1#!/bin/bash
2
3# Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
4# Use of this source code is governed by a BSD-style license that can be
5# found in the LICENSE file.
6
7# Run verified boot firmware and kernel verification tests.
8
9# Load common constants and variables.
source "$(dirname "$0")/common.sh"

# Overall exit status of the run: stays 0 until a step in one of the
# test functions below fails, which sets it to 255; handed to the final exit.
return_code=0
13
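#######################################
# Pack one RSA test key into a .vbpubk in the scratch dir and unpack it
# again.  The packed file is later consumed as the data key by the
# keyblock tests (key_alg<algonum>.vbpubk).
# Globals:   FUTILITY, TESTKEY_DIR, TESTKEY_SCRATCH_DIR, COL_* (read)
#            return_code (set to 255 if either futility call fails)
# Arguments: $1 - vboot algorithm number
#            $2 - RSA key length in bits (selects key_rsa<len>.keyb)
#            $3 - hash algorithm name (used only in the banner)
# Outputs:   a banner on stdout; futility's own output is not redirected
#######################################
function test_vbutil_key_single {
    local algonum=$1
    local keylen=$2
    local hashalgo=$3
    local pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${algonum}.vbpubk"

    echo -e "For signing key ${COL_YELLOW}RSA-$keylen/$hashalgo${COL_STOP}:"

    # Pack the key.  ${FUTILITY} is deliberately left unquoted: common.sh
    # may set it to a command with arguments (not verified here).
    # shellcheck disable=SC2086
    if ! ${FUTILITY} vbutil_key \
        --pack "${pubkey}" \
        --key "${TESTKEY_DIR}/key_rsa${keylen}.keyb" \
        --version 1 \
        --algorithm "${algonum}"; then
        return_code=255
    fi

    # Unpack the key.  Only the exit status is checked; the unpacked
    # contents are not compared with the input.
    # TODO: should verify we get the same key back out?
    # shellcheck disable=SC2086
    if ! ${FUTILITY} vbutil_key --unpack "${pubkey}"; then
        return_code=255
    fi
}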
40
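#######################################
# Pack/unpack every (key length, hash) combination, numbering the
# algorithms consecutively in the order the two arrays are iterated.
# Globals:   key_lengths, hash_algos (read; expected to be bash arrays)
# Arguments: none
#######################################
function test_vbutil_key_all {
  local algorithmcounter=0
  local keylen hashalgo
  for keylen in "${key_lengths[@]}"; do
    for hashalgo in "${hash_algos[@]}"; do
      test_vbutil_key_single "${algorithmcounter}" "${keylen}" "${hashalgo}"
      algorithmcounter=$((algorithmcounter + 1))
    done
  done
}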
52
# Short vbutil_key smoke test over three representative keys, run when
# --all is not given.  Columns: algorithm number, RSA bits, hash.
function test_vbutil_key {
    local algonum keylen hashalgo
    while read -r algonum keylen hashalgo; do
        test_vbutil_key_single "${algonum}" "${keylen}" "${hashalgo}"
    done <<'EOF'
4 2048 sha256
7 4096 sha256
11 8192 sha512
EOF
}
58
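#######################################
# Run one futility step of the keyblock test.  On failure the step label
# is printed in red and the script-wide return_code is set to 255; the
# caller carries on with the next step regardless.
# Globals:   COL_RED, COL_STOP (read), return_code (written)
# Arguments: $1 - label printed on failure; $2.. - command and arguments
# Returns:   the command's exit status
#######################################
function _keyblock_step {
    local label=$1
    shift
    "$@" && return 0
    local rv=$?
    echo -e "${COL_RED}${label}${COL_STOP}"
    return_code=255
    return "${rv}"
}

#######################################
# Unpack a keyblock and check that the data public key it carries is
# byte-identical to the one it was packed from.  A mismatch prints
# "Check" and aborts the whole run with exit status 1 instead of
# continuing with the remaining tests.
# Globals:   FUTILITY, TESTKEY_SCRATCH_DIR, COL_* (read), return_code
# Arguments: $1 - keyblock file to unpack
#            $2 - data key algorithm number (names key_alg<N>.vbpubk)
#            $3 - public key used to verify the keyblock signature
#######################################
function _keyblock_unpack_and_check {
    local keyblockfile=$1
    local data_algonum=$2
    local signpubkey=$3
    local data_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk"
    local unpacked_pubkey="${TESTKEY_SCRATCH_DIR}/key_alg${data_algonum}.vbpubk2"

    # ${FUTILITY} deliberately unquoted: common.sh may set it to a
    # command with arguments (not verified here).
    # shellcheck disable=SC2086
    _keyblock_step "Unpack" ${FUTILITY} vbutil_keyblock --unpack "${keyblockfile}" \
        --datapubkey "${unpacked_pubkey}" \
        --signpubkey "${signpubkey}"

    if ! cmp -s "${data_pubkey}" "${unpacked_pubkey}"; then
        echo -e "${COL_RED}Check${COL_STOP}"
        return_code=255
        exit 1
    fi
}

#######################################
# Build a keyblock for one (signing key, data key) pair, first with the
# built-in signer and then with the external signer script, unpacking and
# checking the data key after each pack.
#
# The signing key files are named after the signing algorithm number:
# key_alg<sign>.vbprivk / key_alg<sign>.vbpubk.  The .vbpubk is packed
# here without --version and so replaces the one test_vbutil_key_single
# wrote for the same algorithm.  The data key key_alg<data>.vbpubk must
# already exist (test_vbutil_key_single produces it).
# Globals:   FUTILITY, TESTKEY_DIR, TESTKEY_SCRATCH_DIR, SCRIPT_DIR,
#            COL_* (read); return_code (written on failure)
# Arguments: $1 - signing algorithm number
#            $2 - signing RSA key length in bits (selects key_rsa<len>.*)
#            $3 - signing hash name (banner only)
#            $4 - data key algorithm number
#            $5 - data RSA key length in bits (banner only)
#            $6 - data hash name (banner only)
#######################################
function test_vbutil_keyblock_single {
    local signing_algonum=$1
    local signing_keylen=$2
    local signing_hashalgo=$3
    local data_algonum=$4
    local data_keylen=$5
    local data_hashalgo=$6

    local scratch=${TESTKEY_SCRATCH_DIR}
    local signing_privkey="${scratch}/key_alg${signing_algonum}.vbprivk"
    local signing_pubkey="${scratch}/key_alg${signing_algonum}.vbpubk"
    local data_pubkey="${scratch}/key_alg${data_algonum}.vbpubk"
    local keyblockfile="${scratch}/sign${signing_algonum}_data${data_algonum}.keyblock"

    # Continuation lines start at column 0 so the banner has no stray spaces.
    echo -e "For ${COL_YELLOW}signing algorithm \
RSA-${signing_keylen}/${signing_hashalgo}${COL_STOP} \
and ${COL_YELLOW}data key algorithm RSA-${data_keylen}/\
${data_hashalgo}${COL_STOP}"

    # Remove any keyblock left over from an earlier run.
    rm -f -- "${keyblockfile}"

    # ${FUTILITY} deliberately unquoted: common.sh may set it to a
    # command with arguments (not verified here).
    # Wrap private key
    # shellcheck disable=SC2086
    _keyblock_step "Wrap vbprivk" ${FUTILITY} vbutil_key \
        --pack "${signing_privkey}" \
        --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.pem" \
        --algorithm "${signing_algonum}"

    # Wrap public key
    # shellcheck disable=SC2086
    _keyblock_step "Wrap vbpubk" ${FUTILITY} vbutil_key \
        --pack "${signing_pubkey}" \
        --key "${TESTKEY_DIR}/key_rsa${signing_keylen}.keyb" \
        --algorithm "${signing_algonum}"

    # Pack with the built-in signer, then unpack and check.
    # shellcheck disable=SC2086
    _keyblock_step "Pack" ${FUTILITY} vbutil_keyblock --pack "${keyblockfile}" \
        --datapubkey "${data_pubkey}" \
        --signprivate "${signing_privkey}"

    _keyblock_unpack_and_check "${keyblockfile}" "${data_algonum}" "${signing_pubkey}"

    echo -e "${COL_YELLOW}Testing keyblock creation using \
external signer.${COL_STOP}"

    # Pack again into the same file using the external signer script,
    # then unpack and check with the same signing public key.
    # shellcheck disable=SC2086
    _keyblock_step "Pack" ${FUTILITY} vbutil_keyblock --pack "${keyblockfile}" \
        --datapubkey "${data_pubkey}" \
        --signprivate_pem "${TESTKEY_DIR}/key_rsa${signing_keylen}.pem" \
        --pem_algorithm "${signing_algonum}" \
        --externalsigner "${SCRIPT_DIR}/external_rsa_signer.sh"

    _keyblock_unpack_and_check "${keyblockfile}" "${data_algonum}" "${signing_pubkey}"
}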
173
174
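#######################################
# Test every (signing algorithm, data key algorithm) pair.  Each algorithm
# number counts through key_lengths x hash_algos in iteration order, the
# same numbering test_vbutil_key_all uses, and all six arguments are
# passed explicitly to test_vbutil_keyblock_single.
# Globals:   key_lengths, hash_algos (read; expected to be bash arrays)
# Arguments: none
#######################################
function test_vbutil_keyblock_all {
  local signing_algorithmcounter=0
  local data_algorithmcounter
  local signing_keylen signing_hashalgo datakeylen datahashalgo
  for signing_keylen in "${key_lengths[@]}"; do
    for signing_hashalgo in "${hash_algos[@]}"; do
      # The data numbering restarts for every signing algorithm.
      data_algorithmcounter=0
      for datakeylen in "${key_lengths[@]}"; do
        for datahashalgo in "${hash_algos[@]}"; do
          test_vbutil_keyblock_single \
            "${signing_algorithmcounter}" "${signing_keylen}" "${signing_hashalgo}" \
            "${data_algorithmcounter}" "${datakeylen}" "${datahashalgo}"
          data_algorithmcounter=$((data_algorithmcounter + 1))
        done
      done
      signing_algorithmcounter=$((signing_algorithmcounter + 1))
    done
  done
}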
199
# Short vbutil_keyblock smoke test over three representative pairs, run
# when --all is not given.  Columns: signing algorithm number, signing
# RSA bits, signing hash, data algorithm number, data RSA bits, data hash.
function test_vbutil_keyblock {
    local s_alg s_len s_hash d_alg d_len d_hash
    while read -r s_alg s_len s_hash d_alg d_len d_hash; do
        test_vbutil_keyblock_single \
            "${s_alg}" "${s_len}" "${s_hash}" "${d_alg}" "${d_len}" "${d_hash}"
    done <<'EOF'
7 4096 sha256 4 2048 sha256
11 8192 sha512 4 2048 sha256
11 8192 sha512 7 4096 sha256
EOF
}
205
206
#######################################
# Entry point.  Verifies the test keys are present, then runs either the
# full algorithm matrix (--all) or the short representative set for
# vbutil_key and vbutil_keyblock, and exits with the accumulated
# return_code.
# Arguments: $1 - optional "--all"
#######################################
main() {
  local mode=${1-}

  check_test_keys

  printf '\nTesting vbutil_key...\n'
  if [[ "${mode}" == "--all" ]]; then
    test_vbutil_key_all
  else
    test_vbutil_key
  fi

  printf '\nTesting vbutil_keyblock...\n'
  if [[ "${mode}" == "--all" ]]; then
    test_vbutil_keyblock_all
  else
    test_vbutil_keyblock
  fi

  exit "${return_code}"
}
main "$@"
226
227