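#!/bin/bash
# Copyright 2014 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# Check that `futility sign` builds keyblocks byte-identical to the ones the
# older `futility vbutil_keyblock --pack` interface produces, for four cases:
# signed with a .vbprivk, unsigned, signed with a PEM key, and signed with a
# PEM key through an external signer program.
#
# Required environment:
#   OUTDIR   - scratch directory; all temporary files are created here
#   SRCDIR   - source tree root; tests/devkeys, tests/testkeys and
#              tests/external_rsa_signer.sh are taken from it
#   FUTILITY - path to the futility binary under test
#
# Exits non-zero (via `set -e`) on the first failing command or mismatch.

# Shell options live in `set` rather than the shebang so they are still in
# effect when the script is invoked as `bash <script>`.
set -eux

me=${0##*/}
TMP="$me.tmp"

# Work in scratch directory
cd "$OUTDIR"

# some stuff we'll need
DEVKEYS="${SRCDIR}/tests/devkeys"
TESTKEYS="${SRCDIR}/tests/testkeys"
SIGNER="${SRCDIR}/tests/external_rsa_signer.sh"


# Create a copy of an existing keyblock, using the old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 7 \
  --signprivate "${DEVKEYS}/root_key.vbprivk"

# Check it.
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock0" \
  --signpubkey "${DEVKEYS}/root_key.vbpubk"

# It should be the same as the dev-key firmware keyblock
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock0"


# Now create it the new way
"${FUTILITY}" sign --debug \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 7 \
  --signprivate "${DEVKEYS}/root_key.vbprivk" \
  --outfile "${TMP}.keyblock1"

# It should be the same too.
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock1"


# Create a keyblock without signing it.

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 14

# new way (positional input/output instead of --datapubkey/--outfile)
"${FUTILITY}" sign --debug \
  --flags 14 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock1"

cmp "${TMP}.keyblock0" "${TMP}.keyblock1"


# Create one using PEM args

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock2" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 9

# verify it
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock2" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# new way
"${FUTILITY}" sign --debug \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --flags 9 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock3"

cmp "${TMP}.keyblock2" "${TMP}.keyblock3"

# Try it with an external signer

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock4" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 19 \
  --externalsigner "${SIGNER}"

# verify it
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock4" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# new way
"${FUTILITY}" sign --debug \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --pem_external "${SIGNER}" \
  --flags 19 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock5"

cmp "${TMP}.keyblock4" "${TMP}.keyblock5"


# cleanup
# `${TMP:?}` refuses to expand to an empty prefix, so this can never become
# `rm -rf *` in the scratch directory; `--` protects against a name that
# starts with '-'. Temporary files are deliberately left behind on failure
# (set -e exits before this point) so a broken keyblock can be inspected.
rm -rf -- "${TMP:?}"*
exit 0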