| Age | Commit message (Collapse) | Author |
|---|
|
Related to the problem resolved with commit 2092322b31cc ("boot: Add
fit_config_get_hash_list() to build signed node list"), add a testcase
for the problem as well.
Reported-by: Apple Security Engineering and Architecture (SEAR)
Signed-off-by: Tom Rini <[email protected]>
|
|
The hashed-nodes property in a FIT signature node lists which FDT paths
are included in the signature hash. It is intended as a hint so should
not be used for verification.
Add a function to build the node list from scratch by iterating the
configuration's image references. Skip properties known not to be image
references. For each image, collect the path plus all hash and cipher
subnodes.
Use the new function in fit_config_check_sig() instead of reading
'hashed-nodes'.
Update the test_vboot kernel@ test case: fit_check_sign now catches the
attack at signature-verification time (the @-suffixed node is hashed
instead of the real one, causing a mismatch) rather than at
fit_check_format() time.
Update the docs to cover this. The FIT spec can be updated separately.
Signed-off-by: Simon Glass <[email protected]>
Closes: https://lore.kernel.org/u-boot/[email protected]/
Reported-by: Apple Security Engineering and Architecture (SEAR)
Tested-by: Tom Rini <[email protected]>
|
|
Now that we have a shorter name, we don't need this sort of thing. Just
use ubman instead.
Signed-off-by: Simon Glass <[email protected]>
|
|
Now that we have a shorter name, we don't need this sort of thing.
Drop it.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Mattijs Korpershoek <[email protected]> # test_android
|
|
We know this is U-Boot so the prefix serves no purpose other than to
make things longer and harder to read. Drop it and rename the files.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Mattijs Korpershoek <[email protected]> # test_android / test_dfu
|
|
This fixture name is quite long and results in lots of verbose code.
We know this is U-Boot so the 'u_boot_' part is not necessary.
But it is also a bit of a misnomer, since it provides access to all the
information available to tests. It is not just the console.
It would be too confusing to use con as it would be confused with
config and it is probably too short.
So shorten it to 'ubman'.
Signed-off-by: Simon Glass <[email protected]>
Link: https://lore.kernel.org/u-boot/CAFLszTgPa4aT_J9h9pqeTtLCVn4x2JvLWRcWRD8NaN3uoSAtyA@mail.gmail.com/
|
|
old_dtb can only be assumed initialized in the finally block
if it is assigned a value before the try statement.
Avoid a pylint error reported by current pylint.
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Add test_fdt_add_pubkey test which provides simple functionality test
which contains such steps:
create DTB and FIT files
add keys with fdt_add_pubkey to DTB
sign FIT image
check with fit_check_sign that keys properly added to DTB file
Signed-off-by: Roman Kopytin <[email protected]>
Signed-off-by: Ivan Mikhaylov <[email protected]>
Cc: Rasmus Villemoes <[email protected]>
|
|
When doing a quick check we don't need to run all the vboot tests. Just
run the first one, which is enough to catch most problems.
Signed-off-by: Simon Glass <[email protected]>
|
|
Adds test units for the pre-load header signature.
Signed-off-by: Philippe Reynes <[email protected]>
|
|
Stress the '-o algo_name' argument of mkimage by expanding the vboot
test.
Signed-off-by: Jan Kiszka <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
[trini: Update scripts/pylint.base]
|
|
Add to support rsa 3072 bits algorithm in tools
for image sign at host side and adds rsa 3072 bits
verification in the image binary.
Add test case in vboot for sha384 with rsa3072 algorithm testing.
Signed-off-by: Jamin Lin <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Update the tests to use separate working directories, so we can run them
in parallel. It also makes it possible to see the individual output files
after the tests have completed.
Signed-off-by: Simon Glass <[email protected]>
|
|
Using unit addresses in a FIT is a security risk. Add a check for this
and disallow it.
CVE-2021-27138
Signed-off-by: Simon Glass <[email protected]>
Reported-by: Bruce Monroe <[email protected]>
Reported-by: Arie Haenel <[email protected]>
Reported-by: Julien Lenoir <[email protected]>
|
|
It is possible to construct a devicetree blob with multiple root nodes.
Update fdt_check_full() to check for this, along with a root node with an
invalid name.
CVE-2021-27097
Signed-off-by: Simon Glass <[email protected]>
Reported-by: Bruce Monroe <[email protected]>
Reported-by: Arie Haenel <[email protected]>
Reported-by: Julien Lenoir <[email protected]>
|
|
Add tests to check that these two attacks are mitigated by recent patches.
Signed-off-by: Simon Glass <[email protected]>
Reported-by: Bruce Monroe <[email protected]>
Reported-by: Arie Haenel <[email protected]>
Reported-by: Julien Lenoir <[email protected]>
|
|
This patch adds vboot tests to verify the support for multiple
required keys using new required-mode DTB policy.
This patch also fixes existing test where dev
key is assumed to be marked as not required, although
it is marked as required.
Note that this patch re-added sign_fit_norequire().
sign_fit_norequire() was removed as part of the following:
commit b008677daf2a ("test: vboot: Fix pylint errors").
This patch leverages sign_fit_norequire() to fix the
existing bug.
Signed-off-by: Thirupathaiah Annapureddy <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The pytest vboot does all his tests on fit without padding.
We add the same tests on fit with padding.
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Philippe Reynes <[email protected]>
|
|
We don't need 5KB to test things out. A smaller size makes it easier to
look at the FIT with fdtdump.
Signed-off-by: Simon Glass <[email protected]>
|
|
This code is repeated so move it into a function with a parameter.
Signed-off-by: Simon Glass <[email protected]>
|
|
Fix various minor things noticed by pylint.
Signed-off-by: Simon Glass <[email protected]>
|
|
Fix some long lines and comments. Use a distinct name for the
'required key' test.
Signed-off-by: Simon Glass <[email protected]>
|
|
This test is actually made up of five separate tests. Split them out so
that they appear as separate tests.
Unfortunately this restarts U-Boot multiple times which adds about a
second to the already-long vboot test, about 8 seconds total on my
machine. We could add a special 'teardown' test afterwards but if the
tests are executed out of order that would not work.
Changing test_vboot into a class causes it not to be discovered and makes
it different from all other tests.
Signed-off-by: Simon Glass <[email protected]>
|
|
Add a check to make sure that it is not possible to add a new
configuration and use the hashed nodes and hash of another configuration.
Signed-off-by: Simon Glass <[email protected]>
|
|
This tool only uses the last -k parameter provided. Drop the earlier one
since it has no effect.
Signed-off-by: Simon Glass <[email protected]>
|
|
This commit add a test in the vboot test to check that
when a required key is asked, only FIT signed with this
key is used/accepted by u-boot.
Signed-off-by: Philippe Reynes <[email protected]>
|
|
This update the its file used in vboot test to respect the new
node style name defined in doc/uImage.FIT (for example: replace
kernel@1 by kernel and fdt@1 by fdt-1)
Signed-off-by: Philippe Reynes <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The padding pss is now supported for rsa signature.
This add test with padding pss on vboot test.
Signed-off-by: Philippe Reynes <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The old 'sb' command was deprecated in 2015 and replaced with 'host'.
Remove the remaining users and the command, so that the name is available
for other purposes.
Signed-off-by: Simon Glass <[email protected]>
|
|
|
|
This adds a new config value FIT_SIGNATURE_MAX_SIZE, which controls the
max size of a FIT header's totalsize field. The field is checked before
signature checks are applied to protect from reading past the intended
FIT regions.
This field is not part of the vboot signature so it should be sanity
checked. If the field is corrupted then the structure or string region
reads may have unintended behavior, such as reading from device memory.
A default value of 256MB is set and intended to support most max storage
sizes.
Suggested-by: Simon Glass <[email protected]>
Signed-off-by: Teddy Reed <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The openssl command specified in test_with_algo() ultimately ends up
being run by RunAndLog::run(), which uses it to construct a Popen object
with the default shell=False. The stderr redirect in the command is
therefore simply passed to openssl as an argument. With at least openssl
1.1.0f this causes openssl, and therefore test_vboot, to fail with:
genpkey: Use -help for summary.
Exit code: 1
Any stderr output ought to be captured & stored in the RunAndLog
object's output field and returned from run() via run_and_log() to
test_with_algo() which then ignores it anyway, so we can drop the
shell-like redirection with no ill effects. With this fix test_vboot now
passes for me.
Signed-off-by: Paul Burton <[email protected]>
Reviewed-by: Stephen Warren <[email protected]>
|
|
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <[email protected]>
|
|
Some tests use external tools (executables) during their operation. Add
a test.py mark to indicate this. This allows those tests to be skipped if
the required tool is not present.
Signed-off-by: Stephen Warren <[email protected]>
|
|
Make sure that when we're telling bootm to boot an image, and we expect
the image to boot we get the output from sandbox that we attempted to
run Linux and that U-Boot completed its job.
Cc: Simon Glass <[email protected]>
Cc: Stephen Warren <[email protected]>
Signed-off-by: Tom Rini <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Acked-by: Stephen Warren <[email protected]>
|
|
Return one string for each command that was executed. This seems cleaner.
Suggested-by: Teddy Reed <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Stephen Warren <[email protected]>
|
|
Add a proper function for this rather than using internal functions. Use it
in the single call site.
Also, do a restart at the end of the vboot test to reset to the normal
device tree.
Signed-off-by: Simon Glass <[email protected]>
Suggested-by: Stephen Warren <[email protected]>
|
|
Use 'cons.log.section' feature to split up the test output. This makes it
easier to read.
Suggested-by: Stephen Warren <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
|
|
Rename this argument and pass it to each function that needs it, instead of
making it global.
Suggested-by: Stephen Warren <[email protected]>
Suggested-by: Teddy Reed <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
|
|
Instead of this, use the existing run_and_log() function, enhanced to
support a command string as well as a list of arguments.
Suggested-by: Stephen Warren <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
|
|
Fix some typos in various files introduced with the vboot test conversion.
Reported-by: Teddy Reed <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
|
|
Fix review comments that were missed at the time. Also explain why we need
to regenerate the device tree for each test.
Reported-by: Teddy Reed <[email protected]>
Suggested-by: Stephen Warren <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
Fixes: f6349c3c (test: Add a README)
|
|
Getting this error:
Zynq> sb load hostfs - 100
/home/monstr/data/disk/u-boot/build-zynq_zc706/test.fit
Unknown command 'sb' - try 'help'
because sb command is present only for Sandbox
obj-$(CONFIG_SANDBOX) += host.o
that's why mark this test to be run only at Sandbox
Signed-off-by: Michal Simek <[email protected]>
Acked-by: Simon Glass <[email protected]>
|
|
Without this, the test fails if the test is run with a cwd other than the
root of the U-Boot source tree.
Fixes: 8729d582595d ("test: Convert the vboot test to test/py")
Signed-off-by: Stephen Warren <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Now that we have a suitable test framework we should move all tests into it.
The vboot test is a suitable candidate. Rewrite it in Python and move the
data files into an appropriate directory.
Signed-off-by: Simon Glass <[email protected]>
|
