2 # UEFI signature validation
4 # Copyright (C) 2019 Canonical, Ltd.
5 # Author: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
7 # This program is free software; you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; version 3.
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
16 # You should have received a copy of the GNU General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
25 from pathlib
import Path
27 from uefi_tests_base
import UEFITestsBase
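class TestSignatures(UEFITestsBase):
    """Validate UEFI Secure Boot signatures on the packaged shim and GRUB.

    Two different kinds of check live in this class and should not be
    confused:

    * ``testGrubSignatureValid`` verifies the GRUB image against
      ``self.canonical_ca``.  It is the only test here that ties the
      signature to the *expected* signer.
    * Every other test only establishes that a signature table is present,
      that ``sbverify --list`` can enumerate it, or that the embedded PKCS#7
      can be detached and replayed.  Those pass for any well-formed
      Authenticode signature, whoever produced it.

    The paths and helpers used below (``signed_grub_path``,
    ``signed_shim_path``, ``unsigned_shim_path``, ``installed_shim``,
    ``canonical_ca`` and ``assertSignatureOK``) are provided by
    ``UEFITestsBase``; their values are not defined in this file.
    """

    @classmethod
    def setUpClass(klass):
        """Run the base-class fixture setup.

        unittest invokes ``setUpClass`` on the class object, so this has to
        be a classmethod.  The base class is called explicitly (not via
        ``super()``) so that whatever it binds is bound exactly as before.
        """
        UEFITestsBase.setUpClass()

    # -- helpers -----------------------------------------------------------

    @staticmethod
    def _list_signatures(image_path):
        """Run ``sbverify --list`` on *image_path* and return the result.

        Both stdout and stderr are captured: sbverify reports a present
        signature table on stdout and the absence of one on stderr, and the
        callers assert on whichever stream applies.  The exit status is
        deliberately not checked here because the "unsigned" probe expects
        the tool to fail.
        """
        return subprocess.run(['sbverify', '--list', image_path],
                              stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE)

    def _assertHasSignatureTable(self, image_path):
        """Assert that sbverify lists at least one signer for *image_path*.

        This is a presence check only; it does not say who signed the image.
        """
        listed = self._list_signatures(image_path)
        self.assertIn(b'image signature issuers:', listed.stdout,
                      'sbverify --list found no signature on %s (stderr: %r)'
                      % (image_path, listed.stderr))

    # -- tests -------------------------------------------------------------

    def testInstalledGrubIsSigned(self):
        """Check that the GRUB copy we installed carries a signature table."""
        installed_grub_file = Path(self.signed_grub_path)
        self.assertTrue(installed_grub_file.is_file(),
                        'signed GRUB not found at %s' % self.signed_grub_path)
        self._assertHasSignatureTable(self.signed_grub_path)

    def testGrubSignatureValid(self):
        """Ensure the packaged GRUB is signed by the expected key.

        This verifies against ``self.canonical_ca`` and is therefore the
        trust-establishing check for GRUB, unlike the presence-only tests.
        """
        self.assertSignatureOK(self.canonical_ca, self.signed_grub_path)

    def testInstalledShimIsSigned(self):
        """Check that the installed shim carries a signature table."""
        installed_shim_file = Path(self.signed_shim_path)
        self.assertTrue(installed_shim_file.is_file(),
                        'signed shim not found at %s' % self.signed_shim_path)
        self._assertHasSignatureTable(self.signed_shim_path)

    def testHaveSignedShimOnESP(self):
        """Verify that packaging has placed a shim at ``self.installed_shim``.

        Existence only: nothing about this file's signature is inspected
        here.  Note that ``installed_shim`` and ``signed_shim_path`` are
        distinct attributes of the base class; the signature checks above
        operate on the latter.
        """
        signed_shim_file = Path(self.installed_shim)
        self.assertTrue(signed_shim_file.is_file(),
                        'no shim installed at %s' % self.installed_shim)

    def testSignaturesExist(self):
        """Confirm sbverify distinguishes an unsigned image from a signed one.

        The unsigned shim must produce sbverify's "No signature table
        present" diagnostic on stderr, and the signed shim must list at
        least one issuer.  This guards against a tooling setup that would
        make the presence checks above pass vacuously.
        """
        unsigned_out = self._list_signatures(self.unsigned_shim_path)
        self.assertIn(b'No signature table present', unsigned_out.stderr,
                      'unsigned shim unexpectedly reported a signature '
                      '(stdout: %r, stderr: %r)'
                      % (unsigned_out.stdout, unsigned_out.stderr))
        self._assertHasSignatureTable(self.signed_shim_path)

    def testSignatureIsReplayable(self):
        """Detach the shim's signature and re-verify the image with it.

        The PKCS#7 blob is extracted from the signed shim with
        ``sbattach --detach``, the signer certificates are dumped from it
        as PEM with ``openssl pkcs7``, and ``assertSignatureOK`` is then run
        against that extracted certificate file.

        Security caveat: this is a round-trip consistency check, not a
        trust check.  The certificate used for verification is taken from
        the very signature being verified, so any well-formed Authenticode
        signature -- including one made with a throw-away self-signed
        key -- passes.  Only ``testGrubSignatureValid`` (verifying against
        ``self.canonical_ca``) pins the signer identity.

        Raises:
            subprocess.CalledProcessError: if sbattach or openssl fail.
                Previously those failures were ignored and only surfaced
                later as an opaque assertSignatureOK failure on an empty
                certificate file.
        """
        with tempfile.TemporaryDirectory() as tmpdirname:
            detached_sig = os.path.join(tmpdirname, 'sig.pkcs7')
            cert_store = os.path.join(tmpdirname, 'out.crt')

            subprocess.run(['sbattach', '--detach', detached_sig,
                            self.signed_shim_path],
                           check=True)

            # sbattach writes the signature as DER, while openssl's default
            # input format for `pkcs7` is PEM, and -print_certs is what
            # turns the PKCS#7 into the PEM X.509 blocks a certificate file
            # is expected to contain.
            # NOTE(review): the two argument lines between '-in' and
            # 'stdout=' were not visible in the copy reviewed; confirm
            # '-inform', 'der' and '-print_certs' against upstream.
            pkcs7_certs = subprocess.run(['openssl', 'pkcs7',
                                          '-inform', 'der',
                                          '-in', detached_sig,
                                          '-print_certs'],
                                         stdout=subprocess.PIPE,
                                         check=True)
            self.assertTrue(pkcs7_certs.stdout,
                            'openssl extracted no certificates from %s'
                            % detached_sig)

            # Fresh file in a fresh temporary directory: a plain write is
            # what is meant, not append-and-read ('ab+').
            with open(cert_store, 'wb') as certstore:
                certstore.write(pkcs7_certs.stdout)

            self.assertSignatureOK(cert_store, self.signed_shim_path)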
# Script entry point: run every test in this module with a verbose text
# runner writing to stdout (autopkgtest collects stdout for the log).
runner = unittest.TextTestRunner(stream=sys.stdout, verbosity=2)
unittest.main(testRunner=runner)