1 files changed, 23 insertions, 15 deletions

diff --git a/scripts/image_signing/verify_uefi.sh b/scripts/image_signing/verify_uefi.sh
index 959b5b8f..0d305117 100755
--- a/scripts/image_signing/verify_uefi.sh
+++ b/scripts/image_signing/verify_uefi.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-
 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
@@ -10,7 +9,7 @@ set -e
 
 usage() {
   cat <<EOF
-Usage: $PROG /path/to/target/dir /path/to/esp/dir
+Usage: $PROG /path/to/target/dir /path/to/esp/dir /path/to/uefi/keys/dir
 
 Verify signatures of UEFI binaries in the target directory.
 EOF
@@ -24,9 +23,10 @@ EOF
 main() {
   local target_dir="$1"
   local esp_dir="$2"
+  local key_dir="$3"
 
-  if [[ $# -ne 2 ]]; then
-    usage "command takes exactly 1 args"
+  if [[ $# -ne 3 ]]; then
+    usage "command takes exactly 3 args"
   fi
 
   if ! type -P sbverify &>/dev/null; then
@@ -39,40 +39,48 @@ main() {
   local gsetup_dir="${esp_dir}/EFI/Google/GSetup"
 
   if [[ ! -f "${gsetup_dir}/pk/pk.der" ]]; then
-    warn "No PK cert"
-    exit 0
+    die "No PK cert"
   fi
 
   local db_cert_der="${gsetup_dir}/db/db.der"
   if [[ ! -f "${db_cert_der}" ]]; then
-    warn "No DB cert"
-    exit 0
+    die "No DB cert"
   fi
 
+  local cert="${key_dir}/db/db.pem"
+
   local working_dir="$(make_temp_dir)"
-  local cert="${working_dir}/cert.pem"
-  openssl x509 -in "${db_cert_der}" -inform DER -out "${cert}" -outform PEM
+  local gsetup_cert="${working_dir}/cert.pem"
+  openssl x509 -in "${db_cert_der}" -inform DER \
+      -out "${gsetup_cert}" -outform PEM
 
-  for efi_file in "${bootloader_dir}/"*".efi"; do
+  for efi_file in "${bootloader_dir}"/*.efi; do
     if [[ ! -f "${efi_file}" ]]; then
       continue
     fi
     sbverify --cert "${cert}" "${efi_file}" ||
-        die "Verification failed: ${efi_file}"
+        die "Verification failed. file:${efi_file} cert:${cert}"
+    sbverify --cert "${gsetup_cert}" "${efi_file}" ||
+        die "Verification failed. file:${efi_file} cert:${gsetup_cert}"
   done
 
-  for syslinux_kernel_file in "${syslinux_dir}/vmlinuz."?; do
+  for syslinux_kernel_file in "${syslinux_dir}"/vmlinuz.?; do
     if [[ ! -f "${syslinux_kernel_file}" ]]; then
       continue
     fi
     sbverify --cert "${cert}" "${syslinux_kernel_file}" ||
-        warn "Verification failed: ${syslinux_kernel_file}"
+        warn "Verification failed. file:${syslinux_kernel_file} cert:${cert}"
+    sbverify --cert "${gsetup_cert}" "${syslinux_kernel_file}" ||
+        warn "Verification failed. file:${syslinux_kernel_file}" \
+            "cert:${gsetup_cert}"
   done
 
   local kernel_file="$(readlink -f "${kernel_dir}/vmlinuz")"
   if [[ -f "${kernel_file}" ]]; then
     sbverify --cert "${cert}" "${kernel_file}" ||
-        warn "Verification failed: ${kernel_file}"
+        warn "Verification failed: file:${kernel_file} cert:${cert}"
+    sbverify --cert "${gsetup_cert}" "${kernel_file}" ||
+        warn "Verification failed: file:${kernel_file} cert:${gsetup_cert}"
   fi
 }