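#!/bin/bash

# Copyright 2013 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Run verified boot firmware and kernel verification tests.
#
# Usage: $0 [--all]
#
# Exercises `futility vbutil_key` (pack a public test key into .vbpubk form
# and unpack it again) and `futility vbutil_keyblock` (pack a keyblock that
# wraps a data public key under a signing key, unpack it with the signing
# public key and compare the recovered data key with the original).
# With --all every combination of key length and hash algorithm is tested;
# without it only a small representative subset is run.
#
# Expected from common.sh: FUTILITY, TESTKEY_DIR, TESTKEY_SCRATCH_DIR,
# SCRIPT_DIR, the key_lengths and hash_algos arrays, the COL_* colour
# escapes and check_test_keys (presumably defined there -- it is not
# defined in this file).

# Load common constants and variables.
. "$(dirname "$0")/common.sh"

# Overall result. Stays 0 unless some futility step fails, in which case it
# becomes 255 and is used as the script's exit status. A data-key mismatch
# detected by cmp aborts the whole run immediately with exit 1 instead.
return_code=0

#######################################
# Pack one public test key into .vbpubk form and unpack it again.
# Arguments:
#   $1 - vboot algorithm number (selects RSA size + hash)
#   $2 - RSA key length in bits; selects key_rsa<len>.keyb in TESTKEY_DIR
#   $3 - hash algorithm name; only used in the progress message
# Globals:
#   Writes TESTKEY_SCRATCH_DIR/key_alg<$1>.vbpubk, which the keyblock tests
#   below reuse as their data key. Sets return_code=255 on failure.
#######################################
function test_vbutil_key_single {
  local algonum=$1
  local keylen=$2
  local hashalgo=$3
  local pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk"

  echo -e "For signing key ${COL_YELLOW}RSA-$keylen/$hashalgo${COL_STOP}:"
  # Pack the key
  if ! "${FUTILITY}" vbutil_key \
    --pack "${pubkey}" \
    --key "${TESTKEY_DIR}/key_rsa${keylen}.keyb" \
    --version 1 \
    --algorithm "${algonum}"
  then
    echo -e "${COL_RED}Pack vbpubk${COL_STOP}"
    return_code=255
  fi

  # Unpack the key. This only checks that futility accepts the file it
  # just wrote; the contents are not compared with the input.
  # TODO: should verify we get the same key back out?
  if ! "${FUTILITY}" vbutil_key --unpack "${pubkey}"
  then
    echo -e "${COL_RED}Unpack vbpubk${COL_STOP}"
    return_code=255
  fi
}

#######################################
# Run test_vbutil_key_single for every key length / hash algorithm pair.
# The algorithm number is the position of the pair in the
# key_lengths x hash_algos enumeration (key length major, hash minor).
# Globals:
#   key_lengths, hash_algos (read); return_code via the callee.
#######################################
function test_vbutil_key_all {
  local algorithmcounter=0
  local keylen hashalgo
  for keylen in "${key_lengths[@]}"; do
    for hashalgo in "${hash_algos[@]}"; do
      test_vbutil_key_single "$algorithmcounter" "$keylen" "$hashalgo"
      algorithmcounter=$((algorithmcounter + 1))
    done
  done
}

#######################################
# Representative subset of test_vbutil_key_all (default mode).
# The algorithm numbers must match the key_lengths/hash_algos ordering in
# common.sh; they are also the data keys the keyblock subset below relies on.
#######################################
function test_vbutil_key {
  test_vbutil_key_single 4 2048 sha256
  test_vbutil_key_single 7 4096 sha256
  test_vbutil_key_single 11 8192 sha512
}

#######################################
# Unpack a keyblock with the given signing public key and check that the
# data public key it contains is byte-identical to the expected one.
# This is the actual security check of the keyblock tests: the unpack is
# presumably rejected when the signature does not verify under
# --signpubkey, and cmp catches any corruption of the wrapped data key.
# Arguments:
#   $1 - keyblock file to unpack
#   $2 - signing public key (.vbpubk) to verify the keyblock against
#   $3 - expected data public key (.vbpubk)
#   $4 - path to write the recovered data public key to
# Globals:
#   Sets return_code=255 if the unpack fails; exits 1 on a cmp mismatch.
#######################################
function keyblock_unpack_and_compare {
  local keyblock=$1
  local signing_pubkey=$2
  local expected_data_pubkey=$3
  local recovered_data_pubkey=$4

  # Unpack
  if ! "${FUTILITY}" vbutil_keyblock --unpack "${keyblock}" \
    --datapubkey "${recovered_data_pubkey}" \
    --signpubkey "${signing_pubkey}"
  then
    echo -e "${COL_RED}Unpack${COL_STOP}"
    return_code=255
  fi

  # Check: a wrong data key coming back out is fatal, stop right away.
  if ! cmp -s -- "${expected_data_pubkey}" "${recovered_data_pubkey}"
  then
    echo -e "${COL_RED}Check${COL_STOP}"
    return_code=255
    exit 1
  fi
}

#######################################
# Pack a keyblock (data public key signed by a signing key), unpack it and
# check the recovered data key. Done twice: once with the signing private
# key wrapped as a .vbprivk, once through the external signer script with
# the raw PEM key.
# Arguments:
#   $1 - signing key algorithm number
#   $2 - signing key RSA length in bits; selects key_rsa<len>.pem/.keyb
#   $3 - signing key hash algorithm name (message only)
#   $4 - data key algorithm number; key_alg<$4>.vbpubk must already exist
#        in TESTKEY_SCRATCH_DIR (written by test_vbutil_key_single)
#   $5 - data key RSA length in bits (message only)
#   $6 - data key hash algorithm name (message only)
# Globals:
#   Sets return_code=255 on any futility failure; exits 1 immediately if
#   the recovered data key does not match the original.
#######################################
function test_vbutil_keyblock_single {
  local signing_algonum=$1
  local signing_keylen=$2
  local signing_hashalgo=$3
  local data_algonum=$4
  local data_keylen=$5
  local data_hashalgo=$6

  # Wrapped signing key pair. They get their own "sign_alg" prefix so that
  # they never overwrite the key_alg<n>.vbpubk data keys produced by
  # test_vbutil_key_single -- in --all mode the signing and data algorithm
  # numbers coincide for some iterations. Both keyblock round trips below
  # verify against the public key wrapped here, so the test does not depend
  # on which files an earlier test happened to leave behind.
  local signing_privkey="${TESTKEY_SCRATCH_DIR}/sign_alg${signing_algonum}.vbprivk"
  local signing_pubkey="${TESTKEY_SCRATCH_DIR}/sign_alg${signing_algonum}.vbpubk"
  local data_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk"
  # Data key as recovered from the unpacked keyblock.
  local data_pubkey_out="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2"
  local keyblockfile="${TESTKEY_SCRATCH_DIR}/"
  keyblockfile+="sign${signing_algonum}_data${data_algonum}.keyblock"

  echo -e "For ${COL_YELLOW}signing algorithm \
RSA-${signing_keylen}/${signing_hashalgo}${COL_STOP} \
and ${COL_YELLOW}data key algorithm RSA-${data_keylen}/\
${data_hashalgo}${COL_STOP}"
  # Remove old file so a failed pack cannot be masked by a stale keyblock.
  rm -f -- "${keyblockfile}"

  # Wrap private key
  if ! "${FUTILITY}" vbutil_key \
    --pack "${signing_privkey}" \
    --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.pem" \
    --algorithm "${signing_algonum}"
  then
    echo -e "${COL_RED}Wrap vbprivk${COL_STOP}"
    return_code=255
  fi

  # Wrap public key
  if ! "${FUTILITY}" vbutil_key \
    --pack "${signing_pubkey}" \
    --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.keyb" \
    --algorithm "${signing_algonum}"
  then
    echo -e "${COL_RED}Wrap vbpubk${COL_STOP}"
    return_code=255
  fi

  # Pack with the wrapped private key
  if ! "${FUTILITY}" vbutil_keyblock --pack "${keyblockfile}" \
    --datapubkey "${data_pubkey}" \
    --signprivate "${signing_privkey}"
  then
    echo -e "${COL_RED}Pack${COL_STOP}"
    return_code=255
  fi

  # Unpack and check
  keyblock_unpack_and_compare "${keyblockfile}" "${signing_pubkey}" \
    "${data_pubkey}" "${data_pubkey_out}"

  echo -e "${COL_YELLOW}Testing keyblock creation using \
external signer.${COL_STOP}"
  # Pack using external signer: the PEM key and algorithm are handed to
  # external_rsa_signer.sh instead of being wrapped as a .vbprivk.
  if ! "${FUTILITY}" vbutil_keyblock --pack "${keyblockfile}" \
    --datapubkey "${data_pubkey}" \
    --signprivate_pem "${TESTKEY_DIR}/key_rsa${signing_keylen}.pem" \
    --pem_algorithm "${signing_algonum}" \
    --externalsigner "${SCRIPT_DIR}/external_rsa_signer.sh"
  then
    echo -e "${COL_RED}Pack${COL_STOP}"
    return_code=255
  fi

  # Unpack and check
  keyblock_unpack_and_compare "${keyblockfile}" "${signing_pubkey}" \
    "${data_pubkey}" "${data_pubkey_out}"
}


#######################################
# Test for various combinations of firmware signing algorithm and
# kernel signing algorithm: every (signing, data) pair of the
# key_lengths x hash_algos enumeration, numbered like test_vbutil_key_all
# so the data keys it wrote are found.
# Globals:
#   key_lengths, hash_algos (read); return_code via the callee.
#######################################
function test_vbutil_keyblock_all {
  local signing_algorithmcounter=0
  local data_algorithmcounter=0
  local signing_keylen signing_hashalgo data_keylen data_hashalgo
  for signing_keylen in "${key_lengths[@]}"; do
    for signing_hashalgo in "${hash_algos[@]}"; do
      data_algorithmcounter=0
      for data_keylen in "${key_lengths[@]}"; do
        for data_hashalgo in "${hash_algos[@]}"; do
          test_vbutil_keyblock_single \
            "$signing_algorithmcounter" "$signing_keylen" "$signing_hashalgo" \
            "$data_algorithmcounter" "$data_keylen" "$data_hashalgo"
          data_algorithmcounter=$((data_algorithmcounter + 1))
        done
      done
      signing_algorithmcounter=$((signing_algorithmcounter + 1))
    done
  done
}

#######################################
# Representative subset of test_vbutil_keyblock_all (default mode).
# Each data key algorithm used here must have been packed by
# test_vbutil_key above.
#######################################
function test_vbutil_keyblock {
  test_vbutil_keyblock_single 7 4096 sha256 4 2048 sha256
  test_vbutil_keyblock_single 11 8192 sha512 4 2048 sha256
  test_vbutil_keyblock_single 11 8192 sha512 7 4096 sha256
}


check_test_keys

# The keyblock tests consume the .vbpubk files the vbutil_key tests write,
# so the two phases must run in this order and in the same mode.
run_all=0
if [[ "${1:-}" == "--all" ]]; then
  run_all=1
fi

echo
echo "Testing vbutil_key..."
if (( run_all )); then
  test_vbutil_key_all
else
  test_vbutil_key
fi

echo
echo "Testing vbutil_keyblock..."
if (( run_all )); then
  test_vbutil_keyblock_all
else
  test_vbutil_keyblock
fi

exit "${return_code}"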