Merge branch 'next'

Signed-off-by: Tom Rini <trini@konsulko.com>

14 files changed, 524 insertions, 22 deletions

diff --git a/test/py/tests/test_android/test_avb.py b/test/py/tests/test_android/test_avb.py
index a04a7ff264..a3f883136b 100644
--- a/test/py/tests/test_android/test_avb.py
+++ b/test/py/tests/test_android/test_avb.py
@@ -66,7 +66,7 @@ def test_avb_mmc_uuid(u_boot_console):
             part_list[cur_partname] = guid_to_check[1]
 
     # lets check all guids with avb get_guid
-    for part, guid in part_list.iteritems():
+    for part, guid in part_list.items():
         avb_guid_resp = u_boot_console.run_command('avb get_uuid %s' % part)
         assert guid == avb_guid_resp.split('UUID: ')[1]
 
diff --git a/test/py/tests/test_bind.py b/test/py/tests/test_bind.py
index 9f234fb635..8ad277da19 100644
--- a/test/py/tests/test_bind.py
+++ b/test/py/tests/test_bind.py
@@ -131,7 +131,7 @@ def test_bind_unbind_with_uclass(u_boot_console):
 	child2_index = int(child2_line[0].split()[1])
 
 	#bind simple_bus as a child of bind-test-child2
-	response = u_boot_console.run_command('bind  {} {} simple_bus'.format(child2_uclass, child2_index, 'simple_bus'))
+	response = u_boot_console.run_command('bind  {} {} simple_bus'.format(child2_uclass, child2_index))
 
 	#check that the child is there and its uclass/index pair is right
 	tree = u_boot_console.run_command('dm tree')
@@ -152,7 +152,7 @@ def test_bind_unbind_with_uclass(u_boot_console):
 	assert child_of_child2_line == ''
 
 	#bind simple_bus as a child of bind-test-child2
-	response = u_boot_console.run_command('bind  {} {} simple_bus'.format(child2_uclass, child2_index, 'simple_bus'))
+	response = u_boot_console.run_command('bind  {} {} simple_bus'.format(child2_uclass, child2_index))
 
 	#check that the child is there and its uclass/index pair is right
 	tree = u_boot_console.run_command('dm tree')
@@ -165,7 +165,7 @@ def test_bind_unbind_with_uclass(u_boot_console):
 	assert child_of_child2_index == child2_index + 1
 
 	#unbind the child and check it has been removed
-	response = u_boot_console.run_command('unbind  {} {} simple_bus'.format(child2_uclass, child2_index, 'simple_bus'))
+	response = u_boot_console.run_command('unbind  {} {} simple_bus'.format(child2_uclass, child2_index))
 	assert response == ''
 
 	tree = u_boot_console.run_command('dm tree')
@@ -176,7 +176,7 @@ def test_bind_unbind_with_uclass(u_boot_console):
 
 	#unbind the child again and check it doesn't change the tree
 	tree_old = u_boot_console.run_command('dm tree')
-	response = u_boot_console.run_command('unbind  {} {} simple_bus'.format(child2_uclass, child2_index, 'simple_bus'))
+	response = u_boot_console.run_command('unbind  {} {} simple_bus'.format(child2_uclass, child2_index))
 	tree_new = u_boot_console.run_command('dm tree')
 
 	assert response == ''
diff --git a/test/py/tests/test_event_dump.py b/test/py/tests/test_event_dump.py
new file mode 100644
index 0000000000..b753e804ac
--- /dev/null
+++ b/test/py/tests/test_event_dump.py
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright 2021 Google LLC
+# Written by Simon Glass <sjg@chromium.org>
+
+import pytest
+import re
+import u_boot_utils as util
+
+# This is only a partial test - coverting 64-bit sandbox. It does not test
+# big-endian images, nor 32-bit images
+@pytest.mark.boardspec('sandbox')
+def test_event_dump(u_boot_console):
+    """Test that the "help" command can be executed."""
+    cons = u_boot_console
+    sandbox = cons.config.build_dir + '/u-boot'
+    out = util.run_and_log(cons, ['scripts/event_dump.py', sandbox])
+    expect = '''.*Event type            Id                              Source location
+--------------------  ------------------------------  ------------------------------
+EVT_MISC_INIT_F       sandbox_misc_init_f             .*arch/sandbox/cpu/start.c:'''
+    assert re.match(expect, out, re.MULTILINE) is not None
diff --git a/test/py/tests/test_fit.py b/test/py/tests/test_fit.py
index 6d5b43c3ba..5856960be2 100755
--- a/test/py/tests/test_fit.py
+++ b/test/py/tests/test_fit.py
@@ -89,6 +89,9 @@ base_fdt = '''
 	model = "Sandbox Verified Boot Test";
 	compatible = "sandbox";
 
+	binman {
+	};
+
 	reset@0 {
 		compatible = "sandbox,reset";
 		reg = <0>;
diff --git a/test/py/tests/test_fs/test_erofs.py b/test/py/tests/test_fs/test_erofs.py
new file mode 100644
index 0000000000..458a52ba79
--- /dev/null
+++ b/test/py/tests/test_fs/test_erofs.py
@@ -0,0 +1,211 @@
+# SPDX-License-Identifier: GPL-2.0+
+# Copyright (C) 2022 Huang Jianan <jnhuang95@gmail.com>
+# Author: Huang Jianan <jnhuang95@gmail.com>
+
+import os
+import pytest
+import shutil
+import subprocess
+
+EROFS_SRC_DIR = 'erofs_src_dir'
+EROFS_IMAGE_NAME = 'erofs.img'
+
+def generate_file(name, size):
+    """
+    Generates a file filled with 'x'.
+    """
+    content = 'x' * size
+    file = open(name, 'w')
+    file.write(content)
+    file.close()
+
+def make_erofs_image(build_dir):
+    """
+    Makes the EROFS images used for the test.
+
+    The image is generated at build_dir with the following structure:
+    erofs_src_dir/
+    ├── f4096
+    ├── f7812
+    ├── subdir/
+    │   └── subdir-file
+    ├── symdir -> subdir
+    └── symfile -> f5096
+    """
+    root = os.path.join(build_dir, EROFS_SRC_DIR)
+    os.makedirs(root)
+
+    # 4096: uncompressed file
+    generate_file(os.path.join(root, 'f4096'), 4096)
+
+    # 7812: Compressed file
+    generate_file(os.path.join(root, 'f7812'), 7812)
+
+    # sub-directory with a single file inside
+    subdir_path = os.path.join(root, 'subdir')
+    os.makedirs(subdir_path)
+    generate_file(os.path.join(subdir_path, 'subdir-file'), 100)
+
+    # symlink
+    os.symlink('subdir', os.path.join(root, 'symdir'))
+    os.symlink('f7812', os.path.join(root, 'symfile'))
+
+    input_path = os.path.join(build_dir, EROFS_SRC_DIR)
+    output_path = os.path.join(build_dir, EROFS_IMAGE_NAME)
+    args = ' '.join([output_path, input_path])
+    subprocess.run(['mkfs.erofs -zlz4 ' + args], shell=True, check=True,
+                   stdout=subprocess.DEVNULL)
+
+def clean_erofs_image(build_dir):
+    """
+    Deletes the image and src_dir at build_dir.
+    """
+    path = os.path.join(build_dir, EROFS_SRC_DIR)
+    shutil.rmtree(path)
+    image_path = os.path.join(build_dir, EROFS_IMAGE_NAME)
+    os.remove(image_path)
+
+def erofs_ls_at_root(u_boot_console):
+    """
+    Test if all the present files and directories were listed.
+    """
+    no_slash = u_boot_console.run_command('erofsls host 0')
+    slash = u_boot_console.run_command('erofsls host 0 /')
+    assert no_slash == slash
+
+    expected_lines = ['./', '../', '4096   f4096', '7812   f7812', 'subdir/',
+                      '<SYM>   symdir', '<SYM>   symfile', '4 file(s), 3 dir(s)']
+
+    output = u_boot_console.run_command('erofsls host 0')
+    for line in expected_lines:
+        assert line in output
+
+def erofs_ls_at_subdir(u_boot_console):
+    """
+    Test if the path resolution works.
+    """
+    expected_lines = ['./', '../', '100   subdir-file', '1 file(s), 2 dir(s)']
+    output = u_boot_console.run_command('erofsls host 0 subdir')
+    for line in expected_lines:
+        assert line in output
+
+def erofs_ls_at_symlink(u_boot_console):
+    """
+    Test if the symbolic link's target resolution works.
+    """
+    output = u_boot_console.run_command('erofsls host 0 symdir')
+    output_subdir = u_boot_console.run_command('erofsls host 0 subdir')
+    assert output == output_subdir
+
+    expected_lines = ['./', '../', '100   subdir-file', '1 file(s), 2 dir(s)']
+    for line in expected_lines:
+        assert line in output
+
+def erofs_ls_at_non_existent_dir(u_boot_console):
+    """
+    Test if the EROFS support will crash when get a nonexistent directory.
+    """
+    out_non_existent = u_boot_console.run_command('erofsls host 0 fff')
+    out_not_dir = u_boot_console.run_command('erofsls host 0 f1000')
+    assert out_non_existent == out_not_dir
+    assert '' in out_non_existent
+
+def erofs_load_files(u_boot_console, files, sizes, address):
+    """
+    Loads files and asserts their checksums.
+    """
+    build_dir = u_boot_console.config.build_dir
+    for (file, size) in zip(files, sizes):
+        out = u_boot_console.run_command('erofsload host 0 {} {}'.format(address, file))
+
+        # check if the right amount of bytes was read
+        assert size in out
+
+        # calculate u-boot file's checksum
+        out = u_boot_console.run_command('md5sum {} {}'.format(address, hex(int(size))))
+        u_boot_checksum = out.split()[-1]
+
+        # calculate original file's checksum
+        original_file_path = os.path.join(build_dir, EROFS_SRC_DIR + '/' + file)
+        out = subprocess.run(['md5sum ' + original_file_path], shell=True, check=True,
+                             capture_output=True, text=True)
+        original_checksum = out.stdout.split()[0]
+
+        # compare checksum
+        assert u_boot_checksum == original_checksum
+
+def erofs_load_files_at_root(u_boot_console):
+    """
+    Test load file from the root directory.
+    """
+    files = ['f4096', 'f7812']
+    sizes = ['4096', '7812']
+    address = '$kernel_addr_r'
+    erofs_load_files(u_boot_console, files, sizes, address)
+
+def erofs_load_files_at_subdir(u_boot_console):
+    """
+    Test load file from the subdirectory.
+    """
+    files = ['subdir/subdir-file']
+    sizes = ['100']
+    address = '$kernel_addr_r'
+    erofs_load_files(u_boot_console, files, sizes, address)
+
+def erofs_load_files_at_symlink(u_boot_console):
+    """
+    Test load file from the symlink.
+    """
+    files = ['symfile']
+    sizes = ['7812']
+    address = '$kernel_addr_r'
+    erofs_load_files(u_boot_console, files, sizes, address)
+
+def erofs_load_non_existent_file(u_boot_console):
+    """
+    Test if the EROFS support will crash when load a nonexistent file.
+    """
+    address = '$kernel_addr_r'
+    file = 'non-existent'
+    out = u_boot_console.run_command('erofsload host 0 {} {}'.format(address, file))
+    assert 'Failed to load' in out
+
+def erofs_run_all_tests(u_boot_console):
+    """
+    Runs all test cases.
+    """
+    erofs_ls_at_root(u_boot_console)
+    erofs_ls_at_subdir(u_boot_console)
+    erofs_ls_at_symlink(u_boot_console)
+    erofs_ls_at_non_existent_dir(u_boot_console)
+    erofs_load_files_at_root(u_boot_console)
+    erofs_load_files_at_subdir(u_boot_console)
+    erofs_load_files_at_symlink(u_boot_console)
+    erofs_load_non_existent_file(u_boot_console)
+
+@pytest.mark.boardspec('sandbox')
+@pytest.mark.buildconfigspec('cmd_fs_generic')
+@pytest.mark.buildconfigspec('cmd_erofs')
+@pytest.mark.buildconfigspec('fs_erofs')
+@pytest.mark.requiredtool('mkfs.erofs')
+@pytest.mark.requiredtool('md5sum')
+
+def test_erofs(u_boot_console):
+    """
+    Executes the erofs test suite.
+    """
+    build_dir = u_boot_console.config.build_dir
+
+    try:
+        # setup test environment
+        make_erofs_image(build_dir)
+        image_path = os.path.join(build_dir, EROFS_IMAGE_NAME)
+        u_boot_console.run_command('host bind 0 {}'.format(image_path))
+        # run all tests
+        erofs_run_all_tests(u_boot_console)
+    except:
+        clean_erofs_image(build_dir)
+        raise AssertionError
+
+    # clean test environment
+    clean_erofs_image(build_dir)
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index ac8ed9f114..040147d88b 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -21,6 +21,14 @@ For configuration verification:
 - Corrupt the signature
 - Check that image verification no-longer works
 
+For pre-load header verification:
+- Create FIT image with a pre-load header
+- Check that signature verification succeeds
+- Corrupt the FIT image
+- Check that signature verification fails
+- Launch an FIT image without a pre-load header
+- Check that image verification fails
+
 Tests run with both SHA1 and SHA256 hashing.
 """
 
@@ -35,19 +43,21 @@ import vboot_evil
 # Only run the full suite on a few combinations, since it doesn't add any more
 # test coverage.
 TESTDATA = [
-    ['sha1-basic', 'sha1', '', None, False, True, False],
-    ['sha1-pad', 'sha1', '', '-E -p 0x10000', False, False, False],
-    ['sha1-pss', 'sha1', '-pss', None, False, False, False],
-    ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False, False, False],
-    ['sha256-basic', 'sha256', '', None, False, False, False],
-    ['sha256-pad', 'sha256', '', '-E -p 0x10000', False, False, False],
-    ['sha256-pss', 'sha256', '-pss', None, False, False, False],
-    ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False, False],
-    ['sha256-pss-required', 'sha256', '-pss', None, True, False, False],
-    ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True, False],
-    ['sha384-basic', 'sha384', '', None, False, False, False],
-    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False, False],
-    ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', False, False, True],
+    ['sha1-basic', 'sha1', '', None, False, True, False, False],
+    ['sha1-pad', 'sha1', '', '-E -p 0x10000', False, False, False, False],
+    ['sha1-pss', 'sha1', '-pss', None, False, False, False, False],
+    ['sha1-pss-pad', 'sha1', '-pss', '-E -p 0x10000', False, False, False, False],
+    ['sha256-basic', 'sha256', '', None, False, False, False, False],
+    ['sha256-pad', 'sha256', '', '-E -p 0x10000', False, False, False, False],
+    ['sha256-pss', 'sha256', '-pss', None, False, False, False, False],
+    ['sha256-pss-pad', 'sha256', '-pss', '-E -p 0x10000', False, False, False, False],
+    ['sha256-pss-required', 'sha256', '-pss', None, True, False, False, False],
+    ['sha256-pss-pad-required', 'sha256', '-pss', '-E -p 0x10000', True, True, False, False],
+    ['sha384-basic', 'sha384', '', None, False, False, False, False],
+    ['sha384-pad', 'sha384', '', '-E -p 0x10000', False, False, False, False],
+    ['algo-arg', 'algo-arg', '', '-o sha256,rsa2048', False, False, True, False],
+    ['sha256-global-sign', 'sha256', '', '', False, False, False, True],
+    ['sha256-global-sign-pss', 'sha256', '-pss', '', False, False, False, True],
 ]
 
 @pytest.mark.boardspec('sandbox')
@@ -56,10 +66,10 @@ TESTDATA = [
 @pytest.mark.requiredtool('fdtget')
 @pytest.mark.requiredtool('fdtput')
 @pytest.mark.requiredtool('openssl')
-@pytest.mark.parametrize("name,sha_algo,padding,sign_options,required,full_test,algo_arg",
+@pytest.mark.parametrize("name,sha_algo,padding,sign_options,required,full_test,algo_arg,global_sign",
                          TESTDATA)
 def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
-               full_test, algo_arg):
+               full_test, algo_arg, global_sign):
     """Test verified boot signing with mkimage and verification with 'bootm'.
 
     This works using sandbox only as it needs to update the device tree used
@@ -81,6 +91,33 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
         util.run_and_log(cons, 'dtc %s %s%s -O dtb '
                          '-o %s%s' % (dtc_args, datadir, dts, tmpdir, dtb))
 
+    def dtc_options(dts, options):
+        """Run the device tree compiler to compile a .dts file
+
+        The output file will be the same as the input file but with a .dtb
+        extension.
+
+        Args:
+            dts: Device tree file to compile.
+            options: Options provided to the compiler.
+        """
+        dtb = dts.replace('.dts', '.dtb')
+        util.run_and_log(cons, 'dtc %s %s%s -O dtb '
+                         '-o %s%s %s' % (dtc_args, datadir, dts, tmpdir, dtb, options))
+
+    def run_binman(dtb):
+        """Run binman to build an image
+
+        Args:
+            dtb: Device tree file used as input file.
+        """
+        pythonpath = os.environ.get('PYTHONPATH', '')
+        os.environ['PYTHONPATH'] = pythonpath + ':' + '%s/../scripts/dtc/pylibfdt' % tmpdir
+        util.run_and_log(cons, [binman, 'build', '-d', "%s/%s" % (tmpdir,dtb),
+                                '-a', "pre-load-key-path=%s" % tmpdir, '-O',
+                                tmpdir, '-I', tmpdir])
+        os.environ['PYTHONPATH'] = pythonpath
+
     def run_bootm(sha_algo, test_type, expect_string, boots, fit=None):
         """Run a 'bootm' command U-Boot.
 
@@ -139,6 +176,23 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
         cons.log.action('%s: Sign images' % sha_algo)
         util.run_and_log(cons, args)
 
+    def sign_fit_dtb(sha_algo, options, dtb):
+        """Sign the FIT
+
+        Signs the FIT and writes the signature into it. It also writes the
+        public key into the dtb.
+
+        Args:
+            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to
+                    use.
+            options: Options to provide to mkimage.
+        """
+        args = [mkimage, '-F', '-k', tmpdir, '-K', dtb, '-r', fit]
+        if options:
+            args += options.split(' ')
+        cons.log.action('%s: Sign images' % sha_algo)
+        util.run_and_log(cons, args)
+
     def sign_fit_norequire(sha_algo, options):
         """Sign the FIT
 
@@ -176,6 +230,20 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
             handle.write(struct.pack(">I", size))
         return struct.unpack(">I", total_size)[0]
 
+    def corrupt_file(fit, offset, value):
+        """Corrupt a file
+
+        To corrupt a file, a value is written at the specified offset
+
+        Args:
+            fit: The file to corrupt
+            offset: Offset to write
+            value: Value written
+        """
+        with open(fit, 'r+b') as handle:
+            handle.seek(offset)
+            handle.write(struct.pack(">I", value))
+
     def create_rsa_pair(name):
         """Generate a new RSA key paid and certificate
 
@@ -374,6 +442,51 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
                          (dtb))
         run_bootm(sha_algo, 'multi required key', '', False)
 
+    def test_global_sign(sha_algo, padding, sign_options):
+        """Test global image signature with the given hash algorithm and padding.
+
+        Args:
+            sha_algo: Either 'sha1' or 'sha256', to select the algorithm to use
+            padding: Either '' or '-pss', to select the padding to use for the
+                    rsa signature algorithm.
+        """
+
+        dtb = '%ssandbox-u-boot-global%s.dtb' % (tmpdir, padding)
+        cons.config.dtb = dtb
+
+        # Compile our device tree files for kernel and U-Boot. These are
+        # regenerated here since mkimage will modify them (by adding a
+        # public key) below.
+        dtc('sandbox-kernel.dts')
+        dtc_options('sandbox-u-boot-global%s.dts' % padding, '-p 1024')
+
+        # Build the FIT with dev key (keys NOT required). This adds the
+        # signature into sandbox-u-boot.dtb, NOT marked 'required'.
+        make_fit('simple-images.its')
+        sign_fit_dtb(sha_algo, '', dtb)
+
+        # Build the dtb for binman that define the pre-load header
+        # with the global sigature.
+        dtc('sandbox-binman%s.dts' % padding)
+
+        # Run binman to create the final image with the not signed fit
+        # and the pre-load header that contains the global signature.
+        run_binman('sandbox-binman%s.dtb' % padding)
+
+        # Check that the signature is correctly verified by u-boot
+        run_bootm(sha_algo, 'global image signature',
+                  'signature check has succeed', True, "%ssandbox.img" % tmpdir)
+
+        # Corrupt the image (just one byte after the pre-load header)
+        corrupt_file("%ssandbox.img" % tmpdir, 4096, 255);
+
+        # Check that the signature verification fails
+        run_bootm(sha_algo, 'global image signature',
+                  'signature check has failed', False, "%ssandbox.img" % tmpdir)
+
+        # Check that the boot fails if the global signature is not provided
+        run_bootm(sha_algo, 'global image signature', 'signature is mandatory', False)
+
     cons = u_boot_console
     tmpdir = os.path.join(cons.config.result_dir, name) + '/'
     if not os.path.exists(tmpdir):
@@ -381,6 +494,7 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
     datadir = cons.config.source_dir + '/test/py/tests/vboot/'
     fit = '%stest.fit' % tmpdir
     mkimage = cons.config.build_dir + '/tools/mkimage'
+    binman = cons.config.source_dir + '/tools/binman/binman'
     fit_check_sign = cons.config.build_dir + '/tools/fit_check_sign'
     dtc_args = '-I dts -O dtb -i %s' % tmpdir
     dtb = '%ssandbox-u-boot.dtb' % tmpdir
@@ -403,7 +517,9 @@ def test_vboot(u_boot_console, name, sha_algo, padding, sign_options, required,
         # afterwards.
         old_dtb = cons.config.dtb
         cons.config.dtb = dtb
-        if required:
+        if global_sign:
+            test_global_sign(sha_algo, padding, sign_options)
+        elif required:
             test_required_key(sha_algo, padding, sign_options)
         else:
             test_with_algo(sha_algo, padding, sign_options)
diff --git a/test/py/tests/vboot/sandbox-binman-pss.dts b/test/py/tests/vboot/sandbox-binman-pss.dts
new file mode 100644
index 0000000000..56e3a42fa6
--- /dev/null
+++ b/test/py/tests/vboot/sandbox-binman-pss.dts
@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+	#address-cells = <1>;
+	#size-cells = <1>;
+
+	binman {
+		filename = "sandbox.img";
+
+		pre-load {
+			 content = <&image>;
+			 algo-name = "sha256,rsa2048";
+			 padding-name = "pss";
+			 key-name = "dev.key";
+			 header-size = <4096>;
+			 version = <1>;
+		};
+
+		image: blob-ext {
+			 filename = "test.fit";
+		};
+	};
+};
diff --git a/test/py/tests/vboot/sandbox-binman.dts b/test/py/tests/vboot/sandbox-binman.dts
new file mode 100644
index 0000000000..b24aeba0fa
--- /dev/null
+++ b/test/py/tests/vboot/sandbox-binman.dts
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+	#address-cells = <1>;
+	#size-cells = <1>;
+
+	binman {
+		filename = "sandbox.img";
+
+		pre-load {
+			 content = <&image>;
+			 algo-name = "sha256,rsa2048";
+			 key-name = "dev.key";
+			 header-size = <4096>;
+			 version = <1>;
+		};
+
+		image: blob-ext {
+			 filename = "test.fit";
+		};
+	};
+};
diff --git a/test/py/tests/vboot/sandbox-u-boot-global-pss.dts b/test/py/tests/vboot/sandbox-u-boot-global-pss.dts
new file mode 100644
index 0000000000..c59a68221b
--- /dev/null
+++ b/test/py/tests/vboot/sandbox-u-boot-global-pss.dts
@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+	model = "Sandbox Verified Boot Test";
+	compatible = "sandbox";
+
+	binman {
+	};
+
+	reset@0 {
+		compatible = "sandbox,reset";
+	};
+
+	image {
+		pre-load {
+			sig {
+				algo-name = "sha256,rsa2048";
+				padding-name = "pss";
+				signature-size = <256>;
+				mandatory = "yes";
+
+				key-name = "dev";
+			};
+		};
+	};
+};
diff --git a/test/py/tests/vboot/sandbox-u-boot-global.dts b/test/py/tests/vboot/sandbox-u-boot-global.dts
new file mode 100644
index 0000000000..1409f9e1a1
--- /dev/null
+++ b/test/py/tests/vboot/sandbox-u-boot-global.dts
@@ -0,0 +1,27 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+	model = "Sandbox Verified Boot Test";
+	compatible = "sandbox";
+
+	binman {
+	};
+
+	reset@0 {
+		compatible = "sandbox,reset";
+	};
+
+	image {
+		pre-load {
+			sig {
+				algo-name = "sha256,rsa2048";
+				signature-size = <256>;
+				mandatory = "yes";
+
+				key-name = "dev";
+			};
+		};
+	};
+};
diff --git a/test/py/tests/vboot/sandbox-u-boot.dts b/test/py/tests/vboot/sandbox-u-boot.dts
index 63f8f401de..5809c62fc1 100644
--- a/test/py/tests/vboot/sandbox-u-boot.dts
+++ b/test/py/tests/vboot/sandbox-u-boot.dts
@@ -4,6 +4,9 @@
 	model = "Sandbox Verified Boot Test";
 	compatible = "sandbox";
 
+	binman {
+	};
+
 	reset@0 {
 		compatible = "sandbox,reset";
 	};
diff --git a/test/py/tests/vboot/simple-images.its b/test/py/tests/vboot/simple-images.its
new file mode 100644
index 0000000000..f62786456b
--- /dev/null
+++ b/test/py/tests/vboot/simple-images.its
@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: GPL-2.0+
+
+/dts-v1/;
+
+/ {
+	description = "Chrome OS kernel image with one or more FDT blobs";
+	#address-cells = <1>;
+
+	images {
+		kernel {
+			data = /incbin/("test-kernel.bin");
+			type = "kernel_noload";
+			arch = "sandbox";
+			os = "linux";
+			compression = "none";
+			load = <0x4>;
+			entry = <0x8>;
+			kernel-version = <1>;
+		};
+		fdt-1 {
+			description = "snow";
+			data = /incbin/("sandbox-kernel.dtb");
+			type = "flat_dt";
+			arch = "sandbox";
+			compression = "none";
+			fdt-version = <1>;
+		};
+	};
+	configurations {
+		default = "conf-1";
+		conf-1 {
+			kernel = "kernel";
+			fdt = "fdt-1";
+		};
+	};
+};
diff --git a/test/py/tests/vboot_evil.py b/test/py/tests/vboot_evil.py
index 9825c21716..e2b0cd6546 100644
--- a/test/py/tests/vboot_evil.py
+++ b/test/py/tests/vboot_evil.py
@@ -482,4 +482,5 @@ if __name__ == '__main__':
         print('valid attack names: [fakeroot, kernel@]')
         sys.exit(1)
 
-    add_evil_node(sys.argv[1:])
+    in_fname, out_fname, kernel_fname, attack = sys.argv[1:]
+    add_evil_node(in_fname, out_fname, kernel_fname, attack)
diff --git a/test/py/u_boot_console_base.py b/test/py/u_boot_console_base.py
index 3938ec1302..58ec859b34 100644
--- a/test/py/u_boot_console_base.py
+++ b/test/py/u_boot_console_base.py
@@ -115,6 +115,14 @@ class ConsoleBase(object):
         self.at_prompt = False
         self.at_prompt_logevt = None
 
+    def get_spawn(self):
+        # This is not called, ssubclass must define this.
+        # Return a value to avoid:
+        #   u_boot_console_base.py:348:12: E1128: Assigning result of a function
+        #   call, where the function returns None (assignment-from-none)
+        return u_boot_spawn.Spawn([])
+
+
     def eval_bad_patterns(self):
         self.bad_patterns = [pat[PAT_RE] for pat in bad_pattern_defs \
             if self.disable_check_count[pat[PAT_ID]] == 0]