diff options
| author | Jakub Czapiga <jacz@semihalf.com> | 2022-06-08 13:35:46 +0200 |
|---|---|---|
| committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2022-06-23 19:26:12 +0000 |
| commit | a729c3f95d6c6d98c4e4d3500cc7535bf2ceee8a (patch) | |
| tree | 71162c877dbd7c6aeb7246f3d0426fa91bc4c7a5 | |
| parent | 6bcf9f7b7913604368cde04f681ece204779c240 (diff) | |
| download | vboot-a729c3f95d6c6d98c4e4d3500cc7535bf2ceee8a.tar.gz | |
tests: Fix most of errors reported by shellcheck
BUG=none
BRANCH=none
TEST=make runtests
Signed-off-by: Jakub Czapiga <czapiga@google.com>
Change-Id: I364ac6ace35705f1cfdaec71297523d4c2132b75
Disallow-Recycled-Builds: test-failures
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3695417
Reviewed-by: Julius Werner <jwerner@chromium.org>
32 files changed, 929 insertions, 899 deletions
diff --git a/tests/common.sh b/tests/common.sh index e69692b6..a2079228 100644 --- a/tests/common.sh +++ b/tests/common.sh @@ -5,7 +5,7 @@ # found in the LICENSE file. # Determine script directory. -SCRIPT_DIR="$(dirname $(realpath "${BASH_SOURCE[0]}"))" +SCRIPT_DIR="$(dirname "$(realpath "${BASH_SOURCE[0]}")")" ROOT_DIR="$(dirname "${SCRIPT_DIR}")" SRCDIR="${SRCDIR:-${ROOT_DIR}}" BUILD="${BUILD:-${ROOT_DIR}/build}" @@ -19,8 +19,8 @@ TESTKEY_DIR="${SCRIPT_DIR}/testkeys" TESTCASE_DIR="${SCRIPT_DIR}/testcases" TESTKEY_SCRATCH_DIR="${TEST_DIR}/testkeys" -if [ ! -d ${TESTKEY_SCRATCH_DIR} ]; then - mkdir -p ${TESTKEY_SCRATCH_DIR} +if [ ! -d "${TESTKEY_SCRATCH_DIR}" ]; then + mkdir -p "${TESTKEY_SCRATCH_DIR}" fi # Color output encodings. @@ -53,7 +53,8 @@ function error { *) lev=0 ;; esac - local x=$(caller $lev) + local x + x=$(caller $lev) local cline=${x%% *} local cfunc=${x#* } cfunc=${cfunc##*/} @@ -65,7 +66,6 @@ function error { } function check_test_keys { - [ -d ${TESTKEY_DIR} ] || \ + [ -d "${TESTKEY_DIR}" ] || \ error 1 "You must run gen_test_keys.sh to generate test keys first." } - diff --git a/tests/external_rsa_signer.sh b/tests/external_rsa_signer.sh index 0724b878..405df420 100755 --- a/tests/external_rsa_signer.sh +++ b/tests/external_rsa_signer.sh @@ -1,9 +1,13 @@ #!/bin/bash +# Copyright (c) 2010 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + if [ $# -ne 1 ]; then echo "Usage: $0 <private_key_pem_file>" echo "Reads data to sign from stdin, encrypted data is output to stdout" exit 1 fi -openssl rsautl -sign -inkey $1 +openssl rsautl -sign -inkey "$1" diff --git a/tests/futility/run_test_scripts.sh b/tests/futility/run_test_scripts.sh index f224bdf1..aeb3477b 100755 --- a/tests/futility/run_test_scripts.sh +++ b/tests/futility/run_test_scripts.sh @@ -62,11 +62,11 @@ for i in $TESTS; do if [ ! "$rc" ]; then echo -e "${COL_GREEN}PASSED${COL_STOP}" : $(( pass++ )) - rm -f ${OUTDIR}/$j.{stdout,stderr,return} + rm -f "${OUTDIR}/$j".{stdout,stderr,return} else echo -e "${COL_RED}FAILED (${rc:-0}). Stdout is recorded in" \ "${OUTDIR}/$j.stdout${COL_STOP}" - cat ${OUTDIR}/$j.stderr + cat "${OUTDIR}/$j.stderr" fi done diff --git a/tests/futility/test_create.sh b/tests/futility/test_create.sh index 55c648c4..77c7eb45 100755 --- a/tests/futility/test_create.sh +++ b/tests/futility/test_create.sh @@ -15,7 +15,7 @@ TESTKEYS=${SRCDIR}/tests/testkeys # Demonstrate that we can recreate the same vb1 keys without the .keyb files for sig in rsa1024 rsa2048 rsa4096 rsa8192; do for hash in sha1 sha256 sha512; do - ${FUTILITY} --vb1 create --hash_alg "${hash}" \ + "${FUTILITY}" --vb1 create --hash_alg "${hash}" \ "${TESTKEYS}/key_${sig}.pem" "${TMP}_key_${sig}.${hash}" cmp "${TESTKEYS}/key_${sig}.${hash}.vbprivk" \ "${TMP}_key_${sig}.${hash}.vbprivk" @@ -29,7 +29,7 @@ done # prove anything until we've used them to sign some stuff, though. for sig in rsa1024 rsa2048 rsa4096 rsa8192; do for hash in sha1 sha256 sha512; do - ${FUTILITY} --vb21 create --hash_alg "${hash}" \ + "${FUTILITY}" --vb21 create --hash_alg "${hash}" \ "${TESTKEYS}/key_${sig}.pem" "${TMP}_key_${sig}.${hash}" done done @@ -37,12 +37,12 @@ done # Demonstrate that the sha1sums are the same for all the keys created from the # same .pem files, both public and private, vb1 and vb21. for sig in rsa1024 rsa2048 rsa4096 rsa8192; do - pem_sum=$(${FUTILITY} show "${TESTKEYS}/key_${sig}.pem" | + pem_sum=$("${FUTILITY}" show "${TESTKEYS}/key_${sig}.pem" | awk '/sha1sum/ {print $3}') # expect only one - [ $(echo "$pem_sum" | wc -w) = 1 ] - num_keys=$(echo ${TMP}_key_${sig}.* | wc -w) - key_sums=$(${FUTILITY} show ${TMP}_key_${sig}.* | + [ "$(echo "$pem_sum" | wc -w)" = 1 ] + num_keys=$(echo "${TMP}_key_${sig}".* | wc -w) + key_sums=$("${FUTILITY}" show "${TMP}_key_${sig}".* | awk '/sha1sum:|ID:/ {print $NF}') num_sums=$(echo "$key_sums" | wc -w) # expect one sha1sum (or ID) line per file @@ -57,7 +57,7 @@ done # the private key. for sig in rsa1024 rsa2048 rsa4096 rsa8192; do for hash in sha1 sha256 sha512; do - ${FUTILITY} --vb21 create --hash_alg "${hash}" \ + "${FUTILITY}" --vb21 create --hash_alg "${hash}" \ "${TESTKEYS}/key_${sig}.pub.pem" "${TMP}_key_${sig}.pubonly.${hash}" cmp "${TMP}_key_${sig}.pubonly.${hash}.vbpubk2" \ "${TMP}_key_${sig}.${hash}.vbpubk2" @@ -65,5 +65,5 @@ for sig in rsa1024 rsa2048 rsa4096 rsa8192; do done # cleanup -rm -rf ${TMP}* +rm -rf "${TMP}"* exit 0 diff --git a/tests/futility/test_dump_fmap.sh b/tests/futility/test_dump_fmap.sh index 5ae2e974..b8e418af 100755 --- a/tests/futility/test_dump_fmap.sh +++ b/tests/futility/test_dump_fmap.sh @@ -51,5 +51,5 @@ cmp "${SCRIPT_DIR}/futility/data_fmap2_expect_hhH.txt" "$TMP" # cleanup -rm -f ${TMP}* FMAP SI_DESC FOO +rm -f "${TMP}"* FMAP SI_DESC FOO exit 0 diff --git a/tests/futility/test_file_types.sh b/tests/futility/test_file_types.sh index c51e38f2..313e4087 100755 --- a/tests/futility/test_file_types.sh +++ b/tests/futility/test_file_types.sh @@ -16,13 +16,13 @@ cd "$OUTDIR" # Args are <expected_type>, <file_to_probe> test_case() { local result - result=$(${FUTILITY} show -t "${SRCDIR}/$2" | awk '{print $NF}') + result=$("${FUTILITY}" show -t "${SRCDIR}/$2" | awk '{print $NF}') [ "$1" = "$result" ] } # Arg is <file_to_probe> fail_case() { - if ${FUTILITY} show -t "$1" ; then false; else true; fi + if "${FUTILITY}" show -t "$1" ; then false; else true; fi } # Known types @@ -54,22 +54,23 @@ fail_case "/dev/zero" # often won't work, but it certainly shouldn't core dump. # We'll ask futility to tell us what types it supports -TYPES=$(${FUTILITY} show --type help | awk '/^ +/ {print $1}') +TYPES=$("${FUTILITY}" show --type help | awk '/^ +/ {print $1}') # And we'll just reuse the same files above. -FILES=$(awk '/^test_case / {print $NF}' $0 | tr -d '"') +FILES=$(awk '/^test_case / {print $NF}' "$0" | tr -d '"') # futility should normally exit with either 0 or 1. Make sure that happens. # NOTE: /bin/bash returns values > 125 for special problems like signals. # I welcome patches to do this more portably. for type in $TYPES; do for file in $FILES; do - ${FUTILITY} show --type ${type} "${SRCDIR}/${file}" && rc=$? || rc=$? + "${FUTILITY}" show --type "${type}" "${SRCDIR}/${file}" && \ + rc=$? || rc=$? [ "$rc" -le 2 ] done done # cleanup -rm -rf ${TMP}* +rm -rf "${TMP}"* exit 0 diff --git a/tests/futility/test_gbb_utility.sh b/tests/futility/test_gbb_utility.sh index bdfa2628..5b783c42 100755 --- a/tests/futility/test_gbb_utility.sh +++ b/tests/futility/test_gbb_utility.sh @@ -15,56 +15,58 @@ REPLACE="${BUILD_RUN}/tests/futility/binary_editor" # First, let's test the basic functionality # For simplicity, we'll use the same size for all properties. -${FUTILITY} gbb -c 16,0x10,16,0x10 ${TMP}.blob +"${FUTILITY}" gbb -c 16,0x10,16,0x10 "${TMP}.blob" # Flags -${FUTILITY} gbb -s --flags=0xdeadbeef ${TMP}.blob -${FUTILITY} gbb -g --flags ${TMP}.blob | grep -i 0xdeadbeef +"${FUTILITY}" gbb -s --flags=0xdeadbeef "${TMP}.blob" +"${FUTILITY}" gbb -g --flags "${TMP}.blob" | grep -i 0xdeadbeef # HWID length should include the terminating null - this is too long -if ${FUTILITY} gbb -s --hwid="0123456789ABCDEF" ${TMP}.blob; then +if "${FUTILITY}" gbb -s --hwid="0123456789ABCDEF" "${TMP}.blob"; then false; fi # This works -${FUTILITY} gbb -s --hwid="0123456789ABCDE" ${TMP}.blob +"${FUTILITY}" gbb -s --hwid="0123456789ABCDE" "${TMP}.blob" # Read it back? -${FUTILITY} gbb -g ${TMP}.blob | grep "0123456789ABCDE" +"${FUTILITY}" gbb -g "${TMP}.blob" | grep "0123456789ABCDE" # Same kind of tests for the other fields, but they need binary files. # too long -dd if=/dev/urandom bs=17 count=1 of=${TMP}.data1.toolong -dd if=/dev/urandom bs=17 count=1 of=${TMP}.data2.toolong -if ${FUTILITY} gbb -s --rootkey ${TMP}.data1.toolong ${TMP}.blob; then false; fi -if ${FUTILITY} gbb -s --recoverykey ${TMP}.data2.toolong ${TMP}.blob; then false; fi +dd if=/dev/urandom bs=17 count=1 of="${TMP}.data1.toolong" +dd if=/dev/urandom bs=17 count=1 of="${TMP}.data2.toolong" +if "${FUTILITY}" gbb -s --rootkey "${TMP}.data1.toolong" "${TMP}.blob"; + then false; fi +if "${FUTILITY}" gbb -s --recoverykey "${TMP}.data2.toolong" "${TMP}.blob"; + then false; fi # shorter than max should be okay, though -dd if=/dev/urandom bs=10 count=1 of=${TMP}.data1.short -dd if=/dev/urandom bs=10 count=1 of=${TMP}.data2.short -${FUTILITY} gbb -s \ - --rootkey ${TMP}.data1.short \ - --recoverykey ${TMP}.data2.short ${TMP}.blob +dd if=/dev/urandom bs=10 count=1 of="${TMP}.data1.short" +dd if=/dev/urandom bs=10 count=1 of="${TMP}.data2.short" +"${FUTILITY}" gbb -s \ + --rootkey "${TMP}.data1.short" \ + --recoverykey "${TMP}.data2.short" "${TMP}.blob" # read 'em back -${FUTILITY} gbb -g \ - --rootkey ${TMP}.read1 \ - --recoverykey ${TMP}.read2 ${TMP}.blob +"${FUTILITY}" gbb -g \ + --rootkey "${TMP}.read1" \ + --recoverykey "${TMP}.read2" "${TMP}.blob" # Verify (but remember, it's short) -cmp -n 10 ${TMP}.data1.short ${TMP}.read1 -cmp -n 10 ${TMP}.data2.short ${TMP}.read2 +cmp -n 10 "${TMP}.data1.short" "${TMP}.read1" +cmp -n 10 "${TMP}.data2.short" "${TMP}.read2" # Okay -dd if=/dev/urandom bs=16 count=1 of=${TMP}.data1 -dd if=/dev/urandom bs=16 count=1 of=${TMP}.data2 -dd if=/dev/urandom bs=16 count=1 of=${TMP}.data3 -${FUTILITY} gbb -s --rootkey ${TMP}.data1 ${TMP}.blob -${FUTILITY} gbb -s --recoverykey ${TMP}.data2 ${TMP}.blob +dd if=/dev/urandom bs=16 count=1 of="${TMP}.data1" +dd if=/dev/urandom bs=16 count=1 of="${TMP}.data2" +dd if=/dev/urandom bs=16 count=1 of="${TMP}.data3" +"${FUTILITY}" gbb -s --rootkey "${TMP}.data1" "${TMP}.blob" +"${FUTILITY}" gbb -s --recoverykey "${TMP}.data2" "${TMP}.blob" # Read 'em back. -${FUTILITY} gbb -g --rootkey ${TMP}.read1 ${TMP}.blob -${FUTILITY} gbb -g --recoverykey ${TMP}.read2 ${TMP}.blob +"${FUTILITY}" gbb -g --rootkey "${TMP}.read1" "${TMP}.blob" +"${FUTILITY}" gbb -g --recoverykey "${TMP}.read2" "${TMP}.blob" # Verify -cmp ${TMP}.data1 ${TMP}.read1 -cmp ${TMP}.data2 ${TMP}.read2 +cmp "${TMP}.data1" "${TMP}.read1" +cmp "${TMP}.data2" "${TMP}.read2" # Okay, creating GBB blobs seems to work. Now let's make sure that corrupted @@ -100,82 +102,85 @@ cmp ${TMP}.data2 ${TMP}.read2 # # bad major_version -cat ${TMP}.blob | ${REPLACE} 0x4 2 > ${TMP}.blob.bad -if ${FUTILITY} gbb ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x4 2 < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb "${TMP}.blob.bad"; then false; fi # header size too large -cat ${TMP}.blob | ${REPLACE} 0x8 0x81 > ${TMP}.blob.bad -if ${FUTILITY} gbb ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x8 0x81 < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb "${TMP}.blob.bad"; then false; fi # header size too small -cat ${TMP}.blob | ${REPLACE} 0x8 0x7f > ${TMP}.blob.bad -if ${FUTILITY} gbb ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x8 0x7f < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb "${TMP}.blob.bad"; then false; fi # HWID not null-terminated is invalid -cat ${TMP}.blob | ${REPLACE} 0x8f 0x41 > ${TMP}.blob.bad -if ${FUTILITY} gbb ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x8f 0x41 < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb "${TMP}.blob.bad"; then false; fi # HWID of length zero is okay -cat ${TMP}.blob | ${REPLACE} 0x14 0x00 > ${TMP}.blob.ok -${FUTILITY} gbb ${TMP}.blob.ok +"${REPLACE}" 0x14 0x00 < "${TMP}.blob" > "${TMP}.blob.ok" +"${FUTILITY}" gbb "${TMP}.blob.ok" # And HWID of length 1 consisting only of '\0' is okay, too. -cat ${TMP}.blob | ${REPLACE} 0x14 0x01 | ${REPLACE} 0x80 0x00 > ${TMP}.blob.ok -${FUTILITY} gbb ${TMP}.blob.ok +"${REPLACE}" 0x14 0x01 < "${TMP}.blob" | "${REPLACE}" 0x80 0x00 \ + > "${TMP}.blob.ok" +"${FUTILITY}" gbb "${TMP}.blob.ok" # zero-length HWID not null-terminated is invalid -cat ${TMP}.blob | ${REPLACE} 0x8f 0x41 > ${TMP}.blob.bad -if ${FUTILITY} gbb ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x8f 0x41 < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb "${TMP}.blob.bad"; then false; fi # hwid_offset < GBB_HEADER_SIZE is invalid -cat ${TMP}.blob | ${REPLACE} 0x10 0x7f > ${TMP}.blob.bad -if ${FUTILITY} gbb ${TMP}.blob.bad; then false; fi -cat ${TMP}.blob | ${REPLACE} 0x10 0x00 > ${TMP}.blob.bad -if ${FUTILITY} gbb ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x10 0x7f < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb "${TMP}.blob.bad"; then false; fi +"${REPLACE}" 0x10 0x00 < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb "${TMP}.blob.bad"; then false; fi # rootkey_offset < GBB_HEADER_SIZE is invalid -cat ${TMP}.blob | ${REPLACE} 0x18 0x7f > ${TMP}.blob.bad -if ${FUTILITY} gbb ${TMP}.blob.bad; then false; fi -cat ${TMP}.blob | ${REPLACE} 0x18 0x00 > ${TMP}.blob.bad -if ${FUTILITY} gbb ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x18 0x7f < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb "${TMP}.blob.bad"; then false; fi +"${REPLACE}" 0x18 0x00 < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb "${TMP}.blob.bad"; then false; fi # recovery_key_offset < GBB_HEADER_SIZE is invalid -cat ${TMP}.blob | ${REPLACE} 0x28 0x7f > ${TMP}.blob.bad -if ${FUTILITY} gbb ${TMP}.blob.bad; then false; fi -cat ${TMP}.blob | ${REPLACE} 0x28 0x00 > ${TMP}.blob.bad -if ${FUTILITY} gbb ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x28 0x7f < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb "${TMP}.blob.bad"; then false; fi +"${REPLACE}" 0x28 0x00 < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb "${TMP}.blob.bad"; then false; fi # hwid: offset + size == end of file is okay; beyond is invalid -cat ${TMP}.blob | ${REPLACE} 0x14 0x40 > ${TMP}.blob.bad -${FUTILITY} gbb -g ${TMP}.blob.bad -cat ${TMP}.blob | ${REPLACE} 0x14 0x41 > ${TMP}.blob.bad -if ${FUTILITY} gbb -g ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x14 0x40 < "${TMP}.blob" > "${TMP}.blob.bad" +"${FUTILITY}" gbb -g "${TMP}.blob.bad" +"${REPLACE}" 0x14 0x41 < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb -g "${TMP}.blob.bad"; then false; fi # rootkey: offset + size == end of file is okay; beyond is invalid -cat ${TMP}.blob | ${REPLACE} 0x1c 0x30 > ${TMP}.blob.bad -${FUTILITY} gbb -g ${TMP}.blob.bad -cat ${TMP}.blob | ${REPLACE} 0x1c 0x31 > ${TMP}.blob.bad -if ${FUTILITY} gbb -g ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x1c 0x30 < "${TMP}.blob" > "${TMP}.blob.bad" +"${FUTILITY}" gbb -g "${TMP}.blob.bad" +"${REPLACE}" 0x1c 0x31 < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb -g "${TMP}.blob.bad"; then false; fi # recovery_key: offset + size == end of file is okay; beyond is invalid -cat ${TMP}.blob | ${REPLACE} 0x2c 0x10 > ${TMP}.blob.bad -${FUTILITY} gbb -g ${TMP}.blob.bad -cat ${TMP}.blob | ${REPLACE} 0x2c 0x11 > ${TMP}.blob.bad -if ${FUTILITY} gbb -g ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x2c 0x10 < "${TMP}.blob" > "${TMP}.blob.bad" +"${FUTILITY}" gbb -g "${TMP}.blob.bad" +"${REPLACE}" 0x2c 0x11 < "${TMP}.blob" > "${TMP}.blob.bad" +if "${FUTILITY}" gbb -g "${TMP}.blob.bad"; then false; fi # hwid_size == 0 doesn't complain, but can't be set -cat ${TMP}.blob | ${REPLACE} 0x14 0x00 > ${TMP}.blob.bad -${FUTILITY} gbb -g ${TMP}.blob.bad -if ${FUTILITY} gbb -s --hwid="A" ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x14 0x00 < "${TMP}.blob" > "${TMP}.blob.bad" +"${FUTILITY}" gbb -g "${TMP}.blob.bad" +if "${FUTILITY}" gbb -s --hwid="A" "${TMP}.blob.bad"; then false; fi # rootkey_size == 0 gives warning, gets nothing, can't be set -cat ${TMP}.blob | ${REPLACE} 0x1c 0x00 > ${TMP}.blob.bad -${FUTILITY} gbb -g --rootkey ${TMP}.read1 ${TMP}.blob.bad -if ${FUTILITY} gbb -s --rootkey ${TMP}.data1 ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x1c 0x00 < "${TMP}.blob" > "${TMP}.blob.bad" +"${FUTILITY}" gbb -g --rootkey "${TMP}.read1" "${TMP}.blob.bad" +if "${FUTILITY}" gbb -s --rootkey "${TMP}.data1" "${TMP}.blob.bad"; + then false; fi # recovery_key_size == 0 gives warning, gets nothing, can't be set -cat ${TMP}.blob | ${REPLACE} 0x2c 0x00 > ${TMP}.blob.bad -${FUTILITY} gbb -g --recoverykey ${TMP}.read2 ${TMP}.blob.bad -if ${FUTILITY} gbb -s --recoverykey ${TMP}.data2 ${TMP}.blob.bad; then false; fi +"${REPLACE}" 0x2c 0x00 < "${TMP}.blob" > "${TMP}.blob.bad" +"${FUTILITY}" gbb -g --recoverykey "${TMP}.read2" "${TMP}.blob.bad" +if "${FUTILITY}" gbb -s --recoverykey "${TMP}.data2" "${TMP}.blob.bad"; + then false; fi # GBB v1.2 adds a sha256 digest field in what was previously padding: @@ -189,21 +194,21 @@ if ${FUTILITY} gbb -s --recoverykey ${TMP}.data2 ${TMP}.blob.bad; then false; fi # See that the digest is updated properly. hwid="123456789ABCDEF" -${FUTILITY} gbb -s --hwid=${hwid} ${TMP}.blob +"${FUTILITY}" gbb -s --hwid="${hwid}" "${TMP}.blob" expect=$(echo -n "$hwid" | sha256sum | cut -d ' ' -f 1) -[ $(echo -n ${expect} | wc -c) == "64" ] -${FUTILITY} gbb -g --digest ${TMP}.blob | grep ${expect} +[ "$(echo -n "${expect}" | wc -c)" == "64" ] +"${FUTILITY}" gbb -g --digest "${TMP}.blob" | grep "${expect}" # Garble the digest, see that it's noticed. # (assuming these zeros aren't present) -cat ${TMP}.blob | ${REPLACE} 0x33 0x00 0x00 0x00 0x00 0x00 > ${TMP}.blob.bad -${FUTILITY} gbb -g --digest ${TMP}.blob.bad | grep '0000000000' -${FUTILITY} gbb -g --digest ${TMP}.blob.bad | grep 'invalid' +"${REPLACE}" 0x33 0x00 0x00 0x00 0x00 0x00 < "${TMP}.blob" > "${TMP}.blob.bad" +"${FUTILITY}" gbb -g --digest "${TMP}.blob.bad" | grep '0000000000' +"${FUTILITY}" gbb -g --digest "${TMP}.blob.bad" | grep 'invalid' # Garble the HWID. The digest is unchanged, but now invalid. -cat ${TMP}.blob | ${REPLACE} 0x84 0x70 0x71 0x72 > ${TMP}.blob.bad -${FUTILITY} gbb -g --digest ${TMP}.blob.bad | grep 'invalid' +"${REPLACE}" 0x84 0x70 0x71 0x72 < "${TMP}.blob" > "${TMP}.blob.bad" +"${FUTILITY}" gbb -g --digest "${TMP}.blob.bad" | grep 'invalid' # cleanup -rm -f ${TMP}* +rm -f "${TMP}"* exit 0 diff --git a/tests/futility/test_load_fmap.sh b/tests/futility/test_load_fmap.sh index a93b71f5..78212431 100755 --- a/tests/futility/test_load_fmap.sh +++ b/tests/futility/test_load_fmap.sh @@ -10,34 +10,34 @@ TMP="$me.tmp" cd "$OUTDIR" -IN=${SCRIPT_DIR}/futility/data/bios_link_mp.bin -BIOS=${TMP}.bios.bin +IN="${SCRIPT_DIR}/futility/data/bios_link_mp.bin" +BIOS="${TMP}.bios.bin" -cp ${IN} ${BIOS} - -AREAS="RW_SECTION_A VBLOCK_B BOOT_STUB" +cp "${IN}" "${BIOS}" +AREAS=(RW_SECTION_A VBLOCK_B BOOT_STUB) +set -x # Extract good blobs first -${FUTILITY} dump_fmap -x ${BIOS} ${AREAS} +"${FUTILITY}" dump_fmap -x "${BIOS}" "${AREAS[@]}" # Save the good blobs, make same-size random blobs, create command -CMDS="" -for a in ${AREAS}; do - size=$(stat -c '%s' $a) - mv $a $a.good - dd if=/dev/urandom of=$a.rand bs=$size count=1 - CMDS="$CMDS $a:$a.rand" +CMDS=( ) +for a in "${AREAS[@]}"; do + size=$(stat -c '%s' "$a") + mv "$a" "$a.good" + dd if=/dev/urandom of="$a.rand" bs="$size" count=1 + CMDS+=("$a:$a.rand") done # Poke the new blobs in -${FUTILITY} load_fmap ${BIOS} ${CMDS} +"${FUTILITY}" load_fmap "${BIOS}" "${CMDS[@]}" # Pull them back out and see if they match -${FUTILITY} dump_fmap -x ${BIOS} ${AREAS} -for a in ${AREAS}; do - cmp $a $a.rand +"${FUTILITY}" dump_fmap -x "${BIOS}" "${AREAS[@]}" +for a in "${AREAS[@]}"; do + cmp "$a" "$a.rand" done # cleanup -rm -f ${TMP}* ${AREAS} *.rand *.good +rm -f "${TMP}"* "${AREAS[@]}" ./*.rand ./*.good exit 0 diff --git a/tests/futility/test_main.sh b/tests/futility/test_main.sh index 2e5f4dc4..725abe3a 100755 --- a/tests/futility/test_main.sh +++ b/tests/futility/test_main.sh @@ -10,55 +10,57 @@ TMP="$me.tmp" cd "$OUTDIR" # No args returns nonzero exit code -${FUTILITY} && false +"${FUTILITY}" && false # It's weird but okay if the command is a full path. -${FUTILITY} /fake/path/to/help > "$TMP" +"${FUTILITY}" /fake/path/to/help > "$TMP" grep Usage "$TMP" # Make sure logging does something. LOG="/tmp/futility.log" -[ -f ${LOG} ] && mv ${LOG} ${LOG}.backup -touch ${LOG} -${FUTILITY} help -grep ${FUTILITY} ${LOG} -rm -f ${LOG} -[ -f ${LOG}.backup ] && mv ${LOG}.backup ${LOG} +[ -f "${LOG}" ] && mv "${LOG}" "${LOG}.backup" +touch "${LOG}" +"${FUTILITY}" help +grep "${FUTILITY}" "${LOG}" +rm -f "${LOG}" +[ -f "${LOG}.backup" ] && mv "${LOG}.backup" "${LOG}" # Use some known digests to verify that things work... -DEVKEYS=${SRCDIR}/tests/devkeys +DEVKEYS="${SRCDIR}/tests/devkeys" SHA=e78ce746a037837155388a1096212ded04fb86eb # all progs in the pipelines should work set -o pipefail # If it's invoked as the name of a command we know, it should do that command -ln -sf ${FUTILITY} vbutil_key -./vbutil_key --unpack ${DEVKEYS}/installer_kernel_data_key.vbpubk | grep ${SHA} -ln -sf ${FUTILITY} vbutil_keyblock -./vbutil_keyblock --unpack ${DEVKEYS}/installer_kernel.keyblock | grep ${SHA} -cp ${FUTILITY} show -./show ${SCRIPT_DIR}/futility/data/rec_kernel_part.bin | grep ${SHA} +ln -sf "${FUTILITY}" vbutil_key +./vbutil_key --unpack "${DEVKEYS}/installer_kernel_data_key.vbpubk" | \ + grep "${SHA}" +ln -sf "${FUTILITY}" vbutil_keyblock +./vbutil_keyblock --unpack "${DEVKEYS}/installer_kernel.keyblock" | \ + grep "${SHA}" +cp "${FUTILITY}" show +./show "${SCRIPT_DIR}/futility/data/rec_kernel_part.bin" | grep "${SHA}" # If it's invoked by any other name, expect the command to be the first arg. -ln -sf ${FUTILITY} muggle -./muggle vbutil_key --unpack ${DEVKEYS}/installer_kernel_data_key.vbpubk \ - | grep ${SHA} -ln -sf ${FUTILITY} buggle -./buggle vbutil_keyblock --unpack ${DEVKEYS}/installer_kernel.keyblock \ - | grep ${SHA} -cp ${FUTILITY} boo -./boo show ${SCRIPT_DIR}/futility/data/rec_kernel_part.bin | grep ${SHA} +ln -sf "${FUTILITY}" muggle +./muggle vbutil_key --unpack "${DEVKEYS}/installer_kernel_data_key.vbpubk" \ + | grep "${SHA}" +ln -sf "${FUTILITY}" buggle +./buggle vbutil_keyblock --unpack "${DEVKEYS}/installer_kernel.keyblock" \ + | grep "${SHA}" +cp "${FUTILITY}" boo +./boo show "${SCRIPT_DIR}/futility/data/rec_kernel_part.bin" | grep "${SHA}" # we expect the first command fail, but the output to match anyway set +o pipefail # If it can't figure out the command at all, it should complain. -${FUTILITY} muggle | grep Usage: +"${FUTILITY}" muggle | grep Usage: ./buggle futility | grep Usage: ./boo | grep Usage: # cleanup -rm -f ${TMP}* vbutil_key vbutil_keyblock show muggle buggle boo +rm -f "${TMP}"* vbutil_key vbutil_keyblock show muggle buggle boo exit 0 diff --git a/tests/futility/test_rwsig.sh b/tests/futility/test_rwsig.sh index 2bd70ce5..3a0a6e39 100755 --- a/tests/futility/test_rwsig.sh +++ b/tests/futility/test_rwsig.sh @@ -10,7 +10,7 @@ TMP="$me.tmp" cd "$OUTDIR" DATADIR="${SCRIPT_DIR}/futility/data" -TESTKEYS=${SRCDIR}/tests/testkeys +TESTKEYS="${SRCDIR}/tests/testkeys" SIGS="1024 2048 2048_exp3 3072_exp3 4096 8192" HASHES="SHA1 SHA256 SHA512" @@ -18,13 +18,13 @@ EC_RW="EC_RW.bin" set -o pipefail -infile=${DATADIR}/hammer_dev.bin -outfile=${TMP}.hammer_dev.bin -cp ${infile} ${outfile} +infile="${DATADIR}/hammer_dev.bin" +outfile="${TMP}.hammer_dev.bin" +cp "${infile}" "${outfile}" # Signing without private key should extract EC_RW.bin -${FUTILITY} sign --type rwsig --version 2 ${outfile} -cmp ${infile} ${outfile} -cmp ${EC_RW} ${DATADIR}/${EC_RW} +"${FUTILITY}" sign --type rwsig --version 2 "${outfile}" +cmp "${infile}" "${outfile}" +cmp "${EC_RW}" "${DATADIR}/${EC_RW}" for s in $SIGS; do echo -n "$s " 1>&3 @@ -34,31 +34,32 @@ for s in $SIGS; do outkeys=${TMP}.${s}_${h} outfile=${TMP}.${s}_${h}.bin - ${FUTILITY} create --desc "Test key" --hash_alg ${h} \ - ${pemfile} ${outkeys} + "${FUTILITY}" create --desc "Test key" --hash_alg "${h}" \ + "${pemfile}" "${outkeys}" # The input file should be correctly signed to start with - ${FUTILITY} show --type rwsig ${infile} + "${FUTILITY}" show --type rwsig "${infile}" # Using the wrong key to verify it should fail - if ${FUTILITY} show --type rwsig --pubkey ${outkeys}.vbpubk2 \ - ${infile}; then + if "${FUTILITY}" show --type rwsig --pubkey "${outkeys}.vbpubk2" \ + "${infile}"; then exit 1 fi - cp ${infile} ${outfile} + cp "${infile}" "${outfile}" # Sign ec.bin with a new private key - ${FUTILITY} sign --type rwsig --prikey ${outkeys}.vbprik2 \ - --version 2 ${outfile} + "${FUTILITY}" sign --type rwsig --prikey "${outkeys}.vbprik2" \ + --version 2 "${outfile}" # Check EC_RW.bin is produced - [[ -e ${EC_RW} ]] + [[ -e "${EC_RW}" ]] - ${FUTILITY} show --type rwsig --pubkey ${outkeys}.vbpubk2 ${outfile} - ${FUTILITY} show --type rwsig ${outfile} + "${FUTILITY}" show --type rwsig --pubkey "${outkeys}.vbpubk2" \ + "${outfile}" + "${FUTILITY}" show --type rwsig "${outfile}" done done # cleanup -rm -rf ${TMP}* +rm -rf "${TMP}"* exit 0 diff --git a/tests/futility/test_show_contents.sh b/tests/futility/test_show_contents.sh index fddebe81..9b3431d2 100755 --- a/tests/futility/test_show_contents.sh +++ b/tests/futility/test_show_contents.sh @@ -28,7 +28,7 @@ for file in $SHOW_FILES; do outfile="show.${file//\//_}" gotfile="${OUTDIR}/${outfile}" wantfile="${SRCDIR}/tests/futility/expect_output/${outfile}" - ( cd "${SRCDIR}" && ${FUTILITY} show "${file}" ) | tee "${gotfile}" + ( cd "${SRCDIR}" && "${FUTILITY}" show "${file}" ) | tee "${gotfile}" # Uncomment this to update the expected output #cp "${gotfile}" "${wantfile}" @@ -47,7 +47,7 @@ for file in $VBUTIL_KEY_FILES; do outfile="vbutil_key.${file//\//_}" gotfile="${OUTDIR}/${outfile}" wantfile="${SRCDIR}/tests/futility/expect_output/${outfile}" - ( cd "${SRCDIR}" && ${FUTILITY} vbutil_key --unpack "${file}" ) \ + ( cd "${SRCDIR}" && "${FUTILITY}" vbutil_key --unpack "${file}" ) \ | tee "${gotfile}" # Uncomment this to update the expected output @@ -62,7 +62,7 @@ file="tests/devkeys/kernel.keyblock" outfile="vbutil_keyblock.${file//\//_}" gotfile="${OUTDIR}/${outfile}" wantfile="${SRCDIR}/tests/futility/expect_output/${outfile}" -( cd "${SRCDIR}" && ${FUTILITY} vbutil_keyblock --unpack "${file}" \ +( cd "${SRCDIR}" && "${FUTILITY}" vbutil_keyblock --unpack "${file}" \ --signpubkey "tests/devkeys/kernel_subkey.vbpubk" ) \ | tee "${gotfile}" @@ -82,7 +82,7 @@ wantfile="${SRCDIR}/tests/futility/expect_output/${outfile}" # arbitrary non-zero numbers so we can verify they're printed # properly. dd bs=1024 count=16 if=/dev/urandom of="${TMP}.fw_main" -${FUTILITY} vbutil_firmware --vblock "${TMP}.vblock.old" \ +"${FUTILITY}" vbutil_firmware --vblock "${TMP}.vblock.old" \ --keyblock "${KEYDIR}/firmware.keyblock" \ --signprivate "${KEYDIR}/firmware_data_key.vbprivk" \ --version 12 \ @@ -91,7 +91,7 @@ ${FUTILITY} vbutil_firmware --vblock "${TMP}.vblock.old" \ --flags 42 # Verify -${FUTILITY} vbutil_firmware --verify "${TMP}.vblock.old" \ +"${FUTILITY}" vbutil_firmware --verify "${TMP}.vblock.old" \ --signpubkey "${KEYDIR}/root_key.vbpubk" \ --fv "${TMP}.fw_main" | tee "${gotfile}" @@ -102,5 +102,5 @@ diff "${wantfile}" "${gotfile}" # cleanup -rm -rf "${TMP}*" +rm -rf "${TMP}"* exit 0 diff --git a/tests/futility/test_show_kernel.sh b/tests/futility/test_show_kernel.sh index 151cf463..f2610a39 100755 --- a/tests/futility/test_show_kernel.sh +++ b/tests/futility/test_show_kernel.sh @@ -9,52 +9,52 @@ TMP="$me.tmp" # Work in scratch directory cd "$OUTDIR" -DEVKEYS=${SRCDIR}/tests/devkeys -TESTKEYS=${SRCDIR}/tests/testkeys +DEVKEYS="${SRCDIR}/tests/devkeys" +TESTKEYS="${SRCDIR}/tests/testkeys" echo 'Creating test kernel' # Dummy kernel data -echo "hi there" > ${TMP}.config.txt -dd if=/dev/urandom bs=16384 count=1 of=${TMP}.bootloader.bin -dd if=/dev/urandom bs=32768 count=1 of=${TMP}.kernel.bin +echo "hi there" > "${TMP}.config.txt" +dd if=/dev/urandom bs=16384 count=1 of="${TMP}.bootloader.bin" +dd if=/dev/urandom bs=32768 count=1 of="${TMP}.kernel.bin" # Pack kernel data key using original vboot utilities. -${FUTILITY} vbutil_key --pack ${TMP}.datakey.test \ - --key ${TESTKEYS}/key_rsa2048.keyb --algorithm 4 +"${FUTILITY}" vbutil_key --pack "${TMP}.datakey.test" \ + --key "${TESTKEYS}/key_rsa2048.keyb" --algorithm 4 # Keyblock with kernel data key is signed by kernel subkey # Flags=5 means dev=0 rec=0 -${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock.test \ - --datapubkey ${TMP}.datakey.test \ +"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock.test" \ + --datapubkey "${TMP}.datakey.test" \ --flags 5 \ - --signprivate ${DEVKEYS}/kernel_subkey.vbprivk + --signprivate "${DEVKEYS}/kernel_subkey.vbprivk" # Kernel preamble is signed with the kernel data key -${FUTILITY} vbutil_kernel \ - --pack ${TMP}.kernel.test \ - --keyblock ${TMP}.keyblock.test \ - --signprivate ${TESTKEYS}/key_rsa2048.sha256.vbprivk \ +"${FUTILITY}" vbutil_kernel \ + --pack "${TMP}.kernel.test" \ + --keyblock "${TMP}.keyblock.test" \ + --signprivate "${TESTKEYS}/key_rsa2048.sha256.vbprivk" \ --version 1 \ --arch arm \ - --vmlinuz ${TMP}.kernel.bin \ - --bootloader ${TMP}.bootloader.bin \ - --config ${TMP}.config.txt + --vmlinuz "${TMP}.kernel.bin" \ + --bootloader "${TMP}.bootloader.bin" \ + --config "${TMP}.config.txt" echo 'Verifying test kernel' # Verify the kernel -${FUTILITY} show ${TMP}.kernel.test \ - --publickey ${DEVKEYS}/kernel_subkey.vbpubk \ - | egrep 'Signature.*valid' +"${FUTILITY}" show "${TMP}.kernel.test" \ + --publickey "${DEVKEYS}/kernel_subkey.vbpubk" \ + | grep -E 'Signature.*valid' echo 'Test kernel blob looks good' # Mess up the padding, make sure it fails. rc=0 -${FUTILITY} show ${TMP}.kernel.test \ +"${FUTILITY}" show "${TMP}.kernel.test" \ --pad 0x100 \ - --publickey ${DEVKEYS}/kernel_subkey.vbpubk \ + --publickey "${DEVKEYS}/kernel_subkey.vbpubk" \ || rc=$? [ $rc -ne 0 ] [ $rc -lt 128 ] @@ -63,9 +63,9 @@ echo 'Invalid args are invalid' # Look waaaaaay off the end of the file, make sure it fails. rc=0 -${FUTILITY} show ${TMP}.kernel.test \ +"${FUTILITY}" show "${TMP}.kernel.test" \ --pad 0x100000 \ - --publickey ${DEVKEYS}/kernel_subkey.vbpubk \ + --publickey "${DEVKEYS}/kernel_subkey.vbpubk" \ || rc=$? [ $rc -ne 0 ] [ $rc -lt 128 ] @@ -73,5 +73,5 @@ ${FUTILITY} show ${TMP}.kernel.test \ echo 'Really invalid args are still invalid' # cleanup -rm -rf ${TMP}* +rm -rf "${TMP}"* exit 0 diff --git a/tests/futility/test_show_usbpd1.sh b/tests/futility/test_show_usbpd1.sh index b5553aae..3998fa77 100755 --- a/tests/futility/test_show_usbpd1.sh +++ b/tests/futility/test_show_usbpd1.sh @@ -24,23 +24,24 @@ for s in $SIGS; do for test in $TESTS; do - infile=${DATADIR}/${test}.unsigned + infile="${DATADIR}/${test}.unsigned" for h in $HASHES; do - pemfile=${TESTKEYS}/key_rsa${s}.pem - outfile=${TMP}.${test}_${s}_${h}.new + pemfile="${TESTKEYS}/key_rsa${s}.pem" + outfile="${TMP}.${test}_${s}_${h}.new" # sign it - ${FUTILITY} sign --type usbpd1 --pem ${pemfile} ${infile} ${outfile} + "${FUTILITY}" sign --type usbpd1 --pem "${pemfile}" "${infile}" \ + "${outfile}" # make sure it identifies correctly - ${FUTILITY} verify ${outfile} + "${FUTILITY}" verify "${outfile}" done done done # cleanup -rm -rf ${TMP}* +rm -rf "${TMP}"* exit 0 diff --git a/tests/futility/test_show_vs_verify.sh b/tests/futility/test_show_vs_verify.sh index 4981a38d..c0c0872c 100755 --- a/tests/futility/test_show_vs_verify.sh +++ b/tests/futility/test_show_vs_verify.sh @@ -10,67 +10,67 @@ TMP="$me.tmp" cd "$OUTDIR" # some stuff we'll need -DEVKEYS=${SRCDIR}/tests/devkeys +DEVKEYS="${SRCDIR}/tests/devkeys" # The show command exits with 0 if the data is consistent. # The verify command exits with 0 only if all the data is verified. #### keyblock -${FUTILITY} show ${DEVKEYS}/firmware.keyblock +"${FUTILITY}" show "${DEVKEYS}/firmware.keyblock" -if ${FUTILITY} verify ${DEVKEYS}/firmware.keyblock ; then false; fi +if "${FUTILITY}" verify "${DEVKEYS}/firmware.keyblock" ; then false; fi -${FUTILITY} verify ${DEVKEYS}/firmware.keyblock \ - --publickey ${DEVKEYS}/root_key.vbpubk +"${FUTILITY}" verify "${DEVKEYS}/firmware.keyblock" \ + --publickey "${DEVKEYS}/root_key.vbpubk" #### firmware vblock # Get some bits to look at -${FUTILITY} dump_fmap -x ${SCRIPT_DIR}/futility/data/bios_peppy_mp.bin \ - GBB:${TMP}.gbb VBLOCK_A:${TMP}.vblock_a FW_MAIN_A:${TMP}.fw_main_a -${FUTILITY} gbb -g -k ${TMP}.rootkey ${TMP}.gbb +"${FUTILITY}" dump_fmap -x "${SCRIPT_DIR}/futility/data/bios_peppy_mp.bin" \ + "GBB:${TMP}.gbb" "VBLOCK_A:${TMP}.vblock_a" "FW_MAIN_A:${TMP}.fw_main_a" +"${FUTILITY}" gbb -g -k "${TMP}.rootkey" "${TMP}.gbb" -${FUTILITY} show ${TMP}.vblock_a +"${FUTILITY}" show "${TMP}.vblock_a" -${FUTILITY} show ${TMP}.vblock_a --publickey ${TMP}.rootkey +"${FUTILITY}" show "${TMP}.vblock_a" --publickey "${TMP}.rootkey" -${FUTILITY} show ${TMP}.vblock_a \ - --publickey ${TMP}.rootkey \ - --fv ${TMP}.fw_main_a +"${FUTILITY}" show "${TMP}.vblock_a" \ + --publickey "${TMP}.rootkey" \ + --fv "${TMP}.fw_main_a" -if ${FUTILITY} verify ${TMP}.vblock_a ; then false ; fi +if "${FUTILITY}" verify "${TMP}.vblock_a" ; then false ; fi -if ${FUTILITY} verify ${TMP}.vblock_a \ - --publickey ${TMP}.rootkey ; then false ; fi +if "${FUTILITY}" verify "${TMP}.vblock_a" \ + --publickey "${TMP}.rootkey" ; then false ; fi -${FUTILITY} verify ${TMP}.vblock_a \ - --publickey ${TMP}.rootkey \ - --fv ${TMP}.fw_main_a +"${FUTILITY}" verify "${TMP}.vblock_a" \ + --publickey "${TMP}.rootkey" \ + --fv "${TMP}.fw_main_a" #### kernel partition -${FUTILITY} show ${SCRIPT_DIR}/futility/data/rec_kernel_part.bin +"${FUTILITY}" show "${SCRIPT_DIR}/futility/data/rec_kernel_part.bin" -${FUTILITY} show ${SCRIPT_DIR}/futility/data/rec_kernel_part.bin \ - --publickey ${DEVKEYS}/kernel_subkey.vbpubk +"${FUTILITY}" show "${SCRIPT_DIR}/futility/data/rec_kernel_part.bin" \ + --publickey "${DEVKEYS}/kernel_subkey.vbpubk" -${FUTILITY} show ${SCRIPT_DIR}/futility/data/rec_kernel_part.bin \ - --publickey ${DEVKEYS}/recovery_key.vbpubk +"${FUTILITY}" show "${SCRIPT_DIR}/futility/data/rec_kernel_part.bin" \ + --publickey "${DEVKEYS}/recovery_key.vbpubk" -if ${FUTILITY} verify ${SCRIPT_DIR}/futility/data/rec_kernel_part.bin ; \ +if "${FUTILITY}" verify "${SCRIPT_DIR}/futility/data/rec_kernel_part.bin" ; \ then false ; fi -if ${FUTILITY} verify ${SCRIPT_DIR}/futility/data/rec_kernel_part.bin \ - --publickey ${DEVKEYS}/kernel_subkey.vbpubk ; then false ; fi +if "${FUTILITY}" verify "${SCRIPT_DIR}/futility/data/rec_kernel_part.bin" \ + --publickey "${DEVKEYS}/kernel_subkey.vbpubk" ; then false ; fi -${FUTILITY} verify ${SCRIPT_DIR}/futility/data/rec_kernel_part.bin \ - --publickey ${DEVKEYS}/recovery_key.vbpubk +"${FUTILITY}" verify "${SCRIPT_DIR}/futility/data/rec_kernel_part.bin" \ + --publickey "${DEVKEYS}/recovery_key.vbpubk" # cleanup -rm -rf ${TMP}* +rm -rf "${TMP}"* exit 0 diff --git a/tests/futility/test_sign_firmware.sh b/tests/futility/test_sign_firmware.sh index 04eb385f..587eed9f 100755 --- a/tests/futility/test_sign_firmware.sh +++ b/tests/futility/test_sign_firmware.sh @@ -3,13 +3,13 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -me=${0##*/} -TMP="$me.tmp" +me="${0##*/}" +TMP="${me}.tmp" # Work in scratch directory cd "$OUTDIR" -KEYDIR=${SRCDIR}/tests/devkeys +KEYDIR="${SRCDIR}/tests/devkeys" # The input BIOS images are all signed with MP keys. We resign them with dev # keys, which means we can precalculate the expected results. Note that the @@ -22,10 +22,10 @@ ${SCRIPT_DIR}/futility/data/bios_peppy_mp.bin # We also want to test that we can sign an image without any valid firmware # preambles. That one won't be able to tell how much of the FW_MAIN region is # the valid firmware, so it'll have to sign the entire region. -GOOD_VBLOCKS=${SCRIPT_DIR}/futility/data/bios_peppy_mp.bin +GOOD_VBLOCKS="${SCRIPT_DIR}/futility/data/bios_peppy_mp.bin" ONEMORE=bios_peppy_mp_no_vblock.bin -cp ${GOOD_VBLOCKS} ${ONEMORE} -${FUTILITY} load_fmap ${ONEMORE} VBLOCK_A:/dev/urandom VBLOCK_B:/dev/zero +cp "${GOOD_VBLOCKS}" "${ONEMORE}" +"${FUTILITY}" load_fmap "${ONEMORE}" VBLOCK_A:/dev/urandom VBLOCK_B:/dev/zero INFILES="${INFILES} ${ONEMORE}" set -o pipefail @@ -36,13 +36,13 @@ for infile in $INFILES; do base=${infile##*/} : $(( count++ )) - echo -n "$count " 1>&3 + echo -n "${count} " 1>&3 - outfile=${TMP}.${base}.new + outfile="${TMP}.${base}.new" loemid="loem" - loemdir=${TMP}.${base}_dir + loemdir="${TMP}.${base}_dir" - mkdir -p ${loemdir} + mkdir -p "${loemdir}" # resign_firmwarefd.sh works on BIOS image files. The args are: # @@ -71,102 +71,103 @@ for infile in $INFILES; do #OLD ${loemdir} \ #OLD ${loemid} - ${FUTILITY} sign \ - -s ${KEYDIR}/firmware_data_key.vbprivk \ - -b ${KEYDIR}/firmware.keyblock \ - -k ${KEYDIR}/kernel_subkey.vbpubk \ + "${FUTILITY}" sign \ + -s "${KEYDIR}/firmware_data_key.vbprivk" \ + -b "${KEYDIR}/firmware.keyblock" \ + -k "${KEYDIR}/kernel_subkey.vbpubk" \ -v 14 \ -f 8 \ - -d ${loemdir} \ - -l ${loemid} \ - ${infile} ${outfile} + -d "${loemdir}" \ + -l "${loemid}" \ + "${infile}" "${outfile}" # check the firmware version and preamble flags - m=$(${FUTILITY} verify --publickey ${KEYDIR}/root_key.vbpubk ${outfile} \ - | egrep 'Firmware version: +14$|Preamble flags: +8$' | wc -l) - [ "$m" = "4" ] + m=$("${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" \ + "${outfile}" | grep -c -E 'Firmware version: +14$|Preamble flags: +8$') + [ "${m}" = "4" ] # check the sha1sums - ${FUTILITY} verify --publickey ${KEYDIR}/root_key.vbpubk ${outfile} \ + "${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" "${outfile}" \ | grep sha1sum \ - | sed -e 's/.*: \+//' > ${TMP}.${base}.sha.new - cmp ${SCRIPT_DIR}/futility/data_${base}_expect.txt ${TMP}.${base}.sha.new + | sed -e 's/.*: \+//' > "${TMP}.${base}.sha.new" + cmp "${SCRIPT_DIR}/futility/data_${base}_expect.txt" "${TMP}.${base}.sha.new" # and the LOEM stuff - ${FUTILITY} dump_fmap -x ${outfile} \ - FW_MAIN_A:${loemdir}/fw_main_A FW_MAIN_B:${loemdir}/fw_main_B \ - "Firmware A Data":${loemdir}/fw_main_A \ - "Firmware B Data":${loemdir}/fw_main_B + "${FUTILITY}" dump_fmap -x "${outfile}" \ + "FW_MAIN_A:${loemdir}/fw_main_A" "FW_MAIN_B:${loemdir}/fw_main_B" \ + "Firmware A Data:${loemdir}/fw_main_A" \ + "Firmware B Data:${loemdir}/fw_main_B" - ${FUTILITY} verify --publickey ${KEYDIR}/root_key.vbpubk \ - --fv ${loemdir}/fw_main_A \ - ${loemdir}/vblock_A.${loemid} | grep sha1sum \ - | sed -e 's/.*: \+//' > ${loemdir}/loem.sha.new - ${FUTILITY} verify --publickey ${KEYDIR}/root_key.vbpubk \ - --fv ${loemdir}/fw_main_B \ - ${loemdir}/vblock_B.${loemid} | grep sha1sum \ - | sed -e 's/.*: \+//' >> ${loemdir}/loem.sha.new + "${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" \ + --fv "${loemdir}/fw_main_A" \ + "${loemdir}/vblock_A.${loemid}" | grep sha1sum \ + | sed -e 's/.*: \+//' > "${loemdir}/loem.sha.new" + "${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" \ + --fv "${loemdir}/fw_main_B" \ + "${loemdir}/vblock_B.${loemid}" | grep sha1sum \ + | sed -e 's/.*: \+//' >> "${loemdir}/loem.sha.new" # the vblocks don't have root or recovery keys - tail -4 ${SCRIPT_DIR}/futility/data_${base}_expect.txt > ${loemdir}/sha.expect - cmp ${loemdir}/sha.expect ${loemdir}/loem.sha.new + tail -4 "${SCRIPT_DIR}/futility/data_${base}_expect.txt" \ + > "${loemdir}/sha.expect" + cmp "${loemdir}/sha.expect" "${loemdir}/loem.sha.new" done # Make sure that the BIOS with the good vblocks signed the right size. -GOOD_OUT=${TMP}.${GOOD_VBLOCKS##*/}.new -MORE_OUT=${TMP}.${ONEMORE##*/}.new +GOOD_OUT="${TMP}.${GOOD_VBLOCKS##*/}.new" +MORE_OUT="${TMP}.${ONEMORE##*/}.new" -${FUTILITY} verify --publickey ${KEYDIR}/root_key.vbpubk ${GOOD_OUT} \ - | awk '/Firmware body size:/ {print $4}' > ${TMP}.good.body -${FUTILITY} dump_fmap -p ${GOOD_OUT} \ - | awk '/FW_MAIN_/ {print $3}' > ${TMP}.good.fw_main +"${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" "${GOOD_OUT}" \ + | awk '/Firmware body size:/ {print $4}' > "${TMP}.good.body" +"${FUTILITY}" dump_fmap -p "${GOOD_OUT}" \ + | awk '/FW_MAIN_/ {print $3}' > "${TMP}.good.fw_main" # This should fail because they're different -if cmp ${TMP}.good.body ${TMP}.good.fw_main; then false; fi +if cmp "${TMP}.good.body" "${TMP}.good.fw_main"; then false; fi # Make sure that the BIOS with the bad vblocks signed the whole fw body -${FUTILITY} verify --publickey ${KEYDIR}/root_key.vbpubk ${MORE_OUT} \ - | awk '/Firmware body size:/ {print $4}' > ${TMP}.onemore.body -${FUTILITY} dump_fmap -p ${MORE_OUT} \ - | awk '/FW_MAIN_/ {print $3}' > ${TMP}.onemore.fw_main +"${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" "${MORE_OUT}" \ + | awk '/Firmware body size:/ {print $4}' > "${TMP}.onemore.body" +"${FUTILITY}" dump_fmap -p "${MORE_OUT}" \ + | awk '/FW_MAIN_/ {print $3}' > "${TMP}.onemore.fw_main" # These should match -cmp ${TMP}.onemore.body ${TMP}.onemore.fw_main -cmp ${TMP}.onemore.body ${TMP}.good.fw_main +cmp "${TMP}.onemore.body" "${TMP}.onemore.fw_main" +cmp "${TMP}.onemore.body" "${TMP}.good.fw_main" # Sign the last one again but don't specify the version or the preamble flags. # The version should default to 1, but the preamble flags should be preserved. : $(( count++ )) -echo -n "$count " 1>&3 +echo -n "${count} " 1>&3 -${FUTILITY} sign \ - -s ${KEYDIR}/firmware_data_key.vbprivk \ - -b ${KEYDIR}/firmware.keyblock \ - -k ${KEYDIR}/kernel_subkey.vbpubk \ - ${MORE_OUT} ${MORE_OUT}.2 +"${FUTILITY}" sign \ + -s "${KEYDIR}/firmware_data_key.vbprivk" \ + -b "${KEYDIR}/firmware.keyblock" \ + -k "${KEYDIR}/kernel_subkey.vbpubk" \ + "${MORE_OUT}" "${MORE_OUT}.2" -m=$(${FUTILITY} verify --publickey ${KEYDIR}/root_key.vbpubk ${MORE_OUT}.2 \ - | egrep 'Firmware version: +1$|Preamble flags: +8$' | wc -l) -[ "$m" = "4" ] +m=$("${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" \ + "${MORE_OUT}.2" | grep -c -E 'Firmware version: +1$|Preamble flags: +8$') +[ "${m}" = "4" ] # If the original preamble is not present, the preamble flags should be zero. : $(( count++ )) -echo -n "$count " 1>&3 +echo -n "${count} " 1>&3 -${FUTILITY} load_fmap ${MORE_OUT} VBLOCK_A:/dev/urandom VBLOCK_B:/dev/zero -${FUTILITY} sign \ - -s ${KEYDIR}/firmware_data_key.vbprivk \ - -b ${KEYDIR}/firmware.keyblock \ - -k ${KEYDIR}/kernel_subkey.vbpubk \ - ${MORE_OUT} ${MORE_OUT}.3 +"${FUTILITY}" load_fmap "${MORE_OUT}" VBLOCK_A:/dev/urandom VBLOCK_B:/dev/zero +"${FUTILITY}" sign \ + -s "${KEYDIR}/firmware_data_key.vbprivk" \ + -b "${KEYDIR}/firmware.keyblock" \ + -k "${KEYDIR}/kernel_subkey.vbpubk" \ + "${MORE_OUT}" "${MORE_OUT}.3" -m=$(${FUTILITY} verify --publickey ${KEYDIR}/root_key.vbpubk ${MORE_OUT}.3 \ - | egrep 'Firmware version: +1$|Preamble flags: +0$' | wc -l) -[ "$m" = "4" ] +m=$("${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" \ + "${MORE_OUT}.3" | grep -c -E 'Firmware version: +1$|Preamble flags: +0$') +[ "${m}" = "4" ] # cleanup -rm -rf ${TMP}* ${ONEMORE} +rm -rf "${TMP}"* "${ONEMORE}" exit 0 diff --git a/tests/futility/test_sign_fw_main.sh b/tests/futility/test_sign_fw_main.sh index face8016..6ab2083b 100755 --- a/tests/futility/test_sign_fw_main.sh +++ b/tests/futility/test_sign_fw_main.sh @@ -9,38 +9,38 @@ TMP="$me.tmp" # Work in scratch directory cd "$OUTDIR" -KEYDIR=${SRCDIR}/tests/devkeys +KEYDIR="${SRCDIR}/tests/devkeys" # create a firmware blob -dd bs=1024 count=16 if=/dev/urandom of=${TMP}.fw_main +dd bs=1024 count=16 if=/dev/urandom of="${TMP}.fw_main" # try the old way -${FUTILITY} vbutil_firmware --vblock ${TMP}.vblock.old \ - --keyblock ${KEYDIR}/firmware.keyblock \ - --signprivate ${KEYDIR}/firmware_data_key.vbprivk \ +"${FUTILITY}" vbutil_firmware --vblock "${TMP}.vblock.old" \ + --keyblock "${KEYDIR}/firmware.keyblock" \ + --signprivate "${KEYDIR}/firmware_data_key.vbprivk" \ --version 12 \ - --fv ${TMP}.fw_main \ - --kernelkey ${KEYDIR}/kernel_subkey.vbpubk \ + --fv "${TMP}.fw_main" \ + --kernelkey "${KEYDIR}/kernel_subkey.vbpubk" \ --flags 42 # verify -${FUTILITY} vbutil_firmware --verify ${TMP}.vblock.old \ - --signpubkey ${KEYDIR}/root_key.vbpubk \ - --fv ${TMP}.fw_main +"${FUTILITY}" vbutil_firmware --verify "${TMP}.vblock.old" \ + --signpubkey "${KEYDIR}/root_key.vbpubk" \ + --fv "${TMP}.fw_main" # and the new way -${FUTILITY} --debug sign \ - --signprivate ${KEYDIR}/firmware_data_key.vbprivk \ - --keyblock ${KEYDIR}/firmware.keyblock \ - --kernelkey ${KEYDIR}/kernel_subkey.vbpubk \ +"${FUTILITY}" --debug sign \ + --signprivate "${KEYDIR}/firmware_data_key.vbprivk" \ + --keyblock "${KEYDIR}/firmware.keyblock" \ + --kernelkey "${KEYDIR}/kernel_subkey.vbpubk" \ --version 12 \ - --fv ${TMP}.fw_main \ + --fv "${TMP}.fw_main" \ --flags 42 \ - ${TMP}.vblock.new + "${TMP}.vblock.new" # They should match -cmp ${TMP}.vblock.old ${TMP}.vblock.new +cmp "${TMP}.vblock.old" "${TMP}.vblock.new" # cleanup -rm -rf ${TMP}* +rm -rf "${TMP}"* exit 0 diff --git a/tests/futility/test_sign_kernel.sh b/tests/futility/test_sign_kernel.sh index d2527453..61b1c5aa 100755 --- a/tests/futility/test_sign_kernel.sh +++ b/tests/futility/test_sign_kernel.sh @@ -11,11 +11,11 @@ cd "$OUTDIR" DEVKEYS=${SRCDIR}/tests/devkeys -echo "hi there" > ${TMP}.config.txt -echo "hello boys" > ${TMP}.config2.txt -dd if=/dev/urandom bs=512 count=1 of=${TMP}.bootloader.bin -dd if=/dev/urandom bs=512 count=1 of=${TMP}.bootloader2.bin -dd if=/dev/urandom bs=1M count=16 of=${TMP}.kern_partition +echo "hi there" > "${TMP}.config.txt" +echo "hello boys" > "${TMP}.config2.txt" +dd if=/dev/urandom bs=512 count=1 of="${TMP}.bootloader.bin" +dd if=/dev/urandom bs=512 count=1 of="${TMP}.bootloader2.bin" +dd if=/dev/urandom bs=1M count=16 of="${TMP}.kern_partition" # default padding padding=49152 @@ -26,273 +26,279 @@ try_arch () { echo -n "${arch}: 1 " 1>&3 # pack it up the old way - ${FUTILITY} --debug vbutil_kernel \ - --pack ${TMP}.blob1.${arch} \ - --keyblock ${DEVKEYS}/recovery_kernel.keyblock \ - --signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \ + "${FUTILITY}" --debug vbutil_kernel \ + --pack "${TMP}.blob1.${arch}" \ + --keyblock "${DEVKEYS}/recovery_kernel.keyblock" \ + --signprivate "${DEVKEYS}/recovery_kernel_data_key.vbprivk" \ --version 1 \ - --config ${TMP}.config.txt \ - --bootloader ${TMP}.bootloader.bin \ - --vmlinuz ${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin \ - --arch ${arch} \ - --pad ${padding} \ + --config "${TMP}.config.txt" \ + --bootloader "${TMP}.bootloader.bin" \ + --vmlinuz "${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin" \ + --arch "${arch}" \ + --pad "${padding}" \ --kloadaddr 0x11000 # verify the old way - ${FUTILITY} vbutil_kernel --verify ${TMP}.blob1.${arch} \ - --pad ${padding} \ - --signpubkey ${DEVKEYS}/recovery_key.vbpubk > ${TMP}.verify1 + "${FUTILITY}" vbutil_kernel --verify "${TMP}.blob1.${arch}" \ + --pad "${padding}" \ + --signpubkey "${DEVKEYS}/recovery_key.vbpubk" > "${TMP}.verify1" # pack it up the new way - ${FUTILITY} --debug sign \ - --keyblock ${DEVKEYS}/recovery_kernel.keyblock \ - --signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \ + "${FUTILITY}" --debug sign \ + --keyblock "${DEVKEYS}/recovery_kernel.keyblock" \ + --signprivate "${DEVKEYS}/recovery_kernel_data_key.vbprivk" \ --version 1 \ - --config ${TMP}.config.txt \ - --bootloader ${TMP}.bootloader.bin \ - --vmlinuz ${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin \ - --arch ${arch} \ - --pad ${padding} \ + --config "${TMP}.config.txt" \ + --bootloader "${TMP}.bootloader.bin" \ + --vmlinuz "${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin" \ + --arch "${arch}" \ + --pad "${padding}" \ --kloadaddr 0x11000 \ - --outfile ${TMP}.blob2.${arch} + --outfile "${TMP}.blob2.${arch}" - ${FUTILITY} vbutil_kernel --verify ${TMP}.blob2.${arch} \ - --pad ${padding} \ - --signpubkey ${DEVKEYS}/recovery_key.vbpubk > ${TMP}.verify2 + "${FUTILITY}" vbutil_kernel --verify "${TMP}.blob2.${arch}" \ + --pad "${padding}" \ + --signpubkey "${DEVKEYS}/recovery_key.vbpubk" > "${TMP}.verify2" # they should be identical - cmp ${TMP}.blob1.${arch} ${TMP}.blob2.${arch} - diff ${TMP}.verify1 ${TMP}.verify2 + cmp "${TMP}.blob1.${arch}" "${TMP}.blob2.${arch}" + diff "${TMP}.verify1" "${TMP}.verify2" echo -n "2 " 1>&3 # repack it the old way - ${FUTILITY} --debug vbutil_kernel \ - --repack ${TMP}.blob3.${arch} \ - --oldblob ${TMP}.blob1.${arch} \ - --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ - --keyblock ${DEVKEYS}/kernel.keyblock \ + "${FUTILITY}" --debug vbutil_kernel \ + --repack "${TMP}.blob3.${arch}" \ + --oldblob "${TMP}.blob1.${arch}" \ + --signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \ + --keyblock "${DEVKEYS}/kernel.keyblock" \ --version 2 \ - --pad ${padding} \ - --config ${TMP}.config2.txt \ - --bootloader ${TMP}.bootloader2.bin + --pad "${padding}" \ + --config "${TMP}.config2.txt" \ + --bootloader "${TMP}.bootloader2.bin" # verify the old way - ${FUTILITY} vbutil_kernel --verify ${TMP}.blob3.${arch} \ - --pad ${padding} \ - --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk > ${TMP}.verify3 + "${FUTILITY}" vbutil_kernel --verify "${TMP}.blob3.${arch}" \ + --pad "${padding}" \ + --signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify3" # repack it the new way - ${FUTILITY} --debug sign \ - --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ - --keyblock ${DEVKEYS}/kernel.keyblock \ + "${FUTILITY}" --debug sign \ + --signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \ + --keyblock "${DEVKEYS}/kernel.keyblock" \ --version 2 \ - --pad ${padding} \ - --config ${TMP}.config2.txt \ - --bootloader ${TMP}.bootloader2.bin \ - ${TMP}.blob2.${arch} \ - ${TMP}.blob4.${arch} + --pad "${padding}" \ + --config "${TMP}.config2.txt" \ + --bootloader "${TMP}.bootloader2.bin" \ + "${TMP}.blob2.${arch}" \ + "${TMP}.blob4.${arch}" - ${FUTILITY} vbutil_kernel --verify ${TMP}.blob4.${arch} \ - --pad ${padding} \ - --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk > ${TMP}.verify4 + "${FUTILITY}" vbutil_kernel --verify "${TMP}.blob4.${arch}" \ + --pad "${padding}" \ + --signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify4" # they should be identical - cmp ${TMP}.blob3.${arch} ${TMP}.blob4.${arch} - diff ${TMP}.verify3 ${TMP}.verify4 + cmp "${TMP}.blob3.${arch}" "${TMP}.blob4.${arch}" + diff "${TMP}.verify3" "${TMP}.verify4" echo -n "3 " 1>&3 # repack it the new way, in-place - cp ${TMP}.blob2.${arch} ${TMP}.blob5.${arch} - ${FUTILITY} --debug sign \ - --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ - --keyblock ${DEVKEYS}/kernel.keyblock \ + cp "${TMP}.blob2.${arch}" "${TMP}.blob5.${arch}" + "${FUTILITY}" --debug sign \ + --signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \ + --keyblock "${DEVKEYS}/kernel.keyblock" \ --version 2 \ - --pad ${padding} \ - --config ${TMP}.config2.txt \ - --bootloader ${TMP}.bootloader2.bin \ - ${TMP}.blob5.${arch} + --pad "${padding}" \ + --config "${TMP}.config2.txt" \ + --bootloader "${TMP}.bootloader2.bin" \ + "${TMP}.blob5.${arch}" - ${FUTILITY} vbutil_kernel --verify ${TMP}.blob5.${arch} \ - --pad ${padding} \ - --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk > ${TMP}.verify5 + "${FUTILITY}" vbutil_kernel --verify "${TMP}.blob5.${arch}" \ + --pad "${padding}" \ + --signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify5" # they should be identical - cmp ${TMP}.blob3.${arch} ${TMP}.blob5.${arch} - diff ${TMP}.verify3 ${TMP}.verify5 + cmp "${TMP}.blob3.${arch}" "${TMP}.blob5.${arch}" + diff "${TMP}.verify3" "${TMP}.verify5" # and now just the vblocks... echo -n "4 " 1>&3 # pack the old way - ${FUTILITY} vbutil_kernel \ - --pack ${TMP}.blob1.${arch}.vb1 \ + "${FUTILITY}" vbutil_kernel \ + --pack "${TMP}.blob1.${arch}.vb1" \ --vblockonly \ - --keyblock ${DEVKEYS}/recovery_kernel.keyblock \ - --signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \ + --keyblock "${DEVKEYS}/recovery_kernel.keyblock" \ + --signprivate "${DEVKEYS}/recovery_kernel_data_key.vbprivk" \ --version 1 \ - --config ${TMP}.config.txt \ - --bootloader ${TMP}.bootloader.bin \ - --vmlinuz ${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin \ - --arch ${arch} \ - --pad ${padding} \ + --config "${TMP}.config.txt" \ + --bootloader "${TMP}.bootloader.bin" \ + --vmlinuz "${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin" \ + --arch "${arch}" \ + --pad "${padding}" \ --kloadaddr 0x11000 # compare this new vblock with the one from the full pack - dd bs=${padding} count=1 if=${TMP}.blob1.${arch} of=${TMP}.blob1.${arch}.vb0 - cmp ${TMP}.blob1.${arch}.vb0 ${TMP}.blob1.${arch}.vb1 + dd bs="${padding}" count=1 if="${TMP}.blob1.${arch}" \ + of="${TMP}.blob1.${arch}.vb0" + cmp "${TMP}.blob1.${arch}.vb0" "${TMP}.blob1.${arch}.vb1" # pack the new way - ${FUTILITY} --debug sign \ - --keyblock ${DEVKEYS}/recovery_kernel.keyblock \ - --signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \ + "${FUTILITY}" --debug sign \ + --keyblock "${DEVKEYS}/recovery_kernel.keyblock" \ + --signprivate "${DEVKEYS}/recovery_kernel_data_key.vbprivk" \ --version 1 \ - --config ${TMP}.config.txt \ - --bootloader ${TMP}.bootloader.bin \ - --vmlinuz ${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin \ - --arch ${arch} \ - --pad ${padding} \ + --config "${TMP}.config.txt" \ + --bootloader "${TMP}.bootloader.bin" \ + --vmlinuz "${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin" \ + --arch "${arch}" \ + --pad "${padding}" \ --kloadaddr 0x11000 \ --vblockonly \ - ${TMP}.blob2.${arch}.vb1 + "${TMP}.blob2.${arch}.vb1" # compare this new vblock with the one from the full pack - dd bs=${padding} count=1 if=${TMP}.blob2.${arch} of=${TMP}.blob2.${arch}.vb0 - cmp ${TMP}.blob2.${arch}.vb0 ${TMP}.blob2.${arch}.vb1 + dd bs="${padding}" count=1 if="${TMP}.blob2.${arch}" \ + of="${TMP}.blob2.${arch}.vb0" + cmp "${TMP}.blob2.${arch}.vb0" "${TMP}.blob2.${arch}.vb1" echo -n "5 " 1>&3 # now repack the old way, again emitting just the vblock - ${FUTILITY} vbutil_kernel \ - --repack ${TMP}.blob3.${arch}.vb1 \ + "${FUTILITY}" vbutil_kernel \ + --repack "${TMP}.blob3.${arch}.vb1" \ --vblockonly \ - --oldblob ${TMP}.blob1.${arch} \ - --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ - --keyblock ${DEVKEYS}/kernel.keyblock \ + --oldblob "${TMP}.blob1.${arch}" \ + --signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \ + --keyblock "${DEVKEYS}/kernel.keyblock" \ --version 2 \ - --pad ${padding} \ - --config ${TMP}.config2.txt \ - --bootloader ${TMP}.bootloader2.bin + --pad "${padding}" \ + --config "${TMP}.config2.txt" \ + --bootloader "${TMP}.bootloader2.bin" # compare the full repacked vblock with the new repacked vblock - dd bs=${padding} count=1 if=${TMP}.blob3.${arch} of=${TMP}.blob3.${arch}.vb0 - cmp ${TMP}.blob3.${arch}.vb0 ${TMP}.blob3.${arch}.vb1 + dd bs="${padding}" count=1 if="${TMP}.blob3.${arch}" \ + of="${TMP}.blob3.${arch}.vb0" + cmp "${TMP}.blob3.${arch}.vb0" "${TMP}.blob3.${arch}.vb1" # extract just the kernel blob - dd bs=${padding} skip=1 if=${TMP}.blob3.${arch} of=${TMP}.blob3.${arch}.kb0 + dd bs="${padding}" skip=1 if="${TMP}.blob3.${arch}" \ + of="${TMP}.blob3.${arch}.kb0" # and verify it using the new vblock (no way to do that with vbutil_kernel) - ${FUTILITY} --debug verify \ - --pad ${padding} \ - --publickey ${DEVKEYS}/kernel_subkey.vbpubk \ - --fv ${TMP}.blob3.${arch}.kb0 \ - ${TMP}.blob3.${arch}.vb1 > ${TMP}.verify3v + "${FUTILITY}" --debug verify \ + --pad "${padding}" \ + --publickey "${DEVKEYS}/kernel_subkey.vbpubk" \ + --fv "${TMP}.blob3.${arch}.kb0" \ + "${TMP}.blob3.${arch}.vb1" > "${TMP}.verify3v" # repack the new way - ${FUTILITY} --debug sign \ - --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ - --keyblock ${DEVKEYS}/kernel.keyblock \ + "${FUTILITY}" --debug sign \ + --signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \ + --keyblock "${DEVKEYS}/kernel.keyblock" \ --version 2 \ - --config ${TMP}.config2.txt \ - --bootloader ${TMP}.bootloader2.bin \ - --pad ${padding} \ + --config "${TMP}.config2.txt" \ + --bootloader "${TMP}.bootloader2.bin" \ + --pad "${padding}" \ --vblockonly \ - ${TMP}.blob2.${arch} \ - ${TMP}.blob4.${arch}.vb1 \ + "${TMP}.blob2.${arch}" \ + "${TMP}.blob4.${arch}.vb1" \ # compare the full repacked vblock with the new repacked vblock - dd bs=${padding} count=1 if=${TMP}.blob4.${arch} of=${TMP}.blob4.${arch}.vb0 - cmp ${TMP}.blob4.${arch}.vb0 ${TMP}.blob4.${arch}.vb1 + dd bs="${padding}" count=1 if="${TMP}.blob4.${arch}" \ + of="${TMP}.blob4.${arch}.vb0" + cmp "${TMP}.blob4.${arch}.vb0" "${TMP}.blob4.${arch}.vb1" # extract just the kernel blob - dd bs=${padding} skip=1 if=${TMP}.blob4.${arch} of=${TMP}.blob4.${arch}.kb0 + dd bs="${padding}" skip=1 if="${TMP}.blob4.${arch}" \ + of="${TMP}.blob4.${arch}.kb0" # and verify it using the new vblock (no way to do that with vbutil_kernel) - ${FUTILITY} --debug verify \ - --pad ${padding} \ - --publickey ${DEVKEYS}/kernel_subkey.vbpubk \ - --fv ${TMP}.blob4.${arch}.kb0 \ - ${TMP}.blob4.${arch}.vb1 > ${TMP}.verify4v + "${FUTILITY}" --debug verify \ + --pad "${padding}" \ + --publickey "${DEVKEYS}/kernel_subkey.vbpubk" \ + --fv "${TMP}.blob4.${arch}.kb0" \ + "${TMP}.blob4.${arch}.vb1" > "${TMP}.verify4v" echo -n "6 " 1>&3 # Now lets repack some kernel partitions, not just blobs. - cp ${TMP}.kern_partition ${TMP}.part1.${arch} - dd if=${TMP}.blob1.${arch} of=${TMP}.part1.${arch} conv=notrunc + cp "${TMP}.kern_partition" "${TMP}.part1.${arch}" + dd if="${TMP}.blob1.${arch}" of="${TMP}.part1.${arch}" conv=notrunc # Make sure the partitions verify - ${FUTILITY} vbutil_kernel --verify ${TMP}.part1.${arch} \ - --pad ${padding} \ - --signpubkey ${DEVKEYS}/recovery_key.vbpubk > ${TMP}.verify6 + "${FUTILITY}" vbutil_kernel --verify "${TMP}.part1.${arch}" \ + --pad "${padding}" \ + --signpubkey "${DEVKEYS}/recovery_key.vbpubk" > "${TMP}.verify6" # The partition should verify the same way as the blob - diff ${TMP}.verify1 ${TMP}.verify6 + diff "${TMP}.verify1" "${TMP}.verify6" # repack it the old way - ${FUTILITY} --debug vbutil_kernel \ - --repack ${TMP}.part6.${arch} \ - --oldblob ${TMP}.part1.${arch} \ - --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ - --keyblock ${DEVKEYS}/kernel.keyblock \ + "${FUTILITY}" --debug vbutil_kernel \ + --repack "${TMP}.part6.${arch}" \ + --oldblob "${TMP}.part1.${arch}" \ + --signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \ + --keyblock "${DEVKEYS}/kernel.keyblock" \ --version 2 \ - --pad ${padding} \ - --config ${TMP}.config2.txt \ - --bootloader ${TMP}.bootloader2.bin + --pad "${padding}" \ + --config "${TMP}.config2.txt" \ + --bootloader "${TMP}.bootloader2.bin" # verify the old way - ${FUTILITY} vbutil_kernel --verify ${TMP}.part6.${arch} \ - --pad ${padding} \ - --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk > ${TMP}.verify6.old + "${FUTILITY}" vbutil_kernel --verify "${TMP}.part6.${arch}" \ + --pad "${padding}" \ + --signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify6.old" # this "partition" should actually be the same as the old-way blob - cmp ${TMP}.blob3.${arch} ${TMP}.part6.${arch} + cmp "${TMP}.blob3.${arch}" "${TMP}.part6.${arch}" # repack it the new way, in-place - cp ${TMP}.part1.${arch} ${TMP}.part6.${arch}.new1 - ${FUTILITY} --debug sign \ - --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ - --keyblock ${DEVKEYS}/kernel.keyblock \ + cp "${TMP}.part1.${arch}" "${TMP}.part6.${arch}.new1" + "${FUTILITY}" --debug sign \ + --signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \ + --keyblock "${DEVKEYS}/kernel.keyblock" \ --version 2 \ - --pad ${padding} \ - --config ${TMP}.config2.txt \ - --bootloader ${TMP}.bootloader2.bin \ - ${TMP}.part6.${arch}.new1 + --pad "${padding}" \ + --config "${TMP}.config2.txt" \ + --bootloader "${TMP}.bootloader2.bin" \ + "${TMP}.part6.${arch}.new1" - ${FUTILITY} vbutil_kernel --verify ${TMP}.part6.${arch}.new1 \ - --pad ${padding} \ - --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk > ${TMP}.verify6.new1 + "${FUTILITY}" vbutil_kernel --verify "${TMP}.part6.${arch}.new1" \ + --pad "${padding}" \ + --signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify6.new1" # The verification should be indentical - diff ${TMP}.verify6.old ${TMP}.verify6.new1 + diff "${TMP}.verify6.old" "${TMP}.verify6.new1" # But the content should only match up to the size of the kernel blob, since # we're modifying an entire partition in-place. - blobsize=$(stat -c '%s' ${TMP}.part6.${arch}) - cmp -n ${blobsize} ${TMP}.part6.${arch} ${TMP}.part6.${arch}.new1 + blobsize=$(stat -c '%s' "${TMP}.part6.${arch}") + cmp -n "${blobsize}" "${TMP}.part6.${arch}" "${TMP}.part6.${arch}.new1" # The rest of the partition should be unchanged. - cmp -i ${blobsize} ${TMP}.part1.${arch} ${TMP}.part6.${arch}.new1 + cmp -i "${blobsize}" "${TMP}.part1.${arch}" "${TMP}.part6.${arch}.new1" # repack it the new way, from input to output - cp ${TMP}.part1.${arch} ${TMP}.part1.${arch}.in - ${FUTILITY} --debug sign \ - --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ - --keyblock ${DEVKEYS}/kernel.keyblock \ + cp "${TMP}.part1.${arch}" "${TMP}.part1.${arch}.in" + "${FUTILITY}" --debug sign \ + --signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \ + --keyblock "${DEVKEYS}/kernel.keyblock" \ --version 2 \ - --pad ${padding} \ - --config ${TMP}.config2.txt \ - --bootloader ${TMP}.bootloader2.bin \ - ${TMP}.part1.${arch}.in \ - ${TMP}.part6.${arch}.new2 + --pad "${padding}" \ + --config "${TMP}.config2.txt" \ + --bootloader "${TMP}.bootloader2.bin" \ + "${TMP}.part1.${arch}.in" \ + "${TMP}.part6.${arch}.new2" - ${FUTILITY} vbutil_kernel --verify ${TMP}.part6.${arch}.new2 \ - --pad ${padding} \ - --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk > ${TMP}.verify6.new2 + "${FUTILITY}" vbutil_kernel --verify "${TMP}.part6.${arch}.new2" \ + --pad "${padding}" \ + --signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify6.new2" # The input file should not have changed (just being sure). - cmp ${TMP}.part1.${arch} ${TMP}.part1.${arch}.in + cmp "${TMP}.part1.${arch}" "${TMP}.part1.${arch}.in" # The verification should be indentical - diff ${TMP}.verify6.old ${TMP}.verify6.new2 + diff "${TMP}.verify6.old" "${TMP}.verify6.new2" # And creating a new output file should only emit a blob's worth - cmp ${TMP}.part6.${arch} ${TMP}.part6.${arch}.new2 + cmp "${TMP}.part6.${arch}" "${TMP}.part6.${arch}.new2" # Note: We specifically do not test repacking with a different --kloadaddr, # because the old way has a bug and does not update params->cmd_line_ptr to @@ -304,5 +310,5 @@ try_arch amd64 try_arch arm # cleanup -rm -rf ${TMP}* +rm -rf "${TMP}"* exit 0 diff --git a/tests/futility/test_sign_keyblocks.sh b/tests/futility/test_sign_keyblocks.sh index f689c89c..75d367d0 100755 --- a/tests/futility/test_sign_keyblocks.sh +++ b/tests/futility/test_sign_keyblocks.sh @@ -16,95 +16,95 @@ SIGNER=${SRCDIR}/tests/external_rsa_signer.sh # Create a copy of an existing keyblock, using the old way -${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \ - --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \ +"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \ + --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \ --flags 23 \ - --signprivate ${DEVKEYS}/root_key.vbprivk + --signprivate "${DEVKEYS}/root_key.vbprivk" # Check it. -${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock0 \ - --signpubkey ${DEVKEYS}/root_key.vbpubk +"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock0" \ + --signpubkey "${DEVKEYS}/root_key.vbpubk" # It should be the same as the dev-key firmware keyblock -cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock0 +cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock0" # Now create it the new way -${FUTILITY} --debug sign \ - --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \ +"${FUTILITY}" --debug sign \ + --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \ --flags 23 \ - --signprivate ${DEVKEYS}/root_key.vbprivk \ - --outfile ${TMP}.keyblock1 + --signprivate "${DEVKEYS}/root_key.vbprivk" \ + --outfile "${TMP}.keyblock1" # It should be the same too. -cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock1 +cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock1" # Create a keyblock without signing it. # old way -${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \ - --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \ +"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \ + --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \ --flags 14 # new way -${FUTILITY} --debug sign \ +"${FUTILITY}" --debug sign \ --flags 14 \ - ${DEVKEYS}/firmware_data_key.vbpubk \ - ${TMP}.keyblock1 + "${DEVKEYS}/firmware_data_key.vbpubk" \ + "${TMP}.keyblock1" -cmp ${TMP}.keyblock0 ${TMP}.keyblock1 +cmp "${TMP}.keyblock0" "${TMP}.keyblock1" # Create one using PEM args # old way -${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock2 \ - --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \ - --signprivate_pem ${TESTKEYS}/key_rsa4096.pem \ +"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock2" \ + --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \ + --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \ --pem_algorithm 8 \ --flags 9 # verify it -${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock2 \ - --signpubkey ${TESTKEYS}/key_rsa4096.sha512.vbpubk +"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock2" \ + --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk" # new way -${FUTILITY} --debug sign \ - --pem_signpriv ${TESTKEYS}/key_rsa4096.pem \ +"${FUTILITY}" --debug sign \ + --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \ --pem_algo 8 \ --flags 9 \ - ${DEVKEYS}/firmware_data_key.vbpubk \ - ${TMP}.keyblock3 + "${DEVKEYS}/firmware_data_key.vbpubk" \ + "${TMP}.keyblock3" -cmp ${TMP}.keyblock2 ${TMP}.keyblock3 +cmp "${TMP}.keyblock2" "${TMP}.keyblock3" # Try it with an external signer # old way -${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock4 \ - --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \ - --signprivate_pem ${TESTKEYS}/key_rsa4096.pem \ +"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock4" \ + --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \ + --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \ --pem_algorithm 8 \ --flags 19 \ - --externalsigner ${SIGNER} + --externalsigner "${SIGNER}" # verify it -${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock4 \ - --signpubkey ${TESTKEYS}/key_rsa4096.sha512.vbpubk +"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock4" \ + --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk" # new way -${FUTILITY} --debug sign \ - --pem_signpriv ${TESTKEYS}/key_rsa4096.pem \ +"${FUTILITY}" --debug sign \ + --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \ --pem_algo 8 \ - --pem_external ${SIGNER} \ + --pem_external "${SIGNER}" \ --flags 19 \ - ${DEVKEYS}/firmware_data_key.vbpubk \ - ${TMP}.keyblock5 + "${DEVKEYS}/firmware_data_key.vbpubk" \ + "${TMP}.keyblock5" -cmp ${TMP}.keyblock4 ${TMP}.keyblock5 +cmp "${TMP}.keyblock4" "${TMP}.keyblock5" # cleanup -rm -rf ${TMP}* +rm -rf "${TMP}"* exit 0 diff --git a/tests/futility/test_sign_usbpd1.sh b/tests/futility/test_sign_usbpd1.sh index 48e64eb1..2324fae1 100755 --- a/tests/futility/test_sign_usbpd1.sh +++ b/tests/futility/test_sign_usbpd1.sh @@ -24,33 +24,33 @@ for test in $TESTS; do : $(( count++ )) echo -n "$count " 1>&3 - pemfile=${DATADIR}/${test}.pem - infile=${DATADIR}/${test}.unsigned - goodfile=${DATADIR}/${test}.signed - outfile=${TMP}.${test}.new + pemfile="${DATADIR}/${test}.pem" + infile="${DATADIR}/${test}.unsigned" + goodfile="${DATADIR}/${test}.signed" + outfile="${TMP}.${test}.new" # Signing the whole thing with futility should produce identical results - ${FUTILITY} sign --type usbpd1 --pem ${pemfile} ${infile} ${outfile} - cmp ${goodfile} ${outfile} + "${FUTILITY}" sign --type usbpd1 --pem "${pemfile}" "${infile}" "${outfile}" + cmp "${goodfile}" "${outfile}" # Now try signing just the RW part - size=$(stat -c '%s' ${infile}) + size=$(stat -c '%s' "${infile}") half=$(( size / 2 )) - newin=${TMP}.${test}.rw_in - dd if=${infile} bs=${half} count=1 skip=1 of=${newin} + newin="${TMP}.${test}.rw_in" + dd if="${infile}" bs="${half}" count=1 skip=1 of="${newin}" newgood=${TMP}.${test}.rw_ok - dd if=${goodfile} bs=${half} count=1 skip=1 of=${newgood} - newout=${TMP}.${test}.rw_out + dd if="${goodfile}" bs="${half}" count=1 skip=1 of="${newgood}" + newout="${TMP}.${test}.rw_out" # Sign the RW part alone - ${FUTILITY} sign --type usbpd1 --pem ${pemfile} \ + "${FUTILITY}" sign --type usbpd1 --pem "${pemfile}" \ --ro_size 0 \ - ${newin} ${newout} - cmp ${newgood} ${newout} + "${newin}" "${newout}" + cmp "${newgood}" "${newout}" done # cleanup -rm -rf ${TMP}* +rm -rf "${TMP}"* exit 0 diff --git a/tests/futility/test_update.sh b/tests/futility/test_update.sh index e6360c35..8d8a559e 100755 --- a/tests/futility/test_update.sh +++ b/tests/futility/test_update.sh @@ -40,12 +40,12 @@ cd "$OUTDIR" set -o pipefail # In all the test scenario, we want to test "updating from PEPPY to LINK". -TO_IMAGE=${TMP}.src.link -FROM_IMAGE=${TMP}.src.peppy +TO_IMAGE="${TMP}.src.link" +FROM_IMAGE="${TMP}.src.peppy" TO_HWID="X86 LINK TEST 6638" FROM_HWID="X86 PEPPY TEST 4211" -cp -f ${LINK_BIOS} ${TO_IMAGE} -cp -f ${PEPPY_BIOS} ${FROM_IMAGE} +cp -f "${LINK_BIOS}" "${TO_IMAGE}" +cp -f "${PEPPY_BIOS}" "${FROM_IMAGE}" "${FUTILITY}" load_fmap "${FROM_IMAGE}" \ RO_VPD:"${RO_VPD_BLOB}" RW_VPD:"${RO_VPD_BLOB}" cp -f "${FROM_IMAGE}" "${FROM_IMAGE}".unpatched @@ -57,29 +57,34 @@ patch_file() { local data="$4" # NAME OFFSET SIZE - local fmap_info="$(${FUTILITY} dump_fmap -p ${file} ${section})" - local base="$(echo "${fmap_info}" | sed 's/^[^ ]* //; s/ [^ ]*$//')" - local offset=$((base + section_offset)) + local fmap_info + local base + local offset + + fmap_info="$("${FUTILITY}" dump_fmap -p "${file}" "${section}")" + base="$(echo "${fmap_info}" | sed 's/^[^ ]* //; s/ [^ ]*$//')" + offset=$((base + section_offset)) echo "offset: ${offset}" - printf "${data}" | dd of="${file}" bs=1 seek="${offset}" conv=notrunc + printf "%b" "${data}" | dd of="${file}" bs=1 seek="${offset}" \ + conv=notrunc } # PEPPY and LINK have different platform element ("Google_Link" and # "Google_Peppy") in firmware ID so we want to hack them by changing # "Google_" to "Google.". -patch_file ${TO_IMAGE} RW_FWID_A 0 Google. -patch_file ${TO_IMAGE} RW_FWID_B 0 Google. -patch_file ${TO_IMAGE} RO_FRID 0 Google. -patch_file ${FROM_IMAGE} RW_FWID_A 0 Google. -patch_file ${FROM_IMAGE} RW_FWID_B 0 Google. -patch_file ${FROM_IMAGE} RO_FRID 0 Google. +patch_file "${TO_IMAGE}" RW_FWID_A 0 Google. +patch_file "${TO_IMAGE}" RW_FWID_B 0 Google. +patch_file "${TO_IMAGE}" RO_FRID 0 Google. +patch_file "${FROM_IMAGE}" RW_FWID_A 0 Google. +patch_file "${FROM_IMAGE}" RW_FWID_B 0 Google. +patch_file "${FROM_IMAGE}" RO_FRID 0 Google. unpack_image() { local folder="${TMP}.$1" local image="$2" mkdir -p "${folder}" - (cd "${folder}" && ${FUTILITY} dump_fmap -x "../${image}") - ${FUTILITY} gbb -g --rootkey="${folder}/rootkey" "${image}" + (cd "${folder}" && "${FUTILITY}" dump_fmap -x "../${image}") + "${FUTILITY}" gbb -g --rootkey="${folder}/rootkey" "${image}" } # Unpack images so we can prepare expected results by individual sections. @@ -114,19 +119,19 @@ cp -f "${FROM_IMAGE}" "${TMP}.expected.b" cp -f "${FROM_IMAGE}" "${TMP}.expected.legacy" "${FUTILITY}" gbb -s --hwid="${FROM_HWID}" "${TMP}.expected.full" "${FUTILITY}" load_fmap "${TMP}.expected.full" \ - RW_VPD:${TMP}.from/RW_VPD \ - RO_VPD:${TMP}.from/RO_VPD + "RW_VPD:${TMP}.from/RW_VPD" \ + "RO_VPD:${TMP}.from/RO_VPD" "${FUTILITY}" load_fmap "${TMP}.expected.rw" \ - RW_SECTION_A:${TMP}.to/RW_SECTION_A \ - RW_SECTION_B:${TMP}.to/RW_SECTION_B \ - RW_SHARED:${TMP}.to/RW_SHARED \ - RW_LEGACY:${TMP}.to/RW_LEGACY + "RW_SECTION_A:${TMP}.to/RW_SECTION_A" \ + "RW_SECTION_B:${TMP}.to/RW_SECTION_B" \ + "RW_SHARED:${TMP}.to/RW_SHARED" \ + "RW_LEGACY:${TMP}.to/RW_LEGACY" "${FUTILITY}" load_fmap "${TMP}.expected.a" \ - RW_SECTION_A:${TMP}.to/RW_SECTION_A + "RW_SECTION_A:${TMP}.to/RW_SECTION_A" "${FUTILITY}" load_fmap "${TMP}.expected.b" \ - RW_SECTION_B:${TMP}.to/RW_SECTION_B + "RW_SECTION_B:${TMP}.to/RW_SECTION_B" "${FUTILITY}" load_fmap "${TMP}.expected.legacy" \ - RW_LEGACY:${TMP}.to/RW_LEGACY + "RW_LEGACY:${TMP}.to/RW_LEGACY" cp -f "${TMP}.expected.full" "${TMP}.expected.full.gbb12" patch_file "${TMP}.expected.full.gbb12" GBB 6 "\x02" "${FUTILITY}" gbb -s --hwid="${FROM_HWID}" "${TMP}.expected.full.gbb12" @@ -149,7 +154,7 @@ cp -f "${TMP}.expected.full" "${TMP}.expected.me_preserved" # FMAP_AREA_PRESERVE (\010=0x08). TO_IMAGE_WIPE_RW_VPD="${TO_IMAGE}.wipe_rw_vpd" cp -f "${TO_IMAGE}" "${TO_IMAGE_WIPE_RW_VPD}" -patch_file ${TO_IMAGE_WIPE_RW_VPD} FMAP 0x3fc "$(printf '\010')" +patch_file "${TO_IMAGE_WIPE_RW_VPD}" FMAP 0x3fc "$(printf '\010')" cp -f "${TMP}.expected.full" "${TMP}.expected.full.empty_rw_vpd" "${FUTILITY}" load_fmap "${TMP}.expected.full.empty_rw_vpd" \ RW_VPD:"${TMP}.to/RW_VPD" @@ -374,17 +379,17 @@ test_update "Full update (--quirks preserve_me)" \ # Test archive and manifest. CL_TAG is for custom_label_tag. A="${TMP}.archive" mkdir -p "${A}/bin" -echo 'echo "${CL_TAG}"' >"${A}/bin/vpd" +echo "echo \"\${CL_TAG}\"" >"${A}/bin/vpd" chmod +x "${A}/bin/vpd" cp -f "${LINK_BIOS}" "${A}/bios.bin" echo "TEST: Manifest (--manifest, bios.bin)" -${FUTILITY} update -a "${A}" --manifest >"${TMP}.json.out" +"${FUTILITY}" update -a "${A}" --manifest >"${TMP}.json.out" cmp "${TMP}.json.out" "${SCRIPT_DIR}/futility/link_bios.manifest.json" mv -f "${A}/bios.bin" "${A}/image.bin" echo "TEST: Manifest (--manifest, image.bin)" -${FUTILITY} update -a "${A}" --manifest >"${TMP}.json.out" +"${FUTILITY}" update -a "${A}" --manifest >"${TMP}.json.out" cmp "${TMP}.json.out" "${SCRIPT_DIR}/futility/link_image.manifest.json" @@ -395,7 +400,8 @@ test_update "Full update (--archive, single package)" \ echo "TEST: Output (--mode=output)" mkdir -p "${TMP}.output" -${FUTILITY} update -i "${LINK_BIOS}" --mode=output --output_dir="${TMP}.output" +"${FUTILITY}" update -i "${LINK_BIOS}" --mode=output \ + --output_dir="${TMP}.output" cmp "${LINK_BIOS}" "${TMP}.output/image.bin" mkdir -p "${A}/keyset" @@ -403,9 +409,9 @@ cp -f "${LINK_BIOS}" "${A}/image.bin" cp -f "${TMP}.to/rootkey" "${A}/keyset/rootkey.CL" cp -f "${TMP}.to/VBLOCK_A" "${A}/keyset/vblock_A.CL" cp -f "${TMP}.to/VBLOCK_B" "${A}/keyset/vblock_B.CL" -${FUTILITY} gbb -s --rootkey="${TMP}.from/rootkey" "${A}/image.bin" -${FUTILITY} load_fmap "${A}/image.bin" VBLOCK_A:"${TMP}.from/VBLOCK_A" -${FUTILITY} load_fmap "${A}/image.bin" VBLOCK_B:"${TMP}.from/VBLOCK_B" +"${FUTILITY}" gbb -s --rootkey="${TMP}.from/rootkey" "${A}/image.bin" +"${FUTILITY}" load_fmap "${A}/image.bin" VBLOCK_A:"${TMP}.from/VBLOCK_A" +"${FUTILITY}" load_fmap "${A}/image.bin" VBLOCK_B:"${TMP}.from/VBLOCK_B" test_update "Full update (--archive, custom label, no VPD)" \ "${A}/image.bin" "!Need VPD set for custom" \ @@ -433,7 +439,7 @@ echo "TEST: Output (-a, --mode=output)" mkdir -p "${TMP}.outa" cp -f "${A}/image.bin" "${TMP}.emu" CL_TAG="CL" PATH="${A}/bin:${PATH}" \ - ${FUTILITY} update -a "${A}" --mode=output --emu="${TMP}.emu" \ + "${FUTILITY}" update -a "${A}" --mode=output --emu="${TMP}.emu" \ --output_dir="${TMP}.outa" cmp "${LINK_BIOS}" "${TMP}.outa/image.bin" @@ -448,8 +454,8 @@ cp -f "${TMP}.to/VBLOCK_A" "${A}/keyset/vblock_A.customtip-cl" cp -f "${TMP}.to/VBLOCK_B" "${A}/keyset/vblock_B.customtip-cl" cp -f "${PEPPY_BIOS}" "${FROM_IMAGE}.ap" cp -f "${LINK_BIOS}" "${FROM_IMAGE}.al" -patch_file ${FROM_IMAGE}.ap FW_MAIN_A 0 "corrupted" -patch_file ${FROM_IMAGE}.al FW_MAIN_A 0 "corrupted" +patch_file "${FROM_IMAGE}.ap" FW_MAIN_A 0 "corrupted" +patch_file "${FROM_IMAGE}.al" FW_MAIN_A 0 "corrupted" test_update "Full update (--archive, model=link)" \ "${FROM_IMAGE}.al" "${LINK_BIOS}" \ -a "${A}" --wp=0 --sys_props 0,0x10001,1,3 --model=link @@ -508,13 +514,16 @@ if type cbfstool >/dev/null 2>&1; then echo "min_platform_version=3" >"${TMP}.quirk" cp -f "${TO_IMAGE}" "${TO_IMAGE}.quirk" - ${FUTILITY} dump_fmap -x "${TO_IMAGE}" "BOOT_STUB:${TMP}.cbfs" + "${FUTILITY}" dump_fmap -x "${TO_IMAGE}" "BOOT_STUB:${TMP}.cbfs" # Create a fake CBFS using FW_MAIN_A size. truncate -s $((0x000dffc0)) "${TMP}.cbfs" - ${FUTILITY} load_fmap "${TO_IMAGE}.quirk" "FW_MAIN_A:${TMP}.cbfs" + "${FUTILITY}" load_fmap "${TO_IMAGE}.quirk" "FW_MAIN_A:${TMP}.cbfs" cbfstool "${TO_IMAGE}.quirk" add -r FW_MAIN_A -n updater_quirks \ -f "${TMP}.quirk" -t raw test_update "Full update (failure by CBFS quirks)" \ "${FROM_IMAGE}" "!Need platform version >= 3 (current is 2)" \ -i "${TO_IMAGE}.quirk" --wp=0 --sys_props 0,0x10001,1,2 fi + +rm -rf "${TMP}"* +exit 0 diff --git a/tests/gen_fuzz_test_cases.sh b/tests/gen_fuzz_test_cases.sh index 2b4255de..3e4ca992 100755 --- a/tests/gen_fuzz_test_cases.sh +++ b/tests/gen_fuzz_test_cases.sh @@ -12,7 +12,7 @@ set -e . "$(dirname "$0")/common.sh" # Use a different directory for fuzzing test cases. -TESTKEY_DIR=${TESTKEY_DIR:-$(realpath ${SCRIPT_DIR}/../tests/testkeys)} +TESTKEY_DIR=${TESTKEY_DIR:-$(realpath "${SCRIPT_DIR}"/../tests/testkeys)} TESTCASE_DIR=${BUILD_DIR}/fuzz_testcases TEST_IMAGE_FILE=${TESTCASE_DIR}/testimage TEST_IMAGE_SIZE=500000 @@ -26,42 +26,43 @@ function generate_fuzzing_images { echo "Generating keyblocks..." # Firmware keyblock - RSA8192/SHA512 root key, RSA4096/SHA512 firmware # signing key. - ${FUTILITY} vbutil_keyblock \ - --pack ${TESTCASE_DIR}/firmware.keyblock \ - --datapubkey ${TESTKEY_DIR}/key_rsa4096.sha512.vbpubk \ - --signprivate ${TESTKEY_DIR}/key_rsa8192.sha1.vbprivk + "${FUTILITY}" vbutil_keyblock \ + --pack "${TESTCASE_DIR}/firmware.keyblock" \ + --datapubkey "${TESTKEY_DIR}/key_rsa4096.sha512.vbpubk" \ + --signprivate "${TESTKEY_DIR}/key_rsa8192.sha1.vbprivk" # Kernel keyblock - RSA4096/SHA512 kernel signing subkey, RSA4096/SHA512 # kernel signing key. - ${FUTILITY} vbutil_keyblock \ - --pack ${TESTCASE_DIR}/kernel.keyblock \ - --datapubkey ${TESTKEY_DIR}/key_rsa4096.sha512.vbpubk \ - --signprivate ${TESTKEY_DIR}/key_rsa4096.sha1.vbprivk \ + "${FUTILITY}" vbutil_keyblock \ + --pack "${TESTCASE_DIR}/kernel.keyblock" \ + --datapubkey "${TESTKEY_DIR}/key_rsa4096.sha512.vbpubk" \ + --signprivate "${TESTKEY_DIR}/key_rsa4096.sha1.vbprivk" \ --flags 15 echo "Generating signed firmware test image..." - ${FUTILITY} vbutil_firmware \ - --vblock ${TESTCASE_DIR}/firmware.vblock \ - --keyblock ${TESTCASE_DIR}/firmware.keyblock\ - --signprivate ${TESTKEY_DIR}/key_rsa4096.sha256.vbprivk \ + "${FUTILITY}" vbutil_firmware \ + --vblock "${TESTCASE_DIR}/firmware.vblock" \ + --keyblock "${TESTCASE_DIR}/firmware.keyblock" \ + --signprivate "${TESTKEY_DIR}/key_rsa4096.sha256.vbprivk" \ --version 1 \ - --fv $1 \ - --kernelkey ${TESTKEY_DIR}/key_rsa4096.sha512.vbpubk + --fv "$1" \ + --kernelkey "${TESTKEY_DIR}/key_rsa4096.sha512.vbpubk" # TODO(gauravsh): ALso test with (optional) flags. - cp ${TESTKEY_DIR}/key_rsa8192.sha512.vbpubk ${TESTCASE_DIR}/root_key.vbpubk + cp "${TESTKEY_DIR}/key_rsa8192.sha512.vbpubk" \ + "${TESTCASE_DIR}/root_key.vbpubk" echo "Generating signed kernel test image..." - ${FUTILITY} vbutil_kernel \ - --pack ${TESTCASE_DIR}/kernel.vblock.image \ - --keyblock ${TESTCASE_DIR}/kernel.keyblock \ - --signprivate ${TESTKEY_DIR}/key_rsa4096.sha256.vbprivk \ + "${FUTILITY}" vbutil_kernel \ + --pack "${TESTCASE_DIR}/kernel.vblock.image" \ + --keyblock "${TESTCASE_DIR}/kernel.keyblock" \ + --signprivate "${TESTKEY_DIR}/key_rsa4096.sha256.vbprivk" \ --version 1 \ - --vmlinuz ${TEST_IMAGE_FILE} \ - --bootloader ${TEST_BOOTLOADER_FILE} \ - --config ${TEST_CONFIG_FILE} + --vmlinuz "${TEST_IMAGE_FILE}" \ + --bootloader "${TEST_BOOTLOADER_FILE}" \ + --config "${TEST_CONFIG_FILE}" # TODO(gauravsh): Also test with (optional) padding. - cp ${TESTKEY_DIR}/key_rsa4096.sha512.vbpubk \ - ${TESTCASE_DIR}/firmware_key.vbpubk + cp "${TESTKEY_DIR}/key_rsa4096.sha512.vbpubk" \ + "${TESTCASE_DIR}/firmware_key.vbpubk" } function pre_work { @@ -69,18 +70,17 @@ function pre_work { # NOTE: The kernel and config file can't really be random, but the bootloader # can. That's probably close enough. echo "Generating test image file..." - dd if=/dev/urandom of=${TEST_IMAGE_FILE} bs=${TEST_IMAGE_SIZE} count=1 + dd if=/dev/urandom of="${TEST_IMAGE_FILE}" bs="${TEST_IMAGE_SIZE}" count=1 echo "Generating test bootloader file..." # TODO(gauravsh): Use a valid bootloader here? - dd if=/dev/urandom of=${TEST_BOOTLOADER_FILE} bs=${TEST_BOOTLOADER_SIZE} \ + dd if=/dev/urandom of="${TEST_BOOTLOADER_FILE}" bs="${TEST_BOOTLOADER_SIZE}" \ count=1 echo "Generating test config file..." # TODO(gauravsh): Use a valid config file here? - dd if=/dev/urandom of=${TEST_CONFIG_FILE} bs=${TEST_CONFIG_SIZE} count=1 + dd if=/dev/urandom of="${TEST_CONFIG_FILE}" bs="${TEST_CONFIG_SIZE}" count=1 } -mkdir -p ${TESTCASE_DIR} +mkdir -p "${TESTCASE_DIR}" pre_work check_test_keys -generate_fuzzing_images ${TEST_IMAGE_FILE} - +generate_fuzzing_images "${TEST_IMAGE_FILE}" diff --git a/tests/gen_test_cases.sh b/tests/gen_test_cases.sh index 540fc2a2..80ed90c0 100755 --- a/tests/gen_test_cases.sh +++ b/tests/gen_test_cases.sh @@ -17,17 +17,17 @@ TEST_FILE_SIZE=1000000 function generate_test_signatures { echo "Generating test signatures..." algorithmcounter=0 - for keylen in ${key_lengths[@]} + for keylen in "${key_lengths[@]}" do - for hashalgo in ${hash_algos[@]} + for hashalgo in "${hash_algos[@]}" do - openssl dgst -${hashalgo} -binary ${TEST_FILE} > \ - ${TEST_FILE}.${hashalgo}.digest - ${BIN_DIR}/signature_digest_utility $algorithmcounter \ - ${TEST_FILE} | openssl rsautl \ - -sign -pkcs -inkey ${TESTKEY_DIR}/key_rsa${keylen}.pem \ - > ${TEST_FILE}.rsa${keylen}_${hashalgo}.sig - let algorithmcounter=algorithmcounter+1 + openssl dgst "-${hashalgo}" -binary "${TEST_FILE}" > \ + "${TEST_FILE}.${hashalgo}.digest" + "${BIN_DIR}/signature_digest_utility" "$algorithmcounter" \ + "${TEST_FILE}" | openssl rsautl \ + -sign -pkcs -inkey "${TESTKEY_DIR}/key_rsa${keylen}.pem" \ + > "${TEST_FILE}.rsa${keylen}_${hashalgo}.sig" + algorithmcounter=$((algorithmcounter + 1)) done done } @@ -39,10 +39,10 @@ function generate_test_file { echo "(skipping, file already exists)" return fi - dd if=/dev/urandom of=${TEST_FILE} bs=${TEST_FILE_SIZE} count=1 + dd if=/dev/urandom of="${TEST_FILE}" bs="${TEST_FILE_SIZE}" count=1 } -mkdir -p ${TESTCASE_DIR} +mkdir -p "${TESTCASE_DIR}" check_test_keys generate_test_file generate_test_signatures diff --git a/tests/gen_test_keys.sh b/tests/gen_test_keys.sh index 04315ac3..37722fb9 100755 --- a/tests/gen_test_keys.sh +++ b/tests/gen_test_keys.sh @@ -17,11 +17,11 @@ sha_types=( 1 256 512 ) function generate_keys { key_index=0 key_name_base="${TESTKEY_DIR}/key_rsa" - for i in ${key_lengths[@]} + for i in "${key_lengths[@]}" do key_base="${key_name_base}${i}" if [ -f "${key_base}.keyb" ]; then - key_index=$((${key_index} + 1)) + key_index=$((key_index + 1)) continue fi @@ -33,34 +33,33 @@ function generate_keys { bits="${i%%_exp${exp}}" fi - openssl genrsa -${exp} -out ${key_base}.pem ${bits} + openssl genrsa "-${exp}" -out "${key_base}.pem" "${bits}" # Generate self-signed certificate from key. - openssl req -batch -new -x509 -key ${key_base}.pem \ - -out ${key_base}.crt + openssl req -batch -new -x509 -key "${key_base}.pem" \ + -out "${key_base}.crt" # Generate pre-processed key for use by RSA signature verification code. - ${BIN_DIR}/dumpRSAPublicKey -cert ${key_base}.crt \ - > ${key_base}.keyb + "${BIN_DIR}/dumpRSAPublicKey" -cert "${key_base}.crt" > "${key_base}.keyb" alg_index=0 - for sha_type in ${sha_types[@]} + for sha_type in "${sha_types[@]}" do - alg=$((${key_index} * 3 + ${alg_index})) + alg=$((key_index * 3 + alg_index)) # wrap the public key - ${FUTILITY} vbutil_key \ + "${FUTILITY}" vbutil_key \ --pack "${key_base}.sha${sha_type}.vbpubk" \ --key "${key_base}.keyb" \ --version 1 \ --algorithm ${alg} # wrap the private key - ${FUTILITY} vbutil_key \ + "${FUTILITY}" vbutil_key \ --pack "${key_base}.sha${sha_type}.vbprivk" \ --key "${key_base}.pem" \ --algorithm ${alg} - alg_index=$((${alg_index} + 1)) + alg_index=$((alg_index} + 1)) done - key_index=$((${key_index} + 1)) + key_index=$((key_index + 1)) done } diff --git a/tests/gen_test_vbpubks.sh b/tests/gen_test_vbpubks.sh index 8ea2759d..a318d3dc 100755 --- a/tests/gen_test_vbpubks.sh +++ b/tests/gen_test_vbpubks.sh @@ -11,16 +11,16 @@ function generate_vpubks { algorithmcounter=0 - for keylen in ${key_lengths[@]} + for keylen in "${key_lengths[@]}" do - for hashalgo in ${hash_algos[@]} + for hashalgo in "${hash_algos[@]}" do - ${FUTILITY} vbutil_key --pack \ - --in ${TESTKEY_DIR}/key_rsa${keylen}.keyb \ - --out ${TESTKEY_DIR}/key_rsa${keylen}.${hashalgo}.vbpubk \ + "${FUTILITY}" vbutil_key --pack \ + --in "${TESTKEY_DIR}/key_rsa${keylen}.keyb" \ + --out "${TESTKEY_DIR}/key_rsa${keylen}.${hashalgo}.vbpubk" \ --version 1 \ - --algorithm ${algorithmcounter} - let algorithmcounter=algorithmcounter+1 + --algorithm "${algorithmcounter}" + algorithmcounter=$((algorithmcounter + 1)) done done } diff --git a/tests/load_kernel_tests.sh b/tests/load_kernel_tests.sh index 45eedf4c..cd1bd635 100755 --- a/tests/load_kernel_tests.sh +++ b/tests/load_kernel_tests.sh @@ -27,21 +27,21 @@ dd if=/dev/urandom bs=16384 count=1 of="dummy_bootloader.bin" dd if=/dev/urandom bs=32768 count=1 of="dummy_kernel.bin" # Pack kernel data key using original vboot utilities. -${FUTILITY} vbutil_key --pack datakey.test \ - --key ${TESTKEY_DIR}/key_rsa2048.keyb --algorithm 4 +"${FUTILITY}" vbutil_key --pack datakey.test \ + --key "${TESTKEY_DIR}/key_rsa2048.keyb" --algorithm 4 # Keyblock with kernel data key is signed by kernel subkey # Flags=21 means dev=0 rec=0 minios=0 -${FUTILITY} vbutil_keyblock --pack keyblock.test \ +"${FUTILITY}" vbutil_keyblock --pack keyblock.test \ --datapubkey datakey.test \ --flags 21 \ - --signprivate ${SCRIPT_DIR}/devkeys/kernel_subkey.vbprivk + --signprivate "${SCRIPT_DIR}/devkeys/kernel_subkey.vbprivk" # Kernel preamble is signed with the kernel data key -${FUTILITY} vbutil_kernel \ +"${FUTILITY}" vbutil_kernel \ --pack "kernel.test" \ --keyblock "keyblock.test" \ - --signprivate ${TESTKEY_DIR}/key_rsa2048.sha256.vbprivk \ + --signprivate "${TESTKEY_DIR}/key_rsa2048.sha256.vbprivk" \ --version 1 \ --arch arm \ --vmlinuz "dummy_kernel.bin" \ @@ -51,9 +51,9 @@ ${FUTILITY} vbutil_kernel \ echo 'Verifying test kernel' # Verify the kernel -${FUTILITY} vbutil_kernel \ +"${FUTILITY}" vbutil_kernel \ --verify "kernel.test" \ - --signpubkey ${SCRIPT_DIR}/devkeys/kernel_subkey.vbpubk + --signpubkey "${SCRIPT_DIR}/devkeys/kernel_subkey.vbpubk" happy 'Kernel verification succeeded' @@ -69,7 +69,7 @@ dd if=kernel.test of=disk.test bs=512 seek=64 conv=notrunc # And verify it using futility echo 'Verifying test disk image' -${BUILD_RUN}/tests/verify_kernel disk.test \ - ${SCRIPT_DIR}/devkeys/kernel_subkey.vbpubk +"${BUILD_RUN}/tests/verify_kernel" disk.test \ + "${SCRIPT_DIR}/devkeys/kernel_subkey.vbpubk" happy 'Image verification succeeded' diff --git a/tests/run_cgpt_tests.sh b/tests/run_cgpt_tests.sh index 3f186242..7f59205a 100755 --- a/tests/run_cgpt_tests.sh +++ b/tests/run_cgpt_tests.sh @@ -10,27 +10,26 @@ . "$(dirname "$0")/common.sh" CGPT=$(readlink -f "$1") -[ -x "$CGPT" ] || error "Can't execute $CGPT" +[ -x ""${CGPT}"" ] || error "Can't execute $CGPT" -MTD="${@:2}" +MTD=("${@:2}") # Run tests in a dedicated directory for easy cleanup or debugging. DIR="${TEST_DIR}/cgpt_test_dir" [ -d "$DIR" ] || mkdir -p "$DIR" -warning "testing $CGPT in $DIR" +warning "testing "${CGPT}" in $DIR" cd "$DIR" assert_fail() { set +e - "$@" 2>/dev/null - if [ $? == 0 ]; then + if "$@" 2>/dev/null; then error "$*" " should have failed but did not" fi set -e } # Test failure on non existing file. -assert_fail ${CGPT} show $MTD blah_404_haha +assert_fail "${CGPT}" show "${MTD[@]}" blah_404_haha echo "Create an empty file to use as the device..." NUM_SECTORS=1000 @@ -76,264 +75,271 @@ RANDOM_NUM=6 RANDOM_DRIVE_GUID='12345678-0000-1111-2222-123456789ABC' -$CGPT create $MTD ${DEV} +"${CGPT}" create "${MTD[@]}" ${DEV} run_basic_tests() { echo "Create a bunch of partitions, using the real GUID types..." - $CGPT add $MTD -b ${DATA_START} -s ${DATA_SIZE} -t ${DATA_GUID} \ + "${CGPT}" add "${MTD[@]}" -b ${DATA_START} -s ${DATA_SIZE} -t ${DATA_GUID} \ -l "${DATA_LABEL}" ${DEV} - $CGPT add $MTD -b ${KERN_START} -s ${KERN_SIZE} -t ${KERN_GUID} \ + "${CGPT}" add "${MTD[@]}" -b ${KERN_START} -s ${KERN_SIZE} -t ${KERN_GUID} \ -l "${KERN_LABEL}" ${DEV} - $CGPT add $MTD -b ${ROOTFS_START} -s ${ROOTFS_SIZE} -t ${ROOTFS_GUID} \ - -l "${ROOTFS_LABEL}" ${DEV} - $CGPT add $MTD -b ${ESP_START} -s ${ESP_SIZE} -t ${ESP_GUID} \ + "${CGPT}" add "${MTD[@]}" -b ${ROOTFS_START} -s ${ROOTFS_SIZE} \ + -t ${ROOTFS_GUID} -l "${ROOTFS_LABEL}" ${DEV} + "${CGPT}" add "${MTD[@]}" -b ${ESP_START} -s ${ESP_SIZE} -t ${ESP_GUID} \ -l "${ESP_LABEL}" ${DEV} - $CGPT add $MTD -b ${FUTURE_START} -s ${FUTURE_SIZE} -t ${FUTURE_GUID} \ - -l "${FUTURE_LABEL}" ${DEV} - $CGPT add $MTD -b ${RANDOM_START} -s ${RANDOM_SIZE} -t ${RANDOM_GUID} \ - -l "${RANDOM_LABEL}" ${DEV} + "${CGPT}" add "${MTD[@]}" -b ${FUTURE_START} -s ${FUTURE_SIZE} \ + -t ${FUTURE_GUID} -l "${FUTURE_LABEL}" ${DEV} + "${CGPT}" add "${MTD[@]}" -b ${RANDOM_START} -s ${RANDOM_SIZE} \ + -t ${RANDOM_GUID} -l "${RANDOM_LABEL}" ${DEV} echo "Extract the start and size of given partitions..." - X=$($CGPT show $MTD -b -i $DATA_NUM ${DEV}) - Y=$($CGPT show $MTD -s -i $DATA_NUM ${DEV}) + X=$("${CGPT}" show "${MTD[@]}" -b -i $DATA_NUM ${DEV}) + Y=$("${CGPT}" show "${MTD[@]}" -s -i $DATA_NUM ${DEV}) [ "$X $Y" = "$DATA_START $DATA_SIZE" ] || error - X=$($CGPT show $MTD -b -i $KERN_NUM ${DEV}) - Y=$($CGPT show $MTD -s -i $KERN_NUM ${DEV}) + X=$("${CGPT}" show "${MTD[@]}" -b -i $KERN_NUM ${DEV}) + Y=$("${CGPT}" show "${MTD[@]}" -s -i $KERN_NUM ${DEV}) [ "$X $Y" = "$KERN_START $KERN_SIZE" ] || error - X=$($CGPT show $MTD -b -i $ROOTFS_NUM ${DEV}) - Y=$($CGPT show $MTD -s -i $ROOTFS_NUM ${DEV}) + X=$("${CGPT}" show "${MTD[@]}" -b -i $ROOTFS_NUM ${DEV}) + Y=$("${CGPT}" show "${MTD[@]}" -s -i $ROOTFS_NUM ${DEV}) [ "$X $Y" = "$ROOTFS_START $ROOTFS_SIZE" ] || error - X=$($CGPT show $MTD -b -i $ESP_NUM ${DEV}) - Y=$($CGPT show $MTD -s -i $ESP_NUM ${DEV}) + X=$("${CGPT}" show "${MTD[@]}" -b -i $ESP_NUM ${DEV}) + Y=$("${CGPT}" show "${MTD[@]}" -s -i $ESP_NUM ${DEV}) [ "$X $Y" = "$ESP_START $ESP_SIZE" ] || error - X=$($CGPT show $MTD -b -i $FUTURE_NUM ${DEV}) - Y=$($CGPT show $MTD -s -i $FUTURE_NUM ${DEV}) + X=$("${CGPT}" show "${MTD[@]}" -b -i $FUTURE_NUM ${DEV}) + Y=$("${CGPT}" show "${MTD[@]}" -s -i $FUTURE_NUM ${DEV}) [ "$X $Y" = "$FUTURE_START $FUTURE_SIZE" ] || error - X=$($CGPT show $MTD -b -i $RANDOM_NUM ${DEV}) - Y=$($CGPT show $MTD -s -i $RANDOM_NUM ${DEV}) + X=$("${CGPT}" show "${MTD[@]}" -b -i $RANDOM_NUM ${DEV}) + Y=$("${CGPT}" show "${MTD[@]}" -s -i $RANDOM_NUM ${DEV}) [ "$X $Y" = "$RANDOM_START $RANDOM_SIZE" ] || error echo "Change the beginning..." DATA_START=$((DATA_START + 10)) - $CGPT add $MTD -i 1 -b ${DATA_START} ${DEV} || error - X=$($CGPT show $MTD -b -i 1 ${DEV}) + "${CGPT}" add "${MTD[@]}" -i 1 -b ${DATA_START} ${DEV} || error + X=$("${CGPT}" show "${MTD[@]}" -b -i 1 ${DEV}) [ "$X" = "$DATA_START" ] || error echo "Change the size..." DATA_SIZE=$((DATA_SIZE + 10)) - $CGPT add $MTD -i 1 -s ${DATA_SIZE} ${DEV} || error - X=$($CGPT show $MTD -s -i 1 ${DEV}) + "${CGPT}" add "${MTD[@]}" -i 1 -s ${DATA_SIZE} ${DEV} || error + X=$("${CGPT}" show "${MTD[@]}" -s -i 1 ${DEV}) [ "$X" = "$DATA_SIZE" ] || error echo "Change the type..." - $CGPT add $MTD -i 1 -t reserved ${DEV} || error - X=$($CGPT show $MTD -t -i 1 ${DEV} | tr 'A-Z' 'a-z') + "${CGPT}" add "${MTD[@]}" -i 1 -t reserved ${DEV} || error + X=$("${CGPT}" show "${MTD[@]}" -t -i 1 ${DEV} | tr '[:upper:]' '[:lower:]') [ "$X" = "$FUTURE_GUID" ] || error # arbitrary value - $CGPT add $MTD -i 1 -t 610a563a-a55c-4ae0-ab07-86e5bb9db67f ${DEV} || error - X=$($CGPT show $MTD -t -i 1 ${DEV}) + "${CGPT}" add "${MTD[@]}" -i 1 -t 610a563a-a55c-4ae0-ab07-86e5bb9db67f \ + ${DEV} || error + X=$("${CGPT}" show "${MTD[@]}" -t -i 1 ${DEV}) [ "$X" = "610A563A-A55C-4AE0-AB07-86E5BB9DB67F" ] || error - $CGPT add $MTD -i 1 -t data ${DEV} || error - X=$($CGPT show $MTD -t -i 1 ${DEV} | tr 'A-Z' 'a-z') + "${CGPT}" add "${MTD[@]}" -i 1 -t data ${DEV} || error + X=$("${CGPT}" show "${MTD[@]}" -t -i 1 ${DEV} | tr '[:upper:]' '[:lower:]') [ "$X" = "$DATA_GUID" ] || error - ORIG_ID=$($CGPT show $MTD -v ${DEV} | \ + ORIG_ID=$("${CGPT}" show "${MTD[@]}" -v ${DEV} | \ grep -i "disk uuid" | head -1 | awk ' { print $3 } ' ) [ ! "$ORIG_ID" = "$RANDOM_DRIVE_GUID" ] || error - $CGPT edit $MTD -u ${RANDOM_DRIVE_GUID} ${DEV} || error - X=$($CGPT show $MTD -v ${DEV} | grep -i "disk uuid" | \ + "${CGPT}" edit "${MTD[@]}" -u ${RANDOM_DRIVE_GUID} ${DEV} || error + X=$("${CGPT}" show "${MTD[@]}" -v ${DEV} | grep -i "disk uuid" | \ head -1 | awk ' { print $3 } ' ) [ "$X" = "${RANDOM_DRIVE_GUID}" ] || error - $CGPT edit $MTD -u ${ORIG_ID} ${DEV} || error - X=$($CGPT show $MTD -v ${DEV} | grep -i "disk uuid" | \ + "${CGPT}" edit "${MTD[@]}" -u "${ORIG_ID}" ${DEV} || error + X=$("${CGPT}" show "${MTD[@]}" -v ${DEV} | grep -i "disk uuid" | \ head -1 | awk ' { print $3 } ' ) [ "$X" = "${ORIG_ID}" ] || error } run_basic_tests -ORIG_ID=$($CGPT show $MTD -v ${DEV} | \ +ORIG_ID=$("${CGPT}" show "${MTD[@]}" -v ${DEV} | \ grep -i "disk uuid" | awk ' { print $3 } ' ) [ ! "$ORIG_ID" = "$RANDOM_DRIVE_GUID" ] || error -$CGPT edit $MTD -u ${RANDOM_DRIVE_GUID} ${DEV} || error -X=$($CGPT show $MTD -v ${DEV} | grep -i "disk uuid" | \ +"${CGPT}" edit "${MTD[@]}" -u ${RANDOM_DRIVE_GUID} ${DEV} || error +X=$("${CGPT}" show "${MTD[@]}" -v ${DEV} | grep -i "disk uuid" | \ head -1 | awk ' { print $3 } ' ) [ "$X" = "${RANDOM_DRIVE_GUID}" ] || error -$CGPT edit $MTD -u ${ORIG_ID} ${DEV} || error -X=$($CGPT show $MTD -v ${DEV} | grep -i "disk uuid" | \ +"${CGPT}" edit "${MTD[@]}" -u "${ORIG_ID}" ${DEV} || error +X=$("${CGPT}" show "${MTD[@]}" -v ${DEV} | grep -i "disk uuid" | \ awk ' { print $3 } ' ) [ "$X" = "${ORIG_ID}" ] || error echo "Set the boot partition.." -$CGPT boot $MTD -i ${KERN_NUM} ${DEV} >/dev/null +"${CGPT}" boot "${MTD[@]}" -i ${KERN_NUM} ${DEV} >/dev/null echo "Check the PMBR's idea of the boot partition..." -X=$($CGPT boot $MTD ${DEV}) -Y=$($CGPT show $MTD -u -i $KERN_NUM $DEV) +X=$("${CGPT}" boot "${MTD[@]}" ${DEV}) +Y=$("${CGPT}" show "${MTD[@]}" -u -i $KERN_NUM $DEV) [ "$X" = "$Y" ] || error # Input: sequence of priorities # Output: ${DEV} has kernel partitions with the given priorities make_pri() { local idx=0 - $CGPT create $MTD ${DEV} + "${CGPT}" create "${MTD[@]}" ${DEV} for pri in "$@"; do idx=$((idx+1)) - $CGPT add $MTD -t kernel -l "kern$idx" -b $((100 + 2 * $idx)) -s 1 -P $pri ${DEV} + "${CGPT}" add "${MTD[@]}" -t kernel -l "kern$idx" -b $((100 + 2 * idx)) \ + -s 1 -P $pri ${DEV} done } # Output: returns string containing priorities of all kernels get_pri() { - echo $( - for idx in $($CGPT find $MTD -t kernel ${DEV} | sed -e s@${DEV}@@); do - $CGPT show $MTD -i $idx -P ${DEV} + local output=() + for idx in $("${CGPT}" find "${MTD[@]}" -t kernel ${DEV} | sed -e s@${DEV}@@); + do + output+=("$("${CGPT}" show "${MTD[@]}" -i "$idx" -P ${DEV})") done - ) + echo "${output[@]}" } # Input: list of priorities # Operation: expects ${DEV} to contain those kernel priorities assert_pri() { local expected="$*" - local actual=$(get_pri) + local actual + actual=$(get_pri) [ "$actual" = "$expected" ] || \ error 1 "expected priority \"$expected\", actual priority \"$actual\"" } # no kernels at all. This should do nothing. -$CGPT create $MTD ${DEV} +"${CGPT}" create "${MTD[@]}" ${DEV} run_prioritize_tests() { echo "Test the cgpt prioritize command..." - $CGPT add $MTD -t rootfs -b 100 -s 1 ${DEV} - $CGPT prioritize $MTD ${DEV} + "${CGPT}" add "${MTD[@]}" -t rootfs -b 100 -s 1 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" ${DEV} assert_pri "" # common install/upgrade sequence make_pri 2 0 0 - $CGPT prioritize $MTD -i 1 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -i 1 ${DEV} assert_pri 1 0 0 - $CGPT prioritize $MTD -i 2 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -i 2 ${DEV} assert_pri 1 2 0 - $CGPT prioritize $MTD -i 1 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -i 1 ${DEV} assert_pri 2 1 0 - $CGPT prioritize $MTD -i 2 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -i 2 ${DEV} assert_pri 1 2 0 # lots of kernels, all same starting priority, should go to priority 1 make_pri 8 8 8 8 8 8 8 8 8 8 8 0 0 8 - $CGPT prioritize $MTD ${DEV} + "${CGPT}" prioritize "${MTD[@]}" ${DEV} assert_pri 1 1 1 1 1 1 1 1 1 1 1 0 0 1 # now raise them all up again - $CGPT prioritize $MTD -P 4 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -P 4 ${DEV} assert_pri 4 4 4 4 4 4 4 4 4 4 4 0 0 4 # set one of them higher, should leave the rest alone - $CGPT prioritize $MTD -P 5 -i 3 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -P 5 -i 3 ${DEV} assert_pri 4 4 5 4 4 4 4 4 4 4 4 0 0 4 # set one of them lower, should bring the rest down - $CGPT prioritize $MTD -P 3 -i 4 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -P 3 -i 4 ${DEV} assert_pri 1 1 2 3 1 1 1 1 1 1 1 0 0 1 # raise a group by including the friends of one partition - $CGPT prioritize $MTD -P 6 -i 1 -f ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -P 6 -i 1 -f ${DEV} assert_pri 6 6 4 5 6 6 6 6 6 6 6 0 0 6 # resurrect one, should not affect the others make_pri 0 0 0 0 0 0 0 0 0 0 0 0 0 0 - $CGPT prioritize $MTD -i 2 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -i 2 ${DEV} assert_pri 0 1 0 0 0 0 0 0 0 0 0 0 0 0 # resurrect one and all its friends make_pri 0 0 0 0 0 0 0 0 1 2 0 0 0 0 - $CGPT prioritize $MTD -P 5 -i 2 -f ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -P 5 -i 2 -f ${DEV} assert_pri 5 5 5 5 5 5 5 5 3 4 5 5 5 5 # no options should maintain the same order - $CGPT prioritize $MTD ${DEV} + "${CGPT}" prioritize "${MTD[@]}" ${DEV} assert_pri 3 3 3 3 3 3 3 3 1 2 3 3 3 3 # squish all the ranks make_pri 1 1 2 2 3 3 4 4 5 5 0 6 7 7 - $CGPT prioritize $MTD -P 6 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -P 6 ${DEV} assert_pri 1 1 1 1 2 2 3 3 4 4 0 5 6 6 # squish the ranks by not leaving room make_pri 1 1 2 2 3 3 4 4 5 5 0 6 7 7 - $CGPT prioritize $MTD -P 7 -i 3 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -P 7 -i 3 ${DEV} assert_pri 1 1 7 1 2 2 3 3 4 4 0 5 6 6 # squish the ranks while bringing the friends along make_pri 1 1 2 2 3 3 4 4 5 5 0 6 7 7 - $CGPT prioritize $MTD -P 6 -i 3 -f ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -P 6 -i 3 -f ${DEV} assert_pri 1 1 6 6 1 1 2 2 3 3 0 4 5 5 # squish them pretty hard make_pri 1 1 2 2 3 3 4 4 5 5 0 6 7 7 - $CGPT prioritize $MTD -P 2 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -P 2 ${DEV} assert_pri 1 1 1 1 1 1 1 1 1 1 0 1 2 2 # squish them really really hard (nobody gets reduced to zero, though) make_pri 1 1 2 2 3 3 4 4 5 5 0 6 7 7 - $CGPT prioritize $MTD -P 1 -i 3 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -P 1 -i 3 ${DEV} assert_pri 1 1 1 1 1 1 1 1 1 1 0 1 1 1 make_pri 15 15 14 14 13 13 12 12 11 11 10 10 9 9 8 8 7 7 6 6 5 5 4 4 3 3 2 2 1 1 0 - $CGPT prioritize $MTD -i 3 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -i 3 ${DEV} assert_pri 14 14 15 13 12 12 11 11 10 10 9 9 8 8 7 7 6 6 5 5 4 4 3 3 2 2 1 1 1 1 0 - $CGPT prioritize $MTD -i 5 ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -i 5 ${DEV} assert_pri 13 13 14 12 15 11 10 10 9 9 8 8 7 7 6 6 5 5 4 4 3 3 2 2 1 1 1 1 1 1 0 # but if I bring friends I don't have to squish - $CGPT prioritize $MTD -i 1 -f ${DEV} + "${CGPT}" prioritize "${MTD[@]}" -i 1 -f ${DEV} assert_pri 15 15 13 12 14 11 10 10 9 9 8 8 7 7 6 6 5 5 4 4 3 3 2 2 1 1 1 1 1 1 0 } run_prioritize_tests echo "Test cgpt repair command" -$CGPT repair $MTD ${DEV} -($CGPT show $MTD ${DEV} | grep -q INVALID) && error +"${CGPT}" repair "${MTD[@]}" ${DEV} +("${CGPT}" show "${MTD[@]}" ${DEV} | grep -q INVALID) && error # Zero primary header and partition table and try to repair it. dd if=/dev/zero of=${DEV} conv=notrunc bs=512 count=33 2>/dev/null -$CGPT show $MTD ${DEV} | grep -q INVALID -$CGPT repair $MTD ${DEV} -($CGPT show $MTD ${DEV} | grep -q INVALID) && error +"${CGPT}" show "${MTD[@]}" ${DEV} | grep -q INVALID +"${CGPT}" repair "${MTD[@]}" ${DEV} +("${CGPT}" show "${MTD[@]}" ${DEV} | grep -q INVALID) && error # Zero secondary header and partition table and try to repair it. -dd if=/dev/zero of=${DEV} seek=$(($NUM_SECTORS - 33)) conv=notrunc bs=512 count=33 2>/dev/null -$CGPT show $MTD ${DEV} | grep -q INVALID -$CGPT repair $MTD ${DEV} -($CGPT show $MTD ${DEV} | grep -q INVALID) && error +dd if=/dev/zero of=${DEV} seek=$((NUM_SECTORS - 33)) conv=notrunc bs=512 \ + count=33 2>/dev/null +"${CGPT}" show "${MTD[@]}" ${DEV} | grep -q INVALID +"${CGPT}" repair "${MTD[@]}" ${DEV} +("${CGPT}" show "${MTD[@]}" ${DEV} | grep -q INVALID) && error echo "Test with IGNOREME primary GPT..." -$CGPT create $MTD ${DEV} -$CGPT legacy $MTD -p ${DEV} -$CGPT show $MTD ${DEV} | egrep -q "IGNORED.*Pri GPT" 2>/dev/null -($CGPT show $MTD ${DEV} | grep -q "Pri GPT table" 2>/dev/null) && error -$CGPT repair $MTD ${DEV} 2>/dev/null -$CGPT show $MTD ${DEV} | egrep -q "IGNORED.*Pri GPT" 2>/dev/null -($CGPT show $MTD ${DEV} | grep -q "Pri GPT table" 2>/dev/null) && error -$CGPT legacy $MTD -e ${DEV} 2>/dev/null -($CGPT show $MTD ${DEV} | egrep -q "IGNORED.*Pri GPT") && error -$CGPT show $MTD ${DEV} | grep -q "Pri GPT table" - -$CGPT create $MTD ${DEV} -$CGPT legacy $MTD -p ${DEV} +"${CGPT}" create "${MTD[@]}" ${DEV} +"${CGPT}" legacy "${MTD[@]}" -p ${DEV} +"${CGPT}" show "${MTD[@]}" ${DEV} | grep -q -E "IGNORED.*Pri GPT" 2>/dev/null +("${CGPT}" show "${MTD[@]}" ${DEV} | grep -q "Pri GPT table" 2>/dev/null) && \ + error +"${CGPT}" repair "${MTD[@]}" ${DEV} 2>/dev/null +"${CGPT}" show "${MTD[@]}" ${DEV} | grep -q -E "IGNORED.*Pri GPT" 2>/dev/null +("${CGPT}" show "${MTD[@]}" ${DEV} | grep -q "Pri GPT table" 2>/dev/null) && \ + error +"${CGPT}" legacy "${MTD[@]}" -e ${DEV} 2>/dev/null +("${CGPT}" show "${MTD[@]}" ${DEV} | grep -q -E "IGNORED.*Pri GPT") && error +"${CGPT}" show "${MTD[@]}" ${DEV} | grep -q "Pri GPT table" + +"${CGPT}" create "${MTD[@]}" ${DEV} +"${CGPT}" legacy "${MTD[@]}" -p ${DEV} run_basic_tests 2>/dev/null -$CGPT create $MTD ${DEV} -$CGPT legacy $MTD -p ${DEV} +"${CGPT}" create "${MTD[@]}" ${DEV} +"${CGPT}" legacy "${MTD[@]}" -p ${DEV} run_prioritize_tests 2>/dev/null # Now make sure that we don't need write access if we're just looking. @@ -341,48 +347,47 @@ echo "Test read vs read-write access..." chmod 0444 ${DEV} # These should fail -$CGPT create $MTD -z ${DEV} 2>/dev/null && error -$CGPT add $MTD -i 2 -P 3 ${DEV} 2>/dev/null && error -$CGPT repair $MTD ${DEV} 2>/dev/null && error -$CGPT prioritize $MTD -i 3 ${DEV} 2>/dev/null && error +"${CGPT}" create "${MTD[@]}" -z ${DEV} 2>/dev/null && error +"${CGPT}" add "${MTD[@]}" -i 2 -P 3 ${DEV} 2>/dev/null && error +"${CGPT}" repair "${MTD[@]}" ${DEV} 2>/dev/null && error +"${CGPT}" prioritize "${MTD[@]}" -i 3 ${DEV} 2>/dev/null && error # Most 'boot' usage should fail too. -$CGPT boot $MTD -p ${DEV} 2>/dev/null && error +"${CGPT}" boot "${MTD[@]}" -p ${DEV} 2>/dev/null && error dd if=/dev/zero of=fake_mbr.bin bs=100 count=1 2>/dev/null -$CGPT boot $MTD -b fake_mbr.bin ${DEV} 2>/dev/null && error -$CGPT boot $MTD -i 2 ${DEV} 2>/dev/null && error +"${CGPT}" boot "${MTD[@]}" -b fake_mbr.bin ${DEV} 2>/dev/null && error +"${CGPT}" boot "${MTD[@]}" -i 2 ${DEV} 2>/dev/null && error -$CGPT boot $MTD ${DEV} >/dev/null -$CGPT show $MTD ${DEV} >/dev/null -$CGPT find $MTD -t kernel ${DEV} >/dev/null +"${CGPT}" boot "${MTD[@]}" ${DEV} >/dev/null +"${CGPT}" show "${MTD[@]}" ${DEV} >/dev/null +"${CGPT}" find "${MTD[@]}" -t kernel ${DEV} >/dev/null # Enable write access again to test boundary in off device storage chmod 600 ${DEV} # GPT too small dd if=/dev/zero of=${DEV} bs=5632 count=1 -assert_fail $CGPT create -D 1024 ${DEV} +assert_fail ""${CGPT}"" create -D 1024 ${DEV} # GPT is just right for 16 entries (512 + 512 + 16 * 128) * 2 = 6144 dd if=/dev/zero of=${DEV} bs=6144 count=1 -$CGPT create -D 1024 ${DEV} +"${CGPT}" create -D 1024 ${DEV} # Create a small 8K file to simulate Flash NOR section dd if=/dev/zero of=${DEV} bs=8K count=1 # Drive size is not multiple of 512 -assert_fail $CGPT create -D 511 ${DEV} -assert_fail $CGPT create -D 513 ${DEV} -MTD="-D 1024" +assert_fail ""${CGPT}"" create -D 511 ${DEV} +assert_fail ""${CGPT}"" create -D 513 ${DEV} # Create a GPT table for a device of 1024 bytes (2 sectors) -$CGPT create $MTD ${DEV} +"${CGPT}" create -D 1024 ${DEV} # Make sure number of entries is reasonable for 8KiB GPT -X=$($CGPT show -D 1024 -d ${DEV} | grep -c "Number of entries: 24") +X=$("${CGPT}" show -D 1024 -d ${DEV} | grep -c "Number of entries: 24") [ "$X" = "2" ] || error # This fails because header verification is off due to different drive size -assert_fail $CGPT show ${DEV} +assert_fail ""${CGPT}"" show ${DEV} # But this passes because we pass in correct drive size -$CGPT show $MTD ${DEV} +"${CGPT}" show -D 1024 ${DEV} # This fails because beginning sector is over the size of the device -assert_fail $CGPT add $MTD -b 2 -s 1 -t data ${DEV} +assert_fail ""${CGPT}"" add -D 1024 -b 2 -s 1 -t data ${DEV} # This fails because partition size is over the size of the device -assert_fail $CGPT add $MTD -b 0 -s 3 -t data ${DEV} +assert_fail ""${CGPT}"" add -D 1024 -b 0 -s 3 -t data ${DEV} echo "Done." diff --git a/tests/run_preamble_tests.sh b/tests/run_preamble_tests.sh index 429213c8..23902158 100755 --- a/tests/run_preamble_tests.sh +++ b/tests/run_preamble_tests.sh @@ -34,10 +34,8 @@ for d in $algs; do for rr in $algs; do if [ "$r" = "$rr" ]; then what="verify" - cmp="-ne" else what="reject" - cmp="-eq" fi : $(( tests++ )) echo -n "${what} fw_${d}_${r}.vblock with root_${rr}.vbpubk ... " @@ -45,7 +43,9 @@ for d in $algs; do --verify "${V2DIR}/fw_${d}_${r}.vblock" \ --signpubkey "${DATADIR}/root_${rr}.vbpubk" \ --fv "${DATADIR}/FWDATA" >/dev/null 2>&1 - if [ "$?" "$cmp" 0 ]; then + if [[ ( $? != 0 && $what == "verify" ) || \ + ( $? == 0 && $what == "reject" ) ]] + then echo -e "${COL_RED}FAILED${COL_STOP}" : $(( errs++ )) else @@ -62,17 +62,17 @@ for d in $algs; do for rr in $algs; do if [ "$r" = "$rr" ]; then what="verify" - cmp="-ne" else what="reject" - cmp="-eq" fi : $(( tests++ )) echo -n "${what} kern_${d}_${r}.vblock with root_${rr}.vbpubk ... " "${FUTILITY}" vbutil_kernel \ --verify "${V2DIR}/kern_${d}_${r}.vblock" \ --signpubkey "${DATADIR}/root_${rr}.vbpubk" >/dev/null 2>&1 - if [ "$?" "$cmp" 0 ]; then + if [[ ( $? != 0 && $what == "verify" ) || \ + ( $? == 0 && $what == "reject" ) ]] + then echo -e "${COL_RED}FAILED${COL_STOP}" : $(( errs++ )) else @@ -88,9 +88,9 @@ for d in $algs; do for r in $algs; do : $(( tests++ )) echo -n "verify kern_${d}_${r}.vblock with hash only ... " - "${FUTILITY}" vbutil_kernel \ + if ! "${FUTILITY}" vbutil_kernel \ --verify "${V2DIR}/kern_${d}_${r}.vblock" >/dev/null 2>&1 - if [ "$?" -ne 0 ]; then + then echo -e "${COL_RED}FAILED${COL_STOP}" : $(( errs++ )) else diff --git a/tests/run_vbutil_kernel_arg_tests.sh b/tests/run_vbutil_kernel_arg_tests.sh index 95317ec4..6367662b 100755 --- a/tests/run_vbutil_kernel_arg_tests.sh +++ b/tests/run_vbutil_kernel_arg_tests.sh @@ -44,7 +44,7 @@ while [ "$k" -lt "${#KERN_VALS[*]}" ]; do while [ "$b" -lt "${#BOOT_VALS[*]}" ]; do echo -n "pack kern_${k}_${b}.vblock ... " : $(( tests++ )) - "${FUTILITY}" vbutil_kernel \ + if ! "${FUTILITY}" vbutil_kernel \ --pack "${TMPDIR}/kern_${k}_${b}.vblock" \ --keyblock "${KEYBLOCK}" \ --signprivate "${SIGNPRIVATE}" \ @@ -53,7 +53,7 @@ while [ "$k" -lt "${#KERN_VALS[*]}" ]; do --config "${CONFIG}" \ "${KERN_VALS[$k]}" \ "${BOOT_VALS[$k]}" >/dev/null - if [ "$?" -ne 0 ]; then + then echo -e "${COL_RED}FAILED${COL_STOP}" : $(( errs++ )) else @@ -65,12 +65,12 @@ while [ "$k" -lt "${#KERN_VALS[*]}" ]; do done # Now unpack it -for v in ${TMPDIR}/kern_*.vblock; do +for v in "${TMPDIR}"/kern_*.vblock; do : $(( tests++ )) vv=$(basename "$v") echo -n "verify $vv ... " - "${FUTILITY}" vbutil_kernel --verify "$v" >/dev/null - if [ "$?" -ne 0 ]; then + if ! "${FUTILITY}" vbutil_kernel --verify "$v" >/dev/null + then echo -e "${COL_RED}FAILED${COL_STOP}" : $(( errs++ )) else @@ -78,9 +78,9 @@ for v in ${TMPDIR}/kern_*.vblock; do fi : $(( tests++ )) echo -n "verify $vv signed ... " - "${FUTILITY}" vbutil_kernel --verify "$v" \ + if ! "${FUTILITY}" vbutil_kernel --verify "$v" \ --signpubkey "${SIGNPUBLIC}" >/dev/null - if [ "$?" -ne 0 ]; then + then echo -e "${COL_RED}FAILED${COL_STOP}" : $(( errs++ )) else @@ -100,7 +100,7 @@ USB_SIGNPRIVATE="${DEVKEYS}/recovery_kernel_data_key.vbprivk" USB_SIGNPUBKEY="${DEVKEYS}/recovery_key.vbpubk" echo -n "pack USB kernel ... " : $(( tests++ )) -"${FUTILITY}" vbutil_kernel \ +if ! "${FUTILITY}" vbutil_kernel \ --pack "${USB_KERN}" \ --keyblock "${USB_KEYBLOCK}" \ --signprivate "${USB_SIGNPRIVATE}" \ @@ -109,7 +109,7 @@ echo -n "pack USB kernel ... " --bootloader "${BIG}" \ --vmlinuz "${BIG}" \ --arch arm -if [ "$?" -ne 0 ]; then +then echo -e "${COL_RED}FAILED${COL_STOP}" : $(( errs++ )) else @@ -119,10 +119,10 @@ fi # And verify it. echo -n "verify USB kernel ... " : $(( tests++ )) -"${FUTILITY}" vbutil_kernel \ +if ! "${FUTILITY}" vbutil_kernel \ --verify "${USB_KERN}" \ --signpubkey "${USB_SIGNPUBKEY}" >/dev/null -if [ "$?" -ne 0 ]; then +then echo -e "${COL_RED}FAILED${COL_STOP}" : $(( errs++ )) else @@ -139,13 +139,13 @@ SSD_SIGNPRIVATE="${DEVKEYS}/kernel_data_key.vbprivk" SSD_SIGNPUBKEY="${DEVKEYS}/kernel_subkey.vbpubk" echo -n "repack to SSD kernel ... " : $(( tests++ )) -"${FUTILITY}" vbutil_kernel \ +if ! "${FUTILITY}" vbutil_kernel \ --repack "${SSD_KERN}" \ --vblockonly \ --keyblock "${SSD_KEYBLOCK}" \ --signprivate "${SSD_SIGNPRIVATE}" \ --oldblob "${TMPDIR}/usb_kern.bin" >/dev/null -if [ "$?" -ne 0 ]; then +then echo -e "${COL_RED}FAILED${COL_STOP}" : $(( errs++ )) else @@ -155,14 +155,14 @@ fi # To verify it, we have to replace the vblock from the original image. tempfile="${TMPDIR}/foo.bin" cat "${SSD_KERN}" > "$tempfile" -dd if="${USB_KERN}" bs=65536 skip=1 >> $tempfile 2>/dev/null +dd if="${USB_KERN}" bs=65536 skip=1 >> "$tempfile" 2>/dev/null echo -n "verify SSD kernel ... " : $(( tests++ )) -"${FUTILITY}" vbutil_kernel \ +if ! "${FUTILITY}" vbutil_kernel \ --verify "$tempfile" \ --signpubkey "${SSD_SIGNPUBKEY}" >/dev/null -if [ "$?" -ne 0 ]; then +then echo -e "${COL_RED}FAILED${COL_STOP}" : $(( errs++ )) else @@ -170,7 +170,7 @@ else fi # Finally make sure that the kernel command line stays good. -orig=$(cat "${CONFIG}" | tr '\012' ' ') +orig=$(tr '\012' ' ' < "${CONFIG}") packed=$("${FUTILITY}" dump_kernel_config "${USB_KERN}") echo -n "check USB kernel config ..." : $(( tests++ )) @@ -184,7 +184,7 @@ fi repacked=$("${FUTILITY}" dump_kernel_config "${tempfile}") echo -n "check SSD kernel config ..." : $(( tests++ )) -if [ "$orig" != "$packed" ]; then +if [ "$orig" != "$repacked" ]; then echo -e "${COL_RED}FAILED${COL_STOP}" : $(( errs++ )) else diff --git a/tests/run_vbutil_tests.sh b/tests/run_vbutil_tests.sh index 84f66d1a..b9db2a7c 100755 --- a/tests/run_vbutil_tests.sh +++ b/tests/run_vbutil_tests.sh @@ -18,21 +18,19 @@ function test_vbutil_key_single { echo -e "For signing key ${COL_YELLOW}RSA-$keylen/$hashalgo${COL_STOP}:" # Pack the key - ${FUTILITY} vbutil_key \ - --pack ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk \ - --key ${TESTKEY_DIR}/key_rsa${keylen}.keyb \ + if ! "${FUTILITY}" vbutil_key \ + --pack "${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk" \ + --key "${TESTKEY_DIR}/key_rsa${keylen}.keyb" \ --version 1 \ - --algorithm $algonum - if [ $? -ne 0 ] + --algorithm "${algonum}" then return_code=255 fi # Unpack the key # TODO: should verify we get the same key back out? - ${FUTILITY} vbutil_key \ - --unpack ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk - if [ $? -ne 0 ] + if ! "${FUTILITY}" vbutil_key \ + --unpack "${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk" then return_code=255 fi @@ -40,12 +38,12 @@ function test_vbutil_key_single { function test_vbutil_key_all { algorithmcounter=0 - for keylen in ${key_lengths[@]} + for keylen in "${key_lengths[@]}" do - for hashalgo in ${hash_algos[@]} + for hashalgo in "${hash_algos[@]}" do - test_vbutil_key_single $algorithmcounter $keylen $hashalgo - let algorithmcounter=algorithmcounter+1 + test_vbutil_key_single "$algorithmcounter" "$keylen" "$hashalgo" + algorithmcounter=$((algorithmcounter + 1)) done done } @@ -72,49 +70,45 @@ ${datahashalgo}${COL_STOP}" keyblockfile="${TESTKEY_SCRATCH_DIR}/" keyblockfile+="sign${signing_algonum}_data" keyblockfile+="${data_algonum}.keyblock" - rm -f ${keyblockfile} + rm -f "${keyblockfile}" # Wrap private key - ${FUTILITY} vbutil_key \ - --pack ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbprivk \ - --key ${TESTKEY_DIR}/key_rsa${signing_keylen}.pem \ - --algorithm $signing_algonum - if [ $? -ne 0 ] + if ! "${FUTILITY}" vbutil_key \ + --pack "${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbprivk" \ + --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.pem" \ + --algorithm "${signing_algonum}" then echo -e "${COL_RED}Wrap vbprivk${COL_STOP}" return_code=255 fi # Wrap public key - ${FUTILITY} vbutil_key \ - --pack ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk \ - --key ${TESTKEY_DIR}/key_rsa${signing_keylen}.keyb \ - --algorithm $signing_algonum - if [ $? -ne 0 ] + if ! "${FUTILITY}" vbutil_key \ + --pack "${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk" \ + --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.keyb" \ + --algorithm "${signing_algonum}" then echo -e "${COL_RED}Wrap vbpubk${COL_STOP}" return_code=255 fi # Pack - ${FUTILITY} vbutil_keyblock --pack ${keyblockfile} \ + if ! "${FUTILITY}" vbutil_keyblock --pack "${keyblockfile}" \ --datapubkey \ - ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk \ + "${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk" \ --signprivate \ - ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbprivk - if [ $? -ne 0 ] + "${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbprivk" then echo -e "${COL_RED}Pack${COL_STOP}" return_code=255 fi # Unpack - ${FUTILITY} vbutil_keyblock --unpack ${keyblockfile} \ + if ! "${FUTILITY}" vbutil_keyblock --unpack "${keyblockfile}" \ --datapubkey \ - ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2 \ + "${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2" \ --signpubkey \ - ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk - if [ $? -ne 0 ] + "${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk" then echo -e "${COL_RED}Unpack${COL_STOP}" return_code=255 @@ -122,8 +116,8 @@ ${datahashalgo}${COL_STOP}" # Check if ! cmp -s \ - ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk \ - ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2 + "${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk" \ + "${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2" then echo -e "${COL_RED}Check${COL_STOP}" return_code=255 @@ -134,27 +128,24 @@ ${datahashalgo}${COL_STOP}" external signer.${COL_STOP}" # Pack using external signer # Pack - ${FUTILITY} vbutil_keyblock --pack ${keyblockfile} \ + if ! "${FUTILITY}" vbutil_keyblock --pack "${keyblockfile}" \ --datapubkey \ - ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk \ + "${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk" \ --signprivate_pem \ - ${TESTKEY_DIR}/key_rsa${signing_keylen}.pem \ + "${TESTKEY_DIR}/key_rsa${signing_keylen}.pem" \ --pem_algorithm "${signing_algonum}" \ --externalsigner "${SCRIPT_DIR}/external_rsa_signer.sh" - - if [ $? -ne 0 ] then echo -e "${COL_RED}Pack${COL_STOP}" return_code=255 fi # Unpack - ${FUTILITY} vbutil_keyblock --unpack ${keyblockfile} \ + if ! "${FUTILITY}" vbutil_keyblock --unpack "${keyblockfile}" \ --datapubkey \ - ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2 \ + "${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2" \ --signpubkey \ - ${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbpubk - if [ $? -ne 0 ] + "${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbpubk" then echo -e "${COL_RED}Unpack${COL_STOP}" return_code=255 @@ -162,8 +153,8 @@ external signer.${COL_STOP}" # Check if ! cmp -s \ - ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk \ - ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2 + "${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk" \ + "${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2" then echo -e "${COL_RED}Check${COL_STOP}" return_code=255 @@ -177,22 +168,22 @@ function test_vbutil_keyblock_all { # kernel signing algorithm signing_algorithmcounter=0 data_algorithmcounter=0 - for signing_keylen in ${key_lengths[@]} + for signing_keylen in "${key_lengths[@]}" do - for signing_hashalgo in ${hash_algos[@]} + for signing_hashalgo in "${hash_algos[@]}" do - let data_algorithmcounter=0 - for datakeylen in ${key_lengths[@]} + data_algorithmcounter=0 + for datakeylen in "${key_lengths[@]}" do - for datahashalgo in ${hash_algos[@]} + for datahashalgo in "${hash_algos[@]}" do test_vbutil_keyblock_single \ - $signing_algorithmcounter $signing_keylen $signing_hashalgo \ - $data_algorithmcounter $data_keylen $data_hashalgo - let data_algorithmcounter=data_algorithmcounter+1 + "$signing_algorithmcounter" "$signing_keylen" "$signing_hashalgo" \ + "$data_algorithmcounter" "$data_keylen" "$data_hashalgo" + data_algorithmcounter=$((data_algorithmcounter + 1)) done done - let signing_algorithmcounter=signing_algorithmcounter+1 + signing_algorithmcounter=$((signing_algorithmcounter + 1)) done done } @@ -223,4 +214,3 @@ else fi exit $return_code - diff --git a/tests/test_using_qemu.sh b/tests/test_using_qemu.sh index 081d963e..5ed29740 100755 --- a/tests/test_using_qemu.sh +++ b/tests/test_using_qemu.sh @@ -24,11 +24,11 @@ sudo mount --bind /dev "${SYSROOT}/dev" # Don't exit on error, so we can capture the error code set +e -sudo chroot ${SYSROOT} ${QEMU_RUN} \ +sudo chroot "${SYSROOT}" "${QEMU_RUN}" \ -E LD_LIBRARY_PATH=/lib64:/lib:/usr/lib64:/usr/lib \ - -E HOME=${HOME} \ - -E BUILD=${BUILD_RUN} \ - -- $* + -E HOME="${HOME}" \ + -E BUILD="${BUILD_RUN}" \ + -- "$@" exit_code=$? set -e diff --git a/tests/vb2_firmware_tests.sh b/tests/vb2_firmware_tests.sh index 88b6e6a8..51803e22 100755 --- a/tests/vb2_firmware_tests.sh +++ b/tests/vb2_firmware_tests.sh @@ -50,34 +50,41 @@ run_test() local fw_algo=$2 local kern_algo=$3 - local root_rsa="$(algo_to_rsa ${root_algo})" - local fw_rsa="$(algo_to_rsa ${fw_algo})" - local kern_rsa="$(algo_to_rsa ${kern_algo})" - - local root_sha="$(algo_to_sha ${root_algo})" - local fw_sha="$(algo_to_sha ${fw_algo})" - local kern_sha="$(algo_to_sha ${kern_algo})" + local root_rsa + local fw_rsa + local kern_rsa + root_rsa="$(algo_to_rsa "${root_algo}")" + fw_rsa="$(algo_to_rsa "${fw_algo}")" + kern_rsa="$(algo_to_rsa "${kern_algo}")" + + local root_sha + local fw_sha + root_sha="$(algo_to_sha "${root_algo}")" + fw_sha="$(algo_to_sha "${fw_algo}")" # Pack keys using original vboot utilities - ${FUTILITY} vbutil_key --pack rootkey.test \ - --key "${TESTKEY_DIR}/key_${root_rsa}.keyb" --algorithm ${root_algo} - ${FUTILITY} vbutil_key --pack fwsubkey.test \ - --key "${TESTKEY_DIR}/key_${fw_rsa}.keyb" --algorithm ${fw_algo} - ${FUTILITY} vbutil_key --pack kernkey.test \ - --key "${TESTKEY_DIR}/key_${kern_rsa}.keyb" --algorithm ${kern_algo} + "${FUTILITY}" vbutil_key --pack rootkey.test \ + --key "${TESTKEY_DIR}/key_${root_rsa}.keyb" \ + --algorithm "${root_algo}" + "${FUTILITY}" vbutil_key --pack fwsubkey.test \ + --key "${TESTKEY_DIR}/key_${fw_rsa}.keyb" \ + --algorithm "${fw_algo}" + "${FUTILITY}" vbutil_key --pack kernkey.test \ + --key "${TESTKEY_DIR}/key_${kern_rsa}.keyb" \ + --algorithm "${kern_algo}" # Create a GBB with the root key - ${FUTILITY} gbb -c 128,2400,0,0 gbb.test - ${FUTILITY} gbb gbb.test -s --hwid='Test GBB' \ + "${FUTILITY}" gbb -c 128,2400,0,0 gbb.test + "${FUTILITY}" gbb gbb.test -s --hwid='Test GBB' \ --rootkey=rootkey.test # Keyblock with firmware subkey is signed by root key - ${FUTILITY} vbutil_keyblock --pack keyblock.test \ + "${FUTILITY}" vbutil_keyblock --pack keyblock.test \ --datapubkey fwsubkey.test \ --signprivate "${TESTKEY_DIR}/key_${root_rsa}.${root_sha}.vbprivk" # Firmware preamble is signed with the firmware subkey - ${FUTILITY} vbutil_firmware \ + "${FUTILITY}" vbutil_firmware \ --vblock vblock.test \ --keyblock keyblock.test \ --signprivate "${TESTKEY_DIR}/key_${fw_rsa}.${fw_sha}.vbprivk" \ @@ -89,7 +96,7 @@ run_test() "(root=${root_algo}, fw=${fw_algo}, kernel=${kern_algo})" # Verify the firmware using vboot2 checks - ${BUILD_RUN}/tests/vb20_verify_fw gbb.test vblock.test body.test + "${BUILD_RUN}/tests/vb20_verify_fw" gbb.test vblock.test body.test happy 'vb2_verify_fw succeeded' } diff --git a/tests/vb2_rsa_tests.sh b/tests/vb2_rsa_tests.sh index 903d38da..58d99b2c 100755 --- a/tests/vb2_rsa_tests.sh +++ b/tests/vb2_rsa_tests.sh @@ -16,24 +16,24 @@ TEST_FILE=${TESTCASE_DIR}/test_file function test_signatures { algorithmcounter=0 - for keylen in ${key_lengths[@]} + for keylen in "${key_lengths[@]}" do - for hashalgo in ${hash_algos[@]} + for hashalgo in "${hash_algos[@]}" do echo -e "For ${COL_YELLOW}RSA-$keylen and $hashalgo${COL_STOP}:" - ${BIN_DIR}/verify_data $algorithmcounter \ - ${TESTKEY_DIR}/key_rsa${keylen}.keyb \ - ${TEST_FILE}.rsa${keylen}_${hashalgo}.sig \ - ${TEST_FILE} - if [ $? -ne 0 ] + if ! "${BIN_DIR}/verify_data" "$algorithmcounter" \ + "${TESTKEY_DIR}/key_rsa${keylen}.keyb" \ + "${TEST_FILE}.rsa${keylen}_${hashalgo}.sig" \ + "${TEST_FILE}" then return_code=255 fi - let algorithmcounter=algorithmcounter+1 + algorithmcounter=$((algorithmcounter + 1)) done done echo -e "Peforming ${COL_YELLOW}PKCS #1 v1.5 Padding Tests${COL_STOP}..." - ${TEST_DIR}/vb20_rsa_padding_tests ${TESTKEY_DIR}/rsa_padding_test_pubkey.keyb + "${TEST_DIR}/vb20_rsa_padding_tests" \ + "${TESTKEY_DIR}/rsa_padding_test_pubkey.keyb" } check_test_keys @@ -41,4 +41,3 @@ echo "Testing signature verification..." test_signatures exit $return_code - |