]>
Commit | Line | Data |
---|---|---|
041bca5b SG |
1 | #!/bin/sh |
2 | # | |
3 | # Copyright (c) 2013, Google Inc. | |
4 | # | |
5 | # Simple Verified Boot Test Script | |
6 | # | |
7 | # This program is free software; you can redistribute it and/or | |
8 | # modify it under the terms of the GNU General Public License as | |
9 | # published by the Free Software Foundation; either version 2 of | |
10 | # the License, or (at your option) any later version. | |
11 | # | |
12 | # This program is distributed in the hope that it will be useful, | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
15 | # GNU General Public License for more details. | |
16 | # | |
17 | # You should have received a copy of the GNU General Public License | |
18 | # along with this program; if not, write to the Free Software | |
19 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, | |
20 | # MA 02111-1307 USA | |
21 | ||
22 | set -e | |
23 | ||
24 | # Run U-Boot and report the result | |
25 | # Args: | |
26 | # $1: Test message | |
27 | run_uboot() { | |
28 | echo -n "Test Verified Boot Run: $1: " | |
29 | ${uboot} -d sandbox-u-boot.dtb >${tmp} -c ' | |
30 | sb load host 0 100 test.fit; | |
31 | fdt addr 100; | |
32 | bootm 100; | |
33 | reset' | |
34 | if ! grep -q "$2" ${tmp}; then | |
35 | echo | |
36 | echo "Verified boot key check failed, output follows:" | |
37 | cat ${tmp} | |
38 | false | |
39 | else | |
40 | echo "OK" | |
41 | fi | |
42 | } | |
43 | ||
44 | echo "Simple Verified Boot Test" | |
45 | echo "=========================" | |
46 | echo | |
47 | echo "Please see doc/uImage.FIT/verified-boot.txt for more information" | |
48 | echo | |
49 | ||
50 | err=0 | |
51 | tmp=/tmp/vboot_test.$$ | |
52 | ||
53 | dir=$(dirname $0) | |
54 | ||
55 | if [ -z ${O} ]; then | |
56 | O=. | |
57 | fi | |
58 | O=$(readlink -f ${O}) | |
59 | ||
60 | dtc="-I dts -O dtb -p 2000" | |
61 | uboot="${O}/u-boot" | |
62 | mkimage="${O}/tools/mkimage" | |
63 | keys="${dir}/dev-keys" | |
64 | echo ${mkimage} -D "${dtc}" | |
65 | ||
66 | echo "Build keys" | |
67 | mkdir -p ${keys} | |
68 | ||
69 | # Create an RSA key pair | |
70 | openssl genrsa -F4 -out ${keys}/dev.key 2048 2>/dev/null | |
71 | ||
72 | # Create a certificate containing the public key | |
73 | openssl req -batch -new -x509 -key ${keys}/dev.key -out ${keys}/dev.crt | |
74 | ||
75 | pushd ${dir} >/dev/null | |
76 | ||
77 | # Compile our device tree files for kernel and U-Boot (CONFIG_OF_CONTROL) | |
78 | dtc -p 0x1000 sandbox-kernel.dts -O dtb -o sandbox-kernel.dtb | |
79 | dtc -p 0x1000 sandbox-u-boot.dts -O dtb -o sandbox-u-boot.dtb | |
80 | ||
81 | # Create a number kernel image with zeroes | |
82 | head -c 5000 /dev/zero >test-kernel.bin | |
83 | ||
84 | # Build the FIT, but don't sign anything yet | |
85 | echo Build FIT with signed images | |
86 | ${mkimage} -D "${dtc}" -f sign-images.its test.fit >${tmp} | |
87 | ||
88 | run_uboot "unsigned signatures:" "dev-" | |
89 | ||
90 | # Sign images with our dev keys | |
91 | echo Sign images | |
92 | ${mkimage} -D "${dtc}" -F -k dev-keys -K sandbox-u-boot.dtb -r test.fit >${tmp} | |
93 | ||
94 | run_uboot "signed images" "dev+" | |
95 | ||
96 | ||
97 | # Create a fresh .dtb without the public keys | |
98 | dtc -p 0x1000 sandbox-u-boot.dts -O dtb -o sandbox-u-boot.dtb | |
99 | ||
100 | echo Build FIT with signed configuration | |
101 | ${mkimage} -D "${dtc}" -f sign-configs.its test.fit >${tmp} | |
102 | ||
103 | run_uboot "unsigned config" "sha1+ OK" | |
104 | ||
105 | # Sign images with our dev keys | |
106 | echo Sign images | |
107 | ${mkimage} -D "${dtc}" -F -k dev-keys -K sandbox-u-boot.dtb -r test.fit >${tmp} | |
108 | ||
109 | run_uboot "signed config" "dev+" | |
110 | ||
111 | # Increment the first byte of the signature, which should cause failure | |
112 | sig=$(fdtget -t bx test.fit /configurations/conf@1/signature@1 value) | |
113 | newbyte=$(printf %x $((0x${sig:0:2} + 1))) | |
114 | sig="${newbyte} ${sig:2}" | |
115 | fdtput -t bx test.fit /configurations/conf@1/signature@1 value ${sig} | |
116 | ||
117 | run_uboot "signed config with bad hash" "Bad Data Hash" | |
118 | ||
119 | popd >/dev/null | |
120 | ||
121 | echo | |
122 | if ${ok}; then | |
123 | echo "Test passed" | |
124 | else | |
125 | echo "Test failed" | |
126 | fi |