diff options
Diffstat (limited to 'scripts/image_signing/verify_uefi.sh')
-rwxr-xr-x | scripts/image_signing/verify_uefi.sh | 38 |
1 files changed, 23 insertions, 15 deletions
diff --git a/scripts/image_signing/verify_uefi.sh b/scripts/image_signing/verify_uefi.sh index 959b5b8f..0d305117 100755 --- a/scripts/image_signing/verify_uefi.sh +++ b/scripts/image_signing/verify_uefi.sh @@ -1,5 +1,4 @@ #!/bin/bash - # Copyright 2018 The Chromium OS Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. @@ -10,7 +9,7 @@ set -e usage() { cat <<EOF -Usage: $PROG /path/to/target/dir /path/to/esp/dir +Usage: $PROG /path/to/target/dir /path/to/esp/dir /path/to/uefi/keys/dir Verify signatures of UEFI binaries in the target directory. EOF @@ -24,9 +23,10 @@ EOF main() { local target_dir="$1" local esp_dir="$2" + local key_dir="$3" - if [[ $# -ne 2 ]]; then - usage "command takes exactly 1 args" + if [[ $# -ne 3 ]]; then + usage "command takes exactly 3 args" fi if ! type -P sbverify &>/dev/null; then @@ -39,40 +39,48 @@ main() { local gsetup_dir="${esp_dir}/EFI/Google/GSetup" if [[ ! -f "${gsetup_dir}/pk/pk.der" ]]; then - warn "No PK cert" - exit 0 + die "No PK cert" fi local db_cert_der="${gsetup_dir}/db/db.der" if [[ ! -f "${db_cert_der}" ]]; then - warn "No DB cert" - exit 0 + die "No DB cert" fi + local cert="${key_dir}/db/db.pem" + local working_dir="$(make_temp_dir)" - local cert="${working_dir}/cert.pem" - openssl x509 -in "${db_cert_der}" -inform DER -out "${cert}" -outform PEM + local gsetup_cert="${working_dir}/cert.pem" + openssl x509 -in "${db_cert_der}" -inform DER \ + -out "${gsetup_cert}" -outform PEM - for efi_file in "${bootloader_dir}/"*".efi"; do + for efi_file in "${bootloader_dir}"/*.efi; do if [[ ! -f "${efi_file}" ]]; then continue fi sbverify --cert "${cert}" "${efi_file}" || - die "Verification failed: ${efi_file}" + die "Verification failed. file:${efi_file} cert:${cert}" + sbverify --cert "${gsetup_cert}" "${efi_file}" || + die "Verification failed. file:${efi_file} cert:${gsetup_cert}" done - for syslinux_kernel_file in "${syslinux_dir}/vmlinuz."?; do + for syslinux_kernel_file in "${syslinux_dir}"/vmlinuz.?; do if [[ ! -f "${syslinux_kernel_file}" ]]; then continue fi sbverify --cert "${cert}" "${syslinux_kernel_file}" || - warn "Verification failed: ${syslinux_kernel_file}" + warn "Verification failed. file:${syslinux_kernel_file} cert:${cert}" + sbverify --cert "${gsetup_cert}" "${syslinux_kernel_file}" || + warn "Verification failed. file:${syslinux_kernel_file}" \ + "cert:${gsetup_cert}" done local kernel_file="$(readlink -f "${kernel_dir}/vmlinuz")" if [[ -f "${kernel_file}" ]]; then sbverify --cert "${cert}" "${kernel_file}" || - warn "Verification failed: ${kernel_file}" + warn "Verification failed: file:${kernel_file} cert:${cert}" + sbverify --cert "${gsetup_cert}" "${kernel_file}" || + warn "Verification failed: file:${kernel_file} cert:${gsetup_cert}" fi } |