blob: 9655e75a125371e74b9cd3771c5186ea83deea1e [file] [log] [blame]
#!/bin/bash -u
# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
if [ -z "$*" ]; then
cat <<EOF 1>&2
Usage: vbutil_what_keys IMAGE [IMAGE...]
Given a ChromiumOS disk image, try to figure out how it's signed. Note that
this does not verify the signature, it just reports which keyblock was used to
create the signature.
EOF
exit 1
fi
# We'll look up the known kernel.keyblock and recovery_kernel.keyblock sha1sums
# right here. Obtain them by running this script on images you know have been
# signed correctly (since the keys themselves are inside the HSM).
#
# e78ce746a037837155388a1096212ded04fb86eb recovery dev-key
# d6170aa480136f1f29cf339a5ab1b960585fa444 normal dev-key
#
# 20f3e8b77da6577706c91feefb203f98ee20d479 recovery ZGB MP
# 7b7ae8652775ad7305f565161b3acc00fcc8ea22 normal ZGB MP
#
# 03172b08f0b99172c73d947f51e8ca23d418bcbf recovery Alex MP
# af24e46b6c3805869616e71c002c9a2a847ad266 normal Alex MP
#
# f6fadd7e31eebf4bcc4eb8d2dd512e3a2313627f recovery Cr-48 MP
# a1454fcecb98a6f33b38638564bdfc20161a7b04 normal Cr-48 MP
#
TMPFILE=$(mktemp /tmp/keyblock_XXXXXXXXX)
trap "rm -f $TMPFILE" EXIT
dofile() {
file="$1"
echo "$file"
for pnum in $(cgpt find -n -t kernel "$file" 2>/dev/null); do
psize=$(cgpt show -s -i "$pnum" "$file")
if [ "$psize" -ge 128 ]; then
pstart=$(cgpt show -b -i "$pnum" "$file")
dd if="$file" of="$TMPFILE" bs=512 count=128 skip="$pstart" 2>/dev/null
psum=$(vbutil_keyblock --unpack "$TMPFILE" 2>/dev/null | \
grep sha1sum | sed -e 's/^.*: *//')
if [ -n "$psum" ]; then
match=$(grep "$psum" "$0" 2>/dev/null | sed -e 's/^# //')
flags=$(vbutil_keyblock --unpack "$TMPFILE" 2>/dev/null | \
grep Flags: | sed -e 's/^.*:[ 0-9]*//')
else
match=""
psum="--invalid--"
flags=""
fi
if [ -n "$match" ]; then
echo " part $pnum: $match ($flags)"
else
echo " part $pnum: $psum ($flags)"
fi
fi
done
}
for file in "$@"; do
dofile $file
done