From patchwork Mon Dec 8 12:39:52 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 855
From: Simon Glass
To: U-Boot Concept
CC: Simon Glass, Claude
Date: Mon, 8 Dec 2025 05:39:52 -0700
Subject: [Concept] [PATCH 3/7] test: Add mmc13 and mmc14 devices for TKey and pre-derived
Message-ID: <20251208124001.775057-4-sjg@u-boot.org>
In-Reply-To: <20251208124001.775057-1-sjg@u-boot.org>
References: <20251208124001.775057-1-sjg@u-boot.org>
X-Mailer: git-send-email 2.43.0
List-Id: Discussion and patches related to U-Boot Concept

Add two new MMC test devices:

- mmc13: LUKS2 encrypted with TKey-derived key, for testing TKey-based disk encryption unlock
- mmc14: LUKS2 encrypted with a known master key, for testing the pre-derived master key unlock path

The test setup generates keys matching the TKey emulator's deterministic output. An override.bin file can be used to test with a physical TKey.

Co-developed-by: Claude
Signed-off-by: Simon Glass
--- arch/sandbox/dts/test.dts | 16 ++++++++++++++++ test/py/tests/test_ut.py | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/arch/sandbox/dts/test.dts b/arch/sandbox/dts/test.dts index 7fef23a9285..7a67565e4a9 100644 --- a/arch/sandbox/dts/test.dts +++ b/arch/sandbox/dts/test.dts @@ -50,6 +50,8 @@ mmc10 = "/mmc10"; mmc11 = "/mmc11"; mmc12 = "/mmc12"; + mmc13 = "/mmc13"; + mmc14 = "/mmc14"; pci0 = &pci0; pci1 = &pci1; pci2 = &pci2;
@@ -1220,6 +1222,20 @@ filename = "mmc12.img"; }; + /* This is used for LUKS version 2 tests with TKey */ + mmc13 { + status = "disabled"; + compatible = "sandbox,mmc"; + filename = "mmc13.img"; + }; + + /* This is used for LUKS version 2 tests with pre-derived master key */ + mmc14 { + status = "disabled"; + compatible = "sandbox,mmc"; + filename = "mmc14.img"; + }; + pch { compatible = "sandbox,pch"; }; diff --git a/test/py/tests/test_ut.py b/test/py/tests/test_ut.py index e2b4d49a2e0..b9ba240c848 100644 --- a/test/py/tests/test_ut.py +++ b/test/py/tests/test_ut.py @@ -9,6 +9,7 @@ test one at a time, as well setting up some files needed by the tests. """ import collections import gzip +import hashlib import os import os.path import pytest 
@@ -83,9 +84,40 @@ def test_ut_dm_init_bootstd(u_boot_config, u_boot_log): setup_ubuntu_image(u_boot_config, u_boot_log, 3, 'flash', '25.04') setup_localboot_image(u_boot_config, u_boot_log) setup_vbe_image(u_boot_config, u_boot_log) + + # Generate TKey emulator disk key for LUKS encryption + # The emulator generates pubkey as 0x50 + (i & 0xf) for i in range(32) + # Disk key = SHA256(hex_string_of_pubkey), matching tkey_derive_disk_key() + # Allow override via external key file for testing with real keys + override_keyfile = os.path.join(u_boot_config.source_dir, 'override.bin') + if os.path.exists(override_keyfile): + keyfile = override_keyfile + u_boot_log.action(f'Using override TKey key: {keyfile}') + else: + pubkey = bytes([0x50 + (i & 0xf) for i in range(32)]) + disk_key = hashlib.sha256(pubkey.hex().encode()).digest() + keyfile = os.path.join(u_boot_config.persistent_data_dir, 'tkey_emul.key') + with open(keyfile, 'wb') as f: + f.write(disk_key) + u_boot_log.action(f'Generated TKey emulator disk key: {keyfile}') + setup_ubuntu_image(u_boot_config, u_boot_log, 11, 'mmc', use_fde=1) setup_ubuntu_image(u_boot_config, u_boot_log, 12, 'mmc', use_fde=2, luks_kdf='argon2id') + setup_ubuntu_image(u_boot_config, u_boot_log, 13, 'mmc', use_fde=2, + luks_kdf='argon2id', encrypt_keyfile=keyfile) + + # Create mmc14 with a known master key for pre_derived unlock testing + # For LUKS2 with aes-xts-plain64, we need a 64-byte (512-bit) master key + master_key = bytes([0x20 + (i & 0x3f) for i in range(64)]) + master_keyfile = os.path.join(u_boot_config.persistent_data_dir, + 'luks_master.key') + with open(master_keyfile, 'wb') as f: + f.write(master_key) + u_boot_log.action(f'Generated LUKS master key: {master_keyfile}') + setup_ubuntu_image(u_boot_config, u_boot_log, 14, 'mmc', use_fde=2, + luks_kdf='argon2id', encrypt_keyfile=keyfile, + master_keyfile=master_keyfile) def test_ut(ubman, ut_subtest): """Execute a "ut" subtest.
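Review bot: In the test.dts hunk at line 1222, the comments on the new mmc13 and mmc14 nodes do not say which test enables them, and both nodes are added with status = "disabled". Naming the test (or the mechanism that enables the node) in each comment would let a reader tell which image belongs to which unlock path without searching the test sources.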
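Review bot: In the test_ut.py hunk at line 84, the mmc14 call passes encrypt_keyfile=keyfile, so when override.bin exists the image meant for the pre-derived master key path is also built with the override key rather than the deterministic emulator key. If mmc14 is only meant to exercise master_keyfile, consider always using the generated tkey_emul.key there, or extend the "Create mmc14" comment to say why both keys are passed. The override branch also takes override.bin as-is: the generated key is a 32-byte SHA256 digest, so a length check on the override file would catch a wrong file early, and a comment could state how override.bin is expected to be produced from a physical TKey.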