[PATCH RFC 17/17] test: py: add basic security policy test

Ahmad Fatoum a.fatoum at pengutronix.de
Thu Aug 14 06:07:02 PDT 2025 

This simple test checks that the security policies were added and that a
number of options that we expect to be there indeed change as expected.

Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
 test/arm/virt32_secure_defconfig.yaml |  1 +
 test/py/test_policies.py              | 49 +++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 test/py/test_policies.py

diff --git a/test/arm/virt32_secure_defconfig.yaml b/test/arm/virt32_secure_defconfig.yaml
index a1537c634811..3a26e09ef683 100644
--- a/test/arm/virt32_secure_defconfig.yaml
+++ b/test/arm/virt32_secure_defconfig.yaml
@@ -15,6 +15,7 @@ targets:
       BareboxTestStrategy: {}
     features:
       - virtio-mmio
+      - policies
 images:
   barebox-dt-2nd.img: !template "$LG_BUILDDIR/images/barebox-dt-2nd.img"
 imports:
diff --git a/test/py/test_policies.py b/test/py/test_policies.py
new file mode 100644
index 000000000000..28ab16d2cf68
--- /dev/null
+++ b/test/py/test_policies.py
@@ -0,0 +1,49 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+import pytest
+
+
+def test_security_policies(barebox, env):
+    if 'policies' not in env.get_target_features():
+        pytest.skip('policies feature flag missing')
+
+    assert 'Active Policy: devel' in barebox.run_check('sconfig')
+
+    assert set(barebox.run_check('sconfig -l')) == \
+           set(['devel', 'factory', 'lockdown', 'tamper'])
+
+    assert barebox.run_check('varinfo global.bootm.verify') == \
+        ['bootm.verify: available (type: enum) '
+         '(values: "none", "hash", "signature", "available")']
+
+    barebox.run_check('sconfig -s factory')
+    assert 'Active Policy: factory' in barebox.run_check('sconfig')
+
+    stdout = barebox.run_check('sconfig -v -s devel')
+    assert set(['+SCONFIG_BOOT_UNSIGNED_IMAGES',
+                '+SCONFIG_CMD_GO']) <= set(stdout)
+    assert 'Active Policy: devel' in barebox.run_check('sconfig')
+
+    stdout, _, rc = barebox.run('go')
+    assert 'go - start application at address or file' in stdout
+    assert 'go: Operation not permitted' not in stdout
+    assert rc == 1
+
+    stdout = barebox.run_check('sconfig -v -s tamper')
+    assert set(['-SCONFIG_SECURITY_POLICY_SELECT',
+                '-SCONFIG_BOOT_UNSIGNED_IMAGES',
+                '-SCONFIG_RATP',
+                '-SCONFIG_CMD_GO']) <= set(stdout)
+    assert 'Active Policy: tamper' in barebox.run_check('sconfig')
+
+    _, _, rc = barebox.run('sconfig -s devel')
+    assert rc != 0
+    assert 'Active Policy: tamper' in barebox.run_check('sconfig')
+
+    stdout, _, rc = barebox.run('go')
+    assert 'go - start application at address or file' not in stdout
+    assert 'go: Operation not permitted' in stdout
+    assert rc == 127
+
+    assert barebox.run_check('varinfo global.bootm.verify') == \
+        ['bootm.verify: signature (type: enum)']
-- 
2.39.5

More information about the barebox mailing list