From mboxrd@z Thu Jan  1 00:00:00 1970
Delivery-date: Wed, 22 Oct 2025 12:05:29 +0200
Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104])
	by lore.white.stw.pengutronix.de with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <barebox-bounces+lore=pengutronix.de@lists.infradead.org>)
	id 1vBVij-00AZCj-2P
	for lore@lore.pengutronix.de;
	Wed, 22 Oct 2025 12:05:29 +0200
Received: from bombadil.infradead.org ([2607:7c80:54:3::133])
	by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <barebox-bounces+lore=pengutronix.de@lists.infradead.org>)
	id 1vBVii-00059u-Gh
	for lore@pengutronix.de; Wed, 22 Oct 2025 12:05:29 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help
	:List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding:
	Content-Type:In-Reply-To:From:References:To:Subject:MIME-Version:Date:
	Message-ID:Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From
	:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	bh=s1mK25PQgGaq9ayvGnKc/qUxb0s5AQHJ2Eph1ren7gk=; b=aSTHK7gw57MtwnjyNS7Y+hy5PX
	3Lj4IiYdZQ3hTr/Ny1sxhJX1EB/CJ3/8e17/RzK2GuYd2ST+6OAl9Qvwq6w1Hf8WdPsdCFlOaTOnv
	t9ZHQVQNsiog4Ceb08I0nEi24Qj7kQlDwCS8+POcWE57k5779UaY0WlkQ9lp/xgYtaDUB9gEsQBJF
	Ykfyn4zPn41VZ/Vf0g87wFsoCKCtxgGbyBHQfWKFR0YQ5PAmD7tKyQUgOsZW4p+VB4CSd6WhxxvD8
	XpFyprZebg7Vdqhr/XGMayzDgftkiecUhTXC2IzsoFk5GaE4VGbpoH8MpiukcYKcIAYJR7JQGybE5
	dmYXoD6g==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))
	id 1vBViB-00000002OWh-1p6A;
	Wed, 22 Oct 2025 10:04:55 +0000
Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104])
	by bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))
	id 1vBVi2-00000002OSu-2pJa
	for barebox@lists.infradead.org;
	Wed, 22 Oct 2025 10:04:48 +0000
Received: from ptz.office.stw.pengutronix.de ([2a0a:edc0:0:900:1d::77] helo=[127.0.0.1])
	by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92)
	(envelope-from <a.fatoum@pengutronix.de>)
	id 1vBVi1-00051x-5R; Wed, 22 Oct 2025 12:04:45 +0200
Message-ID: <703f28ed-2d8a-4784-a850-ae577119f56e@pengutronix.de>
Date: Wed, 22 Oct 2025 12:04:44 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Jonas Rebmann <jre@pengutronix.de>, Sascha Hauer
 <s.hauer@pengutronix.de>, BAREBOX <barebox@lists.infradead.org>
References: <20251014-tlv-signature-v1-0-7a8aaf95081c@pengutronix.de>
 <20251014-tlv-signature-v1-12-7a8aaf95081c@pengutronix.de>
Content-Language: en-US, de-DE, de-BE
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
In-Reply-To: <20251014-tlv-signature-v1-12-7a8aaf95081c@pengutronix.de>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20251022_030447_032353_BAFBC0D0 
X-CRM114-Status: GOOD (  21.79  )
X-BeenThere: barebox@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <barebox.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/barebox>,
 <mailto:barebox-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/barebox/>
List-Post: <mailto:barebox@lists.infradead.org>
List-Help: <mailto:barebox-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/barebox>,
 <mailto:barebox-request@lists.infradead.org?subject=subscribe>
Sender: "barebox" <barebox-bounces@lists.infradead.org>
X-SA-Exim-Connect-IP: 2607:7c80:54:3::133
X-SA-Exim-Mail-From: barebox-bounces+lore=pengutronix.de@lists.infradead.org
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	metis.whiteo.stw.pengutronix.de
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=4.0 tests=AWL,BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_NONE autolearn=unavailable
	autolearn_force=no version=3.4.2
Subject: Re: [PATCH 12/15] test: py: add signature to TLV integration tests
X-SA-Exim-Version: 4.2.1 (built Wed, 08 May 2019 21:11:16 +0000)
X-SA-Exim-Scanned: Yes (on metis.whiteo.stw.pengutronix.de)

Hi,

On 10/14/25 1:03 PM, Jonas Rebmann wrote:
> Add TLV signature to TLV integration tests:
>  - Signed TLV using development RSA key
>  - Modify payload and fix CRC for a "tampered" tlv
>  - Include both cases in generator and tlv-command tests.
> 
> Use the keys selected by CRYPTO_BUILTIN_DEVELOPMENT_KEYS for all TLV
> testing. Consequentially add the matching private keys from the public
> repository at [1].
> 
> [1]: https://git.pengutronix.de/cgit/ptx-code-signing-dev/
> 
> Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
> ---
>  crypto/fit-4096-development.key  |  51 ++++++++++
>  crypto/fit-ecdsa-development.key |   5 +

Move this into test/?

>  test/py/test_tlv.py              | 205 +++++++++++++++++++++++++++++++--------
>  3 files changed, 219 insertions(+), 42 deletions(-)
> 
> diff --git a/crypto/fit-4096-development.key b/crypto/fit-4096-development.key
> new file mode 100644
> index 0000000000..526cdfc2b5
> --- /dev/null
> +++ b/crypto/fit-4096-development.key
> @@ -0,0 +1,51 @@
> +-----BEGIN RSA PRIVATE KEY-----
> +MIIJKgIBAAKCAgEAyZHkijUfqoAvEELaxSLnjyqhTprEilnf7JqvSCMDUUXv2dEl
> +k1r4RwiBowJp/4W3sOx4gASEHM2xlDWyPYZUR/1btZeVJvOIRPWfw8JoLT3tbbST
> +OIw04Bk6MUh3LbgBtxbbKGGkFewq3Ob1XQOWcY3ZAzfLFuooPWJQ6X+IiczkrA0r
> +GnwpuhHlb8tOdQZRjDevIVVvEkRjRiqrAw5pKTy/Mt/SJJ/yC7qJptIQskQ42y3R
> +qHeCVmP6ZF6VV1scNmHr8+kRD19DhCos6DLWq2pCFPwnSmgM4T0FWcJsMiNta+rt
> +Rq+kG7RjOOYbbqvuk3vkMrQTRQeAYfdnuOGimGQYxiVh9quOMVG6NJ2hylTa0S/E
> +PKQUQvK9A8bnDul522XPmMVHOtLXVGtwKx9xQUx/2D7aoqlmVJSGQeAMNi0NEFhq
> +buGdXuJ/2cKwtobClkz0WbbMlI4UBM7V4qP3JSkxiojRKhtNHtdE3KtF3ronRJaU
> ++yDggNobWLiJ4TtQ0OAC1REEJGq7s9k8ASi+6s+VX7yVtlGWMIjbBGAl8lqgXXsA
> +prRrmtofaQgEPVvcSAIbuch/JqpHhs8vHBiWb/KZdOe/vMiYQE/d9/KY8rybZa3D
> +hKvzN7X59ymOYLILHB73Xxi5bQA61DaeYE4KnPiJaEDrUccrlFjMBIwGrosCAwEA
> +AQKCAgEApVkIIFdzommEMdKloxD+4nIV4GUU1GjlRzGcl5AhKIo2NndaW4ZEJADW
> +VuGkEfeet4NDVcBen0IcaXeivtVyTZuHn2646zrajbbvV6Yhzvr9yQBXxAs/VJVd
> +JxBKszY+MfKN1JJEB7ezcYIDxEktH/k8C2e5MRLj73a26NO1LVTmQDyNHyy7Deeg
> +ThR4R4bnXh5PiwiKFHIE/YoCvn8TxMAQF6uCtoh+BSD/ydiH2bQc766mTYu7XyKk
> +Q7FS0FXszq+E3pBRbkq3F7OBIviRIAwKKSyvDlpMNnfX68mQ95AYMm6ENXffJtrS
> +ido4ppBjJJh8mRses4FzzukkLITq2qBoZQn+3XfR12+YbWKbCFIAXSu1b4tJetLC
> +wYUp6EuGKCS2XK8OJXbY4M2D1t7bCVlRpptZBBiD7romkLYQ+jRwPbWhjUY6Ktw3
> +ceUf9XJtNVKjHMp7n6C3gdxe2ivK02RYscT3brRq7TUjSzGjH1z/HUQSwr31+tXD
> +dw2fkb2qQn2KUB5hjKcqU/Dxrqjorvf+kjGwXTtAD01Y4r8xRD3HK31zKAgrheN6
> +15shoKRM4imKCD+fTBQjBBVZpTT8xNbo1m+y0joFEeDW0U5Lc3A/DhyTUsfHj4Im
> +H02Cg4wiXXGyJ57fSyyNFKaa0EuLSdOl0zT1bXiy2TxiyTrsgAECggEBAPz+DcTO
> +OvWtU/f+SyAfP86xd3bSnQzBXtoK2iI49uGAAkIXLU881V5sFz41UWJ6g1G0PjKy
> +FWjxTCJytgso9TkISC42TOTE9VUqL4Y4KHhY93nnMAzKNLJC04onqmimDjn1I5Di
> +DD3k3yCYPQEPInz84tdZyB+mRSncdsOL0Mpzhl5fjgGy+pi78K3/B4PUepR3n+Wl
> +4JqKP4SeIL189+ChnSrgVsLzdvpOWJ2cu8DO9qGfz7F0ufJlehUILWPfhYlWUZ/c
> +AUja5QWJEuSQHsKcOJSD4fpjuBWy3ASKlDy7BQSSoASibsl8FfQ/WmQBd3H8Y5/U
> +20psjFuOa/02TusCggEBAMv3V4ccYieiUNkzi6WyyzlR9sULtAG4Cvi1HRw+o6mV
> +VeNFNo8hw+g8f26URvuB06xXyuZepk+oMtEPiFfGYFFg4s22QJRGzqBfC5+8//Mf
> +rcIsU88S75JCZjPDSxOFgzSDAG1gPfX4i8BZHgqaT749TewbeLc0ehvVrcLnXMwB
> +3JpDNmiuNzA2pJAWbLezKazhW6XbpkTtHDqZTswDK+3AFBm7j/cqqeXojd93EbrV
> +0ggyiNMx/O42DHVwZ+51HdJ+C7KDHR0wzgFMu24zyoymzZOaiKjm2rQi/B4mJ9Er
> +oCaCfhVGo/Kq7Y5V7G+x4gag8oVQNCJh/lERrvgBduECggEAT5tpnbn/F3tY5rof
> +zZXHsDRrkPoo7PCT9ixgA1DFbqOnEkDUwxAzW6jLj4mbeE9wru72e2FKF2GGQXiz
> +C8PxleajP9daTsojII9LsQJOyb/E75jtp7ig6E7a3agpmRBXfalDbb2TeI5iH5GH
> +8KNgiM/SWU0pCbx6GvgCbvm501qSt3N97c7xx8mrrDSJmtPrVnhl2g9eI4LJBeP0
> +DWwbW5W/LNS2uFV/5Ldubvn4omz9clIlOoOuVzXTOnb+QWT+Uf7VZGYICXLHifxd
> +84neBALAUwtEulNSg5FqZgttJcb7hzrUG2E5VzEyf07IFJvZiAaRGqQR9NM/PzgL
> +hvvlzQKCAQEAi/wmy2kUiKUjHd79oexzA9UYKyacFW3twcHzx7XJ95Kxjriq+FMx
> +NIuI3ijQCr+QukDK1Y7yT8tdjRQ+/Bb/dfqrzomeCuYJ3BE/VhOOCpucUp6/qmgR
> +mm0N3crUFQLWCM08FtUt0UoTCCFht98uiZ9jgn9cO0i94aqmhhTqIG3KrOkiR3gC
> +Eon+KZHqba1+FdPZZZy5oaamcCVV6jjnBlaEtSCAbx+N2WfhLxR2S6eCbfPY6jHt
> +qMPZiyRpgERLAnNVrd/EtIsRZ9z06m6LPjsg7oPp9Rnz0hwMsth3DV0GnkeDJzED
> +RoI/ZifcjNAmE2yU5iAkl9Bvjc44Kqg+oQKCAQEAvSi4W2kVUoIwlmBHGLge/Rng
> +YyScmAoG4Cavy0Ie6AHPtHayHFdI/rAyiVFnKU5Xuj4qgB54dLa94bQrIu451wls
> +3Jyy/J8WkcW9r/dZFMN6gMoZ0u+xt6KdYe2tQnyW/CG4svDyfckcW2VHdh2A3vqH
> +xlGNmo/HaOeovxWNQkQGQeuXnIcrUvwaFTmGIxLdEO5TAQzLeWSrXldMtVBUAMaJ
> +LClOqNIGRxMRYhZOPVnkedEQmJqgxvcrn8F/91mXQHVnQBOvsgyQDgtS3V0EIAOD
> +rWePjgB8twJknHuab8qH/1z3cQ5QRxQ6lffcIoWgXS59QBBT+jIqMT2oKyGkPw==
> +-----END RSA PRIVATE KEY-----
> diff --git a/crypto/fit-ecdsa-development.key b/crypto/fit-ecdsa-development.key
> new file mode 100644
> index 0000000000..2b13c877a3
> --- /dev/null
> +++ b/crypto/fit-ecdsa-development.key
> @@ -0,0 +1,5 @@
> +-----BEGIN EC PRIVATE KEY-----
> +MHcCAQEEIEsUW5DEOhD1CYHCnPfDULwbRQO9Yjt2/xM5SoY2GUQtoAoGCCqGSM49
> +AwEHoUQDQgAEowCa2OYfPdGRr1JpSYONOA3N2jwJjGbPbfG6uBzKg1VqOOk0a/Vf
> +BfEbQev6X96HCd6zvvC2tjBgvICW8UB0TQ==
> +-----END EC PRIVATE KEY-----
> diff --git a/test/py/test_tlv.py b/test/py/test_tlv.py
> index 79f9f9d01b..1200281dbc 100644
> --- a/test/py/test_tlv.py
> +++ b/test/py/test_tlv.py
> @@ -1,6 +1,7 @@
>  import os
>  import re
>  import subprocess
> +import struct
>  from pathlib import Path
>  from .helper import skip_disabled
>  
> @@ -8,71 +9,191 @@ import pytest
>  
>  
>  class _TLV_Testdata:
> -    def generator(self, args, check=True):
> +    def generator(self, args, expect_failure=False, input=None):
>          cmd = [os.sys.executable, str(self.generator_py)] + args
> -        res = subprocess.run(cmd, text=True)
> +        res = subprocess.run(cmd, text=True, input=input, encoding="utf-8", capture_output=True)
>          if res.returncode == 127:
>              pytest.skip("test skipped due to missing host dependencies")
> -
> -        if check and res.returncode != 0:
> -            raise RuntimeError(f"generator failed ({res.returncode}): {res.stdout}\n{res.stderr}")
> +        if res.returncode == 0 and expect_failure:
> +            raise RuntimeError(
> +                f"`{' '.join(cmd)}` succeded unexpectedly:\n{res.stderr}\n{res.stdout}"
> +            )
> +        elif res.returncode != 0 and not expect_failure:
> +            raise RuntimeError(
> +                f"`{' '.join(cmd)}` failed unexpectedly with {res.returncode}:\n{res.stderr}\n{res.stdout}"
> +            )
>          return res
>  
> +    def overwrite_magic(self, new_magic):
> +        with open(self.schema, "r", encoding="utf-8") as f:
> +            patched_schema = "".join(
> +                re.sub(r"^magic:\s*0x[a-fA-F0-9]{8}\s*$", f"magic: {new_magic}\n", line)
> +                for line in f
> +            )
> +        return patched_schema
> +
> +    def tlv_gen(self, outfile, magic=None, sign=None):
> +        param = ["--input-data", str(self.data)]
> +        if sign:
> +            param += ["--sign", str(sign)]
> +        if magic:
> +            param += ["/dev/stdin"]
> +        else:
> +            param += [str(self.schema)]
> +        param += [str(outfile)]
> +        ret = self.generator(param, input=self.overwrite_magic(magic) if magic else None)
> +        assert outfile.exists(), f"TLV {outfile} not created from {' '.join(param)}"
> +        return ret
> +
> +    def tlv_read(self, binfile, magic=None, verify=None, expect_failure=False):
> +        param = ["--output-data", "/dev/null"]
> +        if verify:
> +            param += ["--verify", str(verify)]
> +        if magic:
> +            param += ["/dev/stdin"]
> +        else:
> +            param += [str(self.schema)]
> +        param += [str(binfile)]
> +        ret = self.generator(
> +            param,
> +            input=self.overwrite_magic(magic) if magic else None,
> +            expect_failure=expect_failure,
> +        )
> +        return ret
> +
> +    def corrupt(self, fnin, fnout, fix_crc=False):
> +        try:
> +            from crcmod.predefined import mkPredefinedCrcFun
> +        except ModuleNotFoundError:
> +            pytest.skip("test skipped due to missing dependency python-crcmod")
> +            return
> +
> +        _crc32_mpeg = mkPredefinedCrcFun("crc-32-mpeg")
> +
> +        with open(fnin, "r+b") as f:
> +            data = bytearray(f.read())
> +        data[0x20] ^= 1
> +        if fix_crc:
> +            crc_raw = _crc32_mpeg(data[:-4])
> +            crc = struct.pack(">I", crc_raw)
> +            data[-4:] = crc
> +        with open(fnout, "wb") as f:
> +            f.write(data)
> +
>      def __init__(self, testfs):
>          self.dir = Path(testfs)
>          self.scripts_dir = Path("scripts/bareboxtlv-generator")
>          self.data = self.scripts_dir / "data-example.yaml"
>          self.schema = self.scripts_dir / "schema-example.yaml"
>          self.generator_py = self.scripts_dir / "bareboxtlv-generator.py"
> -        self.unsigned_bin = self.dir / 'unsigned.tlv'
> -        self.corrupted_bin = self.dir / 'unsigned_corrupted.tlv'
> +        self.privkey_rsa = Path("crypto/fit-4096-development.key")
> +        self.pubkey_rsa = Path("crypto/fit-4096-development.crt")
> +        self.privkey_ecdsa = Path("crypto/fit-ecdsa-development.key")
> +        self.pubkey_ecdsa = Path("crypto/fit-ecdsa-development.crt")
> +        self.unsigned_bin = self.dir / "unsigned.tlv"
> +        self.corrupted_bin = self.dir / "unsigned_corrupted.tlv"
> +        self.signed_bin = self.dir / "signed.tlv"
> +        self.ecdsa_signed_bin = self.dir / "ecdsa-signed.tlv"
> +        self.tampered_bin = self.dir / "signed-tampered.tlv"
> +        self.tampered_ecdsa_bin = self.dir / "ecdsa-signed-tampered.tlv"
> +
>  
>  @pytest.fixture(scope="module")
>  def tlv_testdata(testfs):
>      t = _TLV_Testdata(testfs)
> -    t.generator(["--input-data", str(t.data), str(t.schema), str(t.unsigned_bin)])
> -    assert t.unsigned_bin.exists(), "unsigned TLV not created"
>  
> -    with open(t.unsigned_bin, 'r+b') as f:
> -        data = bytearray(f.read())
> -    data[0x20] ^= 1
> -    with open(t.corrupted_bin, "wb") as f:
> -        f.write(data)
> +    t.tlv_gen(t.unsigned_bin)
> +    t.tlv_gen(t.signed_bin, sign=t.privkey_rsa, magic="0x61bb95f3")
> +    t.tlv_gen(t.ecdsa_signed_bin, sign=t.privkey_ecdsa, magic="0x61bb95f3")
> +
> +    t.corrupt(t.unsigned_bin, t.corrupted_bin)
> +    t.corrupt(t.signed_bin, t.tampered_bin, fix_crc=True)
> +    t.corrupt(t.ecdsa_signed_bin, t.tampered_ecdsa_bin, fix_crc=True)
>  
>      return t
>  
> +
>  def test_tlv_generator(tlv_testdata):
>      t = tlv_testdata
> -    out_yaml = t.dir / 'out.yaml'
> +    out_yaml = t.dir / "out.yaml"
>  
> +    t.tlv_read(t.unsigned_bin)
> +    t.tlv_read(t.signed_bin, verify=t.pubkey_rsa, magic="0x61bb95f3")
> +    t.tlv_read(t.ecdsa_signed_bin, verify=t.pubkey_ecdsa, magic="0x61bb95f3")
>  
> -    good = t.generator(["--output-data", str(out_yaml), str(t.schema), str(t.unsigned_bin)], check=False)
> -    assert good.returncode == 0, f"valid unsigned TLV failed to decode: {good.stderr}\n{good.stdout}"
> +    t.tlv_read(t.corrupted_bin, expect_failure=True)
> +    t.tlv_read(t.tampered_bin, verify=t.pubkey_rsa, magic="0x61bb95f3", expect_failure=True)
> +    t.tlv_read(t.tampered_ecdsa_bin, verify=t.pubkey_ecdsa, magic="0x61bb95f3", expect_failure=True)
>  
> -    bad = t.generator(["--output-data", str(t.dir / 'bad.yaml'), str(t.schema), str(t.corrupted_bin)], check=False)
> -    assert bad.returncode != 0, "unsigned TLV with invalid CRC unexpectedly decoded successfully"
>  
> -def test_tlv_command(barebox, barebox_config, tlv_testdata):
> +@pytest.fixture(scope="module")
> +def tlv_cmdtest(barebox_config, tlv_testdata):
>      skip_disabled(barebox_config, "CONFIG_CMD_TLV")
> -    t = tlv_testdata
> -    with open(t.data, 'r', encoding='utf-8') as f:
> -        yaml_lines = [l.strip() for l in f if l.strip() and not l.strip().startswith('#')]
> -
> -    stdout = barebox.run_check(f"tlv /mnt/9p/testfs/{t.unsigned_bin.name}")
> -
> -    # work around 9pfs printing here after a failed network test
> -    tlv_offset = next((i for i, line in enumerate(stdout) if line.startswith("tlv")), None)
> -    tlv_lines = stdout[tlv_offset + 1:-1]
> -
> -    assert len(yaml_lines) == len(tlv_lines), \
> -        f"YAML and TLV output line count mismatch for {t.unsigned_bin.name}"
> -
> -    for yline, tline in zip(yaml_lines, tlv_lines):
> -        m = re.match(r'^\s*([^=]+) = "(.*)";$', tline)
> -        assert m, f"malformed tlv line: {tline}"
> -        tkey, tval = m.group(1), m.group(2)
> -        m = re.match(r'^([^:]+):\s*(?:"([^"]*)"\s*|(.*))$', yline)
> -        assert m, f"malformed yaml line: {yline}"
> -        ykey, yval = m.group(1), m.group(2) or m.group(3)
> -        assert ykey == tkey, f"key mismatch: {ykey} != {tkey}"
> -        assert str(yval) == str(tval), f"value mismatch for {ykey}: {yval} != {tval}"
> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS")
> +
> +    class _TLV_Cmdtest:
> +        def __init__(self, tlv_testdata):
> +            self.t = tlv_testdata
> +            with open(tlv_testdata.data, "r", encoding="utf-8") as f:
> +                self.yaml_lines = [
> +                    l.strip() for l in f if l.strip() and not l.strip().startswith("#")
> +                ]
> +
> +        def test(self, barebox, fn, fail=False):
> +            cmd = f"tlv /mnt/9p/testfs/{fn}"
> +            stdout, stderr, exitcode = barebox.run(cmd, timeout=2)
> +            if fail:
> +                assert exitcode != 0
> +                return
> +            elif exitcode != 0:
> +                raise RuntimeError(f"`{cmd}` failed with exitcode {exitcode}:\n{stderr}\n{stdout}")
> +
> +            # work around a corner case of 9pfs printing here (after a failed network test?)
> +            tlv_offset = next((i for i, line in enumerate(stdout) if line.startswith("tlv")), None)
> +            tlv_lines = stdout[tlv_offset + 1 : -1]
> +
> +            assert len(self.yaml_lines) == len(tlv_lines), (
> +                f"YAML and TLV output line count mismatch for {fn}"
> +            )
> +
> +            for yline, tline in zip(self.yaml_lines, tlv_lines):
> +                m = re.match(r'^\s*([^=]+) = "(.*)";$', tline)
> +                assert m, f"malformed tlv line: {tline}"
> +                tkey, tval = m.group(1), m.group(2)
> +                m = re.match(r'^([^:]+):\s*(?:"([^"]*)"\s*|(.*))$', yline)
> +                assert m, f"malformed yaml line: {yline}"
> +                ykey, yval = m.group(1), m.group(2) or m.group(3)
> +                assert ykey == tkey, f"key mismatch: {ykey} != {tkey}"
> +                assert str(yval) == str(tval), f"value mismatch for {ykey}: {yval} != {tval}"
> +
> +    return _TLV_Cmdtest(tlv_testdata)
> +
> +
> +def test_tlv_cmd_unsigned(barebox, barebox_config, tlv_cmdtest):
> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_RSA")
> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.unsigned_bin.name)
> +
> +
> +def test_tlv_cmd_signed(barebox, barebox_config, tlv_cmdtest):
> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_RSA")
> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.signed_bin.name)
> +
> +
> +def test_tlv_cmd_ecdsa_signed(barebox, barebox_config, tlv_cmdtest):
> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_ECDSA")
> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.ecdsa_signed_bin.name)
> +
> +
> +def test_tlv_cmd_corrupted(barebox, barebox_config, tlv_cmdtest):
> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_RSA")
> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.corrupted_bin.name, fail=True)
> +
> +
> +def test_tlv_cmd_tampered(barebox, barebox_config, tlv_cmdtest):
> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_RSA")
> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.tampered_bin.name, fail=True)
> +
> +
> +def test_tlv_cmd_ecdsa_tampered(barebox, barebox_config, tlv_cmdtest):
> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_ECDSA")
> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.tampered_ecdsa_bin.name, fail=True)
> 

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |