| OLD | NEW |
|---|
| 1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 // | 4 // |
| 5 // Utility for manipulating verified boot firmware images. | 5 // Utility for manipulating verified boot kernel images. |
| 6 // | 6 // |
| 7 | 7 |
| 8 #include "kernel_utility.h" | 8 #include "kernel_utility.h" |
| 9 | 9 |
| 10 #include <errno.h> | 10 #include <errno.h> |
| 11 #include <getopt.h> | 11 #include <getopt.h> |
| 12 #include <stdio.h> | 12 #include <stdio.h> |
| 13 #include <stdint.h> // Needed for UINT16_MAX. | 13 #include <stdint.h> // Needed for UINT16_MAX. |
| 14 #include <stdlib.h> | 14 #include <stdlib.h> |
| 15 #include <unistd.h> | 15 #include <unistd.h> |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 48 } | 48 } |
| 49 | 49 |
| 50 KernelUtility::~KernelUtility() { | 50 KernelUtility::~KernelUtility() { |
| 51 RSAPublicKeyFree(firmware_key_pub_); | 51 RSAPublicKeyFree(firmware_key_pub_); |
| 52 KernelImageFree(image_); | 52 KernelImageFree(image_); |
| 53 } | 53 } |
| 54 | 54 |
| 55 void KernelUtility::PrintUsage(void) { | 55 void KernelUtility::PrintUsage(void) { |
| 56 cerr << | 56 cerr << |
| 57 "Utility to generate/verify a verified boot kernel image\n\n" | 57 "Utility to generate/verify a verified boot kernel image\n\n" |
| 58 "Usage: firmware_utility <--generate|--verify> [OPTIONS]\n\n" | 58 "Usage: kernel_utility <--generate|--verify> [OPTIONS]\n\n" |
| 59 "For \"--verify\", required OPTIONS are:\n" | 59 "For \"--verify\", required OPTIONS are:\n" |
| 60 "--in <infile>\t\t\tVerified boot kernel image to verify.\n" | 60 "--in <infile>\t\t\tVerified boot kernel image to verify.\n" |
| 61 "--firmware_key_pub <pubkeyfile>\tPre-processed public firmware key " | 61 "--firmware_key_pub <pubkeyfile>\tPre-processed public firmware key " |
| 62 "to use for verification.\n\n" | 62 "to use for verification.\n\n" |
| 63 "For \"--generate\", required OPTIONS are:\n" | 63 "For \"--generate\", required OPTIONS are:\n" |
| 64 "--firmware_key <privkeyfile>\tPrivate firmware signing key file\n" | 64 "--firmware_key <privkeyfile>\tPrivate firmware signing key file\n" |
| 65 "--kernel_key <privkeyfile>\tPrivate kernel signing key file\n" | 65 "--kernel_key <privkeyfile>\tPrivate kernel signing key file\n" |
| 66 "--kernel_key_pub <pubkeyfile>\tPre-processed public kernel signing" | 66 "--kernel_key_pub <pubkeyfile>\tPre-processed public kernel signing" |
| 67 " key\n" | 67 " key\n" |
| 68 "--firmware_sign_algorithm <algoid>\tSigning algorithm used by " | 68 "--firmware_sign_algorithm <algoid>\tSigning algorithm used by " |
| (...skipping 151 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 220 | 220 |
| 221 // Update header length. | 221 // Update header length. |
| 222 image_->header_len = GetKernelHeaderLen(image_); | 222 image_->header_len = GetKernelHeaderLen(image_); |
| 223 | 223 |
| 224 // Calculate header checksum. | 224 // Calculate header checksum. |
| 225 DigestInit(&ctx, SHA512_DIGEST_ALGORITHM); | 225 DigestInit(&ctx, SHA512_DIGEST_ALGORITHM); |
| 226 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->header_version), | 226 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->header_version), |
| 227 sizeof(image_->header_version)); | 227 sizeof(image_->header_version)); |
| 228 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->header_len), | 228 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->header_len), |
| 229 sizeof(image_->header_len)); | 229 sizeof(image_->header_len)); |
| 230 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->kernel_sign_algorithm), | 230 DigestUpdate(&ctx, |
| 231 reinterpret_cast<uint8_t*>(&image_->firmware_sign_algorithm), |
| 232 sizeof(image_->firmware_sign_algorithm)); |
| 233 DigestUpdate(&ctx, |
| 234 reinterpret_cast<uint8_t*>(&image_->kernel_sign_algorithm), |
| 231 sizeof(image_->kernel_sign_algorithm)); | 235 sizeof(image_->kernel_sign_algorithm)); |
| 232 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->kernel_key_version), | 236 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->kernel_key_version), |
| 233 sizeof(image_->kernel_key_version)); | 237 sizeof(image_->kernel_key_version)); |
| 234 DigestUpdate(&ctx, image_->kernel_sign_key, | 238 DigestUpdate(&ctx, image_->kernel_sign_key, |
| 235 RSAProcessedKeySize(image_->kernel_sign_algorithm)); | 239 RSAProcessedKeySize(image_->kernel_sign_algorithm)); |
| 236 header_checksum = DigestFinal(&ctx); | 240 header_checksum = DigestFinal(&ctx); |
| 237 Memcpy(image_->header_checksum, header_checksum, SHA512_DIGEST_SIZE); | 241 Memcpy(image_->header_checksum, header_checksum, SHA512_DIGEST_SIZE); |
| 238 Free(header_checksum); | 242 Free(header_checksum); |
| 239 | 243 |
| 240 image_->kernel_version = kernel_version_; | 244 image_->kernel_version = kernel_version_; |
| 241 image_->options.version[0] = options_.version[0]; | 245 image_->options.version[0] = options_.version[0]; |
| 242 image_->options.version[1] = options_.version[1]; | 246 image_->options.version[1] = options_.version[1]; |
| 243 image_->options.kernel_load_addr = options_.kernel_load_addr; | 247 image_->options.kernel_load_addr = options_.kernel_load_addr; |
| 244 image_->options.kernel_entry_addr = options_.kernel_entry_addr; | 248 image_->options.kernel_entry_addr = options_.kernel_entry_addr; |
| 245 image_->kernel_data = BufferFromFile(in_file_.c_str(), | 249 image_->kernel_data = BufferFromFile(in_file_.c_str(), |
| 246 &image_->options.kernel_len); | 250 &image_->options.kernel_len); |
| 247 if (!image_) | 251 if (!image_) |
| 248 return false; | 252 return false; |
| 249 // Generate and add the signatures. | 253 // Generate and add the signatures. |
| 250 if (!AddKernelKeySignature(image_, firmware_key_file_.c_str())) { | 254 if (!AddKernelKeySignature(image_, firmware_key_file_.c_str())) { |
| 251 cerr << "Couldn't write key signature to verified boot image.\n"; | 255 cerr << "Couldn't write key signature to verified boot kernel image.\n"; |
| 252 return false; | 256 return false; |
| 253 } | 257 } |
| 254 | 258 |
| 255 if (!AddKernelSignature(image_, kernel_key_file_.c_str())) { | 259 if (!AddKernelSignature(image_, kernel_key_file_.c_str())) { |
| 256 cerr << "Couldn't write firmware signature to verified boot image.\n"; | 260 cerr << "Couldn't write firmware signature to verified boot kernel image.\n"
; |
| 257 return false; | 261 return false; |
| 258 } | 262 } |
| 259 return true; | 263 return true; |
| 260 } | 264 } |
| 261 | 265 |
| 262 bool KernelUtility::VerifySignedImage(void) { | 266 bool KernelUtility::VerifySignedImage(void) { |
| 263 int error; | 267 int error; |
| 264 firmware_key_pub_ = RSAPublicKeyFromFile(firmware_key_pub_file_.c_str()); | 268 firmware_key_pub_ = RSAPublicKeyFromFile(firmware_key_pub_file_.c_str()); |
| 265 image_ = ReadKernelImage(in_file_.c_str()); | 269 image_ = ReadKernelImage(in_file_.c_str()); |
| 266 | 270 |
| 267 if (!firmware_key_pub_) { | 271 if (!firmware_key_pub_) { |
| 268 cerr << "Couldn't read pre-processed public root key.\n"; | 272 cerr << "Couldn't read pre-processed public root key.\n"; |
| 269 return false; | 273 return false; |
| 270 } | 274 } |
| 271 | 275 |
| 272 if (!image_) { | 276 if (!image_) { |
| 273 cerr << "Couldn't read firmware image or malformed image.\n"; | 277 cerr << "Couldn't read kernel image or malformed image.\n"; |
| 274 return false; | 278 return false; |
| 275 } | 279 } |
| 276 if (!(error = VerifyKernelImage(firmware_key_pub_, image_, 0))) | 280 if (!(error = VerifyKernelImage(firmware_key_pub_, image_, 0))) |
| 277 return true; | 281 return true; |
| 278 cerr << VerifyKernelErrorString(error) << "\n"; | 282 cerr << VerifyKernelErrorString(error) << "\n"; |
| 279 return false; | 283 return false; |
| 280 } | 284 } |
| 281 | 285 |
| 282 bool KernelUtility::CheckOptions(void) { | 286 bool KernelUtility::CheckOptions(void) { |
| 283 if (is_generate_ == is_verify_) { | 287 if (is_generate_ == is_verify_) { |
| (...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 349 } | 353 } |
| 350 if (fu.is_verify()) { | 354 if (fu.is_verify()) { |
| 351 cerr << "Verification "; | 355 cerr << "Verification "; |
| 352 if (fu.VerifySignedImage()) | 356 if (fu.VerifySignedImage()) |
| 353 cerr << "SUCCESS.\n"; | 357 cerr << "SUCCESS.\n"; |
| 354 else | 358 else |
| 355 cerr << "FAILURE.\n"; | 359 cerr << "FAILURE.\n"; |
| 356 } | 360 } |
| 357 return 0; | 361 return 0; |
| 358 } | 362 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 975007:
Add fuzz testing driver programs for kernel and firmware verification. (Closed)
