authorVadim Bendebury <vbendeb@google.com>2022-11-16 15:14:13 -0800
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2022-11-26 02:08:07 +0000
commit56ca7296a0c35ca8a7b06584d7f714551c918bef (patch)
tree461a8bb72c28e6841a25a07e8aae18437c502785
parent5bbd123cac5650dba0db6cc3c40c7cf33bfd7efc (diff)
downloadvboot-56ca7296a0c35ca8a7b06584d7f714551c918bef.tar.gz
sign_gsc_firmware: check ti50 images for prohibited blobs
We want to add an additional layer of protection against accidentally releasing prod signed images with dev public keys and hashes for which private keys are not secret. The blobs of the keys and hashes to avoid are available in the Ti50 tarball; this patch adds a check and fails the signing process each time a prohibited blob is found in the Ti50 binary. BRANCH=none BUG=b:254059627 TEST=invoked the script to sign Ti50 images built with and without 'ALLOW_AP_RO_DEV_SIGNING_KEY=1 TI50_DEV=1' defined, Observed signer failure when signing the image with either variable defined, reporting the presence of the appropriate blob. Change-Id: I8497e749807f862f6d20cf33cad4657008a6372a Signed-off-by: Vadim Bendebury <vbendeb@google.com> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4032539 Tested-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-by: Allen Webb <allenwebb@google.com> Commit-Queue: Vadim Bendebury <vbendeb@chromium.org> Reviewed-by: Jett Rink <jettrink@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_gsc_firmware.sh17
1 files changed, 17 insertions, 0 deletions
diff --git a/scripts/image_signing/sign_gsc_firmware.sh b/scripts/image_signing/sign_gsc_firmware.sh
index 52091650..5ef25081 100755
--- a/scripts/image_signing/sign_gsc_firmware.sh
+++ b/scripts/image_signing/sign_gsc_firmware.sh
@@ -340,6 +340,7 @@ sign_rw() {
local rma_key_base=""
local signer_command_params
local temp_dir
+ local prohibited_blobs=()
temp_dir="$(make_temp_dir)"
signer_command_params=(-x "${fuses_file}" --key "${key_file}")
@@ -375,6 +376,12 @@ sign_rw() {
# Indicate D1 signing.
signer_command_params+=( "--dauntless" "--ihex" )
base_name="ti50"
+ # Key and hashes used in dev, must not leak into prod signed images.
+ prohibited_blobs=(
+ "${rma_key_dir}/rma_test_pub_key.bin"
+ "${rma_key_dir}/arv_2k_test_key_hash.bin"
+ "${rma_key_dir}/arv_4k_test_key_hash.bin"
+ )
;;
(*)
die "Unknown generation value \"${generation}\""
@@ -392,6 +399,7 @@ sign_rw() {
local hex_signed="${temp_dir}/hex_signed"
local bin_signed="${temp_dir}/bin_signed"
local hex_base
+ local blob
# Make sure output files are not owned by root.
touch "${bin_signed}" "${hex_signed}"
@@ -415,6 +423,15 @@ sign_rw() {
fi
fi
+ for blob in "${prohibited_blobs[@]}"; do
+ if [[ ! -f ${blob} ]]; then
+ die "${blob} not found in the GSC tarball"
+ fi
+ if find_blob_in_blob "${bin_signed}" "${blob}"; then
+ die "${blob} found in signed image"
+ fi
+ done
+
hex_base="$(get_hex_base "${hex_signed}")"
paste_bin "${result_file}" "${bin_signed}" "${image_base}" "${hex_base}"
done
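Review bot: The existence check at the top of the new loop accepts a zero-length blob file, which would turn the scan of `bin_signed` for that key into a no-op instead of a failure; `if [[ ! -s ${blob} ]]; then` rejects both a missing and an empty file, so a truncated entry in the tarball fails closed. Whether `find_blob_in_blob` distinguishes "not found" from a read error on either file is not visible here — if both come back non-zero, a failure to read the blob or the image would also let the image through, which is worth confirming against its definition. For non-ti50 generations `prohibited_blobs` stays empty, and under `set -u` on bash older than 4.4 the `"${prohibited_blobs[@]}"` expansion errors; `${prohibited_blobs[@]+"${prohibited_blobs[@]}"}` is the portable form if that bash version is in scope. sign_rw starts and ends outside the hunk.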