#
1be82afa |
|
17-May-2023 |
Michal Simek <michal.simek@amd.com> |
global: Use proper project name U-Boot Use proper project name in comments, Kconfig, readmes. Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Stefan Roese <sr@denx.de> Reviewed-by: Qu Wenruo <wqu@suse.com> Signed-off-by: Michal Simek <michal.simek@amd.com> Link: https://lore.kernel.org/r/0dbdf0432405c1c38ffca55703b6737a48219e79.1684307818.git.michal.simek@amd.com |
#
bd730aa0 |
|
02-May-2023 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: fix pydoc issues for EFI tests Fix issues reported by pydocstyle. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
0b4cbeba |
|
03-Oct-2022 |
Masahisa Kojima <masahisa.kojima@linaro.org> |
test/py: efi_secboot: Remove unnecessary cert-to-efi-hash-list option 'cert-to-efi-hash-list -t 0' does not work as expected, it produces indeterminate timestamp. $ cert-to-efi-hash-list -t 0 -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-113-0 00:00:255 If we need the CRL revoked for all the time, just don't specify '-t' option. $ cert-to-efi-hash-list -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-0-0 00:00:00 Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
874490c7 |
|
01-Oct-2022 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: fix some pylint errors in test_efi_secboot * Remove unused import * Provide module docstring Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
8fb9dbde |
|
04-Jul-2022 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for a forged signed image In this test case, a image binary, helloworld.efi.signed, is willfully modified to print a corrupted message while the signature itself is unchanged. This binary must be rejected under secure boot mode. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
4b494770 |
|
06-May-2022 |
Ilias Apalodimas <ilias.apalodimas@linaro.org> |
test/py: Add more test cases for rejecting an EFI image The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
bd730aa0 |
|
02-May-2023 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: fix pydoc issues for EFI tests Fix issues reported by pydocstyle. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
0b4cbeba |
|
03-Oct-2022 |
Masahisa Kojima <masahisa.kojima@linaro.org> |
test/py: efi_secboot: Remove unnecessary cert-to-efi-hash-list option 'cert-to-efi-hash-list -t 0' does not work as expected, it produces indeterminate timestamp. $ cert-to-efi-hash-list -t 0 -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-113-0 00:00:255 If we need the CRL revoked for all the time, just don't specify '-t' option. $ cert-to-efi-hash-list -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-0-0 00:00:00 Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
874490c7 |
|
01-Oct-2022 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: fix some pylint errors in test_efi_secboot * Remove unused import * Provide module docstring Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
8fb9dbde |
|
04-Jul-2022 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for a forged signed image In this test case, a image binary, helloworld.efi.signed, is willfully modified to print a corrupted message while the signature itself is unchanged. This binary must be rejected under secure boot mode. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
4b494770 |
|
06-May-2022 |
Ilias Apalodimas <ilias.apalodimas@linaro.org> |
test/py: Add more test cases for rejecting an EFI image The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
0b4cbeba |
|
03-Oct-2022 |
Masahisa Kojima <masahisa.kojima@linaro.org> |
test/py: efi_secboot: Remove unnecessary cert-to-efi-hash-list option 'cert-to-efi-hash-list -t 0' does not work as expected, it produces indeterminate timestamp. $ cert-to-efi-hash-list -t 0 -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-113-0 00:00:255 If we need the CRL revoked for all the time, just don't specify '-t' option. $ cert-to-efi-hash-list -s 256 db.crt dbx_hash.crl TimeOfRevocation is 0-0-0 00:00:00 Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
874490c7 |
|
01-Oct-2022 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: fix some pylint errors in test_efi_secboot * Remove unused import * Provide module docstring Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
8fb9dbde |
|
04-Jul-2022 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for a forged signed image In this test case, a image binary, helloworld.efi.signed, is willfully modified to print a corrupted message while the signature itself is unchanged. This binary must be rejected under secure boot mode. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
4b494770 |
|
06-May-2022 |
Ilias Apalodimas <ilias.apalodimas@linaro.org> |
test/py: Add more test cases for rejecting an EFI image The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
874490c7 |
|
01-Oct-2022 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: fix some pylint errors in test_efi_secboot * Remove unused import * Provide module docstring Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
8fb9dbde |
|
04-Jul-2022 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for a forged signed image In this test case, a image binary, helloworld.efi.signed, is willfully modified to print a corrupted message while the signature itself is unchanged. This binary must be rejected under secure boot mode. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
4b494770 |
|
06-May-2022 |
Ilias Apalodimas <ilias.apalodimas@linaro.org> |
test/py: Add more test cases for rejecting an EFI image The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
8fb9dbde |
|
04-Jul-2022 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for a forged signed image In this test case, a image binary, helloworld.efi.signed, is willfully modified to print a corrupted message while the signature itself is unchanged. This binary must be rejected under secure boot mode. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
4b494770 |
|
06-May-2022 |
Ilias Apalodimas <ilias.apalodimas@linaro.org> |
test/py: Add more test cases for rejecting an EFI image The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
4b494770 |
|
06-May-2022 |
Ilias Apalodimas <ilias.apalodimas@linaro.org> |
test/py: Add more test cases for rejecting an EFI image The previous patch adds support for rejecting images when the sha384/512 of an x.509 certificate is present in dbx. Update the sandbox selftests Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> |
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> |
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
0274e50e |
|
13-Aug-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: modify 'multiple signatures' test case The test case 5 in test_signed (multiple signatures) must be modified and aligned with the change introduced in the previous commit ("efi_loader: signature: correct a behavior against multiple signatures"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
e1174c56 |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add test for intermediate certificates In this test case, an image may have a signature with additional intermediate certificates. A chain of trust will be followed and all the certificates in the middle of chain must be verified before loading. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
57be8cdc |
|
21-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: small rework for adding a new test It won't be very useful to customize HELLO_PATH and EFI_SECBOOT_IMAGE_NAME under the current code base. So just remove them. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
a58dfd29 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: fix additional pylint errors This is a fixup by autopep8 after the commit ("test/py: efi_secboot: apply autopep8"). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d09745b1 |
|
20-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: remove unused function 'tool_is_in_path' function is no longer used anywhere after Heinrich has removed 'sudo' version of fixture setup. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
53ce9a6e |
|
11-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: use virt-make-fs to build image Avoid sudo for test/py/tests/test_efi_secboot by using virt-make-fs. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
7fdc02b3 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for verifying with digest of signed image Signature database (db or dbx) may have not only certificates that contain a public key for RSA decryption, but also digests of signed images. In this test case, if database has an image's digest (EFI_CERT_SHA256_GUID) and if the value matches to a hash value calculated from image's binary, authentication should pass in case of db, and fail in case of dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Use defined time stamps for sign-efi-sig-list. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
0c7772d4 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test for multiple signatures In this test case, an image is signed multiple times with different keys. If any of signatures contained is not verified, the whole authentication check should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Provide a defined time stamp for dbx_hash1.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
c6361e73 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: add a test against certificate revocation Revocation database (dbx) may have not only certificates, but also message digests of certificates with revocation time (EFI_CERT_X509_SHA256_GUILD). In this test case, if the database has such a digest and if the value matches to a certificate that created a given image's signature, authentication should fail. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Set defined time stamp for dbx_hash.auth. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
d863b307 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: more fixes against pylint More fixes against pylint warnings that autopep8 didn't handle in the previous commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
91d2b621 |
|
07-Jul-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
test/py: efi_secboot: apply autopep8 Python's autopep8 can automatically correct some of warnings from pylint and rewrite the code in a pretty print format. So just do it. Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
bc246c69 |
|
02-Jul-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test: correct time stamps for UEFI authentication A time authenticated variable cannot be overwritten with another value with the same time stamp. So we must ensure the correct sequence of time stamps when generating out test data. Using parameter -t for sign-efi-sig-list gives reproducible results and avoids sleep statements. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
b32ac16f |
|
21-Apr-2020 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
test/py: fix test_efi_secboot/conftest.py If udisksctl is present test/py/tests/test_efi_secboot/conftest.py fails because the disk image is never mounted. Normal users can only mount fuse file systems. Unfortunately fusefat is still in an experimental state and seems not to work here correctly. So as we have to be root or use the sudo command anyway delete all coding referring to udisksctl. -- We should not use mount point /mnt as this directory or one of its sub-directories might already be in use as active mount points. Instead create a new directory in the build root as mount point. -- Remove debug print statements that have been commented out. print without parentheses is anyway invalid in Python 3. And pytest anyway filters out the output if there is no exception reported. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|
#
fe6ca4d5 |
|
13-Apr-2020 |
AKASHI Takahiro <takahiro.akashi@linaro.org> |
efi_loader, pytest: set up secure boot environment A fixture for UEFI secure boot tests (image authentication and variable authentication) is defined. A small file system with test data in a single partition formatted in fat is created. This test requires efitools v1.5.2 or later. If the system's efitools is older, you have to build it on your own and define EFITOOLS_PATH. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
|