aboutsummaryrefslogtreecommitdiffstats
path: root/roms/skiboot/libstb/secvar/test/secvar-test-edk2-compat.c
diff options
context:
space:
mode:
Diffstat (limited to 'roms/skiboot/libstb/secvar/test/secvar-test-edk2-compat.c')
-rw-r--r--roms/skiboot/libstb/secvar/test/secvar-test-edk2-compat.c617
1 files changed, 617 insertions, 0 deletions
diff --git a/roms/skiboot/libstb/secvar/test/secvar-test-edk2-compat.c b/roms/skiboot/libstb/secvar/test/secvar-test-edk2-compat.c
new file mode 100644
index 000000000..00745a5dd
--- /dev/null
+++ b/roms/skiboot/libstb/secvar/test/secvar-test-edk2-compat.c
@@ -0,0 +1,617 @@
+// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+/* Copyright 2020 IBM Corp. */
+
+#define MBEDTLS_PKCS7_C
+#include "secvar_common_test.c"
+#include "../backend/edk2-compat.c"
+#include "../backend/edk2-compat-process.c"
+#include "../secvar_util.c"
+#include "../../crypto/pkcs7/pkcs7.c"
+#include "./data/PK.h"
+#include "./data/noPK.h"
+#include "./data/KEK.h"
+#include "./data/invalidkek.h"
+#include "./data/malformedkek.h"
+#include "./data/trimmedKEK.h"
+#include "./data/KEKeslcorrupt.h"
+#include "./data/KEKpkcs7corrupt.h"
+#include "./data/db.h"
+#include "./data/dbsigneddata.h"
+#include "./data/OldTSKEK.h"
+#include "./data/multipleKEK.h"
+#include "./data/multipletrimmedKEK.h"
+#include "./data/multipleDB.h"
+#include "./data/multiplePK.h"
+#include "./data/dbx.h"
+#include "./data/dbxcert.h"
+#include "./data/dbxsha512.h"
+#include "./data/dbxmalformed.h"
+#include "./data/pkcs7_sha512.h"
+
+bool test_hw_key_hash = false;
+
+/* Hardcoding HW KEY HASH to avoid emulating device-tree in unit-tests. */
+const unsigned char hw_key_hash[64] = {
+0xb6, 0xdf, 0xfe, 0x75, 0x53, 0xf9, 0x2e, 0xcb, 0x2b, 0x05, 0x55, 0x35, 0xd7, 0xda, 0xfe, 0x32, \
+0x98, 0x93, 0x35, 0x1e, 0xd7, 0x4b, 0xbb, 0x21, 0x6b, 0xa0, 0x56, 0xa7, 0x1e, 0x3c, 0x0b, 0x56, \
+0x6f, 0x0c, 0x4d, 0xbe, 0x31, 0x42, 0x13, 0x68, 0xcb, 0x32, 0x11, 0x6f, 0x13, 0xbb, 0xdd, 0x9e, \
+0x4f, 0xe3, 0x83, 0x8b, 0x1c, 0x6a, 0x2e, 0x07, 0xdb, 0x95, 0x16, 0xc9, 0x33, 0xaa, 0x20, 0xef
+};
+
+const unsigned char new_hw_key_hash[64] = {
+0xa6, 0xdf, 0xfe, 0x75, 0x53, 0xf9, 0x2e, 0xcb, 0x2b, 0x05, 0x55, 0x35, 0xd7, 0xda, 0xfe, 0x32, \
+0x98, 0x93, 0x35, 0x1e, 0xd7, 0x4b, 0xbb, 0x21, 0x6b, 0xa0, 0x56, 0xa7, 0x1e, 0x3c, 0x0b, 0x56, \
+0x6f, 0x0c, 0x4d, 0xbe, 0x31, 0x42, 0x13, 0x68, 0xcb, 0x32, 0x11, 0x6f, 0x13, 0xbb, 0xdd, 0x9e, \
+0x4f, 0xe3, 0x83, 0x8b, 0x1c, 0x6a, 0x2e, 0x07, 0xdb, 0x95, 0x16, 0xc9, 0x33, 0xaa, 0x20, 0xef
+};
+
+int reset_keystore(struct list_head *bank __unused) { return 0; }
+int verify_hw_key_hash(void)
+{
+
+ /* This check is added just to simulate mismatch of hashes. */
+ if (test_hw_key_hash)
+ if (memcmp(new_hw_key_hash, hw_key_hash, 64) != 0)
+ return OPAL_PERMISSION;
+
+ return OPAL_SUCCESS;
+}
+
+
+int add_hw_key_hash(struct list_head *bank)
+{
+ struct secvar *var;
+ uint32_t hw_key_hash_size = 64;
+
+ var = new_secvar("HWKH", 5, hw_key_hash,
+ hw_key_hash_size, SECVAR_FLAG_PROTECTED);
+ list_add_tail(bank, &var->link);
+
+ return OPAL_SUCCESS;
+}
+
+int delete_hw_key_hash(struct list_head *bank)
+{
+ struct secvar *var;
+
+ var = find_secvar("HWKH", 5, bank);
+ if (!var)
+ return OPAL_SUCCESS;
+
+ list_del(&var->link);
+ dealloc_secvar(var);
+
+ return OPAL_SUCCESS;
+}
+
+const char *secvar_test_name = "edk2-compat";
+
+int secvar_set_secure_mode(void) { return 0; };
+
+int run_test()
+{
+ int rc = -1;
+ struct secvar *tmp;
+ size_t tmp_size;
+ char empty[64] = {0};
+ void *data;
+
+ /* The sequence of test cases here is important to ensure that
+ * timestamp checks work as expected. */
+
+ /* Check pre-process creates the empty variables. */
+ ASSERT(0 == list_length(&variable_bank));
+ rc = edk2_compat_pre_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_SUCCESS == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ tmp = find_secvar("TS", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(64 == tmp->data_size);
+ ASSERT(!(memcmp(tmp->data, empty, 64)));
+
+ /* Add test to verify hw_key_hash.
+ * This is to ensure that mismatch of test happens.
+ * The test uses test_hw_key_hash variable to ensure that
+ * mismatch happens. For all next tests, test_hw_key_hash variable
+ * should be zero to avoid hard-coded mismatch.
+ */
+ test_hw_key_hash = 1;
+ setup_mode = false;
+ printf("Add PK");
+ tmp = new_secvar("PK", 3, PK_auth, PK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ printf("rc is %04x %d\n", rc, rc);
+ ASSERT(OPAL_SUCCESS == rc);
+ ASSERT(0 == list_length(&update_bank));
+ ASSERT(setup_mode);
+
+ /* Set test_hw_key_hash to zero to avoid hardcoded mismatch. */
+ test_hw_key_hash = 0;
+
+ /* Add PK and a failed update. */
+ printf("Add PK and failed dbx");
+ tmp = new_secvar("PK", 3, PK_auth, PK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ tmp = new_secvar("dbx", 4, wrongdbxauth, wrong_dbx_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(2 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PARAMETER == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ rc = edk2_compat_post_process(&variable_bank, &update_bank);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(setup_mode);
+
+ /* Add PK and db, db update should fail, so all updates fail. */
+ printf("Add PK");
+ tmp = new_secvar("PK", 3, PK_auth, PK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+ printf("Add db");
+ tmp = new_secvar("db", 3, DB_auth, sizeof(DB_auth), 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(2 == list_length(&update_bank));
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PERMISSION == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ rc = edk2_compat_post_process(&variable_bank, &update_bank);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(setup_mode);
+
+ /* Add PK with bad ESL. should fail since data is not big enough to be ESL*/
+ printf("Add PK with invalid appended ESL");
+ /* 1014 is length of appended ESL Header and its data */
+ tmp = new_secvar("PK", 3, PK_auth, PK_auth_len - 1014 + sizeof(EFI_SIGNATURE_LIST) - 1, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ rc = edk2_compat_post_process(&variable_bank, &update_bank);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(setup_mode);
+
+
+ /* Add PK to update and .process(). */
+ printf("Add PK");
+ tmp = new_secvar("PK", 3, PK_auth, PK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_SUCCESS == rc);
+ ASSERT(6 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ rc = edk2_compat_post_process(&variable_bank, &update_bank);
+ ASSERT(5 == list_length(&variable_bank));
+ tmp = find_secvar("PK", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+ ASSERT(PK_auth_len > tmp->data_size); /* esl should be smaller without auth. */
+ ASSERT(!setup_mode);
+
+ /* Add db, should fail with no KEK. */
+ printf("Add db");
+ tmp = new_secvar("db", 3, DB_auth, DB_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PERMISSION == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("db", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+
+ /* Add db, should fail with no KEK and invalid PK size */
+ printf("Add db, corrupt PK");
+ /* Somehow PK gets assigned wrong size */
+ tmp = find_secvar("PK", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ tmp_size = tmp->data_size;
+ tmp->data_size = sizeof(EFI_SIGNATURE_LIST) - 1;
+ tmp = new_secvar("db", 3, DB_auth, DB_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_INTERNAL_ERROR == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("db", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 == tmp->data_size);
+ /* Restore PK data size */
+ tmp = find_secvar("PK", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ tmp->data_size = tmp_size;
+
+ /* Add trimmed KEK, .process(), should fail. */
+ printf("Add trimmed KEK\n");
+ tmp = new_secvar("KEK", 4, trimmedKEK_auth, trimmedKEK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PARAMETER == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("KEK", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 == tmp->data_size);
+
+ printf("Try truncated KEK < size of auth structure:\n");
+ data = malloc(1467);
+ memcpy(data, KEK_auth, 1467);
+ tmp = new_secvar("KEK", 4, data, 1467, 0);
+ rc = edk2_compat_validate(tmp);
+ ASSERT(0 == rc);
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(0 != rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("KEK", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 == tmp->data_size);
+ free(data);
+
+ /* KEK with corrupted ESL SignatureSize */
+ printf("KEK with corrupt ESL SignatureSize\n");
+ tmp = new_secvar("KEK", 4, KEKeslcorrupt_auth, KEKeslcorrupt_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ /* If we don't catch the error, we get OPAL_NO_MEM instead */
+ ASSERT(OPAL_PARAMETER == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("KEK", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 == tmp->data_size);
+
+ /* KEK with corrupted pkcs7, used to leak memory */
+ printf("KEK with corrupt PKCS#7 message\n");
+ tmp = new_secvar("KEK", 4, KEKpkcs7corrupt_auth, KEKpkcs7corrupt_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PARAMETER == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("KEK", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 == tmp->data_size);
+
+ /* Add valid KEK, .process(), succeeds. */
+ printf("Add KEK");
+ tmp = new_secvar("KEK", 4, KEK_auth, KEK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_SUCCESS == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("KEK", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+
+ /* Add valid KEK, .process(), timestamp check fails. */
+ tmp = new_secvar("KEK", 4, OldTS_KEK_auth, OldTS_KEK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PERMISSION == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("KEK", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+
+ /* Add db, .process(), should succeed. */
+ printf("Add db again\n");
+ tmp = new_secvar("db", 3, DB_auth, DB_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_SUCCESS == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("db", 3, &variable_bank);
+ printf("tmp is %s\n", tmp->key);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+
+ /* Add db, .process(), should fail because of timestamp. */
+ printf("Add db again\n");
+ tmp = new_secvar("db", 3, DB_auth, DB_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PERMISSION == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("db", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+
+ /* Add valid sha256 dbx. */
+ printf("Add sha256 dbx\n");
+ tmp = new_secvar("dbx", 4, dbxauth, dbx_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_SUCCESS == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("db", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+
+ /* Add invalid KEK, .process(), should fail. Timestamp check failure. */
+ printf("Add invalid KEK\n");
+ tmp = new_secvar("KEK", 4, InvalidKEK_auth, InvalidKEK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PERMISSION == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("KEK", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+
+ /* Add ill formatted KEK, .process(), should fail. */
+ printf("Add invalid KEK\n");
+ tmp = new_secvar("KEK", 4, MalformedKEK_auth, MalformedKEK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PARAMETER == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("KEK", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+
+ /* Add multiple db and then multiple KEKs.
+ * The db should be signed with a KEK yet to be added.
+ */
+ printf("Add multiple db\n");
+ tmp = new_secvar("db", 3, multipleDB_auth, multipleDB_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+ printf("Add multiple KEK\n");
+ tmp = new_secvar("KEK", 4, multipleKEK_auth, multipleKEK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(2 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PERMISSION == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+
+ /* Add multiple KEK ESLs with w one missing 5 bytes */
+ printf("Add multiple KEK with one trimmed\n");
+ tmp = new_secvar("KEK", 4, multipletrimmedKEK_auth, multipletrimmedKEK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PARAMETER == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("KEK", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+
+ /* Add multiple KEK ESLs, one of them should sign the db. */
+ printf("Add multiple KEK\n");
+ tmp = new_secvar("KEK", 4, multipleKEK_auth, multipleKEK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+ printf("Add multiple db\n");
+ tmp = new_secvar("db", 3, multipleDB_auth, multipleDB_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(2 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_SUCCESS == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("KEK", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+ tmp = find_secvar("db", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+
+ /* Add db with signeddata PKCS7 format. */
+ printf("DB with signed data\n");
+ tmp = new_secvar("db", 3, dbsigneddata_auth, dbsigneddata_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_SUCCESS == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("db", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+
+ /* Delete PK and invalid dbx - to test queued updates for deleting PK. */
+ printf("Delete PK\n");
+ /* Add hw_key_hash explicitly to ensure it is deleted as part of PK deletion. */
+ add_hw_key_hash(&variable_bank);
+ ASSERT(6 == list_length(&variable_bank));
+ tmp = new_secvar("PK", 3, noPK_auth, noPK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+ printf("Add invalid dbx\n");
+ tmp = new_secvar("dbx", 4, wrongdbxauth, wrong_dbx_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(2 == list_length(&update_bank));
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PARAMETER == rc);
+ ASSERT(6 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ rc = edk2_compat_post_process(&variable_bank, &update_bank);
+ ASSERT(5 == list_length(&variable_bank));
+ tmp = find_secvar("PK", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+ ASSERT(!setup_mode);
+
+ /* updates with pkcs#7 messages with sha512 hashes should be rejected */
+ printf("Add db where auth has sha512 in PKCS#7\n");
+ tmp = new_secvar("db", 3, pkcs7_sha512, pkcs7_sha512_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PARAMETER == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+
+ /* Delete PK. */
+ printf("Delete PK\n");
+ /* Add hw_key_hash explicitly to ensure it is deleted as part of PK deletion. */
+ add_hw_key_hash(&variable_bank);
+ ASSERT(6 == list_length(&variable_bank));
+ tmp = new_secvar("PK", 3, noPK_auth, noPK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_SUCCESS == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ rc = edk2_compat_post_process(&variable_bank, &update_bank);
+ ASSERT(5 == list_length(&variable_bank));
+ tmp = find_secvar("PK", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 == tmp->data_size);
+ ASSERT(setup_mode);
+
+ /* Add multiple PK. */
+ printf("Multiple PK\n");
+ tmp = new_secvar("PK", 3, multiplePK_auth, multiplePK_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PARAMETER == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("PK", 3, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 == tmp->data_size);
+ ASSERT(setup_mode);
+
+ /* Add invalid dbx like with wrong GUID. */
+ printf("Add invalid dbx\n");
+ tmp = new_secvar("dbx", 4, wrongdbxauth, wrong_dbx_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PARAMETER == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+
+ /* Ensure sha512 dbx is considered as valid. */
+ printf("Add sha512 dbx\n");
+ tmp = new_secvar("dbx", 4, dbx512, dbx512_auth_len, 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_SUCCESS == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+ tmp = find_secvar("dbx", 4, &variable_bank);
+ ASSERT(NULL != tmp);
+ ASSERT(0 != tmp->data_size);
+
+ /* We do not support cert as dbx. */
+ printf("Add db(cert) as dbx\n");
+ tmp = new_secvar("dbx", 4, dbx_cert_auth, sizeof(dbx_cert_auth), 0);
+ ASSERT(0 == edk2_compat_validate(tmp));
+ list_add_tail(&update_bank, &tmp->link);
+ ASSERT(1 == list_length(&update_bank));
+
+ rc = edk2_compat_process(&variable_bank, &update_bank);
+ ASSERT(OPAL_PARAMETER == rc);
+ ASSERT(5 == list_length(&variable_bank));
+ ASSERT(0 == list_length(&update_bank));
+
+ return 0;
+}
+
+int main(void)
+{
+ int rc;
+
+ list_head_init(&variable_bank);
+ list_head_init(&update_bank);
+
+ secvar_storage.max_var_size = 4096;
+
+ rc = run_test();
+
+ clear_bank_list(&variable_bank);
+ clear_bank_list(&update_bank);
+
+ return rc;
+}