Home Explore Help
Sign In
coolsoul
/
u-boot
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: a0af08b9db
Branches Tags
u-boot
/
test
/
vboot
/
vboot_test.sh

vboot_test.sh 3.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143 
  1. #!/bin/sh
    2. 

  2. #
    3. 

  3. # Copyright (c) 2013, Google Inc.
    4. 

  4. #
    5. 

  5. # Simple Verified Boot Test Script
    6. 

  6. #
    7. 

  7. # SPDX-License-Identifier:	GPL-2.0+
    8. 

  8. 

  9. set -e
    10. 

  10. 

  11. # Run U-Boot and report the result
    12. 

  12. # Args:
    13. 

  13. #	$1:	Test message
    14. 

  14. run_uboot() {
    15. 

  15. 	echo -n "Test Verified Boot Run: $1: "
    16. 

  16. 	${uboot} -d sandbox-u-boot.dtb >${tmp} -c '
    17. 

  17. sb load host 0 100 test.fit;
    18. 

  18. fdt addr 100;
    19. 

  19. bootm 100;
    20. 

  20. reset'
    21. 

  21. 	if ! grep -q "$2" ${tmp}; then
    22. 

  22. 		echo
    23. 

  23. 		echo "Verified boot key check failed, output follows:"
    24. 

  24. 		cat ${tmp}
    25. 

  25. 		false
    26. 

  26. 	else
    27. 

  27. 		echo "OK"
    28. 

  28. 	fi
    29. 

  29. }
    30. 

  30. 

  31. echo "Simple Verified Boot Test"
    32. 

  32. echo "========================="
    33. 

  33. echo
    34. 

  34. echo "Please see doc/uImage.FIT/verified-boot.txt for more information"
    35. 

  35. echo
    36. 

  36. 

  37. err=0
    38. 

  38. tmp=/tmp/vboot_test.$$
    39. 

  39. 

  40. dir=$(dirname $0)
    41. 

  41. 

  42. if [ -z ${O} ]; then
    43. 

  43. 	O=.
    44. 

  44. fi
    45. 

  45. O=$(readlink -f ${O})
    46. 

  46. 

  47. dtc="-I dts -O dtb -p 2000"
    48. 

  48. uboot="${O}/u-boot"
    49. 

  49. mkimage="${O}/tools/mkimage"
    50. 

  50. fit_check_sign="${O}/tools/fit_check_sign"
    51. 

  51. keys="${dir}/dev-keys"
    52. 

  52. echo ${mkimage} -D "${dtc}"
    53. 

  53. 

  54. echo "Build keys"
    55. 

  55. mkdir -p ${keys}
    56. 

  56. 

  57. # Create an RSA key pair
    58. 

  58. openssl genrsa -F4 -out ${keys}/dev.key 2048 2>/dev/null
    59. 

  59. 

  60. # Create a certificate containing the public key
    61. 

  61. openssl req -batch -new -x509 -key ${keys}/dev.key -out ${keys}/dev.crt
    62. 

  62. 

  63. pushd ${dir} >/dev/null
    64. 

  64. 

  65. function do_test {
    66. 

  66. 	echo do $sha test
    67. 

  67. 	# Compile our device tree files for kernel and U-Boot
    68. 

  68. 	dtc -p 0x1000 sandbox-kernel.dts -O dtb -o sandbox-kernel.dtb
    69. 

  69. 	dtc -p 0x1000 sandbox-u-boot.dts -O dtb -o sandbox-u-boot.dtb
    70. 

  70. 

  71. 	# Create a number kernel image with zeroes
    72. 

  72. 	head -c 5000 /dev/zero >test-kernel.bin
    73. 

  73. 

  74. 	# Build the FIT, but don't sign anything yet
    75. 

  75. 	echo Build FIT with signed images
    76. 

  76. 	${mkimage} -D "${dtc}" -f sign-images-$sha.its test.fit >${tmp}
    77. 

  77. 

  78. 	run_uboot "unsigned signatures:" "dev-"
    79. 

  79. 

  80. 	# Sign images with our dev keys
    81. 

  81. 	echo Sign images
    82. 

  82. 	${mkimage} -D "${dtc}" -F -k dev-keys -K sandbox-u-boot.dtb \
    83. 

  83. 		-r test.fit >${tmp}
    84. 

  84. 

  85. 	run_uboot "signed images" "dev+"
    86. 

  86. 

  87. 

  88. 	# Create a fresh .dtb without the public keys
    89. 

  89. 	dtc -p 0x1000 sandbox-u-boot.dts -O dtb -o sandbox-u-boot.dtb
    90. 

  90. 

  91. 	echo Build FIT with signed configuration
    92. 

  92. 	${mkimage} -D "${dtc}" -f sign-configs-$sha.its test.fit >${tmp}
    93. 

  93. 

  94. 	run_uboot "unsigned config" $sha"+ OK"
    95. 

  95. 

  96. 	# Sign images with our dev keys
    97. 

  97. 	echo Sign images
    98. 

  98. 	${mkimage} -D "${dtc}" -F -k dev-keys -K sandbox-u-boot.dtb \
    99. 

  99. 		-r test.fit >${tmp}
    100. 

  100. 

  101. 	run_uboot "signed config" "dev+"
    102. 

  102. 

  103. 	echo check signed config on the host
    104. 

  104. 	if ! ${fit_check_sign} -f test.fit -k sandbox-u-boot.dtb >${tmp}; then
    105. 

  105. 		echo
    106. 

  106. 		echo "Verified boot key check on host failed, output follows:"
    107. 

  107. 		cat ${tmp}
    108. 

  108. 		false
    109. 

  109. 	else
    110. 

  110. 		if ! grep -q "dev+" ${tmp}; then
    111. 

  111. 			echo
    112. 

  112. 			echo "Verified boot key check failed, output follows:"
    113. 

  113. 			cat ${tmp}
    114. 

  114. 			false
    115. 

  115. 		else
    116. 

  116. 			echo "OK"
    117. 

  117. 		fi
    118. 

  118. 	fi
    119. 

  119. 

  120. 	run_uboot "signed config" "dev+"
    121. 

  121. 

  122. 	# Increment the first byte of the signature, which should cause failure
    123. 

  123. 	sig=$(fdtget -t bx test.fit /configurations/conf@1/signature@1 value)
    124. 

  124. 	newbyte=$(printf %x $((0x${sig:0:2} + 1)))
    125. 

  125. 	sig="${newbyte} ${sig:2}"
    126. 

  126. 	fdtput -t bx test.fit /configurations/conf@1/signature@1 value ${sig}
    127. 

  127. 

  128. 	run_uboot "signed config with bad hash" "Bad Data Hash"
    129. 

  129. }
    130. 

  130. 

  131. sha=sha1
    132. 

  132. do_test
    133. 

  133. sha=sha256
    134. 

  134. do_test
    135. 

  135. 

  136. popd >/dev/null
    137. 

  137. 

  138. echo
    139. 

  139. if ${ok}; then
    140. 

  140. 	echo "Test passed"
    141. 

  141. else
    142. 

  142. 	echo "Test failed"
    143. 

  143. fi
    144.