Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-05-08 19:11:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Pull request for efi-2022-04-rc2-4

Browse source 
Documentation:
 
 * mkeficapsule man-page
 
 UEFI changes:
 
 * add support for signing images to mkeficapsule
 * add support for user define capsule GUID
 * adjust unit tests for capsules
 * fix UEFI image signature validation in case of multiple signatures
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmIGtKEACgkQxIHbvCwF
 GsSWlg//Vr61dpbpPVuczl18OtojpUzMg8bwqc4tJQRQrOGMGjmPqrGZJCm1pmMH
 Q5ZD4QCAdycbRqAqcpdX9FXHmD5R0HvGmhlC9TnXxo4nKaOcphMMC3PFjBQZlhPJ
 KPc7jjoIcycz+fRqbd4CGRFXNGJAecK++4uM6v6WCNF3Dq16r0ws1aUTG7YPlaJF
 JNo3/4eEQpRsplNXpJsqVPQhbfLuaiCOJc8VUWYNylRdhBC7Dx8yI7m1FHOSBbKb
 Pk4tbysEhowcSc2Duc9muxkaVAkSy/mIHj1I8Z2VzpzH8zXcaiHMjROqMGOE+vwx
 raDzJI0ZcEV/MEbm/QLCALlCKqN3d1NRmZLAvXPYN4+ioA8lzPAEnqEywXRPY/Yk
 KnkDWaF1KEKzDaY52oqkh2LkasY9wzluvb1sm+oW9bh/kn4wKLr0Z1oSl92/vvci
 S/ztLqxhqlXpWx0NzOFnNvUUkEl0VN6IM/+Bsg5AoO7mdWe7MC3iSPOU1Ge5wRU9
 R9BLaTrr61/+soc2jrJL5PQr3Rqtyo1qLpIusMFT88jeFp0b8AIUL2AUlJsAUXYg
 a2NV7qGUsZN/Ur488N1t7DixTkjGdStHKRk06bSTPrOpfA2oembdA2/H/HECoJMP
 JzdwMeZM0qcxFGTbC7c3yO3cTVVYPyIDGh1YEBYjCzfL6AuR2uU=
 =AAdJ
 -----END PGP SIGNATURE-----

Merge tag 'efi-2022-04-rc2-4' of https://source.denx.de/u-boot/custodians/u-boot-efi

Pull request for efi-2022-04-rc2-4

Documentation:

* mkeficapsule man-page

UEFI changes:

* add support for signing images to mkeficapsule
* add support for user define capsule GUID
* adjust unit tests for capsules
* fix UEFI image signature validation in case of multiple signatures
This commit is contained in:
Tom Rini 2022-02-11 15:07:49 -05:00
commit 162c22bfbc
17 changed files with 1186 additions and 217 deletions
Download patch file Download diff file Expand all files Collapse all files

5
test/py/tests/test_efi_capsule/capsule_defs.py
View file

@ -3,3 +3,8 @@
# Directories
CAPSULE_DATA_DIR = '/EFI/CapsuleTestData'
CAPSULE_INSTALL_DIR = '/EFI/UpdateCapsule'
# v1.5.1 or earlier of efitools has a bug in sha256 calculation, and
# you need build a newer version on your own.
# The path must terminate with '/' if it is not null.
EFITOOLS_PATH = ''

59
test/py/tests/test_efi_capsule/conftest.py
View file

@ -10,13 +10,13 @@ import pytest
from capsule_defs import *
#
# Fixture for UEFI secure boot test
# Fixture for UEFI capsule test
#
@pytest.fixture(scope='session')
def efi_capsule_data(request, u_boot_config):
"""Set up a file system to be used in UEFI capsule test.
"""Set up a file system to be used in UEFI capsule and
authentication test.
Args:
request: Pytest request object.
@ -40,6 +40,36 @@ def efi_capsule_data(request, u_boot_config):
check_call('mkdir -p %s' % data_dir, shell=True)
check_call('mkdir -p %s' % install_dir, shell=True)
capsule_auth_enabled = u_boot_config.buildconfig.get(
'config_efi_capsule_authenticate')
if capsule_auth_enabled:
# Create private key (SIGNER.key) and certificate (SIGNER.crt)
check_call('cd %s; '
'openssl req -x509 -sha256 -newkey rsa:2048 '
'-subj /CN=TEST_SIGNER/ -keyout SIGNER.key '
'-out SIGNER.crt -nodes -days 365'
% data_dir, shell=True)
check_call('cd %s; %scert-to-efi-sig-list SIGNER.crt SIGNER.esl'
% (data_dir, EFITOOLS_PATH), shell=True)
# Update dtb adding capsule certificate
check_call('cd %s; '
'cp %s/test/py/tests/test_efi_capsule/signature.dts .'
% (data_dir, u_boot_config.source_dir), shell=True)
check_call('cd %s; '
'dtc -@ -I dts -O dtb -o signature.dtbo signature.dts; '
'fdtoverlay -i %s/arch/sandbox/dts/test.dtb '
'-o test_sig.dtb signature.dtbo'
% (data_dir, u_boot_config.build_dir), shell=True)
# Create *malicious* private key (SIGNER2.key) and certificate
# (SIGNER2.crt)
check_call('cd %s; '
'openssl req -x509 -sha256 -newkey rsa:2048 '
'-subj /CN=TEST_SIGNER/ -keyout SIGNER2.key '
'-out SIGNER2.crt -nodes -days 365'
% data_dir, shell=True)
# Create capsule files
# two regions: one for u-boot.bin and the other for u-boot.env
check_call('cd %s; echo -n u-boot:Old > u-boot.bin.old; echo -n u-boot:New > u-boot.bin.new; echo -n u-boot-env:Old -> u-boot.env.old; echo -n u-boot-env:New > u-boot.env.new' % data_dir,
@ -50,12 +80,31 @@ def efi_capsule_data(request, u_boot_config):
check_call('cd %s; %s/tools/mkimage -f uboot_bin_env.its uboot_bin_env.itb' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --fit uboot_bin_env.itb --index 1 Test01' %
check_call('cd %s; %s/tools/mkeficapsule --index 1 --fit uboot_bin_env.itb Test01' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --raw u-boot.bin.new --index 1 Test02' %
check_call('cd %s; %s/tools/mkeficapsule --index 1 --raw u-boot.bin.new Test02' %
(data_dir, u_boot_config.build_dir),
shell=True)
check_call('cd %s; %s/tools/mkeficapsule --index 1 --guid E2BB9C06-70E9-4B14-97A3-5A7913176E3F u-boot.bin.new Test03' %
(data_dir, u_boot_config.build_dir),
shell=True)
if capsule_auth_enabled:
# firmware signed with proper key
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--private-key SIGNER.key --certificate SIGNER.crt '
'--raw u-boot.bin.new Test11'
% (data_dir, u_boot_config.build_dir),
shell=True)
# firmware signed with *mal* key
check_call('cd %s; '
'%s/tools/mkeficapsule --index 1 --monotonic-count 1 '
'--private-key SIGNER2.key '
'--certificate SIGNER2.crt '
'--raw u-boot.bin.new Test12'
% (data_dir, u_boot_config.build_dir),
shell=True)
# Create a disk image with EFI system partition
check_call('virt-make-fs --partition=gpt --size=+1M --type=vfat %s %s' %

10
test/py/tests/test_efi_capsule/signature.dts Normal file
View file

@ -0,0 +1,10 @@
// SPDX-License-Identifier: GPL-2.0+
/dts-v1/;
/plugin/;
&{/} {
signature {
capsule-key = /incbin/("SIGNER.esl");
};
};

91
test/py/tests/test_efi_capsule/test_capsule_firmware.py
View file

@ -148,6 +148,8 @@ class TestEfiCapsuleFirmwareFit(object):
capsule_early = u_boot_config.buildconfig.get(
'config_efi_capsule_on_disk_early')
capsule_auth = u_boot_config.buildconfig.get(
'config_efi_capsule_authenticate')
with u_boot_console.log.section('Test Case 2-b, after reboot'):
if not capsule_early:
# make sure that dfu_alt_info exists even persistent variables
@ -171,12 +173,18 @@ class TestEfiCapsuleFirmwareFit(object):
'sf probe 0:0',
'sf read 4000000 100000 10',
'md.b 4000000 10'])
assert 'u-boot:New' in ''.join(output)
if capsule_auth:
assert 'u-boot:Old' in ''.join(output)
else:
assert 'u-boot:New' in ''.join(output)
output = u_boot_console.run_command_list([
'sf read 4000000 150000 10',
'md.b 4000000 10'])
assert 'u-boot-env:New' in ''.join(output)
if capsule_auth:
assert 'u-boot-env:Old' in ''.join(output)
else:
assert 'u-boot-env:New' in ''.join(output)
def test_efi_capsule_fw3(
self, u_boot_config, u_boot_console, efi_capsule_data):
@ -215,6 +223,8 @@ class TestEfiCapsuleFirmwareFit(object):
capsule_early = u_boot_config.buildconfig.get(
'config_efi_capsule_on_disk_early')
capsule_auth = u_boot_config.buildconfig.get(
'config_efi_capsule_authenticate')
with u_boot_console.log.section('Test Case 3-b, after reboot'):
if not capsule_early:
# make sure that dfu_alt_info exists even persistent variables
@ -246,4 +256,79 @@ class TestEfiCapsuleFirmwareFit(object):
'sf probe 0:0',
'sf read 4000000 100000 10',
'md.b 4000000 10'])
assert 'u-boot:New' in ''.join(output)
if capsule_auth:
assert 'u-boot:Old' in ''.join(output)
else:
assert 'u-boot:New' in ''.join(output)
def test_efi_capsule_fw4(
self, u_boot_config, u_boot_console, efi_capsule_data):
"""
Test Case 4 - Test "--guid" option of mkeficapsule
The test scenario is the same as Case 3.
"""
disk_img = efi_capsule_data
with u_boot_console.log.section('Test Case 4-a, before reboot'):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi -s ""',
'efidebug boot order 1',
'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
'env save'])
# initialize content
output = u_boot_console.run_command_list([
'sf probe 0:0',
'fatload host 0:1 4000000 %s/u-boot.bin.old' % CAPSULE_DATA_DIR,
'sf write 4000000 100000 10',
'sf read 5000000 100000 10',
'md.b 5000000 10'])
assert 'Old' in ''.join(output)
# place a capsule file
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 %s/Test03' % CAPSULE_DATA_DIR,
'fatwrite host 0:1 4000000 %s/Test03 $filesize' % CAPSULE_INSTALL_DIR,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test03' in ''.join(output)
# reboot
u_boot_console.restart_uboot()
capsule_early = u_boot_config.buildconfig.get(
'config_efi_capsule_on_disk_early')
capsule_auth = u_boot_config.buildconfig.get(
'config_efi_capsule_authenticate')
with u_boot_console.log.section('Test Case 4-b, after reboot'):
if not capsule_early:
# make sure that dfu_alt_info exists even persistent variables
# are not available.
output = u_boot_console.run_command_list([
'env set dfu_alt_info "sf 0:0=u-boot-bin raw 0x100000 0x50000;u-boot-env raw 0x150000 0x200000"',
'host bind 0 %s' % disk_img,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test03' in ''.join(output)
# need to run uefi command to initiate capsule handling
output = u_boot_console.run_command(
'env print -e Capsule0000')
output = u_boot_console.run_command_list(['efidebug capsule esrt'])
# ensure that EFI_FIRMWARE_IMAGE_TYPE_UBOOT_RAW_GUID is in the ESRT.
assert 'E2BB9C06-70E9-4B14-97A3-5A7913176E3F' in ''.join(output)
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test03' not in ''.join(output)
output = u_boot_console.run_command_list([
'sf probe 0:0',
'sf read 4000000 100000 10',
'md.b 4000000 10'])
if capsule_auth:
assert 'u-boot:Old' in ''.join(output)
else:
assert 'u-boot:New' in ''.join(output)

254
test/py/tests/test_efi_capsule/test_capsule_firmware_signed.py Normal file
View file

@ -0,0 +1,254 @@
# SPDX-License-Identifier: GPL-2.0+
# Copyright (c) 2021, Linaro Limited
# Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
#
# U-Boot UEFI: Firmware Update (Signed capsule) Test
"""
This test verifies capsule-on-disk firmware update
with signed capsule files
"""
import pytest
from capsule_defs import CAPSULE_DATA_DIR, CAPSULE_INSTALL_DIR
@pytest.mark.boardspec('sandbox')
@pytest.mark.buildconfigspec('efi_capsule_firmware_raw')
@pytest.mark.buildconfigspec('efi_capsule_authenticate')
@pytest.mark.buildconfigspec('dfu')
@pytest.mark.buildconfigspec('dfu_sf')
@pytest.mark.buildconfigspec('cmd_efidebug')
@pytest.mark.buildconfigspec('cmd_fat')
@pytest.mark.buildconfigspec('cmd_memory')
@pytest.mark.buildconfigspec('cmd_nvedit_efi')
@pytest.mark.buildconfigspec('cmd_sf')
@pytest.mark.slow
class TestEfiCapsuleFirmwareSigned(object):
def test_efi_capsule_auth1(
self, u_boot_config, u_boot_console, efi_capsule_data):
"""
Test Case 1 - Update U-Boot on SPI Flash, raw image format
0x100000-0x150000: U-Boot binary (but dummy)
If the capsule is properly signed, the authentication
should pass and the firmware be updated.
"""
disk_img = efi_capsule_data
with u_boot_console.log.section('Test Case 1-a, before reboot'):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
'efidebug boot order 1',
'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
'env set dfu_alt_info '
'"sf 0:0=u-boot-bin raw 0x100000 '
'0x50000;u-boot-env raw 0x150000 0x200000"',
'env save'])
# initialize content
output = u_boot_console.run_command_list([
'sf probe 0:0',
'fatload host 0:1 4000000 %s/u-boot.bin.old'
% CAPSULE_DATA_DIR,
'sf write 4000000 100000 10',
'sf read 5000000 100000 10',
'md.b 5000000 10'])
assert 'Old' in ''.join(output)
# place a capsule file
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 %s/Test11' % CAPSULE_DATA_DIR,
'fatwrite host 0:1 4000000 %s/Test11 $filesize'
% CAPSULE_INSTALL_DIR,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test11' in ''.join(output)
# reboot
mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
+ '/test_sig.dtb'
u_boot_console.restart_uboot()
capsule_early = u_boot_config.buildconfig.get(
'config_efi_capsule_on_disk_early')
with u_boot_console.log.section('Test Case 1-b, after reboot'):
if not capsule_early:
# make sure that dfu_alt_info exists even persistent variables
# are not available.
output = u_boot_console.run_command_list([
'env set dfu_alt_info '
'"sf 0:0=u-boot-bin raw 0x100000 '
'0x50000;u-boot-env raw 0x150000 0x200000"',
'host bind 0 %s' % disk_img,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test11' in ''.join(output)
# need to run uefi command to initiate capsule handling
output = u_boot_console.run_command(
'env print -e Capsule0000')
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test11' not in ''.join(output)
output = u_boot_console.run_command_list([
'sf probe 0:0',
'sf read 4000000 100000 10',
'md.b 4000000 10'])
assert 'u-boot:New' in ''.join(output)
def test_efi_capsule_auth2(
self, u_boot_config, u_boot_console, efi_capsule_data):
"""
Test Case 2 - Update U-Boot on SPI Flash, raw image format
0x100000-0x150000: U-Boot binary (but dummy)
If the capsule is signed but with an invalid key,
the authentication should fail and the firmware
not be updated.
"""
disk_img = efi_capsule_data
with u_boot_console.log.section('Test Case 2-a, before reboot'):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
'efidebug boot order 1',
'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
'env set dfu_alt_info '
'"sf 0:0=u-boot-bin raw 0x100000 '
'0x50000;u-boot-env raw 0x150000 0x200000"',
'env save'])
# initialize content
output = u_boot_console.run_command_list([
'sf probe 0:0',
'fatload host 0:1 4000000 %s/u-boot.bin.old'
% CAPSULE_DATA_DIR,
'sf write 4000000 100000 10',
'sf read 5000000 100000 10',
'md.b 5000000 10'])
assert 'Old' in ''.join(output)
# place a capsule file
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 %s/Test12' % CAPSULE_DATA_DIR,
'fatwrite host 0:1 4000000 %s/Test12 $filesize'
% CAPSULE_INSTALL_DIR,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test12' in ''.join(output)
# reboot
mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
+ '/test_sig.dtb'
u_boot_console.restart_uboot()
capsule_early = u_boot_config.buildconfig.get(
'config_efi_capsule_on_disk_early')
with u_boot_console.log.section('Test Case 2-b, after reboot'):
if not capsule_early:
# make sure that dfu_alt_info exists even persistent variables
# are not available.
output = u_boot_console.run_command_list([
'env set dfu_alt_info '
'"sf 0:0=u-boot-bin raw 0x100000 '
'0x50000;u-boot-env raw 0x150000 0x200000"',
'host bind 0 %s' % disk_img,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test12' in ''.join(output)
# need to run uefi command to initiate capsule handling
output = u_boot_console.run_command(
'env print -e Capsule0000')
# deleted any way
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test12' not in ''.join(output)
# TODO: check CapsuleStatus in CapsuleXXXX
output = u_boot_console.run_command_list([
'sf probe 0:0',
'sf read 4000000 100000 10',
'md.b 4000000 10'])
assert 'u-boot:Old' in ''.join(output)
def test_efi_capsule_auth3(
self, u_boot_config, u_boot_console, efi_capsule_data):
"""
Test Case 3 - Update U-Boot on SPI Flash, raw image format
0x100000-0x150000: U-Boot binary (but dummy)
If the capsule is not signed, the authentication
should fail and the firmware not be updated.
"""
disk_img = efi_capsule_data
with u_boot_console.log.section('Test Case 3-a, before reboot'):
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'efidebug boot add -b 1 TEST host 0:1 /helloworld.efi',
'efidebug boot order 1',
'env set -e -nv -bs -rt OsIndications =0x0000000000000004',
'env set dfu_alt_info '
'"sf 0:0=u-boot-bin raw 0x100000 '
'0x50000;u-boot-env raw 0x150000 0x200000"',
'env save'])
# initialize content
output = u_boot_console.run_command_list([
'sf probe 0:0',
'fatload host 0:1 4000000 %s/u-boot.bin.old'
% CAPSULE_DATA_DIR,
'sf write 4000000 100000 10',
'sf read 5000000 100000 10',
'md.b 5000000 10'])
assert 'Old' in ''.join(output)
# place a capsule file
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 %s/Test02' % CAPSULE_DATA_DIR,
'fatwrite host 0:1 4000000 %s/Test02 $filesize'
% CAPSULE_INSTALL_DIR,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test02' in ''.join(output)
# reboot
mnt_point = u_boot_config.persistent_data_dir + '/test_efi_capsule'
u_boot_console.config.dtb = mnt_point + CAPSULE_DATA_DIR \
+ '/test_sig.dtb'
u_boot_console.restart_uboot()
capsule_early = u_boot_config.buildconfig.get(
'config_efi_capsule_on_disk_early')
with u_boot_console.log.section('Test Case 3-b, after reboot'):
if not capsule_early:
# make sure that dfu_alt_info exists even persistent variables
# are not available.
output = u_boot_console.run_command_list([
'env set dfu_alt_info '
'"sf 0:0=u-boot-bin raw 0x100000 '
'0x50000;u-boot-env raw 0x150000 0x200000"',
'host bind 0 %s' % disk_img,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test02' in ''.join(output)
# need to run uefi command to initiate capsule handling
output = u_boot_console.run_command(
'env print -e Capsule0000')
# deleted any way
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatls host 0:1 %s' % CAPSULE_INSTALL_DIR])
assert 'Test02' not in ''.join(output)
# TODO: check CapsuleStatus in CapsuleXXXX
output = u_boot_console.run_command_list([
'sf probe 0:0',
'sf read 4000000 100000 10',
'md.b 4000000 10'])
assert 'u-boot:Old' in ''.join(output)

30
test/py/tests/test_efi_secboot/test_signed.py
View file

@ -186,7 +186,7 @@ class TestEfiSignedImage(object):
assert 'Hello, world!' in ''.join(output)
with u_boot_console.log.section('Test Case 5c'):
# Test Case 5c, not rejected if one of signatures (digest of
# Test Case 5c, rejected if one of signatures (digest of
# certificate) is revoked
output = u_boot_console.run_command_list([
'fatload host 0:1 4000000 dbx_hash.auth',
@ -195,7 +195,8 @@ class TestEfiSignedImage(object):
output = u_boot_console.run_command_list([
'efidebug boot next 1',
'efidebug test bootmgr'])
assert 'Hello, world!' in ''.join(output)
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
with u_boot_console.log.section('Test Case 5d'):
# Test Case 5d, rejected if both of signatures are revoked
@ -209,6 +210,31 @@ class TestEfiSignedImage(object):
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
# Try rejection in reverse order.
u_boot_console.restart_uboot()
with u_boot_console.log.section('Test Case 5e'):
# Test Case 5e, authenticated even if only one of signatures
# is verified. Same as before but reject dbx_hash1.auth only
output = u_boot_console.run_command_list([
'host bind 0 %s' % disk_img,
'fatload host 0:1 4000000 db.auth',
'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
'fatload host 0:1 4000000 KEK.auth',
'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
'fatload host 0:1 4000000 PK.auth',
'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
'fatload host 0:1 4000000 db1.auth',
'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db',
'fatload host 0:1 4000000 dbx_hash1.auth',
'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx'])
assert 'Failed to set EFI variable' not in ''.join(output)
output = u_boot_console.run_command_list([
'efidebug boot add -b 1 HELLO host 0:1 /helloworld.efi.signed_2sigs -s ""',
'efidebug boot next 1',
'efidebug test bootmgr'])
assert '\'HELLO\' failed' in ''.join(output)
assert 'efi_start_image() returned: 26' in ''.join(output)
def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env):
"""
Test Case 6 - using digest of signed image in database