diff options
| author | Julius Werner <jwerner@chromium.org> | 2019-12-13 17:57:48 -0800 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2020-01-16 17:55:55 +0000 |
| commit | d7a931063328ce9a0ff40961ec65eae119b27cd8 (patch) | |
| tree | ecc7f24cbc65eeb7e3461152b7894c5f1a32d9cf | |
| parent | eb609d26ea32e5a6c8b5c4ec1c090471184e380b (diff) | |
| download | vboot-d7a931063328ce9a0ff40961ec65eae119b27cd8.tar.gz | |
tests/vb2_firmware_tests: Improve workbuffer usage test
This patch changes vb2_firmware_tests to run multiple times with
different combinations of signature and hash algorithms. The goal is to
have more confidence that our recommended work buffer size is still big
enough even if we changed algorithm combinations in an RW update. It
also changes the underlying vb20_verify_fw to not just print the amount
of work buffer used at the end, but to detect the actual high water mark
of work buffer used during the test.
Also add some fallback definitions for undefined environment variables
to tests/common.sh which helps running individual test scripts without
the Makefile harness.
BRANCH=None
BUG=None
TEST=make runtests
Change-Id: I14519cd7c76a9886bd11ebf5312458ab658e6f75
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1967976
Reviewed-by: Joel Kitching <kitching@chromium.org>
| -rw-r--r-- | tests/common.sh | 5 | ||||
| -rw-r--r-- | tests/vb20_verify_fw.c | 13 | ||||
| -rwxr-xr-x | tests/vb2_firmware_tests.sh | 107 |
3 files changed, 89 insertions, 36 deletions
diff --git a/tests/common.sh b/tests/common.sh index 8cc1498d..70743fc7 100644 --- a/tests/common.sh +++ b/tests/common.sh @@ -6,8 +6,11 @@ # Determine script directory. SCRIPT_DIR=$(dirname $(readlink -f "$0")) - ROOT_DIR="$(dirname ${SCRIPT_DIR})" +SRCDIR="${SRCDIR:-${ROOT_DIR}}" +BUILD="${BUILD:-${ROOT_DIR}/build}" +BUILD_RUN="${BUILD_RUN:-${BUILD}}" +SRC_RUN="${SRC_RUN:-${SRCDIR}}" BUILD_DIR="${BUILD}" BIN_DIR=${BUILD_DIR}/install_for_test/bin FUTILITY=${BIN_DIR}/futility diff --git a/tests/vb20_verify_fw.c b/tests/vb20_verify_fw.c index 4e107cf1..e2a54718 100644 --- a/tests/vb20_verify_fw.c +++ b/tests/vb20_verify_fw.c @@ -146,7 +146,8 @@ static void print_help(const char *progname) int main(int argc, char *argv[]) { - uint8_t workbuf[16384] __attribute__((aligned(VB2_WORKBUF_ALIGN))); + uint8_t workbuf[VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE] + __attribute__((aligned(VB2_WORKBUF_ALIGN))); struct vb2_context *ctx; struct vb2_shared_data *sd; vb2_error_t rv; @@ -161,6 +162,11 @@ int main(int argc, char *argv[]) vblock_fname = argv[2]; body_fname = argv[3]; + /* Intialize workbuf with sentinel value to see how much we'll use. */ + uint32_t *ptr = (uint32_t *)workbuf; + while ((uint8_t *)ptr + sizeof(*ptr) <= workbuf + sizeof(workbuf)) + *ptr++ = 0xbeefdead; + /* Set up context */ if (vb2api_init(workbuf, sizeof(workbuf), &ctx)) { printf("Failed to initialize workbuf.\n"); @@ -211,7 +217,10 @@ int main(int argc, char *argv[]) printf("Yaay!\n"); - printf("Workbuf used = %d bytes\n", sd->workbuf_used); + while ((uint8_t *)ptr > workbuf && *--ptr == 0xbeefdead) + /* find last used workbuf offset */; + printf("Workbuf used = %d bytes, high watermark = %zu bytes\n", + sd->workbuf_used, (uint8_t *)ptr + sizeof(*ptr) - workbuf); return 0; } diff --git a/tests/vb2_firmware_tests.sh b/tests/vb2_firmware_tests.sh index 00f3afdb..88b6e6a8 100755 --- a/tests/vb2_firmware_tests.sh +++ b/tests/vb2_firmware_tests.sh @@ -23,36 +23,77 @@ cd "$DIR" echo 'This is a test firmware body. This is only a test. Lalalalala' \ > body.test -# Pack keys using original vboot utilities -${FUTILITY} vbutil_key --pack rootkey.test \ - --key ${TESTKEY_DIR}/key_rsa8192.keyb --algorithm 11 -${FUTILITY} vbutil_key --pack fwsubkey.test \ - --key ${TESTKEY_DIR}/key_rsa4096.keyb --algorithm 7 -${FUTILITY} vbutil_key --pack kernkey.test \ - --key ${TESTKEY_DIR}/key_rsa2048.keyb --algorithm 4 - -# Create a GBB with the root key -${FUTILITY} gbb -c 128,2400,0,0 gbb.test -${FUTILITY} gbb gbb.test -s --hwid='Test GBB' \ - --rootkey=rootkey.test - -# Keyblock with firmware subkey is signed by root key -${FUTILITY} vbutil_keyblock --pack keyblock.test \ - --datapubkey fwsubkey.test \ - --signprivate ${TESTKEY_DIR}/key_rsa8192.sha512.vbprivk - -# Firmware preamble is signed with the firmware subkey -${FUTILITY} vbutil_firmware \ - --vblock vblock.test \ - --keyblock keyblock.test \ - --signprivate ${TESTKEY_DIR}/key_rsa4096.sha256.vbprivk \ - --fv body.test \ - --version 1 \ - --kernelkey kernkey.test - -echo 'Verifying test firmware using vb2_verify_fw' - -# Verify the firmware using vboot2 checks -${BUILD_RUN}/tests/vb20_verify_fw gbb.test vblock.test body.test - -happy 'vb2_verify_fw succeeded' +algo_to_rsa() +{ + case $1 in + 0|1|2) printf "rsa1024";; + 3|4|5) printf "rsa2048";; + 6|7|8) printf "rsa4096";; + 9|10|11) printf "rsa8192";; + *) exit 1;; + esac +} + +algo_to_sha() +{ + case $1 in + 0|3|6|9) printf "sha1";; + 1|4|7|10) printf "sha256";; + 2|5|8|11) printf "sha512";; + *) exit 1;; + esac +} + +run_test() +{ + local root_algo=$1 + local fw_algo=$2 + local kern_algo=$3 + + local root_rsa="$(algo_to_rsa ${root_algo})" + local fw_rsa="$(algo_to_rsa ${fw_algo})" + local kern_rsa="$(algo_to_rsa ${kern_algo})" + + local root_sha="$(algo_to_sha ${root_algo})" + local fw_sha="$(algo_to_sha ${fw_algo})" + local kern_sha="$(algo_to_sha ${kern_algo})" + + # Pack keys using original vboot utilities + ${FUTILITY} vbutil_key --pack rootkey.test \ + --key "${TESTKEY_DIR}/key_${root_rsa}.keyb" --algorithm ${root_algo} + ${FUTILITY} vbutil_key --pack fwsubkey.test \ + --key "${TESTKEY_DIR}/key_${fw_rsa}.keyb" --algorithm ${fw_algo} + ${FUTILITY} vbutil_key --pack kernkey.test \ + --key "${TESTKEY_DIR}/key_${kern_rsa}.keyb" --algorithm ${kern_algo} + + # Create a GBB with the root key + ${FUTILITY} gbb -c 128,2400,0,0 gbb.test + ${FUTILITY} gbb gbb.test -s --hwid='Test GBB' \ + --rootkey=rootkey.test + + # Keyblock with firmware subkey is signed by root key + ${FUTILITY} vbutil_keyblock --pack keyblock.test \ + --datapubkey fwsubkey.test \ + --signprivate "${TESTKEY_DIR}/key_${root_rsa}.${root_sha}.vbprivk" + + # Firmware preamble is signed with the firmware subkey + ${FUTILITY} vbutil_firmware \ + --vblock vblock.test \ + --keyblock keyblock.test \ + --signprivate "${TESTKEY_DIR}/key_${fw_rsa}.${fw_sha}.vbprivk" \ + --fv body.test \ + --version 1 \ + --kernelkey kernkey.test + + echo "Verifying test firmware using vb2_verify_fw" \ + "(root=${root_algo}, fw=${fw_algo}, kernel=${kern_algo})" + + # Verify the firmware using vboot2 checks + ${BUILD_RUN}/tests/vb20_verify_fw gbb.test vblock.test body.test + + happy 'vb2_verify_fw succeeded' +} + +run_test 11 7 4 +run_test 11 11 11 +run_test 1 1 1 |