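#!/bin/bash
# Copyright 2014 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# Regression test for "futility sign" when the target is a keyblock.
#
# Each keyblock is produced twice, once with the legacy vbutil_keyblock
# command and once with the newer "sign" command, and the two results must
# be byte-identical (checked with cmp). The first pair is also compared
# against the checked-in devkeys fixture, so a change in keyblock layout or
# in the signing path (which therefore has to be deterministic) shows up as
# a cmp failure rather than going unnoticed.
#
# Required environment, exported by the test runner:
#   FUTILITY - path to the futility binary under test
#   SRCDIR   - source tree root (tests/devkeys, tests/testkeys and the
#              external signer helper are resolved relative to it)
#   OUTDIR   - writable scratch directory

# Shell options are set here rather than in the shebang so they are kept when
# the script is started as "bash test_sign_keyblocks.sh": stop on the first
# failing command or unset variable, and trace every command that runs.
set -eux

# Give a readable diagnostic instead of a bare -u error when the harness did
# not export what we rely on below.
: "${FUTILITY:?FUTILITY must point at the futility binary}"
: "${SRCDIR:?SRCDIR must point at the source tree root}"
: "${OUTDIR:?OUTDIR must be a writable scratch directory}"

me=${0##*/}
TMP="$me.tmp"

# Work in scratch directory
cd "$OUTDIR"

# some stuff we'll need
DEVKEYS=${SRCDIR}/tests/devkeys
TESTKEYS=${SRCDIR}/tests/testkeys
SIGNER=${SRCDIR}/tests/external_rsa_signer.sh


# Create a copy of an existing keyblock, using the old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 23 \
  --signprivate "${DEVKEYS}/root_key.vbprivk"

# Check it: unpacking with --signpubkey makes futility check the keyblock
# against the root public key, so a bad signature fails here.
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock0" \
  --signpubkey "${DEVKEYS}/root_key.vbpubk"

# It should be the same as the dev-key firmware keyblock
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock0"


# Now create it the new way
"${FUTILITY}" --debug sign \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 23 \
  --signprivate "${DEVKEYS}/root_key.vbprivk" \
  --outfile "${TMP}.keyblock1"

# It should be the same too.
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock1"


# Create a keyblock without signing it. There is no --signpubkey check for
# this pair: an unsigned keyblock has nothing to verify, so the only
# assertion is that both commands emit the same bytes.

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 14

# new way
"${FUTILITY}" --debug sign \
  --flags 14 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock1"

cmp "${TMP}.keyblock0" "${TMP}.keyblock1"


# Create one using PEM args

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock2" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 9

# verify it
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock2" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# new way
"${FUTILITY}" --debug sign \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --flags 9 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock3"

cmp "${TMP}.keyblock2" "${TMP}.keyblock3"

# Try it with an external signer. The signer is a test-only helper script
# from the source tree that futility invokes to produce the signature; the
# result is still verified with the matching public key below.

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock4" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 19 \
  --externalsigner "${SIGNER}"

# verify it
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock4" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# new way
"${FUTILITY}" --debug sign \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --pem_external "${SIGNER}" \
  --flags 19 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock5"

cmp "${TMP}.keyblock4" "${TMP}.keyblock5"


# cleanup -- only reached on success (set -e aborts earlier otherwise), so
# the intermediate keyblocks are left behind for inspection when a step
# fails. "--" keeps a TMP that happens to start with '-' from being parsed
# as an option, and :? refuses to expand an empty TMP into a bare '*'.
rm -rf -- "${TMP:?}"*
exit 0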