def test_with_algo(sha_algo):
"""Test verified boot with the given hash algorithm.
This is the main part of the test code. The same procedure is followed
for both hashing algorithms.
Args:
sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
use.
"""
# Compile our device tree files for kernel and U-Boot. These are
# regenerated here since mkimage will modify them (by adding a
# public key) below.
dtc('sandbox-kernel.dts')
dtc('sandbox-u-boot.dts')
# Build the FIT, but don't sign anything yet
cons.log.action('%s: Test FIT with signed images' % sha_algo)
make_fit('sign-images-%s.its' % sha_algo)
run_bootm(sha_algo, 'unsigned images', 'dev-', True)
# Sign images with our dev keys
sign_fit(sha_algo)
run_bootm(sha_algo, 'signed images', 'dev+', True)
# Create a fresh .dtb without the public keys
dtc('sandbox-u-boot.dts')
cons.log.action('%s: Test FIT with signed configuration' % sha_algo)
make_fit('sign-configs-%s.its' % sha_algo)
run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
# Sign images with our dev keys
sign_fit(sha_algo)
run_bootm(sha_algo, 'signed config', 'dev+', True)
cons.log.action('%s: Check signed config on the host' % sha_algo)
util.run_and_log(cons,
[fit_check_sign, '-f', fit, '-k', tmpdir, '-k', dtb])
# Increment the first byte of the signature, which should cause failure
sig = util.run_and_log(cons,
'fdtget -t bx %s %s value' % (fit, sig_node))
byte_list = sig.split()
byte = int(byte_list[0], 16)
byte_list[0] = '%x' % (byte + 1)
sig = ' '.join(byte_list)
util.run_and_log(cons,
'fdtput -t bx %s %s value %s' % (fit, sig_node, sig))
run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash',
False)
cons.log.action('%s: Check bad config on the host' % sha_algo)
util.run_and_log_expect_exception(
cons, [fit_check_sign, '-f', fit, '-k', dtb], 1,
'Failed to verify required signature')
def test_with_algo(sha_algo):
"""Test verified boot with the given hash algorithm.
This is the main part of the test code. The same procedure is followed
for both hashing algorithms.
Args:
sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
use.
"""
# Compile our device tree files for kernel and U-Boot. These are
# regenerated here since mkimage will modify them (by adding a
# public key) below.
dtc('sandbox-kernel.dts')
dtc('sandbox-u-boot.dts')
# Build the FIT, but don't sign anything yet
cons.log.action('%s: Test FIT with signed images' % sha_algo)
make_fit('sign-images-%s.its' % sha_algo)
run_bootm(sha_algo, 'unsigned images', 'dev-', True)
# Sign images with our dev keys
sign_fit(sha_algo)
run_bootm(sha_algo, 'signed images', 'dev+', True)
# Create a fresh .dtb without the public keys
dtc('sandbox-u-boot.dts')
cons.log.action('%s: Test FIT with signed configuration' % sha_algo)
make_fit('sign-configs-%s.its' % sha_algo)
run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
# Sign images with our dev keys
sign_fit(sha_algo)
run_bootm(sha_algo, 'signed config', 'dev+', True)
cons.log.action('%s: Check signed config on the host' % sha_algo)
util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
'-k', dtb])
# Increment the first byte of the signature, which should cause failure
sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
(fit, sig_node))
byte_list = sig.split()
byte = int(byte_list[0], 16)
byte_list[0] = '%x' % (byte + 1)
sig = ' '.join(byte_list)
util.run_and_log(cons, 'fdtput -t bx %s %s value %s' %
(fit, sig_node, sig))
run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False)
cons.log.action('%s: Check bad config on the host' % sha_algo)
util.run_and_log_expect_exception(cons, [fit_check_sign, '-f', fit,
'-k', dtb], 1, 'Failed to verify required signature')
def test_with_algo(sha_algo, padding, sign_options):
"""Test verified boot with the given hash algorithm.
This is the main part of the test code. The same procedure is followed
for both hashing algorithms.
Args:
sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
use.
padding: Either '' or '-pss', to select the padding to use for the
rsa signature algorithm.
sign_options: Options to mkimage when signing a fit image.
"""
# Compile our device tree files for kernel and U-Boot. These are
# regenerated here since mkimage will modify them (by adding a
# public key) below.
dtc('sandbox-kernel.dts')
dtc('sandbox-u-boot.dts')
# Build the FIT, but don't sign anything yet
cons.log.action('%s: Test FIT with signed images' % sha_algo)
make_fit('sign-images-%s%s.its' % (sha_algo, padding))
run_bootm(sha_algo, 'unsigned images', 'dev-', True)
# Sign images with our dev keys
sign_fit(sha_algo, sign_options)
run_bootm(sha_algo, 'signed images', 'dev+', True)
# Create a fresh .dtb without the public keys
dtc('sandbox-u-boot.dts')
cons.log.action('%s: Test FIT with signed configuration' % sha_algo)
make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
run_bootm(sha_algo, 'unsigned config', '%s+ OK' % sha_algo, True)
# Sign images with our dev keys
sign_fit(sha_algo, sign_options)
run_bootm(sha_algo, 'signed config', 'dev+', True)
cons.log.action('%s: Check signed config on the host' % sha_algo)
util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
if full_test:
# Make sure that U-Boot checks that the config is in the list of
# hashed nodes. If it isn't, a security bypass is possible.
ffit = '%stest.forged.fit' % tmpdir
shutil.copyfile(fit, ffit)
with open(ffit, 'rb') as fd:
root, strblock = vboot_forge.read_fdt(fd)
root, strblock = vboot_forge.manipulate(root, strblock)
with open(ffit, 'w+b') as fd:
vboot_forge.write_fdt(root, strblock, fd)
util.run_and_log_expect_exception(
cons, [fit_check_sign, '-f', ffit, '-k', dtb], 1,
'Failed to verify required signature')
run_bootm(sha_algo, 'forged config', 'Bad Data Hash', False, ffit)
# Try adding an evil root node. This should be detected.
efit = '%stest.evilf.fit' % tmpdir
shutil.copyfile(fit, efit)
vboot_evil.add_evil_node(fit, efit, evil_kernel, 'fakeroot')
util.run_and_log_expect_exception(
cons, [fit_check_sign, '-f', efit, '-k', dtb], 1,
'Failed to verify required signature')
run_bootm(sha_algo, 'evil fakeroot', 'Bad FIT kernel image format',
False, efit)
# Try adding an @ to the kernel node name. This should be detected.
efit = '%stest.evilk.fit' % tmpdir
shutil.copyfile(fit, efit)
vboot_evil.add_evil_node(fit, efit, evil_kernel, 'kernel@')
msg = 'Signature checking prevents use of unit addresses (@) in nodes'
util.run_and_log_expect_exception(
cons, [fit_check_sign, '-f', efit, '-k', dtb], 1, msg)
run_bootm(sha_algo, 'evil kernel@', msg, False, efit)
# Create a new properly signed fit and replace header bytes
make_fit('sign-configs-%s%s.its' % (sha_algo, padding))
sign_fit(sha_algo, sign_options)
bcfg = u_boot_console.config.buildconfig
max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000),
0)
existing_size = replace_fit_totalsize(max_size + 1)
run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash',
False)
cons.log.action('%s: Check overflowed FIT header totalsize' % sha_algo)
# Replace with existing header bytes
replace_fit_totalsize(existing_size)
run_bootm(sha_algo, 'signed config', 'dev+', True)
cons.log.action('%s: Check default FIT header totalsize' % sha_algo)
# Increment the first byte of the signature, which should cause failure
sig = util.run_and_log(cons,
'fdtget -t bx %s %s value' % (fit, sig_node))
byte_list = sig.split()
byte = int(byte_list[0], 16)
byte_list[0] = '%x' % (byte + 1)
sig = ' '.join(byte_list)
util.run_and_log(cons,
'fdtput -t bx %s %s value %s' % (fit, sig_node, sig))
run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash',
False)
cons.log.action('%s: Check bad config on the host' % sha_algo)
util.run_and_log_expect_exception(
cons, [fit_check_sign, '-f', fit, '-k', dtb], 1,
'Failed to verify required signature')
