vboot2: Add end-to-end test of firmware verification

This constructs a test firmware using the old vboot signing utilities,
and then verifies it using vboot2 libraries.  This ensures vboot2 can
read files signed by the current signing process.

BUG=chromium:370082
BRANCH=none
TEST=VBOOT2=1 make runtests

Change-Id: Icc113c982e5ed99382a4592f9ab688784e853c8e
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/204561
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
diff --git a/Makefile b/Makefile
index 2acdb98..60509f6 100644
--- a/Makefile
+++ b/Makefile
@@ -1080,6 +1080,7 @@
 	tests/run_vbutil_tests.sh
 ifneq (${VBOOT2},)
 	tests/vb2_rsa_tests.sh
+	tests/vb2_firmware_tests.sh
 endif
 
 .PHONY: runmisctests
diff --git a/tests/vb2_firmware_tests.sh b/tests/vb2_firmware_tests.sh
new file mode 100755
index 0000000..39c4dd9
--- /dev/null
+++ b/tests/vb2_firmware_tests.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright (c) 2014 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# End-to-end test for vboot2 firmware verification
+
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
+set -e
+
+echo 'Creating test firmware'
+
+# Run tests in a dedicated directory for easy cleanup or debugging.
+DIR="${TEST_DIR}/vb2fw_test_dir"
+[ -d "$DIR" ] || mkdir -p "$DIR"
+echo "Testing vb2_verify_fw in $DIR"
+cd "$DIR"
+
+# Dummy firmware body
+echo 'This is a test firmware body.  This is only a test.  Lalalalala' \
+    > body.test
+
+# Pack keys using original vboot utilities
+${UTIL_DIR}/vbutil_key --pack rootkey.test \
+    --key ${TESTKEY_DIR}/key_rsa8192.keyb --algorithm 11
+${UTIL_DIR}/vbutil_key --pack fwsubkey.test \
+    --key ${TESTKEY_DIR}/key_rsa4096.keyb --algorithm 7
+${UTIL_DIR}/vbutil_key --pack kernkey.test \
+    --key ${TESTKEY_DIR}/key_rsa2048.keyb --algorithm 4
+
+# Create a GBB with the root key
+${UTIL_DIR}/gbb_utility -c 128,2400,0,0 gbb.test
+${UTIL_DIR}/gbb_utility gbb.test -s --hwid='Test GBB' --rootkey=rootkey.test
+
+# Keyblock with firmware subkey is signed by root key
+${UTIL_DIR}/vbutil_keyblock --pack keyblock.test \
+    --datapubkey fwsubkey.test \
+    --signprivate ${TESTKEY_DIR}/key_rsa8192.sha512.vbprivk
+
+# Firmware preamble is signed with the firmware subkey
+${UTIL_DIR}/vbutil_firmware \
+    --vblock vblock.test \
+    --keyblock keyblock.test \
+    --signprivate ${TESTKEY_DIR}/key_rsa4096.sha256.vbprivk \
+    --fv body.test \
+    --version 1 \
+    --kernelkey kernkey.test
+
+echo 'Verifying test firmware using vb2_verify_fw'
+
+# Verify the firmware using vboot2 utility
+${UTIL_DIR}/vb2_verify_fw gbb.test vblock.test body.test
+
+happy 'vb2_verify_fw succeeded'
diff --git a/utility/vb2_verify_fw.c b/utility/vb2_verify_fw.c
index 2d662de..f7ec0b5 100644
--- a/utility/vb2_verify_fw.c
+++ b/utility/vb2_verify_fw.c
@@ -171,7 +171,7 @@
 	if (rv) {
 		printf("Phase 1 wants recovery mode.\n");
 		save_if_needed(&ctx);
-		return 0;
+		return rv;
 	}
 
 	/* Determine which firmware slot to boot */
@@ -180,7 +180,7 @@
 	if (rv) {
 		printf("Phase 2 wants reboot.\n");
 		save_if_needed(&ctx);
-		return 0;
+		return rv;
 	}
 
 	/* Try that slot */
@@ -189,7 +189,7 @@
 	if (rv) {
 		printf("Phase 3 wants reboot.\n");
 		save_if_needed(&ctx);
-		return 0;
+		return rv;
 	}
 
 	/* Verify body */
@@ -198,7 +198,7 @@
 	save_if_needed(&ctx);
 	if (rv) {
 		printf("Phase 4 wants reboot.\n");
-		return 0;
+		return rv;
 	}
 
 	printf("Yaay!\n");