Hi Sughosh,
On Tue, 25 Jul 2023 at 02:58, Sughosh Ganu <sughosh.g...@linaro.org> wrote:
>
> Support has being added through earlier commits to build capsules and
> embed the public key needed for capsule authentication as part of
> u-boot build.
>
> From the testing point-of-view, this means the input files needed for
> the above have to be setup before invoking the build. Set this up in
> the pytest configuration file for testing the capsule update feature.
>
> Signed-off-by: Sughosh Ganu <sughosh.g...@linaro.org>
> Reviewed-by: Simon Glass <s...@chromium.org>
> ---
> Changes since V4: None
>
> test/py/conftest.py | 84 +++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 84 insertions(+)
>
> diff --git a/test/py/conftest.py b/test/py/conftest.py
> index fc9dd3a83f..1092cb713b 100644
> --- a/test/py/conftest.py
> +++ b/test/py/conftest.py
> @@ -80,6 +80,86 @@ def pytest_addoption(parser):
> help='Run sandbox under gdbserver. The argument is the channel '+
> 'over which gdbserver should communicate, e.g. localhost:1234')
>
> +def setup_capsule_build(source_dir, build_dir, board_type, log):
> + """Setup the platform's build for testing capsule updates
> +
> + This generates the payload/input files needed for testing the
> + capsule update functionality, along with the keys for signing
> + the capsules. An EFI Signature List(ESL) file, which houses the
> + public key for capsule authentication is generated as
> + well.
> +
> + The ESL file is subsequently embedded into the platform's
> + dtb during the u-boot build, to be used for capsule
> + authentication.
> +
> + Two sets of keys are generated, namely SIGNER and SIGNER2.
> + The SIGNER2 key pair is used as a malicious key for testing the
> + the capsule authentication functionality.
> +
> + All the generated files are placed under the /tmp/capsules/
> + directory.
> +
> + Args:
> + soruce_dir (str): Directory containing source code
> + build_dir (str): Directory to build in
> + board_type (str): board_type parameter (e.g. 'sandbox')
> + log (Logfile): Log file to use
> +
> + Returns:
> + Nothing.
> + """
> + def run_command(name, cmd, source_dir):
> + with log.section(name):
> + if isinstance(cmd, str):
> + cmd = cmd.split()
> + runner = log.get_runner(name, None)
> + runner.run(cmd, cwd=source_dir)
> + runner.close()
> + log.status_pass('OK')
> +
> + def gen_capsule_payloads(capsule_dir):
> + fname = f'{capsule_dir}u-boot.bin.old'
> + with open(fname, 'w') as fd:
> + fd.write('u-boot:Old')
> +
> + fname = f'{capsule_dir}u-boot.bin.new'
> + with open(fname, 'w') as fd:
> + fd.write('u-boot:New')
> +
> + fname = f'{capsule_dir}u-boot.env.old'
> + with open(fname, 'w') as fd:
> + fd.write('u-boot-env:Old')
> +
> + fname = f'{capsule_dir}u-boot.env.new'
> + with open(fname, 'w') as fd:
> + fd.write('u-boot-env:New')
> +
> + capsule_sig_dir = '/tmp/capsules/'
> + sig_name = 'SIGNER'
> + mkdir_p(capsule_sig_dir)
> + name = 'openssl'
> + cmd = ( 'openssl req -x509 -sha256 -newkey rsa:2048 '
> + '-subj /CN=TEST_SIGNER/ -keyout '
> + f'{capsule_sig_dir}{sig_name}.key '
> + f'-out {capsule_sig_dir}{sig_name}.crt -nodes -days 365' )
> + run_command(name, cmd, source_dir)
Can you drop this now that the docker file does it?
> +
> + name = 'cert-to-efi-sig-list'
> + cmd = ( f'cert-to-efi-sig-list {capsule_sig_dir}{sig_name}.crt '
> + f'{capsule_sig_dir}{sig_name}.esl' )
> + run_command(name, cmd, source_dir)
> +
> + sig_name = 'SIGNER2'
> + name = 'openssl'
> + cmd = ( 'openssl req -x509 -sha256 -newkey rsa:2048 '
> + '-subj /CN=TEST_SIGNER/ -keyout '
> + f'{capsule_sig_dir}{sig_name}.key '
> + f'-out {capsule_sig_dir}{sig_name}.crt -nodes -days 365' )
> + run_command(name, cmd, source_dir)
> +
> + gen_capsule_payloads(capsule_sig_dir)
> +
> def run_build(config, source_dir, build_dir, board_type, log):
> """run_build: Build U-Boot
>
> @@ -90,6 +170,10 @@ def run_build(config, source_dir, build_dir, board_type,
> log):
> board_type (str): board_type parameter (e.g. 'sandbox')
> log (Logfile): Log file to use
> """
> + capsule_boards = ( 'sandbox', 'sandbox64', 'sandbox_flattree' )
> + if board_type in capsule_boards:
> + setup_capsule_build(source_dir, build_dir, board_type, log)
> +
> if config.getoption('buildman'):
> if build_dir != source_dir:
> dest_args = ['-o', build_dir, '-w']
> --
> 2.34.1
>
Regards,
Simon
