Strona główna Odkrywaj Pomoc
Zaloguj się
RT-Thread-packages
/
esp-idf
kopia lustrzana https://github-proxy.rt-thread.io/RT-Thread-packages/esp-idf.git
2
0
Forkuj 0
Pliki Problemy 0 Wiki
Gałąź: master
Gałęzie Tagi
esp-idf
/
tools
/
test_apps
/
security
/
secure_boot
/
pytest_secure_boot.py

pytest_secure_boot.py 8.1 KB
Bezpośredni odnośnik Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218 
  1. # SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
    2. 

  2. # SPDX-License-Identifier: Unlicense OR CC0-1.0
    3. 

  3. from __future__ import print_function
    4. 

  4. 

  5. import os
    6. 

  6. import struct
    7. 

  7. import zlib
    8. 

  8. 

  9. import pytest
    10. 

  10. from pytest_embedded import Dut
    11. 

  11. 

  12. # To prepare a runner for these tests,
    13. 

  13. # 1. Connect an FPGA with C3 image
    14. 

  14. # 2. Use a COM port for programming and export it as ESPPORT
    15. 

  15. #    e.g export ESPPORT=/dev/ttyUSB0
    16. 

  16. # 3. Use another COM port for resetting efuses and connect its DTR pin to efuse reset pin on the FPGA board.
    17. 

  17. #    Export it as EFUSEPORT
    18. 

  18. #    e.g export EFUSEPORT=/dev/ttyUSB1
    19. 

  19. # 4. Run these tests
    20. 

  20. 

  21. 

  22. def corrupt_signature(signed_bootloader, seed=0, corrupt_sig=True, corrupt_crc=False, corrupt_single_block=None):
    23. 

  23.     # type: (bytes, int, bool, bool, int) -> bytes
    24. 

  24.     image = signed_bootloader[:-4096]
    25. 

  25.     signature = signed_bootloader[-4096:]
    26. 

  26.     sig_blocks = (signature[0:1216], signature[1216:2432], signature[2432:3648])
    27. 

  27.     new_blocks = tuple(corrupt_sig_block(s, seed, corrupt_sig, corrupt_crc) for s in sig_blocks)
    28. 

  28. 

  29.     # if corrupt_single_block is None, corrupt all blocks
    30. 

  30.     # otherwise, only corrupt the one with that index set
    31. 

  31.     corr_sig_blocks = tuple(new_blocks[n] if corrupt_single_block in [None, n] else sig_blocks[n] for n in range(3))
    32. 

  32. 

  33.     return image + b''.join(corr_sig_blocks) + signature[3648:]
    34. 

  34. 

  35. 

  36. def corrupt_sig_block(sig_block, seed=0, corrupt_sig=True, corrupt_crc=False):
    37. 

  37.     # type: (bytes, int, bool, bool) -> bytes
    38. 

  38.     assert len(sig_block) == 1216
    39. 

  39.     magic = sig_block[0]
    40. 

  40.     assert magic in [0xe7, 0xff]
    41. 

  41.     if magic != 0xe7:
    42. 

  42.         return sig_block  # not valid
    43. 

  43.     data = sig_block[:812]
    44. 

  44.     new_sig = sig = sig_block[812:1196]
    45. 

  45.     crc = sig_block[1196:1200]
    46. 

  46.     padding = sig_block[1200:1216]
    47. 

  47. 

  48.     if corrupt_sig:
    49. 

  49.         corrupt_idx = seed % len(sig)
    50. 

  50.         corrupt_delta = zlib.crc32(bytes(seed)) & 0xFF
    51. 

  51.         if corrupt_delta == 0:
    52. 

  52.             corrupt_delta = 1
    53. 

  53. 

  54.         new_byte = sig[corrupt_idx] ^ corrupt_delta
    55. 

  55. 

  56.         new_sig = sig[0:corrupt_idx] + bytes([new_byte]) + sig[corrupt_idx + 1:]
    57. 

  57. 

  58.         assert new_sig != sig
    59. 

  59. 

  60.     if not corrupt_crc:
    61. 

  61.         crc = struct.pack('<I', zlib.crc32(data + new_sig) & 0xffffffff)
    62. 

  62.     else:
    63. 

  63.         crc = struct.pack('<I', zlib.crc32(crc))
    64. 

  64. 

  65.     result = data + new_sig + crc + padding
    66. 

  66.     assert len(result) == len(sig_block)
    67. 

  67.     return result
    68. 

  68. 

  69. 

  70. def dut_start_secure_app(dut: Dut) -> None:
    71. 

  71.     dut.serial.erase_app_header()
    72. 

  72.     dut.serial.reset_efuses()
    73. 

  73.     dut.burn_wafer_version()
    74. 

  74. 

  75.     dut.serial.bootloader_flash(os.path.join(dut.app.binary_path, 'bootloader/bootloader.bin'))
    76. 

  76.     dut.serial.partition_table_flash(os.path.join(dut.app.binary_path, 'partition_table/partition-table.bin'))
    77. 

  77.     dut.serial.app_flash(os.path.join(dut.app.binary_path, 'secure_boot.bin'))
    78. 

  78. 

  79. 

  80. # Test secure boot flow.
    81. 

  81. # Correctly signed bootloader + correctly signed app should work
    82. 

  82. @pytest.mark.esp32c3
    83. 

  83. @pytest.mark.esp32s3
    84. 

  84. @pytest.mark.esp32p4
    85. 

  85. def test_examples_security_secure_boot(dut: Dut) -> None:
    86. 

  86.     dut_start_secure_app(dut)
    87. 

  87.     dut.expect('Secure Boot is enabled', timeout=10)
    88. 

  88.     dut.serial.reset_efuses()
    89. 

  89.     dut.burn_wafer_version()
    90. 

  90. 

  91. 

  92. # Test efuse key index and key block combination.
    93. 

  93. # Any key index can be written to any key block and should work
    94. 

  94. @pytest.mark.esp32c3
    95. 

  95. @pytest.mark.esp32s3
    96. 

  96. @pytest.mark.esp32p4
    97. 

  97. # Increasing the test timeout to 1200s as the test runs for 18 iterations
    98. 

  98. # and thus the default 600s timeout is not sufficient
    99. 

  99. @pytest.mark.timeout(1200)
    100. 

  100. def test_examples_security_secure_boot_key_combo(dut: Dut) -> None:
    101. 

  101.     dut_start_secure_app(dut)
    102. 

  102.     dut.expect('Secure Boot is enabled', timeout=10)
    103. 

  103.     for index in range(3):
    104. 

  104.         for block in range(6):
    105. 

  105.             dut.serial.reset_efuses()
    106. 

  106.             dut.burn_wafer_version()
    107. 

  107.             dut.secure_boot_burn_en_bit()
    108. 

  108.             dut.secure_boot_burn_digest('test_rsa_3072_key.pem', index, block)
    109. 

  109.             dut.expect('Secure Boot is enabled', timeout=10)
    110. 

  110.     dut.serial.reset_efuses()
    111. 

  111.     dut.burn_wafer_version()
    112. 

  112. 

  113. 

  114. # Test secure boot key revoke.
    115. 

  115. # If a key is revoked, bootloader signed with that key should fail verification
    116. 

  116. @pytest.mark.esp32c3
    117. 

  117. @pytest.mark.esp32s3
    118. 

  118. @pytest.mark.esp32p4
    119. 

  119. def test_examples_security_secure_boot_key_revoke(dut: Dut) -> None:
    120. 

  120.     dut_start_secure_app(dut)
    121. 

  121.     dut.expect('Secure Boot is enabled', timeout=10)
    122. 

  122.     for index in range(3):
    123. 

  123.         dut.serial.reset_efuses()
    124. 

  124.         dut.burn_wafer_version()
    125. 

  125.         dut.secure_boot_burn_en_bit()
    126. 

  126.         dut.serial.burn_efuse('SECURE_BOOT_KEY_REVOKE%d' % index, 1)
    127. 

  127.         dut.secure_boot_burn_digest('test_rsa_3072_key.pem', index, 0)
    128. 

  128.         dut.expect('secure boot verification failed', timeout=5)
    129. 

  129.     dut.serial.reset_efuses()
    130. 

  130.     dut.burn_wafer_version()
    131. 

  131. 

  132. 

  133. # Test bootloader signature corruption.
    134. 

  134. # Corrupt one byte at a time of bootloader signature and test that the verification fails
    135. 

  135. @pytest.mark.esp32c3
    136. 

  136. @pytest.mark.esp32s3
    137. 

  137. @pytest.mark.esp32p4
    138. 

  138. @pytest.mark.timeout(18000)
    139. 

  139. # Increasing the test timeout to 18000s as the test runs for 384 iterations
    140. 

  140. # and thus the default 600s timeout is not sufficient
    141. 

  141. def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut) -> None:
    142. 

  142.     dut_start_secure_app(dut)
    143. 

  143.     dut.expect('Secure Boot is enabled', timeout=10)
    144. 

  144. 

  145.     bootloader_bin = os.path.join(dut.app.binary_path, 'bootloader/bootloader.bin')
    146. 

  146.     with open(bootloader_bin, 'rb') as f:
    147. 

  147.         signed_bl = f.read()
    148. 

  148. 

  149.     seeds = range(0, 384)
    150. 

  150.     max_seed = max(seeds)
    151. 

  151. 

  152.     for seed in seeds:
    153. 

  153.         print('Case %d / %d' % (seed, max_seed))
    154. 

  154.         corrupt_bl = corrupt_signature(signed_bl, seed=seed)
    155. 

  155.         with open('corrupt_bl.bin', 'wb') as corrupt_file:
    156. 

  156.             corrupt_file.write(corrupt_bl)
    157. 

  157.         dut.serial.reset_efuses()
    158. 

  158.         dut.burn_wafer_version()
    159. 

  159.         dut.serial.bootloader_flash('corrupt_bl.bin')
    160. 

  160.         dut.secure_boot_burn_en_bit()
    161. 

  161.         dut.secure_boot_burn_digest('test_rsa_3072_key.pem', 0, 0)
    162. 

  162.         # Though the order of flashing and burning efuse would not effect the test,
    163. 

  163.         # if we flash bootlader before burning en bit, even with no_stub = True
    164. 

  164.         # it still calls run_stub() and throws an error as it fails to start stub.
    165. 

  165.         dut.expect('Signature Check Failed', timeout=10)
    166. 

  166.     dut.serial.reset_efuses()
    167. 

  167.     dut.burn_wafer_version()
    168. 

  168. 

  169. 

  170. # Test app signature corruption.
    171. 

  171. # Corrupt app signature, one byte at a time, and test that the verification fails
    172. 

  172. @pytest.mark.esp32c3
    173. 

  173. @pytest.mark.esp32s3
    174. 

  174. @pytest.mark.esp32p4
    175. 

  175. @pytest.mark.timeout(18000)
    176. 

  176. # Increasing the test timeout to 18000s as the test runs for 385 iterations
    177. 

  177. # and thus the default 600s timeout is not sufficient
    178. 

  178. def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut) -> None:
    179. 

  179.     dut_start_secure_app(dut)
    180. 

  180.     dut.expect('Secure Boot is enabled', timeout=10)
    181. 

  181. 

  182.     app_bin = os.path.join(dut.app.binary_path, 'secure_boot.bin')
    183. 

  183.     with open(app_bin, 'rb') as f:
    184. 

  184.         signed_app = f.read()
    185. 

  185. 

  186.     seeds = range(0, 384)
    187. 

  187.     max_seed = max(seeds)
    188. 

  188. 

  189.     for seed in seeds:
    190. 

  190.         print('Case %d / %d' % (seed, max_seed))
    191. 

  191.         corrupt_app = corrupt_signature(signed_app, seed=seed)
    192. 

  192.         with open('corrupt_app.bin', 'wb') as corrupt_file:
    193. 

  193.             corrupt_file.write(corrupt_app)
    194. 

  194.         dut.serial.reset_efuses()
    195. 

  195.         dut.burn_wafer_version()
    196. 

  196.         dut.serial.app_flash('corrupt_app.bin')
    197. 

  197.         dut.secure_boot_burn_en_bit()
    198. 

  198.         dut.secure_boot_burn_digest('test_rsa_3072_key.pem', 0, 0)
    199. 

  199.         dut.expect('Signature Check Failed', timeout=10)
    200. 

  200.         dut.expect('image valid, signature bad', timeout=2)
    201. 

  201. 

  202.     print('Testing invalid CRC...')
    203. 

  203.     # Valid signature but invalid CRC
    204. 

  204.     dut.serial.reset_efuses()
    205. 

  205.     dut.burn_wafer_version()
    206. 

  206. 

  207.     corrupt_app = corrupt_signature(signed_app, corrupt_sig=False, corrupt_crc=True)
    208. 

  208.     with open('corrupt_app.bin', 'wb') as corrupt_file:
    209. 

  209.         corrupt_file.write(corrupt_app)
    210. 

  210. 

  211.     dut.serial.app_flash('corrupt_app.bin')
    212. 

  212. 

  213.     dut.secure_boot_burn_en_bit()
    214. 

  214.     dut.secure_boot_burn_digest('test_rsa_3072_key.pem', 0, 0)
    215. 

  215. 

  216.     dut.expect('Sig block 0 invalid: {}'.format('CRC mismatch' if dut.target == 'esp32p4' else 'Stored CRC ends'), timeout=2)
    217. 

  217.     dut.expect('Secure boot signature verification failed', timeout=2)
    218. 

  218.     dut.expect('No bootable app partitions in the partition table', timeout=2)
    219.