Add tests for the bootctl passphrase entry UI and TKey-based LUKS
unlock flow:
- check_passphrase(): Tests the passphrase textline widget, verifying
character input, backspace handling, and passphrase retrieval
- prepare_tkey_test(): Sets up the TKey emulator with a test pubkey
and configures app mode to test replugging scenarios
- try_tkey_unlock(): Tests the complete TKey unlock flow including
passphrase entry and LUKS partition decryption
- bootctl_logic_tkey: Full integration test for TKey-based encrypted
boot with mouse click interactions
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add a test for the LUKS pre-derived master key unlock path using mmc14.
The test verifies that:
- A LUKS partition can be unlocked with the correct pre-derived key
- Files can be read from the decrypted filesystem
- Unlock fails with an incorrect pre-derived key
This exercises the -p flag path in the luks unlock command.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Enable the bootctl tests (only for the sandbox board) so we can keep
this functionality working.
Series-to: concept
Cover-letter:
bootctl: Continue development with TKey functionality
This series integrates the TKey disk-unlock features into the bootctl
UI, as a demonstration of how this might work. The user is prompted for
a passphrase, which is then used as a user-supplied secret (USS) for the
TKey.
This series includes support for using a pre-derived master key, so that
the TKey emulator can be used in tests.
Future work will continue this effort.
END
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The bootctl tests are currently disabled due to some image
incompatibilities: the multi UI uses one image and the simple UI uses a
different one.
Update the logic to switch between these logos when the layout changes.
For now, use the U-Boot logo in both cases.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add a test that creates a textline in a non-popup expo, renders it,
opens it, sends keypresses to edit text (including cursor movement
with Ctrl+B and character deletion with Ctrl+D), and verifies the
text is saved when the textline is closed.
Series-to: concept
Series-cc: heinrich
Cover-letter:
expo: Expand docs, dump and textlines in non-popup expos
So far textlines are mostly used in cedits as a way to enter textual
information.
For non-popup expos, textlines are not yet fully plumbed in.
This series adds a way to send keypresses to a highlighted textline,
adds a test for this case and fixes various minor issues to make this
all work.
One noteable change is renumbering the BKEY enum. At present the values
conflict with the control keys used by CLI processing, so for example,
expo is unable to distinguish an up-arrow from a backspace.
Tests which use textedits mostly need to run with the console active,
since a silent console suppresses output of the text in the textedit.
In fact, at present cedit_render_lineedit() does not work unless the
previous test ran first. A new UTF_NO_SILENT test flag is added to make
this problem easier to discover/debug.
This series also resolves an issue where the 'cedit dump' is never
enabled due to a typo in the Kconfig item. With that fixed, the dump
format is converted to use hex (U-Boot convention). The expo menu and
cedit implementations are updated to use better names for objects.
This series also includes some documentation updates, since much of the
debugging methods used are not explicitly described. This should make it
easier for others to make improvements.
With all of this complete, it is possible to have a password field in a
menu item and to enter text into it, even with a non-popup expo. It also
becomes easier to debug such issues in future.
END
Co-developed-by: Claude <claude@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
This test works as part of the bootstd suite but currently fails if run
by itself. The problem is that the console is silenced, so use the new
UTF_NO_SILENT flag to fix this.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Use the UTF_NO_SILENT flag for cedit_render() instead of manually
calling ut_unsilence_console()/ut_silence_console(). This is makes it
more obvious that the test needs this handling.
Co-developed-by: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Use the parent object name as a prefix for child objects, so they
have descriptive names like "cpu-speed.title" instead of generic
"title". This makes debugging easier when multiple objects exist.
Update add_txt_str() and add_txt_str_list() to take separate
property name and object name parameters.
Also set the scene's prompt_id when building from devicetree.
Co-developed-by: Claude <claude@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The word 'lineedit' has crept into one of the tests, but it is not
correct. Use 'textline' instead.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Line up the values witht the FIT Description and Created items at the
top. This looks a little nicer.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add a test to verify that fit_print_contents() correctly handles a FIT
image with a missing description property.
To handle this a new FIT created with the description removed after
mkimage has processed it, since mkimage will fail if the description is
missing.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add support for testing the loadables, fpga, compatible properties and
unavailable/error conditions in FIT configurations.
With this, most of the FIT-printing code is covered by tests.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Update the FDT fdt to include two separate FDT images, referenced by the
two configurations.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add a signature node to the FIT configuration in the ITS template, using
a fixed RSA-2048 private key for reproducible signatures. Use the default
'pkcs-1.5' padding.
Use mkimage to sign it.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The code for printing FITs is quite messy, with lots of separate
printf() calls, an indentation string, etc.
It also has no tests.
In preparation for refactoring this code, add a test. Use Python code
to create the test image and C code to test it.
The test covers FIT description, image details (type, architecture, OS,
addresses), and configuration details.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Update luks_unlock() to support a pre-derived key, such as that obtained
from a TKey. This must match the key_size of the LUKS partition,
otherwise it will fail to unlock.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Update luks_unlock() to accept a binary passphrase, to match the LUKS2
implementation.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
We don't have an explicit indication of whether the root disk is
encrypted or not. For now, try to detect it and set the flag if
found.
Series-to: concept
Cover-letter:
Continue TKey development
This series adds the ability to provide a user-supplied secret to the
TKey and use that to obtain a disk-encryption key.
Expo is enhanced to support password entry and bootflows can now record
whether the root disk is encrypted or not.
Further work will enable the TKey in the UI and actually unlock an
encrypted disk.
END
Signed-off-by: Simon Glass <simon.glass@canonical.com>
We don't support storing the OS on an encrypted partition, but in some
cases the root partition may be encrypted. Add an indication of this
when listing the bootflows.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The header and the extlinux image on mmc1 appear in several tests. Add
a shared constant for this.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Some fields may have sensitive information. Allow it to be obscured
during entry, in case someone is watching the display nearby.
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add support for AES-XTS cipher mode in addition to the existing
AES-CBC-ESSIV support. This is the default cipher for LUKS2 volumes.
The cipher mode (CBC/XTS) is obtained from the LUKS1 cipher_mode or
LUKS2 encryption metadata.
XTS mode uses 512-byte block numbers for IV generation (plain64),
matching dm-crypt behavior. LUKS2 typically uses 4096-byte sectors
for XTS encryption but the IV is based on 512-byte block numbers.
Fix the blkmap-size calculation to exclude the LUKS header/payload
offset.
Update the LUKSv2 test to check reading a file.
Series-to: concept
Cover-letter:
luks: Support the AES-XTS cipher mode
This series finishes off the implementation of LUKSv2, adding support
for the common cipher mode and testing that files can be read from the
disk.
It includes a fix for using the correct size when mapping the crypt, as
well as some refactoring to split up the code a little better.
END
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
The current tests check that decryption happens but don't go so far as
reading a file. Add the logic for this. Since this currently fails for
LUKSv2, leave the last part of that test out for now.
Use direct filesystem calls for LUKSv2 since it is easier to check for
the current error.
Add more information on the errors returned by luks_unlock() so we can
check for the correct one.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Add documentation for the new LUKSv2 feature and update LUKSv1 to
mention the more common algorithm.
Update the tests to use LUKSv2 for mmc12
Series-to: concept
Series-cc: heinrich
Cover-letter:
luks: Provide support for LUKSv2
Modern systems mostly use LUKSv2 as it is more secure that v1. This
series provides an implementation of this feature, making use of the
existing 'luks unlock' command.
One interesting part of this series is a converter from JSON to FDT, so
that U-Boot's existing ofnode interface can be used to access the
hierarchical data in JSON text. This obviously results in quite a bit
of new code, but it is more robust than trying to parse the text
directly using strstr(), etc. The choice of JSON for LUKS was presumably
made with larger code bases in mind, rather than a firmware
implementation.
END
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Series-links: 1:58
Provide a new 'luks unlock' command which can unlock a LUKS1 partition,
given a passphrase.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
Extract the full information for version 2, which is JSON format. Show
this with the 'luks info' command.
Use the mmc12 disk to check this.
Require the JSON for LUKS.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a 'luks' command which allows querying a partition to see if it is
encrypted using LUKS, as well as showing information about a LUKS
partition.
Provide some documentation and a test.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
Linux Unified Key Setup (LUKS) provides a way to encryption a disk
partition with a a key an later unlock it. There are two versions (1 and
2).
Add a definition of the main structures and the ability to detect a LUKS
partition.
Enable this for the sandbox board.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a test which switches between the simple and the mouse-based UI.
For now the tests are not enabled, due to an integration problem which
causes bootflow_efi() to detect and invalid free()
Signed-off-by: Simon Glass <sjg@chromium.org>
At present only highlightable objects can be clicked on, i.e. menus and
textlines. Update scene_find_obj_within() so that it can find any type
of object, if requested. Update all the callers to false, so things work
the same.
Since the scene is drawn by iterating through the list of objects, when
the user clicks somewhere we should look at the top-most object under
the mouse first. So reverse the direction of the object search.
Update the tests to cover this new feature.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
Since the scene is drawn by iterating through the list of objects, when
the user clicks somewhere we should look at the top-most object under
the mouse first.
This is not true when a menu is popped up, since we only care about the
menu in that case.
Add a way to reverse the direction of the object search. For now there
are no new test cases, since OBJ_OVERLAP is a text object and cannot
currently be clicked on.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
It is easier to test this function directly than via click_check(). Set up
a test expo with an extra overlapping object and add some tests.
Update the existing render test to take account of the new object.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
For debugging it is sometimes helpful to dump an expo. Add an
implementation of this, writing to a membuf.
Add a MAINTAINERS entry for expo, including this next file.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a few functions which can convert a flag and an object type to
strings.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
In test mode, show the FPS (frames per second) below the frame count.
This is helpful for performance monitoring during development.
The FPS calculation averages over the last 5 seconds to provide a
stable reading.
Add a test for the FPS calculation logic as well.
Mention expo's test mode in the documentation.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
When expo-test is enabled, show the frame count in the top right of the
display. This allows an easy visual check that expo is working correctly,
and provides an indication of performance.
Add a test for this also.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a flag to indicate that am object must be redrawn. Set this flag
when an object's bounding box changes.
Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
At present the EFI bootmgr scans all devices in the system before
deciding which one to boot. Ideally it would use the bootstd iterator
for this, but in the meantime, give it a lower priority, so it runs
just before the network devices.
Note that if there are no hunted network devices hunted, then it will
run at the end, after all bootdevs are exhausted. In other words, it
will always run.
Series-changes: 2
- Update commit message to indicate the bootmeth will always run
- Document how the priority was chosen
Signed-off-by: Simon Glass <sjg@chromium.org>
At present before scanning global bootmeths, the iterator sets the
method count to the index of the first global bootmeth. Now that we
support scanning the global bootmeths multiple times, we must leave this
count alone.
Check against have_global and first_glob_method instead.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a bitfield which tracks when bootmeths have been used. This will be
needed when global bootmeths can be used later in the iteration.
Fix a missing bootflow_free() while here.
Signed-off-by: Simon Glass <sjg@chromium.org>
The current 'doing_global' refers to being in the state of processing
global bootmeths. Since global bootmeths are currently used once at the
start, it becomes false once the last global bootmeth has been used.
In preparation for allowing bootmeths to run at other points in the
bootstd interation, add a new 'have_global' flag which tracks whether
there are any global bootmeths in the method_order[] list. It is set up
when iteration starts. Unlike doing_global which resets back to false
after the global bootmeths have been handled, once have_global is set to
true, it remains true for the entire iteration process. This provides a
quick check as to whether global-bootmeth processing is needed.
Signed-off-by: Simon Glass <sjg@chromium.org>
For now we only support dropping non-global bootmeths from the
iteration. Update first_glob_method in that case and add a few checks
that things are correct.
Signed-off-by: Simon Glass <sjg@chromium.org>
These have different behaviour from normal bootmeths and we are about to
enhance it. So add a test and also an extra check in bootflow_iter()
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a few comments about global bootmeths and first_glob_method
Fix a broken line in bootmeth_setup_iter_order() while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Check the behaviour of non-popup menus with a mouse.
Series-to: concept
Series-cc: heinrich
Cover-letter:
expo: Support interactions with a mouse or touchpad
So far expo only supports user interaction with a keyboard. This is the
common case, but for PC devices it is typical to have a mouse or
touchpad available as well.
Particularly for the configuration editor, these devices are often more
convenient for selecting options than moving up and down with with the
keyboard.
This series adds mouse support to expo, providing a function to process
a click similar to processing of a keypress. The core of this is a new
expo_send_click() function. Within scenes, the logic to search for
objects by and x and y position is provided.
As with keypresses, expo provides clear separation between the
processing of a click (which may or may not produce an action) and the
handling of that action. This allows expo to be used within an existing
event loop.
Expo uses a mouse by default if available.
This series also includes a few other minor improvements, including some
code tidy-ups and support for filled boxes.
END
Signed-off-by: Simon Glass <sjg@chromium.org>
Series-links: 1:34
Add a test which checks the various expected features of a cedit when
used with a mouse. This includes clicking on menu items and textlines.
For now, textedit is not supported.
Signed-off-by: Simon Glass <sjg@chromium.org>
