diff options
-rw-r--r-- | futility/cmd_sign.c | 22 | ||||
-rw-r--r-- | futility/file_type_bios.c | 26 | ||||
-rw-r--r-- | futility/futility_options.h | 2 | ||||
-rwxr-xr-x | scripts/image_signing/make_dev_firmware.sh | 6 | ||||
-rwxr-xr-x | scripts/image_signing/resign_firmwarefd.sh | 20 | ||||
-rwxr-xr-x | scripts/image_signing/sign_firmware.sh | 2 | ||||
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 12 | ||||
-rwxr-xr-x | scripts/keygeneration/create_new_keys.sh | 16 | ||||
-rw-r--r-- | tests/futility/data/README | 1 | ||||
-rw-r--r-- | tests/futility/data/bios_zgb_mp.bin | bin | 4194304 -> 0 bytes | |||
-rw-r--r-- | tests/futility/data_bios_zgb_mp.bin_expect.txt | 6 | ||||
-rw-r--r-- | tests/futility/expect_output/show.tests_futility_data_bios_peppy_mp.bin (renamed from tests/futility/expect_output/show.tests_futility_data_bios_zgb_mp.bin) | 40 | ||||
-rw-r--r-- | tests/futility/test_file_types.c | 2 | ||||
-rwxr-xr-x | tests/futility/test_file_types.sh | 2 | ||||
-rwxr-xr-x | tests/futility/test_show_contents.sh | 2 | ||||
-rwxr-xr-x | tests/futility/test_sign_firmware.sh | 14 |
16 files changed, 31 insertions, 142 deletions
diff --git a/futility/cmd_sign.c b/futility/cmd_sign.c index 59999977..b35712a3 100644 --- a/futility/cmd_sign.c +++ b/futility/cmd_sign.c @@ -367,11 +367,6 @@ static const char usage_bios[] = "\n" " [--infile] INFILE Input firmware image (modified\n" " in place if no OUTFILE given)\n" "\n" - "These are required if the A and B firmware differ:\n" - " -S|--devsign FILE.vbprivk The DEV private firmware data key\n" - " -B|--devkeyblock FILE.keyblock The keyblock containing the\n" - " DEV public firmware data key\n" - "\n" "Optional PARAMS:\n" " -v|--version NUM The firmware version number" " (default %d)\n" @@ -620,8 +615,6 @@ static const struct option long_opts[] = { {"signprivate", 1, NULL, 's'}, {"keyblock", 1, NULL, 'b'}, {"kernelkey", 1, NULL, 'k'}, - {"devsign", 1, NULL, 'S'}, - {"devkeyblock", 1, NULL, 'B'}, {"version", 1, NULL, 'v'}, {"flags", 1, NULL, 'f'}, {"loemdir", 1, NULL, 'd'}, @@ -703,21 +696,6 @@ static int do_sign(int argc, char *argv[]) errorcnt++; } break; - case 'S': - sign_option.devsignprivate = - vb2_read_private_key(optarg); - if (!sign_option.devsignprivate) { - fprintf(stderr, "Error reading %s\n", optarg); - errorcnt++; - } - break; - case 'B': - sign_option.devkeyblock = vb2_read_keyblock(optarg); - if (!sign_option.devkeyblock) { - fprintf(stderr, "Error reading %s\n", optarg); - errorcnt++; - } - break; case 'v': sign_option.version_specified = 1; sign_option.version = strtoul(optarg, &e, 0); diff --git a/futility/file_type_bios.c b/futility/file_type_bios.c index 17efddec..13428c14 100644 --- a/futility/file_type_bios.c +++ b/futility/file_type_bios.c @@ -408,31 +408,11 @@ static int sign_bios_at_end(struct bios_state_s *state) return 1; } - /* Do A & B differ ? */ - if (fw_a->len != fw_b->len || - memcmp(fw_a->buf, fw_b->buf, fw_a->len)) { - /* Yes, must use DEV keys for A */ - if (!sign_option.devsignprivate || !sign_option.devkeyblock) { - fprintf(stderr, - "FW A & B differ. DEV keys are required.\n"); - return 1; - } - retval |= write_new_preamble(vblock_a, fw_a, - sign_option.devsignprivate, - sign_option.devkeyblock); - } else { - retval |= write_new_preamble(vblock_a, fw_a, - sign_option.signprivate, - sign_option.keyblock); - } - - /* FW B is always normal keys */ - retval |= write_new_preamble(vblock_b, fw_b, - sign_option.signprivate, + retval |= write_new_preamble(vblock_a, fw_a, sign_option.signprivate, sign_option.keyblock); - - + retval |= write_new_preamble(vblock_b, fw_b, sign_option.signprivate, + sign_option.keyblock); if (sign_option.loemid) { retval |= write_loem("A", vblock_a); diff --git a/futility/futility_options.h b/futility/futility_options.h index 9c99bba1..da839586 100644 --- a/futility/futility_options.h +++ b/futility/futility_options.h @@ -34,8 +34,6 @@ struct sign_option_s { struct vb2_private_key *signprivate; struct vb2_keyblock *keyblock; struct vb2_packed_key *kernel_subkey; - struct vb2_private_key *devsignprivate; - struct vb2_keyblock *devkeyblock; uint32_t version; int version_specified; uint32_t flags; diff --git a/scripts/image_signing/make_dev_firmware.sh b/scripts/image_signing/make_dev_firmware.sh index 0db56382..20c8414a 100755 --- a/scripts/image_signing/make_dev_firmware.sh +++ b/scripts/image_signing/make_dev_firmware.sh @@ -167,8 +167,6 @@ main() { local recovery_pubkey="${FLAGS_keys}/recovery_key.vbpubk" local firmware_keyblock="${FLAGS_keys}/firmware.keyblock" local firmware_prvkey="${FLAGS_keys}/firmware_data_key.vbprivk" - local dev_firmware_keyblock="${FLAGS_keys}/dev_firmware.keyblock" - local dev_firmware_prvkey="${FLAGS_keys}/dev_firmware_data_key.vbprivk" local kernel_sub_pubkey="${FLAGS_keys}/kernel_subkey.vbpubk" local ec_efs_pubkey="${FLAGS_keys}/key_ec_efs.vbpubk2" local ec_efs_prvkey="${FLAGS_keys}/key_ec_efs.vbprik2" @@ -281,8 +279,6 @@ main() { echo "Using keyblocks (developer, normal)..." else echo "Using keyblocks (normal, normal)..." - dev_firmware_prvkey="$firmware_prvkey" - dev_firmware_keyblock="$firmware_keyblock" fi debug_msg "Extract firmware version and data key version" @@ -351,8 +347,6 @@ main() { "${IMAGE_BIOS}" \ "${firmware_prvkey}" \ "${firmware_keyblock}" \ - "${dev_firmware_prvkey}" \ - "${dev_firmware_keyblock}" \ "${kernel_sub_pubkey}" \ "${firmware_version}" \ ${optional_opts} || diff --git a/scripts/image_signing/resign_firmwarefd.sh b/scripts/image_signing/resign_firmwarefd.sh index d4cb5b8c..ea233157 100755 --- a/scripts/image_signing/resign_firmwarefd.sh +++ b/scripts/image_signing/resign_firmwarefd.sh @@ -20,20 +20,12 @@ SRC_FD=$1 DST_FD=$2 FIRMWARE_DATAKEY=$3 FIRMWARE_KEYBLOCK=$4 -DEV_FIRMWARE_DATAKEY=$5 -DEV_FIRMWARE_KEYBLOCK=$6 -KERNEL_SUBKEY=$7 +KERNEL_SUBKEY=$5 # optional -VERSION=$8 -PREAMBLE_FLAG=$9 -LOEM_OUTPUT_DIR=${10} -LOEMID=${11} - -if [ ! -e $DEV_FIRMWARE_KEYBLOCK ] || [ ! -e $DEV_FIRMWARE_DATAKEY ] ; then - echo "No dev firmware keyblock/datakey found. Reusing normal keys." - DEV_FIRMWARE_KEYBLOCK="$FIRMWARE_KEYBLOCK" - DEV_FIRMWARE_DATAKEY="$FIRMWARE_DATAKEY" -fi +VERSION=$6 +PREAMBLE_FLAG=$7 +LOEM_OUTPUT_DIR=$8 +LOEMID=$9 # pass optional args [ -n "$VERSION" ] && VERSION="--version $VERSION" @@ -44,8 +36,6 @@ fi exec ${FUTILITY} sign \ --signprivate $FIRMWARE_DATAKEY \ --keyblock $FIRMWARE_KEYBLOCK \ - --devsign $DEV_FIRMWARE_DATAKEY \ - --devkeyblock $DEV_FIRMWARE_KEYBLOCK \ --kernelkey $KERNEL_SUBKEY \ $VERSION \ $PREAMBLE_FLAG \ diff --git a/scripts/image_signing/sign_firmware.sh b/scripts/image_signing/sign_firmware.sh index 0e7ac7c4..ebc6cdc7 100755 --- a/scripts/image_signing/sign_firmware.sh +++ b/scripts/image_signing/sign_firmware.sh @@ -57,8 +57,6 @@ sign_one() { "${temp_fw}" \ "${key_dir}/firmware_data_key${loem_key}.vbprivk" \ "${key_dir}/firmware${loem_key}.keyblock" \ - "${key_dir}/dev_firmware_data_key${loem_key}.vbprivk" \ - "${key_dir}/dev_firmware${loem_key}.keyblock" \ "${key_dir}/kernel_subkey.vbpubk" \ "${firmware_version}" \ "" \ diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 98c86104..e9c219e6 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -515,14 +515,6 @@ resign_firmware_payload() { local signprivate="${KEY_DIR}/firmware_data_key${key_suffix}.vbprivk" local keyblock="${KEY_DIR}/firmware${key_suffix}.keyblock" - local devsign="${KEY_DIR}/dev_firmware_data_key${key_suffix}.vbprivk" - local devkeyblock="${KEY_DIR}/dev_firmware${key_suffix}.keyblock" - - if [ ! -e "${devsign}" ] || [ ! -e "${devkeyblock}" ] ; then - echo "No dev firmware keyblock/datakey found. Reusing normal keys." - devsign="${signprivate}" - devkeyblock="${keyblock}" - fi # Path to bios.bin. local bios_path="${shellball_dir}/${bios_image}" @@ -566,8 +558,6 @@ resign_firmware_payload() { echo "Signing Bios with:" ${FUTILITY} sign \ --signprivate "${signprivate}" \ --keyblock "${keyblock}" \ - --devsign "${devsign}" \ - --devkeyblock "${devkeyblock}" \ --kernelkey "${KEY_DIR}/kernel_subkey.vbpubk" \ --version "${FIRMWARE_VERSION}" \ "${extra_args[@]}" \ @@ -576,8 +566,6 @@ resign_firmware_payload() { ${FUTILITY} sign \ --signprivate "${signprivate}" \ --keyblock "${keyblock}" \ - --devsign "${devsign}" \ - --devkeyblock "${devkeyblock}" \ --kernelkey "${KEY_DIR}/kernel_subkey.vbpubk" \ --version "${FIRMWARE_VERSION}" \ "${extra_args[@]}" \ diff --git a/scripts/keygeneration/create_new_keys.sh b/scripts/keygeneration/create_new_keys.sh index 2e1fd22c..4a2ad33a 100755 --- a/scripts/keygeneration/create_new_keys.sh +++ b/scripts/keygeneration/create_new_keys.sh @@ -14,7 +14,6 @@ usage() { Usage: ${PROG} [options] Options: - --devkeyblock Also generate developer firmware keyblock and data key --android Also generate android keys --uefi Also generate UEFI keys --8k Use 8k keys instead of 4k (enables options below) @@ -36,8 +35,6 @@ EOF main() { set -e - # Flag to indicate whether we should be generating a developer keyblock flag. - local dev_keyblock="false" local android_keys="false" local uefi_keys="false" local root_key_algoid=${ROOT_KEY_ALGOID} @@ -50,11 +47,6 @@ main() { while [[ $# -gt 0 ]]; do case $1 in - --devkeyblock) - echo "Will also generate developer firmware keyblock and data key." - dev_keyblock="true" - ;; - --android) echo "Will also generate Android keys." android_keys="true" @@ -158,9 +150,6 @@ main() { make_pair ec_data_key ${EC_DATAKEY_ALGOID} ${eckey_version} make_pair root_key ${root_key_algoid} make_pair firmware_data_key ${FIRMWARE_DATAKEY_ALGOID} ${fkey_version} - if [[ "${dev_keyblock}" == "true" ]]; then - make_pair dev_firmware_data_key ${DEV_FIRMWARE_DATAKEY_ALGOID} ${fkey_version} - fi make_pair kernel_subkey ${KERNEL_SUBKEY_ALGOID} ${ksubkey_version} make_pair kernel_data_key ${KERNEL_DATAKEY_ALGOID} ${kdatakey_version} @@ -178,11 +167,6 @@ main() { # Ditto EC keyblock make_keyblock ec ${EC_KEYBLOCK_MODE} ec_data_key ec_root_key - if [[ "${dev_keyblock}" == "true" ]]; then - # Create the dev firmware keyblock for use only in Developer mode. - make_keyblock dev_firmware ${DEV_FIRMWARE_KEYBLOCK_MODE} dev_firmware_data_key root_key - fi - # Create the recovery kernel keyblock for use only in Recovery mode. make_keyblock recovery_kernel ${RECOVERY_KERNEL_KEYBLOCK_MODE} recovery_kernel_data_key recovery_key diff --git a/tests/futility/data/README b/tests/futility/data/README index 57038c37..933de029 100644 --- a/tests/futility/data/README +++ b/tests/futility/data/README @@ -1,5 +1,4 @@ These are officially signed BIOS images from existing Chromebooks. - bios_zgb_mp.bin RW firmware A and B are different bios_link_mp.bin uses the RO_NORMAL flag to skip RW firmware validation bios_peppy_mp.bin doesn't do any of those things diff --git a/tests/futility/data/bios_zgb_mp.bin b/tests/futility/data/bios_zgb_mp.bin Binary files differdeleted file mode 100644 index c85d8202..00000000 --- a/tests/futility/data/bios_zgb_mp.bin +++ /dev/null diff --git a/tests/futility/data_bios_zgb_mp.bin_expect.txt b/tests/futility/data_bios_zgb_mp.bin_expect.txt deleted file mode 100644 index 2a021ce1..00000000 --- a/tests/futility/data_bios_zgb_mp.bin_expect.txt +++ /dev/null @@ -1,6 +0,0 @@ -9f59876c7f7dc881f02d934786c6b7c2c17dcaac -9bd99a594c45b6739899a17ec29ac2289ee75463 -a0e4415cd4e271802504cce3a211b54562178fc8 -5d2b220899c4403d564092ada3f12d3cc4483223 -e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450 -5d2b220899c4403d564092ada3f12d3cc4483223 diff --git a/tests/futility/expect_output/show.tests_futility_data_bios_zgb_mp.bin b/tests/futility/expect_output/show.tests_futility_data_bios_peppy_mp.bin index 2f9f8073..88733c9e 100644 --- a/tests/futility/expect_output/show.tests_futility_data_bios_zgb_mp.bin +++ b/tests/futility/expect_output/show.tests_futility_data_bios_peppy_mp.bin @@ -1,47 +1,47 @@ -BIOS: tests/futility/data/bios_zgb_mp.bin +BIOS: tests/futility/data/bios_peppy_mp.bin GBB header: GBB - Version: 1.0 - Flags: 0x00000000 + Version: 1.1 + Flags: 0x00000039 Regions: offset size hwid 0x00000080 0x00000100 - bmpvf 0x00001180 0x0003de80 + bmpvf 0x00001180 0x000ece80 rootkey 0x00000180 0x00001000 - recovery_key 0x0003f000 0x00001000 - Size: 0x00040000 / 0x00040000 + recovery_key 0x000ee000 0x00001000 + Size: 0x000ef000 / 0x000ef000 GBB content: - HWID: {FA42644C-CF3A-4692-A9D3-1A667CB232E9} + HWID: X86 PEPPY TEST 4211 digest: <none> Root Key: Vboot API: 1.0 Algorithm: 11 RSA8192 SHA512 Key Version: 1 - Key sha1sum: 9f59876c7f7dc881f02d934786c6b7c2c17dcaac + Key sha1sum: fc68bcb88bf9af1907289a9f377d658b3b9fe5b0 Recovery Key: Vboot API: 1.0 Algorithm: 11 RSA8192 SHA512 Key Version: 1 - Key sha1sum: 9bd99a594c45b6739899a17ec29ac2289ee75463 + Key sha1sum: bf39d0d3e30cbf6a121416d04df4603ad5310779 Firmware body: FW_MAIN_A - Offset: 0x00030000 - Size: 0x000dffc0 + Offset: 0x00210000 + Size: 0x000c0000 Firmware body: FW_MAIN_B - Offset: 0x00120000 - Size: 0x000dffc0 + Offset: 0x00300000 + Size: 0x000c0000 Keyblock: VBLOCK_A Signature: valid Size: 0x8b8 - Flags: 6 DEV !REC + Flags: 7 !DEV DEV !REC Data key algorithm: 8 RSA4096 SHA512 Data key version: 1 - Data key sha1sum: a78aaa1691c2125ef8ccefa1a8a6bea92d38fae6 + Data key sha1sum: f917ad29e36aa8a286f978c1aa0550ea31c6a561 Firmware Preamble: Size: 2164 Header version: 2.1 Firmware version: 2 Kernel key algorithm: 7 RSA4096 SHA256 Kernel key version: 2 - Kernel key sha1sum: 0c9fd5b03ab47d37924ba8a7beb64039d84ed0e1 - Firmware body size: 917440 + Kernel key sha1sum: cc05423373b76acbec23ec45dfa3696a2ea6dc0f + Firmware body size: 146456 Preamble flags: 0 Body verification succeeded. Keyblock: VBLOCK_B @@ -50,14 +50,14 @@ Keyblock: VBLOCK_B Flags: 7 !DEV DEV !REC Data key algorithm: 8 RSA4096 SHA512 Data key version: 1 - Data key sha1sum: 4fe08ed739069d6834b68612eb707998a0825f34 + Data key sha1sum: f917ad29e36aa8a286f978c1aa0550ea31c6a561 Firmware Preamble: Size: 2164 Header version: 2.1 Firmware version: 2 Kernel key algorithm: 7 RSA4096 SHA256 Kernel key version: 2 - Kernel key sha1sum: 0c9fd5b03ab47d37924ba8a7beb64039d84ed0e1 - Firmware body size: 917440 + Kernel key sha1sum: cc05423373b76acbec23ec45dfa3696a2ea6dc0f + Firmware body size: 146456 Preamble flags: 0 Body verification succeeded. diff --git a/tests/futility/test_file_types.c b/tests/futility/test_file_types.c index d53760c3..17388cfd 100644 --- a/tests/futility/test_file_types.c +++ b/tests/futility/test_file_types.c @@ -26,7 +26,7 @@ static struct { {FILE_TYPE_KEYBLOCK, "tests/devkeys/kernel.keyblock"}, {FILE_TYPE_FW_PREAMBLE, "tests/futility/data/fw_vblock.bin"}, {FILE_TYPE_GBB, "tests/futility/data/fw_gbb.bin"}, - {FILE_TYPE_BIOS_IMAGE, "tests/futility/data/bios_zgb_mp.bin"}, + {FILE_TYPE_BIOS_IMAGE, "tests/futility/data/bios_peppy_mp.bin"}, {FILE_TYPE_KERN_PREAMBLE, "tests/futility/data/kern_preamble.bin"}, {FILE_TYPE_RAW_FIRMWARE, }, /* need a test for this */ {FILE_TYPE_RAW_KERNEL, }, /* need a test for this */ diff --git a/tests/futility/test_file_types.sh b/tests/futility/test_file_types.sh index 93c63913..c51e38f2 100755 --- a/tests/futility/test_file_types.sh +++ b/tests/futility/test_file_types.sh @@ -32,7 +32,7 @@ test_case "pubkey" "tests/devkeys/root_key.vbpubk" test_case "keyblock" "tests/devkeys/kernel.keyblock" test_case "fw_pre" "tests/futility/data/fw_vblock.bin" test_case "gbb" "tests/futility/data/fw_gbb.bin" -test_case "bios" "tests/futility/data/bios_zgb_mp.bin" +test_case "bios" "tests/futility/data/bios_peppy_mp.bin" test_case "kernel" "tests/futility/data/kern_preamble.bin" # We don't have a way to identify these (yet?) # test_case "RAW_FIRMWARE" diff --git a/tests/futility/test_show_contents.sh b/tests/futility/test_show_contents.sh index 1533ba4c..fddebe81 100755 --- a/tests/futility/test_show_contents.sh +++ b/tests/futility/test_show_contents.sh @@ -16,7 +16,7 @@ SHOW_FILES=" tests/devkeys/kernel.keyblock tests/futility/data/fw_vblock.bin tests/futility/data/fw_gbb.bin - tests/futility/data/bios_zgb_mp.bin + tests/futility/data/bios_peppy_mp.bin tests/futility/data/kern_preamble.bin tests/futility/data/sample.vbpubk2 tests/futility/data/sample.vbprik2 diff --git a/tests/futility/test_sign_firmware.sh b/tests/futility/test_sign_firmware.sh index 8e303e32..04eb385f 100755 --- a/tests/futility/test_sign_firmware.sh +++ b/tests/futility/test_sign_firmware.sh @@ -30,17 +30,6 @@ INFILES="${INFILES} ${ONEMORE}" set -o pipefail -# We've removed dev_firmware keyblock and private keys from ToT test key dir. -# It's currently only available on few legacy (alex, zgb) devices' key folders -# on signer bot. Add them to ${KEYDIR} if you need to test that. -DEV_FIRMWARE_PARAMS="" -if [ -f "${KEYDIR}/dev_firmware.keyblock" ]; then - DEV_FIRMWARE_PARAMS=" - -S ${KEYDIR}/dev_firmware_data_key.vbprivk - -B ${KEYDIR}/dev_firmware.keyblock" - INFILES="${INFILES} ${SCRIPT_DIR}/futility/data/bios_zgb_mp.bin" -fi - count=0 for infile in $INFILES; do @@ -85,7 +74,6 @@ for infile in $INFILES; do ${FUTILITY} sign \ -s ${KEYDIR}/firmware_data_key.vbprivk \ -b ${KEYDIR}/firmware.keyblock \ - ${DEV_FIRMWARE_PARAMS} \ -k ${KEYDIR}/kernel_subkey.vbpubk \ -v 14 \ -f 8 \ @@ -155,7 +143,6 @@ echo -n "$count " 1>&3 ${FUTILITY} sign \ -s ${KEYDIR}/firmware_data_key.vbprivk \ -b ${KEYDIR}/firmware.keyblock \ - ${DEV_FIRMWARE_PARAMS} \ -k ${KEYDIR}/kernel_subkey.vbpubk \ ${MORE_OUT} ${MORE_OUT}.2 @@ -172,7 +159,6 @@ ${FUTILITY} load_fmap ${MORE_OUT} VBLOCK_A:/dev/urandom VBLOCK_B:/dev/zero ${FUTILITY} sign \ -s ${KEYDIR}/firmware_data_key.vbprivk \ -b ${KEYDIR}/firmware.keyblock \ - ${DEV_FIRMWARE_PARAMS} \ -k ${KEYDIR}/kernel_subkey.vbpubk \ ${MORE_OUT} ${MORE_OUT}.3 |