Hi Ivan,

On Tue, 7 Mar 2023 at 14:13, Ivan Mikhaylov <fr0st6...@gmail.com> wrote:
>
> From: Roman Kopytin <roman.kopy...@kaspersky.com>
>
> Signed-off-by: Roman Kopytin <roman.kopy...@kaspersky.com>
> Cc: Rasmus Villemoes <rasmus.villem...@prevas.dk>
> ---
>  test/py/tests/test_vboot.py | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
> index e3e7ca4b21..956b8fcd43 100644
> --- a/test/py/tests/test_vboot.py
> +++ b/test/py/tests/test_vboot.py
> @@ -313,6 +313,13 @@ def test_vboot(u_boot_console, name, sha_algo, padding, 
> sign_options, required,
>
>          util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
>
> +        # Create a fresh .dtb without the public keys
> +        dtc('sandbox-u-boot.dts')
> +        # Then add the dev key via the fdt_add_pubkey tool
> +        util.run_and_log(cons, [fdt_add_pubkey, '-a', '%s,rsa2048' % 
> sha_algo,
> +                                '-k', tmpdir, '-n', 'dev', '-r', 'conf', 
> dtb])
> +        util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', dtb])
> +
>          if full_test:
>              # Make sure that U-Boot checks that the config is in the list of
>              # hashed nodes. If it isn't, a security bypass is possible.
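
Review bot: After dtc('sandbox-u-boot.dts') regenerates the .dtb, nothing asserts that fit_check_sign fails on it before fdt_add_pubkey runs, so the final passing fit_check_sign does not by itself show that the tool added the key. Consider checking for a verification failure on the fresh .dtb first, then adding the key and checking for success. The added call also hard-codes 'rsa2048' and '-r', 'conf', while the function signature in the hunk header takes `required` as a parameter; either derive these from the test parameters or add a comment saying why fixed values are correct for every parametrised case. The commit message has no body describing what the test covers.
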
> @@ -500,6 +507,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, 
> sign_options, required,
>      mkimage = cons.config.build_dir + '/tools/mkimage'
>      binman = cons.config.source_dir + '/tools/binman/binman'
>      fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
> +    fdt_add_pubkey = cons.config.build_dir + '/tools/fdt_add_pubkey'
>      dtc_args = '-I dts -O dtb -i %s' % tmpdir
>      dtb = '%ssandbox-u-boot.dtb' % tmpdir
>      sig_node = '/configurations/conf-1/signature'
> --
> 2.39.1
>

Unfortunately this test fails on sandbox:

https://source.denx.de/u-boot/custodians/u-boot-dm/-/jobs/591975

I think it would be better to put it in its own test (perhaps in the
same file) so we are not doing it on every test run. Also you could
check (in a very basic way) that it adds the key correctly since we
don't really need another test of the logic of doing that. We are just
checking that your tool calls that logic correctly.

I'll drop this one when applying, for now. Please take a look.

Regards,
Simon
