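#!/bin/sh -ue
# Copyright 2011 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# Usage:  dev_debug_vboot [ --cleanup | DIRECTORY ]
# (see usage() below for the full option list)
#
# This extracts some useful debugging information about verified boot. A short
# summary is printed on stdout, more detailed information and working files are
# left in a log directory.
#
# Security notes for operators:
#   * The script is normally run as root. It sources
#     /etc/default/vboot_reference, so that file must be writable by root only.
#   * With umask 022 the working files and the exported log are world-readable.
#     The log records "crossystem --all", listings of /root and
#     /mnt/stateful_partition, and the partition tables of local disks.
#   * A caller-supplied DIRECTORY receives files written with the caller's
#     privileges; it should not be writable by other users.
#
##############################################################################

# Clean up PATH for root use. Note that we're assuming [ is always built-in.
[ "${EUID:-0}" = 0 ] && PATH=/bin:/sbin:/usr/bin:/usr/sbin

PUBLOGFILE="/var/log/debug_vboot_noisy.log"

OPT_CLEANUP=
OPT_BIOS=
OPT_FORCE=
OPT_IMAGE=
OPT_KERNEL=
OPT_VERBOSE=

FLAG_SAVE_LOG_FILE=yes

LOGFILE=/dev/stdout
TMPDIR=

##############################################################################

# Print the help text on stdout and exit 0.
usage() {
  local prog

  prog=${0##*/}
  cat <<EOF

Usage: $prog [options] [DIRECTORY]

This logs as much as it can about the verified boot process. With no arguments
it will attempt to read the current BIOS, extract the firmware keys, and use
those keys to validate all the ChromeOS kernel partitions it can find. A
summary output is printed on stdout, and the detailed log is copied to
$PUBLOGFILE afterwards.

If a directory is given, it will attempt to use the components from that
directory and will leave the detailed log in that directory.

Options:

  -b FILE, --bios FILE        Specify the BIOS image to use
  -i FILE, --image FILE       Specify the disk image to use
  -k FILE, --kernel FILE      Specify the kernel partition image to use
  -v                          Spew the detailed log to stdout

  -c, --cleanup               Delete the DIRECTORY when done

  -h, --help                  Print this help message and exit

EOF
exit 0
}

# EXIT trap: export the detailed log to PUBLOGFILE when FLAG_SAVE_LOG_FILE is
# set, then delete the working directory when --cleanup was requested.
cleanup() {
  if [ -n "${FLAG_SAVE_LOG_FILE}" ]; then
    # Best effort: a failed copy is deliberately silent.
    if cp -f "${LOGFILE}" "${PUBLOGFILE}" 2>/dev/null; then
      info "Exporting log file as ${PUBLOGFILE}"
    fi
  fi
  if [ -n "${OPT_CLEANUP}" ] && [ -d "${TMPDIR}" ] ; then
    cd /
    # TMPDIR is an absolute path by the time the trap is installed. ':?' and
    # '--' keep an empty or dash-leading value from widening the delete.
    rm -rf -- "${TMPDIR:?}"
  fi
}

# Print a message on stderr and exit 1.
die() {
  echo "$*" 1>&2
  exit 1
}

# Print a message on stdout and append it to the log as a '#' line.
info() {
  echo "$@"
  echo "#" "$@" >> "$LOGFILE"
}

# Like info(), but without a trailing newline on stdout.
infon() {
  echo -n "$@"
  echo "#" "$@" >> "$LOGFILE"
}

# Append a '#' line to the log only.
debug() {
  echo "#" "$@" >> "$LOGFILE"
}

# Record a command line in the log, then run it with stdout and stderr
# appended to the log. Returns the command's exit status.
log() {
  echo "+" "$@" >> "$LOGFILE"
  "$@" >> "$LOGFILE" 2>&1
}

# Like log(), but keep only the first lines of the command's output (head).
loghead() {
  echo "+" "$@" "| head" >> "$LOGFILE"
  "$@" | head >> "$LOGFILE" 2>&1
}

# Record an error in the log, then die() with the same message.
logdie() {
  echo "+ERROR:" "$@" >> "$LOGFILE"
  die "$@"
}

# Report the exit status of the command that ran immediately before this call
# as OK/FAILED and leave that status in LAST_RESULT. Must be invoked as
# "cmd ; result" so that $? still belongs to cmd.
result() {
  LAST_RESULT=$?
  if [ "${LAST_RESULT}" = "0" ]; then
    info "OK"
  else
    info "FAILED"
  fi
}

# Abort via logdie() unless every program named in the arguments is available.
require_utils() {
  local missing
  local tool

  missing=
  for tool in "$@" ; do
    if ! type "$tool" >/dev/null 2>&1 ; then
      missing="$missing $tool"
    fi
  done
  if [ -n "$missing" ]; then
    logdie "can't find these programs: $missing"
  fi
}

# Copy each kernel partition that cgpt finds in disk image $1 into a file
# named part_<N> in the current directory, printing each file name on stdout.
extract_kerns_from_file() {
  local start
  local size
  local part
  local rest
  local name

  debug "Extracting kernel partitions from $1 ..."
  cgpt find -v -t kernel "$1" | grep 'Label:' |
    while read -r start size part rest; do
      name="part_${part}"
      log dd if="$1" bs=512 skip="${start}" count="${size}" of="${name}" &&
        echo "${name}"
    done
}

# Print the data key version ($1) and the firmware/kernel version ($2) as one
# hex word, '0x' followed by four hex digits for each.
format_as_tpm_version() {
  local data_key_ver="$1"
  local ver="$2"
  printf '0x%04x%04x' "${data_key_ver}" "${ver}"
}

fix_old_names() {
  # Convert any old-style names to new-style
  [ -f GBB_Area ]        && log mv -f GBB_Area GBB
  [ -f Firmware_A_Key ]  && log mv -f Firmware_A_Key VBLOCK_A
  [ -f Firmware_B_Key ]  && log mv -f Firmware_B_Key VBLOCK_B
  [ -f Firmware_A_Data ] && log mv -f Firmware_A_Data FW_MAIN_A
  [ -f Firmware_B_Data ] && log mv -f Firmware_B_Data FW_MAIN_B
  # The tests above return non-zero when a file is absent; don't let that
  # become the function's status under 'set -e'.
  true
}

report_firmware_mismatch() {
  # Check for mismatched OS/firmware and send UMA metrics
  # Returns 1 when chromeos-firmwareupdate is not installed.
  local cros_fwid
  local model
  local manifest
  local expect_fwid

  if ! type "chromeos-firmwareupdate" >/dev/null 2>&1 ; then
    debug "Skip checking firmware mismatch: missing 'chromeos-firmwareupdate'."
    return 1
  fi

  # Declaration and assignment are separate so that the command substitutions
  # are never word-split by 'local'.
  cros_fwid=$(crossystem fwid 2>/dev/null) || true
  model=$(cros_config / name || echo unknown)
  manifest=$(chromeos-firmwareupdate --manifest 2>/dev/null) || true
  # Pass the model name to jq as data (--arg) instead of splicing it into the
  # filter text, so a name containing '-', '.' or quotes cannot alter or break
  # the filter.
  expect_fwid=$(printf '%s\n' "${manifest}" |
    jq -c -r --arg model "${model}" '.[$model].host.versions.rw' \
      2>/dev/null) || true

  if [ -z "${expect_fwid}" ] || [ "${expect_fwid}" = "null" ]; then
    debug "Failed to get the expected fwid for model '${model}'."
  elif [ "${cros_fwid}" = "${expect_fwid}" ]; then
    info "Report UMA metrics: System firmware matched OS bundled firmware."
    metrics_client -e "Platform.Firmware.Mismatch" 0 2
  else
    info "Report UMA metrics: System firmware mismatched OS bundled firmware."
    metrics_client -e "Platform.Firmware.Mismatch" 1 2
  fi
}

##############################################################################
# Here we go...

# Files created below, including the exported log, are world-readable.
umask 022

# defaults
DEV_DEBUG_FORCE=

# override them?
# This file is executed in the current shell with the caller's privileges.
[ -f /etc/default/vboot_reference ] && . /etc/default/vboot_reference

# Pre-parse args to replace actual args with a sanitized version.
# getopt emits a shell-quoted argument list, which is what makes the eval
# below safe; never eval the raw "$@".
TEMP=$(getopt -o hvb:i:k:cf --long help,bios:,image:,kernel:,cleanup,force \
  -n "$0" -- "$@")
eval set -- "$TEMP"

# Now look at them.
while true ; do
  case "${1:-}" in
    -b|--bios)
      OPT_BIOS=$(readlink -f "$2")
      shift 2
      FLAG_SAVE_LOG_FILE=
      ;;
    # getopt rewrites --image=FILE as two words, '--image' 'FILE', so the
    # pattern has to be the bare option name like the other long options.
    -i|--image)
      OPT_IMAGE=$(readlink -f "$2")
      shift 2
      FLAG_SAVE_LOG_FILE=
      ;;
    -k|--kernel)
      OPT_KERNEL=$(readlink -f "$2")
      shift 2
      FLAG_SAVE_LOG_FILE=
      ;;
    -c|--cleanup)
      OPT_CLEANUP=yes
      shift
      ;;
    -f|--force)
      OPT_FORCE=yes
      shift
      ;;
    -v)
      OPT_VERBOSE=yes
      shift
      FLAG_SAVE_LOG_FILE=
      ;;
    -h|--help)
      usage
      break
      ;;
    --)
      shift
      break
      ;;
    *)
      die "Internal error in option parsing"
      ;;
  esac
done

if [ -z "${1:-}" ]; then
  TMPDIR=$(mktemp -d /tmp/debug_vboot_XXXXXXXXX)
else
  [ -d "$1" ] || die "$1 doesn't exist"
  # Make the path absolute: LOGFILE is derived from it and then used after the
  # cd below, and cleanup() runs 'rm -rf' on it after 'cd /'. A relative path
  # would point somewhere else in both places.
  TMPDIR=$(readlink -f "$1")
  FLAG_SAVE_LOG_FILE=
fi
[ -z "${OPT_VERBOSE}" ] && LOGFILE="${TMPDIR}/noisy.log"

[ -d "${TMPDIR}" ] || mkdir -p "${TMPDIR}" || exit 1
cd "${TMPDIR}" || exit 1
echo "Running $0 $*" > "$LOGFILE"
log date
debug "DEV_DEBUG_FORCE=($DEV_DEBUG_FORCE)"
debug "OPT_CLEANUP=($OPT_CLEANUP)"
debug "OPT_BIOS=($OPT_BIOS)"
debug "OPT_FORCE=($OPT_FORCE)"
debug "OPT_IMAGE=($OPT_IMAGE)"
debug "OPT_KERNEL=($OPT_KERNEL)"
debug "FLAG_SAVE_LOG_FILE=($FLAG_SAVE_LOG_FILE)"
echo "Saving verbose log as $LOGFILE"
trap cleanup EXIT

if [ -n "${DEV_DEBUG_FORCE}" ] && [ -z "${OPT_FORCE}" ]; then
  info "Not gonna do anything without the --force option."
  exit 0
fi


# Make sure we have the programs we need
need="futility"
[ -z "${OPT_BIOS}" ] && need="$need flashrom"
[ -z "${OPT_KERNEL}" ] && need="$need cgpt"
# $need is a space-separated list; word splitting here is intentional.
require_utils $need


# Assuming we're on a ChromeOS device, see what we know.
set +e
log crossystem --all
log rootdev -s
log ls -aCF /root
log ls -aCF /mnt/stateful_partition
devs=$(awk '/(mmcblk[0-9])$|(sd[a-z])$|(nvme[0-9]+n[0-9]+)$/ {print "/dev/"$4}' /proc/partitions)
for d in $devs; do
  log cgpt show "$d"
done
log futility flash --wp-status
tpm_fwver=$(crossystem tpm_fwver) || tpm_fwver="UNKNOWN"
tpm_kernver=$(crossystem tpm_kernver) || tpm_kernver="UNKNOWN"
set -e


info "Extracting BIOS components..."
BIOS_IMAGE="${OPT_BIOS}"
if [ -z "${BIOS_IMAGE}" ]; then
  info "Reading BIOS image from flash..."
  BIOS_IMAGE="bios.rom"
  if ! log futility read "${BIOS_IMAGE}" ; then
    logdie "Fail to read BIOS."
  fi
fi

# Extract all FMAP sections.
log futility dump_fmap -x "${BIOS_IMAGE}"
fix_old_names

info "Pulling root and recovery keys from GBB..."
log futility gbb -g --rootkey rootkey.vbpubk \
  --recoverykey recoverykey.vbpubk \
  "GBB" || logdie "Unable to extract keys from GBB"
log futility vbutil_key --unpack rootkey.vbpubk
log futility vbutil_key --unpack recoverykey.vbpubk
# A root key whose unpacked description contains this digest is reported as
# dev-keys. Firmware rooted in a publicly known developer key gives no
# verified-boot assurance, so treat this line in the summary as a finding on
# any device that is expected to run production-signed firmware.
futility vbutil_key --unpack rootkey.vbpubk |
  grep -q b11d74edd286c144e1135b49e7f0bc20cf041f10 &&
  info " Looks like dev-keys"

# Okay if firmware verification fails.
set +e
log futility verify -P "${BIOS_IMAGE}"
# Rerun to get version numbers.
futility verify -P "${BIOS_IMAGE}" > tmp.txt
for fw in A B; do
  infon "Verify firmware ${fw} with root key: "
  grep -q "^bios::VBLOCK_${fw}::verified" tmp.txt ; result
  if [ "${LAST_RESULT}" = "0" ]; then
    data_key_ver="$(sed -nE "s/^bios::VBLOCK_${fw}::keyblock::data_key::version::(.*)$/\1/p" tmp.txt)"
    fw_ver="$(sed -nE "s/^bios::VBLOCK_${fw}::preamble::firmware_version::(.*)$/\1/p" tmp.txt)"
    ver="$(format_as_tpm_version "${data_key_ver}" "${fw_ver}")"
    # Printed next to the value crossystem reported for tpm_fwver so the two
    # can be compared by eye.
    info " TPM=${tpm_fwver}, this=${ver}"
  fi
done
set -e

info "Examining kernels..."
if [ -n "${OPT_KERNEL}" ]; then
  kernparts="${OPT_KERNEL}"
elif [ -n "${OPT_IMAGE}" ]; then
  if [ -f "${OPT_IMAGE}" ]; then
    kernparts=$(extract_kerns_from_file "${OPT_IMAGE}")
  else
    kernparts=$(cgpt find -t kernel "${OPT_IMAGE}")
  fi
else
  kernparts=$(cgpt find -t kernel)
fi
[ -n "${kernparts}" ] || logdie "No kernels found"

# Okay if any of the kernel verifications fails.
set +e
kc=0
# kernparts is a whitespace-separated list; word splitting is intentional.
for kname in ${kernparts}; do
  if [ -f "${kname}" ]; then
    kfile="${kname}"
  else
    kfile="kern_${kc}"
    debug "copying ${kname} to ${kfile}..."
    log dd if="${kname}" of="${kfile}"
  fi

  infon "Kernel ${kname}: "
  log futility vbutil_keyblock --unpack "${kfile}" ; result
  if [ "${LAST_RESULT}" != "0" ]; then
    loghead od -Ax -tx1 "${kfile}"
  else
    # Test each kernel with each key
    for key in VBLOCK_A VBLOCK_B recoverykey.vbpubk; do
      infon " Verify ${kname} with $key: "
      log futility verify -P --publickey "${key}" "${kfile}" ; result
      if [ "${LAST_RESULT}" = "0" ]; then
        # rerun to get version numbers
        futility verify -P --publickey "${key}" "${kfile}" > tmp.txt
        data_key_ver="$(sed -nE "s/^kernel::keyblock::data_key::version::(.*)$/\1/p" tmp.txt)"
        kernel_ver="$(sed -nE "s/^kernel::preamble::kernel_version::(.*)$/\1/p" tmp.txt)"
        ver="$(format_as_tpm_version "${data_key_ver}" "${kernel_ver}")"
        info " TPM=${tpm_kernver} this=${ver}"
      fi
    done
  fi

  kc=$((kc + 1))
done

report_firmware_mismatch || true

exit 0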