| #!/bin/bash -eux |
| # Copyright 2014 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
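# Re-assert the shebang options so they still apply when this file is run as
# "bash <script>" (options on the #! line are dropped in that case): abort on
# the first failing command or unset variable, and trace every command.
set -eux

# Name of this script; used to keep scratch files distinguishable per test.
me=${0##*/}
# Prefix for every scratch file created below (they all live in $OUTDIR).
TMP="$me.tmp"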
| |
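# The harness must provide the futility binary under test, the source tree
# (for the fixed test keys) and a scratch directory.  Fail here with a clear
# message instead of partway through a signing step.
: "${FUTILITY:?path to the futility binary under test}"
: "${SRCDIR:?path to the source tree containing tests/}"
: "${OUTDIR:?scratch directory for test output}"

# Work in scratch directory
cd "$OUTDIR"

# some stuff we'll need
DEVKEYS=${SRCDIR}/tests/devkeys                 # dev keys + reference keyblock
TESTKEYS=${SRCDIR}/tests/testkeys               # PEM keys and matching .vbpubk
SIGNER=${SRCDIR}/tests/external_rsa_signer.sh   # external signer wrapper script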
| |
| |
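# Create a copy of an existing keyblock, using the old way.
# All paths are quoted: $SRCDIR/$OUTDIR come from the harness and may contain
# spaces; unquoted expansions would silently split the arguments.
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 7 \
  --signprivate "${DEVKEYS}/root_key.vbprivk"

# Check it: --unpack with --signpubkey verifies the keyblock signature against
# the root public key.  This relies on a non-zero exit when verification
# fails, which aborts the script under -e.
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock0" \
  --signpubkey "${DEVKEYS}/root_key.vbpubk"

# It should be byte-identical to the dev-key firmware keyblock shipped in the
# tree, i.e. packing the same inputs is deterministic.
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock0"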
| |
| |
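# Now create it the new way: "futility sign" with the same inputs.
"${FUTILITY}" --debug sign \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 7 \
  --signprivate "${DEVKEYS}/root_key.vbprivk" \
  --outfile "${TMP}.keyblock1"

# It should be the same too: the new front-end must produce exactly the bytes
# the legacy vbutil_keyblock path does for identical inputs.
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock1"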
| |
| |
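# Create a keyblock without signing it (no --signprivate is supplied).
# Note: nothing verifies these keyblocks; the cmp below only proves the two
# front-ends emit identical bytes for the unsigned case.

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 14

# new way (positional input pubkey and output file instead of named options)
"${FUTILITY}" --debug sign \
  --flags 14 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock1"

cmp "${TMP}.keyblock0" "${TMP}.keyblock1"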
| |
| |
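# Create one using PEM args (private key in PEM form plus an explicit
# algorithm id, rather than a .vbprivk).

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock2" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 9

# verify it: the signature must check out against the public half of the
# PEM key (a failing --unpack exits non-zero and aborts the script)
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock2" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# ...and the same keyblock must NOT verify against an unrelated public key.
# Without this negative check, a --signpubkey path that ignored the signature
# would still pass the positive check above.  Written as an if/then rather
# than "! cmd" because set -e never fires on a negated command.
if "${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock2" \
     --signpubkey "${DEVKEYS}/root_key.vbpubk"; then
  echo "$me: keyblock2 verified with the wrong public key" >&2
  exit 1
fi

# new way
"${FUTILITY}" --debug sign \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --flags 9 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock3"

cmp "${TMP}.keyblock2" "${TMP}.keyblock3"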
| |
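# Try it with an external signer: the PEM key is handed to a helper script
# that performs the actual RSA operation instead of futility doing it itself.

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock4" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 19 \
  --externalsigner "${SIGNER}"

# verify it: the externally produced signature must check out against the
# public half of the PEM key (a failing --unpack aborts the script under -e)
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock4" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# new way
"${FUTILITY}" --debug sign \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --pem_external "${SIGNER}" \
  --flags 19 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock5"

cmp "${TMP}.keyblock4" "${TMP}.keyblock5"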
| |
| |
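# cleanup: remove only this script's scratch files.  The prefix is quoted
# (only the trailing * globs) and guarded with :? so an empty/unset TMP can
# never turn this into "rm -rf *" inside $OUTDIR.  This runs only on success;
# on a failure the scratch files are deliberately left behind for inspection.
rm -rf -- "${TMP:?}"*
exit 0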