Dear Simon Glass,
> Also please do check tests (make qcheck) since sandbox enables more
> options than most boards.

All tests passed, please check the detailed log in the attachment.

Best regards,
Rover Mo

At 2021-11-09 15:21:43, "Rover Mo" <myz...@126.com> wrote:
>To prevent booting unsigned images, don't enable the non-secure boot
>commands (booti, bootz, etc.) by default if secure boot is enabled.
>
>Signed-off-by: Rover Mo <myz...@126.com>
>Cc: Heinrich Schuchardt <xypron.g...@gmx.de>
>Cc: Simon Glass <s...@chromium.org>
>
>---
>
>Changes for v2:
> - Don't enable the non-secure boot commands too if !EFI_SECURE_BOOT
> - Update the help information
> - Changed commit title
>
> cmd/Kconfig | 11 +++++++++--
> common/Kconfig.boot | 2 +-
> 2 files changed, 10 insertions(+), 3 deletions(-)
>
>diff --git a/cmd/Kconfig b/cmd/Kconfig >index 5b30b13e43..98c588e638 100644 >--- a/cmd/Kconfig >+++ b/cmd/Kconfig >@@ -203,15 +203,22 @@ config BOOTM_EFI > > config CMD_BOOTZ > bool "bootz" >+ default y if !FIT_SIGNATURE && !EFI_SECURE_BOOT > help > Boot the Linux zImage >+ The bootz command is used for launching unsigned Linux zImage. >+ If you want to have secure boot either via signed FIT images or via >+ signed UEFI images, this option should be disabled. > > config CMD_BOOTI > bool "booti" > depends on ARM64 || RISCV >- default y >+ default y if !FIT_SIGNATURE && !EFI_SECURE_BOOT > help >- Boot an AArch64 Linux Kernel image from memory. >+ Boot an AArch64/RISC-V Linux Kernel image from memory. >+ The booti command is used for launching unsigned AArch64 and RISC-V >+ Linux kernel images. If you want to have secure boot either via signed >+ FIT images or via signed UEFI images, this option should be disabled. > > config BOOTM_LINUX > bool "Support booting Linux OS images" >diff --git a/common/Kconfig.boot b/common/Kconfig.boot >index a8d4be23a9..574f35b42e 100644 >--- a/common/Kconfig.boot >+++ b/common/Kconfig.boot 
>@@ -283,7 +283,7 @@ endif # FIT > > config LEGACY_IMAGE_FORMAT > bool "Enable support for the legacy image format" >- default y if !FIT_SIGNATURE >+ default y if !FIT_SIGNATURE && !EFI_SECURE_BOOT > help > This option enables the legacy image format. It is enabled by > default for backward compatibility, unless FIT_SIGNATURE is >-- >2.25.1
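
Review bot: in the CMD_BOOTZ entry of the cmd/Kconfig hunk, `default y if !FIT_SIGNATURE && !EFI_SECURE_BOOT` is added without any earlier `default` line being removed (for CMD_BOOTI an existing `default y` is replaced), so as far as the hunk shows bootz goes from having no default to being on by default whenever neither option is set. That widens what gets built instead of narrowing it, and the commit message does not mention it; either drop the new default for CMD_BOOTZ or describe the change and its effect on existing boards. Separately, for both entries a Kconfig default only applies when the symbol is not set explicitly, so a defconfig carrying CONFIG_CMD_BOOTZ=y or CONFIG_CMD_BOOTI=y together with FIT_SIGNATURE keeps the command; the help text says the option "should be disabled", and it would be worth saying in the commit message that this is advisory and not enforced.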
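
Review bot: in the common/Kconfig.boot hunk the LEGACY_IMAGE_FORMAT help text is left unchanged and its context line still reads "unless FIT_SIGNATURE is", while the default now also depends on EFI_SECURE_BOOT. Please update that help sentence to name both options, in line with the help updates made for CMD_BOOTZ and CMD_BOOTI in cmd/Kconfig.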
/work/open-source/bootloader/u-boot$ make qcheck
./test/run quick
sandbox:
+make O=/work/open-source/bootloader/u-boot/build-sandbox -s sandbox_defconfig
+make O=/work/open-source/bootloader/u-boot/build-sandbox -s -j8
================================================================= test session starts ==================================================================
platform linux -- Python 3.8.10, pytest-6.2.5, py-1.10.0, pluggy-0.13.1
rootdir: /work/open-source/bootloader/u-boot/test/py, configfile: pytest.ini
collected 854 items / 111 deselected / 743 selected

test/py/tests/test_000_version.py . [ 0%]
test/py/tests/test_bind.py .. [ 0%]
test/py/tests/test_button.py .. [ 0%]
test/py/tests/test_dfu.py s [ 0%]
test/py/tests/test_dm.py ... [ 1%]
test/py/tests/test_efi_fit.py . [ 1%]
test/py/tests/test_efi_loader.py .sss.s [ 2%]
test/py/tests/test_efi_selftest.py sssss [ 2%]
test/py/tests/test_env.py ............... [ 4%]
test/py/tests/test_extension.py . [ 4%]
test/py/tests/test_fit.py . [ 5%]
test/py/tests/test_fit_ecdsa.py . [ 5%]
test/py/tests/test_fit_hashes.py . [ 5%]
test/py/tests/test_fpga.py ssssssssssssssssssssssssssss [ 9%]
test/py/tests/test_gpio.py .. [ 9%]
test/py/tests/test_gpt.py ....... [ 10%]
test/py/tests/test_handoff.py s [ 10%]
test/py/tests/test_help.py . [ 10%]
test/py/tests/test_hush_if_test.py .................................................................... [ 19%]
test/py/tests/test_log.py s. [ 20%]
test/py/tests/test_lsblk.py . [ 20%]
test/py/tests/test_md.py .. [ 20%]
test/py/tests/test_mmc_rd.py ssss [ 20%]
test/py/tests/test_mmc_wr.py s [ 21%]
test/py/tests/test_net.py .sssss [ 21%]
test/py/tests/test_ofplatdata.py s [ 22%]
test/py/tests/test_part.py . [ 22%]
test/py/tests/test_pinmux.py ....... [ 23%]
test/py/tests/test_pstore.py ... [ 23%]
test/py/tests/test_qfw.py .. [ 23%]
test/py/tests/test_sandbox_exit.py ..s. [ 24%]
test/py/tests/test_scp03.py . [ 24%]
test/py/tests/test_sf.py ssss [ 25%]
test/py/tests/test_shell_basics.py .... [ 25%]
test/py/tests/test_sleep.py s [ 25%]
test/py/tests/test_spl.py s [ 25%]
test/py/tests/test_stackprotector.py . [ 25%]
test/py/tests/test_tpm2.py ........... [ 27%]
test/py/tests/test_ums.py s [ 27%]
test/py/tests/test_unknown_cmd.py . [ 27%]
test/py/tests/test_ut.py ....................................................................................................................... [ 43%]
................................................................................................................................................ [ 63%]
................................................................................................................................................ [ 82%]
............................................................................................................. [ 97%]
test/py/tests/test_vboot.py .......... [ 98%]
test/py/tests/test_android/test_ab.py . [ 98%]
test/py/tests/test_android/test_abootimg.py . [ 98%]
test/py/tests/test_android/test_avb.py ss..s. [ 99%]
test/py/tests/test_fs/test_fs_cmd.py . [ 99%]
test/py/tests/test_fs/test_squashfs/test_sqfs_load.py . [ 99%]
test/py/tests/test_fs/test_squashfs/test_sqfs_ls.py . [100%]

============================================== 681 passed, 62 skipped, 111 deselected in 63.16s (0:01:03) ==============================================
sandbox_spl:
+make O=/work/open-source/bootloader/u-boot/build-sandbox_spl -s sandbox_spl_defconfig
+make O=/work/open-source/bootloader/u-boot/build-sandbox_spl -s -j8
================================================================= test session starts ==================================================================
platform linux -- Python 3.8.10, pytest-6.2.5, py-1.10.0, pluggy-0.13.1
rootdir: /work/open-source/bootloader/u-boot/test/py, configfile: pytest.ini
collected 798 items / 787 deselected / 11 selected

test/py/tests/test_handoff.py . [ 9%]
test/py/tests/test_ofplatdata.py . [ 18%]
test/py/tests/test_spl.py ......... [100%]

========================================================== 11 passed, 787 deselected in 6.47s ==========================================================
sandbox_spl:
+make O=/work/open-source/bootloader/u-boot/build-sandbox_noinst -s sandbox_noinst_defconfig
+make O=/work/open-source/bootloader/u-boot/build-sandbox_noinst -s -j8
================================================================= test session starts ==================================================================
platform linux -- Python 3.8.10, pytest-6.2.5, py-1.10.0, pluggy-0.13.1
rootdir: /work/open-source/bootloader/u-boot/test/py, configfile: pytest.ini
collected 798 items / 787 deselected / 11 selected

test/py/tests/test_handoff.py s [ 9%]
test/py/tests/test_ofplatdata.py s [ 18%]
test/py/tests/test_spl.py ......... [100%]

===================================================== 9 passed, 2 skipped, 787 deselected in 6.44s =====================================================
sandbox_flattree:
+make O=/work/open-source/bootloader/u-boot/build-sandbox_flattree -s sandbox_flattree_defconfig
+make O=/work/open-source/bootloader/u-boot/build-sandbox_flattree -s -j8
================================================================= test session starts ==================================================================
platform linux -- Python 3.8.10, pytest-6.2.5, py-1.10.0, pluggy-0.13.1
rootdir: /work/open-source/bootloader/u-boot/test/py, configfile: pytest.ini
collected 794 items / 338 deselected / 456 selected

test/py/tests/test_ut.py ....................................................................................................................... [ 26%]
................................................................................................................................................ [ 57%]
................................................................................................................................................ [ 89%]
................................................. [100%]

========================================================= 456 passed, 338 deselected in 8.67s ==========================================================
binman: <unittest.result.TestResult run=322 errors=0 failures=0>
patman: <unittest.result.TestResult run=44 errors=0 failures=0>
buildman: <unittest.result.TestResult run=46 errors=0 failures=0>
fdt: <unittest.result.TestResult run=41 errors=0 failures=0>
dtoc: <unittest.result.TestResult run=62 errors=0 failures=0>
binman code coverage: <unittest.result.TestResult run=322 errors=0 failures=0>
100%
dtoc code coverage: <unittest.result.TestResult run=62 errors=0 failures=0>
100%
fdt code coverage: <unittest.result.TestResult run=41 errors=0 failures=0>
100%
Tests passed!
/work/open-source/bootloader/u-boot$
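
A check on the built configuration that the commit message above is concerned with, as an added example (not part of the original mail or of U-Boot): a Kconfig `default` can be overridden by an explicit setting in a defconfig, so this parses a `.config` and reports unsigned-boot options left enabled alongside FIT_SIGNATURE or EFI_SECURE_BOOT. The option names come from the patch; the function names and the sample configurations are constructed for illustration.

```python
import re

# Options that turn on signature verification (names taken from the patch).
SECURE_BOOT_OPTS = ("FIT_SIGNATURE", "EFI_SECURE_BOOT")
# Options the patch treats as ways to boot unsigned images.
UNSIGNED_BOOT_OPTS = ("CMD_BOOTZ", "CMD_BOOTI", "LEGACY_IMAGE_FORMAT")

_SET = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_([A-Za-z0-9_]+) is not set$")


def parse_dotconfig(text):
    """Return {symbol: value} for a Kconfig .config; unset symbols map to 'n'."""
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            symbols[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols


def audit(text):
    """List unsigned-boot options enabled while a secure-boot option is on."""
    cfg = parse_dotconfig(text)
    active = [o for o in SECURE_BOOT_OPTS if cfg.get(o, "n") == "y"]
    if not active:
        return []  # no signature verification configured, nothing to contradict
    return [(o, active) for o in UNSIGNED_BOOT_OPTS if cfg.get(o, "n") == "y"]


# Constructed sample: explicit =y settings that a changed default cannot undo.
SAMPLE_WEAK = """\
CONFIG_FIT=y
CONFIG_FIT_SIGNATURE=y
CONFIG_CMD_BOOTZ=y
# CONFIG_CMD_BOOTI is not set
CONFIG_LEGACY_IMAGE_FORMAT=y
"""
# Constructed sample: secure boot on, unsigned boot paths off.
SAMPLE_OK = """\
CONFIG_EFI_SECURE_BOOT=y
# CONFIG_CMD_BOOTZ is not set
# CONFIG_CMD_BOOTI is not set
# CONFIG_LEGACY_IMAGE_FORMAT is not set
"""

if __name__ == "__main__":
    for option, because in audit(SAMPLE_WEAK):
        print(f"CONFIG_{option}=y although {', '.join(because)} is enabled")
```

Run against the `.config` in a board's build directory, an empty result means none of the three options is enabled next to a signature-verification option.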