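// Copyright 2023 the LinuxBoot Authors. All rights reserved
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package psb

import (
	"bytes"
	"crypto/sha256"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"github.com/stretchr/testify/suite"
)

// Expected values for the key fixtures (amdRootKey, oemSigningKey, keyDB)
// exercised by these tests.
//
// Key material is never compared byte-for-byte; instead the SHA256 of the
// parsed exponent/modulus buffers is pinned. A fixture that is accidentally
// (or maliciously) swapped for a different key therefore fails loudly
// instead of silently re-baselining the expectations.
var (
	// SHA256 of the common RSA exponent, 0x10001, as held in
	// key.data.Exponent after parsing (i.e. of the buffer the parser
	// produces, not necessarily of the minimal big-endian encoding).
	rsaCommonExponentSHA256 = [32]uint8{0xc8, 0xa2, 0x22, 0xa2, 0x60, 0xf3, 0x57, 0xf5, 0xfd, 0x2b, 0x6d, 0x22, 0x49, 0x2, 0x2e, 0xef, 0xea, 0xa2, 0x8, 0xbd, 0x12, 0x13, 0x7, 0x89, 0xa2, 0x60, 0x0, 0x9b, 0x6a, 0xea, 0x58, 0xbb}
	// Key ID of the root key belonging to AMD (the trust anchor).
	rootKeyID = Buf16B{0x94, 0xc3, 0x8e, 0x41, 0x77, 0xd0, 0x47, 0x92, 0x92, 0xa7, 0xae, 0x67, 0x1d, 0x08, 0x3f, 0xb6}
	// KeyID of the OEM signing key (certified by the AMD root key).
	oemKeyID = Buf16B{0xef, 0x99, 0x1d, 0xb4, 0x41, 0x42, 0x44, 0x67, 0x92, 0x65, 0x92, 0x3d, 0xe8, 0xbc, 0x51, 0xd8}
	// KeyID of the signing key for SMU off chip (0x08, 0x12) firmware and MP5 firmware (0x2A)
	smuSigningKeyID = Buf16B{0x6e, 0x97, 0xee, 0xe0, 0x86, 0xbd, 0x4b, 0x41, 0xb5, 0x82, 0x01, 0xce, 0x9f, 0xe3, 0x08, 0x73}
	// KeyID of the signing key for PSP early secure unblock debug image
	earlySecurePSPKeyID = Buf16B{0x80, 0xac, 0x38, 0xa7, 0x85, 0x99, 0x45, 0xf8, 0xba, 0x5f, 0xb9, 0xb4, 0xc7, 0xa5, 0x79, 0x8f}
	// KeyID of the signing key for security policy binary
	securityPolicyBinaryKeyID = Buf16B{0xf2, 0x4b, 0x7f, 0x7e, 0xdc, 0xe5, 0x45, 0xdd, 0x89, 0xb6, 0x5c, 0xd0, 0x7e, 0xf7, 0x40, 0x97}
	// KeyID of the signing key for PSP AGESA Binary
	agesaKeyID = Buf16B{0x28, 0x9a, 0xfe, 0x36, 0xf6, 0x3c, 0x4f, 0x88, 0xbc, 0x13, 0x85, 0xaa, 0x6d, 0x92, 0x38, 0x91}
	// KeyID of the signing key for SEV Code (0x39)
	sevCodeKeyID = Buf16B{0x03, 0x11, 0x7b, 0x7e, 0x60, 0xcb, 0x40, 0x3e, 0xbf, 0x9e, 0xcd, 0x55, 0x7e, 0xcb, 0x99, 0x71}
	// KeyID of the signing key for DXIO PHY SRAM FW (0x42)
	dxioKeyID = Buf16B{0xff, 0xfe, 0x23, 0x6b, 0x8b, 0xcc, 0x4a, 0x2b, 0xac, 0xbb, 0x85, 0x6e, 0x12, 0x03, 0x68, 0xfd}
	// KeyID of the signing key for DRTM TA (0x47)
	drtmTaKeyID = Buf16B{0x25, 0x59, 0xbe, 0x9e, 0x7b, 0xef, 0x4c, 0x54, 0x99, 0x02, 0x42, 0xc4, 0xfa, 0xe1, 0x55, 0x22}

	// Unknown keys (i.e. for which it is not clear what they sign).
	// They are still asserted present so that a change in the key
	// database contents is noticed even for entries we cannot name.
	unknownKey1 = Buf16B{0xea, 0x94, 0x0a, 0x66, 0x12, 0x38, 0x41, 0x2d, 0xb3, 0x9e, 0xab, 0xa2, 0x93, 0x4d, 0x4a, 0x9f}
)

// KeySuite groups the tests for PSB key parsing, key-set bookkeeping and
// key-database parsing.
type KeySuite struct {
	suite.Suite
}

// TestKeySetAddKey checks that a freshly parsed AMD root key can be added to
// an empty KeySet and is afterwards retrievable by its KeyID.
func (suite *KeySuite) TestKeySetAddKey() {
	t := suite.T()

	// Parsing must succeed before anything else is meaningful: with
	// assert a parse failure would leave rootKey unusable and the calls
	// below would panic instead of reporting a readable failure.
	rootKey, err := NewRootKey(bytes.NewBuffer(amdRootKey))
	require.NoError(t, err)

	keySet := NewKeySet()
	require.NoError(t, keySet.AddKey(rootKey, AMDRootKey))

	assert.Len(t, keySet.AllKeyIDs(), 1)
	assert.NotNil(t, keySet.GetKey(KeyID(rootKeyID)))
}

// TestRootKeyFields pins the parsed structure of the AMD root key fixture:
// version, identifiers, usage flag, key sizes and the digests of the key
// material.
func (suite *KeySuite) TestRootKeyFields() {
	t := suite.T()

	key, err := NewRootKey(bytes.NewBuffer(amdRootKey))
	require.NoError(t, err)

	assert.Equal(t, uint32(0x01), key.data.VersionID)

	// The root key is the trust anchor: it is its own certifying key, so
	// CertifyingKeyID must equal KeyID. Nothing above it vouches for it;
	// its authenticity rests on the pinned modulus digest below.
	assert.Equal(t, KeyID(rootKeyID), key.data.KeyID)
	assert.Equal(t, rootKeyID, key.data.CertifyingKeyID)
	assert.Equal(t, SignAMDBootloaderPSPSMU, key.data.KeyUsageFlag)

	// 0x1000 for both sizes; presumably expressed in bits (4096-bit RSA),
	// the unit is not visible from this test.
	assert.Equal(t, uint32(0x1000), key.data.ExponentSize)
	assert.Equal(t, uint32(0x1000), key.data.ModulusSize)

	expectedModulusHash := [32]uint8{0x87, 0xdb, 0xd4, 0x5, 0x40, 0x23, 0x7d, 0xf3, 0x9c, 0x7, 0x2e, 0xfc, 0x2b, 0xa9, 0x1e, 0xc2, 0x3a, 0xe, 0xe5, 0x7e, 0x2a, 0xf0, 0x74, 0xdd, 0xe8, 0x44, 0xa4, 0x61, 0x4d, 0xc4, 0x57, 0x7b}

	assert.Equal(t, rsaCommonExponentSHA256, sha256.Sum256(key.data.Exponent))
	assert.Equal(t, expectedModulusHash, sha256.Sum256(key.data.Modulus))
}

// TestOEMKeyFields parses the OEM signing key as a token key against a key
// set that holds only the AMD root key, then pins its identifiers, usage
// flag, platform binding, security feature vector and key-material digests.
func (suite *KeySuite) TestOEMKeyFields() {
	t := suite.T()

	rootKey, err := NewRootKey(bytes.NewBuffer(amdRootKey))
	require.NoError(t, err)

	// The key set deliberately contains only the root key, so whatever
	// certifying-key lookup/validation NewTokenKey performs can only be
	// satisfied by the AMD root key.
	keySet := NewKeySet()
	require.NoError(t, keySet.AddKey(rootKey, AMDRootKey))

	key, err := NewTokenKey(bytes.NewBuffer(oemSigningKey), keySet)
	require.NoError(t, err)
	assert.Equal(t, uint32(0x01), key.data.VersionID)

	// Chain of trust: the OEM key must name the AMD root key as its
	// certifying key.
	assert.Equal(t, KeyID(oemKeyID), key.data.KeyID)
	assert.Equal(t, rootKey.data.KeyID, KeyID(key.data.CertifyingKeyID))

	assert.Equal(t, PSBSignBIOS, key.data.KeyUsageFlag)

	platSignInfo, err := GetPlatformBindingInfo(key)
	require.NoError(t, err)
	assert.Equal(t, byte(0x8D), platSignInfo.VendorID)
	assert.Zero(t, platSignInfo.KeyRevisionID)
	assert.Zero(t, platSignInfo.PlatformModelID)

	// None of the security-feature opt-outs are set for this fixture:
	// a key that disabled anti-rollback or secure debug unlock would be a
	// materially different (weaker) key and must not pass unnoticed.
	securityFeatures, err := GetSecurityFeatureVector(key)
	require.NoError(t, err)
	assert.False(t, securityFeatures.DisableAMDBIOSKeyUse)
	assert.False(t, securityFeatures.DisableBIOSKeyAntiRollback)
	assert.False(t, securityFeatures.DisableSecureDebugUnlock)

	assert.Equal(t, uint32(0x1000), key.data.ExponentSize)
	assert.Equal(t, uint32(0x1000), key.data.ModulusSize)

	expectedModulusHash := [32]uint8{0x53, 0xbf, 0x68, 0xb9, 0x67, 0x97, 0xc5, 0x1f, 0xdd, 0xd3, 0xe6, 0x65, 0x2b, 0x2d, 0xdd, 0x2c, 0x6e, 0x57, 0x37, 0xee, 0x69, 0x6c, 0x50, 0x83, 0xa1, 0x25, 0xa9, 0x74, 0x24, 0xc1, 0xaf, 0x91}

	assert.Equal(t, rsaCommonExponentSHA256, sha256.Sum256(key.data.Exponent))
	assert.Equal(t, expectedModulusHash, sha256.Sum256(key.data.Modulus))
}

// TestKeyDBParsing parses the key database fixture into an empty key set and
// checks exactly the expected keys are present, and that keys delivered by
// other means (OEM key, AGESA key) are not.
//
// NOTE(review): the key set is empty when parseKeyDatabase runs, so this
// test covers parsing and lookup only; whether the database entries are
// authenticated against the AMD root key is not exercised here — confirm it
// is covered by the code path that consumes a real key database.
func (suite *KeySuite) TestKeyDBParsing() {
	t := suite.T()

	keySet := NewKeySet()
	require.NoError(t, parseKeyDatabase(keyDB, keySet))

	// Keys expected in the database. The length assertion below must be
	// kept equal to the size of this table so that an unexpected extra
	// entry is detected as well as a missing one.
	expectedKeys := map[string]Buf16B{
		"security policy binary": securityPolicyBinaryKeyID,
		"SEV code":               sevCodeKeyID,
		"SMU/MP5 firmware":       smuSigningKeyID,
		"early secure PSP":       earlySecurePSPKeyID,
		"unknown key 1":          unknownKey1,
		"DXIO PHY SRAM FW":       dxioKeyID,
		"DRTM TA":                drtmTaKeyID,
	}
	assert.Len(t, keySet.AllKeyIDs(), len(expectedKeys))

	for name, id := range expectedKeys {
		assert.NotNilf(t, keySet.GetKey(KeyID(id)), "key %q missing from key database", name)
	}

	// Keys that are not part of the key database must not appear.
	assert.Nil(t, keySet.GetKey(KeyID(oemKeyID)))
	assert.Nil(t, keySet.GetKey(KeyID(agesaKeyID)))
}

// TestKeySuite is the go test entry point that runs KeySuite.
func TestKeySuite(t *testing.T) {
	suite.Run(t, new(KeySuite))
}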