From mboxrd@z Thu Jan  1 00:00:00 1970
Delivery-date: Wed, 22 Oct 2025 12:12:17 +0200
Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104])
	by lore.white.stw.pengutronix.de with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <barebox-bounces+lore=pengutronix.de@lists.infradead.org>)
	id 1vBVpI-00AZT2-36
	for lore@lore.pengutronix.de;
	Wed, 22 Oct 2025 12:12:16 +0200
Received: from bombadil.infradead.org ([2607:7c80:54:3::133])
	by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <barebox-bounces+lore=pengutronix.de@lists.infradead.org>)
	id 1vBVpH-0006Gy-Mh
	for lore@pengutronix.de; Wed, 22 Oct 2025 12:12:16 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help
	:List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding:
	Content-Type:In-Reply-To:References:To:From:Subject:MIME-Version:Date:
	Message-ID:Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From
	:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	bh=RIIzuU/+eFdWpv6kSJbfJIlBbl8ekQAPLuo4bAxbHKg=; b=tDQvqs4u24ThUQo/eW15umYl/N
	4JYc3kIKLa/1aFCdmwcCz/QG21i5HrUJI+XfDAKivb9zahDmwrgXPnMngb7qMHL9mx6PLswVMzAb/
	X2YBJdf+4ISydadJdlrloiLUtVK9QVVLOV+ApolMuYEgZbsERODCRt9+3J98NW/CwDm6suZ3bbhPT
	7X2IQ9NHzsfW8j13uJKSe62NDBD7sjcjYOC3F41+4rMwM/FN7BgRKPgDpsYgOwztHbLGmJ/rfLLca
	LaA1dGBT9tdVW1AzwiJMkVkCUndH3w/k5NappYWHnXjfdy017Em2wOR5LLThdeueMPRdd7wW0hM1j
	FcgTauwQ==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))
	id 1vBVol-00000002QQa-0oj0;
	Wed, 22 Oct 2025 10:11:43 +0000
Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104])
	by bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))
	id 1vBVoe-00000002QMz-2EP0
	for barebox@lists.infradead.org;
	Wed, 22 Oct 2025 10:11:41 +0000
Received: from ptz.office.stw.pengutronix.de ([2a0a:edc0:0:900:1d::77] helo=[127.0.0.1])
	by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92)
	(envelope-from <a.fatoum@pengutronix.de>)
	id 1vBVoc-00065b-Ug; Wed, 22 Oct 2025 12:11:35 +0200
Message-ID: <f2e96d72-3d01-4845-a997-4926ea4bdee0@pengutronix.de>
Date: Wed, 22 Oct 2025 12:11:34 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Jonas Rebmann <jre@pengutronix.de>, Sascha Hauer
 <s.hauer@pengutronix.de>, BAREBOX <barebox@lists.infradead.org>
References: <20251014-tlv-signature-v1-0-7a8aaf95081c@pengutronix.de>
 <20251014-tlv-signature-v1-12-7a8aaf95081c@pengutronix.de>
 <703f28ed-2d8a-4784-a850-ae577119f56e@pengutronix.de>
Content-Language: en-US, de-DE, de-BE
In-Reply-To: <703f28ed-2d8a-4784-a850-ae577119f56e@pengutronix.de>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20251022_031136_974396_CA22EF2A 
X-CRM114-Status: GOOD (  18.70  )
X-BeenThere: barebox@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <barebox.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/barebox>,
 <mailto:barebox-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/barebox/>
List-Post: <mailto:barebox@lists.infradead.org>
List-Help: <mailto:barebox-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/barebox>,
 <mailto:barebox-request@lists.infradead.org?subject=subscribe>
Sender: "barebox" <barebox-bounces@lists.infradead.org>
X-SA-Exim-Connect-IP: 2607:7c80:54:3::133
X-SA-Exim-Mail-From: barebox-bounces+lore=pengutronix.de@lists.infradead.org
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	metis.whiteo.stw.pengutronix.de
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=4.0 tests=AWL,BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_NONE autolearn=unavailable
	autolearn_force=no version=3.4.2
Subject: Re: [PATCH 12/15] test: py: add signature to TLV integration tests
X-SA-Exim-Version: 4.2.1 (built Wed, 08 May 2019 21:11:16 +0000)
X-SA-Exim-Scanned: Yes (on metis.whiteo.stw.pengutronix.de)



On 10/22/25 12:04 PM, Ahmad Fatoum wrote:
> Hi,
> 
> On 10/14/25 1:03 PM, Jonas Rebmann wrote:
>> Add TLV signature to TLV integration tests:
>>  - Signed TLV using development RSA key
>>  - Modify payload and fix CRC for a "tampered" tlv
>>  - Include both cases in generator and tlv-command tests.
>>
>> Use the keys selected by CRYPTO_BUILTIN_DEVELOPMENT_KEYS for all TLV
>> testing. Consequentially add the matching private keys from the public
>> repository at [1].
>>
>> [1]: https://git.pengutronix.de/cgit/ptx-code-signing-dev/
>>
>> Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
>> ---
>>  crypto/fit-4096-development.key  |  51 ++++++++++
>>  crypto/fit-ecdsa-development.key |   5 +
> 
> Move this into test/?

Ah, I see the *.crt files are already in crypto...
Can't you concatenate the *.key and *.crt files into a single pem file?

That's what we do for test/self/development_rsa2048.pem and it works
there. Removes clutter a bit.

Cheers,
Ahmad

> 
>>  test/py/test_tlv.py              | 205 +++++++++++++++++++++++++++++++--------
>>  3 files changed, 219 insertions(+), 42 deletions(-)
>>
>> diff --git a/crypto/fit-4096-development.key b/crypto/fit-4096-development.key
>> new file mode 100644
>> index 0000000000..526cdfc2b5
>> --- /dev/null
>> +++ b/crypto/fit-4096-development.key
>> @@ -0,0 +1,51 @@
>> +-----BEGIN RSA PRIVATE KEY-----
>> +MIIJKgIBAAKCAgEAyZHkijUfqoAvEELaxSLnjyqhTprEilnf7JqvSCMDUUXv2dEl
>> +k1r4RwiBowJp/4W3sOx4gASEHM2xlDWyPYZUR/1btZeVJvOIRPWfw8JoLT3tbbST
>> +OIw04Bk6MUh3LbgBtxbbKGGkFewq3Ob1XQOWcY3ZAzfLFuooPWJQ6X+IiczkrA0r
>> +GnwpuhHlb8tOdQZRjDevIVVvEkRjRiqrAw5pKTy/Mt/SJJ/yC7qJptIQskQ42y3R
>> +qHeCVmP6ZF6VV1scNmHr8+kRD19DhCos6DLWq2pCFPwnSmgM4T0FWcJsMiNta+rt
>> +Rq+kG7RjOOYbbqvuk3vkMrQTRQeAYfdnuOGimGQYxiVh9quOMVG6NJ2hylTa0S/E
>> +PKQUQvK9A8bnDul522XPmMVHOtLXVGtwKx9xQUx/2D7aoqlmVJSGQeAMNi0NEFhq
>> +buGdXuJ/2cKwtobClkz0WbbMlI4UBM7V4qP3JSkxiojRKhtNHtdE3KtF3ronRJaU
>> ++yDggNobWLiJ4TtQ0OAC1REEJGq7s9k8ASi+6s+VX7yVtlGWMIjbBGAl8lqgXXsA
>> +prRrmtofaQgEPVvcSAIbuch/JqpHhs8vHBiWb/KZdOe/vMiYQE/d9/KY8rybZa3D
>> +hKvzN7X59ymOYLILHB73Xxi5bQA61DaeYE4KnPiJaEDrUccrlFjMBIwGrosCAwEA
>> +AQKCAgEApVkIIFdzommEMdKloxD+4nIV4GUU1GjlRzGcl5AhKIo2NndaW4ZEJADW
>> +VuGkEfeet4NDVcBen0IcaXeivtVyTZuHn2646zrajbbvV6Yhzvr9yQBXxAs/VJVd
>> +JxBKszY+MfKN1JJEB7ezcYIDxEktH/k8C2e5MRLj73a26NO1LVTmQDyNHyy7Deeg
>> +ThR4R4bnXh5PiwiKFHIE/YoCvn8TxMAQF6uCtoh+BSD/ydiH2bQc766mTYu7XyKk
>> +Q7FS0FXszq+E3pBRbkq3F7OBIviRIAwKKSyvDlpMNnfX68mQ95AYMm6ENXffJtrS
>> +ido4ppBjJJh8mRses4FzzukkLITq2qBoZQn+3XfR12+YbWKbCFIAXSu1b4tJetLC
>> +wYUp6EuGKCS2XK8OJXbY4M2D1t7bCVlRpptZBBiD7romkLYQ+jRwPbWhjUY6Ktw3
>> +ceUf9XJtNVKjHMp7n6C3gdxe2ivK02RYscT3brRq7TUjSzGjH1z/HUQSwr31+tXD
>> +dw2fkb2qQn2KUB5hjKcqU/Dxrqjorvf+kjGwXTtAD01Y4r8xRD3HK31zKAgrheN6
>> +15shoKRM4imKCD+fTBQjBBVZpTT8xNbo1m+y0joFEeDW0U5Lc3A/DhyTUsfHj4Im
>> +H02Cg4wiXXGyJ57fSyyNFKaa0EuLSdOl0zT1bXiy2TxiyTrsgAECggEBAPz+DcTO
>> +OvWtU/f+SyAfP86xd3bSnQzBXtoK2iI49uGAAkIXLU881V5sFz41UWJ6g1G0PjKy
>> +FWjxTCJytgso9TkISC42TOTE9VUqL4Y4KHhY93nnMAzKNLJC04onqmimDjn1I5Di
>> +DD3k3yCYPQEPInz84tdZyB+mRSncdsOL0Mpzhl5fjgGy+pi78K3/B4PUepR3n+Wl
>> +4JqKP4SeIL189+ChnSrgVsLzdvpOWJ2cu8DO9qGfz7F0ufJlehUILWPfhYlWUZ/c
>> +AUja5QWJEuSQHsKcOJSD4fpjuBWy3ASKlDy7BQSSoASibsl8FfQ/WmQBd3H8Y5/U
>> +20psjFuOa/02TusCggEBAMv3V4ccYieiUNkzi6WyyzlR9sULtAG4Cvi1HRw+o6mV
>> +VeNFNo8hw+g8f26URvuB06xXyuZepk+oMtEPiFfGYFFg4s22QJRGzqBfC5+8//Mf
>> +rcIsU88S75JCZjPDSxOFgzSDAG1gPfX4i8BZHgqaT749TewbeLc0ehvVrcLnXMwB
>> +3JpDNmiuNzA2pJAWbLezKazhW6XbpkTtHDqZTswDK+3AFBm7j/cqqeXojd93EbrV
>> +0ggyiNMx/O42DHVwZ+51HdJ+C7KDHR0wzgFMu24zyoymzZOaiKjm2rQi/B4mJ9Er
>> +oCaCfhVGo/Kq7Y5V7G+x4gag8oVQNCJh/lERrvgBduECggEAT5tpnbn/F3tY5rof
>> +zZXHsDRrkPoo7PCT9ixgA1DFbqOnEkDUwxAzW6jLj4mbeE9wru72e2FKF2GGQXiz
>> +C8PxleajP9daTsojII9LsQJOyb/E75jtp7ig6E7a3agpmRBXfalDbb2TeI5iH5GH
>> +8KNgiM/SWU0pCbx6GvgCbvm501qSt3N97c7xx8mrrDSJmtPrVnhl2g9eI4LJBeP0
>> +DWwbW5W/LNS2uFV/5Ldubvn4omz9clIlOoOuVzXTOnb+QWT+Uf7VZGYICXLHifxd
>> +84neBALAUwtEulNSg5FqZgttJcb7hzrUG2E5VzEyf07IFJvZiAaRGqQR9NM/PzgL
>> +hvvlzQKCAQEAi/wmy2kUiKUjHd79oexzA9UYKyacFW3twcHzx7XJ95Kxjriq+FMx
>> +NIuI3ijQCr+QukDK1Y7yT8tdjRQ+/Bb/dfqrzomeCuYJ3BE/VhOOCpucUp6/qmgR
>> +mm0N3crUFQLWCM08FtUt0UoTCCFht98uiZ9jgn9cO0i94aqmhhTqIG3KrOkiR3gC
>> +Eon+KZHqba1+FdPZZZy5oaamcCVV6jjnBlaEtSCAbx+N2WfhLxR2S6eCbfPY6jHt
>> +qMPZiyRpgERLAnNVrd/EtIsRZ9z06m6LPjsg7oPp9Rnz0hwMsth3DV0GnkeDJzED
>> +RoI/ZifcjNAmE2yU5iAkl9Bvjc44Kqg+oQKCAQEAvSi4W2kVUoIwlmBHGLge/Rng
>> +YyScmAoG4Cavy0Ie6AHPtHayHFdI/rAyiVFnKU5Xuj4qgB54dLa94bQrIu451wls
>> +3Jyy/J8WkcW9r/dZFMN6gMoZ0u+xt6KdYe2tQnyW/CG4svDyfckcW2VHdh2A3vqH
>> +xlGNmo/HaOeovxWNQkQGQeuXnIcrUvwaFTmGIxLdEO5TAQzLeWSrXldMtVBUAMaJ
>> +LClOqNIGRxMRYhZOPVnkedEQmJqgxvcrn8F/91mXQHVnQBOvsgyQDgtS3V0EIAOD
>> +rWePjgB8twJknHuab8qH/1z3cQ5QRxQ6lffcIoWgXS59QBBT+jIqMT2oKyGkPw==
>> +-----END RSA PRIVATE KEY-----
>> diff --git a/crypto/fit-ecdsa-development.key b/crypto/fit-ecdsa-development.key
>> new file mode 100644
>> index 0000000000..2b13c877a3
>> --- /dev/null
>> +++ b/crypto/fit-ecdsa-development.key
>> @@ -0,0 +1,5 @@
>> +-----BEGIN EC PRIVATE KEY-----
>> +MHcCAQEEIEsUW5DEOhD1CYHCnPfDULwbRQO9Yjt2/xM5SoY2GUQtoAoGCCqGSM49
>> +AwEHoUQDQgAEowCa2OYfPdGRr1JpSYONOA3N2jwJjGbPbfG6uBzKg1VqOOk0a/Vf
>> +BfEbQev6X96HCd6zvvC2tjBgvICW8UB0TQ==
>> +-----END EC PRIVATE KEY-----
>> diff --git a/test/py/test_tlv.py b/test/py/test_tlv.py
>> index 79f9f9d01b..1200281dbc 100644
>> --- a/test/py/test_tlv.py
>> +++ b/test/py/test_tlv.py
>> @@ -1,6 +1,7 @@
>>  import os
>>  import re
>>  import subprocess
>> +import struct
>>  from pathlib import Path
>>  from .helper import skip_disabled
>>  
>> @@ -8,71 +9,191 @@ import pytest
>>  
>>  
>>  class _TLV_Testdata:
>> -    def generator(self, args, check=True):
>> +    def generator(self, args, expect_failure=False, input=None):
>>          cmd = [os.sys.executable, str(self.generator_py)] + args
>> -        res = subprocess.run(cmd, text=True)
>> +        res = subprocess.run(cmd, text=True, input=input, encoding="utf-8", capture_output=True)
>>          if res.returncode == 127:
>>              pytest.skip("test skipped due to missing host dependencies")
>> -
>> -        if check and res.returncode != 0:
>> -            raise RuntimeError(f"generator failed ({res.returncode}): {res.stdout}\n{res.stderr}")
>> +        if res.returncode == 0 and expect_failure:
>> +            raise RuntimeError(
>> +                f"`{' '.join(cmd)}` succeded unexpectedly:\n{res.stderr}\n{res.stdout}"
>> +            )
>> +        elif res.returncode != 0 and not expect_failure:
>> +            raise RuntimeError(
>> +                f"`{' '.join(cmd)}` failed unexpectedly with {res.returncode}:\n{res.stderr}\n{res.stdout}"
>> +            )
>>          return res
>>  
>> +    def overwrite_magic(self, new_magic):
>> +        with open(self.schema, "r", encoding="utf-8") as f:
>> +            patched_schema = "".join(
>> +                re.sub(r"^magic:\s*0x[a-fA-F0-9]{8}\s*$", f"magic: {new_magic}\n", line)
>> +                for line in f
>> +            )
>> +        return patched_schema
>> +
>> +    def tlv_gen(self, outfile, magic=None, sign=None):
>> +        param = ["--input-data", str(self.data)]
>> +        if sign:
>> +            param += ["--sign", str(sign)]
>> +        if magic:
>> +            param += ["/dev/stdin"]
>> +        else:
>> +            param += [str(self.schema)]
>> +        param += [str(outfile)]
>> +        ret = self.generator(param, input=self.overwrite_magic(magic) if magic else None)
>> +        assert outfile.exists(), f"TLV {outfile} not created from {' '.join(param)}"
>> +        return ret
>> +
>> +    def tlv_read(self, binfile, magic=None, verify=None, expect_failure=False):
>> +        param = ["--output-data", "/dev/null"]
>> +        if verify:
>> +            param += ["--verify", str(verify)]
>> +        if magic:
>> +            param += ["/dev/stdin"]
>> +        else:
>> +            param += [str(self.schema)]
>> +        param += [str(binfile)]
>> +        ret = self.generator(
>> +            param,
>> +            input=self.overwrite_magic(magic) if magic else None,
>> +            expect_failure=expect_failure,
>> +        )
>> +        return ret
>> +
>> +    def corrupt(self, fnin, fnout, fix_crc=False):
>> +        try:
>> +            from crcmod.predefined import mkPredefinedCrcFun
>> +        except ModuleNotFoundError:
>> +            pytest.skip("test skipped due to missing dependency python-crcmod")
>> +            return
>> +
>> +        _crc32_mpeg = mkPredefinedCrcFun("crc-32-mpeg")
>> +
>> +        with open(fnin, "r+b") as f:
>> +            data = bytearray(f.read())
>> +        data[0x20] ^= 1
>> +        if fix_crc:
>> +            crc_raw = _crc32_mpeg(data[:-4])
>> +            crc = struct.pack(">I", crc_raw)
>> +            data[-4:] = crc
>> +        with open(fnout, "wb") as f:
>> +            f.write(data)
>> +
>>      def __init__(self, testfs):
>>          self.dir = Path(testfs)
>>          self.scripts_dir = Path("scripts/bareboxtlv-generator")
>>          self.data = self.scripts_dir / "data-example.yaml"
>>          self.schema = self.scripts_dir / "schema-example.yaml"
>>          self.generator_py = self.scripts_dir / "bareboxtlv-generator.py"
>> -        self.unsigned_bin = self.dir / 'unsigned.tlv'
>> -        self.corrupted_bin = self.dir / 'unsigned_corrupted.tlv'
>> +        self.privkey_rsa = Path("crypto/fit-4096-development.key")
>> +        self.pubkey_rsa = Path("crypto/fit-4096-development.crt")
>> +        self.privkey_ecdsa = Path("crypto/fit-ecdsa-development.key")
>> +        self.pubkey_ecdsa = Path("crypto/fit-ecdsa-development.crt")
>> +        self.unsigned_bin = self.dir / "unsigned.tlv"
>> +        self.corrupted_bin = self.dir / "unsigned_corrupted.tlv"
>> +        self.signed_bin = self.dir / "signed.tlv"
>> +        self.ecdsa_signed_bin = self.dir / "ecdsa-signed.tlv"
>> +        self.tampered_bin = self.dir / "signed-tampered.tlv"
>> +        self.tampered_ecdsa_bin = self.dir / "ecdsa-signed-tampered.tlv"
>> +
>>  
>>  @pytest.fixture(scope="module")
>>  def tlv_testdata(testfs):
>>      t = _TLV_Testdata(testfs)
>> -    t.generator(["--input-data", str(t.data), str(t.schema), str(t.unsigned_bin)])
>> -    assert t.unsigned_bin.exists(), "unsigned TLV not created"
>>  
>> -    with open(t.unsigned_bin, 'r+b') as f:
>> -        data = bytearray(f.read())
>> -    data[0x20] ^= 1
>> -    with open(t.corrupted_bin, "wb") as f:
>> -        f.write(data)
>> +    t.tlv_gen(t.unsigned_bin)
>> +    t.tlv_gen(t.signed_bin, sign=t.privkey_rsa, magic="0x61bb95f3")
>> +    t.tlv_gen(t.ecdsa_signed_bin, sign=t.privkey_ecdsa, magic="0x61bb95f3")
>> +
>> +    t.corrupt(t.unsigned_bin, t.corrupted_bin)
>> +    t.corrupt(t.signed_bin, t.tampered_bin, fix_crc=True)
>> +    t.corrupt(t.ecdsa_signed_bin, t.tampered_ecdsa_bin, fix_crc=True)
>>  
>>      return t
>>  
>> +
>>  def test_tlv_generator(tlv_testdata):
>>      t = tlv_testdata
>> -    out_yaml = t.dir / 'out.yaml'
>> +    out_yaml = t.dir / "out.yaml"
>>  
>> +    t.tlv_read(t.unsigned_bin)
>> +    t.tlv_read(t.signed_bin, verify=t.pubkey_rsa, magic="0x61bb95f3")
>> +    t.tlv_read(t.ecdsa_signed_bin, verify=t.pubkey_ecdsa, magic="0x61bb95f3")
>>  
>> -    good = t.generator(["--output-data", str(out_yaml), str(t.schema), str(t.unsigned_bin)], check=False)
>> -    assert good.returncode == 0, f"valid unsigned TLV failed to decode: {good.stderr}\n{good.stdout}"
>> +    t.tlv_read(t.corrupted_bin, expect_failure=True)
>> +    t.tlv_read(t.tampered_bin, verify=t.pubkey_rsa, magic="0x61bb95f3", expect_failure=True)
>> +    t.tlv_read(t.tampered_ecdsa_bin, verify=t.pubkey_ecdsa, magic="0x61bb95f3", expect_failure=True)
>>  
>> -    bad = t.generator(["--output-data", str(t.dir / 'bad.yaml'), str(t.schema), str(t.corrupted_bin)], check=False)
>> -    assert bad.returncode != 0, "unsigned TLV with invalid CRC unexpectedly decoded successfully"
>>  
>> -def test_tlv_command(barebox, barebox_config, tlv_testdata):
>> +@pytest.fixture(scope="module")
>> +def tlv_cmdtest(barebox_config, tlv_testdata):
>>      skip_disabled(barebox_config, "CONFIG_CMD_TLV")
>> -    t = tlv_testdata
>> -    with open(t.data, 'r', encoding='utf-8') as f:
>> -        yaml_lines = [l.strip() for l in f if l.strip() and not l.strip().startswith('#')]
>> -
>> -    stdout = barebox.run_check(f"tlv /mnt/9p/testfs/{t.unsigned_bin.name}")
>> -
>> -    # work around 9pfs printing here after a failed network test
>> -    tlv_offset = next((i for i, line in enumerate(stdout) if line.startswith("tlv")), None)
>> -    tlv_lines = stdout[tlv_offset + 1:-1]
>> -
>> -    assert len(yaml_lines) == len(tlv_lines), \
>> -        f"YAML and TLV output line count mismatch for {t.unsigned_bin.name}"
>> -
>> -    for yline, tline in zip(yaml_lines, tlv_lines):
>> -        m = re.match(r'^\s*([^=]+) = "(.*)";$', tline)
>> -        assert m, f"malformed tlv line: {tline}"
>> -        tkey, tval = m.group(1), m.group(2)
>> -        m = re.match(r'^([^:]+):\s*(?:"([^"]*)"\s*|(.*))$', yline)
>> -        assert m, f"malformed yaml line: {yline}"
>> -        ykey, yval = m.group(1), m.group(2) or m.group(3)
>> -        assert ykey == tkey, f"key mismatch: {ykey} != {tkey}"
>> -        assert str(yval) == str(tval), f"value mismatch for {ykey}: {yval} != {tval}"
>> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS")
>> +
>> +    class _TLV_Cmdtest:
>> +        def __init__(self, tlv_testdata):
>> +            self.t = tlv_testdata
>> +            with open(tlv_testdata.data, "r", encoding="utf-8") as f:
>> +                self.yaml_lines = [
>> +                    l.strip() for l in f if l.strip() and not l.strip().startswith("#")
>> +                ]
>> +
>> +        def test(self, barebox, fn, fail=False):
>> +            cmd = f"tlv /mnt/9p/testfs/{fn}"
>> +            stdout, stderr, exitcode = barebox.run(cmd, timeout=2)
>> +            if fail:
>> +                assert exitcode != 0
>> +                return
>> +            elif exitcode != 0:
>> +                raise RuntimeError(f"`{cmd}` failed with exitcode {exitcode}:\n{stderr}\n{stdout}")
>> +
>> +            # work around a corner case of 9pfs printing here (after a failed network test?)
>> +            tlv_offset = next((i for i, line in enumerate(stdout) if line.startswith("tlv")), None)
>> +            tlv_lines = stdout[tlv_offset + 1 : -1]
>> +
>> +            assert len(self.yaml_lines) == len(tlv_lines), (
>> +                f"YAML and TLV output line count mismatch for {fn}"
>> +            )
>> +
>> +            for yline, tline in zip(self.yaml_lines, tlv_lines):
>> +                m = re.match(r'^\s*([^=]+) = "(.*)";$', tline)
>> +                assert m, f"malformed tlv line: {tline}"
>> +                tkey, tval = m.group(1), m.group(2)
>> +                m = re.match(r'^([^:]+):\s*(?:"([^"]*)"\s*|(.*))$', yline)
>> +                assert m, f"malformed yaml line: {yline}"
>> +                ykey, yval = m.group(1), m.group(2) or m.group(3)
>> +                assert ykey == tkey, f"key mismatch: {ykey} != {tkey}"
>> +                assert str(yval) == str(tval), f"value mismatch for {ykey}: {yval} != {tval}"
>> +
>> +    return _TLV_Cmdtest(tlv_testdata)
>> +
>> +
>> +def test_tlv_cmd_unsigned(barebox, barebox_config, tlv_cmdtest):
>> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_RSA")
>> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.unsigned_bin.name)
>> +
>> +
>> +def test_tlv_cmd_signed(barebox, barebox_config, tlv_cmdtest):
>> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_RSA")
>> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.signed_bin.name)
>> +
>> +
>> +def test_tlv_cmd_ecdsa_signed(barebox, barebox_config, tlv_cmdtest):
>> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_ECDSA")
>> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.ecdsa_signed_bin.name)
>> +
>> +
>> +def test_tlv_cmd_corrupted(barebox, barebox_config, tlv_cmdtest):
>> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_RSA")
>> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.corrupted_bin.name, fail=True)
>> +
>> +
>> +def test_tlv_cmd_tampered(barebox, barebox_config, tlv_cmdtest):
>> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_RSA")
>> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.tampered_bin.name, fail=True)
>> +
>> +
>> +def test_tlv_cmd_ecdsa_tampered(barebox, barebox_config, tlv_cmdtest):
>> +    skip_disabled(barebox_config, "CONFIG_CRYPTO_ECDSA")
>> +    tlv_cmdtest.test(barebox, tlv_cmdtest.t.tampered_ecdsa_bin.name, fail=True)
>>
> 

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |