diff options
author | Bill Richardson <wfrichar@chromium.org> | 2014-09-23 22:03:56 -0700 |
---|---|---|
committer | chrome-internal-fetch <chrome-internal-fetch@google.com> | 2014-09-27 00:28:48 +0000 |
commit | 5f2696d2ff09d7c9c5c6125e9f0a62e56e54e0b8 (patch) | |
tree | 78fe9db3fc891145366e3130dbf6ce30367b6fd3 /tests/futility | |
parent | b0f1cc5e22e87a3ef1655643116991673dd1b531 (diff) | |
download | vboot-5f2696d2ff09d7c9c5c6125e9f0a62e56e54e0b8.tar.gz |
futility: Add support for [re]signing kernel partitions
BUG=none
BRANCH=ToT
TEST=make runtests
This also modifies the tests to compare the futility sign command
results against the vbutil_kernel results.
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Change-Id: Ibc659f134cc83982e3f0c0bcc108cc0eddbe228e
Reviewed-on: https://chromium-review.googlesource.com/219730
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Diffstat (limited to 'tests/futility')
-rwxr-xr-x | tests/futility/run_test_scripts.sh | 1 | ||||
-rwxr-xr-x | tests/futility/test_show_kernel.sh | 55 | ||||
-rwxr-xr-x | tests/futility/test_sign_kernel.sh | 98 |
3 files changed, 116 insertions, 38 deletions
diff --git a/tests/futility/run_test_scripts.sh b/tests/futility/run_test_scripts.sh index bb59a0c8..bb3a600b 100755 --- a/tests/futility/run_test_scripts.sh +++ b/tests/futility/run_test_scripts.sh @@ -44,6 +44,7 @@ ${SCRIPTDIR}/test_main.sh ${SCRIPTDIR}/test_dump_fmap.sh ${SCRIPTDIR}/test_load_fmap.sh ${SCRIPTDIR}/test_gbb_utility.sh +${SCRIPTDIR}/test_show_kernel.sh ${SCRIPTDIR}/test_sign_firmware.sh ${SCRIPTDIR}/test_sign_kernel.sh " diff --git a/tests/futility/test_show_kernel.sh b/tests/futility/test_show_kernel.sh new file mode 100755 index 00000000..d4322451 --- /dev/null +++ b/tests/futility/test_show_kernel.sh @@ -0,0 +1,55 @@ +#!/bin/bash -eux +# Copyright (c) 2014 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +me=${0##*/} +TMP="$me.tmp" + +# Work in scratch directory +cd "$OUTDIR" + +DEVKEYS=${SRCDIR}/tests/devkeys +TESTKEYS=${SRCDIR}/tests/testkeys + +echo 'Creating test kernel' + +# Dummy kernel data +echo "hi there" > ${TMP}.config.txt +dd if=/dev/urandom bs=16384 count=1 of=${TMP}.bootloader.bin +dd if=/dev/urandom bs=32768 count=1 of=${TMP}.kernel.bin + +# Pack kernel data key using original vboot utilities. +${FUTILITY} vbutil_key --pack ${TMP}.datakey.test \ + --key ${TESTKEYS}/key_rsa2048.keyb --algorithm 4 + +# Keyblock with kernel data key is signed by kernel subkey +# Flags=5 means dev=0 rec=0 +${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock.test \ + --datapubkey ${TMP}.datakey.test \ + --flags 5 \ + --signprivate ${DEVKEYS}/kernel_subkey.vbprivk + +# Kernel preamble is signed with the kernel data key +${FUTILITY} vbutil_kernel \ + --pack ${TMP}.kernel.test \ + --keyblock ${TMP}.keyblock.test \ + --signprivate ${TESTKEYS}/key_rsa2048.sha256.vbprivk \ + --version 1 \ + --arch arm \ + --vmlinuz ${TMP}.kernel.bin \ + --bootloader ${TMP}.bootloader.bin \ + --config ${TMP}.config.txt + +echo 'Verifying test kernel' + +# Verify the kernel +${FUTILITY} show ${TMP}.kernel.test \ + --publickey ${DEVKEYS}/kernel_subkey.vbpubk \ + | egrep 'Signature.*valid' + +echo 'Test kernel blob looks good' + +# cleanup +rm -rf ${TMP}* +exit 0 diff --git a/tests/futility/test_sign_kernel.sh b/tests/futility/test_sign_kernel.sh index f6fe1a1a..0fdb6259 100755 --- a/tests/futility/test_sign_kernel.sh +++ b/tests/futility/test_sign_kernel.sh @@ -17,15 +17,15 @@ dd if=/dev/urandom bs=512 count=1 of=${TMP}.bootloader.bin dd if=/dev/urandom bs=512 count=1 of=${TMP}.bootloader2.bin # default padding -padding=65536 +padding=49152 try_arch () { local arch=$1 - echo -n "${arch}.a " 1>&3 + echo -n "${arch}: 1 " 1>&3 # pack it up the old way - ${FUTILITY} vbutil_kernel0 --debug \ + ${FUTILITY} vbutil_kernel --debug \ --pack ${TMP}.blob1.${arch} \ --keyblock ${DEVKEYS}/recovery_kernel.keyblock \ --signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \ @@ -34,17 +34,19 @@ try_arch () { --bootloader ${TMP}.bootloader.bin \ --vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \ --arch ${arch} \ + --pad ${padding} \ --kloadaddr 0x11000 # verify the old way - ${FUTILITY} vbutil_kernel0 --verify ${TMP}.blob1.${arch} \ + ${FUTILITY} vbutil_kernel --verify ${TMP}.blob1.${arch} \ + --pad ${padding} \ --signpubkey ${DEVKEYS}/recovery_key.vbpubk ${FUTILITY} vbutil_kernel --verify ${TMP}.blob1.${arch} \ + --pad ${padding} \ --signpubkey ${DEVKEYS}/recovery_key.vbpubk --debug # pack it up the new way - ${FUTILITY} vbutil_kernel --debug \ - --pack ${TMP}.blob2.${arch} \ + ${FUTILITY} sign --debug \ --keyblock ${DEVKEYS}/recovery_kernel.keyblock \ --signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \ --version 1 \ @@ -52,45 +54,70 @@ try_arch () { --bootloader ${TMP}.bootloader.bin \ --vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \ --arch ${arch} \ - --kloadaddr 0x11000 + --pad ${padding} \ + --kloadaddr 0x11000 \ + --outfile ${TMP}.blob2.${arch} # they should be identical cmp ${TMP}.blob1.${arch} ${TMP}.blob2.${arch} + echo -n "2 " 1>&3 + # repack it the old way - ${FUTILITY} vbutil_kernel0 \ + ${FUTILITY} vbutil_kernel \ --repack ${TMP}.blob3.${arch} \ --oldblob ${TMP}.blob1.${arch} \ --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ --keyblock ${DEVKEYS}/kernel.keyblock \ --version 2 \ + --pad ${padding} \ --config ${TMP}.config2.txt \ --bootloader ${TMP}.bootloader2.bin # verify the old way - ${FUTILITY} vbutil_kernel0 --verify ${TMP}.blob3.${arch} \ + ${FUTILITY} vbutil_kernel --verify ${TMP}.blob3.${arch} \ + --pad ${padding} \ --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk ${FUTILITY} vbutil_kernel --verify ${TMP}.blob3.${arch} \ + --pad ${padding} \ --signpubkey ${DEVKEYS}/kernel_subkey.vbpubk # repack it the new way - ${FUTILITY} vbutil_kernel \ - --repack ${TMP}.blob4.${arch} \ - --oldblob ${TMP}.blob2.${arch} \ + ${FUTILITY} sign --debug \ --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ --keyblock ${DEVKEYS}/kernel.keyblock \ --version 2 \ + --pad ${padding} \ --config ${TMP}.config2.txt \ - --bootloader ${TMP}.bootloader2.bin + --bootloader ${TMP}.bootloader2.bin \ + ${TMP}.blob2.${arch} \ + ${TMP}.blob4.${arch} # they should be identical cmp ${TMP}.blob3.${arch} ${TMP}.blob4.${arch} + echo -n "3 " 1>&3 + + # repack it the new way, in-place + cp ${TMP}.blob2.${arch} ${TMP}.blob5.${arch} + ${FUTILITY} sign --debug \ + --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ + --keyblock ${DEVKEYS}/kernel.keyblock \ + --version 2 \ + --pad ${padding} \ + --config ${TMP}.config2.txt \ + --bootloader ${TMP}.bootloader2.bin \ + ${TMP}.blob5.${arch} + + # they should be identical + cmp ${TMP}.blob3.${arch} ${TMP}.blob5.${arch} + + # and now just the vblocks... - echo -n "${arch}.v " 1>&3 + echo -n "4 " 1>&3 dd bs=${padding} count=1 if=${TMP}.blob1.${arch} of=${TMP}.blob1.${arch}.vb0 - ${FUTILITY} vbutil_kernel0 \ + ${FUTILITY} vbutil_kernel \ --pack ${TMP}.blob1.${arch}.vb1 \ --vblockonly \ --keyblock ${DEVKEYS}/recovery_kernel.keyblock \ @@ -100,13 +127,12 @@ try_arch () { --bootloader ${TMP}.bootloader.bin \ --vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \ --arch ${arch} \ + --pad ${padding} \ --kloadaddr 0x11000 cmp ${TMP}.blob1.${arch}.vb0 ${TMP}.blob1.${arch}.vb1 dd bs=${padding} count=1 if=${TMP}.blob2.${arch} of=${TMP}.blob2.${arch}.vb0 - ${FUTILITY} vbutil_kernel \ - --pack ${TMP}.blob2.${arch}.vb1 \ - --vblockonly \ + ${FUTILITY} sign --debug \ --keyblock ${DEVKEYS}/recovery_kernel.keyblock \ --signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \ --version 1 \ @@ -114,50 +140,46 @@ try_arch () { --bootloader ${TMP}.bootloader.bin \ --vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \ --arch ${arch} \ - --kloadaddr 0x11000 + --pad ${padding} \ + --kloadaddr 0x11000 \ + --vblockonly \ + ${TMP}.blob2.${arch}.vb1 + cmp ${TMP}.blob2.${arch}.vb0 ${TMP}.blob2.${arch}.vb1 + echo -n "5 " 1>&3 + dd bs=${padding} count=1 if=${TMP}.blob3.${arch} of=${TMP}.blob3.${arch}.vb0 - ${FUTILITY} vbutil_kernel0 \ + ${FUTILITY} vbutil_kernel \ --repack ${TMP}.blob3.${arch}.vb1 \ --vblockonly \ --oldblob ${TMP}.blob1.${arch} \ --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ --keyblock ${DEVKEYS}/kernel.keyblock \ --version 2 \ + --pad ${padding} \ --config ${TMP}.config2.txt \ --bootloader ${TMP}.bootloader2.bin cmp ${TMP}.blob3.${arch}.vb0 ${TMP}.blob3.${arch}.vb1 dd bs=${padding} count=1 if=${TMP}.blob4.${arch} of=${TMP}.blob4.${arch}.vb0 - ${FUTILITY} vbutil_kernel \ - --repack ${TMP}.blob4.${arch}.vb1 \ - --vblockonly \ - --oldblob ${TMP}.blob2.${arch} \ + ${FUTILITY} sign --debug \ --signprivate ${DEVKEYS}/kernel_data_key.vbprivk \ --keyblock ${DEVKEYS}/kernel.keyblock \ --version 2 \ --config ${TMP}.config2.txt \ - --bootloader ${TMP}.bootloader2.bin - cmp ${TMP}.blob4.${arch}.vb0 ${TMP}.blob4.${arch}.vb1 + --bootloader ${TMP}.bootloader2.bin \ + --pad ${padding} \ + --vblockonly \ + ${TMP}.blob2.${arch} \ + ${TMP}.blob4.${arch}.vb1 \ + cmp ${TMP}.blob4.${arch}.vb0 ${TMP}.blob4.${arch}.vb1 # Note: We specifically do not test repacking with a different --kloadaddr, # because the old way has a bug and does not update params->cmd_line_ptr to # point at the new on-disk location. Apparently (and not surprisingly), no # one has ever done that. - -#HEY # pack it up the new way -#HEY ${FUTILITY} sign --debug \ -#HEY --vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \ -#HEY --config ${TMP}.config.txt \ -#HEY --bootloader ${TMP}.bootloader.bin \ -#HEY --arch ${arch} \ -#HEY --keyblock ${DEVKEYS}/recovery_kernel.keyblock \ -#HEY --signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \ -#HEY --version 1 \ -#HEY --outfile ${TMP}.blob2.${arch} - } try_arch amd64 |