From c4daa6e936a5dc2dad28bb1e07af995c05b37a99 Mon Sep 17 00:00:00 2001 From: David Riley Date: Tue, 6 Nov 2018 15:10:34 -0800 Subject: image_signing: Verify cr50 signing manifest compliance When signing Cr50 images, Board ID flags and major version number fields of the manifest must follow the following convention: - even major version numbers indicate pre-pvt branch, Board ID flag bit 0x10 must be set; - odd major version numbers indicate mp branch, Board ID flag bit 0x10000 must be set; BRANCH=none BUG=b:74100307 TEST=extracted pre-pvt branch produced Cr50 tarball into /tmp/cr50.cp, and ran the following command: scripts/image_signing/sign_cr50_firmware.sh /tmp/cr50.cp tests/devkeys \ signed observed successful completion. Modified /tmp/cr50.cp/ec_RW-manifest-prod.json to set major version number to 3 instead of 4 and tried again, got the following error, as expected: sign_cr50_firmware.sh: ERROR : Inconsistent manifest \ /tmp/cr50.cp/ec_RW-manifest-prod.json: major = "3", board_id_flags = "16" Change-Id: Ic123df4396d7d497347de40a5ff448940c0b1982 Signed-off-by: Vadim Bendebury Reviewed-on: https://chromium-review.googlesource.com/1321410 Reviewed-by: David Riley Reviewed-by: Mike Frysinger --- scripts/image_signing/sign_cr50_firmware.sh | 37 +++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) (limited to 'scripts') diff --git a/scripts/image_signing/sign_cr50_firmware.sh b/scripts/image_signing/sign_cr50_firmware.sh index ae61cee5..b39babac 100755 --- a/scripts/image_signing/sign_cr50_firmware.sh +++ b/scripts/image_signing/sign_cr50_firmware.sh 
@@ -23,6 +23,41 @@ eval set -- "${FLAGS_ARGV}" set -e set -u +PRE_PVT_BID_FLAG=0x10 +MP_BID_FLAG=0x10000 +# This function accepts one argument, the name of the Cr50 manifest file which +# needs to be verified. +# +# The function verifies that the manifest is a proper json file, and that the +# manifest conforms to Cr50 version numbering and board ID flags convention: +# when signing pre-pvt images (major version number is even) the 0x10 flags +# bit must be set. When signing mp images (major version number is odd), the +# 0x10000 flags bit must be set. +verify_cr50_manifest() { + if [[ $# -ne 1 ]]; then + die "Usage: verify_cr50_manifest " + fi + + local manifest_json="$1" + local major + local bid_flags + + major="$(jq '.major' "${manifest_json}")" + bid_flags="$(jq '.board_id_flags' "${manifest_json}")" + + if (( major & 1 )); then + if (( bid_flags & MP_BID_FLAG )); then + return 0 + fi + else + if (( bid_flags & PRE_PVT_BID_FLAG )); then + return 0 + fi + fi + die "Inconsistent manifest ${manifest_source}: major = '${major}'," \ + "board_id_flags = '${bid_flags}'" +} + # This function accepts two arguments, names of two binary files. # # It searches the first passed-in file for the first 8 bytes of the second @@ -243,6 +278,8 @@ sign_cr50_firmware() { die "failed to convert ${manifest_source} into valid json" fi + verify_cr50_manifest "${manifest_file}" + dd if=/dev/zero bs="${IMAGE_SIZE}" count=1 status=none | tr '\000' '\377' > "${output_file}" if [[ "$(stat -c '%s' "${output_file}")" != "${IMAGE_SIZE}" ]]; then -- cgit v1.2.1
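Review bot: In verify_cr50_manifest (first hunk), `major` and `bid_flags` go from `jq` straight into `(( ... ))` with no check that they are numbers. Bash arithmetic evaluates whatever string it receives as an expression, so a missing field (`null`) or a non-numeric value from the manifest is handled by the shell's expression evaluator instead of being rejected by an explicit check. Assuming both fields are plain JSON integers, I would add before the first test `[[ "${major}" =~ ^[0-9]+$ && "${bid_flags}" =~ ^[0-9]+$ ]] || die "Bad major/board_id_flags in ${manifest_json}"`. Separately, the final `die` prints `${manifest_source}`, which is neither a parameter nor a local of this function. It presumably resolves through the caller's scope in sign_cr50_firmware (second hunk), but under the `set -u` shown at the top of the hunk any other caller would abort with an unbound-variable error, so `${manifest_json}` or an explicit second argument would be safer.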