From af3cbe28889a549257604e366117227f9a4950e8 Mon Sep 17 00:00:00 2001 From: KonstantinKondrashov Date: Mon, 15 Mar 2021 23:59:56 +0800 Subject: [PATCH] simple_ota_example: Adds configs to test on_update_no_secure_boot option (RSA&ECDSA) --- .gitlab/ci/target-test.yml | 6 ++ .../ota/simple_ota_example/example_test.py | 81 +++++++++++++++++++ .../sdkconfig.ci.on_update_no_sb_ecdsa | 22 +++++ .../sdkconfig.ci.on_update_no_sb_rsa | 23 ++++++ .../test/secure_boot_signing_key.pem | 39 +++++++++ .../test/secure_boot_signing_key_ecdsa.pem | 5 ++ 6 files changed, 176 insertions(+) create mode 100644 examples/system/ota/simple_ota_example/sdkconfig.ci.on_update_no_sb_ecdsa create mode 100644 examples/system/ota/simple_ota_example/sdkconfig.ci.on_update_no_sb_rsa create mode 100644 examples/system/ota/simple_ota_example/test/secure_boot_signing_key.pem create mode 100644 examples/system/ota/simple_ota_example/test/secure_boot_signing_key_ecdsa.pem diff --git a/.gitlab/ci/target-test.yml b/.gitlab/ci/target-test.yml index b55c157001..63442e75df 100644 --- a/.gitlab/ci/target-test.yml +++ b/.gitlab/ci/target-test.yml @@ -100,6 +100,12 @@ example_test_001B: - ESP32 - Example_EthKitV1 +example_test_001B_V3: + extends: .example_test_esp32_template + tags: + - ESP32 + - Example_EthKitV12 + example_test_001C: extends: .example_test_esp32_template parallel: 3 diff --git a/examples/system/ota/simple_ota_example/example_test.py b/examples/system/ota/simple_ota_example/example_test.py index a69246109f..4647d85e19 100644 --- a/examples/system/ota/simple_ota_example/example_test.py +++ b/examples/system/ota/simple_ota_example/example_test.py 
@@ -234,6 +234,85 @@ def test_examples_protocol_simple_ota_example_with_flash_encryption_wifi(env, ex dut1.expect('Starting OTA example', timeout=30) +@ttfw_idf.idf_example_test(env_tag='Example_EthKitV1') +def test_examples_protocol_simple_ota_example_with_verify_app_signature_on_update_no_secure_boot_ecdsa(env, extra_data): + """ + steps: | + 1. join AP + 2. Fetch OTA image over HTTPS + 3. Reboot with the new OTA image + """ + dut1 = env.get_dut('simple_ota_example', 'examples/system/ota/simple_ota_example', dut_class=ttfw_idf.ESP32DUT, + app_config_name='on_update_no_sb_ecdsa') + # check and log bin size + binary_file = os.path.join(dut1.app.binary_path, 'simple_ota.bin') + bin_size = os.path.getsize(binary_file) + ttfw_idf.log_performance('simple_ota_bin_size', '{}KB'.format(bin_size // 1024)) + # start test + host_ip = get_my_ip() + thread1 = Thread(target=start_https_server, args=(dut1.app.binary_path, host_ip, 8000)) + thread1.daemon = True + thread1.start() + dut1.start_app() + dut1.expect('Loaded app from partition at offset 0x20000', timeout=30) + try: + ip_address = dut1.expect(re.compile(r' eth ip: ([^,]+),'), timeout=30) + print('Connected to AP with IP: {}'.format(ip_address)) + except DUT.ExpectTimeout: + raise ValueError('ENV_TEST_FAILURE: Cannot connect to AP') + dut1.expect('Starting OTA example', timeout=30) + + print('writing to device: {}'.format('https://' + host_ip + ':8000/simple_ota.bin')) + dut1.write('https://' + host_ip + ':8000/simple_ota.bin') + dut1.expect('Writing to partition subtype 16 at offset 0x120000', timeout=20) + + dut1.expect('Verifying image signature...', timeout=60) + + dut1.expect('Loaded app from partition at offset 0x120000', timeout=20) + dut1.expect('Starting OTA example', timeout=30) + + +@ttfw_idf.idf_example_test(env_tag='Example_EthKitV12') +def test_examples_protocol_simple_ota_example_with_verify_app_signature_on_update_no_secure_boot_rsa(env, extra_data): + """ + steps: | + 1. join AP + 2. 
Fetch OTA image over HTTPS + 3. Reboot with the new OTA image + """ + dut1 = env.get_dut('simple_ota_example', 'examples/system/ota/simple_ota_example', dut_class=ttfw_idf.ESP32DUT, + app_config_name='on_update_no_sb_rsa') + # check and log bin size + binary_file = os.path.join(dut1.app.binary_path, 'simple_ota.bin') + bin_size = os.path.getsize(binary_file) + ttfw_idf.log_performance('simple_ota_bin_size', '{}KB'.format(bin_size // 1024)) + # start test + host_ip = get_my_ip() + thread1 = Thread(target=start_https_server, args=(dut1.app.binary_path, host_ip, 8000)) + thread1.daemon = True + thread1.start() + dut1.start_app() + dut1.expect('Loaded app from partition at offset 0x20000', timeout=30) + try: + ip_address = dut1.expect(re.compile(r' eth ip: ([^,]+),'), timeout=30) + print('Connected to AP with IP: {}'.format(ip_address)) + except DUT.ExpectTimeout: + raise ValueError('ENV_TEST_FAILURE: Cannot connect to AP') + dut1.expect('Starting OTA example', timeout=30) + + print('writing to device: {}'.format('https://' + host_ip + ':8000/simple_ota.bin')) + dut1.write('https://' + host_ip + ':8000/simple_ota.bin') + dut1.expect('Writing to partition subtype 16 at offset 0x120000', timeout=20) + + dut1.expect('Verifying image signature...', timeout=60) + dut1.expect('#0 app key digest == #0 trusted key digest', timeout=10) + dut1.expect('Verifying with RSA-PSS...', timeout=10) + dut1.expect('Signature verified successfully!', timeout=10) + + dut1.expect('Loaded app from partition at offset 0x120000', timeout=20) + dut1.expect('Starting OTA example', timeout=30) + + if __name__ == '__main__': if sys.argv[2:]: # if two or more arguments provided: # Usage: example_test.py [cert_di>] 
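Review bot: Both new tests cover only the accepted-image path, and the ECDSA variant never asserts the verification result: after `dut1.expect('Verifying image signature...', timeout=60)` it goes straight to the reboot check, while the RSA variant also waits for `'Signature verified successfully!'`. A regression that starts verification but ignores its outcome would likely still boot from 0x120000 and pass. Consider adding the matching success expectation to the ECDSA test (the exact log text for that scheme is not visible in this patch), plus one rejection case per scheme that serves an image not signed with the configured key and expects the device to stay on the partition at 0x20000. The two function bodies are otherwise identical, so a shared helper taking `app_config_name` and the list of expected log lines would keep them in sync.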
@@ -250,3 +329,5 @@ if __name__ == '__main__':
 test_examples_protocol_simple_ota_example_ethernet_with_spiram_config()
 test_examples_protocol_simple_ota_example_with_flash_encryption()
 test_examples_protocol_simple_ota_example_with_flash_encryption_wifi()
+ test_examples_protocol_simple_ota_example_with_verify_app_signature_on_update_no_secure_boot_ecdsa()
+ test_examples_protocol_simple_ota_example_with_verify_app_signature_on_update_no_secure_boot_rsa()
diff --git a/examples/system/ota/simple_ota_example/sdkconfig.ci.on_update_no_sb_ecdsa b/examples/system/ota/simple_ota_example/sdkconfig.ci.on_update_no_sb_ecdsa
new file mode 100644
index 0000000000..cc7392ecd5
--- /dev/null
+++ b/examples/system/ota/simple_ota_example/sdkconfig.ci.on_update_no_sb_ecdsa
@@ -0,0 +1,22 @@
+# ECDSA is available only in ESP32
+CONFIG_IDF_TARGET="esp32"
+
+CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL="FROM_STDIN"
+CONFIG_EXAMPLE_SKIP_COMMON_NAME_CHECK=y
+
+CONFIG_PARTITION_TABLE_OFFSET=0xC000
+
+CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
+CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT=y
+CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key_ecdsa.pem"
+
+CONFIG_EXAMPLE_CONNECT_ETHERNET=y
+CONFIG_EXAMPLE_CONNECT_WIFI=n
+CONFIG_EXAMPLE_USE_INTERNAL_ETHERNET=y
+CONFIG_EXAMPLE_ETH_PHY_IP101=y
+CONFIG_EXAMPLE_ETH_MDC_GPIO=23
+CONFIG_EXAMPLE_ETH_MDIO_GPIO=18
+CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
+CONFIG_EXAMPLE_ETH_PHY_ADDR=1
+CONFIG_EXAMPLE_CONNECT_IPV6=y
diff --git a/examples/system/ota/simple_ota_example/sdkconfig.ci.on_update_no_sb_rsa b/examples/system/ota/simple_ota_example/sdkconfig.ci.on_update_no_sb_rsa
new file mode 100644
index 0000000000..f1395e9e66
--- /dev/null
+++ b/examples/system/ota/simple_ota_example/sdkconfig.ci.on_update_no_sb_rsa
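Review bot: `CONFIG_EXAMPLE_SKIP_COMMON_NAME_CHECK=y` is set without a comment, so nothing in this file tells a reader copying it that the certificate common-name check is switched off for the download. I would add `# CI only: the test server is addressed by IP, so the certificate CN cannot match` above that line. The stated reason is inferred from the test script, which passes `host_ip` to the HTTPS server, so adjust the wording if the real reason differs. The same comment applies to sdkconfig.ci.on_update_no_sb_rsa in the following hunk.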
@@ -0,0 +1,23 @@
+# ESP32 supports SIGNED_APPS_RSA_SCHEME only in ECO3
+CONFIG_ESP32_REV_MIN_3=y
+CONFIG_ESP32_REV_MIN=3
+
+CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL="FROM_STDIN"
+CONFIG_EXAMPLE_SKIP_COMMON_NAME_CHECK=y
+
+CONFIG_PARTITION_TABLE_OFFSET=0xC000
+
+CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
+CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT=y
+CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
+CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem"
+
+CONFIG_EXAMPLE_CONNECT_ETHERNET=y
+CONFIG_EXAMPLE_CONNECT_WIFI=n
+CONFIG_EXAMPLE_USE_INTERNAL_ETHERNET=y
+CONFIG_EXAMPLE_ETH_PHY_IP101=y
+CONFIG_EXAMPLE_ETH_MDC_GPIO=23
+CONFIG_EXAMPLE_ETH_MDIO_GPIO=18
+CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
+CONFIG_EXAMPLE_ETH_PHY_ADDR=1
+CONFIG_EXAMPLE_CONNECT_IPV6=y
diff --git a/examples/system/ota/simple_ota_example/test/secure_boot_signing_key.pem b/examples/system/ota/simple_ota_example/test/secure_boot_signing_key.pem
new file mode 100644
index 0000000000..da5fe069c0
--- /dev/null
+++ b/examples/system/ota/simple_ota_example/test/secure_boot_signing_key.pem
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4wIBAAKCAYEAzJUktQ+7wpPDfDGterxiMRx5w9n7PFaUSK3wnE+05ALsEF8F +rUOC7/q0GutYYdWopdRM1FUKX2XVaryMViC+DHof42fEbpWYnfrCkYrDn8MLuMyK +4uGunl8LUTIAZk3I3SZKJZy5FW9eb1XtkwfN1lAd6lEEGQKyoR6Bk/Rkisj0LP7R +dyV9NKbJhxavZ1ohZXiXU5FW873iGdPIsloZoUK3QGRE1KRIH2woUGHATfXBCf5a ++e41wJzz7YHl5tjyxAbJ9PET52N14G73WoZKHu3QPShALrZVfjsk1oYdFvNdOBDL +uU0vpyKl7mJHno11gM0UM0s9PrMxk9ffdAqMyS8YeLEk2Xl3AwPv7m9oeGIdSD/P +okcISYcm4YAl5veqIG3RlkfpWjf5G15UYyLbgmn4GOkgr6ksB/dCFOMi9V1LjPah +32A7gxqTlapQza+wNs30SYBIXrFde4bNnhFhj4Cbt34ADefWm26KLiZEHFHFN30Z +IownitXz3rT7rmzBAgMBAAECggGBAK6bBA88dGWnM4rF42gDbFK6GPqdCp3+zuQR +AHCIXrzT+aInV3L/Ubt730eyYWZusleGEGSQiB/PjAxjC+teWpXPjXPK1o4DQ5Rh +trn9EuVB1LlOaaMmNqCYQdJ0uH6YGL0WtuXPEvBGcvTXA8MfQACPtFiN+M9XzBlT +LgiW51DEHhJhEWl9J5VOXGXdaKru893kxFLgkrPI9jZQ2NPPrlxB0qE0csKBy8R1 +zRp9s2FWRAFBg2gYdOwFiPLGkO8rbM+jhXM+IUV1GgVYdxAC6zS9AiIAWuACDEwp +Pzg3d3/5uyOFK1xTIPl/cG8CZyPQL1v/mUx0MZFaB1R1CVeDuMoFVz2YSbEaAVFv +QIcJGDN/WlJbt0jwj7/RJKKTx0ipFlUdNbodzdaSl3Yg4N+evzR1nS8DvLJpwl/e +ybu40IbavwYXWVzirH3wRg+P/NDsHLU5xASAyUwf1minsmObILayEZgfTA6TbrKL +fZbJCvy2/IuCM6iqKZwSvYy0bJdaAQKBwQDzDVa/M4/sJV0GEbwegeN6Xf+XKkl3 +Gosjd+vQgv/0X1gbdMc0Ej9eYSU5/GYIHxDzDRkYIxtIfwaze1gGeNRHycMCmVkl +09DMi48jLGE7wzObPu6MtBCSAGHaS9zMTVCYDYtRlykPzG2/1QNrRUDNACnpzneK +MkWObzFYTIup1zh+JaD56vLIDdL7qM9apmEkq4O6y1BBPnCgRYJy5EU3BDZxz9fP +47JtCZ47uVguoh/NVYY5uibdvI5iJ4SA/VECgcEA13srpwJppfTTFPRWgD+g7PdU +Yg+ENBWygiJuwgGv6DyD4k73pxiyshNo7jxsdOLeGFA8hI3dvd/Ei6uUsGnWPy/a +OwuBcOZrJZjyawNSiC+mrCSP0LGQrC5VjmuE8IU1d2hFWyV/NzkSLaXJ52Zkg3ee +sSepBHtWEYpwH929u5FTKDKhL0qRH8E1EsULSjmkTa+cVDYgx8+2mb3vHRdJdvt3 +FZU9erKyDb4II5GJhyNQo/cxBosDzj4yIMKM/dxxAoHAE1r1lIZjqLeU/927sGZB +mkYQC5a3gP+hIvLy2YkFHw3Us2MKVhA58ack0shRy8XFkMVzQSPSkWRkQTjKWsGW +jhz4JaXWnpeOoite+7sWBy9VVcCeOKBCTY4wPLUb4T0q9ODnPlkeUP7Doqow+oLq +VSj1LYReqqe0OFKMiG6YFK9p9UnD1wMp0FqheZ8I3DwxsjziYaa9PmTdjTXb3JBn +Hql8OHYHxqtoUxyX+EObTSNmCvELnl8/pxrT7+cbuzXxAoHAfmNYb1US8qxvQtMu 
+CXtIwLUxYXMIcCRp17qqjFDBBM657Hu09uWdqqWH3nTCiKyo6EnntTgg38XoWqQB +SphJejZvIkLVYYtFPYBAcFQ6jHampEGtuRLtcJCczjRyfUEk4yzdwWB1BccLyop7 +qqZ8PkBjbDV/BYnyKcexjH9bUjEjPWi08jAifyWsI54/yQGWRZrDbwFwqMJEsFif +b8jA5nEIoDgxH07A8R6NV499wy4LlqDeuJ/BU69XZ6+1UxGBAoHAXfb9t5ivdf9N +ZbZj61GcrDLyYGDTotucy8HPNMr5P3ZmBR/5UzClpCbWVSaziK3CKzR0zURLw0W7 +rF4CySTjuD9FHOFFWjjlkS4KwOyYiy8fuMMLg1RmsCS8H+0L3Pm25PmRQ9TLjEf4 +0uFWf7fG4GQiciqGcvfaFH3w//d0Q7PSvIMNlM1Gc7JS1Qn4HoDF2Ux6drNb6nJL +l6tdXNMkUFHBMtaQy0l9D/ex5NZlAniePT3xfMrQf6m0rVAAaAY0 +-----END RSA PRIVATE KEY----- diff --git a/examples/system/ota/simple_ota_example/test/secure_boot_signing_key_ecdsa.pem b/examples/system/ota/simple_ota_example/test/secure_boot_signing_key_ecdsa.pem new file mode 100644 index 0000000000..13a49c4ddc --- /dev/null +++ b/examples/system/ota/simple_ota_example/test/secure_boot_signing_key_ecdsa.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIOvP45grF4dSM2fWbOAp4W8PgFm30HIZqtNEK13O5hVHoAoGCCqGSM49 +AwEHoUQDQgAE1IL73BARrNpkHj1jG50eHoF2LERCwz1BfbshuAeLcsED5aT92Xgu +gJvq45LN9p6eBi62ZZwr6Z2ZfX3YB3/8KA== +-----END EC PRIVATE KEY-----
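Review bot: These hunks add unencrypted private signing keys to the tree (RSA in secure_boot_signing_key.pem, ECDSA in secure_boot_signing_key_ecdsa.pem), and nothing next to them marks them as test-only. Firmware built from the on_update_no_sb_* configs trusts a key that anyone with access to the repository can sign with, which is acceptable for CI but not if the config or key is copied into a product build. A short README in `test/`, or a comment such as `# Test key committed to the repo; never sign release firmware with it` above `CONFIG_SECURE_BOOT_SIGNING_KEY` in both sdkconfig files, would make that intent explicit. If the repository runs a secret scanner, these two paths will probably need an allowlist entry as well.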