| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 // | 4 // |
| 5 // Utility for manipulating verified boot kernel images. | 5 // Utility for manipulating verified boot kernel images. |
| 6 // | 6 // |
| 7 | 7 |
| 8 #include "kernel_utility.h" | 8 #include "kernel_utility.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| (...skipping 20 matching lines...) Expand all Loading... |
| 31 namespace vboot_reference { | 31 namespace vboot_reference { |
| 32 | 32 |
| 33 KernelUtility::KernelUtility(): image_(NULL), | 33 KernelUtility::KernelUtility(): image_(NULL), |
| 34 firmware_key_pub_(NULL), | 34 firmware_key_pub_(NULL), |
| 35 header_version_(1), | 35 header_version_(1), |
| 36 firmware_sign_algorithm_(-1), | 36 firmware_sign_algorithm_(-1), |
| 37 kernel_sign_algorithm_(-1), | 37 kernel_sign_algorithm_(-1), |
| 38 kernel_key_version_(-1), | 38 kernel_key_version_(-1), |
| 39 kernel_version_(-1), | 39 kernel_version_(-1), |
| 40 is_generate_(false), | 40 is_generate_(false), |
| 41 is_verify_(false) { | 41 is_verify_(false), |
| 42 is_describe_(false){ |
| 42 // Populate kernel config options with defaults. | 43 // Populate kernel config options with defaults. |
| 43 options_.version[0] = 1; | 44 options_.version[0] = 1; |
| 44 options_.version[1] = 0; | 45 options_.version[1] = 0; |
| 45 options_.kernel_len = 0; | 46 options_.kernel_len = 0; |
| 46 options_.kernel_load_addr = 0; | 47 options_.kernel_load_addr = 0; |
| 47 options_.kernel_entry_addr = 0; | 48 options_.kernel_entry_addr = 0; |
| 48 } | 49 } |
| 49 | 50 |
| 50 KernelUtility::~KernelUtility() { | 51 KernelUtility::~KernelUtility() { |
| 51 RSAPublicKeyFree(firmware_key_pub_); | 52 RSAPublicKeyFree(firmware_key_pub_); |
| 52 KernelImageFree(image_); | 53 KernelImageFree(image_); |
| 53 } | 54 } |
| 54 | 55 |
| 55 void KernelUtility::PrintUsage(void) { | 56 void KernelUtility::PrintUsage(void) { |
| 56 cerr << | 57 cerr << |
| 57 "Utility to generate/verify a verified boot kernel image\n\n" | 58 "Utility to generate/verify/describe a verified boot kernel image\n\n" |
| 58 "Usage: kernel_utility <--generate|--verify> [OPTIONS]\n\n" | 59 "Usage: kernel_utility <--generate|--verify|--describe> [OPTIONS]\n\n" |
| 59 "For \"--verify\", required OPTIONS are:\n" | 60 "For \"--verify\", required OPTIONS are:\n" |
| 60 "--in <infile>\t\t\tVerified boot kernel image to verify.\n" | 61 "--in <infile>\t\t\tVerified boot kernel image to verify.\n" |
| 61 "--firmware_key_pub <pubkeyfile>\tPre-processed public firmware key " | 62 "--firmware_key_pub <pubkeyfile>\tPre-processed public firmware key " |
| 62 "to use for verification.\n\n" | 63 "to use for verification.\n\n" |
| 63 "For \"--generate\", required OPTIONS are:\n" | 64 "For \"--generate\", required OPTIONS are:\n" |
| 64 "--firmware_key <privkeyfile>\tPrivate firmware signing key file\n" | 65 "--firmware_key <privkeyfile>\tPrivate firmware signing key file\n" |
| 65 "--kernel_key <privkeyfile>\tPrivate kernel signing key file\n" | 66 "--kernel_key <privkeyfile>\tPrivate kernel signing key file\n" |
| 66 "--kernel_key_pub <pubkeyfile>\tPre-processed public kernel signing" | 67 "--kernel_key_pub <pubkeyfile>\tPre-processed public kernel signing" |
| 67 " key\n" | 68 " key\n" |
| 68 "--firmware_sign_algorithm <algoid>\tSigning algorithm used by " | 69 "--firmware_sign_algorithm <algoid>\tSigning algorithm used by " |
| (...skipping 25 matching lines...) Expand all Loading... |
| 94 {"kernel_sign_algorithm", 1, 0, 0}, | 95 {"kernel_sign_algorithm", 1, 0, 0}, |
| 95 {"kernel_key_version", 1, 0, 0}, | 96 {"kernel_key_version", 1, 0, 0}, |
| 96 {"kernel_version", 1, 0, 0}, | 97 {"kernel_version", 1, 0, 0}, |
| 97 {"in", 1, 0, 0}, | 98 {"in", 1, 0, 0}, |
| 98 {"out", 1, 0, 0}, | 99 {"out", 1, 0, 0}, |
| 99 {"generate", 0, 0, 0}, | 100 {"generate", 0, 0, 0}, |
| 100 {"verify", 0, 0, 0}, | 101 {"verify", 0, 0, 0}, |
| 101 {"config_version", 1, 0, 0}, | 102 {"config_version", 1, 0, 0}, |
| 102 {"kernel_load_addr", 1, 0, 0}, | 103 {"kernel_load_addr", 1, 0, 0}, |
| 103 {"kernel_entry_addr", 1, 0, 0}, | 104 {"kernel_entry_addr", 1, 0, 0}, |
| 105 {"describe", 0, 0, 0}, |
| 104 {NULL, 0, 0, 0} | 106 {NULL, 0, 0, 0} |
| 105 }; | 107 }; |
| 106 while (1) { | 108 while (1) { |
| 107 int i = getopt_long(argc, argv, "", long_options, &option_index); | 109 int i = getopt_long(argc, argv, "", long_options, &option_index); |
| 108 if (-1 == i) // Done with option processing. | 110 if (-1 == i) // Done with option processing. |
| 109 break; | 111 break; |
| 110 if ('?' == i) // Invalid option found. | 112 if ('?' == i) // Invalid option found. |
| 111 return false; | 113 return false; |
| 112 | 114 |
| 113 if (0 == i) { | 115 if (0 == i) { |
| (...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 173 errno = 0; | 175 errno = 0; |
| 174 options_.kernel_load_addr = | 176 options_.kernel_load_addr = |
| 175 strtol(optarg, reinterpret_cast<char**>(NULL), 10); | 177 strtol(optarg, reinterpret_cast<char**>(NULL), 10); |
| 176 if (errno) | 178 if (errno) |
| 177 return false; | 179 return false; |
| 178 break; | 180 break; |
| 179 case 14: // kernel_entry_addr | 181 case 14: // kernel_entry_addr |
| 180 errno = 0; | 182 errno = 0; |
| 181 options_.kernel_entry_addr = | 183 options_.kernel_entry_addr = |
| 182 strtol(optarg, reinterpret_cast<char**>(NULL), 10); | 184 strtol(optarg, reinterpret_cast<char**>(NULL), 10); |
| 183 | |
| 184 if (errno) | 185 if (errno) |
| 185 return false; | 186 return false; |
| 186 break; | 187 break; |
| 188 case 15: // describe |
| 189 is_describe_ = true; |
| 190 break; |
| 187 } | 191 } |
| 188 } | 192 } |
| 189 } | 193 } |
| 190 return CheckOptions(); | 194 return CheckOptions(); |
| 191 } | 195 } |
| 192 | 196 |
| 193 void KernelUtility::OutputSignedImage(void) { | 197 void KernelUtility::OutputSignedImage(void) { |
| 194 if (image_) { | 198 if (image_) { |
| 195 if (!WriteKernelImage(out_file_.c_str(), image_)) { | 199 if (!WriteKernelImage(out_file_.c_str(), image_)) { |
| 196 cerr << "Couldn't write verified boot kernel image to file " | 200 cerr << "Couldn't write verified boot kernel image to file " |
| 197 << out_file_ <<".\n"; | 201 << out_file_ <<".\n"; |
| 198 } | 202 } |
| 199 } | 203 } |
| 200 } | 204 } |
| 201 | 205 |
| 206 void KernelUtility::DescribeSignedImage(void) { |
| 207 image_ = ReadKernelImage(in_file_.c_str()); |
| 208 if (!image_) { |
| 209 cerr << "Couldn't read kernel image or malformed image.\n"; |
| 210 return; |
| 211 } |
| 212 PrintKernelImage(image_); |
| 213 } |
| 214 |
| 202 bool KernelUtility::GenerateSignedImage(void) { | 215 bool KernelUtility::GenerateSignedImage(void) { |
| 203 uint64_t kernel_key_pub_len; | 216 uint64_t kernel_key_pub_len; |
| 204 uint8_t* header_checksum; | |
| 205 DigestContext ctx; | |
| 206 image_ = KernelImageNew(); | 217 image_ = KernelImageNew(); |
| 207 | 218 |
| 208 Memcpy(image_->magic, KERNEL_MAGIC, KERNEL_MAGIC_SIZE); | 219 Memcpy(image_->magic, KERNEL_MAGIC, KERNEL_MAGIC_SIZE); |
| 209 | 220 |
| 210 // TODO(gauravsh): make this a command line option. | 221 // TODO(gauravsh): make this a command line option. |
| 211 image_->header_version = 1; | 222 image_->header_version = 1; |
| 212 image_->firmware_sign_algorithm = (uint16_t) firmware_sign_algorithm_; | 223 image_->firmware_sign_algorithm = (uint16_t) firmware_sign_algorithm_; |
| 213 // Copy pre-processed public signing key. | 224 // Copy pre-processed public signing key. |
| 214 image_->kernel_sign_algorithm = (uint16_t) kernel_sign_algorithm_; | 225 image_->kernel_sign_algorithm = (uint16_t) kernel_sign_algorithm_; |
| 215 image_->kernel_sign_key = BufferFromFile(kernel_key_pub_file_.c_str(), | 226 image_->kernel_sign_key = BufferFromFile(kernel_key_pub_file_.c_str(), |
| 216 &kernel_key_pub_len); | 227 &kernel_key_pub_len); |
| 217 if (!image_->kernel_sign_key) | 228 if (!image_->kernel_sign_key) |
| 218 return false; | 229 return false; |
| 219 image_->kernel_key_version = kernel_key_version_; | 230 image_->kernel_key_version = kernel_key_version_; |
| 220 | 231 |
| 221 // Update header length. | 232 // Update header length. |
| 222 image_->header_len = GetKernelHeaderLen(image_); | 233 image_->header_len = GetKernelHeaderLen(image_); |
| 223 | 234 |
| 224 // Calculate header checksum. | 235 // Calculate header checksum. |
| 225 DigestInit(&ctx, SHA512_DIGEST_ALGORITHM); | 236 CalculateKernelHeaderChecksum(image_, image_->header_checksum); |
| 226 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->header_version), | |
| 227 sizeof(image_->header_version)); | |
| 228 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->header_len), | |
| 229 sizeof(image_->header_len)); | |
| 230 DigestUpdate(&ctx, | |
| 231 reinterpret_cast<uint8_t*>(&image_->firmware_sign_algorithm), | |
| 232 sizeof(image_->firmware_sign_algorithm)); | |
| 233 DigestUpdate(&ctx, | |
| 234 reinterpret_cast<uint8_t*>(&image_->kernel_sign_algorithm), | |
| 235 sizeof(image_->kernel_sign_algorithm)); | |
| 236 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->kernel_key_version), | |
| 237 sizeof(image_->kernel_key_version)); | |
| 238 DigestUpdate(&ctx, image_->kernel_sign_key, | |
| 239 RSAProcessedKeySize(image_->kernel_sign_algorithm)); | |
| 240 header_checksum = DigestFinal(&ctx); | |
| 241 Memcpy(image_->header_checksum, header_checksum, SHA512_DIGEST_SIZE); | |
| 242 Free(header_checksum); | |
| 243 | 237 |
| 244 image_->kernel_version = kernel_version_; | 238 image_->kernel_version = kernel_version_; |
| 245 image_->options.version[0] = options_.version[0]; | 239 image_->options.version[0] = options_.version[0]; |
| 246 image_->options.version[1] = options_.version[1]; | 240 image_->options.version[1] = options_.version[1]; |
| 241 // TODO(gauravsh): Add a command line option for this. |
| 242 Memset(image_->options.cmd_line, 0, sizeof(image_->options.cmd_line)); |
| 247 image_->options.kernel_load_addr = options_.kernel_load_addr; | 243 image_->options.kernel_load_addr = options_.kernel_load_addr; |
| 248 image_->options.kernel_entry_addr = options_.kernel_entry_addr; | 244 image_->options.kernel_entry_addr = options_.kernel_entry_addr; |
| 249 image_->kernel_data = BufferFromFile(in_file_.c_str(), | 245 image_->kernel_data = BufferFromFile(in_file_.c_str(), |
| 250 &image_->options.kernel_len); | 246 &image_->options.kernel_len); |
| 251 if (!image_) | 247 if (!image_) |
| 252 return false; | 248 return false; |
| 253 // Generate and add the signatures. | 249 // Generate and add the signatures. |
| 254 if (!AddKernelKeySignature(image_, firmware_key_file_.c_str())) { | 250 if (!AddKernelKeySignature(image_, firmware_key_file_.c_str())) { |
| 255 cerr << "Couldn't write key signature to verified boot kernel image.\n"; | 251 cerr << "Couldn't write key signature to verified boot kernel image.\n"; |
| 256 return false; | 252 return false; |
| (...skipping 20 matching lines...) Expand all Loading... |
| 277 cerr << "Couldn't read kernel image or malformed image.\n"; | 273 cerr << "Couldn't read kernel image or malformed image.\n"; |
| 278 return false; | 274 return false; |
| 279 } | 275 } |
| 280 if (!(error = VerifyKernelImage(firmware_key_pub_, image_, 0))) | 276 if (!(error = VerifyKernelImage(firmware_key_pub_, image_, 0))) |
| 281 return true; | 277 return true; |
| 282 cerr << VerifyKernelErrorString(error) << "\n"; | 278 cerr << VerifyKernelErrorString(error) << "\n"; |
| 283 return false; | 279 return false; |
| 284 } | 280 } |
| 285 | 281 |
| 286 bool KernelUtility::CheckOptions(void) { | 282 bool KernelUtility::CheckOptions(void) { |
| 287 if (is_generate_ == is_verify_) { | 283 // Ensure that only one of --{describe|generate|verify} is set. |
| 288 cerr << "One of --generate or --verify must be specified.\n"; | 284 if (!((is_describe_ && !is_generate_ && !is_verify_) || |
| 285 (!is_describe_ && is_generate_ && !is_verify_) || |
| 286 (!is_describe_ && !is_generate_ && is_verify_))) { |
| 287 cerr << "One (and only one) of --describe, --generate or --verify " |
| 288 << "must be specified.\n"; |
| 289 return false; | 289 return false; |
| 290 } | 290 } |
| 291 // Common required options. | 291 // Common required options. |
| 292 if (in_file_.empty()) { | 292 if (in_file_.empty()) { |
| 293 cerr << "No input file specified.\n"; | 293 cerr << "No input file specified.\n"; |
| 294 return false; | 294 return false; |
| 295 } | 295 } |
| 296 // Required options for --verify. | 296 // Required options for --verify. |
| 297 if (is_verify_ && firmware_key_pub_file_.empty()) { | 297 if (is_verify_ && firmware_key_pub_file_.empty()) { |
| 298 cerr << "No pre-processed public firmware key file specified.\n"; | 298 cerr << "No pre-processed public firmware key file specified.\n"; |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 334 cerr <<"No output file specified.\n"; | 334 cerr <<"No output file specified.\n"; |
| 335 return false; | 335 return false; |
| 336 } | 336 } |
| 337 } | 337 } |
| 338 return true; | 338 return true; |
| 339 } | 339 } |
| 340 | 340 |
| 341 } // namespace vboot_reference | 341 } // namespace vboot_reference |
| 342 | 342 |
| 343 int main(int argc, char* argv[]) { | 343 int main(int argc, char* argv[]) { |
| 344 vboot_reference::KernelUtility fu; | 344 vboot_reference::KernelUtility ku; |
| 345 if (!fu.ParseCmdLineOptions(argc, argv)) { | 345 if (!ku.ParseCmdLineOptions(argc, argv)) { |
| 346 fu.PrintUsage(); | 346 ku.PrintUsage(); |
| 347 return -1; | 347 return -1; |
| 348 } | 348 } |
| 349 if (fu.is_generate()) { | 349 if (ku.is_describe()) { |
| 350 if (!fu.GenerateSignedImage()) | 350 ku.DescribeSignedImage(); |
| 351 } |
| 352 else if (ku.is_generate()) { |
| 353 if (!ku.GenerateSignedImage()) |
| 351 return -1; | 354 return -1; |
| 352 fu.OutputSignedImage(); | 355 ku.OutputSignedImage(); |
| 353 } | 356 } |
| 354 if (fu.is_verify()) { | 357 else if (ku.is_verify()) { |
| 355 cerr << "Verification "; | 358 cerr << "Verification "; |
| 356 if (fu.VerifySignedImage()) | 359 if (ku.VerifySignedImage()) |
| 357 cerr << "SUCCESS.\n"; | 360 cerr << "SUCCESS.\n"; |
| 358 else | 361 else |
| 359 cerr << "FAILURE.\n"; | 362 cerr << "FAILURE.\n"; |
| 360 } | 363 } |
| 361 return 0; | 364 return 0; |
| 362 } | 365 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1088001:
Add --describe flag to {firmware|kernel}_utility. (Closed)
