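#!/bin/bash
# Copyright 2014 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
#
# Keyblock signing test: every keyblock produced by "futility sign" must be
# byte-identical (cmp) to the one produced by the older
# "futility vbutil_keyblock --pack" path, for a root-key-signed keyblock,
# an unsigned keyblock, a PEM-signed keyblock and an externally-signed one.
#
# Required environment:
#   OUTDIR   - scratch directory to work in
#   SRCDIR   - source tree root; provides tests/devkeys, tests/testkeys and
#              tests/external_rsa_signer.sh
#   FUTILITY - path to the futility binary under test

# Shell options go in 'set', not the shebang, so they still apply when the
# script is run as 'bash <script>'.  -x is deliberate: the trace is the log.
set -eux
set -o pipefail

# Fail with a readable message instead of on the first command that uses them.
: "${OUTDIR:?OUTDIR must be set to a scratch directory}"
: "${SRCDIR:?SRCDIR must be set to the source tree root}"
: "${FUTILITY:?FUTILITY must point to the futility binary}"

me=${0##*/}
TMP="$me.tmp"
readonly me TMP

# Work in scratch directory
cd "$OUTDIR"

# some stuff we'll need (all keys come from the tests/ tree)
readonly DEVKEYS="${SRCDIR}/tests/devkeys"
readonly TESTKEYS="${SRCDIR}/tests/testkeys"
readonly SIGNER="${SRCDIR}/tests/external_rsa_signer.sh"


# Create a copy of an existing keyblock, using the old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 7 \
  --signprivate "${DEVKEYS}/root_key.vbprivk"

# Check it: unpack, verifying against the root public key.
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock0" \
  --signpubkey "${DEVKEYS}/root_key.vbpubk"

# It should be the same as the dev-key firmware keyblock
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock0"


# Now create it the new way
"${FUTILITY}" sign --debug \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 7 \
  --signprivate "${DEVKEYS}/root_key.vbprivk" \
  --outfile "${TMP}.keyblock1"

# It should be the same too.
cmp "${DEVKEYS}/firmware.keyblock" "${TMP}.keyblock1"


# Create a keyblock without signing it.

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock0" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --flags 14

# new way (data key and output file are positional here)
"${FUTILITY}" sign --debug \
  --flags 14 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock1"

cmp "${TMP}.keyblock0" "${TMP}.keyblock1"


# Create one using PEM args

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock2" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 9

# verify it against the matching test public key
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock2" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# new way
"${FUTILITY}" sign --debug \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --flags 9 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock3"

cmp "${TMP}.keyblock2" "${TMP}.keyblock3"

# Try it with an external signer

# old way
"${FUTILITY}" vbutil_keyblock --pack "${TMP}.keyblock4" \
  --datapubkey "${DEVKEYS}/firmware_data_key.vbpubk" \
  --signprivate_pem "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algorithm 8 \
  --flags 19 \
  --externalsigner "${SIGNER}"

# verify it
"${FUTILITY}" vbutil_keyblock --unpack "${TMP}.keyblock4" \
  --signpubkey "${TESTKEYS}/key_rsa4096.sha512.vbpubk"

# new way
"${FUTILITY}" sign --debug \
  --pem_signpriv "${TESTKEYS}/key_rsa4096.pem" \
  --pem_algo 8 \
  --pem_external "${SIGNER}" \
  --flags 19 \
  "${DEVKEYS}/firmware_data_key.vbpubk" \
  "${TMP}.keyblock5"

cmp "${TMP}.keyblock4" "${TMP}.keyblock5"


# cleanup -- only reached on success, so a failing run leaves its keyblocks
# in $OUTDIR for inspection.  ':?' refuses to turn an empty TMP into 'rm -rf *'.
rm -rf -- "${TMP:?}"*
exit 0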