From b0465eb88f0406ba286df9ee056b9a62c8ab9c80 Mon Sep 17 00:00:00 2001 From: Ilias Apalodimas Date: Thu, 7 Aug 2025 11:08:14 +0300 Subject: test/py: Correctly restore the DT after capsule tests Some capsule tests are changing the sandbox DT to test various features, e.g authenticated capsule updates, versioning support etc. However, no one restores the original DT and the CI pops errors looking like /u-boot Bloblist at 100 not found (err=-2) Failed to find FDT file '/tmp/sandbox/persistent-data/scratch/EFI/CapsuleTestData/test_ver.dtb' initcall_run_f(): initcall fdtdec_setup() failed if sandbox is restarted. So let's restore the proper DT after done with the capsule testing. Signed-off-by: Ilias Apalodimas Reviewed-by: Tom Rini --- test/py/tests/test_efi_capsule/capsule_common.py | 2 ++ 1 file changed, 2 insertions(+) (limited to 'test/py') diff --git a/test/py/tests/test_efi_capsule/capsule_common.py b/test/py/tests/test_efi_capsule/capsule_common.py index 04dabc176c4..8c66411929e 100644 --- a/test/py/tests/test_efi_capsule/capsule_common.py +++ b/test/py/tests/test_efi_capsule/capsule_common.py @@ -137,6 +137,8 @@ def do_reboot_dtb_specified(u_boot_config, ubman, dtb_filename): dtb_filename -- DTB file name. """ mnt_point = u_boot_config.persistent_data_dir + '/scratch' + old_dtb = ubman.config.dtb ubman.config.dtb = mnt_point + CAPSULE_DATA_DIR \ + f'/{dtb_filename}' ubman.restart_uboot() + ubman.config.dtb = old_dtb -- cgit v1.2.3 From 5096f81bda1cfac2a8a325e850442bf463be2f00 Mon Sep 17 00:00:00 2001 From: Ilias Apalodimas Date: Thu, 7 Aug 2025 11:08:15 +0300 Subject: test/py: Read from the correct offset when initializing capsules The current code writes values to a flash offset defined by a function argument. However, when reading it back we always read from a static offset. Adjust the reads to use the correct offset. Signed-off-by: Ilias Apalodimas Reviewed-by: Tom Rini --- test/py/tests/test_efi_capsule/capsule_common.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/py') diff --git a/test/py/tests/test_efi_capsule/capsule_common.py b/test/py/tests/test_efi_capsule/capsule_common.py index 8c66411929e..8aaddfc19d6 100644 --- a/test/py/tests/test_efi_capsule/capsule_common.py +++ b/test/py/tests/test_efi_capsule/capsule_common.py @@ -42,7 +42,7 @@ def init_content(ubman, target, filename, expected): 'sf probe 0:0', f'fatload host 0:1 4000000 {CAPSULE_DATA_DIR}/{filename}', f'sf write 4000000 {target} 10', - 'sf read 5000000 100000 10', + f'sf read 5000000 {target} 10', 'md.b 5000000 10']) assert expected in ''.join(output) -- cgit v1.2.3 From fa2a2e20d0b4d7af92ee118d66f3245055cc9ba3 Mon Sep 17 00:00:00 2001 From: Ilias Apalodimas Date: Thu, 7 Aug 2025 11:08:16 +0300 Subject: test/py: Fix race conditions on EFI capsule tests efi_capsule_data() is called in each of the EFI tests to create and setup the files we need. However, it also recreates the spi.bin file that holds the SPI flash contents we rely on for the test validation. This leads to weird errors since reading from the flash returns 0, instead of the expected value if the file has been recreated. Always restart our sandbox instance if the files are recreated. Signed-off-by: Ilias Apalodimas --- test/py/tests/test_efi_capsule/conftest.py | 1 + 1 file changed, 1 insertion(+) (limited to 'test/py') diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 961d2e0b3c1..45c06c42fd2 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -103,6 +103,7 @@ def efi_capsule_data(request, ubman): pytest.skip('Setup failed: %s' % exception.cmd) return else: + ubman.restart_uboot() yield image_path finally: call('rm -rf %s' % mnt_point, shell=True) -- cgit v1.2.3 From fc2686d2a87391dd1b165e44ffd525b61c93e521 Mon Sep 17 00:00:00 2001 From: Ilias Apalodimas Date: Thu, 7 Aug 2025 11:08:17 +0300 Subject: test/py: Fix capsule update tests Capsule updates tests have been skipped since commit 659f97eb1fc3 ("scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL file") Remove that check since it's not needed anymore and re-enable the tests. Fixes: 659f97eb1fc3 ("scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL file") Signed-off-by: Ilias Apalodimas --- test/py/tests/test_efi_capsule/conftest.py | 2 -- 1 file changed, 2 deletions(-) (limited to 'test/py') diff --git a/test/py/tests/test_efi_capsule/conftest.py b/test/py/tests/test_efi_capsule/conftest.py index 45c06c42fd2..ad0cda59ebf 100644 --- a/test/py/tests/test_efi_capsule/conftest.py +++ b/test/py/tests/test_efi_capsule/conftest.py @@ -44,8 +44,6 @@ def efi_capsule_data(request, ubman): % (key_dir, data_dir), shell=True) check_call('cp %s/capsule_pub_key_good.crt %s/SIGNER.crt' % (key_dir, data_dir), shell=True) - check_call('cp %s/capsule_pub_esl_good.esl %s/SIGNER.esl' - % (key_dir, data_dir), shell=True) check_call('cp %s/capsule_priv_key_bad.key %s/SIGNER2.key' % (key_dir, data_dir), shell=True) -- cgit v1.2.3 From 6dfd14e1228e6e14462f377987bc896d6b7f1dd5 Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Wed, 3 Sep 2025 00:01:55 +0200 Subject: mkimage: Add support for bundling TFA BL31 in mkimage -f auto Introduce two new parameters to be used with mkimage -f auto to bundle TFA BL31 image into fitImage, using auto-generated fitImage. Add -y to specify TFA BL31 file name and -Y to specify TFA BL31 load and entry point address. This is meant to be used with systems which boot all of TFA BL31, Linux and its DT from a single fitImage, all booted by U-Boot. Example invocation: " $ mkimage -E -A arm64 -C none -e 0x50200000 -a 0x50200000 -f auto \ -d arch/arm64/boot/Image \ -b arch/arm64/boot/dts/renesas/r8a779g3-sparrow-hawk.dtb \ -y ../tfa/build/rcar_gen4/release/bl31.bin -Y 0x46400000 \ /path/to/output/fitImage " Documentation update and test are also included, the test validates both positive and negative test cases, where fitImage does not include TFA BL31 and does include TFA BL31 blobs. Signed-off-by: Marek Vasut --- test/py/tests/test_fit_auto_signed.py | 67 +++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) (limited to 'test/py') diff --git a/test/py/tests/test_fit_auto_signed.py b/test/py/tests/test_fit_auto_signed.py index cdfd341c6f5..0b5dbd5401c 100644 --- a/test/py/tests/test_fit_auto_signed.py +++ b/test/py/tests/test_fit_auto_signed.py @@ -117,6 +117,23 @@ class SignedFitHelper(object): algo = self.__fdt_get_string(f'{node}/signature', 'algo') assert algo == sign_algo + "\n", "Missing expected signature algo!" + def check_fit_loadables(self, present): + """Test that loadables contains both kernel and TFA BL31 entries. + + Each configuration must have a loadables property which lists both + kernel-1 and tfa-bl31-1 strings in the string list. + """ + if present: + assert "/images/tfa-bl31-1" in self.images_nodes + else: + assert "/images/tfa-bl31-1" not in self.images_nodes + for node in self.confgs_nodes: + loadables = self.__fdt_get_string(f'{node}', 'loadables') + assert "kernel-1" in loadables + if present: + assert "tfa-bl31-1" in loadables + else: + assert "tfa-bl31-1" not in loadables @pytest.mark.buildconfigspec('fit_signature') @pytest.mark.requiredtool('fdtget') @@ -139,6 +156,7 @@ def test_fit_auto_signed(ubman): kernel_file = f'{tempdir}/vmlinuz' dt1_file = f'{tempdir}/dt-1.dtb' dt2_file = f'{tempdir}/dt-2.dtb' + tfa_file = f'{tempdir}/tfa-bl31.bin' key_name = 'sign-key' sign_algo = 'sha256,rsa4096' key_file = f'{tempdir}/{key_name}.key' @@ -154,6 +172,9 @@ def test_fit_auto_signed(ubman): with open(dt2_file, 'wb') as fd: fd.write(os.urandom(256)) + with open(tfa_file, 'wb') as fd: + fd.write(os.urandom(256)) + # Create 4096 RSA key and write to file to be read by mkimage key = RSA.generate(bits=4096) verifier = pkcs1_15.new(key) @@ -173,6 +194,8 @@ def test_fit_auto_signed(ubman): fit.check_fit_crc32_images() + fit.check_fit_loadables(present=False) + # 2 - Create auto FIT with signed images, and verify it utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + s_args + " " + fit_file) @@ -183,6 +206,8 @@ def test_fit_auto_signed(ubman): fit.check_fit_signed_images(key_name, sign_algo, verifier) + fit.check_fit_loadables(present=False) + # 3 - Create auto FIT with signed configs and hashed images, and verify it utils.run_and_log(ubman, mkimage + ' -fauto-conf' + b_args + s_args + " " + fit_file) @@ -192,3 +217,45 @@ def test_fit_auto_signed(ubman): raise ValueError('FIT-3 has no "/image" nor "/configuration" nodes') fit.check_fit_signed_confgs(key_name, sign_algo) + + fit.check_fit_loadables(present=False) + + # Run the same tests as 1/2/3 above, but this time with TFA BL31 + # options -y tfa-bl31.bin -Y 0x12340000 to cover both mkimage with + # and without TFA BL31 use cases. + b_args = " -d" + kernel_file + " -b" + dt1_file + " -b" + dt2_file + " -y" + tfa_file + " -Y 0x12340000" + + # 4 - Create auto FIT with images crc32 checksum, and verify it + utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + " " + fit_file) + + fit = SignedFitHelper(ubman, fit_file) + if fit.build_nodes_sets() == 0: + raise ValueError('FIT-4 has no "/image" nor "/configuration" nodes') + + fit.check_fit_crc32_images() + + fit.check_fit_loadables(present=True) + + # 5 - Create auto FIT with signed images, and verify it + utils.run_and_log(ubman, mkimage + ' -fauto' + b_args + s_args + " " + + fit_file) + + fit = SignedFitHelper(ubman, fit_file) + if fit.build_nodes_sets() == 0: + raise ValueError('FIT-5 has no "/image" nor "/configuration" nodes') + + fit.check_fit_signed_images(key_name, sign_algo, verifier) + + fit.check_fit_loadables(present=True) + + # 6 - Create auto FIT with signed configs and hashed images, and verify it + utils.run_and_log(ubman, mkimage + ' -fauto-conf' + b_args + s_args + " " + + fit_file) + + fit = SignedFitHelper(ubman, fit_file) + if fit.build_nodes_sets() == 0: + raise ValueError('FIT-6 has no "/image" nor "/configuration" nodes') + + fit.check_fit_signed_confgs(key_name, sign_algo) + + fit.check_fit_loadables(present=True) -- cgit v1.2.3 From 8f3d3510e31ebc7b2057f431322a7174b6b60ea6 Mon Sep 17 00:00:00 2001 From: Aristo Chen Date: Sun, 14 Sep 2025 10:59:31 +0000 Subject: test: Add test case for FIT image load address overlap detection Add a new test case to verify that mkimage properly detects and reports memory region overlaps in FIT image configurations. The test creates a FIT image with kernel and FDT components that have the same load address (0x40000), which should trigger the overlap detection logic and cause mkimage to fail with an appropriate error message. Test verifies: - mkimage returns non-zero exit code when overlap is detected - Error message contains "Error: Overlap detected:" - Error message identifies the specific overlapping components (kernel@1 and fdt@1) This test ensures the overlap detection feature works correctly and prevents deployment of FIT images with conflicting memory layouts that could cause runtime failures. Signed-off-by: Aristo Chen --- test/py/tests/test_fit_mkimage_validate.py | 65 ++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) (limited to 'test/py') diff --git a/test/py/tests/test_fit_mkimage_validate.py b/test/py/tests/test_fit_mkimage_validate.py index 170b2a8cbbb..27299a58f33 100644 --- a/test/py/tests/test_fit_mkimage_validate.py +++ b/test/py/tests/test_fit_mkimage_validate.py @@ -103,3 +103,68 @@ def test_fit_invalid_default_config(ubman): assert result.returncode != 0, "mkimage should fail due to missing default config" assert re.search(r"Default configuration '.*' not found under /configurations", result.stderr) + +def test_fit_load_addr_overlap(ubman): + """Test that mkimage fails when load address overlap""" + + its_fname = fit_util.make_fname(ubman, "invalid.its") + itb_fname = fit_util.make_fname(ubman, "invalid.itb") + kernel = fit_util.make_kernel(ubman, 'kernel.bin', 'kernel') + fdt = fit_util.make_dtb(ubman, ''' +/dts-v1/; +/ { + model = "Test FDT"; + compatible = "test"; +}; +''', 'test') + + # Write ITS with an invalid reference to a nonexistent default config + its_text = ''' +/dts-v1/; + +/ { + images { + kernel@1 { + description = "Test Kernel"; + data = /incbin/("kernel.bin"); + type = "kernel"; + arch = "sandbox"; + os = "linux"; + compression = "none"; + load = <0x40000>; + entry = <0x40000>; + }; + fdt@1 { + description = "Test FDT"; + data = /incbin/("test.dtb"); + type = "flat_dt"; + arch = "sandbox"; + os = "linux"; + compression = "none"; + load = <0x40000>; + entry = <0x40000>; + }; + }; + + configurations { + default = "conf@1"; + conf@1 { + kernel = "kernel@1"; + fdt = "fdt@1"; + }; + }; +}; +''' + + with open(its_fname, 'w') as f: + f.write(its_text) + + mkimage = os.path.join(ubman.config.build_dir, 'tools/mkimage') + cmd = [mkimage, '-f', its_fname, itb_fname] + + result = subprocess.run(cmd, capture_output=True, text=True) + + assert result.returncode != 0, "mkimage should fail due to memory overlap" + assert "Error: Overlap detected:" in result.stderr + # Check that it identifies the specific overlapping components + assert "kernel@1" in result.stderr and "fdt@1" in result.stderr -- cgit v1.2.3 From e482fdbbca935de32400054eb532de45b1cc01cb Mon Sep 17 00:00:00 2001 From: Tom Rini Date: Wed, 24 Sep 2025 07:50:44 -0600 Subject: Revert "Merge patch series "mkimage: Detect FIT image load address overlaps and fix related test/DTS issues"" This reverts commit 4d84fa1261eb27d57687f2e4c404a78b8653c183, reversing changes made to b82a1fa7ddc7f3be2f3b75898d5dc44c34420bdd. I had missed some feedback on this series from earlier, and we have since had reports of regressions due to this as well. For now, revert this. Signed-off-by: Tom Rini --- test/py/tests/test_fit_mkimage_validate.py | 65 ------------------------------ 1 file changed, 65 deletions(-) (limited to 'test/py') diff --git a/test/py/tests/test_fit_mkimage_validate.py b/test/py/tests/test_fit_mkimage_validate.py index 27299a58f33..170b2a8cbbb 100644 --- a/test/py/tests/test_fit_mkimage_validate.py +++ b/test/py/tests/test_fit_mkimage_validate.py @@ -103,68 +103,3 @@ def test_fit_invalid_default_config(ubman): assert result.returncode != 0, "mkimage should fail due to missing default config" assert re.search(r"Default configuration '.*' not found under /configurations", result.stderr) - -def test_fit_load_addr_overlap(ubman): - """Test that mkimage fails when load address overlap""" - - its_fname = fit_util.make_fname(ubman, "invalid.its") - itb_fname = fit_util.make_fname(ubman, "invalid.itb") - kernel = fit_util.make_kernel(ubman, 'kernel.bin', 'kernel') - fdt = fit_util.make_dtb(ubman, ''' -/dts-v1/; -/ { - model = "Test FDT"; - compatible = "test"; -}; -''', 'test') - - # Write ITS with an invalid reference to a nonexistent default config - its_text = ''' -/dts-v1/; - -/ { - images { - kernel@1 { - description = "Test Kernel"; - data = /incbin/("kernel.bin"); - type = "kernel"; - arch = "sandbox"; - os = "linux"; - compression = "none"; - load = <0x40000>; - entry = <0x40000>; - }; - fdt@1 { - description = "Test FDT"; - data = /incbin/("test.dtb"); - type = "flat_dt"; - arch = "sandbox"; - os = "linux"; - compression = "none"; - load = <0x40000>; - entry = <0x40000>; - }; - }; - - configurations { - default = "conf@1"; - conf@1 { - kernel = "kernel@1"; - fdt = "fdt@1"; - }; - }; -}; -''' - - with open(its_fname, 'w') as f: - f.write(its_text) - - mkimage = os.path.join(ubman.config.build_dir, 'tools/mkimage') - cmd = [mkimage, '-f', its_fname, itb_fname] - - result = subprocess.run(cmd, capture_output=True, text=True) - - assert result.returncode != 0, "mkimage should fail due to memory overlap" - assert "Error: Overlap detected:" in result.stderr - # Check that it identifies the specific overlapping components - assert "kernel@1" in result.stderr and "fdt@1" in result.stderr -- cgit v1.2.3