Google Git
Sign in
cos / third_party / platform / vboot_reference / 06780662c89b05684a934ea3a1538df02f512e1c
commit06780662c89b05684a934ea3a1538df02f512e1c[log] [tgz]
authorVadim Bendebury <vbendeb@chromium.org>Tue Sep 21 19:53:34 2021 -0700
committerCommit Bot <commit-bot@chromium.org>Mon Oct 18 22:11:41 2021 +0000
tree24a1292be3f5812886fcf4706be96301923cd235
parent2ffa62d35c7be7217287151ab9de14266ee6df66 [diff]
futility: add subcommand for creating and verifying the RO_GSCVD area

The help text of the new subcommand is as follows:

-------
  This utility creates an RO verification space in the Chrome OS AP
  firmware image or allows to validate a previously prepared image
  containing the RO verification space.

  Usage: futilitygscvd PARAMS <AP FIRMWARE FILE> [<root key hash>]

  Creation of RO Verification space:

  Required PARAMS:
    -R|--ranges        STRING        Comma separated colon delimited
                                       hex tuples <offset>:<size>, the
                                       areas of the RO covered by the
                                       signature
    -r|--root_pub_key  <file>        The main public key, in .vbpubk
                                       format, used to verify platform
                                       key
    -k|--keyblock      <file>        Signed platform public key in
                                       .keyblock format, used for run
                                       time RO verifcation
    -p|--platform_priv <file>        Private platform key in .vbprivk
                                       format, used for signing RO
                                       verification data
  Optional PARAMS:
    [--outfile]        OUTFILE       Output firmware image containing
                                       RO verification information

  Validation of RO Verification space:

     The only required parameter is <AP FIRMWARE FILE>, if optional
     <root key hash> is given, it is compared to the hash of the body
     of the root key found in <AP_FIRMWARE_FILE>.

    -h|--help                        Print this message
-------

When creating GVD section, the sha256 hash of the root public key
payload is printed on stdout, this is the hash to include in the GSC
image to for the root key verification.

Code converting ASCII hex string into binary is refactored into a misc
function.

BRANCH=none
BUG=b:141191727
TEST=testing included the following steps:

   . modified guybrush coreboot to allocate an 8KB RO_GSCVD area in
     FMAP and built a guybrush BIOS image
   . filled GVD space as described in the source file comments
   . verified the created space as described in the source file comments
   . verified AP RO integrity on the GSC size using crrev.com/c/3172256

Change-Id: I51a80be5007a32d5286b93499f71da84f41b3d81
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3174570
Reviewed-by: Julius Werner <jwerner@chromium.org>
6 files changed
tree: 24a1292be3f5812886fcf4706be96301923cd235
  1. cgpt/
  2. firmware/
  3. futility/
  4. host/
  5. scripts/
  6. tests/
  7. utility/
  8. .checkpatch.conf
  9. .clang-format
  10. .gitignore
  11. Android.mk
  12. emerge_test.sh
  13. LICENSE
  14. Makefile
  15. OWNERS
  16. PRESUBMIT.cfg
  17. README
  18. unblocked_terms.txt
  19. vboot_host.pc.in