Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(149)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: utility/vbutil_firmware.c

Issue 2837005: Add vbutil_firmware (Closed) Base URL: ssh://gitrw.chromium.org/vboot_reference.git
Patch Set: rebase Created 10 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « utility/Makefile ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
2 * Use of this source code is governed by a BSD-style license that can be
3 * found in the LICENSE file.
4 *
5 * Verified boot firmware utility
6 */
7
8 #include <getopt.h>
9 #include <inttypes.h> /* For PRIu64 */
10 #include <stddef.h>
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <unistd.h>
14
15 #include "cryptolib.h"
16 #include "host_common.h"
17 #include "kernel_blob.h"
18 #include "vboot_common.h"
19
20
21 /* Command line options */
22 enum {
23 OPT_MODE_VBLOCK = 1000,
24 OPT_MODE_VERIFY,
25 OPT_KEYBLOCK,
26 OPT_SIGNPUBKEY,
27 OPT_SIGNPRIVATE,
28 OPT_VERSION,
29 OPT_FV,
30 OPT_KERNELKEY,
31 };
32
33 static struct option long_opts[] = {
34 {"vblock", 1, 0, OPT_MODE_VBLOCK },
35 {"verify", 1, 0, OPT_MODE_VERIFY },
36 {"keyblock", 1, 0, OPT_KEYBLOCK },
37 {"signpubkey", 1, 0, OPT_SIGNPUBKEY },
38 {"signprivate", 1, 0, OPT_SIGNPRIVATE },
39 {"version", 1, 0, OPT_VERSION },
40 {"fv", 1, 0, OPT_FV },
41 {"kernelkey", 1, 0, OPT_KERNELKEY },
42 {NULL, 0, 0, 0}
43 };
44
45
46 /* Print help and return error */
47 static int PrintHelp(void) {
48
49 puts("vbutil_firmware - Verified boot key block utility\n"
50 "\n"
51 "Usage: vbutil_firmware <--vblock|--verify> <file> [OPTIONS]\n"
52 "\n"
53 "For '--vblock <file>', required OPTIONS are:\n"
54 " --keyblock <file> Key block in .keyblock format\n"
55 " --signprivate <file> Signing private key in .pem format\n"
56 " --version <number> Firmware version\n"
57 " --fv <file> Firmware volume to sign\n"
58 " --kernelkey <file> Kernel subkey in .vbpubk format\n"
59 "\n"
60 "For '--verify <file>', required OPTIONS are:\n"
61 " --signpubkey <file> Signing public key in .vbpubk format\n"
62 " --fv <file> Firmware volume to verify\n"
63 "");
64 return 1;
65 }
66
67
68 /* Create a firmware .vblock */
69 static int Vblock(const char* outfile, const char* keyblock_file,
70 const char* signprivate, uint64_t version,
71 const char* fv_file, const char* kernelkey_file) {
72
73 VbPrivateKey* signing_key;
74 VbPublicKey* kernel_subkey;
75 VbSignature* body_sig;
76 VbFirmwarePreambleHeader* preamble;
77 VbKeyBlockHeader* key_block;
78 uint64_t key_block_size;
79 uint8_t* fv_data;
80 uint64_t fv_size;
81 FILE* f;
82 uint64_t i;
83
84 if (!outfile) {
85 error("Must specify output filename\n");
86 return 1;
87 }
88 if (!keyblock_file || !signprivate || !kernelkey_file) {
89 error("Must specify all keys\n");
90 return 1;
91 }
92 if (!fv_file) {
93 error("Must specify firmware volume\n");
94 return 1;
95 }
96
97 /* Read the key block and keys */
98 key_block = (VbKeyBlockHeader*)ReadFile(keyblock_file, &key_block_size);
99 if (!key_block) {
100 error("Error reading key block.\n");
101 return 1;
102 }
103
104 signing_key = PrivateKeyRead(signprivate, key_block->data_key.algorithm);
105 if (!signing_key) {
106 error("Error reading signing key.\n");
107 return 1;
108 }
109
110 kernel_subkey = PublicKeyRead(kernelkey_file);
111 if (!kernel_subkey) {
112 error("Error reading kernel subkey.\n");
113 return 1;
114 }
115
116 /* Read and sign the firmware volume */
117 fv_data = ReadFile(fv_file, &fv_size);
118 if (!fv_data)
119 return 1;
120 if (!fv_size) {
121 error("Empty firmware volume file\n");
122 return 1;
123 }
124 body_sig = CalculateSignature(fv_data, fv_size, signing_key);
125 if (!body_sig) {
126 error("Error calculating body signature\n");
127 return 1;
128 }
129 Free(fv_data);
130
131 /* Create preamble */
132 preamble = CreateFirmwarePreamble(version,
133 kernel_subkey,
134 body_sig,
135 signing_key);
136 if (!preamble) {
137 error("Error creating preamble.\n");
138 return 1;
139 }
140
141 /* Write the output file */
142 f = fopen(outfile, "wb");
143 if (!f) {
144 error("Can't open output file %s\n", outfile);
145 return 1;
146 }
147 i = ((1 != fwrite(key_block, key_block_size, 1, f)) ||
148 (1 != fwrite(preamble, preamble->preamble_size, 1, f)));
149 fclose(f);
150 if (i) {
151 error("Can't write output file %s\n", outfile);
152 unlink(outfile);
153 return 1;
154 }
155
156 /* Success */
157 return 0;
158 }
159
160
161 static int Verify(const char* infile, const char* signpubkey,
162 const char* fv_file) {
163
164 VbKeyBlockHeader* key_block;
165 VbFirmwarePreambleHeader* preamble;
166 VbPublicKey* data_key;
167 VbPublicKey* sign_key;
168 RSAPublicKey* rsa;
169 uint8_t* blob;
170 uint64_t blob_size;
171 uint8_t* fv_data;
172 uint64_t fv_size;
173 uint64_t now = 0;
174
175 if (!infile || !signpubkey || !fv_file) {
176 error("Must specify filename, signpubkey, and fv\n");
177 return 1;
178 }
179
180 /* Read public signing key */
181 sign_key = PublicKeyRead(signpubkey);
182 if (!sign_key) {
183 error("Error reading signpubkey.\n");
184 return 1;
185 }
186
187 /* Read blob */
188 blob = ReadFile(infile, &blob_size);
189 if (!blob) {
190 error("Error reading input file\n");
191 return 1;
192 }
193
194 /* Read firmware volume */
195 fv_data = ReadFile(fv_file, &fv_size);
196 if (!fv_data) {
197 error("Error reading firmware volume\n");
198 return 1;
199 }
200
201 /* Verify key block */
202 key_block = (VbKeyBlockHeader*)blob;
203 if (0 != KeyBlockVerify(key_block, blob_size, sign_key)) {
204 error("Error verifying key block.\n");
205 return 1;
206 }
207 Free(sign_key);
208 now += key_block->key_block_size;
209
210 printf("Key block:\n");
211 data_key = &key_block->data_key;
212 printf(" Size: %" PRIu64 "\n", key_block->key_block_size);
213 printf(" Data key algorithm: %" PRIu64 " %s\n", data_key->algorithm,
214 (data_key->algorithm < kNumAlgorithms ?
215 algo_strings[data_key->algorithm] : "(invalid)"));
216 printf(" Data key version: %" PRIu64 "\n", data_key->key_version);
217 printf(" Flags: %" PRIu64 "\n", key_block->key_block_flags);
218
219 rsa = PublicKeyToRSA(&key_block->data_key);
220 if (!rsa) {
221 error("Error parsing data key.\n");
222 return 1;
223 }
224
225 /* Verify preamble */
226 preamble = (VbFirmwarePreambleHeader*)(blob + now);
227 if (0 != VerifyFirmwarePreamble2(preamble, blob_size - now, rsa)) {
228 error("Error verifying preamble.\n");
229 return 1;
230 }
231 now += preamble->preamble_size;
232
233 printf("Preamble:\n");
234 printf(" Size: %" PRIu64 "\n", preamble->preamble_size);
235 printf(" Header version: %" PRIu32 ".%" PRIu32"\n",
236 preamble->header_version_major, preamble->header_version_minor);
237 printf(" Firmware version: %" PRIu64 "\n", preamble->firmware_version);
238 printf(" Kernel key algorithm: %" PRIu64 " %s\n",
239 preamble->kernel_subkey.algorithm,
240 (preamble->kernel_subkey.algorithm < kNumAlgorithms ?
241 algo_strings[preamble->kernel_subkey.algorithm] : "(invalid)"));
242 printf(" Kernel key version: %" PRIu64 "\n",
243 preamble->kernel_subkey.key_version);
244 printf(" Firmware body size: %" PRIu64 "\n",
245 preamble->body_signature.data_size);
246
247 /* TODO: verify body size same as signature size */
248
249 /* Verify body */
250 if (0 != VerifyData(fv_data, &preamble->body_signature, rsa)) {
251 error("Error verifying firmware body.\n");
252 return 1;
253 }
254 printf("Body verification succeeded.\n");
255 return 0;
256 }
257
258
259 int main(int argc, char* argv[]) {
260
261 char* filename = NULL;
262 char* key_block_file = NULL;
263 char* signpubkey = NULL;
264 char* signprivate = NULL;
265 uint64_t version = 0;
266 char* fv_file = NULL;
267 char* kernelkey_file = NULL;
268 int mode = 0;
269 int parse_error = 0;
270 char* e;
271 int i;
272
273 while ((i = getopt_long(argc, argv, "", long_opts, NULL)) != -1) {
274 switch (i) {
275 case '?':
276 /* Unhandled option */
277 printf("Unknown option\n");
278 parse_error = 1;
279 break;
280
281 case OPT_MODE_VBLOCK:
282 case OPT_MODE_VERIFY:
283 mode = i;
284 filename = optarg;
285 break;
286
287 case OPT_KEYBLOCK:
288 key_block_file = optarg;
289 break;
290
291 case OPT_SIGNPUBKEY:
292 signpubkey = optarg;
293 break;
294
295 case OPT_SIGNPRIVATE:
296 signprivate = optarg;
297 break;
298
299 case OPT_FV:
300 fv_file = optarg;
301 break;
302
303 case OPT_KERNELKEY:
304 kernelkey_file = optarg;
305 break;
306
307 case OPT_VERSION:
308 version = strtoul(optarg, &e, 0);
309 if (!*optarg || (e && *e)) {
310 printf("Invalid --version\n");
311 parse_error = 1;
312 }
313 break;
314 }
315 }
316
317 if (parse_error)
318 return PrintHelp();
319
320 switch(mode) {
321 case OPT_MODE_VBLOCK:
322 return Vblock(filename, key_block_file, signprivate, version, fv_file,
323 kernelkey_file);
324 case OPT_MODE_VERIFY:
325 return Verify(filename, signpubkey, fv_file);
326 default:
327 printf("Must specify a mode.\n");
328 return PrintHelp();
329 }
330 }
OLDNEW
« no previous file with comments | « utility/Makefile ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698