From 94019776bdc293ea2c96a4ab8ae7fe7ef3c7ef3a Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Tue, 15 Jul 2025 11:36:34 +0530 Subject: [PATCH] ci(security): Security test app updated yml - Also fixes the errors generated by the check-test-scripts command --- .../test_apps/security/.build-test-rules.yml | 14 +++---- .../secure_boot/pytest_secure_boot.py | 41 +++++++++++-------- 2 files changed, 30 insertions(+), 25 deletions(-) diff --git a/tools/test_apps/security/.build-test-rules.yml b/tools/test_apps/security/.build-test-rules.yml index b20c53e61f..8ec9a97eb6 100644 --- a/tools/test_apps/security/.build-test-rules.yml +++ b/tools/test_apps/security/.build-test-rules.yml @@ -1,16 +1,12 @@ # Documentation: .gitlab/ci/README.md#manifest-file-to-control-the-buildtest-apps tools/test_apps/security/secure_boot: - disable: - - if: CONFIG_NAME == "ecdsa_p192" - reason: Building the application for secure boot using ECDSA P192 scheme can be skipped in the CI. - disable_test: - - if: CONFIG_NAME != "qemu" + enable: + - if: CONFIG_NAME == "qemu" reason: the test can only run on an FPGA as efuses need to be reset during the test. - disable_test: - - if: IDF_TARGET in ["esp32", "esp32c2", "esp32c6", "esp32h2", "esp32s2", "esp32c61", "esp32p4", "esp32s3"] - temporary: true - reason: Can't use Kconfig option IDF_ENV_FPGA in `disable`. IDFCI-2992 + disable: + - if: CONFIG_NAME != "qemu" or IDF_TARGET == "linux" + reason: Skipping redundant CI builds for all the targets. tools/test_apps/security/signed_app_no_secure_boot: enable: diff --git a/tools/test_apps/security/secure_boot/pytest_secure_boot.py b/tools/test_apps/security/secure_boot/pytest_secure_boot.py index 1f74fc7a78..36b5ce17f9 100644 --- a/tools/test_apps/security/secure_boot/pytest_secure_boot.py +++ b/tools/test_apps/security/secure_boot/pytest_secure_boot.py @@ -142,7 +142,7 @@ def dut_start_secure_app(dut: Dut) -> None: dut.serial.app_flash(os.path.join(dut.app.binary_path, 'secure_boot.bin')) -def test_examples_security_secure_boot(dut: Dut) -> None: +def _examples_security_secure_boot(dut: Dut) -> None: dut_start_secure_app(dut) dut.expect('Secure Boot is enabled', timeout=10) dut.serial.reset_efuses() @@ -151,14 +151,16 @@ def test_examples_security_secure_boot(dut: Dut) -> None: # Test secure boot flow. # Correctly signed bootloader + correctly signed app should work +@pytest.mark.generic @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) def test_examples_security_secure_boot_rsa(dut: Dut) -> None: - test_examples_security_secure_boot(dut) + _examples_security_secure_boot(dut) +@pytest.mark.generic @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) def test_examples_security_secure_boot_ecdsa(dut: Dut) -> None: - test_examples_security_secure_boot(dut) + _examples_security_secure_boot(dut) # Test secure boot flow. @@ -175,7 +177,6 @@ def test_examples_security_secure_boot_ecdsa(dut: Dut) -> None: ], indirect=True, ) -@pytest.mark.parametrize('target', ['esp32c3'], indirect=True) @pytest.mark.parametrize('config', ['qemu'], indirect=True) @idf_parametrize('target', ['esp32c3'], indirect=['target']) def test_examples_security_secure_boot_qemu(dut: Dut) -> None: @@ -193,7 +194,7 @@ def test_examples_security_secure_boot_qemu(dut: Dut) -> None: efuse_file.write(bytearray.fromhex(esp32c3_efuses)) -def test_examples_security_secure_boot_key_combo(dut: Dut) -> None: +def _examples_security_secure_boot_key_combo(dut: Dut) -> None: dut_start_secure_app(dut) dut.expect('Secure Boot is enabled', timeout=10) efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS') @@ -214,9 +215,10 @@ def test_examples_security_secure_boot_key_combo(dut: Dut) -> None: # Increasing the test timeout to 1200s as the test runs for 18 iterations # and thus the default 600s timeout is not sufficient @pytest.mark.timeout(1200) +@pytest.mark.generic @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) def test_examples_security_secure_boot_key_combo_rsa(dut: Dut) -> None: - test_examples_security_secure_boot_key_combo(dut) + _examples_security_secure_boot_key_combo(dut) # Test efuse key index and key block combination. @@ -224,12 +226,13 @@ def test_examples_security_secure_boot_key_combo_rsa(dut: Dut) -> None: # Increasing the test timeout to 1200s as the test runs for 18 iterations # and thus the default 600s timeout is not sufficient @pytest.mark.timeout(1200) +@pytest.mark.generic @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) def test_examples_security_secure_boot_key_combo_ecdsa(dut: Dut) -> None: - test_examples_security_secure_boot_key_combo(dut) + _examples_security_secure_boot_key_combo(dut) -def test_examples_security_secure_boot_key_revoke(dut: Dut) -> None: +def _examples_security_secure_boot_key_revoke(dut: Dut) -> None: dut_start_secure_app(dut) dut.expect('Secure Boot is enabled', timeout=10) efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS') @@ -248,16 +251,18 @@ def test_examples_security_secure_boot_key_revoke(dut: Dut) -> None: # Test secure boot key revoke. # If a key is revoked, bootloader signed with that key should fail verification +@pytest.mark.generic @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) def test_examples_security_secure_boot_key_revoke_rsa(dut: Dut) -> None: - test_examples_security_secure_boot_key_revoke(dut) + _examples_security_secure_boot_key_revoke(dut) # Test secure boot key revoke. # If a key is revoked, bootloader signed with that key should fail verification +@pytest.mark.generic @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) def test_examples_security_secure_boot_key_revoke_ecdsa(dut: Dut) -> None: - test_examples_security_secure_boot_key_revoke(dut) + _examples_security_secure_boot_key_revoke(dut) def get_signature_type_size(dut: Dut, signature_type: int) -> int: @@ -278,7 +283,7 @@ def get_signature_type_size(dut: Dut, signature_type: int) -> int: return signature_type_size -def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut, signature_type: int) -> None: +def _examples_security_secure_boot_corrupt_bl_sig(dut: Dut, signature_type: int) -> None: dut_start_secure_app(dut) dut.expect('Secure Boot is enabled', timeout=10) @@ -314,9 +319,10 @@ def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut, signature_type: @pytest.mark.timeout(18000) # Increasing the test timeout to 18000s as the test runs for 384 iterations # and thus the default 600s timeout is not sufficient +@pytest.mark.generic @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) def test_examples_security_secure_boot_corrupt_bl_sig_rsa(dut: Dut) -> None: - test_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_RSA) + _examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_RSA) # Test bootloader signature corruption. @@ -324,12 +330,13 @@ def test_examples_security_secure_boot_corrupt_bl_sig_rsa(dut: Dut) -> None: @pytest.mark.timeout(18000) # Increasing the test timeout to 18000s as the test runs for 384 iterations # and thus the default 600s timeout is not sufficient +@pytest.mark.generic @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) def test_examples_security_secure_boot_corrupt_bl_sig_ecdsa(dut: Dut) -> None: - test_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA) + _examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA) -def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut, signature_type: int) -> None: +def _examples_security_secure_boot_corrupt_app_sig(dut: Dut, signature_type: int) -> None: dut_start_secure_app(dut) dut.expect('Secure Boot is enabled', timeout=10) @@ -383,9 +390,10 @@ def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut, signature_type: @pytest.mark.timeout(18000) # Increasing the test timeout to 18000s as the test runs for 385 iterations # and thus the default 600s timeout is not sufficient +@pytest.mark.generic @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) def test_examples_security_secure_boot_corrupt_app_sig_rsa(dut: Dut) -> None: - test_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_RSA) + _examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_RSA) # Test app signature corruption. @@ -393,6 +401,7 @@ def test_examples_security_secure_boot_corrupt_app_sig_rsa(dut: Dut) -> None: @pytest.mark.timeout(18000) # Increasing the test timeout to 18000s as the test runs for 385 iterations # and thus the default 600s timeout is not sufficient +@pytest.mark.generic @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) def test_examples_security_secure_boot_corrupt_app_sig_ecdsa(dut: Dut) -> None: - test_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA) + _examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA)