OLD | NEW |
1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
2 * Use of this source code is governed by a BSD-style license that can be | 2 * Use of this source code is governed by a BSD-style license that can be |
3 * found in the LICENSE file. | 3 * found in the LICENSE file. |
4 * | 4 * |
5 * Verified boot firmware utility | 5 * Verified boot firmware utility |
6 */ | 6 */ |
7 | 7 |
8 #include <getopt.h> | 8 #include <getopt.h> |
9 #include <inttypes.h> /* For PRIu64 */ | 9 #include <inttypes.h> /* For PRIu64 */ |
10 #include <stddef.h> | 10 #include <stddef.h> |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
53 "For '--vblock <file>', required OPTIONS are:\n" | 53 "For '--vblock <file>', required OPTIONS are:\n" |
54 " --keyblock <file> Key block in .keyblock format\n" | 54 " --keyblock <file> Key block in .keyblock format\n" |
55 " --signprivate <file> Signing private key in .vbprivk format\n" | 55 " --signprivate <file> Signing private key in .vbprivk format\n" |
56 " --version <number> Firmware version\n" | 56 " --version <number> Firmware version\n" |
57 " --fv <file> Firmware volume to sign\n" | 57 " --fv <file> Firmware volume to sign\n" |
58 " --kernelkey <file> Kernel subkey in .vbpubk format\n" | 58 " --kernelkey <file> Kernel subkey in .vbpubk format\n" |
59 "\n" | 59 "\n" |
60 "For '--verify <file>', required OPTIONS are:\n" | 60 "For '--verify <file>', required OPTIONS are:\n" |
61 " --signpubkey <file> Signing public key in .vbpubk format\n" | 61 " --signpubkey <file> Signing public key in .vbpubk format\n" |
62 " --fv <file> Firmware volume to verify\n" | 62 " --fv <file> Firmware volume to verify\n" |
| 63 "\n" |
| 64 "For '--verify <file>', optional OPTIONS are:\n" |
| 65 " --kernelkey <file> Write the kernel subkey to this file\n" |
63 ""); | 66 ""); |
64 return 1; | 67 return 1; |
65 } | 68 } |
66 | 69 |
67 | 70 |
68 /* Create a firmware .vblock */ | 71 /* Create a firmware .vblock */ |
69 static int Vblock(const char* outfile, const char* keyblock_file, | 72 static int Vblock(const char* outfile, const char* keyblock_file, |
70 const char* signprivate, uint64_t version, | 73 const char* signprivate, uint64_t version, |
71 const char* fv_file, const char* kernelkey_file) { | 74 const char* fv_file, const char* kernelkey_file) { |
72 | 75 |
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
150 if (i) { | 153 if (i) { |
151 error("Can't write output file %s\n", outfile); | 154 error("Can't write output file %s\n", outfile); |
152 unlink(outfile); | 155 unlink(outfile); |
153 return 1; | 156 return 1; |
154 } | 157 } |
155 | 158 |
156 /* Success */ | 159 /* Success */ |
157 return 0; | 160 return 0; |
158 } | 161 } |
159 | 162 |
160 | |
161 static int Verify(const char* infile, const char* signpubkey, | 163 static int Verify(const char* infile, const char* signpubkey, |
162 const char* fv_file) { | 164 const char* fv_file, const char* kernelkey_file) { |
163 | 165 |
164 VbKeyBlockHeader* key_block; | 166 VbKeyBlockHeader* key_block; |
165 VbFirmwarePreambleHeader* preamble; | 167 VbFirmwarePreambleHeader* preamble; |
166 VbPublicKey* data_key; | 168 VbPublicKey* data_key; |
167 VbPublicKey* sign_key; | 169 VbPublicKey* sign_key; |
| 170 VbPublicKey* kernel_subkey; |
168 RSAPublicKey* rsa; | 171 RSAPublicKey* rsa; |
169 uint8_t* blob; | 172 uint8_t* blob; |
170 uint64_t blob_size; | 173 uint64_t blob_size; |
171 uint8_t* fv_data; | 174 uint8_t* fv_data; |
172 uint64_t fv_size; | 175 uint64_t fv_size; |
173 uint64_t now = 0; | 176 uint64_t now = 0; |
174 | 177 |
175 if (!infile || !signpubkey || !fv_file) { | 178 if (!infile || !signpubkey || !fv_file) { |
176 error("Must specify filename, signpubkey, and fv\n"); | 179 error("Must specify filename, signpubkey, and fv\n"); |
177 return 1; | 180 return 1; |
(...skipping 25 matching lines...) Expand all Loading... |
203 if (0 != KeyBlockVerify(key_block, blob_size, sign_key, 0)) { | 206 if (0 != KeyBlockVerify(key_block, blob_size, sign_key, 0)) { |
204 error("Error verifying key block.\n"); | 207 error("Error verifying key block.\n"); |
205 return 1; | 208 return 1; |
206 } | 209 } |
207 Free(sign_key); | 210 Free(sign_key); |
208 now += key_block->key_block_size; | 211 now += key_block->key_block_size; |
209 | 212 |
210 printf("Key block:\n"); | 213 printf("Key block:\n"); |
211 data_key = &key_block->data_key; | 214 data_key = &key_block->data_key; |
212 printf(" Size: %" PRIu64 "\n", key_block->key_block_size); | 215 printf(" Size: %" PRIu64 "\n", key_block->key_block_size); |
| 216 printf(" Flags: %" PRIu64 " (ignored)\n", |
| 217 key_block->key_block_flags); |
213 printf(" Data key algorithm: %" PRIu64 " %s\n", data_key->algorithm, | 218 printf(" Data key algorithm: %" PRIu64 " %s\n", data_key->algorithm, |
214 (data_key->algorithm < kNumAlgorithms ? | 219 (data_key->algorithm < kNumAlgorithms ? |
215 algo_strings[data_key->algorithm] : "(invalid)")); | 220 algo_strings[data_key->algorithm] : "(invalid)")); |
216 printf(" Data key version: %" PRIu64 "\n", data_key->key_version); | 221 printf(" Data key version: %" PRIu64 "\n", data_key->key_version); |
217 printf(" Flags: %" PRIu64 "\n", key_block->key_block_flags); | 222 printf(" Data key sha1sum: "); |
| 223 PrintPubKeySha1Sum(data_key); |
| 224 printf("\n"); |
218 | 225 |
219 rsa = PublicKeyToRSA(&key_block->data_key); | 226 rsa = PublicKeyToRSA(&key_block->data_key); |
220 if (!rsa) { | 227 if (!rsa) { |
221 error("Error parsing data key.\n"); | 228 error("Error parsing data key.\n"); |
222 return 1; | 229 return 1; |
223 } | 230 } |
224 | 231 |
225 /* Verify preamble */ | 232 /* Verify preamble */ |
226 preamble = (VbFirmwarePreambleHeader*)(blob + now); | 233 preamble = (VbFirmwarePreambleHeader*)(blob + now); |
227 if (0 != VerifyFirmwarePreamble(preamble, blob_size - now, rsa)) { | 234 if (0 != VerifyFirmwarePreamble(preamble, blob_size - now, rsa)) { |
228 error("Error verifying preamble.\n"); | 235 error("Error verifying preamble.\n"); |
229 return 1; | 236 return 1; |
230 } | 237 } |
231 now += preamble->preamble_size; | 238 now += preamble->preamble_size; |
232 | 239 |
233 printf("Preamble:\n"); | 240 printf("Preamble:\n"); |
234 printf(" Size: %" PRIu64 "\n", preamble->preamble_size); | 241 printf(" Size: %" PRIu64 "\n", preamble->preamble_size); |
235 printf(" Header version: %" PRIu32 ".%" PRIu32"\n", | 242 printf(" Header version: %" PRIu32 ".%" PRIu32"\n", |
236 preamble->header_version_major, preamble->header_version_minor); | 243 preamble->header_version_major, preamble->header_version_minor); |
237 printf(" Firmware version: %" PRIu64 "\n", preamble->firmware_version); | 244 printf(" Firmware version: %" PRIu64 "\n", preamble->firmware_version); |
| 245 kernel_subkey = &preamble->kernel_subkey; |
238 printf(" Kernel key algorithm: %" PRIu64 " %s\n", | 246 printf(" Kernel key algorithm: %" PRIu64 " %s\n", |
239 preamble->kernel_subkey.algorithm, | 247 kernel_subkey->algorithm, |
240 (preamble->kernel_subkey.algorithm < kNumAlgorithms ? | 248 (kernel_subkey->algorithm < kNumAlgorithms ? |
241 algo_strings[preamble->kernel_subkey.algorithm] : "(invalid)")); | 249 algo_strings[kernel_subkey->algorithm] : "(invalid)")); |
242 printf(" Kernel key version: %" PRIu64 "\n", | 250 printf(" Kernel key version: %" PRIu64 "\n", |
243 preamble->kernel_subkey.key_version); | 251 kernel_subkey->key_version); |
| 252 printf(" Kernel key sha1sum: "); |
| 253 PrintPubKeySha1Sum(kernel_subkey); |
| 254 printf("\n"); |
244 printf(" Firmware body size: %" PRIu64 "\n", | 255 printf(" Firmware body size: %" PRIu64 "\n", |
245 preamble->body_signature.data_size); | 256 preamble->body_signature.data_size); |
246 | 257 |
247 /* TODO: verify body size same as signature size */ | 258 /* TODO: verify body size same as signature size */ |
248 | 259 |
249 /* Verify body */ | 260 /* Verify body */ |
250 if (0 != VerifyData(fv_data, fv_size, &preamble->body_signature, rsa)) { | 261 if (0 != VerifyData(fv_data, fv_size, &preamble->body_signature, rsa)) { |
251 error("Error verifying firmware body.\n"); | 262 error("Error verifying firmware body.\n"); |
252 return 1; | 263 return 1; |
253 } | 264 } |
254 printf("Body verification succeeded.\n"); | 265 printf("Body verification succeeded.\n"); |
| 266 |
| 267 if (kernelkey_file) { |
| 268 if (0 != PublicKeyWrite(kernelkey_file, kernel_subkey)) { |
| 269 fprintf(stderr, |
| 270 "vbutil_firmware: unable to write kernel subkey\n"); |
| 271 return 1; |
| 272 } |
| 273 } |
| 274 |
255 return 0; | 275 return 0; |
256 } | 276 } |
257 | 277 |
258 | 278 |
259 int main(int argc, char* argv[]) { | 279 int main(int argc, char* argv[]) { |
260 | 280 |
261 char* filename = NULL; | 281 char* filename = NULL; |
262 char* key_block_file = NULL; | 282 char* key_block_file = NULL; |
263 char* signpubkey = NULL; | 283 char* signpubkey = NULL; |
264 char* signprivate = NULL; | 284 char* signprivate = NULL; |
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
315 } | 335 } |
316 | 336 |
317 if (parse_error) | 337 if (parse_error) |
318 return PrintHelp(); | 338 return PrintHelp(); |
319 | 339 |
320 switch(mode) { | 340 switch(mode) { |
321 case OPT_MODE_VBLOCK: | 341 case OPT_MODE_VBLOCK: |
322 return Vblock(filename, key_block_file, signprivate, version, fv_file, | 342 return Vblock(filename, key_block_file, signprivate, version, fv_file, |
323 kernelkey_file); | 343 kernelkey_file); |
324 case OPT_MODE_VERIFY: | 344 case OPT_MODE_VERIFY: |
325 return Verify(filename, signpubkey, fv_file); | 345 return Verify(filename, signpubkey, fv_file, kernelkey_file); |
326 default: | 346 default: |
327 printf("Must specify a mode.\n"); | 347 printf("Must specify a mode.\n"); |
328 return PrintHelp(); | 348 return PrintHelp(); |
329 } | 349 } |
330 } | 350 } |
OLD | NEW |