| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 // | 4 // |
| 5 // Utility for manipulating verified boot kernel images. | 5 // Utility for manipulating verified boot kernel images. |
| 6 // | 6 // |
| 7 | 7 |
| 8 #include "kernel_utility.h" | 8 #include "kernel_utility.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| (...skipping 18 matching lines...) Expand all Loading... |
| 29 namespace vboot_reference { | 29 namespace vboot_reference { |
| 30 | 30 |
| 31 KernelUtility::KernelUtility(): image_(NULL), | 31 KernelUtility::KernelUtility(): image_(NULL), |
| 32 firmware_key_pub_(NULL), | 32 firmware_key_pub_(NULL), |
| 33 header_version_(1), | 33 header_version_(1), |
| 34 firmware_sign_algorithm_(-1), | 34 firmware_sign_algorithm_(-1), |
| 35 kernel_sign_algorithm_(-1), | 35 kernel_sign_algorithm_(-1), |
| 36 kernel_key_version_(-1), | 36 kernel_key_version_(-1), |
| 37 kernel_version_(-1), | 37 kernel_version_(-1), |
| 38 kernel_len_(0), | 38 kernel_len_(0), |
| 39 kernel_config_(NULL), | |
| 40 is_generate_(false), | 39 is_generate_(false), |
| 41 is_verify_(false), | 40 is_verify_(false), |
| 42 is_describe_(false), | 41 is_describe_(false), |
| 43 is_only_vblock_(false) { | 42 is_only_vblock_(false) { |
| 44 } | 43 } |
| 45 | 44 |
| 46 KernelUtility::~KernelUtility() { | 45 KernelUtility::~KernelUtility() { |
| 47 Free(kernel_config_); | |
| 48 RSAPublicKeyFree(firmware_key_pub_); | 46 RSAPublicKeyFree(firmware_key_pub_); |
| 49 KernelImageFree(image_); | 47 KernelImageFree(image_); |
| 50 } | 48 } |
| 51 | 49 |
| 52 void KernelUtility::PrintUsage(void) { | 50 void KernelUtility::PrintUsage(void) { |
| 53 cerr << | 51 cerr << |
| 54 "Utility to generate/verify/describe a verified boot kernel image\n\n" | 52 "Utility to generate/verify/describe a verified boot kernel image\n\n" |
| 55 "Usage: kernel_utility <--generate|--verify|--describe> [OPTIONS]\n\n" | 53 "Usage: kernel_utility <--generate|--verify|--describe> [OPTIONS]\n\n" |
| 56 "For \"--verify\", required OPTIONS are:\n" | 54 "For \"--verify\", required OPTIONS are:\n" |
| 57 "--in <infile>\t\t\tVerified boot kernel image to verify.\n" | 55 "--in <infile>\t\t\tVerified boot kernel image to verify.\n" |
| 58 "--firmware_key_pub <pubkeyfile>\tPre-processed public firmware key " | 56 "--firmware_key_pub <pubkeyfile>\tPre-processed public firmware key " |
| 59 "to use for verification.\n\n" | 57 "to use for verification.\n\n" |
| 60 "For \"--generate\", required OPTIONS are:\n" | 58 "For \"--generate\", required OPTIONS are:\n" |
| 61 "--firmware_key <privkeyfile>\tPrivate firmware signing key file\n" | 59 "--firmware_key <privkeyfile>\tPrivate firmware signing key file\n" |
| 62 "--kernel_key <privkeyfile>\tPrivate kernel signing key file\n" | 60 "--kernel_key <privkeyfile>\tPrivate kernel signing key file\n" |
| 63 "--kernel_key_pub <pubkeyfile>\tPre-processed public kernel signing" | 61 "--kernel_key_pub <pubkeyfile>\tPre-processed public kernel signing" |
| 64 " key\n" | 62 " key\n" |
| 65 "--firmware_sign_algorithm <algoid>\tSigning algorithm used by " | 63 "--firmware_sign_algorithm <algoid>\tSigning algorithm used by " |
| 66 "the firmware\n" | 64 "the firmware\n" |
| 67 "--kernel_sign_algorithm <algoid>\tSigning algorithm to use for kernel\n" | 65 "--kernel_sign_algorithm <algoid>\tSigning algorithm to use for kernel\n" |
| 68 "--kernel_key_version <version#>\tKernel signing Key Version#\n" | 66 "--kernel_key_version <version#>\tKernel signing Key Version#\n" |
| 69 "--kernel_version <version#>\tKernel Version#\n" | 67 "--kernel_version <version#>\tKernel Version#\n" |
| 70 "--in <infile>\t\tKernel Image to sign\n" | 68 "--in <infile>\t\tKernel Image to sign\n" |
| 71 "--out <outfile>\t\tOutput file for verified boot Kernel image\n\n" | 69 "--out <outfile>\t\tOutput file for verified boot Kernel image\n\n" |
| 72 "Optional arguments for \"--generate\" include:\n" | 70 "Optional arguments for \"--generate\" include:\n" |
| 73 "--config <file>\t\t\tPopulate contents of kernel config from a file\n" | |
| 74 "--vblock\t\t\tJust output the verification block\n\n" | 71 "--vblock\t\t\tJust output the verification block\n\n" |
| 75 "<algoid> (for --*_sign_algorithm) is one of the following:\n"; | 72 "<algoid> (for --*_sign_algorithm) is one of the following:\n"; |
| 76 for (int i = 0; i < kNumAlgorithms; i++) { | 73 for (int i = 0; i < kNumAlgorithms; i++) { |
| 77 cerr << i << " for " << algo_strings[i] << "\n"; | 74 cerr << i << " for " << algo_strings[i] << "\n"; |
| 78 } | 75 } |
| 79 cerr << "\n\n"; | 76 cerr << "\n\n"; |
| 80 } | 77 } |
| 81 | 78 |
| 82 bool KernelUtility::ParseCmdLineOptions(int argc, char* argv[]) { | 79 bool KernelUtility::ParseCmdLineOptions(int argc, char* argv[]) { |
| 83 int option_index, i; | 80 int option_index, i; |
| 84 enum { | 81 enum { |
| 85 OPT_FIRMWARE_KEY = 1000, | 82 OPT_FIRMWARE_KEY = 1000, |
| 86 OPT_FIRMWARE_KEY_PUB, | 83 OPT_FIRMWARE_KEY_PUB, |
| 87 OPT_KERNEL_KEY, | 84 OPT_KERNEL_KEY, |
| 88 OPT_KERNEL_KEY_PUB, | 85 OPT_KERNEL_KEY_PUB, |
| 89 OPT_FIRMWARE_SIGN_ALGORITHM, | 86 OPT_FIRMWARE_SIGN_ALGORITHM, |
| 90 OPT_KERNEL_SIGN_ALGORITHM, | 87 OPT_KERNEL_SIGN_ALGORITHM, |
| 91 OPT_KERNEL_KEY_VERSION, | 88 OPT_KERNEL_KEY_VERSION, |
| 92 OPT_KERNEL_VERSION, | 89 OPT_KERNEL_VERSION, |
| 93 OPT_IN, | 90 OPT_IN, |
| 94 OPT_OUT, | 91 OPT_OUT, |
| 95 OPT_GENERATE, | 92 OPT_GENERATE, |
| 96 OPT_VERIFY, | 93 OPT_VERIFY, |
| 97 OPT_DESCRIBE, | 94 OPT_DESCRIBE, |
| 98 OPT_CONFIG, | |
| 99 OPT_VBLOCK, | 95 OPT_VBLOCK, |
| 100 }; | 96 }; |
| 101 static struct option long_options[] = { | 97 static struct option long_options[] = { |
| 102 {"firmware_key", 1, 0, OPT_FIRMWARE_KEY }, | 98 {"firmware_key", 1, 0, OPT_FIRMWARE_KEY }, |
| 103 {"firmware_key_pub", 1, 0, OPT_FIRMWARE_KEY_PUB }, | 99 {"firmware_key_pub", 1, 0, OPT_FIRMWARE_KEY_PUB }, |
| 104 {"kernel_key", 1, 0, OPT_KERNEL_KEY }, | 100 {"kernel_key", 1, 0, OPT_KERNEL_KEY }, |
| 105 {"kernel_key_pub", 1, 0, OPT_KERNEL_KEY_PUB }, | 101 {"kernel_key_pub", 1, 0, OPT_KERNEL_KEY_PUB }, |
| 106 {"firmware_sign_algorithm", 1, 0, OPT_FIRMWARE_SIGN_ALGORITHM }, | 102 {"firmware_sign_algorithm", 1, 0, OPT_FIRMWARE_SIGN_ALGORITHM }, |
| 107 {"kernel_sign_algorithm", 1, 0, OPT_KERNEL_SIGN_ALGORITHM }, | 103 {"kernel_sign_algorithm", 1, 0, OPT_KERNEL_SIGN_ALGORITHM }, |
| 108 {"kernel_key_version", 1, 0, OPT_KERNEL_KEY_VERSION }, | 104 {"kernel_key_version", 1, 0, OPT_KERNEL_KEY_VERSION }, |
| 109 {"kernel_version", 1, 0, OPT_KERNEL_VERSION }, | 105 {"kernel_version", 1, 0, OPT_KERNEL_VERSION }, |
| 110 {"in", 1, 0, OPT_IN }, | 106 {"in", 1, 0, OPT_IN }, |
| 111 {"out", 1, 0, OPT_OUT }, | 107 {"out", 1, 0, OPT_OUT }, |
| 112 {"generate", 0, 0, OPT_GENERATE }, | 108 {"generate", 0, 0, OPT_GENERATE }, |
| 113 {"verify", 0, 0, OPT_VERIFY }, | 109 {"verify", 0, 0, OPT_VERIFY }, |
| 114 {"describe", 0, 0, OPT_DESCRIBE }, | 110 {"describe", 0, 0, OPT_DESCRIBE }, |
| 115 {"config", 1, 0, OPT_CONFIG }, | |
| 116 {"vblock", 0, 0, OPT_VBLOCK }, | 111 {"vblock", 0, 0, OPT_VBLOCK }, |
| 117 {NULL, 0, 0, 0} | 112 {NULL, 0, 0, 0} |
| 118 }; | 113 }; |
| 119 while ((i = getopt_long(argc, argv, "", long_options, &option_index)) != -1) { | 114 while ((i = getopt_long(argc, argv, "", long_options, &option_index)) != -1) { |
| 120 switch (i) { | 115 switch (i) { |
| 121 case '?': | 116 case '?': |
| 122 return false; | 117 return false; |
| 123 break; | 118 break; |
| 124 case OPT_FIRMWARE_KEY: | 119 case OPT_FIRMWARE_KEY: |
| 125 firmware_key_file_ = optarg; | 120 firmware_key_file_ = optarg; |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 169 break; | 164 break; |
| 170 case OPT_GENERATE: | 165 case OPT_GENERATE: |
| 171 is_generate_ = true; | 166 is_generate_ = true; |
| 172 break; | 167 break; |
| 173 case OPT_VERIFY: | 168 case OPT_VERIFY: |
| 174 is_verify_ = true; | 169 is_verify_ = true; |
| 175 break; | 170 break; |
| 176 case OPT_DESCRIBE: | 171 case OPT_DESCRIBE: |
| 177 is_describe_ = true; | 172 is_describe_ = true; |
| 178 break; | 173 break; |
| 179 case OPT_CONFIG: | |
| 180 config_file_ = optarg; | |
| 181 break; | |
| 182 case OPT_VBLOCK: | 174 case OPT_VBLOCK: |
| 183 is_only_vblock_ = true; | 175 is_only_vblock_ = true; |
| 184 break; | 176 break; |
| 185 } | 177 } |
| 186 } | 178 } |
| 187 return CheckOptions(); | 179 return CheckOptions(); |
| 188 } | 180 } |
| 189 | 181 |
| 190 void KernelUtility::OutputSignedImage(void) { | 182 void KernelUtility::OutputSignedImage(void) { |
| 191 if (image_) { | 183 if (image_) { |
| 192 if (!WriteKernelImage(out_file_.c_str(), image_, is_only_vblock_)) { | 184 if (!WriteKernelImage(out_file_.c_str(), image_, is_only_vblock_)) { |
| 193 cerr << "Couldn't write verified boot kernel image to file " | 185 cerr << "Couldn't write verified boot kernel image to file " |
| 194 << out_file_ <<".\n"; | 186 << out_file_ <<".\n"; |
| 195 } | 187 } |
| 196 } | 188 } |
| 197 } | 189 } |
| 198 | 190 |
| 199 void KernelUtility::DescribeSignedImage(void) { | 191 void KernelUtility::DescribeSignedImage(void) { |
| 200 image_ = ReadKernelImage(in_file_.c_str()); | 192 image_ = ReadKernelImage(in_file_.c_str()); |
| 201 if (!image_) { | 193 if (!image_) { |
| 202 cerr << "Couldn't read kernel image or malformed image.\n"; | 194 cerr << "Couldn't read kernel image or malformed image.\n"; |
| 203 return; | 195 return; |
| 204 } | 196 } |
| 205 PrintKernelImage(image_); | 197 PrintKernelImage(image_); |
| 206 } | 198 } |
| 207 | 199 |
| 208 bool KernelUtility::GenerateSignedImage(void) { | 200 bool KernelUtility::GenerateSignedImage(void) { |
| 209 uint64_t len; | |
| 210 uint64_t kernel_key_pub_len; | 201 uint64_t kernel_key_pub_len; |
| 211 image_ = KernelImageNew(); | 202 image_ = KernelImageNew(); |
| 212 | 203 |
| 213 Memcpy(image_->magic, KERNEL_MAGIC, KERNEL_MAGIC_SIZE); | 204 Memcpy(image_->magic, KERNEL_MAGIC, KERNEL_MAGIC_SIZE); |
| 214 | 205 |
| 215 // TODO(gauravsh): make this a command line option. | 206 // TODO(gauravsh): make this a command line option. |
| 216 image_->header_version = 1; | 207 image_->header_version = 1; |
| 217 image_->firmware_sign_algorithm = (uint16_t) firmware_sign_algorithm_; | 208 image_->firmware_sign_algorithm = (uint16_t) firmware_sign_algorithm_; |
| 218 // Copy pre-processed public signing key. | 209 // Copy pre-processed public signing key. |
| 219 image_->kernel_sign_algorithm = (uint16_t) kernel_sign_algorithm_; | 210 image_->kernel_sign_algorithm = (uint16_t) kernel_sign_algorithm_; |
| 220 image_->kernel_sign_key = BufferFromFile(kernel_key_pub_file_.c_str(), | 211 image_->kernel_sign_key = BufferFromFile(kernel_key_pub_file_.c_str(), |
| 221 &kernel_key_pub_len); | 212 &kernel_key_pub_len); |
| 222 if (!image_->kernel_sign_key) | 213 if (!image_->kernel_sign_key) |
| 223 return false; | 214 return false; |
| 224 image_->kernel_key_version = kernel_key_version_; | 215 image_->kernel_key_version = kernel_key_version_; |
| 225 | 216 |
| 226 // Update header length. | 217 // Update header length. |
| 227 image_->header_len = GetKernelHeaderLen(image_); | 218 image_->header_len = GetKernelHeaderLen(image_); |
| 228 | 219 |
| 229 // Calculate header checksum. | 220 // Calculate header checksum. |
| 230 CalculateKernelHeaderChecksum(image_, image_->header_checksum); | 221 CalculateKernelHeaderChecksum(image_, image_->header_checksum); |
| 231 | 222 |
| 232 image_->kernel_version = kernel_version_; | 223 image_->kernel_version = kernel_version_; |
| 233 if (!config_file_.empty()) { | |
| 234 kernel_config_ = BufferFromFile(config_file_.c_str(), &len); | |
| 235 if (len >= sizeof(image_->kernel_config)) { | |
| 236 cerr << "Input kernel config file is too big!"; | |
| 237 return false; | |
| 238 } | |
| 239 Memcpy(image_->kernel_config, | |
| 240 kernel_config_, len); | |
| 241 } else { | |
| 242 Memset(image_->kernel_config, 0, | |
| 243 sizeof(image_->kernel_config)); | |
| 244 } | |
| 245 image_->kernel_data = BufferFromFile(in_file_.c_str(), | 224 image_->kernel_data = BufferFromFile(in_file_.c_str(), |
| 246 &image_->kernel_len); | 225 &image_->kernel_len); |
| 247 if (!image_->kernel_data) | 226 if (!image_->kernel_data) |
| 248 return false; | 227 return false; |
| 249 // Generate and add the signatures. | 228 // Generate and add the signatures. |
| 250 if (!AddKernelKeySignature(image_, firmware_key_file_.c_str())) { | 229 if (!AddKernelKeySignature(image_, firmware_key_file_.c_str())) { |
| 251 cerr << "Couldn't write key signature to verified boot kernel image.\n"; | 230 cerr << "Couldn't write key signature to verified boot kernel image.\n"; |
| 252 return false; | 231 return false; |
| 253 } | 232 } |
| 254 | 233 |
| (...skipping 101 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 356 } | 335 } |
| 357 else if (ku.is_verify()) { | 336 else if (ku.is_verify()) { |
| 358 cerr << "Verification "; | 337 cerr << "Verification "; |
| 359 if (ku.VerifySignedImage()) | 338 if (ku.VerifySignedImage()) |
| 360 cerr << "SUCCESS.\n"; | 339 cerr << "SUCCESS.\n"; |
| 361 else | 340 else |
| 362 cerr << "FAILURE.\n"; | 341 cerr << "FAILURE.\n"; |
| 363 } | 342 } |
| 364 return 0; | 343 return 0; |
| 365 } | 344 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2234003:
Change kernel vboot header layout and add support for separate header verification. (Closed)
Base URL: ssh://git@gitrw.chromium.org/chromiumos