def srk_table4(cpu_params: CpuParams) -> SrkTable:
"""Create SRK table with four root SRK keys
:param cpu_params: processor specific parameters of the test
:return: SrkTable instance
"""
result = SrkTable()
for cert_prefix in ['SRK1', 'SRK2', 'SRK3', 'SRK4']:
cert_data = load_binary(cpu_params.cert_data_dir, cert_prefix + '_sha256_2048_65537_v3_ca_crt.pem')
certificate = x509.load_pem_x509_certificate(cert_data, default_backend())
result.append(SrkItem.from_certificate(certificate))
return result
def test_srk_table_single_cert(srk_pem):
"""Smoke test that SrkTable with single certificate works"""
srk_table = SrkTable(version=0x40)
cert = x509.load_pem_x509_certificate(srk_pem[0], default_backend())
srk_table.append(SrkItem.from_certificate(cert))
# test export() returns any result
assert srk_table.export()
# test export_fuses() returns valid length
assert len(srk_table.export_fuses()) == 32
# test get_fuse() returns valid value
for fuse_index in range(8):
assert srk_table.get_fuse(fuse_index) >= 0
with pytest.raises(AssertionError):
srk_table.get_fuse(8)
# test info() returns non-empty text
assert srk_table.info() # test export returns any result
def test_rsa_srk_table_parser(data_dir):
with open(os.path.join(data_dir, "SRK_1_2_3_4_table.bin"), "rb") as f:
srk_table = SrkTable.parse(f.read())
assert len(srk_table) == 4
assert srk_table.size == 2112
with open(os.path.join(data_dir, "SRK_1_2_3_4_fuse.bin"), "rb") as f:
srk_fuses = f.read()
assert srk_table.export_fuses() == srk_fuses
def test_hashed_srk_table_parser(data_dir):
with open(os.path.join(data_dir, 'SRK_1_2_H3_H4_table.bin'), 'rb') as f:
srk_table = SrkTable.parse(f.read())
assert len(srk_table) == 4
assert srk_table.size == 1130
with open(os.path.join(data_dir, 'SRK_1_2_3_4_fuse.bin'), 'rb') as f:
srk_fuses = f.read()
assert srk_table.export_fuses() == srk_fuses
def test_prime256v1_srk_table_parser(data_dir):
"EC keys are not yet supported"
with open(os.path.join(data_dir, 'SRK_prime256v1_table.bin'), 'rb') as f:
srk_table = SrkTable.parse(f.read())
assert len(srk_table) == 4
assert srk_table.size == 308
with open(os.path.join(data_dir, 'SRK_prime256v1_fuse.bin'), 'rb') as f:
srk_fuses = f.read()
assert srk_table.export_fuses() == srk_fuses
def verify_srk_fuses(mboot: McuBoot, srk_table: SrkTable) -> bool:
"""Verify fuses in the processor
:param mboot: result of `init_flashloader()`
:param srk_table: Table of SRK root keys used to provide fuses value
:return: True if matches, False if does not match
"""
assert mboot.get_property(PropertyTag.CURRENT_VERSION)
for index, srk_index in enumerate(SRK_FUSES_INDEX):
val = mboot.efuse_read_once(srk_index)
exp_val = srk_table.get_fuse(index)
if val != exp_val:
return False
return True
def burn_srk_fuses(mboot: McuBoot, srk_table: SrkTable, enable_and_close_hab: bool) -> None:
"""Program SRK fuses into the processor; Not tested on hardware
:param mboot: result of `init_flashloader()`
:param srk_table: Table of SRK root keys used to provide fuses value
:param enable_and_close_hab: optional parameter to enable and close HAB
"""
assert mboot.get_property(PropertyTag.CURRENT_VERSION)
for index, srk_index in enumerate(SRK_FUSES_INDEX):
mboot.efuse_program_once(srk_index, srk_table.get_fuse(index))
if enable_and_close_hab:
# enable and close HAB
mboot.efuse_program_once(ENABLE_HAB_FUSE_INDEX, ENABLE_HAB_FUSE_MASK)
def test_srk_table_export(data_dir, srk_pem):
srk_table = SrkTable(version=0x40)
for pem_data in srk_pem:
cert = x509.load_pem_x509_certificate(pem_data, default_backend())
srk_table.append(SrkItem.from_certificate(cert))
with open(os.path.join(data_dir, 'SRK_1_2_3_4_table.bin'), 'rb') as f:
srk_table_data = f.read()
assert srk_table.export() == srk_table_data
assert srk_table == SrkTable.parse(srk_table_data)
def main() -> None:
"""Main function."""
cert_files = [f for f in os.listdir(DATA_DIR) if f.endswith(".pem")]
if not cert_files:
print(f'Add generated *.pem files into "{DATA_DIR}" directory')
sys.exit()
# Create SRK Table instance
srk_table = SrkTable(version=0x40)
for cert_file in cert_files:
with open(f"{DATA_DIR}/{cert_file}", "rb") as f:
certificate = x509.load_pem_x509_certificate(
f.read(), default_backend())
srk_item = SrkItem.from_certificate(certificate)
srk_table.append(srk_item)
with open(f"{DATA_DIR}/srk_fuses.bin", "wb") as f:
f.write(srk_table.export_fuses())
with open(f"{DATA_DIR}/srk_table.bin", "wb") as f:
f.write(srk_table.export())
def test_srk_table_cert_hashing(data_dir, srk_pem):
"""Recreate SRK_1_2_H3_H4 table from certificates"""
srk_table = SrkTable(version=0x40)
srk_table.append(
SrkItem.from_certificate(
x509.load_pem_x509_certificate(srk_pem[0], default_backend())))
srk_table.append(
SrkItem.from_certificate(
x509.load_pem_x509_certificate(srk_pem[1], default_backend())))
srk_table.append(
SrkItem.from_certificate(
x509.load_pem_x509_certificate(srk_pem[2],
default_backend())).hashed_entry())
srk_table.append(
SrkItem.from_certificate(
x509.load_pem_x509_certificate(srk_pem[3],
default_backend())).hashed_entry())
assert srk_table.export()
assert len(srk_table.export_fuses()) == 32
assert srk_table.info() # test export returns any result
with open(os.path.join(data_dir, 'SRK_1_2_H3_H4_table.bin'), 'rb') as f:
preimaged_srk_table_data = f.read()
assert srk_table.export() == preimaged_srk_table_data
assert srk_table == SrkTable.parse(preimaged_srk_table_data)
with open(os.path.join(data_dir, 'SRK_1_2_3_4_fuse.bin'), 'rb') as f:
srk_fuses = f.read()
assert srk_table.export_fuses() == srk_fuses
def test_srk_table_item_not_eq():
srk_table = SrkTable(version=0x40)
srk = SrkItemRSA(modulus=bytes(2048), exponent=bytes(4))
assert srk != srk_table
def test_srk_table_invalid_fuse():
srk_table = SrkTable(version=0x40)
with pytest.raises(SPSDKError, match="Incorrect index of the fuse"):
srk_table.get_fuse(index=9)