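#!/bin/bash

# Copyright 2014 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# End-to-end test for vboot2 firmware verification
#
# Builds a signed test image (root key stored in a GBB, keyblock signed by the
# root key, firmware preamble signed by the firmware subkey) and checks that
# the vb20 verifier binaries accept it.
#
# NOTE(review): only the accept path is exercised here; nothing in this script
# checks that a modified body.test or vblock.test is rejected.

# Load common constants and variables.
. "$(dirname "$0")/common.sh"

set -e

# Everything below reads these three values. Stop with a clear message if
# common.sh did not provide them; an empty TEST_DIR would otherwise place the
# scratch directory at /vb2fw_test_dir.
: "${TEST_DIR:?TEST_DIR must be set by common.sh}"
: "${TESTKEY_DIR:?TESTKEY_DIR must be set by common.sh}"
: "${FUTILITY:?FUTILITY must be set by common.sh}"

echo 'Creating test firmware'

# Run tests in a dedicated directory for easy cleanup or debugging.
DIR="${TEST_DIR}/vb2fw_test_dir"
mkdir -p "$DIR"
echo "Testing vb2_verify_fw in $DIR"
cd "$DIR"

# Dummy firmware body
echo 'This is a test firmware body. This is only a test. Lalalalala' \
  > body.test

#######################################
# Map an algorithm id (0-11) to the RSA key size part of a test key name.
# The id encodes both choices: id / 3 selects the RSA size, id % 3 the hash.
# Arguments: $1 - algorithm id
# Outputs:   "rsa1024" | "rsa2048" | "rsa4096" | "rsa8192" on stdout
# Returns:   1 (with a message on stderr) for an id outside 0-11
#######################################
algo_to_rsa()
{
  case "$1" in
    0|1|2) printf "rsa1024";;
    3|4|5) printf "rsa2048";;
    6|7|8) printf "rsa4096";;
    9|10|11) printf "rsa8192";;
    *)
      printf 'algo_to_rsa: unsupported algorithm id: %s\n' "$1" >&2
      return 1
      ;;
  esac
}

#######################################
# Map an algorithm id (0-11) to the hash part of a test private key name.
# Arguments: $1 - algorithm id
# Outputs:   "sha1" | "sha256" | "sha512" on stdout
# Returns:   1 (with a message on stderr) for an id outside 0-11
#######################################
algo_to_sha()
{
  case "$1" in
    0|3|6|9) printf "sha1";;
    1|4|7|10) printf "sha256";;
    2|5|8|11) printf "sha512";;
    *)
      printf 'algo_to_sha: unsupported algorithm id: %s\n' "$1" >&2
      return 1
      ;;
  esac
}

#######################################
# Build a signed firmware image for one algorithm combination and verify it.
# Globals:   FUTILITY, TESTKEY_DIR, TEST_DIR (read)
# Arguments: $1 - algorithm id of the root key
#            $2 - algorithm id of the firmware subkey
#            $3 - algorithm id of the kernel subkey
# Outputs:   progress messages on stdout; *.test files in the current
#            directory are overwritten on every call
# Returns:   non-zero (the script exits under set -e) if any tool fails
#######################################
run_test()
{
  local root_algo=$1
  local fw_algo=$2
  local kern_algo=$3

  # Declaration and assignment are kept apart so that a failing lookup is not
  # masked by the exit status of "local" and set -e can stop the script.
  local root_rsa
  local fw_rsa
  local kern_rsa
  root_rsa="$(algo_to_rsa "${root_algo}")"
  fw_rsa="$(algo_to_rsa "${fw_algo}")"
  kern_rsa="$(algo_to_rsa "${kern_algo}")"

  # No hash name is needed for the kernel key: it is only packed and embedded
  # below, never used to sign anything in this test.
  local root_sha
  local fw_sha
  root_sha="$(algo_to_sha "${root_algo}")"
  fw_sha="$(algo_to_sha "${fw_algo}")"

  # Pack keys using original vboot utilities
  "${FUTILITY}" vbutil_key --pack rootkey.test \
    --key "${TESTKEY_DIR}/key_${root_rsa}.keyb" \
    --algorithm "${root_algo}"
  "${FUTILITY}" vbutil_key --pack fwsubkey.test \
    --key "${TESTKEY_DIR}/key_${fw_rsa}.keyb" \
    --algorithm "${fw_algo}"
  "${FUTILITY}" vbutil_key --pack kernkey.test \
    --key "${TESTKEY_DIR}/key_${kern_rsa}.keyb" \
    --algorithm "${kern_algo}"

  # Create a GBB with the root key
  "${FUTILITY}" gbb -c 128,2400,0,0 gbb.test
  "${FUTILITY}" gbb gbb.test -s --hwid='Test GBB' \
    --rootkey=rootkey.test

  # Keyblock with firmware subkey is signed by root key
  # NOTE(review): the .vbprivk files under TESTKEY_DIR are presumably
  # test-only private keys shipped with the test suite; confirm against the
  # key directory's own documentation.
  "${FUTILITY}" vbutil_keyblock --pack keyblock.test \
    --datapubkey fwsubkey.test \
    --signprivate "${TESTKEY_DIR}/key_${root_rsa}.${root_sha}.vbprivk"

  # Firmware preamble is signed with the firmware subkey
  "${FUTILITY}" sign \
    --version 1 \
    --signprivate "${TESTKEY_DIR}/key_${fw_rsa}.${fw_sha}.vbprivk" \
    --keyblock keyblock.test \
    --kernelkey kernkey.test \
    --fv body.test \
    --outfile vblock.test

  echo "Verifying test firmware using vb2_verify_fw" \
    "(root=${root_algo}, fw=${fw_algo}, kernel=${kern_algo})"

  # Verify the firmware using vboot2 checks
  "${TEST_DIR}/vb20_verify_fw" gbb.test vblock.test body.test

  # The hwcrypto verifier is optional: it is run only when the binary exists.
  if [ -e "${TEST_DIR}/vb20_hwcrypto_verify_fw" ]
  then
    echo "Verifying test firmware using vb20_hwcrypto_verify_fw" \
      "(root=${root_algo}, fw=${fw_algo}, kernel=${kern_algo})"
    "${TEST_DIR}/vb20_hwcrypto_verify_fw" gbb.test vblock.test body.test
  fi

  happy 'vb2_verify_fw succeeded'
}

# Mixed key sizes down the chain, then the largest and a small combination.
run_test 11 7 4
run_test 11 11 11
run_test 1 1 1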