authorBill Richardson <wfrichar@chromium.org>2014-09-23 22:17:02 -0700
committerchrome-internal-fetch <chrome-internal-fetch@google.com>2014-09-27 00:28:51 +0000
commitc540f59be047d69251b7f9ce0637a8a0c6fe150f (patch)
tree1734eb933cb0bada6f4993c12c554724464de013 /tests/futility
parent5f2696d2ff09d7c9c5c6125e9f0a62e56e54e0b8 (diff)
downloadvboot-c540f59be047d69251b7f9ce0637a8a0c6fe150f.tar.gz
futility: Allow signing raw firmware blob and keyblocks
BUG=none BRANCH=ToT TEST=make runtests Signed-off-by: Bill Richardson <wfrichar@chromium.org> Change-Id: Ib1cf55301fd4c54e3280ef01b7d67a780e7e56fe Reviewed-on: https://chromium-review.googlesource.com/219731 Reviewed-by: Randall Spangler <rspangler@chromium.org>
Diffstat (limited to 'tests/futility')
-rwxr-xr-xtests/futility/run_test_scripts.sh2
-rwxr-xr-xtests/futility/test_sign_fw_main.sh46
-rwxr-xr-xtests/futility/test_sign_keyblocks.sh110
3 files changed, 158 insertions, 0 deletions
diff --git a/tests/futility/run_test_scripts.sh b/tests/futility/run_test_scripts.sh
index bb3a600b..f4508461 100755
--- a/tests/futility/run_test_scripts.sh
+++ b/tests/futility/run_test_scripts.sh
@@ -45,6 +45,8 @@ ${SCRIPTDIR}/test_dump_fmap.sh
${SCRIPTDIR}/test_load_fmap.sh
${SCRIPTDIR}/test_gbb_utility.sh
${SCRIPTDIR}/test_show_kernel.sh
+${SCRIPTDIR}/test_sign_keyblocks.sh
+${SCRIPTDIR}/test_sign_fw_main.sh
${SCRIPTDIR}/test_sign_firmware.sh
${SCRIPTDIR}/test_sign_kernel.sh
"
diff --git a/tests/futility/test_sign_fw_main.sh b/tests/futility/test_sign_fw_main.sh
new file mode 100755
index 00000000..eec68a6c
--- /dev/null
+++ b/tests/futility/test_sign_fw_main.sh
@@ -0,0 +1,46 @@
+#!/bin/bash -eux
+# Copyright 2014 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+me=${0##*/}
+TMP="$me.tmp"
+
+# Work in scratch directory
+cd "$OUTDIR"
+
+KEYDIR=${SRCDIR}/tests/devkeys
+
+# create a firmware blob
+dd bs=1024 count=16 if=/dev/urandom of=${TMP}.fw_main
+
+# try the old way
+${FUTILITY} vbutil_firmware --vblock ${TMP}.vblock.old \
+ --keyblock ${KEYDIR}/firmware.keyblock \
+ --signprivate ${KEYDIR}/firmware_data_key.vbprivk \
+ --version 12 \
+ --fv ${TMP}.fw_main \
+ --kernelkey ${KEYDIR}/kernel_subkey.vbpubk \
+ --flags 42
+
+# verify
+${FUTILITY} vbutil_firmware --verify ${TMP}.vblock.old \
+ --signpubkey ${KEYDIR}/root_key.vbpubk \
+ --fv ${TMP}.fw_main
+
+# and the new way
+${FUTILITY} sign --debug \
+ --signprivate ${KEYDIR}/firmware_data_key.vbprivk \
+ --keyblock ${KEYDIR}/firmware.keyblock \
+ --kernelkey ${KEYDIR}/kernel_subkey.vbpubk \
+ --version 12 \
+ --fv ${TMP}.fw_main \
+ --flags 42 \
+ ${TMP}.vblock.new
+
+# They should match
+cmp ${TMP}.vblock.old ${TMP}.vblock.new
+
+# cleanup
+rm -rf ${TMP}*
+exit 0
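Review bot: The new `futility sign` output at `${TMP}.vblock.new` is never verified on its own; the only check on it is the byte-for-byte `cmp` against the old vblock, so a future change that breaks verification of both paths identically would still pass this test. I would add a second verification step after the new-way signing, mirroring the old one: `${FUTILITY} vbutil_firmware --verify ${TMP}.vblock.new --signpubkey ${KEYDIR}/root_key.vbpubk --fv ${TMP}.fw_main`. The `--version 12` and `--flags 42` values are also only asserted indirectly through `cmp`; checking the `--verify` output for them would catch a regression in how the new front-end parses those options. A short header comment such as `# Checks that 'futility sign' on a raw firmware blob produces a vblock identical to vbutil_firmware's` would make the test's intent clear to someone reading the runner list.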
diff --git a/tests/futility/test_sign_keyblocks.sh b/tests/futility/test_sign_keyblocks.sh
new file mode 100755
index 00000000..1cccd346
--- /dev/null
+++ b/tests/futility/test_sign_keyblocks.sh
@@ -0,0 +1,110 @@
+#!/bin/bash -eux
+# Copyright 2014 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+me=${0##*/}
+TMP="$me.tmp"
+
+# Work in scratch directory
+cd "$OUTDIR"
+
+# some stuff we'll need
+DEVKEYS=${SRCDIR}/tests/devkeys
+TESTKEYS=${SRCDIR}/tests/testkeys
+SIGNER=${SRCDIR}/tests/external_rsa_signer.sh
+
+
+# Create a copy of an existing keyblock, using the old way
+${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \
+ --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
+ --flags 7 \
+ --signprivate ${DEVKEYS}/root_key.vbprivk
+
+# Check it.
+${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock0 \
+ --signpubkey ${DEVKEYS}/root_key.vbpubk
+
+# It should be the same as the dev-key firmware keyblock
+cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock0
+
+
+# Now create it the new way
+${FUTILITY} sign --debug \
+ --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
+ --flags 7 \
+ --signprivate ${DEVKEYS}/root_key.vbprivk \
+ --outfile ${TMP}.keyblock1
+
+# It should be the same too.
+cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock1
+
+
+# Create a keyblock without signing it.
+
+# old way
+${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \
+ --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
+ --flags 14
+
+# new way
+${FUTILITY} sign --debug \
+ --flags 14 \
+ ${DEVKEYS}/firmware_data_key.vbpubk \
+ ${TMP}.keyblock1
+
+cmp ${TMP}.keyblock0 ${TMP}.keyblock1
+
+
+# Create one using PEM args
+
+# old way
+${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock2 \
+ --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
+ --signprivate_pem ${TESTKEYS}/key_rsa4096.pem \
+ --pem_algorithm 8 \
+ --flags 9
+
+# verify it
+${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock2 \
+ --signpubkey ${TESTKEYS}/key_rsa4096.sha512.vbpubk
+
+# new way
+${FUTILITY} sign --debug \
+ --pem_signpriv ${TESTKEYS}/key_rsa4096.pem \
+ --pem_algo 8 \
+ --flags 9 \
+ ${DEVKEYS}/firmware_data_key.vbpubk \
+ ${TMP}.keyblock3
+
+cmp ${TMP}.keyblock2 ${TMP}.keyblock3
+
+# Try it with an external signer
+
+# old way
+${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock4 \
+ --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
+ --signprivate_pem ${TESTKEYS}/key_rsa4096.pem \
+ --pem_algorithm 8 \
+ --flags 19 \
+ --externalsigner ${SIGNER}
+
+# verify it
+${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock4 \
+ --signpubkey ${TESTKEYS}/key_rsa4096.sha512.vbpubk
+
+# new way
+${FUTILITY} sign --debug \
+ --pem_signpriv ${TESTKEYS}/key_rsa4096.pem \
+ --pem_algo 8 \
+ --pem_external ${SIGNER} \
+ --flags 19 \
+ ${DEVKEYS}/firmware_data_key.vbpubk \
+ ${TMP}.keyblock5
+
+cmp ${TMP}.keyblock4 ${TMP}.keyblock5
+
+
+# cleanup
+rm -rf ${TMP}*
+exit 0
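Review bot: The unsigned-keyblock case (the `--flags 14` pair) only compares the two outputs and never unpacks either, so a keyblock that both paths produce identically malformed would pass; add `${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock0` after that `cmp` so the hash-only keyblock is at least parsed. The same gap exists for the new-way outputs in the PEM and external-signer sections: `${TMP}.keyblock3` and `${TMP}.keyblock5` are only checked via `cmp`, while the old-way outputs get an explicit `--unpack --signpubkey` check. The new-way invocations mix `--outfile` (first case) with a positional output path (later cases); if that is deliberate coverage of both argument forms, a comment like `# exercise both --outfile and the positional outfile form` would stop a later cleanup from unifying them. Since `rm -rf ${TMP}*` only runs on success under `-e`, intermediate keyblocks are left behind on failure, which is presumably intended for debugging but worth a one-line comment.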