xref: /openbmc/u-boot/test/py/tests/test_vboot.py (revision baefb63a) 
1# Copyright (c) 2016, Google Inc.
2#
3# SPDX-License-Identifier:	GPL-2.0+
4#
5# U-Boot Verified Boot Test
6
7"""
8This tests verified boot in the following ways:
9
10For image verification:
11- Create FIT (unsigned) with mkimage
12- Check that verification shows that no keys are verified
13- Sign image
14- Check that verification shows that a key is now verified
15
16For configuration verification:
17- Corrupt signature and check for failure
18- Create FIT (with unsigned configuration) with mkimage
19- Check that image verification works
20- Sign the FIT and mark the key as 'required' for verification
21- Check that image verification works
22- Corrupt the signature
23- Check that image verification no-longer works
24
25Tests run with both SHA1 and SHA256 hashing.
26"""
27
28import pytest
29import sys
30import u_boot_utils as util
31
32@pytest.mark.boardspec('sandbox')
33@pytest.mark.buildconfigspec('fit_signature')
34@pytest.mark.requiredtool('dtc')
35@pytest.mark.requiredtool('fdtget')
36@pytest.mark.requiredtool('fdtput')
37@pytest.mark.requiredtool('openssl')
38def test_vboot(u_boot_console):
39    """Test verified boot signing with mkimage and verification with 'bootm'.
40
41    This works using sandbox only as it needs to update the device tree used
42    by U-Boot to hold public keys from the signing process.
43
44    The SHA1 and SHA256 tests are combined into a single test since the
45    key-generation process is quite slow and we want to avoid doing it twice.
46    """
47    def dtc(dts):
48        """Run the device tree compiler to compile a .dts file
49
50        The output file will be the same as the input file but with a .dtb
51        extension.
52
53        Args:
54            dts: Device tree file to compile.
55        """
56        dtb = dts.replace('.dts', '.dtb')
57        util.run_and_log(cons, 'dtc %s %s%s -O dtb '
58                         '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb))
59
60    def run_bootm(sha_algo, test_type, expect_string, boots):
61        """Run a 'bootm' command U-Boot.
62
63        This always starts a fresh U-Boot instance since the device tree may
64        contain a new public key.
65
66        Args:
67            test_type: A string identifying the test type.
68            expect_string: A string which is expected in the output.
69            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
70                    use.
71            boots: A boolean that is True if Linux should boot and False if
72                    we are expected to not boot
73        """
74        cons.restart_uboot()
75        with cons.log.section('Verified boot %s %s' % (sha_algo, test_type)):
76            output = cons.run_command_list(
77                ['sb load hostfs - 100 %stest.fit' % tmpdir,
78                'fdt addr 100',
79                'bootm 100'])
80        assert(expect_string in ''.join(output))
81        if boots:
82            assert('sandbox: continuing, as we cannot run' in ''.join(output))
83
84    def make_fit(its):
85        """Make a new FIT from the .its source file.
86
87        This runs 'mkimage -f' to create a new FIT.
88
89        Args:
90            its: Filename containing .its source.
91        """
92        util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
93                                '%s%s' % (datadir, its), fit])
94
95    def sign_fit(sha_algo):
96        """Sign the FIT
97
98        Signs the FIT and writes the signature into it. It also writes the
99        public key into the dtb.
100
101        Args:
102            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
103                    use.
104        """
105        cons.log.action('%s: Sign images' % sha_algo)
106        util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
107                                '-r', fit])
108
109    def test_with_algo(sha_algo):
110        """Test verified boot with the given hash algorithm.
111
112        This is the main part of the test code. The same procedure is followed
113        for both hashing algorithms.
114
115        Args:
116            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
117                    use.
118        """
119        # Compile our device tree files for kernel and U-Boot. These are
120        # regenerated here since mkimage will modify them (by adding a
121        # public key) below.
122        dtc('sandbox-kernel.dts')
123        dtc('sandbox-u-boot.dts')
124
125        # Build the FIT, but don't sign anything yet
126        cons.log.action('%s: Test FIT with signed images' % sha_algo)
127        make_fit('sign-images-%s.its' % sha_algo)
128        run_bootm(sha_algo, 'unsigned images', 'dev-', True)
129
130        # Sign images with our dev keys
131        sign_fit(sha_algo)
132        run_bootm(sha_algo, 'signed images', 'dev+', True)
133
134        # Create a fresh .dtb without the public keys
135        dtc('sandbox-u-boot.dts')
136
137        cons.log.action('%s: Test FIT with signed configuration' % sha_algo)
138        make_fit('sign-configs-%s.its' % sha_algo)
139        run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
140
141        # Sign images with our dev keys
142        sign_fit(sha_algo)
143        run_bootm(sha_algo, 'signed config', 'dev+', True)
144
145        cons.log.action('%s: Check signed config on the host' % sha_algo)
146
147        util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
148                                '-k', dtb])
149
150        # Increment the first byte of the signature, which should cause failure
151        sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
152                               (fit, sig_node))
153        byte_list = sig.split()
154        byte = int(byte_list[0], 16)
155        byte_list[0] = '%x' % (byte + 1)
156        sig = ' '.join(byte_list)
157        util.run_and_log(cons, 'fdtput -t bx %s %s value %s' %
158                         (fit, sig_node, sig))
159
160        run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False)
161
162        cons.log.action('%s: Check bad config on the host' % sha_algo)
163        util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
164                '-k', dtb], 1, 'Failed to verify required signature')
165
166    cons = u_boot_console
167    tmpdir = cons.config.result_dir + '/'
168    tmp = tmpdir + 'vboot.tmp'
169    datadir = cons.config.source_dir + '/test/py/tests/vboot/'
170    fit = '%stest.fit' % tmpdir
171    mkimage = cons.config.build_dir + '/tools/mkimage'
172    fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
173    dtc_args = '-I dts -O dtb -i %s' % tmpdir
174    dtb = '%ssandbox-u-boot.dtb' % tmpdir
175    sig_node = '/configurations/conf@1/signature@1'
176
177    # Create an RSA key pair
178    public_exponent = 65537
179    util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %sdev.key '
180                     '-pkeyopt rsa_keygen_bits:2048 '
181                     '-pkeyopt rsa_keygen_pubexp:%d '
182                     '2>/dev/null'  % (tmpdir, public_exponent))
183
184    # Create a certificate containing the public key
185    util.run_and_log(cons, 'openssl req -batch -new -x509 -key %sdev.key -out '
186                     '%sdev.crt' % (tmpdir, tmpdir))
187
188    # Create a number kernel image with zeroes
189    with open('%stest-kernel.bin' % tmpdir, 'w') as fd:
190        fd.write(5000 * chr(0))
191
192    try:
193        # We need to use our own device tree file. Remember to restore it
194        # afterwards.
195        old_dtb = cons.config.dtb
196        cons.config.dtb = dtb
197        test_with_algo('sha1')
198        test_with_algo('sha256')
199    finally:
200        # Go back to the original U-Boot with the correct dtb.
201        cons.config.dtb = old_dtb
202        cons.restart_uboot()
203