      1 #!/bin/bash
      2 # Copyright 2014 The Chromium OS Authors. All rights reserved.
      3 # Use of this source code is governed by a BSD-style license that can be
      4 # found in the LICENSE file.
      5 
      6 # Script that sanity checks a keyset to ensure actual key versions
      7 # match those set in key.versions.
      8 
      9 # Load common constants and variables.
     10 . "$(dirname "$0")/common.sh"
     11 
     12 # Abort on errors.
     13 set -e
     14 
# Exactly one argument (the keyset directory) is required; print usage and
# exit non-zero otherwise.
if (( $# != 1 )); then
  cat <<EOF
Usage: $0 <keyset directory>

Sanity check a keyset directory for key versions.
EOF
  exit 1
fi
     23 
     24 KEY_DIR="$1"
     25 VERSION_FILE="${KEY_DIR}/key.versions"
     26 
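#######################################
# Print the data key version stored in a keyblock.
# Arguments: $1 - path to a .keyblock file
# Outputs:   the "Data key version" value (whitespace stripped) on stdout
# Returns:   0 on success; 1 (with a message on stderr) if no version could
#            be extracted, so a missing tool or changed output format is not
#            silently reported as an empty version.
#######################################
keyblock_version() {
  local keyblock=$1
  local version
  version=$(vbutil_keyblock --unpack "${keyblock}" | grep 'Data key version' |
    cut -f 2 -d : | tr -d ' ')
  if [[ -z "${version}" ]]; then
    echo "ERROR: could not read data key version from ${keyblock}" >&2
    return 1
  fi
  echo "${version}"
}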
     32 
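#######################################
# Print the key version stored in a public key file.
# Arguments: $1 - path to a .vbpubk file
# Outputs:   the "Key Version" value (whitespace stripped) on stdout
# Returns:   0 on success; 1 (with a message on stderr) if no version could
#            be extracted, so a missing tool or changed output format is not
#            silently reported as an empty version.
#######################################
key_version() {
  local key=$1
  local version
  version=$(vbutil_key --unpack "${key}" | grep 'Key Version' | cut -f 2 -d : |
    tr -d ' ')
  if [[ -z "${version}" ]]; then
    echo "ERROR: could not read key version from ${key}" >&2
    return 1
  fi
  echo "${version}"
}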
     38 
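#######################################
# Compare two version strings and print an error if they differ.
# Arguments: $1 - expected version
#            $2 - observed version
#            $3 - label describing where $1 came from
#            $4 - label describing where $2 came from
# Outputs:   a three-line ERROR/EXPECTED/GOT report on stdout on mismatch
# Returns:   0 if the versions match and are non-empty, 1 otherwise.
#            Two empty strings are treated as a failure: an empty value
#            means a version could not be read, and letting "" == "" pass
#            would make the check succeed vacuously.
#######################################
check_versions() {
  local expected=$1
  local got=$2
  local expected_label=$3
  local got_label=$4
  if [[ -z "${expected}" || -z "${got}" ]]; then
    echo "ERROR: missing ${expected_label} version or ${got_label} version"
    echo "EXPECTED (${expected_label} version): ${expected}"
    echo "GOT (${got_label} version): ${got}"
    return 1
  fi
  # Both sides quoted: the right-hand side of != in [[ ]] is otherwise a
  # glob pattern, so a stray '*' or '?' would compare loosely.
  if [[ "${expected}" != "${got}" ]]; then
    echo "ERROR: ${expected_label} version does not match ${got_label} version"
    echo "EXPECTED (${expected_label} version): ${expected}"
    echo "GOT (${got_label} version): ${got}"
    return 1
  fi
  return 0
}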
     53 
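#######################################
# Read the versions recorded in key.versions and the versions embedded in
# the keyblocks / public keys, cross-check them, and exit non-zero if any
# comparison fails. Every check runs even after a failure so all mismatches
# are reported in one pass.
# Globals:   KEY_DIR (read)
# Arguments: none (the keyset directory comes from KEY_DIR)
# Outputs:   mismatch reports from check_versions on stdout
# Returns:   does not return; exits 0 if all checks pass, 1 otherwise
#######################################
main() {
  local testfail=0

  # Versions expected by key.versions. get_version is provided by the sourced
  # common.sh; a failed lookup is counted as a test failure instead of being
  # silently compared as an empty string.
  local expected_kkey expected_fkey expected_firmware
  expected_kkey=$(get_version kernel_key_version) || testfail=1
  expected_fkey=$(get_version firmware_key_version) || testfail=1
  expected_firmware=$(get_version firmware_version) || testfail=1

  # NOTE(review): firmware_version is compared against kernel_key_version —
  # presumably a keyset convention; confirm this pairing is intended.
  check_versions "${expected_firmware}" "${expected_kkey}" \
    "firmware" "kernel key" || testfail=1

  # Versions actually embedded in the key material. Paths are quoted so a
  # keyset directory containing spaces is handled.
  local got_fkey_keyblock got_fkey
  got_fkey_keyblock=$(keyblock_version "${KEY_DIR}/firmware.keyblock") \
    || testfail=1
  got_fkey=$(key_version "${KEY_DIR}/firmware_data_key.vbpubk") || testfail=1

  local got_kkey_keyblock got_ksubkey got_kdatakey
  got_kkey_keyblock=$(keyblock_version "${KEY_DIR}/kernel.keyblock") \
    || testfail=1
  got_ksubkey=$(key_version "${KEY_DIR}/kernel_subkey.vbpubk") || testfail=1
  got_kdatakey=$(key_version "${KEY_DIR}/kernel_data_key.vbpubk") || testfail=1

  check_versions "${got_fkey_keyblock}" "${got_fkey}" "firmware keyblock key" \
    "firmware key" || testfail=1
  check_versions "${got_kkey_keyblock}" "${got_ksubkey}" "kernel keyblock key" \
    "kernel subkey" || testfail=1
  check_versions "${got_kdatakey}" "${got_ksubkey}" "kernel data key" \
    "kernel subkey" || testfail=1
  check_versions "${expected_fkey}" "${got_fkey}" "key.versions firmware key" \
    "firmware key" || testfail=1
  check_versions "${expected_kkey}" "${got_kdatakey}" "key.versions kernel key" \
    "kernel datakey" || testfail=1
  check_versions "${expected_kkey}" "${got_ksubkey}" "key.versions kernel key" \
    "kernel subkey" || testfail=1
  exit "${testfail}"
}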
     86 
     87 main "$@"