Re: [PATCH v5 05/11] test/py: efi_capsule: add image authentication test

From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Simon Glass <sjg@chromium.org>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Alex Graf <agraf@csgraf.de>,
	Ilias Apalodimas <ilias.apalodimas@linaro.org>,
	Sughosh Ganu <sughosh.ganu@linaro.org>,
	Masami Hiramatsu <masami.hiramatsu@linaro.org>,
	U-Boot Mailing List <u-boot@lists.denx.de>
Subject: Re: [PATCH v5 05/11] test/py: efi_capsule: add image authentication test
Date: Fri, 5 Nov 2021 10:21:02 +0900	[thread overview]
Message-ID: <20211105012102.GB27316@laputa> (raw)
In-Reply-To: <CAPnjgZ1jekmz_mGCRFvTzWYQG9zOro67GN3hLG9q023Nn67zEg@mail.gmail.com>

On Wed, Nov 03, 2021 at 08:49:04PM -0600, Simon Glass wrote:
> Hi Takahiro,
> 
> On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> >
> > On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote:
> > > Hi Takahiro,
> > >
> > > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro
> > > <takahiro.akashi@linaro.org> wrote:
> > > >
> > > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:
> > > > > Hi Takahiro,
> > > > >
> > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro
> > > > > <takahiro.akashi@linaro.org> wrote:
> > > > > >
> > > > > > Add a couple of test cases against capsule image authentication
> > > > > > for capsule-on-disk, where only a signed capsule file with the verified
> > > > > > signature will be applied to the system.
> > > > > >
> > > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot
> > > > > > binary during pytest setup time, all the keys/certificates are pre-created.
> > > > > >
> > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > > > > ---
> > > > > >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
> > > > > >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-
> > > > > >  test/py/tests/test_efi_capsule/signature.dts  |  10 +
> > > > > >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++
> > > > > >  4 files changed, 280 insertions(+), 3 deletions(-)
> > > > > >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts
> > > > > >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> > > > > >
> > > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > index 4fd6353c2040..aa9bf5eee3aa 100644
> > > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > @@ -3,3 +3,8 @@
> > > > > >  # Directories
> > > > > >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
> > > > > >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
> > > > > > +
> > > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
> > > > > > +# you need build a newer version on your own.
> > > > > > +# The path must terminate with '/'.
> > > > > > +EFITOOLS_PATH = ''
> > > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
> > > > > > index 6ad5608cd71c..b0e84dec4931 100644
> > > > > > --- a/test/py/tests/test_efi_capsule/conftest.py
> > > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py
> > > > > > @@ -10,13 +10,13 @@ import pytest
> > > > > >  from capsule_defs import *
> > > > > >
> > > > > >  #
> > > > > > -# Fixture for UEFI secure boot test
> > > > > > +# Fixture for UEFI capsule test
> > > > > >  #
> > > > > >
> > > > > > -
> > > > > >  @pytest.fixture(scope='session')
> > > > > >  def efi_capsule_data(request, u_boot_config):
> > > > > > -    """Set up a file system to be used in UEFI capsule test.
> > > > > > +    """Set up a file system to be used in UEFI capsule and
> > > > > > +       authentication test.
> > > > > >
> > > > > >      Args:
> > > > > >          request: Pytest request object.
> > > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):
> > > > > >          check_call('mkdir -p %s' % data_dir, shell=True)
> > > > > >          check_call('mkdir -p %s' % install_dir, shell=True)
> > > > > >
> > > > > > +        capsule_auth_enabled = u_boot_config.buildconfig.get(
> > > > > > +                    'config_efi_capsule_authenticate')
> > > > > > +        if capsule_auth_enabled:
> > > > > > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)
> > > > > > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'
> > > > > > +                       % data_dir, shell=True)
> > > > >
> > > > > run_and_log()?
> > > >
> > > > I have always used this style of coding in this file as well as
> > > > other my pytests in test/py/tests (filesystem and secure boot).
> > > >
> > > > So, at least in this patch, I don't want to have mixed styles.
> > >
> > > I don't mind about the style.
> > >
> > > Does the command appear in the test log?
> >
> > I don't think so as it is invoked in conftest.py.
> > If the command fails, the tests will skip, and if it generates
> > a improper signature, the tests will fail.
> 
> Well that is what I am getting at. Can you check?

Yes.

> The test log is supposed to show everything that happened. It does
> that with other tests

It does?
(I don't think so.)

> and I worry that using this function to run
> things will mean that no one will be able to debug your test in CI.

What is missing in general is that confest.py doesn't generate
line-by-line trace logs if needed.
It's not my test specific.

-Takahiro Akashi

> Regards,
> Simon