authorBill Richardson <wfrichar@chromium.org>2011-06-16 16:02:56 -0700
committerBill Richardson <wfrichar@chromium.org>2011-06-17 10:22:22 -0700
commitf155ab3a26d07f94dcf64732d6e19b59da1c96ed (patch)
tree9122c48d1c709de5584b009e06440628ec903bdb
parent8fbdc10ebad1b14794aba593025338f017261972 (diff)
downloadvboot-f155ab3a26d07f94dcf64732d6e19b59da1c96ed.tar.gz
Add vbutil_what_keys utility to figure out how a disk image is signed.
BUG=none TEST=none Change-Id: I8a2e0d07384f0437064b964c6b292af9c3a67ea1 Reviewed-on: http://gerrit.chromium.org/gerrit/2802 Reviewed-by: Randall Spangler <rspangler@chromium.org> Reviewed-by: Bill Richardson <wfrichar@chromium.org> Tested-by: Bill Richardson <wfrichar@chromium.org>
-rw-r--r--cgpt/cmd_find.c5
-rw-r--r--utility/Makefile7
-rwxr-xr-xutility/vbutil_what_keys79
3 files changed, 89 insertions, 2 deletions
diff --git a/cgpt/cmd_find.c b/cgpt/cmd_find.c
index 487ecf61..7a0523ff 100644
--- a/cgpt/cmd_find.c
+++ b/cgpt/cmd_find.c
@@ -149,7 +149,10 @@ static void showmatch(char *filename, int partnum, GptEntry *entry) {
char * format = "%s%d\n";
if (strncmp("/dev/mmcblk", filename, 11) == 0)
format = "%sp%d\n";
- printf(format, filename, partnum);
+ if (numeric)
+ printf("%d\n", partnum);
+ else
+ printf(format, filename, partnum);
if (verbose > 0)
EntryDetails(entry, partnum - 1, numeric);
}
diff --git a/utility/Makefile b/utility/Makefile
index a60ef21a..9ae4d28c 100644
--- a/utility/Makefile
+++ b/utility/Makefile
@@ -37,7 +37,8 @@ TARGET_NAMES = crossystem \
dev_sign_file \
dump_fmap \
dev_debug_vboot \
- pack_firmware_image
+ pack_firmware_image \
+ vbutil_what_keys
ifeq ($(MINIMAL),)
TARGET_NAMES += bmpblk_utility eficompress efidecompress
@@ -131,6 +132,10 @@ ${BUILD_ROOT}/dev_debug_vboot: dev_debug_vboot
cp -f $< $@
chmod +x $@
+${BUILD_ROOT}/vbutil_what_keys: vbutil_what_keys
+ cp -f $< $@
+ chmod +x $@
+
${BUILD_ROOT}/tpmc: tpmc.c $(LIBS)
$(CC) $(CFLAGS) $< -o $@ $(LIBS)
diff --git a/utility/vbutil_what_keys b/utility/vbutil_what_keys
new file mode 100755
index 00000000..9655e75a
--- /dev/null
+++ b/utility/vbutil_what_keys
@@ -0,0 +1,79 @@
+#!/bin/bash -u
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+if [ -z "$*" ]; then
+ cat <<EOF 1>&2
+
+Usage: vbutil_what_keys IMAGE [IMAGE...]
+
+Given a ChromiumOS disk image, try to figure out how it's signed. Note that
+this does not verify the signature, it just reports which keyblock was used to
+create the signature.
+
+EOF
+ exit 1
+fi
+
+
+# We'll look up the known kernel.keyblock and recovery_kernel.keyblock sha1sums
+# right here. Obtain them by running this script on images you know have been
+# signed correctly (since the keys themselves are inside the HSM).
+#
+# e78ce746a037837155388a1096212ded04fb86eb recovery dev-key
+# d6170aa480136f1f29cf339a5ab1b960585fa444 normal dev-key
+#
+# 20f3e8b77da6577706c91feefb203f98ee20d479 recovery ZGB MP
+# 7b7ae8652775ad7305f565161b3acc00fcc8ea22 normal ZGB MP
+#
+# 03172b08f0b99172c73d947f51e8ca23d418bcbf recovery Alex MP
+# af24e46b6c3805869616e71c002c9a2a847ad266 normal Alex MP
+#
+# f6fadd7e31eebf4bcc4eb8d2dd512e3a2313627f recovery Cr-48 MP
+# a1454fcecb98a6f33b38638564bdfc20161a7b04 normal Cr-48 MP
+#
+
+TMPFILE=$(mktemp /tmp/keyblock_XXXXXXXXX)
+trap "rm -f $TMPFILE" EXIT
+
+dofile() {
+ file="$1"
+ echo "$file"
+
+ for pnum in $(cgpt find -n -t kernel "$file" 2>/dev/null); do
+
+ psize=$(cgpt show -s -i "$pnum" "$file")
+ if [ "$psize" -ge 128 ]; then
+
+ pstart=$(cgpt show -b -i "$pnum" "$file")
+ dd if="$file" of="$TMPFILE" bs=512 count=128 skip="$pstart" 2>/dev/null
+
+ psum=$(vbutil_keyblock --unpack "$TMPFILE" 2>/dev/null | \
+ grep sha1sum | sed -e 's/^.*: *//')
+
+ if [ -n "$psum" ]; then
+ match=$(grep "$psum" "$0" 2>/dev/null | sed -e 's/^# //')
+ flags=$(vbutil_keyblock --unpack "$TMPFILE" 2>/dev/null | \
+ grep Flags: | sed -e 's/^.*:[ 0-9]*//')
+ else
+ match=""
+ psum="--invalid--"
+ flags=""
+ fi
+
+ if [ -n "$match" ]; then
+ echo " part $pnum: $match ($flags)"
+ else
+ echo " part $pnum: $psum ($flags)"
+ fi
+ fi
+
+ done
+}
+
+
+for file in "$@"; do
+ dofile $file
+done
+
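Review bot: The top-level loop at the end of the script calls `dofile $file` unquoted, so an image path containing spaces or glob characters is split or expanded before `dofile` sees it; it should be `dofile "$file"`, which is how the same variable is already quoted inside the function. Relatedly, `$psum` is lifted from `vbutil_keyblock --unpack` output on an arbitrary disk image and then used as a regex over the script's own source in `grep "$psum" "$0"`; a fixed-string match such as `match=$(grep -F -- "$psum" "$0" 2>/dev/null | sed -e 's/^# //')` avoids both regex metacharacters and a leading `-` being interpreted as options. The `trap "rm -f $TMPFILE" EXIT` line expands the path at definition time, which works here because mktemp's name has no spaces, but `trap 'rm -f "$TMPFILE"' EXIT` is the safer form. Note that `-u` on the shebang is lost if someone runs `bash vbutil_what_keys`, so `set -u` as the first statement would be more robust.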