def testSimple(self):
"""Test the normal path"""
self.rc.AddCmdResult(partial_mock.InOrder(
['dump_kernel_config', '/dev/loop9999p4']),
output=SAMPLE_KERNEL_CONFIG)
self.keyset.keys['keyA_kernel_data_key'] = keys.KeyPair(
'keyA_kernel_data_key', self.keytempdir.tempdir)
self.keyset.keys['kernel_data_key'] = keys.KeyPair(
'kernel_data_key', self.keytempdir.tempdir)
imagefile.UpdateRootfsHash(self.image,
self.image.GetPartitionDevName('KERN-A'),
self.keyset, 'keyA_')
self.assertEqual(5, self.rc.call_count)
expected_kernel_cmdline = kernel_cmdline.CommandLine(
'console= loglevel=7 init=/sbin/init cros_secure oops=panic panic=-1 '
'root=/dev/dm-0 rootwait ro dm_verity.error_behavior=3 '
'dm_verity.max_bios=-1 dm_verity.dev_wait=1 dm="1 vroot none ro 1,0 '
'800 verity alg=sha1" noinitrd cros_debug vt.global_cursor_default=0 '
'kern_guid=%U add_efi_memmap boot=local noresume noswap '
'i915.modeset=1 tpm_tis.force=1 tpm_tis.interrupts=0 '
'nmi_watchdog=panic,lapic disablevmx=off')
expected_calls = [
mock.call('/dev/loop9999p2', expected_kernel_cmdline,
self.keyset.keys['keyA_kernel_data_key']),
mock.call('/dev/loop9999p4', expected_kernel_cmdline,
self.keyset.keys['kernel_data_key']),
]
self.assertEqual(expected_calls, self.ukc.call_args_list)
def KeysetFromSigner(s, keydir, subdir='keyset'):
"""Returns a valid keyset containing required keys and keyblocks."""
ks = keys.Keyset()
keydir = os.path.join(keydir, subdir)
for key_name in s.required_keys:
key = keys.KeyPair(key_name, keydir=keydir)
ks.AddKey(key)
keys_unittest.CreateDummyKeys(key)
for key_name in s.required_keys_public:
key = keys.KeyPair(key_name, keydir=keydir)
ks.AddKey(key)
keys_unittest.CreateDummyPublic(key)
if key in s.required_keyblocks:
keys_unittest.CreateDummyKeyblock(key)
for key_name in s.required_keys_private:
key = keys.KeyPair(key_name, keydir=keydir)
ks.AddKey(key)
keys_unittest.CreateDummyPrivateKey(key)
for keyblock_name in s.required_keyblocks:
if keyblock_name not in ks.keys:
ks.AddKey(keys.KeyPair(keyblock_name, keydir=keydir))
key = ks.keys[keyblock_name]
keys_unittest.CreateDummyKeyblock(key)
return ks
def testSetsPubExtCorrectly(self):
"""Test init sets pub_ext correctly based on priv_ext argument."""
k1 = keys.KeyPair('k1', self.tempdir, priv_ext='.vbprivk')
k2 = keys.KeyPair('k2', self.tempdir, priv_ext='.vbprik2')
self.assertEqual(k1._pub_ext, '.vbpubk')
self.assertEqual(k2._pub_ext, '.vbpubk2')
self.assertEqual(k1.public, '%s/k1.vbpubk' % self.tempdir)
self.assertEqual(k2.public, '%s/k2.vbpubk2' % self.tempdir)
def testExistsWithPrivateKey(self):
k1 = keys.KeyPair('key1', self.tempdir)
CreateDummyPrivateKey(k1)
self.assertTrue(k1.Exists())
self.assertTrue(k1.Exists(require_private=True))
self.assertFalse(k1.Exists(require_public=True))
def testInitWithPrivExt(self):
"""Test init with priv_ext kwarg."""
k_ext = keys.KeyPair('k_ext', self.tempdir, priv_ext='.vbprik2')
self.assertEqual(k_ext.private,
os.path.join(self.tempdir, 'k_ext.vbprik2'))
self.assertEqual(k_ext.public,
os.path.join(self.tempdir, 'k_ext.vbpubk2'))
def testEqDiffrent(self):
kc1 = self._get_keyset()
kc2 = self._get_keyset()
kc2 = self._get_keyset()
kc2.AddKey(keys.KeyPair('Foo', self.tempdir))
self.assertFalse(kc1 == kc2)
def _get_keyset(self, has_loem_ini=True):
"""Returns keyset with a few keys."""
kc = KeysetMock(self.tempdir, has_loem_ini=has_loem_ini)
# Add a few more keys for this build.
for key_name in ['key1', 'key2', 'key3', 'key4']:
kc.AddKey(keys.KeyPair(key_name, self.tempdir))
return kc
def testSignWithMock(self):
foo_key = keys.KeyPair('foo', self.tempdir)
keys_unittest.CreateDummyKeys(foo_key)
keyset = keys.Keyset()
keyset.AddKey(foo_key)
fsm = MockFutilitySigner()
fsm.Sign(keyset, 'foo', 'bar')
self.assertCommandContains(['foo', 'bar'])
def testExistsWithBothKeys(self):
"""Exists() works correctly when private/public are both required."""
k1 = keys.KeyPair('key1', self.tempdir)
CreateDummyPrivateKey(k1)
CreateDummyPublic(k1)
self.assertTrue(k1.Exists())
self.assertTrue(k1.Exists(require_private=True))
self.assertTrue(k1.Exists(require_public=True))
self.assertTrue(k1.Exists(require_private=True, require_public=True))
def testGetSha1sumMockCmd(self):
"""Test GetSha1sum with mock cmd output."""
MockVbutilKey(self.rc)
k1 = keys.KeyPair('firmware_data_key', self.tempdir)
k1sum = k1.GetSHA1sum()
self.assertEqual(k1sum, MOCK_SHA1SUM)
self.assertCommandCalled(['vbutil_key', '--unpack', k1.public],
check=False,
encoding='utf-8')
def testSimple(self):
self.rc.SetDefaultCmdResult()
loop_kern = '/dev/loop9999p2'
cmd_line = kernel_cmdline.CommandLine(SAMPLE_KERNEL_CONFIG)
key = keys.KeyPair('key', '/keydir')
imagefile._UpdateKernelConfig(loop_kern, cmd_line, key)
self.assertEqual(1, self.rc.call_count)
expected_cmdA = [
'sudo', '--', 'vbutil_kernel', '--repack', loop_kern, '--keyblock',
'/keydir/key.keyblock', '--signprivate', '/keydir/key.vbprivk',
'--version', '1', '--oldblob', '/dev/loop9999p2', '--config',
mock.ANY
]
self.rc.assertCommandCalled(expected_cmdA)
def __init__(self, key_dir, has_loem_ini=True):
"""Create a Keyset with root_of_trust-specific keys, and populate it."""
# We do not actually create files for the KeyPairs, since the tests care.
# Create the key_dir.
osutils.SafeMakedirs(key_dir)
# This will create the Keyset without root_of_trust-specific keys, since
# that is determined by having loem.ini which does not exist yet.
super(KeysetMock, self).__init__(key_dir)
# Save key.versions.
self._versions.Save()
# By default, we have root_of_trust-specific keys, and want loem.ini. If
# not, don't create them.
if has_loem_ini:
self.WriteIniFile()
else:
self.KEYS_WITH_ROOT_OF_TRUST_ALIASES = ()
self.ROOT_OF_TRUST_ALIASES = ()
self.ROOT_OF_TRUST_NAMES = ()
# Create KeyPairs as appropriate for the Keyset we are mocking.
for key_name in KeysetMock.KEYS:
if key_name not in self.KEYS_WITH_ROOT_OF_TRUST_ALIASES:
self.AddKey(keys.KeyPair(key_name, key_dir))
for name in self.KEYS_WITH_ROOT_OF_TRUST_ALIASES:
for root_of_trust in self.ROOT_OF_TRUST_ALIASES:
key = keys.KeyPair('%s.%s' % (name, root_of_trust), key_dir)
self.AddRootOfTrustKey(name, root_of_trust, key)
for alias, root_of_trust in zip(self.ROOT_OF_TRUST_NAMES,
self.ROOT_OF_TRUST_ALIASES):
self.root_of_trust_map[alias] = root_of_trust
self.root_of_trust_map[root_of_trust] = root_of_trust
def testNoKernBHash(self):
"""Test no KERN-B hash case."""
self.rc.AddCmdResult(partial_mock.InOrder(
['dump_kernel_config', '/dev/loop9999p2']),
output=SAMPLE_KERNEL_CONFIG)
recovery = keys.KeyPair('recovery', self.keytempdir.tempdir, version=3)
self.keyset.keys['recovery'] = recovery
imagefile.UpdateRecoveryKernelHash(self.image, self.keyset)
self.rc.assertCommandCalled(
['sudo', '--', 'dump_kernel_config', '/dev/loop9999p2'],
capture_output=True,
print_cmd=False,
check=True,
encoding='utf-8')
new_cmdline = SAMPLE_KERNEL_CONFIG.strip()
self.loginfo.assert_called_once_with('New cmdline for kernel A is %s',
new_cmdline)
self.ukc.assert_called_once_with(
'/dev/loop9999p2', kernel_cmdline.CommandLine(new_cmdline),
recovery)
def testNoKernB(self):
"""Test the normal path"""
kernel_key = keys.KeyPair('kernel_data_key', self.keytempdir.tempdir)
self.keyset.keys['kernel_data_key'] = kernel_key
self.rc.AddCmdResult(partial_mock.InOrder(
['dump_kernel_config', '/dev/loop9999p4']),
returncode=1)
imagefile.UpdateStatefulPartitionVblock(self.image, self.keyset)
self.rc.assertCommandCalled(
['sudo', '--', 'dump_kernel_config', '/dev/loop9999p4'],
print_cmd=False,
capture_output=True,
check=False,
encoding='utf-8')
self.rc.assertCommandCalled([
'sudo', '--', 'vbutil_kernel', '--repack', mock.ANY, '--keyblock',
kernel_key.keyblock, '--signprivate', kernel_key.private,
'--oldblob', '/dev/loop9999p2', '--vblockonly'
])
self.rc.assertCommandCalled([
'sudo', '--', 'cp', mock.ANY,
'%s/dir-1/vmlinuz_hd.vblock' % self.tempdir
])
def testCmpDiff(self):
k1 = keys.KeyPair('key1', self.tempdir)
k2 = keys.KeyPair('key2', self.tempdir)
self.assertNotEqual(k1, k2)
def testKeyblockExists(self):
k1 = keys.KeyPair('key1', self.tempdir)
CreateDummyKeyblock(k1)
self.assertTrue(k1.KeyblockExists())
def testGetSha1sumEmpty(self):
"""Test GetSha1sum with bad cmd output."""
k1 = keys.KeyPair('key1', self.tempdir)
with self.assertRaises(keys.SignerKeyError):
k1.GetSHA1sum()
def testKeyblock(self):
k1 = keys.KeyPair('key1', self.tempdir)
self.assertEqual(k1.keyblock,
os.path.join(self.tempdir, 'key1' + '.keyblock'))
def testKeyblockExistsMissing(self):
k1 = keys.KeyPair('key1', self.tempdir)
self.assertFalse(k1.KeyblockExists())
def testExistEmptyRequirePublicRequirePrivate(self):
k1 = keys.KeyPair('key1', self.tempdir)
self.assertFalse(k1.Exists(require_private=True, require_public=True))
def testKeyblockWithSuffix(self):
k1 = keys.KeyPair('key1_data_key', self.tempdir)
self.assertEqual(k1.keyblock,
os.path.join(self.tempdir, 'key1' + '.keyblock'))
def testPublicKey(self):
k1 = keys.KeyPair('key1', self.tempdir)
self.assertEqual(k1.public,
os.path.join(self.tempdir, 'key1' + '.vbpubk'))
def testInitWithVersion(self):
"""Test init with version kwarg."""
k_ver = keys.KeyPair('k_ver', self.tempdir, version=2)
self.assertEqual(k_ver.version, 2)
def testAssertsValueErrorOnEmptyStringVersion(self):
with self.assertRaises(ValueError):
keys.KeyPair('key1', self.tempdir, version='')
def testAddKey(self):
ks0 = keys.Keyset()
key0 = keys.KeyPair('key0', self.tempdir)
ks0.AddKey(key0)
self.assertEqual(ks0.keys['key0'], key0)
def testRejectsInvalidPrivExt(self):
"""Test init with bad priv_ext argument."""
with self.assertRaises(ValueError):
keys.KeyPair('foo', self.tempdir, priv_ext='.bar')
def testExistsEmpty(self):
self.assertFalse(keys.KeyPair('key1', self.tempdir).Exists())
def testPrivateKey(self):
k1 = keys.KeyPair('key1', self.tempdir)
self.assertEqual(k1.private,
os.path.join(self.tempdir, 'key1' + '.vbprivk'))
def testAddRootOfTrustKey(self):
k9 = keys.KeyPair('root_key.loem9', self.tempdir)
ks0 = self._get_keyset()
ks0.AddRootOfTrustKey('root_key', 'loem9', k9)
self.assertEqual(ks0._root_of_trust_keys['loem9']['root_key'], k9)
def testCmpSame(self):
k1 = keys.KeyPair('key1', self.tempdir)
k2 = keys.KeyPair('key1', self.tempdir)
self.assertEqual(k1, k1)
self.assertEqual(k1, k2)