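#!/bin/bash

# Copyright 2013 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Run verified boot firmware and kernel verification tests.
#
# Usage: $0 [--all]
#   --all   exercise every (key length, hash algorithm) combination listed in
#           common.sh instead of the small default set.
#
# Globals read from common.sh: FUTILITY, TESTKEY_DIR, TESTKEY_SCRATCH_DIR,
# SCRIPT_DIR, key_lengths, hash_algos, the COL_* colour codes and the
# check_test_keys helper.

# Load common constants and variables.
. "$(dirname "$0")/common.sh"

# Aggregated exit status of the whole run: stays 0 unless a step fails.
return_code=0

#######################################
# Print a red failure label for a step and record the failure.
# Arguments:
#   $1 - short name of the step that failed
# Globals written: return_code
#######################################
function fail_step {
  echo -e "${COL_RED}$1${COL_STOP}"
  return_code=255
}

#######################################
# Pack one RSA public key with vbutil_key and unpack it again.
# Arguments:
#   $1 - vboot algorithm number
#   $2 - RSA key length in bits (selects key_rsa<len>.keyb in TESTKEY_DIR)
#   $3 - hash algorithm name (only used in the progress message)
# Outputs: writes key_alg<algonum>.vbpubk into TESTKEY_SCRATCH_DIR; this
#          file is later consumed by test_vbutil_keyblock_single.
# Globals written: return_code (255 on any failure)
#######################################
function test_vbutil_key_single {
  local algonum=$1
  local keylen=$2
  local hashalgo=$3
  local pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk"

  echo -e "For signing key ${COL_YELLOW}RSA-$keylen/$hashalgo${COL_STOP}:"
  # Pack the key
  if ! "${FUTILITY}" vbutil_key \
    --pack "${pubkey}" \
    --key "${TESTKEY_DIR}/key_rsa${keylen}.keyb" \
    --version 1 \
    --algorithm "${algonum}"
  then
    return_code=255
  fi

  # Unpack the key
  # TODO: should verify we get the same key back out?
  if ! "${FUTILITY}" vbutil_key --unpack "${pubkey}"
  then
    return_code=255
  fi
}

#######################################
# Run test_vbutil_key_single for every (key length, hash) pair in common.sh.
# The algorithm number is the running index of the pair, counted in the
# order the two arrays are nested here.
# Globals read: key_lengths, hash_algos
#######################################
function test_vbutil_key_all {
  local algorithmcounter=0
  local keylen hashalgo
  for keylen in "${key_lengths[@]}"; do
    for hashalgo in "${hash_algos[@]}"; do
      test_vbutil_key_single "$algorithmcounter" "$keylen" "$hashalgo"
      algorithmcounter=$((algorithmcounter + 1))
    done
  done
}

#######################################
# Default (quick) vbutil_key test set.
#######################################
function test_vbutil_key {
  test_vbutil_key_single 4 2048 sha256
  test_vbutil_key_single 7 4096 sha256
  test_vbutil_key_single 11 8192 sha512
}

#######################################
# Build a keyblock from a data public key and a signing key, unpack it, and
# check that the data key survives the round trip. Done twice: once signing
# with a wrapped .vbprivk, once through the external signer script.
# Arguments:
#   $1 - signing key vboot algorithm number
#   $2 - signing key RSA length in bits (selects key_rsa<len>.pem/.keyb)
#   $3 - signing key hash algorithm name (message only)
#   $4 - data key vboot algorithm number (selects key_alg<n>.vbpubk, which
#        test_vbutil_key_single must already have produced)
#   $5 - data key RSA length in bits (message only)
#   $6 - data key hash algorithm name (message only)
# Globals written: return_code (255 on any failure)
# Exits the script with status 1 if the unpacked data key does not match
# the one that was packed.
#######################################
function test_vbutil_keyblock_single {
  local signing_algonum=$1
  local signing_keylen=$2
  local signing_hashalgo=$3
  local data_algonum=$4
  local data_keylen=$5
  local data_hashalgo=$6

  # All scratch artefacts are named after the vboot algorithm number of the
  # key they hold, so distinct signing algorithms never clobber each other.
  local signing_privkey="${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbprivk"
  local signing_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbpubk"
  local signing_pem="${TESTKEY_DIR}/key_rsa${signing_keylen}.pem"
  local data_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk"
  local data_pubkey_out="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2"
  local keyblockfile="${TESTKEY_SCRATCH_DIR}/sign${signing_algonum}_data${data_algonum}.keyblock"

  echo -e "For ${COL_YELLOW}signing algorithm \
RSA-${signing_keylen}/${signing_hashalgo}${COL_STOP} \
and ${COL_YELLOW}data key algorithm RSA-${data_keylen}/\
${data_hashalgo}${COL_STOP}"
  # Remove old file
  rm -f "${keyblockfile}"

  # Wrap private key
  if ! "${FUTILITY}" vbutil_key \
    --pack "${signing_privkey}" \
    --key "${signing_pem}" \
    --algorithm "${signing_algonum}"
  then
    fail_step "Wrap vbprivk"
  fi

  # Wrap public key
  if ! "${FUTILITY}" vbutil_key \
    --pack "${signing_pubkey}" \
    --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.keyb" \
    --algorithm "${signing_algonum}"
  then
    fail_step "Wrap vbpubk"
  fi

  # Pack
  if ! "${FUTILITY}" vbutil_keyblock --pack "${keyblockfile}" \
    --datapubkey "${data_pubkey}" \
    --signprivate "${signing_privkey}"
  then
    fail_step "Pack"
  fi

  # Unpack: verifies the keyblock signature against the signing public key
  # and extracts the data key into data_pubkey_out.
  if ! "${FUTILITY}" vbutil_keyblock --unpack "${keyblockfile}" \
    --datapubkey "${data_pubkey_out}" \
    --signpubkey "${signing_pubkey}"
  then
    fail_step "Unpack"
  fi

  # Check: the extracted data key must be byte-identical to the input.
  # A mismatch means the round trip is broken, so abort the whole run.
  if ! cmp -s "${data_pubkey}" "${data_pubkey_out}"
  then
    fail_step "Check"
    exit 1
  fi

  echo -e "${COL_YELLOW}Testing keyblock creation using \
external signer.${COL_STOP}"
  # Pack using external signer: the private key is handed to
  # external_rsa_signer.sh as PEM instead of being wrapped into a .vbprivk.
  if ! "${FUTILITY}" vbutil_keyblock --pack "${keyblockfile}" \
    --datapubkey "${data_pubkey}" \
    --signprivate_pem "${signing_pem}" \
    --pem_algorithm "${signing_algonum}" \
    --externalsigner "${SCRIPT_DIR}/external_rsa_signer.sh"
  then
    fail_step "Pack"
  fi

  # Unpack
  if ! "${FUTILITY}" vbutil_keyblock --unpack "${keyblockfile}" \
    --datapubkey "${data_pubkey_out}" \
    --signpubkey "${signing_pubkey}"
  then
    fail_step "Unpack"
  fi

  # Check
  if ! cmp -s "${data_pubkey}" "${data_pubkey_out}"
  then
    fail_step "Check"
    exit 1
  fi
}

#######################################
# Test for various combinations of firmware signing algorithm and
# kernel signing algorithm: every signing (key length, hash) pair against
# every data key (key length, hash) pair from common.sh.
# Globals read: key_lengths, hash_algos
#######################################
function test_vbutil_keyblock_all {
  local signing_algorithmcounter=0
  local data_algorithmcounter=0
  local signing_keylen signing_hashalgo data_keylen data_hashalgo
  for signing_keylen in "${key_lengths[@]}"; do
    for signing_hashalgo in "${hash_algos[@]}"; do
      data_algorithmcounter=0
      for data_keylen in "${key_lengths[@]}"; do
        for data_hashalgo in "${hash_algos[@]}"; do
          test_vbutil_keyblock_single \
            "$signing_algorithmcounter" "$signing_keylen" "$signing_hashalgo" \
            "$data_algorithmcounter" "$data_keylen" "$data_hashalgo"
          data_algorithmcounter=$((data_algorithmcounter + 1))
        done
      done
      signing_algorithmcounter=$((signing_algorithmcounter + 1))
    done
  done
}

#######################################
# Default (quick) vbutil_keyblock test set.
#######################################
function test_vbutil_keyblock {
  test_vbutil_keyblock_single 7 4096 sha256 4 2048 sha256
  test_vbutil_keyblock_single 11 8192 sha512 4 2048 sha256
  test_vbutil_keyblock_single 11 8192 sha512 7 4096 sha256
}

check_test_keys

echo
echo "Testing vbutil_key..."
if [[ "${1:-}" == "--all" ]]; then
  test_vbutil_key_all
else
  test_vbutil_key
fi

echo
echo "Testing vbutil_keyblock..."
if [[ "${1:-}" == "--all" ]]; then
  test_vbutil_keyblock_all
else
  test_vbutil_keyblock
fi

exit "${return_code}"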