| OLD | NEW |
| 1 This directory contains a reference implementation for Chrome OS | 1 This directory contains a reference implementation for Chrome OS |
| 2 verified boot in firmware. | 2 verified boot in firmware. |
| 3 | 3 |
| 4 ---------- | 4 ---------- |
| 5 Directory Structure | 5 Directory Structure |
| 6 ---------- | 6 ---------- |
| 7 | 7 |
| 8 The source is organized into distinct modules - | 8 The source is organized into distinct modules - |
| 9 | 9 |
| 10 vboot_firmware/ - Contains ONLY the code required by the BIOS to validate | 10 firmware/ - Contains ONLY the code required by the BIOS to validate |
| 11 the secure boot components. There shouldn't be any code in here that signs | 11 the secure boot components. There shouldn't be any code in here that |
| 12 or generates images. BIOS should require ONLY this directory to implement | 12 signs or generates images. BIOS should require ONLY this directory to |
| 13 secure boot. Refer to vboot_firmware/README for futher details. | 13 implement secure boot. Refer to firmware/README for futher details. |
| 14 | 14 |
| 15 cgptlib/ - Work in progress for handling GPT headers. Parts of this will no | 15 cgpt/ - Utility to read/write/modify GPT partitions. Much like the |
| 16 doubt be migrated into vboot_firmware/ | 16 gpt tool, but with support for Chrome OS extensiosn. |
| 17 | 17 |
| 18 misclibs/ - Miscellaneous functions used by userland utilities. | 18 host/ - Miscellaneous functions used by userland utilities. |
| 19 | 19 |
| 20 utility/ - Utilities for generating and verifying signed | 20 utility/ - Utilities for generating and verifying signed |
| 21 firmware and kernel images, as well as arbitrary blobs. | 21 firmware and kernel images, as well as arbitrary blobs. |
| 22 | 22 |
| 23 vfirmware/ and vkernel/ - Functions for generating, verifying, and | |
| 24 manipulating signed firmware and kernel images. | |
| 25 | |
| 26 tests/ - User-land tests and benchmarks that test the reference | 23 tests/ - User-land tests and benchmarks that test the reference |
| 27 implementation. Please have a look at these if you'd like to | 24 implementation. Please have a look at these if you'd like to |
| 28 understand how to use the reference implementation. | 25 understand how to use the reference implementation. |
| 29 | 26 |
| 30 build/ - a directory where the generated files go to. | 27 build/ - a directory where the generated files go to. |
| 31 | 28 |
| 32 -------------------- | 29 -------------------- |
| 33 Building and testing | 30 Building and testing |
| 34 -------------------- | 31 -------------------- |
| 35 | 32 |
| (...skipping 18 matching lines...) |
| 54 in the top level directory or | 51 in the top level directory or |
| 55 | 52 |
| 56 cd tests | 53 cd tests |
| 57 BUILD=../build make runtests | 54 BUILD=../build make runtests |
| 58 | 55 |
| 59 | 56 |
| 60 ---------- | 57 ---------- |
| 61 Some useful utilities: | 58 Some useful utilities: |
| 62 ---------- | 59 ---------- |
| 63 | 60 |
| 64 firmware_utility.c To generate verified boot firmware images. | 61 vbutil_key» » Convert a public key into .vbpubk format |
| 62 vbutil_keyblock»» Wrap a public key inside a signature and checksum |
| 63 vbutil_firmware»» Create a .vblock with signature info for a |
| 64 » » » firmware image |
| 65 vbutil_kernel» » Pack a kernel image, bootloader, and config into |
| 66 » » » a signed binary |
| 65 | 67 |
| 66 kernel_utility.c To generate verified boot kernel images. | 68 dumpRSAPublicKey » Dump RSA Public key (from a DER-encoded X509 |
| 67 | 69 » » » certificate) in a format suitable for |
| 68 dumpRSAPublicKey.c Dump RSA Public key (from a DER-encoded X509 | 70 » » » use by RSAVerify* functions in |
| 69 certificate) in a format suitable for | 71 » crypto/. |
| 70 » » use by RSAVerify* functions in | |
| 71 crypto/. | |
| 72 | 72 |
| 73 verify_data.c Verify a given signature on a given file. | 73 verify_data.c Verify a given signature on a given file. |
| 74 | 74 |
| 75 | 75 |
| 76 | 76 |
| 77 ---------- | 77 ---------- |
| 78 Generating a signed firmware image: | 78 Generating a signed firmware image: |
| 79 ---------- | 79 ---------- |
| 80 | 80 |
| 81 * Step 1: Generate RSA root and signing keys. | 81 * Step 1: Generate RSA root and signing keys. |
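Review bot: In the new utilities list (new lines 61-73), verify_data.c keeps its .c suffix while dumpRSAPublicKey and the vbutil_* entries are listed by binary name; pick one convention. The continuation at new line 71 is indented with a single tab where lines 69-70 use three, so "crypto/." will not line up with the rest of the description. vbutil_key is described as producing .vbpubk, so it would help to state here how that format relates to the .keyb output of dumpRSAPublicKey that Step 2 still uses.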
| (...skipping 10 matching lines...) |
| 92 | 92 |
| 93 * Step 2: Generate pre-processed public versions of the above keys using | 93 * Step 2: Generate pre-processed public versions of the above keys using |
| 94 utility/dumpRSAPublicKey | 94 utility/dumpRSAPublicKey |
| 95 | 95 |
| 96 # dumpRSAPublicKey expects an x509 certificate as input. | 96 # dumpRSAPublicKey expects an x509 certificate as input. |
| 97 $ openssl req -batch -new -x509 -key root_key.pem -out root_key.crt | 97 $ openssl req -batch -new -x509 -key root_key.pem -out root_key.crt |
| 98 $ openssl req -batch -new -x509 -key signing_key.pem -out signing_key.crt | 98 $ openssl req -batch -new -x509 -key signing_key.pem -out signing_key.crt |
| 99 $ utility/dumpRSAPublicKey root_key.crt > root_key.keyb | 99 $ utility/dumpRSAPublicKey root_key.crt > root_key.keyb |
| 100 $ utility/dumpRSAPublicKey signing_key.crt > signing_key.keyb | 100 $ utility/dumpRSAPublicKey signing_key.crt > signing_key.keyb |
| 101 | 101 |
| 102 ************** TODO: STUFF PAST HERE IS OUT OF DATE *************** |
| 103 |
| 102 At this point we have all the requisite keys needed to generate a signed | 104 At this point we have all the requisite keys needed to generate a signed |
| 103 firmware image. | 105 firmware image. |
| 104 | 106 |
| 105 .pem RSA Public/Private Key Pair | 107 .pem RSA Public/Private Key Pair |
| 106 .crt X509 Key Certificate | 108 .crt X509 Key Certificate |
| 107 .keyb Pre-processed RSA Public Key | 109 .keyb Pre-processed RSA Public Key |
| 108 | 110 |
| 109 | 111 |
| 110 * Step 3: Use utility/firmware_utility to generate a signed firmare blob. | 112 * Step 3: Use utility/firmware_utility to generate a signed firmare blob. |
| 111 | 113 |
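Review bot: The out-of-date marker at new line 102 sits below Step 2, which implies Steps 1 and 2 are current, but it does not say what replaces the stale part. Step 3 at new line 112 still names utility/firmware_utility, which this change removes from the utilities list in favour of vbutil_firmware, and "firmare" is still misspelled there. Either point Step 3 at vbutil_firmware or extend the TODO to name the replacement tools, so that nobody follows the old signing procedure from this README.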
| (...skipping 32 matching lines...) |
| 144 | 146 |
| 145 ---------- | 147 ---------- |
| 146 Generating a signed kernel image: | 148 Generating a signed kernel image: |
| 147 ---------- | 149 ---------- |
| 148 | 150 |
| 149 The steps for generating a signed kernel image are similar to that of | 151 The steps for generating a signed kernel image are similar to that of |
| 150 a firmware image. Since verification is chained - RO firmware verifies | 152 a firmware image. Since verification is chained - RO firmware verifies |
| 151 RW firmware which verifies the kernel, only the keys change. An additional | 153 RW firmware which verifies the kernel, only the keys change. An additional |
| 152 kernel signing key must be generated. The firmware signing generated above | 154 kernel signing key must be generated. The firmware signing generated above |
| 153 is the root key equivalent for signed kernel images. | 155 is the root key equivalent for signed kernel images. |