def test_with_algo(sha_algo): """Test verified boot with the given hash algorithm. This is the main part of the test code. The same procedure is followed for both hashing algorithms. Args: sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use. """ # Compile our device tree files for kernel and U-Boot. These are # regenerated here since mkimage will modify them (by adding a # public key) below. dtc('sandbox-kernel.dts') dtc('sandbox-u-boot.dts') # Build the FIT, but don't sign anything yet cons.log.action('%s: Test FIT with signed images' % sha_algo) make_fit('sign-images-%s.its' % sha_algo) run_bootm(sha_algo, 'unsigned images', 'dev-', True) # Sign images with our dev keys sign_fit(sha_algo) run_bootm(sha_algo, 'signed images', 'dev+', True) # Create a fresh .dtb without the public keys dtc('sandbox-u-boot.dts') cons.log.action('%s: Test FIT with signed configuration' % sha_algo) make_fit('sign-configs-%s.its' % sha_algo) run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True) # Sign images with our dev keys sign_fit(sha_algo) run_bootm(sha_algo, 'signed config', 'dev+', True) cons.log.action('%s: Check signed config on the host' % sha_algo) util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir, '-k', dtb]) # Increment the first byte of the signature, which should cause failure sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' % (fit, sig_node)) byte_list = sig.split() byte = int(byte_list[0], 16) byte_list[0] = '%x' % (byte + 1) sig = ' '.join(byte_list) util.run_and_log(cons, 'fdtput -t bx %s %s value %s' % (fit, sig_node, sig)) run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False) cons.log.action('%s: Check bad config on the host' % sha_algo) util.run_and_log_expect_exception( cons, [fit_check_sign, '-f', fit, '-k', dtb], 1, 'Failed to verify required signature')
def test_with_algo(sha_algo): """Test verified boot with the given hash algorithm. This is the main part of the test code. The same procedure is followed for both hashing algorithms. Args: sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use. """ # Compile our device tree files for kernel and U-Boot. These are # regenerated here since mkimage will modify them (by adding a # public key) below. dtc('sandbox-kernel.dts') dtc('sandbox-u-boot.dts') # Build the FIT, but don't sign anything yet cons.log.action('%s: Test FIT with signed images' % sha_algo) make_fit('sign-images-%s.its' % sha_algo) run_bootm(sha_algo, 'unsigned images', 'dev-', True) # Sign images with our dev keys sign_fit(sha_algo) run_bootm(sha_algo, 'signed images', 'dev+', True) # Create a fresh .dtb without the public keys dtc('sandbox-u-boot.dts') cons.log.action('%s: Test FIT with signed configuration' % sha_algo) make_fit('sign-configs-%s.its' % sha_algo) run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True) # Sign images with our dev keys sign_fit(sha_algo) run_bootm(sha_algo, 'signed config', 'dev+', True) cons.log.action('%s: Check signed config on the host' % sha_algo) util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir, '-k', dtb]) # Increment the first byte of the signature, which should cause failure sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' % (fit, sig_node)) byte_list = sig.split() byte = int(byte_list[0], 16) byte_list[0] = '%x' % (byte + 1) sig = ' '.join(byte_list) util.run_and_log(cons, 'fdtput -t bx %s %s value %s' % (fit, sig_node, sig)) run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False) cons.log.action('%s: Check bad config on the host' % sha_algo) util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit, '-k', dtb], 1, 'Failed to verify required signature')
def test_with_algo(sha_algo, padding, sign_options): """Test verified boot with the given hash algorithm. This is the main part of the test code. The same procedure is followed for both hashing algorithms. Args: sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use. padding: Either '' or '-pss', to select the padding to use for the rsa signature algorithm. sign_options: Options to mkimage when signing a fit image. """ # Compile our device tree files for kernel and U-Boot. These are # regenerated here since mkimage will modify them (by adding a # public key) below. dtc('sandbox-kernel.dts') dtc('sandbox-u-boot.dts') # Build the FIT, but don't sign anything yet cons.log.action('%s: Test FIT with signed images' % sha_algo) make_fit('sign-images-%s%s.its' % (sha_algo, padding)) run_bootm(sha_algo, 'unsigned images', 'dev-', True) # Sign images with our dev keys sign_fit(sha_algo, sign_options) run_bootm(sha_algo, 'signed images', 'dev+', True) # Create a fresh .dtb without the public keys dtc('sandbox-u-boot.dts') cons.log.action('%s: Test FIT with signed configuration' % sha_algo) make_fit('sign-configs-%s%s.its' % (sha_algo, padding)) run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True) # Sign images with our dev keys sign_fit(sha_algo, sign_options) run_bootm(sha_algo, 'signed config', 'dev+', True) cons.log.action('%s: Check signed config on the host' % sha_algo) util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb]) if full_test: # Make sure that U-Boot checks that the config is in the list of # hashed nodes. If it isn't, a security bypass is possible. ffit = '%stest.forged.fit' % tmpdir shutil.copyfile(fit, ffit) with open(ffit, 'rb') as fd: root, strblock = vboot_forge.read_fdt(fd) root, strblock = vboot_forge.manipulate(root, strblock) with open(ffit, 'w+b') as fd: vboot_forge.write_fdt(root, strblock, fd) util.run_and_log_expect_exception( cons, [fit_check_sign, '-f', ffit, '-k', dtb], 1, 'Failed to verify required signature') run_bootm(sha_algo, 'forged config', 'Bad Data Hash', False, ffit) # Try adding an evil root node. This should be detected. efit = '%stest.evilf.fit' % tmpdir shutil.copyfile(fit, efit) vboot_evil.add_evil_node(fit, efit, evil_kernel, 'fakeroot') util.run_and_log_expect_exception( cons, [fit_check_sign, '-f', efit, '-k', dtb], 1, 'Failed to verify required signature') run_bootm(sha_algo, 'evil fakeroot', 'Bad FIT kernel image format', False, efit) # Try adding an @ to the kernel node name. This should be detected. efit = '%stest.evilk.fit' % tmpdir shutil.copyfile(fit, efit) vboot_evil.add_evil_node(fit, efit, evil_kernel, 'kernel@') msg = 'Signature checking prevents use of unit addresses (@) in nodes' util.run_and_log_expect_exception( cons, [fit_check_sign, '-f', efit, '-k', dtb], 1, msg) run_bootm(sha_algo, 'evil kernel@', msg, False, efit) # Create a new properly signed fit and replace header bytes make_fit('sign-configs-%s%s.its' % (sha_algo, padding)) sign_fit(sha_algo, sign_options) bcfg = u_boot_console.config.buildconfig max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0) existing_size = replace_fit_totalsize(max_size + 1) run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False) cons.log.action('%s: Check overflowed FIT header totalsize' % sha_algo) # Replace with existing header bytes replace_fit_totalsize(existing_size) run_bootm(sha_algo, 'signed config', 'dev+', True) cons.log.action('%s: Check default FIT header totalsize' % sha_algo) # Increment the first byte of the signature, which should cause failure sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' % (fit, sig_node)) byte_list = sig.split() byte = int(byte_list[0], 16) byte_list[0] = '%x' % (byte + 1) sig = ' '.join(byte_list) util.run_and_log(cons, 'fdtput -t bx %s %s value %s' % (fit, sig_node, sig)) run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False) cons.log.action('%s: Check bad config on the host' % sha_algo) util.run_and_log_expect_exception( cons, [fit_check_sign, '-f', fit, '-k', dtb], 1, 'Failed to verify required signature')