Randall Spangler | 6a97b3e | 2010-06-10 17:55:02 -0700 | [diff] [blame] | 1 | #!/bin/bash |
| 2 | |
Randall Spangler | e8cfa31 | 2013-01-02 16:49:38 -0800 | [diff] [blame] | 3 | # Copyright (c) 2013 The Chromium OS Authors. All rights reserved. |
Randall Spangler | 6a97b3e | 2010-06-10 17:55:02 -0700 | [diff] [blame] | 4 | # Use of this source code is governed by a BSD-style license that can be |
| 5 | # found in the LICENSE file. |
| 6 | |
| 7 | # Run verified boot firmware and kernel verification tests. |
| 8 | |
| 9 | # Load common constants and variables. |
. "$(dirname "$0")/common.sh"

# Accumulated exit status for the whole run: stays 0 until a test step fails,
# after which the test functions set it to 255; the script exits with it.
return_code=0
| 13 | |
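#######################################
# Pack one test RSA public key into a .vbpubk and unpack it again.
# Globals:   FUTILITY, TESTKEY_DIR, TESTKEY_SCRATCH_DIR, COL_* (read);
#            return_code (set to 255 if pack or unpack fails)
# Arguments: $1 - vboot algorithm number
#            $2 - RSA key length in bits (selects key_rsa<len>.keyb)
#            $3 - hash algorithm name (display only)
#######################################
test_vbutil_key_single() {
  local algonum=$1
  local keylen=$2
  local hashalgo=$3
  local pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk"

  # COL_* come from common.sh and may hold backslash escapes, so keep echo -e.
  echo -e "For signing key ${COL_YELLOW}RSA-$keylen/$hashalgo${COL_STOP}:"
  # Pack the key
  if ! "${FUTILITY}" vbutil_key \
      --pack "${pubkey}" \
      --key "${TESTKEY_DIR}/key_rsa${keylen}.keyb" \
      --version 1 \
      --algorithm "${algonum}"; then
    return_code=255
  fi

  # Unpack the key
  # TODO: should verify we get the same key back out?
  if ! "${FUTILITY}" vbutil_key --unpack "${pubkey}"; then
    return_code=255
  fi
}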
| 40 | |
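#######################################
# Run test_vbutil_key_single for every key length / hash algorithm pair from
# common.sh.  Algorithm numbers count up in nested-loop order (key length
# outer, hash algorithm inner), starting at 0.
# Globals:   key_lengths, hash_algos (read)
#######################################
test_vbutil_key_all() {
  # Loop counter is local now; nothing else in this file read the global.
  local algorithmcounter=0
  local keylen hashalgo
  for keylen in "${key_lengths[@]}"; do
    for hashalgo in "${hash_algos[@]}"; do
      test_vbutil_key_single "${algorithmcounter}" "${keylen}" "${hashalgo}"
      # Arithmetic assignment rather than (( counter++ )), whose exit status
      # is 1 when the counter is 0.
      algorithmcounter=$((algorithmcounter + 1))
    done
  done
}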
| 52 | |
#######################################
# Spot-check vbutil_key with three fixed algorithm/key-length/hash
# combinations (the full matrix is test_vbutil_key_all).
#######################################
test_vbutil_key() {
  local -a combos=(
    "4 2048 sha256"
    "7 4096 sha256"
    "11 8192 sha512"
  )
  local combo algonum keylen hashalgo
  for combo in "${combos[@]}"; do
    read -r algonum keylen hashalgo <<<"${combo}"
    test_vbutil_key_single "${algonum}" "${keylen}" "${hashalgo}"
  done
}
Randall Spangler | 6a97b3e | 2010-06-10 17:55:02 -0700 | [diff] [blame] | 58 | |
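#######################################
# Pack a keyblock, unpack it and check that the data public key comes back
# unchanged.  Helper for test_vbutil_keyblock_single.
# Globals:   FUTILITY, COL_* (read); return_code (set to 255 on failure)
# Arguments: $1 - keyblock file to write
#            $2 - data public key (.vbpubk) to wrap
#            $3 - path the unpacked data public key is written to
#            $4 - signing public key used to verify the keyblock on unpack
#            $@ - remaining args: signing options for vbutil_keyblock --pack
# Returns:   0; exits the script with status 1 if the unpacked data key
#            differs from the packed one (the check only covers the data key
#            round trip, not the keyblock's signature fields)
#######################################
_vbutil_keyblock_roundtrip() {
  local keyblockfile=$1
  local data_pubkey=$2
  local data_pubkey_out=$3
  local signing_pubkey=$4
  shift 4

  # Pack
  if ! "${FUTILITY}" vbutil_keyblock --pack "${keyblockfile}" \
      --datapubkey "${data_pubkey}" "$@"; then
    echo -e "${COL_RED}Pack${COL_STOP}"
    return_code=255
  fi

  # Unpack
  if ! "${FUTILITY}" vbutil_keyblock --unpack "${keyblockfile}" \
      --datapubkey "${data_pubkey_out}" \
      --signpubkey "${signing_pubkey}"; then
    echo -e "${COL_RED}Unpack${COL_STOP}"
    return_code=255
  fi

  # Check: a mismatch aborts the whole run, as the original script did.
  if ! cmp -s "${data_pubkey}" "${data_pubkey_out}"; then
    echo -e "${COL_RED}Check${COL_STOP}"
    return_code=255
    exit 1
  fi
}

#######################################
# Round-trip one keyblock: wrap the signing key pair, pack a keyblock holding
# the data public key, unpack it and check the data key survives unchanged.
# Done twice: signing with the private key directly, then through the
# external signer script.
# Globals:   FUTILITY, TESTKEY_DIR, TESTKEY_SCRATCH_DIR, SCRIPT_DIR, COL_*
#            (read); return_code (set to 255 on failure)
# Arguments: $1 - signing key algorithm number
#            $2 - signing key RSA length in bits
#            $3 - signing key hash algorithm (display only)
#            $4 - data key algorithm number
#            $5 - data key RSA length in bits (display only)
#            $6 - data key hash algorithm (display only)
# Returns:   0; exits the script with status 1 on a round-trip mismatch
#######################################
test_vbutil_keyblock_single() {
  local signing_algonum=$1
  local signing_keylen=$2
  local signing_hashalgo=$3
  local data_algonum=$4
  local data_keylen=$5
  local data_hashalgo=$6

  # Scratch paths.  The wrapped signing keys are named by the signing
  # algorithm number; the original expanded an unset ${algonum} here, so
  # they all landed in key_alg.vbprivk / key_alg.vbpubk.
  local signing_privkey="${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbprivk"
  local signing_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${signing_algonum}.vbpubk"
  local data_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk"
  local data_pubkey_out="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2"
  local keyblockfile="${TESTKEY_SCRATCH_DIR}/sign${signing_algonum}_data${data_algonum}.keyblock"

  # COL_* may hold backslash escapes, so keep echo -e.
  echo -e "For ${COL_YELLOW}signing algorithm RSA-${signing_keylen}/${signing_hashalgo}${COL_STOP} \
and ${COL_YELLOW}data key algorithm RSA-${data_keylen}/${data_hashalgo}${COL_STOP}"
  # Remove old file
  rm -f -- "${keyblockfile}"

  # Wrap private key
  if ! "${FUTILITY}" vbutil_key \
      --pack "${signing_privkey}" \
      --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.pem" \
      --algorithm "${signing_algonum}"; then
    echo -e "${COL_RED}Wrap vbprivk${COL_STOP}"
    return_code=255
  fi

  # Wrap public key
  if ! "${FUTILITY}" vbutil_key \
      --pack "${signing_pubkey}" \
      --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.keyb" \
      --algorithm "${signing_algonum}"; then
    echo -e "${COL_RED}Wrap vbpubk${COL_STOP}"
    return_code=255
  fi

  # Pack / unpack / check, signing with the wrapped private key.
  _vbutil_keyblock_roundtrip "${keyblockfile}" "${data_pubkey}" \
    "${data_pubkey_out}" "${signing_pubkey}" \
    --signprivate "${signing_privkey}"

  echo -e "${COL_YELLOW}Testing keyblock creation using external signer.${COL_STOP}"
  # Pack / unpack / check again, this time signing via the external signer
  # script with the PEM private key.
  _vbutil_keyblock_roundtrip "${keyblockfile}" "${data_pubkey}" \
    "${data_pubkey_out}" "${signing_pubkey}" \
    --signprivate_pem "${TESTKEY_DIR}/key_rsa${signing_keylen}.pem" \
    --pem_algorithm "${signing_algonum}" \
    --externalsigner "${SCRIPT_DIR}/external_rsa_signer.sh"
}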
| 173 | |
| 174 | |
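#######################################
# Run test_vbutil_keyblock_single for every pairing of signing algorithm and
# data key algorithm drawn from common.sh's key_lengths x hash_algos.
# Algorithm numbers count up in nested-loop order (key length outer, hash
# algorithm inner); the data counter restarts for each signing algorithm.
# Globals:   key_lengths, hash_algos (read)
#######################################
test_vbutil_keyblock_all() {
  local signing_algorithmcounter=0
  local data_algorithmcounter
  local signing_keylen signing_hashalgo data_keylen data_hashalgo
  for signing_keylen in "${key_lengths[@]}"; do
    for signing_hashalgo in "${hash_algos[@]}"; do
      data_algorithmcounter=0
      # The inner loop variables are the ones passed as $5/$6 below; the
      # original looped over datakeylen/datahashalgo but passed the unset
      # $data_keylen/$data_hashalgo, so those arguments were empty.
      for data_keylen in "${key_lengths[@]}"; do
        for data_hashalgo in "${hash_algos[@]}"; do
          test_vbutil_keyblock_single \
            "${signing_algorithmcounter}" "${signing_keylen}" "${signing_hashalgo}" \
            "${data_algorithmcounter}" "${data_keylen}" "${data_hashalgo}"
          data_algorithmcounter=$((data_algorithmcounter + 1))
        done
      done
      signing_algorithmcounter=$((signing_algorithmcounter + 1))
    done
  done
}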
| 199 | |
#######################################
# Spot-check vbutil_keyblock with three fixed signing-key / data-key
# pairings (the full matrix is test_vbutil_keyblock_all).
#######################################
test_vbutil_keyblock() {
  local -a pairings=(
    "7 4096 sha256 4 2048 sha256"
    "11 8192 sha512 4 2048 sha256"
    "11 8192 sha512 7 4096 sha256"
  )
  local pairing s_alg s_len s_hash d_alg d_len d_hash
  for pairing in "${pairings[@]}"; do
    read -r s_alg s_len s_hash d_alg d_len d_hash <<<"${pairing}"
    test_vbutil_keyblock_single \
      "${s_alg}" "${s_len}" "${s_hash}" "${d_alg}" "${d_len}" "${d_hash}"
  done
}
| 205 | |
Randall Spangler | 6a97b3e | 2010-06-10 17:55:02 -0700 | [diff] [blame] | 206 | |
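#######################################
# Entry point: check the test keys exist, run the vbutil_key and
# vbutil_keyblock tests (the full matrix with --all, otherwise a fixed
# subset), then exit with the accumulated status.
# Globals:   return_code (read)
# Arguments: $1 - optional "--all" to run every algorithm combination
#######################################
main() {
  local run_all=0
  # ${1-} so an absent argument is an empty string rather than an unset-var
  # error if common.sh ever turns on set -u.
  if [[ "${1-}" == "--all" ]]; then
    run_all=1
  fi

  check_test_keys

  echo
  echo "Testing vbutil_key..."
  if (( run_all )); then
    test_vbutil_key_all
  else
    test_vbutil_key
  fi

  echo
  echo "Testing vbutil_keyblock..."
  if (( run_all )); then
    test_vbutil_keyblock_all
  else
    test_vbutil_keyblock
  fi

  exit "${return_code}"
}

main "$@"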
| 226 | |