tests/futility/test_sign_keyblocks.sh - third_party/vboot_reference - Git at Google

 #!/bin/bash -eux
 # Copyright 2014 The ChromiumOS Authors
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 me=${0##*/}
 TMP="$me.tmp"

 # Work in scratch directory
 cd "$OUTDIR"

 # some stuff we'll need
 DEVKEYS=${SRCDIR}/tests/devkeys
 TESTKEYS=${SRCDIR}/tests/testkeys
 SIGNER=${SRCDIR}/tests/external_rsa_signer.sh


 # Create a copy of an existing keyblock, using the old way
 "${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
   --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
   --flags 23 \
   --signprivate "${DEVKEYS}/root_key.vbprivk"

 # Check it.
 "${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock0" \
   --signpubkey "${DEVKEYS}/root_key.vbpubk"

 # It should be the same as the dev-key firmware keyblock
 cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock0"


 # Now create it the new way
 "${FUTILITY}" --debug sign \
   --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
   --flags 23 \
   --signprivate "${DEVKEYS}/root_key.vbprivk" \
   --outfile "${TMP}.keyblock1"

 # It should be the same too.
 cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock1"


 # Create a keyblock without signing it.

 # old way
 "${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
   --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
   --flags 14

 # new way
 "${FUTILITY}" --debug sign \
   --flags 14 \
   "${DEVKEYS}/firmware_data_key.vbpubk" \
   "${TMP}.keyblock1"

 cmp "${TMP}.keyblock0" "${TMP}.keyblock1"


 # Create one using PEM args

 # old way
 "${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock2" \
   --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
   --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
   --pem_algorithm 8 \
   --flags 9

 # verify it
 "${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock2" \
   --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

 # new way
 "${FUTILITY}" --debug sign \
   --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
   --pem_algo 8 \
   --flags 9 \
   "${DEVKEYS}/firmware_data_key.vbpubk" \
   "${TMP}.keyblock3"

 cmp "${TMP}.keyblock2" "${TMP}.keyblock3"

 # Try it with an external signer

 # old way
 "${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock4" \
   --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
   --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
   --pem_algorithm 8 \
   --flags 19 \
   --externalsigner "${SIGNER}"

 # verify it
 "${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock4" \
   --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

 # new way
 "${FUTILITY}" --debug sign \
   --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
   --pem_algo 8 \
   --pem_external "${SIGNER}" \
   --flags 19 \
   "${DEVKEYS}/firmware_data_key.vbpubk" \
   "${TMP}.keyblock5"

 cmp "${TMP}.keyblock4" "${TMP}.keyblock5"


 # cleanup
 rm -rf "${TMP}"*
 exit 0
	#!/bin/bash -eux
	# Copyright 2014 The ChromiumOS Authors
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	me=${0##*/}
	TMP="$me.tmp"

	# Work in scratch directory
	cd "$OUTDIR"

	# some stuff we'll need
	DEVKEYS=${SRCDIR}/tests/devkeys
	TESTKEYS=${SRCDIR}/tests/testkeys
	SIGNER=${SRCDIR}/tests/external_rsa_signer.sh


	# Create a copy of an existing keyblock, using the old way
	"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
	--datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
	--flags 23 \
	--signprivate "${DEVKEYS}/root_key.vbprivk"

	# Check it.
	"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock0" \
	--signpubkey "${DEVKEYS}/root_key.vbpubk"

	# It should be the same as the dev-key firmware keyblock
	cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock0"


	# Now create it the new way
	"${FUTILITY}" --debug sign \
	--datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
	--flags 23 \
	--signprivate "${DEVKEYS}/root_key.vbprivk" \
	--outfile "${TMP}.keyblock1"

	# It should be the same too.
	cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock1"


	# Create a keyblock without signing it.

	# old way
	"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
	--datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
	--flags 14

	# new way
	"${FUTILITY}" --debug sign \
	--flags 14 \
	"${DEVKEYS}/firmware_data_key.vbpubk" \
	"${TMP}.keyblock1"

	cmp "${TMP}.keyblock0" "${TMP}.keyblock1"


	# Create one using PEM args

	# old way
	"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock2" \
	--datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
	--signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
	--pem_algorithm 8 \
	--flags 9

	# verify it
	"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock2" \
	--signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

	# new way
	"${FUTILITY}" --debug sign \
	--pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
	--pem_algo 8 \
	--flags 9 \
	"${DEVKEYS}/firmware_data_key.vbpubk" \
	"${TMP}.keyblock3"

	cmp "${TMP}.keyblock2" "${TMP}.keyblock3"

	# Try it with an external signer

	# old way
	"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock4" \
	--datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
	--signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
	--pem_algorithm 8 \
	--flags 19 \
	--externalsigner "${SIGNER}"

	# verify it
	"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock4" \
	--signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

	# new way
	"${FUTILITY}" --debug sign \
	--pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
	--pem_algo 8 \
	--pem_external "${SIGNER}" \
	--flags 19 \
	"${DEVKEYS}/firmware_data_key.vbpubk" \
	"${TMP}.keyblock5"

	cmp "${TMP}.keyblock4" "${TMP}.keyblock5"


	# cleanup
	rm -rf "${TMP}"*
	exit 0