From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Simon Glass <sjg@chromium.org>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
	Alex Graf <agraf@csgraf.de>,
	Ilias Apalodimas <ilias.apalodimas@linaro.org>,
	Sughosh Ganu <sughosh.ganu@linaro.org>,
	Masami Hiramatsu <masami.hiramatsu@linaro.org>,
	U-Boot Mailing List <u-boot@lists.denx.de>
Subject: Re: [PATCH v5 05/11] test/py: efi_capsule: add image authentication test
Date: Mon, 8 Nov 2021 13:15:37 +0900
Message-ID: <20211108041537.GA16401@laputa>
In-Reply-To: <CAPnjgZ31yA6SrpmtjUpBSyGhm_m1LL1wH4T-cdaJTHnQEdXX8Q@mail.gmail.com>

On Fri, Nov 05, 2021 at 10:12:20AM -0600, Simon Glass wrote:
> Hi Takahiro,
> 
> On Thu, 4 Nov 2021 at 21:24, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> >
> > On Thu, Nov 04, 2021 at 08:02:37PM -0600, Simon Glass wrote:
> > > Hi Takahiro,
> > >
> > > On Thu, 4 Nov 2021 at 19:21, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> > > >
> > > > On Wed, Nov 03, 2021 at 08:49:04PM -0600, Simon Glass wrote:
> > > > > Hi Takahiro,
> > > > >
> > > > > On Wed, 3 Nov 2021 at 20:04, AKASHI Takahiro <takahiro.akashi@linaro.org> wrote:
> > > > > >
> > > > > > On Tue, Nov 02, 2021 at 08:58:15AM -0600, Simon Glass wrote:
> > > > > > > Hi Takahiro,
> > > > > > >
> > > > > > > On Thu, 28 Oct 2021 at 23:25, AKASHI Takahiro
> > > > > > > <takahiro.akashi@linaro.org> wrote:
> > > > > > > >
> > > > > > > > On Thu, Oct 28, 2021 at 09:17:49PM -0600, Simon Glass wrote:
> > > > > > > > > Hi Takahiro,
> > > > > > > > >
> > > > > > > > > On Thu, 28 Oct 2021 at 00:25, AKASHI Takahiro
> > > > > > > > > <takahiro.akashi@linaro.org> wrote:
> > > > > > > > > >
> > > > > > > > > > Add a couple of test cases against capsule image authentication
> > > > > > > > > > for capsule-on-disk, where only a signed capsule file with the verified
> > > > > > > > > > signature will be applied to the system.
> > > > > > > > > >
> > > > > > > > > > Due to the difficulty of embedding a public key (esl file) in U-Boot
> > > > > > > > > > binary during pytest setup time, all the keys/certificates are pre-created.
> > > > > > > > > >
> > > > > > > > > > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > > > > > > > > > ---
> > > > > > > > > >  .../py/tests/test_efi_capsule/capsule_defs.py |   5 +
> > > > > > > > > >  test/py/tests/test_efi_capsule/conftest.py    |  35 ++-
> > > > > > > > > >  test/py/tests/test_efi_capsule/signature.dts  |  10 +
> > > > > > > > > >  .../test_capsule_firmware_signed.py           | 233 ++++++++++++++++++
> > > > > > > > > >  4 files changed, 280 insertions(+), 3 deletions(-)
> > > > > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/signature.dts
> > > > > > > > > >  create mode 100644 test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py
> > > > > > > > > >
> > > > > > > > > > diff --git a/test/py/tests/test_efi_capsule/capsule_defs.py b/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > > > > > index 4fd6353c2040..aa9bf5eee3aa 100644
> > > > > > > > > > --- a/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > > > > > +++ b/test/py/tests/test_efi_capsule/capsule_defs.py
> > > > > > > > > > @@ -3,3 +3,8 @@
> > > > > > > > > >  # Directories
> > > > > > > > > >  CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
> > > > > > > > > >  CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
> > > > > > > > > > +
> > > > > > > > > > +# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
> > > > > > > > > > +# you need build a newer version on your own.
> > > > > > > > > > +# The path must terminate with '/'.
> > > > > > > > > > +EFITOOLS_PATH = ''
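Review bot: EFITOOLS_PATH defaults to '' in capsule_defs.py, so an unconfigured run presumably resolves the efitools commands through PATH, and the comment directly above says v1.5.1 or earlier miscalculates sha256. Consider having the fixture skip the signed-capsule tests (or check the tool version) when the path is unset, and build the command path with os.path.join() so the "must terminate with '/'" rule is not needed. The comment should also read "you need to build".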
> > > > > > > > > > diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py
> > > > > > > > > > index 6ad5608cd71c..b0e84dec4931 100644
> > > > > > > > > > --- a/test/py/tests/test_efi_capsule/conftest.py
> > > > > > > > > > +++ b/test/py/tests/test_efi_capsule/conftest.py
> > > > > > > > > > @@ -10,13 +10,13 @@ import pytest
> > > > > > > > > >  from capsule_defs import *
> > > > > > > > > >
> > > > > > > > > >  #
> > > > > > > > > > -# Fixture for UEFI secure boot test
> > > > > > > > > > +# Fixture for UEFI capsule test
> > > > > > > > > >  #
> > > > > > > > > >
> > > > > > > > > > -
> > > > > > > > > >  @pytest.fixture(scope='session')
> > > > > > > > > >  def efi_capsule_data(request, u_boot_config):
> > > > > > > > > > -    """Set up a file system to be used in UEFI capsule test.
> > > > > > > > > > +    """Set up a file system to be used in UEFI capsule and
> > > > > > > > > > +       authentication test.
> > > > > > > > > >
> > > > > > > > > >      Args:
> > > > > > > > > >          request: Pytest request object.
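Review bot: the new docstring summary of efi_capsule_data() is split across two lines, with the continuation indented by seven spaces. A one-line summary such as "Set up a file system for UEFI capsule and authentication tests." followed by the existing blank line would match the Args: block below it.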
> > > > > > > > > > @@ -40,6 +40,26 @@ def efi_capsule_data(request, u_boot_config):
> > > > > > > > > >          check_call('mkdir -p %s' % data_dir, shell=True)
> > > > > > > > > >          check_call('mkdir -p %s' % install_dir, shell=True)
> > > > > > > > > >
> > > > > > > > > > +        capsule_auth_enabled = u_boot_config.buildconfig.get(
> > > > > > > > > > +                    'config_efi_capsule_authenticate')
> > > > > > > > > > +        if capsule_auth_enabled:
> > > > > > > > > > +            # Create private key (SIGNER.key) and certificate (SIGNER.crt)
> > > > > > > > > > +            check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_SIGNER/ -keyout SIGNER.key -out SIGNER.crt -nodes -days 365'
> > > > > > > > > > +                       % data_dir, shell=True)
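Review bot: the openssl call chains "cd %s; openssl req ..." with ';' under shell=True, so if the cd fails openssl still runs and writes SIGNER.key and SIGNER.crt into the current directory instead of data_dir. Use '&&', or pass an argument list with cwd=data_dir and drop shell=True, which also stops data_dir from being interpolated into a shell string.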
> > > > > > > > >
> > > > > > > > > run_and_log()?
> > > > > > > >
> > > > > > > > I have always used this style of coding in this file as well as
> > > > > > > > my other pytests in test/py/tests (filesystem and secure boot).
> > > > > > > >
> > > > > > > > So, at least in this patch, I don't want to have mixed styles.
> > > > > > >
> > > > > > > I don't mind about the style.
> > > > > > >
> > > > > > > Does the command appear in the test log?
> > > > > >
> > > > > > I don't think so as it is invoked in conftest.py.
> > > > > > If the command fails, the tests will skip, and if it generates
> > > > > > an improper signature, the tests will fail.
> > > > >
> > > > > Well that is what I am getting at. Can you check?
> > > >
> > > > Yes.
> > > >
> > > > > The test log is supposed to show everything that happened. It does
> > > > > that with other tests
> > > >
> > > > It does?
> > > > (I don't think so.)
> > > >
> > > > > and I worry that using this function to run
> > > > > things will mean that no one will be able to debug your test in CI.
> > > >
> > > > What is missing in general is that conftest.py doesn't generate
> > > > line-by-line trace logs if needed.
> > > > It's not specific to my test.
> > >
> > > Can you try checking test-log.html ?
> > >
> > > Here is an example with a vboot test. See the lines with 'openssl' and
> > > 'dtc' ? That is what I am talking about.
> > >
> > > Do you see this output with the command you are using?
> >
> > No. In your case, openssl and dtc are called in a test function,
> > while my tool is invoked as part of a fixture in conftest.py.
> >
> > What I requested is that command executions in fixtures be logged as well.
> 
> OK, so it isn't possible to call run_and_log() in fixtures?

My fixtures are declared with the scope "session", and so we can't
use u_boot_console which has the scope "function".
Any workaround?

-Takahiro Akashi


> Regards,
> Simon
> 
> 
> 
> >
> > -Takahiro Akashi
> >
> > >
> > > [-] Section: test_vboot[sha1-basic-sha1--None-False-True]
> > > TIME: NOW: 2021/11/04 19:52:55.916263
> > >
> > > TIME: SINCE-PREV: 0:00:00.429408
> > >
> > > TIME: SINCE-START: 0:00:00.429408
> > >
> > > [-] Section: test_vboot[sha1-basic-sha1--None-False-True]/Starting U-Boot
> > > TIME: NOW: 2021/11/04 19:52:55.916582
> > >
> > > TIME: SINCE-PREV: 0:00:00.000319
> > >
> > > TIME: SINCE-START: 0:00:00.429727
> > >
> > > [-] Stream: console
> > > Creating new bloblist size 400 at c000
> > > sandbox_serial serial: pinctrl_select_state_full:
> > > uclass_get_device_by_phandle_id: err=-19
> > >
> > >
> > > U-Boot 2021.10-00200-g458c5ec2f57-dirty (Nov 04 2021 - 19:52:48 -0600)
> > >
> > > Model: sandbox
> > > DRAM:  128 MiB
> > > Core:  246 devices, 88 uclasses, devicetree: board
> > > WDT:   Not starting gpio-wdt
> > > WDT:   Not starting wdt@0
> > > MMC:   mmc2: 2 (SD), mmc1: 1 (SD), mmc0: 0 (SD)
> > > Loading Environment from nowhere... OK
> > > In:    cros-ec-keyb
> > > Out:   vidconsole
> > > Err:   vidconsole
> > > Model: sandbox
> > > SCSI:
> > > Net:   eth0: eth@10002000, eth5: eth@10003000, eth3: sbe5, eth6:
> > > eth@10004000, eth4: dsa-test-eth, eth2: lan0, eth7: lan1
> > > Hit any key to stop autoboot:  2 %08%08%08 0
> > > =>
> > > TIME: NOW: 2021/11/04 19:52:56.023596
> > >
> > > TIME: SINCE-PREV: 0:00:00.107014
> > >
> > > TIME: SINCE-START: 0:00:00.536741
> > >
> > > TIME: SINCE-SECTION: 0:00:00.107114
> > >
> > > [-] Stream: openssl
> > > +openssl genpkey -algorithm RSA -out /tmp/b/sandbox/sha1-basic/dev.key
> > > -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537
> > > ...................+++++
> > > ...............+++++
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.067325
> > >
> > > TIME: SINCE-PREV: 0:00:00.043729
> > >
> > > TIME: SINCE-START: 0:00:00.580470
> > >
> > > [-] Stream: openssl
> > > +openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/dev.key
> > > -out /tmp/b/sandbox/sha1-basic/dev.crt
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.077671
> > >
> > > TIME: SINCE-PREV: 0:00:00.010346
> > >
> > > TIME: SINCE-START: 0:00:00.590816
> > >
> > > [-] Stream: openssl
> > > +openssl genpkey -algorithm RSA -out
> > > /tmp/b/sandbox/sha1-basic/prod.key -pkeyopt rsa_keygen_bits:2048
> > > -pkeyopt rsa_keygen_pubexp:65537
> > > ...........................+++++
> > > ............+++++
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.127578
> > >
> > > TIME: SINCE-PREV: 0:00:00.049907
> > >
> > > TIME: SINCE-START: 0:00:00.640723
> > >
> > > [-] Stream: openssl
> > > +openssl req -batch -new -x509 -key /tmp/b/sandbox/sha1-basic/prod.key
> > > -out /tmp/b/sandbox/sha1-basic/prod.crt
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.136682
> > >
> > > TIME: SINCE-PREV: 0:00:00.009104
> > >
> > > TIME: SINCE-START: 0:00:00.649827
> > >
> > > [-] Stream: dtc
> > > +dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/
> > > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-kernel.dts
> > > -O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-kernel.dtb
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.142636
> > >
> > > TIME: SINCE-PREV: 0:00:00.005954
> > >
> > > TIME: SINCE-START: 0:00:00.655781
> > >
> > > [-] Stream: dtc
> > > +dtc -I dts -O dtb -i /tmp/b/sandbox/sha1-basic/
> > > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts
> > > -O dtb -o /tmp/b/sandbox/sha1-basic/sandbox-u-boot.dtb
> > > /scratch/sglass/cosarm/src/third_party/u-boot/files/test/py/tests/vboot/sandbox-u-boot.dts:7.10-9.4:
> > > Warning (unit_address_vs_reg): /reset@0: node has a unit name, but no
> > > reg or ranges property
> > >
> > > TIME: NOW: 2021/11/04 19:52:56.147797
> > >
> > > Regards,
> > > Simon
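One way a session-scoped fixture could still leave a command trace, as an added example that is not part of this thread or of U-Boot's test framework: `CommandLog` is a hypothetical helper (not `run_and_log()`), its output only imitates the `[-] Stream:` and `+command` lines quoted above, and a Python child process stands in for openssl. It takes an argument list and `cwd=` rather than a `cd %s; ...` string under `shell=True`.

```python
import io
import subprocess
import sys
import tempfile


class CommandLog:
    """Hypothetical helper: records each command and its output in a sink."""

    def __init__(self, sink):
        self.sink = sink  # any writable text stream, e.g. an open log file

    def run(self, argv, cwd):
        """Run argv (a list, no shell) in cwd, log it, raise on failure."""
        stream = argv[0].rsplit('/', 1)[-1]
        self.sink.write('[-] Stream: %s\n+%s\n' % (stream, ' '.join(argv)))
        proc = subprocess.run(argv, cwd=cwd, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, text=True)
        self.sink.write(proc.stdout)
        if proc.returncode != 0:
            # Record the failure before raising so the log explains a skip.
            self.sink.write('exit status %d\n' % proc.returncode)
            raise subprocess.CalledProcessError(proc.returncode, argv,
                                                output=proc.stdout)
        return proc.stdout


def demo():
    """Constructed run: one command that succeeds and one that fails."""
    sink = io.StringIO()
    log = CommandLog(sink)
    with tempfile.TemporaryDirectory() as data_dir:
        out = log.run([sys.executable, '-c', 'print("SIGNER.crt created")'],
                      cwd=data_dir)
        try:
            log.run([sys.executable, '-c', 'import sys; sys.exit(3)'],
                    cwd=data_dir)
            failed = False
        except subprocess.CalledProcessError:
            failed = True
    return out, failed, sink.getvalue()


if __name__ == '__main__':
    print(demo()[2])
```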
