u-boot.git/test/py/tests/test_efi_secboot, branch v2024.01 Unnamed repository; edit this file 'description' to name the repository. global: Use proper project name U-Boot 2023-06-12T11:24:31+00:00 Michal Simek michal.simek@amd.com 2023-05-17T07:17:16+00:00 1be82afa807cc3cfacab29e3de0975d2cd99fa5d Use proper project name in comments, Kconfig, readmes. Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Stefan Roese <sr@denx.de> Reviewed-by: Qu Wenruo <wqu@suse.com> Signed-off-by: Michal Simek <michal.simek@amd.com> Link: https://lore.kernel.org/r/0dbdf0432405c1c38ffca55703b6737a48219e79.1684307818.git.michal.simek@amd.com 
Use proper project name in comments, Kconfig, readmes.

Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Michal Simek <michal.simek@amd.com>
Link: https://lore.kernel.org/r/0dbdf0432405c1c38ffca55703b6737a48219e79.1684307818.git.michal.simek@amd.com
test: fix pydoc issues for EFI tests 2023-05-04T07:57:43+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2023-05-03T05:08:05+00:00 bd730aa05baf1a6c5e61dc1f2e38b48f48a06b05 Fix issues reported by pydocstyle. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Fix issues reported by pydocstyle.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
test/py: efi_secboot: Remove unnecessary cert-to-efi-hash-list option 2022-11-06T09:50:04+00:00 Masahisa Kojima masahisa.kojima@linaro.org 2022-10-03T07:12:15+00:00 0b4cbeba593058104349a437ceb4d615e99b4019 'cert-to-efi-hash-list -t 0' does not work as expected, it produces indeterminate timestamp. $ cert-to-efi-hash-list -t 0 -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-113-0 00:00:255 If we need the CRL revoked for all the time, just don't specify '-t' option. $ cert-to-efi-hash-list -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-0-0 00:00:00 Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
'cert-to-efi-hash-list -t 0' does not work as expected, it produces
indeterminate timestamp.

  $ cert-to-efi-hash-list -t 0 -s 256 db.crt dbx_hash.crl
  TimeOfRevocation is 0-113-0 00:00:255

If we need the CRL revoked for all the time, just don't specify
'-t' option.

  $ cert-to-efi-hash-list -s 256 db.crt dbx_hash.crl
  TimeOfRevocation is 0-0-0 00:00:00

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
test: fix some pylint errors in test_efi_secboot 2022-10-06T20:54:57+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2022-10-01T18:55:14+00:00 874490c7ec7a05a429b951720f11a3b966ec0572 * Remove unused import * Provide module docstring Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
* Remove unused import
* Provide module docstring

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
test/py: efi_secboot: add a test for a forged signed image 2022-07-05T12:37:16+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2022-07-05T05:48:15+00:00 8fb9dbdea716ab764c7a3c544569f903cbfdd744 In this test case, a image binary, helloworld.efi.signed, is willfully modified to print a corrupted message while the signature itself is unchanged. This binary must be rejected under secure boot mode. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
In this test case, a image binary, helloworld.efi.signed, is willfully
modified to print a corrupted message while the signature itself is
unchanged.

This binary must be rejected under secure boot mode.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
test/py: Add more test cases for rejecting an EFI image 2022-05-07T21:17:26+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2022-05-06T12:36:01+00:00 4b494770577cc61c3c1a4b57ced2fc98d87957dc The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The previous patch adds support for rejecting images when the sha384/512
of an x.509 certificate is present in dbx.  Update the sandbox selftests

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
test/py: efi_secboot: adjust secure boot tests to code changes 2022-02-11T19:07:55+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2022-02-11T07:37:50+00:00 72b509b7019878e2a5f69bcf7198a0927a77ad60 The previous patch is changing U-Boot's behavior wrt certificate based binary authentication. Specifically an image who's digest of a certificate is found in dbx is now rejected. Fix the test accordingly and add another one testing signatures in reverse order Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The previous patch is changing U-Boot's behavior wrt certificate based
binary authentication.  Specifically an image who's digest of a
certificate is found in dbx is now rejected.  Fix the test accordingly
and add another one testing signatures in reverse order

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
test/py: Fix efidebug related tests 2021-04-24T04:53:40+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2021-04-23T13:24:13+00:00 ce62b0f8f45f1b71fc03ddee84c0529cea228e24 commit cbea241e935e("efidebug: add multiple device path instances on Boot####") slightly tweaked the efidebug syntax adding -b, -i and -s for the boot image, initrd and optional data. The pytests using this command were adapted as well. However I completely missed the last "" argument, which at the time indicated the optional data and needed conversion as well. This patch is adding the missing -s flag and the tests are back to normal. Fixes: cbea241e935e("efidebug: add multiple device path instances on Boot####") Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviwed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
commit cbea241e935e("efidebug: add multiple device path instances on Boot####")
slightly tweaked the efidebug syntax adding -b, -i and -s for the boot
image, initrd and optional data.
The pytests using this command were adapted as well. However I completely
missed the last "" argument, which at the time indicated the optional data
and needed conversion as well.  This patch is adding the missing -s flag
and the tests are back to normal.

Fixes: cbea241e935e("efidebug: add multiple device path instances on Boot####")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviwed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efidebug: add multiple device path instances on Boot#### 2021-03-25T19:14:26+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2021-03-17T19:55:01+00:00 cbea241e935ec754df44d5de0ad20b801f2d3f90 The UEFI spec allows a packed array of UEFI device paths in the FilePathList[] of an EFI_LOAD_OPTION. The first file path must describe the loaded image but the rest are OS specific. Previous patches parse the device path and try to use the second member of the array as an initrd. So let's modify efidebug slightly and install the second file described in the command line as the initrd device path. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The UEFI spec allows a packed array of UEFI device paths in the
FilePathList[] of an EFI_LOAD_OPTION. The first file path must
describe the loaded image but the rest are OS specific.

Previous patches parse the device path and try to use the second
member of the array as an initrd. So let's modify efidebug slightly
and install the second file described in the command line as the
initrd device path.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_loader: use ':' as separator for setenv -i 2020-08-24T14:37:53+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-24T06:27:49+00:00 2b3fbcb59f4174e455a6285eaddf1426ed3e76c5 setenv -e -i <address>,<filesize> can be used to set a UEFI variable from memory. For separating an address and a size we use ':' in most commands. Let's do the same for setenv -e -i. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
setenv -e -i <address>,<filesize> can be used to set a UEFI variable
from memory.

For separating an address and a size we use ':' in most commands.
Let's do the same for setenv -e -i.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>