From 56ca7296a0c35ca8a7b06584d7f714551c918bef Mon Sep 17 00:00:00 2001
From: Vadim Bendebury
Date: Wed, 16 Nov 2022 15:14:13 -0800
Subject: sign_gsc_firmware: check ti50 images for prohibited blobs

We want to add an additional layer of protection against accidental releasing of prod signed images with dev public keys and hashes for which private keys are not secret. The blobs of the keys and hashes to avoid are available in the Ti50 tarball, this patch adds a check and fails the signing process each time the prohibited blob is found in the Ti50 binary.

BRANCH=none
BUG=b:254059627
TEST=invoked the script to sign Ti50 images built with and without 'ALLOW_AP_RO_DEV_SIGNING_KEY=1 TI50_DEV=1' defined, Observed signer failure when signing the image with either variable defined, reporting the presence of the appropriate blob.

Change-Id: I8497e749807f862f6d20cf33cad4657008a6372a
Signed-off-by: Vadim Bendebury
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4032539
Tested-by: Vadim Bendebury
Reviewed-by: Allen Webb
Commit-Queue: Vadim Bendebury
Reviewed-by: Jett Rink
---
 scripts/image_signing/sign_gsc_firmware.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/scripts/image_signing/sign_gsc_firmware.sh b/scripts/image_signing/sign_gsc_firmware.sh
index 52091650..5ef25081 100755
--- a/scripts/image_signing/sign_gsc_firmware.sh
+++ b/scripts/image_signing/sign_gsc_firmware.sh
@@ -340,6 +340,7 @@ sign_rw() {
 local rma_key_base=""
 local signer_command_params
 local temp_dir
+ local prohibited_blobs=()
 
 temp_dir="$(make_temp_dir)"
 signer_command_params=(-x "${fuses_file}" --key "${key_file}")
@@ -375,6 +376,12 @@ sign_rw() {
 # Indicate D1 signing.
 signer_command_params+=( "--dauntless" "--ihex" )
 base_name="ti50"
+ # Key and hashes used in dev, must not leak into prod signed images.
+ prohibited_blobs=(
+ "${rma_key_dir}/rma_test_pub_key.bin"
+ "${rma_key_dir}/arv_2k_test_key_hash.bin"
+ "${rma_key_dir}/arv_4k_test_key_hash.bin"
+ )
 ;;
 (*)
 die "Unknown generation value \"${generation}\""
@@ -392,6 +399,7 @@ sign_rw() {
 local hex_signed="${temp_dir}/hex_signed"
 local bin_signed="${temp_dir}/bin_signed"
 local hex_base
+ local blob
 
 # Make sure output files are not owned by root.
 touch "${bin_signed}" "${hex_signed}"
@@ -415,6 +423,15 @@ sign_rw() {
 fi
 fi
 
+ for blob in "${prohibited_blobs[@]}"; do
+ if [[ ! -f ${blob} ]]; then
+ die "${blob} not found in the GSC tarball"
+ fi
+ if find_blob_in_blob "${bin_signed}" "${blob}"; then
+ die "${blob} found in signed image"
+ fi
+ done
+
 hex_base="$(get_hex_base "${hex_signed}")"
 paste_bin "${result_file}" "${bin_signed}" "${image_base}" "${hex_base}"
 done
-- 
cgit v1.2.1
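Review bot: The existence test in the last hunk, `if [[ ! -f ${blob} ]]`, accepts an empty blob file, and what find_blob_in_blob does with an empty needle is not visible here — if it matches nothing, a truncated blob in the tarball makes the prod-key guard vacuous without any error. Using `if [[ ! -s "${blob}" ]]; then` with `die "${blob} missing or empty in the GSC tarball"` rejects an empty blob as well as a missing one, and quoting `${blob}` matches every other expansion in the hunk. The `if find_blob_in_blob "${bin_signed}" "${blob}"` test is also fail-open: any non-zero status, whether "not found" or an internal error in the helper, lets signing continue, so if the helper can fail for reasons other than absence it should report that with a distinct exit code (or abort itself) so an aborted search is never read as a clean image. sign_rw starts and ends outside the hunk.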