author | Bill Richardson <wfrichar@chromium.org> | 2011-06-16 16:02:56 -0700 |
---|---|---|
committer | Bill Richardson <wfrichar@chromium.org> | 2011-06-17 10:22:22 -0700 |
commit | f155ab3a26d07f94dcf64732d6e19b59da1c96ed (patch) | |
tree | 9122c48d1c709de5584b009e06440628ec903bdb /utility | |
parent | 8fbdc10ebad1b14794aba593025338f017261972 (diff) | |
download | vboot-f155ab3a26d07f94dcf64732d6e19b59da1c96ed.tar.gz |
Add vbutil_what_keys utility to figure out how a disk image is signed.
BUG=none
TEST=none
Change-Id: I8a2e0d07384f0437064b964c6b292af9c3a67ea1
Reviewed-on: http://gerrit.chromium.org/gerrit/2802
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Tested-by: Bill Richardson <wfrichar@chromium.org>
Diffstat (limited to 'utility')
-rw-r--r-- | utility/Makefile | 7 | ||||
-rwxr-xr-x | utility/vbutil_what_keys | 79 |
2 files changed, 85 insertions, 1 deletions
diff --git a/utility/Makefile b/utility/Makefile index a60ef21a..9ae4d28c 100644 --- a/utility/Makefile +++ b/utility/Makefile @@ -37,7 +37,8 @@ TARGET_NAMES = crossystem \ dev_sign_file \ dump_fmap \ dev_debug_vboot \ - pack_firmware_image + pack_firmware_image \ + vbutil_what_keys ifeq ($(MINIMAL),) TARGET_NAMES += bmpblk_utility eficompress efidecompress @@ -131,6 +132,10 @@ ${BUILD_ROOT}/dev_debug_vboot: dev_debug_vboot cp -f $< $@ chmod +x $@ +${BUILD_ROOT}/vbutil_what_keys: vbutil_what_keys + cp -f $< $@ + chmod +x $@ + ${BUILD_ROOT}/tpmc: tpmc.c $(LIBS) $(CC) $(CFLAGS) $< -o $@ $(LIBS) diff --git a/utility/vbutil_what_keys b/utility/vbutil_what_keys new file mode 100755 index 00000000..9655e75a --- /dev/null +++ b/utility/vbutil_what_keys 
@@ -0,0 +1,79 @@
+#!/bin/bash -u
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+if [ -z "$*" ]; then
+ cat <<EOF 1>&2
+
+Usage: vbutil_what_keys IMAGE [IMAGE...]
+
+Given a ChromiumOS disk image, try to figure out how it's signed. Note that
+this does not verify the signature, it just reports which keyblock was used to
+create the signature.
+
+EOF
+ exit 1
+fi
+
+
+# We'll look up the known kernel.keyblock and recovery_kernel.keyblock sha1sums
+# right here. Obtain them by running this script on images you know have been
+# signed correctly (since the keys themselves are inside the HSM).
+#
+# e78ce746a037837155388a1096212ded04fb86eb recovery dev-key
+# d6170aa480136f1f29cf339a5ab1b960585fa444 normal dev-key
+#
+# 20f3e8b77da6577706c91feefb203f98ee20d479 recovery ZGB MP
+# 7b7ae8652775ad7305f565161b3acc00fcc8ea22 normal ZGB MP
+#
+# 03172b08f0b99172c73d947f51e8ca23d418bcbf recovery Alex MP
+# af24e46b6c3805869616e71c002c9a2a847ad266 normal Alex MP
+#
+# f6fadd7e31eebf4bcc4eb8d2dd512e3a2313627f recovery Cr-48 MP
+# a1454fcecb98a6f33b38638564bdfc20161a7b04 normal Cr-48 MP
+#
+
+TMPFILE=$(mktemp /tmp/keyblock_XXXXXXXXX)
+trap "rm -f $TMPFILE" EXIT
+
+dofile() {
+ file="$1"
+ echo "$file"
+
+ for pnum in $(cgpt find -n -t kernel "$file" 2>/dev/null); do
+
+ psize=$(cgpt show -s -i "$pnum" "$file")
+ if [ "$psize" -ge 128 ]; then
+
+ pstart=$(cgpt show -b -i "$pnum" "$file")
+ dd if="$file" of="$TMPFILE" bs=512 count=128 skip="$pstart" 2>/dev/null
+
+ psum=$(vbutil_keyblock --unpack "$TMPFILE" 2>/dev/null | \
+ grep sha1sum | sed -e 's/^.*: *//')
+
+ if [ -n "$psum" ]; then
+ match=$(grep "$psum" "$0" 2>/dev/null | sed -e 's/^# //')
+ flags=$(vbutil_keyblock --unpack "$TMPFILE" 2>/dev/null | \
+ grep Flags: | sed -e 's/^.*:[ 0-9]*//')
+ else
+ match=""
+ psum="--invalid--"
+ flags=""
+ fi
+
+ if [ -n "$match" ]; then
+ echo " part $pnum: $match ($flags)"
+ else
+ echo " part $pnum: $psum ($flags)"
+ fi
+ fi
+
+ done
+}
+
+
+for file in "$@"; do
+ dofile $file
+done
+
|
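Review bot: The driver loop at the end of the hunk calls `dofile $file` unquoted, so an image path containing whitespace or glob characters is split into several arguments and each fragment is processed as a separate (missing) image; it should be `dofile "$file"`. Inside dofile, `grep "$psum" "$0"` uses the string scraped from vbutil_keyblock output as a basic-regex pattern against the script's own text, whereas the lookup table is meant to be matched literally, so `grep -F -- "$psum" "$0"` is the safer form. The cleanup trap expands TMPFILE unquoted at definition time; `trap 'rm -f "$TMPFILE"' EXIT` is the usual form. Note also that `[ "$psize" -ge 128 ]` raises an "integer expression expected" error and skips the partition whenever `cgpt show` prints nothing, which may be acceptable but deserves a comment since the script runs under `-u` without `-e`.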