blob: 2ab33945334abc40c748c1d3f76d093f25629103 [file] [log] [blame]
#!/bin/bash
# Copyright 2014 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Script that validity checks a keyset to ensure actual key versions
# match those set in key.versions.
# Load common constants and variables.
. "$(dirname "$0")/common.sh"
# Abort on errors.
set -e
if [ $# -ne 1 ]; then
cat <<EOF
Usage: $0 <keyset directory>
Validity check a keyset directory for key versions.
EOF
exit 1
fi
KEY_DIR="$1"
VERSION_FILE="${KEY_DIR}/key.versions"
keyblock_version() {
local keyblock="$1"
echo "$(vbutil_keyblock --unpack "${keyblock}" | grep 'Data key version' |
cut -f 2 -d : | tr -d ' ')"
}
key_version() {
local key="$1"
echo "$(vbutil_key --unpack "${key}" | grep 'Key Version' | cut -f 2 -d : |
tr -d ' ')"
}
# Compare versions and print out error if there is a mismatch.
check_versions() {
local expected="$1"
local got="$2"
local expected_label="$3"
local got_label="$4"
if [[ ${expected} != ${got} ]]; then
echo "ERROR: ${expected_label} version does not match ${got_label} version"
echo "EXPECTED (${expected_label} version): ${expected}"
echo "GOT (${got_label} version): ${got}"
return 1
fi
return 0
}
# Check the key.versions against firmware.keyblock and firmware_data_key.vbpubk.
check_firmware_keyblock() {
local fkey_keyblock="$1" fkey="$2"
local got_fkey_keyblock="$(keyblock_version "${fkey_keyblock}")"
local got_fkey="$(key_version "${fkey}")"
check_versions "${got_fkey_keyblock}" "${got_fkey}" \
"${fkey_keyblock##*/} keyblock key" "firmware key" || testfail=1
check_versions "${expected_fkey}" "${got_fkey}" "${fkey##*/} key" \
"firmware key" || testfail=1
}
# Validate the firmware keys in an loem keyset.
check_loem_keyset() {
local line loem_index
while read line; do
loem_index=$(cut -d= -f1 <<<"${line}" | sed 's: *$::')
check_firmware_keyblock \
"${KEY_DIR}/firmware.loem${loem_index}.keyblock" \
"${KEY_DIR}/firmware_data_key.loem${loem_index}.vbpubk"
done < <(grep = "${KEY_DIR}"/loem.ini)
}
# Validate the firmware keys in a non-loem keyset.
check_non_loem_keyset() {
check_firmware_keyblock \
"${KEY_DIR}/firmware.keyblock" \
"${KEY_DIR}/firmware_data_key.vbpubk"
}
main() {
local testfail=0
local expected_kkey="$(get_version kernel_key_version)"
local expected_fkey="$(get_version firmware_key_version)"
local expected_firmware="$(get_version firmware_version)"
local expected_kernel="$(get_version kernel_version)"
check_versions "${expected_firmware}" "${expected_kkey}" \
"firmware" "kernel key" || testfail=1
local got_kkey_keyblock="$(keyblock_version ${KEY_DIR}/kernel.keyblock)"
local got_ksubkey="$(key_version ${KEY_DIR}/kernel_subkey.vbpubk)"
local got_kdatakey="$(key_version ${KEY_DIR}/kernel_data_key.vbpubk)"
if [[ -f "${KEY_DIR}"/loem.ini ]]; then
check_loem_keyset
else
check_non_loem_keyset
fi
check_versions "${got_kkey_keyblock}" "${got_ksubkey}" "kernel keyblock key" \
"kernel subkey" || testfail=1
check_versions "${got_kdatakey}" "${got_ksubkey}" "kernel data key" \
"kernel subkey" || testfail=1
check_versions "${expected_kkey}" "${got_kdatakey}" "key.versions kernel key" \
"kernel datakey" || testfail=1
check_versions "${expected_kkey}" "${got_ksubkey}" "key.versions kernel key" \
"kernel subkey" || testfail=1
exit ${testfail}
}
main "$@"