aboutsummaryrefslogtreecommitdiff
path: root/test/vboot/vboot_test.sh
blob: 6d7abb82bd72b85a861e3524a7b92c34e853817a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
#!/bin/bash
#
# Copyright (c) 2013, Google Inc.
#
# Simple Verified Boot Test Script
#
# SPDX-License-Identifier:	GPL-2.0+

set -e

# Run U-Boot and report the result
# Args:
#	$1:	Test message
run_uboot() {
	echo -n "Test Verified Boot Run: $1: "
	${uboot} -d sandbox-u-boot.dtb >${tmp} -c '
sb load hostfs - 100 test.fit;
fdt addr 100;
bootm 100;
reset'
	if ! grep -q "$2" ${tmp}; then
		echo
		echo "Verified boot key check failed, output follows:"
		cat ${tmp}
		false
	else
		echo "OK"
	fi
}

echo "Simple Verified Boot Test"
echo "========================="
echo
echo "Please see doc/uImage.FIT/verified-boot.txt for more information"
echo

err=0
tmp=/tmp/vboot_test.$$

dir=$(dirname $0)

if [ -z ${O} ]; then
	O=.
fi
O=$(readlink -f ${O})

dtc="-I dts -O dtb -p 2000"
uboot="${O}/u-boot"
mkimage="${O}/tools/mkimage"
fit_check_sign="${O}/tools/fit_check_sign"
keys="${dir}/dev-keys"
echo ${mkimage} -D "${dtc}"

echo "Build keys"
mkdir -p ${keys}

PUBLIC_EXPONENT=${1}

if [ -z "${PUBLIC_EXPONENT}" ]; then
	PUBLIC_EXPONENT=65537
fi

# Create an RSA key pair
openssl genpkey -algorithm RSA -out ${keys}/dev.key \
    -pkeyopt rsa_keygen_bits:2048 \
    -pkeyopt rsa_keygen_pubexp:${PUBLIC_EXPONENT} 2>/dev/null

# Create a certificate containing the public key
openssl req -batch -new -x509 -key ${keys}/dev.key -out ${keys}/dev.crt

pushd ${dir} >/dev/null

function do_test {
	echo do $sha test
	# Compile our device tree files for kernel and U-Boot
	dtc -p 0x1000 sandbox-kernel.dts -O dtb -o sandbox-kernel.dtb
	dtc -p 0x1000 sandbox-u-boot.dts -O dtb -o sandbox-u-boot.dtb

	# Create a number kernel image with zeroes
	head -c 5000 /dev/zero >test-kernel.bin

	# Build the FIT, but don't sign anything yet
	echo Build FIT with signed images
	${mkimage} -D "${dtc}" -f sign-images-$sha.its test.fit >${tmp}

	run_uboot "unsigned signatures:" "dev-"

	# Sign images with our dev keys
	echo Sign images
	${mkimage} -D "${dtc}" -F -k dev-keys -K sandbox-u-boot.dtb \
		-r test.fit >${tmp}

	run_uboot "signed images" "dev+"


	# Create a fresh .dtb without the public keys
	dtc -p 0x1000 sandbox-u-boot.dts -O dtb -o sandbox-u-boot.dtb

	echo Build FIT with signed configuration
	${mkimage} -D "${dtc}" -f sign-configs-$sha.its test.fit >${tmp}

	run_uboot "unsigned config" $sha"+ OK"

	# Sign images with our dev keys
	echo Sign images
	${mkimage} -D "${dtc}" -F -k dev-keys -K sandbox-u-boot.dtb \
		-r test.fit >${tmp}

	run_uboot "signed config" "dev+"

	echo check signed config on the host
	if ! ${fit_check_sign} -f test.fit -k sandbox-u-boot.dtb >${tmp}; then
		echo
		echo "Verified boot key check on host failed, output follows:"
		cat ${tmp}
		false
	else
		if ! grep -q "dev+" ${tmp}; then
			echo
			echo "Verified boot key check failed, output follows:"
			cat ${tmp}
			false
		else
			echo "OK"
		fi
	fi

	run_uboot "signed config" "dev+"

	# Increment the first byte of the signature, which should cause failure
	sig=$(fdtget -t bx test.fit /configurations/conf@1/signature@1 value)
	newbyte=$(printf %x $((0x${sig:0:2} + 1)))
	sig="${newbyte} ${sig:2}"
	fdtput -t bx test.fit /configurations/conf@1/signature@1 value ${sig}

	run_uboot "signed config with bad hash" "Bad Data Hash"
}

sha=sha1
do_test
sha=sha256
do_test

popd >/dev/null

echo
if ${ok}; then
	echo "Test passed"
else
	echo "Test failed"
fi