From afa7350dccee079673831ef16a7c60a9a74ba77f Mon Sep 17 00:00:00 2001 From: Bill Richardson Date: Sun, 11 Sep 2016 02:55:52 -0700 Subject: make_dev_firmware.sh should use key.versions file The 'key.versions' file is used by the image signing scripts to ensure that newly generated keys and re-signed buildbot images have the correct version numbers to avoid rollback in officially-signed Chrome OS images. If a skilled user is re-keying her Chromebook to use personal keys in normal mode (which requires disabling WP and changing the GBB and VBLOCK_A/B), she can avoid clearing the TPM rollback counters if make_dev_firmware.sh will obtain the firmware_version from the key.versions file in her personal key directory. BUG=none BRANCH=none TEST=make runtests, manual tests Extract an MP-signed BIOS from a Chromebook Peppy. flashrom -p host -r peppy.bin Resign it without this CL: make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy.bin Resign it with this CL: make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new.bin Confirm no difference: cmp dev_peppy.bin dev_peppy_new.bin Temporarily edit tests/devkeys/key.versions to contain firmware_key_version=2 firmware_version=3 kernel_key_version=4 kernel_version=5 Resign again: make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new2.bin Confirm that the only difference is the firmware version in VBLOCK_A/B: futility show dev_peppy_new*.bin Change-Id: I133f1b58fb969eaeb239a44a4800750c4eee1d5f Signed-off-by: Bill Richardson Reviewed-on: https://chromium-review.googlesource.com/383887 Reviewed-by: Mike Frysinger
---
 scripts/image_signing/common_minimal.sh | 9 +++++++++ scripts/image_signing/make_dev_firmware.sh | 13 ++++++++++--- 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/scripts/image_signing/common_minimal.sh b/scripts/image_signing/common_minimal.sh
index fa566761..a591ae47 100644
--- a/scripts/image_signing/common_minimal.sh
+++ b/scripts/image_signing/common_minimal.sh
@@ -338,6 +338,15 @@ rw_mount_disabled() {
 # Misc functions
 # ----------------------------------------------------------------------------
+# Parses the version file containing key=value lines
+# Args: key file
+# Returns: value
+get_version() {
+ local key="$1"
+ local file="$2"
+ awk -F= -vkey="${key}" '$1 == key { print $NF }' "${file}"
+}
+
 # Returns true if all files in parameters exist.
 # Args: List of files
 ensure_files_exist() {
diff --git a/scripts/image_signing/make_dev_firmware.sh b/scripts/image_signing/make_dev_firmware.sh
index c44e6717..9509769d 100755
--- a/scripts/image_signing/make_dev_firmware.sh
+++ b/scripts/image_signing/make_dev_firmware.sh
@@ -122,6 +122,8 @@ main() {
 local dev_firmware_keyblock="$FLAGS_keys/dev_firmware.keyblock"
 local dev_firmware_prvkey="$FLAGS_keys/dev_firmware_data_key.vbprivk"
 local kernel_sub_pubkey="$FLAGS_keys/kernel_subkey.vbpubk"
+ local version_file="$FLAGS_keys/key.versions"
+ local firmware_version=
 local is_from_live=0
 local backup_image=
@@ -140,6 +142,11 @@ main() {
 ensure_files_exist "$FLAGS_from" || exit 1
 fi
+ if [ -e "$version_file" ]; then
+ firmware_version=$(get_version "firmware_version" "$version_file")
+ fi
+ : ${firmware_version:=1}
+
 debug_msg "Checking software write protection status"
 disable_write_protection ||
 if is_debug_mode; then
@@ -200,9 +207,8 @@ main() {
 local unsigned_image="$(make_temp_file)"
 local optional_opts=""
 if [ -n "$FLAGS_preamble_flags" ]; then
- # optional_opts: VERSION FLAGS
- debug_msg "Setting new VERSION=1, FLAGS=$FLAGS_preamble_flags"
- optional_opts="1 $FLAGS_preamble_flags"
+ debug_msg "Setting FLAGS=$FLAGS_preamble_flags"
+ optional_opts="$FLAGS_preamble_flags"
 fi
 cp -f "$IMAGE" "$unsigned_image"
 "$SCRIPT_BASE/resign_firmwarefd.sh" \
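Review bot: `get_version` prints every line whose key matches and passes the value through untouched, so a key.versions file with a repeated key, trailing whitespace or a carriage return after the number gives the caller a multi-line or padded string. Because the result ends up as the firmware version written into VBLOCK_A/B, I would stop at the first match, `awk -F= -v key="${key}" '$1 == key { print $NF; exit }' "${file}"`, and leave numeric validation to the caller. Writing `-v key=...` with a space is also the form POSIX specifies. The header comment could state that the value is written to stdout and that nothing is printed when the key is absent, e.g. `# Outputs: value of the first matching key on stdout, empty if not found`.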
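Review bot: The value read from key.versions in the `@@ -140` hunk is used as the firmware version without any check, and an existing file that has no `firmware_version` entry silently falls back to 1. For a user who re-keyed precisely to keep the TPM rollback counters, a malformed or silently defaulted version is presumably the failure they most need to be told about, so I would reject anything that is not a plain decimal number and keep the default of 1 only for a missing file. The `: ${firmware_version:=1}` line should also be quoted so the expansion is not word-split or globbed. main() starts and ends outside this hunk.

```shell
    firmware_version=$(get_version "firmware_version" "$version_file")
    # Reject an empty or non-numeric entry instead of signing with it.
    case "$firmware_version" in
      ''|*[!0-9]*)
        err_die "Invalid firmware_version in $version_file: '$firmware_version'"
        ;;
    esac
  fi
  : "${firmware_version:=1}"
```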
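Review bot: After the `@@ -200` hunk nothing logs which firmware version is about to be stamped into the image, because the `debug_msg` that used to print VERSION now prints only the flags. Now that the version can come from a user-supplied key.versions file, a line such as `debug_msg "Signing with firmware version $firmware_version"` placed outside the `if [ -n "$FLAGS_preamble_flags" ]` block would let the user confirm the rollback version before flashing, whether or not preamble flags are given. main() continues beyond this hunk on both sides.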
@@ -213,6 +219,7 @@ main() {
 "$dev_firmware_prvkey" \
 "$dev_firmware_keyblock" \
 "$kernel_sub_pubkey" \
+ "$firmware_version" \
 $optional_opts >"$EXEC_LOG" 2>&1 ||
 err_die "Failed to re-sign firmware. (message: $(cat "$EXEC_LOG"))"
 if is_debug_mode; then
-- cgit v1.2.1
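Review bot: The new `"$firmware_version" \` argument is positional and has to stay ahead of `$optional_opts`, yet the only comment that recorded that order (`# optional_opts: VERSION FLAGS`) is removed elsewhere in this commit. A short comment above the argument, e.g. `# VERSION must precede the optional preamble FLAGS`, would keep the contract visible; the order resign_firmwarefd.sh expects is inferred from the removed comment, since that script is not part of this diff. `$optional_opts` is still expanded unquoted on the following line, so the preamble flags remain subject to word splitting and globbing. `${optional_opts:+"$optional_opts"}` would pass them as a single word and still pass nothing when they are unset. The call and main() both extend beyond this hunk.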