path: root/utility/vbutil_what_keys
blob: abc33d03c3d0eb2c658f19ff14a23636bc7510c1 (plain)
#!/bin/bash -u
# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

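# Print usage and exit if no image path was given. Count the arguments
# rather than testing "$*": a single empty-string argument would otherwise
# be indistinguishable from "no arguments".
if [ "$#" -eq 0 ]; then
  cat <<EOF 1>&2

Usage:  vbutil_what_keys IMAGE [IMAGE...]

Given a ChromiumOS disk (or BIOS) image, try to figure out how it's signed.
Note that this does not verify the signature, it just reports which keyblock
was used to create the signature.

EOF
  exit 1
fi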


# The known kernel.keyblock and recovery_kernel.keyblock sha1sums are looked
# up right here: the script greps its own source for them, so keep one value
# per comment line. Obtain new entries by running this script on images you
# know have been signed correctly (since the keys themselves are inside the HSM).
#
# e78ce746a037837155388a1096212ded04fb86eb  recovery dev-key
# d6170aa480136f1f29cf339a5ab1b960585fa444    normal dev-key
#
# 20f3e8b77da6577706c91feefb203f98ee20d479  recovery ZGB MP
# 7b7ae8652775ad7305f565161b3acc00fcc8ea22    normal ZGB MP
#
# 03172b08f0b99172c73d947f51e8ca23d418bcbf  recovery Alex MP
# af24e46b6c3805869616e71c002c9a2a847ad266    normal Alex MP
#
# f6fadd7e31eebf4bcc4eb8d2dd512e3a2313627f  recovery Cr-48 MP
# a1454fcecb98a6f33b38638564bdfc20161a7b04    normal Cr-48 MP
#
# de11a604715a920d7371ceefda75a5b1b062443f recovery Tegra2-Kaen PVT
# 5c626cd8a684e470e74d3ceaf518aae745fe15dc   normal Tegra2-Kaen PVT
#
# cb45bc04a932e4bcac41b44d31afd9516ca0fe24 recovery Lumpy PVT
# fa55cba16857a49270fb1561f87343c00959eb19   normal Lumpy PVT
#
# 057a03c1526a1be7f42d29095c5a583231a75b35 recovery Stumpy PVT
# 04dd63e835c979b57f87fd74e99af68e0cd39ad7   normal Stumpy PVT
#
# 6f6d6df4e328633904990cf8c60baa18b8cf6fc7 recovery Stumpy MP
# de0b76af3caa55a8e7aa34c805e4248ad03b18e7   normal Stumpy MP

# And here are values for BIOS components.
#
# The default H2C HWIDs are fixed for each platform
# {97A1FBD6-FDE1-4FC5-BB81-286608B90FCE}    Alex H2C
# {9D799111-A88A-439E-9E1F-FBBB41B00A9A}    Cr-48 H2C
# {24B107F2-BA6A-4EBD-8CDD-E768438CE0F0}    Stumpy H2C
# {FA42644C-CF3A-4692-A9D3-1A667CB232E9}    ZGB H2C

# The first line is the recovery key, the second is the root key
#
# c14bd720b70d97394257e3e826bd8f43de48d4ed  dev-key
# b11d74edd286c144e1135b49e7f0bc20cf041f10  dev-key
#
# 5c5776bf7574e5601c25042e0748b6844cfdd1dc  Alex MP
# 00f77be2a0c013343db84fc6259da09e558b8318  Alex MP
#
# ebcac421fbf411bee99ee90672a3add17f5a967b  Lumpy PVT
# c9fc61f331b34e00a148e657bde5fb6b0b576c0a  Lumpy PVT
#
# 5d0d163b824cab5ae4f23fb2cc012e2a4124f4fe  Cr-48 MP
# 541f467a7d8747f55ae9087ee4e34155f5ee3cd7  Cr-48 MP
#
# 8540f56f87d91c5403704c960c1f385705201e20  Stumpy PVT
# 06939c65797eadfe6be1b3343a2e339800a34108  Stumpy PVT
#
# 9bd99a594c45b6739899a17ec29ac2289ee75463  ZGB MP
# 9f59876c7f7dc881f02d934786c6b7c2c17dcaac  ZGB MP
#
# 37e7bad73449f782f280b1668fed48d1132137fa  Stumpy MP
# 4ec4ba0a746b37b1c6286ab807c2a5b1e7ab4ab0  Stumpy MP

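# The shebang's -u is lost when the script is run as "bash vbutil_what_keys",
# so set it explicitly; pipefail makes "tool | grep | sed" report tool failures.
set -u
set -o pipefail

# Scratch file for extracted keys and keyblocks. Honours TMPDIR when set;
# falls back to /tmp as before. A failed mktemp must not leave TMPFILE empty,
# or every later "of=$TMPFILE" / "rm -f" would operate on an empty path.
TMPFILE=$(mktemp "${TMPDIR:-/tmp}/keyblock_XXXXXXXXX") || {
  echo "ERROR: cannot create temporary file" 1>&2
  exit 1
}
# Single-quoted so the path is read when the trap fires, and quoted inside so
# an unusual TMPDIR cannot be word-split.
trap 'rm -f -- "$TMPFILE"' EXIT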

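#######################################
# Look up an image-derived value (HWID or key sha1sum) in the table of known
# keys kept as comments at the top of this script and print the matching
# table line with its leading "# " removed. Prints nothing when the value is
# empty or not in the table.
# Arguments: $1 - HWID or sha1sum read from the image
# Globals:   reads $0 (the script is its own lookup table)
# Returns:   0 when the needle is empty, otherwise grep's status
#######################################
lookup_known() {
  local needle="$1"
  # An empty pattern would match every line of the script. The value comes
  # from the image being inspected, so match it as a fixed string (-F) rather
  # than as a regex, and use -- so a leading '-' cannot be taken as an option.
  [ -n "$needle" ] || return 0
  grep -F -- "$needle" "$0" 2>/dev/null | sed -e 's/^# //'
}

#######################################
# Extract one GBB key from a BIOS image and print its sha1sum.
# Arguments: $1 - gbb_utility option, --recoverykey or --rootkey
#            $2 - BIOS image path
# Globals:   TMPFILE (written)
# Returns:   non-zero if gbb_utility fails or no sha1sum line is found
#######################################
gbb_key_sum() {
  local opt="$1" file="$2"
  # Truncate first so a failed extraction cannot leave a previous image's key
  # in the scratch file and have it reported as this image's key.
  : > "$TMPFILE"
  gbb_utility "$opt=$TMPFILE" "$file" >/dev/null || return 1
  vbutil_key --unpack "$TMPFILE" | grep sha1sum | sed -e 's/^.*: *//'
}

#######################################
# Report which known keys were used on one image.
# A file of at most 8 MiB is treated as a BIOS image (HWID plus GBB recovery
# and root keys); anything larger as a disk image whose kernel partitions
# carry keyblocks.
# Arguments: $1 - path to a BIOS or disk image
# Globals:   TMPFILE (scratch file, written)
# Outputs:   human-readable report on stdout
# Returns:   1 if the file cannot be stat'ed or its HWID cannot be read
#######################################
dofile() {
  local file="$1"
  local -r bios_max_size=8388608
  local size hwid recoverykey rootkey match1 match2 match3
  local pnum psize pstart kbinfo psum match flags

  # Refuse to guess about a path we cannot stat; an empty size would
  # otherwise fall through to the IMAGE branch with a "[" error.
  size=$(stat -c %s -- "$file" 2>/dev/null) || {
    echo "ERROR: cannot stat $file" 1>&2
    return 1
  }

  if [ "$size" -le "$bios_max_size" ]; then
    echo "BIOS: $file"

    # "continue" is only meaningful inside a loop; at function scope the
    # right way to skip this image is to return to the caller's loop.
    hwid=$(gbb_utility --hwid "$file" | sed -e 's/^.*: *//') || return 1
    match1=$(lookup_known "$hwid")

    recoverykey=$(gbb_key_sum --recoverykey "$file") || recoverykey="--invalid--"
    match2=$(lookup_known "$recoverykey")

    rootkey=$(gbb_key_sum --rootkey "$file") || rootkey="--invalid--"
    match3=$(lookup_known "$rootkey")

    echo "  hwid:          ${match1:-$hwid}"
    echo "  recovery key:  ${match2:-$recoverykey}"
    echo "  root key:      ${match3:-$rootkey}"

  else
    echo "IMAGE: $file"

    # cgpt prints one partition number per line; word-splitting is intended.
    for pnum in $(cgpt find -n -t kernel "$file" 2>/dev/null); do

      psize=$(cgpt show -s -i "$pnum" "$file")
      # The keyblock is read from the first 128 sectors; skip partitions too
      # small to hold one, and guard against an empty answer from cgpt.
      if [ -z "$psize" ] || [ "$psize" -lt 128 ]; then
        continue
      fi

      pstart=$(cgpt show -b -i "$pnum" "$file")
      # Truncate first so a failed dd cannot leave a previous partition's
      # keyblock behind to be reported for this one.
      : > "$TMPFILE"
      dd if="$file" of="$TMPFILE" bs=512 count=128 skip="$pstart" 2>/dev/null

      # Unpack once and pick both fields from the captured output.
      kbinfo=$(vbutil_keyblock --unpack "$TMPFILE" 2>/dev/null)
      psum=$(grep sha1sum <<<"$kbinfo" | sed -e 's/^.*: *//')

      if [ -n "$psum" ]; then
        match=$(lookup_known "$psum")
        flags=$(grep Flags: <<<"$kbinfo" | sed -e 's/^.*:[ 0-9]*//')
      else
        match=""
        psum="--invalid--"
        flags=""
      fi

      echo "  part $pnum:    ${match:-$psum} ($flags)"

    done
  fi
}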


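# Inspect each image in turn. The path is quoted so a name containing
# whitespace or glob characters reaches dofile intact; a failure on one
# image does not stop the remaining ones.
for file in "$@"; do
  dofile "$file"
done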