<feed xmlns='http://www.w3.org/2005/Atom'>
<title>u-boot.git/test/py/tests/test_efi_secboot/conftest.py, branch v2024.07</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<id>http://cgit.235523.xyz/u-boot.git/atom/test/py/tests/test_efi_secboot/conftest.py?h=v2024.07</id>
<link rel='self' href='http://cgit.235523.xyz/u-boot.git/atom/test/py/tests/test_efi_secboot/conftest.py?h=v2024.07'/>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/'/>
<updated>2024-06-10T13:01:44Z</updated>
<entry>
<title>efi_loader: Fix EFI_VARIABLE_APPEND_WRITE hash check</title>
<updated>2024-06-10T13:01:44Z</updated>
<author>
<name>Weizhao Ouyang</name>
<email>o451686892@gmail.com</email>
</author>
<published>2024-05-08T11:13:12Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=3b7d26eb2b88bf2be5a4a32ece1fca61b57e7721'/>
<id>urn:sha1:3b7d26eb2b88bf2be5a4a32ece1fca61b57e7721</id>
<content type='text'>
According to UEFI v2.10 spec section 8.2.6, if a caller invokes the
SetVariables() service, it will produce a digest from hash(VariableName,
VendorGuid, Attributes, TimeStamp, DataNew_variable_content), then the
firmware that implements the SetVariable() service will compare the
digest with the result of applying the signer’s public key to the
signature. For EFI variable append write, efitools sign-efi-sig-list has
an option "-a" to add EFI_VARIABLE_APPEND_WRITE attr, and u-boot will
drop this attribute in efi_set_variable_int(). So if a caller uses
"sign-efi-sig-list -a" to create the authenticated variable, this append
write will fail in the u-boot due to "hash check failed".

This patch resumes writing the EFI_VARIABLE_APPEND_WRITE attr to ensure
that the hash check is correct. And also update the "test_efi_secboot"
test case to compliance with the change.

Signed-off-by: Weizhao Ouyang &lt;o451686892@gmail.com&gt;
</content>
</entry>
<entry>
<title>global: Use proper project name U-Boot</title>
<updated>2023-06-12T11:24:31Z</updated>
<author>
<name>Michal Simek</name>
<email>michal.simek@amd.com</email>
</author>
<published>2023-05-17T07:17:16Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=1be82afa807cc3cfacab29e3de0975d2cd99fa5d'/>
<id>urn:sha1:1be82afa807cc3cfacab29e3de0975d2cd99fa5d</id>
<content type='text'>
Use proper project name in comments, Kconfig, readmes.

Reviewed-by: Neil Armstrong &lt;neil.armstrong@linaro.org&gt;
Acked-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
Reviewed-by: Stefan Roese &lt;sr@denx.de&gt;
Reviewed-by: Qu Wenruo &lt;wqu@suse.com&gt;
Signed-off-by: Michal Simek &lt;michal.simek@amd.com&gt;
Link: https://lore.kernel.org/r/0dbdf0432405c1c38ffca55703b6737a48219e79.1684307818.git.michal.simek@amd.com
</content>
</entry>
<entry>
<title>test: fix pydoc issues for EFI tests</title>
<updated>2023-05-04T07:57:43Z</updated>
<author>
<name>Heinrich Schuchardt</name>
<email>heinrich.schuchardt@canonical.com</email>
</author>
<published>2023-05-03T05:08:05Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=bd730aa05baf1a6c5e61dc1f2e38b48f48a06b05'/>
<id>urn:sha1:bd730aa05baf1a6c5e61dc1f2e38b48f48a06b05</id>
<content type='text'>
Fix issues reported by pydocstyle.

Signed-off-by: Heinrich Schuchardt &lt;heinrich.schuchardt@canonical.com&gt;
Acked-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</content>
</entry>
<entry>
<title>test/py: efi_secboot: Remove unnecessary cert-to-efi-hash-list option</title>
<updated>2022-11-06T09:50:04Z</updated>
<author>
<name>Masahisa Kojima</name>
<email>masahisa.kojima@linaro.org</email>
</author>
<published>2022-10-03T07:12:15Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=0b4cbeba593058104349a437ceb4d615e99b4019'/>
<id>urn:sha1:0b4cbeba593058104349a437ceb4d615e99b4019</id>
<content type='text'>
'cert-to-efi-hash-list -t 0' does not work as expected, it produces
indeterminate timestamp.

  $ cert-to-efi-hash-list -t 0 -s 256 db.crt dbx_hash.crl
  TimeOfRevocation is 0-113-0 00:00:255

If we need the CRL revoked for all the time, just don't specify
'-t' option.

  $ cert-to-efi-hash-list -s 256 db.crt dbx_hash.crl
  TimeOfRevocation is 0-0-0 00:00:00

Signed-off-by: Masahisa Kojima &lt;masahisa.kojima@linaro.org&gt;
Acked-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</content>
</entry>
<entry>
<title>test: fix some pylint errors in test_efi_secboot</title>
<updated>2022-10-06T20:54:57Z</updated>
<author>
<name>Heinrich Schuchardt</name>
<email>heinrich.schuchardt@canonical.com</email>
</author>
<published>2022-10-01T18:55:14Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=874490c7ec7a05a429b951720f11a3b966ec0572'/>
<id>urn:sha1:874490c7ec7a05a429b951720f11a3b966ec0572</id>
<content type='text'>
* Remove unused import
* Provide module docstring

Signed-off-by: Heinrich Schuchardt &lt;heinrich.schuchardt@canonical.com&gt;
Acked-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</content>
</entry>
<entry>
<title>test/py: efi_secboot: add a test for a forged signed image</title>
<updated>2022-07-05T12:37:16Z</updated>
<author>
<name>AKASHI Takahiro</name>
<email>takahiro.akashi@linaro.org</email>
</author>
<published>2022-07-05T05:48:15Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=8fb9dbdea716ab764c7a3c544569f903cbfdd744'/>
<id>urn:sha1:8fb9dbdea716ab764c7a3c544569f903cbfdd744</id>
<content type='text'>
In this test case, a image binary, helloworld.efi.signed, is willfully
modified to print a corrupted message while the signature itself is
unchanged.

This binary must be rejected under secure boot mode.

Signed-off-by: AKASHI Takahiro &lt;takahiro.akashi@linaro.org&gt;
</content>
</entry>
<entry>
<title>test/py: Add more test cases for rejecting an EFI image</title>
<updated>2022-05-07T21:17:26Z</updated>
<author>
<name>Ilias Apalodimas</name>
<email>ilias.apalodimas@linaro.org</email>
</author>
<published>2022-05-06T12:36:01Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=4b494770577cc61c3c1a4b57ced2fc98d87957dc'/>
<id>urn:sha1:4b494770577cc61c3c1a4b57ced2fc98d87957dc</id>
<content type='text'>
The previous patch adds support for rejecting images when the sha384/512
of an x.509 certificate is present in dbx.  Update the sandbox selftests

Signed-off-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</content>
</entry>
<entry>
<title>test/py: efi_secboot: modify 'multiple signatures' test case</title>
<updated>2020-08-14T10:34:33Z</updated>
<author>
<name>AKASHI Takahiro</name>
<email>takahiro.akashi@linaro.org</email>
</author>
<published>2020-08-14T05:39:24Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=0274e50e057e1969876c9d1ef6e2a530688cf5ee'/>
<id>urn:sha1:0274e50e057e1969876c9d1ef6e2a530688cf5ee</id>
<content type='text'>
The test case 5 in test_signed (multiple signatures) must be modified
and aligned with the change introduced in the previous commit
("efi_loader: signature: correct a behavior against multiple signatures").

Signed-off-by: AKASHI Takahiro &lt;takahiro.akashi@linaro.org&gt;
</content>
</entry>
<entry>
<title>test/py: efi_secboot: add test for intermediate certificates</title>
<updated>2020-08-13T20:37:36Z</updated>
<author>
<name>AKASHI Takahiro</name>
<email>takahiro.akashi@linaro.org</email>
</author>
<published>2020-07-21T10:35:24Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=e1174c566a61c863db1b782935269acba00e9281'/>
<id>urn:sha1:e1174c566a61c863db1b782935269acba00e9281</id>
<content type='text'>
In this test case, an image may have a signature with additional
intermediate certificates. A chain of trust will be followed and all
the certificates in the middle of chain must be verified before loading.

Signed-off-by: AKASHI Takahiro &lt;takahiro.akashi@linaro.org&gt;
</content>
</entry>
<entry>
<title>test/py: efi_secboot: small rework for adding a new test</title>
<updated>2020-08-13T20:37:36Z</updated>
<author>
<name>AKASHI Takahiro</name>
<email>takahiro.akashi@linaro.org</email>
</author>
<published>2020-07-21T10:35:23Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=57be8cdce35189ea063ebadb9338ef510289116f'/>
<id>urn:sha1:57be8cdce35189ea063ebadb9338ef510289116f</id>
<content type='text'>
It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME
under the current code base. So just remove them.

Signed-off-by: AKASHI Takahiro &lt;takahiro.akashi@linaro.org&gt;
</content>
</entry>
</feed>
