From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3ED73C433EF for ; Fri, 5 Nov 2021 01:21:18 +0000 (UTC) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 0779B61220 for ; Fri, 5 Nov 2021 01:21:16 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 0779B61220 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.denx.de Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id CA86383686; Fri, 5 Nov 2021 02:21:14 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="r3/6OsUZ"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 0B2078355C; Fri, 5 Nov 2021 02:21:13 +0100 (CET) Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 9404883686 for ; Fri, 5 Nov 2021 02:21:08 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=takahiro.akashi@linaro.org Received: by mail-pg1-x531.google.com with SMTP id j9so6999080pgh.1 for ; Thu, 04 Nov 2021 18:21:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-disposition:in-reply-to; bh=SljVq8flzrr0yrqPqoPqSVKUnrOJNGLU91aimOTjEVA=; b=r3/6OsUZuEIYNyzGoXfWo/VziPqpxkTjxFfQtgEb7D7YAyUpNO9T8ZUkBKNN4kbcVC KfePYprM++tX5ST/74vTHPWQDZijcpejZC1K0Wv/zx95SrTKgyolaoI68pOeAW2Ulxet zN2GyZm8sWtOCh8Dd/qgadvvgPN0+IqhOzs+rRJgJXJZBWOWYUt5Zzplu+4rb5guy+3T 3FPAOwTTE6jdsNQfZyRHgrFP8EcnUlA8RqgFoaMYLqBCAEk79VC4Bcr7ADfQXnLFZU/4 SZgKqzUHRiAxiCJGU7MXSBf24Xcz77V7rsDTYmZ1nxoa1krR0tJ9aA0sV2s9uMjVa/vD 8CZQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id :mail-followup-to:references:mime-version:content-disposition :in-reply-to; bh=SljVq8flzrr0yrqPqoPqSVKUnrOJNGLU91aimOTjEVA=; b=jnP11rOT+XuwVpnS+QKOA030MezWO8dPcsRso9/pJcpKWKsvqIvPerphbP0r3yG63H dtI4/cmcBTZAek3GYXQyOO069e7dMcjpFhdkx4+2KRxxUmamALPFOe1OWbHTV5tFWTqm a15LUg65mriNLjb2UZNeYNgNSe5k9b9Av19ixZW7XX48oCg+g5Zo8VOkvyA187by8Kqo y+mO4M3HXgwtywJoqFQnL922vdwVBZiU8kbfHXYpc6hMGiJRQh3hBKr1Jk/pxdi41cfz +3bASM5YpgPQ89LauDAoAuatARNdUGPwOoUT121XGvyweqnYHBIn1ck1gd6HIzZi+END ofgg== X-Gm-Message-State: AOAM531K11534/4Ue75jlayl+MsqR4p2s5TtAjgAB813TIKOoCUv0+MN JsLvcNDXxA7H6jRbAx+NvRTEnw== X-Google-Smtp-Source: ABdhPJwl54jpcqwHHHnU7c8vf2ztoq0H/pGo0ut8E8StZOjCMsHAZZzH+A3mhhKsCcGP5rj3aXUe2g== X-Received: by 2002:a05:6a00:1693:b0:44c:64a3:d318 with SMTP id k19-20020a056a00169300b0044c64a3d318mr56179084pfc.81.1636075266647; Thu, 04 Nov 2021 18:21:06 -0700 (PDT) Received: from laputa ([2400:4050:c3e1:100:844c:5534:2811:8a4d]) by smtp.gmail.com with ESMTPSA id s7sm6148709pfu.139.2021.11.04.18.21.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Nov 2021 18:21:06 -0700 (PDT) Date: Fri, 5 Nov 2021 10:21:02 +0900 From: AKASHI Takahiro To: Simon Glass Cc: Heinrich Schuchardt , Alex Graf , Ilias Apalodimas , Sughosh Ganu , Masami Hiramatsu , U-Boot Mailing List Subject: Re: [PATCH v5 05/11] test/py: efi_capsule: add image authentication test Message-ID: <20211105012102.GB27316@laputa> Mail-Followup-To: AKASHI Takahiro , Simon Glass , Heinrich Schuchardt , Alex Graf , Ilias Apalodimas , Sughosh Ganu , Masami Hiramatsu , U-Boot Mailing List References: <20211028062356.98224-1-takahiro.akashi@linaro.org> <20211028062356.98224-6-takahiro.akashi@linaro.org> <20211029052539.GC33977@laputa> <20211104020403.GB46422@laputa> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean On Wed, Nov 03, 2021 at 08:49:04PM -0600, Simon Glass wrote: > Hi Takahiro, > > On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro wrote: > > > > On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote: > > > Hi Takahiro, > > > > > > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro > > > wrote: > > > > > > > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote: > > > > > Hi Takahiro, > > > > > > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro > > > > > wrote: > > > > > > > > > > > > Add a couple of test cases against capsule image authentication > > > > > > for capsule-on-disk, where only a signed capsule file with the verified > > > > > > signature will be applied to the system. > > > > > > > > > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot > > > > > > binary during pytest setup time, all the keys/certificates are pre-created. > > > > > > > > > > > > Signed-off-by: AKASHI Takahiro > > > > > > --- > > > > > > .../py/tests/test_efi_capsule/capsule_defs.py | 5 + > > > > > > test/py/tests/test_efi_capsule/conftest.py | 35 ++- > > > > > > test/py/tests/test_efi_capsule/signature.dts | 10 + > > > > > > .../test_capsule_firmware_signed.py | 233 ++++++++++++++++++ > > > > > > 4 files changed, 280 insertions(+), 3 deletions(-) > > > > > > create mode 100644 test/py/tests/test_efi_capsule/signature.dts > > > > > > create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py > > > > > > > > > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py > > > > > > index 4fd6353c2040..aa9bf5eee3aa 100644 > > > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py > > > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py > > > > > > @@ -3,3 +3,8 @@ > > > > > > # Directories > > > > > > CAPSULE_DATA_DIR = '/EFI/CapsuleTestData' > > > > > > CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule' > > > > > > + > > > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and > > > > > > +# you need build a newer version on your own. > > > > > > +# The path must terminate with '/'. > > > > > > +EFITOOLS_PATH = '' > > > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py > > > > > > index 6ad5608cd71c..b0e84dec4931 100644 > > > > > > --- a/test/py/tests/test_efi_capsule/conftest.py > > > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py > > > > > > @@ -10,13 +10,13 @@ import pytest > > > > > > from capsule_defs import * > > > > > > > > > > > > # > > > > > > -# Fixture for UEFI secure boot test > > > > > > +# Fixture for UEFI capsule test > > > > > > # > > > > > > > > > > > > - > > > > > > @pytest.fixture(scope='session') > > > > > > def efi_capsule_data(request, u_boot_config): > > > > > > - """Set up a file system to be used in UEFI capsule test. > > > > > > + """Set up a file system to be used in UEFI capsule and > > > > > > + authentication test. > > > > > > > > > > > > Args: > > > > > > request: Pytest request object. > > > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config): > > > > > > check_call('mkdir -p %s' % data_dir, shell=True) > > > > > > check_call('mkdir -p %s' % install_dir, shell=True) > > > > > > > > > > > > + capsule_auth_enabled = u_boot_config.buildconfig.get( > > > > > > + 'config_efi_capsule_authenticate') > > > > > > + if capsule_auth_enabled: > > > > > > + # Create private key (SIGNER.key) and certificate (SIGNER.crt) > > > > > > + check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365' > > > > > > + % data_dir, shell=True) > > > > > > > > > > run_and_log()? > > > > > > > > I have always used this style of coding in this file as well as > > > > other my pytests in test/py/tests (filesystem and secure boot). > > > > > > > > So, at least in this patch, I don't want to have mixed styles. > > > > > > I don't mind about the style. > > > > > > Does the command appear in the test log? > > > > I don't think so as it is invoked in conftest.py. > > If the command fails, the tests will skip, and if it generates > > a improper signature, the tests will fail. > > Well that is what I am getting at. Can you check? Yes. > The test log is supposed to show everything that happened. It does > that with other tests It does? (I don't think so.) > and I worry that using this function to run > things will mean that no one will be able to debug your test in CI. What is missing in general is that confest.py doesn't generate line-by-line trace logs if needed. It's not my test specific. -Takahiro Akashi > Regards, > Simon