test/py: efi_secboot: modify 'multiple signatures' test case

The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: N AKASHI Takahiro <takahiro.akashi@linaro.org>

test/py: efi_secboot: modify 'multiple signatures' test case
The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: N AKASHI Takahiro <takahiro.akashi@linaro.org>
0274e50e · AKASHI Takahiro · Heinrich Schuchardt · 52956e53 · 0274e50e · 0274e50e
Showing with 19 addition and 12 deletion

test/py/tests/test_efi_secboot/conftest.py test/py/tests/test_efi_secboot/conftest.py +1 -4

test/py/tests/test_efi_secboot/test_signed.py test/py/tests/test_efi_secboot/test_signed.py +18 -8

未找到文件。
--- a/test/py/tests/test_efi_secboot/conftest.py
+++ b/test/py/tests/test_efi_secboot/conftest.py
@@ -70,9 +70,6 @@ def efi_boot_env(request, u_boot_config):
        check_call('cd %s; %scert-to-efi-sig-list -g %s db1.crt db1.esl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key db db1.esl db1.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
-        # db1-update
-        check_call('cd %s; %ssign-efi-sig-list -t "2020-04-06" -a -c KEK.crt -k KEK.key db db1.esl db1-update.auth'
-                   % (mnt_point, EFITOOLS_PATH), shell=True)
        # dbx (TEST_dbx certificate)
        check_call('cd %s; openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_dbx/ -keyout dbx.key -out dbx.crt -nodes -days 365'
                   % mnt_point, shell=True)
@@ -84,7 +81,7 @@ def efi_boot_env(request, u_boot_config):
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        # dbx_hash1 (digest of TEST_db1 certificate)
-        check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-05" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
+        check_call('cd %s; %scert-to-efi-hash-list -g %s -t 0 -s 256 db1.crt dbx_hash1.crl; %ssign-efi-sig-list -t "2020-04-06" -c KEK.crt -k KEK.key dbx dbx_hash1.crl dbx_hash1.auth'
                   % (mnt_point, EFITOOLS_PATH, GUID, EFITOOLS_PATH),
                   shell=True)
        # dbx_db (with TEST_db certificate)

--- a/test/py/tests/test_efi_secboot/test_signed.py
+++ b/test/py/tests/test_efi_secboot/test_signed.py
@@ -157,7 +157,8 @@ class TestEfiSignedImage(object):
        u_boot_console.restart_uboot()
        disk_img = efi_boot_env
        with u_boot_console.log.section('Test Case 5a'):
-            # Test Case 5a, rejected if any of signatures is not verified
+            # Test Case 5a, authenticated even if only one of signatures
+            # is verified
            output = u_boot_console.run_command_list([
                'host bind 0 %s' % disk_img,
                'fatload host 0:1 4000000 db.auth',
@@ -171,8 +172,7 @@ class TestEfiSignedImage(object):
                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
                'efidebug boot next 1',
                'efidebug test bootmgr'])
-            assert '\'HELLO\' failed' in ''.join(output)
-            assert 'efi_start_image() returned: 26' in ''.join(output)
+            assert 'Hello, world!' in ''.join(output)

        with u_boot_console.log.section('Test Case 5b'):
            # Test Case 5b, authenticated if both signatures are verified
@@ -181,19 +181,29 @@ class TestEfiSignedImage(object):
                'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db'])
            assert 'Failed to set EFI variable' not in ''.join(output)
            output = u_boot_console.run_command_list([
-                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
                'efidebug boot next 1',
-                'bootefi bootmgr'])
+                'efidebug test bootmgr'])
            assert 'Hello, world!' in ''.join(output)

        with u_boot_console.log.section('Test Case 5c'):
-            # Test Case 5c, rejected if any of signatures is revoked
+            # Test Case 5c, not rejected if one of signatures (digest of
+            # certificate) is revoked
            output = u_boot_console.run_command_list([
-                'fatload host 0:1 4000000 dbx_hash1.auth',
+                'fatload host 0:1 4000000 dbx_hash.auth',
                'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx'])
            assert 'Failed to set EFI variable' not in ''.join(output)
            output = u_boot_console.run_command_list([
-                'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""',
+                'efidebug boot next 1',
+                'efidebug test bootmgr'])
+            assert 'Hello, world!' in ''.join(output)
+
+        with u_boot_console.log.section('Test Case 5d'):
+            # Test Case 5d, rejected if both of signatures are revoked
+            output = u_boot_console.run_command_list([
+                'fatload host 0:1 4000000 dbx_hash1.auth',
+                'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize dbx'])
+            assert 'Failed to set EFI variable' not in ''.join(output)
+            output = u_boot_console.run_command_list([
                'efidebug boot next 1',
                'efidebug test bootmgr'])
            assert '\'HELLO\' failed' in ''.join(output)