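#!/bin/bash

# Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Run verified boot firmware and kernel verification tests.
#
# Exercises futility's vbutil_key (wrapping test RSA keys into .vbpubk /
# .vbprivk) and vbutil_keyblock (packing a data public key into a keyblock
# signed with a signing key, then unpacking and verifying it with both the
# built-in signer and the external signer script).
#
# Usage: run_vbutil_tests.sh [--all]
#   Without arguments a small fixed set of algorithm combinations is run;
#   with --all every (signing algorithm x data-key algorithm) combination of
#   key_lengths[] x hash_algos[] is run.
#
# Provided by common.sh: FUTILITY, TESTKEY_DIR, TESTKEY_SCRATCH_DIR,
# SCRIPT_DIR, key_lengths[], hash_algos[], the COL_* colour constants and
# check_test_keys.
#
# Exit status: 0 if every step succeeded, 255 if any step failed; a mismatch
# in a keyblock round-trip check aborts the run immediately with status 1.

# Load common constants and variables.
. "$(dirname "$0")/common.sh"

return_code=0

# Print a red failure marker for one step and mark the whole run as failed.
# Arguments: $1 - short name of the step that failed.
fail_step() {
  echo -e "${COL_RED}$1${COL_STOP}"
  return_code=255
}

# Pack one test RSA public key into a .vbpubk and unpack it again.
# Arguments: $1 - vboot algorithm number
#            $2 - RSA key length in bits (selects key_rsa<len>.keyb)
#            $3 - hash algorithm name (used for the progress message only)
# Writes ${TESTKEY_SCRATCH_DIR}/key_alg<$1>.vbpubk; the keyblock tests below
# reuse that file as the data public key for algorithm <$1>.
test_vbutil_key_single() {
  local algonum=$1
  local keylen=$2
  local hashalgo=$3
  local pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk"

  echo -e "For signing key ${COL_YELLOW}RSA-${keylen}/${hashalgo}${COL_STOP}:"

  # Pack the key.
  if ! "${FUTILITY}" vbutil_key \
      --pack "${pubkey}" \
      --key "${TESTKEY_DIR}/key_rsa${keylen}.keyb" \
      --version 1 \
      --algorithm "${algonum}"; then
    fail_step "Pack vbpubk"
  fi

  # Unpack the key.
  # TODO: should verify we get the same key back out?  This only checks that
  # --unpack accepts the file; nothing here compares the key material.
  if ! "${FUTILITY}" vbutil_key --unpack "${pubkey}"; then
    fail_step "Unpack vbpubk"
  fi
}

# Run test_vbutil_key_single for every key length / hash algorithm pair.
# The algorithm number is the running index of the pair in the
# key_lengths-major, hash_algos-minor iteration order, matching the numbering
# used by common.sh's arrays.
test_vbutil_key_all() {
  local algorithmcounter=0
  local keylen hashalgo
  for keylen in "${key_lengths[@]}"; do
    for hashalgo in "${hash_algos[@]}"; do
      test_vbutil_key_single "${algorithmcounter}" "${keylen}" "${hashalgo}"
      algorithmcounter=$((algorithmcounter + 1))
    done
  done
}

# Default (quick) vbutil_key test: one key of each supported length.
# These three keys are the ones test_vbutil_keyblock relies on below.
test_vbutil_key() {
  test_vbutil_key_single 4 2048 sha256
  test_vbutil_key_single 7 4096 sha256
  test_vbutil_key_single 11 8192 sha512
}

# Pack a keyblock for one (signing key, data key) combination, unpack it
# again with the signing public key, and check that the recovered data
# public key is byte-identical to the input.  Done once with futility's
# built-in signer and once with the external signer script.
# Arguments: $1 - signing algorithm number
#            $2 - signing RSA key length in bits
#            $3 - signing hash algorithm name (progress message only)
#            $4 - data-key algorithm number
#            $5 - data RSA key length in bits (progress message only)
#            $6 - data-key hash algorithm name (progress message only)
# Requires ${TESTKEY_SCRATCH_DIR}/key_alg<$4>.vbpubk to exist already (it is
# produced by test_vbutil_key_single for algorithm <$4>).
test_vbutil_keyblock_single() {
  local signing_algonum=$1
  local signing_keylen=$2
  local signing_hashalgo=$3
  local data_algonum=$4
  local data_keylen=$5
  local data_hashalgo=$6

  # All scratch paths are derived from the algorithm numbers so that the
  # wrapped signing key written here is the same file unpack verifies with.
  local signing_privkey="${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbprivk"
  local signing_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbpubk"
  local data_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk"
  local unpacked_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2"
  local keyblockfile="${TESTKEY_SCRATCH_DIR}/"
  keyblockfile+="sign${signing_algonum}_data"
  keyblockfile+="${data_algonum}.keyblock"

  echo -e "For ${COL_YELLOW}signing algorithm \
RSA-${signing_keylen}/${signing_hashalgo}${COL_STOP} \
and ${COL_YELLOW}data key algorithm RSA-${data_keylen}/\
${data_hashalgo}${COL_STOP}"

  # Remove old outputs so a stale keyblock or unpacked key from an earlier
  # run can never satisfy the checks below.
  rm -f -- "${keyblockfile}" "${unpacked_pubkey}"

  # Wrap private key.
  if ! "${FUTILITY}" vbutil_key \
      --pack "${signing_privkey}" \
      --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.pem" \
      --algorithm "${signing_algonum}"; then
    fail_step "Wrap vbprivk"
  fi

  # Wrap public key.
  if ! "${FUTILITY}" vbutil_key \
      --pack "${signing_pubkey}" \
      --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.keyb" \
      --algorithm "${signing_algonum}"; then
    fail_step "Wrap vbpubk"
  fi

  # Pack.
  if ! "${FUTILITY}" vbutil_keyblock --pack "${keyblockfile}" \
      --datapubkey "${data_pubkey}" \
      --signprivate "${signing_privkey}"; then
    fail_step "Pack"
  fi

  # Unpack.  Passing --signpubkey is what makes this step check the
  # keyblock's signature against the signing key; only the positive case
  # (matching key) is exercised here, a mismatching --signpubkey is not.
  if ! "${FUTILITY}" vbutil_keyblock --unpack "${keyblockfile}" \
      --datapubkey "${unpacked_pubkey}" \
      --signpubkey "${signing_pubkey}"; then
    fail_step "Unpack"
  fi

  # Check: the data key that came out must equal the one that went in.
  if ! cmp -s -- "${data_pubkey}" "${unpacked_pubkey}"; then
    fail_step "Check"
    exit 1
  fi

  echo -e "${COL_YELLOW}Testing keyblock creation using \
external signer.${COL_STOP}"
  rm -f -- "${keyblockfile}" "${unpacked_pubkey}"

  # Pack using external signer.
  if ! "${FUTILITY}" vbutil_keyblock --pack "${keyblockfile}" \
      --datapubkey "${data_pubkey}" \
      --signprivate_pem "${TESTKEY_DIR}/key_rsa${signing_keylen}.pem" \
      --pem_algorithm "${signing_algonum}" \
      --externalsigner "${SCRIPT_DIR}/external_rsa_signer.sh"; then
    fail_step "Pack"
  fi

  # Unpack, verifying with the same wrapped signing public key as above.
  if ! "${FUTILITY}" vbutil_keyblock --unpack "${keyblockfile}" \
      --datapubkey "${unpacked_pubkey}" \
      --signpubkey "${signing_pubkey}"; then
    fail_step "Unpack"
  fi

  # Check.
  if ! cmp -s -- "${data_pubkey}" "${unpacked_pubkey}"; then
    fail_step "Check"
    exit 1
  fi
}

# Test every combination of firmware signing algorithm and kernel (data key)
# signing algorithm.  Algorithm numbers are the running pair index, in the
# same order test_vbutil_key_all uses, so the data keys it produced are found.
test_vbutil_keyblock_all() {
  local signing_algorithmcounter=0
  local data_algorithmcounter=0
  local signing_keylen signing_hashalgo data_keylen data_hashalgo
  for signing_keylen in "${key_lengths[@]}"; do
    for signing_hashalgo in "${hash_algos[@]}"; do
      data_algorithmcounter=0
      for data_keylen in "${key_lengths[@]}"; do
        for data_hashalgo in "${hash_algos[@]}"; do
          test_vbutil_keyblock_single \
            "${signing_algorithmcounter}" "${signing_keylen}" \
            "${signing_hashalgo}" \
            "${data_algorithmcounter}" "${data_keylen}" "${data_hashalgo}"
          data_algorithmcounter=$((data_algorithmcounter + 1))
        done
      done
      signing_algorithmcounter=$((signing_algorithmcounter + 1))
    done
  done
}

# Default (quick) vbutil_keyblock test.  The data-key algorithm numbers
# (4 and 7) must have been wrapped by test_vbutil_key first.
test_vbutil_keyblock() {
  test_vbutil_keyblock_single 7 4096 sha256 4 2048 sha256
  test_vbutil_keyblock_single 11 8192 sha512 4 2048 sha256
  test_vbutil_keyblock_single 11 8192 sha512 7 4096 sha256
}


check_test_keys

# The keyblock tests consume the .vbpubk files the vbutil_key tests write,
# so the two groups must run in this order with the same --all setting.
echo
echo "Testing vbutil_key..."
if [[ "${1:-}" == "--all" ]]; then
  test_vbutil_key_all
else
  test_vbutil_key
fi

echo
echo "Testing vbutil_keyblock..."
if [[ "${1:-}" == "--all" ]]; then
  test_vbutil_keyblock_all
else
  test_vbutil_keyblock
fi

exit "${return_code}"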