u-boot.git/test/py/tests/test_efi_secboot/conftest.py, branch master Unnamed repository; edit this file 'description' to name the repository. test: uninstall PK after secboot tests 2025-10-17T00:02:19+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2025-10-10T20:29:26+00:00 ede1186f2094f5709f4c4cd081a388873680139d The EFI secure boot tests install a security data base. Other EFI tests assume that secure boot is not enabled. Add the missing tear-down at the end of each secboot test sequence. Reported-by: Tom Rini <trini@konsulko.com> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Tested-by: Tom Rini <trini@konsulko.com> 
The EFI secure boot tests install a security data base.
Other EFI tests assume that secure boot is not enabled.
Add the missing tear-down at the end of each secboot test sequence.

Reported-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Tested-by: Tom Rini <trini@konsulko.com>
test/py: Rework test_efi_secboot to not use virt-make-fs 2025-04-08T19:51:09+00:00 Tom Rini trini@konsulko.com 2025-03-20T13:59:29+00:00 7bf75f3e36d0907e83c84ed252c8f24b1659985c The problem with using "virt-make-fs" to make a filesystem image is that it is extremely slow. Switch to using the fs_helper functions we have instead from the filesystem tests as these can add files to images and are significantly faster and still do not require root access. Signed-off-by: Tom Rini <trini@konsulko.com> 
The problem with using "virt-make-fs" to make a filesystem image is that
it is extremely slow. Switch to using the fs_helper functions we have
instead from the filesystem tests as these can add files to images and
are significantly faster and still do not require root access.

Signed-off-by: Tom Rini <trini@konsulko.com>
efi_loader: Fix EFI_VARIABLE_APPEND_WRITE hash check 2024-06-10T13:01:44+00:00 Weizhao Ouyang o451686892@gmail.com 2024-05-08T11:13:12+00:00 3b7d26eb2b88bf2be5a4a32ece1fca61b57e7721 According to UEFI v2.10 spec section 8.2.6, if a caller invokes the SetVariables() service, it will produce a digest from hash(VariableName, VendorGuid, Attributes, TimeStamp, DataNew_variable_content), then the firmware that implements the SetVariable() service will compare the digest with the result of applying the signer’s public key to the signature. For EFI variable append write, efitools sign-efi-sig-list has an option "-a" to add EFI_VARIABLE_APPEND_WRITE attr, and u-boot will drop this attribute in efi_set_variable_int(). So if a caller uses "sign-efi-sig-list -a" to create the authenticated variable, this append write will fail in the u-boot due to "hash check failed". This patch resumes writing the EFI_VARIABLE_APPEND_WRITE attr to ensure that the hash check is correct. And also update the "test_efi_secboot" test case to compliance with the change. Signed-off-by: Weizhao Ouyang <o451686892@gmail.com> 
According to UEFI v2.10 spec section 8.2.6, if a caller invokes the
SetVariables() service, it will produce a digest from hash(VariableName,
VendorGuid, Attributes, TimeStamp, DataNew_variable_content), then the
firmware that implements the SetVariable() service will compare the
digest with the result of applying the signer’s public key to the
signature. For EFI variable append write, efitools sign-efi-sig-list has
an option "-a" to add EFI_VARIABLE_APPEND_WRITE attr, and u-boot will
drop this attribute in efi_set_variable_int(). So if a caller uses
"sign-efi-sig-list -a" to create the authenticated variable, this append
write will fail in the u-boot due to "hash check failed".

This patch resumes writing the EFI_VARIABLE_APPEND_WRITE attr to ensure
that the hash check is correct. And also update the "test_efi_secboot"
test case to compliance with the change.

Signed-off-by: Weizhao Ouyang <o451686892@gmail.com>
global: Use proper project name U-Boot 2023-06-12T11:24:31+00:00 Michal Simek michal.simek@amd.com 2023-05-17T07:17:16+00:00 1be82afa807cc3cfacab29e3de0975d2cd99fa5d Use proper project name in comments, Kconfig, readmes. Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Stefan Roese <sr@denx.de> Reviewed-by: Qu Wenruo <wqu@suse.com> Signed-off-by: Michal Simek <michal.simek@amd.com> Link: https://lore.kernel.org/r/0dbdf0432405c1c38ffca55703b6737a48219e79.1684307818.git.michal.simek@amd.com 
Use proper project name in comments, Kconfig, readmes.

Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Michal Simek <michal.simek@amd.com>
Link: https://lore.kernel.org/r/0dbdf0432405c1c38ffca55703b6737a48219e79.1684307818.git.michal.simek@amd.com
test: fix pydoc issues for EFI tests 2023-05-04T07:57:43+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2023-05-03T05:08:05+00:00 bd730aa05baf1a6c5e61dc1f2e38b48f48a06b05 Fix issues reported by pydocstyle. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Fix issues reported by pydocstyle.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
test/py: efi_secboot: Remove unnecessary cert-to-efi-hash-list option 2022-11-06T09:50:04+00:00 Masahisa Kojima masahisa.kojima@linaro.org 2022-10-03T07:12:15+00:00 0b4cbeba593058104349a437ceb4d615e99b4019 'cert-to-efi-hash-list -t 0' does not work as expected, it produces indeterminate timestamp. $ cert-to-efi-hash-list -t 0 -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-113-0 00:00:255 If we need the CRL revoked for all the time, just don't specify '-t' option. $ cert-to-efi-hash-list -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-0-0 00:00:00 Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
'cert-to-efi-hash-list -t 0' does not work as expected, it produces
indeterminate timestamp.

  $ cert-to-efi-hash-list -t 0 -s 256 db.crt dbx_hash.crl
  TimeOfRevocation is 0-113-0 00:00:255

If we need the CRL revoked for all the time, just don't specify
'-t' option.

  $ cert-to-efi-hash-list -s 256 db.crt dbx_hash.crl
  TimeOfRevocation is 0-0-0 00:00:00

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
test: fix some pylint errors in test_efi_secboot 2022-10-06T20:54:57+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2022-10-01T18:55:14+00:00 874490c7ec7a05a429b951720f11a3b966ec0572 * Remove unused import * Provide module docstring Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
* Remove unused import
* Provide module docstring

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
test/py: efi_secboot: add a test for a forged signed image 2022-07-05T12:37:16+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2022-07-05T05:48:15+00:00 8fb9dbdea716ab764c7a3c544569f903cbfdd744 In this test case, a image binary, helloworld.efi.signed, is willfully modified to print a corrupted message while the signature itself is unchanged. This binary must be rejected under secure boot mode. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
In this test case, a image binary, helloworld.efi.signed, is willfully
modified to print a corrupted message while the signature itself is
unchanged.

This binary must be rejected under secure boot mode.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
test/py: Add more test cases for rejecting an EFI image 2022-05-07T21:17:26+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2022-05-06T12:36:01+00:00 4b494770577cc61c3c1a4b57ced2fc98d87957dc The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The previous patch adds support for rejecting images when the sha384/512
of an x.509 certificate is present in dbx.  Update the sandbox selftests

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
test/py: efi_secboot: modify 'multiple signatures' test case 2020-08-14T10:34:33+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-08-14T05:39:24+00:00 0274e50e057e1969876c9d1ef6e2a530688cf5ee The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
The test case 5 in test_signed (multiple signatures) must be modified
and aligned with the change introduced in the previous commit
("efi_loader: signature: correct a behavior against multiple signatures").

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>