1#!/bin/bash
2# Copyright 2014 The Chromium OS Authors. All rights reserved.
3# Use of this source code is governed by a BSD-style license that can be
4# found in the LICENSE file.
5
6# Script that sanity checks a keyset to ensure actual key versions
7# match those set in key.versions.
8
# Pull in the shared constants and helpers (presumably where get_version,
# which is used below but not defined here, comes from).
source "$(dirname "$0")/common.sh"

# Stop at the first failing command.
set -o errexit
14
# Exactly one positional argument (the keyset directory) is required;
# anything else prints the usage text and exits non-zero.
if [[ $# -ne 1 ]]; then
  cat <<EOF
Usage: $0 <keyset directory>

Sanity check a keyset directory for key versions.
EOF
  exit 1
fi
23
# Keyset directory under test, and the key.versions file inside it.
# VERSION_FILE is not referenced in this file; presumably common.sh reads it.
KEY_DIR=$1
VERSION_FILE=${KEY_DIR}/key.versions
26
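#######################################
# Print the data key version recorded in a keyblock.
# Arguments: $1 - path to a .keyblock file
# Outputs:   the "Data key version" field of vbutil_keyblock --unpack,
#            whitespace stripped, on stdout
# Returns:   0 on success; 1 if vbutil_keyblock fails, the field is absent,
#            or the parsed value is empty. An empty value must not be
#            reported as a version: two empty values compare as equal in
#            check_versions, so an unreadable keyset could otherwise pass.
#######################################
keyblock_version() {
  local keyblock="$1"
  local version
  # pipefail is enabled only inside the command substitution's subshell, so
  # a failing vbutil_keyblock (or no matching line) is not masked by the
  # trailing cut/tr stages succeeding, and the caller's options are untouched.
  version=$(set -o pipefail; vbutil_keyblock --unpack "${keyblock}" |
    grep 'Data key version' | cut -f 2 -d : | tr -d ' ') || {
    echo "ERROR: cannot read data key version from ${keyblock}" >&2
    return 1
  }
  if [[ -z "${version}" ]]; then
    echo "ERROR: empty data key version in ${keyblock}" >&2
    return 1
  fi
  echo "${version}"
}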
32
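#######################################
# Print the key version recorded in a public key file.
# Arguments: $1 - path to a .vbpubk file
# Outputs:   the "Key Version" field of vbutil_key --unpack, whitespace
#            stripped, on stdout
# Returns:   0 on success; 1 if vbutil_key fails, the field is absent, or the
#            parsed value is empty. An empty value must not be reported as a
#            version: two empty values compare as equal in check_versions,
#            so an unreadable keyset could otherwise pass.
#######################################
key_version() {
  local key="$1"
  local version
  # pipefail is enabled only inside the command substitution's subshell, so
  # a failing vbutil_key (or no matching line) is not masked by the trailing
  # cut/tr stages succeeding, and the caller's options are untouched.
  version=$(set -o pipefail; vbutil_key --unpack "${key}" |
    grep 'Key Version' | cut -f 2 -d : | tr -d ' ') || {
    echo "ERROR: cannot read key version from ${key}" >&2
    return 1
  }
  if [[ -z "${version}" ]]; then
    echo "ERROR: empty key version in ${key}" >&2
    return 1
  fi
  echo "${version}"
}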
38
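#######################################
# Compare two version strings and report a mismatch.
# Arguments:
#   $1 - expected version
#   $2 - version actually found
#   $3 - label for the expected side (used in the messages)
#   $4 - label for the found side (used in the messages)
# Outputs:   three ERROR/EXPECTED/GOT lines on stdout when they differ
# Returns:   0 if the two strings are identical, 1 otherwise
#######################################
check_versions() {
  local expected="$1"
  local got="$2"
  local expected_label="$3"
  local got_label="$4"
  # The right-hand side of != inside [[ ]] is a glob pattern when unquoted,
  # so an unquoted "${got}" of "*" would match any expected version and the
  # mismatch would go unreported. Quoting forces a literal string compare.
  if [[ "${expected}" != "${got}" ]]; then
    echo "ERROR: ${expected_label} version does not match ${got_label} version"
    echo "EXPECTED (${expected_label} version): ${expected}"
    echo "GOT (${got_label} version): ${got}"
    return 1
  fi
  return 0
}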
53
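#######################################
# Run a version-reading command and reject failure or empty output.
# An empty "version" must never be accepted: two empty values compare as
# equal in check_versions, so a keyset whose files could not be read would
# otherwise pass the check silently.
# Arguments: $1 - label used in the error message
#            $@ - command (and arguments) whose stdout is the version
# Outputs:   the version on stdout
# Returns:   0 on success, 1 if the command fails or prints nothing
#######################################
version_or_fail() {
  local label="$1"
  shift
  local value
  value=$("$@") || {
    echo "ERROR: could not read ${label} version" >&2
    return 1
  }
  if [[ -z "${value}" ]]; then
    echo "ERROR: ${label} version is empty" >&2
    return 1
  fi
  echo "${value}"
}

#######################################
# Cross-check the versions declared in key.versions against the versions
# embedded in the keyblocks and public keys found in KEY_DIR.
# Globals:   KEY_DIR (read)
# Outputs:   mismatch reports from check_versions on stdout, read errors on
#            stderr
# Returns:   exits 0 if every comparison passed, 1 otherwise
#######################################
main() {
  local testfail=0

  # Versions declared in key.versions (get_version is not defined in this
  # file; it is expected to come from common.sh). Declarations are kept
  # separate from the assignments so a failing get_version is not masked by
  # "local" and aborts the run under set -e.
  local expected_kkey expected_fkey expected_firmware expected_kernel
  expected_kkey=$(get_version kernel_key_version)
  expected_fkey=$(get_version firmware_key_version)
  expected_firmware=$(get_version firmware_version)
  # Read for parity with the other fields; no comparison uses it yet.
  # shellcheck disable=SC2034
  expected_kernel=$(get_version kernel_version)

  check_versions "${expected_firmware}" "${expected_kkey}" \
    "firmware" "kernel key" || testfail=1

  # Versions actually embedded in the keyset files. Paths are quoted so a
  # KEY_DIR containing whitespace is passed as a single argument, and a
  # value that cannot be read (or is empty) aborts the run instead of
  # comparing equal to another empty value.
  local got_fkey_keyblock got_fkey got_kkey_keyblock got_ksubkey got_kdatakey
  got_fkey_keyblock=$(version_or_fail "firmware keyblock key" \
    keyblock_version "${KEY_DIR}/firmware.keyblock") || exit 1
  got_fkey=$(version_or_fail "firmware key" \
    key_version "${KEY_DIR}/firmware_data_key.vbpubk") || exit 1

  got_kkey_keyblock=$(version_or_fail "kernel keyblock key" \
    keyblock_version "${KEY_DIR}/kernel.keyblock") || exit 1
  got_ksubkey=$(version_or_fail "kernel subkey" \
    key_version "${KEY_DIR}/kernel_subkey.vbpubk") || exit 1
  got_kdatakey=$(version_or_fail "kernel data key" \
    key_version "${KEY_DIR}/kernel_data_key.vbpubk") || exit 1

  # Every comparison runs even after a failure so all mismatches are listed.
  check_versions "${got_fkey_keyblock}" "${got_fkey}" "firmware keyblock key" \
    "firmware key" || testfail=1
  check_versions "${got_kkey_keyblock}" "${got_ksubkey}" "kernel keyblock key" \
    "kernel subkey" || testfail=1
  check_versions "${got_kdatakey}" "${got_ksubkey}" "kernel data key" \
    "kernel subkey" || testfail=1
  check_versions "${expected_fkey}" "${got_fkey}" "key.versions firmware key" \
    "firmware key" || testfail=1
  check_versions "${expected_kkey}" "${got_kdatakey}" "key.versions kernel key" \
    "kernel datakey" || testfail=1
  check_versions "${expected_kkey}" "${got_ksubkey}" "key.versions kernel key" \
    "kernel subkey" || testfail=1
  exit "${testfail}"
}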
86
# Entry point: forward the command line (checked above to be exactly one
# argument) to main, which exits with the overall result.
main "$@"
88