util/broadcom/secimage: Add HMAC test

One of responsibilities of the `secimage` tool is signing the image
using the HMAC-SHA256 algorithm. The test being added verifies that
secimage's internal call yields same result as the according openssl
tool does.

Change-Id: I8de4328f435af56901a861e3d5e733657c3c7f78
Signed-off-by: Alex Thiessen <alex.thiessen.de+coreboot@gmail.com>
Reviewed-on: https://review.coreboot.org/23474
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>

util/broadcom/secimage/test/hmac.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+
+##
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2003-2018 Alex Thiessen <alex.thiessen.de+coreboot@gmail.com>
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 3 or later of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+## SPDX-License-Identifier: GPL-3.0-or-later
+## <https://spdx.org/licenses/GPL-3.0-or-later.html>
+##
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# static analysis
+if command -v shellcheck 1>/dev/null; then
+	shellcheck "${BASH_SOURCE[0]}"
+else
+       echo "shellcheck not found, running unchecked" >&2
+fi
+
+# dependency check
+dependencies=(basename diff dirname head mkdir mktemp openssl rm tail xxd)
+for dependency in "${dependencies[@]}"; do
+	if ! command -v "${dependency}" 1>/dev/null; then
+		echo "missing ${dependency}, test skipped" >&2
+		exit 0
+	fi
+done
+
+# parameters
+if [ ${#} -ne 1 ]; then
+	echo "usage: '${0}' <testee>"
+	exit 1
+fi
+
+# setup
+testee="${1}"
+declare -i header_len=16 signature_len=32
+tmp_dir="$(mktemp --directory --tmpdir secimage-test-XXXXXXXX)"
+shopt -s globstar nullglob
+for dump_file in test/data/**/*.xxdump; do
+	bin_file_dir="${tmp_dir}/$(dirname "${dump_file#test/data/}")"
+	mkdir --parents "${bin_file_dir}"
+	xxd -r "${dump_file}" \
+	       "${bin_file_dir}/$(basename "${dump_file}" .xxdump)"
+done
+tail --bytes=+$((header_len + 1)) "${tmp_dir}/expected/binary" \
+	| head --bytes=-${signature_len} \
+	| openssl dgst -sha256 -mac hmac \
+		-macopt hexkey:"$(xxd -c$((signature_len * 2)) -ps \
+			"${tmp_dir}/input/hmac_binary_key")" \
+		-binary \
+		> "${tmp_dir}/expected/signature"
+mkdir "${tmp_dir}/actual"
+
+# test
+"${testee}" \
+	-out "${tmp_dir}/actual/binary" \
+	-config "${tmp_dir}/input/configfile" \
+	-hmac "${tmp_dir}/input/hmac_binary_key" \
+	-bl "${tmp_dir}/input/binary"
+tail --bytes=${signature_len} "${tmp_dir}/actual/binary" \
+	> "${tmp_dir}/actual/signature"
+diff --recursive "${tmp_dir}/actual" "${tmp_dir}/expected" 1>/dev/null
+
+# teardown
+rm --force --recursive "${tmp_dir}"