xref: /openbmc/u-boot/test/py/tests/test_vboot.py (revision f225d39d)
1# Copyright (c) 2016, Google Inc.
2#
3# SPDX-License-Identifier:	GPL-2.0+
4#
5# U-Boot Verified Boot Test
6
7"""
8This tests verified boot in the following ways:
9
10For image verification:
11- Create FIT (unsigned) with mkimage
12- Check that verification shows that no keys are verified
13- Sign image
14- Check that verification shows that a key is now verified
15
16For configuration verification:
17- Corrupt signature and check for failure
18- Create FIT (with unsigned configuration) with mkimage
19- Check that image verification works
20- Sign the FIT and mark the key as 'required' for verification
21- Check that image verification works
22- Corrupt the signature
23- Check that image verification no-longer works
24
25Tests run with both SHA1 and SHA256 hashing.
26"""
27
28import pytest
29import sys
30import u_boot_utils as util
31
32@pytest.mark.boardspec('sandbox')
33@pytest.mark.buildconfigspec('fit_signature')
34def test_vboot(u_boot_console):
35    """Test verified boot signing with mkimage and verification with 'bootm'.
36
37    This works using sandbox only as it needs to update the device tree used
38    by U-Boot to hold public keys from the signing process.
39
40    The SHA1 and SHA256 tests are combined into a single test since the
41    key-generation process is quite slow and we want to avoid doing it twice.
42    """
43    def dtc(dts):
44        """Run the device tree compiler to compile a .dts file
45
46        The output file will be the same as the input file but with a .dtb
47        extension.
48
49        Args:
50            dts: Device tree file to compile.
51        """
52        dtb = dts.replace('.dts', '.dtb')
53        util.run_and_log(cons, 'dtc %s %s%s -O dtb '
54                         '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb))
55
56    def run_bootm(sha_algo, test_type, expect_string):
57        """Run a 'bootm' command U-Boot.
58
59        This always starts a fresh U-Boot instance since the device tree may
60        contain a new public key.
61
62        Args:
63            test_type: A string identifying the test type.
64            expect_string: A string which is expected in the output.
65            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
66                    use.
67        """
68        cons.restart_uboot()
69        with cons.log.section('Verified boot %s %s' % (sha_algo, test_type)):
70            output = cons.run_command_list(
71                ['sb load hostfs - 100 %stest.fit' % tmpdir,
72                'fdt addr 100',
73                'bootm 100'])
74        assert(expect_string in ''.join(output))
75
76    def make_fit(its):
77        """Make a new FIT from the .its source file.
78
79        This runs 'mkimage -f' to create a new FIT.
80
81        Args:
82            its: Filename containing .its source.
83        """
84        util.run_and_log(cons, [mkimage, '-D', dtc_args, '-f',
85                                '%s%s' % (datadir, its), fit])
86
87    def sign_fit(sha_algo):
88        """Sign the FIT
89
90        Signs the FIT and writes the signature into it. It also writes the
91        public key into the dtb.
92
93        Args:
94            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
95                    use.
96        """
97        cons.log.action('%s: Sign images' % sha_algo)
98        util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
99                                '-r', fit])
100
101    def test_with_algo(sha_algo):
102        """Test verified boot with the given hash algorithm.
103
104        This is the main part of the test code. The same procedure is followed
105        for both hashing algorithms.
106
107        Args:
108            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
109                    use.
110        """
111        # Compile our device tree files for kernel and U-Boot. These are
112        # regenerated here since mkimage will modify them (by adding a
113        # public key) below.
114        dtc('sandbox-kernel.dts')
115        dtc('sandbox-u-boot.dts')
116
117        # Build the FIT, but don't sign anything yet
118        cons.log.action('%s: Test FIT with signed images' % sha_algo)
119        make_fit('sign-images-%s.its' % sha_algo)
120        run_bootm(sha_algo, 'unsigned images', 'dev-')
121
122        # Sign images with our dev keys
123        sign_fit(sha_algo)
124        run_bootm(sha_algo, 'signed images', 'dev+')
125
126        # Create a fresh .dtb without the public keys
127        dtc('sandbox-u-boot.dts')
128
129        cons.log.action('%s: Test FIT with signed configuration' % sha_algo)
130        make_fit('sign-configs-%s.its' % sha_algo)
131        run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo)
132
133        # Sign images with our dev keys
134        sign_fit(sha_algo)
135        run_bootm(sha_algo, 'signed config', 'dev+')
136
137        cons.log.action('%s: Check signed config on the host' % sha_algo)
138
139        util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
140                                '-k', dtb])
141
142        # Increment the first byte of the signature, which should cause failure
143        sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
144                               (fit, sig_node))
145        byte_list = sig.split()
146        byte = int(byte_list[0], 16)
147        byte_list[0] = '%x' % (byte + 1)
148        sig = ' '.join(byte_list)
149        util.run_and_log(cons, 'fdtput -t bx %s %s value %s' %
150                         (fit, sig_node, sig))
151
152        run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash')
153
154        cons.log.action('%s: Check bad config on the host' % sha_algo)
155        util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
156                '-k', dtb], 1, 'Failed to verify required signature')
157
158    cons = u_boot_console
159    tmpdir = cons.config.result_dir + '/'
160    tmp = tmpdir + 'vboot.tmp'
161    datadir = cons.config.source_dir + '/test/py/tests/vboot/'
162    fit = '%stest.fit' % tmpdir
163    mkimage = cons.config.build_dir + '/tools/mkimage'
164    fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
165    dtc_args = '-I dts -O dtb -i %s' % tmpdir
166    dtb = '%ssandbox-u-boot.dtb' % tmpdir
167    sig_node = '/configurations/conf@1/signature@1'
168
169    # Create an RSA key pair
170    public_exponent = 65537
171    util.run_and_log(cons, 'openssl genpkey -algorithm RSA -out %sdev.key '
172                     '-pkeyopt rsa_keygen_bits:2048 '
173                     '-pkeyopt rsa_keygen_pubexp:%d '
174                     '2>/dev/null'  % (tmpdir, public_exponent))
175
176    # Create a certificate containing the public key
177    util.run_and_log(cons, 'openssl req -batch -new -x509 -key %sdev.key -out '
178                     '%sdev.crt' % (tmpdir, tmpdir))
179
180    # Create a number kernel image with zeroes
181    with open('%stest-kernel.bin' % tmpdir, 'w') as fd:
182        fd.write(5000 * chr(0))
183
184    try:
185        # We need to use our own device tree file. Remember to restore it
186        # afterwards.
187        old_dtb = cons.config.dtb
188        cons.config.dtb = dtb
189        test_with_algo('sha1')
190        test_with_algo('sha256')
191    finally:
192        # Go back to the original U-Boot with the correct dtb.
193        cons.config.dtb = old_dtb
194        cons.restart_uboot()
195