tests: Add a few simple tests

Add a few tests for the sign, verify, attach and detach code. These
require some additional infrastructure to create a sample PE/COFF
executable, plus a key & cert for testing.

Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>

9 files changed, 158 insertions, 2 deletions

diff --git a/Makefile.am b/Makefile.am
index a87cb5a..74b561d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -29,4 +29,4 @@ $(top_builddir)/docs/%.1: $(srcdir)/docs/%.1.in $(top_builddir)/%
 	$(MKDIR_P) $(@D)
 	$(HELP2MAN) --no-info -i $< -o $@ $(top_builddir)/$*
 
-SUBDIRS = lib/ccan
+SUBDIRS = lib/ccan . tests
diff --git a/configure.ac b/configure.ac
index 669b027..e48b9f2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7,12 +7,16 @@ AC_PREREQ(2.60)
 AC_CONFIG_HEADERS(config.h)
 AC_CONFIG_SRCDIR(sbsign.c)
 
+AM_PROG_AS
 AC_PROG_CC
 AM_PROG_CC_C_O
 AC_PROG_CPP
 AC_PROG_RANLIB
 AC_PROG_MKDIR_P
 
+AC_CHECK_TOOL(OBJCOPY, [objcopy])
+AC_CHECK_TOOL(STRIP, [strip])
+
 if test $cross_compiling = no; then
   AM_MISSING_PROG(HELP2MAN, help2man)
 else
@@ -51,5 +55,5 @@ PKG_CHECK_MODULES(libcrypto, libcrypto,
     [],
     AC_MSG_ERROR([libcrypto (from the OpenSSL package) is required]))
 
-AC_CONFIG_FILES([Makefile lib/ccan/Makefile])
+AC_CONFIG_FILES([Makefile lib/ccan/Makefile tests/Makefile])
 AC_OUTPUT
diff --git a/tests/Makefile.am b/tests/Makefile.am
new file mode 100644
index 0000000..0c40a38
--- /dev/null
+++ b/tests/Makefile.am
@@ -0,0 +1,43 @@
+
+test_key = private-key.rsa
+test_cert = public-cert.pem
+test_image = test.pecoff
+
+check_PROGRAMS = test.pecoff
+check_DATA = $(test_key) $(test_cert)
+check_SCRIPTS = common.sh
+
+test_image_arch = x86-64
+test_lds = $(srcdir)/test.lds
+
+test_pecoff_SOURCES =
+
+test.pecoff: test.elf
+	$(OBJCOPY) -j .text -j .sdata -j .data \
+		-j .dynamic -j .dynsym  -j .rel \
+		-j .rela -j .reloc \
+		--target=efi-app-$(test_image_arch) $^ $@
+	$(STRIP) $@
+
+test.elf: LDFLAGS = -nostdlib -T $(test_lds) -m64
+test.elf: test.$(OBJEXT) $(test_lds)
+	$(LINK) $<
+
+.INTERMEDIATE: test.elf
+
+test.$(OBJEXT): ASFLAGS = -m64
+test.$(OBJEXT): $(srcdir)/test.S
+	$(AS) -o $@ $^
+
+$(test_key): Makefile
+	openssl genrsa -out $@ 2048
+
+$(test_cert): $(test_key) Makefile
+	openssl req -x509 -sha256 -subj '/' -new -key $< -out $@
+
+TESTS = sign-verify.sh \
+	sign-verify-detached.sh \
+	sign-attach-verify.sh
+
+EXTRA_DIST = $(test_lds) test.S $(TESTS) $(check_SCRIPTS)
+CLEANFILES = $(test_key) $(test_cert) $(test_image)
diff --git a/tests/common.sh b/tests/common.sh
new file mode 100644
index 0000000..af60285
--- /dev/null
+++ b/tests/common.sh
@@ -0,0 +1,12 @@
+
+basedir=..
+testdir="$basedir/tests"
+bindir="$basedir"
+
+sbsign=$bindir/sbsign
+sbverify=$bindir/sbverify
+sbattach=$bindir/sbattach
+
+key="$testdir/private-key.rsa"
+cert="$testdir/public-cert.pem"
+image="$testdir/test.pecoff"
diff --git a/tests/sign-attach-verify.sh b/tests/sign-attach-verify.sh
new file mode 100755
index 0000000..333308e
--- /dev/null
+++ b/tests/sign-attach-verify.sh
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+. "$srcdir/common.sh"
+
+sig=test.sig
+signed=test.signed
+
+trap 'rm -f "$sig" "$signed"' EXIT
+
+"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image"
+"$sbattach" --attach $sig $signed
+"$sbverify" --cert "$cert" "$signed"
diff --git a/tests/sign-verify-detached.sh b/tests/sign-verify-detached.sh
new file mode 100755
index 0000000..02c583e
--- /dev/null
+++ b/tests/sign-verify-detached.sh
@@ -0,0 +1,10 @@
+#!/bin/bash -e
+
+. "$srcdir/common.sh"
+
+sig=test.sig
+
+trap 'rm -f "$sig"' EXIT
+
+"$sbsign" --cert "$cert" --key "$key" --detached --output $sig "$image"
+"$sbverify" --cert "$cert" --detached $sig "$image"
diff --git a/tests/sign-verify.sh b/tests/sign-verify.sh
new file mode 100755
index 0000000..bc9bceb
--- /dev/null
+++ b/tests/sign-verify.sh
@@ -0,0 +1,6 @@
+#!/bin/bash -e
+
+. "$srcdir/common.sh"
+
+"$sbsign" --cert "$cert" --key "$key" --output test.signed "$image"
+"$sbverify" --cert "$cert" test.signed
diff --git a/tests/test.S b/tests/test.S
new file mode 100644
index 0000000..67384a6
--- /dev/null
+++ b/tests/test.S
@@ -0,0 +1,9 @@
+
+.text
+.globl _start
+_start:
+	nop
+
+.data
+data:
+	.long	0x0
diff --git a/tests/test.lds b/tests/test.lds
new file mode 100644
index 0000000..e4eb6ae
--- /dev/null
+++ b/tests/test.lds
@@ -0,0 +1,60 @@
+/* Same as elf_x86_64_fbsd_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */
+OUTPUT_FORMAT("elf64-x86-64", "elf64-x86-64", "elf64-x86-64")
+OUTPUT_ARCH(i386:x86-64)
+ENTRY(_start)
+SECTIONS
+{
+  . = 0;
+  ImageBase = .;
+  .hash : { *(.hash) }	/* this MUST come first! */
+  . = ALIGN(4096);
+  .eh_frame :
+  {
+    *(.eh_frame)
+  }
+  . = ALIGN(4096);
+  .text :
+  {
+   *(.text)
+  }
+  . = ALIGN(4096);
+  .reloc :
+  {
+   *(.reloc)
+  }
+  . = ALIGN(4096);
+  .data :
+  {
+   *(.rodata*)
+   *(.got.plt)
+   *(.got)
+   *(.data*)
+   *(.sdata)
+   /* the EFI loader doesn't seem to like a .bss section, so we stick
+      it all into .data: */
+   *(.sbss)
+   *(.scommon)
+   *(.dynbss)
+   *(.bss)
+   *(COMMON)
+   *(.rel.local)
+  }
+  . = ALIGN(4096);
+  .dynamic  : { *(.dynamic) }
+  . = ALIGN(4096);
+  .rela :
+  {
+    *(.rela.data*)
+    *(.rela.got)
+    *(.rela.stab)
+  }
+  . = ALIGN(4096);
+  .dynsym   : { *(.dynsym) }
+  . = ALIGN(4096);
+  .dynstr   : { *(.dynstr) }
+  . = ALIGN(4096);
+  .ignored.reloc :
+  {
+    *(.rela.reloc)
+  }
+}