u-boot/tools/binman/test/Makefile
Quentin Schulz 564c6682fa tools: binman: fit: add tests for signing with an OpenSSL engine
This adds a test that signs a FIT and verifies the signature with
fit_check_sign.

OpenSSL engines are typically for signing with external HW so it's not
that straight-forward to simulate.

For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA
4096 private key is made available. It can be selected by setting the
OpenSSL engine argument to dummy-rsa-engine. This can only be done if
the engine is detected by OpenSSL, which works by setting the
OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine
is properly implementing what is expected from an RSA engine, but it
seems to be enough for testing.

For a simple PKCS11 engine, SoftHSMv2 is used, which allows doing PKCS11
without specific hardware. The keypairs and tokens are generated on the
fly. The "prod" token is generated with a different PIN (1234 instead of
1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it.

Binman will not mess with the local SoftHSMv2 setup as it will only use
tokens from a per-test temporary directory enforced via the temporary
configuration file set via SOFTHSM2_CONF env variable in the tests. The
files created in the input dir should NOT be named the same as it is
shared between all tests in the same process (which is all tests when
running binman with -P 1 or with -T).

Once signed, it's checked with fit_check_sign with the associated
certificate.

Finally, a new softhsm2_util bintool is added so that we can initialize
the token and import keypairs. On Debian, the package also brings
libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It
is not the only package required though, as it also needs p11-kit and
libengine-pkcs11-openssl (the latter bringing the former). We can detect
if it's properly installed by running openssl engine dynamic -c pkcs11.
If that fails, we simply skip the test.
The package is installed in the CI container by default.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
2025-12-06 11:43:08 -06:00


#
# Builds test programs. This is launched from elf_test.BuildElfTestFiles()
#
# Copyright (C) 2017 Google, Inc
# Written by Simon Glass <sjg@chromium.org>
#
# SPDX-License-Identifier: GPL-2.0+
#

HOSTARCH := $(shell uname -m | sed -e s/i.86/x86/ )
ifeq ($(findstring $(HOSTARCH),"x86" "x86_64"),)
ifeq ($(findstring $(MAKECMDGOALS),"help" "clean"),)
ifndef CROSS_COMPILE
$(error Binman tests need to compile to x86, but the CPU arch of your \
	machine is $(HOSTARCH). Set CROSS_COMPILE to a suitable cross compiler)
endif
endif
endif

CC = $(CROSS_COMPILE)gcc
OBJCOPY = $(CROSS_COMPILE)objcopy

VPATH := $(SRC)
CFLAGS := -march=i386 -m32 -nostdlib -I $(SRC)../../../include -I $(SRC) \
	-Wl,--no-dynamic-linker

LDS_UCODE := -T $(SRC)u_boot_ucode_ptr.lds
LDS_BINMAN := -T $(SRC)u_boot_binman_syms.lds
LDS_BINMAN_BAD := -T $(SRC)u_boot_binman_syms_bad.lds
LDS_BINMAN_X86 := -T $(SRC)u_boot_binman_syms_x86.lds
LDS_BINMAN_EMBED := -T $(SRC)u_boot_binman_embed.lds
LDS_EFL_SECTIONS := -T $(SRC)elf_sections.lds
LDS_BLOB := -T $(SRC)blob_syms.lds

TARGETS = u_boot_ucode_ptr u_boot_no_ucode_ptr bss_data bss_data_zero \
	u_boot_binman_syms u_boot_binman_syms.bin u_boot_binman_syms_bad \
	u_boot_binman_syms_size u_boot_binman_syms_x86 embed_data \
	u_boot_binman_embed u_boot_binman_embed_sm elf_sections blob_syms.bin \
	dummy-rsa-engine.so

all: $(TARGETS)

u_boot_no_ucode_ptr: CFLAGS += $(LDS_UCODE)
u_boot_no_ucode_ptr: u_boot_no_ucode_ptr.c

u_boot_ucode_ptr: CFLAGS += $(LDS_UCODE)
u_boot_ucode_ptr: u_boot_ucode_ptr.c

bss_data: CFLAGS += $(SRC)bss_data.lds
bss_data: bss_data.c

bss_data_zero: CFLAGS += $(SRC)bss_data_zero.lds
bss_data_zero: bss_data_zero.c

embed_data: CFLAGS += $(SRC)embed_data.lds
embed_data: embed_data.c

u_boot_binman_syms.bin: u_boot_binman_syms
	$(OBJCOPY) -O binary $< -R .note.gnu.build-id $@

u_boot_binman_syms: CFLAGS += $(LDS_BINMAN)
u_boot_binman_syms: u_boot_binman_syms.c

u_boot_binman_syms_x86: CFLAGS += $(LDS_BINMAN_X86)
u_boot_binman_syms_x86: u_boot_binman_syms_x86.c

u_boot_binman_syms_bad: CFLAGS += $(LDS_BINMAN_BAD)
u_boot_binman_syms_bad: u_boot_binman_syms_bad.c

u_boot_binman_syms_size: CFLAGS += $(LDS_BINMAN)
u_boot_binman_syms_size: u_boot_binman_syms_size.c

u_boot_binman_embed: CFLAGS += $(LDS_BINMAN_EMBED)
u_boot_binman_embed: u_boot_binman_embed.c

u_boot_binman_embed_sm: CFLAGS += $(LDS_BINMAN_EMBED)
u_boot_binman_embed_sm: u_boot_binman_embed_sm.c

blob_syms.bin: blob_syms
	$(OBJCOPY) -O binary $< -R .note.gnu.build-id $@

blob_syms: CFLAGS += $(LDS_BLOB)
blob_syms: blob_syms.c

elf_sections: CFLAGS += $(LDS_EFL_SECTIONS)
elf_sections: elf_sections.c

# The dummy RSA engine is a host shared object that OpenSSL dlopen()s, so it
# deliberately does not use the i386 CFLAGS above. The libraries are listed
# after the source so that linkers defaulting to --as-needed keep them.
dummy-rsa-engine.so: dummy-rsa-engine.c
	$(CC) -fPIC -shared -o $@ $< -lcrypto -lssl

clean:
	rm -f $(TARGETS)

help:
	@echo "Makefile for binman test programs"
	@echo
	@echo "Intended for use on x86 hosts"
	@echo
	@echo "Targets:"
	@echo
	@printf "\thelp - Print help (this is it!)\n"
	@printf "\tall - Builds test programs (default target)\n"
	@printf "\tclean - Delete output files\n"
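The commit message above describes how the test keeps SoftHSMv2 state private to one test (a temporary directory selected through `SOFTHSM2_CONF`), how the dummy engine is made discoverable (`OPENSSL_ENGINES`), how the `prod` token's PIN is handed to mkimage (`MKIMAGE_SIGN_PIN`) and how the test is skipped when `openssl engine dynamic -c pkcs11` fails. The following is an added example of that setup logic, not binman's own test code: the function names (`softhsm2_conf_text`, `new_test_dir`, `make_softhsm_env`, `have_pkcs11_engine`, `sign_env`) are assumptions, the `softhsm2.conf` keys are the standard SoftHSMv2 ones, and the engine check assumes `openssl` is on `PATH`.

```python
import os
import shutil
import subprocess
import tempfile


def softhsm2_conf_text(tokendir):
    """Contents of a minimal softhsm2.conf keeping all token state under
    tokendir. Keys are the standard SoftHSMv2 ones (assumption: no other
    settings are needed for a test token)."""
    return (f'directories.tokendir = {tokendir}\n'
            'objectstore.backend = file\n'
            'log.level = ERROR\n')


def new_test_dir():
    """Fresh private directory for one test (stands in for binman's tmpdir)."""
    return tempfile.mkdtemp(prefix='binman-softhsm-')


def make_softhsm_env(base_dir, engines_dir=None):
    """Create a token directory and a softhsm2.conf under base_dir and return
    a copy of the environment that points SoftHSMv2 at them, so the host's
    own tokens are never read or modified. engines_dir, if given, is the
    directory holding engine .so files such as dummy-rsa-engine.so."""
    tokendir = os.path.join(base_dir, 'tokens')
    os.makedirs(tokendir, exist_ok=True)
    conf_path = os.path.join(base_dir, 'softhsm2.conf')
    with open(conf_path, 'w', encoding='utf-8') as fd:
        fd.write(softhsm2_conf_text(tokendir))
    env = dict(os.environ)
    env['SOFTHSM2_CONF'] = conf_path
    if engines_dir is not None:
        env['OPENSSL_ENGINES'] = engines_dir
    return env


def have_pkcs11_engine(env=None):
    """True if 'openssl engine dynamic -c pkcs11' succeeds in env, i.e. the
    pkcs11 engine and its module can be loaded. False otherwise (including
    when openssl itself is missing), which is the case where the signing
    test should be skipped rather than fail."""
    if shutil.which('openssl') is None:
        return False
    try:
        res = subprocess.run(['openssl', 'engine', 'dynamic', '-c', 'pkcs11'],
                             capture_output=True, text=True, env=env,
                             timeout=30, check=False)
    except (OSError, subprocess.SubprocessError):
        return False
    return res.returncode == 0


def sign_env(env, pin):
    """Return a copy of env with MKIMAGE_SIGN_PIN set, so mkimage can unlock
    a token whose PIN is not the default one (the 'prod' token in the commit
    message uses 1234 instead of 1111). The caller's env is left untouched."""
    out = dict(env)
    out['MKIMAGE_SIGN_PIN'] = str(pin)
    return out


if __name__ == '__main__':
    # Constructed walk-through: isolate SoftHSMv2, decide whether to skip.
    base = new_test_dir()
    env = make_softhsm_env(base, engines_dir=os.path.join(base, 'engines'))
    print('SOFTHSM2_CONF =', env['SOFTHSM2_CONF'])
    if not have_pkcs11_engine(env):
        print('pkcs11 engine not loadable here; a test would be skipped')
    else:
        print('pkcs11 engine available; prod-token env has pin',
              sign_env(env, 1234)['MKIMAGE_SIGN_PIN'])
```

In a test the pattern is: build `env` once per test from its own temporary directory, call `have_pkcs11_engine(env)` and skip if it returns False, then pass `sign_env(env, pin)` to the mkimage/softhsm2-util invocations so the PIN never needs to be on the command line.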