| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, vb2_unpack_key() actually unpacked a key buffer. Callers
that had a vb2_packed_key had to typecast it back to a uint8_t buffer to
unpack it. Rename vb2_unpack_key() to vb2_unpack_key_buffer(), and make
vb2_unpack_key() unpack a vb2_packed_key.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge;
emerge-samus and boot it
Change-Id: I9ee38a819c59cc58a72ead78cf5ddf3d0f301ae7
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400906
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At this point, all that's left are a few constants in the cryptolib
header files, and they're only used by host-side code. So move them to
a host-side header file and get rid of cryptolib.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: I2235f0e84e13fef313afe54e749b73744b157884
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400903
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The old vboot1 cryptolib hard-coded many of its padding arrays in a
padding.c file. Use the equivalent vboot2 apis instead.
This change is almost exclusively on the host and test side; the only
firmware impact is on a single line of debug output.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: If689ffd92f0255847bea2424950da4547b2c0df3
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400902
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Originally, we didn't trust the firmware to provide these functions from
a standard library. Now, with coreboot, we do.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: I4e624c40085f2b665275a38624340b2f6aabcf11
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/399120
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change fixes errors reported by coreboot toolchain.
BUG=chromium:649554
BRANCH=none
TEST=make runtests
Change-Id: Icd61899718af64b3d199fff37bbea2ccec6ab2cd
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400666
Commit-Ready: Dan Shi <dshi@google.com>
Reviewed-by: Martin Roth <martinroth@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change makes futility-bdb --create take --load_address parameter,
which sets the load address field in the BDB header.
BUG=chromium:649554
BRANCH=none
TEST=make runtests
$ futility bdb --resign test/futility/data/bin.bdb --data_version 2
then futility show --type bdb test/futility/data/bin.bdb
Change-Id: Ib4dec86c2a043e0989c91bbc01f39776e3630e4c
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/399594
Commit-Ready: Daisuke Nojiri <dnojiri@google.com>
Tested-by: Daisuke Nojiri <dnojiri@google.com>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change makes futility-bdb command take --data_version parameter.
BUG=chromium:649554
BRANCH=none
TEST=make runtests
$ futility bdb --resign test/futility/data/bin.bdb --data_version 2
then futility show --type bdb test/futility/data/bin.bdb
Change-Id: I567d5879555f4ae7382fc47ef79135e7a13b7600
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/399593
Commit-Ready: Daisuke Nojiri <dnojiri@google.com>
Tested-by: Daisuke Nojiri <dnojiri@google.com>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change makes futility show command dump more information
of the BDB header.
BUG=chromium:649554
BRANCH=none
TEST=make runtests
$ futility show --type bdb ~/tmp/rotor/bin/coreboot.rom
Change-Id: I8a10ed03b673879ab80f777b34863e670d37cd8c
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/399061
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change makes futility show command dump information of the
signatures found in a BDB.
BUG=chromium:649554
BRANCH=none
TEST=make runtests
$ futility show --type bdb ~/tmp/rotor/bin/coreboot.rom
Change-Id: I168dcd5adf237ec9989f43e3834577257e9a10ff
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/399060
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change makes futility show command dump information of the keys
found in a BDB.
BUG=chromium:649554
BRANCH=none
TEST=make runtests. run futility show tests/futility/data/bdb.bin
Change-Id: I82bb3956b043adf1febe42941618608865525da2
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/399059
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change makes futility show command to dump data header information
in a BDB. # of hashes is used to verify 'futility bdb --add' can add a
hash in the unit test.
BUG=chromium:649554
BRANCH=none
TEST=make runtests. run futility show tests/futility/data/bdb.bin
BDB Header:
Struct Version: 0x1:0x0
BDB key digest: c7895611c24efb2249d97376189eeee07def6bcd8ab162a3850d279354f08ddf
size: 1176
Data Header:
Struct Version: 0x1:0x0
# of Hashes: 2
Hash Entry Size:56
Signed Size: 272
Description:
Hash #0:
Offset: 0x2
Size: 35
Partition: 3
Type: 1
Load Address: 0x4
Digest: 72bcf33f448465f035bd58e4b61501db925e67c89feb4a70cb909d8b425861f4
Hash #1:
Offset: 0x2
Size: 35
Partition: 3
Type: 1
Load Address: 0x4
Digest: 72bcf33f448465f035bd58e4b61501db925e67c89feb4a70cb909d8b425861f4
Change-Id: I88934b761236f36a5d607c96f6f2543a62e50b68
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/392949
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch makes futility show command print out hash information.
BUG=chromium:649555
BRANCH=none
TEST=make runtests. Ran futility show tests/futility/data/bdb.bin.
Change-Id: I4d0e933b7b9dca6548aa8488d9ca85b8692a5d49
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/392948
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When --ignore_key_digest is specified, futility bdb --verify command
returns success even if the key digest didn't match. Warning message
will be printed to remind the digest wasn't checked.
BUG=chromium:649554
BRANCH=none
TEST=Tested as follows:
$ build/futility/futility bdb --verify tests/futility/data/bdb.bin \
--ignore_key_digest
BDB is valid. Key digest doesn't match but ignored.
$ echo $?
0
Change-Id: I996b0a4f7bbbcf546e2d958f28c5ee8fb251fb99
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/392946
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch makes futility show command support boot block descriptor (BDB)
of the common boot flow.
BUG=chromium:649554
BRANCH=none
TEST=make runtests. Ran futility show bdb.bin.
Change-Id: I5f199a32ab1c268351e822e37ed39e41ae19bc7a
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/388631
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds 'verify' sub-command to futility bdb. It verifies a BDB.
If a key digest is given, it also checks the validity of the embedded
BDB key.
BUG=chromium:649554
BRANCH=none
TEST=make runtests. Ran futility bdb --create, --add, --resign, --verify.
Change-Id: Ie19dc0f067c3c6ce65b2b6184bad14b49b188f6d
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/387906
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
'resign' sub-command signs a BDB using keys provided. It can resign only
the data key, the hashes, or both. Required keys vary depending on what
part of BDB is invalid and on what public key is specified in the command
line. It then detects what key is needed based on
the verification result and fails if the required key is not provided.
BUG=chromium:649554
BRANCH=none
TEST=make runtests. Ran futility bdb --create, --add, --resign, --verify
Change-Id: I589a5972f1d7e5066eb56e1c5efb4ee7089d41cd
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/387118
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
futility bdb --add appends a new hash entry to the given BDB.
The resulting BDB does not have a valid signature and is expected to
be resigned by 'resign' sub-command after all hashes are added.
BUG=chromium:649554
BRANCH=none
TEST=make runtest. Ran futility bdb --add, then --resign, then --verify
(to be implemented)
Change-Id: Icdf185f8ac268a23bb3954f5e78df6f80e749e18
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/387117
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
bdb command manipulates BDBs. '--create' sub-command creates a BDB.
Other sub-commands will follow in the successive patches.
BUG=chromium:649554
BRANCH=none
TEST=make runtests. Ran futility bdb --create using test keys and verify
it with bdb --verify (to be implemented).
Change-Id: Ib0a6165ac93efc7478b9d999d3c837d47cf81ddd
Reviewed-on: https://chromium-review.googlesource.com/386794
Commit-Ready: Daisuke Nojiri <dnojiri@chromium.org>
Tested-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Assorted minor code issues, which we should fix so any new errors stand
out more.
BUG=chromium:643769
BRANCH=none
TEST=make runtests
Change-Id: I82ece2de948ef224115c408bdfc09445d3da119b
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/390337
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Assorted minor code issues, which we should fix so any new errors stand
out more.
BUG=chromium:643769
BRANCH=none
TEST=make runtests
Change-Id: I8fcf0c51e33d5dc49f650f4069f1579091cf188d
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/383713
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Assorted minor code issues, which we should fix so any new errors stand
out more.
BUG=chromium:643769
BRANCH=none
TEST=make runtests
Change-Id: Ib37b45dea54bd506b519b0304300b8d192e34339
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/382319
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Another in a long series of refactoring changes to replace old vboot1
code with its vboot2 equivalent. Futility changes only; no change to
firmware.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: I7be813b82820674e975db13d5e540e49bdea028d
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/366057
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Continued refactoring of host library to kernel style / vboot2 structs.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: Ifed376812ed7690eea1ec0dfab958e836f7724a0
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/363951
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If given a malformed file with an invalid algorithm, futility could
dereference null when looking up the algorithm names.
BUG=chromium:643769
BRANCH=none
TEST=make runtests
Change-Id: I26d1312b8bf2eec8d806664708676daa9f36fa58
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/380522
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This replaces calls to the old vboot 1 APIs with their vboot 2.0
equivalents.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: Ieb1a127577c6428c47ac088c3aaa0d0dad6275a8
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356541
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This replaces calls to the vboot 1 host library with their vboot 2.0
equivalents.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: Id061554fd82ea3efe35d0fe1485693b47599a863
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356540
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This refactors futility and the host library to use only vboot 2.0 APIs
to create and verify keyblocks.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: Ia3cc1e24971b94f01bcb4890c8666a3af6f84841
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356129
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Refactor futility to use only vboot 2.0 APIs to create signatures.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: I176e7f424fa556d34d8fe691df5681f1e43210ce
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356128
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This removes the remaining vboot 1.0 API calls from cmd_show.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: I03c4260aa034100efbbea1005367cd85dfff273d
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/350173
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This replaces all calls to vboot1 VerifyFirmwarePreamble() with
equivalent vb2.0 functions. No effect on ToT firmware, which already
uses the vboot2.0 functions.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: I5c84e9ed0e0c75e2ea8dbd9bfcde0597bc457f24
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/349322
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Futility needs to link against both vboot1/vboot2.0 and vboot2.1
functions. This was easy in the past because it did (vboot1 +
vboot2.1) and there's no overlap.
In replacing vboot1 function calls and structs with vboot2.0, now there
are symbol collisions between vboot2.0 and vboot2.1. For example, both
of them use a struct called vb2_signature, but the structs are defined
differently. Functions which operate on those structs also overload.
Rename the vb2.1 structs to start with vb21_ instead of vb2_. Do the
same for vb2.1 functions which operate on vb2.1 data.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: I24defd87cbd9ef64239faf1a8e98ab2372d27539
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/347458
Reviewed-by: Daisuke Nojiri <dnojiri@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change replaces all calls to the old vboot1 SHA library with their
vboot2 equivalents.
This is the first in a long series of changes to move the core vboot kernel
verification into vb2, and the control/display loop out to depthcharge.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; build samus firmware and boot it
Change-Id: I31986eb766176c0e39a192c5ce15730471c3cf94
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/344342
Tested-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The major() func is defined in the sys/sysmacros.h header, so include it
explicitly for the prototype. Upstream C libs are moving away from having
sys/types.h include it all the time implicitly.
BUG=None
TEST=precq passes
BRANCH=None
Change-Id: I56b84138f08ded2376193403f9c9db22c5f24f71
Reviewed-on: https://chromium-review.googlesource.com/339680
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Musl complains about using sys/fcntl.h, and with -Werror that
gives a compilation failure. Every other file includes <fcntl.h>
so just use that.
Change-Id: Ibc743bbe335e9e9b91da7e4eacc01cc80cd8b35a
Reviewed-on: https://chromium-review.googlesource.com/313419
Commit-Ready: Doug Evans <dje@google.com>
Tested-by: Doug Evans <dje@google.com>
Reviewed-by: Nam Nguyen <namnguyen@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for PEM file containing a RSA Public key in futility "show"
and "create" commands.
When "futility create" is given a PEM file with only a RSA public key,
generate the proper .vbpubk2 rather than failing.
BRANCH=smaug
BUG=none
TEST=make runtests
and run manually
futility show tests/testkeys/key_rsa4096.pub.pem
futility show tests/testkeys/key_rsa4096.pem
Change-Id: I707ceca54c80ba21f53869ad86c86fa23b31e665
Reviewed-on: https://chromium-review.googlesource.com/306683
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Verify the size of the buffer read from the file before trying to use 1KB of
it for the new rwsig format detection.
Add a new test case with a short file containing only 4 bytes of unknown
data and run "futility show" on it.
BRANCH=smaug
BUG=none
TEST=futility show foobar.pub.pem
where foobar.pub.pem is a 451-byte file.
check that "make runtests" passes with the fix
and fails without it with the following message :
test_file_types.sh ... failed
FAIL: 13 / 14 passed
Change-Id: Ia9d68c6b528c2b3a595ea6791c907374616d051f
Reviewed-on: https://chromium-review.googlesource.com/306682
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The "rwsig" type is used for independent device firmware (not
Chromebook BIOS) that need to verify themselves instead of using
software sync.
The expected use case is that a RO firmware contains a
vb2_public_key struct along with an FMAP or other pointers to a
slot for RW firmware. The RW firmware slot reserves room for a
vb2_signature struct.
This CL changes the args and behavior of the rwsig type, so that
the RW firmware can be [re]signed independently of the rest of
the image.
BUG=chrome-os-partner:46254
BRANCH=smaug,ToT
TEST=make runtests, manual
Create a keypair:
futility create --desc "Key One" tests/testkeys/key_rsa2048.pem foo
Sign a RW binary and build a complete image out of the parts:
futility sign --type rwsig --prikey foo.vbprik2 rw.bin sig.bin
dd if=/dev/zero bs=65536 count=1 of=image.bin
dd if=rw.bin of=image.bin conv=notrunc
dd if=sig.bin bs=$((65536 - 1024)) seek=1 of=image.bin conv=notrunc
Verify both the separate parts and the combined image:
futility show --type rwsig --pubkey foo.vbpubk2 rw.bin sig.bin
futility show --type rwsig --pubkey foo.vbpubk2 image.bin
Re-sign the combined image with a different keypair:
futility create --desc "Key Two" tests/testkeys/key_rsa1024.pem bar
futility sign --type rwsig --prikey bar.vbprik2 image.bin
Now the first key no longer verifies:
futility show --type rwsig --pubkey foo.vbpubk2 image.bin
But the second key does:
futility show --type rwsig --pubkey bar.vbpubk2 image.bin
Change-Id: Ifdddab08f218f506eb1dce28851b153d70140a7b
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/305980
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the "rwsig" type, with initial support for RO+RW
firmware images that need to verify themselves instead of using
software sync. This uses our vb2 structs instead of raw binary
blobs. That will help us locate, identify, and verify the keys
and signatures in the signed firmware images.
BUG=chrome-os-partner:46254
BRANCH=smaug,ToT
TEST=make runtests
I also hacked up a test board with the EC-side signature
verification routines from a preliminary CL and tested this
signing scheme with that. It works.
Additional work is needed to make this seamless, but you can try
it out like so:
futility create ./tests/testkeys/key_rsa2048.pem foo
futility sign --type rwsig --prikey foo.vbprik2 --pubkey foo.vbpubk2 ec.bin
Change-Id: I876ab312a2b0b36411c5f739fe3252529728d034
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/305394
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The firmware for the USB Type-C power adapters uses raw binary
blobs for the public keys and signatures instead of
readily-identifiable structs. We've been able to sign these
firmware images for some time, but verifying the result generally
required testing them on hardware.
This CL adds some futilty support for recognizing and verifying
those images too. It just tries various sig and hash algorithms,
until it finds a combination for which the image is
self-consistent (where the pubkey blob verifies the signature
blob).
BUG=none
BRANCH=none
TEST=make runtests
This change also adds additional tests for usbpd1 images. We
ensure that we correctly recognize and verify an MP-signed
firmware, plus test signing and verifying usbpd1 images using
multiple signature and hash algorithms.
Change-Id: I4fbe8b37a694992f635d5469ae1c2449b1610dfd
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/302415
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ryu will store a hash of the GBB root key in a struct inside its boot
block. Add a vb2_ryu_root_key_hash struct for that.
If 'futility gbb_utility' is used to set the root key, also look for a
root key hash struct and fill it in. No error if not found, because
this needs to work on other platforms where the struct is not present.
This way, we don't need to change the signing scripts.
Added a --roothash option which can be used to check if the root key
hash is found, and if so, whether it's empty, valid, or invalid.
BUG=chromium:511405
BRANCH=ryu
TEST=manual
Take any existing image.bin.
cp image.bin image.orig
gbb_utility --roothash image.bin
- ryu root hash not found
Extract the root key
gbb_utility -k rootkey.bin image.bin
- exported root_key to file: rootkey.bin
Now, append a blank ryu root hash struct to it
echo '0000000: 5274 4b79 4861 7368 0100 0000 3000 0000' | xxd -r >> image.bin
echo '0000000: 0000 0000 0000 0000 0000 0000 0000 0000' | xxd -r >> image.bin
echo '0000000: 0000 0000 0000 0000 0000 0000 0000 0000' | xxd -r >> image.bin
Nothing is set yet
gbb_utility --roothash image.bin
- ryu root hash is unset
Setting the root key also sets the root hash
gbb_utility -s -k rootkey.bin image.bin
- import root_key from rootkey.bin: success
- calculate ryu root hash: success
successfully saved new image to: image.bin
See, it verifies
gbb_utility --roothash image.bin
- ryu root hash verified
Now, append a bad ryu root hash struct to it
cp image.orig image.bin
echo '0000000: 5274 4b79 4861 7368 0100 0000 3000 0000' | xxd -r >> image.bin
echo '0000000: 0001 0000 0000 0000 0000 0000 0000 0000' | xxd -r >> image.bin
echo '0000000: 0000 0000 0000 0000 0000 0000 0000 0000' | xxd -r >> image.bin
See, it fails
gbb_utility --roothash image.bin
- ryu root hash does not verify
Make sure the library doesn't contain the magic string
strings `which futility` | grep RtKyHash
(should be no output)
Change-Id: Ib46f93cac0f2b532bada4b187ae48efcf4926702
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/286237
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=chromium:475949
TEST=CC=x86_64-cros-linux-gnu-clang CXX=x86_64-cros-linux-gnu-clang++
emerge-falco vboot_reference
BRANCH=none
Change-Id: I3341e840c3f26f8579d35e0bb411566b0ad86164
Reviewed-on: https://chromium-review.googlesource.com/265834
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Queue: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
No functional changes, just tweak the help message a bit.
BUG=none
BRANCH=none
TEST=make runtests
Change-Id: I3c9987560924bd6766d4e1a756a587d9aa123bbb
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/265740
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This suppresses following 'maybe-uninitialized' gcc 4.9.2 errors:
CC futility/futility.o
futility/futility.c: In function ‘do_help’:
futility/futility.c:262:2: error: ‘vstr’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
printf("The following %scommands are built-in:\n\n", vstr);
^
cc1: all warnings being treated as errors
host/lib21/host_misc.c: In function ‘vb2_str_to_id’:
host/lib21/host_misc.c:154:14: error: ‘val’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
id->raw[i] = val;
^
cc1: all warnings being treated as errors
BUG=none
BRANCH=none
TEST=compile, run unit tests
Change-Id: I6b9d19f2d6e9deb2010dd22602d2a3310f4db335
Signed-off-by: Anatol Pomazau <anatol@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/265370
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Commit-Queue: Anatol Pomazau <anatol@google.com>
Tested-by: Anatol Pomazau <anatol@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
vboot currently uses the |SHA256_CTX| name, which is claimed by OpenSSL.
To work around this, it defines OPENSSL_NO_SHA, but that can't be done
at compile time:
The OPENSSL_NO_* defines are set by OpenSSL to reflect the configuration
that it was built with so that users of OpenSSL can disable features as
needed. They can affect the contents of structures any thus the ABI of
the library.
If these defines are set outside of OpenSSL, then the library and the
code that uses it will have incompatible ABIs. At that point it's only
functioning by blind luck.
This change renames the name-collisions so that this hack isn't needed.
This is the same change as was made internally in cl/85758149.
BUG=none
BRANCH=none
TEST=emerge-samus coreboot; make runtests
Change-Id: I709da2507f341896d89d50129ce30ffb111a20d1
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/263506
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The USB Type-C chargers released with Samus ("Pixel (2015)") have
upgradable firmware. Those firmware images are currently signed
by some custom scripts. This adds support for those images to
futility, so that those custom scripts can be replaced.
Note that due to space considerations, the usbpd firmware images
don't have room for handy things like an FMAP or headers for the
signatures. Accordingly, all the normally variable factors (image
size, signature algorithms, etc.) are hard coded and the image
itself just looks like a bunch of random numbers. Because of
this:
1. There's no way to recognize this type of file, and nothing to
display about it.
2. You have to give the "--type usbpd1" arg to the sign command.
3. I'm designating this file type "v1" because I hope that the
firmware for any future adapters will be more readily
identifiable.
BUG=chromium:231574
BRANCH=none
TEST=make runtests
This adds a new test that signs usbpd1 firmware images using
futility, and compares the result to the same files signed by the
custom scripts, ensuring that they are bitwise identical.
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Change-Id: Idbe061db5b3c8e474ada47b40bcbe04bbecdba3a
Reviewed-on: https://chromium-review.googlesource.com/262899
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This moves the functions that handle BIOS file types into a
separate set of source files. BIOSes are constructed from other
components arranged in particular ways, so they shouldn't be
mixed in with the code specifically for those components.
BUG=chromium:231574
BRANCH=none
TEST=make runtests
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Change-Id: I15c3fec61498925f9b8c672092fd97e7ea2d90e9
Reviewed-on: https://chromium-review.googlesource.com/262898
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Just rearranging some internal functions and args.
BUG=none
BRANCH=none
TEST=make runtests
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Change-Id: Ib7d3ab358543c549c670b1cd2715f1b670da2001
Reviewed-on: https://chromium-review.googlesource.com/262897
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This declares the options for the sign and show commands in a
header file.
We want to split the code for logically separate file types into
separate source files, but we don't want to have multiple
option-parsing routines, so that we can be sure we're using the
same option names consistently (for example, --hash_alg always
takes the same args and means the same thing).
BUG=chromium:231574
BRANCH=none
TEST=make runtests
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Change-Id: I939bd19ba199b4c44eb41cff3571cff88df9a181
Reviewed-on: https://chromium-review.googlesource.com/262896
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows the user to manually specify the type of an input
file, since not all file types can be reliably identified.
This also adds a test to ensure that futility doesn't coredump if
you give it the wrong type (although I'm sure it's not exhaustive).
BUG=chromium:231574
BRANCH=none
TEST=make runtests
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Change-Id: I9d909305d9989fe7299e744c585de380109cf8cd
Reviewed-on: https://chromium-review.googlesource.com/262895
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of calling futil_traverse() to iterate through a preset
list of functions, this establishes a separate show() and sign()
function for each type of file.
The only significant change is that walking through the FMAP areas
within BIOS images is done in BIOS-specific functions instead of
that being the "normal" case with every other type of file
skipping that traversal.
This is a refactoring only. There is no externally visible change.
BUG=chromium:231574
BRANCH=none
TEST=make runtests
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Change-Id: I7080afb43e35308c8bb618793c8382c2efb3d6a1
Reviewed-on: https://chromium-review.googlesource.com/262894
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|