Google Git
Sign in
cos / mirrors / cros / chromiumos / platform / vboot_reference / fcefaedf6281308a9be852ff7698948b31930ec7^! / .
commitfcefaedf6281308a9be852ff7698948b31930ec7[log] [tgz]
authorGaurav Shah <gauravsh@google.com>Wed Mar 19 16:40:40 2014 -0700
committerGaurav Shah <gauravsh@chromium.org>Tue Aug 26 02:25:59 2014 +0000
treef134c58ed7858f1992d34b891128b1f5ca8c6910
parent028f468aff976ef5e76f20133c64ec19cb9d1517 [diff]
keygeneration: Add a script to sanity check versions for a keyset

Add a script that runs sanity checks on the versions in a keyset.
In particular, tests whether the actual key versions match those
in key.versions. Also runs consistency checks (for example: firmware
version should match kernel subkey version).

BUG=none
TEST=run on all of our keysets
BRANCH=none

Change-Id: I5b509ba33127364f6b63252ad167646eb7dce710
Reviewed-on: https://chromium-review.googlesource.com/190790
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>

diff --git a/scripts/keygeneration/keyset_version_check.sh b/scripts/keygeneration/keyset_version_check.sh
new file mode 100755
index 0000000..7d1f642
--- /dev/null
+++ b/scripts/keygeneration/keyset_version_check.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+# Copyright 2014 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Script that sanity checks a keyset to ensure actual key versions
+# match those set in key.versions.
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+# Abort on errors.
+set -e
+
+if [ $# -ne 1 ]; then
+  cat <<EOF
+Usage: $0 <keyset directory>
+
+Sanity check a keyset directory for key versions.
+EOF
+  exit 1
+fi
+
+KEY_DIR="$1"
+VERSION_FILE="${KEY_DIR}/key.versions"
+
+keyblock_version() {
+  local keyblock="$1"
+  echo "$(vbutil_keyblock --unpack "${keyblock}" | grep 'Data key version' |
+    cut -f 2 -d : | tr -d ' ')"
+}
+
+key_version() {
+  local key="$1"
+  echo "$(vbutil_key --unpack "${key}" | grep 'Key Version' | cut -f 2 -d : |
+    tr -d ' ')"
+}
+
+# Compare versions and print out error if there is a mismatch.
+check_versions() {
+  local expected="$1"
+  local got="$2"
+  local expected_label="$3"
+  local got_label="$4"
+  if [[ ${expected} != ${got} ]]; then
+    echo "ERROR: ${expected_label} version does not match ${got_label} version"
+    echo "EXPECTED (${expected_label} version): ${expected}"
+    echo "GOT (${got_label} version): ${got}"
+    return 1
+  fi
+  return 0
+}
+
+main() {
+ local testfail=0
+
+ local expected_kkey="$(get_version kernel_key_version)"
+ local expected_fkey="$(get_version firmware_key_version)"
+ local expected_firmware="$(get_version firmware_version)"
+ local expected_kernel="$(get_version kernel_version)"
+
+ check_versions "${expected_firmware}" "${expected_kkey}" \
+   "firmware" "kernel key" || testfail=1
+
+ local got_fkey_keyblock="$(keyblock_version ${KEY_DIR}/firmware.keyblock)"
+ local got_fkey="$(key_version ${KEY_DIR}/firmware_data_key.vbpubk)"
+
+ local got_kkey_keyblock="$(keyblock_version ${KEY_DIR}/kernel.keyblock)"
+ local got_ksubkey="$(key_version ${KEY_DIR}/kernel_subkey.vbpubk)"
+ local got_kdatakey="$(key_version ${KEY_DIR}/kernel_data_key.vbpubk)"
+
+ check_versions "${got_fkey_keyblock}" "${got_fkey}" "firmware keyblock key" \
+   "firmware key" || testfail=1
+ check_versions "${got_kkey_keyblock}" "${got_ksubkey}" "kernel keyblock key" \
+   "kernel subkey" || testfail=1
+ check_versions "${got_kdatakey}" "${got_ksubkey}" "kernel data key" \
+   "kernel subkey" || testfail=1
+ check_versions "${expected_fkey}" "${got_fkey}" "key.versions firmware key" \
+   "firmware key" || testfail=1
+ check_versions "${expected_kkey}" "${got_kdatakey}" "key.versions kernel key" \
+   "kernel datakey" || testfail=1
+ check_versions "${expected_kkey}" "${got_ksubkey}" "key.versions kernel key" \
+   "kernel subkey" || testfail=1
+ exit ${testfail}
+}
+
+main "$@"