u-boot.git/test/py/tests/test_vboot.py, branch v2021.10 Unnamed repository; edit this file 'description' to name the repository. image: Check for unit addresses in FITs 2021-02-16T03:31:54+00:00 Simon Glass sjg@chromium.org 2021-02-16T00:08:12+00:00 3f04db891a353f4b127ed57279279f851c6b4917 Using unit addresses in a FIT is a security risk. Add a check for this and disallow it. CVE-2021-27138 Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com> 
Using unit addresses in a FIT is a security risk. Add a check for this
and disallow it.

CVE-2021-27138

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
libfdt: Check for multiple/invalid root nodes 2021-02-16T03:31:53+00:00 Simon Glass sjg@chromium.org 2021-02-16T00:08:11+00:00 124c255731c76a2b09587378b2bcce561bcd3f2d It is possible to construct a devicetree blob with multiple root nodes. Update fdt_check_full() to check for this, along with a root node with an invalid name. CVE-2021-27097 Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com> 
It is possible to construct a devicetree blob with multiple root nodes.
Update fdt_check_full() to check for this, along with a root node with an
invalid name.

CVE-2021-27097

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
test: Add tests for the 'evil' vboot attacks 2021-02-16T00:17:33+00:00 Simon Glass sjg@chromium.org 2021-02-16T00:08:08+00:00 d5f3aadacbc63df3b690d6fd9f0aa3f575b43356 Add tests to check that these two attacks are mitigated by recent patches. Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com> 
Add tests to check that these two attacks are mitigated by recent patches.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
test: vboot: add tests for multiple required keys 2020-10-13T01:30:37+00:00 Thirupathaiah Annapureddy thiruan@linux.microsoft.com 2020-08-17T06:01:10+00:00 feaeee8b5ff59477e0372ae7b9a655ecca05b24a This patch adds vboot tests to verify the support for multiple required keys using new required-mode DTB policy. This patch also fixes existing test where dev key is assumed to be marked as not required, although it is marked as required. Note that this patch re-added sign_fit_norequire(). sign_fit_norequire() was removed as part of the following: commit b008677daf2a ("test: vboot: Fix pylint errors"). This patch leverages sign_fit_norequire() to fix the existing bug. Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
This patch adds vboot tests to verify the support for multiple
required keys using new required-mode DTB policy.

This patch also fixes existing test where dev
key is assumed to be marked as not required, although
it is marked as required.

Note that this patch re-added sign_fit_norequire().
sign_fit_norequire() was removed as part of the following:
commit b008677daf2a ("test: vboot: Fix pylint errors").
This patch leverages sign_fit_norequire() to fix the
existing bug.

Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
test/py: vboot: add a test to check fit signature on fit with padding 2020-05-01T15:34:01+00:00 Philippe Reynes philippe.reynes@softathome.com 2020-04-29T13:26:16+00:00 eb7690e81f527ae36ecc05e567848606ccebde01 The pytest vboot does all his tests on fit without padding. We add the same tests on fit with padding. Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> 
The pytest vboot does all his tests on fit without padding.
We add the same tests on fit with padding.

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
test: vboot: Reduce fake kernel size to 500 bytes 2020-04-01T13:45:09+00:00 Simon Glass sjg@chromium.org 2020-03-18T17:44:08+00:00 0e29648f8e7e0aa60c0f7efe9d2efed98f8c0c6e We don't need 5KB to test things out. A smaller size makes it easier to look at the FIT with fdtdump. Signed-off-by: Simon Glass <sjg@chromium.org> 
We don't need 5KB to test things out. A smaller size makes it easier to
look at the FIT with fdtdump.

Signed-off-by: Simon Glass <sjg@chromium.org>
test: vboot: Move key creation into a function 2020-04-01T13:45:09+00:00 Simon Glass sjg@chromium.org 2020-03-18T17:44:07+00:00 da76ed2795f2679ff0fa3c43f2b906157ec7c0b0 This code is repeated so move it into a function with a parameter. Signed-off-by: Simon Glass <sjg@chromium.org> 
This code is repeated so move it into a function with a parameter.

Signed-off-by: Simon Glass <sjg@chromium.org>
test: vboot: Fix pylint errors 2020-04-01T13:45:09+00:00 Simon Glass sjg@chromium.org 2020-03-18T17:44:05+00:00 b008677daf2a9dc0335260c7c4e24390487fe0ca Fix various minor things noticed by pylint. Signed-off-by: Simon Glass <sjg@chromium.org> 
Fix various minor things noticed by pylint.

Signed-off-by: Simon Glass <sjg@chromium.org>
test: vboot: Tidy up the code a little 2020-04-01T13:45:09+00:00 Simon Glass sjg@chromium.org 2020-03-18T17:44:04+00:00 3156ee35a3f11e578442ec7f2f3b96179cb07c94 Fix some long lines and comments. Use a distinct name for the 'required key' test. Signed-off-by: Simon Glass <sjg@chromium.org> 
Fix some long lines and comments. Use a distinct name for the
'required key' test.

Signed-off-by: Simon Glass <sjg@chromium.org>
test: vboot: Parameterise the test 2020-04-01T13:45:09+00:00 Simon Glass sjg@chromium.org 2020-03-18T17:44:00+00:00 1b090032029b35080a5a87c9f1047882d894ab37 This test is actually made up of five separate tests. Split them out so that they appear as separate tests. Unfortunately this restarts U-Boot multiple times which adds about a second to the already-long vboot test, about 8 seconds total on my machine. We could add a special 'teardown' test afterwards but if the tests are executed out of order that would not work. Changing test_vboot into a class causes it not to be discovered and makes it different from all other tests. Signed-off-by: Simon Glass <sjg@chromium.org> 
This test is actually made up of five separate tests. Split them out so
that they appear as separate tests.

Unfortunately this restarts U-Boot multiple times which adds about a
second to the already-long vboot test, about 8 seconds total on my
machine. We could add a special 'teardown' test afterwards but if the
tests are executed out of order that would not work.

Changing test_vboot into a class causes it not to be discovered and makes
it different from all other tests.

Signed-off-by: Simon Glass <sjg@chromium.org>