From ff5618c7c030990974bd9c479d4ca4e9d5a721b6 Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito
Date: Mon, 8 May 2023 08:23:11 -0400
Subject: src/ukify/test/test_ukify: add pesign unit test
Signed-off-by: Emanuele Giuseppe Esposito
---
 src/ukify/test/test_ukify.py | 55 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 53 insertions(+), 2 deletions(-)
(limited to 'src/ukify')
diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
index d221825019..7af4c7d0c2 100755
--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@@ -219,12 +219,15 @@ def test_config_priority(tmp_path):
 DeviceTree = some/path2
 Splash = some/path3
 Uname = 1.2.3
- EFIArch=arm
+ EFIArch = arm
 Stub = some/path4
 PCRBanks = sha512,sha1
 SigningEngine = engine1
+ SignTool = pesign
 SecureBootPrivateKey = some/path5
 SecureBootCertificate = some/path6
+ SecureBootCertificateDir = some/path7
+ SecureBootCertificateName = some/name1
 SignKernel = no

 [PCRSignature:NAME]
@@ -246,8 +249,11 @@ def test_config_priority(tmp_path):
 '--pcr-public-key=PKEY2',
 '--pcr-banks=SHA1,SHA256',
 '--signing-engine=ENGINE',
+ '--signtool=pesign',
 '--secureboot-private-key=SBKEY',
 '--secureboot-certificate=SBCERT',
+ '--secureboot-certificate-dir=SBPATH',
+ '--secureboot-certificate-name=SBNAME',
 '--sign-kernel',
 '--no-sign-kernel',
 '--tools=TOOLZ///',
@@ -277,8 +283,11 @@ def test_config_priority(tmp_path):
 pathlib.Path('some/path8')]
 assert opts.pcr_banks == ['SHA1', 'SHA256']
 assert opts.signing_engine == 'ENGINE'
+ assert opts.signtool == 'pesign'
 assert opts.sb_key == 'SBKEY'
 assert opts.sb_cert == 'SBCERT'
+ assert opts.sb_certdir == 'SBPATH'
+ assert opts.sb_cert_name == 'SBNAME'
 assert opts.sign_kernel is False
 assert opts.tools == [pathlib.Path('TOOLZ/')]
 assert opts.output == pathlib.Path('OUTPUT')
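Review bot: `SignTool = pesign` in the config block and `--signtool=pesign` on the command line carry the same value, so the later `assert opts.signtool == 'pesign'` passes whether or not the command line actually overrides the config, which is the property this test exists to check; every other option here deliberately uses distinct values for that reason (engine1 vs ENGINE, some/path5 vs SBKEY, some/path7 vs SBPATH). Change the config line to `SignTool = sbsign` so the assertion only passes when CLI priority holds, assuming the config parser accepts the same choices as the command-line option does. The enclosing test_config_priority and its config string start before this hunk.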
@@ -408,7 +417,7 @@ def test_uname_scraping(kernel_initrd):
 uname = ukify.Uname.scrape(kernel_initrd[0])
 assert re.match(r'\d+\.\d+\.\d+', uname)

-def test_efi_signing(kernel_initrd, tmpdir):
+def test_efi_signing_sbsign(kernel_initrd, tmpdir):
 if kernel_initrd is None:
 pytest.skip('linux+initrd not found')
 if not shutil.which('sbsign'):
@@ -445,6 +454,48 @@ def test_efi_signing(kernel_initrd, tmpdir):
 assert 'Signature verification OK' in dump
+def test_efi_signing_pesign(kernel_initrd, tmpdir):
+ if kernel_initrd is None:
+ pytest.skip('linux+initrd not found')
+ if not shutil.which('pesign'):
+ pytest.skip('pesign not found')
+
+ nss_db = f'{tmpdir}/nss_db'
+ name = 'Test_Secureboot'
+ author = 'systemd'
+
+ subprocess.check_call(['mkdir', '-p', nss_db])
+ cmd = f'certutil -N --empty-password -d {nss_db}'.split(' ')
+ subprocess.check_call(cmd)
+ cmd = f'efikeygen -d {nss_db} -S -k -c CN={author} -n {name}'.split(' ')
+ subprocess.check_call(cmd)
+
+ output = f'{tmpdir}/signed.efi'
+ opts = ukify.parse_args([
+ *kernel_initrd,
+ f'--output={output}',
+ '--uname=1.2.3',
+ '--signtool=pesign',
+ '--cmdline=ARG1 ARG2 ARG3',
+ f'--secureboot-certificate-name={name}',
+ f'--secureboot-certificate-dir={nss_db}',
+ ])
+
+ try:
+ ukify.check_inputs(opts)
+ except OSError as e:
+ pytest.skip(str(e))
+
+ ukify.make_uki(opts)
+
+ # let's check that sbverify likes the resulting file
+ dump = subprocess.check_output([
+ 'pesign', '-S',
+ '-i', output,
+ ], text=True)
+
+ assert f"The signer's common name is {author}" in dump
+
 def test_pcr_signing(kernel_initrd, tmpdir):
 if kernel_initrd is None:
 pytest.skip('linux+initrd not found')
-- cgit v1.2.1
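Review bot: The skip guards at the top of test_efi_signing_pesign only check for `pesign`, but the setup then shells out to `certutil` and `efikeygen` unconditionally, so on a host that has pesign without the NSS tools `check_call` raises FileNotFoundError and the test errors instead of skipping like its sbsign sibling. Both of those commands are also assembled with `str.split(' ')` on an f-string, which silently splits a `tmpdir` containing a space into two argv entries; pass argument lists directly, and create the NSS directory with pathlib (already used in this file) rather than a `mkdir -p` subprocess. The comment `# let's check that sbverify likes the resulting file` was copied from the sbsign test and should read `# let's check that pesign lists our self-signed test cert as the signer`; as far as I can tell `pesign -S` only lists signers and does not cryptographically verify the signature, so this check is weaker than the sbverify one and worth a note to that effect.
```python
def test_efi_signing_pesign(kernel_initrd, tmpdir):
    if kernel_initrd is None:
        pytest.skip('linux+initrd not found')
    for tool in ('pesign', 'certutil', 'efikeygen'):
        if not shutil.which(tool):
            pytest.skip(f'{tool} not found')

    nss_db = f'{tmpdir}/nss_db'
    name = 'Test_Secureboot'
    author = 'systemd'

    # argv lists, not str.split(): a tmpdir with a space would otherwise be cut in two
    pathlib.Path(nss_db).mkdir(parents=True, exist_ok=True)
    subprocess.check_call(['certutil', '-N', '--empty-password', '-d', nss_db])
    subprocess.check_call(['efikeygen', '-d', nss_db, '-S', '-k', '-c', f'CN={author}', '-n', name])

    # … unchanged: parse_args, check_inputs/skip, make_uki …

    # let's check that pesign lists our self-signed test cert as the signer
    # (pesign -S shows signers; it does not by itself validate the signature)
    dump = subprocess.check_output(['pesign', '-S', '-i', output], text=True)
```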