From 6c17ef7446373d7a474671a3bd2dd2a4cce58741 Mon Sep 17 00:00:00 2001
From: Edward Hyunkoo Jee
Date: Sat, 21 Apr 2018 02:07:40 -0700
Subject: image_signing: clean up UEFI signing/verifying code
Follow up the code review comments on CL:995175, which was merged as 1493e938e45535f86b7132a83123c6319eacb217 ("image_signing: sign UEFI binaries")
BUG=b:62189155
TEST=See CL:*613656
BRANCH=none
Change-Id: Ic01bfbbfe39fbfb85c0f313ab62bbcd3e2fbb9a3
Reviewed-on: https://chromium-review.googlesource.com/1024919
Commit-Ready: Edward Jee
Tested-by: Edward Jee
Reviewed-by: Mike Frysinger
---
 scripts/image_signing/common_minimal.sh | 17 ++++++------
 scripts/image_signing/install_gsetup_certs.sh | 10 ++++---
 scripts/image_signing/sign_official_build.sh | 38 ++++++++++++++++-----------
 scripts/image_signing/sign_uefi.sh | 22 +++++++++-------
 scripts/image_signing/verify_uefi.sh | 38 ++++++++++++++++-----------
 5 files changed, 74 insertions(+), 51 deletions(-)
diff --git a/scripts/image_signing/common_minimal.sh b/scripts/image_signing/common_minimal.sh
index d7ecc10e..3a0dccf9 100644
--- a/scripts/image_signing/common_minimal.sh
+++ b/scripts/image_signing/common_minimal.sh
@@ -254,9 +254,10 @@ mount_image_partition() {
 # Mount the image's ESP (EFI System Partition) on a newly created temporary
 # directory.
-# Prints out the newly created temporary directory path if succeeded, prints
-# out nothing if ESP doesn't exist, print out "MOUNT_FAILED" if mount failed.
-# Args: IMAGE ESP_PARTNUM
+# Prints out the newly created temporary directory path if succeeded.
+# If the image doens't have an ESP partition, returns 0 without print anything.
+# Args: IMAGE
+# Returns: 0 if succeeded, 1 otherwise.
 mount_image_esp() {
   local image="$1"
   local ESP_PARTNUM=12
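Review bot: The added header comment has two typos on the line `# If the image doens't have an ESP partition, returns 0 without print anything.`; suggest `# If the image doesn't have an ESP partition, returns 0 without printing anything.` It would also help callers to say that the "no ESP" case and the mount-failure case are told apart by exit status plus empty output, e.g. `# Callers must check both the exit status and whether a path was printed.` The body of mount_image_esp continues past this hunk.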
@@ -264,19 +265,19 @@ mount_image_esp() {
   local esp_offset=$(( $(partoffset "${image}" "${ESP_PARTNUM}") ))
   # Check if the image has an ESP partition.
   if [[ "${esp_offset}" == "0" ]]; then
-    return
+    return 0
   fi
   local esp_dir="$(make_temp_dir)"
   # We use the 'unsafe' variant because the EFI system partition is vfat type
   # and can be mounted in RW mode.
-  if ! $(_mount_image_partition_retry "${image}" "${ESP_PARTNUM}" \
-      "${esp_dir}" > /dev/null); then
-    echo "MOUNT_FAILED"
-    return
+  if ! _mount_image_partition_retry "${image}" "${ESP_PARTNUM}" \
+      "${esp_dir}" >/dev/null; then
+    return 1
   fi
   echo "${esp_dir}"
+  return 0
 }
 # Extract a partition to a file
diff --git a/scripts/image_signing/install_gsetup_certs.sh b/scripts/image_signing/install_gsetup_certs.sh
index d515b790..e51843d8 100755
--- a/scripts/image_signing/install_gsetup_certs.sh
+++ b/scripts/image_signing/install_gsetup_certs.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-
 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
@@ -12,7 +11,7 @@ usage() {
   cat </dev/null; then
-    die "Skip signing UEFI binaries (sbattach not found)."
+    die "Cannot sign UEFI binaries (sbattach not found)."
   fi
   if ! type -P sbsign &>/dev/null; then
-    die "Skip signing UEFI binaries (sbsign not found)."
+    die "Cannot sign UEFI binaries (sbsign not found)."
   fi
   if ! type -P sbverify &>/dev/null; then
-    die "Skip signing UEFI binaries (sbverify not found)."
+    die "Cannot sign UEFI binaries (sbverify not found)."
   fi
   local bootloader_dir="${target_dir}/efi/boot"
@@ -65,7 +67,7 @@ main() {
   local kernel_dir="${target_dir}"
   local verify_cert="${key_dir}/db/db.pem"
-  if [[ ! -f "$verify_cert" ]]; then
+  if [[ ! -f "${verify_cert}" ]]; then
     die "No verification cert: ${verify_cert}"
   fi
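Review bot: The new `return 0` for `esp_offset == 0` treats "no ESP" as success, but the context line above, `local esp_offset=$(( $(partoffset "${image}" "${ESP_PARTNUM}") ))`, turns a failing partoffset (empty output, with its non-zero status hidden by `local` and `$(( ))`) into offset 0 as well, so an unreadable or corrupt image is reported as "no ESP, success" instead of as an error, and a caller that skips verification when nothing is printed would do so silently. Splitting the assignment makes that failure visible: `local esp_offset` / `esp_offset="$(partoffset "${image}" "${ESP_PARTNUM}")" || return 1`. The `return 1` after a failed `_mount_image_partition_retry` also leaves the directory from `make_temp_dir` behind unless make_temp_dir registers it for cleanup, which is not visible here; if it does not, removing it before returning keeps the failure path clean.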
@@ -81,7 +83,8 @@ main() {
   local working_dir="$(make_temp_dir)"
-  for efi_file in "${bootloader_dir}/"*".efi"; do
+  local efi_file
+  for efi_file in "${bootloader_dir}"/*.efi; do
     if [[ ! -f "${efi_file}" ]]; then
       continue
     fi
@@ -89,7 +92,8 @@ main() {
       "${sign_key}" "${sign_cert}" "${verify_cert}"
   done
-  for syslinux_kernel_file in "${syslinux_dir}/vmlinuz."?; do
+  local syslinux_kernel_file
+  for syslinux_kernel_file in "${syslinux_dir}"/vmlinuz.?; do
     if [[ ! -f "${syslinux_kernel_file}" ]]; then
       continue
     fi
diff --git a/scripts/image_signing/verify_uefi.sh b/scripts/image_signing/verify_uefi.sh
index 959b5b8f..0d305117 100755
--- a/scripts/image_signing/verify_uefi.sh
+++ b/scripts/image_signing/verify_uefi.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-
 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
@@ -10,7 +9,7 @@ set -e
 usage() {
   cat </dev/null; then
@@ -39,40 +39,48 @@ main() {
   local gsetup_dir="${esp_dir}/EFI/Google/GSetup"
   if [[ ! -f "${gsetup_dir}/pk/pk.der" ]]; then
-    warn "No PK cert"
-    exit 0
+    die "No PK cert"
   fi
   local db_cert_der="${gsetup_dir}/db/db.der"
   if [[ ! -f "${db_cert_der}" ]]; then
-    warn "No DB cert"
-    exit 0
+    die "No DB cert"
   fi
+  local cert="${key_dir}/db/db.pem"
+
   local working_dir="$(make_temp_dir)"
-  local cert="${working_dir}/cert.pem"
-  openssl x509 -in "${db_cert_der}" -inform DER -out "${cert}" -outform PEM
+  local gsetup_cert="${working_dir}/cert.pem"
+  openssl x509 -in "${db_cert_der}" -inform DER \
+    -out "${gsetup_cert}" -outform PEM
-  for efi_file in "${bootloader_dir}/"*".efi"; do
+  for efi_file in "${bootloader_dir}"/*.efi; do
     if [[ ! -f "${efi_file}" ]]; then
       continue
     fi
     sbverify --cert "${cert}" "${efi_file}" ||
-      die "Verification failed: ${efi_file}"
+      die "Verification failed. file:${efi_file} cert:${cert}"
+    sbverify --cert "${gsetup_cert}" "${efi_file}" ||
+      die "Verification failed. file:${efi_file} cert:${gsetup_cert}"
   done
-  for syslinux_kernel_file in "${syslinux_dir}/vmlinuz."?; do
+  for syslinux_kernel_file in "${syslinux_dir}"/vmlinuz.?; do
     if [[ ! -f "${syslinux_kernel_file}" ]]; then
       continue
     fi
     sbverify --cert "${cert}" "${syslinux_kernel_file}" ||
-      warn "Verification failed: ${syslinux_kernel_file}"
+      warn "Verification failed. file:${syslinux_kernel_file} cert:${cert}"
+    sbverify --cert "${gsetup_cert}" "${syslinux_kernel_file}" ||
+      warn "Verification failed. file:${syslinux_kernel_file}" \
+        "cert:${gsetup_cert}"
   done
   local kernel_file="$(readlink -f "${kernel_dir}/vmlinuz")"
   if [[ -f "${kernel_file}" ]]; then
     sbverify --cert "${cert}" "${kernel_file}" ||
-      warn "Verification failed: ${kernel_file}"
+      warn "Verification failed: file:${kernel_file} cert:${cert}"
+    sbverify --cert "${gsetup_cert}" "${kernel_file}" ||
+      warn "Verification failed: file:${kernel_file} cert:${gsetup_cert}"
   fi
 }
-- 
cgit v1.2.1
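Review bot: `cert` now points at `${key_dir}/db/db.pem`, but unlike the matching block in sign_uefi.sh (`if [[ ! -f "${verify_cert}" ]]; then die "No verification cert: ..."`), nothing checks that the file exists before the `sbverify --cert "${cert}"` calls, so a missing or mistyped key_dir surfaces as `Verification failed. file:... cert:...` rather than a clear error; adding `[[ -f "${cert}" ]] || die "No verification cert: ${cert}"` right after the `local cert=` line would fix that. A second point is that a failed signature on a syslinux kernel or on `${kernel_dir}/vmlinuz` only `warn`s while a bootloader failure `die`s, so — assuming `warn` returns 0 — the script still exits successfully when a kernel verifies against neither cert; if that is deliberate, a comment such as `# Kernel signature failures are non-fatal: <reason>` above the syslinux loop would document it, otherwise `die` as in the bootloader loop keeps the check enforcing. The new messages also mix `Verification failed.` with `Verification failed:`; one form keeps log grepping simple.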