From: Philippe Reynes
To: sjg@chromium.org, rasmus.villemoes@prevas.dk
Cc: u-boot@lists.denx.de, Philippe Reynes
Subject: [PATCH v8 14/15] test: py: vboot: add test for global image signature
Date: Mon, 28 Mar 2022 22:57:06 +0200
Message-Id: <20220328205707.348270-15-philippe.reynes@softathome.com>
In-Reply-To: <20220328205707.348270-1-philippe.reynes@softathome.com>
References: <20220328205707.348270-1-philippe.reynes@softathome.com>

Adds test units for the pre-load header signature.

Signed-off-by: Philippe Reynes
---
 test/py/tests/test_vboot.py | 148 ++++++++++++++++--
 test/py/tests/vboot/sandbox-binman-pss.dts | 25 +++
 test/py/tests/vboot/sandbox-binman.dts | 24 +++
 .../tests/vboot/sandbox-u-boot-global-pss.dts | 28 ++++
 test/py/tests/vboot/sandbox-u-boot-global.dts | 27 ++++
 test/py/tests/vboot/simple-images.its | 36 +++++
 6 files changed, 272 insertions(+), 16 deletions(-)
 create mode 100644 test/py/tests/vboot/sandbox-binman-pss.dts
 create mode 100644 test/py/tests/vboot/sandbox-binman.dts
 create mode 100644 test/py/tests/vboot/sandbox-u-boot-global-pss.dts
 create mode 100644 test/py/tests/vboot/sandbox-u-boot-global.dts
 create mode 100644 test/py/tests/vboot/simple-images.its

diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index ac8ed9f114..040147d88b 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py @@ -21,6 +21,14 @@ For configuration verification: - Corrupt the signature - Check that image verification no-longer works +For pre-load header verification: +- Create FIT image with a pre-load header +- Check that signature verification succeeds +- Corrupt the FIT image +- Check that signature verification fails +- Launch an FIT image without a pre-load header +- Check that image verification fails + Tests run with both SHA1 and SHA256 hashing. """ 
@@ -35,19 +43,21 @@ import vboot_evil # Only run the full suite on a few combinations, since it doesn't add any more # test coverage. TESTDATA = [ - ['sha1-basic', 'sha1', '', None, False, True, False], - ['sha1-pad', 'sha1', '', '-E -p 0x10000', False, False, False], - ['sha1-pss', 'sha1', '-pss', None, False, False, False], - ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False, False, False], - ['sha256-basic', 'sha256', '', None, False, False, False], - ['sha256-pad', 'sha256', '', '-E -p 0x10000', False, False, False], - ['sha256-pss', 'sha256', '-pss', None, False, False, False], - ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False, False], - ['sha256-pss-required', 'sha256', '-pss', None, True, False, False], - ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True, False], - ['sha384-basic', 'sha384', '', None, False, False, False], - ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False, False], - ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', False, False, True], + ['sha1-basic', 'sha1', '', None, False, True, False, False], + ['sha1-pad', 'sha1', '', '-E -p 0x10000', False, False, False, False], + ['sha1-pss', 'sha1', '-pss', None, False, False, False, False], + ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False, False, False, False], + ['sha256-basic', 'sha256', '', None, False, False, False, False], + ['sha256-pad', 'sha256', '', '-E -p 0x10000', False, False, False, False], + ['sha256-pss', 'sha256', '-pss', None, False, False, False, False], + ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False, False, False], + ['sha256-pss-required', 'sha256', '-pss', None, True, False, False, False], + ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True, False, False], + ['sha384-basic', 'sha384', '', None, False, False, False, False], + ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False, False, False], + ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', False, False, 
True, False], + ['sha256-global-sign', 'sha256', '', '', False, False, False, True], + ['sha256-global-sign-pss', 'sha256', '-pss', '', False, False, False, True], ] @pytest.mark.boardspec('sandbox') @@ -56,10 +66,10 @@ TESTDATA = [ @pytest.mark.requiredtool('fdtget') @pytest.mark.requiredtool('fdtput') @pytest.mark.requiredtool('openssl') -@pytest.mark.parametrize("name,sha_algo,padding,sign_options,required,full_test,algo_arg", +@pytest.mark.parametrize("name,sha_algo,padding,sign_options,required,full_test,algo_arg,global_sign", TESTDATA) def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, - full_test, algo_arg): + full_test, algo_arg, global_sign): """Test verified boot signing with mkimage and verification with 'bootm'. This works using sandbox only as it needs to update the device tree used @@ -81,6 +91,33 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, util.run_and_log(cons, 'dtc %s %s%s -O dtb ' '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb)) + def dtc_options(dts, options): + """Run the device tree compiler to compile a .dts file + + The output file will be the same as the input file but with a .dtb + extension. + + Args: + dts: Device tree file to compile. + options: Options provided to the compiler. + """ + dtb = dts.replace('.dts', '.dtb') + util.run_and_log(cons, 'dtc %s %s%s -O dtb ' + '-o %s%s %s' % (dtc_args, datadir, dts, tmpdir, dtb, options)) + + def run_binman(dtb): + """Run binman to build an image + + Args: + dtb: Device tree file used as input file. + """ + pythonpath = os.environ.get('PYTHONPATH', '') + os.environ['PYTHONPATH'] = pythonpath + ':' + '%s/../scripts/dtc/pylibfdt' % tmpdir + util.run_and_log(cons, [binman, 'build', '-d', "%s/%s" % (tmpdir,dtb), + '-a', "pre-load-key-path=%s" % tmpdir, '-O', + tmpdir, '-I', tmpdir]) + os.environ['PYTHONPATH'] = pythonpath + def run_bootm(sha_algo, test_type, expect_string, boots, fit=None): """Run a 'bootm' command U-Boot. 
@@ -139,6 +176,23 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, cons.log.action('%s: Sign images' % sha_algo) util.run_and_log(cons, args) + def sign_fit_dtb(sha_algo, options, dtb): + """Sign the FIT + + Signs the FIT and writes the signature into it. It also writes the + public key into the dtb. + + Args: + sha_algo: Either 'sha1' or 'sha256', to select the algorithm to + use. + options: Options to provide to mkimage. + """ + args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit] + if options: + args += options.split(' ') + cons.log.action('%s: Sign images' % sha_algo) + util.run_and_log(cons, args) + def sign_fit_norequire(sha_algo, options): """Sign the FIT @@ -176,6 +230,20 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, handle.write(struct.pack(">I", size)) return struct.unpack(">I", total_size)[0] + def corrupt_file(fit, offset, value): + """Corrupt a file + + To corrupt a file, a value is written at the specified offset + + Args: + fit: The file to corrupt + offset: Offset to write + value: Value written + """ + with open(fit, 'r+b') as handle: + handle.seek(offset) + handle.write(struct.pack(">I", value)) + def create_rsa_pair(name): """Generate a new RSA key paid and certificate 
@@ -374,6 +442,51 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, (dtb)) run_bootm(sha_algo, 'multi required key', '', False) + def test_global_sign(sha_algo, padding, sign_options): + """Test global image signature with the given hash algorithm and padding. + + Args: + sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use + padding: Either '' or '-pss', to select the padding to use for the + rsa signature algorithm. + """ + + dtb = '%ssandbox-u-boot-global%s.dtb' % (tmpdir, padding) + cons.config.dtb = dtb + + # Compile our device tree files for kernel and U-Boot. These are + # regenerated here since mkimage will modify them (by adding a + # public key) below. + dtc('sandbox-kernel.dts') + dtc_options('sandbox-u-boot-global%s.dts' % padding, '-p 1024') + + # Build the FIT with dev key (keys NOT required). This adds the + # signature into sandbox-u-boot.dtb, NOT marked 'required'. + make_fit('simple-images.its') + sign_fit_dtb(sha_algo, '', dtb) + + # Build the dtb for binman that define the pre-load header + # with the global sigature. + dtc('sandbox-binman%s.dts' % padding) + + # Run binman to create the final image with the not signed fit + # and the pre-load header that contains the global signature. 
+ run_binman('sandbox-binman%s.dtb' % padding) + + # Check that the signature is correctly verified by u-boot + run_bootm(sha_algo, 'global image signature', + 'signature check has succeed', True, "%ssandbox.img" % tmpdir) + + # Corrupt the image (just one byte after the pre-load header) + corrupt_file("%ssandbox.img" % tmpdir, 4096, 255); + + # Check that the signature verification fails + run_bootm(sha_algo, 'global image signature', + 'signature check has failed', False, "%ssandbox.img" % tmpdir) + + # Check that the boot fails if the global signature is not provided + run_bootm(sha_algo, 'global image signature', 'signature is mandatory', False) + cons = u_boot_console tmpdir = os.path.join(cons.config.result_dir, name) + '/' if not os.path.exists(tmpdir): @@ -381,6 +494,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, datadir = cons.config.source_dir + '/test/py/tests/vboot/' fit = '%stest.fit' % tmpdir mkimage = cons.config.build_dir + '/tools/mkimage' + binman = cons.config.source_dir + '/tools/binman/binman' fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign' dtc_args = '-I dts -O dtb -i %s' % tmpdir dtb = '%ssandbox-u-boot.dtb' % tmpdir @@ -403,7 +517,9 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required, # afterwards. old_dtb = cons.config.dtb cons.config.dtb = dtb - if required: + if global_sign: + test_global_sign(sha_algo, padding, sign_options) + elif required: test_required_key(sha_algo, padding, sign_options) else: test_with_algo(sha_algo, padding, sign_options) diff --git a/test/py/tests/vboot/sandbox-binman-pss.dts b/test/py/tests/vboot/sandbox-binman-pss.dts new file mode 100644 index 0000000000..56e3a42fa6 --- /dev/null +++ b/test/py/tests/vboot/sandbox-binman-pss.dts 
@@ -0,0 +1,25 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + filename = "sandbox.img"; + + pre-load { + content = <&image>; + algo-name = "sha256,rsa2048"; + padding-name = "pss"; + key-name = "dev.key"; + header-size = <4096>; + version = <1>; + }; + + image: blob-ext { + filename = "test.fit"; + }; + }; +}; diff --git a/test/py/tests/vboot/sandbox-binman.dts b/test/py/tests/vboot/sandbox-binman.dts new file mode 100644 index 0000000000..b24aeba0fa --- /dev/null +++ b/test/py/tests/vboot/sandbox-binman.dts @@ -0,0 +1,24 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + filename = "sandbox.img"; + + pre-load { + content = <&image>; + algo-name = "sha256,rsa2048"; + key-name = "dev.key"; + header-size = <4096>; + version = <1>; + }; + + image: blob-ext { + filename = "test.fit"; + }; + }; +}; diff --git a/test/py/tests/vboot/sandbox-u-boot-global-pss.dts b/test/py/tests/vboot/sandbox-u-boot-global-pss.dts new file mode 100644 index 0000000000..c59a68221b --- /dev/null +++ b/test/py/tests/vboot/sandbox-u-boot-global-pss.dts @@ -0,0 +1,28 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + model = "Sandbox Verified Boot Test"; + compatible = "sandbox"; + + binman { + }; + + reset@0 { + compatible = "sandbox,reset"; + }; + + image { + pre-load { + sig { + algo-name = "sha256,rsa2048"; + padding-name = "pss"; + signature-size = <256>; + mandatory = "yes"; + + key-name = "dev"; + }; + }; + }; +}; diff --git a/test/py/tests/vboot/sandbox-u-boot-global.dts b/test/py/tests/vboot/sandbox-u-boot-global.dts new file mode 100644 index 0000000000..1409f9e1a1 --- /dev/null +++ b/test/py/tests/vboot/sandbox-u-boot-global.dts 
@@ -0,0 +1,27 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + model = "Sandbox Verified Boot Test"; + compatible = "sandbox"; + + binman { + }; + + reset@0 { + compatible = "sandbox,reset"; + }; + + image { + pre-load { + sig { + algo-name = "sha256,rsa2048"; + signature-size = <256>; + mandatory = "yes"; + + key-name = "dev"; + }; + }; + }; +}; diff --git a/test/py/tests/vboot/simple-images.its b/test/py/tests/vboot/simple-images.its new file mode 100644 index 0000000000..f62786456b --- /dev/null +++ b/test/py/tests/vboot/simple-images.its @@ -0,0 +1,36 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + description = "Chrome OS kernel image with one or more FDT blobs"; + #address-cells = <1>; + + images { + kernel { + data = /incbin/("test-kernel.bin"); + type = "kernel_noload"; + arch = "sandbox"; + os = "linux"; + compression = "none"; + load = <0x4>; + entry = <0x8>; + kernel-version = <1>; + }; + fdt-1 { + description = "snow"; + data = /incbin/("sandbox-kernel.dtb"); + type = "flat_dt"; + arch = "sandbox"; + compression = "none"; + fdt-version = <1>; + }; + }; + configurations { + default = "conf-1"; + conf-1 { + kernel = "kernel"; + fdt = "fdt-1"; + }; + }; +}; -- 2.25.1
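
Review bot: In the TESTDATA hunk (@@ -35,19 +43,21 @@), the two new rows 'sha256-global-sign' and 'sha256-global-sign-pss' cover sha256 only, and the new sandbox-binman*.dts and sandbox-u-boot-global*.dts files hard-code algo-name = "sha256,rsa2048", so the sha_algo column cannot select anything else for the pre-load case. The module docstring still says "Tests run with both SHA1 and SHA256 hashing"; either note there that the pre-load tests are sha256-only or generate the pre-load nodes from sha_algo. The new rows also pass '' for sign_options where the existing rows without options use None; None would be consistent.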
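
Review bot: In run_binman (hunk @@ -81,6 +91,33 @@), os.environ['PYTHONPATH'] is put back only on the line after util.run_and_log, so if that call raises, the modified value stays in place for the remaining parametrized cases; wrap the call in try/finally. When PYTHONPATH was not set beforehand, the new value begins with ':' (an empty path entry) and the restore leaves the variable set to '' rather than unset. In the same hunk, dtc_options repeats the body of dtc with one extra argument; an optional options parameter on dtc would avoid the duplicate helper.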
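
Review bot: sign_fit_dtb (hunk @@ -139,6 +176,23 @@) always passes '-r' to mkimage in args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit], but its only caller, test_global_sign, comments the step as "keys NOT required" and "NOT marked 'required'". One of the two is wrong; either drop '-r' or fix the caller's comment. The docstring's Args section omits dtb, and sha_algo is used only for the log line, which the docstring could say.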
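
Review bot: corrupt_file (hunk @@ -176,6 +230,20 @@) writes struct.pack(">I", value), that is four bytes in big-endian order, while the docstring only says "a value is written at the specified offset" and the caller describes the change as "just one byte". With (4096, 255) the bytes at offsets 4096 to 4099 become 00 00 00 ff. Either document the 32-bit write in the docstring or write a single byte with struct.pack("B", value). The first parameter is named fit although the caller passes sandbox.img; a neutral name such as path would be clearer.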
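
Review bot: The negative cases in test_global_sign (hunk @@ -374,6 +442,51 @@) change only the payload at offset 4096 and boot an image with no pre-load header at all; nothing alters a byte inside the 4096-byte header itself, so a regression in how the header fields or the stored signature are checked would not be caught. Consider adding a case that calls corrupt_file with an offset below 4096 and expects the boot to fail. The literal 4096 duplicates header-size = <4096> in sandbox-binman.dts and sandbox-binman-pss.dts; a named constant next to the test would keep the two in step. Smaller points in the same hunk: sign_options is accepted but never used or documented, the corrupt_file call ends with a stray ';', and the comment reads "sigature".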
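
Review bot: simple-images.its (last hunk, @@ -0,0 +1,36 @@) carries no hash or signature nodes under images or configurations, and the file does not say why. If the point is that integrity of this FIT rests entirely on the pre-load header signature, a short comment at the top would make that explicit for the next reader. The description strings "Chrome OS kernel image with one or more FDT blobs" and "snow" look carried over from another .its and could be replaced with text describing this test.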