Google Git
Sign in
cos / mirrors / cros / chromiumos / platform / vboot_reference / 52a15f96ac009222ebf7d1299c7d17825e5a4ab5 / . / tests / futility / test_sign_kernel.sh
blob: 2a8e8c139c44b34dd9bee209880f41ca2217ab78 [file] [log] [blame]
#!/bin/bash -eux
# Copyright (c) 2014 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
me=${0##*/}
TMP="$me.tmp"
# Work in scratch directory
cd "$OUTDIR"
DEVKEYS=${SRCDIR}/tests/devkeys
echo "hi there" > ${TMP}.config.txt
echo "hello boys" > ${TMP}.config2.txt
dd if=/dev/urandom bs=512 count=1 of=${TMP}.bootloader.bin
dd if=/dev/urandom bs=512 count=1 of=${TMP}.bootloader2.bin
# default padding
padding=49152
try_arch () {
local arch=$1
echo -n "${arch}: 1 " 1>&3
# pack it up the old way
${FUTILITY} vbutil_kernel --debug \
--pack ${TMP}.blob1.${arch} \
--keyblock ${DEVKEYS}/recovery_kernel.keyblock \
--signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \
--version 1 \
--config ${TMP}.config.txt \
--bootloader ${TMP}.bootloader.bin \
--vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \
--arch ${arch} \
--pad ${padding} \
--kloadaddr 0x11000
# verify the old way
${FUTILITY} vbutil_kernel --verify ${TMP}.blob1.${arch} \
--pad ${padding} \
--signpubkey ${DEVKEYS}/recovery_key.vbpubk
${FUTILITY} vbutil_kernel --verify ${TMP}.blob1.${arch} \
--pad ${padding} \
--signpubkey ${DEVKEYS}/recovery_key.vbpubk --debug
# pack it up the new way
${FUTILITY} sign --debug \
--keyblock ${DEVKEYS}/recovery_kernel.keyblock \
--signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \
--version 1 \
--config ${TMP}.config.txt \
--bootloader ${TMP}.bootloader.bin \
--vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \
--arch ${arch} \
--pad ${padding} \
--kloadaddr 0x11000 \
--outfile ${TMP}.blob2.${arch}
# they should be identical
cmp ${TMP}.blob1.${arch} ${TMP}.blob2.${arch}
echo -n "2 " 1>&3
# repack it the old way
${FUTILITY} vbutil_kernel \
--repack ${TMP}.blob3.${arch} \
--oldblob ${TMP}.blob1.${arch} \
--signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
--keyblock ${DEVKEYS}/kernel.keyblock \
--version 2 \
--pad ${padding} \
--config ${TMP}.config2.txt \
--bootloader ${TMP}.bootloader2.bin
# verify the old way
${FUTILITY} vbutil_kernel --verify ${TMP}.blob3.${arch} \
--pad ${padding} \
--signpubkey ${DEVKEYS}/kernel_subkey.vbpubk
${FUTILITY} vbutil_kernel --verify ${TMP}.blob3.${arch} \
--pad ${padding} \
--signpubkey ${DEVKEYS}/kernel_subkey.vbpubk
# repack it the new way
${FUTILITY} sign --debug \
--signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
--keyblock ${DEVKEYS}/kernel.keyblock \
--version 2 \
--pad ${padding} \
--config ${TMP}.config2.txt \
--bootloader ${TMP}.bootloader2.bin \
${TMP}.blob2.${arch} \
${TMP}.blob4.${arch}
# they should be identical
cmp ${TMP}.blob3.${arch} ${TMP}.blob4.${arch}
echo -n "3 " 1>&3
# repack it the new way, in-place
cp ${TMP}.blob2.${arch} ${TMP}.blob5.${arch}
${FUTILITY} sign --debug \
--signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
--keyblock ${DEVKEYS}/kernel.keyblock \
--version 2 \
--pad ${padding} \
--config ${TMP}.config2.txt \
--bootloader ${TMP}.bootloader2.bin \
${TMP}.blob5.${arch}
# they should be identical
cmp ${TMP}.blob3.${arch} ${TMP}.blob5.${arch}
# and now just the vblocks...
echo -n "4 " 1>&3
dd bs=${padding} count=1 if=${TMP}.blob1.${arch} of=${TMP}.blob1.${arch}.vb0
${FUTILITY} vbutil_kernel \
--pack ${TMP}.blob1.${arch}.vb1 \
--vblockonly \
--keyblock ${DEVKEYS}/recovery_kernel.keyblock \
--signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \
--version 1 \
--config ${TMP}.config.txt \
--bootloader ${TMP}.bootloader.bin \
--vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \
--arch ${arch} \
--pad ${padding} \
--kloadaddr 0x11000
cmp ${TMP}.blob1.${arch}.vb0 ${TMP}.blob1.${arch}.vb1
dd bs=${padding} count=1 if=${TMP}.blob2.${arch} of=${TMP}.blob2.${arch}.vb0
${FUTILITY} sign --debug \
--keyblock ${DEVKEYS}/recovery_kernel.keyblock \
--signprivate ${DEVKEYS}/recovery_kernel_data_key.vbprivk \
--version 1 \
--config ${TMP}.config.txt \
--bootloader ${TMP}.bootloader.bin \
--vmlinuz ${SCRIPTDIR}/data/vmlinuz-${arch}.bin \
--arch ${arch} \
--pad ${padding} \
--kloadaddr 0x11000 \
--vblockonly \
${TMP}.blob2.${arch}.vb1
cmp ${TMP}.blob2.${arch}.vb0 ${TMP}.blob2.${arch}.vb1
# and verify it the new way
dd bs=${padding} skip=1 if=${TMP}.blob2.${arch} of=${TMP}.blob2.${arch}.kb1
${FUTILITY} verify --debug \
--pad ${padding} \
--publickey ${DEVKEYS}/recovery_key.vbpubk \
--fv ${TMP}.blob2.${arch}.kb1 \
${TMP}.blob2.${arch}.vb1
echo -n "5 " 1>&3
dd bs=${padding} count=1 if=${TMP}.blob3.${arch} of=${TMP}.blob3.${arch}.vb0
${FUTILITY} vbutil_kernel \
--repack ${TMP}.blob3.${arch}.vb1 \
--vblockonly \
--oldblob ${TMP}.blob1.${arch} \
--signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
--keyblock ${DEVKEYS}/kernel.keyblock \
--version 2 \
--pad ${padding} \
--config ${TMP}.config2.txt \
--bootloader ${TMP}.bootloader2.bin
cmp ${TMP}.blob3.${arch}.vb0 ${TMP}.blob3.${arch}.vb1
dd bs=${padding} count=1 if=${TMP}.blob4.${arch} of=${TMP}.blob4.${arch}.vb0
${FUTILITY} sign --debug \
--signprivate ${DEVKEYS}/kernel_data_key.vbprivk \
--keyblock ${DEVKEYS}/kernel.keyblock \
--version 2 \
--config ${TMP}.config2.txt \
--bootloader ${TMP}.bootloader2.bin \
--pad ${padding} \
--vblockonly \
${TMP}.blob2.${arch} \
${TMP}.blob4.${arch}.vb1 \
cmp ${TMP}.blob4.${arch}.vb0 ${TMP}.blob4.${arch}.vb1
dd bs=${padding} skip=1 if=${TMP}.blob4.${arch} of=${TMP}.blob4.${arch}.kb1
${FUTILITY} verify --debug \
--pad ${padding} \
--publickey ${DEVKEYS}/kernel_subkey.vbpubk \
--fv ${TMP}.blob4.${arch}.kb1 \
${TMP}.blob4.${arch}.vb1
# Note: We specifically do not test repacking with a different --kloadaddr,
# because the old way has a bug and does not update params->cmd_line_ptr to
# point at the new on-disk location. Apparently (and not surprisingly), no
# one has ever done that.
}
try_arch amd64
try_arch arm
# cleanup
rm -rf ${TMP}*
exit 0