blob: f689c89c85f8892988a84b1d4b76687dd35bb6e5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
#!/bin/bash -eux
# Copyright 2014 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
me=${0##*/}
TMP="$me.tmp"
# Work in scratch directory
cd "$OUTDIR"
# some stuff we'll need
DEVKEYS=${SRCDIR}/tests/devkeys
TESTKEYS=${SRCDIR}/tests/testkeys
SIGNER=${SRCDIR}/tests/external_rsa_signer.sh
# Create a copy of an existing keyblock, using the old way
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
--flags 23 \
--signprivate ${DEVKEYS}/root_key.vbprivk
# Check it.
${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock0 \
--signpubkey ${DEVKEYS}/root_key.vbpubk
# It should be the same as the dev-key firmware keyblock
cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock0
# Now create it the new way
${FUTILITY} --debug sign \
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
--flags 23 \
--signprivate ${DEVKEYS}/root_key.vbprivk \
--outfile ${TMP}.keyblock1
# It should be the same too.
cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock1
# Create a keyblock without signing it.
# old way
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
--flags 14
# new way
${FUTILITY} --debug sign \
--flags 14 \
${DEVKEYS}/firmware_data_key.vbpubk \
${TMP}.keyblock1
cmp ${TMP}.keyblock0 ${TMP}.keyblock1
# Create one using PEM args
# old way
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock2 \
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
--signprivate_pem ${TESTKEYS}/key_rsa4096.pem \
--pem_algorithm 8 \
--flags 9
# verify it
${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock2 \
--signpubkey ${TESTKEYS}/key_rsa4096.sha512.vbpubk
# new way
${FUTILITY} --debug sign \
--pem_signpriv ${TESTKEYS}/key_rsa4096.pem \
--pem_algo 8 \
--flags 9 \
${DEVKEYS}/firmware_data_key.vbpubk \
${TMP}.keyblock3
cmp ${TMP}.keyblock2 ${TMP}.keyblock3
# Try it with an external signer
# old way
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock4 \
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
--signprivate_pem ${TESTKEYS}/key_rsa4096.pem \
--pem_algorithm 8 \
--flags 19 \
--externalsigner ${SIGNER}
# verify it
${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock4 \
--signpubkey ${TESTKEYS}/key_rsa4096.sha512.vbpubk
# new way
${FUTILITY} --debug sign \
--pem_signpriv ${TESTKEYS}/key_rsa4096.pem \
--pem_algo 8 \
--pem_external ${SIGNER} \
--flags 19 \
${DEVKEYS}/firmware_data_key.vbpubk \
${TMP}.keyblock5
cmp ${TMP}.keyblock4 ${TMP}.keyblock5
# cleanup
rm -rf ${TMP}*
exit 0
|