authorAlyssa Haroldsen <kupiakos@google.com>2022-04-12 14:21:46 -0700
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2022-04-13 10:35:51 +0000
commit33ff54fd5272ba4807c704aee8a46ee5d7d29215 (patch)
tree1a2d749c922830acffe60c384d4a45b0bf5cf569
parente61f21346777c792868c96aad295aa704a41eae3 (diff)
downloadvboot-33ff54fd5272ba4807c704aee8a46ee5d7d29215.tar.gz
[futility] Open gscvd in R/O mode when verifying
Otherwise, it will mutate the file under your feet! This also adds some clarifying messages, including a message if verification failed due to incorrect signing instead of silent output. BUG=None TEST=`futility gscvd <file>` does not change sha256sum of file BRANCH=None Signed-off-by: Alyssa Haroldsen <kupiakos@google.com> Change-Id: Ic793ad47c0160e3cedb7e2b7cc842a3f4380749d Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3584690 Reviewed-by: Vadim Bendebury <vbendeb@chromium.org> Commit-Queue: Alyssa Haroldsen <kupiakos@google.com> Tested-by: Alyssa Haroldsen <kupiakos@google.com>
-rw-r--r--futility/cmd_gscvd.c27
-rw-r--r--futility/cmd_show.c3
2 files changed, 18 insertions, 12 deletions
diff --git a/futility/cmd_gscvd.c b/futility/cmd_gscvd.c
index 7fff2933..e8b2fae1 100644
--- a/futility/cmd_gscvd.c
+++ b/futility/cmd_gscvd.c
@@ -40,9 +40,9 @@
* AP firmware file is ~/tmp/guybrush-signed:
*
./build/futility/futility gscvd --outfile ~/tmp/guybrush-signed \
- -R 818100:10000,f00000:100,f80000:2000,f8c000:1000,0x00804000:0x00000800 \
- -k ~/tmp/packed -p tests/devkeys/arv_platform.vbprivk -b 5a5a4352 \
- -r tests/devkeys/arv_root.vbpubk ~/tmp/image-guybrush.serial.bin
+ -R 818100:10000,f00000:100,f80000:2000,f8c000:1000,0x00804000:0x00000800 \
+ -k ~/tmp/packed -p tests/devkeys/arv_platform.vbprivk -b 5a5a4352 \
+ -r tests/devkeys/arv_root.vbpubk ~/tmp/image-guybrush.serial.bin
*------------
* Command to validate a previously signed AP firmware file. The hash is the
* sha256sum of tests/devkeys/kernel_subkey.vbpubk:
@@ -140,12 +140,13 @@ struct gscvd_ro_ranges {
*
* @return 0 on success 1 on failure.
*/
-static int load_ap_firmware(const char *file_name, struct file_buf *file)
+static int load_ap_firmware(const char *file_name, struct file_buf *file,
+ int mode)
{
int fd;
int rv;
- fd = open(file_name, O_RDWR);
+ fd = open(file_name, mode);
if (fd < 0) {
ERROR("Can't open %s: %s\n", file_name,
strerror(errno));
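Review bot: The doc comment above load_ap_firmware (only its `@return` tail is visible in this hunk) does not describe the new `mode` argument, which is passed straight to open() as its flags. I would add `@param mode open(2) access mode: O_RDONLY when verifying, O_RDWR when signing; also decides whether the file is mapped read-only or read/write.` The function body continues past the end of this hunk.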
@@ -156,7 +157,8 @@ static int load_ap_firmware(const char *file_name, struct file_buf *file)
do {
rv = 1;
- if (futil_map_file(fd, MAP_RW, &file->data, &file->len)) {
+ if (futil_map_file(fd, mode == O_RDWR ? MAP_RW : MAP_RO,
+ &file->data, &file->len)) {
file->data = NULL;
break;
}
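Review bot: The `mode == O_RDWR` test in the futil_map_file() call compares the whole open() flag word, so a caller that passes `O_RDWR | O_CLOEXEC` or any other extra flag would get a MAP_RO mapping on a descriptor opened read/write. Masking the access bits keeps the open mode and the mapping mode in step: `if (futil_map_file(fd, (mode & O_ACCMODE) == O_RDWR ? MAP_RW : MAP_RO,`. Falling back to MAP_RO for every other value is the right default for the verification path and should stay. The enclosing do-block and the function extend beyond this hunk.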
@@ -807,7 +809,7 @@ static int validate_gscvd(int argc, char *argv[])
rv = -1; /* Speculative, will be cleared on success. */
- if (load_ap_firmware(file_name, &ap_firmware_file))
+ if (load_ap_firmware(file_name, &ap_firmware_file, O_RDONLY))
break;
/* Copy ranges from gscvd to local structure. */
@@ -842,12 +844,15 @@ static int validate_gscvd(int argc, char *argv[])
break;
}
- if (validate_pubk_signature(&gvd->root_key_header,
- kblock))
+ if (validate_pubk_signature(&gvd->root_key_header, kblock)) {
+ ERROR("Keyblock not signed by root key\n");
break;
+ }
- if (validate_gvd_signature(gvd, &kblock->data_key))
+ if (validate_gvd_signature(gvd, &kblock->data_key)) {
+ ERROR("GVD not signed by platform key\n");
break;
+ }
rv = 0;
} while (false);
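Review bot: The two new ERROR strings in validate_gscvd name one specific cause for any non-zero return from validate_pubk_signature() and validate_gvd_signature(). Those helpers are not visible in this hunk; if they can also fail on a malformed key or header, the operator is told "not signed by ..." for an input that never reached a signature check. Wording that matches what the caller actually knows would be safer, for example `ERROR("Keyblock verification against root key failed\n");` and `ERROR("GVD verification against platform key failed\n");`. The function starts and ends outside the hunk.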
@@ -1009,7 +1014,7 @@ static int do_gscvd(int argc, char *argv[])
if (validate_privk(kblock, plat_privk))
break;
- if (load_ap_firmware(work_file, &ap_firmware_file))
+ if (load_ap_firmware(work_file, &ap_firmware_file, O_RDWR))
break;
if (verify_ranges(&ranges, &ap_firmware_file))
diff --git a/futility/cmd_show.c b/futility/cmd_show.c
index dbe6edde..08974e4c 100644
--- a/futility/cmd_show.c
+++ b/futility/cmd_show.c
@@ -635,4 +635,5 @@ static int do_verify(int argc, char *argv[])
DECLARE_FUTIL_COMMAND(verify, do_verify,
VBOOT_VERSION_ALL,
- "Verify the signatures of various binary components");
+ "Verify the signatures of various binary components. "
+ "This does not verify GSCVD contents.");