u-boot.git/test/py/tests/test_vboot.py, branch v2023.07 Unnamed repository; edit this file 'description' to name the repository. test_vboot.py: include test of fdt_add_pubkey tool 2023-04-02T05:39:41+00:00 Roman Kopytin Roman.Kopytin@kaspersky.com 2023-03-20T03:28:13+00:00 90999b456902a7fe760e74f09b88b55141e7c20f Add test_fdt_add_pubkey test which provides simple functionality test which contains such steps: create DTB and FIT files add keys with fdt_add_pubkey to DTB sign FIT image check with fit_check_sign that keys properly added to DTB file Signed-off-by: Roman Kopytin <Roman.Kopytin@kaspersky.com> Signed-off-by: Ivan Mikhaylov <fr0st61te@gmail.com> Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk> 
Add test_fdt_add_pubkey test which provides simple functionality test
which contains such steps:
 create DTB and FIT files
 add keys with fdt_add_pubkey to DTB
 sign FIT image
 check with fit_check_sign that keys properly added to DTB file

Signed-off-by: Roman Kopytin <Roman.Kopytin@kaspersky.com>
Signed-off-by: Ivan Mikhaylov <fr0st61te@gmail.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
test: Mark all but the first vboot test as slow 2022-09-12T22:06:36+00:00 Simon Glass sjg@chromium.org 2022-08-06T23:51:52+00:00 c7c113dc133b0833cde1366820ecfcc3c3869fad When doing a quick check we don't need to run all the vboot tests. Just run the first one, which is enough to catch most problems. Signed-off-by: Simon Glass <sjg@chromium.org> 
When doing a quick check we don't need to run all the vboot tests. Just
run the first one, which is enough to catch most problems.

Signed-off-by: Simon Glass <sjg@chromium.org>
test: py: vboot: add test for global image signature 2022-03-31T18:12:23+00:00 Philippe Reynes philippe.reynes@softathome.com 2022-03-28T20:57:06+00:00 776db4fa96bb606b88740ea2017c3c66a8394e86 Adds test units for the pre-load header signature. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> 
Adds test units for the pre-load header signature.

Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
test/py: Add test case for mkimage -o argument 2022-02-11T15:52:24+00:00 Jan Kiszka jan.kiszka@siemens.com 2022-02-03T20:43:50+00:00 7ace56ae0321a0333d333df40e1e02aa17fa2dae Stress the '-o algo_name' argument of mkimage by expanding the vboot test. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by: Simon Glass <sjg@chromium.org> [trini: Update scripts/pylint.base] 
Stress the '-o algo_name' argument of mkimage by expanding the vboot
test.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
[trini: Update scripts/pylint.base]
rsa: adds rsa3072 algorithm 2022-01-28T22:58:41+00:00 Jamin Lin jamin_lin@aspeedtech.com 2022-01-19T08:23:21+00:00 2a4b0d5890deb0c973f8db7bb03adad96aff1050 Add to support rsa 3072 bits algorithm in tools for image sign at host side and adds rsa 3072 bits verification in the image binary. Add test case in vboot for sha384 with rsa3072 algorithm testing. Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
Add to support rsa 3072 bits algorithm in tools
for image sign at host side and adds rsa 3072 bits
verification in the image binary.

Add test case in vboot for sha384 with rsa3072 algorithm testing.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
test: Allow vboot tests to run in parallel 2021-10-05T12:50:15+00:00 Simon Glass sjg@chromium.org 2021-09-19T21:14:48+00:00 cfb83f36666154d6eba51c03a5080a91be26f664 Update the tests to use separate working directories, so we can run them in parallel. It also makes it possible to see the individual output files after the tests have completed. Signed-off-by: Simon Glass <sjg@chromium.org> 
Update the tests to use separate working directories, so we can run them
in parallel. It also makes it possible to see the individual output files
after the tests have completed.

Signed-off-by: Simon Glass <sjg@chromium.org>
image: Check for unit addresses in FITs 2021-02-16T03:31:54+00:00 Simon Glass sjg@chromium.org 2021-02-16T00:08:12+00:00 3f04db891a353f4b127ed57279279f851c6b4917 Using unit addresses in a FIT is a security risk. Add a check for this and disallow it. CVE-2021-27138 Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com> 
Using unit addresses in a FIT is a security risk. Add a check for this
and disallow it.

CVE-2021-27138

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
libfdt: Check for multiple/invalid root nodes 2021-02-16T03:31:53+00:00 Simon Glass sjg@chromium.org 2021-02-16T00:08:11+00:00 124c255731c76a2b09587378b2bcce561bcd3f2d It is possible to construct a devicetree blob with multiple root nodes. Update fdt_check_full() to check for this, along with a root node with an invalid name. CVE-2021-27097 Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com> 
It is possible to construct a devicetree blob with multiple root nodes.
Update fdt_check_full() to check for this, along with a root node with an
invalid name.

CVE-2021-27097

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
test: Add tests for the 'evil' vboot attacks 2021-02-16T00:17:33+00:00 Simon Glass sjg@chromium.org 2021-02-16T00:08:08+00:00 d5f3aadacbc63df3b690d6fd9f0aa3f575b43356 Add tests to check that these two attacks are mitigated by recent patches. Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com> 
Add tests to check that these two attacks are mitigated by recent patches.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
test: vboot: add tests for multiple required keys 2020-10-13T01:30:37+00:00 Thirupathaiah Annapureddy thiruan@linux.microsoft.com 2020-08-17T06:01:10+00:00 feaeee8b5ff59477e0372ae7b9a655ecca05b24a This patch adds vboot tests to verify the support for multiple required keys using new required-mode DTB policy. This patch also fixes existing test where dev key is assumed to be marked as not required, although it is marked as required. Note that this patch re-added sign_fit_norequire(). sign_fit_norequire() was removed as part of the following: commit b008677daf2a ("test: vboot: Fix pylint errors"). This patch leverages sign_fit_norequire() to fix the existing bug. Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
This patch adds vboot tests to verify the support for multiple
required keys using new required-mode DTB policy.

This patch also fixes existing test where dev
key is assumed to be marked as not required, although
it is marked as required.

Note that this patch re-added sign_fit_norequire().
sign_fit_norequire() was removed as part of the following:
commit b008677daf2a ("test: vboot: Fix pylint errors").
This patch leverages sign_fit_norequire() to fix the
existing bug.

Signed-off-by: Thirupathaiah Annapureddy <thiruan@linux.microsoft.com>
Reviewed-by: Simon Glass <sjg@chromium.org>