1 #
2 # UEFI signature validation
3 #
4 # Copyright (C) 2019 Canonical, Ltd.
5 # Author: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
6 #
7 # This program is free software; you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; version 3.
10 #
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
15 #
16 # You should have received a copy of the GNU General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
19 import os
20 import subprocess
21 import sys
22 import unittest
23 import tempfile
25 from pathlib import Path
27 from uefi_tests_base import UEFITestsBase
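class TestSignatures(UEFITestsBase):
    """
    Validate UEFI signatures for common problems.

    The paths and trust anchor used below (``signed_grub_path``,
    ``signed_shim_path``, ``unsigned_shim_path``, ``installed_shim`` and
    ``canonical_ca``) and the ``assertSignatureOK`` helper are provided by
    ``UEFITestsBase``; their values are not defined in this file.
    """

    @classmethod
    def setUpClass(cls):
        # All fixture set-up lives in the shared base class.
        super().setUpClass()

    def _sbverify_list(self, path):
        """Run ``sbverify --list`` on *path* and return the CompletedProcess.

        Both stdout and stderr are captured so that assertion messages can
        show what the tool printed.  The exit status is deliberately not
        checked: callers assert on the output, and one of them expects
        sbverify to complain about a missing signature table.
        """
        return subprocess.run(['sbverify', '--list', str(path)],
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    def _assert_has_signature(self, path):
        """Assert that *path* exists and carries at least one signature.

        Only the presence of a signature is checked here; whether the signer
        is trusted is a separate question answered by ``assertSignatureOK``.
        """
        self.assertTrue(Path(path).exists(),
                        msg='{} does not exist'.format(path))
        result = self._sbverify_list(path)
        self.assertIn(b'image signature issuers:', result.stdout,
                      msg='no signature listed for {}: {!r}'.format(
                          path, result.stderr))

    def testInstalledGrubIsSigned(self):
        """Check that the GRUB copy we installed carries a signature."""
        self._assert_has_signature(self.signed_grub_path)

    def testGrubSignatureValid(self):
        """Ensure the installed GRUB binary from packaging is signed with the expected key.

        This is the trust check: the signature must verify against
        ``canonical_ca``, not merely exist.
        """
        self.assertSignatureOK(self.canonical_ca, self.signed_grub_path)

    def testInstalledShimIsSigned(self):
        """Check that the installed shim carries a signature."""
        self._assert_has_signature(self.signed_shim_path)

    def testHaveSignedShimOnESP(self):
        """Verify that packaging has provided a signed shim.

        Only the existence of ``installed_shim`` is asserted; its signature
        is covered by the other tests.  NOTE(review): the name suggests this
        path lives on the ESP, but that cannot be confirmed from this file.
        """
        self.assertTrue(Path(self.installed_shim).exists())

    def testSignaturesExist(self):
        """Validate that sbverify tells an unsigned binary from a signed one.

        The negative case guards against a tool that reports a signature
        for everything, which would make the positive checks meaningless.
        """
        unsigned = self._sbverify_list(self.unsigned_shim_path)
        self.assertIn(b'No signature table present', unsigned.stderr)
        self._assert_has_signature(self.signed_shim_path)

    def testSignatureIsReplayable(self):
        """Attest that the signature is retrievable from a binary and can be replayed.

        The PKCS#7 blob is detached with sbattach, the certificates embedded
        in it are dumped with openssl, and the binary is then verified
        against that certificate bundle.  This proves the embedded signature
        is well-formed and self-consistent; it is not a trust check, because
        the certificates come from the binary itself (see
        testGrubSignatureValid for verification against ``canonical_ca``).
        """
        with tempfile.TemporaryDirectory() as tmpdirname:
            tmpdir = Path(tmpdirname)
            sig_path = tmpdir / 'sig.pkcs7'
            cert_path = tmpdir / 'out.crt'
            # check=True: a failed detach would otherwise surface later as a
            # confusing openssl error about a missing input file.
            subprocess.run(['sbattach', '--detach', str(sig_path),
                            self.signed_shim_path], check=True)
            pkcs7_certs = subprocess.run(['openssl', 'pkcs7',
                                          '-inform', 'der',
                                          '-in', str(sig_path),
                                          '-print_certs'],
                                         stdout=subprocess.PIPE, check=True)
            # The temp dir is fresh, so a plain write is equivalent to the
            # append-mode open used previously.
            cert_path.write_bytes(pkcs7_certs.stdout)
            self.assertSignatureOK(str(cert_path), self.signed_shim_path)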
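if __name__ == '__main__':
    # Guarded entry point: the file is only ever run as a script (its name
    # starts with a digit, so it cannot be imported as a module).  Verbose
    # output goes to stdout so the harness log shows each test's result.
    unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout, verbosity=2))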