From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH RFC 17/17] test: py: add basic security policy test
Date: Thu, 14 Aug 2025 15:07:02 +0200 [thread overview]
Message-ID: <20250814130702.4039241-18-a.fatoum@pengutronix.de> (raw)
In-Reply-To: <20250814130702.4039241-1-a.fatoum@pengutronix.de>
This simple test checks that the security policies were added and that a
number of options that we expect to be there indeed change as expected.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
test/arm/virt32_secure_defconfig.yaml | 1 +
test/py/test_policies.py | 49 +++++++++++++++++++++++++++
2 files changed, 50 insertions(+)
create mode 100644 test/py/test_policies.py
diff --git a/test/arm/virt32_secure_defconfig.yaml b/test/arm/virt32_secure_defconfig.yaml
index a1537c634811..3a26e09ef683 100644
--- a/test/arm/virt32_secure_defconfig.yaml
+++ b/test/arm/virt32_secure_defconfig.yaml
@@ -15,6 +15,7 @@ targets:
BareboxTestStrategy: {}
features:
- virtio-mmio
+ - policies
images:
barebox-dt-2nd.img: !template "$LG_BUILDDIR/images/barebox-dt-2nd.img"
imports:
diff --git a/test/py/test_policies.py b/test/py/test_policies.py
new file mode 100644
index 000000000000..28ab16d2cf68
--- /dev/null
+++ b/test/py/test_policies.py
@@ -0,0 +1,49 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+import pytest
+
+
+def test_security_policies(barebox, env):
+ if 'policies' not in env.get_target_features():
+ pytest.skip('policies feature flag missing')
+
+ assert 'Active Policy: devel' in barebox.run_check('sconfig')
+
+ assert set(barebox.run_check('sconfig -l')) == \
+ set(['devel', 'factory', 'lockdown', 'tamper'])
+
+ assert barebox.run_check('varinfo global.bootm.verify') == \
+ ['bootm.verify: available (type: enum) '
+ '(values: "none", "hash", "signature", "available")']
+
+ barebox.run_check('sconfig -s factory')
+ assert 'Active Policy: factory' in barebox.run_check('sconfig')
+
+ stdout = barebox.run_check('sconfig -v -s devel')
+ assert set(['+SCONFIG_BOOT_UNSIGNED_IMAGES',
+ '+SCONFIG_CMD_GO']) <= set(stdout)
+ assert 'Active Policy: devel' in barebox.run_check('sconfig')
+
+ stdout, _, rc = barebox.run('go')
+ assert 'go - start application at address or file' in stdout
+ assert 'go: Operation not permitted' not in stdout
+ assert rc == 1
+
+ stdout = barebox.run_check('sconfig -v -s tamper')
+ assert set(['-SCONFIG_SECURITY_POLICY_SELECT',
+ '-SCONFIG_BOOT_UNSIGNED_IMAGES',
+ '-SCONFIG_RATP',
+ '-SCONFIG_CMD_GO']) <= set(stdout)
+ assert 'Active Policy: tamper' in barebox.run_check('sconfig')
+
+ _, _, rc = barebox.run('sconfig -s devel')
+ assert rc != 0
+ assert 'Active Policy: tamper' in barebox.run_check('sconfig')
+
+ stdout, _, rc = barebox.run('go')
+ assert 'go - start application at address or file' not in stdout
+ assert 'go: Operation not permitted' in stdout
+ assert rc == 127
+
+ assert barebox.run_check('varinfo global.bootm.verify') == \
+ ['bootm.verify: signature (type: enum)']
--
2.39.5
prev parent reply other threads:[~2025-08-14 15:16 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-14 13:06 [PATCH RFC 00/17] Add security policy support Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 01/17] kconfig: allow setting CONFIG_ from the outside Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 02/17] scripts: include scripts/include for all host tools Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 03/17] kbuild: implement loopable loop_cmd Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 04/17] Add security policy support Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 05/17] kbuild: allow security config use without source tree modification Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 06/17] defaultenv: update PS1 according to security policy Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 07/17] security: policy: support externally provided configs Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 08/17] commands: implement sconfig command Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 09/17] docs: security-policies: add documentation Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 10/17] commands: go: add security config option Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 11/17] console: ratp: " Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 12/17] bootm: support calling bootm_optional_signed_images at any time Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 13/17] bootm: make unsigned image support runtime configurable Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 14/17] ARM: configs: add virt32_secure_defconfig Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 15/17] boards: qemu-virt: add security policies Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 16/17] boards: qemu-virt: allow setting policy from command line Ahmad Fatoum
2025-08-14 13:07 ` Ahmad Fatoum [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250814130702.4039241-18-a.fatoum@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox