summaryrefslogtreecommitdiff
path: root/utility/dev_debug_vboot
blob: a171eb4c51de53102e3a157ba41dd623c2a2ad87 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162

#!/bin/sh
# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# Usage:  dev_debug_vboot [ --cleanup | DIRECTORY ]
#
# This extracts some useful debugging information about verified boot. A short
# summary is printed on stdout, more detailed information and working files are
# left in a log directory.
#

TMPDIR=/tmp/debug_vboot
LOGFILE=noisy.log

# TODO(wfrichar): Need to support ARM. The hard disk path is likely different.
HD=/dev/sda
ACPI=/sys/devices/platform/chromeos_acpi

cleanup() {
  if [ -n "${CLEANUP}" ]; then
    find "${TMPDIR}" -type f -not -name "${LOGFILE}" -exec rm {} ";"
  fi
}

die() {
  echo "$*" 1>&2
  exit 1
}

info() {
  echo "$@"
  echo "#" "$@" >> "$LOGFILE"
}

infon() {
  echo -n "$@"
  echo "#" "$@" >> "$LOGFILE"
}

log() {
  echo "+" "$@" >> "$LOGFILE"
  "$@" >> "$LOGFILE" 2>&1
}

loghead() {
  echo "+" "$@" "| head" >> "$LOGFILE"
  "$@" | head >> "$LOGFILE" 2>&1
}
logdie() {
  echo "+" "$@" >> "$LOGFILE"
  "$@" >> "$LOGFILE" 2>&1
  die "$@"
}

result() {
  if [ "$?" = "0" ]; then
    info "OK"
  else
    info "FAILED"
  fi
}

require_chromeos_bios() {
  log cgpt show "${HD}"
  log rootdev -s
  if [ ! -e "${ACPI}/HWID" ]; then
    info "Not running Chrome OS BIOS, no further information available"
    exit 0
  fi
  # including /dev/null just to get final "\n"
  log head "${ACPI}"/*ID "${ACPI}"/BINF* "${ACPI}"/CHSW /dev/null
  log reboot_mode
  log ls -la /mnt/stateful_partition/.need_firmware_update
  log ls -la /root/.force_update_firmware
}

# Here we go...
umask 022
trap cleanup EXIT

# Parse args
if [ -n "$1" ]; then
  if [ "$1" = "--cleanup" ]; then
    CLEANUP=1
  else
    TMPDIR="$1"
    [ -d ${TMPDIR} ] || die "${TMPDIR} doesn't exist"
    USE_EXISTING=yes
  fi
fi

[ -d ${TMPDIR} ] || mkdir -p ${TMPDIR} || exit 1
cd ${TMPDIR}
echo "$0 $*" > "$LOGFILE"
log date
echo "Saving verbose log as $(pwd)/$LOGFILE"

BIOS=bios.rom

# Find BIOS and kernel images
if [ -n "$USE_EXISTING" ]; then
  info "Using images in $(pwd)/"
else
  require_chromeos_bios
  info "Extracting BIOS image from flash..."
  log flashrom --wp-status
  log flashrom -r ${BIOS}

  HD_KERN_A="${HD}2"
  HD_KERN_B="${HD}4"
  tmp=$(rootdev -s -d)2
  if [ "$tmp" != "$HD_KERN_A" ]; then
    USB_KERN_A="$tmp"
  fi

  info "Extracting kernel images from drives..."
  log dd if=${HD_KERN_A} of=hd_kern_a.blob
  log dd if=${HD_KERN_B} of=hd_kern_b.blob
  if [ -n "$USB_KERN_A" ]; then
    log dd if=${USB_KERN_A} of=usb_kern_a.blob
  fi
fi

# Make sure we have something to work on
[ -f "$BIOS" ] || logdie "no BIOS image found"
ls *kern*.blob >/dev/null 2>&1 || logdie "no kernel images found"

info "Extracting BIOS components..."
log dump_fmap -x ${BIOS} || logdie "Unable to extract BIOS components"

info "Pulling root and recovery keys from GBB..."
log gbb_utility -g --rootkey rootkey.vbpubk --recoverykey recoverykey.vbpubk \
  GBB_Area || logdie "Unable to extract keys from GBB"
log vbutil_key --unpack rootkey.vbpubk
log vbutil_key --unpack recoverykey.vbpubk

infon "Verify firmware A with root key... "
log vbutil_firmware --verify Firmware_A_Key --signpubkey rootkey.vbpubk \
  --fv Firmware_A_Data --kernelkey kernel_subkey_a.vbpubk ; result
infon "Verify firmware B with root key... "
log vbutil_firmware --verify Firmware_B_Key --signpubkey rootkey.vbpubk \
  --fv Firmware_B_Data --kernelkey kernel_subkey_b.vbpubk ; result

for key in kernel_subkey_a.vbpubk kernel_subkey_b.vbpubk; do
  infon "Test $key... "
  log vbutil_key --unpack $key ; result
done

for keyblock in *kern*.blob; do
  infon "Test $keyblock... "
  log vbutil_keyblock --unpack $keyblock ; result
  loghead od -Ax -tx1 $keyblock
done

# Test each kernel with each key
for key in kernel_subkey_a.vbpubk kernel_subkey_b.vbpubk recoverykey.vbpubk; do
  for kern in *kern*.blob; do
    infon "Verify $kern with $key... "
    log vbutil_kernel --verify $kern --signpubkey $key ; result
  done
done
View Lorry Controller Status