Google Git
Sign in
fuchsia / third_party / vboot_reference / refs/heads/upstream/stabilize-14998.B / . / tests / futility / test_sign_kernel.sh
blob: bba1164ffcad810d5d7c06dbec28063c1a52eb98 [file] [log] [blame]
#!/bin/bash -eux
# Copyright (c) 2014 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
me=${0##*/}
TMP="$me.tmp"
# Work in scratch directory
cd "$OUTDIR"
DEVKEYS=${SRCDIR}/tests/devkeys
echo "hi there" > "${TMP}.config.txt"
echo "hello boys" > "${TMP}.config2.txt"
dd if=/dev/urandom bs=512 count=1 of="${TMP}.bootloader.bin"
dd if=/dev/urandom bs=512 count=1 of="${TMP}.bootloader2.bin"
dd if=/dev/urandom bs=1M count=16 of="${TMP}.kern_partition"
# default padding
padding=49152
try_arch () {
local arch=$1
echo -n "${arch}: 1 " 1>&3
# pack it up the old way
"${FUTILITY}" --debug vbutil_kernel \
--pack "${TMP}.blob1.${arch}" \
--keyblock "${DEVKEYS}/recovery_kernel.keyblock" \
--signprivate "${DEVKEYS}/recovery_kernel_data_key.vbprivk" \
--version 1 \
--config "${TMP}.config.txt" \
--bootloader "${TMP}.bootloader.bin" \
--vmlinuz "${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin" \
--arch "${arch}" \
--pad "${padding}" \
--kloadaddr 0x11000
# verify the old way
"${FUTILITY}" vbutil_kernel --verify "${TMP}.blob1.${arch}" \
--pad "${padding}" \
--signpubkey "${DEVKEYS}/recovery_key.vbpubk" > "${TMP}.verify1"
# pack it up the new way
"${FUTILITY}" --debug sign \
--keyset "${DEVKEYS}/recovery_" \
--version 1 \
--config "${TMP}.config.txt" \
--bootloader "${TMP}.bootloader.bin" \
--vmlinuz "${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin" \
--arch "${arch}" \
--pad "${padding}" \
--kloadaddr 0x11000 \
--outfile "${TMP}.blob2.${arch}"
"${FUTILITY}" vbutil_kernel --verify "${TMP}.blob2.${arch}" \
--pad "${padding}" \
--signpubkey "${DEVKEYS}/recovery_key.vbpubk" > "${TMP}.verify2"
# they should be identical
cmp "${TMP}.blob1.${arch}" "${TMP}.blob2.${arch}"
diff "${TMP}.verify1" "${TMP}.verify2"
echo -n "2 " 1>&3
# repack it the old way
"${FUTILITY}" --debug vbutil_kernel \
--repack "${TMP}.blob3.${arch}" \
--oldblob "${TMP}.blob1.${arch}" \
--signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \
--keyblock "${DEVKEYS}/kernel.keyblock" \
--version 2 \
--pad "${padding}" \
--config "${TMP}.config2.txt" \
--bootloader "${TMP}.bootloader2.bin"
# verify the old way
"${FUTILITY}" vbutil_kernel --verify "${TMP}.blob3.${arch}" \
--pad "${padding}" \
--signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify3"
# repack it the new way
"${FUTILITY}" --debug sign \
--keyset "${DEVKEYS}" \
--keyblock "${DEVKEYS}/kernel.keyblock" \
--version 2 \
--pad "${padding}" \
--config "${TMP}.config2.txt" \
--bootloader "${TMP}.bootloader2.bin" \
"${TMP}.blob2.${arch}" \
"${TMP}.blob4.${arch}"
"${FUTILITY}" vbutil_kernel --verify "${TMP}.blob4.${arch}" \
--pad "${padding}" \
--signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify4"
# they should be identical
cmp "${TMP}.blob3.${arch}" "${TMP}.blob4.${arch}"
diff "${TMP}.verify3" "${TMP}.verify4"
echo -n "3 " 1>&3
# repack it the new way, in-place
cp "${TMP}.blob2.${arch}" "${TMP}.blob5.${arch}"
"${FUTILITY}" --debug sign \
--signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \
--keyblock "${DEVKEYS}/kernel.keyblock" \
--version 2 \
--pad "${padding}" \
--config "${TMP}.config2.txt" \
--bootloader "${TMP}.bootloader2.bin" \
"${TMP}.blob5.${arch}"
"${FUTILITY}" vbutil_kernel --verify "${TMP}.blob5.${arch}" \
--pad "${padding}" \
--signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify5"
# they should be identical
cmp "${TMP}.blob3.${arch}" "${TMP}.blob5.${arch}"
diff "${TMP}.verify3" "${TMP}.verify5"
# and now just the vblocks...
echo -n "4 " 1>&3
# pack the old way
"${FUTILITY}" vbutil_kernel \
--pack "${TMP}.blob1.${arch}.vb1" \
--vblockonly \
--keyblock "${DEVKEYS}/recovery_kernel.keyblock" \
--signprivate "${DEVKEYS}/recovery_kernel_data_key.vbprivk" \
--version 1 \
--config "${TMP}.config.txt" \
--bootloader "${TMP}.bootloader.bin" \
--vmlinuz "${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin" \
--arch "${arch}" \
--pad "${padding}" \
--kloadaddr 0x11000
# compare this new vblock with the one from the full pack
dd bs="${padding}" count=1 if="${TMP}.blob1.${arch}" \
of="${TMP}.blob1.${arch}.vb0"
cmp "${TMP}.blob1.${arch}.vb0" "${TMP}.blob1.${arch}.vb1"
# pack the new way
"${FUTILITY}" --debug sign \
--keyblock "${DEVKEYS}/recovery_kernel.keyblock" \
--signprivate "${DEVKEYS}/recovery_kernel_data_key.vbprivk" \
--version 1 \
--config "${TMP}.config.txt" \
--bootloader "${TMP}.bootloader.bin" \
--vmlinuz "${SCRIPT_DIR}/futility/data/vmlinuz-${arch}.bin" \
--arch "${arch}" \
--pad "${padding}" \
--kloadaddr 0x11000 \
--vblockonly \
"${TMP}.blob2.${arch}.vb1"
# compare this new vblock with the one from the full pack
dd bs="${padding}" count=1 if="${TMP}.blob2.${arch}" \
of="${TMP}.blob2.${arch}.vb0"
cmp "${TMP}.blob2.${arch}.vb0" "${TMP}.blob2.${arch}.vb1"
echo -n "5 " 1>&3
# now repack the old way, again emitting just the vblock
"${FUTILITY}" vbutil_kernel \
--repack "${TMP}.blob3.${arch}.vb1" \
--vblockonly \
--oldblob "${TMP}.blob1.${arch}" \
--signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \
--keyblock "${DEVKEYS}/kernel.keyblock" \
--version 2 \
--pad "${padding}" \
--config "${TMP}.config2.txt" \
--bootloader "${TMP}.bootloader2.bin"
# compare the full repacked vblock with the new repacked vblock
dd bs="${padding}" count=1 if="${TMP}.blob3.${arch}" \
of="${TMP}.blob3.${arch}.vb0"
cmp "${TMP}.blob3.${arch}.vb0" "${TMP}.blob3.${arch}.vb1"
# extract just the kernel blob
dd bs="${padding}" skip=1 if="${TMP}.blob3.${arch}" \
of="${TMP}.blob3.${arch}.kb0"
# and verify it using the new vblock (no way to do that with vbutil_kernel)
"${FUTILITY}" --debug verify \
--pad "${padding}" \
--publickey "${DEVKEYS}/kernel_subkey.vbpubk" \
--fv "${TMP}.blob3.${arch}.kb0" \
"${TMP}.blob3.${arch}.vb1" > "${TMP}.verify3v"
# repack the new way
"${FUTILITY}" --debug sign \
--signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \
--keyblock "${DEVKEYS}/kernel.keyblock" \
--version 2 \
--config "${TMP}.config2.txt" \
--bootloader "${TMP}.bootloader2.bin" \
--pad "${padding}" \
--vblockonly \
"${TMP}.blob2.${arch}" \
"${TMP}.blob4.${arch}.vb1" \
# compare the full repacked vblock with the new repacked vblock
dd bs="${padding}" count=1 if="${TMP}.blob4.${arch}" \
of="${TMP}.blob4.${arch}.vb0"
cmp "${TMP}.blob4.${arch}.vb0" "${TMP}.blob4.${arch}.vb1"
# extract just the kernel blob
dd bs="${padding}" skip=1 if="${TMP}.blob4.${arch}" \
of="${TMP}.blob4.${arch}.kb0"
# and verify it using the new vblock (no way to do that with vbutil_kernel)
"${FUTILITY}" --debug verify \
--pad "${padding}" \
--publickey "${DEVKEYS}/kernel_subkey.vbpubk" \
--fv "${TMP}.blob4.${arch}.kb0" \
"${TMP}.blob4.${arch}.vb1" > "${TMP}.verify4v"
echo -n "6 " 1>&3
# Now lets repack some kernel partitions, not just blobs.
cp "${TMP}.kern_partition" "${TMP}.part1.${arch}"
dd if="${TMP}.blob1.${arch}" of="${TMP}.part1.${arch}" conv=notrunc
# Make sure the partitions verify
"${FUTILITY}" vbutil_kernel --verify "${TMP}.part1.${arch}" \
--pad "${padding}" \
--signpubkey "${DEVKEYS}/recovery_key.vbpubk" > "${TMP}.verify6"
# The partition should verify the same way as the blob
diff "${TMP}.verify1" "${TMP}.verify6"
# repack it the old way
"${FUTILITY}" --debug vbutil_kernel \
--repack "${TMP}.part6.${arch}" \
--oldblob "${TMP}.part1.${arch}" \
--signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \
--keyblock "${DEVKEYS}/kernel.keyblock" \
--version 2 \
--pad "${padding}" \
--config "${TMP}.config2.txt" \
--bootloader "${TMP}.bootloader2.bin"
# verify the old way
"${FUTILITY}" vbutil_kernel --verify "${TMP}.part6.${arch}" \
--pad "${padding}" \
--signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify6.old"
# this "partition" should actually be the same as the old-way blob
cmp "${TMP}.blob3.${arch}" "${TMP}.part6.${arch}"
# repack it the new way, in-place
cp "${TMP}.part1.${arch}" "${TMP}.part6.${arch}.new1"
"${FUTILITY}" --debug sign \
--signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \
--keyblock "${DEVKEYS}/kernel.keyblock" \
--version 2 \
--pad "${padding}" \
--config "${TMP}.config2.txt" \
--bootloader "${TMP}.bootloader2.bin" \
"${TMP}.part6.${arch}.new1"
"${FUTILITY}" vbutil_kernel --verify "${TMP}.part6.${arch}.new1" \
--pad "${padding}" \
--signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify6.new1"
# The verification should be indentical
diff "${TMP}.verify6.old" "${TMP}.verify6.new1"
# But the content should only match up to the size of the kernel blob, since
# we're modifying an entire partition in-place.
blobsize=$(stat -c '%s' "${TMP}.part6.${arch}")
cmp -n "${blobsize}" "${TMP}.part6.${arch}" "${TMP}.part6.${arch}.new1"
# The rest of the partition should be unchanged.
cmp -i "${blobsize}" "${TMP}.part1.${arch}" "${TMP}.part6.${arch}.new1"
# repack it the new way, from input to output
cp "${TMP}.part1.${arch}" "${TMP}.part1.${arch}.in"
"${FUTILITY}" --debug sign \
--signprivate "${DEVKEYS}/kernel_data_key.vbprivk" \
--keyblock "${DEVKEYS}/kernel.keyblock" \
--version 2 \
--pad "${padding}" \
--config "${TMP}.config2.txt" \
--bootloader "${TMP}.bootloader2.bin" \
"${TMP}.part1.${arch}.in" \
"${TMP}.part6.${arch}.new2"
"${FUTILITY}" vbutil_kernel --verify "${TMP}.part6.${arch}.new2" \
--pad "${padding}" \
--signpubkey "${DEVKEYS}/kernel_subkey.vbpubk" > "${TMP}.verify6.new2"
# The input file should not have changed (just being sure).
cmp "${TMP}.part1.${arch}" "${TMP}.part1.${arch}.in"
# The verification should be indentical
diff "${TMP}.verify6.old" "${TMP}.verify6.new2"
# And creating a new output file should only emit a blob's worth
cmp "${TMP}.part6.${arch}" "${TMP}.part6.${arch}.new2"
# Note: We specifically do not test repacking with a different --kloadaddr,
# because the old way has a bug and does not update params->cmd_line_ptr to
# point at the new on-disk location. Apparently (and not surprisingly), no
# one has ever done that.
}
try_arch amd64
try_arch arm
# cleanup
rm -rf "${TMP}"*
exit 0