#!/bin/bash # Copyright (c) 2013 The Chromium OS Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. # Run verified boot firmware and kernel verification tests. # Load common constants and variables. . "$(dirname "$0")/common.sh" return_code=0 function test_vbutil_key_single { local algonum=$1 local keylen=$2 local hashalgo=$3 echo -e "For signing key ${COL_YELLOW}RSA-$keylen/$hashalgo${COL_STOP}:" # Pack the key ${FUTILITY} vbutil_key \ --pack ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk \ --key ${TESTKEY_DIR}/key_rsa${keylen}.keyb \ --version 1 \ --algorithm $algonum if [ $? -ne 0 ] then return_code=255 fi # Unpack the key # TODO: should verify we get the same key back out? ${FUTILITY} vbutil_key \ --unpack ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk if [ $? -ne 0 ] then return_code=255 fi } function test_vbutil_key_all { algorithmcounter=0 for keylen in ${key_lengths[@]} do for hashalgo in ${hash_algos[@]} do test_vbutil_key_single $algorithmcounter $keylen $hashalgo let algorithmcounter=algorithmcounter+1 done done } function test_vbutil_key { test_vbutil_key_single 4 2048 sha256 test_vbutil_key_single 7 4096 sha256 test_vbutil_key_single 11 8192 sha512 } function test_vbutil_keyblock_single { local signing_algonum=$1 local signing_keylen=$2 local signing_hashalgo=$3 local data_algonum=$4 local data_keylen=$5 local data_hashalgo=$6 echo -e "For ${COL_YELLOW}signing algorithm \ RSA-${signing_keylen}/${signing_hashalgo}${COL_STOP} \ and ${COL_YELLOW}data key algorithm RSA-${datakeylen}/\ ${datahashalgo}${COL_STOP}" # Remove old file keyblockfile="${TESTKEY_SCRATCH_DIR}/" keyblockfile+="sign${signing_algonum}_data" keyblockfile+="${data_algonum}.keyblock" rm -f ${keyblockfile} # Wrap private key ${FUTILITY} vbutil_key \ --pack ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbprivk \ --key ${TESTKEY_DIR}/key_rsa${signing_keylen}.pem \ --algorithm $signing_algonum if [ $? -ne 0 ] then echo -e "${COL_RED}Wrap vbprivk${COL_STOP}" return_code=255 fi # Wrap public key ${FUTILITY} vbutil_key \ --pack ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk \ --key ${TESTKEY_DIR}/key_rsa${signing_keylen}.keyb \ --algorithm $signing_algonum if [ $? -ne 0 ] then echo -e "${COL_RED}Wrap vbpubk${COL_STOP}" return_code=255 fi # Pack ${FUTILITY} vbutil_keyblock --pack ${keyblockfile} \ --datapubkey \ ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk \ --signprivate \ ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbprivk if [ $? -ne 0 ] then echo -e "${COL_RED}Pack${COL_STOP}" return_code=255 fi # Unpack ${FUTILITY} vbutil_keyblock --unpack ${keyblockfile} \ --datapubkey \ ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2 \ --signpubkey \ ${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk if [ $? -ne 0 ] then echo -e "${COL_RED}Unpack${COL_STOP}" return_code=255 fi # Check if ! cmp -s \ ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk \ ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2 then echo -e "${COL_RED}Check${COL_STOP}" return_code=255 exit 1 fi echo -e "${COL_YELLOW}Testing keyblock creation using \ external signer.${COL_STOP}" # Pack using external signer # Pack ${FUTILITY} vbutil_keyblock --pack ${keyblockfile} \ --datapubkey \ ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk \ --signprivate_pem \ ${TESTKEY_DIR}/key_rsa${signing_keylen}.pem \ --pem_algorithm "${signing_algonum}" \ --externalsigner "${SCRIPT_DIR}/external_rsa_signer.sh" if [ $? -ne 0 ] then echo -e "${COL_RED}Pack${COL_STOP}" return_code=255 fi # Unpack ${FUTILITY} vbutil_keyblock --unpack ${keyblockfile} \ --datapubkey \ ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2 \ --signpubkey \ ${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbpubk if [ $? -ne 0 ] then echo -e "${COL_RED}Unpack${COL_STOP}" return_code=255 fi # Check if ! cmp -s \ ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk \ ${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2 then echo -e "${COL_RED}Check${COL_STOP}" return_code=255 exit 1 fi } function test_vbutil_keyblock_all { # Test for various combinations of firmware signing algorithm and # kernel signing algorithm signing_algorithmcounter=0 data_algorithmcounter=0 for signing_keylen in ${key_lengths[@]} do for signing_hashalgo in ${hash_algos[@]} do let data_algorithmcounter=0 for datakeylen in ${key_lengths[@]} do for datahashalgo in ${hash_algos[@]} do test_vbutil_keyblock_single \ $signing_algorithmcounter $signing_keylen $signing_hashalgo \ $data_algorithmcounter $data_keylen $data_hashalgo let data_algorithmcounter=data_algorithmcounter+1 done done let signing_algorithmcounter=signing_algorithmcounter+1 done done } function test_vbutil_keyblock { test_vbutil_keyblock_single 7 4096 sha256 4 2048 sha256 test_vbutil_keyblock_single 11 8192 sha512 4 2048 sha256 test_vbutil_keyblock_single 11 8192 sha512 7 4096 sha256 } check_test_keys echo echo "Testing vbutil_key..." if [ "$1" == "--all" ] ; then test_vbutil_key_all else test_vbutil_key fi echo echo "Testing vbutil_keyblock..." if [ "$1" == "--all" ] ; then test_vbutil_keyblock_all else test_vbutil_keyblock fi exit $return_code