author | Joel Kitching <kitching@google.com> | 2021-06-16 05:23:19 +0800 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2021-07-05 02:46:24 +0000 |
commit | 9ea1e75805cfb7523729c5f5d48df0d05ced1b11 (patch) | |
tree | 5ce8f16f296b745a800762c42e76e7889ac34d54 /tests | |
parent | b95414c73b1b44485a072abdd55e0d8f965deb9d (diff) | |
download | vboot-9ea1e75805cfb7523729c5f5d48df0d05ced1b11.tar.gz |
vboot: introduce minios_kernel.keyblock
miniOS requires a distinct kernel data key, whose dev key pair
is added in this CL as minios_kernel_data_key.vb{pub,priv}k.
A distinct keyblock is also required. The keyblock should set
the kernel keyblock flag MINIOS_1. Other keyblocks are modified
appropriately to set MINIOS_0. Keyblocks were generated using
the following commands:
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/ec_data_key.vbpubk
--signprivate tests/devkeys/ec_root_key.vbprivk
--pack tests/devkeys/ec.keyblock
Keyblock file: tests/devkeys/ec.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 7 RSA4096 SHA256
Data key version: 1
Data key sha1sum: 5833470fe934be76753cb6501dbb8fbf88ab272b
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/firmware_data_key.vbpubk
--signprivate tests/devkeys/root_key.vbprivk
--pack tests/devkeys/firmware.keyblock
Keyblock file: tests/devkeys/firmware.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 7 RSA4096 SHA256
Data key version: 1
Data key sha1sum: e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450
$ futility vbutil_keyblock
--flags 27
--datapubkey tests/devkeys/recovery_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/recovery_kernel.keyblock
Keyblock file: tests/devkeys/recovery_kernel.keyblock
Signature valid
Flags: 27 !DEV DEV REC !MINIOS
Data key algorithm: 11 RSA8192 SHA512
Data key version: 1
Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb
$ futility vbutil_keyblock
--flags 43
--datapubkey tests/devkeys/minios_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/minios_kernel.keyblock
Keyblock file: tests/devkeys/minios_kernel.keyblock
Signature valid
Flags: 43 !DEV DEV REC MINIOS
Data key algorithm: 8 RSA4096 SHA512
Data key version: 1
Data key sha1sum: 65441886bc54cbfe3a7308b650806f4b61d8d142
$ futility vbutil_keyblock
--flags 23
--datapubkey tests/devkeys/kernel_data_key.vbpubk
--signprivate tests/devkeys/kernel_subkey.vbprivk
--pack tests/devkeys/kernel.keyblock
Keyblock file: tests/devkeys/kernel.keyblock
Signature valid
Flags: 23 !DEV DEV !REC !MINIOS
Data key algorithm: 4 RSA2048 SHA256
Data key version: 1
Data key sha1sum: d6170aa480136f1f29cf339a5ab1b960585fa444
$ futility vbutil_keyblock
--flags 26
--datapubkey tests/devkeys/installer_kernel_data_key.vbpubk
--signprivate tests/devkeys/recovery_key.vbprivk
--pack tests/devkeys/installer_kernel.keyblock
Keyblock file: tests/devkeys/installer_kernel.keyblock
Signature valid
Flags: 26 DEV REC !MINIOS
Data key algorithm: 11 RSA8192 SHA512
Data key version: 1
Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb
BUG=b:188121855
TEST=make clean && make runtests
BRANCH=none
Signed-off-by: Joel Kitching <kitching@google.com>
Change-Id: I5b3e4def83ff29ca156b3c84dfcb8398f4985e67
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2965485
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/devkeys/ec.keyblock | bin | 1720 -> 1720 bytes | |||
-rw-r--r-- | tests/devkeys/firmware.keyblock | bin | 2232 -> 2232 bytes | |||
-rw-r--r-- | tests/devkeys/installer_kernel.keyblock | bin | 3256 -> 3256 bytes | |||
-rw-r--r-- | tests/devkeys/kernel.keyblock | bin | 1208 -> 1208 bytes | |||
-rw-r--r-- | tests/devkeys/minios_kernel.keyblock | bin | 0 -> 2232 bytes | |||
-rw-r--r-- | tests/devkeys/minios_kernel_data_key.vbprivk | bin | 0 -> 2356 bytes | |||
-rw-r--r-- | tests/devkeys/minios_kernel_data_key.vbpubk | bin | 0 -> 1064 bytes | |||
-rw-r--r-- | tests/devkeys/recovery_kernel.keyblock | bin | 3256 -> 3256 bytes | |||
-rw-r--r-- | tests/futility/expect_output/show.tests_devkeys_kernel.keyblock | 2 | ||||
-rw-r--r-- | tests/futility/expect_output/vbutil_firmware.verify | 2 | ||||
-rw-r--r-- | tests/futility/expect_output/vbutil_keyblock.tests_devkeys_kernel.keyblock | 2 | ||||
-rwxr-xr-x | tests/futility/test_sign_keyblocks.sh | 4 | ||||
-rwxr-xr-x | tests/load_kernel_tests.sh | 4 |
13 files changed, 7 insertions, 7 deletions
diff --git a/tests/devkeys/ec.keyblock b/tests/devkeys/ec.keyblock
Binary files differ
index 6b088f32..d9342918 100644
--- a/tests/devkeys/ec.keyblock
+++ b/tests/devkeys/ec.keyblock
diff --git a/tests/devkeys/firmware.keyblock b/tests/devkeys/firmware.keyblock
Binary files differ
index 1e2273e5..e3653f85 100644
--- a/tests/devkeys/firmware.keyblock
+++ b/tests/devkeys/firmware.keyblock
diff --git a/tests/devkeys/installer_kernel.keyblock b/tests/devkeys/installer_kernel.keyblock
Binary files differ
index cfa3bd18..282e1d62 100644
--- a/tests/devkeys/installer_kernel.keyblock
+++ b/tests/devkeys/installer_kernel.keyblock
diff --git a/tests/devkeys/kernel.keyblock b/tests/devkeys/kernel.keyblock
Binary files differ
index 9740be4e..6bb72137 100644
--- a/tests/devkeys/kernel.keyblock
+++ b/tests/devkeys/kernel.keyblock
diff --git a/tests/devkeys/minios_kernel.keyblock b/tests/devkeys/minios_kernel.keyblock
Binary files differ
new file mode 100644
index 00000000..3675690b
--- /dev/null
+++ b/tests/devkeys/minios_kernel.keyblock
diff --git a/tests/devkeys/minios_kernel_data_key.vbprivk b/tests/devkeys/minios_kernel_data_key.vbprivk
Binary files differ
new file mode 100644
index 00000000..da3a15bf
--- /dev/null
+++ b/tests/devkeys/minios_kernel_data_key.vbprivk
diff --git a/tests/devkeys/minios_kernel_data_key.vbpubk b/tests/devkeys/minios_kernel_data_key.vbpubk
Binary files differ
new file mode 100644
index 00000000..34ff93be
--- /dev/null
+++ b/tests/devkeys/minios_kernel_data_key.vbpubk
diff --git a/tests/devkeys/recovery_kernel.keyblock b/tests/devkeys/recovery_kernel.keyblock
Binary files differ
index ad16e399..c1c8effd 100644
--- a/tests/devkeys/recovery_kernel.keyblock
+++ b/tests/devkeys/recovery_kernel.keyblock
diff --git a/tests/futility/expect_output/show.tests_devkeys_kernel.keyblock b/tests/futility/expect_output/show.tests_devkeys_kernel.keyblock
index 6505d91e..2266424f 100644
--- a/tests/futility/expect_output/show.tests_devkeys_kernel.keyblock
+++ b/tests/futility/expect_output/show.tests_devkeys_kernel.keyblock
@@ -1,7 +1,7 @@
 Keyblock: tests/devkeys/kernel.keyblock
 Signature: ignored
 Size: 0x4b8
- Flags: 7 !DEV DEV !REC
+ Flags: 23 !DEV DEV !REC !MINIOS
 Data key algorithm: 4 RSA2048 SHA256
 Data key version: 1
 Data key sha1sum: d6170aa480136f1f29cf339a5ab1b960585fa444
diff --git a/tests/futility/expect_output/vbutil_firmware.verify b/tests/futility/expect_output/vbutil_firmware.verify
index edc9c654..e23c1699 100644
--- a/tests/futility/expect_output/vbutil_firmware.verify
+++ b/tests/futility/expect_output/vbutil_firmware.verify
@@ -1,6 +1,6 @@
 Keyblock:
 Size: 2232
- Flags: 7 (ignored)
+ Flags: 23 (ignored)
 Data key algorithm: 7 RSA4096 SHA256
 Data key version: 1
 Data key sha1sum: e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450
diff --git a/tests/futility/expect_output/vbutil_keyblock.tests_devkeys_kernel.keyblock b/tests/futility/expect_output/vbutil_keyblock.tests_devkeys_kernel.keyblock
index d55fce3a..afb0faf2 100644
--- a/tests/futility/expect_output/vbutil_keyblock.tests_devkeys_kernel.keyblock
+++ b/tests/futility/expect_output/vbutil_keyblock.tests_devkeys_kernel.keyblock
@@ -1,6 +1,6 @@
 Keyblock file: tests/devkeys/kernel.keyblock
 Signature valid
-Flags: 7 !DEV DEV !REC
+Flags: 23 !DEV DEV !REC !MINIOS
 Data key algorithm: 4 RSA2048 SHA256
 Data key version: 1
 Data key sha1sum: d6170aa480136f1f29cf339a5ab1b960585fa444
diff --git a/tests/futility/test_sign_keyblocks.sh b/tests/futility/test_sign_keyblocks.sh
index 7ba43afa..f689c89c 100755
--- a/tests/futility/test_sign_keyblocks.sh
+++ b/tests/futility/test_sign_keyblocks.sh
@@ -18,7 +18,7 @@ SIGNER=${SRCDIR}/tests/external_rsa_signer.sh
 # Create a copy of an existing keyblock, using the old way
 ${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \
 --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
- --flags 7 \
+ --flags 23 \
 --signprivate ${DEVKEYS}/root_key.vbprivk
 # Check it.
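Review bot: The `--flags 23` literal in the old-way `vbutil_keyblock --pack` call is an undocumented magic number, and the same literal is repeated in the `futility sign` call of the next hunk (-32,7) of this file. Going by the keyblock listings in the commit description, 23 decodes to `!DEV DEV !REC !MINIOS`, so a comment such as `# Flags=23 means dev=0|1 rec=0 minios=0` above each call, in the style of the one in tests/load_kernel_tests.sh, would record which boot modes this keyblock is meant to be valid in. The next hunk's header line shows the first output being compared with `cmp` against the checked-in firmware.keyblock, so the value has to track the flags that file was generated with; defining it once (for example `FW_KEYBLOCK_FLAGS=23`, a name constructed for this note) and passing `--flags ${FW_KEYBLOCK_FLAGS} \` in both calls would keep the two from drifting apart. Both commands sit in top-level script code that continues outside the visible context.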
@@ -32,7 +32,7 @@ cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock0
 # Now create it the new way
 ${FUTILITY} --debug sign \
 --datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
- --flags 7 \
+ --flags 23 \
 --signprivate ${DEVKEYS}/root_key.vbprivk \
 --outfile ${TMP}.keyblock1
diff --git a/tests/load_kernel_tests.sh b/tests/load_kernel_tests.sh
index d5f41f25..45eedf4c 100755
--- a/tests/load_kernel_tests.sh
+++ b/tests/load_kernel_tests.sh
@@ -31,10 +31,10 @@ ${FUTILITY} vbutil_key --pack datakey.test \
 --key ${TESTKEY_DIR}/key_rsa2048.keyb --algorithm 4
 # Keyblock with kernel data key is signed by kernel subkey
-# Flags=5 means dev=0 rec=0
+# Flags=21 means dev=0 rec=0 minios=0
 ${FUTILITY} vbutil_keyblock --pack keyblock.test \
 --datapubkey datakey.test \
- --flags 5 \
+ --flags 21 \
 --signprivate ${SCRIPT_DIR}/devkeys/kernel_subkey.vbprivk
 # Kernel preamble is signed with the kernel data key
|
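Review bot: The only keyblock packed in the tests/load_kernel_tests.sh hunk uses `--flags 21` (dev=0 rec=0 minios=0), so nothing visible here exercises the MINIOS_1 side of the new flag pair. If the rest of the script, which lies outside this hunk, does not already cover it, a second keyblock packed with the MINIOS_1 bit in place of MINIOS_0 would give the test a negative case: by the bit layout implied in the commit description that is `--flags 37 \`, with the comment `# Flags=37 means dev=0 rec=0 minios=1`. The test should then assert that the normal-mode kernel load refuses it, presumably the intended behaviour, so a miniOS keyblock being accepted outside miniOS would be caught as a regression. Separately, the updated comment could spell out the bit values (`# Flags=21 = 0x01 dev=0 | 0x04 rec=0 | 0x10 minios=0`) so the next flag added does not need to be reverse-engineered from futility output.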