README - fp2-dev/platform/external/vboot_reference - Gitiles

 This directory contains a reference implementation for Chrome OS
 verified boot in firmware.

 ----------
 Directory Structure
 ----------

 The source is organized into distinct modules -

 vboot_firmware/ - Contains ONLY the code required by the BIOS to validate
 the secure boot components. There shouldn't be any code in here that signs
 or generates images. BIOS should require ONLY this directory to implement
 secure boot. Refer to vboot_firmware/README for futher details.

 cgptlib/ - Work in progress for handling GPT headers. Parts of this will no
 doubt be migrated into vboot_firmware/

 misclibs/ - Miscellaneous functions used by userland utilities.

 utility/ - Utilities for generating and verifying signed
 firmware and kernel images, as well as arbitrary blobs.

 vfirmware/ and vkernel/ - Functions for generating, verifying, and
 manipulating signed firmware and kernel images.

 tests/ - User-land tests and benchmarks that test the reference
 implementation. Please have a look at these if you'd like to
 understand how to use the reference implementation.


 ----------
 Some useful utilities:
 ----------

 firmware_utility.c To generate verified boot firmware images.

 kernel_utility.c To generate verified boot kernel images.

 dumpRSAPublicKey.c Dump RSA Public key (from a DER-encoded X509
                    certificate) in a format suitable for
 		   use by RSAVerify* functions in
                    crypto/.

 verify_data.c Verify a given signature on a given file.


 ----------
 Generating a signed firmware image:
 ----------

 * Step 1: Generate RSA root and signing keys.

 # Root key is always 8192 bits.
 $ openssl genrsa -F4 -out root_key.pem 8192

 # Signing key can be between 1024-8192 bits.
 $ openssl genrsa -F4 -out signing_key.pem <1024|2048|4096|8192>

 Note: The -F4 option must be specified to generate RSA keys with
       a public exponent of 65535. RSA keys with 3 as a public
       exponent (the default) won't work.

 * Step 2: Generate pre-processed public versions of the above keys using
         utility/dumpRSAPublicKey

 # dumpRSAPublicKey expects an x509 certificate as input.
 $ openssl req -batch -new -x509 -key root_key.pem -out root_key.crt
 $ openssl req -batch -new -x509 -key signing_key.pem -out signing_key.crt
 $ utility/dumpRSAPublicKey root_key.crt > root_key.keyb
 $ utility/dumpRSAPublicKey signing_key.crt > signing_key.keyb

 At this point we have all the requisite keys needed to generate a signed
 firmware image.

 .pem   RSA Public/Private Key Pair
 .crt   X509 Key Certificate
 .keyb  Pre-processed RSA Public Key


 * Step 3: Use utility/firmware_utility to generate a signed firmare blob.

 $ utility/firmware_utility --generate \
   --root_key root_key.pem \
   --firmware_sign_key signing_key.pem \
   --firmware_sign_key_pub signing_key.keyb \
   --firmware_sign_algorithm <algoid> \
   --firmware_key_version 1 \
   --firmware_version 1 \
   --in <firmware blob file> \
   --out <output file>

 Where <algoid> is based on the signature algorithm to use for firmware
 signining. The list of <algoid> specifications can be output by running
 'utility/firmware_utility' without any arguments.

 Note: --firmware_key_version and --firmware_version are part of a signed
       image and are used to prevent rollbacks to older version. For testing,
       they can just be set valid values.


 * Step 4: Verify that this image verifies.

 $ utility/firmware_utility --verify \
                          --in <signed firmware image>
                          --root_key_pub root_key.keyb
 Verification SUCCESS.


 Note: The verification functions expects a pointer to the
       pre-processed public root key as input. For testing purposes,
       root_key.keyb can be stored in RW part of the firmware. For the
       final firmware, this will be a fixed public key which cannot be
       changed and must be stored in RO firmware.

 ----------
 Generating a signed kernel image:
 ----------

 The steps for generating a signed kernel image are similar to that of
 a firmware image. Since verification is chained - RO firmware verifies
 RW firmware which verifies the kernel, only the keys change. An additional
 kernel signing key must be generated. The firmware signing generated above
 is the root key equivalent for signed kernel images.
	This directory contains a reference implementation for Chrome OS
	verified boot in firmware.

	----------
	Directory Structure
	----------

	The source is organized into distinct modules -

	vboot_firmware/ - Contains ONLY the code required by the BIOS to validate
	the secure boot components. There shouldn't be any code in here that signs
	or generates images. BIOS should require ONLY this directory to implement
	secure boot. Refer to vboot_firmware/README for futher details.

	cgptlib/ - Work in progress for handling GPT headers. Parts of this will no
	doubt be migrated into vboot_firmware/

	misclibs/ - Miscellaneous functions used by userland utilities.

	utility/ - Utilities for generating and verifying signed
	firmware and kernel images, as well as arbitrary blobs.

	vfirmware/ and vkernel/ - Functions for generating, verifying, and
	manipulating signed firmware and kernel images.

	tests/ - User-land tests and benchmarks that test the reference
	implementation. Please have a look at these if you'd like to
	understand how to use the reference implementation.


	----------
	Some useful utilities:
	----------

	firmware_utility.c To generate verified boot firmware images.

	kernel_utility.c To generate verified boot kernel images.

	dumpRSAPublicKey.c Dump RSA Public key (from a DER-encoded X509
	certificate) in a format suitable for
	use by RSAVerify* functions in
	crypto/.

	verify_data.c Verify a given signature on a given file.



	----------
	Generating a signed firmware image:
	----------

	* Step 1: Generate RSA root and signing keys.

	# Root key is always 8192 bits.
	$ openssl genrsa -F4 -out root_key.pem 8192

	# Signing key can be between 1024-8192 bits.
	$ openssl genrsa -F4 -out signing_key.pem <1024\|2048\|4096\|8192>

	Note: The -F4 option must be specified to generate RSA keys with
	a public exponent of 65535. RSA keys with 3 as a public
	exponent (the default) won't work.

	* Step 2: Generate pre-processed public versions of the above keys using
	utility/dumpRSAPublicKey

	# dumpRSAPublicKey expects an x509 certificate as input.
	$ openssl req -batch -new -x509 -key root_key.pem -out root_key.crt
	$ openssl req -batch -new -x509 -key signing_key.pem -out signing_key.crt
	$ utility/dumpRSAPublicKey root_key.crt > root_key.keyb
	$ utility/dumpRSAPublicKey signing_key.crt > signing_key.keyb

	At this point we have all the requisite keys needed to generate a signed
	firmware image.

	.pem RSA Public/Private Key Pair
	.crt X509 Key Certificate
	.keyb Pre-processed RSA Public Key


	* Step 3: Use utility/firmware_utility to generate a signed firmare blob.

	$ utility/firmware_utility --generate \
	--root_key root_key.pem \
	--firmware_sign_key signing_key.pem \
	--firmware_sign_key_pub signing_key.keyb \
	--firmware_sign_algorithm <algoid> \
	--firmware_key_version 1 \
	--firmware_version 1 \
	--in <firmware blob file> \
	--out <output file>

	Where <algoid> is based on the signature algorithm to use for firmware
	signining. The list of <algoid> specifications can be output by running
	'utility/firmware_utility' without any arguments.

	Note: --firmware_key_version and --firmware_version are part of a signed
	image and are used to prevent rollbacks to older version. For testing,
	they can just be set valid values.


	* Step 4: Verify that this image verifies.

	$ utility/firmware_utility --verify \
	--in <signed firmware image>
	--root_key_pub root_key.keyb
	Verification SUCCESS.


	Note: The verification functions expects a pointer to the
	pre-processed public root key as input. For testing purposes,
	root_key.keyb can be stored in RW part of the firmware. For the
	final firmware, this will be a fixed public key which cannot be
	changed and must be stored in RO firmware.

	----------
	Generating a signed kernel image:
	----------

	The steps for generating a signed kernel image are similar to that of
	a firmware image. Since verification is chained - RO firmware verifies
	RW firmware which verifies the kernel, only the keys change. An additional
	kernel signing key must be generated. The firmware signing generated above
	is the root key equivalent for signed kernel images.