mirror of
https://github.com/espressif/esp-idf.git
synced 2025-08-03 12:44:33 +02:00
ci(security): Security test app updated yml
- Also fixes the errors generated by the check-test-scripts command
This commit is contained in:
harshal.patil
@@ -1,16 +1,12 @@
|
||||
# Documentation: .gitlab/ci/README.md#manifest-file-to-control-the-buildtest-apps
|
||||
|
||||
tools/test_apps/security/secure_boot:
|
||||
disable:
|
||||
- if: CONFIG_NAME == "ecdsa_p192"
|
||||
reason: Building the application for secure boot using ECDSA P192 scheme can be skipped in the CI.
|
||||
disable_test:
|
||||
- if: CONFIG_NAME != "qemu"
|
||||
enable:
|
||||
- if: CONFIG_NAME == "qemu"
|
||||
reason: the test can only run on an FPGA as efuses need to be reset during the test.
|
||||
disable_test:
|
||||
- if: IDF_TARGET in ["esp32", "esp32c2", "esp32c6", "esp32h2", "esp32s2", "esp32c61", "esp32p4", "esp32s3"]
|
||||
temporary: true
|
||||
reason: Can't use Kconfig option IDF_ENV_FPGA in `disable`. IDFCI-2992
|
||||
disable:
|
||||
- if: CONFIG_NAME != "qemu" or IDF_TARGET == "linux"
|
||||
reason: Skipping redundant CI builds for all the targets.
|
||||
|
||||
tools/test_apps/security/signed_app_no_secure_boot:
|
||||
enable:
|
||||
|
||||
@@ -142,7 +142,7 @@ def dut_start_secure_app(dut: Dut) -> None:
|
||||
dut.serial.app_flash(os.path.join(dut.app.binary_path, 'secure_boot.bin'))
|
||||
|
||||
|
||||
def test_examples_security_secure_boot(dut: Dut) -> None:
|
||||
def _examples_security_secure_boot(dut: Dut) -> None:
|
||||
dut_start_secure_app(dut)
|
||||
dut.expect('Secure Boot is enabled', timeout=10)
|
||||
dut.serial.reset_efuses()
|
||||
@@ -151,14 +151,16 @@ def test_examples_security_secure_boot(dut: Dut) -> None:
|
||||
|
||||
# Test secure boot flow.
|
||||
# Correctly signed bootloader + correctly signed app should work
|
||||
@pytest.mark.generic
|
||||
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
|
||||
def test_examples_security_secure_boot_rsa(dut: Dut) -> None:
|
||||
test_examples_security_secure_boot(dut)
|
||||
_examples_security_secure_boot(dut)
|
||||
|
||||
|
||||
@pytest.mark.generic
|
||||
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
|
||||
def test_examples_security_secure_boot_ecdsa(dut: Dut) -> None:
|
||||
test_examples_security_secure_boot(dut)
|
||||
_examples_security_secure_boot(dut)
|
||||
|
||||
|
||||
# Test secure boot flow.
|
||||
@@ -175,7 +177,6 @@ def test_examples_security_secure_boot_ecdsa(dut: Dut) -> None:
|
||||
],
|
||||
indirect=True,
|
||||
)
|
||||
@pytest.mark.parametrize('target', ['esp32c3'], indirect=True)
|
||||
@pytest.mark.parametrize('config', ['qemu'], indirect=True)
|
||||
@idf_parametrize('target', ['esp32c3'], indirect=['target'])
|
||||
def test_examples_security_secure_boot_qemu(dut: Dut) -> None:
|
||||
@@ -193,7 +194,7 @@ def test_examples_security_secure_boot_qemu(dut: Dut) -> None:
|
||||
efuse_file.write(bytearray.fromhex(esp32c3_efuses))
|
||||
|
||||
|
||||
def test_examples_security_secure_boot_key_combo(dut: Dut) -> None:
|
||||
def _examples_security_secure_boot_key_combo(dut: Dut) -> None:
|
||||
dut_start_secure_app(dut)
|
||||
dut.expect('Secure Boot is enabled', timeout=10)
|
||||
efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS')
|
||||
@@ -214,9 +215,10 @@ def test_examples_security_secure_boot_key_combo(dut: Dut) -> None:
|
||||
# Increasing the test timeout to 1200s as the test runs for 18 iterations
|
||||
# and thus the default 600s timeout is not sufficient
|
||||
@pytest.mark.timeout(1200)
|
||||
@pytest.mark.generic
|
||||
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
|
||||
def test_examples_security_secure_boot_key_combo_rsa(dut: Dut) -> None:
|
||||
test_examples_security_secure_boot_key_combo(dut)
|
||||
_examples_security_secure_boot_key_combo(dut)
|
||||
|
||||
|
||||
# Test efuse key index and key block combination.
|
||||
@@ -224,12 +226,13 @@ def test_examples_security_secure_boot_key_combo_rsa(dut: Dut) -> None:
|
||||
# Increasing the test timeout to 1200s as the test runs for 18 iterations
|
||||
# and thus the default 600s timeout is not sufficient
|
||||
@pytest.mark.timeout(1200)
|
||||
@pytest.mark.generic
|
||||
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
|
||||
def test_examples_security_secure_boot_key_combo_ecdsa(dut: Dut) -> None:
|
||||
test_examples_security_secure_boot_key_combo(dut)
|
||||
_examples_security_secure_boot_key_combo(dut)
|
||||
|
||||
|
||||
def test_examples_security_secure_boot_key_revoke(dut: Dut) -> None:
|
||||
def _examples_security_secure_boot_key_revoke(dut: Dut) -> None:
|
||||
dut_start_secure_app(dut)
|
||||
dut.expect('Secure Boot is enabled', timeout=10)
|
||||
efuse_secure_boot_key_digests = dut.app.sdkconfig.get('SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS')
|
||||
@@ -248,16 +251,18 @@ def test_examples_security_secure_boot_key_revoke(dut: Dut) -> None:
|
||||
|
||||
# Test secure boot key revoke.
|
||||
# If a key is revoked, bootloader signed with that key should fail verification
|
||||
@pytest.mark.generic
|
||||
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
|
||||
def test_examples_security_secure_boot_key_revoke_rsa(dut: Dut) -> None:
|
||||
test_examples_security_secure_boot_key_revoke(dut)
|
||||
_examples_security_secure_boot_key_revoke(dut)
|
||||
|
||||
|
||||
# Test secure boot key revoke.
|
||||
# If a key is revoked, bootloader signed with that key should fail verification
|
||||
@pytest.mark.generic
|
||||
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
|
||||
def test_examples_security_secure_boot_key_revoke_ecdsa(dut: Dut) -> None:
|
||||
test_examples_security_secure_boot_key_revoke(dut)
|
||||
_examples_security_secure_boot_key_revoke(dut)
|
||||
|
||||
|
||||
def get_signature_type_size(dut: Dut, signature_type: int) -> int:
|
||||
@@ -278,7 +283,7 @@ def get_signature_type_size(dut: Dut, signature_type: int) -> int:
|
||||
return signature_type_size
|
||||
|
||||
|
||||
def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut, signature_type: int) -> None:
|
||||
def _examples_security_secure_boot_corrupt_bl_sig(dut: Dut, signature_type: int) -> None:
|
||||
dut_start_secure_app(dut)
|
||||
dut.expect('Secure Boot is enabled', timeout=10)
|
||||
|
||||
@@ -314,9 +319,10 @@ def test_examples_security_secure_boot_corrupt_bl_sig(dut: Dut, signature_type:
|
||||
@pytest.mark.timeout(18000)
|
||||
# Increasing the test timeout to 18000s as the test runs for 384 iterations
|
||||
# and thus the default 600s timeout is not sufficient
|
||||
@pytest.mark.generic
|
||||
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
|
||||
def test_examples_security_secure_boot_corrupt_bl_sig_rsa(dut: Dut) -> None:
|
||||
test_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_RSA)
|
||||
_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_RSA)
|
||||
|
||||
|
||||
# Test bootloader signature corruption.
|
||||
@@ -324,12 +330,13 @@ def test_examples_security_secure_boot_corrupt_bl_sig_rsa(dut: Dut) -> None:
|
||||
@pytest.mark.timeout(18000)
|
||||
# Increasing the test timeout to 18000s as the test runs for 384 iterations
|
||||
# and thus the default 600s timeout is not sufficient
|
||||
@pytest.mark.generic
|
||||
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
|
||||
def test_examples_security_secure_boot_corrupt_bl_sig_ecdsa(dut: Dut) -> None:
|
||||
test_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA)
|
||||
_examples_security_secure_boot_corrupt_bl_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA)
|
||||
|
||||
|
||||
def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut, signature_type: int) -> None:
|
||||
def _examples_security_secure_boot_corrupt_app_sig(dut: Dut, signature_type: int) -> None:
|
||||
dut_start_secure_app(dut)
|
||||
dut.expect('Secure Boot is enabled', timeout=10)
|
||||
|
||||
@@ -383,9 +390,10 @@ def test_examples_security_secure_boot_corrupt_app_sig(dut: Dut, signature_type:
|
||||
@pytest.mark.timeout(18000)
|
||||
# Increasing the test timeout to 18000s as the test runs for 385 iterations
|
||||
# and thus the default 600s timeout is not sufficient
|
||||
@pytest.mark.generic
|
||||
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_RSA, indirect=['config', 'target'])
|
||||
def test_examples_security_secure_boot_corrupt_app_sig_rsa(dut: Dut) -> None:
|
||||
test_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_RSA)
|
||||
_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_RSA)
|
||||
|
||||
|
||||
# Test app signature corruption.
|
||||
@@ -393,6 +401,7 @@ def test_examples_security_secure_boot_corrupt_app_sig_rsa(dut: Dut) -> None:
|
||||
@pytest.mark.timeout(18000)
|
||||
# Increasing the test timeout to 18000s as the test runs for 385 iterations
|
||||
# and thus the default 600s timeout is not sufficient
|
||||
@pytest.mark.generic
|
||||
@idf_parametrize('config, target', CONFIGS_SECURE_BOOT_ECDSA, indirect=['config', 'target'])
|
||||
def test_examples_security_secure_boot_corrupt_app_sig_ecdsa(dut: Dut) -> None:
|
||||
test_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA)
|
||||
_examples_security_secure_boot_corrupt_app_sig(dut, signature_type=SIGNATURE_TYPE_ECDSA)
|
||||
|
||||
Reference in New Issue
Block a user