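#!/bin/bash -eux
# Copyright 2014 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# Test that "futility sign" produces keyblocks that are byte-identical to
# those produced by the older "futility vbutil_keyblock --pack" path, for:
#   - a keyblock signed with a .vbprivk root key,
#   - an unsigned keyblock,
#   - a keyblock signed with a PEM private key,
#   - a keyblock signed through an external signer script.
#
# Required environment:
#   OUTDIR   - scratch directory to work in (temp files are created here)
#   SRCDIR   - source tree root (provides tests/devkeys, tests/testkeys and
#              tests/external_rsa_signer.sh)
#   FUTILITY - path to the futility binary under test
#
# Every step runs under "set -e", so a failing futility invocation or a cmp
# mismatch aborts the script with a non-zero status, which is the failure
# signal for this test.

# Re-apply the options explicitly: flags on the shebang line are dropped
# when the script is started as "bash <script>" rather than exec'd directly.
set -eux

# Fail with a clear message up front instead of at the first use.
: "${OUTDIR:?must be set to the scratch directory}"
: "${SRCDIR:?must be set to the source tree root}"
: "${FUTILITY:?must be set to the futility binary}"

me=${0##*/}
# All scratch files share this prefix so they can be removed together.
TMP="$me.tmp"

# Work in scratch directory
cd "$OUTDIR"

# some stuff we'll need
DEVKEYS=${SRCDIR}/tests/devkeys
TESTKEYS=${SRCDIR}/tests/testkeys
SIGNER=${SRCDIR}/tests/external_rsa_signer.sh


# Create a copy of an existing keyblock, using the old way.
# The flag value must match the one the reference firmware.keyblock was
# built with, otherwise the cmp below cannot succeed.
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 23 \
  --signprivate "${DEVKEYS}/root_key.vbprivk"

# Check it: unpack against the root public key (fails under set -e if the
# block does not check out).
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock0" \
  --signpubkey "${DEVKEYS}/root_key.vbpubk"

# It should be the same as the dev-key firmware keyblock
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock0"


# Now create it the new way
"${FUTILITY}" --debug sign \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 23 \
  --signprivate "${DEVKEYS}/root_key.vbprivk" \
  --outfile "${TMP}.keyblock1"

# It should be the same too.
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock1"


# Create a keyblock without signing it.
# (keyblock0/keyblock1 from the previous step are overwritten here.)

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 14

# new way: with positional arguments instead of --datapubkey/--outfile
"${FUTILITY}" --debug sign \
  --flags 14 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock1"

cmp "${TMP}.keyblock0" "${TMP}.keyblock1"


# Create one using PEM args

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock2" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 9

# verify it
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock2" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# new way (note the option spellings differ from the old subcommand:
# --pem_signpriv / --pem_algo)
"${FUTILITY}" --debug sign \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --flags 9 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock3"

cmp "${TMP}.keyblock2" "${TMP}.keyblock3"

# Try it with an external signer

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock4" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 19 \
  --externalsigner "${SIGNER}"

# verify it
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock4" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# new way
"${FUTILITY}" --debug sign \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --pem_external "${SIGNER}" \
  --flags 19 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock5"

cmp "${TMP}.keyblock4" "${TMP}.keyblock5"


# cleanup: only reached on success, so scratch files are left in place for
# inspection when a step fails. ":?" guards against an empty prefix turning
# this into "rm -rf *".
rm -rf -- "${TMP:?}"*
exit 0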