diff options
author | Mike Frysinger <vapier@chromium.org> | 2017-01-11 21:12:16 -0500 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2017-01-14 20:19:06 -0800 |
commit | 62461d719ff658512a9595cfc1e67e2a127bd1fc (patch) | |
tree | cff815a2bee3ff32208234ac4018125ac6caa8a0 | |
parent | 3409e6063332220890a2fc2b106e4a20a1f836b8 (diff) | |
download | vboot-62461d719ff658512a9595cfc1e67e2a127bd1fc.tar.gz |
image_signing: support signing of OCI containers
BUG=chromium:660209
TEST=`./sign_official_build.sh oci-container fastboot/ ../tests/devkeys` works
TEST=signing an image inserted the container pubkey
BRANCH=None
Change-Id: I75793b03e93f2c18b1495a3ec729ad04d2e17401
Reviewed-on: https://chromium-review.googlesource.com/427538
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>
-rwxr-xr-x | scripts/image_signing/insert_container_publickey.sh | 49 | ||||
-rwxr-xr-x | scripts/image_signing/sign_oci_container.sh | 94 | ||||
-rwxr-xr-x | scripts/image_signing/sign_official_build.sh | 14 | ||||
-rw-r--r-- | tests/devkeys/cros-oci-container-pub.pem | 14 | ||||
-rw-r--r-- | tests/devkeys/cros-oci-container.pem | 52 |
5 files changed, 223 insertions, 0 deletions
diff --git a/scripts/image_signing/insert_container_publickey.sh b/scripts/image_signing/insert_container_publickey.sh new file mode 100755 index 00000000..8724e051 --- /dev/null +++ b/scripts/image_signing/insert_container_publickey.sh @@ -0,0 +1,49 @@ +#!/bin/bash +# Copyright 2017 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +# Load common constants and variables. +. "$(dirname "$0")/common.sh" + +load_shflags || exit 1 + +FLAGS_HELP="Usage: ${PROG} <image.bin|rootfs_dir> <public_key.pem> + +Installs the container verification public key <public_key.pem> to +<image.bin|rootfs_dir>. +" + +# Parse command line. +FLAGS "$@" || exit 1 +eval set -- "${FLAGS_ARGV}" + +# Abort on error. +set -e + +main() { + if [[ $# -ne 2 ]]; then + flags_help + exit 1 + fi + + local image="$1" + local pub_key="$2" + local rootfs + local key_location="/usr/share/misc/" + + if [[ -d "${image}" ]]; then + rootfs="${image}" + else + rootfs=$(make_temp_dir) + mount_image_partition "${image}" 3 "${rootfs}" + fi + + sudo install \ + -D -o root -g root -m 644 \ + "${pub_key}" "${rootfs}/${key_location}/oci-container-key-pub.pem" + info "Container verification key was installed." \ + "Do not forget to resign the image!" +} + +main "$@" diff --git a/scripts/image_signing/sign_oci_container.sh b/scripts/image_signing/sign_oci_container.sh new file mode 100755 index 00000000..df3eb0fa --- /dev/null +++ b/scripts/image_signing/sign_oci_container.sh @@ -0,0 +1,94 @@ +#!/bin/bash +# Copyright 2017 The Chromium OS Authors. All rights reserved. +# Use of this source code is governed by a BSD-style license that can be +# found in the LICENSE file. + +. "$(dirname "$0")/common.sh" + +load_shflags || exit 1 + +DEFINE_string output "" \ + "Where to write signed output to (default: sign in-place)" + +FLAGS_HELP="Usage: ${PROG} [options] <input_container> <key_dir> + +Signs <input_container> with keys in <key_dir>. Should have a config.json +file in the OCI format. + +Input can be an unpacked container, or a CRX/ZIP file. +" + +# Parse command line. +FLAGS "$@" || exit 1 +eval set -- "${FLAGS_ARGV}" + +# Abort on error. +set -e + +# Sign the directory holding OCI container(s). We look for manifest.json files. +sign_oci_container() { + [[ $# -eq 3 ]] || die "Usage: sign_oci_container <input> <key> <output>" + local input="${1%/}" + local key_file="$2" + local output="$3" + + if [[ "${input}" != "${output}" ]]; then + rsync -a "${input}/" "${output}/" + fi + + local manifest out_manifest + while read -d $'\0' -r manifest; do + out_manifest="${output}/${manifest}.sig" + manifest="${input}/${manifest}" + info "Signing: ${manifest}" + if ! openssl dgst -sha256 -sign "${key_file}" \ + -out "${out_manifest}" "${manifest}"; then + die "Failed to sign" + fi + done < <(find "${input}/" -name manifest.json -printf '%P\0') +} + +# Sign the crx/zip holding OCI container(s). We look for manifest.json files. +sign_oci_container_zip() { + [[ $# -eq 3 ]] || die "Usage: sign_oci_container_zip <input> <key> <output>" + local input="$1" + local key_file="$2" + local output="$3" + local tempdir=$(make_temp_dir) + + info "Unpacking archive: ${input}" + unzip -q "${input}" -d "${tempdir}" + + sign_oci_container "${tempdir}" "${key_file}" "${tempdir}" + + rm -f "${output}" + info "Packing archive: ${output}" + ( + cd "${tempdir}" + zip -q -r - ./ + ) >"${output}" +} + +main() { + if [[ $# -ne 2 ]]; then + flags_help + exit 1 + fi + + local input="${1%/}" + local key_dir="$2" + + local key_file="${key_dir}/cros-oci-container.pem" + if [[ ! -e "${key_file}" ]]; then + die "Missing key file: ${key_file}" + fi + + : "${FLAGS_output:=${input}}" + + if [[ -f "${input}" ]]; then + sign_oci_container_zip "${input}" "${key_file}" "${FLAGS_output}" + else + sign_oci_container "${input}" "${key_file}" "${FLAGS_output}" + fi +} +main "$@" diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh index 5d691958..80774731 100755 --- a/scripts/image_signing/sign_official_build.sh +++ b/scripts/image_signing/sign_official_build.sh @@ -39,6 +39,7 @@ where <type> is one of: nv_lp0_firmware (sign nvidia lp0 firmware) accessory_usbpd (sign USB-PD accessory firmware) accessory_rwsig (sign accessory RW firmware) + oci-container (sign an OCI container) output_image: File name of the signed output image version_file: File name of where to read the kernel and firmware versions. @@ -612,6 +613,17 @@ resign_android_image_if_exists() { echo "Re-signed Android image" } +# Sign an oci container with the given keys. +# Args: CONTAINER KEY_DIR [OUTPUT_CONTAINER] +sign_oci_container() { + local image=$1 + local key_dir=$2 + local output=$3 + + "${SCRIPT_DIR}/sign_oci_container.sh" \ + "${image}" "${key_dir}" --output "${output}" +} + # Verify an image including rootfs hash using the specified keys. verify_image() { local rootfs_image=$(make_temp_file) @@ -924,6 +936,8 @@ elif [[ "${TYPE}" == "accessory_rwsig" ]]; then fi cp "${INPUT_IMAGE}" "${OUTPUT_IMAGE}" futility sign --type rwsig --prikey "${KEY_NAME}.vbprik2" "${OUTPUT_IMAGE}" +elif [[ "${TYPE}" == "oci-container" ]]; then + sign_oci_container "${INPUT_IMAGE}" "${KEY_DIR}" "${OUTPUT_IMAGE}" else echo "Invalid type ${TYPE}" exit 1 diff --git a/tests/devkeys/cros-oci-container-pub.pem b/tests/devkeys/cros-oci-container-pub.pem new file mode 100644 index 00000000..33e972e6 --- /dev/null +++ b/tests/devkeys/cros-oci-container-pub.pem @@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsuDzv7AH20X+44RmE1V0 +8g5pYEJcl4IjwCOz9d3YQb2YjEjnOLFVBFBsZwvh0OzQF25PKnd+sK7SgI+pEl7q +3MfUNvbojIs8wpK5Qdbyvbm1DPzz+jKQ/aoAJD2gz32hiUsdbUfxFDZ9ADlu+KxW +KXIv7fVUJhk60F8rQWqT7H82rgbZ3oSRexyeXu508JaeN0onrZ0M5vOo4lhnOkTV +a2HvOIcCOSkpPeJNCvKfzz9FapVzbp54dAxh/rouv0orrwdEoubbV0fVkAi21puz +AhzzKscZjB32lZrpct2MOZxInsmQOpBqXPBIUizrD1jVDHPwOmeUGI9C+PUWkief +5DvI5bpjbUXc7y8DM5Hgizw30qYGvQnLyj+Xl33znS5cqWK/AS9nMGNMPz2dmXWM +LdXMxKX1jBSzIXOgH7N4tp4jI7aPU/pDhvdrig9BTHH2GlsqKWAqfwwSI8m5tcaX +2x+VO+TiP8E9PN4koyPtilcIysMmHLxyFvlozPx5J5Y6M3VoxryYvWE1gnNlUn60 +mUONQ7N5NKbXnRg24ULLMFTCUQsufvJeaGTDVEcDdYS17JuX7TR1SzKLax+Q/fa3 +V6C3CYub+EP+fcIJn3BC/Hzu/qsPxN2aMju+VMFnzyvnvHqekcSYdYeYtGi4bUYh +7fmF4tdaG1/EgAsIbxhWe/sCAwEAAQ== +-----END PUBLIC KEY----- diff --git a/tests/devkeys/cros-oci-container.pem b/tests/devkeys/cros-oci-container.pem new file mode 100644 index 00000000..bdb15baf --- /dev/null +++ b/tests/devkeys/cros-oci-container.pem @@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCy4PO/sAfbRf7j +hGYTVXTyDmlgQlyXgiPAI7P13dhBvZiMSOc4sVUEUGxnC+HQ7NAXbk8qd36wrtKA +j6kSXurcx9Q29uiMizzCkrlB1vK9ubUM/PP6MpD9qgAkPaDPfaGJSx1tR/EUNn0A +OW74rFYpci/t9VQmGTrQXytBapPsfzauBtnehJF7HJ5e7nTwlp43SietnQzm86ji +WGc6RNVrYe84hwI5KSk94k0K8p/PP0VqlXNunnh0DGH+ui6/SiuvB0Si5ttXR9WQ +CLbWm7MCHPMqxxmMHfaVmuly3Yw5nEieyZA6kGpc8EhSLOsPWNUMc/A6Z5QYj0L4 +9RaSJ5/kO8jlumNtRdzvLwMzkeCLPDfSpga9CcvKP5eXffOdLlypYr8BL2cwY0w/ +PZ2ZdYwt1czEpfWMFLMhc6Afs3i2niMjto9T+kOG92uKD0FMcfYaWyopYCp/DBIj +ybm1xpfbH5U75OI/wT083iSjI+2KVwjKwyYcvHIW+WjM/HknljozdWjGvJi9YTWC +c2VSfrSZQ41Ds3k0ptedGDbhQsswVMJRCy5+8l5oZMNURwN1hLXsm5ftNHVLMotr +H5D99rdXoLcJi5v4Q/59wgmfcEL8fO7+qw/E3ZoyO75UwWfPK+e8ep6RxJh1h5i0 +aLhtRiHt+YXi11obX8SACwhvGFZ7+wIDAQABAoICADlSHqnZddsNRg2QWsltRAlh +FuFywosGeABVMJDkIy2F3QFvRzECmnTEdMhcpWM2z8QCZDn+ismBbBEoeAxcADT5 +kAaA/qoy4CiVrensQGMNxHfCA0i0tYOj22HBoet7na0KNgbT2+wXPd05ilcDmqSz +Y6qESA/hW9hz9r+CsJ5Dcbk4ls5YeuoRlKplDXIfQdoD2E0pG35SrFbD72hbsGw1 +uNvLX6oDh6S+BOQyNYXLB6qM862J+J1vbmObM+m2keMHmDX/dmA0s7nxIO4KfMV7 +k2ys2oHtBBySxKY7WnkHnLnNa3to1bysfvBeVoDXfYX9DQkaMfngxpxSpYX2TqTi +I2huEYsC40ZIUdl1EM2Wfz+nTRkcv/OgQsOpF/HH5dmVovbOt5VnthZZDdtsrLaD +Uz2M56hd53tscNdTPlrngX/A5cffcEF0rjuF1RvSOI27vbHF3q/swvSht97/fo47 +y8JeZwjZ/1wkGyFPNLvLmE918Eo+PEB2tJxPvYG1nMMNHJegwF3S85dyj5UfzgMP +4AIS1NWMuogrWX0IaymLrDBYyFWwm6V6MOwoFcKb8uVKfNzJqzv5+U+rzsEY5Fj2 +hSyRj0jBVS8YmQdl6z4ib9GOALatnaj0j0iOaNdklUAl2gQ3HSFoF+lg0VXuWpbi +SoUe495XgfWOjPURImhpAoIBAQDjH9S4Tdvfqr+2XnIITNwnCtbKoiQ9MWqHRl1m +eeaNDiiZ0X6iTdwVqLYQ1qAMFBJJ7Rb1OtbspMmybhrqrKOaErP4226UbFNnBXdH +gZqyWjaNAbGmj7xOO5OtmhnjyfXqNapsG3PptO51bvJDkpEGxkofQbZwXZiYkkhb +OHE5xWtvKOUwoxzRDa6V7SQL+dNIdIerfXq14lIqUPNapQjakc9doZ/G4UChj65R +jXc1m2ofYxRzs2hIIAL9LepHj+q4dRJZSKtIq/YaDiHnJp78Epbfqya5yGOU3DAW +voswDZmwddEJ1XRBtHDw/9MitKfJizmhR3As60P5DJIQbY49AoIBAQDJnuGFzv/r +c9aQKAHgcFygaSOdHiia8+qSj3gwUsGKv2ZmZwBRdhGMPXgYW06pYQ3hjB5GQp8l +mHNHx+JVrgAAV2QFjj6KM5cFrnd3z9zDOYrXALKuQAioRpIyxCOwaqxD5D22ia9q +KYD3j0/jtQIozL9XjMbC+WlQjSWa+in3+zcyoyWDbTcavMiDs+Qx3ZCghlvd90Kb +hKjH3q8RrXmEbqaBAyUBqUgd0Qo7mkMWgwwd2tIp99S8fyiivc60tQmGT2j0uC4x +2TkYT41MOgXJ7YIKoYW4M/pJ/lMpo3QRWOPERPvcc00USX6wgU/SBDHCNEcQvEOR +V0ohlKTe9U6XAoIBAFBArhRVhoyYs9cHtjlSlzPAc7bz5eQtctvLtDMCfcF3sEbx +rFJDOrH4hCSdAb5i1TeD6+nI2aqSa6Z9m0sypzhIxYj4WDFfuXScjNIabIP6tm3K +nHAjN8FY8cyUt/MyKI+SWN6MML/yq5OZGUdhIZeINyamPIWlvMakYabB4dgs9tI3 +XAx8hjEkKX1WZrdIlixy6IFi/BoKl0fWhLaRu/gnL2OBOYi3jPPJZinw1598g9oF +U3Oyf/WEQiodsDuLEcANtecQc11hTbtVJQudLO4az27G9g8NTIqL5v4SY/IdzCF6 +79sOrl6NGJ8/deY8eVEQvdNL/8oPc1wr4eymGW0CggEBAL4kdm9o7nWwwxMkh9CQ +Zupo/Us5m/W2PuyFHUYFZb1iEEJWtTgd7yKg/deKlL6sZxjkudBtGAWupll1qoA/ +HoUz5YJPya8wRCb5iHWXtIzwgX2OjPREM2XvWAVEcJv5nghRAdpaMvIdviC6KQ+I +L0cnAPSiMPjDmox68JIdhuL1KfM5ZTFzGFrA2yFJz9UvLSwWSiElBM4B5+LGobg8 +L7OzXpegzY+pg/eKoune65IZeJ3XNgiaTyiNi1cfRgeqDBd8YHEaGYatY2kH7SuM +NNVghhlchu1XJ54MmYVVPyr096irnhMjMfgF79KpwQtBJWQPRU4FHnu9JI5SzsHt ++nUCggEBAJHeduZvtj/gqBUyWq2NZSX4HqNXX2tgfGpqmpG44fPCBEyY5O+RPnPW +OVwcdZgpPj8w3TIslU+QzvGCKnQsdvDuz+n01R/kJEwCufBtlxQAMWnPizajhYX/ +14eY5TgLKJ3fnAFkN6YGO76VNhqYMMaN41YqEFuG2U/UEpWrRSaGwq+XOd3kzigV +xDvde55w/vtCGLYD4IRIDh1lEqGMMuNObC07TA0CejN5LaP3k9eUWXoxmMIH+d5W +bZj6QKTVB/8A4JrYCXfmqZXxDKr0DsESJk70MdWBM1HTLRljTeULHGJjqNVhODgJ +s/ORY1XQOYcH60h6pmikfYcgeVCE3WU= +-----END PRIVATE KEY----- |