1#!/bin/bash
2# Copyright 2014 The ChromiumOS Authors
3# Use of this source code is governed by a BSD-style license that can be
4# found in the LICENSE file.
5
6# Script that validity checks a keyset to ensure actual key versions
7# match those set in key.versions.
8
9# Load common constants and variables.
10# shellcheck source=common.sh
11. "$(dirname "$0")/common.sh"
12
13# Abort on errors.
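set -e

# Exactly one argument, the keyset directory, is required.
if [[ $# -ne 1 ]]; then
  cat <<EOF
Usage: $0 <keyset directory>

Validity check a keyset directory for key versions.
EOF
  exit 1
fi

KEY_DIR="$1"
# Not referenced directly below; presumably consumed by get_version in
# common.sh — confirm against that file.
VERSION_FILE="${KEY_DIR}/key.versions"

# Fail early with a clear message if the keyset directory does not exist,
# instead of letting each later tool invocation fail on a missing file.
if [[ ! -d "${KEY_DIR}" ]]; then
  echo "ERROR: keyset directory not found: ${KEY_DIR}" >&2
  exit 1
fi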
27
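# Print the "Data key version" embedded in a keyblock.
# Arguments: $1 - path to the keyblock (.keyblock)
# Outputs:   the version number on stdout
# Returns:   0 on success; 1 (with a message on stderr) when no version
#            could be parsed, e.g. because vbutil_keyblock failed or the
#            file is missing. Without this check, an unreadable keyblock
#            would silently yield an empty version.
keyblock_version() {
  local keyblock="$1"
  local version
  # Status of the pipeline is that of tr, so a failing vbutil_keyblock is
  # only detectable through an empty result.
  version="$(vbutil_keyblock --unpack "${keyblock}" | grep 'Data key version' |
    cut -f 2 -d : | tr -d ' ')"
  if [[ -z "${version}" ]]; then
    echo "ERROR: could not read data key version from ${keyblock}" >&2
    return 1
  fi
  echo "${version}"
}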
33
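# Print the "Key Version" of a public key.
# Arguments: $1 - path to the public key (.vbpubk)
# Outputs:   the version number on stdout
# Returns:   0 on success; 1 (with a message on stderr) when no version
#            could be parsed, e.g. because vbutil_key failed or the file is
#            missing. Without this check, an unreadable key would silently
#            yield an empty version.
key_version() {
  local key="$1"
  local version
  # Status of the pipeline is that of tr, so a failing vbutil_key is only
  # detectable through an empty result.
  version="$(vbutil_key --unpack "${key}" | grep 'Key Version' | cut -f 2 -d : |
    tr -d ' ')"
  if [[ -z "${version}" ]]; then
    echo "ERROR: could not read key version from ${key}" >&2
    return 1
  fi
  echo "${version}"
}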
39
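# Compare versions and print out error if there is a mismatch.
# Arguments: $1 - expected version
#            $2 - version actually found
#            $3 - label describing where $1 came from
#            $4 - label describing where $2 came from
# Outputs:   an ERROR report on stdout when the versions differ or are missing
# Returns:   0 when both versions are non-empty and identical, 1 otherwise
check_versions() {
  local expected="$1"
  local got="$2"
  local expected_label="$3"
  local got_label="$4"
  # An empty version means a key could not be read. Two unreadable keys must
  # not count as matching, so reject missing values before comparing.
  if [[ -z "${expected}" || -z "${got}" ]]; then
    echo "ERROR: missing ${expected_label} or ${got_label} version"
    echo "EXPECTED (${expected_label} version): ${expected}"
    echo "GOT (${got_label} version): ${got}"
    return 1
  fi
  # Quote the right-hand side: inside [[ ]] an unquoted value is a glob
  # pattern, so an unexpected "*" or "?" in the parsed output would match.
  if [[ "${expected}" != "${got}" ]]; then
    echo "ERROR: ${expected_label} version does not match ${got_label} version"
    echo "EXPECTED (${expected_label} version): ${expected}"
    echo "GOT (${got_label} version): ${got}"
    return 1
  fi
  return 0
}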
54
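# Check the key.versions against firmware.keyblock and firmware_data_key.vbpubk.
# Arguments: $1 - path to the firmware keyblock
#            $2 - path to the firmware data public key (.vbpubk)
# Relies on the caller's (main's) locals via dynamic scoping: reads
# expected_fkey and sets testfail=1 on any mismatch or unreadable key, so
# every problem is reported before the script exits.
check_firmware_keyblock() {
  local fkey_keyblock="$1" fkey="$2"
  local got_fkey_keyblock got_fkey

  # Declare and assign separately: 'local x=$(cmd)' would mask a failing
  # helper. A failure is recorded in testfail and the checks still run.
  got_fkey_keyblock="$(keyblock_version "${fkey_keyblock}")" || testfail=1
  got_fkey="$(key_version "${fkey}")" || testfail=1

  # The data key version stored in the keyblock must match the key itself...
  check_versions "${got_fkey_keyblock}" "${got_fkey}" \
    "${fkey_keyblock##*/} keyblock key" "firmware key" || testfail=1
  # ...and the key must match the firmware_key_version read by main.
  check_versions "${expected_fkey}" "${got_fkey}" "${fkey##*/} key" \
    "firmware key" || testfail=1
}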
66
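# Validate the firmware keys in an loem keyset.
# Globals:   KEY_DIR (read); testfail in main's scope (set to 1 on error)
# Every "index = name" line of loem.ini names one firmware keyblock/key pair
# (firmware.loem<index>.keyblock, firmware_data_key.loem<index>.vbpubk),
# which is handed to check_firmware_keyblock. A loem.ini with no such
# entries is reported as an error rather than passing with nothing checked.
check_loem_keyset() {
  local line loem_index checked=0
  # -r keeps any backslash in the line literal instead of interpreting it.
  while read -r line; do
    # Index is the text before '=', with trailing blanks stripped.
    loem_index=$(cut -d= -f1 <<<"${line}" | sed 's: *$::')

    check_firmware_keyblock \
      "${KEY_DIR}/firmware.loem${loem_index}.keyblock" \
      "${KEY_DIR}/firmware_data_key.loem${loem_index}.vbpubk"
    checked=$((checked + 1))
  done < <(grep = "${KEY_DIR}"/loem.ini)

  # grep's status is lost in the process substitution, so count explicitly.
  if [[ ${checked} -eq 0 ]]; then
    echo "ERROR: no loem entries found in ${KEY_DIR}/loem.ini"
    testfail=1
  fi
}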
78
# Validate the firmware keys in a non-loem keyset.
# Globals:   KEY_DIR (read)
# Delegates to check_firmware_keyblock, which records any failure in the
# caller's testfail.
check_non_loem_keyset() {
  local keyblock="${KEY_DIR}/firmware.keyblock"
  local datakey="${KEY_DIR}/firmware_data_key.vbpubk"
  check_firmware_keyblock "${keyblock}" "${datakey}"
}
85
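# Run every version check on the keyset and exit with the overall result.
# Globals:   KEY_DIR (read)
# Returns:   does not return; exits 0 when all checks passed, 1 otherwise.
# testfail and expected_fkey are locals here but are read/written by
# check_firmware_keyblock and check_loem_keyset through dynamic scoping.
main() {
  local testfail=0

  # Versions declared in key.versions, via common.sh's get_version.
  # Declaration and assignment are separate so a failing get_version is not
  # masked by 'local'; it is recorded and the remaining checks still run.
  local expected_kkey expected_fkey expected_firmware
  expected_kkey="$(get_version kernel_key_version)" || testfail=1
  expected_fkey="$(get_version firmware_key_version)" || testfail=1
  expected_firmware="$(get_version firmware_version)" || testfail=1

  check_versions "${expected_firmware}" "${expected_kkey}" \
    "firmware" "kernel key" || testfail=1

  # Versions embedded in the kernel keyblock and keys. Paths are quoted so a
  # keyset directory containing whitespace still works.
  local got_kkey_keyblock got_ksubkey got_kdatakey
  got_kkey_keyblock="$(keyblock_version "${KEY_DIR}/kernel.keyblock")" || testfail=1
  got_ksubkey="$(key_version "${KEY_DIR}/kernel_subkey.vbpubk")" || testfail=1
  got_kdatakey="$(key_version "${KEY_DIR}/kernel_data_key.vbpubk")" || testfail=1

  # A loem.ini marks a keyset with one firmware key pair per OEM entry.
  if [[ -f "${KEY_DIR}/loem.ini" ]]; then
    check_loem_keyset
  else
    check_non_loem_keyset
  fi

  # Kernel keyblock, subkey and data key must all agree with each other and
  # with the kernel_key_version declared in key.versions.
  check_versions "${got_kkey_keyblock}" "${got_ksubkey}" "kernel keyblock key" \
    "kernel subkey" || testfail=1
  check_versions "${got_kdatakey}" "${got_ksubkey}" "kernel data key" \
    "kernel subkey" || testfail=1
  check_versions "${expected_kkey}" "${got_kdatakey}" "key.versions kernel key" \
    "kernel datakey" || testfail=1
  check_versions "${expected_kkey}" "${got_ksubkey}" "key.versions kernel key" \
    "kernel subkey" || testfail=1

  exit "${testfail}"
}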
118
# Entry point. The script's exit status is main's: 0 only when every version
# check passed, non-zero on a mismatch (or earlier, if set -e aborts on a
# failing command).
main "$@"
120