diff options
author | Heinrich Schuchardt <heinrich.schuchardt@canonical.com> | 2024-04-22 11:41:00 +0300 |
---|---|---|
committer | Heinrich Schuchardt <heinrich.schuchardt@canonical.com> | 2024-05-01 08:38:29 +0300 |
commit | 566f067349a8f6136cf62d907019efdf1e250ce5 (patch) | |
tree | 7d5ab6ecdfed4757638c97aa46bbf1a3aea1a505 /test | |
parent | 84aab11d3503a555ca6349da76efa4f4aedfc136 (diff) | |
download | u-boot-566f067349a8f6136cf62d907019efdf1e250ce5.tar.xz |
efi_loader: improve error handling in try_load_entry()
The image is not unloaded if a security violation occurs.
If efi_set_load_options() fails, we do not free the memory allocated for
the optional data. We do not unload the image.
* Unload the image if a security violation occurs.
* Free load_options if efi_set_load_options() fails.
* Unload the image if efi_set_load_options() fails.
Fixes: 53f6a5aa8626 ("efi_loader: Replace config option for initrd loading")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Diffstat (limited to 'test')
-rw-r--r-- | test/py/tests/test_efi_secboot/test_signed.py | 28 | ||||
-rw-r--r-- | test/py/tests/test_efi_secboot/test_signed_intca.py | 10 | ||||
-rw-r--r-- | test/py/tests/test_efi_secboot/test_unsigned.py | 6 |
3 files changed, 22 insertions, 22 deletions
diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 2f862a259a..5000a4ab7b 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -62,13 +62,13 @@ class TestEfiSignedImage(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert('\'HELLO1\' failed' in ''.join(output)) - assert('efi_start_image() returned: 26' in ''.join(output)) + assert('efi_bootmgr_load() returned: 26' in ''.join(output)) output = u_boot_console.run_command_list([ 'efidebug boot add -b 2 HELLO2 host 0:1 /helloworld.efi -s ""', 'efidebug boot order 2', 'efidebug test bootmgr']) assert '\'HELLO2\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) with u_boot_console.log.section('Test Case 2b'): # Test Case 2b, authenticated by db @@ -80,7 +80,7 @@ class TestEfiSignedImage(object): 'efidebug boot order 2', 'efidebug test bootmgr']) assert '\'HELLO2\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot order 1', 'bootefi bootmgr']) @@ -108,7 +108,7 @@ class TestEfiSignedImage(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) with u_boot_console.log.section('Test Case 3b'): # Test Case 3b, rejected by dbx even if db allows @@ -120,7 +120,7 @@ class TestEfiSignedImage(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) def test_efi_signed_image_auth4(self, u_boot_console, efi_boot_env): """ @@ -146,7 +146,7 @@ class TestEfiSignedImage(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) def test_efi_signed_image_auth5(self, u_boot_console, efi_boot_env): """ @@ -196,7 +196,7 @@ class TestEfiSignedImage(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) with u_boot_console.log.section('Test Case 5d'): # Test Case 5d, rejected if both of signatures are revoked @@ -208,7 +208,7 @@ class TestEfiSignedImage(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) # Try rejection in reverse order. u_boot_console.restart_uboot() @@ -233,7 +233,7 @@ class TestEfiSignedImage(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) def test_efi_signed_image_auth6(self, u_boot_console, efi_boot_env): """ @@ -268,7 +268,7 @@ class TestEfiSignedImage(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) with u_boot_console.log.section('Test Case 6c'): # Test Case 6c, rejected by image's digest in dbx @@ -282,7 +282,7 @@ class TestEfiSignedImage(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) def test_efi_signed_image_auth7(self, u_boot_console, efi_boot_env): """ @@ -310,7 +310,7 @@ class TestEfiSignedImage(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) # sha512 of an x509 cert in dbx u_boot_console.restart_uboot() @@ -333,7 +333,7 @@ class TestEfiSignedImage(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) def test_efi_signed_image_auth8(self, u_boot_console, efi_boot_env): """ @@ -368,4 +368,4 @@ class TestEfiSignedImage(object): 'efidebug test bootmgr']) assert(not 'hELLO, world!' in ''.join(output)) assert('\'HELLO1\' failed' in ''.join(output)) - assert('efi_start_image() returned: 26' in ''.join(output)) + assert('efi_bootmgr_load() returned: 26' in ''.join(output)) diff --git a/test/py/tests/test_efi_secboot/test_signed_intca.py b/test/py/tests/test_efi_secboot/test_signed_intca.py index 8d9a5f3e7f..cf906205bc 100644 --- a/test/py/tests/test_efi_secboot/test_signed_intca.py +++ b/test/py/tests/test_efi_secboot/test_signed_intca.py @@ -43,7 +43,7 @@ class TestEfiSignedImageIntca(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO_a\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) with u_boot_console.log.section('Test Case 1b'): # Test Case 1b, signed and authenticated by root CA @@ -74,7 +74,7 @@ class TestEfiSignedImageIntca(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO_abc\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) with u_boot_console.log.section('Test Case 2b'): # Test Case 2b, signed and authenticated by root CA @@ -84,7 +84,7 @@ class TestEfiSignedImageIntca(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO_abc\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) with u_boot_console.log.section('Test Case 2c'): # Test Case 2c, signed and authenticated by root CA @@ -122,7 +122,7 @@ class TestEfiSignedImageIntca(object): assert 'Hello, world!' in ''.join(output) # Or, # assert '\'HELLO_abc\' failed' in ''.join(output) - # assert 'efi_start_image() returned: 26' in ''.join(output) + # assert 'efi_bootmgr_load() returned: 26' in ''.join(output) with u_boot_console.log.section('Test Case 3b'): # Test Case 3b, revoked by root CA in dbx @@ -132,4 +132,4 @@ class TestEfiSignedImageIntca(object): 'efidebug boot order 1', 'efidebug test bootmgr']) assert '\'HELLO_abc\' failed' in ''.join(output) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py index 7c078f220d..b4320ae405 100644 --- a/test/py/tests/test_efi_secboot/test_unsigned.py +++ b/test/py/tests/test_efi_secboot/test_unsigned.py @@ -42,7 +42,7 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'efidebug boot order 1', 'efidebug test bootmgr']) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) assert 'Hello, world!' not in ''.join(output) def test_efi_unsigned_image_auth2(self, u_boot_console, efi_boot_env): @@ -95,7 +95,7 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'efidebug boot order 1', 'efidebug test bootmgr']) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) assert 'Hello, world!' not in ''.join(output) with u_boot_console.log.section('Test Case 3b'): @@ -113,5 +113,5 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'efidebug boot order 1', 'efidebug test bootmgr']) - assert 'efi_start_image() returned: 26' in ''.join(output) + assert 'efi_bootmgr_load() returned: 26' in ''.join(output) assert 'Hello, world!' not in ''.join(output) |