From 539cbc27305b6aef9643adffc3297c7079fe7457 Mon Sep 17 00:00:00 2001 From: Randall Spangler Date: Wed, 18 Jun 2014 14:15:04 -0700 Subject: vboot2: Add end-to-end test of firmware verification This constructs a test firmware using the old vboot signing utilities, and then verifies it using vboot2 libraries. This ensures vboot2 can read files signed by the current signing process. BUG=chromium:370082 BRANCH=none TEST=VBOOT2=1 make runtests Change-Id: Icc113c982e5ed99382a4592f9ab688784e853c8e Signed-off-by: Randall Spangler Reviewed-on: https://chromium-review.googlesource.com/204561 Reviewed-by: Daisuke Nojiri Reviewed-by: Bill Richardson --- Makefile | 1 + tests/vb2_firmware_tests.sh | 57 +++++++++++++++++++++++++++++++++++++++++++++ utility/vb2_verify_fw.c | 8 +++---- 3 files changed, 62 insertions(+), 4 deletions(-) create mode 100755 tests/vb2_firmware_tests.sh diff --git a/Makefile b/Makefile index 2acdb980..60509f67 100644 --- a/Makefile +++ b/Makefile @@ -1080,6 +1080,7 @@ runtestscripts: test_setup genfuzztestcases tests/run_vbutil_tests.sh ifneq (${VBOOT2},) tests/vb2_rsa_tests.sh + tests/vb2_firmware_tests.sh endif .PHONY: runmisctests diff --git a/tests/vb2_firmware_tests.sh b/tests/vb2_firmware_tests.sh new file mode 100755 index 00000000..39c4dd97 --- /dev/null +++ b/tests/vb2_firmware_tests.sh @@ -0,0 +1,57 @@ +#!/bin/bash + +# Copyright (c) 2014 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. +# +# End-to-end test for vboot2 firmware verification + +# Load common constants and variables. +. "$(dirname "$0")/common.sh" + +set -e + +echo 'Creating test firmware' + +# Run tests in a dedicated directory for easy cleanup or debugging. +DIR="${TEST_DIR}/vb2fw_test_dir" +[ -d "$DIR" ] || mkdir -p "$DIR" +echo "Testing vb2_verify_fw in $DIR" +cd "$DIR" + +# Dummy firmware body +echo 'This is a test firmware body. This is only a test. Lalalalala' \ + > body.test + +# Pack keys using original vboot utilities +${UTIL_DIR}/vbutil_key --pack rootkey.test \ + --key ${TESTKEY_DIR}/key_rsa8192.keyb --algorithm 11 +${UTIL_DIR}/vbutil_key --pack fwsubkey.test \ + --key ${TESTKEY_DIR}/key_rsa4096.keyb --algorithm 7 +${UTIL_DIR}/vbutil_key --pack kernkey.test \ + --key ${TESTKEY_DIR}/key_rsa2048.keyb --algorithm 4 + +# Create a GBB with the root key +${UTIL_DIR}/gbb_utility -c 128,2400,0,0 gbb.test +${UTIL_DIR}/gbb_utility gbb.test -s --hwid='Test GBB' --rootkey=rootkey.test + +# Keyblock with firmware subkey is signed by root key +${UTIL_DIR}/vbutil_keyblock --pack keyblock.test \ + --datapubkey fwsubkey.test \ + --signprivate ${TESTKEY_DIR}/key_rsa8192.sha512.vbprivk + +# Firmware preamble is signed with the firmware subkey +${UTIL_DIR}/vbutil_firmware \ + --vblock vblock.test \ + --keyblock keyblock.test \ + --signprivate ${TESTKEY_DIR}/key_rsa4096.sha256.vbprivk \ + --fv body.test \ + --version 1 \ + --kernelkey kernkey.test + +echo 'Verifying test firmware using vb2_verify_fw' + +# Verify the firmware using vboot2 utility +${UTIL_DIR}/vb2_verify_fw gbb.test vblock.test body.test + +happy 'vb2_verify_fw succeeded' diff --git a/utility/vb2_verify_fw.c b/utility/vb2_verify_fw.c index 2d662de0..f7ec0b50 100644 --- a/utility/vb2_verify_fw.c +++ b/utility/vb2_verify_fw.c @@ -171,7 +171,7 @@ int main(int argc, char *argv[]) if (rv) { printf("Phase 1 wants recovery mode.\n"); save_if_needed(&ctx); - return 0; + return rv; } /* Determine which firmware slot to boot */ @@ -180,7 +180,7 @@ int main(int argc, char *argv[]) if (rv) { printf("Phase 2 wants reboot.\n"); save_if_needed(&ctx); - return 0; + return rv; } /* Try that slot */ @@ -189,7 +189,7 @@ int main(int argc, char *argv[]) if (rv) { printf("Phase 3 wants reboot.\n"); save_if_needed(&ctx); - return 0; + return rv; } /* Verify body */ @@ -198,7 +198,7 @@ int main(int argc, char *argv[]) save_if_needed(&ctx); if (rv) { printf("Phase 4 wants reboot.\n"); - return 0; + return rv; } printf("Yaay!\n"); -- cgit v1.2.1