| Gaurav Shah | 56c9f4d | 2010-03-03 13:15:53 -0800 | [diff] [blame] | 1 | This directory contains a reference implementation for Chrome OS |
| 2 | verified boot in firmware. |
| 3 | |
| 4 | ---------- |
| 5 | Directory Structure |
| 6 | ---------- |
| 7 | |
| 8 | include/ - Contains all the code headers. firmware_image.h and |
| 9 | kernel_image.h contains the structures that represent a verified boot |
| 10 | firmware and kernel image. Note that the |
| 11 | |
| 12 | crypto/ - Contains the implementation for the crypto library. This |
| 13 | includes implementations for SHA1, SHA256, SHA512, and RSA signature |
| 14 | verification (for PKCS #1 v1.5 signatures). |
| 15 | |
| 16 | common/ - Contains some utility functions and stub implementations for |
| 17 | certain wrapper functions used in the verification code. Some of these |
| 18 | (for example Free(), Malloc()) will need to be replaced with |
| 19 | appropriate firmware-land equivalent. |
| 20 | |
| 21 | utils/ - This contains the implementation of kernel and firmware image |
| 22 | verification (see firmware_image.c and kernel_image.c) and some |
| 23 | utilities (e.g. firmware_utility - for generating verified boot |
| 24 | firmware images). |
| 25 | |
| 26 | tests/ - User-land tests and benchmarks that test the reference |
| 27 | implementation. Please have a look at these if you'd like to |
| 28 | understand how to use the reference implementation. |
| 29 | |
| 30 | |
| 31 | ---------- |
| 32 | Some useful utilities: |
| 33 | ---------- |
| 34 | |
| 35 | firmware_utility.c To generate verified boot firmware images. |
| 36 | |
| 37 | dumpRSAPublicKey.c Dump RSA Public key (from a DER-encoded X509 |
| 38 | certificate) in a format suitable for |
| 39 | use by RSAVerify* functions in |
| 40 | crypto/. |
| 41 | |
| 42 | verify_data.c Verify a given signature on a given file. |
| 43 | |
| 44 | |
| 45 | ---------- |
| 46 | Here's what is required for a minimal verified boot implementation |
| 47 | ---------- |
| 48 | |
| 49 | 1) Crypto implementation from crypto/. The verified boot code should |
| 50 | use the wrappers from rsa_utility.h and sha_utility.h - RSAVerify_f() |
| 51 | and Digest*() functions. |
| 52 | |
| 53 | 2) Verified Firmware and Kernel image verification functions - only |
| 54 | functions that work on binary blobs (VerifyFirmware() and |
| 55 | VerifyKernel()) are required. The functions that work on Firmware and |
| 56 | Kernel images (e.g. VerifyFirmwareImage()) are only useful for |
| 57 | user-land utilities that manipulate signed firmware and kernel images. |
| 58 | |