From f764e51552d742798ddae7981c1f0565381710a5 Mon Sep 17 00:00:00 2001
From: Denis Pynkin <denis.pynkin@collabora.com>
Date: Tue, 14 Apr 2020 15:29:32 +0300
Subject: [PATCH] secure-boot-imx6: allow limited testing with open DUT

Allow using the board without a fused Apertis SRK for limited
testing -- without validation of the signed U-Boot.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
---
 test-cases/secure-boot-imx6.yaml | 37 +++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 8 deletions(-)

diff --git a/test-cases/secure-boot-imx6.yaml b/test-cases/secure-boot-imx6.yaml
index 2f8b1fa..6d4e908 100644
--- a/test-cases/secure-boot-imx6.yaml
+++ b/test-cases/secure-boot-imx6.yaml
@@ -17,13 +17,14 @@ metadata:
       as provided since version 2019.01+dfsg-7co6. U-Boot could be installed with
       [public U-Boot installer v2021dev1.0](https://images.apertis.org/release/v2021dev1/v2021dev1.0/installer/mx6qsabrelite-uboot/)
       or any newer version."
-    - "Requires a DUT with fused SRK hash (it's a irreversible operation! Please refer to the documentation)"
+    - "Requires a DUT with fused SRK hash (it's a irreversible operation! Please refer to the documentation).
+      Or use additional step for 'emulation' if fusing is not possible. Skip it if the board has fused SRK."
     - 'It is expected that DUT is working in "open" HAB mode'
     - "In addition need to use image without signed kernel, for example older OSTree-based image
       from [v2019 release](https://images.apertis.org/release/v2019/v2019.2/armhf/minimal/)"
 
   expected:
-    - "U-Boot is booted without HAB validation errors"
+    - "Only for devices with fused SRK: U-Boot is signed with a proper signature and ready to be flashed to closed dvices"
     - "U-Boot is able to verify and boot signed FIT image"
     - 'U-Boot hangs in "closed" state trying to boot with unsigned image'
 
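Review bot: The new expected entry misspells "devices" as "dvices", and it replaces "U-Boot is booted without HAB validation errors" with a statement that applies only to fused boards, so the expected list no longer says what a tester using the override path should see from the first `hab_status` check. Consider keeping an expectation that covers both cases (for example, that `hab_status` reports no HAB events) and adding the fused-only statement beside it. In the pre-conditions entry, "Skip it if the board has fused SRK" would read more clearly as "Skip that step if ...", and "a irreversible" could become "an irreversible" while the line is being touched.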
@@ -34,10 +35,22 @@ metadata:
 run:
   steps:
     - "Stop in U-Boot prompt"
+    - "**This step is needed only for devices without fused SRK hash** -- emulate the fused Apertis SRK:"
+    - |
+        >fuse override 3 0 0xAABBCCDD
+        fuse override 3 1 0x519690F5
+        fuse override 3 2 0xE844EB48
+        fuse override 3 3 0x179B1826
+        fuse override 3 4 0xEC0F8D7C
+        fuse override 3 5 0x2F209598
+        fuse override 3 6 0x9A98BE3
+        fuse override 3 7 0xAAD9B3D6
+    - "Emulate that device is in 'closed' state:"
+    - $ fuse override 0 6 0x2
     - "Check if flashed U-Boot have HAB support and correct SRK hash fused"
     - $ hab_status
     - |
-        >Secure boot disabled
+        >Secure boot enabled
 
         HAB Configuration: 0xf0, HAB State: 0x66
         No HAB Events Found!
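Review bot: In the added SRK block, word 6 is written as `0x9A98BE3`, seven hex digits where every other word has eight, and word 0 is `0xAABBCCDD`, which reads like a placeholder pattern. Please confirm both against the real Apertis SRK hash and zero-pad word 6 if the value is intended, since a mistyped word would be expected to show up as HAB events in the `hab_status` check that follows. The block also uses the `>` multi-line form that this file uses for expected output, while the commands around it use `$`; listing each `fuse override` as its own `$` step would make it clear these are typed. The 'closed' emulation step could also state whether it applies to boards with a fused SRK, given the pre-condition that the DUT works in "open" HAB mode.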
@@ -46,19 +59,27 @@ run:
     - "The output must contain following output while loading the image, meaning the Secure Boot is enabled and the image
        is signed with the proper signature"
     - |
-        >hab fuse not enabled
+        >Authenticate image from DDR location 0x12000000...
 
-        Authenticate image from DDR location 0x12000000...
-
-        Secure boot disabled
+        Secure boot enabled
 
         HAB Configuration: 0xf0, HAB State: 0x66
         No HAB Events Found!
-
+        
         i.MX HAB verification: image verification passed
         ## Loading kernel from FIT Image at 12000000 ...
     - "Switch off the DUT to clear any signature-related artifacts from the memory"
     - "Power on the device and stop in U-Boot prompt"
+    - "**This step is needed only for devices without fused SRK hash** -- emulate the fused Apertis SRK:"
+    - |
+        >fuse override 3 0 0xAABBCCDD
+        fuse override 3 1 0x519690F5
+        fuse override 3 2 0xE844EB48
+        fuse override 3 3 0x179B1826
+        fuse override 3 4 0xEC0F8D7C
+        fuse override 3 5 0x2F209598
+        fuse override 3 6 0x9A98BE3
+        fuse override 3 7 0xAAD9B3D6
     - "Emulate that device is in 'closed' state:"
     - $ fuse override 0 6 0x2
     - "Swap the SD-card to another one with flashed old Apertis armhf image with the unsigned kernel, and start the boot process"
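Review bot: The blank line in the expected-output block, just before "i.MX HAB verification: image verification passed", is replaced by a line holding only indentation, which introduces trailing whitespace; keep the empty line as it was. The SRK override block added after "Power on the device and stop in U-Boot prompt" is a verbatim copy of the one earlier in the steps, including word 6 as `0x9A98BE3` with seven hex digits where the other words have eight, so any correction has to be made in both copies. It would help if the step text said why the override is entered again after the power cycle, so the repetition reads as intentional.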
-- 
GitLab