457d1c8fa2
One of the responsibilities of the `secimage` tool is signing the image using the HMAC-SHA256 algorithm. The test being added verifies that secimage's internal call yields the same result as the corresponding openssl command does. Change-Id: I8de4328f435af56901a861e3d5e733657c3c7f78 Signed-off-by: Alex Thiessen <alex.thiessen.de+coreboot@gmail.com> Reviewed-on: https://review.coreboot.org/23474 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Patrick Georgi <pgeorgi@google.com> Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
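#!/bin/bash

##
## This file is part of the coreboot project.
##
## Copyright (C) 2003-2018 Alex Thiessen <alex.thiessen.de+coreboot@gmail.com>
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; version 3 or later of the License.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
##
## SPDX-License-Identifier: GPL-3.0-or-later
## <https://spdx.org/licenses/GPL-3.0-or-later.html>
##

# Checks that the HMAC-SHA256 tag the testee appends to an image matches the
# tag openssl computes over the same payload with the same key.
#
# Usage: <this script> <testee>
# Must be run from the directory that contains test/data, because the
# fixtures are located with a relative glob.

set -o errexit
set -o nounset
set -o pipefail

# static analysis
# Lint this script first. With errexit set, any shellcheck finding aborts
# the run before the testee is executed.
if command -v shellcheck 1>/dev/null; then
  shellcheck "${BASH_SOURCE[0]}"
else
  echo "shellcheck not found, running unchecked" >&2
fi

# dependency check
# A missing tool skips the test with exit status 0.
# NOTE(review): a skip and a pass are indistinguishable by exit status, so a
# build host without openssl or xxd reports success without ever checking the
# HMAC; the only trace is the message on stderr.
dependencies=(basename diff dirname head mkdir mktemp openssl rm tail xxd)
for dependency in "${dependencies[@]}"; do
  if ! command -v "${dependency}" 1>/dev/null; then
    echo "missing ${dependency}, test skipped" >&2
    exit 0
  fi
done

# parameters
if [[ ${#} -ne 1 ]]; then
  echo "usage: '${0}' <testee>" >&2
  exit 1
fi

# setup
testee="${1}"

# Image layout this test relies on: header_len bytes of header, the payload,
# then a signature_len-byte tag (32 bytes is the HMAC-SHA256 output size).
declare -i header_len=16 signature_len=32

tmp_dir="$(mktemp --directory --tmpdir secimage-test-XXXXXXXX)"

# Remove the scratch directory on every exit path. Under errexit a failing
# testee or a failing comparison ends the script immediately, and without
# this trap the decoded key and images would be left behind in the temp dir.
trap 'rm --force --recursive -- "${tmp_dir}"' EXIT

# Decode every hex dump under test/data into the same relative path below
# tmp_dir, dropping the .xxdump suffix.
shopt -s globstar nullglob
for dump_file in test/data/**/*.xxdump; do
  bin_file_dir="${tmp_dir}/$(dirname "${dump_file#test/data/}")"
  mkdir --parents "${bin_file_dir}"
  xxd -r "${dump_file}" \
    "${bin_file_dir}/$(basename "${dump_file}" .xxdump)"
done

# nullglob turns "no dumps found" into an empty loop, so check the decoded
# fixtures explicitly rather than failing later with an unrelated error.
for fixture in expected/binary input/binary input/configfile \
  input/hmac_binary_key; do
  if [[ ! -f "${tmp_dir}/${fixture}" ]]; then
    echo "fixture '${fixture}' not found below test/data" >&2
    exit 1
  fi
done

# Reference tag: strip the header and the stored tag from the expected image
# and let openssl compute HMAC-SHA256 over what remains.
# The key is a test vector from the repository. Passing it as hexkey: puts it
# on openssl's command line, where other local users can read it, so this is
# acceptable for fixtures only.
# xxd -c with signature_len * 2 bytes per line keeps keys up to that length
# on one line; a longer key would be split across lines.
tail --bytes=+$((header_len + 1)) "${tmp_dir}/expected/binary" \
  | head --bytes="-${signature_len}" \
  | openssl dgst -sha256 -mac hmac \
    -macopt hexkey:"$(xxd -c$((signature_len * 2)) -ps \
      "${tmp_dir}/input/hmac_binary_key")" \
    -binary \
    > "${tmp_dir}/expected/signature"
mkdir "${tmp_dir}/actual"

# test
"${testee}" \
  -out "${tmp_dir}/actual/binary" \
  -config "${tmp_dir}/input/configfile" \
  -hmac "${tmp_dir}/input/hmac_binary_key" \
  -bl "${tmp_dir}/input/binary"

# The trailing signature_len bytes of the produced image are the testee's tag.
tail --bytes="${signature_len}" "${tmp_dir}/actual/binary" \
  > "${tmp_dir}/actual/signature"

# Compares both the complete image and the extracted tag with their expected
# counterparts. diff's own report goes to /dev/null, so say what failed.
if ! diff --recursive "${tmp_dir}/actual" "${tmp_dir}/expected" 1>/dev/null; then
  echo "testee output differs from the expected image or openssl tag" >&2
  exit 1
fi

# teardown
# Nothing to do here: the EXIT trap installed during setup removes tmp_dir.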