diff options
author | Jakub Czapiga <jacz@semihalf.com> | 2022-07-04 12:34:28 +0200 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2022-07-22 07:46:32 +0000 |
commit | 64dd01225f64d6745a008d91fba3fcac2f1920bd (patch) | |
tree | 6d1bb9a194c763284a8d2655853b212ade295cd7 /tests | |
parent | 499b1814a76303b332c49dd5efb2c84e30b973ba (diff) | |
download | vboot-64dd01225f64d6745a008d91fba3fcac2f1920bd.tar.gz |
futility: Add --keyset option to sign command for BIOS and kernelstabilize-14998.Bfactory-foobar-15000.B
This patch adds --keyset option for sign command for BIOS_IMAGE,
RAW_FIRMWARE, RAW_KERNEL and KERN_PREAMBLE file types. The default value
of this option is '/usr/share/vboot/devkeys'. It allows futility to load
public and private keys, and keyblocks from under this path, when they
were not provided manually using their respective options.
Files loaded by default for BIOS_IMAGE and RAW_FIRMWARE:
- ${keysetdir}/firmware_data_key.vbprivk
- ${keysetdir}/firmware.keyblock
- ${keysetdir}/kernel_subkey.vbpubk
Files loaded by default for RAW_KERNEL:
- ${keysetdir}/kernel_data_key.vbprivk
- ${keysetdir}/kernel.keyblock
File loaded by default for KERN_PREAMBLE:
- ${keysetdir}/kernel_data_key.vbprivk
BUG=none
BRANCH=none
TEST=make runfutiltests
Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: Ic4026d501d88e0de7d2c6f52c7494c639d08bd15
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3740601
Auto-Submit: Jakub Czapiga <czapiga@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Julius Werner <jwerner@chromium.org>
Tested-by: Jakub Czapiga <czapiga@google.com>
Diffstat (limited to 'tests')
-rwxr-xr-x | tests/futility/test_sign_firmware.sh | 43 | ||||
-rwxr-xr-x | tests/futility/test_sign_fw_main.sh | 4 | ||||
-rwxr-xr-x | tests/futility/test_sign_kernel.sh | 5 |
3 files changed, 16 insertions, 36 deletions
diff --git a/tests/futility/test_sign_firmware.sh b/tests/futility/test_sign_firmware.sh index c373803f..fe8462c8 100755 --- a/tests/futility/test_sign_firmware.sh +++ b/tests/futility/test_sign_firmware.sh @@ -111,9 +111,7 @@ for infile in $INFILES; do mkdir -p "${loemdir}" "${FUTILITY}" sign \ - -s "${KEYDIR}/firmware_data_key.vbprivk" \ - -b "${KEYDIR}/firmware.keyblock" \ - -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ -v 14 \ -f 8 \ -d "${loemdir}" \ @@ -193,8 +191,7 @@ cbfstool "${GOOD_CBFS_OUT}.1" add \ "${FUTILITY}" sign \ -s "${KEYDIR}/firmware_data_key.vbprivk" \ - -b "${KEYDIR}/firmware.keyblock" \ - -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ "${GOOD_CBFS_OUT}.1" "${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" \ @@ -222,9 +219,8 @@ cbfstool "${GOOD_CBFS_OUT}.1" add \ echo -n "${count} " 1>&3 "${FUTILITY}" sign \ - -s "${KEYDIR}/firmware_data_key.vbprivk" \ -b "${KEYDIR}/firmware.keyblock" \ - -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ "${MORE_OUT}" "${MORE_OUT}.2" m=$("${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" \ @@ -238,9 +234,8 @@ echo -n "${count} " 1>&3 "${FUTILITY}" load_fmap "${MORE_OUT}" VBLOCK_A:/dev/urandom VBLOCK_B:/dev/zero "${FUTILITY}" sign \ - -s "${KEYDIR}/firmware_data_key.vbprivk" \ - -b "${KEYDIR}/firmware.keyblock" \ -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ "${MORE_OUT}" "${MORE_OUT}.3" m=$("${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" \ @@ -256,7 +251,7 @@ echo -n "${count} " 1>&3 "${FUTILITY}" sign \ -s "${KEYDIR}/firmware_data_key.vbprivk" \ -b "${KEYDIR}/firmware.keyblock" \ - -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ "${CLEAN_B}" "${CLEAN_B}.1" "${FUTILITY}" verify --publickey "${KEYDIR}/root_key.vbpubk" "${CLEAN_B}.1" \ @@ -291,8 +286,8 @@ apply_xxd_patch "${NO_B_SLOT_PATCH}" "${NO_B_SLOT}" "${FUTILITY}" sign \ -s "${KEYDIR}/firmware_data_key.vbprivk" \ - -b "${KEYDIR}/firmware.keyblock" \ -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ -v 1 \ "${NO_B_SLOT}" "${NO_B_SLOT_SIGNED_IMG}" @@ -321,9 +316,9 @@ echo -en 'echo "0xFFEEDD0"; exit 0;' > "${CBFSTOOL_STUB}" chmod +x "${CBFSTOOL_STUB}" if CBFSTOOL="${CBFSTOOL_STUB}" "${FUTILITY}" sign \ - -s "${KEYDIR}/firmware_data_key.vbprivk" \ -b "${KEYDIR}/firmware.keyblock" \ -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ -v 1 \ "${GOOD_CBFS}" "${TMP}.1.${GOOD_CBFS##*/}" then @@ -351,9 +346,7 @@ exit 0; EOF if CBFSTOOL="${CBFSTOOL_STUB}" "${FUTILITY}" sign \ - -s "${KEYDIR}/firmware_data_key.vbprivk" \ - -b "${KEYDIR}/firmware.keyblock" \ - -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ -v 1 \ "${GOOD_CBFS}" "${TMP}.2.${GOOD_CBFS##*/}" then @@ -379,9 +372,7 @@ for keyblock_patch in "${BAD_KEYBLOCK_PATCHES[@]}"; do grep -q 'VBLOCK_A keyblock component is invalid' <<< "${FUTIL_OUTPUT}" FUTIL_OUTPUT="$("${FUTILITY}" sign \ - -s "${KEYDIR}/firmware_data_key.vbprivk" \ - -b "${KEYDIR}/firmware.keyblock" \ - -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ "${BAD_IN}" "${BAD_OUT}" 2>&1)" grep -q 'VBLOCK_A keyblock is invalid' <<< "${FUTIL_OUTPUT}" @@ -410,9 +401,7 @@ for vblock_patch in "${BAD_PREAMBLE_PATCHES[@]}"; do grep -q 'VBLOCK_A is invalid' <<< "${FUTIL_OUTPUT}" FUTIL_OUTPUT="$("${FUTILITY}" sign \ - -s "${KEYDIR}/firmware_data_key.vbprivk" \ - -b "${KEYDIR}/firmware.keyblock" \ - -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ "${BAD_IN}" "${BAD_OUT}" 2>&1)" grep -q 'VBLOCK_A preamble is invalid' <<< "${FUTIL_OUTPUT}" @@ -441,9 +430,7 @@ for vblock_patch in "${BAD_FMAP_KEYBLOCK_PATCHES[@]}"; do grep -q 'VBLOCK_A keyblock component is invalid' <<< "${FUTIL_OUTPUT}" FUTIL_OUTPUT="$(if "${FUTILITY}" sign \ - -s "${KEYDIR}/firmware_data_key.vbprivk" \ - -b "${KEYDIR}/firmware.keyblock" \ - -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ "${BAD_IN}" "${BAD_OUT}" 2>&1; \ then false; fi)" m="$(grep -c -E \ @@ -466,9 +453,7 @@ FUTIL_OUTPUT="$(if "${FUTILITY}" verify \ grep -q 'VBLOCK_A is invalid' <<< "${FUTIL_OUTPUT}" FUTIL_OUTPUT="$(if "${FUTILITY}" sign \ - -s "${KEYDIR}/firmware_data_key.vbprivk" \ - -b "${KEYDIR}/firmware.keyblock" \ - -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ "${BAD_IN}" "${BAD_OUT}" 2>&1; \ then false; fi)" m="$(grep -c -E \ @@ -490,9 +475,7 @@ FUTIL_OUTPUT="$(if "${FUTILITY}" verify \ grep -q 'VBLOCK_A is invalid' <<< "${FUTIL_OUTPUT}" FUTIL_OUTPUT="$(if "${FUTILITY}" sign \ - -s "${KEYDIR}/firmware_data_key.vbprivk" \ - -b "${KEYDIR}/firmware.keyblock" \ - -k "${KEYDIR}/kernel_subkey.vbpubk" \ + -K "${KEYDIR}" \ "${BAD_IN}" "${BAD_OUT}" 2>&1; \ then false; fi)" m="$(grep -c -E \ diff --git a/tests/futility/test_sign_fw_main.sh b/tests/futility/test_sign_fw_main.sh index 6ab2083b..e22f9072 100755 --- a/tests/futility/test_sign_fw_main.sh +++ b/tests/futility/test_sign_fw_main.sh @@ -30,9 +30,7 @@ dd bs=1024 count=16 if=/dev/urandom of="${TMP}.fw_main" # and the new way "${FUTILITY}" --debug sign \ - --signprivate "${KEYDIR}/firmware_data_key.vbprivk" \ - --keyblock "${KEYDIR}/firmware.keyblock" \ - --kernelkey "${KEYDIR}/kernel_subkey.vbpubk" \ + --keyset "${KEYDIR}" \ --version 12 \ --fv "${TMP}.fw_main" \ --flags 42 \ diff --git a/tests/futility/test_sign_kernel.sh b/tests/futility/test_sign_kernel.sh index 61b1c5aa..bba1164f 100755 --- a/tests/futility/test_sign_kernel.sh +++ b/tests/futility/test_sign_kernel.sh @@ -45,8 +45,7 @@ try_arch () { # pack it up the new way "${FUTILITY}" --debug sign \ - --keyblock "${DEVKEYS}/recovery_kernel.keyblock" \ - --signprivate "${DEVKEYS}/recovery_kernel_data_key.vbprivk" \ + --keyset "${DEVKEYS}/recovery_" \ --version 1 \ --config "${TMP}.config.txt" \ --bootloader "${TMP}.bootloader.bin" \ @@ -84,7 +83,7 @@ try_arch () { # repack it the new way "${FUTILITY}" --debug sign \ - --signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \ + --keyset "${DEVKEYS}" \ --keyblock "${DEVKEYS}/kernel.keyblock" \ --version 2 \ --pad "${padding}" \ |