| author | Steve McIntyre <93sam@debian.org> | 2024-04-17 20:21:14 +0000 |
|---|---|---|
| committer | Steve McIntyre <93sam@debian.org> | 2024-04-17 20:21:14 +0000 |
| commit | ee48d7e5297e1273e398051e5268c4b8993fd7b1 (patch) | |
| tree | ae498d04fbce554aa7793373e6e636cb83a55e22 /debian/tests/05_signature_tests.py | |
| parent | f4f4e39e16af685d5d6de16c4fcc0e04f651ab70 (diff) | |
| parent | c62e4f08ea8651808c03627b9049eef6f9618c29 (diff) | |
| download | efi-boot-shim-ee48d7e5297e1273e398051e5268c4b8993fd7b1.tar.gz efi-boot-shim-ee48d7e5297e1273e398051e5268c4b8993fd7b1.zip | |
Merge branch 'tests' into 'master'
Tests
See merge request efi-team/shim!14
Diffstat (limited to 'debian/tests/05_signature_tests.py')
| -rwxr-xr-x | debian/tests/05_signature_tests.py | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/debian/tests/05_signature_tests.py b/debian/tests/05_signature_tests.py
new file mode 100755
index 00000000..1d9f8e70
--- /dev/null
+++ b/debian/tests/05_signature_tests.py
@@ -0,0 +1,91 @@
+#
+# UEFI signature validation
+#
+# Copyright (C) 2019 Canonical, Ltd.
+# Author: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import subprocess
+import sys
+import unittest
+import tempfile
+
+from pathlib import Path
+
+from uefi_tests_base import UEFITestsBase
+
+
+class TestSignatures(UEFITestsBase):
+    """
+    Validate UEFI signatures for common problems
+    """
+    @classmethod
+    def setUpClass(klass):
+        UEFITestsBase.setUpClass()
+
+
+    def testInstalledGrubIsSigned(self):
+        """Check that the GRUB copy we installed is correctly signed"""
+        installed_grub_file = Path(self.signed_grub_path)
+        self.assertTrue(installed_grub_file.exists())
+        signed_out = subprocess.run(['sbverify', '--list', self.signed_grub_path],
+                                    stdout=subprocess.PIPE)
+        self.assertIn(b'image signature issuers:', signed_out.stdout)
+
+    def testGrubSignatureValid(self):
+        return
+        """Ensure the installed GRUB binary from packaging is signed with the expected key"""
+        self.assertSignatureOK(self.ca, self.signed_grub_path)
+
+    def testInstalledShimIsSigned(self):
+        """Check that the installed shim is signed"""
+        installed_shim_file = Path(self.signed_shim_path)
+        self.assertTrue(installed_shim_file.exists())
+        signed_out = subprocess.run(['sbverify', '--list', self.signed_shim_path],
+                                    stdout=subprocess.PIPE)
+        self.assertIn(b'image signature issuers:', signed_out.stdout)
+    def testHaveSignedShimOnESP(self):
+        """Verify that packaging has provided a signed shim"""
+        return
+        signed_shim_file = Path(self.installed_shim)
+        self.assertTrue(signed_shim_file.exists())
+
+    def testSignaturesExist(self):
+        """Validate that a binary has non-zero signatures"""
+        unsigned_out = subprocess.run(['sbverify', '--list', self.unsigned_shim_path],
+                                      stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+        self.assertIn(b'No signature table present', unsigned_out.stderr)
+        signed_out = subprocess.run(['sbverify', '--list', self.signed_shim_path],
+                                    stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+        self.assertIn(b'image signature issuers:', signed_out.stdout)
+
+    def testSignatureIsReplayable(self):
+        """Attest that signature is retrievable from a binary and can be replayed"""
+        with tempfile.TemporaryDirectory() as tmpdirname:
+            subprocess.call(['sbattach',
+                             '--detach', os.path.join(tmpdirname, 'sig.pkcs7'),
+                             self.signed_shim_path])
+            pkcs7_certs = subprocess.run(['openssl', 'pkcs7',
+                                          '-inform', 'der',
+                                          '-in', os.path.join(tmpdirname, 'sig.pkcs7'),
+                                          '-print_certs'],
+                                         stdout=subprocess.PIPE)
+            with open(os.path.join(tmpdirname, 'out.crt'), 'ab+') as certstore:
+                certstore.write(pkcs7_certs.stdout)
+            self.assertSignatureOK(os.path.join(tmpdirname, 'out.crt'), self.signed_shim_path)
+
+
+unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout, verbosity=2))
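Review bot: `testGrubSignatureValid` and `testHaveSignedShimOnESP` are neutered by a bare `return` (in the first it even precedes the docstring, so the docstring is dead code) yet both still report as passed, so the only check that the GRUB signature chains to `self.ca` and the only check that a signed shim exists at `self.installed_shim` silently do nothing. Make the disablement visible in the test report by replacing each `return` with a skip decorator, e.g. `@unittest.skip("signature check against self.ca not yet enabled")`, and move the docstring back to the first line of the body. The `subprocess.run(['sbverify', ...])` calls that expect a signed binary never pass `check=True`, so a missing or crashing `sbverify` fails only indirectly through the `assertIn` on empty output; `check=True` on those calls (not on the unsigned-shim call in `testSignaturesExist`, where a non-zero exit is expected) would give a clearer failure. Note too that `testSignatureIsReplayable` verifies the shim against certificates extracted from its own signature, which shows the signature is well-formed but not that it chains to a trusted CA; a sentence to that effect in its docstring would keep it from being read as a trust check.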
