You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
111 lines
2.6 KiB
111 lines
2.6 KiB
#!/bin/bash -eux
|
|
# Copyright 2014 The Chromium OS Authors. All rights reserved.
|
|
# Use of this source code is governed by a BSD-style license that can be
|
|
# found in the LICENSE file.
|
|
|
|
me=${0##*/}
|
|
TMP="$me.tmp"
|
|
|
|
# Work in scratch directory
|
|
cd "$OUTDIR"
|
|
|
|
# some stuff we'll need
|
|
DEVKEYS=${SRCDIR}/tests/devkeys
|
|
TESTKEYS=${SRCDIR}/tests/testkeys
|
|
SIGNER=${SRCDIR}/tests/external_rsa_signer.sh
|
|
|
|
|
|
# Create a copy of an existing keyblock, using the old way
|
|
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \
|
|
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
|
|
--flags 7 \
|
|
--signprivate ${DEVKEYS}/root_key.vbprivk
|
|
|
|
# Check it.
|
|
${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock0 \
|
|
--signpubkey ${DEVKEYS}/root_key.vbpubk
|
|
|
|
# It should be the same as the dev-key firmware keyblock
|
|
cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock0
|
|
|
|
|
|
# Now create it the new way
|
|
${FUTILITY} sign --debug \
|
|
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
|
|
--flags 7 \
|
|
--signprivate ${DEVKEYS}/root_key.vbprivk \
|
|
--outfile ${TMP}.keyblock1
|
|
|
|
# It should be the same too.
|
|
cmp ${DEVKEYS}/firmware.keyblock ${TMP}.keyblock1
|
|
|
|
|
|
# Create a keyblock without signing it.
|
|
|
|
# old way
|
|
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock0 \
|
|
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
|
|
--flags 14
|
|
|
|
# new way
|
|
${FUTILITY} sign --debug \
|
|
--flags 14 \
|
|
${DEVKEYS}/firmware_data_key.vbpubk \
|
|
${TMP}.keyblock1
|
|
|
|
cmp ${TMP}.keyblock0 ${TMP}.keyblock1
|
|
|
|
|
|
# Create one using PEM args
|
|
|
|
# old way
|
|
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock2 \
|
|
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
|
|
--signprivate_pem ${TESTKEYS}/key_rsa4096.pem \
|
|
--pem_algorithm 8 \
|
|
--flags 9
|
|
|
|
# verify it
|
|
${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock2 \
|
|
--signpubkey ${TESTKEYS}/key_rsa4096.sha512.vbpubk
|
|
|
|
# new way
|
|
${FUTILITY} sign --debug \
|
|
--pem_signpriv ${TESTKEYS}/key_rsa4096.pem \
|
|
--pem_algo 8 \
|
|
--flags 9 \
|
|
${DEVKEYS}/firmware_data_key.vbpubk \
|
|
${TMP}.keyblock3
|
|
|
|
cmp ${TMP}.keyblock2 ${TMP}.keyblock3
|
|
|
|
# Try it with an external signer
|
|
|
|
# old way
|
|
${FUTILITY} vbutil_keyblock --pack ${TMP}.keyblock4 \
|
|
--datapubkey ${DEVKEYS}/firmware_data_key.vbpubk \
|
|
--signprivate_pem ${TESTKEYS}/key_rsa4096.pem \
|
|
--pem_algorithm 8 \
|
|
--flags 19 \
|
|
--externalsigner ${SIGNER}
|
|
|
|
# verify it
|
|
${FUTILITY} vbutil_keyblock --unpack ${TMP}.keyblock4 \
|
|
--signpubkey ${TESTKEYS}/key_rsa4096.sha512.vbpubk
|
|
|
|
# new way
|
|
${FUTILITY} sign --debug \
|
|
--pem_signpriv ${TESTKEYS}/key_rsa4096.pem \
|
|
--pem_algo 8 \
|
|
--pem_external ${SIGNER} \
|
|
--flags 19 \
|
|
${DEVKEYS}/firmware_data_key.vbpubk \
|
|
${TMP}.keyblock5
|
|
|
|
cmp ${TMP}.keyblock4 ${TMP}.keyblock5
|
|
|
|
|
|
# cleanup
|
|
rm -rf ${TMP}*
|
|
exit 0
|