| #!/bin/bash |
| |
| # Copyright 2013 The ChromiumOS Authors |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # Run verified boot firmware and kernel verification tests. |
| |
| # Load common constants and variables. |
| . "$(dirname "$0")/common.sh" |
| |
# Accumulated exit status for the whole run. It stays 0 unless a test step
# fails, in which case the step sets it to 255 and the remaining steps still
# run; the script exits with this value at the end.
return_code=0
| |
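#######################################
# Pack one test RSA public key into a .vbpubk and unpack it again.
# Globals:   FUTILITY, TESTKEY_DIR, TESTKEY_SCRATCH_DIR, COL_* (read);
#            return_code (set to 255 when either step fails)
# Arguments: $1 - vboot algorithm number (selects key_alg<N>.vbpubk)
#            $2 - RSA key length in bits (selects key_rsa<len>.keyb)
#            $3 - hash algorithm name (display only)
# Outputs:   progress line and, on failure, a red step label on stdout
#######################################
function test_vbutil_key_single {
  local -r algonum=$1
  local -r keylen=$2
  local -r hashalgo=$3
  local -r pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk"

  echo -e "For signing key ${COL_YELLOW}RSA-$keylen/$hashalgo${COL_STOP}:"
  # Pack the key
  if ! "${FUTILITY}" vbutil_key \
    --pack "${pubkey}" \
    --key "${TESTKEY_DIR}/key_rsa${keylen}.keyb" \
    --version 1 \
    --algorithm "${algonum}"
  then
    # Name the failing step, as the keyblock test does, so a 255 exit
    # status can be traced back to it.
    echo -e "${COL_RED}Pack${COL_STOP}"
    return_code=255
  fi

  # Unpack the key
  # TODO: should verify we get the same key back out?
  if ! "${FUTILITY}" vbutil_key --unpack "${pubkey}"
  then
    echo -e "${COL_RED}Unpack${COL_STOP}"
    return_code=255
  fi
}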
| |
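#######################################
# Pack/unpack a key for every (key length, hash algorithm) pair; the
# algorithm number passed down is the pair's index in that enumeration.
# Globals:   key_lengths, hash_algos (read; expected from common.sh);
#            return_code (set via test_vbutil_key_single)
# Arguments: none
#######################################
function test_vbutil_key_all {
  # Counters and loop variables are local so they do not leak into the
  # global namespace of the calling script.
  local algorithmcounter=0
  local keylen hashalgo
  for keylen in "${key_lengths[@]}"; do
    for hashalgo in "${hash_algos[@]}"; do
      test_vbutil_key_single "$algorithmcounter" "$keylen" "$hashalgo"
      algorithmcounter=$((algorithmcounter + 1))
    done
  done
}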
| |
#######################################
# Quick vbutil_key check over a fixed set of three algorithms, one per
# supported key length.
# Globals:   return_code (set via test_vbutil_key_single)
# Arguments: none
#######################################
function test_vbutil_key {
  local algonum keylen hashalgo
  # Each line is: algorithm number, RSA length in bits, hash algorithm.
  # The here-doc feeds the loop in the current shell, so the callee's
  # writes to return_code are kept.
  while read -r algonum keylen hashalgo; do
    test_vbutil_key_single "$algonum" "$keylen" "$hashalgo"
  done <<'EOF'
4 2048 sha256
7 4096 sha256
11 8192 sha512
EOF
}
| |
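#######################################
# Unpack a keyblock with the signing public key and confirm the data
# public key it carries is byte-identical to the one it was packed from.
# Globals:   FUTILITY, TESTKEY_SCRATCH_DIR, COL_* (read);
#            return_code (set to 255 when the unpack fails)
# Arguments: $1 - keyblock file
#            $2 - data key algorithm number (selects key_alg<N>.vbpubk)
#            $3 - signing key algorithm number (selects key_alg<N>.vbpubk)
# Returns:   0; exits the whole script with status 1 if the keys differ
#######################################
function keyblock_unpack_and_check {
  local -r keyblockfile=$1
  local -r data_algonum=$2
  local -r signing_algonum=$3
  local -r data_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk"

  # Unpack: the data public key comes back out as key_alg<N>.vbpubk2
  # (that is the file the cmp below compares against the original).
  if ! "${FUTILITY}" vbutil_keyblock --unpack "${keyblockfile}" \
    --datapubkey "${data_pubkey}2" \
    --signpubkey "${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbpubk"
  then
    echo -e "${COL_RED}Unpack${COL_STOP}"
    return_code=255
  fi

  # Check: a round-trip mismatch means the keyblock format itself is
  # broken, so abort the run rather than continue with more combinations.
  if ! cmp -s "${data_pubkey}" "${data_pubkey}2"; then
    echo -e "${COL_RED}Check${COL_STOP}"
    exit 1
  fi
}

#######################################
# Build a keyblock holding a data public key signed by a signing key,
# once with futility doing the signing and once via the external PEM
# signer, and verify each keyblock unpacks to the original data key.
# Expects key_alg<$4>.vbpubk to already exist in the scratch dir (it is
# produced by an earlier test_vbutil_key run).
# Globals:   FUTILITY, TESTKEY_DIR, TESTKEY_SCRATCH_DIR, SCRIPT_DIR, COL_*
#            (read); return_code (set to 255 on any failed step)
# Arguments: $1 - signing key algorithm number
#            $2 - signing key RSA length in bits (selects .pem/.keyb)
#            $3 - signing key hash algorithm (display only)
#            $4 - data key algorithm number
#            $5 - data key RSA length in bits (display only)
#            $6 - data key hash algorithm (display only)
# Returns:   0; exits with status 1 if a round-trip check fails
#######################################
function test_vbutil_keyblock_single {
  local -r signing_algonum=$1
  local -r signing_keylen=$2
  local -r signing_hashalgo=$3
  local -r data_algonum=$4
  local -r data_keylen=$5
  local -r data_hashalgo=$6
  # All scratch/key paths are derived once here; every step below must use
  # the same signing algorithm number, otherwise the unpack would verify
  # against a key the pack never wrote.
  local -r signing_privkey="${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbprivk"
  local -r signing_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbpubk"
  local -r data_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk"
  local -r signing_pem="${TESTKEY_DIR}/key_rsa${signing_keylen}.pem"
  local -r keyblockfile="${TESTKEY_SCRATCH_DIR}/sign${signing_algonum}_data${data_algonum}.keyblock"
  local -r signing_desc="${COL_YELLOW}signing algorithm RSA-${signing_keylen}/${signing_hashalgo}${COL_STOP}"
  local -r data_desc="${COL_YELLOW}data key algorithm RSA-${data_keylen}/${data_hashalgo}${COL_STOP}"

  echo -e "For ${signing_desc} and ${data_desc}"
  # Remove old file
  rm -f -- "${keyblockfile}"

  # Wrap private key
  if ! "${FUTILITY}" vbutil_key \
    --pack "${signing_privkey}" \
    --key "${signing_pem}" \
    --algorithm "${signing_algonum}"
  then
    echo -e "${COL_RED}Wrap vbprivk${COL_STOP}"
    return_code=255
  fi

  # Wrap public key
  if ! "${FUTILITY}" vbutil_key \
    --pack "${signing_pubkey}" \
    --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.keyb" \
    --algorithm "${signing_algonum}"
  then
    echo -e "${COL_RED}Wrap vbpubk${COL_STOP}"
    return_code=255
  fi

  # Pack, with futility signing using the wrapped private key
  if ! "${FUTILITY}" vbutil_keyblock --pack "${keyblockfile}" \
    --datapubkey "${data_pubkey}" \
    --signprivate "${signing_privkey}"
  then
    echo -e "${COL_RED}Pack${COL_STOP}"
    return_code=255
  fi
  keyblock_unpack_and_check "${keyblockfile}" "${data_algonum}" "${signing_algonum}"

  echo -e "${COL_YELLOW}Testing keyblock creation using external signer.${COL_STOP}"
  # Pack using external signer (overwrites the keyblock from the first pass)
  if ! "${FUTILITY}" vbutil_keyblock --pack "${keyblockfile}" \
    --datapubkey "${data_pubkey}" \
    --signprivate_pem "${signing_pem}" \
    --pem_algorithm "${signing_algonum}" \
    --externalsigner "${SCRIPT_DIR}/external_rsa_signer.sh"
  then
    echo -e "${COL_RED}Pack${COL_STOP}"
    return_code=255
  fi
  keyblock_unpack_and_check "${keyblockfile}" "${data_algonum}" "${signing_algonum}"
}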
| |
| |
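#######################################
# Run the keyblock round-trip for every combination of signing key and
# data key, each enumerated over key length x hash algorithm; the
# algorithm number passed down is the combination's index in that
# enumeration.
# Globals:   key_lengths, hash_algos (read; expected from common.sh);
#            return_code (set via test_vbutil_keyblock_single)
# Arguments: none
#######################################
function test_vbutil_keyblock_all {
  # Loop variables are local and are the same names that are passed to the
  # callee, so every argument is actually populated.
  local signing_algorithmcounter=0
  local data_algorithmcounter
  local signing_keylen signing_hashalgo data_keylen data_hashalgo
  for signing_keylen in "${key_lengths[@]}"; do
    for signing_hashalgo in "${hash_algos[@]}"; do
      # The data key enumeration restarts for every signing key.
      data_algorithmcounter=0
      for data_keylen in "${key_lengths[@]}"; do
        for data_hashalgo in "${hash_algos[@]}"; do
          test_vbutil_keyblock_single \
            "$signing_algorithmcounter" "$signing_keylen" "$signing_hashalgo" \
            "$data_algorithmcounter" "$data_keylen" "$data_hashalgo"
          data_algorithmcounter=$((data_algorithmcounter + 1))
        done
      done
      signing_algorithmcounter=$((signing_algorithmcounter + 1))
    done
  done
}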
| |
#######################################
# Quick vbutil_keyblock check over three fixed signing/data key pairings.
# Globals:   return_code (set via test_vbutil_keyblock_single)
# Arguments: none
#######################################
function test_vbutil_keyblock {
  local sign_alg sign_len sign_hash data_alg data_len data_hash
  # Each line is: signing algorithm, RSA bits, hash; data algorithm, RSA
  # bits, hash. The here-doc keeps the loop in the current shell so the
  # callee's writes to return_code (and any exit) take effect here.
  while read -r sign_alg sign_len sign_hash data_alg data_len data_hash; do
    test_vbutil_keyblock_single \
      "$sign_alg" "$sign_len" "$sign_hash" "$data_alg" "$data_len" "$data_hash"
  done <<'EOF'
7 4096 sha256 4 2048 sha256
11 8192 sha512 4 2048 sha256
11 8192 sha512 7 4096 sha256
EOF
}
| |
| |
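#######################################
# Entry point: run the vbutil_key and vbutil_keyblock tests, either the
# short fixed set or, with --all, every algorithm combination.
# Globals:   return_code (read for the final exit status)
# Arguments: $1 - optional "--all"
# Returns:   exits with the accumulated return_code
#######################################
function main {
  # Decide the mode once instead of re-testing $1 before each suite.
  local run_all=0
  if [[ "${1-}" == "--all" ]]; then
    run_all=1
  fi

  check_test_keys

  echo
  echo "Testing vbutil_key..."
  if (( run_all )); then
    test_vbutil_key_all
  else
    test_vbutil_key
  fi

  echo
  echo "Testing vbutil_keyblock..."
  if (( run_all )); then
    test_vbutil_keyblock_all
  else
    test_vbutil_keyblock
  fi

  exit "$return_code"
}

main "$@"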