From df2a0fcccf42028449aa59cd8f755e8e85f5af6d Mon Sep 17 00:00:00 2001
From: Denis Pynkin <denis.pynkin@collabora.com>
Date: Tue, 10 Mar 2020 19:47:41 +0300
Subject: [PATCH] Add manual test of SabreLite secure boot

This test ensures:
- U-Boot is compiled with HAB and FIT support
- SRK hash is fused and U-Boot is signed ('hab_status' call)
- U-Boot is able to verify signed OS image in FIT format
- U-Boot hangs in case if we try to boot with unsigned binary

Unfortunately the DUT in "open" mode assume any signature as valid,
hence it is not possible to check the boot hang for FIT image signed
with incorrect key -- the HW return 'success' while checking signature.

If the system is in 'closed' state then it is able to use incorrect
signature for the image, for example taken from document
"High Assurance Boot (HAB) for dummies" by Boundary Devises:
https://boundarydevices.com/high-assurance-boot-hab-dummies/

To check if the system is in "closed" state:
  => fuse read 0 6
     Reading bank 0:

     Word 0x00000006: 00000012

the last digit must be "2".

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
---
 test-cases/secure-boot-imx6.yaml | 70 ++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 test-cases/secure-boot-imx6.yaml

diff --git a/test-cases/secure-boot-imx6.yaml b/test-cases/secure-boot-imx6.yaml
new file mode 100644
index 0000000..2f8b1fa
--- /dev/null
+++ b/test-cases/secure-boot-imx6.yaml
@@ -0,0 +1,70 @@
+metadata:
+  name: secure-boot-imx6
+  format: "Apertis Test Definition 1.0"
+  image-types:
+    minimal: [ armhf ]
+  image-deployment:
+    - OSTree
+  type: functional
+  exec-type: manual
+  priority: medium
+  maintainer: "Apertis Project"
+  description: "Test that Secure Boot via HAB on the SabreLite board works for bootloader and
+                initial OS image in FIT format."
+
+  pre-conditions:
+    - "Requires the DUT to be flashed with a signed U-Boot built with HAB and FIT image support
+      as provided since version 2019.01+dfsg-7co6. U-Boot could be installed with
+      [public U-Boot installer v2021dev1.0](https://images.apertis.org/release/v2021dev1/v2021dev1.0/installer/mx6qsabrelite-uboot/)
+      or any newer version."
+    - "Requires a DUT with fused SRK hash (it's a irreversible operation! Please refer to the documentation)"
+    - 'It is expected that DUT is working in "open" HAB mode'
+    - "In addition need to use image without signed kernel, for example older OSTree-based image
+      from [v2019 release](https://images.apertis.org/release/v2019/v2019.2/armhf/minimal/)"
+
+  expected:
+    - "U-Boot is booted without HAB validation errors"
+    - "U-Boot is able to verify and boot signed FIT image"
+    - 'U-Boot hangs in "closed" state trying to boot with unsigned image'
+
+  notes:
+    - 'All commands should be typed in U-Boot CLI'
+    - 'In the "open" mode HAB will accept the FIT image signed with any signature'
+
+run:
+  steps:
+    - "Stop in U-Boot prompt"
+    - "Check if flashed U-Boot have HAB support and correct SRK hash fused"
+    - $ hab_status
+    - |
+        >Secure boot disabled
+
+        HAB Configuration: 0xf0, HAB State: 0x66
+        No HAB Events Found!
+    - "Insert SD-card with flashed Apertis OSTree-based armhf image and start the boot process"
+    - $ run bootcmd
+    - "The output must contain following output while loading the image, meaning the Secure Boot is enabled and the image
+       is signed with the proper signature"
+    - |
+        >hab fuse not enabled
+
+        Authenticate image from DDR location 0x12000000...
+
+        Secure boot disabled
+
+        HAB Configuration: 0xf0, HAB State: 0x66
+        No HAB Events Found!
+
+        i.MX HAB verification: image verification passed
+        ## Loading kernel from FIT Image at 12000000 ...
+    - "Switch off the DUT to clear any signature-related artifacts from the memory"
+    - "Power on the device and stop in U-Boot prompt"
+    - "Emulate that device is in 'closed' state:"
+    - $ fuse override 0 6 0x2
+    - "Swap the SD-card to another one with flashed old Apertis armhf image with the unsigned kernel, and start the boot process"
+    - $ run bootcmd
+    - "The system should be stopped just after kernel load with error below"
+    - |
+        >i.MX HAB verification: IVT not found
+        ### ERROR ### Please RESET the board ###
+
-- 
GitLab