summaryrefslogtreecommitdiff
path: root/scripts/image_signing/verify_uefi.sh
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/image_signing/verify_uefi.sh')
-rwxr-xr-xscripts/image_signing/verify_uefi.sh79
1 files changed, 79 insertions, 0 deletions
diff --git a/scripts/image_signing/verify_uefi.sh b/scripts/image_signing/verify_uefi.sh
new file mode 100755
index 00000000..959b5b8f
--- /dev/null
+++ b/scripts/image_signing/verify_uefi.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Copyright 2018 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+. "$(dirname "$0")/common.sh"
+
+set -e
+
+usage() {
+ cat <<EOF
+Usage: $PROG /path/to/target/dir /path/to/esp/dir
+
+Verify signatures of UEFI binaries in the target directory.
+EOF
+ if [[ $# -gt 0 ]]; then
+ error "$*"
+ exit 1
+ fi
+ exit 0
+}
+
+main() {
+ local target_dir="$1"
+ local esp_dir="$2"
+
+ if [[ $# -ne 2 ]]; then
+ usage "command takes exactly 1 args"
+ fi
+
+ if ! type -P sbverify &>/dev/null; then
+ die "Cannot verify UEFI signatures (sbverify not found)."
+ fi
+
+ local bootloader_dir="${target_dir}/efi/boot"
+ local syslinux_dir="${target_dir}/syslinux"
+ local kernel_dir="${target_dir}"
+ local gsetup_dir="${esp_dir}/EFI/Google/GSetup"
+
+ if [[ ! -f "${gsetup_dir}/pk/pk.der" ]]; then
+ warn "No PK cert"
+ exit 0
+ fi
+
+ local db_cert_der="${gsetup_dir}/db/db.der"
+ if [[ ! -f "${db_cert_der}" ]]; then
+ warn "No DB cert"
+ exit 0
+ fi
+
+ local working_dir="$(make_temp_dir)"
+ local cert="${working_dir}/cert.pem"
+ openssl x509 -in "${db_cert_der}" -inform DER -out "${cert}" -outform PEM
+
+ for efi_file in "${bootloader_dir}/"*".efi"; do
+ if [[ ! -f "${efi_file}" ]]; then
+ continue
+ fi
+ sbverify --cert "${cert}" "${efi_file}" ||
+ die "Verification failed: ${efi_file}"
+ done
+
+ for syslinux_kernel_file in "${syslinux_dir}/vmlinuz."?; do
+ if [[ ! -f "${syslinux_kernel_file}" ]]; then
+ continue
+ fi
+ sbverify --cert "${cert}" "${syslinux_kernel_file}" ||
+ warn "Verification failed: ${syslinux_kernel_file}"
+ done
+
+ local kernel_file="$(readlink -f "${kernel_dir}/vmlinuz")"
+ if [[ -f "${kernel_file}" ]]; then
+ sbverify --cert "${cert}" "${kernel_file}" ||
+ warn "Verification failed: ${kernel_file}"
+ fi
+}
+
+main "$@"
View Lorry Controller Status