author | Tom Wai-Hong Tam <waihong@chromium.org> | 2011-08-22 18:45:31 +0800 |
---|---|---|
committer | Tom Wai-Hong Tam <waihong@chromium.org> | 2011-08-23 20:19:12 -0700 |
commit | efea801390caff45c2ef6083fde5f253f03bc395 (patch) | |
tree | 2a46ec69200bf457e98d878ad7b2c66e7474519c | |
parent | 69b88dc99b0c3ed12ad66f8df7b65ecc3682204f (diff) | |
Don't check the firmware body when USE_RO_NORMAL preamble flag is presented.
Firmware supporting RO normal boot doesn't contain any valid RW
firmware body, so skipping the check avoids an unnecessary failure.
BUG=chromium-os:19451
TEST=manual
Picked a firmware supporting RO normal boot and extracted its sections. Ran:
$ vbutil_firmware --verify VBLOCK_A --signpubkey \
> /usr/share/vboot/devkeys/root_key.vbpubk --fv RW_SECTION_A
Key block:
Size: 2232
Flags: 7 (ignored)
Data key algorithm: 7 RSA4096 SHA256
Data key version: 1
Data key sha1sum: e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450
Preamble:
Size: 2164
Header version: 2.1
Firmware version: 1
Kernel key algorithm: 7 RSA4096 SHA256
Kernel key version: 1
Kernel key sha1sum: 5d2b220899c4403d564092ada3f12d3cc4483223
Firmware body size: 456411
Preamble flags: 1
Preamble requests USE_RO_NORMAL; skipping body verification.
Change-Id: I8b81e679016f2946198396c5627415fe979c0a4f
Reviewed-on: http://gerrit.chromium.org/gerrit/6396
Tested-by: Tom Wai-Hong Tam <waihong@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
-rw-r--r-- | utility/vbutil_firmware.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/utility/vbutil_firmware.c b/utility/vbutil_firmware.c
index 76d46c6b..f6a547d6 100644
--- a/utility/vbutil_firmware.c
+++ b/utility/vbutil_firmware.c
@@ -180,6 +180,7 @@ static int Verify(const char* infile, const char* signpubkey,
 uint8_t* fv_data;
 uint64_t fv_size;
 uint64_t now = 0;
+ uint32_t flags;
 if (!infile || !signpubkey || !fv_file) {
 VbExError("Must specify filename, signpubkey, and fv\n");
@@ -243,6 +244,7 @@ static int Verify(const char* infile, const char* signpubkey,
 }
 now += preamble->preamble_size;
+ flags = VbGetFirmwarePreambleFlags(preamble);
 printf("Preamble:\n");
 printf(" Size: %" PRIu64 "\n", preamble->preamble_size);
 printf(" Header version: %" PRIu32 ".%" PRIu32"\n",
@@ -260,17 +262,20 @@ static int Verify(const char* infile, const char* signpubkey,
 printf("\n");
 printf(" Firmware body size: %" PRIu64 "\n", preamble->body_signature.data_size);
- printf(" Preamble flags: %" PRIu32 "\n",
- VbGetFirmwarePreambleFlags(preamble));
+ printf(" Preamble flags: %" PRIu32 "\n", flags);
 /* TODO: verify body size same as signature size */
 /* Verify body */
- if (0 != VerifyData(fv_data, fv_size, &preamble->body_signature, rsa)) {
- VbExError("Error verifying firmware body.\n");
- return 1;
+ if (flags & VB_FIRMWARE_PREAMBLE_USE_RO_NORMAL) {
+ printf("Preamble requests USE_RO_NORMAL; skipping body verification.\n");
+ } else {
+ if (0 != VerifyData(fv_data, fv_size, &preamble->body_signature, rsa)) {
+ VbExError("Error verifying firmware body.\n");
+ return 1;
+ }
+ printf("Body verification succeeded.\n");
 }
- printf("Body verification succeeded.\n");
 if (kernelkey_file) {
 if (0 != PublicKeyWrite(kernelkey_file, kernel_subkey)) { |
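Review bot: In the last hunk, the `USE_RO_NORMAL` branch reaches the same exit-0 path as a verified body, so anything that gates on `vbutil_firmware --verify` succeeding will accept whatever file was passed as `--fv` without it ever being checked. The skip is only as trustworthy as `flags`, which the second hunk reads from the preamble; the preamble signature check is presumably earlier in `Verify()`, whose body starts and ends outside these hunks, and it must stay ahead of that read. I would make the unverified state unmistakable in the output, e.g. `printf("Body NOT verified: preamble requests USE_RO_NORMAL.\n");`, and add a comment above the branch such as `/* flags must only be read after the preamble signature check; --fv contents are NOT checked on this path */`. The `--fv` argument also remains mandatory (the `!fv_file` check in the first hunk's context) although its contents are unused on this path, and the `/* TODO: verify body size same as signature size */` is still open.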