Remember to restore it
193        # afterwards.
194        old_dtb = cons.config.dtb
195        cons.config.dtb = dtb
196        test_with_algo('sha1')
197        test_with_algo('sha256')
198    finally:
199        # Go back to the original U-Boot with the correct dtb.
200        cons.config.dtb = old_dtb
201        cons.restart_uboot()
202