OLD | NEW |
1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 // | 4 // |
5 // Utility for manipulating verified boot firmware images. | 5 // Utility for manipulating verified boot kernel images. |
6 // | 6 // |
7 | 7 |
8 #include "kernel_utility.h" | 8 #include "kernel_utility.h" |
9 | 9 |
10 #include <errno.h> | 10 #include <errno.h> |
11 #include <getopt.h> | 11 #include <getopt.h> |
12 #include <stdio.h> | 12 #include <stdio.h> |
13 #include <stdint.h> // Needed for UINT16_MAX. | 13 #include <stdint.h> // Needed for UINT16_MAX. |
14 #include <stdlib.h> | 14 #include <stdlib.h> |
15 #include <unistd.h> | 15 #include <unistd.h> |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
48 } | 48 } |
49 | 49 |
50 KernelUtility::~KernelUtility() { | 50 KernelUtility::~KernelUtility() { |
51 RSAPublicKeyFree(firmware_key_pub_); | 51 RSAPublicKeyFree(firmware_key_pub_); |
52 KernelImageFree(image_); | 52 KernelImageFree(image_); |
53 } | 53 } |
54 | 54 |
55 void KernelUtility::PrintUsage(void) { | 55 void KernelUtility::PrintUsage(void) { |
56 cerr << | 56 cerr << |
57 "Utility to generate/verify a verified boot kernel image\n\n" | 57 "Utility to generate/verify a verified boot kernel image\n\n" |
58 "Usage: firmware_utility <--generate|--verify> [OPTIONS]\n\n" | 58 "Usage: kernel_utility <--generate|--verify> [OPTIONS]\n\n" |
59 "For \"--verify\", required OPTIONS are:\n" | 59 "For \"--verify\", required OPTIONS are:\n" |
60 "--in <infile>\t\t\tVerified boot kernel image to verify.\n" | 60 "--in <infile>\t\t\tVerified boot kernel image to verify.\n" |
61 "--firmware_key_pub <pubkeyfile>\tPre-processed public firmware key " | 61 "--firmware_key_pub <pubkeyfile>\tPre-processed public firmware key " |
62 "to use for verification.\n\n" | 62 "to use for verification.\n\n" |
63 "For \"--generate\", required OPTIONS are:\n" | 63 "For \"--generate\", required OPTIONS are:\n" |
64 "--firmware_key <privkeyfile>\tPrivate firmware signing key file\n" | 64 "--firmware_key <privkeyfile>\tPrivate firmware signing key file\n" |
65 "--kernel_key <privkeyfile>\tPrivate kernel signing key file\n" | 65 "--kernel_key <privkeyfile>\tPrivate kernel signing key file\n" |
66 "--kernel_key_pub <pubkeyfile>\tPre-processed public kernel signing" | 66 "--kernel_key_pub <pubkeyfile>\tPre-processed public kernel signing" |
67 " key\n" | 67 " key\n" |
68 "--firmware_sign_algorithm <algoid>\tSigning algorithm used by " | 68 "--firmware_sign_algorithm <algoid>\tSigning algorithm used by " |
(...skipping 151 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
220 | 220 |
221 // Update header length. | 221 // Update header length. |
222 image_->header_len = GetKernelHeaderLen(image_); | 222 image_->header_len = GetKernelHeaderLen(image_); |
223 | 223 |
224 // Calculate header checksum. | 224 // Calculate header checksum. |
225 DigestInit(&ctx, SHA512_DIGEST_ALGORITHM); | 225 DigestInit(&ctx, SHA512_DIGEST_ALGORITHM); |
226 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->header_version), | 226 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->header_version), |
227 sizeof(image_->header_version)); | 227 sizeof(image_->header_version)); |
228 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->header_len), | 228 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->header_len), |
229 sizeof(image_->header_len)); | 229 sizeof(image_->header_len)); |
230 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->kernel_sign_algorithm), | 230 DigestUpdate(&ctx, |
| 231 reinterpret_cast<uint8_t*>(&image_->firmware_sign_algorithm), |
| 232 sizeof(image_->firmware_sign_algorithm)); |
| 233 DigestUpdate(&ctx, |
| 234 reinterpret_cast<uint8_t*>(&image_->kernel_sign_algorithm), |
231 sizeof(image_->kernel_sign_algorithm)); | 235 sizeof(image_->kernel_sign_algorithm)); |
232 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->kernel_key_version), | 236 DigestUpdate(&ctx, reinterpret_cast<uint8_t*>(&image_->kernel_key_version), |
233 sizeof(image_->kernel_key_version)); | 237 sizeof(image_->kernel_key_version)); |
234 DigestUpdate(&ctx, image_->kernel_sign_key, | 238 DigestUpdate(&ctx, image_->kernel_sign_key, |
235 RSAProcessedKeySize(image_->kernel_sign_algorithm)); | 239 RSAProcessedKeySize(image_->kernel_sign_algorithm)); |
236 header_checksum = DigestFinal(&ctx); | 240 header_checksum = DigestFinal(&ctx); |
237 Memcpy(image_->header_checksum, header_checksum, SHA512_DIGEST_SIZE); | 241 Memcpy(image_->header_checksum, header_checksum, SHA512_DIGEST_SIZE); |
238 Free(header_checksum); | 242 Free(header_checksum); |
239 | 243 |
240 image_->kernel_version = kernel_version_; | 244 image_->kernel_version = kernel_version_; |
241 image_->options.version[0] = options_.version[0]; | 245 image_->options.version[0] = options_.version[0]; |
242 image_->options.version[1] = options_.version[1]; | 246 image_->options.version[1] = options_.version[1]; |
243 image_->options.kernel_load_addr = options_.kernel_load_addr; | 247 image_->options.kernel_load_addr = options_.kernel_load_addr; |
244 image_->options.kernel_entry_addr = options_.kernel_entry_addr; | 248 image_->options.kernel_entry_addr = options_.kernel_entry_addr; |
245 image_->kernel_data = BufferFromFile(in_file_.c_str(), | 249 image_->kernel_data = BufferFromFile(in_file_.c_str(), |
246 &image_->options.kernel_len); | 250 &image_->options.kernel_len); |
247 if (!image_) | 251 if (!image_) |
248 return false; | 252 return false; |
249 // Generate and add the signatures. | 253 // Generate and add the signatures. |
250 if (!AddKernelKeySignature(image_, firmware_key_file_.c_str())) { | 254 if (!AddKernelKeySignature(image_, firmware_key_file_.c_str())) { |
251 cerr << "Couldn't write key signature to verified boot image.\n"; | 255 cerr << "Couldn't write key signature to verified boot kernel image.\n"; |
252 return false; | 256 return false; |
253 } | 257 } |
254 | 258 |
255 if (!AddKernelSignature(image_, kernel_key_file_.c_str())) { | 259 if (!AddKernelSignature(image_, kernel_key_file_.c_str())) { |
256 cerr << "Couldn't write firmware signature to verified boot image.\n"; | 260 cerr << "Couldn't write firmware signature to verified boot kernel image.\n"
; |
257 return false; | 261 return false; |
258 } | 262 } |
259 return true; | 263 return true; |
260 } | 264 } |
261 | 265 |
262 bool KernelUtility::VerifySignedImage(void) { | 266 bool KernelUtility::VerifySignedImage(void) { |
263 int error; | 267 int error; |
264 firmware_key_pub_ = RSAPublicKeyFromFile(firmware_key_pub_file_.c_str()); | 268 firmware_key_pub_ = RSAPublicKeyFromFile(firmware_key_pub_file_.c_str()); |
265 image_ = ReadKernelImage(in_file_.c_str()); | 269 image_ = ReadKernelImage(in_file_.c_str()); |
266 | 270 |
267 if (!firmware_key_pub_) { | 271 if (!firmware_key_pub_) { |
268 cerr << "Couldn't read pre-processed public root key.\n"; | 272 cerr << "Couldn't read pre-processed public root key.\n"; |
269 return false; | 273 return false; |
270 } | 274 } |
271 | 275 |
272 if (!image_) { | 276 if (!image_) { |
273 cerr << "Couldn't read firmware image or malformed image.\n"; | 277 cerr << "Couldn't read kernel image or malformed image.\n"; |
274 return false; | 278 return false; |
275 } | 279 } |
276 if (!(error = VerifyKernelImage(firmware_key_pub_, image_, 0))) | 280 if (!(error = VerifyKernelImage(firmware_key_pub_, image_, 0))) |
277 return true; | 281 return true; |
278 cerr << VerifyKernelErrorString(error) << "\n"; | 282 cerr << VerifyKernelErrorString(error) << "\n"; |
279 return false; | 283 return false; |
280 } | 284 } |
281 | 285 |
282 bool KernelUtility::CheckOptions(void) { | 286 bool KernelUtility::CheckOptions(void) { |
283 if (is_generate_ == is_verify_) { | 287 if (is_generate_ == is_verify_) { |
(...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
349 } | 353 } |
350 if (fu.is_verify()) { | 354 if (fu.is_verify()) { |
351 cerr << "Verification "; | 355 cerr << "Verification "; |
352 if (fu.VerifySignedImage()) | 356 if (fu.VerifySignedImage()) |
353 cerr << "SUCCESS.\n"; | 357 cerr << "SUCCESS.\n"; |
354 else | 358 else |
355 cerr << "FAILURE.\n"; | 359 cerr << "FAILURE.\n"; |
356 } | 360 } |
357 return 0; | 361 return 0; |
358 } | 362 } |
OLD | NEW |