espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-03 20:54:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

ci(security): Security test app updated yml

Browse Source 
- Also fixes the errors generated by the check-test-scripts command
This commit is contained in:
harshal.patil
2025-07-15 11:36:34 +05:30
parent dbcaddb745
commit 94019776bd
2 changed files with 30 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
tools/test_apps/security/.build-test-rules.yml
View File

@@ -1,16 +1,12 @@
# Documentation: .gitlab/ci/README.md#manifest-file-to-control-the-buildtest-apps # Documentation: .gitlab/ci/README.md#manifest-file-to-control-the-buildtest-apps
tools/test_apps/security/secure_boot: tools/test_apps/security/secure_boot:
disable: enable:
- if: CONFIG_NAME == "ecdsa_p192" - if: CONFIG_NAME == "qemu"
reason: Building the application for secure boot using ECDSA P192 scheme can be skipped in the CI.
disable_test:
- if: CONFIG_NAME != "qemu"
reason: the test can only run on an FPGA as efuses need to be reset during the test. reason: the test can only run on an FPGA as efuses need to be reset during the test.
disable_test: disable:
- if: IDF_TARGET in ["esp32", "esp32c2", "esp32c6", "esp32h2", "esp32s2", "esp32c61", "esp32p4", "esp32s3"] - if: CONFIG_NAME != "qemu" or IDF_TARGET == "linux"
temporary: true reason: Skipping redundant CI builds for all the targets.
reason: Can't use Kconfig option IDF_ENV_FPGA in `disable`. IDFCI-2992
tools/test_apps/security/signed_app_no_secure_boot: tools/test_apps/security/signed_app_no_secure_boot:
enable: enable:

41
tools/test_apps/security/secure_boot/pytest_secure_boot.py
View File

@@ -142,7 +142,7 @@ def dut_start_secure_app(dut: Dut) -> None:
dut.serial.app_flash(os.path.join(dut.app.binary_path, 'secure_boot.bin')) dut.serial.app_flash(os.path.join(dut.app.binary_path, 'secure_boot.bin'))
def test_examples_security_secure_boot(dut: Dut) -> None: def _examples_security_secure_boot(dut: Dut) -> None:
dut_start_secure_app(dut) dut_start_secure_app(dut)
dut.expect('Secure Boot is enabled', timeout=10) dut.expect('Secure Boot is enabled', timeout=10)
dut.serial.reset_efuses() dut.serial.reset_efuses()
@@ -151,14 +151,16 @@ def test_examples_security_secure_boot(dut: Dut) -> None:
# Test secure boot flow. # Test secure boot flow.
# Correctly signed bootloader + correctly signed app should work # Correctly signed bootloader + correctly signed app should work
@pytest.mark.generic
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
def test_examples_security_secure_boot_rsa(dut: Dut) -> None: def test_examples_security_secure_boot_rsa(dut: Dut) -> None:
test_examples_security_secure_boot(dut) _examples_security_secure_boot(dut)
@pytest.mark.generic
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
def test_examples_security_secure_boot_ecdsa(dut: Dut) -> None: def test_examples_security_secure_boot_ecdsa(dut: Dut) -> None:
test_examples_security_secure_boot(dut) _examples_security_secure_boot(dut)
# Test secure boot flow. # Test secure boot flow.
@@ -175,7 +177,6 @@ def test_examples_security_secure_boot_ecdsa(dut: Dut) -> None:
], ],
indirect=True, indirect=True,
) )
@pytest.mark.parametrize('target', ['esp32c3'], indirect=True)
@pytest.mark.parametrize('config', ['qemu'], indirect=True) @pytest.mark.parametrize('config', ['qemu'], indirect=True)
@idf_parametrize('target', ['esp32c3'], indirect=['target']) @idf_parametrize('target', ['esp32c3'], indirect=['target'])
def test_examples_security_secure_boot_qemu(dut: Dut) -> None: def test_examples_security_secure_boot_qemu(dut: Dut) -> None:
@@ -193,7 +194,7 @@ def test_examples_security_secure_boot_qemu(dut: Dut) -> None:
efuse_file.write(bytearray.fromhex(esp32c3_efuses)) efuse_file.write(bytearray.fromhex(esp32c3_efuses))
def test_examples_security_secure_boot_key_combo(dut: Dut) -> None: def _examples_security_secure_boot_key_combo(dut: Dut) -> None:
dut_start_secure_app(dut) dut_start_secure_app(dut)
dut.expect('Secure Boot is enabled', timeout=10) dut.expect('Secure Boot is enabled', timeout=10)
efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS') efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS')
@@ -214,9 +215,10 @@ def test_examples_security_secure_boot_key_combo(dut: Dut) -> None:
# Increasing the test timeout to 1200s as the test runs for 18 iterations # Increasing the test timeout to 1200s as the test runs for 18 iterations
# and thus the default 600s timeout is not sufficient # and thus the default 600s timeout is not sufficient
@pytest.mark.timeout(1200) @pytest.mark.timeout(1200)
@pytest.mark.generic
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
def test_examples_security_secure_boot_key_combo_rsa(dut: Dut) -> None: def test_examples_security_secure_boot_key_combo_rsa(dut: Dut) -> None:
test_examples_security_secure_boot_key_combo(dut) _examples_security_secure_boot_key_combo(dut)
# Test efuse key index and key block combination. # Test efuse key index and key block combination.
@@ -224,12 +226,13 @@ def test_examples_security_secure_boot_key_combo_rsa(dut: Dut) -> None:
# Increasing the test timeout to 1200s as the test runs for 18 iterations # Increasing the test timeout to 1200s as the test runs for 18 iterations
# and thus the default 600s timeout is not sufficient # and thus the default 600s timeout is not sufficient
@pytest.mark.timeout(1200) @pytest.mark.timeout(1200)
@pytest.mark.generic
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
def test_examples_security_secure_boot_key_combo_ecdsa(dut: Dut) -> None: def test_examples_security_secure_boot_key_combo_ecdsa(dut: Dut) -> None:
test_examples_security_secure_boot_key_combo(dut) _examples_security_secure_boot_key_combo(dut)
def test_examples_security_secure_boot_key_revoke(dut: Dut) -> None: def _examples_security_secure_boot_key_revoke(dut: Dut) -> None:
dut_start_secure_app(dut) dut_start_secure_app(dut)
dut.expect('Secure Boot is enabled', timeout=10) dut.expect('Secure Boot is enabled', timeout=10)
efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS') efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS')
@@ -248,16 +251,18 @@ def test_examples_security_secure_boot_key_revoke(dut: Dut) -> None:
# Test secure boot key revoke. # Test secure boot key revoke.
# If a key is revoked, bootloader signed with that key should fail verification # If a key is revoked, bootloader signed with that key should fail verification
@pytest.mark.generic
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
def test_examples_security_secure_boot_key_revoke_rsa(dut: Dut) -> None: def test_examples_security_secure_boot_key_revoke_rsa(dut: Dut) -> None:
test_examples_security_secure_boot_key_revoke(dut) _examples_security_secure_boot_key_revoke(dut)
# Test secure boot key revoke. # Test secure boot key revoke.
# If a key is revoked, bootloader signed with that key should fail verification # If a key is revoked, bootloader signed with that key should fail verification
@pytest.mark.generic
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
def test_examples_security_secure_boot_key_revoke_ecdsa(dut: Dut) -> None: def test_examples_security_secure_boot_key_revoke_ecdsa(dut: Dut) -> None:
test_examples_security_secure_boot_key_revoke(dut) _examples_security_secure_boot_key_revoke(dut)
def get_signature_type_size(dut: Dut, signature_type: int) -> int: def get_signature_type_size(dut: Dut, signature_type: int) -> int:
@@ -278,7 +283,7 @@ def get_signature_type_size(dut: Dut, signature_type: int) -> int:
return signature_type_size return signature_type_size
def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut, signature_type: int) -> None: def _examples_security_secure_boot_corrupt_bl_sig(dut: Dut, signature_type: int) -> None:
dut_start_secure_app(dut) dut_start_secure_app(dut)
dut.expect('Secure Boot is enabled', timeout=10) dut.expect('Secure Boot is enabled', timeout=10)
@@ -314,9 +319,10 @@ def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut, signature_type:
@pytest.mark.timeout(18000) @pytest.mark.timeout(18000)
# Increasing the test timeout to 18000s as the test runs for 384 iterations # Increasing the test timeout to 18000s as the test runs for 384 iterations
# and thus the default 600s timeout is not sufficient # and thus the default 600s timeout is not sufficient
@pytest.mark.generic
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
def test_examples_security_secure_boot_corrupt_bl_sig_rsa(dut: Dut) -> None: def test_examples_security_secure_boot_corrupt_bl_sig_rsa(dut: Dut) -> None:
test_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_RSA) _examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_RSA)
# Test bootloader signature corruption. # Test bootloader signature corruption.
@@ -324,12 +330,13 @@ def test_examples_security_secure_boot_corrupt_bl_sig_rsa(dut: Dut) -> None:
@pytest.mark.timeout(18000) @pytest.mark.timeout(18000)
# Increasing the test timeout to 18000s as the test runs for 384 iterations # Increasing the test timeout to 18000s as the test runs for 384 iterations
# and thus the default 600s timeout is not sufficient # and thus the default 600s timeout is not sufficient
@pytest.mark.generic
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
def test_examples_security_secure_boot_corrupt_bl_sig_ecdsa(dut: Dut) -> None: def test_examples_security_secure_boot_corrupt_bl_sig_ecdsa(dut: Dut) -> None:
test_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA) _examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA)
def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut, signature_type: int) -> None: def _examples_security_secure_boot_corrupt_app_sig(dut: Dut, signature_type: int) -> None:
dut_start_secure_app(dut) dut_start_secure_app(dut)
dut.expect('Secure Boot is enabled', timeout=10) dut.expect('Secure Boot is enabled', timeout=10)
@@ -383,9 +390,10 @@ def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut, signature_type:
@pytest.mark.timeout(18000) @pytest.mark.timeout(18000)
# Increasing the test timeout to 18000s as the test runs for 385 iterations # Increasing the test timeout to 18000s as the test runs for 385 iterations
# and thus the default 600s timeout is not sufficient # and thus the default 600s timeout is not sufficient
@pytest.mark.generic
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target']) @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
def test_examples_security_secure_boot_corrupt_app_sig_rsa(dut: Dut) -> None: def test_examples_security_secure_boot_corrupt_app_sig_rsa(dut: Dut) -> None:
test_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_RSA) _examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_RSA)
# Test app signature corruption. # Test app signature corruption.
@@ -393,6 +401,7 @@ def test_examples_security_secure_boot_corrupt_app_sig_rsa(dut: Dut) -> None:
@pytest.mark.timeout(18000) @pytest.mark.timeout(18000)
# Increasing the test timeout to 18000s as the test runs for 385 iterations # Increasing the test timeout to 18000s as the test runs for 385 iterations
# and thus the default 600s timeout is not sufficient # and thus the default 600s timeout is not sufficient
@pytest.mark.generic
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target']) @idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
def test_examples_security_secure_boot_corrupt_app_sig_ecdsa(dut: Dut) -> None: def test_examples_security_secure_boot_corrupt_app_sig_ecdsa(dut: Dut) -> None:
test_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA) _examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA)