test: Add mmc13 and mmc14 devices for TKey and pre-derived

Add two new MMC test devices:

- mmc13: LUKS2 encrypted with TKey-derived key, for testing TKey-based
  disk encryption unlock
- mmc14: LUKS2 encrypted with a known master key, for testing the
  pre-derived master key unlock path

The test setup generates keys matching the TKey emulator's deterministic
output. An override.bin file can be used to test with a physical TKey.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>

arch/sandbox/dts/test.dts

@@ -50,6 +50,8 @@
 		mmc10 = "/mmc10";
 		mmc11 = "/mmc11";
 		mmc12 = "/mmc12";
+		mmc13 = "/mmc13";
+		mmc14 = "/mmc14";
 		pci0 = &pci0;
 		pci1 = &pci1;
 		pci2 = &pci2;
@@ -1220,6 +1222,20 @@
 		filename = "mmc12.img";
 	};
 
+	/* This is used for LUKS version 2 tests with TKey */
+	mmc13 {
+		status = "disabled";
+		compatible = "sandbox,mmc";
+		filename = "mmc13.img";
+	};
+
+	/* This is used for LUKS version 2 tests with pre-derived master key */
+	mmc14 {
+		status = "disabled";
+		compatible = "sandbox,mmc";
+		filename = "mmc14.img";
+	};
+
 	pch {
 		compatible = "sandbox,pch";
 	};

test/py/tests/test_ut.py

@@ -9,6 +9,7 @@ test one at a time, as well setting up some files needed by the tests.
 """
 import collections
 import gzip
+import hashlib
 import os
 import os.path
 import pytest
@@ -83,9 +84,40 @@ def test_ut_dm_init_bootstd(u_boot_config, u_boot_log):
     setup_ubuntu_image(u_boot_config, u_boot_log, 3, 'flash', '25.04')
     setup_localboot_image(u_boot_config, u_boot_log)
     setup_vbe_image(u_boot_config, u_boot_log)
+
+    # Generate TKey emulator disk key for LUKS encryption
+    # The emulator generates pubkey as 0x50 + (i & 0xf) for i in range(32)
+    # Disk key = SHA256(hex_string_of_pubkey), matching tkey_derive_disk_key()
+    # Allow override via external key file for testing with real keys
+    override_keyfile = os.path.join(u_boot_config.source_dir, 'override.bin')
+    if os.path.exists(override_keyfile):
+        keyfile = override_keyfile
+        u_boot_log.action(f'Using override TKey key: {keyfile}')
+    else:
+        pubkey = bytes([0x50 + (i & 0xf) for i in range(32)])
+        disk_key = hashlib.sha256(pubkey.hex().encode()).digest()
+        keyfile = os.path.join(u_boot_config.persistent_data_dir, 'tkey_emul.key')
+        with open(keyfile, 'wb') as f:
+            f.write(disk_key)
+        u_boot_log.action(f'Generated TKey emulator disk key: {keyfile}')
+
     setup_ubuntu_image(u_boot_config, u_boot_log, 11, 'mmc', use_fde=1)
     setup_ubuntu_image(u_boot_config, u_boot_log, 12, 'mmc', use_fde=2,
                        luks_kdf='argon2id')
+    setup_ubuntu_image(u_boot_config, u_boot_log, 13, 'mmc', use_fde=2,
+                       luks_kdf='argon2id', encrypt_keyfile=keyfile)
+
+    # Create mmc14 with a known master key for pre_derived unlock testing
+    # For LUKS2 with aes-xts-plain64, we need a 64-byte (512-bit) master key
+    master_key = bytes([0x20 + (i & 0x3f) for i in range(64)])
+    master_keyfile = os.path.join(u_boot_config.persistent_data_dir,
+                                  'luks_master.key')
+    with open(master_keyfile, 'wb') as f:
+        f.write(master_key)
+    u_boot_log.action(f'Generated LUKS master key: {master_keyfile}')
+    setup_ubuntu_image(u_boot_config, u_boot_log, 14, 'mmc', use_fde=2,
+                       luks_kdf='argon2id', encrypt_keyfile=keyfile,
+                       master_keyfile=master_keyfile)
 
 def test_ut(ubman, ut_subtest):
     """Execute a "ut" subtest.