diff options
| author | Tom Rini <[email protected]> | 2025-12-06 11:46:15 -0600 |
|---|---|---|
| committer | Tom Rini <[email protected]> | 2025-12-06 11:46:15 -0600 |
| commit | 17d1e039e1c41a7bd3ca04756a7dd647744db9eb (patch) | |
| tree | 0d3048754042ae1b4deacb1b48012c6ccfa8e0ee /test/py | |
| parent | 7f053fc40ae6e3c96758b4f3a7dbe702fc2bde65 (diff) | |
| parent | 22aa122eee021a631e1b92c761ff1a434d46890e (diff) | |
Merge patch series "test/py: fit: Deduplicate the test"
This series from Marek Vasut <[email protected]> cleans up some of
the FIT pytests we have and then extends mkimage to support including
the TEE in FIT images when using "-f auto" to create the resulting FIT.
Link: https://lore.kernel.org/r/[email protected]
Diffstat (limited to 'test/py')
| -rw-r--r-- | test/py/tests/test_fit_auto_signed.py | 158 |
1 files changed, 94 insertions, 64 deletions
diff --git a/test/py/tests/test_fit_auto_signed.py b/test/py/tests/test_fit_auto_signed.py index 0b5dbd5401c..eb162f785ac 100644 --- a/test/py/tests/test_fit_auto_signed.py +++ b/test/py/tests/test_fit_auto_signed.py @@ -117,27 +117,57 @@ class SignedFitHelper(object): algo = self.__fdt_get_string(f'{node}/signature', 'algo') assert algo == sign_algo + "\n", "Missing expected signature algo!" - def check_fit_loadables(self, present): - """Test that loadables contains both kernel and TFA BL31 entries. + def check_fit_loadables(self, bl31present, teepresent): + """Test that loadables contains both kernel, TFA BL31, TEE entries. Each configuration must have a loadables property which lists both - kernel-1 and tfa-bl31-1 strings in the string list. + kernel-1, tfa-bl31-1 and tee-1 strings in the string list. """ - if present: + if bl31present: assert "/images/tfa-bl31-1" in self.images_nodes else: assert "/images/tfa-bl31-1" not in self.images_nodes + if teepresent: + assert "/images/tee-1" in self.images_nodes + else: + assert "/images/tee-1" not in self.images_nodes for node in self.confgs_nodes: loadables = self.__fdt_get_string(f'{node}', 'loadables') assert "kernel-1" in loadables - if present: + if bl31present: assert "tfa-bl31-1" in loadables else: assert "tfa-bl31-1" not in loadables + if teepresent: + assert "tee-1" in loadables + else: + assert "tee-1" not in loadables @pytest.mark.buildconfigspec('fit_signature') @pytest.mark.requiredtool('fdtget') def test_fit_auto_signed(ubman): + def generate_and_check_fit_image(cmd, crc=False, simgs=False, scfgs=False, bl31present=False, teepresent=False, key_name="", sign_algo="", verifier=""): + """Generate fitImage and test for expected entries. + + Generate a fitImage and test whether suitable entries are part of + the generated fitImage. Test whether checksums and signatures are + part of the generated fitImage. + """ + mkimage = ubman.config.build_dir + '/tools/mkimage' + utils.run_and_log(ubman, mkimage + cmd) + + fit = SignedFitHelper(ubman, fit_file) + if fit.build_nodes_sets() == 0: + raise ValueError(f'FIT has no "/image" nor "/configuration" nodes, test settings: cmd={cmd} crc={crc} simgs={simgs} scfgs={scfgs} bl31present={bl31present} teepresent={teepresent} key_name={key_name} sign_algo={sign_algo} verifier={verifier}') + if crc: + fit.check_fit_crc32_images() + if simgs: + fit.check_fit_signed_images(key_name, sign_algo, verifier) + if scfgs: + fit.check_fit_signed_confgs(key_name, sign_algo) + + fit.check_fit_loadables(bl31present, teepresent) + """Test that mkimage generates auto-FIT with signatures/hashes as expected. The mkimage tool can create auto generated (i.e. without an ITS file @@ -150,13 +180,13 @@ def test_fit_auto_signed(ubman): The test does not run the sandbox. It only checks the host tool mkimage. """ - mkimage = ubman.config.build_dir + '/tools/mkimage' tempdir = os.path.join(ubman.config.result_dir, 'auto_fit') os.makedirs(tempdir, exist_ok=True) kernel_file = f'{tempdir}/vmlinuz' dt1_file = f'{tempdir}/dt-1.dtb' dt2_file = f'{tempdir}/dt-2.dtb' tfa_file = f'{tempdir}/tfa-bl31.bin' + tee_file = f'{tempdir}/tee.bin' key_name = 'sign-key' sign_algo = 'sha256,rsa4096' key_file = f'{tempdir}/{key_name}.key' @@ -175,6 +205,9 @@ def test_fit_auto_signed(ubman): with open(tfa_file, 'wb') as fd: fd.write(os.urandom(256)) + with open(tee_file, 'wb') as fd: + fd.write(os.urandom(256)) + # Create 4096 RSA key and write to file to be read by mkimage key = RSA.generate(bits=4096) verifier = pkcs1_15.new(key) @@ -186,39 +219,18 @@ def test_fit_auto_signed(ubman): s_args = " -k" + tempdir + " -g" + key_name + " -o" + sign_algo # 1 - Create auto FIT with images crc32 checksum, and verify it - utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + " " + fit_file) - - fit = SignedFitHelper(ubman, fit_file) - if fit.build_nodes_sets() == 0: - raise ValueError('FIT-1 has no "/image" nor "/configuration" nodes') - - fit.check_fit_crc32_images() - - fit.check_fit_loadables(present=False) + generate_and_check_fit_image(' -fauto' + b_args + " " + fit_file, + crc=True) # 2 - Create auto FIT with signed images, and verify it - utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + s_args + " " + - fit_file) - - fit = SignedFitHelper(ubman, fit_file) - if fit.build_nodes_sets() == 0: - raise ValueError('FIT-2 has no "/image" nor "/configuration" nodes') - - fit.check_fit_signed_images(key_name, sign_algo, verifier) - - fit.check_fit_loadables(present=False) + generate_and_check_fit_image(' -fauto' + b_args + s_args + " " + fit_file, + simgs=True, + key_name=key_name, sign_algo=sign_algo, verifier=verifier) # 3 - Create auto FIT with signed configs and hashed images, and verify it - utils.run_and_log(ubman, mkimage + ' -fauto-conf' + b_args + s_args + " " + - fit_file) - - fit = SignedFitHelper(ubman, fit_file) - if fit.build_nodes_sets() == 0: - raise ValueError('FIT-3 has no "/image" nor "/configuration" nodes') - - fit.check_fit_signed_confgs(key_name, sign_algo) - - fit.check_fit_loadables(present=False) + generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file, + scfgs=True, + key_name=key_name, sign_algo=sign_algo) # Run the same tests as 1/2/3 above, but this time with TFA BL31 # options -y tfa-bl31.bin -Y 0x12340000 to cover both mkimage with @@ -226,36 +238,54 @@ def test_fit_auto_signed(ubman): b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -y" + tfa_file + " -Y 0x12340000" # 4 - Create auto FIT with images crc32 checksum, and verify it - utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + " " + fit_file) - - fit = SignedFitHelper(ubman, fit_file) - if fit.build_nodes_sets() == 0: - raise ValueError('FIT-4 has no "/image" nor "/configuration" nodes') - - fit.check_fit_crc32_images() - - fit.check_fit_loadables(present=True) + generate_and_check_fit_image(' -fauto' + b_args + " " + fit_file, + crc=True, bl31present=True) # 5 - Create auto FIT with signed images, and verify it - utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + s_args + " " + - fit_file) - - fit = SignedFitHelper(ubman, fit_file) - if fit.build_nodes_sets() == 0: - raise ValueError('FIT-5 has no "/image" nor "/configuration" nodes') - - fit.check_fit_signed_images(key_name, sign_algo, verifier) - - fit.check_fit_loadables(present=True) + generate_and_check_fit_image(' -fauto' + b_args + s_args + " " + fit_file, + simgs=True, bl31present=True, + key_name=key_name, sign_algo=sign_algo, verifier=verifier) # 6 - Create auto FIT with signed configs and hashed images, and verify it - utils.run_and_log(ubman, mkimage + ' -fauto-conf' + b_args + s_args + " " + - fit_file) - - fit = SignedFitHelper(ubman, fit_file) - if fit.build_nodes_sets() == 0: - raise ValueError('FIT-6 has no "/image" nor "/configuration" nodes') - - fit.check_fit_signed_confgs(key_name, sign_algo) - - fit.check_fit_loadables(present=True) + generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file, + scfgs=True, bl31present=True, + key_name=key_name, sign_algo=sign_algo) + + # Run the same tests as 1/2/3 above, but this time with TEE + # options -z tee.bin -Z 0x56780000 to cover both mkimage with + # and without TEE use cases. + b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -z" + tee_file + " -Z 0x56780000" + + # 7 - Create auto FIT with images crc32 checksum, and verify it + generate_and_check_fit_image(' -fauto' + b_args + " " + fit_file, + crc=True, teepresent=True) + + # 8 - Create auto FIT with signed images, and verify it + generate_and_check_fit_image(' -fauto' + b_args + s_args + " " + fit_file, + simgs=True, teepresent=True, + key_name=key_name, sign_algo=sign_algo, verifier=verifier) + + # 9 - Create auto FIT with signed configs and hashed images, and verify it + generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file, + scfgs=True, teepresent=True, + key_name=key_name, sign_algo=sign_algo) + + # Run the same tests as 1/2/3 above, but this time with both + # TFA BL31 and TEE options -y tfa-bl31.bin -Y 0x12340000 and + # -z tee.bin -Z 0x56780000 to cover both mkimage with and + # without both TFA BL31 and TEE use cases. + b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -y" + tfa_file + " -Y 0x12340000" + " -z" + tee_file + " -Z 0x56780000" + + # 10 - Create auto FIT with images crc32 checksum, and verify it + generate_and_check_fit_image(' -fauto' + b_args + " " + fit_file, + crc=True, bl31present=True, teepresent=True) + + # 11 - Create auto FIT with signed images, and verify it + generate_and_check_fit_image(' -fauto' + b_args + s_args + " " + fit_file, + simgs=True, bl31present=True, teepresent=True, + key_name=key_name, sign_algo=sign_algo, verifier=verifier) + + # 12 - Create auto FIT with signed configs and hashed images, and verify it + generate_and_check_fit_image(' -fauto-conf' + b_args + s_args + " " + fit_file, + scfgs=True, bl31present=True, teepresent=True, + key_name=key_name, sign_algo=sign_algo) |