diff options
| author | Vadim Bendebury <vbendeb@chromium.org> | 2018-05-30 11:56:18 -0700 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2018-06-07 23:33:42 -0700 |
| commit | 71cb7bd6d866114e4c811f049ccb6869e6b39f64 (patch) | |
| tree | af16ed0e565c2c35f2f587d69e1a8cfec5b28676 /util | |
| parent | a730fd6219d53469a8ca0e74a6631912a24877a3 (diff) | |
| download | chrome-ec-71cb7bd6d866114e4c811f049ccb6869e6b39f64.tar.gz | |
cr50: prepare for supporting both x25519 and p256 test keys
The signer script is checking the elf files for presence of test RMA
keys, currently hardcoded to be x25519 keys.
The algorithm (x25519 vs p256) is going to become a compile time
option, the script should be prepared to determine the type of the key
at run time, because the script could be used for signing images from
different branches, compiled with different config options.
The prod p256 key does not yet exist.
BRANCH=none
BUG=b:73296606
TEST=verified that prod signing images including x25519 keys is still
working as expected.
Change-Id: Icf48845279912ecc9ccdecec1764fcb5f85d22bd
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1079698
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Diffstat (limited to 'util')
| -rwxr-xr-x | util/signer/bs | 46 |
1 files changed, 42 insertions, 4 deletions
diff --git a/util/signer/bs b/util/signer/bs index 6a7eef169c..b40871b8ff 100755 --- a/util/signer/bs +++ b/util/signer/bs @@ -143,6 +143,44 @@ find_blob_in_blob() { return 1 } +# This function accepts two arguments, names of the two elf files. +# +# The files are searched for test RMA public key patterns - x25519 or p256, +# both files are supposed to have pattern of one of these keys and not the +# other. If this holds true the function prints the public key base name. If +# not both files include the same key, or include more than one key, the +# function reports failure and exits the script. +determine_rma_key_base() { + local base_name="${EC_ROOT}/board/cr50/rma_key_blob" + local curve + local curves=( "x25519" "p256" ) + local elf + local elves=( "$1" "$2" ) + local key_file + local mask=1 + local result=0 + + for curve in ${curves[@]}; do + key_file="${base_name}.${curve}.test" + for elf in ${elves[@]}; do + if find_blob_in_blob "${elf}" "${key_file}"; then + result=$(( result | mask )) + fi + mask=$(( mask << 1 )) + done + done + + case "${result}" in + (3) curve="x25519";; + (12) curve="p256";; + (*) echo "could not determine key type in the elves" >&2 + exit 1 + ;; + esac + + echo "${base_name}.${curve}.test" +} + SIGNER="cr50-codesigner" if ! which "${SIGNER}" 2>/dev/null > /dev/null; then echo "${SIGNER} is not available, try running 'sudo emerge cr50-utils'" >&2 @@ -212,7 +250,7 @@ if [[ -n "${do_prod}" && -n "${do_b1}" ]]; then exit 1 fi -RMA_KEY_BASE="${EC_ROOT}/board/cr50/rma_key_blob" +rma_key_base="$(determine_rma_key_base ${elves[@]})" signer_command_params=() signer_command_params+=(--b -x ${EC_BIN_ROOT}/fuses.xml) @@ -222,7 +260,7 @@ else cp "${EC_BIN_ROOT}/ec_RW-manifest-prod.json" "${tmpf}" signer_command_params+=(-k ${EC_BIN_ROOT}/cr50_RW-prod.pem.pub) # Swap test public RMA server key with the prod version. - signer_command_params+=(-S "${RMA_KEY_BASE}.test","${RMA_KEY_BASE}.prod") + signer_command_params+=(-S "${rma_key_base}.test","${rma_key_base}.prod") fi signer_command_params+=(-j ${tmpf}) @@ -253,13 +291,13 @@ for elf in ${elves[@]}; do exit 1 fi - if find_blob_in_blob "${signed_file}" "${RMA_KEY_BASE}.test"; then + if find_blob_in_blob "${signed_file}" "${rma_key_base}.test"; then echo "${progname}: test RMA key in the signed image!" >&2 rm *."${dst_suffix}" exit 1 fi - if ! find_blob_in_blob "${signed_file}" "${RMA_KEY_BASE}.prod"; then + if ! find_blob_in_blob "${signed_file}" "${rma_key_base}.prod"; then echo "${progname}: prod RMA key not in the signed image!" >&2 rm *."${dst_suffix}" exit 1 |